- Joint Surveillance Assessment – what is it like? This is an interview with Jose Rojas (TTC) and Ozzie Saeed (IntelliGRC) about their experience being assessed by Kieri Solutions, an Authorized C3PAO, as part of the Joint Surveillance Voluntary assessment program. Other than the obvious congratulations to both of them for helping TTC achieve a perfect “110” score on their assessment, we discuss what…
- CMMC News – October 2023 – the DFARS Rule. Rulemaking Timeline for CMMC DFARS Rule: The proposed CMMC Rule has been submitted to the Office of Information and Regulatory Affairs. Several groups (mostly cybersecurity professionals) have met with DoD CIO and OIRA to give recommendations for the rule. Most of them submitted documents with their feedback which can be downloaded from the EO 12866…
- What does “monitor” mean in CMMC? Logan Therrien and Amira Armond from Kieri Solutions (an Authorized C3PAO) discuss the concept of monitoring and how it is evaluated by CMMC assessors. Several assessment objectives in CMMC Level 2 require monitoring. 🔍 the physical facility where organizational systems reside is monitored; 🔍 the support infrastructure for organizational systems is monitored. 🔍 visitor activity is monitored. …
- Why so few Defense contractors are compliant. How long does it take a company to go bankrupt when it can’t win work? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base. Back in 2017 (six years ago), new and renewing DoD contracts started including…
- Podcast – increasing the likelihood of passing CMMC assessments. This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status of the roll-out. Check it out! The link below has the full text transcript: Omnistruct: …
- CMMC Breaking News – July 25, 2023. Today we had two big events in #CMMC and US Federal Contractor Cybersecurity. The Rule for CMMC moved to the Office of Management and Budget. That means a timer has started, 90 days or less, for the review to complete. Expect the text to be published by mid-October. There is still a possibility that it will come…
General CMMC information (non-technical)
New to CMMC? Start here – Main page
MSPs and CMMC Compliance – This article discusses the risks and pitfalls of having an MSP “in-scope” during your CMMC assessment.
CMMC Level 1 certification and preparation (how-to) – Very easy to understand article with explanations about CMMC Level 1 requirements as they apply to a very small (1-5 person) business.
CMMC Compliance FAQs – Organizations seeking certification – Very easy to understand article with simple explanations of CMMC topics that are often misunderstood or asked about.
CMMC Glossary, Terms, and Definitions. Who’s who in CMMC – This is a must read to understand terms and links to official sources on many CMMC topics. Starts with general terms like “DoD” and “FAR” and goes into more specifics as you progress.
What is FCI in CMMC and how does it affect scope? – Explains what FCI is and how it would be used to scope a CMMC level 1 (and above) assessment.
CMMC “allowable cost” discussion and thoughts – Opinion article about the statement that cybersecurity is an allowable cost for DoD contractors.
How to submit a NIST SP 800-171 self assessment to SPRS – FAQs and links for how to submit SPRS.
Where is the Easy Button for CMMC? Why MSPs may be the solution – Opinion article about the high cost of CMMC Level 3 and 800-171 compliance which is devastating for very small businesses. Gives ideas for how to change your processes so that your own network is not in-scope anymore.
CMMC Scope – are you ready for an assessment? – The defense contractor is responsible for identifying the scope they seek CMMC certification for. This guide gives examples of how you can describe your scope to an assessment team.
Trends in 800-171 reporting and SPRS scores – This article depicts my personal experience talking with defense contractors about their 800-171 and CMMC compliance (and what score they entered in SPRS) over the last three years.
Cybersecurity topics (for practitioners)
Are you ready for CMMC Assessment? 11 topics to review which can cause you to fail your assessment (or get disqualified before you even start).
Covered Defense Information and Covered Contractor Information System. 18 minute video that reviews the DFARS 252.204-7012 rule and the definitions for these scope terms in detail. Mandatory cybersecurity protections apply to CUI only if it is included in the performance of a contract.
System Security Plan for 800-171 and CMMC. One hour training (you probably get continuing education credits) from Amira Armond which describes what a System Security Plan is used for, where to get a template, how to fill out each section, and how to respond to each requirement fully.
Policy templates and tools for CMMC and 800-171. Most popular page on the site. Free and no-registration resources that you will want to include in your cybersecurity program.
How to become a CMMC auditor or certifier – Progress tracker for ecosystem readiness for CMMC assessors.
Review of CMMC Registered Practitioner Training – Describes the Registered Practitioner training and the value included.
Registered Practitioner Home – Home site for CMMC Registered Practitioners.
Getting started with DFARS 252.204-7012 – Home site for defense contractors that need to comply with DFARS 7012. Links to all the policy and instruction documents related to this.
Getting started with NIST SP 800-171 – Home site specific to NIST SP 800-171 requirements.
How to submit a NIST SP 800-171 self assessment to SPRS – One of our most popular articles! Tons of information and screenshots and resources for submitting the required NIST SP 800-171 DoD Self-Assessment to SPRS. This is required for most new and renewing DoD contracts starting December 1, 2020.
Practice and Process deep-dives (for practitioners)
CMMC, CUI, and Cloud Vendors – do you need FedRAMP? Deep dive on DFARS requirement to use only FedRAMP Moderate + clouds (or equivalent), and why this is important.
CMMC Annual Compliance Tasks – This article discusses six annual CMMC compliance tasks that are ideal for the quiet holiday season.
CMMC PS.2.127 Personnel Screening and US Citizen discussion. Considerations for building a screening program, discusses marijuana use in legalized states and citizenship requirements in the CMMC.
