You can't have NIST SP 800-171 without the 800-53 that came before it. In today's episode, Bobby sat down with FedRAMP expert, Karen Stanford, to discuss the connection between the two publications and how you can use this to your advantage when preparing for an assessment. Many of the 800-171 controls can be traced back to 800-53 and it helps give more clarity to the requirements. We hope you enjoy today's episode!
Karen's LinkedIn: Karen Stanford | LinkedIn
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:12] Hello again everybody, we're joined today by Karen Stanford. Karen, thank you for joining us.
[00:00:17] Yeah, my pleasure.
[00:00:18] Okay, so for those of you who may not have watched Karen in our previous recorded episodes that we've had with her, we've been very lucky to have her on the past.
[00:00:28] Karen is a veteran of 800-53 and FedRAMP experience. How many years have you been wrestling in that space?
[00:00:37] Well, since it came out, like I remember when it came out, it was 800-26 was its predecessor and it's interesting from the context of CMMC in that it was self-assessment.
[00:00:47] So 853 is the first independent assessment and it was like 2006 or something like that. So it's a long time.
[00:00:55] And so the reason why we wanted to have Karen come back and join us today is we wanted to talk about the connectivity between 853 and how, for those that may not know, think of 853 as the granddad, the grandfather of what 800-171 was used to be made from.
[00:01:14] So they tailored it is the term they use and they took the 853 controls, the moderate baseline, and they boiled it down to the requirements.
[00:01:23] Their objective was, is what kind of things could we extrapolate out of 853 to control and protect controlled unclassified information?
[00:01:32] And so that's how we ended up with 171, but you can trace it back to 853.
[00:01:38] And a lot of people that have had a lot of experience with 853 talk about how you can do that tracing back to get a much better understanding of what their objectives are when they're trying to enforce that through that.
[00:01:51] And I thought nobody better than to bring Karen to talk about how you can kind of walk that path.
[00:01:57] And so Karen, thank you so much. I'm super excited about this one.
[00:02:01] Me too. Me too. I'm excited about the topic.
[00:02:03] So what we're going to do is we're going to, we're going to try to walk that journey.
[00:02:07] We're going to start with some controls in 800-171 and we're going to show you how you can trace it back to 853.
[00:02:13] And then if we have enough time, reverse back again so that you can see how that is.
[00:02:18] And then see how sometimes people kind of go off the rails because if they're looking at the specific verbiage of some of the things in 800-1,
[00:02:25] if you follow it back to 853, you can start to understand a little bit more context and perhaps have a better interpretation about how those controls can be met.
[00:02:35] Absolutely.
[00:02:37] So do we want to start, I think the control we were talking about is remote access.
[00:02:43] So should we start maybe by looking at the control requirements from the CMMC requirements, which is 800-171-R2?
[00:02:50] Yep.
[00:02:51] Yes, let's do that. So what I'm going to do is share my screen and I'm going to show you the 800-171-R2.
[00:03:01] This is, y'all have to be a little patient with us. We're going to be using a lot of numbers and things in this situation, but that's the breaks.
[00:03:09] That's how it is when you're dealing with CMMC and the requirements.
[00:03:11] But what you would want to do is browse and do a search for 800-171.
[00:03:17] There's two different documents that are very important.
[00:03:19] There's the 800-171 and 171-Alpha.
[00:03:23] We're going to be bringing up just the 800-171 because there's an appendix that shows you the tailoring that happened from the 853 so you can trace it back.
[00:03:33] So that's what I'm going to show on the screen right now so that you can see what's going on.
[00:03:38] If you're just listening on a podcast, we'll try our best to interpret and tell you what we're doing.
[00:03:45] We'll try to read what's on the screen for you guys.
[00:03:46] So if you're looking at our screen that we're sharing, or Kaleigh might throw it up for just a second for you to see, we're looking at 3.1.12, which is monitoring, controlling, remote access sessions.
[00:04:02] And then right here, Karen, you see it's referring to this section, this column.
[00:04:07] Can you talk a little bit about this and what's going on here and what we're seeing?
