• Cybersecurity: Did Bootcamps Break Us or Save Us

    The cybersecurity awareness and training industry tops a billion dollars in revenue and will only grow as regulatory frameworks that require companywide learning programs spread.

    At the same time and given Higher Education’s inability to adapt or keep up in digital fields, a training program that tops hundreds of billions of dollars grew overnight. In fact, a study by CompTIA (bias disclosure: a test vendor) found 91% of all employees use certifications in hiring.

    Classes to pass the certification exploded overnight. I worry the bootcamp model broke us.

    I do not want people equating a four-day class in how to pass a test to equal deep learning based in cognitive science. Not when it comes to cybersecurity. The mission too important to hunt for a quick fix in awareness and training.

    I know, like CMMC these certification classes are not meant to teach cybersecurity skills. Still, I personally believe the domains of knowledge assessed on the certified classes too hard to master in a four-day seminar.

    I don’t blame anyone, but human nature. You can never lay shame on someone for taking the path of least resistance when it comes to securing food or shelter for them and theirs. Once you introduce a high stakes test humans will immediately start mixing a broth to corrupt the reliability and validity of that test.

    At the same time these increased cost and regulations caused expected resentment in the cybersecurity professional community. Many feel their experience has established these skills and they feel preyed upon by a certificate mill industry. They have a point.

    The entire tech industry, however (I included) could benefit from a good dose of humility. Nobody knows it all, and if you know more, others in the class benefit. Those most successful in bootcamp classes are probably humble folks in other online spaces.

    Bootcamp Model

    In a “bootcamp” style class, whether to train employees or to prepare for a certification test ,the learning gets crammed into a very short time frame over long extended days.

    Almost all cognitive science research supports longer durations for learning. In fact, retention ability decays very quickly. Further long-term transfer to other domains increases when high quality feedback gets connected with bursts of content, activity, and reflection.

    Bootcamp models do work, and we have emerging research to support this, in well-defined domains with discrete skill sets. Configuring your endpoint detection, learning to write JavaScript, even playing Clarinet.

    The Domain of cybersecurity, especially when preparing to move from one industry framework or another, however, cannot happen overnight. Yes, as I stated these classes do not train you in cybersecurity, but it will take specialized knowledge to move from a HIPPA audit to a 171 assessment for example.

    These domains of knowledge too complex for quick learning just to check off a compliance box.

    Myth of Auto-Didactic Learner

    No bootcamp lives in a vacuum (until Space Force starts orbital unit training) so when people claim to only want self-paced learning, they should make sure they have community support somewhere.

    Nobody learns alone. No one gets self-taught. Full stop.

    Community is the Curriculum.

    The original MOOCS, which helped kick off the coding and cybersecurity bootcamp craze, never focused on size. they focused on people. When David Cormier coined the term the massive modified open, not the size of the class.

    It meant using network theory to encourage the spread of open resources and pedagogy through ever growing learning communities.

    So even a four day or four-week self-paced online class needs some element of community. You need peers to have discussions. You need groups to work on scenarios and case studies that will reflect what cybersecurity and assessors will do in the field. Most importantly you need high quality feedback from your instructors.

    Not opinion. Stable and replicable finding from cognitive science research and based on principles of Universal Design for Learning to ensure all learners can succeed.

    Bootcamp Models Dont Meet Diverse Workforce Needs

    You need a lot of resources to check out for four days and go to an intensive bootcamp. Childcare, carpools, community volunteering, the bootcamp model do not reflect the needs of the modern workforce.

    Bootcamp models do not help diversity, equity, and inclusion when the only option involves four days of unpaid work. We need to provide learning communities that allow for flexible and supportive learning modalities. As a nation we must root cybersecurity trainings in groups that face historical exclusion in the tech and cyber industry.

    These four-day learning bonanzas also hurt organizations. As a CEO do you want your entire cyber/IT team out of pocket for four days? What if like many small businesses as CEO you are your entire cyber/IT team? Can you be out for four days?

    A Better Way forward with CyberDI and Southern Connecticut State University

    At SCSU, we have developed and iterated on the CyberDI curriculum that they will deliver on our online and offline campuses as an LTP through four rounds of iterative design with the goals of using principles of cognitive science in curriculum development and delivery.

    Real science. Not bootcamp marketing or certificate mill hype.

    In our five-week class model you meet twice a week for live classes each week. Instructors schedules these classes either at noon, the evening, or the weekends depending on local audience needs. They offer hybrid and fully online versions. The lectures and discussions get recorded so if life gets in the way anyone can catch up.

    Every practice and process in the CMMC model gets covered through systematic and explicit instruction following the “Instructor does, class does, you do” model. This predictability, science tells, us, improves learning.

    Social learning, not just explicit instruction, gets baked into the model. We have two weekly office hours where instructors and community members just drop in to get specific technical help or to ask general questions about course content.

    We know from research, building scaffolds that gives learners support drives success.

    Our course navigation is simple and works in Blackboard, Canva, Microsoft Teams, or my favorite a simple HTML website. In every module you are asked to read, write, and participate. We give you access to easy to navigate resources.

    screenshot of Google Classroom

    You can see above how each model gets laid out in a Google Classroom example. We know from decades of research ease of navigation drives learner efficacy and success.

    Most importantly you take part in production-based learning driven by feedback designed to elicit growth against the course objectives. Feedback, both formal and informal, drive learning. The teacher guide we provide has tips on writing feedback. The instructors who teach the CyberDI classes on SCSU campuses will get on going coaching in their questioning and discussion techniques. They get additional training on how to write and deliver feedback for growth.

    We do hope you choose a training program based in cognitive science and not just certificate mill marketing hype. The classes CyberDI will teach on our campuses meet this criteria.

    Just wanted to end with a quick shoutout to the subject experts who helped write and shape the curriculum

    Curriculum Authors:

    • Leighton Johnson- Wrote our Domain Scenarios
    • Paul Netopski- Wrote our CMMC Assessment Process Chapter
    • Vincent Scott- Co-wrote history of CMMC and Domain Scenarios
    • Tom Cornelius- Open Source contributor. We utilize Comp;iance Forge’s CC BY-SA Scoping Guidance.
    • Gregory McVerry co-wrote CUI scenarios, co-edited textbook with Dr. Tucker
    • Lauren Tucker-lead author on instructinal guide, co-edited text book
    • Richard Dawson-Wrote 162 aligned introductions for 17 Comains
    • Dana Mantilla-Video Instructor who interviewed top talent
    • Brian Rogalski-co-wrote CUI scenarios

    Academic Advisor: Leslie Weinstein

    Video Guests:

    • Allison Giddens
    • Vincent Scott
    • Margaret Glover
    • Paul Netopski
    • Matthew Carson
    • Jake Williams
    • Amira Armond
    • Ryan Heildron
    • Vic Malloy
    • Kyle Lai

    img credit: Bootcamp dreams. by jgmac1106 shared under an CC-BY-SA license a A remix of: Work boot” by Bigbadvoo flickr.com/photos/bi… is licensed under CC BY “Storm Clouds Gathering” by izoo3y flickr.com/photos/iz… is licensed under CC BY-SA “Cha-Ching” by spcbrass flickr.com/photos/sp… is licensed under CC BY-SA

  • How to Register on the CMMC-AB Class to Sign up for a CCP Class with an LTP

    Wow that title has a lot of letters. Luckily the registration process on the Cybersecurity Maturity Model Certification Accreditation Board website to create an account so you can sign up for a Certified CMMC Professional class with a Licensed Training Provider is not as difficult.

