Follow the CUI: Setting the Boundaries for Your CMMC Assessment

Shane McGraw: Hello, welcome to today's SEI webcast, Follow the CUI: Setting the Boundaries for Your CMMC Assessment. My name is Shane McGraw, outreach team lead here at the SEI, and I'd like to thank you for attending. We want to make this as interactive as possible, so we will address questions throughout today's talk. You can submit those questions in the YouTube chat area and we will get to as many as we can. Our featured speakers today are Matt Trevors and Gavin Jurecko. Matt Trevors is a CMMC model architect and a technical manager at the SEI. Matt has more than 20 years of experience in information technology, information security, and secure software development strategies. Gavin Jurecko is also a CMMC model architect and a senior member of the technical staff within our CERT Division at the SEI. Prior to working at the SEI, Gavin worked within the nuclear and transportation sectors implementing cybersecurity plans, programs, and communication systems designs. Now I'm going to turn it over to Matt Trevors. Matt, good afternoon, all yours.

Matt Trevors: Great, Shane, thanks very much. Welcome, everyone, thanks for joining the webcast. It's great to have folks here for a discussion on CMMC. As Shane mentioned, I am joined by my friend and colleague Gavin Jurecko. Gavin, nice to see you again.

Gavin Jurecko: Thank you, Matt, thanks for having me. I'm looking forward to the scoping discussion we're going to have today.

Matt Trevors: Yes, hopefully we're looking forward to this more than we were to this morning, our very brisk first morning in Pittsburgh, where we had sub-40-degree temperatures. That was kind of a wake-up call. I don't know how you guys were in the North Hills today, but it was a little brisk.

Gavin Jurecko: Yeah, same. The kids did not enjoy the cold walk to the bus this morning.

Matt Trevors: Yeah, I don't blame them. Well, with that, let's dive right into the topic. As Shane mentioned, Follow the CUI, or "follow the kooey" as we may say in the business. We're going to talk to you about how to go about scoping your CMMC assessment. That's one thing I've heard a lot about: people trying to determine what's in scope, what's out of scope, how do I determine the answer. Gavin and I are here to help guide your decision-making process, and while we can't give you definitive guidance on what i's to dot and t's to cross, we're going to do our very best to give you some things to consider. In that vein, I wrote a blog post recently that is available at the SEI Insights website discussing this very topic, and this webcast is kind of a continuation of that. So, Gavin, why don't you give the folks some of your initial thoughts on how they can go about scoping a CMMC assessment?

Gavin Jurecko: Yeah, so hopefully today we're going to give you some guidance on different concepts or different tools you can use to think about scoping your assessment boundary. Scoping is the foundational step in your journey to achieve CMMC level certification, and a properly defined boundary is going to let not only your organization know what is in scope of the assessment but, more importantly, the C3PAO as well. A properly scoped assessment will also help you avoid scope creep by minimizing assets that may not be in scope of the boundary, so you wouldn't have to apply whatever CMMC practice you may have to that asset.

Matt Trevors: Okay, great. So, Gavin, ultimately, don't you think one of the first things the organization should likely address is whether or not they need a single CMMC assessment that goes company-wide, or should they consider multiple assessments?

Gavin Jurecko: Yeah, I think that's a really good first step. Ultimately, you want to look at your enterprise network and answer the question: does everything you do support the DoD, or do you have different lines of business? If not, you may want to try and separate the two, because CMMC may not be applicable to your other lines of business. So first of all, I'd look at what DoD contracts you have, what services you are providing the DoD. Are you providing a special widget for a specific subsystem? Are you developing software? As you start thinking of these services, then you can understand the assets that truly support those services and begin to scope your assessment boundary that way. Perhaps also, since we do have different levels of CMMC relating to different information types, where level one really is trying to protect the FCI, the federal contract information, and level three is protecting the controlled unclassified information, maybe it makes sense to do a CMMC level one assessment on your enterprise, and then for the level three stuff where there is CUI, maybe isolate that off or separate that off into a smaller piece of the assessment puzzle.

Matt Trevors: Right, understood. And I just want to backtrack. I'm going to try to hold your feet to the fire, Gavin, and do the same for me when we use acronyms. So C3PAO is CMMC third-party assessment organization. Again, Gavin, if you catch me, feel free to call me out on that as well. Sorry, yeah, there are a number of acronyms in this. CMMC, Cybersecurity Maturity Model Certification, there's another one, right. So you talked about the various levels and the enterprise network and FCI and CUI, so it can be very wide. There's a breadth to the scope, but they also need to know the level. As we talked about, CMMC is five levels, so when they're scoping their assessment they also need to keep that in mind, correct?

