FedRAMP “Equivalent” Memo released

Must read for anyone with DFARS 252.204-7012 in their contract! FedRAMP equivalent is defined for DFARS 252.204-7012 Summary: FedRAMP Equivalency, as used in DFARS 252.204-7012, means that the cloud provider has been third-party-validated, with a full audit, by a FedRAMP Third Party Assessment Organization, to have implemented every control from the FedRAMP Moderate baseline. How Read More

CMMC Level 2 Self-Assessment Analysis

Our sponsor, Kieri Solutions, has released an in-depth review and analysis of CMMC Level 2 Self-Assessments according to the CMMC Proposed Rule. Not official guidance for CMMC Proposed Rule This paper is for educational purposes and is not authoritative in any way for the CMMC Program. Includes instructions to comment on CMMC Proposed Rule Towards Read More

Webinar – CMMC Proposed Rule Review

Our sponsor, Kieri Solutions, produced this webinar to review the hottest topics of the CMMC Proposed Rule. Thanks to Vincent Scott, Brian Hubbard, Jil Wright, and Amira Armond (all Certified CMMC Assessors and Instructors) for providing insightful review and commentary! 32CFR CMMC Proposed Rule Webinar What are your thoughts? Do you think Certification Assessments will Read More

CMMC Rule links to text (with December 26 content)!

Here are links to the text of the CMMC Proposed Rule: 32 CFR (CMMC Program) Downloadable PDF of Federal Register text (this version has page numbers): https://public-inspection.federalregister.gov/2023-27280.pdf Federal Register home page for CMMC and comments: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program Docket Information (the rule agenda): https://www.regulations.gov/docket/DOD-2023-OS-0063 Public comments posted regarding rule: https://www.regulations.gov/document/DOD-2023-OS-0063-0001 Regulatory Impact Analysis 32 CFR Part 170 Read More

Is GCC-High required to pass CMMC?

Amira Armond (CMMC Instructor, Certified CMMC Assessor, President Kieri Solutions) answers the question “Is GCC-High required to pass a CMMC assessment?” This is actually an explanation of what the FedRAMP program is and is not. This video is meant for educational and entertainment purposes only. These are opinions presented in a purposefully simplified format. Enjoy, Read More

How the secret sauce is made – one practice, one hour

How does a defense contractor create a plan to perform each requirement in CMMC and NIST SP 800-171? Will you fail if you don’t write policy statements which regurgitate each requirement in a ‘shall” form? AKA “๐˜š๐˜ข๐˜ง๐˜ฆ๐˜จ๐˜ถ๐˜ข๐˜ณ๐˜ฅ๐˜ช๐˜ฏ๐˜จ ๐˜ฎ๐˜ฆ๐˜ข๐˜ด๐˜ถ๐˜ณ๐˜ฆ๐˜ด ๐˜ง๐˜ฐ๐˜ณ ๐˜Š๐˜œ๐˜ ๐˜ข๐˜ต ๐˜ข๐˜ญ๐˜ต๐˜ฆ๐˜ณ๐˜ฏ๐˜ข๐˜ต๐˜ช๐˜ท๐˜ฆ ๐˜ธ๐˜ฐ๐˜ณ๐˜ฌ ๐˜ด๐˜ช๐˜ต๐˜ฆ๐˜ด ๐˜ด๐˜ฉ๐˜ข๐˜ญ๐˜ญ ๐˜ฃ๐˜ฆ ๐˜ฆ๐˜ฏ๐˜ง๐˜ฐ๐˜ณ๐˜ค๐˜ฆ๐˜ฅ.” The answer is no. You don’t need to Read More

Joint Surveillance Assessment – what is it like?