    Creating a profile on to register for a Certified CMMC Professional course requires a three-step process and a $200 fee paid to the CMMC Accreditation Board and not the Licensed Training Partner. The fee also does not cover the CCP exam. That will cost an additional $275.00

    You must first create an account on the CMMC-AB Moodle page (yeah open source).

    screenshot of account creation

    Once you do you a verification email gets sent your inbox

    screenshot of verification email

    After you verify your email you choose an MFA, multifactor authorization, method.

    screenshot choosing mFA

    Depending on which method you chose you may have additional security checks

    screenshots of security checks

    Once you have an account you can move on to Step One which requires you to make a profile

    screenshot of making profile

    screenshot of ccp application

    Once you make the profile you can then go and register for the CCP class. The application is extensive. You will upload your resume and any certifications you hold.

    The application did ask me to associate with a C3PAO. Currently, as far as I know, the CCP does not need to associate with a C3PAO. I put “none yet” and my application went through.

    Pay the money and you can now register for a class with an LTP.

    screenshot of payment acceptance

    You will get an ID number. The LTP will use this to share your progress and enrollment status.

  • top view of p-51b

    side view of p-51

    front propeller view

    close up side

  • "Any Questions?" is the Wrong Question for CyberSecurity Training

    We want to transform CyberSecurity Awareness and Training into an active learning process. For far too long we have assumed video-based quizzes work at the minimum and real training cannot happen because you need decades of experience to do Cyber.

    Neither assumption rings true. Active learning leads to greater transfer and retention. This production-based method, where learners must do stuff with what they learn begins with questioning.

    In my time working on Cybersecurity Maturity Model Certification courses, I have reviewed so much curriculum. Coched Provisional Instructors as they develop lesson plans and provided feedback to our instructors as we iterate on curriculum at Southern Connecticut State University.

    Stop Asking Any Questions

    Almost all the instruction I observe relies on direct intruction with little learner interaction. I see it in video based training and lectures where a highly talented Subject Matter Expers asks, “Any Questions” at the end of each segment or lecture.

    Everyone has questions. No one will ask.

    Instead a good teacher uses questions to elicit evidence of and scaffold knowledge growth. You can think of three types

    • Literal
    • Inferential
    • Evaluative

    Literal questions get answered with explicit, which means identifiable in the text, details. Inferential questions require students to combine information in a text, either explicitly or implied, and combine this with prior knowledge or another source. Evaluative questions ask you to combine implicit information with an opinion and may focus on why and how to fill is missing details.

    As an instructor you need to plan your questioning well. You can use verbs from Bloom’s Taxonomy or Webb’s Depth of Knowledge, but you need to ask questions for learning to occur.

    Helping Out CMMC Instructors

    So, to help out the Instructors who utilize the CMMC curriculum we write we started to create a question guide for each of the 17 Domains. It includes a definition from NIST SP-800-162 and questions a Certified CMMC Professional can use to help an Organization Seeking Certification. We derive these from 162 as well.

    We then include every assessment objective. CMMC courses mean nothing without Assessment Objectives. Next, we close with sample discussion questions. We hope these focus on pain points and common misconceptions. When an LTP or Provisional Instructor uses our material, you can know we provide you the tools to have active discussions,

    Check out our Access Control Example

    Featured Image “Question” by kevin dooley is licensed under CC BY

  • Writing threat scenarios.


  • What does the NDAA say About CMMC?

    The NDAA goes deep into developing the Cyber Director role but for those looking to NDAA for “significant changes” to the cybersecurity maturity model certification (CMMC) program should look elsewhere.

    There are eight mentions of CMMC in the bill. I will need to dissect the fund allocations to CMMC. There are an additional five mentions of the cybersecurity maturity model certification in areas of threat and incident response.

    It looks like the House Small Business Committee that complained about contractors “having to read really big books” did not have their ammendment approved.

    It is really just section 1742 of the bill.

    IN GENERAL.—Not later than March 1, 2021, the Sec- retary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cyberse- curity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementa- tion of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.

    The report shall shall include, for each component that does not achieve at least level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), a determination as to whether and details as to how— (A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (B) such component will mitigate potential risks until such measures are implemented. (2) COMPTROLLER GENERAL REPORT REQUIRED.—Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

    CYBERSECURITY MATURITY MODEL CERTIFICATION FUNDING LIMITATION.—Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procure-ment contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.

    img credit: Etherwan (2018). NDAA Compliance Statement. Retrieved from: www.etherwan.com/us/about-…

  • You are Doing Cyberscecurity Awareness and Training Wrong

    two people on the left and right of someone screaming in their ear

    Let me tell you how most of my pitch calls go when someone needs instructional design work for their company’s cybersecurity awareness and training.

    The customer typically says something along the lines of, “We just need a quick and dirty training, to check off the compliance box”.

    I ask, “Can you send me your policies and procedures so I can weave them into the training?”

    Response A:

    “My boss doesn’t want this eating up a bunch of time and resources. We just need the compliance. This isn’t about learning.”

    In the case of Response A, I always say, “Doesn’t it make sense to train your employees on your security stack based on their roles? Don’t you know policy and procedures mean nothing without people? We can write your awareness and training so it reflects your people, processes, and technology, and most importantly the threats the data you hold faces.”

    Response B:

    “We really don’t have the policies and procedures in place.”

    For Response B, I always say, “Then your awareness and training needs to start with how to write and deploy policies and procedures.”

    The Call Back

    Almost always I get a call back an hour or day later with, “I talked to the boss. They want to keep it dead simple and focus on compliance. How much for a quick one hour training?”

    I wish them luck and shut down the call.

  • Maturity models come to event logging for fe agencies www.whitehouse.gov/wp-conten… Per OMB’s response to Executive Order 14028

  • It came out of the kiln. Check it folks.

    A-10 Warthog.

    A limited signed and numbered 13 run as part of my efforts to support local artists through CMMC

  • Checking out lasers and CUI enclave policies

  • hello

  • The Basics of Controlled Unclassified Information

    When you cut through the marketing hype—and ignore all of the LinkedIn trolls predicting the doom of the Cybersecurity Maturity Model Certification (CMMC) program— you realize CMMC did not arise out of the blue. When you reasearch its history, you will find nothing especially new or unfamiliar. CMMC simply requires third party attestation of what defense contractors already had to do in order to fulfill the legal requirements of their agreements. The major change associated with CMMC is that it no longer allows for the self-assessment of cyber hygiene associated with Controlled Unclassified Information (CUI), as measured against NIST-SP-800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

    Individual contractors no longer have the authority to say how well they secure CUI. Instead, a third pary must come in and assess this information. In essence, it all comes down to CUI. But what do we mean we say Controlled Unclassified Information (CUI)?

    What is CUI?

    The US Government defines CUI as information which requires safeguarding or dissemination controls necessitated by law, regulation, or Government-Wide Policy; however, it does not include classified or nuclear stuff. The latter two fall under classified policies, and therefore require even more protections than CUI.

    The CUI program is thoroughly explained in the Code of Federal Regulation 32, Part 2002. This program standardizes how the Executive Branch handles CUI. The Department of Defense (DoD), for example, established a CUI policy on March 6th 2002. This policy, DoD Instruction 5200.48, “Controlled Unclassified Information,” fulfills their requirements to develop a CUI policy. Every department, and thus their respective agencies, must have a similar CUI policy.

