I'm working in IT for a smallish engineering firm, and I've been trying to get the ball rolling on getting us set up for compliance. The company is about 80 people right now, but it seems like we keep growing. Currently, maybe 10 people do government work. We're on commercial Business 365 right now, and working on at least being Level 1, but with the goal of eventually prepping for Level 2.

A thought I had, to possibly save a little money, is to create a GCC tenant for the sole purpose of doing Federal work, along with devices that are only used with those accounts and the corresponding work. Since the number of people actually participating in it is so small, maybe it would work? I'm not sure if the controls are intended to be company-wide, or just for those who work with CUI. Otherwise, should we probably do a full migration to GCC? High shouldn't be necessary, I think, as we don't work with ITAR or EAC.

Any advice is welcome, thanks in advance!

submitted by /u/Outside_River_8071

Hello everyone,

I have just implemented NIST 800-53 for my employer in Germany. In other words, I have written a large catalog of security measures (>400 controls) based on NIST 800-53.

We are now planning to inventory all IT systems and assign a subset of the relevant security measures to each IT system.

My problem is that I don't want to assign controls individually for a large number of IT systems and applications.

Hence my question:

Is there a methodology from NIST on how to assign controls from NIST 800-53 to categories of IT systems or applications? For example, is there a template stating that certain control families are relevant for web servers?

Thanks in advance!

submitted by /u/Helontir

I'm referring to something like this/Resources/BC%2013%20-%20Released%20Hardening%20MS%20Windows%20for%20NIST%20SP%20800-171%20Compliance%20%20CMTC%20%2028%20Sep%202021.pdf?ver=_DEhmi5P7R08rIZvlqDyzw%3D%3D), where they show all the Windows Group Policy Object settings that need to be changed in order to secure a Windows machine, or another similarly easy-to-understand resource. I find the STIG descriptions to be a bit ambiguous at times.

submitted by /u/anti4r