Tag: 800-171

How the secret sauce is made - one practice, one hour

How the secret sauce is made – one practice, one hour

Posted on by Amira Armond

How does a defense contractor create a plan to perform each requirement in CMMC and NIST SP 800-171? Will you fail if you don’t write policy statements which regurgitate each requirement in a ‘shall” form? AKA “๐˜š๐˜ข๐˜ง๐˜ฆ๐˜จ๐˜ถ๐˜ข๐˜ณ๐˜ฅ๐˜ช๐˜ฏ๐˜จ ๐˜ฎ๐˜ฆ๐˜ข๐˜ด๐˜ถ๐˜ณ๐˜ฆ๐˜ด ๐˜ง๐˜ฐ๐˜ณ ๐˜Š๐˜œ๐˜ Read More

3.13.11 FIPS 140-2 Validated Cryptography

3.13.11 FIPS 140-2 Validated Cryptography

Posted on by Amira Armond

It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. ๐Ÿ˜ฑ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐…๐ˆ๐๐’ 140-2 ๐•๐š๐ฅ๐ข๐๐š๐ญ๐ž๐ ๐Œ๐จ๐๐ฎ๐ฅ๐ž๐ฌ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐Ÿ˜ฑ Listen up – I’m going to tell you how to succeed Read More

3.5.3 Multifactor Authentication

3.5.3 Multifactor Authentication

Posted on by Amira Armond

Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. ๐”๐ฌ๐ž ๐ฆ๐ฎ๐ฅ๐ญ๐ข๐Ÿ๐š๐œ๐ญ๐จ๐ซ ๐š๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐Ÿ๐จ๐ซ ๐ฅ๐จ๐œ๐š๐ฅ ๐š๐ง๐ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ ๐š๐ง๐ ๐Ÿ๐จ๐ซ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ง๐จ๐ง-๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ. My theory is that most of Read More

What are Spot Checks for?

Posted on by Amira Armond

๐‚๐Œ๐Œ๐‚ ๐€๐ฌ๐ฌ๐ž๐ฌ๐ฌ๐ฆ๐ž๐ง๐ญ ๐’๐ฉ๐จ๐ญ ๐‚๐ก๐ž๐œ๐ค๐ฌ “๐˜๐˜ง ๐˜ค๐˜ฐ๐˜ฏ๐˜ต๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ฐ๐˜ณ’๐˜ด ๐˜ณ๐˜ช๐˜ด๐˜ฌ-๐˜ฃ๐˜ข๐˜ด๐˜ฆ๐˜ฅ ๐˜ด๐˜ฆ๐˜ค๐˜ถ๐˜ณ๐˜ช๐˜ต๐˜บ ๐˜ฑ๐˜ฐ๐˜ญ๐˜ช๐˜ค๐˜ช๐˜ฆ๐˜ด, ๐˜ฑ๐˜ณ๐˜ฐ๐˜ค๐˜ฆ๐˜ฅ๐˜ถ๐˜ณ๐˜ฆ๐˜ด, ๐˜ข๐˜ฏ๐˜ฅ ๐˜ฑ๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ช๐˜ค๐˜ฆ๐˜ด ๐˜ฅ๐˜ฐ๐˜ค๐˜ถ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฐ๐˜ณ ๐˜ฐ๐˜ต๐˜ฉ๐˜ฆ๐˜ณ ๐˜ง๐˜ช๐˜ฏ๐˜ฅ๐˜ช๐˜ฏ๐˜จ๐˜ด ๐˜ณ๐˜ข๐˜ช๐˜ด๐˜ฆ ๐˜ฒ๐˜ถ๐˜ฆ๐˜ด๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ด ๐˜ข๐˜ฃ๐˜ฐ๐˜ถ๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜ด๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ต๐˜ด, ๐˜ต๐˜ฉ๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ด๐˜ด๐˜ฐ๐˜ณ ๐˜ค๐˜ข๐˜ฏ ๐˜ค๐˜ฐ๐˜ฏ๐˜ฅ๐˜ถ๐˜ค๐˜ต ๐˜ข ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ ๐˜ต๐˜ฐ ๐˜ช๐˜ฅ๐˜ฆ๐˜ฏ๐˜ต๐˜ช๐˜ง๐˜บ ๐˜ณ๐˜ช๐˜ด๐˜ฌ๐˜ด. ๐˜›๐˜ฉ๐˜ฆ ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ(๐˜ด) ๐˜ด๐˜ฉ๐˜ข๐˜ญ๐˜ญ ๐˜ฏ๐˜ฐ๐˜ต ๐˜ฎ๐˜ข๐˜ต๐˜ฆ๐˜ณ๐˜ช๐˜ข๐˜ญ๐˜ญ๐˜บ ๐˜ช๐˜ฏ๐˜ค๐˜ณ๐˜ฆ๐˜ข๐˜ด๐˜ฆ ๐˜ต๐˜ฉ๐˜ฆ Read More

