• Overview of CMMC 2.0

    Ben Franklin once quipped, ““When you are finished changing, you are finished.”

    Nothing could ring more true in cybersecurity. Frameworks need to live and breath to respond to evolving threats.

    On November 4, 2021 the Department of Defense unveiled an update to the the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.


    • Reduce number of levels from Five to Three
    • Return to NIST as maintainer of all documents
    • Allow level one self-assessments
    • Self-assessments require senior level affirmation
    • Level Two is Old Level Three and NIST SP800-171 baseline for Controlled Unclassified Information
    • Level Two is bifurcated into priortized and non-prioritized contracts
    • Prioritized contracts require third party assessments.
    • Return of limited time bound POAMS
    • Return of limited approved waivers

    Reduced Levels

    CMMC 1.0 had five levels. Level One aligned to seventeen controls from NIST SP-800-171 to meet the fifteen safeguards required by FAR 52.204.21 for Federal Contract Information. Level Three, required for CUI, aligned to 110 controls from NIST SP-800-171 and 20 additional controls. Level Five would align to practices selected from NIST SP-800-172.

    This model did not work for maturity given the different baselines required for sensitive data. One would not seek a level two certification. In fact, DoD said no bids would even ask for a level two. We also had no classes or assessments for level two or four.

    Yet CMMC 1.0 had cummulative levels. Meaning you had to meet all of level one and two to meet level three. This pushed some CUI requirements down to level two which made no sense given lvel three served as the NIST SP-800-171 baseline.

    CMMC 2.0 removes the ill-fitted maturity requirements.

    Return of National Institute of Standards and Technology

    CMMC 1.0 tried to address some of the shortcomings of NIST-SP-800-171. In fact, early on the AB, rumor has it, tried to remove requirements until NARA/ISOO reminded them that the CUI program exists in law and NIST-SP-800-171 provides the baseline. They could only add and not remove.

    CMMC 1.0 added twenty additional practices, often referred to the Delta 20s, and made the assumed controls of NIST-SP-800-171 around policy and procedures (an assumption of practices Non Federal Organizations (NFO) just do..they don’t) explict in the process maturity measures.

    CMMC 2.0 removes anything unique to CMMC and returns us to just NIST-SP-800-171. Moving forward only NIST will change the requirements. We will see many of the delta 20s making a return, and while policies and procedures do not get explicitly assessed you can not pass an assessment without policy and procedures.

    Timeline and Rulemaking

    In order to allow for third party assessments under the Defense Federal Acquisition Supplemental regulations the Department of Defense (more likely their lawyers) decided we need to codify this in federal law.

    This requires a “harmonization” of rulemaking. First CFR 32, which governs the CUI program needs revision. Then CFR 48, which enables DFARS will get revised.

    Federal rule making takes a long time and the DoD estimates suggest 9-24 months. Before contractors breath a sigh of relief they should realize that a 24 month timeframe speeds up the original intent of the five year pilot program.

    Once the rule making process gets complete no pilot program will get unrolled because compliance with 171 required since 2017. The rule changing just empowers third party assessments under the DFARS clauses.

    More Flexibility

    CMMC 1.0 did not allow for any open assessment objectives. You had to meet all 305 to get a level three certification.

    CMMC 2.0 allows for a set of limited and timebound POAMs.

    Before you jump for joy and think you can couch really expensive stuff as an ever ending POA with a never reached milestones you should understand the caveats.

    First you need a minimum SPRS score self-assessing or having a third party assess you against the 171a methodology. A cut score still exists. They have lowered the threshold. How far? We do not know, but it won’t be low.

    You also can not POAM all the requirements and objectives. 171a breaks scores down into 5, 3, or 1. While official guidance did not get released officials have hinted no five pointers in the POAM. The most expensive stuff gets five points.

    You also get 180 days to rectify the POAM. This flexibility saves you nothing. In fact trying to address a five point control in three months may cost you a ton more than good planning.

    What does it Mean?

    For organizations seeking certification, little. Keep growing the SSP and shrinking the POAM. We always had 171 as a baseline and that did not change. The Interim DFARS clauses 7019 and 7020 did not go away. DFARS clause 7012 did not go away. If you have CUI or FCI on your systems the people, processes, and technology within scope still fall in scope.

    For CEO or CIO of organization seeking certification the affirmation requirements increase your personal liability under Fair Clause Claim. In fact both the DoJ and the DoD have highlighted increased focused on the whistleblower elements of the Fair Claims Act. You may find your lawyers, or more likely your Prime’s lawyers demanding a third-party assessment even if you do not hold CUI on a prioritized contract.

    Nobody knows what prioritized contracts mean. You cannot plan on what level of level two you will fall under. Plan your self-assessment as if a third-party assessor will come in and verify your results.

    If you wanted to join the ecosystem as a Certified CMMC Professional CCP or a CMMC Certified Assessor you may find the market grew instead of the logical conclusion the market contracted with self-assessments.

    It makes sense for the DoD to press pause on third party assessments. They have no idea how big the DIB is but they knew the majority would fail a level one, forget a level three assessment. Why make companies pay for a test you know they will fail?

    Yet the market for CCPs and CCAs may have grown. While the DoD may not require a third-party assessor you can bet many a Prime contractor will if you want to remain in their supply chain. Further the number of companies who need to self-assess will require more support.

    The number of companies needing a third party assessor remains high. The DoD has pinned this number on 30,000-40,000 and the CMMC-AB places it higher. Further, current thinking, likely to change, has any level three company who wants an assessment by the Government against the upcoming tailored controls from 172 must first have a level two assessment from a C3PAO against 171.

    In the end, the baseline of NIST-SP-800-171 did not change. Use the next nine to 24 months to grow the SSP and shrink the POAM.

    Change flickr photo by Matt Henry photos shared under a Creative Commons (BY) license

  • No CMMC Hot Takes. Just Take the Time for Some Slow Reads

    Inbox overflowing with email invitations to CMMC.20 webinars? Every consultant and software service promising to give you the most up to date info your company can not do without?

    You can do without. I offer no hot takes.

    Just some slow reads.

    If you really want to get prepared start reading. Congress got it wrong. Cybersecurity does take reading. A ton of reading.

    We know CMMC 2.0 will not kick in for 9-24 months on government clocks. I have no idea how long that will last in real time or dog years.

    Until then read.

    Evaluate the System Security Plan (SSP).

    Read more.

    Throw out your poorly templated SSP and start over.

    Read more.

    Finalize the SSP and write your POAM.

    Read more.

    Have set meetings to address POAM. Revist SSP in six months.

    Read more.

    Grow the SSP and Shrink the POAM.

    If you do not want to do the reading hire an expert. You can try to do cybersecurity without reading. You can also try accounting without math.

    So instead of beating you over the head with one more CMMC 2.0 webinar I offer you my top ten hit reading list for 7012 compliance.

    Reading and Time. My turnkey easy button solution to CMMC 2.0

    1. FIPS-199/200 - The basic controls. Only thing gov truly mandates
    2. SP 800-30 and 39 -learn the risk management process
    3. SP 800-37 - Do risk management
    4. SP 800-18 - How to write an SSP
    5. SP 800-60 & 70 - Mapping data flows and info system
    6. SP 800-53 - 1200 controls in the catalog. Spend a hot minute here.
    7. SP -800-171 -Learn the derived controls selected from 53 that combined with the basic controls from FIPS that you must have on nonfederal system (don’t skip Appendices)
    8. SP 800-115 - How do we test controls 9 SP 800-162 How to speak engineer to humans
    9. SP 800-137 - continuous monitoring guideline

    Bonus reading: SP 800-161 Supply chain risk management

    img credit: “A Shot of Ice and Fire” by ElleFlorio flickr.com/photos/el… is licensed under CC BY-SA

  • When Did Small Businesses Become the Enemy of Cybersecurity?

    When did growth become evil in America?

    When did we start believing the Government can handle complex and quickly shifting problem spaces with an agility the private sector cannot match? When did we start rooting against cottage industries?

