Profile

Drew Scheifele

My Content

Posted By Drew Scheifele 07-05-2022 09:27:00 AM
Found In Egroup: Cybersecurity
Hi Demarius, Contra Costa County in California developed a set of questions to align with each of the NIST CSF subcontrols that may be helpful for your project. Their spreadsheet, local contact and open source language are available here: https://ehsd.org/smsa/ Best, Drew -- Andrew Scheifele, PhD CEO ...
Posted By Drew Scheifele 06-30-2022 03:45:00 PM
Found In Egroup: Cybersecurity
If you want to build support for restricting USB storage of regulated data, this article may help (or at least be fun reading for the long weekend). Either way, remind your vendors not to go out drinking with 460,000 PII records on a USB drive. https://www.nytimes.com/2022/06/28/world/asia/usb-jap ...
Posted By Drew Scheifele 05-11-2022 02:47:59 PM
Found In Egroup: HECVAT Users
Hi all, We just took a quick look at ~150 recent HECVAT submissions through . The mean time between EDU launching the survey and vendor acknowledgement of survey was 21 days with a median time of 9 days. Throwing out the significant outliers the average time drops to 14 days (median 8 days). So bottom ...
Posted By Drew Scheifele 04-06-2022 12:26:00 PM
Found In Egroup: Cybersecurity and Privacy Governance, Risk, and Compliance
Hi Mike, You may want to start with the CMMC level 2 (CUI) scoping guide. Released Dec 2021. https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211202_508.pdf Best regards, Drew -- Andrew Scheifele, PhD CEO & Co-Founder | SaltyCloud PBC CMMC Registered Practitioner Techstars ASAP '20 +1 ...
Posted By Drew Scheifele 03-21-2022 11:02:00 AM
Found In Egroup: NIST 800-171 Compliance
Hi Kevin, You are correct. A CMMC certified third party assessment organization (C3PAO) cannot provide both pre-audit getting ready type services and then do the actual 3rd party assessment for the same client. Firms can offer both types of services, but for any given client they must choose to provide ...