The latest information about how to become a CMMC auditor or certifier. Registrations are open for assessors, C3PAOs, and CMMC practitioners…
Author: Amira Armond
Amira is the founder of Kieri Solutions LLC, a cybersecurity consulting company in Maryland USA.
Connect with Amira on LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/
- - -
Connect with Amira on LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/
- - -
Policy templates and tools for CMMC and 800-171
This page has links and reviews of available templates and tools relating to the CMMC and NIST SP 800-171 **Updated April 3, 2024** Please help others in the community by leaving a comment with resource links! Policies Templates SANS Institute – Security Policies https://www.sans.org/information-security-policy/ SANS Institute provides a set of best practices security policies in Read More
C3PAO Shopping Guide
The National Defense Information Sharing & Analysis Center (ND-ISAC) is pleased to announce the release of a “C3PAO Shopping Guide for Small & Medium-Sized Businesses.” The guide was created through a team effort among participants in ND-ISAC’s Small & Medium-Sized Business Working Group in consultation with other SMBs across the Defense Industrial Base (DIB), along with Read More
CMMC JSVA program – what you need to know
Some tidbits about CMMC’s Joint Surveillance Voluntary Assessment (JSVA) program that you might not know: JSVA program is intended to train C3PAOs and CMMC Assessors 1) The DoD is essentially using the JSVA program to train and vet our private sector assessment teams over-the-shoulder with the DoD’s cybersecurity assessment teams. This lets us learn from Read More
When do you need a new assessment? What can change?
Information systems are constantly changing. Especially if they are functional, production systems, supporting real use. Workstations and servers break. Technology becomes obsolete. New solutions are implemented in response to changing functional requirements. One thing we don’t know, in the CMMC world, is how much change is too much change. What is the maximum amount of Read More
What is “Certified” as the result of assessment??
What exactly is “certified” when you go through a CMMC or Joint Surveillance assessment, or when you self-assess your environment and report it to the DoD? What does it mean when you want to bid on contracts using this certification? Disclaimer: I’m not a lawyer. This is not legal advice. I don’t have special insight Read More
CISA Proposed Rule – Mandatory Reporting of Cyber Incidents
CISA releases proposed rule for mandatory reporting of cyber incidents by Critical Infrastructure and State, Local, Territorial Governments. To my understanding, this will affect all DoD contractors with DFARS 252.204-7012 in their contracts, as well as most Federal Contractors. For example, despite small businesses being given an exclusion, any business that “Owns or operates critical Read More
CMMC assessment? Don’t let pride take you down
Getting CMMC assessed? Some advice.. Listen to your assessor If we say that your evidence isn’t related to the requirement being inspected, or especially the critical words “I think you have misinterpreted this requirement”, instead of getting mad, take a long pause and go ask a knowledgeable consultant to review your situation. Most interpretation problems Read More
CMMC, CUI, and Cloud Vendors – do you need FedRAMP?
Achieving Cloud Compliance in the Age of CMMC, CUI, and DFARS 7012: How secure are your cloud vendors?
