Відео

finally, a decent venn diagram! close enough to CMMC 2.0 to still be relevant...

Thank you!!

I am writing this in 2024 and automation is the fashionable IT alleged panacea. In my opinion, it’s the automated systems you must monitor even more than non- automated ones. All it takes is for someone to mess with the automated ‘trusted’ systems and processes including the automated alerts that are supposed to flag bad things.

You can audit a private contractor on 1 billion criteria, civilians are civilians. All it takes is one employee getting resentful with his/ her civilian boss… or him/her getting radicalised because he/ she has fallen madly in love with a gorgeous undercover agent.

Do you check what cloud services your contractors use? How does international legislation work with cloud services as the servers in datacenters where data is stored and processed might be in different states or even in different countries? I, obviously, don’t want to pry into your business, I am just trying to learn how law and governance work in the cloud business given their infrastructure, so any direction from anyone to general principles of (international) law would be greatly appreciated. I live in the UK that has Data Protection Law and GDPR but it’s not in Europe and neither it is in the USA. One big cloud provider has a region in South America paired with a region in USA (if I remember correctly what I tried to learn). I find it fascinating (I know I am weird 😄). Thanks.

When you do an audit, do you walk the floor ie physically work in various departments to observe any Post-it notes with passwords affixed to displays or staff not locking their screens whilst they ‘quickly’ go to pick up something from the printer?

0:01 😃 🎵 You use Microsoft (?)

10:27 What if the organisation has a PaaS cloud service and the organisation has decentralised management and data management structures?

Thanks for sharing. I have no clue what you’re talking about but I understand it’s about securing an IT system. I am trying to learn about IT stuff, so please bear with me. Why do you use ‘privilege’ only when you mean special privileges (above the regular user’s)? Should not all accounts have their privilege settings to ring fence and control potential damage that can be inflicted even by a user with a minimum level of access? Also, what about the newly employed (inexperienced and maybe on their probation period) who might make an unintentional but very costly mistake? Should they not have a Read- only access to the live system (and maybe full access to a safely contained sandbox) whilst they learn the system?

You missed some of the families and their control count when reading out the families.

Great information. Can the same type of diagram be acceptable to represent CMMC 2.0 diagram requirements?

Thank you for the video. I got two points: 1. You were referring to Level 1 & 3, while level 3 is not published yet. Did you mean Level 2 instead? 2. Shouldn't the Readiness Assessment @ 3:50 be done after the POAM, and before the implementation? I thought the goal of it was to assess whether we had everything in place to implement the missing requirements.

Great video. Can you please update the information with regards to CMMC 2.0?

Part 3???

website is not working

Thanks!

awesome!

Thanks for video. Do you have video instructions how to actually fill this out ?

Need to do more! These are good and needed!

Its 3:30am and I can't sleep, so I can to watch this video!

Really great video. Where can I find that PDF doc?

Did you ever publish part 3

Thank you for taking the time to share this, your work is appreciated!

I came here for maybe some additional context on why NIST used to have the minimum failures defined but now they don't. I found it eventually in Nist 800-63b and it's kinda completely different than the previous version of 800-63b. "No more than 100 failed attempts" and then separately, they have a usability section with "Minimum of 10 failed attempts allowed" as a usability concern. :/ I had read some summaries of the earlier versions and they seem to have just said Minumum was 10 and maximum was 100. I'm trying to be a change maker and this stuff is SPAGETTI!

Very good information, where can I download that template? or an updated one?

This was very helpful. You have a super super cool channel. I'm looking through all of your videos and I know I'm going to be going through quite a few of them in the near future.

Where do you actually download or access the NIST assessment? I can't find that anywhere. In order to get a score to enter, I need to take the assessment, assuringly.

The FAR was established in ‘74 not ‘47.

Is this video free to use or share? Great job and thanks in advance!

although the structure changed somehow in rev. 5, this video helped a lot to understand the concept - thx!

Website is not working

Despite my expectations as it's written in the title, I couldn't find any information on NIST 800-53 and had to listen to what I knew.

Fantastic Info! Thanks for making this!

Dude, why are you whispering?

Iziddoxoo

What if you perform a self assessment and attain a negative score? Should that score be submitted? Should you try to address most issues and redo test? Should you use negative score and generate poam? On average what do companies score?

Would you recommend any training on change management for NIST standards pertaining more specifically to Technical Writing or Documentation?

SSP (System Security Plan?? Where does this come from? We have worked with DOD for 30 years and never heard of this. Are they expecting us to create it from scratch We do portaspotties...

Is this for all DOD contractors?

Im bidding for a federal contractor for the first time and Im trying to register an account on the PIEE page. However, I am stuck on the "Location Code/CAGE" line of the roles section. Do I need pre-existing paperwork to register?

How do we come into which risk level to determine Low, Medium or High ?

Thanks for sharing the information

Do you need to upload a POAM and SSP, or just post the score into SPRS?

Great summary! Thanks sir

Very helpful: Thanks

This is a really great video. Thanks man I like all your stuff. Any chance you can share that template or let me know where it came from? I like the layout and thr look of it

Do you need the score of 110 to be compliant as a basic user for the DOD?

Do you know how long has the RMF has been in use by private organizations? I understand it was initially for federal use only but its now being used in the private sector. I ask because I just passed my ISC CAP exam, got my certification and im looking for jobs and I see a lot of clearance require jobs linked to the RMF, not many non cleared jobs in the private sector.

Can you explain, with an exampke if possible, of how controls are more "outcome based" and how that differs from before?

Really good explanation. Can you provide the URL to the NIST website you used in the video? I can't seem to find that web page! Thanks.