16 Matching Annotations
  1. Mar 2021
    1. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283

      Noticing a common text structure across all of the NIST guides. Another shout-out to FISMA.

    1. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.

      Definition of FCI

    1. Potential Impact on Organizations and Individuals

      Low = limited; Moderate = serious; High = severe or catastrophic

    2. Security Objectives

      FISMA outlines three objectives around security:

      1. Confidentiality
      2. Integrity
      3. Availability

      The low, medium, and high levels refer to the potential impact the data would have if any of the three objectives were breached.

    1. Approve accreditation criteria for third-party assessment organizations (3PAOs) to provide independent assessments of CSPs’ implementation of the FedRAMP security authorization requirements

      This is similar to the C3PAO model in CMMC.

    2. Federal Risk and Authorization Management Program (FedRAMP)

      Created in 2011 by the OMB in compliance with the FISMA Act of 2002.

    1. The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC);

      System Development Life Cycle.

      Thing to stress: requires a continuous monitoring and reporting system in place.

    2. Executive Order (E.O.) 13800 requires federal agencies to modernize their IT infrastructure and systems and recognizes the increasing interconnectedness of federal information systems and networks.

      People will need to know the requirement to modernize federal IT

    3. OMB Circular A-130, Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII).

      How we have to manage PII

    1. The SEI team dug into the CERT Resilience Management Model (CERT-RMM), the SEI's foundational process improvement approach to operational resilience management.

      People will need to know the process maturity approach derived from CERT-RMM.

    2. Process maturity is stickiness, or how well the technical practices are embedded in the organization.

      Definition of process maturity. History of CMMC.

    3. retain all the practices from NIST 800-171, and find a way for DIB members of varying cyber-sophistication to participate without POAMs.

      History of CMMC: two requirements and the connection to NIST 800-171.

    1. publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.

      Find the FISMA Act.

  2. Dec 2019
    1. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.

      Only 1%! Yikes!