Read the blog: [ Link ]
The great and powerful Dr. Ron Ross returns to walk us through the latest drafts of NIST SP 800-171 and SP 800-171A: what they are, why they are, where they’re going, and what’s in store for federal contractors handling controlled unclassified information (CUI).
Episode Links:
NIST Controls Deep Dive w/ Ron Ross (May 2023): [ Link ]
171r3 (Final Draft) - 7 Things to Know: [ Link ]
800-171r3 Final Draft: [ Link ]
800-171Ar3 Initial Draft: [ Link ]
Protecting CUI Project: [ Link ]
(0:00 – 1:20): Intros
(1:21 – 16:52): A brief history of 800-171
(16:53 – 23:20): “Standards” vs “Guidelines” vs “Tailoring”
(23:21 – 28:13): 800-171 and 172 as government risk tolerance
(28:14 – 29:15): Cost concerns for small business
(29:16 – 32:35): Federal vs nonfederal perspectives
(32:36 – 34:54): Dealing with the adversary
(34:55 – 37:47): 800-171 as security “outcomes”
(37:48 – 41:22): Does 171 require a minimum level of security knowledge?
(41:23 – 47:02): Does 171 require a minimum level of 800-53 knowledge?
(47:03 – 52:41): Converting 171r3 into an 800-53 “overlay”
(52:42 – 57:24): Should people wait on 171r3 to start on 171r2?
(57:25 – 1:01:15): “NFO Controls”: revising assumptions
(1:01:16 – 1:03:53): “ORC Controls”: revising redundancy
(1:03:54 – 1:06:03): Is 171r3 “better” than 171r2?
(1:06:04 – 1:12:43): Thoughts on ODPs
(1:12:44 – 1:18:30): “Periodically” vs “organization defined frequency”
(1:18:31 – 1:22:09): Glimpse the future: 800-171 rev. 4
(1:22:10 – 1:25:18): Timeline for the final 171r3
(1:27:13 – 1:33:51): SP 800-172 and 172A
(1:33:52 – 1:38:43): What has NIST learned so far?
(1:38:44 – 1:41:13): Tailoring: how does NIST decide?
(1:41:14 – 1:50:43): Independent assessments
(1:50:44 – 1:53:23): Only 95 requirements?
(1:53:24 – 1:54:55): High baseline tailoring?
(1:54:56 – 1:56:42): New controls from 800-53r5
(1:56:43 – 2:02:00): ORC category skepticism
(2:02:01 – 2:05:03): Ron’s closing thoughts
#nist #cmmc #dfars #cui #cybersecurity #dod