CMMC Rule links to text (with December 26 content)!

Here are links to the text of the CMMC Proposed Rule: 32 CFR (CMMC Program) Downloadable PDF of Federal Register text (this version has page numbers): https://public-inspection.federalregister.gov/2023-27280.pdf Federal Register home page for CMMC and comments: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program Docket Information (the rule Read More

Why so few Defense contractors are compliant

๐‡๐จ๐ฐ ๐ฅ๐จ๐ง๐  ๐๐จ๐ž๐ฌ ๐ข๐ญ ๐ญ๐š๐ค๐ž ๐š ๐œ๐จ๐ฆ๐ฉ๐š๐ง๐ฒ ๐ญ๐จ ๐ ๐จ ๐›๐š๐ง๐ค๐ซ๐ฎ๐ฉ๐ญ ๐ข๐ญ ๐ฐ๐ก๐ž๐ง ๐œ๐š๐ง’๐ญ ๐ฐ๐ข๐ง ๐ฐ๐จ๐ซ๐ค? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Read More

Podcast – increasing the likelihood of passing CMMC assessments

This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status Read More

3.13.11 FIPS 140-2 Validated Cryptography

It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. ๐Ÿ˜ฑ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐…๐ˆ๐๐’ 140-2 ๐•๐š๐ฅ๐ข๐๐š๐ญ๐ž๐ ๐Œ๐จ๐๐ฎ๐ฅ๐ž๐ฌ ๐Ÿ’ฅ ๐Ÿ’ฅ ๐Ÿ˜ฑ Listen up – I’m going to tell you how to succeed Read More

3.5.3 Multifactor Authentication

Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. ๐”๐ฌ๐ž ๐ฆ๐ฎ๐ฅ๐ญ๐ข๐Ÿ๐š๐œ๐ญ๐จ๐ซ ๐š๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐Ÿ๐จ๐ซ ๐ฅ๐จ๐œ๐š๐ฅ ๐š๐ง๐ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ ๐š๐ง๐ ๐Ÿ๐จ๐ซ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ง๐จ๐ง-๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ. My theory is that most of Read More

What are Spot Checks for?

๐‚๐Œ๐Œ๐‚ ๐€๐ฌ๐ฌ๐ž๐ฌ๐ฌ๐ฆ๐ž๐ง๐ญ ๐’๐ฉ๐จ๐ญ ๐‚๐ก๐ž๐œ๐ค๐ฌ “๐˜๐˜ง ๐˜ค๐˜ฐ๐˜ฏ๐˜ต๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ฐ๐˜ณ’๐˜ด ๐˜ณ๐˜ช๐˜ด๐˜ฌ-๐˜ฃ๐˜ข๐˜ด๐˜ฆ๐˜ฅ ๐˜ด๐˜ฆ๐˜ค๐˜ถ๐˜ณ๐˜ช๐˜ต๐˜บ ๐˜ฑ๐˜ฐ๐˜ญ๐˜ช๐˜ค๐˜ช๐˜ฆ๐˜ด, ๐˜ฑ๐˜ณ๐˜ฐ๐˜ค๐˜ฆ๐˜ฅ๐˜ถ๐˜ณ๐˜ฆ๐˜ด, ๐˜ข๐˜ฏ๐˜ฅ ๐˜ฑ๐˜ณ๐˜ข๐˜ค๐˜ต๐˜ช๐˜ค๐˜ฆ๐˜ด ๐˜ฅ๐˜ฐ๐˜ค๐˜ถ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฐ๐˜ณ ๐˜ฐ๐˜ต๐˜ฉ๐˜ฆ๐˜ณ ๐˜ง๐˜ช๐˜ฏ๐˜ฅ๐˜ช๐˜ฏ๐˜จ๐˜ด ๐˜ณ๐˜ข๐˜ช๐˜ด๐˜ฆ ๐˜ฒ๐˜ถ๐˜ฆ๐˜ด๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ด ๐˜ข๐˜ฃ๐˜ฐ๐˜ถ๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜ด๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ต๐˜ด, ๐˜ต๐˜ฉ๐˜ฆ ๐˜ข๐˜ด๐˜ด๐˜ฆ๐˜ด๐˜ด๐˜ฐ๐˜ณ ๐˜ค๐˜ข๐˜ฏ ๐˜ค๐˜ฐ๐˜ฏ๐˜ฅ๐˜ถ๐˜ค๐˜ต ๐˜ข ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ ๐˜ต๐˜ฐ ๐˜ช๐˜ฅ๐˜ฆ๐˜ฏ๐˜ต๐˜ช๐˜ง๐˜บ ๐˜ณ๐˜ช๐˜ด๐˜ฌ๐˜ด. ๐˜›๐˜ฉ๐˜ฆ ๐˜ญ๐˜ช๐˜ฎ๐˜ช๐˜ต๐˜ฆ๐˜ฅ ๐˜ด๐˜ฑ๐˜ฐ๐˜ต ๐˜ค๐˜ฉ๐˜ฆ๐˜ค๐˜ฌ(๐˜ด) ๐˜ด๐˜ฉ๐˜ข๐˜ญ๐˜ญ ๐˜ฏ๐˜ฐ๐˜ต ๐˜ฎ๐˜ข๐˜ต๐˜ฆ๐˜ณ๐˜ช๐˜ข๐˜ญ๐˜ญ๐˜บ ๐˜ช๐˜ฏ๐˜ค๐˜ณ๐˜ฆ๐˜ข๐˜ด๐˜ฆ ๐˜ต๐˜ฉ๐˜ฆ Read More