    When did the entrepreneur become the enemy?

    According to critics of the Cybersecurity Maturity Model Certification program small businesses became a threat when the Defense Department tried to set up a system to upskill small manufacturers through third party assessments.

    CMMC 2.0 and Fear of Cottage Industries

    I lament the number of people who have cheered the Department of Defense shutting down what may have led to the largest cybersecurity training in our Nation’s history (still pales in comparison to the investment China makes in their workforce).

    You read blog post after blog post cheering the “shuttering of the CMMC cottage industry” or those snickering at C3PAOs who expected a market cap between 100-300,000 companies see hundreds of thousands in investments shrivel on the vine of time we call federal rule making.

    We, as a nation, through the efforts to scale CMMC could have addressed critical pipeline issues in IT, cybersecurity, machine learning, and artificial intelligence.

    Little ole me, nothing but a former middle school teacher with a blog, could even use CMMC 1.0 to build a massive network. I have four universities, Southern Connecticut State University, Capitol Technology University, Emory University, and Metropolitan State University of Denver delivering LTP curriculum. My University, SCSU, has even proposed a 171/CMMC pathway into our Cybersecurity Master’s program which works it’s way through Shared Governance.

    The support DoD decided to give in creating a CMMC vertical for 171 assessments would have also helped us address diversity, equity, and inclusion. Many of the schools involved offered free CMMC class tuition to their students. At my school, and many in the network, People of Color make up most of the student body. The opposite is true in the cyber industry.

    We were even working with high schools and states, specifically CT and SC, on a 2x2x2 apprenticeship. program. Students would earn IT and networking certs starting their junior year and high school, do internships and graduate with a CCP, they would then enroll two years in a community college and get paid internships while earning other certs and a CCA1, then transferring to a four year institution for two years to get a degree in cyber, have more paid apprenticeships, and leave a CCA3.

    Community groups about CMMC sprouted up across the country. I helped to found the CT CMMC Coalition, soon Northeast CMMC Coalition, which we will incorporate into a member owned co-op. We have released 100s of openly licensed pages of contents LPPs use for free in their training. The CMMC Info Institute provides another great example of a non-profit in this space. Their webinars have taught hundreds.

    All of this can go away if the naysayers win. CMMC 2.0 rolled the clock back to 2017 and drastically reduced the need for third party assessors. Feels like we decided to fit the mission to the weapons we have rather than get our hands dirty and build the weapons the mission needs.

    Cottage industries do not represent a threat to National Security. They provide a Mannerheim Line against a modern battle space. I fear with CMMC 2.0 the DoD has decided to comfortably wait things out behind the Maginot line of self-assessment.

    DoD Should Support Cyber Businesses

    I hear from the cottage industry critics that supporting small businesses detracts from DoD’s mission and they don’t do economic development. Then why does Farooq Mitha Direct the Defense Department’s office of small business programs? Why do we have Procurement Technical Assistance Centers? Why does every branch of the military give out billions annually in small business grants through SBIR/STTR?

    CMMC 1.0, in two years, accomplished more growth in the GovCon cyber sector than all past efforts combined. The Defense department did this while spending next to nothing and issuing a no cost contract to the CMMC-AB.

    Growth in the sector will take more than Project Spectrum, and small business efforts in the Defense Department need to transition from just supporting kinetic efforts and start investing in our cyber workforce.

    ##Headcount Issues Threaten Our Nation

    You think finding headcount difficult now? Just wait until the Portman/Peters FISMA reauthorization passes and every federal department must conduct ongoing pen testing. Trust me, I help fill the seats, cleared pentesters do not grow on trees. Have you counted the amount of funding CISA will get from the infrastructure bill and pending cyber bill. Hundreds of billons. Where will we find the people?

    CMMC 1.0 could have provided the pipeline if the market could have gotten established.

    Instead, folks found it more American to cheer against small businesses. They jeered at the Department of Defense desire to support small assessment companies in a nascent cottage industry. Critics demanded we roll back the clocks to 2017 and erase CMMC 1.0. Naysayers want the government and not private industry to help secure and assess cyber and IT in our manufacturing base.

    I disagree, and to all those who dream of starting a cottage industry I salute you.

    img credit: “Engineering Shed” by Tim Sheerman-Chase flickr.com/photos/ti… is licensed under CC BY

  • Cybersecurity: Did Bootcamps Break Us or Save Us

    The cybersecurity awareness and training industry tops a billion dollars in revenue and will only grow as regulatory frameworks that require companywide learning programs spread.

    At the same time and given Higher Education’s inability to adapt or keep up in digital fields, a training program that tops hundreds of billions of dollars grew overnight. In fact, a study by CompTIA (bias disclosure: a test vendor) found 91% of all employees use certifications in hiring.

    Classes to pass the certification exploded overnight. I worry the bootcamp model broke us.

    I do not want people equating a four-day class in how to pass a test to equal deep learning based in cognitive science. Not when it comes to cybersecurity. The mission too important to hunt for a quick fix in awareness and training.

    I know, like CMMC these certification classes are not meant to teach cybersecurity skills. Still, I personally believe the domains of knowledge assessed on the certified classes too hard to master in a four-day seminar.

    I don’t blame anyone, but human nature. You can never lay shame on someone for taking the path of least resistance when it comes to securing food or shelter for them and theirs. Once you introduce a high stakes test humans will immediately start mixing a broth to corrupt the reliability and validity of that test.

    At the same time these increased cost and regulations caused expected resentment in the cybersecurity professional community. Many feel their experience has established these skills and they feel preyed upon by a certificate mill industry. They have a point.

    The entire tech industry, however (I included) could benefit from a good dose of humility. Nobody knows it all, and if you know more, others in the class benefit. Those most successful in bootcamp classes are probably humble folks in other online spaces.

    Bootcamp Model

    In a “bootcamp” style class, whether to train employees or to prepare for a certification test ,the learning gets crammed into a very short time frame over long extended days.

    Almost all cognitive science research supports longer durations for learning. In fact, retention ability decays very quickly. Further long-term transfer to other domains increases when high quality feedback gets connected with bursts of content, activity, and reflection.

    Bootcamp models do work, and we have emerging research to support this, in well-defined domains with discrete skill sets. Configuring your endpoint detection, learning to write JavaScript, even playing Clarinet.

    The Domain of cybersecurity, especially when preparing to move from one industry framework or another, however, cannot happen overnight. Yes, as I stated these classes do not train you in cybersecurity, but it will take specialized knowledge to move from a HIPPA audit to a 171 assessment for example.

    These domains of knowledge too complex for quick learning just to check off a compliance box.

    Myth of Auto-Didactic Learner

    No bootcamp lives in a vacuum (until Space Force starts orbital unit training) so when people claim to only want self-paced learning, they should make sure they have community support somewhere.

    Nobody learns alone. No one gets self-taught. Full stop.

    Community is the Curriculum.

    The original MOOCS, which helped kick off the coding and cybersecurity bootcamp craze, never focused on size. they focused on people. When David Cormier coined the term the massive modified open, not the size of the class.

    It meant using network theory to encourage the spread of open resources and pedagogy through ever growing learning communities.

    So even a four day or four-week self-paced online class needs some element of community. You need peers to have discussions. You need groups to work on scenarios and case studies that will reflect what cybersecurity and assessors will do in the field. Most importantly you need high quality feedback from your instructors.

    Not opinion. Stable and replicable finding from cognitive science research and based on principles of Universal Design for Learning to ensure all learners can succeed.

    Bootcamp Models Dont Meet Diverse Workforce Needs

    You need a lot of resources to check out for four days and go to an intensive bootcamp. Childcare, carpools, community volunteering, the bootcamp model do not reflect the needs of the modern workforce.

    Bootcamp models do not help diversity, equity, and inclusion when the only option involves four days of unpaid work. We need to provide learning communities that allow for flexible and supportive learning modalities. As a nation we must root cybersecurity trainings in groups that face historical exclusion in the tech and cyber industry.