    The CUI designation was created in response to 9/11 via President Obama’s Executive Order 13556. This executive order required all unclassified information throughout the Executive Branch which necessitated additional protection above and beyond information not for public release to be labeled CUI. Before this CUI policy, no uniform marking system existed for this kind of information across the Federal Government. Different agencies used an alphabet soup of labels such as FOUO, LES, and SBU.

    Under the Executive Order, the National Archives and Record Administration (NARA) was appointed to lead on developing a universal CUI Policy. The Secretary of Commerce, through the Office of Management and Budget, decided that CUI required moderate protection. FISMA, the Federal Information Modernization Security Act, then authorized the National Institute of Standards and Technologies (NIST) to develop standards for the protection of CUI.

    In fact, section two of the Executive Order designated NARA as the Executive Agency to oversee the order and the CUI program. NARA delegated this authority to the Information Security Oversight Office (ISOO). ISOO established a CUI registry that is:

    • Publicly Accessible
    • Includes authorized categories
    • Includes subcategories and guidance
    • Includes citations to laws and regulation and government wide policies

    The Department of Defense then defined their relevant categories using DoD Instruction 5200.48, “Controlled Unclassified Information”.

    The ISOO CUI policy defines two types of CUI: Basic and Specified. Specified CUI contains specific handling controls, which it requires or permits agencies to use, and which differ from those used for Basic CUI. So, if a federal law or regulation requires handling instructions beyond the basic protections of CUI, we call this CUI Specified. An agency can decide internally, or with agreement from ISOO, to require additional protections.

    CUI Lifecycle

    The CUI lifecycle requires a contractor to identify the CUI they handle, to explicitly mark this data as CUI, to protect this CUI while in transit and at rest, to only share CUI for a lawful purpose, to destroy CUI when necessary, and to decontrol CUI when it no longer needs additional security.

    Identifying CUI

    It is best to begin this process by determining if you have any CUI in your system, or if you wish to bid on future contracts that would require CUI in your systems. Unfortunately, most of the data contractors receive from the DoD and prime contractors will not have proper markings. This does no alleviate a contractor of the legal responsibilities for protecting CUI, especially if they have existing contracts with the Defense Federal Acquisition Regulation Supplemental (DFARS) clause 7012, which requires self-attestation for protecting CUI against a 171 baseline.

    Once you identify the CUI in your system, identify which contract vehicles with a 7012 clause the CUI is often associated with. Then identify the people or roles with legal access to that CUI under each contract. In fact, you should create a matrix to capture this information.

    You cannot expect the DoD or a prime contractor to label all CUI created under a CUI contract. How could a Contracting Officer (CO) or a Program Management Office decide if the personal notes taken or meeting minutes contain CUI?

    Marking CUI

    The CUI program set out to protect unclassified information and ensure the timely sharing of information. The marking requirements of CUI vary based on the kinds of CUI and the chosen designation indicator. These influence the requirements for banner markings, which have to include category markings, control markings, and any limited dissemination markings (only certain people should see this).

    CUI marking requirements are influenced by more than just their category and control markings. The type of media it is associated with, such as emails or military documents, can influence the marking as well. Email banners may differ from the requirements for removable media. CUI can also be co-mingled into documents that require different limited dissemination, or are considered classified. Finally, you also have rules about marking CUI for mailing.

    The marking must include a designation indicator. This indicates who created the CUI. This can include a variety of formats such as a letterhead, a logo on a sticker, a signature, or a controlled byline. You have no requirement to include contact information, but many markings add this optional information.

    Department of Defense guidance suggests using a Designation Indicator block when space allows. This includes who controls the data, as well as anyone to which control was flowed through an authorized and legal use, any limited dissemination controls, and a point of contact. For example:

    Controlled by: OUSD(I&S)

    Controlled by: CL&S INFOSECCUI Category(ies): PRVCY, OPSEC

    Limited Dissemination Control: FEDCON

    POC: John Brown, 703-555-0123

    The banner marking can include three elements. The first, the control marking, is mandatory. This can say “controlled” or “CUI.” Category markings are required for CUI Specified, and are separated by two // slashes. If dissemination controls are included, those follow the category markings, again after two forward slashes. Banners must appear in Bold Capitalized text, and ought to be centered when possible.

    CUI works as a basic CUI label.

    Category markings are optional, except in the case of CUI Specified. In fact, when you have Specified CUI, you are required to include the letters SP before the category marking. If more then one type of specified marking is included, you alphabetize them, but only separate each by one / forward slash after the first category, which follows the two // forward slashes and the basic marking.

    CUI//SP-HLTH/PHYS In this example we see two CUI specified categories which follow the basic CUI marking.

    The banner markings can also designate the dissemination controls. Limited Dissemination Controls identify an intended audience, so a document does not need continuous authorization.

    No Foreign Dissemination (NOFORN) —Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.

    Federal Employees Only (FED ONLY) —Dissemination authorized only to employees of the U.S. Government executive branch agencies, or armed forces personnel of the U.S. or Active Guard and Reserve.

    Federal Employees and Contractors Only (FEDCON) —Includes individuals or employees who enter a contract with the U.S. to perform a specific job or supply labor, and dissemination is in furtherance of the contractual purpose.

    No Dissemination to Contractors (NOCON) —Intended for use when dissemination is not permitted to federal contractors, but permits dissemination to state, local, or tribal employees.

    Dissemination List Controlled DL ONLY —Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list.

    Authorized for Release to Certain Foreign Nationals Only (REL TO USA, LIST) —Information has been predetermined by the designating agency to be releasable only to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.

    The Department of Defense CUI guidance also allows dissemination marking to be included in the designation box. These include:

    Distribution Statement A: Approved for public release. Distribution is unlimited.

    Distribution Statement B: Distribution authorized to U.S. Government agencies only (fill in reason and date of determination).

    Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only (insert reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement E: Distribution authorized to DoD Components only (fill in reason and date of determination). Other requests shall be referred to (insert controlling DoD office).

    Distribution Statement F: Further dissemination only as directed by (insert controlling DoD Office and date of determination) or higher DoD authority.

    On digital media, you include these markings. On PowerPoint slides, you can include the CUI label at the top and bottom of the title slide with the indication block and the CUI label on the bottom of each slide. In a word document, you can include a cover sheet with the marking and designation block.

    Removable Media

    On a removable storage device, you are required to include the basic marking and a controlling indicators. Each file contained on the storage device needs its own marking. When feasible, you should include all required elements in the designation block, but the CUI basic marking and the originator or controller must always be included.


    Email is a bit trickier. When you send an email (try not to) containing CUI, you must let the recipient know. You must include a banner marking in the body of the email. Furthemore, best practice suggests including it in the CUI itself. Many companies use email server rules to sequester email with CUI. The subject line helps protect the data. When you forward email you must keep all banner markings. Make sure you cut and paste the banner to the top of the forward. You can also portion mark emails like regular documents where you call out sections that contain CUI.

    Physical Protection of CUI

    You will need to create a controlled environment to protect CUI. The regulations require you to have at least one physical barrier, such as sealed envelopes, locked doors, bins, drawers, or electronic locks. You have flexibility in deciding what counts as a physical barrier.

    You also need to consider meeting areas. You will need to control meeting access when CUI is shared and discussed. You will need to mark the door with the lock, noting only authorized indivduals allowed, and you will need a clean desk policy for after the meeting.

