Policy templates and tools for CMMC and 800-171

This page has links to and reviews of available templates and tools relating to the CMMC and NIST SP 800-171. **Updated February 10, 2021.** Please help others in the community by leaving a comment with resource links! Warning – Assessment / Compliance platforms: I want to warn everyone to be extremely cautious about any vendor that Read More

CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company. You've heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to Read More

CMMC Capabilities Discussion Home

This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: The goal is to help you understand how the Read More

CMMC News Rollup October 6, 2020

Hello folks, This week's update is pretty short. The DFARS Interim Rule is still the biggest news. Other topics are the new DoD CUI website, which has great resources for contractors, and word-of-mouth updates on the CMMC-AB's Registered Practitioner and C3PAO programs. -Amira Armond, CMMC Registered Practitioner. Per CMMC-AB support email: Everyone who completed Read More

DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC

If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule: Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) which goes into effect on November 30th, 2020. This publication is 89 pages long Read More

CMMC News Roundup September 28 2020

Hello all, Big news these last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then (I think?) it got approved on an interim basis, to go into effect around November 27, 2020. DFARS Interim Rule Added – enforces assessments. Federal Register Publication Read More

Review of CMMC Registered Practitioner Training

I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience. Thanks to James Newman (a colleague of mine, fellow CISSP, and security evangelist) who was pre-registered and helped me get up to speed. Read More

CMMC News Roundup September 9 2020

Hello folks, Here's the latest CMMC news and articles you should check out! CMMC FAQ for Organizations Seeking Certification: This easy FAQ article discusses frequently asked questions about implementing CMMC security, things like "Can my employees use their home computers to work on CUI?" Incident Handling tips from CISA: https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf The Cybersecurity and Infrastructure Security Read More

CMMC News Rollup – August 26, 2020

DFARS rule update for CMMC: The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors. The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC's Level 1-5 approach. If and when Read More

When is a conformity assessment not a conformity assessment? (hint – it is CMMC)

Author: Tom Cornelius | Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF). Originally published on LinkedIn on August 13, 2020. This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended to use a risk-based approach to determine a confidence point (e.g., materiality threshold) instead of Read More

CMMC Glossary, Terms, and Definitions. Who’s who in CMMC

As the CMMC ecosystem grows, it is starting to get hard to track all the key players and concepts. This page is meant as an easy-to-understand "who's who" and "what's what" for the CMMC. This CMMC glossary of terms is ordered so that each term builds on the previous terms. If you are Read More

CMMC “allowable cost” discussion and thoughts

*Updated August 13, 2020* Is CMMC cybersecurity an "allowable cost" for DoD contractors? "The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an 'allowable cost' in DoD contracts." "The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive." Read More

What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references "FCI". What is this abbreviation? FCI in CMMC stands for "Federal Contract Information". FCI is "information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." FCI does not Read More

CMMC Provisional Auditor program opt-ins

On August 9th, 2020, the CMMC Accreditation Body sent this email to me (and presumably to others who registered as a CMMC certified assessor). To opt in, you must attest that you meet one of the experience requirements: 10+ years of experience conducting evidence-based assessments in cyber or another information technology field, or 20+ years of experience as a "consultant or proven leader" Read More

CMMC Rollout Status – Taking stock (July 31, 2020)

Editor's note: This article gives a timely update on the laws and processes governing CMMC enforcement. To this point, there has not been an official requirement for CMMC in the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS). However, as this article describes, the process has been started to change the regulations. Author: Read More

CMMC news round-up July 30, 2020

Here are the CMMC news topics this week: Registrations open for CMMC auditors, C3PAOs, and "registered" practitioners / organizations. Registration has been open for a month and a week. Links and information about registration can be found at this CMMCaudit blog post, "CMMC AB opens registration for C3PAOs and Assessors". I submitted applications for C3PAO and Read More

A Practitioner’s Thoughts On CMMC

Editor's comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don't have prior experience with these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which Read More

CMMC news: CMMC AB opens registration for C3PAOs and Assessors

Hello all, The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a 'registered practitioner' or a 'registered provider organization' (these can be team members but cannot lead audits). You can Read More

CMMC News – Auditor Training Update – May 22, 2020

These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB, I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details. This webinar was released May 21, 2020 on the Read More

CMMC News – May 21 2020

The CMMC Accreditation Body (CMMC AB) has started to publish their progress via webinars on the cmmcab.org website. Here are my notes from the webinar I watched on 5/21/2020, published at https://www.cmmcab.org and archived on YouTube here. Ty Schieber is the Chair of the CMMC Accreditation Body. He presented the current status of the AB.  Read More

CMMC PS.2.127 Personnel Screening and US Citizen discussion

CMMC version 1.0 has the following security requirement. CMMC Personnel Security (PS), PS.2.127 (Level 2): "Screen individuals prior to authorizing access to organizational systems containing CUI." This is a Level 2 requirement; the Personnel Security domain has no Level 3, 4, or 5 requirements in this version of the CMMC. Disclaimer: This article is an opinion. Use Read More

CMMC Version 1.0 Released – Analysis for DoD contractors

As promised, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 was released to the public on January 31, 2020. The document should be stable at this point. Cybersecurity leads for defense contractors need to read through it as soon as possible and begin closing the gaps in their organization's cyber-security practices. Links to CMMC v1.0 Read More

Remote Management & Access Tools for 800-171 and CMMC

A question came up today from a client that has a large remote workforce. “How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?” For example, can we use remote access tools like LogMeIn or Chrome Remote Desktop, which allow always-on connections to the desktop? The following is my Read More