3.14.1 Identify, report, correct system flaws

Continuing the Top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC. “๐ˆ๐๐ž๐ง๐ญ๐ข๐Ÿ๐ฒ, ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ, ๐š๐ง๐ ๐œ๐จ๐ซ๐ซ๐ž๐œ๐ญ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ข๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ ๐Ÿ๐ฅ๐š๐ฐ๐ฌ ๐ข๐ง ๐š ๐ญ๐ข๐ฆ๐ž๐ฅ๐ฒ ๐ฆ๐š๐ง๐ง๐ž๐ซ.” This is the third most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and Read More

3.11.1 Periodically assess the risk to organizational operations

3.11.1 ๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or Read More

3.11.2 Scan for Vulnerabilities

Scan for vulnerabilities….This the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 ๐’๐œ๐š๐ง ๐Ÿ๐จ๐ซ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐ข๐ง ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐ฉ๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ง๐ ๐ฐ๐ก๐ž๐ง ๐ง๐ž๐ฐ ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐š๐Ÿ๐Ÿ๐ž๐œ๐ญ๐ข๐ง๐  ๐ญ๐ก๐จ๐ฌ๐ž ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ๐ฌ ๐š๐ง๐ ๐š๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐š๐ซ๐ž ๐ข๐๐ž๐ง๐ญ๐ข๐Ÿ๐ข๐ž๐. “๐’๐’“๐’ˆ๐’‚๐’๐’Š๐’›๐’‚๐’•๐’Š๐’๐’๐’‚๐’ ๐’”๐’š๐’”๐’•๐’†๐’Ž๐’””…This is an example of Read More

3.3.4 Audit Logging Process Failure

Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “๐€๐ฅ๐ž๐ซ๐ญ ๐ข๐ง ๐ญ๐ก๐ž ๐ž๐ฏ๐ž๐ง๐ญ ๐จ๐Ÿ ๐š๐ง ๐š๐ฎ๐๐ข๐ญ ๐ฅ๐จ๐ ๐ ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ ๐Ÿ๐š๐ข๐ฅ๐ฎ๐ซ๐ž.” Sit with me while I tell a story… ๐˜ˆ๐˜ฏ ๐˜ฐ๐˜ณ๐˜จ๐˜ข๐˜ฏ๐˜ช๐˜ป๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฅ๐˜ช๐˜ด๐˜ค๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ด ๐˜ต๐˜ฉ๐˜ข๐˜ต ๐˜ต๐˜ฉ๐˜ฆ๐˜บ ๐˜ธ๐˜ฆ๐˜ณ๐˜ฆ ๐˜ฃ๐˜ณ๐˜ฆ๐˜ข๐˜ค๐˜ฉ๐˜ฆ๐˜ฅ ๐˜ฃ๐˜ฆ๐˜ค๐˜ข๐˜ถ๐˜ด๐˜ฆ ๐˜จ๐˜ฐ๐˜ท๐˜ฆ๐˜ณ๐˜ฏ๐˜ฎ๐˜ฆ๐˜ฏ๐˜ต ๐˜ด๐˜ฆ๐˜ค๐˜ณ๐˜ฆ๐˜ต๐˜ด Read More