    Think about who has access to your controlled environments. You will need to lock away CUI from after hour cleaning crews, and to keep visitor and employee logs of areas that contain or discuss CUI. Your computer systems and networks also need to control access. You need to include banner markings on devices and systems that can connect to controlled environments.

    Basically, on electronic systems, you need to create some kind of barrier to prevent unauthorized access to CUI. This can include network folders, files, intranet, cloud enclaves, file sharing sites, and individual machines or devices.

    Encryption and CUI

    Based on Office of Management and Budget (OMB) policy, CUI requires moderate protection. This, in turn, requires encryption which meets a specific level called FIPS Validated 140-2A. At the simplest definition, encryption means that something we read in plain text is scrambled into a cyphertext. The authorized holder then has a “key” to unscramble the ciphertext into plain text.

    The approved encryption techniques are authorized by NIST in a document called “Federal Information Processing Standards (FIPS) 140-2.” The approved techniques, which can change based on use case and authorizer, include: AES, Triple-DES, and the Digital Signature Standard (“DSS”). NIST-SP-800-171 (3.1.13 and 3.13.11) and CMMC spell out specific requirements for encryption (AC.3.014, SC.3.177).

    With FIPs level encryption, we make an important distinction between modules and devices. A module can be an embedded part of a product, such as an “encrypt this email” button or an entire product such as a CUI cloud enclave. A device, such as a laptop or cellphone, does not itself need the encryption. The tool accessed on that device to share, view, store, or transmit CUI must use encryption modules that meet FIPS standards.

    Destroying CUI

    When you destroy CUI, the NARA policy CFR 32 Part 2002 requires the CUI to end up unreadable, indecipherable, and irreconcilable. The NARA policy follows guidance of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision l: “Guidelines for Media Sanitization” or any technique approved by Classified National Security Information (32 CFR 2001.47).

    In 2019, NARA released guidance on destroying paper-based CUI. You must follow the specifics of NIST-SP-800-88 when shredding paper. You must crosscut, meaning up and down, and left and right, down to 1mm x 5mm (0.04in x 0.2in) in size. You can also pulverize paper using disintegrator devices equipped with a 3/32in pulverizer. The approved shredders can get expensive. Many companies use a third party shredder or recycler that will provide a certification that they meet the requirements of NIST-SP-800-88.

    You can always go the cheapest route and follow the burn recommendations.

    In terms of media, there are also destruction requirements. NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” The type of media will determine how you sanitize the device. Hard drives, for example, need different disposal methods than static hard drives.

    Decontrolling CUI

    CFR 32 Part 2002 defines decontrolling as the event in which the authorizing agency decides the CUI “no longer requires such controls.” You must have policies and procedure in place to decontrol CUI. CUI can be decontrolled automatically or through positive decontrol. In automotive decontrol, a prior event, such as a date, is chosen when the controls are no longer required by law or policy. In positive decontrol, the authorizing agency takes an action to remove the controls.

    While a contractor can be appointed by the authorizing agency to disagree with the ability to decontrol CUI on a contract with the 7012 clause, it will not happen often.

    In the end, when you think CMMC, just think about CUI and how you can protect it from unauthorized disclosure.

  • Looking for a good Risk Awareness training program? Why not start with NIST-SP-800-30?


  • Another great meeting of the CT CMMC Coalition

  • A must read —The Coast Guard 2021 Cybersecurity outlook www.uscg.mil/Portals/0…

  • CMMC and Ethics

    At a recent Town Hall, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that “trust and confidence in the CMMC Ecosystem” is the shared responsibility of both the AB and the members of the community.

    In fact, Travis’s call to action harkened back to the the testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar, who noted in his testimony to the Armed Service Committee cybersecurity subcommittee:

    DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.

    In order for CMMC to succeed, ethics must matter.

    In the realm of Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. This document provides the standards to which all members hold themselves accountable.

    The document unites around five principles:

    • Professionalism
    • Objectivity
    • Confidentiality
    • Proper Use of Methods
    • Information Integrity

    The document then lays out the practices inherent to each principle, in addition to how reporting features are implemented.

    Conflict of Interests occur when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis, this can lead to a variety of consequences, including:

    • Compromised Judgement
    • Threatened Objective Decisions
    • Undermined Impartiality
    • Destroyed Confidence in Fairness and Integrity
    • Required Disclosure

    CMMC Conflict of Interest

    We must remember that a mere perception of conflict can cause serious damage, even when no such conflict exists. Conflicts of interest can also exist without malicious intent or outcomes.

    The CMMC-AB, in fact, must establish a firewall between the registration of consultants, the accreditation of training schools, and the Assessment of Organizations Seeking Certification (OSC).

    Section 3.1.8 of the CMMC Professional Code of Conduct (CPCOC) requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur.

    The professional code of conduct in Section 3.1.10 also prohibits Certified Third Party Assesment Organizations (C3PAOs) from soliciting business from the organizations they assess. In other words, you can not fail an OSC and then offer services to help them pass the next assessment.

    CMMC and Objectivity

    The CPCOC prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.

    The ecosystems of many companies have Registered Professional Organization (RPO) credentials and C3PAO credentials. A business can not provide RPO services and then join a C3PAO Assessment Team, or host an Assessment Team themselves. Furthermore, if you have signed the CPCOC, you have an obligation to report this activity if you see it.

    CMMC-AB and Ethics

    In order to understand how the Accreditation Board (AB) must adhere to the ethics of the CPCOC, we must first understand their role in the ecosystem. The AB is required to:

    • Authorize CMMC C3PAOs to conduct assessments
    • Accredit C3PAOs in accordance with ISO 17020
    • Authorize the CAICO (CMMC Assessors and Instructors Certification Organization) to certify CMMC Instructors and Assessors
    • Establish, maintain, and Manage the CMMC Marketplace
    • Oversee the CMMC Professional Code of Conduct

    Due to these roles the CMMC-AB has a variety of tools to limit Conflict of Interest

    • CMMC-AB Code of Ethics
    • CMMC-AB Conflict of Interest Policy
    • CMMC-AB Directors Agreement
    • CMMC Code of Professional Conduct
    • Contract with Department of Defense
    • CMMC-AB Audit, Ethics, and Compliance Committee
    • Security and Compliance Officer
    • ISO 170ii General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies

    These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.

    Duty to Disclose

    The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem, and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employment affiliations, and more. The AB will decide if, based on its role in the ecosystem, if that is a type of relationship that is okay, to be avoided, or risky enought to require mitigation.

    This document will explain your responsibilities to report conflict of interest.

    Red Lines for the CMMC-AB

    Based on the policies governing the AB, its members must not fail to disclose conflicts, have a vested interest in an C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, accept any gifts, or operate in a credentialed company within the ecosystem for the duration of one year after leaving the board.

    Shady Vendors

    As a member of the ecosystem, you face a barrage of emails. Many of these provide snake oil services or over-promise. As a small business, owners rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turn key services.

    Take your time. You do not need a Level Three Certification overnight. 2026 is still a bit far off. Until then, just grow the SSP and shrink the POA&M.

  • CyberSecurity Begins with Awareness and Training

    Bad Ragaz - Original Sin

    It always comes down to the humans. Even with the best security, the tiniest friction can cause all systems fail. That 2% of DNA separating us from chimpanzees really messes with your cyber hygiene.

    If you want security you need to focus on the biggest attack vector: people.

    The Cybersecurity Maturity Model Certification (CMMC) program revolves around a national awareness and training program to increase the validity and reliability of the cybersecurity hygiene for the Defense Industrial Base (DIB).