[00:04:11] Sure.
[00:04:11] So on the left, what we're seeing is the requirement for the 800-171.
[00:04:15] And this is R2 because that's what's in scope for CMMC.
[00:04:18] And then that column right to the right is the specific control in its parent framework, which is the 853.
[00:04:26] So it's saying AC17 enhancement 1.
[00:04:28] So what this is doing is bringing down the requirements from the 853 and saying this is a control that's important enough to put in the CMMC framework.
[00:04:36] So that control enhancement and only that control enhancement is brought down.
[00:04:42] So it's interesting for this one that you don't actually see the parent requirement AC17 brought down, just AC17 enhancement 1.
[00:04:50] And so the requirement for AC17 is related to remote access.
[00:04:55] But this is basically in the 800-171 R2 is just saying you need to make sure that whatever remote access mechanisms you're using, you are controlling and monitoring them.
[00:05:06] So that's, you know, it's a little bit more simplistic than what we would see in the 853.
[00:05:12] So should I go to this AC17?
[00:05:17] Yeah, so yeah, let's look now at AC17.
[00:05:22] And this tool I'm showing, you know, you guys are showing, but this is a fantastic tool.
[00:05:28] And I did want to cover it a little bit.
[00:05:29] If you could scroll up just a little bit, I want to show the top.
[00:05:32] But this is NIST Cybersecurity Privacy Reference Tool.
[00:05:35] And in it, you can see there's some breadcrumbs right under that title.
[00:05:41] CPRT, NIST 853, Rev 5.1.0, AC, AC17.
[00:05:45] So all of the controls are available through this interface.
[00:05:48] And what I like about it, if you could scroll down just a bit, is that it will show which controls are in scope for which baseline, all in one place.
[00:05:57] And it also enables you, if you go to the, Bobby, if you could click on the 853A assessment procedure, the blue tab.
[00:06:07] So this will show you what your assessor, if you're doing an 853 or a FedRAMP or a FedRAMP equivalency assessment, this is what your assessor has to do.
[00:06:14] So you can both look at the requirements and the assessment procedures, as well as figure out which enhancements are in scope for your baseline.
[00:06:21] So Karen, one of the things that I think is really helpful is we can look at the 3.1.12 on the left side of this screen.
[00:06:30] And then you can see the AC17 root control here.
[00:06:36] And the discussions, as you can see, they're very similar in their verbiage and wording.
[00:06:42] So you can really kind of see that inheritance that's happening.
[00:06:45] And then if you look at that chart in 171 that shows those, you can see AC is all throughout.
[00:06:55] That AC17 is all throughout the 3.113 on the 171.
[00:07:00] And so can you maybe talk about how this connectivity from the AC17 is coming over and bleeding over into this control in the 171 of 3.1.12?
[00:07:10] That's a lot of numbers.
[00:07:11] I'm sorry for everybody hearing that.
[00:07:13] But I think it's really important to understand where this inheritance is coming from.
[00:07:20] Obviously, you have to meet these on the left.
[00:07:22] You've got to meet the 171 for your CMMC compliance.
[00:07:26] But sometimes you can look at these on the right over here in the AC family in the 853 and just have a little bit better knowledge of where things are coming from.
[00:07:35] Yeah, I think it's a great thing to look between the two because in these discussion points, which you will find what we're seeing on the left is the CPRT tool.
[00:07:44] You'll be able to click through and read all those discussions.
[00:07:46] And they're also in the PDF files.
[00:07:50] So that discussion point, you know, a lot of times you're just working off of a template that's just listing the controls or you're in a testing spreadsheet that's just listing the controls and the assessment steps.
[00:08:00] This discussion tells you a little bit what they're talking about.
[00:08:02] And it can help rule some things in or out of scope.
[00:08:05] So like remote access is one where like in the cloud, it's kind of all remote access.
[00:08:11] But it talks a little bit through in the one for 853.
[00:08:18] It talks explicitly about the types of access being, you know, dial-up access, broadband, wireless, et cetera.
