By Greg Kent, Senior Vice President, CTO A previous blog discussed the latest guidance from DoD and the Cyber AB in the draft CMMC Assessment Process (CAP) document. Specifically, CSPs need to address both criteria defined in the CMMC CAP: (1) documenting an SSP that attests to the compliance status, describes how the requirement [...]
By Greg Kent, Senior Vice President, CTO DoD contractors using a cloud service provider (CSP) to store, process, or transmit covered defense information (CDI)/controlled unclassified information (CUI) must require and ensure that the CSP meets security requirements equivalent to those within the FedRAMP Moderate baseline. Since DFARS clause 252.204-7012 section (b)(2)(ii)(D) was finalized, many contractors [...]
By Greg Kent, Senior Vice President, CTO CMMC requirements for multifactor authentication (MFA) seems to stump many SMBs. CMMC control IA.L2-3.5.3 requires Federal contractors to "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." But what exactly does this mean? Understanding some NIST terminology is essential [...]
By Connor Payne With CMMC generally consisting of a “follow the data” exercise, DoD contractors often underestimate their reliance on third-party vendors to store, protect, process, or transmit CUI data. Many small and midsize businesses (SMBs) rely heavily on managed service providers (MSPs) and even more refined services such as managed security service providers (MSSPs), [...]
By Connor Payne Inherited controls from a cloud service provider such as Amazon Web Services (AWS) or Microsoft Azure include physical and environmental controls that a customer fully inherits from the provider. In general terms, shared responsibility means that the cloud service provider is responsible for the security of the cloud while the customer is [...]
By Les Buday, Managing Director “Streamlined. Flexible. Secure.” This is the tagline listed on the CMMC website managed by the Office of the Under Secretary of Defense (OUSD) Acquisition & Sustainment (A&S). On this website you can find all of the information regarding the newly redefined Cybersecurity Maturity Model Certification (CMMC) program. More commonly referred to as [...]
By Greg Kent “Follow the CUI.” That is the standard practice that DoD contractors follow to determine exactly what system components and networks are within the scope boundary for Level 3 Cybersecurity Maturity Model Certification (CMMC) compliance. Any system, network, or component that is used to store, process, transmit, or secure CUI should be included [...]
By Josh Griswell One approach that contractors can take in approaching CMMC is including all of their infrastructure within the scope boundary for a CMMC certification. This means that all of the company’s components and devices would have to follow the processes and practices required by CMMC. The larger the company’s environment, the more complex [...]
By Greg Kent The Department of Defense (DoD) recently released changes to DFARS rules for security assessments required for contractors. The CMMC Interim Rule (DFARS Case 2019-D041) requires defense contractors to self-report a score of compliance with 800-171 controls using a specified scoring methodology. Results of these assessments will be posted on the Supplier Performance [...]
By Greg Kent Fall will be here before you know it, so now is a good time for DoD contractors to review their business development and contract strategy for the coming year. With CMMC being required for bidding on new contracts towards the end of 2020, there are big changes on the horizon. Once the [...]
