
Understanding 171r3 w/ Dr. Ron Ross 

Summit 7

Published: 24 Aug 2024

Comments: 20

@vincentscott8034 (2 months ago)
Thanks for all the great content, guys. Greatly appreciate what you do for the community.
@MilesGrey-gx7fl (3 months ago)
Keep in mind, the CUI example is just one of many. If you work in the weeds and actually have to make this stuff work, you will soon realize some controls are pretty much impossible. After spending hundreds of thousands of dollars on many different consultants to get our business compliant, none actually added extra security to our infrastructure. They left us with all the heavy lifting and no real path to the finish line. We filled out endless questionnaires so they could deliver a bunch of template-driven documents. Many consultants just did a lot of wordsmithing to show compliance. Last time I checked, our adversaries are not going to run away when they see great wordsmithing. Such a waste of time and money attempting to bring us into compliance. We can always do better at our security, but spending a disproportionate amount of money on some of these controls is not going to deter our adversaries.
@Summit7 (3 months ago)
Sounds like you had bad experiences with subpar consultants, sorry to hear that. You keep saying we've never actually managed an environment or implemented controls. That's actually our entire business model. For more on the security value of the NIST requirements, check these out: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Njz4Q_ghU14.html and ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-LFfbDpZRM_M.html
@MilesGrey-gx7fl (3 months ago)
@Summit7 I am a huge proponent of cyber security. You are an MSP or MSSP. You would have to spend at least three months full time in our business to even begin to understand our business processes, to have any meaningful effect, or to even attempt to reshape the culture needed for CMMC. We have very complex processes which are changing continuously due to DOD contracts flowing in. My IT staff ran circles around every consultant, and we have used many. They were from the main players, and I won't name them to save embarrassment. We had to fix oversights and educate consultants. Too much money spent on too many consultants, and not interested in doing it again. My IT staff has either a CCP or CCA just for thoroughness. The CMMC training and testing was not particularly challenging or useful, but it checks a box which the Cyber AB seems to think is so important. My objective is not to insult, but to plant the seed that this approach is painful and ineffective. We must focus on real cyber security and not on programs which seem to support endless billable hours for cyber vendors and consultants at the expense of DOD contractors and national security. I do appreciate your thoughts and openness. Thank you.
@jawillia256 (2 months ago)
@MilesGrey-gx7fl What part of 800-171 is not "real cyber security"?
@MilesGrey-gx7fl (3 months ago)
I hate to say this, but the more I listen to all of you, the more I realize you have never actually managed an IT infrastructure in a company that produces military hardware. These are very rapidly changing environments which do not fit your discussion. You need to get out and actually do some of this work before acting like this is all reasonable. Shame on you for promoting this vendor-driven business.
@BradShannon (3 months ago)
Hopefully you submitted your comments to NIST!
@anthonybarnhart4910 (3 months ago)
No reason to be in the business then, if it's too hard to figure out. You're either willing to comply with the requirements so you can capture the revenue, or you aren't because you feel it's unprofitable compared to the effort necessary to fulfill them. But either way, none of the TPRM programs from any large, well-established client are. They're all onerous, time consuming, anxiety inducing, and expensive. Ask me how I know this from personal experience.
@Summit7 (3 months ago)
Is there something specific about the CUI series that you find unreasonable? It's hard to address your comment when it's so general.
@MilesGrey-gx7fl (3 months ago)
@Summit7 Yes, there are many, but begin with identifying and controlling the flow of CUI. There is no useful guidance as to what CUI is. Not from training, not from consultants, not from the Cyber AB, and not from the government. Nothing is properly marked by the customer, and pushing it back just annoys them. Without useful guidance, we cannot guess. We have anywhere from millions of documents to a few thousand depending on how we guess. And some form of CUI or sensitive information is everywhere: endpoints, manufacturing equipment, file servers, databases, cloud servers (supposedly FedRAMP is not necessarily CMMC compliant), test equipment, ERP, MES, PLM, you name it. Most systems are not isolated, as they need to pull data from other systems and even call home for dynamic calibration data. How are you going to show a flow diagram when no one can agree on what is CUI, CTI, ITAR, EAR, etc.?
@MilesGrey-gx7fl (3 months ago)
@anthonybarnhart4910 That is the same song and dance most vendors and Cyber AB promoters say. There are serious defenses against intrusions and compromises which can be done more efficiently than 171 controls or Cyber AB requirements. We will lose against China, North Korea, Iran, and Russia by bankrupting ourselves. My prediction is this can will continue to be kicked down the road unless more common sense prevails, POA&Ms are accepted, or the vendor influence is removed.