๐๐จ๐ฐ ๐ฅ๐จ๐ง๐ ๐๐จ๐๐ฌ ๐ข๐ญ ๐ญ๐๐ค๐ ๐ ๐๐จ๐ฆ๐ฉ๐๐ง๐ฒ ๐ญ๐จ ๐ ๐จ ๐๐๐ง๐ค๐ซ๐ฎ๐ฉ๐ญ ๐ข๐ญ ๐ฐ๐ก๐๐ง ๐๐๐ง’๐ญ ๐ฐ๐ข๐ง ๐ฐ๐จ๐ซ๐ค? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Read More
Category: Latest CMMC news
Podcast – increasing the likelihood of passing CMMC assessments
This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status Read More
CMMC Breaking News – July 25, 2023
Today we had two big events in #CMMC and US Federal Contractor Cybersecurity. The Rule for CMMC moved to the Office of Management and Budget. That means a timer has started, 90 days or less, for the review to complete. Expect the Read More
3.13.9 FIPS 140-2 Validated Cryptography
It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. ๐ฑ ๐ฅ ๐ฅ ๐ ๐๐๐ 140-2 ๐๐๐ฅ๐ข๐๐๐ญ๐๐ ๐๐จ๐๐ฎ๐ฅ๐๐ฌ ๐ฅ ๐ฅ ๐ฑ Listen up – I’m going to tell you how to succeed Read More
3.5.3 Multifactor Authentication
Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. ๐๐ฌ๐ ๐ฆ๐ฎ๐ฅ๐ญ๐ข๐๐๐๐ญ๐จ๐ซ ๐๐ฎ๐ญ๐ก๐๐ง๐ญ๐ข๐๐๐ญ๐ข๐จ๐ง ๐๐จ๐ซ ๐ฅ๐จ๐๐๐ฅ ๐๐ง๐ ๐ง๐๐ญ๐ฐ๐จ๐ซ๐ค ๐๐๐๐๐ฌ๐ฌ ๐ญ๐จ ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐๐ ๐๐ ๐๐๐๐จ๐ฎ๐ง๐ญ๐ฌ ๐๐ง๐ ๐๐จ๐ซ ๐ง๐๐ญ๐ฐ๐จ๐ซ๐ค ๐๐๐๐๐ฌ๐ฌ ๐ญ๐จ ๐ง๐จ๐ง-๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐๐ ๐๐ ๐๐๐๐จ๐ฎ๐ง๐ญ๐ฌ. My theory is that most of Read More
What are Spot Checks for?
๐๐๐๐ ๐๐ฌ๐ฌ๐๐ฌ๐ฌ๐ฆ๐๐ง๐ญ ๐๐ฉ๐จ๐ญ ๐๐ก๐๐๐ค๐ฌ “๐๐ง ๐ค๐ฐ๐ฏ๐ต๐ณ๐ข๐ค๐ต๐ฐ๐ณ’๐ด ๐ณ๐ช๐ด๐ฌ-๐ฃ๐ข๐ด๐ฆ๐ฅ ๐ด๐ฆ๐ค๐ถ๐ณ๐ช๐ต๐บ ๐ฑ๐ฐ๐ญ๐ช๐ค๐ช๐ฆ๐ด, ๐ฑ๐ณ๐ฐ๐ค๐ฆ๐ฅ๐ถ๐ณ๐ฆ๐ด, ๐ข๐ฏ๐ฅ ๐ฑ๐ณ๐ข๐ค๐ต๐ช๐ค๐ฆ๐ด ๐ฅ๐ฐ๐ค๐ถ๐ฎ๐ฆ๐ฏ๐ต๐ข๐ต๐ช๐ฐ๐ฏ ๐ฐ๐ณ ๐ฐ๐ต๐ฉ๐ฆ๐ณ ๐ง๐ช๐ฏ๐ฅ๐ช๐ฏ๐จ๐ด ๐ณ๐ข๐ช๐ด๐ฆ ๐ฒ๐ถ๐ฆ๐ด๐ต๐ช๐ฐ๐ฏ๐ด ๐ข๐ฃ๐ฐ๐ถ๐ต ๐ต๐ฉ๐ฆ๐ด๐ฆ ๐ข๐ด๐ด๐ฆ๐ต๐ด, ๐ต๐ฉ๐ฆ ๐ข๐ด๐ด๐ฆ๐ด๐ด๐ฐ๐ณ ๐ค๐ข๐ฏ ๐ค๐ฐ๐ฏ๐ฅ๐ถ๐ค๐ต ๐ข ๐ญ๐ช๐ฎ๐ช๐ต๐ฆ๐ฅ ๐ด๐ฑ๐ฐ๐ต ๐ค๐ฉ๐ฆ๐ค๐ฌ ๐ต๐ฐ ๐ช๐ฅ๐ฆ๐ฏ๐ต๐ช๐ง๐บ ๐ณ๐ช๐ด๐ฌ๐ด. ๐๐ฉ๐ฆ ๐ญ๐ช๐ฎ๐ช๐ต๐ฆ๐ฅ ๐ด๐ฑ๐ฐ๐ต ๐ค๐ฉ๐ฆ๐ค๐ฌ(๐ด) ๐ด๐ฉ๐ข๐ญ๐ญ ๐ฏ๐ฐ๐ต ๐ฎ๐ข๐ต๐ฆ๐ณ๐ช๐ข๐ญ๐ญ๐บ ๐ช๐ฏ๐ค๐ณ๐ฆ๐ข๐ด๐ฆ ๐ต๐ฉ๐ฆ Read More
3.14.1 Identify, report, correct system flaws
Continuing the Top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. “๐๐๐๐ง๐ญ๐ข๐๐ฒ, ๐ซ๐๐ฉ๐จ๐ซ๐ญ, ๐๐ง๐ ๐๐จ๐ซ๐ซ๐๐๐ญ ๐ข๐ง๐๐จ๐ซ๐ฆ๐๐ญ๐ข๐จ๐ง ๐๐ง๐ ๐ข๐ง๐๐จ๐ซ๐ฆ๐๐ญ๐ข๐จ๐ง ๐ฌ๐ฒ๐ฌ๐ญ๐๐ฆ ๐๐ฅ๐๐ฐ๐ฌ ๐ข๐ง ๐ ๐ญ๐ข๐ฆ๐๐ฅ๐ฒ ๐ฆ๐๐ง๐ง๐๐ซ.” This is the third most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and Read More
3.11.1 Periodically assess the risk to organizational operations
