Almost every defense contractor makes one or more of these design errors when they start building their CMMC Level 3 network
Author: Amira Armond
DFARS 252.204-7012 controls discussion for CMMC
Why is there a page for DFARS 252.204-7012 on a CMMC website? DFARS 252.204-7012 is a contract requirement for defense contractors that handle or might handle Controlled Unclassified Information (CUI). Unlike the CMMC, DFARS 7012 is currently required and should be a priority for DoD contractors that deal with CUI. You can tell if your Read More
How to submit a NIST SP 800-171 self assessment to SPRS
Answers to common questions about how to submit your NIST SP 800-171 self assessment to SPRS. Register an account, how to handle multiple…
FedRAMP “Equivalent” Memo released
Must read for anyone with DFARS 252.204-7012 in their contract! FedRAMP equivalent is defined for DFARS 252.204-7012 Summary: FedRAMP Equivalency, as used in DFARS 252.204-7012, means that the cloud provider has been third-party-validated, with a full audit, by a FedRAMP Third Party Assessment Organization, to have implemented every control from the FedRAMP Moderate baseline. How Read More
CMMC Level 2 Self-Assessment Analysis
Our sponsor, Kieri Solutions, has released an in-depth review and analysis of CMMC Level 2 Self-Assessments according to the CMMC Proposed Rule. Not official guidance for CMMC Proposed Rule This paper is for educational purposes and is not authoritative in any way for the CMMC Program. Includes instructions to comment on CMMC Proposed Rule Towards Read More
Webinar – CMMC Proposed Rule Review
Our sponsor, Kieri Solutions, produced this webinar to review the hottest topics of the CMMC Proposed Rule. Thanks to Vincent Scott, Brian Hubbard, Jil Wright, and Amira Armond (all Certified CMMC Assessors and Instructors) for providing insightful review and commentary! 32CFR CMMC Proposed Rule Webinar What are your thoughts? Do you think Certification Assessments will Read More
CMMC Rule links to text (with December 26 content)!
Here are links to the text of the CMMC Proposed Rule: 32 CFR (CMMC Program) Downloadable PDF of Federal Register text (this version has page numbers): https://public-inspection.federalregister.gov/2023-27280.pdf Federal Register home page for CMMC and comments: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program Docket Information (the rule agenda): https://www.regulations.gov/docket/DOD-2023-OS-0063 Public comments posted regarding rule: https://www.regulations.gov/document/DOD-2023-OS-0063-0001 Regulatory Impact Analysis 32 CFR Part 170 Read More
Is GCC-High required to pass CMMC?
Amira Armond (CMMC Instructor, Certified CMMC Assessor, President Kieri Solutions) answers the question “Is GCC-High required to pass a CMMC assessment?” This is actually an explanation of what the FedRAMP program is and is not. This video is meant for educational and entertainment purposes only. These are opinions presented in a purposefully simplified format. Enjoy, Read More
How the secret sauce is made – one practice, one hour
How does a defense contractor create a plan to perform each requirement in CMMC and NIST SP 800-171? Will you fail if you don’t write policy statements which regurgitate each requirement in a “shall” form? AKA “Safeguarding measures for CUI at alternative work sites shall be enforced.” The answer is no. You don’t need to Read More
Joint Surveillance Assessment – what is it like?
This is an interview with Jose Rojas (TTC) and Ozzie Saeed (IntelliGRC) about their experience being assessed by Kieri Solutions, an Authorized C3PAO, as part of the Joint Surveillance Voluntary assessment program. Other than the obvious congratulations to both of them for helping TTC achieve a perfect “110” score on their assessment, we discuss what Read More
CMMC News – October 2023 – the DFARS Rule
Rulemaking Timeline for CMMC DFARS Rule The proposed CMMC Rule has been submitted to the Office of Information and Regulatory Affairs. Several groups (mostly cybersecurity professionals) have met with DoD CIO and OIRA to give recommendations for the rule. Most of them submitted documents with their feedback which can be downloaded from the EO 12866 Read More
What does “monitor” mean in CMMC?
