old.reddit.com /r/NISTControls/.rss
NIST Controls Discussion, Resource Sharing, News, Recommendations for Solutions
Atom Feed

We've been reviewing our vendor practices and are trying to sort out how to better address the destruction requirements for CUI. We are debating about whether we switch to a single-step destruction and adopt the 1mmx5mm particle size, or whether we stick with our multi-step process and its less stringent requirements.

Thus far, we've used a multi-step process for a variety of reasons. First is that we have about 20 locations around the country, and each uses a different disposal vendor; each location also maintains its own vendor relationships. This means we don't know exactly what each of our vendors' particle sizes are, but we do know they crosscut shred and then recycle in bulk with other customers' materials.

We're going to have each vendor complete a new security questionnaire (being written), but we want to make sure we start with a viable standard.

Along the way, we’ve re-reviewed NIST SP 800-88r1, the 2017 ISOO CUI Notice 2017-02 (2017-08-17), the ISOO CUI Notice 2019-03 (2019-07-15) about destroying CUI, and DCSA CUI destruction guidance version 2 (2020-03-17).

I am advocating that while we could continue to use a multi-step process having a larger particle size than the 1mmx5mm, it would be operationally easier to adopt a more stringent single-step process. Others are advocating continuing what we are doing. Still others agree with me on the single step process and particle size but would rather we purchase shredders for each location and bring it in-house.

Is there a better, more comprehensive, more prescriptive document that we should reference?

Does anyone want to share how they are addressing this issue?

submitted by /u/iamanid10terror

Trying to compare multiple CKLB files for changes and updates. WinDiff was the tool we were using to compare monthly CKL files. Is there a tool that works for CKLB files?

submitted by /u/ballin_weasel

We are fully on GCC High, and have a lot of front line staff that rarely if ever accesses their email accounts. I'm considering dropping a lot of them entirely. Just wondering if anyone else out there operates in this way.

submitted by /u/hangin_on_by_an_RJ45

I understand that determining limits depends largely on the business, understanding of the risk, business requirements, etc.

But my question is: are limits defined anywhere stating that a system must be patched within a certain time of discovering the vulnerability?

This is an extremely complex hill for us to climb, as some systems are legacy and/or proprietary. They are entirely closed-off systems and have no access to the internet. In some cases some of these systems will never be patched; they will instead be replaced.

It would help to understand any CMMC / NIST defined limits or best practices.

Thanks

submitted by /u/IlIIIllIIIIII

I know 800-190 maps some but does anything have a current mapping of what controls need to be applied to different containers? As well as STIGs/SRGs to follow?

submitted by /u/TartBetter6

Is there a control evaluation or gap analysis Excel sheet available for NIST AI RMF? Kindly share some insights. Thank you so much.

submitted by /u/Large-Mind1574

(Cross-posted with r/CMMC .)

Hi, folks. Looking for some advice.

Assume that the strategy for protecting CUI at rest on laptops is Bitlocker (FIPS compliant of course).

Would an auditor inquire or care as to whether the WDE password is:

  • present (exists)?
  • allowed to be a default vs. required to be individualized by the user per policy?
  • verified to have been changed from default (via monitoring/reporting)?

If the last applies (that is, if an auditor is going to ask "How do you KNOW that users aren't using the default Bitlocker password?"), do you have a solution for that?

TIA

submitted by /u/ice-ninecicle

I totally understand that this is the NIST controls sub; however, there are folks here who have cross-walked various standards and have much more experience than I.

I am doing an assessment where I am stuck on a real-life understanding of the following.

CIS 13.9 Deploy Port-Level Access Control:

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

Does this now apply to ALL wired ports on the network? TBH, outside of the DoD, I have yet to see an environment where wired port access is 802.1x controlled. Which means if the site is deploying a desktop on that port, especially domain-joined Windows computers, it might get tricky.

On the wireless side the site is 802.1x. But not on the wired side. The way I am reading the control, it seems to be requiring that wired ports be 802.1x authenticated.

submitted by /u/the_harminat0r

Hi everyone, I am a designer that was hired to help design a GRC tool MVP. I have no prior domain experience but I’m eager to learn! Please be kind :)

I’m coming to all of you amazing SMEs for help, I’ll take all the info and advice you want to give me! Thank you in advance!