[00:08:24] So if you're not quite sure how to implement, you know, what are we talking about with this specific control?
[00:08:29] What qualifies as remote access?
[00:08:31] That's where you can go to the discussion points in the 853 and get some more information.
[00:08:37] And I think for the discussion points for the 800-171 are largely the same.
[00:08:42] You know, again, they're talking about local sessions versus remote.
[00:08:46] So they're trying to help the user understand what's the difference between a local session and a remote session and the discussion points on the 800-171 a little bit.
[00:08:55] All right.
[00:08:55] So I'm going to put you a little bit on the spot here and just, you know, shoot as straight as you feel comfortable sharing out publicly.
[00:09:02] But if someone during a CMMC assessment, we're not talking about a FedRAMP assessment.
[00:09:10] We're talking about a CMMC assessment.
[00:09:12] If they were talking to you and they said, this is what we're doing for our way of addressing it.
[00:09:19] And we also looked at the 853 and based on what we're seeing from both of those, this is how we are implementing it.
[00:09:29] Is that a problem or is that a good thing?
[00:09:32] Like, how would you look at that?
[00:09:33] That is fine.
[00:09:33] I mean, if you, I think that, I mean, you can, so I guess the risk of using the 853 would be potentially that you could over-engineer and you could assume some things are in scope that aren't.
[00:09:46] And, you know, for this one, it's not maybe the best example, but there's others where you could assume if you're going off the 853 that you have to do more than you would for the 800-171.
[00:09:59] So there's federal FISMA data handling requirements that you're going to see in the 853 that aren't applicable for the 800-171.
[00:10:07] An example would be like confidentiality, sorry, not confidentiality, availability.
[00:10:12] So 800-171 doesn't have any control requirements related to availability.
[00:10:17] So, you know, you could potentially, you know, engineer solutions that are addressing availability where it's not required under this framework.
[00:10:24] So that, you know, that's a risk.
[00:10:26] But other than that, I mean, it's not going to be less secure.
[00:10:29] So as an assessor, I don't mind seeing it.
[00:10:33] If I'm doing consulting, I'll tell them this is the minimum.
[00:10:37] You know, if you want to do that, that's fine, but you don't have to.
[00:10:40] Well, I think sometimes where I use the 853 is just to have a little bit more context of what they might be thinking about, but not necessarily going to the extent that may be defined in there.
[00:10:52] But it helps me also become a little bit more prepared that if an assessor said, I think you might need to do these types of things, I can be a little bit better prepared on how.
[00:11:02] Yeah, there's a great example of that in this space where I think a lot of people are using data loss prevention as a compensating control because they have BYOD or they're allowing work from home.
[00:11:16] And, you know, it's fine to use data loss prevention in your solution if it is to, you know, if it's part of meeting the control requirement for this, you know, for that specific control set.
[00:11:27] But it's not a direct requirement mapped down from the 853.
[00:11:32] So like data loss prevention in the 853 is a control under the, I think it's SC-7(10).
[00:11:38] And that's not even in scope for a high baseline for the 853.
[00:11:42] So data loss prevention is not a requirement.
[00:11:44] But I think that with everyone being, you know, acting in an abundance of caution and seeing that this is being implemented for some solutions, they've now interpreted that as a requirement.
[00:11:55] So if you are talking to an assessor or to an RPO and they're saying to do this and you're like, really, I don't know that we need to do this.
[00:12:04] If you can go and find that control in the 853 catalog and it is not brought down into the 800-171, that's your way to say.
[00:12:12] But that's not explicitly required in this framework.
[00:12:15] I think that's a great example because DLP is a great solution in helping you enhance your access control and controlling that data.
[00:12:23] Because especially when you're saying, I can leverage a DLP solution if we just want to stay generic.
[00:12:35] But rights management for Azure is an example of that to where you could say these types of labeled files, the way that they're set up with sensitivity labels and other types of mechanisms.
[00:12:47] This data now is being controlled by access.
[00:12:50] Like it knows who you are based on how you're having that.
[00:12:53] And then you can do those types of things.
