old.reddit.com /r/GovIT/
Government IT
Active Web Watch

 


Anybody who can give an overview of this. Appreciated.

submitted by /u/flashyredsnake
[link] [comments]

Hello,

I work for an IT company and I have a local non-maintenance client that we used to manage pre-2020. They left us because they were struggling financially. Since then they have received a government contract and are doing really well. When they got a new IT company to manage their IT needs they went with a company that is in another state 3000 miles away. They went with them because of their expertise with dealing with companies that have government contracts. It's my understanding that the NIST SP 800-171 is just a set of rules that have to be met that can/will be audited. The IT company itself doesn't have some type of certification in order to manage these clients, correct? Can anyone be a consultant for NIST SP 800-171 compliance? Do we need background checks in order to manage them?

I am asking because the VP is frustrated with this company and has called me a lot for support. I am thinking we would be a better fit as we are local and have a lot of the same systems, tech stack that this company uses. The way the VP expressed his concern is that this company is compliant with managing this stuff.

Can anyone shed some light on this or point me in the right direction? Not sure if it matters but I was enlisted for 6 years and was in network security/server admin roles so I understand the rules with needing firewalls, OU groups, deprovisioning users in a timely fashion, etc.

submitted by /u/TheWestCoastDood
[link] [comments]

Does anyone know about the hiring process for the NYC Department of Investigation? Right now my application is in the review stage and I’m waiting for an interview for an investigative auditor position, but it’s been about 4 months since I submitted my application. Does anyone know about the hiring and onboarding process with the Department of Investigation?

submitted by /u/No-Total-5794
[link] [comments]

It's a survey with multiple choice questions only and it takes 3-4 minutes to complete. Feel free to forward the link to colleagues. The topic is "Why do IT projects fail not (only) because of Technology".
The groups I'm interested in are devs, project managers and human resource managers who work in IT projects.

Survey link

  • I don't need your email address, your name, age or whatever, only your opinion. The platform asks for your email at the end, but it's optional and fill it in only if you want a copy of your answers, otherwise just close, it still worked :)

Thanks in advance,
Le-

PS: sorry for my English just in case, my thesis is in German :)

submitted by /u/IrLin_
[link] [comments]

New ISSO for a DoD organization performing some software development. ISSM is new to our organization too.

Organization is performing static code analysis and CM, but needs to grow beyond that. Some engineers think it is okay to grab just about any code from GitHub and management thinks absolutely nothing should be used from GitHub. Obviously there is a middle ground and we need some process for assessing Open Source Software, libraries, etc., not to mention properly assessing our own applications, and I'm not sure where to start. What I could find is that getting a list of components for our internally developed apps should be one of our first stops. Not sure if same applies to OSS, or how we'd do that properly.

I think we will be rebuilding the software engineering process and procedures from scratch, but we are a bit out of our depth. Other than the high level TTPs, we are having a difficult time getting started. Can anyone point us to resources that can assist in this and make sure we get this as close to right as possible the first time around?

submitted by /u/OpenPort23
[link] [comments]

When it comes to OSCAL, I understand the what, but not the how. I understand that the goal of OSCAL is to automate the monitoring of control implementation, and that it does so through a set of extensible formats which support a range of risk management processes.

I've been reading this guide to learn more about the XML and JSON files included in the FedRAMP Automation release, but I'm having a hard time making sense of it (I'm not a software developer).

What am I supposed to do with these XML/JSON files to automate the creation of SSPs, monitor the implementation of controls, etc.? Are there any resources which teach XML/JSON noobs how to get started with OSCAL?

Thank you!

submitted by /u/4MvZbT
[link] [comments]

Hi developers who are interested in data security,

Cisco and Altinity are meeting over a LIVE webinar tomorrow to showcase their collaborative project on deploying ClickHouse in FedRAMP for government customers using Altinity’s FIPS-compatible stable builds.

Date and Time: June 20, 10 AM PDT

Speakers: Pauline Yeung, Data Engineer & SecDevOps at Cisco Umbrella and Robert Hodges, CEO at Altinity

Tune in LIVE to learn more about:

  • What is Cisco Umbrella and how does it use ClickHouse?
  • What are the challenges of bringing up ClickHouse in a FedRAMP environment?
  • How are Cisco Umbrella and Altinity working together to deploy FIPS-compatible analytics?
  • What lessons can we share with other users on the same path?

RSVP your free seat here: https://hubs.la/Q01T8qJT0

submitted by /u/RyhanSunny_Altinity
[link] [comments]

Isn't 2.B Minimum Password Strength in conflict with the NIST SP 800-63B recommendation of 8 characters? Also, mainframes like z/OS have a maximum password length of 8; I would think CISA would have included passphrase with password, since z/OS can use up to 100 characters with passphrase.

submitted by /u/Tall-Wonder-247
[link] [comments]

What's with the increased use of a space before and after / in written federal documentation of late? Is it a code or something, because it is not an English grammar requirement?

submitted by /u/AOL_Casaniva
[link] [comments]