Knowledge I have so far:

  • an overview of the RMF process
  • some concepts of personas involved but not the nuances (e.g., small org vs large org)
  • some concepts of risk baselines and tailoring controls
  • some concepts of controls to assessment objectives and assessment procedures
  • some concepts of evidence and implementation statements
  • some concepts of an SSP
  • we're wanting to start with NIST 800-53 rev 5 controls management with OSCAL and inheritance through system components that other systems can inherit through a component library.

Things I could use help on:

  • Educational resources
  • The must-knows for someone in my position
  • Your idea of what the perfect GRC tool MVP looks like (necessary features and magic wand features)
  • Any pitfalls to avoid
  • Best existing tools to reference for great UX/UI
  • Anyone who would be interested in testing a prototype!

submitted by /u/SweetPlum86

SSP

Anyone have a link to an SSP in a more readable format other than the one provided by NIST?

submitted by /u/Public-Serve7013

Howdy y’all!

Fresh to the ISSO world and looking for some help. I work with mostly standalone MUSAs and small P2Ps and was stumped on which tools to use for auditing requirements. Do y'all just use Event Viewer, or are there some good solutions?

submitted by /u/Invalidnametag

Since the requirement (and recommendation *NOT* to rotate passwords frequently) was changed and the recommendation is to only change passwords when there's a suspected breach of the credentials... Does that mean PIEE is being compromised every 60 days?

submitted by /u/MapAdministrative995

Has anyone gotten the Cisco_IOS_XE_Router to work with the guidance provided by DISA? Looking for some pointers to get it working.

submitted by /u/jer9009

Hi all,

I had a quick question. I am mostly familiar with 800-53. I am helping with some privacy components, and I have a cloud SaaS that has an ISO 27018 certification as well as 27001.

The customer has not completed, for example, incident response protocols with the cloud provider, etc. How does ISO 27018 look at those when they are assessed "just" as a provider?

Everywhere I look it seems that PII processing under ISO 27018 is assessed considering the customer (I don't have access to the ISO control list, so I am a bit blind).

How do they conduct ISO 27018 audits without a customer, obtain a certification, and have the certification basically extend to the customer? I am scratching my head a bit on this one. Unless the provider is bound to establish processes with the customer, for which I would have no evidence.

Thank you all! Hopefully this was a clear question; I am just questioning my reasoning a bit here.

submitted by /u/Radishingz

Background:

We are a small federal consulting company of about 100 employees. We have been working with our MSP on going through our processes and controls as we prepare for CMMC Level 2, and we are pretty comfortable with where we are at. However, we are now taking a look at GCC High to see if it's worth going the extra mile to not only be CMMC audit ready but also to see if the cost of having GCCH could be worth the appeal to future potential DoD clients and projects.

What we currently have: About a quarter of employees have Microsoft 365 Business Premium licenses and 75% use Business Basic. We use PreVeil Business plan (about 10 seats) to handle our CUI documents.

Questions:

Does anyone have insight on costs for GCC high for a company this size?

Would only employees that work with CUI need GCC high while the other employees remain with Business Basic plan? Or does GCCH have to be applied to the enterprise?

submitted by /u/TheVizualizer

Folks, I have written this in an attempt to simplify a pain I felt. Beginning to write the SSP felt overwhelming, and I wrote the article to help somewhat simplify and ease that process. It isn't in any way a complete guide; however, I would be very much indebted to get some constructive feedback to improve this and help build more useful pieces of text in the future. Also please let me know if I got anything wrong with my limited knowledge; I wouldn't want to share any form of inaccurate information through my write-ups.

https://medium.com/@shees421/getting-started-with-system-security-and-privacy-plans-as-per-nist-800-53-feeb7480b35c

Moderators, I am unsure if this is against the rules. If so, please let me know; I would be more than happy to remove it and keep the sanctity of this forum.

submitted by /u/shees421

Is there a way to get an "official answer/clarification" about some of the NIST controls?

I seem to have a bit of disagreement with the FedRAMP PMO/advisors and am looking for an "ultimate authority" for interpretation of controls.