3.14.1 Identify, report, correct system flaws

3.14.1 Identify, report, correct system flaws

Posted on by Amira Armond

Continuing the Top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. “๐ˆ๐๐ž๐ง๐ญ๐ข๐Ÿ๐ฒ, ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ, ๐š๐ง๐ ๐œ๐จ๐ซ๐ซ๐ž๐œ๐ญ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ ๐Ÿ๐ฅ๐š๐ฐ๐ฌ ๐ข๐ง ๐š ๐ญ๐ข๐ฆ๐ž๐ฅ๐ฒ ๐ฆ๐š๐ง๐ง๐ž๐ซ.” This is the third most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and Read More

3.11.1 Periodically assess the risk to organizational operations

3.11.1 Periodically assess the risk to organizational operations

Posted on by Amira Armond

3.11.1 ๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or Read More

3.11.2 Scan for Vulnerabilities

3.11.2 Scan for Vulnerabilities

Posted on by Amira Armond

Scan for vulnerabilities….This the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 ๐’๐œ๐š๐ง ๐Ÿ๐จ๐ซ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐ข๐ง ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐ฉ๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ง๐ ๐ฐ๐ก๐ž๐ง ๐ง๐ž๐ฐ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐š๐Ÿ๐Ÿ๐ž๐œ๐ญ๐ข๐ง๐  ๐ญ๐ก๐จ๐ฌ๐ž ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐š๐ซ๐ž ๐ข๐๐ž๐ง๐ญ๐ข๐Ÿ๐ข๐ž๐. “๐’๐’“๐’ˆ๐’‚๐’๐’Š๐’›๐’‚๐’•๐’Š๐’๐’๐’‚๐’ ๐’”๐’š๐’”๐’•๐’†๐’Ž๐’””…This is an example of Read More

3.3.4 Audit Logging Process Failure

3.3.4 Audit Logging Process Failure

Posted on by Amira Armond

Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “๐€๐ฅ๐ž๐ซ๐ญ ๐ข๐ง ๐ญ๐ก๐ž ๐ž๐ฏ๐ž๐ง๐ญ ๐จ๐Ÿ ๐š๐ง ๐š๐ฎ๐๐ข๐ญ ๐ฅ๐จ๐ ๐ ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ ๐Ÿ๐š๐ข๐ฅ๐ฎ๐ซ๐ž.” Sit with me while I tell a story… ๐˜ˆ๐˜ฏ ๐˜ฐ๐˜ณ๐˜จ๐˜ข๐˜ฏ๐˜ช๐˜ป๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฅ๐˜ช๐˜ด๐˜ค๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ด ๐˜ต๐˜ฉ๐˜ข๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜บ ๐˜ธ๐˜ฆ๐˜ณ๐˜ฆ ๐˜ฃ๐˜ณ๐˜ฆ๐˜ข๐˜ค๐˜ฉ๐˜ฆ๐˜ฅ ๐˜ฃ๐˜ฆ๐˜ค๐˜ข๐˜ถ๐˜ด๐˜ฆ ๐˜จ๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ฏ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต ๐˜ด๐˜ฆ๐˜ค๐˜ณ๐˜ฆ๐˜ต๐˜ด Read More

