A Practitioner’s Thoughts On CMMC

Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience with these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which is discussed in the section Reciprocity Considerations. Organizations that need to protect CUI at level 3+ will normally want to segment their contract operations away …

CMMC PS.2.127 Personnel Screening and US Citizen discussion

CMMC version 1.0 includes the following security requirement under Personnel Security (PS): PS.2.127 (Level 2), “Screen individuals prior to authorizing access to organizational systems containing CUI.” This is a Level 2 requirement; there are no Level 3, 4, or 5 requirements for this practice in this version of the CMMC. To clarify this control, the CMMC document reproduces in its appendix (page B.12.2) the discussion from NIST SP 800-171 R2 (3.9.1) for the same security requirement. It recommends evaluating the individual’s “conduct, …

What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references “FCI” in draft version 0.6b. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” (Page 6, CMMC Preface V0.6b 20191107.docx)

Analysis of the term FCI in the CMMC …