CMMC Compliance FAQs – Organizations seeking certification
This article is provided by Kieri Solutions, an Authorized CMMC Third Party Assessment Organization, offering CMMC assessment services. Thanks to them for sharing some of the secret sauce! This article is meant to provide short explanations on topics that are commonly misunderstood (and not performed correctly) by defense contractors. It will be updated over time. Read More
CMMC Level 1 certification and preparation (how-to)
If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to Read More
CMMC Capabilities Discussion Home
This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: The goal is to help you understand how the Read More
CMMC News Rollup October 6, 2020
Hello folks, This is week’s update is pretty short. The DFARS Interim Rule is still the biggest news. Other topics are the new DoD CUI website which has great resources for contractors, and word-of-mouth updates on the CMMC-AB’s registered practitioner and C3PAO programs. -Amira Armond CMMC Registered Practitioner Per CMMC-AB support email: Everyone who completed Read More
DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC
If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Rules Supplement (DFARS) which goes into effect on November 30th, 2020. This publication is 89 pages long Read More
CMMC News Roundup September 28 2020
Hello all, Big news this last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then (I think?) it got approved on an interim basis, to go into effect around November 27, 2020. DFARS Interim Rule Added – enforces assessments Federal Register Publication Read More
Review of CMMC Registered Practitioner Training
This is a historical post from September 2020. Information on Registered Practitioners may have changed since then. You have been warned. I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience. Thanks to Read More
CMMC News Roundup September 9 2020
Hello folks, Here’s the latest CMMC news and articles you should check out! CMMC FAQ for Organizations Seeking Certification This easy FAQ article discusses frequently asked questions about implementing CMMC security. Things like “Can my employees use their home computers to work on CUI?” Incident Handling tips from CISA https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf The Cybersecurity and Infrastructure Security Read More
CMMC News Rollup – August 26, 2020
DFARS rule update for CMMC The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors. The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC’s Level 1-5 approach. If and when Read More
When is a conformity assessment not a conformity assessment? (hint – it is CMMC)
Author: Tom Cornelius| Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF) Originally published on LinkedIn on August 13, 2020 This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended to use a risk-based approach to determine a confidence point (e.g., materiality threshold) instead of Read More
CMMC Glossary, Terms, and Definitions. Who’s who in CMMC
As the CMMC ecosystem grows, it is starting to get hard to track all the key players and concepts. This page is meant as an easy to understand “who’s who” and “what’s what” for the CMMC. This CMMC glossary of terms is ordered so that each term builds on the previous terms. If you are Read More
CMMC “allowable cost” discussion and thoughts
*Updated August 13, 2020* CMMC cybersecurity is an “allowable cost” for DoD contractors? “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.” “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. Read More
What is FCI in CMMC and how does it affect scope?
The Cybersecurity Maturity Model Certification references “FCI”. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not Read More
CMMC Provisional Auditor program opt-ins
On August 9th 2020, the CMMC Accreditation Body sent this email to me (and presumably others who registered for CMMC certified assessor). To opt-in, you must attest that you meet experience requirements 10+ years experience conducting evidence-based assessments in cyber or other information technology field. or 20+ years experience as a “consultant or proven leader” Read More
CMMC Rollout Status – Taking stock (July 31, 2020)
Editor’s note: This article gives a timely update on the laws and processes governing CMMC enforcement. To this point, there has not been official requirement for CMMC in the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS). However, as this article describes, the process has been started to change the regulations. Author: Read More
CMMC news round-up July 30, 2020
Here are the CMMC news topics this week: Registrations open for CMMC auditors, C3PAOs, and “registered” practitioners / organizations Registration has been open for a month and a week. Links and information about registration can be found at this CMMCaudit blog “CMMC AB opens registration for C3PAOs and Assessors“. I submitted applications for C3PAO and Read More
A Practitioner’s Thoughts On CMMC
Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience on these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which Read More
CMMC news: CMMC AB opens registration for C3PAOs and Assessors
Hello all, The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a ‘registered practitioner’ or a ‘registered provider organization’ (these can be team members but not lead audits). You can Read More
CMMC News – Auditor Training Update – May 22, 2020
These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB, I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details. This webinar was released May 21, 2020 on the Read More
CMMC News – May 21 2020
The CMMC Accreditation Body (CMMC AB) has started to publish their progress via webinars on the cmmcab.org website. Here are my notes from the webinar I watched on 5/21/2020, published at https://www.cmmcab.org and archived on YouTube here. Ty Schieber is the Chair of the CMMC Accreditation Body. He presented the current status of the AB. Read More
CMMC PS.2.127 Personnel Screening and US Citizen discussion
The CMMC version 1.0 has the following security requirement. CMMC Personnel Security (PS) PS.2.127 (Level 2) “Screen individuals prior to authorizing access to organizational systems containing CUI.” This is a Level 2 requirement. There are no level 3, 4, or 5 requirements in this version of the CMMC. Disclaimer: This article is an opinion. Use Read More