This is an interview with Jose Rojas (TTC) and Ozzie Saeed (IntelliGRC) about their experience being assessed by Kieri Solutions, an Authorized C3PAO, as part of the Joint Surveillance Voluntary assessment program. Other than the obvious congratulations to both of them for helping TTC achieve a perfect “110” score on their assessment, we discuss what Read More

CMMC News – October 2023 – the DFARS Rule

Rulemaking Timeline for CMMC DFARS Rule The proposed CMMC Rule has been submitted to the Office of Information and Regulatory Affairs. Several groups (mostly cybersecurity professionals) have met with DoD CIO and OIRA to give recommendations for the rule. Most of them submitted documents with their feedback which can be downloaded from the EO 12866 Read More

What does “monitor” mean in CMMC?

Logan Therrien and Amira Armond from Kieri Solutions (an Authorized C3PAO) discuss the concept of monitoring and how it is evaluated by CMMC assessors. Several assessment objectives in CMMC Level 2 require monitoring. ๐Ÿ” the physical facility where organizational systems reside is monitored;๐Ÿ” the support infrastructure for organizational systems is monitored.๐Ÿ” visitor activity is monitored.๐Ÿ” Read More

Why so few Defense contractors are compliant

๐‡๐จ๐ฐ ๐ฅ๐จ๐ง๐  ๐๐จ๐ž๐ฌ ๐ข๐ญ ๐ญ๐š๐ค๐ž ๐š ๐œ๐จ๐ฆ๐ฉ๐š๐ง๐ฒ ๐ญ๐จ ๐ ๐จ ๐›๐š๐ง๐ค๐ซ๐ฎ๐ฉ๐ญ ๐ข๐ญ ๐ฐ๐ก๐ž๐ง ๐œ๐š๐ง’๐ญ ๐ฐ๐ข๐ง ๐ฐ๐จ๐ซ๐ค? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base. Back in 2017 (six years ago), new and renewing DoD contracts started including Read More

Podcast – increasing the likelihood of passing CMMC assessments

This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status of the roll-out. Check it out! The link below has the full text transcript: Omnistruct: Read More

CMMC Breaking News – July 25, 2023

Today we had two big events in #CMMC and US Federal Contractor Cybersecurity. The Rule for CMMC moved to the Office of Management and Budget. That means a timer has started, 90 days or less, for the review to complete. Expect the text to be published by mid-October. There is still a possibility that it will come Read More

3.13.11 FIPS 140-2 Validated Cryptography

It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. ๐Ÿ˜ฑ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐…๐ˆ๐๐’ 140-2 ๐•๐š๐ฅ๐ข๐๐š๐ญ๐ž๐ ๐Œ๐จ๐๐ฎ๐ฅ๐ž๐ฌ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐Ÿ˜ฑ Listen up – I’m going to tell you how to succeed at this requirement. It might take money, it might take time, but it CAN be Read More

3.5.3 Multifactor Authentication

Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. ๐”๐ฌ๐ž ๐ฆ๐ฎ๐ฅ๐ญ๐ข๐Ÿ๐š๐œ๐ญ๐จ๐ซ ๐š๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐Ÿ๐จ๐ซ ๐ฅ๐จ๐œ๐š๐ฅ ๐š๐ง๐ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ ๐š๐ง๐ ๐Ÿ๐จ๐ซ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ง๐จ๐ง-๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ. My theory is that most of the time when this requirement is failed, it is because the IT department didn’t know Read More

What are Spot Checks for?

