Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system.
Here, we take the next step and cover CIO guidelines for performing your self-assessment.
One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance.
Here, we’re covering the CIO’s guidance for organizations performing self-assessments, specifically how to scope their self-assessments for Level 1 maturity.
Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly managed open-source projects can fundamentally undermine federal security. It also demonstrates how state-sponsored actors can use these projects as a staging ground for more extensive Advanced Persistent Threats.