Balsa
May 10, 2020

Turbo Nerd
I'm making this thread for the people who may (god help them) need to comply with NIST 800-171/CMMC. If you are doing work for the DoD (or are part of the Defense Industrial Base), even off-the-shelf crap, then CMMC is going to be a massive pain in the loving rear end for you.

CMMC is a required audit of your network to ensure you're not loving it up and have loving anti-virus installed before you can do business with the DoD.

Gotta protect that CUI, FCI, CDI!

For all the nerds not in the know, Check out this very awful website: https://www.cmmcab.org/

drat Ponzi scheme if I've ever seen one.

Balsa fucked around with this message at 16:54 on Aug 31, 2020


bigdookie
Nov 21, 2005
The Awesome!
Grimey Drawer
Ahhhh CMMC, the obvious conclusion to so many self-attesting to NIST 800-171 compliance. I assume everyone that had to be NIST 800-171 start at level 3 on CMMC. I also assume the auditors are going to have massive disparities the first year as they try to figure out exactly how they rate compliance across CMMC.

Need 100% on each category to pass that check? Or is it more if you are doing things 90% of the time for each check? Left up to the auditors, who knows!

I'm sure 2020 will continue to be awful!

Balsa
May 10, 2020

Turbo Nerd

bigdookie posted:

Ahhhh CMMC, the obvious conclusion to so many self-attesting to NIST 800-171 compliance. I assume everyone that had to be NIST 800-171 start at level 3 on CMMC. I also assume the auditors are going to have massive disparities the first year as they try to figure out exactly how they rate compliance across CMMC.

Need 100% on each category to pass that check? Or is it more if you are doing things 90% of the time for each check? Left up to the auditors, who knows!

I'm sure 2020 will continue to be awful!

From what I understand, if you fail any of the level 1, 2, or 3 controls at all, you don't pass, and you get bumped down to the minimum level where you passed all the controls. Best part is, if you want to contest anything, it goes to the QA Board... and all appeals also go to the QA Board lulz.

The assessment requires you to be on site as an auditor, gather all the details in eMASS and submit them to the QA board, and they score your assessment! (And charge 30k to do it)

Weeeee for small business

bigdookie
Nov 21, 2005
The Awesome!
Grimey Drawer
https://sera-brynn.com/wp-content/uploads/2019/05/Reality_Check_DFARS_2019.pdf

Well then the fallout should be incredible!

I think the first year is going to be a massive POAM writing marathon for most companies when they can no longer self attest.

Balsa
May 10, 2020

Turbo Nerd

bigdookie posted:

https://sera-brynn.com/wp-content/uploads/2019/05/Reality_Check_DFARS_2019.pdf

Well then the fallout should be incredible!

I think the first year is going to be a massive POAM writing marathon for most companies when they can no longer self attest.

Joke's on you, POAMs ARE NO LONGER ACCEPTED UNDER CMMC

#rekt

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

omg a CMMC thread

bigdookie
Nov 21, 2005
The Awesome!
Grimey Drawer

Bob Morales posted:

omg a CMMC thread

I too was excited for a CMMC thread, and it's dead just like CMMC 1.0.

We had a pre-audit to simulate our challenges, the pre-audit was filled with paper pushing auditors that barely knew what they were asking.

*mumble* *stammer* Uhhh FIPS, you all have FIPS? *cough*

Bob Morales
Aug 18, 2006



bigdookie posted:

I too was excited for a CMMC thread, and it's dead just like CMMC 1.0.

We had a pre-audit to simulate our challenges, the pre-audit was filled with paper pushing auditors that barely knew what they were asking.

*mumble* *stammer* Uhhh FIPS, you all have FIPS? *cough*

I think our consultant is coming up here this week so we can spend a whole day doing nothing

FIPS can eat my rear end since it fucks all firewalls up apparently

Hughmoris
Apr 21, 2007
Let's go to the abyss!
*Ignore

Hughmoris fucked around with this message at 19:43 on Jan 10, 2022

tadashi
Feb 20, 2006

My company has decided to say gently caress it and push off an official audit until closer to the current deadline for contracts to start including CMMC requirements.
Their logic is that we have a sweet relationship with the 3PAO so they'll knock our pre-audit and audits out at the drop of a hat.

In related news, I'm BCC'ing my personal email account on all compliance-related emails so nobody can say I didn't warn them that this is a bad and expensive plan.

Potato Salad
Oct 23, 2014

nobody cares


Everyone's dance cards are filling up :/

Potato Salad
Oct 23, 2014

nobody cares


I feel like it's pretty telling that nobody can really talk about CMMC because so much remains unknown and they're uncomfortable with their organizations making huge bets on the gentlest interpretations possible.

Cabbage Disrespect
Apr 24, 2009

ROBUST COMBAT
Leonard Riflepiss
Soiled Meat
As a computertoucher who is suddenly responsible for a large part of a startup's sudden crunch-timeline effort to become properly 800-171 in exchange for big honkin' contracts I am necroing this thread to let the world know that I crave the sweet release of death.

Ain't nobody getting their unauthorized hands on our cooey or eye tars tho


Defenestrategy
Oct 24, 2010

Cabbage Disrespect posted:

As a computertoucher who is suddenly responsible for a large part of a startup's sudden crunch-timeline effort to become properly 800-171 in exchange for big honkin' contracts I am necroing this thread to let the world know that I crave the sweet release of death.

Ain't nobody getting their unauthorized hands on our cooey or eye tars tho

I am necroing this thread because I didn't know it existed. My boss and I have been working on prepping our company for this compliance for what feels like two years at this point, and lol if you need to go full bore at this. Luckily, if you're starting now there's now apparently, according to people above my pay grade, the ability to narrowly scope your network to different tiers of compliance. So you can have a part of your network rated for level 1, another for 2, etc., etc., and so long as you keep your CUI stuff in the proper part of the infra for the contract, you're golden. Which took a load off our minds, because we were working under the assumption that it was all or nothing and were pondering how hard/expensive it would be to create an entirely separate network for working in CMMC-required environments.