Gavin Jurecko: Yeah, so again, whenever we talk about the levels and scoping the assessment, it shouldn't be a trivial decision that the organization makes. The difference between scoping a level one CMMC certification assessment and a level three is around 110 to 130 practices. So if somebody decides to achieve level one certification, they're required to satisfy 17 practices at level one. If somebody decides to get certified as a CMMC level three organization, then they're required to comply with, or not comply but satisfy, 130 practices plus some maturity concepts. So that's the other consideration. There are no maturity processes at level one, so it's really, do you do these practices, can you show us evidence that you're doing these practices. When we get to level three, we're going to start looking at maturity concepts. So not only are you doing these practices, but how ingrained is it within your organization? Are people following defined processes? Is there a policy from higher-level management that's signed off on and states the direction of the domain or the CMMC program? Don't necessarily chase green, which is to say, don't arbitrarily set a level without doing some of this pre-planning effort. If you truly don't have CUI, then there may not be a need for your organization to get level three certification, and you can be in the level one range. Preparation is key before you go out to get CMMC certification.

Matt Trevors: Right, yeah, and I just want to say, absolutely right. I know we're talking about 17 versus 130. There's also level four and five, right? So in the entirety of CMMC there are 171 practices. A lot of those at level four and five are pulled from 172, NIST SP 800-172, which was 171B previously. So that's really great. And then we're also not really discussing level two, and that is because level two is largely a transitional level, right. They don't expect to award contracts based on level two. Instead, they want to use that so that there's a staggered approach or a tiered approach to achieving level three. So it's not like you're going zero to sixty, from seventeen to a hundred and thirty. As Gavin and I will discuss, there are transitional steps, or there are different ways to measure success, and perhaps if you're at level one aspiring for level three, maybe you start with the practices and processes at level two before achieving level three. So, Gavin, we talked a lot about big muscle movements, trying to determine the breadth of the assessment, the level to strive for. Do you think it's valuable for the organizations to follow a process such as developed by the NIST Cybersecurity Framework, where you define your current profile, then you pick a target profile, and then build a program to get from A to B?

Gavin Jurecko: Yeah, I mean, I think that's essentially the heart of what CMMC intended to do. So rather than some of the requirements that are out there, such as 800-171, where as an organization you must do all these things, let's take an appropriate approach to see what information organizations actually have and set a profile based on that. So in essence, again, level one is FCI, federal contract information, and level three is CUI. You need to have a clear picture of what level of certification you would like to achieve. So some of the obvious questions that you need to answer are: what CUI does your organization have, if any? What FCI does your organization have, if any? The answers to those questions are going to guide you to what level or profile you're going to eventually be at. If you have FCI only, then it's level one. If you have CUI, it's at least level three, but maybe a higher level depending on what contract you're supporting.

Matt Trevors: Great. And, Gavin, with that we have our first audience question. Tyler P.: "Good afternoon from Pittsburgh, PA. Can you address scoping for organizations without current contracts that are looking to get into DoD work?" Gavin, if you don't mind, I'd like to take a stab at this first while you collect your thoughts.

Gavin Jurecko: Sure.

Matt Trevors: So what I would do, Tyler, is I would honestly determine what your company does. Through your mission statement, or you likely know what your company does, and I would try to find an archive of previous RFPs where the government or the DoD has spun those out for contracts, and then go back and see what part of your organization would help achieve that contract. Usually it's difficult to determine what's FCI versus CUI, but if you're creating boot laces, or just providing a commodity or standard components to the DoD or to a prime contractor, then it's likely you'll need a level one. However, if you're into more sensitive, maybe radar systems or other missile or just basically more advanced products, then you may want to consider yourself for level three, four, and five. Gavin, what are your thoughts on that question?

Gavin Jurecko: So I kind of hit upon this a little later, but I think you're on the right track. So looking at the services that your organization does, try and look at what the definition of CUI is. If you look at NARA guidance or ISOO guidance for the defense sector, they do break out what CUI is considered. One of them is controlled technical information, so under that there are engineering drawings, specs, whatnot. I'd then take a look at, kind of what Matt was saying, the sensitivity of what you're providing. Then there might be a barrier depending on if it's a bootlace compared to a specific subsystem of a radar installation. There's not one right answer, but you may be able to tell what's more sensitive or not based on your work area.

