Hello,
I work in IT outsourcing and I was given the task of writing up the subset of security controls from both CMMC and FedRAMP that allow compliance with PHI and PII.
I need advice on how I might identify the controls from CMMC that, if satisfied, would ensure regulatory compliance.
My question though is where can I find a comprehensive list of controls from CMMC Level 3 and FedRAMP, and how will I know when a control applies in covering PHI/PII?
Is this a reasonable task? I am new to this space so I’m sure I have some lack of knowledge that you folks could perhaps help fill me in on.