#CMMC AC.L2-3.1.18[a] "determine if mobile device connections are authorized" this is more aimed at company networks. As an assessor I think a policy could cover authorizing categories of mobile devices to a guest network. That network should have protections against guest network traffic coming internally. An internal network would need some kind of registration or list of "known good" (authorized) devices since there's more sensitive data traveling there. Documentation of how these devices are authorized will also be needed. Don't want randos connecting to the network. #cybersecurity #infosec #compliance #security
#CMMC #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.18[a] "determine if mobile devices that process, store, or transmit CUI are identified" at first glance this is like, duh, I have the CUI data flow which shows them. Further needs to be done so that any CUI mobile device must be known, like an inventory or special device list/group to trace the capability of CUI to specific devices. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.17[b] "determine if wireless access to the system is protected using encryption" Is your connection encrypted when connected to wireless? Would need to point out the modules/products used to the assessor. Also important to note is that if CUI is involved (a.k.a. stored/processed/transmitted) then the encryption is expected to be FIPS 'validated' cryptography! #cybersecurity #infosec #compliance #security
Microsoft Federal Successfully Completes Voluntary CMMC Assessment https://rodtrent.com/wiq
#CMMC AC.L2-3.1.17[a] "determine if wireless access to the system is protected using authentication" the system most referred to here is the corporate network and the wireless access points one may have across the enterprise. Essentially, don't allow any "open" WiFi access to the system. Companies should be set up with passwords for access and those should be changed whenever people leave the company. Individual authentication per user can also be used. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.16[b] "determine if wireless access is authorized prior to allowing such connections" so what the assessor will look for here is some documentation of how the management approves connections of computers or categories of computers. Could be defined in policy signed by management, or could be a workflow of approval for allowing WiFi access. Or some other document. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.16[a] "determine if wireless access points are identified" make sure there's a network diagram or something identifying the wireless around the office/scoped locations. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.15[d] "determine if access to the identified security-relevant information via remote access is authorized" the company takes their list or document from [b] and then should be prepared to show in some way how the access is authorized by someone. Show, don't tell. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.15[c] "determine if the execution of the identified privileged commands via remote access is authorized" companies identify what they want to be able to run remotely and document proof of authorization for the accounts or if you can get really granular then with each command itself. There's also probably a handful (or two) of ways in between to authorize the actions with PIM. #cybersecurity #infosec #compliance #security
#CMMC AC.L2-3.1.15[a] "determine if security-relevant information authorized to be accessed remotely is identified" It's good to also document the types or descriptions of information that is authorized for remote access. Know what is authorized! #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.15[a] "determine if privileged commands authorized for remote execution are identified" So, the company has documented and implemented points on the infrastructure to route remote access connections through. Now the assessor will want to see that these points are getting that traffic. Audit log that traffic! Easy!
#security #cybersecurity #infosec #compliance
I wish the #CMMC blueprint pdf was not secured. It makes it a bit of a pain in the ass to study with when you can't comment or highlight anything.
#CMMC AC.L2-3.1.14[b] "determine if remote access is routed through managed network access control points" So, the company has documented and implemented points on the infrastructure to route remote access connections through. Now the assessor will want to see that these points are getting that traffic. Audit log that traffic! Easy!
#security #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.14[a] "determine if managed access control points are identified and implemented" this one is also dealing with remote access. Since it's not as manageable with... Say, employees remoting into their work computers individually. The requirements are to ensure that these separate connections can be controlled in some way. Identify in some demonstrable way that the remote access has control points. This assessment objective goes double duty to mention implementation as well. So, one also will have to demonstrate the implementation!
#security #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.13[b] "determine if cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented" this is more for the assessors of course. Take the cryptographic modules from [a] and make sure you are using them. Simple, right?
#security #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.13[a] "determine if cryptographic mechanisms to protect the confidentiality of remote access sessions are identified" when a company has remote access, which is documented from previous requirements, then those should be protected with cryptography. What kinds of cryptography you ask? If there is any CUI involved then it must be a product using a cryptography module that is FIPS 140 validated. WTF does that mean? Well, for the list of products available that can be easily shown to comply go here: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules and for other accepted products one can go here for NSA approved products: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Components-List/#components-list-index
So these "mechanisms" would be the ones that you implement and then show that they are identified.
#security #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.12[d] "determine if remote access sessions are monitored" the same, but different? Remote access sessions need records to prove control, and then there needs to be a process/documentation of reviewing those records. Also, could be alerting appropriate folks about sessions to show the monitoring. #security #cybersecurity #infosec #compliance
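Added example, not from the original posts: a small review of constructed remote access log lines that checks each accepted session went through a documented managed access control point (the 3.1.14[b] "audit log that traffic" point) and that the user was on the remote access authorization list, then tallies sessions per user as monitoring evidence (3.1.12[c]/[d]). The gateway names, user names, IPs and log format are all hypothetical placeholders.

```python
"""Review constructed remote access session records against documented control points
and an authorization list. Everything below (names, IPs, log format) is constructed."""
from collections import Counter

# Constructed: the documented, managed remote access control points (hypothetical names).
MANAGED_CONTROL_POINTS = {"vpn-gw-01", "vpn-gw-02"}
# Constructed: users on the (hypothetical) remote access approval list.
AUTHORIZED_REMOTE_USERS = {"alice", "bob"}

# Constructed sample log lines: <timestamp> <gateway> user=<name> src=<ip> result=<accept|reject>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z vpn-gw-01 user=alice src=203.0.113.10 result=accept
2024-03-01T08:05:42Z vpn-gw-02 user=bob src=198.51.100.7 result=accept
2024-03-01T09:17:03Z vpn-gw-01 user=carol src=203.0.113.55 result=accept
2024-03-01T09:20:30Z lab-router user=alice src=203.0.113.10 result=accept
2024-03-01T10:41:19Z vpn-gw-02 user=bob src=198.51.100.7 result=reject
"""

def parse_session(line):
    """Turn one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": parts[0], "gateway": parts[1], **fields}

def review_sessions(log_text):
    """Return findings: sessions that bypassed a control point, sessions by users not on
    the authorization list, and a per-user count of accepted sessions for the review record."""
    findings = {"bypassed_control_point": [], "unauthorized_user": [], "accepted_per_user": Counter()}
    for line in log_text.splitlines():
        s = parse_session(line)
        if s is None or s["result"] != "accept":
            continue  # rejected attempts show control is working; only accepted sessions are traced
        if s["gateway"] not in MANAGED_CONTROL_POINTS:
            findings["bypassed_control_point"].append(s)
        if s["user"] not in AUTHORIZED_REMOTE_USERS:
            findings["unauthorized_user"].append(s)
        findings["accepted_per_user"][s["user"]] += 1
    return findings

if __name__ == "__main__":
    for kind, items in review_sessions(SAMPLE_LOG).items():
        print(kind, items)
```

Run against a real export, the two finding lists are the items a reviewer would need to explain or escalate, and the per-user counts plus the review itself are the monitoring record an assessor asks to see.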
#CMMC AC.L2-3.1.12[c] "determine if remote access sessions are controlled" This one is a bit different because it is looking for the existence of control. Control over remote access is implying a process that moderates the participants themselves... Or how they access or when they access or what they access. As long as it isn't a free-for-all and it can be proven. #security #cybersecurity #infosec #compliance
#CMMC AC.L2-3.1.12[b] "determine if the types of permitted remote access are identified" much like the previous one this identification is solved with documentation. This is IT's worst enemy because no one has the time to do the paperwork. Could refer to policy to outline the types, or could be plans or even a technical document. Just have to write down the types you use. Can't have people connecting willy-nilly to the network/system, it's not safe. #security #cybersecurity #infosec #compliance
Hey #CMMC world we have another Certified CMMC Professional course coming up on Feb 6th.
This one is taught by Paul Netopski, a crowd favorite. #cybersecurity