May 2, 2025 59 mins

Feeling overwhelmed by CMMC compliance and NIST 800-171’s 110 controls? You’re not alone — but you don’t have to be stuck.

In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down NIST 800-171 Revision 2 in plain English — no government-speak, no tech jargon — so you can finally understand what each control family means for your business.

You'll learn:

  • What NIST 800-171 really requires (and why it matters for your SPRS score)
  • How to tackle key control families like Access Control, Awareness & Training, and Audit & Accountability
  • The critical mistakes contractors make (and how to avoid them)
  • Why documentation is the #1 secret weapon for CMMC success
  • Real-world tips for manufacturing, machine shop, and aerospace contractors navigating CMMC Level 2

🔥 Don’t wait until an assessor says “No Soup for You” — build a compliance system that actually protects your business and wins contracts.

👉 Need help fast-tracking your compliance journey? 

Visit https://cmmccomplianceguide.com to download free resources or schedule a discovery call.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
Hey there, welcome to the CMMC Compliance Guide

(00:02):
Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.

(00:26):
Today's episode is your plain English breakdown of what those 110 controls in NIST 800-171 actually mean and how to stop being overwhelmed by them. Before we dive into control families, Brooke, can you give us the short version of what NIST 800-171 is and what even matters to our audience?

SPEAKER_00 (00:46):
Sure. So NIST 800-171, Revision 2, because that's the one we're talking about and what we care about, even though it's been superseded by Revision 3. And we've covered that in previous episodes, but we're sticking to Revision 2. So that's the foundation for CMMC Level 2 compliance. It really is all about protecting FCI and CUI.

(01:09):
CUI is the important part of that that you really need to pay attention to. And so if your business handles CUI as part of a contract, or potentially could, because some people don't ever get anything that's marked, of course, but you should have some DFARS clauses to look for. In any case, if you handle some of that CUI as part of your

(01:30):
contract, you're expected to implement NIST 800-171, Revision 2, in all of its full glory, and 110 controls. You're supposed to have all those implemented. By this point, the government says you've had plenty of time, and we just expect for all the costs to implement those to already be implemented.

SPEAKER_01 (01:48):
So they've got a contract that says they have to do it, and that's why it matters.

SPEAKER_00 (01:52):
That's exactly why it matters. And, of course, this is what your SPRS score, your SPURS score,

SPEAKER_01 (02:00):
comes from. Right, which is the self-assessment thing you have to fill out on Exostar or whatever other.

SPEAKER_00 (02:05):
Yeah, so it's on Exostar, of course. That's their kind of version of it. And SPRS, you actually enter it on the PIEE website. It's a DoD website where you go in and enter your CAGE code and your score and stuff like that. And that's where you officially enter your SPRS score or SPRS score, Supplier Performance Risk System, I believe is what it is,

(02:28):
but SPRS.

SPEAKER_01 (02:29):
All right. So since we're getting into the control families and we're trying to get it into plain language as much as we can. That's

SPEAKER_00 (02:37):
sometimes a challenge, by the way, getting into plain English.

SPEAKER_01 (02:40):
Yes.
More so than we bargained for.
Right.
And I'm going to put it on you.
Can

SPEAKER_00 (02:47):
you help us break it down in plain English? Right. You know, maybe... brick English or otherwise, you know, maybe a little bit of Texan or something like that. But yes, we'll break it down into as much plain English as we can.

SPEAKER_01 (03:00):
More understandable than the government does. Hopefully. We're trying to. Hopefully. These controls in the families, they're basically the federal government wants you to have as operational habits, right, that are supposed to reduce your risk in handling their information. And for small contractors, it's about implementation that

(03:24):
fits into your workflow without overwhelming the team. Can you start with access control and try and break that down in plain English for us? Sure. We'll start alphabetically because that's how NIST does it.

SPEAKER_00 (03:35):
Access control really is who can access what and all the other details that go along with it. You're looking at role-based permissions. You're looking at individual permissions, not groups. You can't say the shop is accessing this or the engineering team is accessing this. It has to be Joe or Bob or Sally or George or whoever.

(03:57):
You have to know who is accessing that information. So it has to be individualized accounts. It cannot be shared accounts. You can't just have one drive that is open to everybody. Even if you say this is all CUI, you really need to have it divided up and, you know, Joe can access this. Sally can access that. They can't access what each other needs to, unless there's a

(04:19):
good business reason for them to do so. But just because it's easier to say, you know, here's all of it, is not a good reason to do that. You have access control for a reason. You need to control that access and make sure people have access to only what is needed to perform their job.

SPEAKER_01 (04:35):
And I think it's a couple intentions there is you have, you get to see who accessed what, when, right? And then you also have the just restriction of people not able to access things they don't need to, which is supposed to limit the scope of the risks.

(04:58):
Like if their account got hacked, then it keeps that sprawl from going too far. Is that right? Is that the intention behind it?

SPEAKER_00 (05:06):
It does, yes. If their account gets hacked, then they can only get access to part of it. You've got to remember that this really is because, and we'll pick on China because they're easy to pick on, but this is really because if you go look at Humvee or the Joint Strike Fighter or several other things, China has some stuff

(05:26):
that impressively looks a lot like our Humvee and a lot like our Joint Strike Fighter, stuff like that. And it wasn't just by chance. It's because they broke in and stole all the stuff. So the government is saying, look, no more. We're going to protect our warfighters. We're going to protect our advantage. And we're going to do that by protecting this data.

(05:49):
And it really all boils down to that's the government's data, and we need to keep our advantage everywhere we can. And that also does protect the warfighters. So that's really why they're doing this. I'll get off my soapbox there, but that's why they're doing this. Access control is very important. Only, you know, think about least privilege.

