Matt Carson on Lessons Learned from a DIBCAC assessment.
Charles River Analytics first had an on-prem solution; after a self-assessment they decided to go to a cloud solution.
They had large holes in their policies and procedures.
Know your FIPS settings. DIBCAC wanted to FIPS all the things if it had a FIPS mode... I disagree with that conclusion, but you gotta do what they say you gotta do.
You need to know the ins and outs of your system to defend your implementations. DIBCAC comes in with specific biases. They had some devices too old to support MFA. Worked with DIBCAC and created a VLAN so those machines sit behind the box with MFA.
Nobody is told why they make the DIBCAC list. Plan on a week of shutting down and doing nothing but the assessment.