๐‚๐Œ๐Œ๐‚ ๐€๐ฌ๐ฌ๐ž๐ฌ๐ฌ๐ฆ๐ž๐ง๐ญ ๐’๐ฉ๐จ๐ญ ๐‚๐ก๐ž๐œ๐ค๐ฌ “๐˜๐˜ง ๐˜ค๐˜ฐ๐˜ฏ๐˜ต๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ฐ๐˜ณ’๐˜ด ๐˜ณ๐˜ช๐˜ด๐˜ฌ-๐˜ฃ๐˜ข๐˜ด๐˜ฆ๐˜ฅ ๐˜ด๐˜ฆ๐˜ค๐˜ถ๐˜ณ๐˜ช๐˜ต๐˜บ ๐˜ฑ๐˜ฐ๐˜ญ๐˜ช๐˜ค๐˜ช๐˜ฆ๐˜ด, ๐˜ฑ๐˜ณ๐˜ฐ๐˜ค๐˜ฆ๐˜ฅ๐˜ถ๐˜ณ๐˜ฆ๐˜ด, ๐˜ข๐˜ฏ๐˜ฅ ๐˜ฑ๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ช๐˜ค๐˜ฆ๐˜ด ๐˜ฅ๐˜ฐ๐˜ค๐˜ถ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฐ๐˜ณ ๐˜ฐ๐˜ต๐˜ฉ๐˜ฆ๐˜ณ ๐˜ง๐˜ช๐˜ฏ๐˜ฅ๐˜ช๐˜ฏ๐˜จ๐˜ด ๐˜ณ๐˜ข๐˜ช๐˜ด๐˜ฆ ๐˜ฒ๐˜ถ๐˜ฆ๐˜ด๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ด ๐˜ข๐˜ฃ๐˜ฐ๐˜ถ๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜ด๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ต๐˜ด, ๐˜ต๐˜ฉ๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ด๐˜ด๐˜ฐ๐˜ณ ๐˜ค๐˜ข๐˜ฏ ๐˜ค๐˜ฐ๐˜ฏ๐˜ฅ๐˜ถ๐˜ค๐˜ต ๐˜ข ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ ๐˜ต๐˜ฐ ๐˜ช๐˜ฅ๐˜ฆ๐˜ฏ๐˜ต๐˜ช๐˜ง๐˜บ ๐˜ณ๐˜ช๐˜ด๐˜ฌ๐˜ด. ๐˜›๐˜ฉ๐˜ฆ ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ(๐˜ด) ๐˜ด๐˜ฉ๐˜ข๐˜ญ๐˜ญ ๐˜ฏ๐˜ฐ๐˜ต ๐˜ฎ๐˜ข๐˜ต๐˜ฆ๐˜ณ๐˜ช๐˜ข๐˜ญ๐˜ญ๐˜บ ๐˜ช๐˜ฏ๐˜ค๐˜ณ๐˜ฆ๐˜ข๐˜ด๐˜ฆ ๐˜ต๐˜ฉ๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ด๐˜ด๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต ๐˜ฅ๐˜ถ๐˜ณ๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฏ๐˜ฐ๐˜ณ ๐˜ต๐˜ฉ๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ด๐˜ด๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต ๐˜ค๐˜ฐ๐˜ด๐˜ต. ๐˜›๐˜ฉ๐˜ฆ ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ(๐˜ด) ๐˜ธ๐˜ช๐˜ญ๐˜ญ ๐˜ฃ๐˜ฆ ๐˜ธ๐˜ช๐˜ต๐˜ฉ๐˜ช๐˜ฏ ๐˜ต๐˜ฉ๐˜ฆ ๐˜ฅ๐˜ฆ๐˜ง๐˜ช๐˜ฏ๐˜ฆ๐˜ฅ Read More

3.14.1 Identify, report, correct system flaws

Continuing the Top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. “๐ˆ๐๐ž๐ง๐ญ๐ข๐Ÿ๐ฒ, ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ, ๐š๐ง๐ ๐œ๐จ๐ซ๐ซ๐ž๐œ๐ญ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ ๐Ÿ๐ฅ๐š๐ฐ๐ฌ ๐ข๐ง ๐š ๐ญ๐ข๐ฆ๐ž๐ฅ๐ฒ ๐ฆ๐š๐ง๐ง๐ž๐ซ.” This is the third most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and very hard to implement. Both problems cause failures. ๐–๐ก๐ฒ ๐ข๐ฌ 3.14.1 ๐ฆ๐ข๐ฌ๐ฎ๐ง๐๐ž๐ซ๐ฌ๐ญ๐จ๐จ๐?  Most people read the Read More

3.11.1 Periodically assess the risk to organizational operations

3.11.1 ๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Not hard to do, but often misunderstood. Let’s break it down. ๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ Read More

