A Practitioner’s Thoughts On CMMC

Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience with these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which is discussed in the section Reciprocity Considerations. Organizations that need to protect CUI at level 3+ will normally want to segment their contract operations away

CMMC news: CMMC AB opens registration for C3PAOs and Assessors

Hello all. The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a ‘registered practitioner’ or a ‘registered provider organization’ (these can be team members but cannot lead audits). You can find the source information on the front page of the CMMC AB website: https://cmmcab.org Here are my quick notes from reviewing the information. Please remember that

CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to distinguish your company from your competitors. How to prepare for CMMC Level 1 certification. First, the standard disclaimer. As I write this article in 2020:

CMMC News – Auditor Training Update – May 22, 2020

These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB; I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details. This webinar was released May 21, 2020 on the cmmcab.org website and is archived on Vimeo. Ben Tchoubineh, the Chair for the Training Committee, presented. CMMC Training will be rolled out in two phases:

CMMC PS.2.127 Personnel Screening and US Citizen discussion

The CMMC version 1.0 has the following security requirement: CMMC Personnel Security (PS) PS.2.127 (Level 2): “Screen individuals prior to authorizing access to organizational systems containing CUI.” This is a Level 2 requirement. There are no level 3, 4, or 5 requirements in this version of the CMMC. The CMMC document included a discussion from NIST SP 800-171 R2 (3.9.1) for this same security requirement in the appendix (page B.12.2) to clarify this control. It recommends evaluating the individual’s “conduct,

CMMC Version 1.0 Released – Analysis for DoD contractors

As promised, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 was released to the public on January 31, 2020. The document should be stable at this point. Cybersecurity leads for defense contractors need to read through it as soon as possible and begin closing the gaps in their organization’s cyber-security practices. Links to CMMC v1.0 documents: CMMC version 1.0 document: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf CMMC briefing PDF: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf Official website for CMMC Model v1.0: https://www.acq.osd.mil/cmmc/index.html Early analysis

Remote Management & Access Tools for 800-171 and CMMC

A question came up today from a client that has a large remote workforce. “How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?” For example, can we use remote access tools like LogMeIn or Chrome Remote Desktop, which allow always-on connections to the desktop? The following is my opinion. Take it at your own risk. The problem with always-on remote access programs: Assuming that your end user devices contain or access sensitive information,

What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references “FCI” in draft version 0.6b. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” Page 6, CMMC Preface V0.6b 20191107.docx. Analysis of the term FCI in the CMMC

CMMC Capabilities Discussion Home

This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: The goal is to help you understand how the CMMC is organized and numbered. I might have some things wrong and the CMMC will definitely change over time. Please comment below to give guidance

CMMC “allowable cost” discussion and thoughts

As I write this, we are still early in the process for the CMMC. The CMMC introductory Listening Tour just finished. CMMC Draft version 0.6 was released November 7, 2019. At this time, a third-party oversight organization for certifiers and auditors has not been chosen yet. CMMC draft version 0.6 states, “This document includes CMMC Levels 1-3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to