    These four-day learning bonanzas also hurt organizations. As a CEO do you want your entire cyber/IT team out of pocket for four days? What if like many small businesses as CEO you are your entire cyber/IT team? Can you be out for four days?

    A Better Way forward with CyberDI and Southern Connecticut State University

    At SCSU, we have developed and iterated on the CyberDI curriculum that they will deliver on our online and offline campuses as an LTP through four rounds of iterative design with the goals of using principles of cognitive science in curriculum development and delivery.

    Real science. Not bootcamp marketing or certificate mill hype.

    In our five-week class model you meet twice a week for live classes each week. Instructors schedules these classes either at noon, the evening, or the weekends depending on local audience needs. They offer hybrid and fully online versions. The lectures and discussions get recorded so if life gets in the way anyone can catch up.

    Every practice and process in the CMMC model gets covered through systematic and explicit instruction following the “Instructor does, class does, you do” model. This predictability, science tells, us, improves learning.

    Social learning, not just explicit instruction, gets baked into the model. We have two weekly office hours where instructors and community members just drop in to get specific technical help or to ask general questions about course content.

    We know from research, building scaffolds that gives learners support drives success.

    Our course navigation is simple and works in Blackboard, Canva, Microsoft Teams, or my favorite a simple HTML website. In every module you are asked to read, write, and participate. We give you access to easy to navigate resources.

    screenshot of Google Classroom

    You can see above how each model gets laid out in a Google Classroom example. We know from decades of research ease of navigation drives learner efficacy and success.

    Most importantly you take part in production-based learning driven by feedback designed to elicit growth against the course objectives. Feedback, both formal and informal, drive learning. The teacher guide we provide has tips on writing feedback. The instructors who teach the CyberDI classes on SCSU campuses will get on going coaching in their questioning and discussion techniques. They get additional training on how to write and deliver feedback for growth.

    We do hope you choose a training program based in cognitive science and not just certificate mill marketing hype. The classes CyberDI will teach on our campuses meet this criteria.

    Just wanted to end with a quick shoutout to the subject experts who helped write and shape the curriculum

    Curriculum Authors:

    • Leighton Johnson- Wrote our Domain Scenarios
    • Paul Netopski- Wrote our CMMC Assessment Process Chapter
    • Vincent Scott- Co-wrote history of CMMC and Domain Scenarios
    • Tom Cornelius- Open Source contributor. We utilize Comp;iance Forge’s CC BY-SA Scoping Guidance.
    • Gregory McVerry co-wrote CUI scenarios, co-edited textbook with Dr. Tucker
    • Lauren Tucker-lead author on instructinal guide, co-edited text book
    • Richard Dawson-Wrote 162 aligned introductions for 17 Comains
    • Dana Mantilla-Video Instructor who interviewed top talent
    • Brian Rogalski-co-wrote CUI scenarios

    Academic Advisor: Leslie Weinstein

    Video Guests:

    • Allison Giddens
    • Vincent Scott
    • Margaret Glover
    • Paul Netopski
    • Matthew Carson
    • Jake Williams
    • Amira Armond
    • Ryan Heildron
    • Vic Malloy
    • Kyle Lai

    img credit: Bootcamp dreams. by jgmac1106 shared under an CC-BY-SA license a A remix of: Work boot” by Bigbadvoo flickr.com/photos/bi… is licensed under CC BY “Storm Clouds Gathering” by izoo3y flickr.com/photos/iz… is licensed under CC BY-SA “Cha-Ching” by spcbrass flickr.com/photos/sp… is licensed under CC BY-SA

  • How to Register on the CMMC-AB Class to Sign up for a CCP Class with an LTP

    Wow that title has a lot of letters. Luckily the registration process on the Cybersecurity Maturity Model Certification Accreditation Board website to create an account so you can sign up for a Certified CMMC Professional class with a Licensed Training Provider is not as difficult.

    Creating a profile on to register for a Certified CMMC Professional course requires a three-step process and a $200 fee paid to the CMMC Accreditation Board and not the Licensed Training Partner. The fee also does not cover the CCP exam. That will cost an additional $275.00

    You must first create an account on the CMMC-AB Moodle page (yeah open source).

    screenshot of account creation

    Once you do you a verification email gets sent your inbox

    screenshot of verification email

    After you verify your email you choose an MFA, multifactor authorization, method.

    screenshot choosing mFA

    Depending on which method you chose you may have additional security checks

    screenshots of security checks

    Once you have an account you can move on to Step One which requires you to make a profile

    screenshot of making profile

    screenshot of ccp application

    Once you make the profile you can then go and register for the CCP class. The application is extensive. You will upload your resume and any certifications you hold.

    The application did ask me to associate with a C3PAO. Currently, as far as I know, the CCP does not need to associate with a C3PAO. I put “none yet” and my application went through.

    Pay the money and you can now register for a class with an LTP.

    screenshot of payment acceptance

    You will get an ID number. The LTP will use this to share your progress and enrollment status.

  • top view of p-51b

    side view of p-51

    front propeller view

    close up side

  • "Any Questions?" is the Wrong Question for CyberSecurity Training

    We want to transform CyberSecurity Awareness and Training into an active learning process. For far too long we have assumed video-based quizzes work at the minimum and real training cannot happen because you need decades of experience to do Cyber.

    Neither assumption rings true. Active learning leads to greater transfer and retention. This production-based method, where learners must do stuff with what they learn begins with questioning.

    In my time working on Cybersecurity Maturity Model Certification courses, I have reviewed so much curriculum. Coched Provisional Instructors as they develop lesson plans and provided feedback to our instructors as we iterate on curriculum at Southern Connecticut State University.

    Stop Asking Any Questions

    Almost all the instruction I observe relies on direct intruction with little learner interaction. I see it in video based training and lectures where a highly talented Subject Matter Expers asks, “Any Questions” at the end of each segment or lecture.

    Everyone has questions. No one will ask.

    Instead a good teacher uses questions to elicit evidence of and scaffold knowledge growth. You can think of three types

    • Literal
    • Inferential
    • Evaluative

    Literal questions get answered with explicit, which means identifiable in the text, details. Inferential questions require students to combine information in a text, either explicitly or implied, and combine this with prior knowledge or another source. Evaluative questions ask you to combine implicit information with an opinion and may focus on why and how to fill is missing details.

    As an instructor you need to plan your questioning well. You can use verbs from Bloom’s Taxonomy or Webb’s Depth of Knowledge, but you need to ask questions for learning to occur.

    Helping Out CMMC Instructors

    So, to help out the Instructors who utilize the CMMC curriculum we write we started to create a question guide for each of the 17 Domains. It includes a definition from NIST SP-800-162 and questions a Certified CMMC Professional can use to help an Organization Seeking Certification. We derive these from 162 as well.

    We then include every assessment objective. CMMC courses mean nothing without Assessment Objectives. Next, we close with sample discussion questions. We hope these focus on pain points and common misconceptions. When an LTP or Provisional Instructor uses our material, you can know we provide you the tools to have active discussions,

    Check out our Access Control Example

    Featured Image “Question” by kevin dooley is licensed under CC BY

  • Writing threat scenarios.


  • What does the NDAA say About CMMC?

    The NDAA goes deep into developing the Cyber Director role but for those looking to NDAA for “significant changes” to the cybersecurity maturity model certification (CMMC) program should look elsewhere.

    There are eight mentions of CMMC in the bill. I will need to dissect the fund allocations to CMMC. There are an additional five mentions of the cybersecurity maturity model certification in areas of threat and incident response.

    It looks like the House Small Business Committee that complained about contractors “having to read really big books” did not have their ammendment approved.

    It is really just section 1742 of the bill.

    IN GENERAL.—Not later than March 1, 2021, the Sec- retary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cyberse- curity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementa- tion of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.