3.11.1 ๐๐๐ซ๐ข๐จ๐๐ข๐๐๐ฅ๐ฅ๐ฒ ๐๐ฌ๐ฌ๐๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or Read More
3.11.2 Scan for Vulnerabilities
Scan for vulnerabilities….This the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 ๐๐๐๐ง ๐๐จ๐ซ ๐ฏ๐ฎ๐ฅ๐ง๐๐ซ๐๐๐ข๐ฅ๐ข๐ญ๐ข๐๐ฌ ๐ข๐ง ๐จ๐ซ๐ ๐๐ง๐ข๐ณ๐๐ญ๐ข๐จ๐ง๐๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐๐ฆ๐ฌ ๐๐ง๐ ๐๐ฉ๐ฉ๐ฅ๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐ฉ๐๐ซ๐ข๐จ๐๐ข๐๐๐ฅ๐ฅ๐ฒ ๐๐ง๐ ๐ฐ๐ก๐๐ง ๐ง๐๐ฐ ๐ฏ๐ฎ๐ฅ๐ง๐๐ซ๐๐๐ข๐ฅ๐ข๐ญ๐ข๐๐ฌ ๐๐๐๐๐๐ญ๐ข๐ง๐ ๐ญ๐ก๐จ๐ฌ๐ ๐ฌ๐ฒ๐ฌ๐ญ๐๐ฆ๐ฌ ๐๐ง๐ ๐๐ฉ๐ฉ๐ฅ๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐๐ซ๐ ๐ข๐๐๐ง๐ญ๐ข๐๐ข๐๐. “๐๐๐๐๐๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐๐๐”…This is an example of Read More
3.3.3 Review and Update Logged Events
This is #6 in the series of most common failed requirements as assessed by the DoD’s Cyber Assessment Center. This requirement is another example of misunderstanding == failing (alongside the other top 10 requirements). Most people do not understand what Read More
3.3.4 Audit Logging Process Failure
Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “๐๐ฅ๐๐ซ๐ญ ๐ข๐ง ๐ญ๐ก๐ ๐๐ฏ๐๐ง๐ญ ๐จ๐ ๐๐ง ๐๐ฎ๐๐ข๐ญ ๐ฅ๐จ๐ ๐ ๐ข๐ง๐ ๐ฉ๐ซ๐จ๐๐๐ฌ๐ฌ ๐๐๐ข๐ฅ๐ฎ๐ซ๐.” Sit with me while I tell a story… ๐๐ฏ ๐ฐ๐ณ๐จ๐ข๐ฏ๐ช๐ป๐ข๐ต๐ช๐ฐ๐ฏ ๐ฅ๐ช๐ด๐ค๐ฐ๐ท๐ฆ๐ณ๐ด ๐ต๐ฉ๐ข๐ต ๐ต๐ฉ๐ฆ๐บ ๐ธ๐ฆ๐ณ๐ฆ ๐ฃ๐ณ๐ฆ๐ข๐ค๐ฉ๐ฆ๐ฅ ๐ฃ๐ฆ๐ค๐ข๐ถ๐ด๐ฆ ๐จ๐ฐ๐ท๐ฆ๐ณ๐ฏ๐ฎ๐ฆ๐ฏ๐ต ๐ด๐ฆ๐ค๐ณ๐ฆ๐ต๐ด Read More
3.3.5 Correlate Audit Processes
NIST SP 800-171 3.3.5 ๐๐จ๐ซ๐ซ๐๐ฅ๐๐ญ๐ ๐๐ฎ๐๐ข๐ญ ๐ซ๐๐๐จ๐ซ๐ ๐ซ๐๐ฏ๐ข๐๐ฐ, ๐๐ง๐๐ฅ๐ฒ๐ฌ๐ข๐ฌ, ๐๐ง๐ ๐ซ๐๐ฉ๐จ๐ซ๐ญ๐ข๐ง๐ ๐ฉ๐ซ๐จ๐๐๐ฌ๐ฌ๐๐ฌ ๐๐จ๐ซ ๐ข๐ง๐ฏ๐๐ฌ๐ญ๐ข๐ ๐๐ญ๐ข๐จ๐ง ๐๐ง๐ ๐ซ๐๐ฌ๐ฉ๐จ๐ง๐ฌ๐ ๐ญ๐จ ๐ข๐ง๐๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐จ๐ ๐ฎ๐ง๐ฅ๐๐ฐ๐๐ฎ๐ฅ, ๐ฎ๐ง๐๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐๐, ๐ฌ๐ฎ๐ฌ๐ฉ๐ข๐๐ข๐จ๐ฎ๐ฌ, ๐จ๐ซ ๐ฎ๐ง๐ฎ๐ฌ๐ฎ๐๐ฅ ๐๐๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according Read More
C3PAO CMMC Level 2 Assessments
On behalf of CMMCAudit.org, I’m excited to share this interview with Kyle Lai about his lessons learned from the CMMC Level 2 assessment performed by DCMA DIBCAC against his C3PAO: KLC Consulting. This video is packed with actionable information about Read More
CMMC Scoping for Level 2
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics discussed in the video are: This content is way more than the CCP course blueprint covers and more in-depth than what is Read More
CMMC Scoping for Level 1
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics included are: Kieri Solutions is an Authorized C3PAO providing CMMC and 800-171 assessment and preparation services. They Read More
3.6.3 Test the Organizational Incident Response Capability
This was originally posted on LinkedIn. Check the original post and community discussion here! On to the next requirement! 3.6.3 ๐๐๐ฌ๐ญ ๐ญ๐ก๐ ๐จ๐ซ๐ ๐๐ง๐ข๐ณ๐๐ญ๐ข๐จ๐ง๐๐ฅ ๐ข๐ง๐๐ข๐๐๐ง๐ญ ๐ซ๐๐ฌ๐ฉ๐จ๐ง๐ฌ๐ ๐๐๐ฉ๐๐๐ข๐ฅ๐ข๐ญ๐ฒ. This is post #5 in my series analyzing the top ten failed / misunderstood Read More
3.4.1 Establish / Maintain Baseline Configurations
This series reviews the top failed (misunderstood) 800-171 andย CMMCย requirements. Originally posted on LinkedIn – check the start of series here for community conversation and thoughts! 3.4.1 ๐๐ฌ๐ญ๐๐๐ฅ๐ข๐ฌ๐ก/๐ฆ๐๐ข๐ง๐ญ๐๐ข๐ง ๐๐๐ฌ๐๐ฅ๐ข๐ง๐ ๐๐จ๐ง๐๐ข๐ ๐ฎ๐ซ๐๐ญ๐ข๐จ๐ง๐ฌ This one is both commonly misunderstood and difficult to implement, even though Read More
Excuses that won’t work for your CMMC assessment
Public Safety Announcement forย #CMMCย and DIBCAC assessments of 800-171 compliance. “My _________ is scheduled to occur in January and we haven’t reached January yet.” – said too many Organizations Seeking Certification Do not try to use this excuse to explain why Read More
Top 10 “Other than satisfied” 800-171 requirements
At Cloud Security and Compliance Series – CS2 Huntsville, Nick Delrosso’s presentation included the “Top 10 Other Than Satisfied Requirements”. Nick Delrosso represents the DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) which has been performing cybersecurity assessments on contractors for the Read More
When is a FIPS Validated Module required?
This video from Amira Armond and Jillian Wright (both Kieri Solutions Provisional Assessors and Instructors), explains when FIPS 140-2 validated modules are required to be used by CMMC Level 2 / NIST SP 800-171. It also explains when FIPS is Read More
Lessons learned from two (three?) DIBCAC assessments
On behalf of CMMCAudit.org, I’m excited to share this interview withย Jake Williamsย about his lessons learned from two DIBCAC assessments of DFARS 252.204-7012 and NIST SP 800-171 compliance. This video is packed with actionable information about what to expect during assessments. Read More
CMMC Annual Compliance Tasks
This article discusses six annual CMMC compliance tasks that are ideal for the quiet holiday season
Trends in 800-171 reporting and SPRS scores
Author: Amira Armond, the president of Kieri Solutions – an authorized CMMC Third Party Assessment Organization (C3PAO) providing CMMC assessments, CMMC consulting, and Compliance Documentation packages designed for small/medium business. This graphic depicts my personal experience talking with defense contractors Read More
MSPs and CMMC Compliance
Are you using a Managed Service Provider for your CMMC-compliant information system? Are you a Managed Service Provider with defense contractor clients? This article discusses the risks and pitfalls of having an MSP “in-scope” during your CMMC assessment, and gives Read More
Are you ready for CMMC Assessment?
This article is provided by our sponsor, Kieri Solutions, an authorized CMMC Third Party Assessment Organization (C3PAO). Kieri Solutions provides assessment services, high-quality CMMC consulting, and an easy to use compliance documentation package geared toward small and medium businesses. CMMC Read More
CMMC Scope – are you ready for an assessment?
This article gives examples and explanations of how to identify your CMMC scope to an assessor when you are planning…
CMMC, CUI, and Cloud Vendors – do you need FedRAMP?
Achieving Cloud Compliance in the Age of CMMC, CUI, and DFARS 7012: How secure are your cloud vendors?
CMMC 2.0 Scoping Scenarios Analysis
This detailed analysis of the CMMC Scoping Guide for Level 2 is meant for educational purposes only. It discusses 12 common scenarios and gives recommendations for scoping.
CMMC 2.0 is here – what changes in CMMC?
CMMC 2.0 is released, what changes? This article is being updated as more information comes out. The DoD just announced major…
Does CMMC enforce FedRAMP and other CUI protections?
Will CMMC assessors stick to just the CMMC requirements or will they review your compliance to CUI-specified handling and other regulations?