To kind of wrap up here, let's talk about deliverables. So there are some deliverables expected to show compliance with NIST 800-171. It's known as the body of evidence, and it's basically three major items: organizational policies and procedures, a system security plan or SSP, and a plan of action and milestones or POAM. So let's talk about each of those briefly, and we'll drill down into those later in the course. We'll take a look at those in depth.
Policies: pretty straightforward. Direction provided to employees and contractors that is enforceable under US laws and HR direction. And ideally it would be one document that has everything in it. Sometimes that's not practical. Sometimes it's easier to have policies broken up. And the good news is, while it can be difficult to write policies, there's a lot of templates out there. SANS has some great templates. There are places where you can get policies. You don't have to start from scratch, but policies are part of your body of evidence.
Probably the crux of your body of evidence is the SSP, the system security plan. And that's essentially your plan that shows, for each of 110 controls, are you in compliance with it, with artifacts and evidence that show how you comply with it. And then if you're not in compliance with various controls, that's where your POAM, your plan of action and milestones, comes in. Your POAM can be used to say, okay, yes, I'm not in compliance with control X, but here's my plan and my timeline for when I'm going to get compliant. Again, it's plan of action and milestones. You're going to develop and implement plans of action for how you're going to be in compliance with the control, eliminate any vulnerabilities that are tied to that control, and address delays in meeting requirements. And each item in your POAM should have an expected completion date as well as interim milestones. The objective here is, the government understands you may not necessarily be in compliance with all of these things.
But you have to show a plan for how you're going to get there. And the more detailed the plan, the more specific the plan, the more reasonable the timelines, the less trouble you're going to have with your contracting officer and/or an audit under CMMC.
Let's talk a little about system scoping. The idea of system scoping is, can you isolate CUI? Rather than having CUI spread across systems throughout an entire enterprise, can I limit it to certain systems and then only have to apply these controls to those systems? As I mentioned before, I think you'd be much better off if your entire organization is in compliance with this 800-171. But you can focus on using things like VLANs, access control to limit the scope of CUI in your organization and potentially reduce the footprint of systems that need to be compliant with 800-171, which could greatly reduce your costs and substantially reduce the amount of time it takes to get in compliance, meeting control requirements.
So we're down to the very end here. How do I get in compliance with this 800-171? Well, it can be pretty challenging. It can take a lot of time, especially if you've never done anything like this before and you have to start by writing policies and so forth. As it says here, the best response for any given control is people, process and technology. Those are the three things you're typically going to need, or some aspect of each perhaps, to be in compliance with the given control. Some security controls may not be applicable, and it's okay to say that. Now, you may get called out on it; you may need to explain why. But again, using alternatives or saying "this doesn't apply to us, and here's why" is one way to potentially eliminate the number of controls you have to comply with. Remember, build off what you're currently doing. You don't have to start from scratch. Look for the alternative ways to meet requirements.
If it's going to cost a lot or take a lot of time to meet a specific requirement, restrict access to CUI to the individuals who completed security and awareness training, because they'll have a better grasp on how to keep it secure. And remember your body of evidence: your system security plan, your plan of action, your policies. This information itself is sensitive because it gives bad guys insight into your environment. As you start to compile this information, you need to make sure that you're protecting that.
And then finally, a few resources. So these are the things you might need to take a look at to cross-reference and really understand where you stand in regards to 800-171. You've got FISMA, you've got DFARS, you've got NIST 800-53, NARA, FIPS 00, FIPS 199 and 32 CFR. All of those are easily found online. I would recommend you start out by downloading the NIST 800-171 R2 document and take a look at it. And with that, we'll wrap up for this particular course, and I will see you in the next course. Thanks.