[00:12:55] But it's not specifically called out that you have to do DLP, but you can enhance it through that way.
[00:13:03] Or, you know, yeah, there's a lot of requirements that if you go up and you uncover the source, you're like, oh, you know, it's not actually an explicit requirement.
[00:13:13] So I think that, yeah, if there's concerns, like if you're happy to do something or if it's just configurable in a tool you're using, yeah, sure, go ahead and do whatever people are recommending.
[00:13:23] But if it comes down to if you're not sure if you need to do it and it's going to cost money, it's worth looking at the 853.
[00:13:31] You know, because if it's listed explicitly as a requirement that's not mapped down to the 800-171, then don't make that purchase.
[00:13:40] Well, and I think it also comes down to defining all 320 assessment objectives in your approach for CMMC.
[00:13:49] How are you going to do those and define those?
[00:13:54] And if you're not sure how you're attacking it or you're not sure the context of how you could layer better, I think that's where this walk method could be a huge help in trying to understand some other ways.
[00:14:08] Yeah, especially for folks who are like new to cybersecurity, folks who are in the defense industrial base in particular who have no, you know, like for a lot of the folks who have been in the federal space forever, all this makes sense because they've done it forever.
[00:14:23] Right. But when 853 first came out and I was in the space, then there were a bunch of us who sat in a room and we were trying to because the A hadn't come out yet.
[00:14:34] Right. So we were trying to come up with assessment procedures and the fights that we were laughing over the meaning of the control were crazy because, you know, it lends itself.
[00:14:43] It's open to interpretation a lot of different ways, you know, so everyone in the DIB is dealing with that right now.
[00:14:50] So if you if you want to know explicitly what exactly are they looking for us to be doing here, that's where you want to head to these discussion.
[00:14:56] Based on your experience and being there in the infancy of FedRAMP as it was kind of launching and then you had the 3PAOs for those that aren't aware, it's a different acronym than for CMMC because you have C3PAOs for the CMMC assessment and you have 3PAOs for FedRAMP.
[00:15:16] Yeah. And can you maybe show or share some experiences of how it that equilibrium process kind of played out in the first few years?
[00:15:29] And maybe perhaps we might be able to read a little bit of the tea leaves of how that might play out for CMMC.
[00:15:36] From the perspective of how did the independent assessment body evolve for FedRAMP and CMMC?
[00:15:41] Right. Yeah.
[00:15:43] Yeah, it was interesting. I think I mean, the.
[00:15:45] The route to get FedRAMP was really different, I think.
[00:15:48] I think. And again, this is like a long time ago, you know, at least 10 years.
[00:15:54] But I think you had to respond to an RFP and you had to get an award through the government to be a 3PAO.
[00:16:02] And now they have moved that out and there's an independent body governing it.
[00:16:06] So I think that's CMMC kind of just went that route initially.
[00:16:10] Right. They didn't issue an RFP and you had to apply to be a 3PAO.
[00:16:15] So that's a difference. But I think that there are, you know, it's going to be an evolution.
[00:16:20] It was hard to be. I was at one of the leading 3PAOs from inception.
[00:16:25] And it's hard to get folks who have the experience to do that level of testing for one thing.
[00:16:34] And so I think that's going to you know, we're kind of seeing that with CMMC as well, where the stakes are high, zero tolerance, you know.
[00:16:41] So hiring is hard. It was hard to scale up because you need to go from having one team to maybe needing five teams, you know, in not very much time.
[00:16:53] But also I think that I would really like to see the CMMC space learn a little bit about, you know, look at what FedRAMP has had to publish on its marketplace with respect to guidance, because we all need that.
[00:17:05] The CMMC space, you know, like there's a bunch of questions you need answered.
[00:17:09] And that didn't exist for us in FedRAMP initially either.
[00:17:12] It was, you know, you could send a question, they would answer it to the best of their ability, but it didn't help the rest of the world.
[00:17:18] So I think it would be nice if CMMC could get to the point where they have everything you need to know, you can find in the resources section of the CMMC website.