(06:09):
Least privilege means that you only have the access that you need to complete your job. You don't have any more. In other words, you don't want your shop people accessing all the HR files, right? So you wouldn't want Joe seeing that Sally makes eight times what he makes, you know, or whatever it may be. And a lot of people will control that, but then when it

(06:32):
comes to CUI, it's just like, well, it's all CUI, you know. And actually, more than that, a lot of times the thought is, well, it all comes from our vendor and, you know, everybody needs access to it. Well, they don't really need access to every bit of it. Some of it's contract information, some of it is part information, some of it, you know, so you can divide up that access to only who needs

(06:56):
access to those specific parts. Is it a pain sometimes? I'll admit it's a pain, but you do need to divide that up and figure out what the least amount of access is that you can give. It also goes to admin privileges for configuring the system as well. Do you want your local users to be able to install their old

(07:17):
programs? Well, you may want to, but the correct answer is no. You don't want your users to be able to install programs and admin their own system. It's a simple one. They should not be local admins,

SPEAKER_01 (07:28):
for instance. It's coming from Uncle Sam, not from us.

SPEAKER_00 (07:32):
Right, yes.

SPEAKER_01 (07:33):
Sorry to spend so much time on this one, but this is a popular one. And say, like an aerospace manufacturer, a very common practice on the shop floor is to have computers. They're shared. You've got shared accounts. It makes it easy. They'll go grab a program or enter a job code or something, whatever they need to do. And then

(07:55):
travel their machine, do their thing. They can't use shared accounts anymore, you're saying. Right. How would they handle that?

SPEAKER_00 (08:02):
There are several ways to handle that, but you really need to have individualized accounts for several reasons, but for compliance, you have to have it to access CUI. So you can argue what is CUI and what is not CUI. I can't remember what they call the data points, but the instructions for the CNC machines, they're just

(08:23):
Basically, they're basically just instructions on what to do and the points where the machine goes to do that. Is that really CUI? We can argue that point, but if you have to argue the point and you have to bend over backwards to figure out that you don't

(08:43):
think it's CUI, then is an assessor going to agree with that? Yeah. I would have a tendency to err on the side that says, yes, go ahead and treat it like CUI. Yes, that does throw a monkey wrench into things because you want to have shared accounts and all that kind of fun stuff. Then you've got to protect that data. Those machines don't necessarily... there's a whole can of worms

(09:07):
there. But the point is, you really should access any of that data with an individualized account and no shared accounts. And you should, as much as possible, just get those shared accounts out of your system altogether. It's never... even outside of CUI and CMMC compliance, it's really

(09:30):
not a good idea to have shared accounts anyway. I understand why it makes things easy. But when something happens, trying to find out who did it or whatever, it's impossible to find out what happened, right? So exactly. And I can tell you that a lot of times when something happens,

(09:51):
people are like, well, we're going to give everybody their own accounts. Well, that's probably what you should have done from the beginning. But yes, no more shared accounts. Like I said, that's a big thing in machine shops. But it's just not a good idea. And not compliant.

SPEAKER_01 (10:07):
Everyone on the shop floor needs their own account, needs to log in to the computer on their own account, or if the computer's locked down, like a kiosk mode, whatever data entry or time clock machine they have, within that program, they need to have their own account as well.

SPEAKER_00 (10:21):
Yeah, if it doesn't have anything to do with CUI, it's just... now, if you clock in to a certain job, you want to know the individual that's clocking in and doing the work, so maybe, it depends on where you're authenticating, right, and what you're authenticating with, but at some point, you need those individualized permissions. And if you're logging in to clock in to a job, that job is

(10:44):
going to have a job number. It may have some CUI associated with it. In any case, that should be an individualized account. But to access it, if you're not accessing any other CUI because that's where you would authenticate, then maybe you don't have to log into that machine with an individual account. But also, to back up just a little bit, if there is on a

(11:07):
machine that you access CUI but some people need to log in and not access CUI, or if you have a shared account, it's okay to have a shared account. You just have to do your proper access control and make sure when they log in with that shared account, they can't access any CUI.

UNKNOWN (11:24):
Mm-hmm.

SPEAKER_00 (11:24):
So there may be things I need to do that don't deal with CUI. And it's okay. You can use fast user switching for that. But if you can access that CUI from that shared account, that's not a good thing. And again, access control.

SPEAKER_01 (11:40):
So moving on to this next one is a little less troublesome, I think, for people to implement, but far less popular. Or maybe it's not less popular than access control, but it's certainly not one of the more popular ones, which is awareness and training. Can you break that down, what needs to happen there, and some

(12:00):
plain English on that?

SPEAKER_00 (12:01):
For awareness and training, looking at role-based training, you're looking at risks associated with their roles. So you need to have training for those people for their roles. You need to have cybersecurity training for risks that may be apparent in their job. And you need to keep track of it.

(12:23):
And actually, it reminds me about access control, but I'll go back to it in just a minute. So you have to keep track of all that. You have to prove that you've been doing this training. Not only that, there's DoD mandatory CUI training, and you need to keep track of it. If you use the government's website for that, you get this little PDF. It's all great. It gives you a little certificate that says, good job,

(12:45):
you just passed. And then if you don't do anything with that PDF, there is absolutely no tracking required. The government doesn't save anything. There's nothing else. So you've got to save that PDF somewhere to prove that you've taken that training. It makes it kind of a pain in the rear. But if you're going to do that for your mandatory CUI training,

(13:09):
you've just got to remember to save that PDF. Shocking that they don't make that easy for you. Right. So it is a way to accomplish that CUI training. You've just got to keep them in a central spot. Yeah. Keep them logged and all that kind of fun stuff. I think

SPEAKER_01 (13:24):
the main thing is the documentation. I think what you were saying there is being able to prove you've been doing it is, don't listen to DoD, but far more important than the training itself. The training is obviously important, but in terms of getting certified for the people out there listening, you can do the training all day long and be learned on it. But if you don't have documentation, it doesn't

(13:46):
freaking matter.

SPEAKER_00 (13:46):
Absolutely. You've got to have that documented. CUI is all about control and access, managing that access, meaning ongoing management, and then it's about being able to prove that. So those things are themes throughout. And so to go back to access control, not only do you need to

(14:07):
do all the stuff with access, I won't beat that dead horse anymore, but not only do you need to do all that with access control, but you need to be able to prove it and you need to document it. You need to document who's authorized, what devices are authorized, because access control is devices as well. Your computers, your smartphone, if you use a phone to access it,

(14:28):
and that's a whole nother can of worms. But it's those devices, anything that accesses CUI: person, service account, application account, laptop, whatever it may be, needs to be listed and authorized. It's signed off on that, yes, you do authorize these things.