    The report shall shall include, for each component that does not achieve at least level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), a determination as to whether and details as to how— (A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (B) such component will mitigate potential risks until such measures are implemented. (2) COMPTROLLER GENERAL REPORT REQUIRED.—Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

    CYBERSECURITY MATURITY MODEL CERTIFICATION FUNDING LIMITATION.—Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procure-ment contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.

    img credit: Etherwan (2018). NDAA Compliance Statement. Retrieved from: www.etherwan.com/us/about-…

  • You are Doing Cyberscecurity Awareness and Training Wrong

    two people on the left and right of someone screaming in their ear

    Let me tell you how most of my pitch calls go when someone needs instructional design work for their company’s cybersecurity awareness and training.

    The customer typically says something along the lines of, “We just need a quick and dirty training, to check off the compliance box”.

    I ask, “Can you send me your policies and procedures so I can weave them into the training?”

    Response A:

    “My boss doesn’t want this eating up a bunch of time and resources. We just need the compliance. This isn’t about learning.”

    In the case of Response A, I always say, “Doesn’t it make sense to train your employees on your security stack based on their roles? Don’t you know policy and procedures mean nothing without people? We can write your awareness and training so it reflects your people, processes, and technology, and most importantly the threats the data you hold faces.”

    Response B:

    “We really don’t have the policies and procedures in place.”

    For Response B, I always say, “Then your awareness and training needs to start with how to write and deploy policies and procedures.”

    The Call Back

    Almost always I get a call back an hour or day later with, “I talked to the boss. They want to keep it dead simple and focus on compliance. How much for a quick one hour training?”

    I wish them luck and shut down the call.

  • Maturity models come to event logging for fe agencies www.whitehouse.gov/wp-conten… Per OMB’s response to Executive Order 14028

  • It came out of the kiln. Check it folks.

    A-10 Warthog.

    A limited signed and numbered 13 run as part of my efforts to support local artists through CMMC

  • Checking out lasers and CUI enclave policies

  • hello

  • The Basics of Controlled Unclassified Information

    When you cut through the marketing hype—and ignore all of the LinkedIn trolls predicting the doom of the Cybersecurity Maturity Model Certification (CMMC) program— you realize CMMC did not arise out of the blue. When you reasearch its history, you will find nothing especially new or unfamiliar. CMMC simply requires third party attestation of what defense contractors already had to do in order to fulfill the legal requirements of their agreements. The major change associated with CMMC is that it no longer allows for the self-assessment of cyber hygiene associated with Controlled Unclassified Information (CUI), as measured against NIST-SP-800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

    Individual contractors no longer have the authority to say how well they secure CUI. Instead, a third pary must come in and assess this information. In essence, it all comes down to CUI. But what do we mean we say Controlled Unclassified Information (CUI)?

    What is CUI?

    The US Government defines CUI as information which requires safeguarding or dissemination controls necessitated by law, regulation, or Government-Wide Policy; however, it does not include classified or nuclear stuff. The latter two fall under classified policies, and therefore require even more protections than CUI.

    The CUI program is thoroughly explained in the Code of Federal Regulation 32, Part 2002. This program standardizes how the Executive Branch handles CUI. The Department of Defense (DoD), for example, established a CUI policy on March 6th 2002. This policy, DoD Instruction 5200.48, “Controlled Unclassified Information,” fulfills their requirements to develop a CUI policy. Every department, and thus their respective agencies, must have a similar CUI policy.

    The CUI designation was created in response to 9/11 via President Obama’s Executive Order 13556. This executive order required all unclassified information throughout the Executive Branch which necessitated additional protection above and beyond information not for public release to be labeled CUI. Before this CUI policy, no uniform marking system existed for this kind of information across the Federal Government. Different agencies used an alphabet soup of labels such as FOUO, LES, and SBU.

    Under the Executive Order, the National Archives and Record Administration (NARA) was appointed to lead on developing a universal CUI Policy. The Secretary of Commerce, through the Office of Management and Budget, decided that CUI required moderate protection. FISMA, the Federal Information Modernization Security Act, then authorized the National Institute of Standards and Technologies (NIST) to develop standards for the protection of CUI.

    In fact, section two of the Executive Order designated NARA as the Executive Agency to oversee the order and the CUI program. NARA delegated this authority to the Information Security Oversight Office (ISOO). ISOO established a CUI registry that is:

    • Publicly Accessible
    • Includes authorized categories
    • Includes subcategories and guidance
    • Includes citations to laws and regulation and government wide policies

    The Department of Defense then defined their relevant categories using DoD Instruction 5200.48, “Controlled Unclassified Information”.

    The ISOO CUI policy defines two types of CUI: Basic and Specified. Specified CUI contains specific handling controls, which it requires or permits agencies to use, and which differ from those used for Basic CUI. So, if a federal law or regulation requires handling instructions beyond the basic protections of CUI, we call this CUI Specified. An agency can decide internally, or with agreement from ISOO, to require additional protections.

    CUI Lifecycle

    The CUI lifecycle requires a contractor to identify the CUI they handle, to explicitly mark this data as CUI, to protect this CUI while in transit and at rest, to only share CUI for a lawful purpose, to destroy CUI when necessary, and to decontrol CUI when it no longer needs additional security.

    Identifying CUI

    It is best to begin this process by determining if you have any CUI in your system, or if you wish to bid on future contracts that would require CUI in your systems. Unfortunately, most of the data contractors receive from the DoD and prime contractors will not have proper markings. This does no alleviate a contractor of the legal responsibilities for protecting CUI, especially if they have existing contracts with the Defense Federal Acquisition Regulation Supplemental (DFARS) clause 7012, which requires self-attestation for protecting CUI against a 171 baseline.

    Once you identify the CUI in your system, identify which contract vehicles with a 7012 clause the CUI is often associated with. Then identify the people or roles with legal access to that CUI under each contract. In fact, you should create a matrix to capture this information.

    You cannot expect the DoD or a prime contractor to label all CUI created under a CUI contract. How could a Contracting Officer (CO) or a Program Management Office decide if the personal notes taken or meeting minutes contain CUI?

    Marking CUI

    The CUI program set out to protect unclassified information and ensure the timely sharing of information. The marking requirements of CUI vary based on the kinds of CUI and the chosen designation indicator. These influence the requirements for banner markings, which have to include category markings, control markings, and any limited dissemination markings (only certain people should see this).

    CUI marking requirements are influenced by more than just their category and control markings. The type of media it is associated with, such as emails or military documents, can influence the marking as well. Email banners may differ from the requirements for removable media. CUI can also be co-mingled into documents that require different limited dissemination, or are considered classified. Finally, you also have rules about marking CUI for mailing.

    The marking must include a designation indicator. This indicates who created the CUI. This can include a variety of formats such as a letterhead, a logo on a sticker, a signature, or a controlled byline. You have no requirement to include contact information, but many markings add this optional information.

    Department of Defense guidance suggests using a Designation Indicator block when space allows. This includes who controls the data, as well as anyone to which control was flowed through an authorized and legal use, any limited dissemination controls, and a point of contact. For example:

    Controlled by: OUSD(I&S)

    Controlled by: CL&S INFOSECCUI Category(ies): PRVCY, OPSEC

    Limited Dissemination Control: FEDCON

    POC: John Brown, 703-555-0123

    The banner marking can include three elements. The first, the control marking, is mandatory. This can say “controlled” or “CUI.” Category markings are required for CUI Specified, and are separated by two // slashes. If dissemination controls are included, those follow the category markings, again after two forward slashes. Banners must appear in Bold Capitalized text, and ought to be centered when possible.

    CUI works as a basic CUI label.

    Category markings are optional, except in the case of CUI Specified. In fact, when you have Specified CUI, you are required to include the letters SP before the category marking. If more then one type of specified marking is included, you alphabetize them, but only separate each by one / forward slash after the first category, which follows the two // forward slashes and the basic marking.

    CUI//SP-HLTH/PHYS In this example we see two CUI specified categories which follow the basic CUI marking.

    The banner markings can also designate the dissemination controls. Limited Dissemination Controls identify an intended audience, so a document does not need continuous authorization.