[00:17:29] That would be great. But I watched that evolution happen from everyone not knowing, word of mouth.
[00:17:35] You know, I heard that this and that, we went through that with FedRAMP and eventually they just had to kind of, you know, formalize a communications method.
[00:17:43] So I think that that'll be a change that we hopefully see based on the need.
[00:17:48] But it's yeah, I feel like it'll go very similar to the way FedRAMP went.
[00:17:53] All right. So, Karen, let's now kind of go in a different direction.
[00:17:57] So if we look at the AC17, the requirements those have and how they would port back in through that direction of what kind of requirements you would want to see in the 53 and then how those can then be translated into 171.
[00:18:14] Sure. So one of the things you need to do for the AC17 is define the types of remote access.
[00:18:22] So for this, you need to look at your information system and see are we using a VPN?
[00:18:28] Do we have any zero trust network access in place?
[00:18:31] Do we have any folks who are SSHing in? Are we using virtual desktop?
[00:18:35] So there's a whole bunch of different ways that you could facilitate remote access.
[00:18:40] So you need to understand what those are.
[00:18:43] And then you need to define usage restrictions for those specific ones that you've defined.
[00:18:48] And this would be for the 8173.
[00:18:50] So, you know, examples might be if you're using a VPN.
[00:18:54] Well, some of the requirements you're going to automatically have from the 853 framework, like you should be using MFA because that's a distinct requirement.
[00:19:01] But you probably should be using role based access for your administrators or anything coming in via remote access.
[00:19:08] So some of this is already built in.
[00:19:09] But you can also do things like time based restrictions where you aren't going to allow users in between certain hours overnight.
[00:19:16] Or you could do, you know, geo location services.
[00:19:21] So like nobody from Russia is allowed to come in.
[00:19:23] You can also ensure that your devices, your VPN connectivity is ensuring that the end unit is compliant with the security requirements.
[00:19:31] So whatever you have in place, you want to document those usage restrictions in your system security plan or your policies for the 853.
[00:19:41] And, you know, then in the 853, there's the requirement to document the configuration or connection requirements.
[00:19:48] And for this, this might be, you know, if you're using a web based session, are you using TLS 1.1 or TLS 1.2?
[00:19:57] What are the cryptographic algorithms?
[00:19:58] So based on the requirements, it wants you to come up with the specific configuration connection requirements.
[00:20:05] So using SSH2, you know, maybe prohibiting RDP or whatever you want to do related to remote connections, you know, prohibiting or explaining how to configure or what the requirements are.
[00:20:18] So you also need to document that.
[00:20:22] And a lot of that is thought through in the scoping process, right?
[00:20:25] It is.
[00:20:26] You're thinking about that and about how you would tell the story and how you would validate your approach.
[00:20:31] And this is an example when you said earlier of how it all ties in and there's so many references to other controls because this is where, you know,
[00:20:39] you have to do MFA for remote access under a different control in the 853 framework.
[00:20:43] But here it's going to, you know, wants to look at what you've defined and your assessor will go validate it.
[00:20:49] And, you know, you'll also find for some of the technologies you're using for FedRAMP or for 853 FISMA, you might, you know,
[00:21:00] you might hit them all by complying with a configuration guide like CIS benchmark or DISA STIG.
[00:21:06] So, you know, there's layers of this, but this control is basically saying you need to do all these things to have a secure remote connection.
[00:21:13] And we want you to document these because that's going to be part of the assessment.
[00:21:16] Now, let's dive a little bit further into the discussion.
[00:21:20] I've seen, and Ron Ross has talked about this personally, about how some people have taken the discussion as gospel in their interpretation of how it must be completed.
[00:21:32] Can you talk a little bit about that and how sometimes people get wrapped around the axle about those things?
[00:21:37] And that's something that happened with the, like when you said the comparisons between the 3PAOs, the comparisons between the framework, same thing happened there.
[00:21:45] So none of these have ever been designed to be rigid.
[00:21:47] And that's why they're subject to interpretation and people argue about them.
[00:21:51] And, you know, I can't speak for Dr. Ross's intent, but there's always been in the 853 the option to evaluate the risk as it's presented.