Matt Trevors: And we'll touch on this a little bit in a couple of questions, but you really need to determine what parts of your organization... So we started by talking about, do you do a full enterprise-wide assessment, or do you have several enclaves? Maybe you have contracts that you believe are going to be level one, three, maybe even four or five. It's really good to have that stuff documented in data flow diagrams or network diagrams, but I'm getting a little bit ahead of myself. Tyler, great question, thank you very much. So let's move on. Gavin, you and I have both done assessments supporting various organizations. One that comes to mind is the CRR and the CRA, the Cyber Resilience Review and the Cyber Resilience Analysis, where we go out and evaluate critical infrastructure organizations. But we don't do the entirety of the organization; we spend time helping them scope their critical services, and that's how I think of this. Can you help explain to the audience what a critical service is and why maybe it might be the right way to address scoping?

Gavin Jurecko: Sure. So with the CRR and the CRAs, we do not want to go into an organization and look at the entire enterprise. It's a snapshot in time of your cybersecurity practices and your maturity concepts, so we really need to focus on the scoping, and the way we do that is we bring forth the idea of a critical service. A critical service is something that's critical to the success of your organization's mission. It supports the accomplishment of the organization's strategic objectives, and it should be identified, prioritized, and communicated. Oftentimes the easiest ones to highlight are those critical services where you're developing a piece of software or you're developing a subsystem for a larger system, stuff like that. As we focus on those critical services, we can then begin to scope the assessment appropriately by not looking everywhere in the enterprise but just focusing on the assets that support that critical service. Each organization may have these critical services defined in many different places; I think Matt's going to also speak to where some of those may be found.

Matt Trevors: All right, great. Thanks for the lead-in, Gavin, thank you very much. Gavin's right, so I have a couple of other places where I help people during the scoping. If you review your mission statement at the enterprise level, the department level, or even perhaps the information system level, that will give you a good idea of what your critical services are. What I don't want people to walk away with... One thing that we often run into is people will start automatically with payroll. "Payroll is our critical service, because without the payroll system people don't get paid." And yes, that would be unfortunate; however, to your customers and your stakeholders, that is not the reason they engage with you. They engage with you for the reasons stated in your mission statement. Also, for other companies who may be a little bit more sophisticated or be under regulatory guidance, business impact analysis is another good place to go identify your critical services and even critical assets. Those would be really good options for reviewing how you may want to go about scoping your critical services. So, Gavin, we talked about business services. Can you talk about some of the assets that we consider important or that would be within the scope of the CMMC assessment?

Gavin Jurecko: Yeah, sure. So typically when we're talking cybersecurity, everyone focuses immediately on the technology involved, but we also like to consider not only the technology, which is the systems and software that automate or support the service, but also the people that operate and monitor the service. Can they access FCI, CUI? The information, obviously, is going to boil down to, is it FCI or is it CUI? And then also the facilities where the service is performed. So obviously, when you're scoping an assessment, this is a data-centric model, so it all goes back to what FCI or CUI you may have. I know there are some pain points right now with CUI and appropriately labeled CUI, but there is guidance out there, and I suggest you be proactive with truly looking at the information that your organization possesses. As I mentioned earlier, NARA, the National Archives and Records Administration, and ISOO, the Information Security Oversight Office, have high-level definitions of CUI, and specifically that's broken down for different critical infrastructure sectors. Specifically for the defense base we have a couple of overarching categories. One is controlled technical information; some of the stuff, when you do the research on there, it's research and engineering data, engineering drawings, technical orders, technical reports, data sets, stuff like that. I'd take a look at what data you have and see if you can apply it to those sets, and that way you can get a better handle on what you have. Some of the other categories that I see on the site are DoD critical infrastructure security information, naval nuclear propulsion information, and unclassified controlled nuclear information. For any of those, I didn't go down to the detail, but you can click on those and they're going to give you examples of what they consider to be some of their data. So I think it's a really good step to be proactive. I know it's more work, but if you can show that you know where your data is, you're going to have a lot easier time scoping your assessment and limiting the scope of that possible level three assessment to only the assets that store, process, or transmit that data.

