First Draft of our Certified Assessor Objectives

In my last post I discussed our strategies of leaving behind a world of NDA's into working openly in our efforts as a Licensed CMMC-AB Publishing Partner.

We all have the same goal: Keep America's data safe. Every assessor will complete the same certification exam. So doesn't working together make the most sense?

So we promised to adopt open Practices and openly license our Certified Professional and Certified Assessor objectives.

While we will conduct a rigorous content validity study we welcome feedback on these drafts. Just drop a comment or an email.

We have also given our objectives a CC-BY-SA license so you can feel free to use them in any cybersecurity course or training. Just make sure to give us credit and give any deritiave work the same license

Overview and Intro

Define FCI

Define CUI

Compare FCI and CUI

Explain importance of protecting FCI and CUI

Describe controls to protect FCI

Assessment Methodologies

Define four phases of assessment methodology

Identify conditions necessary for assessment

Compare remediation approaches

Evaluate an assessment plan

Write an evaluation plan

Identification and Authentication

Define discretionary, mandatory, attribute, and role based access control

Evaluate access control policies

Compare access control strategies

Evaluate threats to multifactor authentication, two-factor vs. three-factor authentication

Construct token based solution to authentication

Develop a trust path to support internetwork authentication and authorization

Manage authorization, proofing, provisioning, and maintenance across user life cycle

Media Production

Describe strategies to sanitize media of Federal Contract Information

Physical Protection

Role-play visitor access scenario

Compare audit logs to reveal physical threat access

Evaluate plans to limit physical access

Appraise visitor device access policies

System and Communication

Define and compare external and internal boundaries

Develop a plan to monitor, control, and protect organizational communications

Identify components of a subnetwork to release publicly available information

Describe the threats and protections caused by gateways, routers, firewalls, guards,

Complete network-based malicious code analysis

Utilize virtualization systems for threat analysis

Evaluate strategies to physically or logically separate data and assets

System and Information Integrity

Identify flaws in information integrity during role play scenarios

Develop a patch management plan for fictional system

Define zero-day vulnerability

Utilize code and vulnerability scans to identify threats