[00:22:01] So are there compensating controls?
[00:22:03] Is there anything to offset the risk?
[00:22:05] Is this in an isolated subnet?
[00:22:06] Is this not a public facing system?
[00:22:09] So I think CMMC with its rigidity and its inability to have anything has folks, you know, probably over-testing and over-hardening themselves.
[00:22:21] But the intent really, I think another fault of CMMC is that you don't have to write in this framework any risk statement.
[00:22:30] So in the 853, if I issue a finding that says that you aren't monitoring your remote access, I have to say what the risk is.
[00:22:37] So the risk would be that you have unauthorized people who are coming in on your system.
[00:22:41] So that gives you an understanding as to what you really need to be looking at.
[00:22:45] So if you don't understand the risk the control is addressing, you don't know what to look at to say it's a compensating control.
[00:22:53] So for me as an assessor, I need to look at the risk.
[00:22:57] And the risk is, do you know who's coming in and out of your system via remote mechanisms?
[00:23:01] And if I can get a good understanding as to what that is, it's not a checkbox thing.
[00:23:06] You know, like there could be multiple different layers of ensuring that this is okay, especially with cloud and there being a number of different tools.
[00:23:14] It's not good to be rigid in your interpretation.
[00:23:18] You're just not doing anyone any favors.
[00:23:20] And the ultimate question you should be asking is, what's the risk here?
[00:23:25] There's a control requirement that they've asked for.
[00:23:27] And so there must be an associated risk.
[00:23:29] And the question for you as an assessor is, is that risk real for this organization or has it been somehow mitigated or somehow addressed?
[00:23:38] So, yeah, I'm not a big fan of rigid interpretations.
[00:23:41] Well, I've seen some people go, well, because this isn't the discussion, I have to use a VPN.
[00:23:46] You know, I've got a client who created a VPN for that purpose.
[00:23:50] And yeah, so that is unfortunate.
[00:23:54] But I think part of it is an outshoot of everyone being overly concerned because of the zero tolerance.
[00:23:59] Whereas in the 853 risk management framework, you can say this is an alternative implementation.
[00:24:05] You know, we're not able to patch this, but it's completely air-gapped in an isolated network.
[00:24:08] And so then somebody gets to decide, OK, I'm good with that.
[00:24:12] And that's, you know, because there's no in the DOD, there's no risk executive function.
[00:24:17] There's nobody to do that.
[00:24:18] And so they're saying nothing, you know, nothing is no deviations allowed, which means that people are getting rigid and overinterpreting.
[00:24:25] OK, so in here it has the assessment objectives.
[00:24:28] But in Charlie and Delta, it talks about controlled and monitored.
[00:24:34] And you see those terms also utilized in 853.
[00:24:39] Can you talk a little bit about the different typical terminologies that you see in these repetitively used kind of a NIST speak?
[00:24:49] And like how that can help people get a better idea of what that would translate, because I think Ryan Bonner said it really well.
[00:24:59] He said that these NIST controls are written in such a way that they're definitely afraid of referring specifically to a technology.
[00:25:09] They wanted to write it in such a way that it was ambiguous, that it could have multiple meanings so that you can use different technologies to accomplish the same things.
[00:25:17] So can you maybe sort of talk about these NIST speaks that you see here in this assessment objectives and then maybe try to translate it Rosetta Stone wise to what's maybe some technologies and ways that people could accomplish these things?
[00:25:32] Sure.
[00:25:33] So if we look at this, I think the first one has in particular caused some concerns.
[00:25:38] But I think the intent here for 3.1.12 is that what you're supposed to do as an assessor is to look at 3.1.12a not as a requirement, but as an if-then statement.
[00:25:49] So if remote access sessions are permitted, you should identify the types and then you should control and monitor those types.
[00:25:56] Right.
[00:25:56] So there's no real requirement to force remote access.
[00:25:59] Sometimes there's no need for that.
[00:26:00] But if it is as an assessor, you want to know what is it?