Matt Trevors: Right, great. And, Gavin, you just triggered a thought. You mentioned it may be a little bit more work. As Shane mentioned in the intro, part of my background is in software development, or secure software development, and we have a saying in software development that you want to pull requirements to the left, right? That means if you're following a system development life cycle or software development life cycle, such as discover, design, develop, debug, deploy, maintain, dispose, the earlier in the process you uncover those bugs or those issues, the less time, money, and resources it'll cost the organization going forward. So I think that's a very key point: although maybe a little bit more effort now, it may be less effort over the long run. Gavin, what do you think, is that a fair analogy?

Gavin Jurecko: Yeah, I think so. I mean, the more effort you can put into it up front, truly identifying the information you have... I've seen it a number of times over the last couple of months, going into an organization and them truly not knowing where the CUI or FCI is, so ultimately they want to scope the entire enterprise. I think if we try and move the needle away from that and truly get some proactive thought of what CUI you may have, and then begin to trace that through the system, you're going to have a lot better success at appropriately scoping an assessment and passing the assessment, because you can without a doubt then say, this is where the information goes.

Matt Trevors: Absolutely. So we're getting a lot of great audience participation here, Gavin, so I'll go ahead and read a question from Neil G. and then I will turn it over to you. Neil G. says: "Can the boundary for a CMMC assessment be limited to the personnel who handle CUI using email and a storage solution?" So, if you're speaking strictly from a personnel perspective, I would say as long as you can justify your scoping to your C3PAO, then that would be satisfactory. But I don't know that you'll be able to limit... I'm not sure if the question is with regards to specifically personnel, or whether that would be the entirety of your scope. So you can scope it to those people, but it would also include the technology, the information, and the facilities also. Gavin, what are your thoughts on that?

Gavin Jurecko: Yeah, I mean, it's hard to say without having some of the background knowledge of Neil's specific business, but at a high level I think that's kind of where you want to start going with your assessment boundary. If you truly only have personnel that are accessing CUI through email or storing it, and you're not leveraging that or creating something and whatnot, then it would be appropriate to start thinking of where the CUI is in those respects. But that's what I'm getting at as far as what CUI you have: if you can appropriately define where that's stored, you're going to have a lot better chance with the assessor to say, this is in bounds and this is out of bounds, because this is how we use it, or by policy we're doing things this way.

Matt Trevors: Right, great. And then we have a follow-up question from Neil G.: "What is the best way to define a boundary for a CMMC assessment for small organizations with all remote workers using cloud software-as-a-service for handling CUI?" So, Neil, follow the CUI, right? If you have CUI in your email system, or basically, as we've been talking about, or we will talk about, data flow diagrams will help you find the best way to scope your assessment. Gavin, any additional thoughts on that?

Gavin Jurecko: Yeah, so there's currently a lot of work going on to discuss cloud providers and all of that, and it's even something we were going to discuss at a high level later on. But I think the biggest thing that I want to point out here is, just because you use a cloud provider to satisfy some of the CMMC level three requirements, there still is that process maturity piece. So while they may be providing you the technical solutions to satisfy some of these practices, it's still on your organization to be mature enough to plan around this process, define the processes and procedures on how you access the CUI, how you do different configurations of your technology, as well as the policy for each of these CMMC domains.

Matt Trevors: Okay, perfect. A couple more audience questions, then we'll get back to the interview. Brett C., part of his question is: "Is it safe to assume that GFE will be out of scope for an organization's assessment for CMMC?" Gavin, I'm going to say to Brett, I would not assume that anything is out of scope until you can convince the C3PAO that you have appropriately scoped your assessment. What are your thoughts, Gavin?

Gavin Jurecko: Yeah, and unfortunately there are still some decisions being made, where we can't definitively say one way or the other. But again, this all starts with talking with your assessor and letting them know what you have, what other requirements you may be required to meet for GFE equipment. Sometimes that equipment isn't allowed to be updated, or it's an old operating system, because it's meant to support an existing system that's out in the field and you can't. So there are discussions about this in place, but I don't think Matt or I can leave any definitive guidance on that subject today.

