Classic Beltway Friday drop... DoD dropped the CMMC Model Details and Assessment Guides. You can find them at https://lnkd.in/gSghCr_v Question for James Goepel and Robert Metzger: With the exception of the SSP requirement 3.12.4, DoD has descoped all of the other NIST SP 800-171 requirements for "specialized assets" that process, store, or transmit CUI. This seems to be in violation of both 32 CFR Part 2002 and the scoping definition in NIST SP 800-171, para 1.1: "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." My question is: does DoD have the legal authority to carte blanche waive enforcement of requirements, or is this likely to get re-interpreted by the ISOO? #cmmc #cmmc2 #cmmcab #dfars #cui #nist800171 Jacob Horne, Regan Edens, Fernando Machado, CISSP, CISM, CISA, CEH, Jerry Leishman, Tom Cornelius, Wayne Boline, Jeff Dalton
Okay, third and maybe last question for James and Robert (you can blame Regan Edens for tangentially inspiring this one): Given that in both Scoping Guides not even the Level 1 controls apply, isn't this a violation of both FISMA and FIPS 200 requirements also? Granted, I am not a lawyer and did not stay at a Holiday Inn Express last night, but my understanding is that FISMA and FIPS precede and inform 32 CFR Part 2002.
Oh, and an even more dangerous question for James Goepel and Robert Metzger: What is to stop an OSC from declaring everything but the security components as "specialized assets"?
The requirement in the scoping guide obligates the OSC to manage "specialized assets" and "Contractor Risk Managed Assets" according to the organization's existing policies, standards and procedures, which are enterprise-wide. Simply put, the organization needs enterprise-wide cybersecurity policies, standards and procedures; within that enterprise scope, there will be CMMC assets that require CMMC-specific policies, standards and procedures. It expanded on the idea that documentation for risk management (e.g., governance practices) needs to exist for more than just CMMC. While it doesn't mention NFOs, that basically supports the entire NFO premise of established and documented security practices that create the foundation of the security program to protect CUI.
Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
3 years ago: Dude, you ask some REALLY complicated questions. Answering your first one took more space than a LinkedIn post will allow, so I put my answer into an article. Happy to discuss. https://www.dhirubhai.net/pulse/cmmc-20-scoping-guides-deep-dive-james-goepel