old.reddit.com /r/CMMC/.rss
CMMC
Atom Feed
Hi all, hopefully someone can help me learn a little bit more about some of these compliance standards and what we might actually need.
For some background. My company sells a cloud hosted software solution that we host in Azure. We have a commercial Azure tenant where the majority of our customers' applications are hosted. The commercial cloud platform is SOC2 certified.
We were able to get access to a GCC High Azure Gov Cloud Tenant since we had several customers refusing to go hosted unless we were in Gov Cloud. We have met that requirement but are now continually being asked about FedRAMP compliance and/or CMMC.
Truthfully I am not sure which one we would need, if we can even afford the compliance certification process, or if I could feasibly even get this set up. We are a small company, and I am basically it when it comes to IT. I have all of my normal duties on top of getting controls put in place for one of these compliance standards.
We are not a gov entity. We just sell an application that is appealing for several of our customers who do contract out w/ the gov or have a product that ends up in the defense pipeline.
There are many proposal writing companies based in countries like India that provide proposal writing services to government contractors in the US, including those that work with the DoD, will CMMC impact them or their business in any way?
Mind you, these are not subcontractors on their contracts with the government, but simply companies that help create technical responses to RFPs on behalf of the contractor as consultants and knowledge workers.
What do you think?
While discussing CMMC with a co-worker recently, they were under the impression that an organization with a single CAGE code can only have one CMMC assessment/authorization. Meaning, he insisted you can't have multiple systems scoped/assessed separately under one CAGE code, it has to be done all together in scope and submitted that way. That doesn't make much sense to me, so thought I'd ask some of you CMMC gurus if you've seen anything in the rule that would provide clarity on this. Thanks!
Ok so I am a contractor for a DoD facility and we will be CMMC L2. I maintain the entire IT infrastructure as if I was employed as the IT Admin but I am a contractor, for personal reasons I do not wish to be W2 which they are fine with. I don’t use any personal equipment, I issue myself Intune managed equipment and I follow all of the policy and procedure that I have implemented per the NIST 800-171. I work no differently than as if I was employed as the admin and issue myself physical access and network access accounts that are audited like everyone else and I am physically at the facility and do not access anything that is not by managed equipment. I am literally the one writing the policies.
Now my question and concern is per the new CMMC Rule would I be considered an MSP or can I maintain my status as a contractor and not have to conduct my own CMMC certification as an MSP?
( if I need to clarify anything better to help answer this question let me know )
Happy to be done with it and move on to becoming a C3PAO. Personally over prepared for the assessment and ended a day early with a perfect score. One interesting part was that I had to change my company address in SAM to my actual physical address instead of a virtual address (typically used for privacy purposes when having an address for your business online but typically reflects an actual physical location, you just don't work from there and only use the address) because it had to match where I actually was working from and apparently they have to visit your HQ. As a result, they said they had to come to my home for assessment of the physical controls and other stuff like admin MFA with no Internet connection. Was fine with me because I implemented all of the physical controls for my home office. Be careful if you use a virtual address or somewhere that you actually aren't, because they might just have to show up to your address as listed. From what I've heard, assessments can be different based on your group of assessors so maybe others won't have to deal with it, but who knows.
Feel free to ask questions. Biggest thing was having documentation clear and available before the assessment and also understanding exactly which consoles to pull up for what requirements. Like I said I over prepared by essentially taking notes for what I'd show for each objective 😅 I run a fully remote firm so maybe this post relates to others out there.
I've heard in the past that Azure Virtual Desktop has benefits in an environment and makes it easier to keep up with the NIST and CMMC controls, but I have yet to find any reasoning for that. Anyone have any insight into how using AVD could have better security than issuing laptops that are controlled by Intune and GPOs?
I am working at a very small DoD subcontracting company with 13 employees, only 5 of which work out of our office. I am curious how hardcore I need to go with our security to pass the CMMC audit.
The office has a compact layout with one main door in the center and a second door on the other side that open up to 5 tight rooms. It is located in a medium-sized building with 10ish other small businesses. There is a server closet, and we store barely any physical documents.
3.10.1, Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Is it enough to have a code lock on the doors? We have a key lock on the server room and locked file cabinets in case we would ever have physical CUI documents.
3.10.2, Protect and monitor the physical facility and support infrastructure for organizational systems.
