old.reddit.com /r/NISTControls/.rss
NIST Controls Discussion, Resource Sharing, News, Recommendations for Solutions
Atom Feed
In the SA family there are a number of controls (-4 enhancements, -10, -11, -15, etc.) that say the "developer" of the system, system component, or system service must do things, and I'm looking for a sanity check on how I'm approaching it while writing the SSP.

My take is that the controls refer to multiple "developers" - the developers of the system are your internal developers, the developer of system components is likely your IaaS provider for cloud based systems, and the developer of the system services are external services. For internal developers it's like you're "acquiring" the system from your own developers and you as the ISSO require them to meet the controls, then require external developers to meet the same controls and verify that through their FedRAMP authorizations (or contracts but FR authorization is the easy path).

Am I thinking the right way here?

submitted by /u/TheRealTimbo_Slice
Microsoft 365 G3 GCC Windows 11 Enterprise Entitlement

I know this is off topic for this sub and I apologize in advance. I am hoping this post might reach someone who has experience with Microsoft 365 GCC licensing. I posted this on r/sysadmin but was not able to get much help.

For those of you who have smaller GCC tenants, how have you managed to obtain Windows 11 Enterprise licensing? I went down a rabbit hole chasing activation issues about two months ago; it turns out NCE G3 licensing does not include Windows 11 Enterprise by default. When looking at a user with G3 I do not see the Win 11 Enterprise license; I compared this to a Commercial tenant with E3 and the license is there. Microsoft support told me I need to order the VRM-00001 SKU for the license to be available in our tenant. This SKU is only available to those with EA/MPSA. We are under the 250 users/devices, so we are not eligible for EA or MPSA. I can't seem to wrap my head around why Microsoft does this for a GCC tenant and not Commercial. Has anyone come across this?

Microsoft GCC Licensing
Microsoft Commercial Licensing

This is for a standard GCC tenant, not High/DoD.

My CSP PAX8 has been less than helpful with this.

Feel free to delete if not allowed.

https://preview.redd.it/4b9csieylp4e1.png?width=979&format=png&auto=webp&s=2aeb1f044480f11e94cca04c431046f151b97ffe

submitted by /u/xp_sp3

I'm needing a mapping of CCIs to Assessment Objectives for 800-53 rev 5. Is this something I need to pay for or does anyone know how I can obtain this for free?

submitted by /u/SweetPlum86

Hey all, apologies if this isn’t the best thread for this. I was interested to see if any of you made the jump from a DoD RMF role into a FedRAMP one? I’m looking to make the jump because it interests me more and gives better flexibility for the area I reside in. Was there anything specific you learned or worked on to show that your experience with 800-53 and the DoD is enough to land a FedRAMP position?

submitted by /u/Amazing_Cartoonist17

I've only ever worked with SSP. System Security Plan.

Recently been asked to help with a WISP. Written Information Security Program.

Are they fundamentally the same, with just different names? Or is there some important difference I need to know about?

submitted by /u/Covert_Tyro

If someone at my company is accessing CUI or ITAR data through a company VPN while in another country, is that legal? The data is stored securely on company servers with ITAR and NIST 800-171 compliant infrastructure in place for CUI. The individual is a U.S. citizen, and assuming the data remains secure and isn’t transferred to anyone else, are there any legal risks they should be aware of?

Thank you!

submitted by /u/jewfit_

Hi everyone,
I’m looking for good free tutorials or resources on implementing the RMF. Ideally, something that breaks down NIST controls (like 800-53 or 800-171), explains how to implement them, and ties them to meeting CMMC requirements. If you have any recommendations, I’d greatly appreciate it. I do much better learning by watching videos than by reading. Thanks!

submitted by /u/jewfit_

Looking for a SOC 2 correlation to 800-53 Rev 4 and 5. I know it may not line up directly, but I really need it. Can anyone help me out?

submitted by /u/ImRight-AdmitIt101

The selection of security controls is based on the FIPS Publication 199 categorization for this system and NIST SP 800-53 Revision 5, the FISMA Moderate baseline of controls.

