Jacob Horne’s Post

New podcast is up: NIST policy controls edition. Love them or hate them, policies and procedures are a fundamental part of NIST SP 800-171 revision 2 and 3 and, therefore, CMMC. Most people will buy policy templates, or look to language models for help. How do you know if what you're getting is any good? Luckily, SP 800-53 has outlined what a decent policy should contain for years. This week we dive into the details of NIST's philosophy on the relationship between policies and security controls to extract the helpful bits for CMMC success. Links are in the comments below 👇 Like ❤️ and subscribe 🔔

Take a look at this conversation I was lucky enough to have with Bobby Guerra. Lots of information in this one about MSPs and consultants in the CMMC space. Hard truths! We thoroughly cover all of the pitfalls and important considerations when tackling 800-171 compliance and selecting help. This conversation was sparked by a recent post of mine related to CMMC “pop-ups”. We cover a thorough list of important considerations to make sure you don’t get taken advantage of and stay on course during your journey towards that perfect 110! #cmmc #complliance #DIB #ccp #cca #msp #mssp The link is in the comments.

What a great conversation to observe! Thanks to Bobby Guerra and Koren Wise for their informative discussion about the CMMC ecosystem. Their insights as experienced professionals are invaluable. I highly recommend watching the one-hour video posted in the comments of Koren's post below. #CMMC #DIB #Compliance #MSP #MSSP

🗣 Episode 8 featuring Koren Wise drops tomorrow the 11th! I loved having Koren on the podcast to discuss many different topics about the CMMC community. We discuss gap assessments, JSVAs, the flow of CUI, MSPs and the education required to work in the CMMC space, and much more. I threw a lot of hard-hitting questions and I appreciated all of Koren's honesty and insight. 👀 Check out the sneak peek video below! Topics: 🔶 Conducting thorough gap assessments and understanding the flow of Controlled Unclassified Information (CUI) are essential steps in achieving compliance. 🔶 Accurate scoping, network diagrams, and the right skill sets are necessary for implementing the NIST 800-171 framework. 🔶 Engaging with experienced and knowledgeable MSPs is crucial for successful CMMC compliance. 🔶 Assessing the MSP's approach to compliance and their use of tools is essential to mitigate risks. 🔶 MSPs can play a vital role in securing the nation's data and should embrace the CMMC journey.

Not that my 2-cent-add is going to create additional fervor, but this is actually quite important and will absolutely impact companies, some more than others... talking to you healthcare, financial institutions, and you too manufacturing, software developer, and universities. BLUF: Imagine CMMC (or CMMC-like) programs for every industry that works in conjunction with the US Federal Government. Big thanks to Jacob Horne and Jason Sproesser for putting this exclusive out there. Keep in mind CUI has been around for a long time, since 2010 EO 13556 (putting aside Obama replaced the CUI MoD from Bush from 2008), but it wasn't until DFARS (for the DoD) where CUI was tied to security controls, specifically 800-171, which is now the underpinning of CMMC for DoD's DIB. Now, many years later, FAR is being updated to enforce CUI security through contract language. One could presume (correctly?) that as a Federal register, they/it (NARA/OIRA) will reference NIST's 800-171, the actual standard for securing CUI - and 800-171 clearly states that it is THE standard, not just for the DoD. You need to digest this completely and what it could mean. It is huge. Watch the video from Jacob Horne and Jason Sproesser. Also, if you're unsure the potential impact to you initially, I suggest you start becoming familiar with the CUI registry ASAP. If you think you're far removed, do double check the section on "Privacy". https://lnkd.in/eK_qJ3iB #itsabouttogetreal

𝗔𝗳𝘁𝗲𝗿 𝗻𝗲𝗮𝗿𝗹𝘆 𝟮 𝘆𝗲𝗮𝗿𝘀 𝘁𝗵𝗲 𝗙𝗔𝗥 𝗖𝗨𝗜 𝗿𝘂𝗹𝗲 𝗶𝘀 𝗺𝗼𝘃𝗶𝗻𝗴 𝗮𝗴𝗮𝗶𝗻. 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗻𝗼𝘁 𝗮 𝗱𝗿𝗶𝗹𝗹. 𝗧𝗵𝗲 𝗯𝗼𝘁𝘁𝗼𝗺 𝗹𝗶𝗻𝗲: the FAR CUI rule will create a contract clause requiring ALL federal contactors to protect CUI by implementing NIST SP 800-171. This week on the podcast we cover everything we know about the upcoming rule and speculate about some big questions that weren't an issue back in 2016: - Why has the FAR CUI rule been MIA since 2016? - Will the FAR CUI rule specify a revision of SP 800-171? - Will other agencies accept self-attested compliance even though it's proven to be an abject failure? - Where is Kate Middleton? Show links are in the comments below. Premieres at 11am EST.

How to implement the ISO 27001 framework for organizations to attain comprehensive security rather than solely obtaining a certification? In my recent interview in the #SaaSTrana #Podcast with Venkatesh (Venky) Sundar (Founder, Indusface), we discussed:   - About Sprinto - What exactly is ISO 27001 compliance/certification?  - Who should consider getting an ISO 27001 certification?  - Similarities & differences between SOC2 and ISO 27001  - How long does it take to get the compliance/certificate?  - At what stage should companies start thinking of security compliance  - Practices to follow to reduce the time taken to achieve compliance  - Importance of VAPT in ISO 27001  - Which compliances/certifications do SaaS companies need to grow their business? Listen to the full podcast now! Link in comments. #iso #iso27001 #soc2 #compliance #applicationsecurity #appsec #saas

Here’s what I’m intrigued by in 2024 #SupplyChain #SupplyChainManagement #SupplyChainPodcast @SCMR

Here's Clause 7.5 of ISO 27008, Sampling techniques. It's always a challenge to know how much to look at and how big a sample to take. I hope this helps! If you have any specific topics related to your ISMS that you'd like to hear about in these podcasts, let us know...thanks! Click here to try Conformance1's free online ISO 27001 Gap Checklist: https://lnkd.in/gP57EWzD #ISO27001 #ISMSauditing

🎙 The eighth episode of "Security Thought Leadership: in conversation with Martin Gill" is now LIVE! 🚀 Join us for a interesting discussion with industry thought leader, Paul Ekblom 🔗 Listen to the episode now at https://lnkd.in/gC_GPK9Z or find links to your preferred platforms here > https://lnkd.in/gWZUkn4B Professor Paul Ekblom is a leading authority on crime and its prevention. He has committed his career to developing frameworks and toolkits that can be used to guide the work of security practitioners, which as you will hear, are located on a free to use website. He was formerly Professor of Design Against Crime at the University of the Arts London (UAL) where he is now Professor Emeritus. In this podcast you will hear Paul talk about the ways in which academic research, based on a scientific approach – ‘Crime Science’ - can help security practitioners. Specific frameworks and toolkits designed for this purpose are discussed. For example, if you are still referring to the ‘4Ds’ you are way out of date, Paul argues there are 11Ds (and growing). You may not look at risk assessment, system specification and design in the same way again. At the end Paul addresses the three questions we ask all our guests:  1. Which person has most influenced you? 2. Which book has most influenced you? 3. What is the priority issue the security sector needs to focus on to change for the better? #SecurityThoughtLeadership #securityinconversation