CMMC News Roundup September 9 2020

Hello folks,

Here’s the latest CMMC news and articles you should check out!


CMMC FAQ for Organizations Seeking Certification

This easy-to-read FAQ article covers frequently asked questions about implementing CMMC security, such as “Can my employees use their home computers to work on CUI?”


Incident Handling tips from CISA

https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf

The Cybersecurity and Infrastructure Security Agency (CISA.gov) just released this 14-page document with very actionable tips for incident handling. It is a great resource to hand to your systems engineer and security team.


Provisional Assessor training update

I’ve spoken with a few provisional assessor selects this week. They were given a day’s worth of online training to go through. The first in-person class (out of several) started the week of Sept 1. According to participants, the in-person training is covering topics up to CMMC level 3.


C3PAO update

To my knowledge, there has been no action for C3PAOs, not even an email to discuss qualifications. If you have been contacted, please let me know so I can share your experience! Email or LinkedIn.


Drama about CMMC-AB “Sponsorships”

For a brief period last week, the CMMC Accreditation Body website displayed a “partners” page with options for sponsorship by companies. “Diamond” status ($500,000), Platinum ($250,000), Gold ($100,000). After community outrage, and possibly DoD influence, this page was taken down. As of today (September 9, 2020), several spokespersons from the DoD have said they will not condone sponsorships.

Related, the CMMC-AB and Dun & Bradstreet announced a partnership. The only problem is that D&B is apparently offering a CMMC assessment tool, which, again, may put it ahead of other private-sector CMMC compliance vendors.

My opinion: The CMMC-AB working groups and directors have put hundreds of thousands of dollars’ worth of hours into this project. They need funding, and the top-level full-time positions should have been funded by the DoD. This is a big problem. HOWEVER, even with no funding, any preferential treatment toward for-profit companies invalidates the CMMC-AB’s objectivity and needs to stop.


How to scope for your CMMC Assessment – from SEI

https://insights.sei.cmu.edu/sei_blog/2020/08/follow-the-cui-4-steps-to-starting-your-cmmc-assessment.html

The Carnegie Mellon University Software Engineering Institute (SEI) worked hand-in-hand with the DoD to develop the CMMC model, so they are one of the highest authorities on the topic. This blog describes following your CUI flows to determine which parts of your environment are in scope and which are not. Note: CUI means CMMC Level 3 and above; the post does not address Level 1-2 scoping directly.


Microsoft 365 GCC High adds features

This week, GCC High finally replaced the old Intune portal with Endpoint Manager and connected Defender ATP for cloud-only tenants. For my company and clients using GCC High E5, this is a big money saver because we can use it for central audit and alert requirements for Windows 10 devices instead of a different solution. GCC High is a complex topic, and its unique “features” are not well documented – if you want 30 minutes of free advice about moving to GCC High, my company, Kieri Solutions, is happy to sponsor a discussion. Send us an email to schedule a call.


Achieving Cloud Compliance in the Age of CMMC, CUI, and DFARS 7012: How secure are your cloud vendors?

CMMC, CUI, and Cloud Vendors – do you need FedRAMP?

This new blog from CMMCaudit delves deep into cloud vendor risk and why the DFARS 7012 rule places so much importance on it.

It includes an exclusive memo from the DCMA group performing DFARS 7012 audits today. This memo identifies some categories of clouds as in-scope, despite most cybersecurity teams ignoring them.


DoD DCMA Audit report

This report from late 2019 is a wealth of information about DFARS 252.204-7012 assessments conducted in 2019 against approximately 20 contractors. It describes why contractors failed their audits and, in particular, identifies vendor risk as a major concern.

https://www.dodig.mil/reports.html/Article/1916036/audit-of-protection-of-dod-controlled-unclassified-information-on-contractor-ow/


DFARS 252.204-7012 change delayed

https://insidecybersecurity.com/daily-news/arrington-rule-change-needed-dod-cyber-certification-program-enters-%E2%80%98end-phase%E2%80%99-release

This just in (September 9, 1:00pm EST)

Looks like the DFARS rule change is postponed by two months. This puts the public comment period in November 2020 instead of September. It should mean that the first official requirement for CMMC in contracts will be no earlier than February 2021.


Hope this all helps! Good luck to everyone in their assessment and compliance journeys.

-Amira Armond

4 thoughts on “CMMC News Roundup September 9 2020”

  1. James Newman says:

    Amira,
    This is an excellent resource, having a place I can depend on to know the latest CMMC events is terrific. But you always bring your “A” game, so kudos and thank you. I will heavily socialize it if you don’t have any objections. 😉