(14:49):
Again, documentation. I've always said documentation, documentation, and documentation. What is it? Documentation. Oh, okay. Sorry, I forgot. But there's a ton of documentation that goes with this. That's throughout every one of these families, every one of these controls. So you've got to document everything to go along with your access control as well as your awareness and training.

SPEAKER_01 (15:12):
CMMC is full of gotchas. Bet you all didn't know, a lot of manufacturers and stuff out there. Your computer has an account too. A lot of people don't know that. So, like, you have an account to log in to the system, but your computer does too. And you have to manage that. Who would have thunk it? Right. Yeah. Absolutely. I guess it's IT people we know.

(15:33):
Right.

SPEAKER_00 (15:34):
You also have to go a step further. You have to list all of your... anything that touches a network, anything that you might have on the network, you have to document all of it. Switches, access points, firewalls, you have to list all of it. Mm-hmm. And it's got to be a certain type of resource,

SPEAKER_01 (15:50):
CUI asset or whatever. Which is why we always say documentation is the most burdensome part of compliance. All right, moving on to audit and accountability, that control family. Can you break that down in plain English for us?

SPEAKER_00 (16:04):
Logging is important. The proper logging is important. So you've got to make sure you have the proper logging turned on on your firewall, APs and switches, especially on servers and computers, workstations. You've got to have the right logging turned on, you know, who accesses what, when is what you're trying to get to.

(16:26):
Also, who accesses admin functions and when and what did they access, right? You need to be able to log all that. And it's all pretty easy to log, right? But then you've got to protect those logs. So how do you protect them? Really, you get a SIEM to ingest all those logs and keep them somewhere where they can't be deleted. And then you give only a

(16:50):
again, this goes to access control. You only give people who need access to that logging, which are going to be the admins or maybe, depending on how big your team is, a subset of those admins. So only certain people can have access to that logging.

(17:10):
So it's got to be protected. You've got to be able to log all that. And you've got to keep that for at least 90 days. We like to keep those logs for a year. Part of that is, well, it's really to go back and be able to find things that have happened. Forensics. Forensics, exactly. In our job every day in IT,

(17:33):
you try to figure out a problem, it's like, well, go look at the log. See what the log says. You go look at the application log, security log, system log. You go look at the server. You go look at whatever it is. You look at the logs and try to find an error related. So it's the same concept. Any access you need to be able to look up and see if something

(17:55):
goes wrong, this is where it went wrong at, and this is how it went wrong, and this is what happened afterwards, et cetera, et cetera.

SPEAKER_01 (18:01):
Yeah, and fun, another little fun, dirty little secret of IT is that log times, those logs don't exist unless you turn on the logging capability prior. So if you've never turned it on, you can't look at them.

SPEAKER_00 (18:14):
Yeah, by default, Windows doesn't have everything turned on necessarily that you need, so you need to go enable the rest of those logs. Same sort of thing with other systems. You've just got to make sure that those items you need logged are turned on. So you do have logging turned on with most systems. It's just not always enough. Sometimes it is. Most of the time you need to go in and tweak it a little bit.

SPEAKER_01 (18:36):
Yeah, so logging seems like a simple task until you dig in that you have to protect it and turn on all these extra things and everything else.

SPEAKER_00 (18:44):
The other thing that I will say that a SIEM helps with is sorting through all that data. Back in the day, in the early days for me in IT, I guess I'm kind of a dinosaur, but there are people that are even more dinosaur than me. I could look through a log pretty easy and find stuff. I didn't know

SPEAKER_01 (19:01):
abacuses had logs.

SPEAKER_00 (19:03):
They do. An abacus has an abacus that's a log for it. But you can look through logs and find stuff pretty easy. And you still can look through logs and find stuff. But when it really comes to forensics, it's harder these days than it used to be. And even network traffic. I used to be able to sniff some network traffic and be able to

(19:24):
tell pretty easily what's going on. In fact, I've found some infected machines that way before. But these days, that's really hard to find with network sniffing because a lot of the stuff is encrypted. The traffic is encrypted. The data inside the traffic is encrypted, so you can't

(19:45):
necessarily see what's going on. But anyway. All that just to say there's a lot that goes on in those logs, and there will be tens of thousands of entries for you to have to go look for and search for things, and it's a lot easier to get a SIEM that will help you with popping those alerts. It's also a lot easier if you have a SOC team, a Security

(20:08):
Operations Center team on the back end, and there's caveats to that about what you can use and what you can't. Even with a SIEM, too, you've got to be compliant. But if you have a SOC team on the back end that are actual real security, certified real security experts that do that 24-7, they can definitely find more than you can.

SPEAKER_01 (20:26):
And what you're talking about there is that there are vendors that you can pay that will either use your application, the SIEM you bought that aggregates all your logs. They'll either provide that or use yours and then look through it. So you don't have to actually hire the people in-house. Correct. You can kind of hire them fractionally, if you will, kind of like an accounting system. Exactly.

SPEAKER_00 (20:45):
I would argue that you need those people because as good as IT people might be, as good as your best engineer might be, and I'm an engineer and architect, but I realize I can look through the security logs and I can find a lot of stuff. Just a quick anecdote about this. Some of you may know about it. The Right of Boom, I went to that. They have some pre-day contracts

(21:06):
learning classes. And so I went to one of those, I think it was a life in the day of a SOC analyst or something. Right. And so you have a, they give you a scenario and then you split up in teams. I'm pretty proud of what I can look through and find. And I feel pretty good about myself. I realize I'm not a rocket scientist. Okay. But I feel pretty good about my ability. So we go through this, we do pretty well.

