A Practitioner’s Thoughts On CMMC

Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience on these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which is discussed in the section Reciprocity Considerations. Organizations which need to protect CUI at level 3+ will normally want to segment their contract operations away Read More

CMMC news: CMMC AB opens registration for C3PAOs and Assessors

Hello all, The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a ‘registered practitioner’ or a ‘registered provider organization’ (these can be team members but cannot lead audits). You can find the source information on the front page of the CMMC AB website: https://cmmcab.org. Here are my quick notes from reviewing the information. Please remember that Read More

CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to distinguish your company from your competitors.
How to prepare for CMMC Level 1 certification
First, the standard disclaimer. As I write this article in 2020: Read More

CMMC News – Auditor Training Update – May 22, 2020

These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB, I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details. This webinar was released May 21, 2020 on the cmmcab.org website and is archived on Vimeo. Ben Tchoubineh, the Chair for the Training Committee, presented. CMMC Training will be rolled out in two phases: Read More

CMMC News – May 21 2020

The CMMC Accreditation Body (CMMC AB) has started to publish their progress via webinars on the cmmcab.org website. Here are my notes from the webinar I watched on 5/21/2020, published at https://www.cmmcab.org and archived on YouTube. Ty Schieber is the Chair of the CMMC Accreditation Body. He presented the current status of the AB. The Accreditation Body has:
- Incorporated the non-profit organization, 501c3 application pending
- Staffed an all-volunteer, corporation agnostic, board of directors
- Created committees and stakeholder working groups
Read More

CMMC Version 1.0 Released – Analysis for DoD contractors

As promised, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 was released to the public on January 31, 2020. The document should be stable at this point. Cybersecurity leads for defense contractors need to read through it as soon as possible and begin closing the gaps in their organization’s cyber-security practices.
Links to CMMC v1.0 documents:
- CMMC version 1.0 document: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
- CMMC briefing PDF: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf
- Official website for CMMC Model v1.0: https://www.acq.osd.mil/cmmc/index.html
Early analysis Read More

Remote Management & Access Tools for 800-171 and CMMC

A question came up today from a client that has a large remote workforce. “How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?” For example, can we use remote access tools like LogMeIn or Chrome Remote Desktop, which allow always-on connections to the desktop? The following is my opinion. Take it at your own risk.
The problem with always-on remote access programs
Assuming that your end user devices contain or access sensitive information, Read More

What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references “FCI” in draft version 0.6b. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” (Page 6, CMMC Preface V0.6b 20191107.docx)
Analysis of term FCI in the CMMC Read More

Policy templates and tools for CMMC and 800-171

This page has links and reviews of available templates and tools relating to the CMMC and NIST SP 800-171. Please help others in the community by leaving a comment about your experiences!
DoD Environmental Research Programs templates for NIST SP 800-171
https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists
Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template looks to have a wide range of standard policies included. They are Read More

CMMC “allowable cost” discussion and thoughts

As I write this, we are still early in the process for the CMMC. The CMMC introductory Listening Tour just finished. CMMC Draft version 0.6 was released November 7, 2019. At this time, a third-party oversight organization for certifiers and auditors has not been chosen yet. CMMC draft version 0.6 states, “This document includes CMMC Levels 1-3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to Read More