old.reddit.com /r/CMMC/.rss
CMMC
Atom Feed

We receive blueprints / drawings from one of our customers that has this text on it:

"WARNING - This document could contain information whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) [or the Export Administration Act of 1979 (Title 50, U.S.C., App 2401 et seq.), as amended].

Violations of these export laws are subject to severe criminal penalties."

To me that screams "CUI", but at what designation? ITAR? EAR?

The customer is sending this to us as a physical print, not the digital copy. What I am trying to figure out is if I am sufficient with still going towards my CMMC L2 compliance, or if I need to step things up for ITAR compliance.

submitted by /u/NonCompliantCMMC

With all the talk of killing programs and cutting regulation, anyone have thoughts on the potential impact to CMMC?

submitted by /u/ZeroGap-Eddie

Hey everyone, do I need to enable Idle Session Timeout on Microsoft 365 to be compliant with this?

submitted by /u/Professional_Ad_4035

Turns out that the guy on the House Oversight Committee isn't actually opposed to the regulation that would help stop cyber fraud in defense contracting (witting or unwitting).

Turns out that Palmer's many, many disapproval resolutions are a reflection of his legal philosophy about the degree to which Congress delegates rulemaking authority to executive branch agencies.

Turns out, like it always has, that people jump to conclusions fueled by intense confirmation bias at the drop of a hat.

Overturning Chevron Deference won't kill CMMC. Palmer's resolution won't kill CMMC. Trump 2.0 won't kill CMMC.

If people spent half as much energy on complying with DFARS 7012 as they do grasping for straws we might not be in a situation justifying CMMC in the first place.

Here's an entire podcast on Palmer's Resolution: https://youtu.be/gziOAEBZTiA?si=H2SLD0FX8J4C9Qe3

submitted by /u/DFARSDidNothingWrong

"DoD's contract with the CMMC AB assigned places responsibility for Level 2 assessment interpretation to the CMMC Accreditation Body"

Is the government seriously going to allow a non-government entity to interpret guidelines used to determine if government information is being protected? Where is the accountability?

submitted by /u/Successful-Escape-74

When I look at this organization, it doesn't seem to jibe with the way our government operates. Is there any reason another organization could not create a CMMC-related certification and enter into an MOU with the DOD? I'm thinking ISACA?

I'm thinking of an organization that would charge reasonable certification maintenance fees and open up the avenues and methods to receive training.

From my experience in government, I'm pretty sure the DCMA would assess a C3PAO for any accreditation body.

I may get some blowback from those that have paid outrageous fees for training and certs thinking CMMC-AB is the sole source forever, but I don't think government contracting works that way.

submitted by /u/Successful-Escape-74

This is going to be unpopular.

The U.S. Government should be paying for any CMMC audits/certifications of SMBs under a certain size directly. The C3PAOs should bill the govt not the SMB. Otherwise, the govt is lying about wanting SMBs to provide services.

The cost projections that the govt has put forward highlight the fact that many small businesses won't be able to afford CMMC. The government could already be looking at the overhead rates and determine which ones aren't spending enough on security. They have overhead rate information since it's already required. The govt could provide a warning notice that SMBs will lose their existing contracts and not be eligible going forward. They could go ahead and estimate how much money the SMBs need to be making to break even. If someone is working at a loss, the business can state that upfront.

Also, the govt should be paying for MS GCC High, including all of the tools like Defender, Intune, etc., directly. The writing is on the wall. GCC High is the blessed way forward. After listening to the GRC Academy and reading about the Azure use in the DoD, it's pretty obvious that MS has the entire sector under their thumb.

Companies like Google, Preveil, Virtru, etc. are just nipping around the edges providing a piece of the puzzle muddying the waters. Google's GCPW doesn't even work on ARM.

GRC Academy #36 podcast
https://grcacademy.io/podcast/s1-e36-microsoft-365-gcc-high-the-inside-story-with-richard-wakeman/

ProPublica report
https://www.propublica.org/article/microsoft-white-house-offer-cybersecurity-biden-nadella

submitted by /u/cmmcpain

My company provides organizations a means to securely share CUI via email, as well as a means to share files too large for email. I’m not here to promote my company, so I won’t mention our name.

I ask my question above because we get this question asked of us daily, particularly by smaller shops that don’t want to fork out budget for GCC High or similar.

What document storage solutions are folks using, and of course, are you happy with it?

Related, I’m also curious if there’s anyone here that is using Google Workspace, maybe with CSE and Assured Controls to meet this need. If yes, what’s that experience been like?

Thanks in advance for the recommendations.

submitted by /u/mmorps

In a GCC High Azure tenant can a Windows 365 Cloud PC store CUI? Assuming it has all the proper controls set in place from Intune?

submitted by /u/slint01

ambiguity on Security Protection Assets

At a high level, we are using Azure Virtual Desktop to provide an enclave that can access Preveil - the method of authentication to the AVD is Entra ID (with MFA and everything else) - we sync accounts from local AD. Would the domain controllers be considered Security Protection Assets and would that local AD be in scope of the assessment? Would it be better to simply make them CLOUD ONLY accounts?

https://preview.redd.it/qmmby08s8x1e1.png?width=733&format=png&auto=webp&s=100c3855227811c5943b6977fd42475f32d4fd0b

Edit - I also found this, which makes me believe the DCs are in scope.

https://preview.redd.it/a2whhsgjix1e1.png?width=681&format=png&auto=webp&s=6be17dc98c50904e42402b38c91f8016feabed2a

submitted by /u/Adminvb2929

Hi All,

I wanted to float this to see what the community thinks about accounting packages and CMMC. We have an SMB client that is beginning the journey to meet 171/CMMC compliance. One item I can't seem to identify information or a clear path forward on is the Accounting package. This client does have CUI data in house but this does not mean that invoices or accounting related transactions would contain CUI. How are people approaching this?