[00:26:03] So do you have a jump, a bastion host set up that you're SSHing into some hosts?
[00:26:09] Are you all coming in via a management web console?
[00:26:12] Are you coming in via RDP?
[00:26:14] Are you coming in via VPN?
[00:26:17] So your SSP should say what you're doing of all those types.
[00:26:21] You know, there could be other types as well.
[00:26:23] But, you know, write down the types you're using and then, you know, that's the next requirement that you've identified them.
[00:26:30] So the best place to put that is in your system security plan.
[00:26:33] So you could indicate, you know, our users will come in via VPN or they may initiate a remote desktop session to the CUI enclave.
[00:26:44] Just identify those specific types.
[00:26:46] And then your assessor is going to look at the next two and say, how are they being controlled and monitored?
[00:26:51] So this is where if it's a VPN, you might say, you know, some of the requirements may actually already be in here.
[00:26:57] But, you know, there's a requirement in both of these frameworks to have multi-factor if you're doing remote access, right?
[00:27:02] So are you doing the right things for that remote access session?
[00:27:06] Are you using FIPS validated if that's the requirement?
[00:27:10] So you want to ensure that whatever mechanism you're using for remote access is controlled.
[00:27:15] And so that would, you know, that would be what they would do for C and then monitored is the second part.
[00:27:21] So you would look here for how they're doing it.
[00:27:25] If it's a VPN, sometimes there are tools integrated into the VPN or the firewall itself to enable you to do that.
[00:27:32] But ideally, you want to export those logs into a SIEM or something where you can see who's coming in, where they're coming in from.
[00:27:38] And this is an example if you are like, okay, I need to do, you know, I know they're going to test me for D.
[00:27:44] What do I think would be good?
[00:27:46] That's where you can go back to the 853A or perhaps the FedRAMP where you can see specific parameters on what they want to see recorded for remote access sessions.
[00:27:57] You don't have to comply with it.
[00:27:58] But if you're wondering, you know, what would be good enough, it's going to be that.
[00:28:01] So for, you know, for controlling it, you need to ensure, for example, if you're using a VPN that you're forcing the multi-factor, you need to use FIPS validated.
[00:28:11] You may have some additional requirements related to the VPN.
[00:28:15] It might validate that your virus protection is up to date or whatever.
[00:28:18] You know, so there could be you need to define what you're doing for the controlling and then your assessor will go in and assess it.
[00:28:26] And then for monitoring, you know, we would expect somebody who is responsible for monitoring remote sessions to be able to show us some events.
[00:28:35] Like, can you show us some events of people who are trying to get in after hours or repeated attempts to get in?
[00:28:41] Can you show us people who are trying to SSH into your system remotely?
[00:28:44] So that's the kind of stuff that we would want to see demonstrated as being recorded so you can keep your eye on it and understand if you're under attack.
[00:28:52] And some good tricks is trying to centralize your identity management through your access points.
[00:29:01] So, for example, if you are using a VPN, can you have your VPN leverage your identity management solution in a more central fashion?
[00:29:09] Like, for example, when you go to log in, can you call back to Azure Active Directory to validate who that person is?
[00:29:17] And then the sign-in process natively inside Azure can then grab that and you can start to identify.
[00:29:24] And then you have additional logs that are natively built in.
[00:29:27] There's a lot of things that you can do from a technical perspective that help you out.
[00:29:33] There are.
[00:29:34] And I love when anyone integrates their ID, you know, because, especially in FedRAMP, we have to assess... it's not just someone who's coming into your information system as a user.
[00:29:46] It's also your back-end users.
[00:29:47] And some of those back-end users are SSH-ing into a RHEL host on the internet, right?
[00:29:51] So that's still remote access.
[00:29:53] And so we have to assess all of it.
[00:29:55] And if they have it integrated with single sign-on, that means we don't need to, for example, ensure that your credentials are going to lock out after a certain amount of time, which we have to do for all of the types.
[00:30:07] So integrating with any identity provider is really good for your assessor and will provide you the assurance that you do have that one-stop shop to go look to see what's this anomalous user activity.