(21:28):
Our team gets second place and we figure most everything out. We're feeling real good, you know, like what we did, you know. And after they get finished announcing results and everything, they say, oh, by the way, this case was so easy, we almost never see this in the wild. That made us deflate pretty quickly. But things are a lot more obfuscated than a lot of people

(21:52):
give it credit for. So when something really goes wrong, it's obfuscated, hard to tell, hard to see. There was, not to chase another rabbit, but there was a cybersecurity alert, because we have to stay on top of those, you know, of a new malware, and one of the obfuscation techniques it uses is it uses some characters that look like

(22:12):
blank spots, and so you don't see the command because it's out of your vision, and so you just don't see it and you don't go, oh, what's all that blank spot for, and go figure it out. It just escapes your immediate cursory view when you go past it. But a SIEM will catch that, a SOC team will catch that, where you may not. So anyway, that was my point about all that. It's

(22:33):
hard and you need some help doing it.

SPEAKER_01 (22:35):
Yeah, so I think the point there is that if you have an IT person, they're probably busy fixing the printers or the email that's not working and the things they're getting yelled at about. And if you have a quality person that you call your IT person, they're probably even busier because they're doing two jobs. The last thing they're going to do is look at the logs.

SPEAKER_00 (22:52):
Not only that, but you probably assign both of those, the IT person and the quality person, you probably assign them the job of making sure you're compliant with CMMC. So they're busy with that and they're not going to be able to look through those logs. They have even less time to do that because they're trying to make sure you're compliant.

SPEAKER_01 (23:09):
And that's assuming you haven't given them a drinking problem because of all the problems. That's true. Yeah. All right. So moving on to configuration management. Can you demystify that one for us?

SPEAKER_00 (23:20):
So configuration management is just basically you have to have a baseline for your systems, and that's your workstations, that's your servers, that's your network switches, that's your firewalls. You have to have a baseline. What is your baseline and what is your baseline configuration for those, and do they meet that, and how do you manage that? Again, there's that word. You've got to manage it.

(23:40):
How do you manage that and how do you show that they're still in compliance? So that's what configuration management is about. You have to manage that change somehow. How do you manage that change? You've got to be able to prove that you do that. And a lot of times it's going to be, you know, you start with a brand new build on, we'll just say workstations, that's easy, okay? So I guess you can start with a firewall too.

(24:02):
But anyway, you start with a brand new build. You don't start with a vendor's build. You start with a brand new build, whether it's an image, whether it's a scripted install, whatever it may be, brand new. You set your security, you set your basic settings. You have a list of, again, documentation. You have a list of what your settings are. And then you have maybe GPOs that apply or Intune policies

(24:26):
that apply. And, yes, those have to be documented. They're documented in Intune or they're documented in your GPOs. But really, to make it better for your assessor and for yourself, it's probably good on a, whatever basis, to export those and document those and put them in with your GRC platform, your governance, risk and compliance platform, whatever

(24:48):
you use. It's good to keep that in there.

SPEAKER_01 (24:50):
This is something that if you're DIYing as someone who's not an IT person by trade, it is really hard because it's not anywhere close to natural. You're used to: get it up and running, get in production, you're done. Even for IT people, same thing. I mean, get it going, you're done. This is really, ultimately, a documentation requirement that

(25:11):
is needed and most people don't do. And it's skirted over because it, again, is burdensome to have to do all this, you know, what essentially is paperwork, a digital version of paperwork, to put together a configuration baseline and all that. So it's not natural. It's one you're probably going to miss. You're not very intentional about it.

SPEAKER_00 (25:33):
IT teams or people generally fall into categories in this. Most IT folks are going to keep some sort of standards on all our machines. Promise all

SPEAKER_01 (25:43):
the standards are going to be

SPEAKER_00 (25:45):
up here. That's exactly where they're at. They cannot be documented in your mind. They can, but then you have to regurgitate those on paper. So most IT folks are going to have some sort of standard, and they're going to say, of course we have a standard. Well, what is it? Well, we have this, we have that. What kind of standard does it follow?

(26:05):
So you have to document those. You have to say why you're doing that. And then the other part of that is procedure. You know, how do you go about that? And really, when you get into procedures, then that's where you can beat up your deployment and it's not necessarily burdensome because you've already documented it. This is your procedures. This is how you do it.

(26:26):
You get that machine, do a scripted install. There's Active Directory, for instance, and it pushes all those policies out. So it doesn't have to be hard. It just has to be documented and you have to know what that baseline is and what that configuration is.

SPEAKER_01 (26:38):
Let's move on to the next one. Identification and authentication. So

SPEAKER_00 (26:42):
for identification and authentication, it works closely with access control, of course. You need to be able to identify accounts, the people, the computers, whatever it is. You need to be able to identify those accounts, need to authenticate those accounts, and you need to have some password policies. Passwords have to meet certain qualifications. Multi-factor authentication falls in there also.

(27:02):
There's all sorts of other things that go along with that. Basically, you've got to prove who it is logging on, you've got to authenticate them logging on, and you've got to provide multi-factor authentication. And multi-factor authentication, if you access CUI over the network as a normal user, or if you access anything remotely, which would be any cloud services too, or VPNs, if you do

(27:26):
any admin activities, all those things need MFA. So really what that leads to is everybody has to have MFA for everything, right? But now if you have all your CUI on your local computer, then really technically, and you don't access any cloud applications, you don't access the network, anything like that, I guess really you don't have to have multi-factor authentication

(27:49):
except for the admin functions on there. Most people have a server or something, SharePoint or whatever. So you've got to have, and that would be GCC High SharePoint or I guess PreVeil or XSR or whatever. But anyway, you've got to have multi-factor authentication.

SPEAKER_01 (28:06):
I think I hear the pitchforks coming. Yes. Everyone hates multi-factor authentication. And you're saying that I have a server and I'm in my shop and my drawing is on the server and I access it from my computer. I have to use multi-factor authentication to get that drawing? Yes.

SPEAKER_00 (28:25):
Now there's arguments about that. Where do you feel the assessors fall on that argument? Well, there's argument between assessors too. But I think mostly assessors are going to fall on the fact that it's over the network and you really need to have multi-factor authentication. But I have had assessors say, I'm like, hey, I've got it. It's just on the server. It's on the local network. It's not remote.

(28:46):
It's not on a separate subnet. It's on that network. That's really not what it says. But the assessor is like, well, if you have it in all the other instances here, then I would pass you. I would be careful with that. And multi-factor authentication, it's not hard to implement. It's not expensive to implement. The other caveat or the other note I might put on this is that

(29:09):
Windows Hello can meet that multi-factor authentication. A couple of caveats to that. You want to make sure you meet them, but Windows Hello can meet that multi-factor authentication for you.