The company that we rent our office from has almost no security. During business hours it is fully open with no one watching the doors. I assume we need cameras watching our two doors from the outside but do we also need anything inside?
3.10.3, Escort visitors and monitor visitor activity.
We never have visitors but I will write up a policy for how to handle it (including escorting and monitoring).
3.10.4, Maintain audit logs of physical access.
Because we use a code lock and not any sort of badge, this may be a problem. Will we need to switch to some sort of lock that can track who gains access?
3.10.5, Control and manage physical access devices.
This I am unsure on. I assume that if we would switch to badges that this would then apply to keeping track of those badges and who has them but if we do not then would this all be "Not Applicable"?
3.10.6, Enforce safeguarding measures for CUI at alternate work sites.
I am also unsure on this. Most of our employees currently do work offsite at large companies like NASA and Boeing. Would this requirement be met by pointing to the security practices of those companies?
Thank you so much if anyone was willing to read through all of this and provide me with any amount of guidance.
We receive blueprints / drawings from one of our customers that has this text on it:
"WARNING - This document could contain information whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) [or the Export Administration Act of 1979 (Title 50, U.S.C., App 2401 et seq.), as amended].
Violations of these export laws are subject to severe criminal penalties."
To me that screams "CUI", but at what designation? ITAR? EAR?
The customer is sending this to us as a physical print, not the digital copy. What I am trying to figure out is if I am sufficient with still going towards my CMMC L2 compliance, or if I need to step things up for ITAR compliance.
With all the talk of killing programs and cutting regulation, anyone have thoughts on the potential impact to CMMC?
Hey everyone, do I need to enable Idle Session Timeout on Microsoft 365 to be compliant with this?
Turns out that the guy on the House Oversight Committee isn't actually opposed to the regulation that would help stop cyber fraud in defense contracting (witting or unwitting).
Turns out that Palmer's many, many disapproval resolutions are a reflection of his legal philosophy about the degree to which Congress delegates rulemaking authority to executive branch agencies.
Turns out, like it always has, that people jump to conclusions fueled by intense confirmation bias at the drop of a hat.
Overturning Chevron Deference won't kill CMMC. Palmer's resolution won't kill CMMC. Trump 2.0 won't kill CMMC.
If people spent half as much energy on complying with DFARS 7012 as they do grasping for straws we might not be in a situation justifying CMMC in the first place.
Here's an entire podcast on Palmer's Resolution: https://youtu.be/gziOAEBZTiA?si=H2SLD0FX8J4C9Qe3
"DoD's contract with the CMMC AB assigned places responsibility for Level 2 assessment interpretation to the CMMC Accreditation Body"
Is the government seriously going to allow a non-government entity to interpret guidelines used to determine if government information is being protected? Where is the accountability?
When I look at this organization, it doesn't seem to jibe with the way our government operates. Is there any reason another organization could not create a CMMC related certification and enter into an MOU with the DOD? I'm thinking ISACA?
I'm thinking of an organization that would charge reasonable certification maintenance fees and open up the avenues and methods to receive training.
From my experience in government, I'm pretty sure the DCMA would assess a C3PAO for any accreditation body.
I may get some blow back from those that have paid outrageous fees for training and certs thinking CMMC-AB is the sole source forever but I don't think government contracting works that way.
This is going to be unpopular.
The U.S. Government should be paying for any CMMC audits/certifications of SMBs under a certain size directly. The C3PAOs should bill the govt not the SMB. Otherwise, the govt is lying about wanting SMBs to provide services.
The cost projections that the govt has put forward highlight the fact that many small businesses won't be able to afford CMMC. The government could already be looking at the overhead rates and determine which ones aren't spending enough on the security. They have overhead rate information since it's already required. The govt could provide a warning notice that SMBs will lose their existing contracts and not be eligible going forward. They could go ahead and estimate how much money that the SMBs need to be making to break even. If someone is working at a loss, the business can state that upfront.
Also, the govt should be paying for MS GCC High including all of the tools like defender, intune, etc directly. The writing is on the wall. GCC High is the blessed way forward. After listening to the GRC Academy and reading about the Azure use in the DoD, it's pretty obvious that MS has the entire sector under their thumb.