    No Foreign Dissemination (NOFORN) —Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.

    Federal Employees Only (FED ONLY) —Dissemination authorized only to employees of the U.S. Government executive branch agencies, or armed forces personnel of the U.S. or Active Guard and Reserve.

    Federal Employees and Contractors Only (FEDCON) —Includes individuals or employees who enter a contract with the U.S. to perform a specific job or supply labor, and dissemination is in furtherance of the contractual purpose.

    No Dissemination to Contractors (NOCON) —Intended for use when dissemination is not permitted to federal contractors, but permits dissemination to state, local, or tribal employees.

    Dissemination List Controlled DL ONLY —Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list.

    Authorized for Release to Certain Foreign Nationals Only (REL TO USA, LIST) —Information has been predetermined by the designating agency to be releasable only to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.

    The Department of Defense CUI guidance also allows dissemination marking to be included in the designation box. These include:

    Distribution Statement A: Approved for public release. Distribution is unlimited.

    Distribution Statement B: Distribution authorized to U.S. Government agencies only (fill in reason and date of determination).

    Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only (insert reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement E: Distribution authorized to DoD Components only (fill in reason and date of determination). Other requests shall be referred to (insert controlling DoD office).

    Distribution Statement F: Further dissemination only as directed by (insert controlling DoD Office and date of determination) or higher DoD authority.

    On digital media, you include these markings. On PowerPoint slides, you can include the CUI label at the top and bottom of the title slide with the indication block and the CUI label on the bottom of each slide. In a word document, you can include a cover sheet with the marking and designation block.

    Removable Media

    On a removable storage device, you are required to include the basic marking and a controlling indicators. Each file contained on the storage device needs its own marking. When feasible, you should include all required elements in the designation block, but the CUI basic marking and the originator or controller must always be included.


    Email is a bit trickier. When you send an email (try not to) containing CUI, you must let the recipient know. You must include a banner marking in the body of the email. Furthemore, best practice suggests including it in the CUI itself. Many companies use email server rules to sequester email with CUI. The subject line helps protect the data. When you forward email you must keep all banner markings. Make sure you cut and paste the banner to the top of the forward. You can also portion mark emails like regular documents where you call out sections that contain CUI.

    Physical Protection of CUI

    You will need to create a controlled environment to protect CUI. The regulations require you to have at least one physical barrier, such as sealed envelopes, locked doors, bins, drawers, or electronic locks. You have flexibility in deciding what counts as a physical barrier.

    You also need to consider meeting areas. You will need to control meeting access when CUI is shared and discussed. You will need to mark the door with the lock, noting only authorized indivduals allowed, and you will need a clean desk policy for after the meeting.

    Think about who has access to your controlled environments. You will need to lock away CUI from after hour cleaning crews, and to keep visitor and employee logs of areas that contain or discuss CUI. Your computer systems and networks also need to control access. You need to include banner markings on devices and systems that can connect to controlled environments.

    Basically, on electronic systems, you need to create some kind of barrier to prevent unauthorized access to CUI. This can include network folders, files, intranet, cloud enclaves, file sharing sites, and individual machines or devices.

    Encryption and CUI

    Based on Office of Management and Budget (OMB) policy, CUI requires moderate protection. This, in turn, requires encryption which meets a specific level called FIPS Validated 140-2A. At the simplest definition, encryption means that something we read in plain text is scrambled into a cyphertext. The authorized holder then has a “key” to unscramble the ciphertext into plain text.

    The approved encryption techniques are authorized by NIST in a document called “Federal Information Processing Standards (FIPS) 140-2.” The approved techniques, which can change based on use case and authorizer, include: AES, Triple-DES, and the Digital Signature Standard (“DSS”). NIST-SP-800-171 (3.1.13 and 3.13.11) and CMMC spell out specific requirements for encryption (AC.3.014, SC.3.177).

    With FIPs level encryption, we make an important distinction between modules and devices. A module can be an embedded part of a product, such as an “encrypt this email” button or an entire product such as a CUI cloud enclave. A device, such as a laptop or cellphone, does not itself need the encryption. The tool accessed on that device to share, view, store, or transmit CUI must use encryption modules that meet FIPS standards.

    Destroying CUI

    When you destroy CUI, the NARA policy CFR 32 Part 2002 requires the CUI to end up unreadable, indecipherable, and irreconcilable. The NARA policy follows guidance of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision l: “Guidelines for Media Sanitization” or any technique approved by Classified National Security Information (32 CFR 2001.47).

    In 2019, NARA released guidance on destroying paper-based CUI. You must follow the specifics of NIST-SP-800-88 when shredding paper. You must crosscut, meaning up and down, and left and right, down to 1mm x 5mm (0.04in x 0.2in) in size. You can also pulverize paper using disintegrator devices equipped with a 3/32in pulverizer. The approved shredders can get expensive. Many companies use a third party shredder or recycler that will provide a certification that they meet the requirements of NIST-SP-800-88.

    You can always go the cheapest route and follow the burn recommendations.

    In terms of media, there are also destruction requirements. NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” The type of media will determine how you sanitize the device. Hard drives, for example, need different disposal methods than static hard drives.

    Decontrolling CUI

    CFR 32 Part 2002 defines decontrolling as the event in which the authorizing agency decides the CUI “no longer requires such controls.” You must have policies and procedure in place to decontrol CUI. CUI can be decontrolled automatically or through positive decontrol. In automotive decontrol, a prior event, such as a date, is chosen when the controls are no longer required by law or policy. In positive decontrol, the authorizing agency takes an action to remove the controls.

    While a contractor can be appointed by the authorizing agency to disagree with the ability to decontrol CUI on a contract with the 7012 clause, it will not happen often.

    In the end, when you think CMMC, just think about CUI and how you can protect it from unauthorized disclosure.

  • Looking for a good Risk Awareness training program? Why not start with NIST-SP-800-30?


  • Another great meeting of the CT CMMC Coalition

  • A must read —The Coast Guard 2021 Cybersecurity outlook www.uscg.mil/Portals/0…

  • CMMC and Ethics

    At a recent Town Hall, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that “trust and confidence in the CMMC Ecosystem” is the shared responsibility of both the AB and the members of the community.

    In fact, Travis’s call to action harkened back to the the testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar, who noted in his testimony to the Armed Service Committee cybersecurity subcommittee:

    DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.

    In order for CMMC to succeed, ethics must matter.

    In the realm of Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. This document provides the standards to which all members hold themselves accountable.

    The document unites around five principles:

    • Professionalism
    • Objectivity
    • Confidentiality
    • Proper Use of Methods
    • Information Integrity

    The document then lays out the practices inherent to each principle, in addition to how reporting features are implemented.

    Conflict of Interests occur when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis, this can lead to a variety of consequences, including:

    • Compromised Judgement
    • Threatened Objective Decisions
    • Undermined Impartiality
    • Destroyed Confidence in Fairness and Integrity
    • Required Disclosure

    CMMC Conflict of Interest

    We must remember that a mere perception of conflict can cause serious damage, even when no such conflict exists. Conflicts of interest can also exist without malicious intent or outcomes.

    The CMMC-AB, in fact, must establish a firewall between the registration of consultants, the accreditation of training schools, and the Assessment of Organizations Seeking Certification (OSC).

    Section 3.1.8 of the CMMC Professional Code of Conduct (CPCOC) requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur.

    The professional code of conduct in Section 3.1.10 also prohibits Certified Third Party Assesment Organizations (C3PAOs) from soliciting business from the organizations they assess. In other words, you can not fail an OSC and then offer services to help them pass the next assessment.

    CMMC and Objectivity

    The CPCOC prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.

    The ecosystems of many companies have Registered Professional Organization (RPO) credentials and C3PAO credentials. A business can not provide RPO services and then join a C3PAO Assessment Team, or host an Assessment Team themselves. Furthermore, if you have signed the CPCOC, you have an obligation to report this activity if you see it.

