NIST Security Controls: Deep Dive with Dr. Ron Ross (video, originally uploaded to YouTube)
CMMC Pathfinder Tool: in 5 minutes or less, this free tool gives you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder

At first glance, the initial public draft of NIST Special Publication (SP) 800-171 Revision 3 is a big change from previous versions: formatting changes, variable (organization-defined) parameters, and new requirements seem to have come out of nowhere. In reality, SP 800-171 is a reflection of the much larger SP 800-53, and the evolution of SP 800-53 over time directly shapes the look and feel of SP 800-171, as well as the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk through where SP 800-53 has been, where it is going, and how a broader understanding of it puts SP 800-171 into context for federal contractors.

Want more NIST 800-171 resources? Visit: https://www.summit7.us/resources#reso...

Episode Links:
Rainbow Series: https://en.wikipedia.org/wiki/Rainbow...
Anderson Report (PDF): https://csrc.nist.rip/publications/hi...
Ware Report: https://en.wikipedia.org/wiki/Ware_re...
A Vulnerable System: https://www.amazon.com/Vulnerable-Sys...
The Perfect Weapon: https://www.amazon.com/Perfect-Weapon...
FISMA: https://en.wikipedia.org/wiki/Federal...
FIPS 200: https://csrc.nist.gov/publications/de...
FIPS 199: https://csrc.nist.gov/publications/de...
RMF: https://csrc.nist.gov/projects/risk-m...
Alan Paller: https://www.sans.org/about/our-founder/
Metrics as surrogates: https://hbr.org/2019/09/dont-let-metr...
EO 13556: https://obamawhitehouse.archives.gov/...
CUI Registry: https://www.archives.gov/cui/registry...
SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/de...
SP 800-53 r5: https://csrc.nist.gov/publications/de...
Chapters:
(0:00 – 3:25): Episode intro
(3:26 – 7:50): Friendly banter
(7:51 – 14:28): Ron Ross' origin story
(14:29 – 20:33): The importance of learning the fundamentals
(20:34 – 22:36): The importance of fostering curiosity
(22:37 – 25:23): Origin story, continued
(25:24 – 32:35): Cyber war and the impact of FISMA
(32:36 – 40:00): The analogy of the water line
(40:01 – 44:29): Advanced threats and the OPM hack
(44:30 – 50:54): The FISMA series (FIPS 199/200, SP 800-53)
(50:56 – 58:49): FIPS 200, control baselines, and RMF
(59:43 – 1:05:05): Are 3 control baselines enough?
(1:05:06 – 1:09:48): Does the design of 800-53 constrain 800-171?
(1:09:49 – 1:11:00): No implementation guidance?
(1:11:01 – 1:14:06): Why were "control classes" removed from 800-53?
(1:14:07 – 1:21:45): Why were "priority codes" removed from 800-53?
(1:21:46 – 1:27:30): What happened to examples in 800-53?
(1:27:31 – 1:30:12): Organizationally-defined parameters
(1:30:13 – 1:33:19): Why was "Organization" vs "System" removed from 800-53?
(1:33:20 – 1:36:20): If we remove everything from 800-53, what's left for 800-171?
(1:36:20 – 1:48:55): Why were assurance categories removed from 800-53?
(1:48:56 – 1:53:15): Have we removed too much context from 800-171?
(1:53:16 – 1:56:20): Why aren't 800-171 requirements labeled as base controls vs enhancements?
(1:56:21 – 1:59:09): The mystery of "related controls" in 800-53
(1:59:10 – 2:07:00): The origin of SP 800-171
(2:07:01 – 2:14:09): FISMA requirements vs DoD baselines
(2:14:10 – 2:17:10): Ambiguity vs specificity in 800-171
(2:17:11 – 2:19:15): Converting 800-171 into a CUI overlay
(2:19:16 – 2:26:00): Who defines organizationally-defined parameters?
(2:26:01 – 2:30:44): Can you have a minimum baseline if ODPs are variable?
(2:30:45 – 2:36:50): "Withdrawn" requirements and group similarities
(2:36:51 – 2:39:55): Is 800-171 risk-based?
(2:39:56 – 2:44:01): If CUI is related to national security, why isn't it classified?
(2:44:00 – 2:48:06): Small business environments
(2:48:07 – 2:53:09): NFO controls
(2:53:10 – 2:57:59): Zero trust
(2:58:00 – 3:05:15): Tailoring for confidentiality only
(3:05:14 – 3:08:28): Independent assessments
(3:08:27 – 3:15:23): MSPs
(3:15:24 – 3:20:52): Public comments
(3:20:53 – 3:23:39): FIPS
(3:23:40 – 3:26:12): Does 171A expand requirements?
(3:26:13 – 3:29:00): Revision cycle schedule
(3:29:03 – 3:31:58): Wrap up

#cybersecurity #nist #dod #dib #cmmc #cui