The system security categorization impact level is determined to be overall moderate. Therefore, the entire moderate baseline of controls is selected as the minimum security requirements for the control baseline. This is the NIST SP 800-53 Revision 5 Moderate Baseline (287 controls) plus the NIST SP 800-53 Revision 5 Privacy Baseline (96 of 96 controls). The system processes and stores privacy-related data. Therefore, the entire NIST SP 800-53 Revision 5 Privacy Baseline is selected for the system's control baseline. Additional security controls: none listed.

It might be good to note that there are about 15 components under this system.

Can I get guidance on how to tailor the controls?

submitted by /u/Unlucky_Beautiful_55

I am looking at different compliance managers to use for my company. This would be for programs we build and for the corporate network. I'd like for it to use OpenSCAP.

I came across OpenRMF and want to try it out but just exploring other options. https://www.openrmf.io/

What else is out there? STIG Manager? Vulnerator?

submitted by /u/Banned4Truth10

We've been reviewing our vendor practices and are trying to sort out how to better address the destruction requirements for CUI. We are debating whether we switch to a single-step destruction and adopt the 1 mm x 5 mm particle size, or whether we stick with our multi-step process and its less stringent requirements.

Thus far, we've used a multi-step process for a variety of reasons. First is that we have about 20 locations around the country, each uses a different disposal vendor, and each location maintains its own vendor relationships. This means we don't know exactly what each of our vendors' particle sizes are, but we do know they cross-cut shred and then recycle in bulk with other customers' materials.

We're going to have each vendor complete a new security questionnaire (being written), but we want to make sure we start with a viable standard.

Along the way, we’ve re-reviewed NIST SP 800-88r1, the 2017 ISOO CUI Notice 2017-02 (2017-08-17), the ISOO CUI Notice 2019-03 (2019-07-15) about destroying CUI, and DCSA CUI destruction guidance version 2 (2020-03-17).

I am advocating that while we could continue to use a multi-step process with a larger particle size than 1 mm x 5 mm, it would be operationally easier to adopt a more stringent single-step process. Others are advocating continuing what we are doing. Still others agree with me on the single-step process and particle size but would rather we purchase shredders for each location and bring it in-house.

Is there a better, more comprehensive, more prescriptive document that we should reference?

Does anyone want to share how they are addressing this issue?

submitted by /u/iamanid10terror

Trying to compare multiple CKLB files for changes and updates. WinDiff was the tool we were using to compare monthly CKL files. Is there a tool that works for CKLB files?

submitted by /u/ballin_weasel

We are fully on GCC High, and have a lot of front-line staff who rarely, if ever, access their email accounts. I'm considering dropping a lot of them entirely. Just wondering if anyone else out there operates in this way.

submitted by /u/hangin_on_by_an_RJ45

I understand that determining limits depends largely on the business, understanding of the risk, business requirements, etc.

But my question is: are limits defined anywhere stating that a system must be patched within a certain time of discovering the vulnerability?

This is an extremely complex hill for us to climb, as some systems are legacy and/or proprietary. They are entirely closed-off systems and have no access to the internet. In some cases, some of these systems will never be patched; they will instead be replaced.

It would help to understand any CMMC / NIST defined limits or best practices.

Thanks

submitted by /u/IlIIIllIIIIII

I know 800-190 maps some but does anything have a current mapping of what controls need to be applied to different containers? As well as STIGs/SRGs to follow?

submitted by /u/TartBetter6

Is there a control evaluation or gap analysis Excel sheet available for NIST AI RMF? Kindly share some insights. Thank you so much.

submitted by /u/Large-Mind1574

(Cross-posted to r/CMMC.)

Hi, folks. Looking for some advice.

Assume that the strategy for protecting CUI at rest on laptops is BitLocker (FIPS compliant, of course).

Would an auditor inquire or care as to whether the WDE password is:

  • present (exists)?
  • allowed to be a default vs. required to be individualized by the user per policy?
  • verified to have been changed from default (via monitoring/reporting)?

If the last applies, that is, if an auditor is going to ask "How do you KNOW that users aren't using the default BitLocker password?", do you have a solution for that?