    CMMC-AB and Ethics

    In order to understand how the Accreditation Board (AB) must adhere to the ethics of the CPCOC, we must first understand their role in the ecosystem. The AB is required to:

    • Authorize CMMC C3PAOs to conduct assessments
    • Accredit C3PAOs in accordance with ISO 17020
    • Authorize the CAICO (CMMC Assessors and Instructors Certification Organization) to certify CMMC Instructors and Assessors
    • Establish, maintain, and Manage the CMMC Marketplace
    • Oversee the CMMC Professional Code of Conduct

    Due to these roles the CMMC-AB has a variety of tools to limit Conflict of Interest

    • CMMC-AB Code of Ethics
    • CMMC-AB Conflict of Interest Policy
    • CMMC-AB Directors Agreement
    • CMMC Code of Professional Conduct
    • Contract with Department of Defense
    • CMMC-AB Audit, Ethics, and Compliance Committee
    • Security and Compliance Officer
    • ISO 170ii General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies

    These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.

    Duty to Disclose

    The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem, and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employment affiliations, and more. The AB will decide if, based on its role in the ecosystem, if that is a type of relationship that is okay, to be avoided, or risky enought to require mitigation.

    This document will explain your responsibilities to report conflict of interest.

    Red Lines for the CMMC-AB

    Based on the policies governing the AB, its members must not fail to disclose conflicts, have a vested interest in an C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, accept any gifts, or operate in a credentialed company within the ecosystem for the duration of one year after leaving the board.

    Shady Vendors

    As a member of the ecosystem, you face a barrage of emails. Many of these provide snake oil services or over-promise. As a small business, owners rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turn key services.

    Take your time. You do not need a Level Three Certification overnight. 2026 is still a bit far off. Until then, just grow the SSP and shrink the POA&M.

  • CyberSecurity Begins with Awareness and Training

    Bad Ragaz - Original Sin

    It always comes down to the humans. Even with the best security, the tiniest friction can cause all systems fail. That 2% of DNA separating us from chimpanzees really messes with your cyber hygiene.

    If you want security you need to focus on the biggest attack vector: people.

    The Cybersecurity Maturity Model Certification (CMMC) program revolves around a national awareness and training program to increase the validity and reliability of the cybersecurity hygiene for the Defense Industrial Base (DIB).

    Relying on self-assessments hurts the overall validity of an organization’s cyber hygiene, due to the scoring system for determining compliance. In NIST-SP-800-171 nor 171a, the methodology describes a scoring scheme. That model of having 110 points, and subtracting either 1, 3, or five points, came from the Defense Contracting Management Agency (DCMA). It did not work.

    Relying on self-assessments hurt the overall reliability of knowing if someone had achieved adequate compliance against NIST-SP-800-171. A lot of revenue depends on contracts from the Department of Defense that carry the 7012 clause. Many companies lacked experience or have had past success with a business development strategy of ignoring Department Defense mandates .

    We use the amount of data exfiltration from small manufacturers as proof of the failure. The daily ransomware attacks DIB companies face is further observable evidence that self-assessment does not work.

    CMMC requires us to realize cybersecurity isn’t just everyone’s job. Cybersecurity IS everyone. You must control your story, data, and identity. The people matter.

    In fact, the CMMC model requires an Awareness and Training Policy for Level Two (and thus Level Three, given the cumulative nature of the model):


    Establish a policy that includes Awareness and Training.

    So how do you build an Awareness and Training policy? You need to understand what people need to know, when they need to know it, and how you will prove they know it. This begins, like all learning, by definining key terms.

    What is Awareness?

    I can understand the dangers of swimming in riptides in the absence of the training to escape one. All employees must have an awareness of the threats your company faces.

    In fact NIST SP 500-172, defines awareness as

    sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them

    However, awareness—like swimming—does not equal training. In terms of cybersecurity, a company needs to have a general understanding of threats and cyber hygiene in order for it to grow. So, for example, while I may hang Controlled Unclassified Information (CUI) posters in the enclave to keep people aware of company policies, that does not equal a training program on selecting the correct shredder for the destruction of paper-based CUI.

    You may publish many of your policies in an employee handbook to make them aware of security issues. But you still need to train employees on how to execute these policies.

    What is Training?

    Awareness focuses on what, while training focuses on why and how. Training will take longer, and you as the learner will need to generate observable evidence of knowledge growth.

    What Type of Awareness Programs do my Employees Need?

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have an overall awareness of the threats CUI faces. All employees need an awareness of policies, standards, and procedures. This is often best covered in the Employee Handbook and Acceptable Use Policies.

    Your technical staff will need to understand the security risks associated with their activities to keep data safe. This, again, will require the development of Operating System awareness, and you may need to run multiple awareness programs for each major and minor technical system.

    Managers and system administrators need awareness of the applicable policies, standards, and procedures related to the security of the systems they oversee. This will include reference documents, a required tour of a wiki or database, and Security Technical Implementation Guides (STIGs).

    Some Awareness and Training requirements kick in at Level Two when we talk Cybersecurity Maturity Model Certification (CMMC):


    Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities, and of the applicable policies, standards, and procedures related to the security of those systems.


    Determine if:

    • [a] security risks associated with organizational activities involving CUI are identified;
    • [b] policies, standards, and procedures related to the security of the system are identified;
    • [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
    • [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

    To meet the assessment objectives of this practice you will need to provide multiple types of security awareness and training programs

    What type of Training Program Do My Employees Need

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have three domains of training. One domain is focused on your CUI policy, another on threat analysis, and another on your system, security, and roles.

    CMMC has an entire set of objectives on developing and deploying a CUI policy. In your training, you need to ensure your managers and technical systems engineers, or Managed Service Providers (MSPs), know how CUI is protected on your system.

    Your training around applicable policies, standards, and procedures related to the security of the system will need extensive documentation, and will include recognizing educational certificates and providing your own training related to your reference architecture.

    For example, take AT.2.057, which requires contractors to “ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. ” This will require operating system training specific to a company’s reference architecture. You will rely on different certificate programs to ensure your technical staff can stay current as technology changes. You will need multiple trainings for each of the operating systems deployed on your major and minor systems that store, transmit, destroy, or create CUI as the result of a government contract.

    What is the Purpose of my Awareness and Training Policy?

    The first objective of AT.2.999 establishes a policy that includes Awareness and Training, which requires you to have a purpose to your awareness and training policy. For Level Three certification, you need a mission and strategic goals. AT.3.997 requires contractors to “establish, maintain, and resource a plan that includes Awareness and Training” objectives b and c.

    We recommend you do this on company-wide scale, via a threat awareness and training program. Explore the threats, external and internal, you face. Analyze risks to your business and supply chain.

    Break employees into groups and have them draft threat analysis documents (this is a Level Four requirement, but wise to implement ahead of time). Then when you have a complete list of threats, have the groups craft mission and goal statements.

    You then work with the groups in a whole company setting to ensure your employees draft the kind of comprehensive policy statement you envision. Ownership builds awareness.

    Many mature and large organizations will have awareness and training policies developed. If this is the case for your organization, you should still conduct ongoing threat analysis discussions at the department level.

    At the end of the day, make sure folks are aware.

    Who needs Awareness and Training?

    Everyone. Awareness and training ensure policies and procedures become company culture. However, it is important to note that your managers, sales staff, and security engineers need different awareness and training.

    NIST Special Publication 800-16, “Information Technology Security Training Requirements,” recommends creating a role-based training matrix. You can combine this approach with CMMC requirements to create a full curriculum scope and sequence for your awareness and training program.

    In the first column of the Matrix, list all the user roles on your information systems. Include a row for “all.” You can group trainees by their roles as well.

    Then create four domains in your awareness and training program:

    • Employee Responsibilities,
    • Information System Policies,
    • CUI
    • Reference Architecture

    What kind of training an employee receives, and in which domain, depends on their role. For example, all employees may have to watch a training and certify they read the Employee Handbook and Acceptable Use Policies. You probably want a training on the email rules of your company for all employees.

