1 hour 17 minutes
Our next lesson in prepping for CMMC: now we'll review the framework definitions.
So in this video you'll learn about the CMMC draft,
the basics of the NIST SP 800-171, which is the privacy data
document, and then we'll look at comparing the draft 0.7 against the 800-171,
and where a FAR clause is coming into effect with CMMC.
So CMMC
currently is reviewing, as far as the accredited third-party contractors that are out there,
and then there are no POA&Ms
prior to going into the bidding process.
Next, there are five specific level requirements in the contract,
and the draft 0.7 has 173 controls.
Now these controls may vary when version one, the official version, comes out, because there was initially a draft for version
0.6 and 0.7, and the number of controls has definitely changed through the versions. So probably in version one there will be changes in the controls.
With the NIST SP 800-171,
the contractor uses that for their self-assessment. If they have a POA&M, those are permitted. They just have to have, as a POA&M
is stated, a plan of action and a milestone to be able to clear that POA&M.
And it's really unclear what's required by the contract right now, as far as what actually details that self-assessment. And with CMMC, there will be further definition and a clear outline of what the contractors must do.
They talk about 143 controls out of the 800-171. Then there's also 800-171 B, which they call Bravo, which gets into the higher
elements of cybersecurity. And those are pretty much reserved for the higher levels, four and five, of the contractor's RFP, so that if you're a contractor and
you are working with the F 45 or with one of the tanks
10 to 1, you'll have to be a level five
contractor with it, because within the RFP it will state
that it is level five only.
So with the CMMC access controls, I'm going to use access controls for the comparison between the draft 0.7 version and the NIST 800-171 so that you can see some of the similarities between them. In each
level they have what they call a practice.
And those are the practices that the contractor is to be satisfying.
And, as you can see with the access controls, they start with P1001, going to P1002, et cetera, all the way to the P1173.
Then if we look at the NIST SP 800-171, their access controls, you can see how similar they are.
This document here actually came out of the SP 800-171, and it further delineates all the different domains that they review.
So with this CMMC, kind of a preview:
it's for the defense industrial base, which is termed DIB. So let's kind of review a bit. Currently, the contractor
is self-assessing themselves. Many times I see that there are some tools that allow the contractor to do their self-assessment.
And also contractors can have a third party come in to do that, to help them with their self-assessment.
So going through this whole process will be changing.
Now instead of a self-assessment, CMMC is setting up a structure to where they must comply and someone will actually be coming in to review:
how well are they secure? Are they really aligning with the CMMC controls, which are reflected in the FAR clauses and also in the SP 800-171 and 171 Bravo? It's with this
change that is occurring
that you have to prepare now, because how you view yourself and how someone else views you could be drastically different. And this is where it's essential that the contractors reach out
and understand what the change is going to be. And when version one comes out, they'll have definitive guidance as far as what they should be aligning to, and when someone comes in to see if they're aligning to what is expected of that contractor.