by gnarlynarwhal42
85 days ago
Are you referring to SC.L2-3.13.6? The intent of this control is absolutely not to require a whitelist of individual websites. This control is meant to apply to ports and protocols, aka tighten up and document your firewall rules. If you are referring to SI.L2-3.14.7, you also do not need to whitelist websites. A pDNS service helps here but is not required. There are free options available, one of which is offered to small businesses in the DIB through the NSA's CCC program. This also gets you vulnerability scanning and some other stuff, all free. Let me know if you have any questions. CMMC isn't a cakewalk but it needs to be done right if you don't want to fail your $40k C3PAO assessment :)

I am unfortunately now ignorant in this area. Without going into detail, I was partly involved with IT but no longer after a restructuring and "staff reduction." IT duties were fully transferred to the CMMC vendor. The vendor is either ignorant or lying, as they may be a reseller or getting kickbacks for the whitelist. Frustrating, but I am now powerless.