SPEAKER_01 (29:23):
Microsoft is helping you for once.

SPEAKER_00 (29:25):
I wouldn't necessarily go that far because they make it very confusing. The reason I say it's confusing is if you're looking at, you know, can you use Windows Hello? Look at Windows Hello for Business. So there's different things. And then there's, you know, what else do they do that with? Surface for Business.

(29:46):
They have different things. Everything, pretty much. And then something for business. OneDrive. OneDrive for Business. OneDrive personal, you know. So anyway. But Windows Hello for Business is what you'd want to look for, and look up the caveats. So you're

SPEAKER_01 (29:59):
saying when you Google it, type in Windows Hello for Business, not Windows Hello.
Yeah.
I think this is one of those things, like, if I'm– in my office, my server is physically in my office and I'm accessing it from my laptop, having to have MFA. MFA is one of those things where it doesn't really have to make sense or, like, be reasonable. It's just what makes it compliant, right? So, like, whether

(30:22):
you agree with it or not and whether there's justification for that being the case, you know, one of those things that doesn't matter, because compliance is compliance. It's not necessarily the same as what makes sense and what's secure. And again, it depends on, you know, what the assessor decides and where they fall.
So next is incident response.

(30:43):
What do you have there for us?

SPEAKER_00 (30:44):
Oh, this is the one you would never want to have to deal with.
You have to have a policy.
You have to have a written plan and know what to do in the case of an incident.
And what does that... now the government, take that definition of an incident.
So if you have an incident, this is what we do in case of an incident.
It's got to be reported right now within 72 hours.

(31:05):
That might change to something different.
Right now, you've got basically three days to report.
And it's three days, not three business days, just so you know.
If it happens on a Friday afternoon, the weekend counts.

SPEAKER_01 (31:20):
It's not really three days.
It's 72 hours.

SPEAKER_00 (31:23):
Yes, it is 72 hours.
So just keep that in mind.
And that bar may be changing lower.
I absolutely do not agree with, and a lot of people don't, but the government is the government.
So we'll see where that ends up.
But so you've got to have that plan.
You've got to have definition of an incident.
You've got to know how to report it.

(31:43):
who to report it to.
There's a certificate you have to go out and get, medium assurance certificate, to put on your computer to be able to report those incidents.
I can guarantee you that if you wait until you have an incident to get that medium assurance certificate for your computer, you will not report that incident in time and you will be behind that timeline.

SPEAKER_01 (32:02):
That's something you have to go get from the DOD.

SPEAKER_00 (32:06):
It's a certificate that you have to buy.
It's a little encrypted... encrypted certificate that you put on your computer and register on your computer that when you go to the DC3 website to be able to report an incident, it'll recognize your computer and say, oh, okay, we know who you are.

(32:27):
Now you can log in and create an incident.
So what

SPEAKER_01 (32:31):
happens if that computer is compromised?

SPEAKER_00 (32:33):
Well, you have a backup.
Okay.
You should have– you should not have one.
You should have more than one and at least two– Maybe more.
But also, those are kind of hard to go find after the fact if you didn't document it.
Again, documentation.
But if you didn't document where you put those certificates and who has them and you forget.

(32:54):
or they change computers, then you'll have no clue and you won't be able to report that incident.
So document that somehow.
Notate that computer that it's an incident reporting computer.
So if it gets changed out or something, that you need to move that.

(33:14):
Mm-hmm.
probably buy a new certificate.
But anyway, that you need to take care of that.

SPEAKER_01 (33:18):
I feel like they should have done a hotline that you call and they ask you who your childhood girlfriend was or your childhood dog or something.
It would have been a lot easier just to have a phone

SPEAKER_00 (33:27):
number.
It would be a lot easier.
The funny thing is those security questions that banks like to ask you and stuff, that has proved to be one of the least secure ways to secure your account.
Because

SPEAKER_01 (33:37):
it's public information.
It's things

SPEAKER_00 (33:39):
you know.
You post on Facebook, I missed my first dog Snoopy or whatever it may be.
Other thing with incident response you have to do is you have to, the plan, the policy and the plan that you develop, you have to test that.
You have to come up with some scenario that pertains to, you know, an incident and test that, run

(33:59):
through the steps and make sure that your incident response plan addresses that and does that, it does what it needs to do. And what I can tell you is, you know, come up with different ones every time you do this, and you'll have to, I have no doubt, you'll have to tweak it. That's okay, tweak it, and, um, you know, make sure you document and save your, uh, your latest version.

(34:22):
So again, if you have a GRC platform, that's where the latest version, the live version will reside.

SPEAKER_01 (34:29):
Yeah.
It's also understated that if you actually do have an incident, like, forget all the DOD compliance stuff.
Um, say you get hacked and it's your business and money's on the line, having an incident response plan, something you, like, uh, a game plan to actually execute on.

(34:50):
It's really understated how much that helps.
Get you, hedge the issues, risks, money loss, and get you taken care of.

SPEAKER_00 (35:01):
And to go a little further on that, your incident response plan, surprise, surprise, should not be solely about compliance.
Your incident response plan and procedure will also involve contacting your insurance company, your attorney, whoever else.
Is there a forensics team that you have on retainer?

(35:22):
Probably not.
But is there one that you have that you've talked to that you know you'll use in an instance like this?
All that needs to be documented.
And you need to have that idea, the idea of what you're going to do with... Just another quick anecdote.
An incident is also described as a potential incident, right?

(35:43):
I'll just use an email incident because it's happened before.
We had a client a while back, a great client we love to death.
This was back a few years ago.
Tried talking them into MFA on their email, and they were like, that's too tough.
We don't want MFA on our email.
We don't keep CUI in there.

(36:05):
And I was like, well, you know, some people send you CUI through email, and they shouldn't, we know, but that happens.
And they're like, well, but our policy is we don't have CUI on email, so we're not going to put MFA on it.
Like, well, we really highly suggest you do.
Anyway, long story short– They didn't want to do it.

