PHI, PII Compliance via CMMC and FedRAMP

old.reddit.com / @/u/GRAMS_, https://old.reddit.com/user/GRAMS_

Hello,

I work in IT outsourcing and I was given the task of writing up the subset of security controls from both CMMC and FedRAMP that allow compliance with PHI and PII.

I need advice on how I might identify the controls from CMMC that, if satisfied, would ensure regulatory compliance.

My question, though, is where can I find a comprehensive list of controls from CMMC Level 3 and FedRAMP, and how will I know when a control applies in covering PHI/PII?

Is this a reasonable task? I am new to this space so I’m sure I have some lack of knowledge that you folks could perhaps help fill me in on.

submitted by /u/GRAMS_

published 27 days ago