    Relying on self-assessments hurts the overall validity of an organization’s cyber hygiene, due to the scoring system for determining compliance. In NIST-SP-800-171 nor 171a, the methodology describes a scoring scheme. That model of having 110 points, and subtracting either 1, 3, or five points, came from the Defense Contracting Management Agency (DCMA). It did not work.

    Relying on self-assessments hurt the overall reliability of knowing if someone had achieved adequate compliance against NIST-SP-800-171. A lot of revenue depends on contracts from the Department of Defense that carry the 7012 clause. Many companies lacked experience or have had past success with a business development strategy of ignoring Department Defense mandates .

    We use the amount of data exfiltration from small manufacturers as proof of the failure. The daily ransomware attacks DIB companies face is further observable evidence that self-assessment does not work.

    CMMC requires us to realize cybersecurity isn’t just everyone’s job. Cybersecurity IS everyone. You must control your story, data, and identity. The people matter.

    In fact, the CMMC model requires an Awareness and Training Policy for Level Two (and thus Level Three, given the cumulative nature of the model):


    Establish a policy that includes Awareness and Training.

    So how do you build an Awareness and Training policy? You need to understand what people need to know, when they need to know it, and how you will prove they know it. This begins, like all learning, by definining key terms.

    What is Awareness?

    I can understand the dangers of swimming in riptides in the absence of the training to escape one. All employees must have an awareness of the threats your company faces.

    In fact NIST SP 500-172, defines awareness as

    sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them

    However, awareness—like swimming—does not equal training. In terms of cybersecurity, a company needs to have a general understanding of threats and cyber hygiene in order for it to grow. So, for example, while I may hang Controlled Unclassified Information (CUI) posters in the enclave to keep people aware of company policies, that does not equal a training program on selecting the correct shredder for the destruction of paper-based CUI.

    You may publish many of your policies in an employee handbook to make them aware of security issues. But you still need to train employees on how to execute these policies.

    What is Training?

    Awareness focuses on what, while training focuses on why and how. Training will take longer, and you as the learner will need to generate observable evidence of knowledge growth.

    What Type of Awareness Programs do my Employees Need?

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have an overall awareness of the threats CUI faces. All employees need an awareness of policies, standards, and procedures. This is often best covered in the Employee Handbook and Acceptable Use Policies.

    Your technical staff will need to understand the security risks associated with their activities to keep data safe. This, again, will require the development of Operating System awareness, and you may need to run multiple awareness programs for each major and minor technical system.

    Managers and system administrators need awareness of the applicable policies, standards, and procedures related to the security of the systems they oversee. This will include reference documents, a required tour of a wiki or database, and Security Technical Implementation Guides (STIGs).

    Some Awareness and Training requirements kick in at Level Two when we talk Cybersecurity Maturity Model Certification (CMMC):


    Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities, and of the applicable policies, standards, and procedures related to the security of those systems.


    Determine if:

    • [a] security risks associated with organizational activities involving CUI are identified;
    • [b] policies, standards, and procedures related to the security of the system are identified;
    • [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
    • [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

    To meet the assessment objectives of this practice you will need to provide multiple types of security awareness and training programs

    What type of Training Program Do My Employees Need

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have three domains of training. One domain is focused on your CUI policy, another on threat analysis, and another on your system, security, and roles.

    CMMC has an entire set of objectives on developing and deploying a CUI policy. In your training, you need to ensure your managers and technical systems engineers, or Managed Service Providers (MSPs), know how CUI is protected on your system.

    Your training around applicable policies, standards, and procedures related to the security of the system will need extensive documentation, and will include recognizing educational certificates and providing your own training related to your reference architecture.

    For example, take AT.2.057, which requires contractors to “ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. ” This will require operating system training specific to a company’s reference architecture. You will rely on different certificate programs to ensure your technical staff can stay current as technology changes. You will need multiple trainings for each of the operating systems deployed on your major and minor systems that store, transmit, destroy, or create CUI as the result of a government contract.

    What is the Purpose of my Awareness and Training Policy?

    The first objective of AT.2.999 establishes a policy that includes Awareness and Training, which requires you to have a purpose to your awareness and training policy. For Level Three certification, you need a mission and strategic goals. AT.3.997 requires contractors to “establish, maintain, and resource a plan that includes Awareness and Training” objectives b and c.

    We recommend you do this on company-wide scale, via a threat awareness and training program. Explore the threats, external and internal, you face. Analyze risks to your business and supply chain.

    Break employees into groups and have them draft threat analysis documents (this is a Level Four requirement, but wise to implement ahead of time). Then when you have a complete list of threats, have the groups craft mission and goal statements.

    You then work with the groups in a whole company setting to ensure your employees draft the kind of comprehensive policy statement you envision. Ownership builds awareness.

    Many mature and large organizations will have awareness and training policies developed. If this is the case for your organization, you should still conduct ongoing threat analysis discussions at the department level.

    At the end of the day, make sure folks are aware.

    Who needs Awareness and Training?

    Everyone. Awareness and training ensure policies and procedures become company culture. However, it is important to note that your managers, sales staff, and security engineers need different awareness and training.

    NIST Special Publication 800-16, “Information Technology Security Training Requirements,” recommends creating a role-based training matrix. You can combine this approach with CMMC requirements to create a full curriculum scope and sequence for your awareness and training program.

    In the first column of the Matrix, list all the user roles on your information systems. Include a row for “all.” You can group trainees by their roles as well.

    Then create four domains in your awareness and training program:

    • Employee Responsibilities,
    • Information System Policies,
    • CUI
    • Reference Architecture

    What kind of training an employee receives, and in which domain, depends on their role. For example, all employees may have to watch a training and certify they read the Employee Handbook and Acceptable Use Policies. You probably want a training on the email rules of your company for all employees.

    For Level Three CMMC Certification, you need to document what will be learned. In fact, Assessment Objective [e] of AT.3.997 requires you to document “the plan documents, activities, and due dates.” In your matrices, be sure to list the trainings, in addition to when due dates occur.

    Fill out the chart indicating when role-based awareness and training occurs, what it includes, and how it is assessed.

    Large companies may have an internal learning management system that may track many of these metrics. Smaller companies may have to contract with a vendor. If you purchase IT or security products from MSPs or vendors, try to negotiate a training package, or choose those you see as compliance partners.

    What should Awareness and Training Cover?

    Employee Responsibilities

    You need to cover the four domains of knowledge, but now you must also develop the scope of learning objectives and the sequence of training for the matrices.

    First begin with employee responsibilities by examining the everyday system-wide awareness and trainings all employees must receive. This includes the employee handbook, sexual harassment, legal compliance, company wide posters, CUI handling posters, and stickers. These are everyday business practices that require awareness and training.

    Then decide which of these policies need more than awareness and actual training. This could include a short video summarizing the employee handbook with a quiz. Employees often have to attend mandatory trainings with a supervisor.

    Once you have the list, decide if the subject requires awareness or training. Add it to the matrix.

    Controlled Unclassified Information

    As noted above, you must include awareness and training on the “security risks associated with organizational activities involving CUI are identified.” In other words, you need to develop a CUI Training Program.

    At Level Two of the CMMC, your company will need awareness and training on the internal threats faced by companies who have a legal right to handle Control Unclassified Information on behalf of a government contract.

    At Levels Two and Three, your awareness and training program must include your company policies on receiving, creating, labeling, disseminating, transmitting, storing, and destroying CUI. This policy should cover the specific workflows for handling this information. You will also need to include your Incident Response Training on handing CUI data spillage.