    For Level Three CMMC Certification, you need to document what will be learned. In fact, Assessment Objective [e] of AT.3.997 requires you to document “the plan documents, activities, and due dates.” In your matrices, be sure to list the trainings, in addition to when due dates occur.

    Fill out the chart indicating when role-based awareness and training occurs, what it includes, and how it is assessed.

    Large companies may have an internal learning management system that may track many of these metrics. Smaller companies may have to contract with a vendor. If you purchase IT or security products from MSPs or vendors, try to negotiate a training package, or choose those you see as compliance partners.

    What should Awareness and Training Cover?

    Employee Responsibilities

    You need to cover the four domains of knowledge, but now you must also develop the scope of learning objectives and the sequence of training for the matrices.

    First begin with employee responsibilities by examining the everyday system-wide awareness and trainings all employees must receive. This includes the employee handbook, sexual harassment, legal compliance, company wide posters, CUI handling posters, and stickers. These are everyday business practices that require awareness and training.

    Then decide which of these policies need more than awareness and actual training. This could include a short video summarizing the employee handbook with a quiz. Employees often have to attend mandatory trainings with a supervisor.

    Once you have the list, decide if the subject requires awareness or training. Add it to the matrix.

    Controlled Unclassified Information

    As noted above, you must include awareness and training on the “security risks associated with organizational activities involving CUI are identified.” In other words, you need to develop a CUI Training Program.

    At Level Two of the CMMC, your company will need awareness and training on the internal threats faced by companies who have a legal right to handle Control Unclassified Information on behalf of a government contract.

    At Levels Two and Three, your awareness and training program must include your company policies on receiving, creating, labeling, disseminating, transmitting, storing, and destroying CUI. This policy should cover the specific workflows for handling this information. You will also need to include your Incident Response Training on handing CUI data spillage.

    At Level Four, your CUI awareness and training program should include recognizing and responding to threats from social engineering that can lead to advanced persistent threat actors, breaches, and suspicious behaviors; you will be required to update the training at least annually, as well as when there are significant changes to relevant threats.

    Information System Policies

    Then you will have company-wide information system policies, such as your password policy, email policy, device policy, how Multifactor Authentification works (please turn on MFA), et cetera.

    These Information System Policies apply to all employees, however, at this point you may have to start specializing. The account generation for your Mobile Device Management tools may vary from your payroll system. In fact, at this level you will start to specialize at the Operating System level.

    Different types of operating systems will require you to verify employee training through different certificates. If you deploy in Kubernetes in Azure or use S3 in WS Govcloud, each of those stacks has individual Security Technical Implementation Guides (STIGs) and certification programs.

    You must consider all the major and minor systems, the data that flows through them, and the laws and regulations that govern how that data is used and shared.

    As a contractor, you also will need to consider trainings on your acquisition team on what kind of service level agreements you need in your vendor agreements with regards to information and technology systems. Trainings need to include examining vendor agreements and SLAs to determine if proposed security solutions meet CMMC Level Three standards.

    Reference Architecture

    As Tom Cornelius from Compliance Forge notes, “You must see policy as a blueprint and not documentation. You are more an archtiect than a writer.”

    As an organization, you will need solid reference architecture on how you build secure systems that can handle a moderate baseline for the protection of Controlled Unclassified Information. You will have a set of documents that describe how to build the ideal environment for your use case. You will need awareness and training on how to use and update your reference architecture.

    Take configuration management for example. If you do not have a clear configuration management documentation and provide baseline training on using the necessary references, you will not have the basics of Access Control, the root of cybersecurity.

    Next, you can turn to the other domains in CMMC to determine the specifics of company-wide training policies.

    What other Domains Should Awareness and Training Cover?

    The Awareness and Training you provide must go well beyond the practices and process of the AT domain. In fact, according to Native Intelligence in a blog post on Amira Armond’s CMMC Audit, Awareness and Training needs to cover fourteen additional practices across five domains

    • Access Control (AC)
    • Media Protection (MP)
    • Maintenance (MA)
    • Physical Protection (PE)
    • Systems and Communications Protection (SC)

    How to Get Started on an Awareness and Training Plan

    Create an Instructional Leadership Team

    You first begin by designating who owns your awareness and training program. The Instructional Leadership Team should contain stakeholders across the organization and not just from IT or your security team (if you even have either position. The team could include your Information System Security Officer, CIO, CTO, information System Security Manager, human resources, facility security officer, or employees designated to serve on the instructional leadership team.)

    Craft Goals, Missions, and Objectives

    Your instructional Leadership Team then crafts your goals mission and objectives. This begins by a walkthrough through of your threat environment. Understand the common threats to the sensitive data you hold.

    You can have very generic goals, missions, and objectives for your trainings. You may want to consider utilizing the awareness and training domain to strengthen your talent across the board. However, you only need to track system security related training with CMMC.

    Determine Roles for Awareness and Training

    Next, the Instructional Leadership Team determines roles and responsibilities. Christina Reynolds of BDO-USA recommends using the RAC model: who is Responsible, who is Accountable, and who need to be Consulted. The goal is to create observable evidence that partially meets assessment objectives c, d, and g of AT.2.999

    ” the roles and responsibilities of the activities covered by this policy are defined; (i.e., the responsibility, authority, and ownership of Awareness and Training activities);”

    “The policy establishes or directs the establishment of procedures to carry out and meet the intent of the policy;”

    “the policy is endorsed by management and disseminated to appropriate stakeholders; and “

    So you develop a matrix of roles and responsibilities. Include general users, data owners, system owners, and members of the Instructional Leadership Team. Make a column for each.

    Then, in the rows include who must complete training, who develops the training program, who agrees to acceptable use policies, who decides which roles get what training, who completes role based training, and who is responsible for record keeping.

    Establish Company-wide Baselines

    Now, decide what basic training every employee must have. This will include your awareness activities, employee handbooks, email policies, acceptable use policies, etc. You may include optional training on overall threat awareness and common attack vectors, such as phishing.

    The goal is to establish the bare minimum of security awareness you want with your employees. This wil usually include a variety of trainings like company wide meetings, video on-demands, or online learning.

    Develop A Training Matrix

    Now that you have a baseline of security awareness and training you want for employees, you next decide on specialized roles, and create a role-based training matrix. People in specialized roles and management positions will need additional training over and beyond what every employee recieves.

    You need to group people into roles based on functions in the workplace.

    Then create a list of topics, which includes items such as:

    • CUI
    • Email
    • Threat Awareness
    • Media Protection
    • Passwords
    • Mobile Devices
    • Access Control Policy
    • Reference Architecture
    • Crafting Service Level Agreements
    • etc

    You then decide based on the number of roles created by your Instructional Leadership Team which group gets what training.

    Develop Company Wide Awareness and Training Rubric

    Next the Instructional Leadership Team needs to define success metrics for your awareness and training program. In terms of CMMC, it is important to know if a plan really does not kick in until Level Four process requirements, but you cannot have a compliant training program at this Level without evidence of learning gains.

    The evidence of awareness and training success, like all compliance data, can fall into one of three categories: interview, observe and test.

    First, you want to understand if your awareness and trainign impacts your operational security. Indicators could include reduction in down time, increased phishing test success rates, and incident reporting. If you can not automate these metrics, you can have the Instructional Leadership Team rate them on a four point likert scale.

    You also have training program metrics, such as the frequency of training programs, learner performance, attendance, and learner feedback. You should check with your state on the requirements to protect and retain employee training data.

    Evaluate Content

    Now you have to choose content that will align your role based matrices with your required learning matrices. It will probably be cheaper to purchase curriculum than to develop it in-house. However, when you pay for an instructional designer to develop your program, you can align the program to your company culture and workflow.

    The majority of cybersecurity training is video-based garbage designed to allow you to check off a compliance box about providing training. Develop or utilize a rubric for evaluating curriculum. You may consider hiring a consultant to help you evalaute curriculum. At the very least, choose your networks from word of mouth.