Address 19 CMMC Practices with Cybersecurity Training. Article describing how a cybersecurity training program either fully meets or contributes to meeting 19 different practice requirements within the CMMC.
CMMC RM.2.142 Scan for vulnerabilities in organizational systems. Article about the CMMC requirements for vulnerability scanning and related practices.
CMMC practice deep dives: SC.1.175. Article about the CMMC requirements for defining, controlling, monitoring, and protecting communications that traverse external and internal boundaries.
CMMC News Updates and Related Articles
CMMC News – May 30, 2021 – Biden’s executive order. Scoping guide and DFARS final rule timeline. New FAQs from CMMC-AB. CMMC required by Space Force contract.
CMMC News – April 24, 2021 – Presentation from DIBCAC about how they are performing CMMC assessments. New titles for CMMC assessors and C3PAOs. Pilots delayed.
CMMC News – March 22, 2021 – Concerns about hashed evidence. Operational Technology out of scope? Audits of C3PAO systems started. CMMC-AB updates.
CMMC News – February 16, 2021 – Fun critique of the CMMC, link to CMMC-AB Statement of Work, reciprocity news, Navy CMMC implementation memo
CMMC News – January 23, 2021 – Updates on training for CPs, CAs. FedRAMP clouds not authorized for CMMC? CISA offers free resources for cybersecurity.
CMMC News Rollup November 19 2020. C3PAO ISO 17021 update. RPs authorized. Discussion about encryption and clouds. Lots more.
CMMC News Rollup – October 25, 2020. 800-171 DoD Self Assessments info, free user training resources for awareness, CUI handling.
CMMC News Rollup October 6, 2020. DFARS Interim rule, Registered Practitioner track update, CUI Resources from DoD
September 28, 2020: CMMC News Roundup. DFARS Interim rule, OxBridge Lessons-Learned paper.
September 9, 2020: CMMC News Roundup. Incident handling tips, CMMC-AB “Sponsorship” drama, scoping your CMMC assessment, M365 GCC High features.
August 26, 2020: CMMC News Rollup. DAU webinar introduces CMMC requirements for MSPs, first pathfinder assessments started
August 15, 2020: When is a conformity assessment not a conformity assessment? (hint – it is CMMC). Guest article about CMMC hurdles
August 10, 2020: CMMC Provisional Auditor program opt-ins. Provisional assessors invited to apply (closed now)
Archives (these articles are out of date)
CMMC Basics – the Full Details – In depth article about CMMC and its rollout.
Webinar on CMMC Level 1 by the Software Engineering Institute (CMU) – Video from the authors of the CMMC model, which gives an introduction to CMMC Level 1 and how to use the document.
Conversations from LinkedIn – index page for valuable CMMC and DFARS discussions on LinkedIn
All about CMMC Assessments (Part 1) with Jeff Dalton – What is a CMMC Gap Analysis or Pre-Assessment? What is the difference in services between an RPO and a C3PAO? Should you go straight to an official assessment, or get a Gap Analysis first? What if you fail your assessment?
All about CMMC Assessments (Part 2) with Jeff Dalton – How are assessments scoped? What is the Assessment Planning process? What is the difference between an “assessment” and an “audit”?
CMMC-AB Regan Edens interview on DFARS, FedRAMP, and AB authority. Interview with Regan Edens (CMMC-AB) about whether clouds that “store, process, or transmit” CUI will still need to be DFARS 7012 compliant once CMMC rolls out. Also discussion about CMMC-AB’s authority and role to clarify technical questions like these.
Answers about C3PAOs, Assessors, and other CMMC Professional questions. Interview with Jeff Dalton (CMMC-AB) about current status of various CMMC professional roles. Must-know information if you are a C3PAO, CA, RP, RPO or other professional.
CMMC-AB Jeff Dalton Interview #2 – C3PAOs, CAs, Instructors, Ethics. Second interview with Jeff Dalton (CMMC-AB) about current status of various CMMC professional roles. Must-know information if you are a Licensed Instructor, C3PAO, CA, RP, RPO or other professional.
How to read and use the CMMC. Geared towards internal cybersecurity team members.
CMMC Auditor Training Resources – Home site for training ideas for CMMC Certified Assessors.
CMMC ML.2.999 Developing an effective CMMC Policy. Video from CMU SEI (co-authors of the CMMC Model) about developing good policies to support Maturity Level 2 and above
CMMC ML.4.996 Review and measure [DOMAIN NAME] activities for effectiveness. Video from CMU SEI (co-authors of the CMMC Model) about their intention for Maturity Level 4.
Remote Management & Access Tools for 800-171 and CMMC. Deep dive on choosing a compliant remote management toolset for your helpdesk.
CMMC Level 1 Assessment Guide – Video from SEI CMU (the authors of the CMMC model) introducing the Level 1 Assessment Guide. Commentary from CMMCAudit.org included.
CMMC Level 3 Assessment Guide Webinar and Review – Video from SEI CMU (the authors of the CMMC model) introducing the Level 3 Assessment Guide. Commentary from CMMCAudit.org included.
Introducing the CMMC Kill Chain – Zero to full compliance – This is good advice from Tom Cornelius about starting your compliance program from scratch. It identifies the general order of tasks you should tackle.
CMMC news: CMMC AB opens registration for C3PAOs and Assessors – From mid 2020 – this article has information about C3PAOs and Certified Assessor requirements.
DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 – Written when the DFARS Interim Rule introducing DFARS 252.204-7019, 7020, and 7021 was just published. Warns contractors about the NIST SP 800-171 self-assessment requirement.