SPD discrepancies in final rule

old.reddit.com / @/u/Important_Yam_3039, https://old.reddit.com/user/Important_Yam_3039

I'd be interested to hear your takes on how SPD is classified in the final rule. In the comment section, SPD should be treated as CUI and be kept in a FedRAMP compliant solution for your ESP/CSP vendors.

https://preview.redd.it/7c8ts44kq6ud1.png?width=895&format=png&auto=webp&s=7dc143f0b6114e7759ffe9d11d73522ccbdeadca

Then in the rule it states:

https://preview.redd.it/wbfc6xhar6ud1.png?width=875&format=png&auto=webp&s=4a632b9995fdd4338cb6f1968132478c22a96f44

Per the definitions, SPAs that don't store, process, or transmit CUI are classified as ESPs that don't need to undergo a CMMC audit. Thoughts?

submitted by /u/Important_Yam_3039

published about 1 month ago



