First Draft of our Certified Assessor Objectives
Updated: Sep 22, 2020
In my last post I discussed our strategy of leaving behind a world of NDAs and working openly in our efforts as a Licensed CMMC-AB Publishing Partner.
We all have the same goal: Keep America's data safe. Every assessor will complete the same certification exam. So doesn't working together make the most sense?
So we promised to adopt open practices and openly license our Certified Professional and Certified Assessor objectives.
While we will conduct a rigorous content validity study, we welcome feedback on these drafts. Just drop a comment or an email.
We have also given our objectives a CC-BY-SA license, so feel free to use them in any cybersecurity course or training. Just make sure to give us credit and give any derivative work the same license.
Overview and Intro
Define FCI
Define CUI
Compare FCI and CUI
Explain importance of protecting FCI and CUI
Describe controls to protect FCI
Assessment Methodologies
Define four phases of assessment methodology
Identify conditions necessary for assessment
Compare remediation approaches
Evaluate an assessment plan
Write an evaluation plan
Identification and Authentication
Define discretionary, mandatory, attribute-based, and role-based access control
Evaluate access control policies
Compare access control strategies
Evaluate threats to multifactor authentication (two-factor vs. three-factor authentication)
Construct a token-based authentication solution
Develop a trust path to support internetwork authentication and authorization
Manage authorization, proofing, provisioning, and maintenance across user life cycle
Media Protection
Describe strategies to sanitize media of Federal Contract Information
Physical Protection
Role-play visitor access scenario
Compare audit logs to reveal physical threat access
Evaluate plans to limit physical access
Appraise visitor device access policies
System and Communication
Define and compare external and internal boundaries
Develop a plan to monitor, control, and protect organizational communications
Identify components of a subnetwork to release publicly available information
Describe the threats and protections caused by gateways, routers, firewalls, guards,
Complete network-based malicious code analysis
Utilize virtualization systems for threat analysis
Evaluate strategies to physically or logically separate data and assets
System and Information Integrity
Identify flaws in information integrity during role play scenarios
Develop a patch management plan for a fictional system
Define zero-day vulnerability
Utilize code and vulnerability scans to identify threats