Mastering NIST 800-171 for CMMC - with its Author Dr. Ron Ross
NIST 800-171 Deep Dive with Dr. Ron Ross - Session 1

Join Dr. Ronald Ross, the lead architect behind NIST 800-171 and former NIST Fellow, as he breaks down the foundational requirements for protecting Controlled Unclassified Information (CUI) in the Defense Industrial Base. In this first session of our 5-part series, Dr. Ross covers four critical control families that form the backbone of CMMC compliance.

What You'll Learn:

*Access Control (AC) - The Foundation of CUI Protection*
How to properly scope your CUI environment and define security boundaries
Understanding least privilege and separation of duties for real-world scenarios
Managing remote access and external system connections

*Identification & Authentication (IA) - Proving Identity*
Unique identification requirements for users, processes, and devices
Multi-factor authentication: current requirements and what's coming in Rev 3
Authentication strategies for different account types

*Audit & Accountability (AU) - Understanding Your Security Posture*
Defining and monitoring security events that matter
Protecting audit data from compromise
Responding to audit system failures

*System & Communications Protection (SC) - Defending the Perimeter*
Boundary protection and network segmentation strategies
Cryptographic requirements for CUI in transit and at rest
The shift away from offline storage in upcoming revisions

Key Takeaways:
Why implementing controls isn't enough—you must prove compliance
How 110 requirements work together as a unified defense system
The critical difference between security functionality and security assurance
Practical guidance for small contractors facing separation of duties challenges

Timestamps:
*00:00* - Introduction and Dr. Ross's background
*02:03* - The landscape: Why CUI protection matters for national security
*06:00* - History of NIST 800-171 and the CUI protection program
*10:58* - Overview of the 5-part webinar series
*12:42* - *Access Control Family begins*
*12:55* - AC-3.1.1 & 3.1.2: Limiting system access to authorized users
*16:17* - AC-3.1.3: Controlling information flow between domains
*18:06* - AC-3.1.4: Separation of duties
*19:52* - AC-3.1.5: Least privilege principle
*20:45* - AC-3.1.10: Session lock requirements
*21:58* - AC-3.1.20: Controlling external system connections
*24:01* - *Q&A: Separation of duties for small organizations*
*26:50* - *Identification & Authentication Family begins*
*27:11* - IA-3.5.1: User and device identification
*28:42* - IA-3.5.2: Authentication of users and devices
*29:33* - IA-3.5.3: Multi-factor authentication requirements
*31:18* - *Q&A: Scoping - who and what is in scope?*
*34:09* - *Q&A: How to treat hard copy CUI*
*36:30* - *Audit & Accountability Family begins*
*37:06* - AU-3.3.1: Creating and managing audit records
*38:45* - AU-3.3.2: Ensuring actions can be traced to individuals
*39:45* - AU-3.3.3: Reviewing and updating audited events
*40:44* - AU-3.3.4: Alerting on audit processing failures
*41:38* - AU-3.3.5: Protecting audit information
*42:33* - *Q&A: What exactly is CUI and what needs to be audited?*
*46:46* - *System & Communications Protection Family begins*
*47:01* - SC-3.13.1: Monitoring and controlling communications at boundaries
*49:02* - SC-3.13.2: Security engineering principles
*50:26* - SC-3.13.3: Separating user and management functionality
*51:30* - SC-3.13.4: Public access protections (DMZ)
*52:44* - SC-3.13.6: Deny by default, allow by exception
*54:02* - SC-3.13.8: Cryptographic protection in transit
*54:32* - SC-3.13.10: FIPS-validated cryptography
*55:37* - SC-3.13.16: Protecting CUI at rest
*56:47* - Closing remarks and next steps

---

*About Dr. Ronald Ross:*
President of Ron Ross Secure and recently retired NIST Fellow, Dr. Ross led the development of foundational cybersecurity standards including NIST 800-171, 800-53, and the Risk Management Framework. With a PhD in Computer Science and over 20 years of military service, he's widely recognized as one of the most influential figures in U.S. cybersecurity policy.

*Next in the Series:*
Sessions 2-5 will cover the remaining 10 control families in NIST 800-171. Stay tuned for deep dives into Awareness & Training, Configuration Management, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, and System & Information Integrity.

#CMMC #NIST800171 #CyberSecurity #DefenseIndustrial #CUI #Compliance #InfoSec