1 hour 17 minutes
Prepping for CMMC now.
So let's roll our sleeves up one more time and look at the structure of the draft CMMC version 0.7 framework. We will review the CMMC distribution at each level, the capabilities at each level, the practices that are under each of the capabilities, and then how the access control practices can be demonstrated.

This graph shows you that at level one, at least within the 0.7 framework, there are a total of 17 practices. Right now, 15 of those come from the FAR, or what they call 48 CFR 52.204-21. Then, with NIST SP 800-171, 17 of the controls can be related back to all 17 practices. When you get to level two, now you have 55 practices, of which you have 48 from NIST SP 800-171 related back to the practices. Then with level three, you have an additional 59 practices, 45 arising from 800-171.

Now, at this point, you wonder: well, where did they get the other information from? If they aren't in the FAR and they aren't in 800-171, you'll see as we go through that they used additional cybersecurity frameworks. One was from Australia, another was the UK. They also looked at the Carnegie Mellon structure and CIS.

So, level four: now there are only 26 practices that were added, and 13 came from NIST SP 800-171B (Bravo). And then at level five, 16 practices were added; only five came from 800-171B.
So when we look at the domains, we had laid them out before, where we talked about access control, incident response, infrastructure, etc. Here we have a layout of the capabilities and practices under each one, and you'll notice that some may only have one; others have multiple within them.
So let's look at access control as an example of how you can envision what version 1.0 will look like. And this is the draft, the 0.7. So on it, you have the access control domain, and the capabilities that you have are: establish system access requirements; you want to control your internal system access; then you want to control remote system access; and then number four, limit access to authorized users and processes.

And typically, when I go into a client, commercial company, or agency, this is probably the one area that an assessor (and I know I always do) stringently looks at, because as people are hired and as they're terminated, this is a well-known potential area where authorized users may not be removed in a timely manner. Also, as authorized users get promoted or move from one department to another, their access may not be appropriately updated or removed from a certain application or area.
In access control, this is a critical area because this is about your users. How do you control your users? Because remember, we talked a little bit about the insider threat, and that's where you can have a disgruntled employee who could be going through a divorce, bad times at home, or just going through rough times in general, and they decide to take it out on you, your company. And this is where a person may have been with a company 10 or 15 years (and there have been plenty of stories like this), and all of a sudden something happened and they decide to get back at the company, or maybe somebody else within the company. And this is why you've got to make sure your user access controls are tight.
So again, looking at the first practice, P101: limit information system access to authorized users, processes acting on behalf of authorized users (such as an application that will be acting on behalf of an authorized user), or devices. That's for protection of the application and other devices that you have out there. You could have monitoring devices, backup devices. So you want to make sure that all of those users are authorized, making sure that when you put a new system or device in, the old one was removed, so that no one can capture that user of that device or system and use it for a hacker's purpose.

And if you notice, for P101 they will list the various other cyber frameworks out there that they used to make up P101. So there's the FAR clause, they have NIST SP 800-171, then they have the Australian framework; they looked at all three to be able to come up with that practice. And if you go over to level two, it's P105, and that's provide privacy and security notices consistent with the applicable federal contract information rules. And that comes directly out of 800-171. And if you notice, they're joined together, where you have P101 and P105. So at level one, they have the limit access; if you're at level two, not only limit access, but have those notices. And then also at level two, they add another one: limit use of portable storage devices on external systems. So are the USB ports controlled? And again, that comes out of NIST SP 800-171.
So you'll see, as you migrate up from level one to level two to level three, four, five, some of the practices can be unique to the level. Some can be built on a practice from a lower level. You'll see somewhere there's a level one, level two, level three, level four, and level five practice that builds from the base all the way up to being proactive.