Meet the
panel
Leighton Johnson
Infosec instructor and CTO at ISFMT
Stacy High-Brinkley
VP of Compliance Solutions and Service at CASK
Government Services
Jeff Peters
Director of Content Marketing at Infosec
Today’s webcast
⮚ CMMC assessment and certification process
⮚ CMMC assessment levels
⮚ CMMC assessment criteria and methodology
⮚ CMMC timeline
⮚ CMMC Q&A
CMMC assessment and
certification process
OSC certification process
Organization Seeking Certification
(OSC) details
⮚ Contractors can achieve a CMMC level
for their entire enterprise network or
for a particular segment or enclave,
depending where the protected
information is handled and stored.
⮚ Plan on at least six months to get your CMMC certification
OSC benefits
➢ Certification valid for 3 years
➢ Can bid on DoD contracts where CMMC
Level requirements are designated
CMMC model and assessment guides
Office of the Under Secretary of Defense for Acquisition &
Sustainment (OUSD(A&S)) website
➢ CMMC Level 1 Assessment Guide (editable)
➢ CMMC Level 3 Assessment Guide (editable)
Other resources
➢ CMMC Model v1.02, its appendices and appendices in tabular form
➢ CMMC Model Errata v1.0
➢ CMMC Glossary (editable)
CMMC assessment process
Certification provides assurance of practices and processes
Certified Assessors use the same assessment methods for each contractor.
Once a contractor is assessed and certified at a level, other entities (e.g.,
government sponsors and prime contractors looking to hire subcontractors)
have assurance the certified contractor meets CMMC practices and processes.
Methodology the same regardless of size
The CMMC assessment methodology follows a data-centric security process
that applies the practices equally, regardless of the contractor’s size,
constraints or complexity. All CMMC levels are achievable by small, medium
and large contractors.
Assessment scope pre-determined by OSC and C3PAO
Prior to a CMMC assessment, the contractor must define the scope for the
assessment that represents the boundary for which the CMMC certificate will
be issued. Additional guidance on assessment scope will be available in the
next version of the CMMC Assessment Guides.
CMMC assessment levels
CMMC domains and levels
CMMC model: 17 capability domains and 5 levels, measuring cybersecurity maturity
➢ Access Control (AC)
➢ Incident Response (IR)
➢ Risk Management (RM)
➢ Asset Management (AM)
➢ Maintenance (MA)
➢ Security Assessment (CA)
➢ Awareness and Training (AT)
➢ Media Protection (MP)
➢ Situational Awareness (SA)
➢ Audit and Accountability (AU)
➢ Personnel Security (PS)
➢ System and Communications Protection (SC)
➢ Configuration Management (CM)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
➢ Recovery (RE)
CMMC Level 1
6 capability domains, 17 practices, 0 processes
➢ Access Control (AC)
➢ Media Protection (MP)
➢ System and Communications Protection (SC)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
Level 1 of CMMC addresses the protection of Federal Contract
Information (FCI) and encompasses the basic safeguarding requirements
for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21,
which defines FCI as:
Information, not intended for public release, that is provided by or generated
for the Government under a contract to develop or deliver a product or
service to the Government, but not including information provided by the
Government to the public (such as on public websites).
DoD contracts that specify the need for a contractor to process, store or
transmit FCI require the company to comply with CMMC Level 1 practices.
CMMC Level 3
17 capability domains, 130 total practices (Level 1: 17, Level 2: 55, Level 3: 58), 3 maturity processes (each applied across all 17 domains)
➢ Access Control (AC)
➢ Incident Response (IR)
➢ Risk Management (RM)
➢ Asset Management (AM)
➢ Maintenance (MA)
➢ Security Assessment (CA)
➢ Awareness and Training (AT)
➢ Media Protection (MP)
➢ Situational Awareness (SA)
➢ Audit and Accountability (AU)
➢ Personnel Security (PS)
➢ System and Communications Protection (SC)
➢ Configuration Management (CM)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
➢ Recovery (RE)
CMMC Levels 1 through 3 consist of the 110 security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; 20 additional CMMC practices; and 3 CMMC maturity processes for each of the 17 domains.
CMMC Level 3 addresses the protection of Controlled Unclassified Information (CUI), which the National Archives and Records Administration (NARA) defines as:
Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CMMC assessment criteria and
methodology
Assessment criteria and methodology: Objects
Defined in NIST SP 800-171A Section 2.1.
Assessment objects identify the specific items being assessed and can include:
Specifications
Document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
Mechanisms
The specific hardware, software or firmware safeguards employed within a system.
Activities
The protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan and monitoring network traffic).
Individuals
Individuals, or groups of individuals, are the people applying the specifications, mechanisms or activities described above.
Assessment criteria and methodology: Actions
Defined in NIST SP 800-171A Section 2.1.
The assessment methods define the nature and the extent of the Certified Assessor’s actions:
Examine
Process of reviewing, inspecting, observing, studying or analyzing assessment objects (i.e., specifications, mechanisms, activities) to facilitate understanding, achieve clarification or obtain evidence.
Interview
Process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification or obtain evidence.
Test
Process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
Assessment actions: Interview
The Certified Assessor has discussions with individuals
within an organization to understand if a practice or process
has been addressed.
Interviews of applicable staff (possibly at different organizational levels) determine whether:
➢ CMMC practices or processes are implemented
➢ Adequate resourcing, training and planning have occurred for individuals to perform the practices
Assessment actions: Examine
Examination includes reviewing, inspecting, observing, studying
or analyzing assessment objects (documents, mechanisms or
activities).
Documents need to be in their final forms (drafts are not eligible to
be submitted as evidence because they are not yet official). Common
types of documents that can be used as evidence include:
➢ Policy, process and procedure documents
➢ Training materials
➢ Plans and planning documents
➢ System-level, network and data flow diagrams
In other cases, the practice or process is best assessed by observing
that safeguards are in place by viewing hardware or associated
configuration information or observing staff following a process.
Assessment actions: Test
Testing is an important part of the assessment process.
➢ Interviews tell the Certified Assessor what the contractor staff
believe to be true
➢ Documentation provides evidence of intent
➢ Testing demonstrates what has or has not been done.
For example:
➢ Contractor staff may talk about how users are identified
➢ Documentation may provide details on how users are identified
➢ Seeing a demonstration of identifying users provides evidence
that the practice is met
The Certified Assessor will determine which practices or objectives
within a practice need demonstration or testing. Not all practices
will require testing.
Assessment findings
The assessment of a CMMC practice or process results in one of three
possible findings: MET, NOT MET, or NOT APPLICABLE.
➢ MET: The contractor successfully meets the practice or process.
For each practice or process marked MET, the Certified Assessor
includes statements that indicate the response conforms to the
objectives and documents the appropriate evidence to support the
response.
➢ NOT MET: The contractor has not met the practice or process.
For each practice or process marked NOT MET, the Certified Assessor
includes statements that explain why and documents the appropriate
evidence that the contractor does not conform to the objectives.
➢ NOT APPLICABLE (N/A): The practice or process does not apply.
For each practice or process marked N/A, the Certified Assessor includes a statement that explains why the practice or process does not apply to the contractor. For example, SC.1.176 might be N/A if there are no publicly accessible systems.
Assessment findings: Inherited practices
A contractor can inherit practice or process objectives. A practice or
process objective that is inherited is met because adequate evidence is
provided that the enterprise or another entity, such as an External
Service Provider (ESP), performs the practice or process objective.
➢ Evidence from the enterprise or the entity from which the objectives
are inherited should show they are applicable to in-scope assets and
that the assessment objectives are met.
➢ For each practice or process objective that is inherited, the Certified
Assessor includes statements that indicate how they were evaluated
and from whom they are inherited.
If the contractor cannot demonstrate adequate evidence for all
assessment objectives, through either contractor evidence or evidence of
inheritance, the contractor will receive a NOT MET for the practice or
process.
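The finding rules on the last few slides (MET only when every assessment objective is covered, N/A only with a written reason, inheritance counted only when the enterprise or ESP evidence applies to in-scope assets, and drafts not eligible as evidence) written out as a small evidence tracker. This is an added example, not material from the webcast and not an official CMMC tool. IA.1.076 and AC.1.001 follow the CMMC v1.02 Level 1 guide numbering; the lettered objectives, evidence artifacts and the provider name ExampleESP are constructed for illustration.

```python
"""Roll up CMMC assessment objectives into a practice-level finding.

Added example, not from the webcast and not an official CMMC tool. A practice
is MET only when every assessment objective is shown met, by the contractor's
own final (non-draft) evidence or by inheritance evidence that applies to
in-scope assets; it is N/A only with a written justification; otherwise it is
NOT MET. Objective letters, artifacts and the ESP name are constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional

MET, NOT_MET, NOT_APPLICABLE = "MET", "NOT MET", "NOT APPLICABLE"


@dataclass
class Evidence:
    """One piece of evidence offered for one assessment objective."""
    objective: str                        # e.g. "AC.1.001[a]" (constructed)
    artifact: str                         # what was examined, interviewed or tested
    final: bool = True                    # drafts are not eligible as evidence
    inherited_from: Optional[str] = None  # enterprise/ESP name when inherited
    covers_in_scope_assets: bool = True   # inherited evidence must apply to scope


@dataclass
class Practice:
    practice_id: str
    objectives: list                      # every assessment objective of the practice
    na_justification: Optional[str] = None
    evidence: list = field(default_factory=list)


@dataclass
class Finding:
    practice_id: str
    result: str
    statements: list                      # assessor statements recorded with the finding


def satisfying_evidence(objective, evidence):
    """Return the first evidence item adequate for the objective, or None."""
    for ev in evidence:
        if ev.objective != objective or not ev.final:
            continue
        if ev.inherited_from is not None and not ev.covers_in_scope_assets:
            continue  # inherited, but not shown to apply to in-scope assets
        return ev
    return None


def assess_practice(practice):
    """Produce MET / NOT MET / NOT APPLICABLE plus the supporting statements."""
    if practice.na_justification:
        return Finding(practice.practice_id, NOT_APPLICABLE,
                       [f"Does not apply: {practice.na_justification}"])
    statements, unmet = [], []
    for obj in practice.objectives:
        ev = satisfying_evidence(obj, practice.evidence)
        if ev is None:
            unmet.append(obj)
        elif ev.inherited_from:
            statements.append(f"{obj}: inherited from {ev.inherited_from}, "
                              f"evaluated via {ev.artifact}")
        else:
            statements.append(f"{obj}: conforms, evidence {ev.artifact}")
    if unmet:
        statements.append("No adequate evidence for " + ", ".join(unmet))
        return Finding(practice.practice_id, NOT_MET, statements)
    return Finding(practice.practice_id, MET, statements)


def sample_findings():
    """Constructed sample: one MET, one N/A and one NOT MET practice."""
    practices = [
        # [a] met by the contractor; [b] inherited from an ESP whose evidence
        # is shown to cover the in-scope enclave.
        Practice("IA.1.076", ["IA.1.076[a]", "IA.1.076[b]"], evidence=[
            Evidence("IA.1.076[a]", "AD user listing reviewed against HR roster"),
            Evidence("IA.1.076[b]", "ESP report section on device identity",
                     inherited_from="ExampleESP"),
        ]),
        # N/A with a documented reason, as in the slide's SC.1.176 example.
        Practice("SC.1.176", ["SC.1.176[a]"],
                 na_justification="no publicly accessible systems in scope"),
        # [b] has only a draft policy; [c] is inherited but the ESP evidence
        # does not cover the in-scope assets, so the practice is NOT MET.
        Practice("AC.1.001", ["AC.1.001[a]", "AC.1.001[b]", "AC.1.001[c]"], evidence=[
            Evidence("AC.1.001[a]", "account provisioning tickets, last 6 months"),
            Evidence("AC.1.001[b]", "DRAFT access control policy", final=False),
            Evidence("AC.1.001[c]", "ESP firewall standard",
                     inherited_from="ExampleESP", covers_in_scope_assets=False),
        ]),
    ]
    return {p.practice_id: assess_practice(p) for p in practices}


if __name__ == "__main__":
    for pid, finding in sample_findings().items():
        print(pid, finding.result)
        for line in finding.statements:
            print("   ", line)
```

The point of the structure is that a single objective with a draft document or with ESP evidence that does not reach the in-scope assets drags the whole practice to NOT MET, which is exactly the failure mode contractors hit when they rely on a provider's paperwork without tying it to their own enclave.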
CMMC timeline
Timeline of CMMC rollout
CMMC assessment Q&A
Are there any expenses associated with CMMC for Organizations Seeking Certification (OSC) that can be reimbursed?
What is the status on ISO 27001 reciprocity and how will this affect the appraisals for certifications?
The industry has conflicting rules regarding CUI. If you go by the DoD CUI registry, it includes a lot. But we are not seeing the government mark many documents as CUI. Is CUI only the documents marked by the government as CUI, or are contractors to also mark their documents as CUI (e.g., proposals and such)?
Per the CMMC assessors guide, Assessors must select from two of the following three: examine, interview and test. Can they select to just examine and interview for a specific practice? If so, then do they collect evidence?
Is evidence (screen shot, documentation, reports or tickets from a ticketing system) always collected to be sent to the CMMC-AB Assessor for review?
How far back in time is evidence collected for: 3 months, 6 months, a year?
Do businesses using M365 need to upgrade to MS Government GCC High (Govt Community Cloud) to comply with CMMC Maturity Level 3 requirements?
Other questions?
Additional CMMC resources
CMMC career path: How to become a CMMC Certified Assessor (available on-demand)
CMMC rollout: How CMMC will impact your organization (available on-demand)
All Infosec CMMC resources: infosecinstitute.com/cmmc
About us
Infosec believes knowledge is power when fighting
cybercrime. We help IT and security professionals advance
their careers with skills development and certifications
while empowering all employees with security awareness
and privacy training to stay cyber-safe at work and home.
www.infosecinstitute.com

CompTIA CySA+ certification (CS0-003) changes: Everything you need to know
 
Skills training value: How to differentiate your staff and your organization ...
Skills training value: How to differentiate your staff and your organization ...Skills training value: How to differentiate your staff and your organization ...
Skills training value: How to differentiate your staff and your organization ...
 
Learning ≠ Education: How people really learn and what it means for security ...
Learning ≠ Education: How people really learn and what it means for security ...Learning ≠ Education: How people really learn and what it means for security ...
Learning ≠ Education: How people really learn and what it means for security ...
 
Security awareness training - 4 topics that matter most
Security awareness training - 4 topics that matter mostSecurity awareness training - 4 topics that matter most
Security awareness training - 4 topics that matter most
 
Join the hunt: Threat hunting for proactive cyber defense.pptx
Join the hunt: Threat hunting for proactive cyber defense.pptxJoin the hunt: Threat hunting for proactive cyber defense.pptx
Join the hunt: Threat hunting for proactive cyber defense.pptx
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
 
How to do application security right
How to do application security rightHow to do application security right
How to do application security right
 
A public discussion about privacy careers: Training, certification and experi...
A public discussion about privacy careers: Training, certification and experi...A public discussion about privacy careers: Training, certification and experi...
A public discussion about privacy careers: Training, certification and experi...
 
Learn intrusion detection: Using Zeek and Elastic for incident response
Learn intrusion detection: Using Zeek and Elastic for incident responseLearn intrusion detection: Using Zeek and Elastic for incident response
Learn intrusion detection: Using Zeek and Elastic for incident response
 
Get started in cybersecurity in 2022
Get started in cybersecurity in 2022Get started in cybersecurity in 2022
Get started in cybersecurity in 2022
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
 
CompTIA network+ | Everything you need to know about the new exam
CompTIA network+ | Everything you need to know about the new examCompTIA network+ | Everything you need to know about the new exam
CompTIA network+ | Everything you need to know about the new exam
 

Dernier

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Dernier (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

CMMC case study: Inside a CMMC assessment (slide transcript)

Meet the panel
Leighton Johnson, Infosec instructor and CTO at ISFMT
Stacy High-Brinkley, VP of Compliance Solutions and Service at CASK Government Services
Jeff Peters, Director of Content Marketing at Infosec

Today’s webcast
⮚ CMMC assessment and certification process
⮚ CMMC assessment levels
⮚ CMMC assessment criteria and methodology
⮚ CMMC timeline
⮚ CMMC Q&A

CMMC assessment and certification process

OSC certification process
Organization Seeking Certification (OSC) details
⮚ Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored.
⮚ Plan at least six months to get your CMMC certification.
OSC benefits
➢ Certification valid for 3 years
➢ Can bid on DoD contracts where CMMC Level requirements are designated

CMMC model and assessment guides
Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) website
➢ CMMC Level 1 Assessment Guide (editable)
➢ CMMC Level 3 Assessment Guide (editable)
Other resources
➢ CMMC Model v1.02, its appendices and appendices in tabular form
➢ CMMC Model Errata v1.0
➢ CMMC Glossary (editable)

CMMC assessment process
Certification provides assurance of practices and processes
Certified Assessors use the same assessment methods for each contractor. Once a contractor is assessed and certified at a level, other entities (e.g., government sponsors and prime contractors looking to hire subcontractors) have assurance the certified contractor meets CMMC practices and processes.
Methodology the same regardless of size
The CMMC assessment methodology follows a data-centric security process that applies the practices equally, regardless of the contractor’s size, constraints or complexity. All CMMC levels are achievable by small, medium and large contractors.
Assessment scope pre-determined by OSC and C3PAO
Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued. Additional guidance on assessment scope will be available in the next version of the CMMC Assessment Guides.

CMMC domains and levels
The CMMC model measures cybersecurity maturity with 5 levels across 17 capability domains:
➢ Access Control (AC)
➢ Asset Management (AM)
➢ Awareness and Training (AT)
➢ Audit and Accountability (AU)
➢ Configuration Management (CM)
➢ Identification and Authentication (IA)
➢ Incident Response (IR)
➢ Maintenance (MA)
➢ Media Protection (MP)
➢ Personnel Security (PS)
➢ Physical Protection (PE)
➢ Recovery (RE)
➢ Risk Management (RM)
➢ Security Assessment (CA)
➢ Situational Awareness (SA)
➢ System and Communications Protection (SC)
➢ System and Information Integrity (SI)

CMMC Level 1
6 capability domains, 17 practices, 0 processes: Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC), System and Information Integrity (SI)
Level 1 of CMMC addresses the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21, which defines FCI as: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites).
DoD contracts that specify the need for a contractor to process, store or transmit FCI require the company to comply with CMMC Level 1 practices.

CMMC Level 3
17 capability domains (all of the domains listed above), 130 total practices (Level 1: 17, Level 2: 55, Level 3: 58), 3 total processes
CMMC Levels 1 through 3 consist of the security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; 20 additional CMMC practices; and 3 CMMC maturity processes for each of the 17 domains.
CMMC Level 3 addresses the protection of Controlled Unclassified Information (CUI), which the National Archives and Records Administration (NARA) defines as: Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

CMMC assessment criteria and methodology

Assessment criteria and methodology: Objects
Defined in NIST SP 800-171A Section 2.1. Assessment objects identify the specific items being assessed and can include:
➢ Specifications: document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
➢ Mechanisms: the specific hardware, software or firmware safeguards employed within a system.
➢ Activities: the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan and monitoring network traffic).
➢ Individuals, or groups of individuals: the people applying the specifications, mechanisms or activities described above.

Assessment criteria and methodology: Actions
Defined in NIST SP 800-171A Section 2.1. The assessment methods define the nature and the extent of the Certified Assessor’s actions:
➢ Examine: the process of reviewing, inspecting, observing, studying or analyzing assessment objects (i.e., specifications, mechanisms, activities) to facilitate understanding, achieve clarification or obtain evidence.
➢ Interview: the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification or obtain evidence.
➢ Test: the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.

Assessment actions: Interview
The Certified Assessor has discussions with individuals within an organization to understand if a practice or process has been addressed. Interviews of applicable staff (possibly at different organizational levels) determine if:
➢ CMMC practices or processes are implemented
➢ Adequate resourcing, training and planning have occurred for individuals to perform the practices

Assessment actions: Examine
Examination includes reviewing, inspecting, observing, studying or analyzing assessment objects (documents, mechanisms or activities). Documents need to be in their final forms (drafts are not eligible to be submitted as evidence because they are not yet official). Common types of documents that can be used as evidence include:
➢ Policy, process and procedure documents
➢ Training materials
➢ Plans and planning documents
➢ System-level, network and data flow diagrams
In other cases, the practice or process is best assessed by observing that safeguards are in place, by viewing hardware or associated configuration information, or by observing staff following a process.

Assessment actions: Test
Testing is an important part of the assessment process.
➢ Interviews tell the Certified Assessor what the contractor staff believe to be true
➢ Documentation provides evidence of intent
➢ Testing demonstrates what has or has not been done
For example:
➢ Contractor staff may talk about how users are identified
➢ Documentation may provide details on how users are identified
➢ Seeing a demonstration of identifying users provides evidence that the practice is met
The Certified Assessor will determine which practices or objectives within a practice need demonstration or testing. Not all practices will require testing.

Assessment findings
The assessment of a CMMC practice or process results in one of three possible findings: MET, NOT MET or NOT APPLICABLE.
➢ MET: The contractor successfully meets the practice or process. For each practice or process marked MET, the Certified Assessor includes statements that indicate the response conforms to the objectives and documents the appropriate evidence to support the response.
➢ NOT MET: The contractor has not met the practice or process. For each practice or process marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform to the objectives.
➢ NOT APPLICABLE (N/A): The practice or process does not apply. For each practice or process marked N/A, the Certified Assessor includes a statement that explains why the practice or process does not apply to the contractor. For example, SC.1.176 might be N/A if there are no publicly accessible systems.

Assessment findings: Inherited practices
A contractor can inherit practice or process objectives. A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.
➢ Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met.
➢ For each practice or process objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited.
If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a NOT MET for the practice or process.

Timeline of CMMC rollout

CMMC Q&A
➢ Are there any expenses associated with CMMC for Organizations Seeking Certification (OSC) that can be reimbursed?
➢ What is the status of ISO 27001 reciprocity, and how will this affect the appraisals for certifications?
➢ The industry has conflicting rules regarding CUI. If you go by the DoD CUI registry, it includes a lot. But we are not seeing the government mark many documents as CUI. Is CUI only the documents marked by the government as CUI, or are contractors also to mark their documents as CUI (e.g., proposals and such)?
➢ Per the CMMC assessment guide, Assessors must select two of the following three: examine, interview and test. Can they select to just examine and interview for a specific practice? If so, do they then collect evidence? Is evidence (screenshots, documentation, reports or tickets from a ticketing system) always collected to be sent to the CMMC-AB Assessor for review? How far back in time is evidence collected for: 3 months, 6 months, a year?
➢ Do businesses using M365 need to upgrade to MS Government GCC High (Government Community Cloud) to comply with CMMC Maturity Level 3 requirements?

Additional CMMC resources
CMMC career path: How to become a CMMC Certified Assessor
⮚ Available on-demand
⮚ Watch Now
CMMC rollout: How CMMC will impact your organization
⮚ Available on-demand
⮚ Watch Now
All Infosec CMMC resources: infosecinstitute.com/cmmc

About us
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. www.infosecinstitute.com