    At Level Four, your CUI awareness and training program should include recognizing and responding to threats from social engineering that can lead to advanced persistent threat actors, breaches, and suspicious behaviors; you will be required to update the training at least annually, as well as when there are significant changes to relevant threats.

    Information System Policies

    Then you will have company-wide information system policies, such as your password policy, email policy, device policy, how Multifactor Authentification works (please turn on MFA), et cetera.

    These Information System Policies apply to all employees, however, at this point you may have to start specializing. The account generation for your Mobile Device Management tools may vary from your payroll system. In fact, at this level you will start to specialize at the Operating System level.

    Different types of operating systems will require you to verify employee training through different certificates. If you deploy in Kubernetes in Azure or use S3 in WS Govcloud, each of those stacks has individual Security Technical Implementation Guides (STIGs) and certification programs.

    You must consider all the major and minor systems, the data that flows through them, and the laws and regulations that govern how that data is used and shared.

    As a contractor, you also will need to consider trainings on your acquisition team on what kind of service level agreements you need in your vendor agreements with regards to information and technology systems. Trainings need to include examining vendor agreements and SLAs to determine if proposed security solutions meet CMMC Level Three standards.

    Reference Architecture

    As Tom Cornelius from Compliance Forge notes, “You must see policy as a blueprint and not documentation. You are more an archtiect than a writer.”

    As an organization, you will need solid reference architecture on how you build secure systems that can handle a moderate baseline for the protection of Controlled Unclassified Information. You will have a set of documents that describe how to build the ideal environment for your use case. You will need awareness and training on how to use and update your reference architecture.

    Take configuration management for example. If you do not have a clear configuration management documentation and provide baseline training on using the necessary references, you will not have the basics of Access Control, the root of cybersecurity.

    Next, you can turn to the other domains in CMMC to determine the specifics of company-wide training policies.

    What other Domains Should Awareness and Training Cover?

    The Awareness and Training you provide must go well beyond the practices and process of the AT domain. In fact, according to Native Intelligence in a blog post on Amira Armond’s CMMC Audit, Awareness and Training needs to cover fourteen additional practices across five domains

    • Access Control (AC)
    • Media Protection (MP)
    • Maintenance (MA)
    • Physical Protection (PE)
    • Systems and Communications Protection (SC)

    How to Get Started on an Awareness and Training Plan

    Create an Instructional Leadership Team

    You first begin by designating who owns your awareness and training program. The Instructional Leadership Team should contain stakeholders across the organization and not just from IT or your security team (if you even have either position. The team could include your Information System Security Officer, CIO, CTO, information System Security Manager, human resources, facility security officer, or employees designated to serve on the instructional leadership team.)

    Craft Goals, Missions, and Objectives

    Your instructional Leadership Team then crafts your goals mission and objectives. This begins by a walkthrough through of your threat environment. Understand the common threats to the sensitive data you hold.

    You can have very generic goals, missions, and objectives for your trainings. You may want to consider utilizing the awareness and training domain to strengthen your talent across the board. However, you only need to track system security related training with CMMC.

    Determine Roles for Awareness and Training

    Next, the Instructional Leadership Team determines roles and responsibilities. Christina Reynolds of BDO-USA recommends using the RAC model: who is Responsible, who is Accountable, and who need to be Consulted. The goal is to create observable evidence that partially meets assessment objectives c, d, and g of AT.2.999

    ” the roles and responsibilities of the activities covered by this policy are defined; (i.e., the responsibility, authority, and ownership of Awareness and Training activities);”

    “The policy establishes or directs the establishment of procedures to carry out and meet the intent of the policy;”

    “the policy is endorsed by management and disseminated to appropriate stakeholders; and “

    So you develop a matrix of roles and responsibilities. Include general users, data owners, system owners, and members of the Instructional Leadership Team. Make a column for each.

    Then, in the rows include who must complete training, who develops the training program, who agrees to acceptable use policies, who decides which roles get what training, who completes role based training, and who is responsible for record keeping.

    Establish Company-wide Baselines

    Now, decide what basic training every employee must have. This will include your awareness activities, employee handbooks, email policies, acceptable use policies, etc. You may include optional training on overall threat awareness and common attack vectors, such as phishing.

    The goal is to establish the bare minimum of security awareness you want with your employees. This wil usually include a variety of trainings like company wide meetings, video on-demands, or online learning.

    Develop A Training Matrix

    Now that you have a baseline of security awareness and training you want for employees, you next decide on specialized roles, and create a role-based training matrix. People in specialized roles and management positions will need additional training over and beyond what every employee recieves.

    You need to group people into roles based on functions in the workplace.

    Then create a list of topics, which includes items such as:

    • CUI
    • Email
    • Threat Awareness
    • Media Protection
    • Passwords
    • Mobile Devices
    • Access Control Policy
    • Reference Architecture
    • Crafting Service Level Agreements
    • etc

    You then decide based on the number of roles created by your Instructional Leadership Team which group gets what training.

    Develop Company Wide Awareness and Training Rubric

    Next the Instructional Leadership Team needs to define success metrics for your awareness and training program. In terms of CMMC, it is important to know if a plan really does not kick in until Level Four process requirements, but you cannot have a compliant training program at this Level without evidence of learning gains.

    The evidence of awareness and training success, like all compliance data, can fall into one of three categories: interview, observe and test.

    First, you want to understand if your awareness and trainign impacts your operational security. Indicators could include reduction in down time, increased phishing test success rates, and incident reporting. If you can not automate these metrics, you can have the Instructional Leadership Team rate them on a four point likert scale.

    You also have training program metrics, such as the frequency of training programs, learner performance, attendance, and learner feedback. You should check with your state on the requirements to protect and retain employee training data.

    Evaluate Content

    Now you have to choose content that will align your role based matrices with your required learning matrices. It will probably be cheaper to purchase curriculum than to develop it in-house. However, when you pay for an instructional designer to develop your program, you can align the program to your company culture and workflow.

    The majority of cybersecurity training is video-based garbage designed to allow you to check off a compliance box about providing training. Develop or utilize a rubric for evaluating curriculum. You may consider hiring a consultant to help you evalaute curriculum. At the very least, choose your networks from word of mouth.

    Create Deployment and Evaluation Schedule

    Next, you must create a scope and sequence guide for your curriuclum. This document includes the objectives of your chosen curriculum, how those objectives will be measured, when the curriculum will be delivered, and who will evaluate the result. You can include information about awareness and training.

    For awareness, you could include the posters you hang and monthly security reminders that are delivered by email. The awareness program occurs all the time, and for all users.

    For training, this again will be a role-based document. Many people may end up including the role-based matrix in the scope and sequence of the curriculum.

    Craft Awareness and Training Plan Compliance Documentation

    Finally, you will need to create a way to document your awareness and training program, so you organize observable evidence in a way that would not require a CMMC assors to make any inferences about your program. Spell out how you meet each requirement in your Policy, Procedures and Plans. If you followed the path above, you will have the majority of the required documentation already.

    Now, as your goal you must include the procedures you have decided upon for your Awareness and Training Policy, in addition to how you plan to include the metrics from your Awareness and Training in both your System Security Plan (SSP) and your Awareness and Training Plan.

    Create a policy for retaining security training records. Create the procedures to make sure this happens.

    Include a table in your policy that explicitly addresses all of the required Awareness and Rraining in a practice or assessment objective. Then, in your SSP, reference this policy and include two pieces of observable evidence that the assessment objectives have been met.

