Brett Osborne’s Post


Sr CyberSec-CyberGRC Advisor|vCISO|CMMC|[@RPM3Solutions]| & SP800-171| Advisor-Assessor-Instructor-Speaker|@Aperitisoft compliance design|Multi Frameworks NIST ISO CIS

Ask the CCP: SCOPE AND BOUNDARIES-CLOUD & MSSP

So, I am counting the days until (around) October 28th:
• 56 is the approximate number of work days . . .
. . . that sometime in late October: CMMC version 2 will (might) become effective.

THIS JUST IN - the CyberAB projected that the effectiveness of CMMC version 2 might not occur until maybe March of 2025. I posted a 1-off in yesterday’s installment (T.A.R.D.I.S).

1. TO LEAD with yesterday’s topic, which is boundaries, I will preface today’s discussion, which is noted above, with commentary about how to represent your boundaries. Historically there’s always been a balance in security diagrams that the IT staff seems to not always grasp. Meaning that I have seen some truly awful data flow diagrams and boundary diagrams as an assessor for the last couple of decades. And already out there we go

So my prescription for all the OSCs is to get your CMMC certification boundary and assessment boundary well defined early. The certification boundary coincides with your list of CMMC assets against other types of assets. Likewise, your CMMC assessment boundary shows what is going to be assessed. There are demonstrative diagrams available as examples. As I am quite adept at creating these, DM me if you need assistance with creating Data Flow Diagrams as well as Boundary Diagrams and Assessment Diagrams. These are critical to get correct for your CMMC evaluation.

2. This installment goes deeper into addressing cloud tenants and Managed IT/Security Services (MSSP). It is stated in the CMMC V2 rule that Cloud Service Providers (CSP) are not part of the CMMC boundary – only the Organization Seeking Certification (OSC) tenant is to be a CMMC Asset. However, MSSPs hosting IT and Security Assets for the OSC are within the CMMC Boundary and Scope. This is based on no separation between the organizations, meaning that CMMC assumes the MSSP has insight into the OSC’s information. Therefore MSSPs must be concurrently certified to the same as the OSC they are supporting. However, DoD is not yet permitting MSSPs to enter the CMMC Certification processes.

Advice to MSSPs is therefore: be prepared for complete CMMC compliance immediately.

#CMMCv2 #boundary #assessment #dfd

I Prepare and Evaluate Organizational Readiness for CMMCv2. So if you have any questions. . . .

Since I am both CCP and Certified Instructor, I am a CUI expert. Or at least I know where to find the specifications and details 🤔

Tap Me/DM here on LinkedIn or email