3.3.5 Correlate Audit Processes

3.3.5 Correlate Audit Processes

Posted on by Amira Armond

NIST SP 800-171 3.3.5 ๐‚๐จ๐ซ๐ซ๐ž๐ฅ๐š๐ญ๐ž ๐š๐ฎ๐๐ข๐ญ ๐ซ๐ž๐œ๐จ๐ซ๐ ๐ซ๐ž๐ฏ๐ข๐ž๐ฐ, ๐š๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ, ๐š๐ง๐ ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ๐ž๐ฌ ๐Ÿ๐จ๐ซ ๐ข๐ง๐ฏ๐ž๐ฌ๐ญ๐ข๐ ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐ญ๐จ ๐ข๐ง๐๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐จ๐Ÿ ๐ฎ๐ง๐ฅ๐š๐ฐ๐Ÿ๐ฎ๐ฅ, ๐ฎ๐ง๐š๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐ž๐, ๐ฌ๐ฎ๐ฌ๐ฉ๐ข๐œ๐ข๐จ๐ฎ๐ฌ, ๐จ๐ซ ๐ฎ๐ง๐ฎ๐ฌ๐ฎ๐š๐ฅ ๐š๐œ๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according Read More

3.6.3 Test the Organizational Incident Response Capability

3.6.3 Test the Organizational Incident Response Capability

Posted on by Amira Armond

This was originally posted on LinkedIn. Check the original post and community discussion here! On to the next requirement! 3.6.3 ๐“๐ž๐ฌ๐ญ ๐ญ๐ก๐ž ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ข๐ง๐œ๐ข๐๐ž๐ง๐ญ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐œ๐š๐ฉ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ. This is post #5 in my series analyzing the top ten failed / misunderstood Read More

3.4.1 Establish / Maintain Baseline Configurations

3.4.1 Establish / Maintain Baseline Configurations

Posted on by Amira Armond

This series reviews the top failed (misunderstood) 800-171 andย CMMCย requirements. Originally posted on LinkedIn – check the start of series here for community conversation and thoughts! 3.4.1 ๐„๐ฌ๐ญ๐š๐›๐ฅ๐ข๐ฌ๐ก/๐ฆ๐š๐ข๐ง๐ญ๐š๐ข๐ง ๐›๐š๐ฌ๐ž๐ฅ๐ข๐ง๐ž ๐œ๐จ๐ง๐Ÿ๐ข๐ ๐ฎ๐ซ๐š๐ญ๐ข๐จ๐ง๐ฌ This one is both commonly misunderstood and difficult to implement, even though Read More

Excuses that won’t work for your CMMC assessment

Posted on by Amira Armond

Public Safety Announcement forย #CMMCย and DIBCAC assessments of 800-171 compliance. “My _________ is scheduled to occur in January and we haven’t reached January yet.” – said too many Organizations Seeking Certification Do not try to use this excuse to explain why Read More

Top 10 "Other than satisfied" 800-171 requirements

Top 10 “Other than satisfied” 800-171 requirements

Posted on by Amira Armond

At Cloud Security and Compliance Series – CS2 Huntsville, Nick Delrosso’s presentation included the “Top 10 Other Than Satisfied Requirements”. Nick Delrosso represents the DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) which has been performing cybersecurity assessments on contractors for the Read More

Lessons learned from two (three?) DIBCAC assessments

Posted on by Amira Armond

On behalf of CMMCAudit.org, I’m excited to share this interview withย Jake Williamsย about his lessons learned from two DIBCAC assessments of DFARS 252.204-7012 and NIST SP 800-171 compliance. This video is packed with actionable information about what to expect during assessments. Read More

CMMC RM.2.142 Scan for vulnerabilities in organizational systems

CMMC RM.2.142 Scan for vulnerabilities in organizational systems

Posted on by Amira Armond

This article is an in-depth review of the CMMC Level 2 Requirement RM.2.142 on the topic of vulnerability scanning. I break out frequently asked questions and reference other requirements that are related to vulnerability scanning. This requirement also applies to current DFARS 252.204-7012 and NIST SP 800-171 organizations that hold CUI

DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC

DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC

Posted on by Amira Armond

If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Rules Supplement Read More

Remote Management & Access Tools for 800-171 and CMMC

Posted on by Amira Armond

A question came up today from a client that has a large remote workforce. “How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?” For example, can we use remote access tools like LogMeIn Read More