This client currently has QuickBooks. I have looked for alternatives and the only ones I see are Deltek and Unanet. It does look like MS Dynamics Finance is also an option, but the 20-seat minimum makes the annual cost very large for an SMB. I'm not sure if I am overthinking this and if QuickBooks can remain and still meet the necessary compliance requirements.

Any feedback or recommendations are appreciated.

Thanks!

submitted by /u/Ikeeptrying-

Sorry if this is somewhat redundant to the earlier post, but I am starting to have some serious questions about this. I know most people downplayed any chance of the new administration doing anything, but, playing Devil's Advocate, what would have to happen for CMMC to be essentially canceled under this new administration? I want to sit for the CCP exam next month, and now I am wondering if it is even worth it. I think regardless of what the comments are, I will continue to make sure my company is compliant because there is still 800-171.

submitted by /u/azjeep

With Windows 11 21H2 being the latest FIPS-validated Windows version, but 24H2 being the downloadable version, is anyone holding on to the 21H2 ISO to support their clients? Or are you drawing up POA&Ms for those that have updated?

submitted by /u/freethepirates1

We (a CDC with ITAR reqs and so on) recently got acquired by a large corporation. This group does not usually handle cases like us, those who handle CUI or higher-classification data. As the integration goes forward, they are asking us to open our firewall for them to perform Rapid7 vuln scans on our network, which will populate info like our IP ranges, computer names, active users, and software lists/versions.

Does anyone know if any of this information counts as CDI/CUI/FCI? We can expect that non-US citizens would be able to see the results of the scans. At the very least, I am concerned about exploits being known by employees that do not work directly for my division, as those can be used to gain access to our CUI.

submitted by /u/Brando230

How compliant does an MSP need to be if my company is going for level 2?

submitted by /u/citrusvon1

Does anyone use Adobe Acrobat with AI? I was offered the AI feature (for contracts) to get added to my Adobe Acrobat account (about 15 licenses); however, I'm hesitant to add it, simply because I don't want any of my data to be stored somewhere on Adobe's servers by AI. We don't use Adobe Creative Cloud, btw. I was told by an Adobe rep that they don't store any data if I use the AI feature. Has anyone been using it? Or should I stay away?

submitted by /u/Big-Studio-7855

I.e., if we had an internal website with things like time clocks, holiday bookings, etc. On this internal site is also a folder request tool that all access requests must flow through. Approval is sent to the folder owner, IT actions it.

This would be roughly the procedure for a permission change, but if that internal website is not defined in my CUI enclave scope, should I even be defining it? Would this cause an assessor to want to consider the internal website as part of an assessment? Would I then need to classify it as a CRMA within the SSP?

I guess what I'm asking is where do you draw the line for an environment definition?

submitted by /u/angrysysadminisangry

Hello,

I'm curious about the requirements for US citizens and what that means with the Enclave.

Our company is planning to switch to MSFT GCC from our commercial tenant. We also have users across the world. We do not expect any sort of CUI in our environment but are required to get certified as some customers require a CMMC environment for the security services that we provide.

Our security services include SaaS tools that feed into a SOAR for SOC services. The SaaS services and SOAR will be locked down to US resources only. Does this mean we can set up a MSFT GCC tenant to house all users?

Thank you for any sort of help!

submitted by /u/t_m_f_b

I've been given the task of finding an IT ticketing application/tool that is CMMC compliant and am having a time of it. Does anyone know of one that I can research?

submitted by /u/qs20759

For example, a prime has a contract with the DOD for some missiles. The prime has a proprietary drawing for something simple like a washer or an o-ring; the drawing says "proprietary to Prime Company" and is sent to us along with a purchase order. Is this drawing considered CUI as it's a supporting document/data for this contract? If not, is there ever a way for the prime's information to become CUI, or is CUI only for government information?

submitted by /u/your-amish-mechanic

For those of you who don’t think that a Trump presidency can change the course of CMMC, it most certainly can, through the removal of the Chevron Doctrine, which is in direct line with his push to consolidate power. That removal takes away the stick from the carrot-and-stick approach. It gives the judiciary more scrutiny of CMMC regulations, and if they spot irregularities they may not side with DoD interpretations. As other CMMC leaders have pointed out, it is not a good idea to move away from domain expertise in general. Hopefully the final rule removes any doubt and ambiguity that can be leveraged by those that want to play dirty.

submitted by /u/El_Che1

(Cross-posted with r/NISTControls.)

Hi, folks. Looking for some advice.

Assume that the strategy for protecting CUI at rest on laptops is BitLocker (FIPS compliant, of course).

Would an auditor inquire or care as to whether the WDE password is:

  • present (exists)?
  • allowed to be a default vs. required to be individualized by the user per policy?
  • verified to have been changed from default (via monitoring/reporting)?

If the last applies--that is, if an auditor is going to ask "How do you KNOW that users aren't using the default BitLocker password?"--do you have a solution for that?

TIA

submitted by /u/ice-ninecicle

Is there a site that notes which versions of the CAP, AG & SG will be on the exam I'm taking this week?

I took the Edwards class 1 year ago ... Does anyone know if it's the same versions for the last year?

Thanks in advance.

submitted by /u/50208

I have gone through CCP training w/INFOSEC, and have been studying for the CCP exam. I have had a hard time memorizing which DFARS clause 252.204-7xxx does what. Does anyone have any tips?

I figured out a way to remember which domains have Level 1 controls using two "words"... ACIAMP PESCSI. That's the 6 domains that have Level 1 controls... AC, IA, MP, PE, SC & SI. I have not figured out any such trick for the DFARS clauses though. Thanks.

submitted by /u/No-Engineer-6044