(36:25):
So there was some credentials out on the dark web from one of the employees, and they got logged into their account.
They created a forwarding rule, and, of course, we got notified immediately, right?
And so really in the end, this hacker was– I say hacker in

(36:48):
quotes.
I guess it's– Not in quotes if they actually got into their account.
Anyway, but they got into their account.
They created a rule that would divert all the replies to that fake invoice into a certain folder.
They created rules to hide their tracks and then forward all the fake invoices, the replies and whatnot, to their own email

(37:09):
address, which they– I can't remember on this particular one where they created a similar domain, but that's a common tactic– You know, all this fun stuff.
And we got alerted.
We called them and said, hey, Billy Bob, you know.
Billy Bob was not really his name, just so you know.
No, no.

(37:31):
Hey, Billy Bob, you know, hey, there's some weird activity going on on your account.
Did you create a forwarding rule, you know, to do this?
No, I didn't do that.
And, hey, I'm getting, I'm getting some calls, you know, that I haven't had, somebody call me and say, I sent him an invoice and I didn't send anything out.
We were like, oh, all hands on deck, you know?
So we, uh, we found what was going on.

(37:52):
We bumped that person out, that hacker out.
Like I said, he only had access for like 15 minutes.
Uh, but, uh, that's an incident.
And so we said, look, this needs to be reported, this, that, and the other.
And before they could get to the point of where they reported it, one of the prime contractors they worked with reported it.

(38:15):
And then they were this close to losing their contract, and we had to jump through it.
We had to jump through so many hoops to prove that we had going on, that we had everything secure, all that.
So we had to jump through a lot of hoops.
Even though everything ended up okay, we had to jump through a

(38:36):
lot of hoops, spend a lot of time, a lot of documentation, a lot of proof, and a reputation hit for our client.
We had to go through all that with them and help them out.
What I can tell you is immediately after that happened, I said, hey, how about implementing MFA?
And they said, now, let's do it now.
So that helped push that forward.
Also helped push forward some other things we wanted to do.

(38:58):
But that is just a quick anecdote.
It may not be only your choice because if something like that happens, an incident just isn't somebody hacking into your computer and accessing that CUI.
It may be somebody accessing your email, which is a cloud platform, and so not a fake invoice or, you know, the other

(39:19):
fear is, of course, accessing CUI that's somewhere on your Microsoft 365 platform, SharePoint, OneDrive, you know, something like that.
So anyway, it's not always your choice whether you think it's an incident or not.
Look at the definition of an incident, and if it's an incident or potential incident, then it needs to be reported.

(39:40):
It's scary, but if you take care of business, you'll be fine.

SPEAKER_01 (39:45):
Yeah, they've built the framework to expect incidents.
So if you handle them correctly, then you don't have to necessarily be scared of them.
It's whenever you mishandle them that you have negative consequences.
Maintenance is up next.
What do you have on that one?

SPEAKER_00 (40:03):
There's a few areas, but you want to be able to show that you perform maintenance on your systems, patching updates, stuff like that.
Again...
What did I say?
You want to be able to prove that?
So you want to do it, of course, but you want to be able to prove it.
And that's through– for us, that would be through tickets that are open.
That would be through, you know– our policies and plans and

(40:28):
authorizations, stuff like that.
But it's also on systems that you allow people to come in and work on.
You know, they come in, they sign in, you have your copier folks come in, they need to do work on the copier.
They come in and do that work.
You know, do you shadow them?
You know, what do you do?
The correct answer is yes, you escort them.

(40:50):
And anything that they need to plug in is verified first, all that kind of fun stuff.
But you need to perform maintenance, and you need to make sure that all the tools that you use to perform maintenance are vetted.
And you have to prove all that.
It has to be documented.

SPEAKER_01 (41:07):
Next is media protection.

SPEAKER_00 (41:10):
So for media protection, that's electronic media and physical media.
So for electronic media, anywhere that CUI resides has to be encrypted.
So it has to be encrypted at rest, which is on a hard disk resting somewhere, or a USB stick, anything, wherever it's

(41:31):
at rest at, it needs to be encrypted.
But it also needs to be encrypted in transit.
So wherever it goes to and from, it needs to be encrypted.
And the next leg to that is if it's CUI and it's encrypted, it really needs to be FIPS 140-2 or 3 validated encryption, not

(41:54):
compliant.
I go round and round with vendors with this all the time.
Our encryption is FIPS 140-2 compliant.
Well, that's nice.
So to be able to use it in this program, in this compliance, it has to be validated.
Is it validated?
What's that?
So in other words, it's in the CMVP database.

(42:17):
You can go look it up, and it's got a module that has been validated, and you have to, again, you have to document that module that you use for encryption or that the program uses for encryption.
I like Windows.
Windows is there.
That's another story.
Windows 11, Windows 10, and Windows 11.
That's a whole other story.

(42:37):
We won't go there.
Windows 2009, 2019, 2016, you know, they're in the CMVP database.
But it's got to be encrypted.
Now, as far as physical media goes, it's got to be protected as well.
I know a lot of manufacturers have travelers that they use.
You know, they print some CUI out or whatever.

(42:59):
whatever it may be, whatever the CUI may be, they print it out and they carry it to the station.
They do their work and they go put it back up.
So it's got to be protected.
If it's out somewhere and you're using it, you're using it and it's okay.
You've got to be able to see it.
Right.
But if you walk away, you're supposed to cover it up and to where nobody else can see it.

(43:19):
So it's, which only makes sense, but you should cover it up.
When you're not using it, when you're finished with it, it needs to go in a secured place, which usually means a locked room or a locked filing cabinet.
That's usually what that means.
So you've got to make sure that is secured.

(43:40):
You've got to make sure that only the people who can access it can access it.

SPEAKER_01 (43:44):
So what do, like, for example, most machine shops have USB sticks.
They go stick in a machine, stick in a computer, you know.
How do you handle that if you have to encrypt it?

SPEAKER_00 (44:00):
Well, there's several different ways to work with encrypted USBs.
You can...
You can encrypt them with BitLocker.
Easy solution.
Always compatible with older machines that you may need to transfer that information to.
Operational asset.
What we've found that works well is there's some USBs that are...