3.11.2 Scan for Vulnerabilities

Scan for vulnerabilities….This the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 ๐’๐œ๐š๐ง ๐Ÿ๐จ๐ซ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐ข๐ง ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐ฉ๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ง๐ ๐ฐ๐ก๐ž๐ง ๐ง๐ž๐ฐ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐š๐Ÿ๐Ÿ๐ž๐œ๐ญ๐ข๐ง๐  ๐ญ๐ก๐จ๐ฌ๐ž ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐š๐ซ๐ž ๐ข๐๐ž๐ง๐ญ๐ข๐Ÿ๐ข๐ž๐. “๐’๐’“๐’ˆ๐’‚๐’๐’Š๐’›๐’‚๐’•๐’Š๐’๐’๐’‚๐’ ๐’”๐’š๐’”๐’•๐’†๐’Ž๐’””…This is an example of a broadly-applicable requirement – something that is expected to be applied ๐˜ฉ๐˜ฐ๐˜ญ๐˜ช๐˜ด๐˜ต๐˜ช๐˜ค๐˜ข๐˜ญ๐˜ญ๐˜บ from boundary to Read More

3.3.3 Review and Update Logged Events

This is #6 in the series of most common failed requirements as assessed by the DoD’s Cyber Assessment Center. This requirement is another example of misunderstanding == failing (alongside the other top 10 requirements). Most people do not understand what is expected for 3.3.3. To “review and update logged events”, you must consider ๐ฐ๐ก๐ข๐œ๐ก ๐ž๐ฏ๐ž๐ง๐ญ๐ฌ Read More

3.3.4 Audit Logging Process Failure

Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “๐€๐ฅ๐ž๐ซ๐ญ ๐ข๐ง ๐ญ๐ก๐ž ๐ž๐ฏ๐ž๐ง๐ญ ๐จ๐Ÿ ๐š๐ง ๐š๐ฎ๐๐ข๐ญ ๐ฅ๐จ๐ ๐ ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ ๐Ÿ๐š๐ข๐ฅ๐ฎ๐ซ๐ž.” Sit with me while I tell a story… ๐˜ˆ๐˜ฏ ๐˜ฐ๐˜ณ๐˜จ๐˜ข๐˜ฏ๐˜ช๐˜ป๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฅ๐˜ช๐˜ด๐˜ค๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ด ๐˜ต๐˜ฉ๐˜ข๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜บ ๐˜ธ๐˜ฆ๐˜ณ๐˜ฆ ๐˜ฃ๐˜ณ๐˜ฆ๐˜ข๐˜ค๐˜ฉ๐˜ฆ๐˜ฅ ๐˜ฃ๐˜ฆ๐˜ค๐˜ข๐˜ถ๐˜ด๐˜ฆ ๐˜จ๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ฏ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต ๐˜ด๐˜ฆ๐˜ค๐˜ณ๐˜ฆ๐˜ต๐˜ด ๐˜ข๐˜ณ๐˜ฆ ๐˜ฃ๐˜ฆ๐˜ช๐˜ฏ๐˜จ ๐˜ด๐˜ฐ๐˜ญ๐˜ฅ ๐˜ฐ๐˜ฏ ๐˜ต๐˜ฉ๐˜ฆ ๐˜ฅ๐˜ข๐˜ณ๐˜ฌ ๐˜ธ๐˜ฆ๐˜ฃ.  ๐˜‹๐˜Š3 ๐˜ช๐˜ฏ๐˜ค๐˜ช๐˜ฅ๐˜ฆ๐˜ฏ๐˜ต ๐˜ณ๐˜ฆ๐˜ด๐˜ฑ๐˜ฐ๐˜ฏ๐˜ด๐˜ฆ ๐˜ต๐˜ฆ๐˜ข๐˜ฎ๐˜ด ๐˜ข๐˜ณ๐˜ฆ ๐˜ค๐˜ข๐˜ญ๐˜ญ๐˜ฆ๐˜ฅ; ๐˜ต๐˜ฉ๐˜ฆ๐˜บ ๐˜ด๐˜ต๐˜ข๐˜ณ๐˜ต Read More

