old.reddit.com /r/CMMC/.rss
CMMC
Atom Feed
Turns out that the guy on the House Oversight Committee isn't actually opposed to the regulation that would help stop cyber fraud in defense contracting (witting or unwitting).
Turns out that Palmer's many, many disapproval resolutions are a reflection of his legal philosophy about the degree to which Congress delegates rulemaking authority to executive branch agencies.
Turns out, like it always has, that people jump to conclusions fueled by intense confirmation bias at the drop of a hat.
Overturning Chevron Deference won't kill CMMC. Palmer's resolution won't kill CMMC. Trump 2.0 won't kill CMMC.
If people spent half as much energy on complying with DFARS 7012 as they do grasping for straws, we might not be in a situation justifying CMMC in the first place.
Here's an entire podcast on Palmer's Resolution: https://youtu.be/gziOAEBZTiA?si=H2SLD0FX8J4C9Qe3
"DoD's contract with the CMMC AB assigns responsibility for Level 2 assessment interpretation to the CMMC Accreditation Body"
Is the government seriously going to allow a non-government entity to interpret guidelines used to determine if government information is being protected? Where is the accountability?
When I look at this organization, it doesn't seem to jibe with the way our government operates. Is there any reason another organization could not create a CMMC-related certification and enter into an MOU with the DoD? I'm thinking ISACA?
I'm thinking of an organization that would charge reasonable certification maintenance fees and open up the avenues and methods to receive training.
From my experience in government, I'm pretty sure the DCMA would assess a C3PAO for any accreditation body.
I may get some blowback from those that have paid outrageous fees for training and certs thinking CMMC-AB is the sole source forever, but I don't think government contracting works that way.
This is going to be unpopular.
The U.S. Government should be paying for any CMMC audits/certifications of SMBs under a certain size directly. The C3PAOs should bill the govt not the SMB. Otherwise, the govt is lying about wanting SMBs to provide services.
The cost projections that the govt has put forward highlight the fact that many small businesses won't be able to afford CMMC. The government could already be looking at the overhead rates and determining which ones aren't spending enough on security. They have overhead rate information since it's already required. The govt could provide a warning notice that SMBs will lose their existing contracts and not be eligible going forward. They could go ahead and estimate how much money the SMBs need to be making to break even. If someone is working at a loss, the business can state that upfront.
Also, the govt should be paying for MS GCC High, including all of the tools like Defender, Intune, etc., directly. The writing is on the wall. GCC High is the blessed way forward. After listening to the GRC Academy and reading about the Azure use in the DoD, it's pretty obvious that MS has the entire sector under their thumb.
Companies like Google, Preveil, Virtru, etc. are just nipping around the edges providing a piece of the puzzle muddying the waters. Google's GCPW doesn't even work on ARM.
GRC Academy #36 podcast
https://grcacademy.io/podcast/s1-e36-microsoft-365-gcc-high-the-inside-story-with-richard-wakeman/
ProPublica report
https://www.propublica.org/article/microsoft-white-house-offer-cybersecurity-biden-nadella
My company provides organizations a means to securely share CUI via email, as well as a means to share files too large for email. I'm not here to promote my company, so I won't mention our name.
I ask my question above because we get this question asked of us daily, particularly by smaller shops that don’t want to fork out budget for GCC High or similar.
What document storage solutions are folks using, and of course, are you happy with it?
Related, I’m also curious if there’s anyone here that is using Google Workspace, maybe with CSE and Assured Controls to meet this need. If yes, what’s that experience been like?
Thanks in advance for the recommendations.
In a GCC High Azure tenant can a Windows 365 Cloud PC store CUI? Assuming it has all the proper controls set in place from Intune?
At a high level, we are using Azure Virtual Desktop to provide an enclave that can access Preveil. The method of authentication to the AVD is Entra ID (with MFA and everything else); we sync accounts from local AD. Would the domain controllers be considered Security Protection Assets, and would that local AD be in scope of the assessment? Would it be better to simply make them CLOUD ONLY accounts? Edit - I also found this which makes me believe the DCs are in scope.
Hi All,
I wanted to float this to see what the community thinks about accounting packages and CMMC. We have an SMB client that is beginning the journey to meet 171/CMMC compliance. One item I can't seem to identify information or a clear path forward on is the Accounting package. This client does have CUI data in house but this does not mean that invoices or accounting related transactions would contain CUI. How are people approaching this?
This client currently has QuickBooks. I have looked for alternatives and the only ones I see are Deltek and Unanet. It does look like MS Dynamics Finance is also an option but the 20 seat minimum makes the annual cost very large for SMB. I'm not sure if I am over thinking this and if QuickBooks can remain and still meet the necessary compliance requirements.
Any feedback or recommendations are appreciated.
Thanks!
Sorry if this is somewhat redundant to the earlier post, but I am starting to have some serious questions about this. I know most people downplayed any chance of the new administration doing anything, but, playing devil's advocate, what would have to happen for CMMC to be essentially canceled under this new administration? I want to sit for the CCP exam next month, and now I am wondering if it is even worth it. I think regardless of what the comments are, I will continue to make sure my company is compliant because there is still 800-171.
