1 hour 17 minutes
prepping for CMMC. Now let's cross over and roll our sleeves up so we can understand the CMMC draft version 0.7 framework.
So in here we're going to review the CMMC domains, and then the CMMC practices, of which in 0.7 there are 173, and then the CMMC levels, of which there are five.
So a broad overview, which is not unlike, let's say, 800-53, the Cybersecurity Framework, or ISO, or even COBIT: they have domains. Access Control is the first domain within the CMMC model, and there is a total of 17.
Then under each domain there are capabilities that reside within those domains, and there's a total of 43. And again, this is in draft version 0.7. And as I stated before, version one will have the final number of domains, capabilities and practices that will be published. And will there be a big difference? I don't think so, but we have to wait and see what those differences are, if any. Additionally, there are nine processes that transcend the five CMMC levels that are measuring how mature you really are with the whole cybersecurity framework.
So, 17 capability domains. And like I said before, there's Access Control, Incident Response, and probably Incident Response is one that, if I was a contractor, I would want to look at closely, because historically I have seen with commercial companies that incident response ends up being a weak area, where they have not adequately defined their incident response program, the people involved, call trees, etc. So make a note of that: incident response. You should double-check and look against some other standards, and look at the 800-171.
Also Asset Management, that is, what software do you have? What type of hardware do you have, and can you account for the software and hardware that you have? Also, then, what policies and procedures do you have in place? Do you have Awareness and Training for your staff on cybersecurity and other security aspects, on social engineering, on emails, fraudulent emails?
Also, with Audit and Accountability, look at your personnel. Make sure that you have segregation of duties, making sure that you don't have one person assigning everything and in charge of everything.
Also Physical Protection. And that is one people always know: my data center, I have to have that protected. But what about the documents that you have? What about your data? Do you have control of your data, whether it's up in the cloud, whether it's on a laptop that is going in and out of the facility? How about as far as securing the data as it is going from point A to point B, whether to a managed service provider, whether it's going out to a subcontractor? Are the subcontractors you're working with careful with your data? Do they understand everything that you are going through, because they are subcontractors, under the same CMMC guidance that you're going through?
What's going to be interesting is, if you're a Level 3 contractor and you have 50 subs, what will be the requirement of those subs? Because the RFP says Level 3, will they all have to be Level 3 certified as well? That's one question that will be clearly defined by the DoD as we go forward. Because do you have a janitor who comes in and cleans up the offices? Well, you have paperwork lying around, computers, etc. around. So what level will that janitor have to attain? These are things that, once version one comes out, the DoD will provide guidance for.
But what I tell a contractor right now is, if you're looking at Level 3, if you plan for you and all the subs to be Level 3, and if the requirements get lessened for the subs, you're in good shape and you're ready to go.
The other thing is, let's go into the different levels. So at Level 1 they talk about basic cyber hygiene. So they want to be able to say that, yes, I am following good cyber hygiene: I watch my documents, I watch my laptops, I watch applications, and I am performing that in my daily activities. Next is Level 2, and you have intermediate cyber hygiene: I documented my policies and procedures, I have those in place, so that I have an IT structure that my people in my firm follow. Level 3, they're doing good cyber hygiene. That means that they have it managed. They have someone looking over the applications, over your domain, over the users, making sure that everything is in check.
Level 4 goes to proactive. So not only are they managing it, but they're doing some proactive reviewing. They are looking for suspicious types of activity that's happening; that could be on their VPN, it could be on the inside of their network by any of the employees, it could be as far as outside, it could be as far as access cards, people coming in and out. Are they making sure that the different vendors that they're dealing with and their suppliers, that whole supply chain that they're in, is being reviewed? And making sure that, if they're now at Level 4 and everything in there, they're handling highly sensitive data, and they have to make sure that up and down that supply chain the ingress and outgoing data is very secure. And then you get to Level 5, which is the advanced, the highest level, where there is a ton of sensitive information within that contract. They make sure that the full cybersecurity controls are in place. If they have managed service providers, they're making sure that they're at the top level of what they can be so that that data is protected.
So in summary, you have Level 1: good basic cyber hygiene. And this is where, in Level 1, the FAR clauses, Federal Acquisition Regulation clauses, have been demonstrated by that Level 1. And currently, in Level 1, there are 17 practices that they have to demonstrate adherence to. Level 2 is that intermediate cyber hygiene. So you have your SOPs, standard operating procedures; you have your IT policy, your cybersecurity policy, your backup policy, incident response policy, and all the plans are established for every practice within your environment.
Let's jump to Level 3. And now you're demonstrating good cyber hygiene. And this is where the 800-171 is effective within your security requirements, so that you know and you manage adherence to your policies and procedures. And you're making sure that all the resources are at the proper levels as far as access to the data for review, and control of your applications and operations.
The next two levels: Level 4. We're getting into this highly sensitive information. So now not only do they have that good cyber hygiene, they're proactive with their cybersecurity program. They're making sure that the activities not only are managed, but they're being reviewed to make sure that management is fully aware of the adherence to the policies and procedures. And they're testing the effectiveness of their program and making sure it's following all those policies and procedures to a T. Also, if there are any sort of issues, as far as any cyber attacks, potential cyber attacks, anything that is out of the norm, it is being brought up to management, and they're fully reviewing the incidents or potential incidents to make sure that their infrastructure is safe.
And finally, Level 5: they've optimized all their capabilities so that they can make sure that they have that advanced persistent threat capability in place. So not only are they making sure that they're protected, they're going one more with it. They have not only the IDS on the firewall, they have the IPS with it. They're making sure that all the standardizations are being adhered to across the organization, that they're working with their subs to make sure that everything is secure, not only with them but everything they hand off. And also they're proactively looking at improvements across the board, making sure the SLAs are being adhered to, working with the vendors as far as updates, making sure that the patching... Patching is so important, to make sure that they are up to date with all their patching and they have a standard process in place to make sure those patches are not missed.