3.3.5 Correlate Audit Processes

NIST SP 800-171 3.3.5 ๐‚๐จ๐ซ๐ซ๐ž๐ฅ๐š๐ญ๐ž ๐š๐ฎ๐๐ข๐ญ ๐ซ๐ž๐œ๐จ๐ซ๐ ๐ซ๐ž๐ฏ๐ข๐ž๐ฐ, ๐š๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ, ๐š๐ง๐ ๐ซ๐ž๐ฉ๐จ๐ซ๐ญ๐ข๐ง๐  ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ๐ž๐ฌ ๐Ÿ๐จ๐ซ ๐ข๐ง๐ฏ๐ž๐ฌ๐ญ๐ข๐ ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐ญ๐จ ๐ข๐ง๐๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐จ๐Ÿ ๐ฎ๐ง๐ฅ๐š๐ฐ๐Ÿ๐ฎ๐ฅ, ๐ฎ๐ง๐š๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐ž๐, ๐ฌ๐ฎ๐ฌ๐ฉ๐ข๐œ๐ข๐จ๐ฎ๐ฌ, ๐จ๐ซ ๐ฎ๐ง๐ฎ๐ฌ๐ฎ๐š๐ฅ ๐š๐œ๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according Read More

CMMC Scoping for Level 2

This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics discussed in the video are: This content is way more than the CCP course blueprint covers and more in-depth than what is Read More

CMMC Scoping for Level 1

This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics included are: Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC Read More

3.6.3 Test the Organizational Incident Response Capability

This was originally posted on LinkedIn. Check the original post and community discussion here! On to the next requirement! 3.6.3 ๐“๐ž๐ฌ๐ญ ๐ญ๐ก๐ž ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ข๐ง๐œ๐ข๐๐ž๐ง๐ญ ๐ซ๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐œ๐š๐ฉ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ. This is post #5 in my series analyzing the top ten failed / misunderstood Read More

3.4.1 Establish / Maintain Baseline Configurations

This series reviews the top failed (misunderstood) 800-171 andย CMMCย requirements. Originally posted on LinkedIn – check the start of series here for community conversation and thoughts! 3.4.1 ๐„๐ฌ๐ญ๐š๐›๐ฅ๐ข๐ฌ๐ก/๐ฆ๐š๐ข๐ง๐ญ๐š๐ข๐ง ๐›๐š๐ฌ๐ž๐ฅ๐ข๐ง๐ž ๐œ๐จ๐ง๐Ÿ๐ข๐ ๐ฎ๐ซ๐š๐ญ๐ข๐จ๐ง๐ฌ This one is both commonly misunderstood and difficult to implement, even though Read More

When is a FIPS Validated Module required?

This video from Amira Armond and Jillian Wright (both Kieri Solutions Provisional Assessors and Instructors), explains when FIPS 140-2 validated modules are required to be used by CMMC Level 2 / NIST SP 800-171. It also explains when FIPS is Read More

Lessons learned from two (three?) DIBCAC assessments

On behalf of CMMCAudit.org, I’m excited to share this interview withย Jake Williamsย about his lessons learned from two DIBCAC assessments of DFARS 252.204-7012 and NIST SP 800-171 compliance. This video is packed with actionable information about what to expect during assessments. Read More

CMMC-AB Jeff Dalton – the CMMC Assessment Process – Part 1

Interview with Jeff Dalton (CMMC-AB) about CMMC assessments. Who is authorized to perform assessments? When should you do a pre-assessment? Can you fix issues found during an assessment?

CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company.  You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office.  You might be Read More