by MisterTea
87 days ago
In the process of becoming CMMC compliant. Contractor is supposedly "the best in the industry and well respected" but is clearly ignorant of anything beyond the most basic MS AD setup paired with Cisco gear. My favorite part is that the security policies CMMC requires are bonkers, like IT needing to evaluate and whitelist individual websites. So if a worker is doing research and needs to visit dozens of websites, you have to do a security audit of each site and whitelist each one. -OR- you can pay a monthly fee to some rent-seeking middleman who maintains a vetted whitelist. All these policies do is invent new ways for people to grift companies.
The intent of this control is absolutely not to require a whitelist of individual websites.
This control is meant to apply to ports and protocols, i.e., tighten up and document your firewall rules.
If you are referring to SI.L2-3.14.7, you also do not need to whitelist websites. A pDNS service helps here but is not required. There are free options available, one of which is offered to small businesses in the DIB through the NSA's CCC program. This also gets you vulnerability scanning and some other stuff, all free.
Let me know if you have any questions. CMMC isn't a cakewalk, but it needs to be done right if you don't want to fail your $40k C3PAO assessment :)