Matt Trevors: Right, right. Thank you, Gavin. And then from Rick G.: "How do CUI marking and FOUO," I'm assuming that's for official use only, "coexist, or does CUI guidance replace FOUO?" So, as Gavin and I have spoken about, CMMC largely focuses on FCI and CUI, federal contract information and controlled unclassified information, and what we can say emphatically is all CUI is considered FCI, but not all FCI is considered CUI. FOUO doesn't really come into the vernacular of CMMC, so if it's for official use only, you're going to have to classify that information as FCI, CUI, or another type of data. Gavin, what are your thoughts?

Gavin Jurecko: I'm going to defer to you on that. I'm not a document markings expert, so I don't really have anything to add to that.

Matt Trevors: Okay, okay. So let's get back to the question-and-answer portion of this. Great questions from the audience, thank you so much. You're really testing to make sure that Gavin and I are truly model architects, I think, so thank you very much for those questions. So we've talked about data flow diagrams a little bit, Gavin, in this discussion, and when we talked about us doing CRRs and CRAs in the past, I've always found it extremely helpful to draw a diagram up front as part of the scoping exercise. What are your thoughts on drawing data flow diagrams to help folks scope their assessment?

Gavin Jurecko: Yeah, so it's never a bad idea to have a data flow diagram or a network diagram. I know some of the specific practices that relate to that, having the information flows and the diagrams, may only show up in level three, but it's just good practice to have your network mapped out so you can explain to the assessor what the boundaries may be. A high-level diagram can be worth a thousand words, or as they say, a picture is worth a thousand words. When you're looking at the high-level network diagram, it's not that you must have every single component diagrammed out, but think of it from a system or a subsystem point of view. A system or subsystem is going to have many different components that underlie that subsystem, and maybe a different drawing can show all the details of that, but when you're trying to scope the assessment boundary, you want to look at what can have the FCI, what can have the CUI, and the high-level network diagram that shows, hey, this can only have bidirectional, or this can only have unidirectional communication, or this is segmented differently. Those relationships are going to be super important when discussing these things with your assessor. You want to be sure to include stuff like cloud instances that you use, any type of remote access methods; especially now, with working from home and with COVID going on, remote access has become a big thing, so any of those types of methods you want to point out on these high-level diagrams. Managed service providers, you're going to want to call those out in the high-level diagrams. Make sure that you make an effort to truly show a depiction of what your network looks like, so you and the assessor can have a common picture of what you're going to be talking about for however long that assessment is going to last. You can also then, depending on your organization, break that down in the lower-level network diagrams to show individual components. You can start to include ports, protocols, services, whatever, as you begin to discuss some of those higher-level CMMC practices; you may have to show how you're protecting or dealing with some of those things as well. So again, it's not a requirement at the lower levels of CMMC to have these diagrams, but it's highly recommended that somebody takes the time to appropriately document these things so you and your assessor can be on the same page.

Matt Trevors: Right, couldn't agree more. And I think the analogy of moving everything to the left applies here as well. Just because you don't have to do it at level three or at level one doesn't mean you shouldn't. If you have the bandwidth, I strongly encourage you to take these efforts and bring them to your assessment, because it is incumbent upon you to ensure that the assessor, or the C3PAO, has enough evidence for them to have you be marked as satisfied for each of the practices. So I think it's key that if you do a little bit of extra work, it's going to show that you're more prepared, you're taking this seriously, and you may have the C3PAO at ease. So I think that's great. We have another question from the audience. Chinho K.: "How do you usually deal with FedRAMP environments?" So I think the question is, if they are a company that deals with a FedRAMP Moderate or FedRAMP High environment, how do we treat that? I will say that that is part of our reciprocity initiative, and I believe Ms. Arrington, the CISO for OUSD(A&S), has stated publicly that FedRAMP is one of the primary regulations that we will be mapping to, so that the community has a good understanding of how those two standards relate. Gavin, any other thoughts on that?

Gavin Jurecko: Yeah, so work is ongoing on that. There are specific practices that we expect to be satisfied by cloud instances that are FedRAMP Moderate, and the details of that are currently being worked out.

Matt Trevors: Okay, great. All right, so back to the Q&A. Gavin, one set of terms that I see very often misused is level one, level three, FCI, CUI, with regards to assessments. So I just wanted to take a moment to wax poetic on that for a sec. Level three, as most of you are aware, consists of all 110 171 controls or requirements, in addition to 20 additional ones. Some of these practices ended up at level one through the work of the model architects, so those controls or requirements or practices, whatever term you use, still apply to CUI; it just so happens that they also more directly apply to FCI. So, Gavin, any thoughts on FCI, CUI, level one, level three?