TIA

submitted by /u/ice-ninecicle

I totally understand that this is a NIST controls sub; however, there are folks here who have crosswalked across various standards and have much more experience than I.

I am doing an assessment where I am stuck on real-life understanding.

CIS 13.9 Deploy Port-Level Access Control:

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

Does this now apply to ALL wired ports on the network? TBH, outside of the DoD, I have yet to see an environment where wired port access is 802.1X controlled. Which means if the site is deploying a desktop on that port, especially domain-joined Windows computers, it might get tricky.

On the wireless side the site is 802.1X, but not on the wired side. The way I am reading the control, it seems to be requiring that wired ports be 802.1X authenticated.

submitted by /u/the_harminat0r

Hi everyone, I am a designer that was hired to help design a GRC tool MVP. I have no prior domain experience but I’m eager to learn! Please be kind :)

I’m coming to all of you amazing SMEs for help, I’ll take all the info and advice you want to give me! Thank you in advance!

Knowledge I have so far:

  • an overview of the RMF process
  • some concepts of personas involved but not the nuances (e.g., small org vs large org)
  • some concepts of risk baselines and tailoring controls
  • some concepts of controls to assessment objectives and assessment procedures
  • some concepts of evidence and implementation statements
  • some concepts of an SSP
  • we’re wanting to start with NIST 800-53 rev 5 controls management with OSCAL and inheritance through system components that other systems can inherit through a component library.

Things I could use help on:

  • Educational resources
  • The must-knows for someone in my position
  • Your idea of what the perfect GRC tool MVP looks like (necessary features and magic wand features)
  • Any pitfalls to avoid
  • Best existing tools to reference for great UX/UI
  • Anyone that would be interested in testing a prototype!

submitted by /u/SweetPlum86

SSP

Anyone have a link to an SSP in a more readable format other than the one provided by NIST?

submitted by /u/Public-Serve7013

Howdy y’all!

Fresh to the ISSO world and looking for some help. I work with mostly standalone MUSAs and small P2Ps and was stumped on which tools to use for auditing requirements. Do y’all just use Event Viewer, or are there some good solutions?

submitted by /u/Invalidnametag

Since the requirement (and recommendation *NOT* to rotate passwords frequently) was changed and the recommendation is to only change passwords when there's a suspected breach of the credentials... Does that mean PIEE is being compromised every 60 days?

submitted by /u/MapAdministrative995

Has anyone gotten the Cisco_IOS_XE_Router to work with the guidance provided by DISA? Looking for some pointers to get it working.

submitted by /u/jer9009

Hi all,

I had a quick question. I am mostly familiar with 800-53. I am helping with some privacy components, and I have a cloud SaaS that has an ISO 27018 certification as well as 27001.

The customer has not completed, for example, incident response protocols with the cloud provider, etc. How does ISO 27018 look at those when they are assessed "just" as a provider?

Everywhere I look, it seems that PII processing under ISO 27018 is assessed considering the customer (I don't have access to the ISO control list, so I am a bit blind).
How do they conduct ISO 27018 audits without a customer, obtain a certification, and have the certification basically extend to the customer? I am scratching my head a bit on this one. Unless the provider is bound to establish processes with the customer, in which case I would have no evidence for it.

Thank you all! Hopefully this was a clear question; I am just questioning my reasoning a bit here.

submitted by /u/Radishingz

Background:

We are a small federal consulting company with about 100 employees. We have been working with our MSP on going through our processes and controls as we prepare for CMMC Level 2, and we are pretty comfortable with where we are at. However, we are now taking a look at GCC High to see if it's worth going the extra mile to not only be CMMC audit ready, but also whether the cost of having GCCH could be worth the appeal to future potential DoD clients and projects.

What we currently have: About a quarter of employees have Microsoft 365 Business Premium licenses and 75% use Business Basic. We use PreVeil Business plan (about 10 seats) to handle our CUI documents.

Questions:

Does anyone have insight on costs for GCC High for a company this size?

Would only employees that work with CUI need GCC High while the other employees remain on the Business Basic plan? Or does GCCH have to be applied to the whole enterprise?

submitted by /u/TheVizualizer