(44:22):
The USB itself is FIPS 140-2 or 3 encrypted.
And it has a little keypad on it.
So when you need to use it, you can plug it in, press your... unencryption key, and it'll make that USB available to the operating system.
It's nothing beyond that to the operating system.

(44:44):
It's nothing special.
It's not BitLocker encrypted where that operating system has to be the right version to read it.
It just has to be able to read that USB.
And if it can do that, then once you unencrypt it, it unlocks it, and that system can see it.
That's been shown to work really well.
Mm-hmm.
Be forewarned, those are not cheap.

(45:06):
So you're looking at, you know, 150 bucks each, you know, something like that.
But

SPEAKER_01 (45:11):
if, I mean, as machine shop, people know it all comes down to the aggregate time, right?
So if you're fighting an encrypted USB stick or something like that where it may be an expensive USB stick, if you're adding all the time it takes to run that job, personal walkover, fuss with the encrypted device, it might well be worth the money

(45:31):
because you get operational efficiency out of it.

SPEAKER_00 (45:34):
You do.
You get operational efficiency.
You also get peace of mind knowing that that is encrypted and there's no question about it, right?
Mm-hmm.
It's also

SPEAKER_01 (45:44):
easier for a programmer to run a– sorry, not programmer, but machine operator to remember a code.

SPEAKER_00 (45:55):
You just got to tell them, punch in the code and it'll work.
As opposed to, hey, when I plug it in, nothing works.
You do follow– BitLocker encryption is pretty easy, but it does have some problems trying to work with it with different versions and different older computers and specialized

(46:16):
computers and stuff like that.
So we'll run into some issues with that.
Or your very expensive machine you don't want to replace.
Yes, some of those machines are very expensive.
The other thing I would say, again, as part of documentation– Not only in your system security plan do you have to define your

(46:37):
data locations, which is physical and electronic, but you need to... have an authorized list of, if you use USBs, is USB.
And, you know, any filing cabinets or whatever you might have.
All

SPEAKER_01 (46:54):
right, up next is personnel security.
So does that mean you have to hire security guards to go around your building?

SPEAKER_00 (47:03):
Well...
Might not be a bad idea, especially depending on where you're located at.
But what that really means is you have to screen your employees.
Then you also have to do that screening every so often.
You have to schedule it every so often.
So all of your employees, when they're hired, or if you already have a bunch hired, you have to go conduct the screening on them

(47:24):
so you have that.
Then every so often, every... however many years you say is what you

SPEAKER_01 (47:30):
have to do.
So you get to create the standard, but you should probably write the standard down as to where the bar is because that

SPEAKER_00 (47:35):
really matters.
Absolutely.
And you have to document all the stuff that you do.

SPEAKER_01 (47:38):
Right.
So that will also help you from a legal perspective as well.
So make sure you do that.
So I would start with your insurance company.
So if you need to do drug tests, people operating machinery, forklifts, et cetera, I'll probably put that one in.
And obviously find some sort of criminal or whatever standard

(48:05):
you want that is okay or not okay.
Maybe getting public intoxication in college isn't a problem, but maybe a DUI is or something.
You just got to define it, right?
And put it on paper.
And then another one is if ITAR, so citizenship would be a good

(48:26):
screening as well, depending on what, uh, you know, business you're in.
So if you're handling exporting of arms or having the ITAR requirements, I would put that.

SPEAKER_00 (48:36):
Yes.
The other part of that is when people are terminated or they leave or whatever, or they change positions, you need to make sure that their access is handled appropriately.
You know, it's, uh, when somebody is terminated or leaves, their access needs to be cut immediately.
Uh, if they change positions, you need to make sure that their access is changed appropriately at the appropriate time.

SPEAKER_01 (49:00):
Next is physical protection.
What about that one?

SPEAKER_00 (49:04):
Physical protection, make sure that where you store CUI is secured, locked, secured, however you need to secure it with keys or with proximity cards, wherever it may be.
That is secure.
The electronic locations and the physical paper or whatever other

(49:24):
kind of location or CUI that is.
Make sure they're secured.
Those physical access means, keys, key cards, proximity cards, stuff like that, you need to, again, document.
You need to have an inventory of those and make sure.
So that means your physical keys really need to be serialized

(49:47):
somehow.
Proximity cards usually are anyway, but you need to keep track of those.
So visitor access logs.
A lot of places have sort of a reception area or a man trap, something like that. You go in and you sign in and go on in.
And then when you leave, you sign out.
And so you need to have something like that in place.

(50:08):
Some sort of man trap, some sort of reception where people cannot pass that.
They have to sign in.
You, of course, have to keep those logs.
You have to review those logs.
Somebody has to review those logs.

SPEAKER_01 (50:19):
We are on risk assessment next.

SPEAKER_00 (50:21):
So for risk assessment, you've got to evaluate the risk potential of all your systems.
And then you have to evaluate that ongoing.
You have to make sure that they're still the same.
has changed.
But then you also have to do vulnerability assessments, run those, address any vulnerabilities, address any issues.
And what I would argue is that a vulnerability assessment is not

(50:42):
just an IT, what we think is a vulnerability, a CVE, but it would be inactive accounts.
It would be even open ports that are not necessarily showing up on a vulnerability.
Do we need this port open?
So you need to run those risk assessments, evaluate those vulnerabilities and address those in a timely manner.

SPEAKER_01 (51:03):
Also, a great low-hanging fruit type thing any business can do that most aren't is just run a vulnerability assessment monthly, quarterly, and patch the holes before a hacker finds it.

SPEAKER_00 (51:18):
Yeah, and that's what this requires.
But really, like you say, that is just a low-hanging fruit, something easy to do.
And it really needs to be done.

SPEAKER_01 (51:29):
Next up is security assessment, which is not the
same as risk assessment.

SPEAKER_00 (51:34):
Right.
It's not.
So you've got to review all your– basically all your security settings, your SSP.
You've got to review all that and make sure that it's still appropriate.
What about this new server we put in?
We didn't ever do anything with it.
What about– do these– Does this access control security settings

(51:55):
or whatever, do they still apply the same way that they did?
You have to go through and review all your controls and make sure that they and your policies and your plans and procedures, make sure that everything you put in place still is appropriate.

