This article gives examples and explanations of how to identify your CMMC scope to an assessor when you are planning…
The latest information about how to become a CMMC auditor or certifier. Registrations are open for assessors, C3PAOs, and CMMC practitioners…
Will CMMC assessors stick to just the CMMC requirements, or will they also review your compliance with CUI-specified handling and other regulations?
CMMC Level 3 wants procedures, AKA the 998 requirements, but what does that actually mean? And what is necessary to pass?
CMMC news about inheriting cybersecurity from cloud providers, C3PAOs moved to “candidate” status, the next Town Hall meeting, the DFARS Final Rule coming out in May…
This article is a deep-dive on CMMC practice SC.1.175 which requires control and monitoring of communications at external boundaries and…
Interview with Jeff Dalton (CMMC-AB) about CMMC assessments. Who is authorized to perform assessments? When should you do a pre-assessment? Can you fix issues found during an assessment?
CMMC news for January 5, 2021. C3PAOs need FedRAMP High clouds. Assessment Guides > Appendixes. Congress mandates CMMC assessments against…
If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be…
This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each…
This page is an index of LinkedIn discussions and posts about CMMC and 800-171. It will be updated over time with new topics.
This interview with Regan Edens (CMMC-AB Chairman of the Standards Management Committee) clarifies clouds and CMMC, FedRAMP, and DFARS questions for Organizations Seeking Certification (OSCs)
CMMC Registered Practitioner is abbreviated “CMMC RP”. The CMMC RP is a person who specializes in helping companies prepare for the CMMC. The CMMC-AB website is the official source of information about the Registered Practitioner Program. CMMC-AB Registered Practitioner Page…
This article is an in-depth review of the CMMC Level 2 Requirement RM.2.142 on the topic of vulnerability scanning. I break out frequently asked questions and reference other requirements that are related to vulnerability scanning. This requirement also applies to current DFARS 252.204-7012 and NIST SP 800-171 organizations that hold CUI
CMMC and DFARS compliance is too expensive for small businesses. This article describes “easy button” solutions such as a CMMC MSP, using …
In-depth article about CMMC basics such as where it came from, what purpose it is trying to achieve, timeframe for rollout, and…
This article gives advice on how a quality cyber-awareness training program helps your organization meet 19+ CMMC practice requirements
This webinar is published by Carnegie Mellon University’s Software Engineering Institute (SEI), the co-authors of the CMMC Model. Their guidance about the CMMC should be considered authoritative. At CMMC level 2 and above, organizations are expected to have policies…
Author: Tom Cornelius | Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF). Originally published on LinkedIn on October 19, 2020. The concept of creating a “CMMC Kill Chain” started off as a bit of a dare… kind…
This video from Carnegie Mellon Software Engineering Institute (co-authors of the CMMC Model) discusses CMMC Level 4 Maturity. The specific topic is CMMC requirement ML.4.996 “Review and measure [DOMAIN NAME] activities for effectiveness” SEI Blog: https://insights.sei.cmu.edu/sei_blog/cybersecurity-maturity-model-certification-cmmc/
Hello folks, This week’s update is pretty short. The DFARS Interim Rule is still the biggest news. Other topics are the new DoD CUI website, which has great resources for contractors, and word-of-mouth updates on the CMMC-AB’s registered practitioner…
If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule: Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Rules Supplement…
I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience. Thanks to James Newman (a colleague of mine,…
Author: Tom Cornelius | Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF). Originally published on LinkedIn on August 13, 2020. This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended…
*Updated August 13, 2020* CMMC cybersecurity is an “allowable cost” for DoD contractors? “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an ‘allowable cost’ in DoD contracts.” “The…
The Cybersecurity Maturity Model Certification references “FCI”. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated for the Government under a…
Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience on these topics, the article may not make much sense to…
Hello all, The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a ‘registered practitioner’ or…
These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB; I am just providing these notes as a service to the community. Please watch the webinar…
The CMMC version 1.0 has the following security requirement. CMMC Personnel Security (PS) PS.2.127 (Level 2): “Screen individuals prior to authorizing access to organizational systems containing CUI.” This is a Level 2 requirement. There are no level 3, 4, or…