Initial info on the “CMMC changes” we’ve been hearing about is here. I’m glad to reflect on taking the common sense route from the start when advising. “What should we be doing regardless?”

- Scoping
- Understand processing, storing, transmitting
- Address architecture / infrastructure shortcomings
- Address legacy systems where reasonable
- Low-hanging fruit (minimal effort/cost configuration changes)
- Awareness and training
- Multi-factor authentication
- EDR vs. legacy AV
- Network: firewall cleanup, segmentation
- And so on…

Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward