5 thoughts on “CMMC Compliance FAQs – Organizations seeking certification”

  1. Jil says:

    Hi, interesting feed, thank you.
    We're discussing the supply chain and whether or not a map of a component of a product should be considered a CUI. Would appreciate feedback or information on where we can find further guidance.

  2. Eric Burke says:

    Great read. I’m curious to know if you have an opinion as to what a reasonable expectation is for someone with a strong (30+ yr) Systems Integration / MSP background to reach a CA-3 assessor level? I’m about to begin the process and I can’t seem to find any specific information about needing to hold any level for a particular amount of time before moving onto the next step. I’m currently a Security+ and CySA+ holder, but I get the sense that the lack of DOD-specific experience could be a barrier to success. I look forward to reading more!

  3. Cary Anderson says:

    Mr. Armond

    Not wanting to argue the point about not being able to use BYOD, but can you please cite the controls that prohibit it?

    It seems to me that AC.1.1003 applies at ML1, but it doesn’t rule out the use of BYOD – and would it cover the use of smart phones too?

    Thank you sir.

    • Amira Armond says:

      Hello Cary,
      Great question!
      I think control AC.1.003 “Verify and control/limit connections to and use of external information systems.” is the one that applies to this discussion. The appendix says “Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information.” Keep in mind this advice is for level 1.

      I come at this from the perspective of military networks, which is closely applicable to CMMC Level 3-4-5. It is less applicable to level 1 and 2. I would say that there is some leeway to allow personally-owned devices at level 1 and 2, but they need to be “controlled and limited”.
      How does one control and limit devices? Using a BYOD policy, like you mentioned, which requires security measures. Once you start requiring that phones or laptops have PINs, updated operating systems, encryption, and malware scanning, do those devices really count as “home” devices anymore? Do you allow the children to use the same laptop as your employee does? If not, it doesn’t count as a home device anymore.

      Hopefully the DoD will provide assessment guidelines and examples of audit failures soon, so that we understand what will fail an audit. That is the ultimate answer. In the meantime, we are just trying to make sure we are on the passing side of wherever that line is.

      I’ve updated the FAQ slightly based on this conversation. Thanks!
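The reply above describes "controlling and limiting" personally owned devices by requiring a screen lock, a current operating system, encryption, and malware scanning, and by asking whether the device is shared with family members. The following is an added example, not code from the post, its author, or any CMMC or DoD publication: a small policy-as-code check that evaluates a device record against a hypothetical BYOD policy and reports every unmet requirement. The minimum OS versions, the `Device` fields, and the sample device records are constructed for illustration and are not official thresholds.

```python
"""Added example (not from the original post or from CMMC/DoD guidance):
evaluate a personally owned device against a hypothetical BYOD policy
before it is allowed to connect to company systems. All thresholds and
sample devices below are constructed for illustration."""

from __future__ import annotations
from dataclasses import dataclass

# Hypothetical minimum OS version per platform (assumption, not DoD guidance).
MIN_OS_VERSION = {
    "ios": (16, 0, 0),
    "android": (13, 0, 0),
    "windows": (10, 0, 19045),
    "macos": (13, 0, 0),
}


@dataclass
class Device:
    """Posture attributes an MDM or onboarding form might collect (assumed fields)."""
    device_id: str
    platform: str             # "ios", "android", "windows", "macos"
    os_version: str           # e.g. "16.4.1"
    screen_lock: bool         # PIN / passcode / biometric lock configured
    disk_encrypted: bool      # storage encryption enabled
    malware_scanner: bool     # endpoint protection present and current
    shared_with_others: bool  # used by family members or other non-employees


def parse_version(text: str) -> tuple:
    """Turn '16.4.1' into (16, 4, 1). Missing components default to 0 so that
    '10.0' compares correctly against (10, 0, 19045). Rejects non-numeric parts."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate(device: Device) -> tuple:
    """Return (allowed, reasons). Every unmet requirement is listed so the
    owner knows exactly what to fix instead of receiving a bare 'denied'."""
    reasons = []
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        reasons.append(f"unsupported platform: {device.platform}")
    else:
        try:
            if parse_version(device.os_version) < minimum:
                wanted = ".".join(str(n) for n in minimum)
                reasons.append(f"OS {device.os_version} below minimum {wanted}")
        except ValueError as exc:
            reasons.append(str(exc))
    if not device.screen_lock:
        reasons.append("no screen lock (PIN/passcode) configured")
    if not device.disk_encrypted:
        reasons.append("storage is not encrypted")
    if not device.malware_scanner:
        reasons.append("no malware scanning / endpoint protection")
    if device.shared_with_others:
        reasons.append("device is shared with non-employees")
    return (len(reasons) == 0, reasons)


# Constructed sample devices: one compliant phone, one out-of-date shared
# laptop, one tablet missing a lock and a scanner.
SAMPLE_DEVICES = [
    Device("phone-01", "ios", "17.2", True, True, True, False),
    Device("laptop-07", "windows", "10.0.18363", True, False, True, True),
    Device("tablet-03", "android", "14", False, True, False, False),
]


def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    """Map device_id -> (allowed, reasons) for a batch of device records."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in evaluate_all().items():
        verdict = "ALLOW" if allowed else "DENY"
        detail = "" if allowed else " - " + "; ".join(reasons)
        print(f"{device_id}: {verdict}{detail}")
```

The check is deliberately all-or-nothing: a device that fails any requirement is not treated as a "controlled and limited" external system, which is the distinction the reply draws between a managed personal device and a home device that children also use.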