3.3.5 Correlate Audit Processes

NIST SP 800-171 3.3.5 ๐‚๐จ๐ซ๐ซ๐ž๐ฅ๐š๐ญ๐ž ๐š๐ฎ๐๐ข๐ญ ๐ซ๐ž๐œ๐จ๐ซ๐ ๐ซ๐ž๐ฏ๐ข๐ž๐ฐ, ๐š๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ, ๐š๐ง๐ ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ๐ž๐ฌ ๐Ÿ๐จ๐ซ ๐ข๐ง๐ฏ๐ž๐ฌ๐ญ๐ข๐ ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐ญ๐จ ๐ข๐ง๐๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐จ๐Ÿ ๐ฎ๐ง๐ฅ๐š๐ฐ๐Ÿ๐ฎ๐ฅ, ๐ฎ๐ง๐š๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐ž๐, ๐ฌ๐ฎ๐ฌ๐ฉ๐ข๐œ๐ข๐จ๐ฎ๐ฌ, ๐จ๐ซ ๐ฎ๐ง๐ฎ๐ฌ๐ฎ๐š๐ฅ ๐š๐œ๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according to the DoD’s Cybersecurity Assessment Center. The problem is that this requirement can be read Read More

CMMC Scoping for Level 2

This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics discussed in the video are: This content is way more than the CCP course blueprint covers and more in-depth than what is normally covered in CCA courses! If you haven’t seen it yet, go watch the CMMC Read More

CMMC Scoping for Level 1

This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics included are: Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC training content. Kieri Solutions is an Authorized C3PAO providing CMMC and 800-171 assessment and preparation Read More

3.6.3 Test the Organizational Incident Response Capability

This was originally posted on LinkedIn. Check the original post and community discussion here! On to the next requirement! 3.6.3 ๐“๐ž๐ฌ๐ญ ๐ญ๐ก๐ž ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ข๐ง๐œ๐ข๐๐ž๐ง๐ญ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐œ๐š๐ฉ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ. This is post #5 in my series analyzing the top ten failed / misunderstood NIST SP 800-171 and #CMMC requirements according to DIBCAC. Incident response testing is the 9th most “other Read More

3.4.1 Establish / Maintain Baseline Configurations

This series reviews the top failed (misunderstood) 800-171 andย CMMCย requirements. Originally posted on LinkedIn – check the start of series here for community conversation and thoughts! 3.4.1 ๐„๐ฌ๐ญ๐š๐›๐ฅ๐ข๐ฌ๐ก/๐ฆ๐š๐ข๐ง๐ญ๐š๐ข๐ง ๐›๐š๐ฌ๐ž๐ฅ๐ข๐ง๐ž ๐œ๐จ๐ง๐Ÿ๐ข๐ ๐ฎ๐ซ๐š๐ญ๐ข๐จ๐ง๐ฌ This one is both commonly misunderstood and difficult to implement, even though it can be 100% a manual process. First, the requirement language is split into two Read More

Excuses that won’t work for your CMMC assessment

Public Safety Announcement forย #CMMCย and DIBCAC assessments of 800-171 compliance. “My _________ is scheduled to occur in January and we haven’t reached January yet.” – said too many Organizations Seeking Certification Do not try to use this excuse to explain why you lack evidence for performing an 800-171 requirement! Your assessor will not be sympathetic. What Read More

Top 10 “Other than satisfied” 800-171 requirements

At Cloud Security and Compliance Series – CS2 Huntsville, Nick Delrosso’s presentation included the “Top 10 Other Than Satisfied Requirements”. Nick Delrosso represents the DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) which has been performing cybersecurity assessments on contractors for the last few years. Top 10 failed… This is the list of the top ten 800-171 Read More

When is a FIPS Validated Module required?

This video from Amira Armond and Jillian Wright (both Kieri Solutions Provisional Assessors and Instructors), explains when FIPS 140-2 validated modules are required to be used by CMMC Level 2 / NIST SP 800-171. It also explains when FIPS is NOT required. Hint: you do not need FIPS for everything. Enjoy! Reference: NIST Cryptographic Module Read More