Gavin Jurecko: Yeah, so I'd like to just try and clear up... So CMMC was written as well because not every organization handles the same type of information, and then even more so, not every organization, depending on what they do, should have to satisfy all of the requirements of 800-171. With that being said, one of the principles that we wanted to use for CMMC level one was to relate it to the FAR requirements; that's where we got the 17 practices. So CMMC level one relates to the 17 FAR practices, and a level one organization is required to satisfy those practices. Now when they go to level three, since the model is cumulative, they'll still have to comply with or satisfy the level one, level two, and also the level three practices. What we're trying to say too with the scoping boundary is, just because your organization handles both FCI and CUI, CUI has a higher barrier to entry to protect. So if you choose to get a CMMC level three assessment or certification, you need to meet all the practices at CMMC level three. It doesn't matter if you have commingled data in the level three environment, i.e., FCI and CUI; since it's cumulative, everything would have to be protected using all of the practices. So that's where it kind of behooves an organization to say, okay, well, maybe we do have these different boundaries, and FCI doesn't permeate everywhere. There's lower-sensitivity information, and the barrier to satisfy those requirements is a lot lower. That's where you get into maybe having two assessment boundaries, where you have a level one assessment boundary for your enterprise, and then you isolate the CUI further to do the level three assessment, since there are more practices that have to be satisfied at level three.

Matt Trevors: Right. So, Gavin, what I hear you saying is that they would pursue two assessments, right? It's not like they could do both of those at once. They would likely go for their CMMC level one enterprise first, and then once that is achieved, then they would follow or pursue a CMMC level three for their enclave, correct?

Gavin Jurecko: Correct.

Matt Trevors: Okay, perfect. So while we're on this enclave kick, let's talk a little bit about cloud providers. We've had a question from Chinho about FedRAMP, and you just talked briefly about cloud. How will the use of cloud impact an organization and their scoping of an assessment?

Gavin Jurecko: So I kind of think of this in two ways. You're either going to have a cloud provider or an MSP that has an associated CMMC certification, so whether that's level one, three, or higher, that becomes a little easier to say, then: okay, here's how we use them, they have level three certification, they've been assessed and shown that they meet all these requirements. But then you get into this instance where they may not need to have that certification. So you may be pulling this MSP in, depending on the size, of course; this is all dependent on the specifics of your instance, but maybe they won't have to have a CMMC certification. Then if you appropriately define the boundaries on how they connect to your systems, appropriately identify the people, you can apply the controls to them and make sure, via policy and procedures, that whatever service they're providing you is within your assessment boundary and you're protecting that information appropriately. Maybe it's ensuring that they can't access the CUI, stuff like that. So just because you're achieving level three certification doesn't necessarily mean that every MSP or cloud provider is going to have to have that same level of certification.

Matt Trevors: And we have a couple more questions, Gavin. Another question from Neil G.: "How do you craft boundary diagrams, network and/or data flow, when the sensitive information is being handled at endpoints: phones, tablets, and mobile devices?" And that's a great question. One of the early places I started to build data flow diagrams was in STRIDE threat modeling. STRIDE threat modeling, for those who aren't familiar, is a process that was built in the late '90s by Microsoft, and it stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. You have four different objects on a STRIDE diagram: external entities, processes, data stores, and data connections. So, Neil, what I would do is start to build out a diagram that maybe consists of those four pieces. Then we also talked about technology, information, people, and facilities. With your phones, obviously, they're likely going to use a cellular network, I'm assuming they're not just Wi-Fi, so you're going to have your mobile device management section, and you're going to likely need to have some form of encrypted tunnels, so a VPN running over top of that. It's absolutely doable. You may not want to draw every phone, but instead group them into a logical group for phones, maybe tablets, other mobile devices. It's very, very doable. It may result in a large diagram that you may need to consider... This may be a good opportunity to consider multiple CMMC assessments. Gavin, what are your thoughts?

Gavin Jurecko: Yeah, I mean, I think you're on the right track. There's no right or wrong way to do it, but depending on the size of the organization, the intent isn't to put every specific endpoint, but really, is there a specific aggregation point that they all have to communicate through to get to another portion of the network? That's how you're going to want to start thinking of crafting your boundary diagrams.

Matt Trevors: Right, okay. All right, next...