(The control in question was discussed in this subreddit, and based on the discussion my interpretation is correct. But as I am unable to point here as an official source of wisdom, I am looking for other possibilities.)

submitted by /u/tomtforgot

I need a recommendation for software that we can use for remote desktop to other team members. We currently use Quick Assist, but it looks like it does comply with the NIST standard. We are a small company of less than 10 people and are starting our NIST compliance journey. We operate 100% remote using Microsoft 365 Business and NordLayer VPN.

submitted by /u/One_Slice1329

I have been trying to gain an understanding of what specific artifacts/evidence should be requested per specific selected control, including tailored questions that can be used as a guide to gather information for writing implementation statements.

Background: Currently going through my first full start-to-finish RMF process for ATO. I am assisting ISSOs, ISSMs, and other stakeholders with writing the control implementation statements while also gathering artifacts/evidence. The system has 15 components and 188 controls, and we are working on writing implementation statements for each component. With that comes meeting with the appropriate POC per component and interviewing them to gain knowledge of the processes and how these components are being used in the main system.

Does somebody have some sort of guide for internal auditing? Maybe an artifact request list?

submitted by /u/Unlucky_Beautiful_55

I've worked as an ISSO for a while, and I'm looking to get back into this line of work.

I've gone through the quarterly ConMon checklist for the SAP I work in. But who actually writes the ConMon spreadsheet? Why are those controls selected? Is it written prior to the ATO by an ISSO/ISSM, or is it given to the program by the customer? Is it based on your Risk Assessment Report?

submitted by /u/CostaSecretJuice

Has anyone heard of classified IATT scans for a closed system, not connected to any network or with classified information?

submitted by /u/Impossible_Web4001

The company I work at has an AVD setup on Microsoft 365 GCC High specifically for client engagements where we deal with CUI. However, for some reason, they have disabled OneDrive functionality on it. We can still use SharePoint, Outlook, and Teams, but OneDrive is completely disabled.

Does anyone have a guess as to why? It's my understanding that OneDrive in M365 GCC High would be using the same server as the other services and has the same certifications, controls, etc. I want to make the case for us to use it, as I think it would get more people to move from our shitty on-premises shared drive to the AVD side of things.

Apologies if my terminology or understanding is incorrect. I'm not an IT professional but trying to learn.

submitted by /u/ResponsibleMistake33

Hi everyone,

I was just wondering what security artefacts projects would need to deliver as part of your project / programme frameworks.

Feeling recently that security is slowly becoming an afterthought, or that it's just pen testing and vulnerability scanning.

In our current framework there are four phases: 1) initiate, 2) plan (requirements), 3) execute, 4) control and closure.

During these phases Info Sec feeds into other teams (architecture, BAs and PMs, and testing), but it's more Info Sec going to them rather than them updating Info Sec. Also, in the framework there are no Info Sec artefacts besides vuln or pen testing reports, which just feed into other docs.

My plan was to change this to have a weekly drop-in session that projects can book to engage Info Sec. Then on the framework, the below artefacts:

  • 1) initiate - initial risk assessment and business impact analysis
  • 2) plan - system security plan / information assurance document (how the system will be secured, with a focus on the CIA triad), DR / contingency plan
  • 3) execute - final approved copies of the above documents, evidence of executed tests and DR manuals

Is this a good starter for ten? Or is there anything else that would be needed?

submitted by /u/Leading-Preference11

I am trying to obtain CMMC Level 1 compliance which contains 17 requirements defined in FAR 52.204-21. My question is: what all do I need other than policies and procedures in order to submit the self-assessment? I have policies and procedures aligning with the 17 requirements in the FAR clause, and of course everything written and stated is implemented in my environment. I also have an SSP defining how we adhere to the 17 controls. Do I need anything else to prepare for the self-assessment and/or any future audits? Do I need a POA&M?

Any help is greatly appreciated!

submitted by /u/Independent-Net9529

Hello,

I work as an ISSO in step 6 doing ConMon stuff, super easy, first "cyber gig". Recently got an ISSO job doing all the steps in RMF and I'm a little intimidated. I know I'll be able to learn, but of course I sold myself in my interviews like I'll come in and hit the ground running. Any suggestions on things I should study ahead of my start date? Do I have a shot just learning on the job if I really apply it?

submitted by /u/Low_Air_876