CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification), either through your prime contractor or the SBA education office. You might be frustrated at yet another IT requirement, or you might be excited at the opportunity to distinguish your company from your competitors.

How to prepare for CMMC Level 1 certification

First, the standard disclaimer. As I write this article in 2020:

CMMC PS.2.127 Personnel Screening and US Citizen discussion

CMMC version 1.0 contains the following security requirement.

CMMC Personnel Security (PS) PS.2.127 (Level 2): “Screen individuals prior to authorizing access to organizational systems containing CUI.”

This is a Level 2 requirement; the Personnel Security domain has no Level 3, 4, or 5 requirements in this version of the CMMC. The CMMC document reproduces the discussion from NIST SP 800-171 R2 (3.9.1), the same security requirement, in its appendix (page B.12.2) to clarify this control. It recommends evaluating the individual’s “conduct,

CMMC Version 1.0 Released – Analysis for DoD contractors

As promised, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 was released to the public on January 31, 2020. The document should be stable at this point. Cybersecurity leads for defense contractors need to read through it as soon as possible and begin closing the gaps in their organization’s cybersecurity practices.

Links to CMMC v1.0 documents:

CMMC version 1.0 document: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
CMMC public briefing (PDF): https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf
Official website for CMMC Model v1.0: https://www.acq.osd.mil/cmmc/index.html

Early analysis

Remote Management & Access Tools for 800-171 and CMMC

A question came up today from a client that has a large remote workforce: “How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?” For example, can we use remote access tools like LogMeIn or Chrome Remote Desktop, which allow always-on connections to the desktop? The following is my opinion. Take it at your own risk.

The problem with always-on remote access programs

Assuming that your end user devices contain or access sensitive information,

CMMC Capabilities Discussion Home

This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: the goal is to help you understand how the CMMC is organized and numbered. I might have some things wrong, and the CMMC will definitely change over time. Please comment below to give guidance