What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references “FCI” in draft version 0.6b. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” (Page 6, CMMC Preface V0.6b 20191107.docx)

Analysis of term FCI in the CMMC

Policy templates and tools for CMMC and 800-171

This page has links to and reviews of available templates and tools relating to the CMMC and NIST SP 800-171. Please help others in the community by leaving a comment about your experiences!

DoD Environmental Research Programs templates for NIST SP 800-171

https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists

Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template looks to have a wide range of standard policies included. They are

CMMC “allowable cost” discussion and thoughts

As I write this, we are still early in the process for the CMMC. The CMMC introductory Listening Tour just finished. CMMC Draft version 0.6 was released November 7, 2019. At this time, a third party oversight organization for certifiers and auditors has not been chosen yet. CMMC draft version 0.6 states, “This document includes CMMC Levels 1-3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to