    Create Deployment and Evaluation Schedule

    Next, you must create a scope and sequence guide for your curriuclum. This document includes the objectives of your chosen curriculum, how those objectives will be measured, when the curriculum will be delivered, and who will evaluate the result. You can include information about awareness and training.

    For awareness, you could include the posters you hang and monthly security reminders that are delivered by email. The awareness program occurs all the time, and for all users.

    For training, this again will be a role-based document. Many people may end up including the role-based matrix in the scope and sequence of the curriculum.

    Craft Awareness and Training Plan Compliance Documentation

    Finally, you will need to create a way to document your awareness and training program, so you organize observable evidence in a way that would not require a CMMC assors to make any inferences about your program. Spell out how you meet each requirement in your Policy, Procedures and Plans. If you followed the path above, you will have the majority of the required documentation already.

    Now, as your goal you must include the procedures you have decided upon for your Awareness and Training Policy, in addition to how you plan to include the metrics from your Awareness and Training in both your System Security Plan (SSP) and your Awareness and Training Plan.

    Create a policy for retaining security training records. Create the procedures to make sure this happens.

    Include a table in your policy that explicitly addresses all of the required Awareness and Rraining in a practice or assessment objective. Then, in your SSP, reference this policy and include two pieces of observable evidence that the assessment objectives have been met.

    For example, you need to include training of internal threats at Level Two of CMMC. This means that for Level Three compliance, you must demonstrate you provide this training. Explicitly spell this out, in addition to any required training in your Awareness and training Policy and Procedures.

    For many companies, beginning with the Awaress and Training domain may provide a great launching point for your CMMC journey.

    Meet CMMC Compliance through Awareness and Training

    Can you complete your SSP as you utilize and also reach compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

    Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes this difference.

    Christina Reynolds co-authored this post in the guidance she provided in how to craft Awareness and Training Policy

    Featured Image: “Bad Ragaz - Original Sin” by Kecko is licensed under CC BY

  • Roots of CyberSecurity

    So many people complain bout the forest and trees in the world of cybersecurity. Some look to the trees and can write 5,000 word essays pulling about the etymology of a single word. They never see the forest.

    “Forest Turnover” by Nicholas_T is licensed under CC BY

    Others claim cybersecurity frameworks such as the Department of Defense’s Cybersecurity Maturity Model Certification will rise only to find itelf destined to fail. These critics note a piling up of assumptions and technical debt. They point to the Forest of compliance efforts like ISO or unjustly complain SOC2 compliance comes from gumball machines. They never take the time to see the trees.

    “Tree” by T

    Yet we need to stop worrying about the forest and trees of CMMC. Cybersecurity happens underground, through your culture. You must grow cyber hygiene in rich soil. Do not look to the forest or the trees. Instead get to the roots of cybersecurity and the fungus that keeps it alive.

    Roots of Cybersecurity

    The root system of any tree expands 20 times the size of the canopy. Often when we think trees have died around us, being returned to the earth by, you guessed it fungus, the trees go on living underground. Their roots living for years, decades, possibly centuries keeping other trees alive. Connected through a network of fungus.

    “DSC01648” by Clearly Ambiguous is licensed under CC BY

    We must see cybersecurity as a symbiotic relationship between the public and the private sectors. You as a business owner need to understand that without some basics you can never secure sensitive data, and if you can’t secure sensitive data you will never get past the basics.

    Around 90% of land plants thrive in mutually-beneficial relationships with fungi. Yet we do not see it. The mycelium, network of fine white filaments that make up the vegetative part of fung, exist out of sight. It just happens. We need this in cybersecurity.

    “Mushroom, NCI Sourdough trail” by furtwangl is licensed under CC BY

    Symbiotic relationships.

    The plants and trees allow the fungus to siphon off food and the fungus help the plants eat, act as a network of advanced persistent threat, and fight of pests. In a cubic inch of soil you can find 8 miles of mycelium. We must get to a similar state of cybersecurity, hidden underground protecting our networks.

    To deliver food plants provide fungi with carbohydrates. The fungi suck up water, and provide nutrients like phosphorus and nitrogen, via their mycelia.

    The fungi also create a network to support each other. Paul Stamets, back in 1970 compared the mycelia of root systems to ARPANet, what we now call the Internet. Further According to Suzanne Simard older trees adjust the fungal network to help younger trees. They can redirect carbon they collect in their canopies to children of the forest floor who hide in the shadows. Protected by larger organisms.

    “Rhizomic” by mikecogh is licensed under CC BY

    The Wood Wide Web, also like cybersecurity provides advanced persistent threat analysis. When fungus in the roots recognize a threat they trigger the production of defense-related chemicals. These make later immune system responses quicker. When one tree gets attacked by harmful pests or deadly fungi, the mycelium can set off a chemical response in the root system to warn other trees.

    We need to get to the roots of cybersecurity and this this includes five elements. You must do every one of these first.


    First in terms of Governance who owns your data, who owns your systems, who maintains the System Security Plan? The mycelium under the trees acts as a microbial neural background. The management.

    When you look at mycelium and a node breaks the network moves around it. You must have a plan to handle cybersecurity and know who will enforce policies.


    Fungus migrated from the sea to land millions of years before plant life. The acids they produce broke down calcium in the rocks and produced soil. Your policy does the same thing.

    The fungi worked by acting as carbon sinks. Fungus got the system working just as your policy is required for cybersecurity. In fact you should begin with writing a policy of how your company writes policy. You may in fact have a ton of existing policy but you can not protect what you don’t know you have.


    After the great extinction event that killed the dinosaurs the fungi inherited the earth. They could grow in the dark and even use radiation as food. The largest mycelium organism sprawls across 2,200 acres of Oregon and has lived before the time of the Christian Era. You need to know the spread of sensitive data, endpoints, and people.

    Have you counted them all? If you do not have a solid inventory system you can not have security. You need to know how sensitive data spread through your network for without an inventory it will spread like a rhizome, like mcyelliumn

    Access Control

    Paul Stamets has long argued that the Internet just provides proof of concepts that already exist. The mapping of Internet traffic and Dark Matter all reflect the mapping of the rhizomatic spread of the rhizome.

    You will need to keep a compliance machete at the ready to control access to sensitive data. Fungus act gateway species. Stamets note they let other life in. In fact he creates physical and logical barriers of mycelium downstream from farm to remove excess fertilizer and deadly diseases like e. Coli.

    Awareness and Training

    As he studies the fungus of the world Stametz tries to preserve the genome. In fact in collaboration with the Department of Defense they discovered five ancient and almost extinct fungi in the old growth forests that could help fight poxxed based diseases.

    Ancient forests in China contain fungi that fight Flu and SARS.

    Saving our old growth forest is a matter of national security. Just like your cyber security.

    Let’s get to the root of the issue



  • How do you use the Discussion Section of the CMMC Assessment Guides?

    Great post from Alex Johnson on the difference between the discussion and requirements of CMMC practices.

    “I want to offer some information to those who may be struggling with understanding what options are available to you regarding the implementation of NIST SP 800-171 and CMMC requirements or practices.

    NIST SP 800-171 Section 2.2 contains the following:

    “A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. “

    The bottom line is that you have options. The discussions are not telling you exactly what you have to do. Rather, they are helping you to understand the essence of what the requirement is. There are a few discussions that are normative, but only a few.

    A great example of this can be found in MP.2.119 (3.8.1). These assessment objectives require you to physically control and securely store media containing CUI. The discussion indicates that “physically controlling system media includes conducting inventories.” However, that is not a requirement based on NIST SP 800-171 Section 2.2.

    I hope this helps some who may “extend the scope of a requirement” based on the discussion section.”

    Alexy J. on LinkedIn: I want to offer some information to those who may be struggling with linkedin.com


  • Sample AWS Templates for incident respone.

    GitHub - aws-samples/aws-incident-response-playbooks github.com

subscribe via RSS

All content, unless otherwise notes, is licensed with a CC-BY