Conversations from LinkedIn


This page is an index of great LinkedIn discussions and posts about CMMC and 800-171. It will be updated over time with new topics.

If you don’t have a LinkedIn account, you will still be able to see some comments, but not all. I highly recommend being signed in to LinkedIn for full effect.

Discussions with comments from the DoD, Carnegie Mellon University | Software Engineering Institute, the CMMC Accreditation Body, and other authorities are given priority in this index.

If you would like to recommend a great LinkedIn discussion for this page, please let us know at newsletter@cmmcaudit.org or comment below.

Non-technical CMMC discussions (Contractors and National Security)

Let’s not build a ten dollar fence around a one dollar horse! On cybersecurity costs for small businesses.

https://www.linkedin.com/posts/amira-armond-25a77a141_supplychain-cmmc-nist800171-activity-6746192106500435968-BLfL

SPRS self assessment required for non-CUI contracts?

https://www.linkedin.com/posts/amira-armond-25a77a141_how-to-submit-a-nist-sp-800-171-self-assessment-activity-6743493722983432193-euKf

What’s next for CMMC? (Robert Metzger, Deborah Rodin, Eleanor Ross)

https://www.linkedin.com/posts/robertmetzger_the-cmmc-interim-rule-what-lies-ahead-what-activity-6746915847438249984-Etng

CMMC and operational technology systems (manufacturing)

https://www.linkedin.com/posts/leslieweinsteinmba_operational-technology-ot-information-activity-6745705201010778112-_81M

Disruption to DoD’s supply chain if CMMC moves forward on pace

https://www.linkedin.com/posts/leslieweinsteinmba_impact-of-cmmc-on-dod-small-business-supply-activity-6740637804306407425-BeMx

CMMC creates fertile ground for bid protests (Robert Metzger, Katie Arrington)

https://www.linkedin.com/posts/robertmetzger_new-dod-cyber-rules-create-fertile-bid-protest-grounds-law360-activity-6759536168825688064-THrA

Sensitive Data (CUI, FCI, etc.)

Are DIB aggregated security information (such as SSPs) considered CUI?

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-dfars-activity-6734783791673425920-OpbE

Is FOUO CUI?

https://www.linkedin.com/posts/vincent-scott-cybersecurity_cmmc-nist800171-cmmcab-activity-6746437211949998080-y6_e

DNI tries to abort Controlled Unclassified Information policy

https://www.linkedin.com/posts/robertmetzger_dni-tries-to-abort-controlled-unclassified-activity-6745197990799142913-3XyB

If a contract requires CMMC ML3, can FCI for that contract be held in a CMMC ML1 information system? (Poll shows 60/40 split)

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-activity-6764641231973695488-YOCp

CMMC Process Maturity discussions

CMMC compliance can’t be met by simply buying technical tools

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmcab-cmmc-dfars7012-activity-6737001724726272000-TYiq

CMMC Technical discussions (about specific practices)

AC.1.001 on how most companies fail the device objective

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-activity-6754725540831232000-gfDH

AC.2.005 on Privacy and Security Notices

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-cmmcab-nist800171-activity-6748920155973160960-qyA4

IA.2.081 – password storage and one way hashing

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-cybersecurity-activity-6743905209925279744–lbV

RM.2.142 – vulnerability scanning, requirement for credentialed scans?

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-activity-6742240706426880000-cA5w

Clouds – can you encrypt your CUI in a non-FedRAMP cloud and still pass?

https://www.linkedin.com/posts/amira-armond-25a77a141_cloudsecurity-cmmc-dfars7012-activity-6728484379435290624-H3B3

SC.3.183 – where does Deny traffic by default, allow by exception, apply?

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-dfars7012-cybersecurity-activity-6722490652367577088-G1o3

Should endpoints that access VDI be in scope?

https://www.linkedin.com/posts/activity-6745447885149761536-GvXw

Are phone conversations in-scope?

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-dfars7021-dfars7012-activity-6761427968133734400-XmqP

FedRAMP reciprocity with CMMC and POA&Ms (Ted Dziekanowski)

https://www.linkedin.com/posts/tdziekanowski_dod-eyes-cmmc-fedramp-reciprocity-by-end-activity-6766410547127709696-aUqr/

CMMC Professionals (C3PAOs, Certified Assessors, Registered Practitioners, etc)

CMMC assessors are required to complete a Tier-3 (non-clearance) Suitability Determination

https://www.linkedin.com/posts/activity-6741489712936157184-HLMv

Review of CMMC Assessment Guide for Level 3, version 1.10

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-level-3-assessment-guide-webinar-and-activity-6747471485704663040-Doqq

ISO 17020

https://www.linkedin.com/posts/christopher-paris-nian-2a87031b_iso-17020-for-cmmc-c3paos-activity-6749401011665870849-AMv2

More on ISO 17020

https://www.linkedin.com/posts/christopher-paris-nian-2a87031b_a-few-more-wrinkles-emerge-re-cmmc-c3paos-activity-6751892259114930176-OLE-

How much will ISO 17020 cost? Reddit and Vince Scott

https://www.linkedin.com/feed/update/urn:li:activity:6756160132805140480/

C3PAOs need to use FedRAMP High clouds (if they use clouds)

https://www.linkedin.com/posts/reganedens_cmmcab-activity-6752361566777221120-ipB7

Assessment Procedures

Depth and thoroughness of assessment? CMMC references 171 Appendix D

https://www.linkedin.com/feed/update/urn:li:activity:6755246339312926720/

DFARS 252.204-7012, 7019, 7020, 7021

Interview with Regan Edens about DFARS, FedRAMP, and AB authority. Additional discussion about FedRAMP cloud requirements.

https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-ab-regan-edens-interview-on-dfars-fedramp-activity-6750033669626327040-EXzE

DFARS, CUI, and the Catch-22

https://www.linkedin.com/posts/vincent-scott-cybersecurity_cmmc-cmmab-nist800171-activity-6743680052195590144-AviE

Cloud requirements

https://www.linkedin.com/posts/reganedens_cmmcconversations-cloudsecurity-activity-6752372812725436416-9a2w

Technology and Security Products

Do I need Office 365 GCC High for CMMC Level 3? (Andy Sauer)

https://www.linkedin.com/posts/andy-sauer-cissp-cism-063ba933_cmmc-gcchigh-dib-activity-6760247905832996864-0c6S

One thought on “Conversations from LinkedIn”

  1. Bradley Fell says:

    Hello-
    I’m an Associate of ISC2 and I am a Cybersecurity vendor for MSP and Small business, I would like to become a CMMC auditor – but I see you have this requirement for college degree, why is this?
    Will my ISC2 designation suffice?