Companies like Google, Preveil, Virtru, etc. are just nipping around the edges providing a piece of the puzzle muddying the waters. Google's GCPW doesn't even work on ARM.
GRC Academy #36 podcast
https://grcacademy.io/podcast/s1-e36-microsoft-365-gcc-high-the-inside-story-with-richard-wakeman/
ProPublica report
https://www.propublica.org/article/microsoft-white-house-offer-cybersecurity-biden-nadella
My company provides organizations a means to securely share CUI via email, as well as a means to share files too large for email, too. I’m not here to promote my company, so I won’t mention our name.
I ask my question above because we get this question asked of us daily, particularly by smaller shops that don’t want to fork out budget for GCC High or similar.
What document storage solutions are folks using, and of course, are you happy with it?
Related, I’m also curious if there’s anyone here that is using Google Workspace, maybe with CSE and Assured Controls to meet this need. If yes, what’s that experience been like?
Thanks in advance for the recommendations.
In a GCC High Azure tenant can a Windows 365 Cloud PC store CUI? Assuming it has all the proper controls set in place from Intune?
At a high level, we are using Azure Virtual Desktop to provide an enclave that can access Preveil - the method of authentication to the AVD is Entra ID (with MFA and everything else) - we sync accounts from local AD. Would the domain controllers be considered Security Protection Assets and would that local AD be in scope of the assessment? Would it be better to simply make them CLOUD ONLY accounts? Edit - I also found this which makes me believe the DC's are in scope.
Hi All,
I wanted to float this to see what the community thinks about accounting packages and CMMC. We have an SMB client that is beginning the journey to meet 171/CMMC compliance. One item I can't seem to identify information or a clear path forward on is the Accounting package. This client does have CUI data in house but this does not mean that invoices or accounting related transactions would contain CUI. How are people approaching this?
This client currently has QuickBooks. I have looked for alternatives and the only ones I see are Deltek and Unanet. It does look like MS Dynamics Finance is also an option but the 20 seat minimum makes the annual cost very large for SMB. I'm not sure if I am over thinking this and if QuickBooks can remain and still meet the necessary compliance requirements.
Any feedback or recommendations are appreciated.
Thanks!
Sorry if this is somewhat redundant to the earlier post but I am starting to have some serious questions about this. I know most people downplayed any chance of the new administration doing anything, but, playing Devil's Advocate, what would have to happen for CMMC to be essentially canceled under this new administration? I want to sit for the CCP exam next month, and now I am wondering if it is even worth it. I think regardless of what the comments are, I will continue to make sure my company is compliant because there is still 800-171.
With Windows 11 21H2 being the latest FIPS-validated Windows version, but 24H2 being the downloadable version, is anyone holding on to the 21H2 ISO to support their clients? Or are you drawing up POA&Ms for those that have updated?
We (a CDC with ITAR reqs and so on) recently got acquired by a large corporation. This group does not usually handle cases like us, those who handle CUI or higher-classification data. As the integration goes forward, they are asking us to open our firewall for them to perform Rapid7 vuln scans on our network, which will populate info like our IP ranges, computer names, active users, and software lists/versions.
Does anyone know if any of this information counts as CDI/CUI/FCI? We can expect that non-US citizens would be able to see the results of the scans. At the very least, I am concerned about exploits being known by employees that do not work directly for my division, as those can be used to gain access to our CUI.
How compliant does an MSP need to be if my company is going for level 2?
Does anyone use Adobe Acrobat with AI? I was offered the AI feature (for contracts) to get added on my Adobe Acrobat account (about 15 licenses), however, I'm hesitant to add it. Simply because I don't want any of my data to be stored somewhere on Adobe's servers by AI. We don't use Adobe Creative Cloud btw. I was told by an Adobe rep that they don't store any data if I use the AI feature. Has anyone been using it? Or should I stay away?
I.e. if we had an internal website with things like time clocks, holiday bookings etc. On this internal site is also a folder request tool that all access requests must flow through. Approval is sent to the folder owner, IT actions.
This would be roughly the procedure for permission change, but if that internal website is not defined in my CUI enclave scope, should I even be defining it? Would this cause an assessor to want to consider the internal website as part of an assessment? Would I then need to classify it as a CRMA within the SSP?
I guess what I'm asking is where do you draw the line for an environment definition?