SPEAKER_01 (52:10):
What about system and communications protection?

SPEAKER_00 (52:13):
So you have to protect your systems not only at the border, which would be your firewall, right?
So you do have to do that.
You have to protect things at the border.
You have to make sure that CUI is encrypted anywhere it goes.
Transit is a big thing we talked about a while ago.
It's big here.
If your CUI...
For instance, if you... print your CUI, this is a common one, if you print CUI, it's not

(52:36):
encrypted, so if it goes over a wireless network, you know, is it encrypted, you know, or are you transmitting that CUI to a website that uses the appropriate encryption? Those are the kind of things you have to think about with systems and communication protection. There are other things also, making sure that your normal stuff a firewall will do, like making sure that the sessions are not spoofed and stuff like that. I

(52:59):
mean, those are, there's all sorts of things there, but it's all your normal network level.
Cautions you take need to be taken and documented.
Of course, everything needs to be documented.
How you use it.
For this, you would want to have a data flow diagram.
Well, for a lot of these, you want to have a data flow diagram, but it would help this as well.

SPEAKER_01 (53:17):
The next is system and information integrity.

SPEAKER_00 (53:20):
So for a system and information integrity, you really want to keep all your protections up to date, your antivirus or your endpoint, whatever your endpoint protection is, whether it's MDR, ADR, whatever it may be, you know, make sure it's up to date.
Make sure your systems are patched.
Make sure, you know, and it's not just Windows.
I mean, it's pretty common for your IT shops to, you know,

(53:41):
patch your Windows machines, you know.
But what about the Mac machines?
What about, do you have any Linux in place?
What about your firewall?
What about your wireless access points?
What about your switches?
You know, what about whatever other network devices there may be?
Are they patched?
You know, you really want to make sure that all that is taken care of.

(54:02):
You want... Can you

SPEAKER_01 (54:02):
tell me that that switch that we threw up in the false ceiling and then ran a cord down to the CNC machine to get it working matters?

SPEAKER_00 (54:11):
Yeah, absolutely it does.
Absolutely.
Everything, that's a point of access for someone.
If a hacker happens to get in on your network, the first thing they do is some reconnaissance to figure out what's going on, and they find some Belkin switch that was put up five years ago and nobody's touched it since, and, oh, hey, look here, I can

(54:31):
get into this lickety-split, and they get into that. Now they've moved laterally, and, uh, they're off of where they initially came in at, and now they're a lot harder to track. You got to keep everything updated, keep everything patched, uh, scan for anomalies, and you just, you got to be proactive about this, and you got to prove that you're doing it ongoing. Again, there's documentation and the management.

SPEAKER_01 (54:51):
I would say that, you know, when you implement all of these things together, ultimately what NIST is, outside of maybe, maybe disagreeable compliance things that we've talked about, um, uh, what it does is, of course, checks the compliance box, but really just makes your business resilient against threats.
It does, absolutely.

(55:12):
You have to do all this compliance stuff, but the nice thing you get out of it is that you're nice and protected and feel good and sleep good at night. So, absolutely. Kind of to bring it home, uh, what would you say out of all these controls, um, and requirements, uh, is the most, uh, misunderstood or missed thing, uh, that, uh, people might get wrong, um, but they can take home

(55:36):
and do something about

SPEAKER_00 (55:37):
It's not necessarily one control, uh, or two or three controls, but it's, uh, it's, and again, I sound like a broken record, but it's, it's the documentation portion of this.
For instance, if it says identify somewhere, then that means you have to list out.
You have to identify the users.
If it says authorize, you have to have proof that somebody

(55:57):
authorized this.
It's easy for an IT person to glaze over that and go, we've got an Active Directory full of users.
There's my list of authorized users.
That goes a long way, but not quite all the way there because I guarantee you there's probably some people, well, depending on what kind of business it is.
There may be some people there that are not in Active Directory

(56:20):
that don't log on to the computers, and they should be listed on that list with no access.
IT guys, and I'm one of them, and I'm guilty of that too, you look at identify and you look at authorize, what does that really mean?
It's going to be documentation.
When you get down to it, documentation is really the

(56:41):
biggest piece of this.
The technical controls, we can implement those, but all the documentation to back it up.
You have to have your SSP.
You have to define how each control is implemented.
Really, if you go further and define how each of the objectives in those controls are achieved, that would be even

(57:04):
better, and that defines things very well for an assessor.
If they see that, you're well on the way.
You're doing well.

SPEAKER_01 (57:10):
When it comes to documentation, have you ever seen Seinfeld?
The soup episode.
I can't call him, though.
Weird.
Cause I think the one, I think that'll get us banned, automatically tagged on YouTube.
But, um, if you want to do everything right, he goes, no soup for you.
Documentation, uh, is that for CMMC compliance?
So you can do everything right.

(57:31):
But, uh, if you haven't documented it, no soup for you.

SPEAKER_00 (57:34):
That's right.
No soup for you.
I guess the soup in this would be, uh, the, uh, CMMC certification.
Exactly.
Uh, yeah.
And so that documentation is not just your SSP, it goes down to if you do a policy for each one of your families, control families, access control and whatnot, or domains.
Anyway, so have a policy for each one of those, but then you

(57:57):
need to break out and have your plans and procedures like your disaster recovery, like your incident response, stuff like that.
Then you also need to have your authorized lists and things like that.
So inventory list, but documentation is huge.
Documentation is gigantic.
Then to go even further than that, you have to have proof of

(58:19):
all these things, not just your documentation, but when it comes time for an assessment, you have to have proof.
Show me where the policy is implemented in Active Directory or in Intune or wherever it may be.
Show us where that is.
Show us a screenshot, all that kind of fun stuff.
So you have to have proof of that.

SPEAKER_01 (58:35):
If you have questions about what we've covered, please reach out to us.
We're here to help fast-track your compliance journey.
Text, email or call in your questions.
We'll answer them here for free on the podcast.
You can find our contact information at cmmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant and stay secure.

(58:56):
Make sure you like, subscribe and share.