With Windows 11 21H2 being the latest FIPS-validated Windows version, but 24H2 being the downloadable version, is anyone holding on to the 21H2 ISO to support their clients? Or are you drawing up POA&Ms for those that have updated?
We (a CDC with ITAR reqs and so on) recently got acquired by a large corporation. This group does not usually handle cases like us, those who handle CUI or higher-classification data. As the integration goes forward, they are asking us to open our firewall for them to perform Rapid7 vuln scans on our network, which will populate info like our IP ranges, computer names, active users, and software lists/versions.
Does anyone know if any of this information counts as CDI/CUI/FCI? We can expect that non-US citizens would be able to see the results of the scans. At the very least, I am concerned about exploits being known by employees that do not work directly for my division, as those can be used to gain access to our CUI.
How compliant does an MSP need to be if my company is going for level 2?
Does anyone use Adobe Acrobat with AI? I was offered the AI feature (for contracts) to get added on my Adobe Acrobat account (about 15 licenses); however, I'm hesitant to add it, simply because I don't want any of my data to be stored somewhere on Adobe's servers by AI. We don't use Adobe Creative Cloud, btw. I was told by an Adobe rep that they don't store any data if I use the AI feature. Has anyone been using it? Or should I stay away?
I.e., if we had an internal website with things like time clocks, holiday bookings, etc. On this internal site is also a folder request tool that all access requests must flow through. Approval is sent to the folder owner; IT actions it.
This would be roughly the procedure for a permission change, but if that internal website is not defined in my CUI enclave scope, should I even be defining it? Would this cause an assessor to want to consider the internal website as part of an assessment? Would I then need to classify it as a CRMA within the SSP?
I guess what I'm asking is where do you draw the line for an environment definition?
Hello,
I'm curious about the requirements for US citizens and what that means with the Enclave.
Our company is planning to switch to MSFT GCC from our commercial tenant. We also have users across the world. We do not expect any sort of CUI in our environment but are required to get certified as some customers require a CMMC environment for the security services that we provide.
Our security services include SaaS tools that feed into a SOAR for SOC services. The SaaS services and SOAR will be locked down to US resources only. Does this mean we can set up a MSFT GCC tenant to house all users?
Thank you for any sort of help!
I've been given the task of finding an IT ticketing application/tool that is CMMC compliant and am having a time of it. Does anyone know of one that I can research?
For example, a prime has a contract with the DoD for some missiles. The prime has a proprietary drawing for something simple like a washer or an o-ring; the drawing says "proprietary to Prime Company" and is sent to us along with a purchase order. Is this drawing considered CUI as it's a supporting document/data for this contract? If not, is there ever a way for the prime's information to become CUI, or is CUI only for government information?
For those of you who don't think that a Trump presidency can change the course of CMMC, it most certainly can. Through the removal of the Chevron Doctrine, which is in direct line with his push to consolidate power. Its removal takes away the stick approach of the carrot and stick. It gives the judiciary more scrutiny of CMMC regulations, and if they spot irregularities they may not side with DoD interpretations. As other CMMC leaders have pointed out, it is not a good idea to move away from domain expertise in general. Hopefully the final rule removes any doubt and ambiguity that can be leveraged by those that want to play dirty.
(Cross-posted with r/NISTControls.)
Hi, folks. Looking for some advice.
Assume that the strategy for protecting CUI at rest on laptops is BitLocker (FIPS compliant, of course).
Would an auditor inquire or care as to whether the WDE password is:
If the last applies--that is, if an auditor is going to ask "How do you KNOW that users aren't using the default BitLocker password?"--do you have a solution for that?
TIA
Is there a site that notes which versions of the CAP, AG & SG will be on the exam I'm taking this week?
I took the Edwards class 1 year ago ... Does anyone know if it's the same versions for the last year?
Thanks in advance.
I have gone through CCP training w/INFOSEC, and have been studying for the CCP exam. I have had a hard time memorizing which DFARS clause 252.204-7xxx does what. Does anyone have any tips?
I figured out a way to remember which domains have Level 1 controls using two "words"... ACIAMP PESCSI. That's the 6 domains that have Level 1 controls... AC, IA, MP, PE, SC & SI. I have not figured out any such trick for the DFARS clauses though. Thanks.
Hello
US manufacturing - CMMC level 1
We have a new CFO who seems very keen on bringing in offshore support. He has worked with people from Pakistan and other offshore locations. The guy he wants us to work with is currently in China. Is there a rule preventing this? I'm trying to find something with no luck.
Hi Folks!
I had heard of the Microsoft Product Placemat for CMMC before, but I didn't really know how to use it.
Justin Orcutt from Microsoft walked through it with me, and I posted that video to YouTube here: How Microsoft's CMMC Product Placemat Helps You Comply with CMMC (youtube.com)
If you haven't heard of it, the Placemat is an interactive Excel doc that shows how Microsoft cloud products meet the NIST 800-171/CMMC requirements.
It provides implementation instructions to meet each CMMC control and also helps users understand their shared responsibility in meeting the controls.
I hope that helps!
Jacob Hill
Hey, sorry guys, I'm confused here. I know that for Level 2 the SPRS calculation goes up to 110, but it seems that Level 3 has more controls, so how would the SPRS calculation work for that? Is there information that I am misunderstanding or missing here? Thank you in advance.