Gavin Jurecko: Sorry, go ahead. I think there's a question from Scott Deworth: "Is that a change? Our 3PAO did not state we would need two separate reviews for level three certification." I don't want it to seem like I was saying that you need two separate reviews. All I was saying was, if you have FCI and CUI, then the barrier... Even though you have FCI in your level three environment, it still has to be assessed via all 130 practices plus the maturity processes at level three. So depending on your boundary, it may be easier for your organization to say, we only have FCI over here, let's do a level one assessment, and then we have an enclave where we only have CUI, therefore that would be the second assessment. Ultimately it's going to be up to you how you want to handle your certification, but there are ways to maybe lower the barrier of entry, because the FCI does not have to meet as high a bar as the CUI as far as practices.

Matt Trevors: Right. And just to call out, 3PAO sounds an awful lot like C3PAO, but the 3PAOs, and Gavin, correct me if I'm wrong, are the third-party assessment organizations charged with evaluating organizations for FedRAMP, correct?

Gavin Jurecko: That sounds right to me.

Matt Trevors: All right, great. Another question from Chinho K.: "What do you think of the use of G Suite FedRAMP Moderate for the CUI environment?" So I don't think either of us can answer that, Chinho. I think that would largely depend on how the reciprocity mapping between CMMC level three and FedRAMP Moderate fleshes out. I don't really know that we have information beyond that. Gavin, anything to add?

Gavin Jurecko: No, I can't really add anything more to that.

Matt Trevors: Yeah, yeah. Folks, we know that there's still some stuff outstanding. We wish we could give you more definitive answers, but this is a very quick-moving system, and we're trying to get to it as quickly as we can. As you see, the CMMC Accreditation Body is now helping in this effort, so hopefully that will help us pick up the pace a little. So, Gavin, with that, we've covered a lot of ground. Scoping is vital to the success of any assessment; I think we've proven that. Do you have any other gotchas or things people should keep in mind when they're scoping a CMMC assessment?

Gavin Jurecko: Yeah, I mean, I think primarily the organizations that are at level one tend to not have as much experience with implementing some of these requirements. So I hope today we've broken this down, giving you different tools: through the network diagrams, through thinking of what services you provide, not only thinking of your technology assets but also the people that access them, the information, the facilities they reside in, taking a different perspective on how you can think about these and begin to define your boundary. There are a number of self-assessment tools out there that can quickly give you an idea of how far you are from your target. The Cyber Resilience Analysis is a great tool to baseline your capabilities. This is a tool that's available through DC3, the DoD Cyber Crime Center, through DoD, where you can
get an independent third party to give you a fresh set of eyes on how you're doing things a lot a lot of the maturity concepts are included in this tool um so you know i i don't think there's a one size fits all for this um but there's definitely tools you can use to make your life saying we want to assassinate flat network i think there's some tools that organizations may be using and they can leverage to help guide the conversation to the appropriate assets that store process transmit fci or cui great thanks gavin uh you know before we wrap up i just i wanted to commend the audience on some some great questions obviously we understand that there is a fair number of organizations you know upwards of 350 000 companies that may have to adhere to cmmc in one way shape or form i think that's not slated for the next five years to get to that sort of level but i can appreciate the anxiety that people are experiencing as they stare down the barrel of this new uh assessment uh we we went to great lengths to to make sure that uh the practices and processes within the model would help you achieve better cybersecurity outcomes uh in no way was a punitive uh please remember that this was not punitive we're merely trying to help folks establish more uh sophisticated and effective cyber programs uh with that shane uh thanks very much for having us and everyone have a good day yeah again great discussion today and thank you for sharing your expertise matt did mention his blog post early on in the webcast that is in the chat so make sure you guys find that link and and read that blog post as well last i'd like to thank you guys for attending all great questions upon exiting today please hit the like button and share the archive of this if you found value also you can subscribe to our youtube channel by clicking the sei seal in the lower right corner of the video window and that will subscribe you to our channel and lastly please join us for our next webcast which will be on 
october 6th the topic will be threats for machine learning with mark sherman we will email everyone a link to that registration so that's all the time we have for today thanks everyone have a great day you
Info
Channel: Software Engineering Institute | Carnegie Mellon University
Keywords: Government, DoD, CMMC, Cybersecurity, DIB
Id: 5x6JnSOSBYI
Length: 45min 55sec (2755 seconds)
Published: Tue Sep 15 2020