Logan Therrien and Amira Armond from Kieri Solutions (an Authorized C3PAO) discuss the concept of monitoring and how it is evaluated by CMMC assessors. Several assessment objectives in CMMC Level 2 require monitoring: the physical facility where organizational systems reside is monitored; the support infrastructure for organizational systems is monitored; visitor activity is monitored; … Read More
Why so few Defense contractors are compliant
How long does it take a company to go bankrupt when it can’t win work? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base. Back in 2017 (six years ago), new and renewing DoD contracts started including Read More
Podcast – increasing the likelihood of passing CMMC assessments
This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status of the roll-out. Check it out! The link below has the full text transcript: Omnistruct: Read More
CMMC Breaking News – July 25, 2023
Today we had two big events in #CMMC and US Federal Contractor Cybersecurity. The Rule for CMMC moved to the Office of Management and Budget. That means a timer has started, 90 days or less, for the review to complete. Expect the text to be published by mid-October. There is still a possibility that it will come Read More
3.13.11 FIPS 140-2 Validated Cryptography
It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. FIPS 140-2 Validated Modules. Listen up – I’m going to tell you how to succeed at this requirement. It might take money, it might take time, but it CAN be Read More
3.5.3 Multifactor Authentication
Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. My theory is that most of the time when this requirement is failed, it is because the IT department didn’t know Read More
What are Spot Checks for?
CMMC Assessment Spot Checks “If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks. The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost. The limited spot check(s) will be within the defined Read More
3.14.1 Identify, report, correct system flaws
Continuing the Top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. “Identify, report, and correct information and information system flaws in a timely manner.” This is the third most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and very hard to implement. Both problems cause failures. Why is 3.14.1 misunderstood? Most people read the Read More
3.11.1 Periodically assess the risk to organizational operations
3.11.1 Periodically assess risk… This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Not hard to do, but often misunderstood. Let’s break it down. Periodically Read More
3.11.2 Scan for Vulnerabilities
Scan for vulnerabilities… This is the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. “ORGANIZATIONAL SYSTEMS”… This is an example of a broadly-applicable requirement – something that is expected to be applied holistically from boundary to Read More
3.3.3 Review and Update Logged Events
This is #6 in the series of most common failed requirements as assessed by the DoD’s Cyber Assessment Center. This requirement is another example of misunderstanding == failing (alongside the other top 10 requirements). Most people do not understand what is expected for 3.3.3. To “review and update logged events”, you must consider which events Read More
3.3.4 Audit Logging Process Failure
Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “Alert in the event of an audit logging process failure.” Sit with me while I tell a story… An organization discovers that they were breached because government secrets are being sold on the dark web. DC3 incident response teams are called; they start Read More
3.3.5 Correlate Audit Processes
NIST SP 800-171 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according to the DoD’s Cybersecurity Assessment Center. The problem is that this requirement can be read Read More
C3PAO CMMC Level 2 Assessments
On behalf of CMMCAudit.org, I’m excited to share this interview with Kyle Lai about his lessons learned from the CMMC Level 2 assessment performed by DCMA DIBCAC against his C3PAO: KLC Consulting. This video is packed with actionable information about how CMMC Level 2 assessments are performed. We compared and contrasted between the assessment that Read More
CMMC Scoping for Level 2
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics discussed in the video are: This content is way more than the CCP course blueprint covers and more in-depth than what is normally covered in CCA courses! If you haven’t seen it yet, go watch the CMMC Read More
CMMC Scoping for Level 1
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics included are: Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC training content. Kieri Solutions is an Authorized C3PAO providing CMMC and 800-171 assessment and preparation Read More
3.6.3 Test the Organizational Incident Response Capability
This was originally posted on LinkedIn. Check the original post and community discussion here! On to the next requirement! 3.6.3 Test the organizational incident response capability. This is post #5 in my series analyzing the top ten failed / misunderstood NIST SP 800-171 and #CMMC requirements according to DIBCAC. Incident response testing is the 9th most “other Read More
3.4.1 Establish / Maintain Baseline Configurations
This series reviews the top failed (misunderstood) 800-171 and CMMC requirements. Originally posted on LinkedIn – check the start of series here for community conversation and thoughts! 3.4.1 Establish/maintain baseline configurations. This one is both commonly misunderstood and difficult to implement, even though it can be 100% a manual process. First, the requirement language is split into two Read More
Excuses that won’t work for your CMMC assessment
Public Safety Announcement for #CMMC and DIBCAC assessments of 800-171 compliance. “My _________ is scheduled to occur in January and we haven’t reached January yet.” – said too many Organizations Seeking Certification. Do not try to use this excuse to explain why you lack evidence for performing an 800-171 requirement! Your assessor will not be sympathetic. What Read More