I'm relatively new to this standard as far as trying to understand how to properly implement it. Based on what I've heard and read I'm a bit confused and just looking for some guidance/clarity.

1. As I understand it, to meet FIPS requirements, software, client and server applications as well as any hardware involved (disk encryption on a SAN for example) must all be compliant. Is this correct?
2. If the above is true, i'd assume then that if ANY segment of the configuration is not compliant (e.g. the application is not, but the server, SAN, firewalls, etc all are) that this would lead to the full solution not being compliant?
3. FIPS Validated vs FIPS Compliant. As I understand it, FIPS Compliant indicates we believe the application is compliant, but we have not gone through the process of validating the specific solution. FIPS Validated indicates it's been reviewed fully either specific to your implementation or via the vendors OOTB solution.
4. I've seen mixed messages on this last aspect, but from what I gather, this standard enforces data protections "at rest" and "in transit". If you are not validating against both, then the solution would not technically be compliant with the standard.

I think that's it, hopefully the above makes sense. Ultimately, what i'm looking for confirmation on is if I were to take a non-compliant off the shelf product, is there anyway I can host it and result in us being able to make it FIPS compliant (e.g. putting it behind a FIPS approved load balancer/firewall, encrypt with hardware SAN encryption, running on a FIPS compliant window server). To me, this seems to not be possible, but i'm not able to find a clear answer on this.

Thanks!

Good Morning fellow IA / Cyber Sec Pros,

​

Anyways enough with the formalities. I am having trouble signing up for this dumb training. I took this class many a year ago and have not retained my certificate for it, thus can not just take the BGP exam to get re-certified. I have looked all over the cyber.mil catalog and can not find anywhere to sign up for this thing. Any alternate avenues to complete this or suggestions would be appreciated. Thank you very much for your time.

I am looking over the worksheets that FedRAMP has given to do control selections for Annual Assessments. The old one...the one from 2018...is still out on their Documents and Templates page..it's called Annual Assessment Controls Selection Worksheet. There is a new one provided now called FedRAMP rev 4 to rev 5 Assessment Controls Selection Template. I am trying to figure out if FedRAMP has added new CORE controls that are tested every year. From the FedRAMP rev 4 to rev 5 Assessment Controls Selection Template, it looks like they have. But I am not sure if I am interpreting it correctly. Anyone have a clear answer on this?

Hey, r/CMMC community! 🌐

I'm curious about the rules and regulations surrounding access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), I've heard varying information, and I'm wondering if non-U.S. citizens are allowed to access such data.

Scenario: The parent company is in Canada, and the subsidiary company is located and operating from the USA, supplying network equipment DoD. Is it allowed for non-U.S. citizens can process the purchase order, build software applications, and install equipment at the site(DoD) location?

Does anyone have insights or experiences to share on this topic? Any relevant laws or policies I should be aware of? Thanks in advance for your input! 🤔🌎 #FederalContract #CUI #Regulations

Thanks

Hi all,

My state org. is looking at adopting various provisions of 800-171 to comply with new mandates. Does anybody have a cheat sheet of applicable NIST docs that outline best practices? I.e. for the access control family look at NIST Pub 800-XYZ, for data destruction look at NIST Pub 800-ABC? Thanks!

Basically, I'm tasked with setting up a CMMC 2.0 L2 compliant Azure environment. I'm expecting there to be a good amount of controls/practices that are managed by and inherited from Microsoft. Essentially, I just need the control implementation summary or the customer responsibility matrix with artifacts/evidence so I can show it to an assessor and document it in our policies/SSP.

Anyone know where to get that for Azure commercial and/or GCC High? Is there a place I can access it in Azure or do I have to ask an MS rep or what? Thanks!

Is there a formal process to become certified to conduct NIST 800-171 audits?

I've been told by our POC that our CUI will eventually be marked as CUI//OPSEC//FEDCON. The TCAQ helpdesk told me that our cloud services used in performance of the contract must be FedRAMP Moderate, with no mention of GCC. We only provide a "commercial service" to the DoD, and this doesn't involve any manufacturing, coding, production, munitions (including encryption), providing cloud services, or such.

Our contract also states "Compliance with NIST SP 800-171 measures is required at the prime contractor level and does not apply to subcontractors and other entities that the prime contractor engages with in order to meet the requirements of this contract."

Putting all of this together would seem to indicate that we do not need GCC, as we do not fall under ITAR. I will be asking our POC soon, but would like some feedback from non-DoD people. I have already confirmed (directly from the DoD) that this contract does NOT fall under 252.239-7010 Cloud Computing Services, although this wasn't via our actual POC but from the TCAQ help desk.

Hey gang, could use a sounding board. I'm a QA guy, not IT or security, but have been pushed to implement CMMC 2.0 at my new job. Small business, maybe 25-30 people, all local network with only 1 laptop on VPN (that I will deal with later). Cost and Culture are big factors in what I can try to implement, and I'm trying to understand what is required without much guidance. So, I had a thought today, and wanted to try it on you guys. Please tell me if it's ridiculous outright, or if it just has holes in it. We need to solve our data encryption, MFA, and mobile data media issues. I know it's not perfect, but I hope that it's workable. We are definitely installing CCTV cameras on all entrances, and badge-entry on doors, and securing fences/gates. However, we are working on securing the interior and databases. I've been working on utilizing Bitlocker to at least get us up and running for encryption, but we don't have any TPMs on the computers, as they are mostly home-build types, not office models. So, rather than using passwords for Bitlocker, since we are still using those for log-ins on desktops, I thought I might be able to use the other options.

My hope was, if I ordered some bulk USB drives:

1. Format all USB drives, to remove any data/potential malware
2. Use partitions in each USB drive to store a user's encryption key, and log each device as issued to a specific user, as well as print the encryption keys to go to the ISSO/ISSM if we need to recover the device
3. Each user would use the USB as the encryption key for MFA (something they have), and still use a password to log into the device (something they know), while we work to get away from passwords
4. These USB drives would also be able to move CUI on approved devices, and would force a session lock/sign-out when they take the drive to another location to move the CUI, as the encryption key for the device they are leaving

These USB drives can also have encryption to-go, plus we could have some larger SSD drives for bigger files on the log. My instincts tell me there are so many reasons why this can't work, but I need other eyes to tell me what, exactly.

​

Appreciate any help you all can give me!

​

Sorry if this is not the right place for this question because its note really related to CMMC. We are expecting a DFARS flow down to implement "PDNS" (protected DNS) an all systems to protect all CDI.

We are planning on incorporating the DoD PDNS services that supply this service, but the question came up if AWS's Route 53 Resolver DNS Firewall should also meet this requirement. Any opinions/advice on this subject?

How do you approach this?

The project that I am on wants me to mark data labels (ex. public, internal, PII, etc.) for the database tables within the application. This is new territory for me, outside of the traditional assessors skillset to implement this. A couple of questions:

1. Is this a common practice in security programs to do this, and if so, what is the purpose and why? Are we going in the right direction or there is no need to do this.
2. The data labeling the table exercise apparently cannot all be completed at the same time since we are in the agile app lifecyle, where there are changes that take place that make it hard to do have a complete the data label exercise for the tables to be compelte. Not sure if it is because the application team didn't want to give us the data definitions of the data tables.

Please give me your wisdom. I am a bit stumped.

​