Risk Management
Active Ambassadors in This Topic
Community Posts
Seeking insights for research universities regarding CMMC 2.0 adoption and compliance. I'm listing our full question set below, but we would welcome insights on any or all of these:
1. What is the anticipated timeline for CMMC 2.0 adoption by the Federal Government? Any insights on the expected rollout and implementation schedule?
2. From a Higher Ed CIO perspective, what are the key operational differences between each "level" in CMMC 2.0? Are there any specific challenges or considerations especially for research universities?
3. For a research university, which CMMC level would be the most suitable target? Are there any key dates or deadlines that Higher Eds and researchers should be aware of in their compliance journey?
4. What are the most crucial features or elements of CMMC that universities need to achieve compliance? Any recommendations or best practices?
5. Specifically, are there any requirements in CMMC for 7/24/365 "eyes on glass" network and/or endpoint monitoring? If there is an endpoint requirement, does it extend to all servers and laptops issued by the university, or is it limited to hosts involved in research grants? What is expected to demonstrate compliance in this regard?
6. Apart from CMMC compliance, are there other considerations or or strategies to consider when seeking to qualify for/reduce cyber risk insurance costs?
I’m in the process of developing and formalizing the Risk Appetite Statement (RAS) for my organization, a public transport operator. Before we bring the draft to the Board, I’d appreciate your views on the best approach for engaging the Senior Leadership Team (SLT): Is 1:1 engagement more effective to gather candid input? Or would a group workshop be better to align perspectives and drive collective ownership? If anyone has experience developing a RAS specifically for a public transport or infrastructure-focused entity, I’d love to hear your lessons learned or key considerations. Appreciate any tips or tools!
1- Very worried33%
2 - Somewhat concerned58%
3 - Low priority7%
4 - Not concerned at all
How is the current geopolitical climate impacting identity security risks in your industry? What’s your approach to assessing potential risks associated with geopolitical instability?
How do you prioritize the organization’s identity security investments amid economic uncertainty? What's the most important focus when resources or budgets are especially constrained?
Yes, please specify37%
No, it's not relevant to our IT strategy44%
No, but we would like to be prepared18%
SaaS compliance audits today are sufficiently thorough.
Strongly Agree5%
Agree63%
Neither Agree nor Disagree19%
Disagree10%
Strongly Disagree