starfezzy | 10 months ago

Have they given a reason for being hesitant? The whole point of IL4+ is that they handle CUI (and higher). The whole point of services provided for these levels is that they meet the requirements.
subroutine | 10 months ago

The following is required from the company using a provisionally authorized vendor service:
* organization required to perform a Risk Assessment (is this standardized?)
* organization must issue an Authority to Operate (ATO) (example? to whom?) to use it for CUI as the data owner.
* organization must ensure data is encrypted properly both at rest and in transit (is plain text typed into a chat window encrypted at rest?).
* organization must ensure the system is documented in a System Security Plan (SSP) (example?).
* organization must get approval from government sponsor of each project to use CUI with AI tools
I am the one pushing for adoption, but don't have the time or FedRAMP/DISA expertise, and our FSO/CISO would rather we just not.