[00:30:19] You don't need to go, hey, well, someone SSH-ed into our Ubuntu host over here and did something really malicious.
[00:30:25] You don't need to think about that.
[00:30:27] You can just look at your one, you know, your one source for all that.
[00:30:30] Yeah, and I think that that starts to come down to the art of utilizing technologies that layer and make your job easier.
[00:30:40] Because if you can utilize technologies that check multiple boxes across multiple controls to – it makes the assessment job easier for you as an assessor, right?
[00:30:50] But it also helps provide better visibility and other things like that.
[00:30:57] It does in that, you know, all of these security requirements are designed to provide you with that level of assurance.
[00:31:03] And if you can have anything that gives you more of a single pane of glass, you're able to keep your finger on the pulse of your security, of your system, you know.
[00:31:12] So I'm a big fan of things that are going to, you know, consolidate requirements into one technology.
[00:31:19] So I think having good seasoned people like yourself that you can talk to that have an experience and have seen audits happen and have seen scenarios of people utilizing technologies and other things like that can be a huge help as well.
[00:31:32] Yeah, I think that I learned the most in my FedRAMP career by working with top-notch shops, you know, like name brand shops where this is what they did to address this problem.
[00:31:42] So, yeah, there's ways, there's creative ways to do all of this.
[00:31:47] And I think that, you know, what you should be looking for is somebody who can do it for you with a minimal viable product in a cost-effective manner.
[00:31:54] Yeah.
[00:31:55] Wouldn't that be nice to be able to –
[00:31:57] I know.
[00:31:58] Well, I mean, a cost-effective manner for you in that they're not saying buy this suite of 9,000 tools.
[00:32:03] Yeah.
[00:32:04] You know, that's not really going to help you.
[00:32:07] I mean, you'll probably be fine, but you could get there with less money spent.
[00:32:13] Karen, thank you so much for taking time out of your day to share this.
[00:32:16] The amount of wealth and experience you have with 853 and FedRAMP and then flowing that into CMMC, I've just always – it's been such a joy every time I talk to you.
[00:32:27] I love talking with you as well to get the different perspective about how confusing this is.
[00:32:32] It's gotten really confusing.
[00:32:34] Yeah.
[00:32:35] And hopefully we haven't confused anybody by using so many different numbers and different platforms.
[00:32:39] And acronyms.
[00:32:40] Yes.
[00:32:40] Yeah.
[00:32:41] It could be – but our goal with this video was really to try to help people try to see the heritage of where 171 came from and how you could possibly use that to enhance and better interpret 171 as you're going through CMMC.
[00:32:57] But I thank you so much for taking time.
[00:32:59] Karen, would you just share perhaps, you know, any additional insights you have and how other people can connect to you?
[00:33:06] Sure.
[00:33:06] So you can connect with me on LinkedIn.
[00:33:08] My company website is archstonesecurity.com.
[00:33:11] And if you have interest in NIST, I've created a video series called NIST Control Freak where I'm going to discuss all things related to NIST.
[00:33:19] But I'm focusing a lot on the NIST 853 series.
[00:33:23] So if you want to know more about a specific control, I'm going to be covering each of them in that video series.
[00:33:28] So if you're trying to implement this, I'm always happy to answer any of your questions.
[00:33:33] Even if it's just a LinkedIn request, I'm happy to help.
[00:33:36] If you're stuck on a question, you need an interpretation, I'm always happy to help.
[00:33:40] So if you're a vendor perhaps and you're listening to this and considering stepping into this space, Karen's a great resource to tap on the shoulder to have some additional insight.
[00:33:47] These waters can be a little choppy.
[00:33:49] So having some additional insight is very helpful.
[00:33:53] So everybody, thank you so much for tuning in and watching this one.
[00:33:56] I have learned so much.
[00:33:58] I hope you have as well.
[00:33:59] And as always for everybody, keep on climbing.
[00:34:03] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:34:09] We hope you guys enjoyed today's episode and listen out for the next one.
[00:34:13] But until then, keep on climbing.