    For example, you need to include training of internal threats at Level Two of CMMC. This means that for Level Three compliance, you must demonstrate you provide this training. Explicitly spell this out, in addition to any required training in your Awareness and training Policy and Procedures.

    For many companies, beginning with the Awaress and Training domain may provide a great launching point for your CMMC journey.

    Meet CMMC Compliance through Awareness and Training

    Can you complete your SSP as you utilize and also reach compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

    Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes this difference.

    Christina Reynolds co-authored this post in the guidance she provided in how to craft Awareness and Training Policy

    Featured Image: “Bad Ragaz - Original Sin” by Kecko is licensed under CC BY

  • Roots of CyberSecurity

    So many people complain bout the forest and trees in the world of cybersecurity. Some look to the trees and can write 5,000 word essays pulling about the etymology of a single word. They never see the forest.

    “Forest Turnover” by Nicholas_T is licensed under CC BY

    Others claim cybersecurity frameworks such as the Department of Defense’s Cybersecurity Maturity Model Certification will rise only to find itelf destined to fail. These critics note a piling up of assumptions and technical debt. They point to the Forest of compliance efforts like ISO or unjustly complain SOC2 compliance comes from gumball machines. They never take the time to see the trees.

    “Tree” by T

    Yet we need to stop worrying about the forest and trees of CMMC. Cybersecurity happens underground, through your culture. You must grow cyber hygiene in rich soil. Do not look to the forest or the trees. Instead get to the roots of cybersecurity and the fungus that keeps it alive.

    Roots of Cybersecurity

    The root system of any tree expands 20 times the size of the canopy. Often when we think trees have died around us, being returned to the earth by, you guessed it fungus, the trees go on living underground. Their roots living for years, decades, possibly centuries keeping other trees alive. Connected through a network of fungus.

    “DSC01648” by Clearly Ambiguous is licensed under CC BY

    We must see cybersecurity as a symbiotic relationship between the public and the private sectors. You as a business owner need to understand that without some basics you can never secure sensitive data, and if you can’t secure sensitive data you will never get past the basics.

    Around 90% of land plants thrive in mutually-beneficial relationships with fungi. Yet we do not see it. The mycelium, network of fine white filaments that make up the vegetative part of fung, exist out of sight. It just happens. We need this in cybersecurity.

    “Mushroom, NCI Sourdough trail” by furtwangl is licensed under CC BY

    Symbiotic relationships.

    The plants and trees allow the fungus to siphon off food and the fungus help the plants eat, act as a network of advanced persistent threat, and fight of pests. In a cubic inch of soil you can find 8 miles of mycelium. We must get to a similar state of cybersecurity, hidden underground protecting our networks.

    To deliver food plants provide fungi with carbohydrates. The fungi suck up water, and provide nutrients like phosphorus and nitrogen, via their mycelia.

    The fungi also create a network to support each other. Paul Stamets, back in 1970 compared the mycelia of root systems to ARPANet, what we now call the Internet. Further According to Suzanne Simard older trees adjust the fungal network to help younger trees. They can redirect carbon they collect in their canopies to children of the forest floor who hide in the shadows. Protected by larger organisms.

    “Rhizomic” by mikecogh is licensed under CC BY

    The Wood Wide Web, also like cybersecurity provides advanced persistent threat analysis. When fungus in the roots recognize a threat they trigger the production of defense-related chemicals. These make later immune system responses quicker. When one tree gets attacked by harmful pests or deadly fungi, the mycelium can set off a chemical response in the root system to warn other trees.

    We need to get to the roots of cybersecurity and this this includes five elements. You must do every one of these first.


    First in terms of Governance who owns your data, who owns your systems, who maintains the System Security Plan? The mycelium under the trees acts as a microbial neural background. The management.

    When you look at mycelium and a node breaks the network moves around it. You must have a plan to handle cybersecurity and know who will enforce policies.


    Fungus migrated from the sea to land millions of years before plant life. The acids they produce broke down calcium in the rocks and produced soil. Your policy does the same thing.

    The fungi worked by acting as carbon sinks. Fungus got the system working just as your policy is required for cybersecurity. In fact you should begin with writing a policy of how your company writes policy. You may in fact have a ton of existing policy but you can not protect what you don’t know you have.


    After the great extinction event that killed the dinosaurs the fungi inherited the earth. They could grow in the dark and even use radiation as food. The largest mycelium organism sprawls across 2,200 acres of Oregon and has lived before the time of the Christian Era. You need to know the spread of sensitive data, endpoints, and people.

    Have you counted them all? If you do not have a solid inventory system you can not have security. You need to know how sensitive data spread through your network for without an inventory it will spread like a rhizome, like mcyelliumn

    Access Control

    Paul Stamets has long argued that the Internet just provides proof of concepts that already exist. The mapping of Internet traffic and Dark Matter all reflect the mapping of the rhizomatic spread of the rhizome.

    You will need to keep a compliance machete at the ready to control access to sensitive data. Fungus act gateway species. Stamets note they let other life in. In fact he creates physical and logical barriers of mycelium downstream from farm to remove excess fertilizer and deadly diseases like e. Coli.

    Awareness and Training

    As he studies the fungus of the world Stametz tries to preserve the genome. In fact in collaboration with the Department of Defense they discovered five ancient and almost extinct fungi in the old growth forests that could help fight poxxed based diseases.

    Ancient forests in China contain fungi that fight Flu and SARS.

    Saving our old growth forest is a matter of national security. Just like your cyber security.

    Let’s get to the root of the issue



  • How do you use the Discussion Section of the CMMC Assessment Guides?

    Great post from Alex Johnson on the difference between the discussion and requirements of CMMC practices.

    “I want to offer some information to those who may be struggling with understanding what options are available to you regarding the implementation of NIST SP 800-171 and CMMC requirements or practices.

    NIST SP 800-171 Section 2.2 contains the following:

    “A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. “

    The bottom line is that you have options. The discussions are not telling you exactly what you have to do. Rather, they are helping you to understand the essence of what the requirement is. There are a few discussions that are normative, but only a few.

    A great example of this can be found in MP.2.119 (3.8.1). These assessment objectives require you to physically control and securely store media containing CUI. The discussion indicates that “physically controlling system media includes conducting inventories.” However, that is not a requirement based on NIST SP 800-171 Section 2.2.

    I hope this helps some who may “extend the scope of a requirement” based on the discussion section.”

    Alexy J. on LinkedIn: I want to offer some information to those who may be struggling with linkedin.com


  • Sample AWS Templates for incident respone.

    GitHub - aws-samples/aws-incident-response-playbooks github.com

  • CMMC Essesntials Mocktini Recipes

    Moonlight Maze Martini


    • 2 oz cranberry juice
    • 1 oz fresh lime juice
    • 5 oz club soda, seltzer or citrus sods like 7-up
    • splash oj
    • lime wedges for garnish, or orange peel for garlish
    • sugar for frosting glass
    • ice
    ### Directions
    • Pour ice into a shaker or tall glass.
    • Add cranberry juice, fresh lime juice and club soda. Shake to combine.
    • Run a lime wedge over the outside rim of a chilled martini glass. Pour sugar onto a small plate or flat surface.
    • Dip the rim of the glass into sugar until covered with a thin border.
    • Strain carefully into a chilled martini glass. Add a splash of OJ Garnish with lime or orange peel.

    Olympic Games Gimlet


    • 3 sage leaves
    • ¾ oz lime juice
    • ¾ oz simple syrup
    • ice


    • Into a cocktail shaker, add 3 sage leaves, the lime juice, and simple syrup.
    • Add ice to your cocktail shaker, then shake for 20-30 seconds.
    • SIf desired, add a sage leaf to the top for garnish.

    KillDisk Daquari


    • 2 large strawberries, hulled
    • ¼ cup white sugar
    • 1 tablespoon lemon juice
    • splash oj
    • ¾ cup chilled lemon-lime soda
    • 4 cubes ice


    • In the container of a blender, combine the strawberries, sugar, lemon juice and lemon-lime soda. Add the ice and blend until smooth. Pour into a fancy glass to serve.

    Nitro Zues Zombie Apocaylpse


    • 1 oz. Passion Fruit Syrup
    • 4 oz. Pineapple Juice
    • Splash of Lime Juice
    • Splash of Vanilla Syrup


    • Shake/Strain and Garnish!

    Telvent Tonic


    • 1.50 oz Monday Zero Alcohol Gin
    • 1.50 oz cranberry juice
    • .50 oz lime juice
    • .50 oz simple syrup
    • 2-3 oz tonic water


    • Combine all the ingredients except tonic water in a shaker with ice.
    • Shake and strain into a tall glass with ice. Top with tonic water.
    • Garnish with rosemary or cranberries if desired.

    Header Image: Relief. jgmac1106 shared under a CC BY a remix of “Martini 02” by Tom Hilton is licensed under CC BY and “Python Source Code” by joncutrer is licensed under CC0

  • Leslie Weinstein Joins Southern's CMMC Team as an Academic Advisor

    When you need quality you have to seek out talent.

    Southern Connecituct State University announce that Leslie Weinstein has joined the instructional design team as an outside Academic Advisor working content validity for our Cybersecurity Maturity Model Certification course.

    Leslie, a Major in the Army Reserves, works directly with the Army Chief Information Officer. In 2019 Major Weinstein founded CMMC Consulting, LLC in response to industry demand for accurate and timely information regarding the CMMC implementation efforts. She has designed a CMMC preparation methodology that focuses sharply on preparing companies to undergo the actual CMMC assessment.

    While on Active Duty with the Army, Leslie has served at the Defense Intelligence Agency, U.S. Cyber Command, Army Headquarters, and Afghanistan with the 101st Airborne Division (Air Assault). In between tours with the Army, Leslie also served the Department of Defense as an Army civilian and policy analyst supporting DoD Chief Information Officer (DoD CIO), Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)), and the Air Force A2.

    Leslie served as a National Security Fellow at the Foundation for Defense of Democracies in 2019, in addition to being a member of the Truman National Security Project’s Class of 2021 Defense Council cohort. She holds a Bachelor of Science in Management of Information Systems from the University of Alabama in Huntsville, a Master of Science in Strategic Intelligence from the National Intelligence University, and a Master of Business Administration from Cornell University.

    As a member of the curriculum team, Leslie will work with our expert panel on validating our objectives. Through in-depth discussions and iterative rounds, this panel will work to decide what body of knowledge an objective measures, how relevant that objective is to a matched objective, and how important the objective is for us to teach.

    Weinstien will also apply her experience in assisting over 100 defense contractors to meet regulatory cybersecurity requirements. By reviewing our Controlled Unclassified Information scenario trainings with her expert eye, she will develop specialized training to aid in the understanding and adoption of cybersecurity regulations.

    Leslie Weinstein hosts a successful and popular CUI podcast “Ooey Cooey.” Everyone who wants to understand CMMC should check out the show. Otherwise you will feel like a guinea pig spinning around the endless compliance wheel.

    If you would like to learn from Leslie Weinstein, and our herd of experts you should join the CMMC Essentials class organized by Southern Connecticut State University and CyberDI.

    We launch module one today, so make sure to register today.

  • Overview of Module Zero Kick Off: Do I need a Gap Analysis?

    Gran Canyon

    Imagine going to the Grand Canyon and paying a tour guide to point out holes in the ground.

    It sounds stupid, I know, but many companies do something like this by paying for a Gap Analysis. You already know your hygiene needs help; you don’t need to pay someone to tell you this.

    If you cannot tell me the number of contracts you have with a 7012 clause, tell me the number of endpoints you possess, or tell me the number of people you employ, then you will be throwing away money on a Gap Analysis.

    I brought this perspective to the CMMC Essentials III Kick Off yesterday and Vincent Scott pushed back but RJ Williams noted that Vince described what he would call a remediation plan.

    No clear definition exists in the community for the meaning of a Gap Analysis.

    The conversation began when I discussed my trouble in determining the best way to teach the Domains in the CMMC CCP class. In my mind, I thought it would be best to teach the exact way our future CCP comrades would conduct assessments to help companies get to -171 and CMMC compliance.

    Our class specifically focuses on the roots of cybersecurity before we even talk about Domains, Practices and Processes. Still—needing to cover 17 Domains, 130 Practices, and 705 objectives in one class presents a daunting task.

    So I threw out this idea: what if we take CSF Cybersecurity Framework as a lifecycle approach and use that on your CMMC journey? Enough folks have mapped the objectives. Yet, you end up just confusing folks.

    Cybersecurity frameworks are like religion. If you try to unify two, you just end up with a third.

    This sparked a thinking exercise between Richard Dawson, Lisa Lancor, myself, RJ, Vincent, and Jim Goodrich on how one could combine the roots of cybersecurity with a lifecycle approach.

    (Christina Reynolds of BDO wrote the best life cycle approach to CMMC that I have seen to date)

    screen shot of cycle that is described below

    We arrived at a rough sketch. The cycle begins with plan from a business awareness perspective. This means knowing your revenue from 7012 clause contracts, understanding the risks and threats used to attack sensitive data, and encouraging as many of your employees to learn about CMMC.

    Following this, you do not hop right into a Gap Analysis. Conduct your formative assessments before a summative test to ensure you pass CMMC. You need a system to help you grow. The development of this system begins with a scoping assessment. The average small business cannot do this step alone.

    To begin, you should know which contracts have CUI. Familiarize yourself with the vendors that may fall within your scope. You should also have a rough sketch of your CUI data flow. Once these things are in order, then it is time to engage a professional.

    In the picture, remediate came after Gap Analysis. We meant to switch this around, but I never did. Here you complete a self-assessment, or better yet, utilize a compliance package to guide your journey and remediate the stuff you can by yourself. Focus on the People and the Process.

    You may do this step a number of times. 2026 is a bit far off. You do not need to invest in all of this in one year. Grow your SSP, and shrink your POA&M, over the course of a year or two.

    Then, when you feel your organization is approaching CMMC readiness, your company should start a formal Gap Analysis. Again, there is no point in paying people to point out the holes you already know exist.

    Overall, we had such a wonderful Module Zero launch and I am super excited about the new learners joining the class. RJ, Jim, and Kevin gonna fit right in. Our crew is rolling up to almost 30 deep now.

    We start module one on Thursday, so if you want to join check out Southern Connecticut State University.

    CMMC may make you want to jump into the Grand Canyon. But if you take a step back, breathe, and focus on growing your SSP while shrinking the POA&M over a period of time, life will be okay.

    And please turn on MFA.

    “grand canyon 2” by airlines470 is licensed under CC BY-SA

subscribe via RSS

All content, unless otherwise notes, is licensed with a CC-BY