  • Announcing our approved curriculum. Check out the table of contents.

    Number 12

  • CMMC Infographic Number 12: Policies and Procedures

    What policies and procedures should you have as evidence during a CMMC Assessment?

    CMMC Policy and Procedures from NIST for a 171 assessment

    CMMC Infographic 11

  • CMMC Number 11: Infographic: CUI Marking Guidance

    This one is more of a fail. Too dense with information. I need to split the documentation in the top half from the examples in the bottom half.

    pdf version //jgregorymcverry.com/readingsC…

    Number 10

  • Number Nine

    Dropping Number Ten in the #CMMC 30 Day Infographic Challenge

  • Number Eight

    Number Nine in the Series

    Talking MFA. Please turn on MFA

  • Number Seven

    Here is number Eight in the series: An intro to FedRAMP

  • Number Six

    Seven in the series: Internal Threats

    pdf: jgregorymcverry.com/readings/…

    Infographic of internal threats. Link to screen-readable PDF below.

  • Number Five

    Number six in the series: Asset Categorization

    PDF: jgregorymcverry.com/readings/…

  • Number Four

    Fifth in the series: ABCs of DFARS 7012

    Infographic; screenreader-capable PDF link below.

    pdf: jgregorymcverry.com/readings/…

  • Number three

    Technically I think these last two are out of order of publication. I may switch. Prolly not. Goal is 30 infographics in thirty days.

    pdf: jgregorymcverry.com/readings/…

    Infographic; screenreader-capable PDF link above.

  • Number Two

    Number three in the series: DFARS Interim Rules

  • Number One

    Number Two in the #cmmc series “Workstations and Controlled Environments”

    pdf: jgregorymcverry.com/readings/…

  • First #cybersecurity infographic about FIPS encryption and #cmmc. Trying to complete a 30 day infographic challenge as my 2022 kickoff #clmooc

    infographic of FIPS 140

    PDF: jgregorymcverry.com/readings/…

  • Asset Categorization and CMMC

    Many Certified CMMC Professionals (CCPs) will find the Configuration Management domain one of the trickiest for organizations seeking certification to implement. Yet you have to ensure all employees have secure equipment from the starting line. By spelling out clear rules of the road through policies and procedures you can ensure all clients

    The 11 practices, six from level 2, three from level 3 and one level five requirement, focus on how an organization deploys, sets up and manages systems, devices, software, networks and hardware. Specifically, they focus on an organization’s ability to have a configuration baseline and practices to audit this configuration and introduce changes.

    Why Configuration Management

    A CCP will want to work with clients to develop configuration management policies and procedures to mitigate security risks. You cannot eliminate vulnerabilities and reduce the costs of systems maintenance without good configuration management. Every device you give an employee, every network router, and every switch needs to follow a specific setup in a consistent manner. A Certified CMMC Professional will need to work with a client to manage all changes. This will require organizations seeking certification to develop a defined change control process.

    Imagine if you allowed employees to simply go online and order a laptop. How would you know what Operating Systems get used? Will you know if they update the computer? Which anti-virus software comes installed?

    Configuration management limits these issues. A company must have a standard baseline image, not just for devices but for all the endpoints. Your configuration management and change logs need to track the software version, any hardware or software installed, ports that get opened or blocked, and protocols for vulnerability scanners that the user does not control.

    Configuration Management takes deep technical knowledge. A CCP will need to work with software documentation, vulnerability scanning software, STIGs, reference architecture from an external service provider, or often a checklist of steps to follow.

    In fact, talented CCPs will see configuration more as a lifecycle approach rather than a simple security management checklist. This lifecycle moves a system from the concept of operations through vulnerability scanning, change management, operations, and decommissioning. As a system matures the people in a company will come and go. New technologies will emerge. A CCP can help clients address these problems by ensuring they have a consistent change management policy through the lifecycle of the system that boils down to system hardening, change management, and change management processes.

    You cannot accept the defaults. Rarely will products come out of the box secured to a NIST-SP-800-171 baseline. A CCP will work with clients to ensure service packs get updated, unnecessary features get deactivated, account provisioning stays in compliance, and all firewalls and automatic updates get set up. If an organization seeking certification inherits many of these practices from an external service provider such as an MSP or IT firm, the CCP will need to review the shared responsibility matrix.

    The configuration management lifecycle requires a focus on change management. You must ensure systems remain stable and employees cannot make changes without privileged access. As a CCP make sure clients include change management in their configuration policies. An Organization Seeking Certification must have a formal review process for all proposed changes. This should include regularly scheduled reviews and an emergency process for installing critical patches. Only these proposed changes should get made. Finally, a CCP should ensure a client has procedures in place to re-assess their baseline settings and to evaluate if they should change.

    In order for these first two elements of the configuration management lifecycle to occur a CCP will need to assist companies in tracking the process through change logs. This includes having a change request process, evaluating the risk of the change, an approval process, testing the change, evaluating if employees need new training, implementing a baseline, validating the baseline, and then finally documenting the change.

    Many of the changes to a system happen through software updates and patches released by a vendor. Therefore, change management processes must address how a company handles patch management. A CCP should work with organizations seeking certification to ensure the configuration management policy addresses patching.

    Configuration Management provides recognized, standardized, and established benchmarks that spell out the procedures a company must follow to secure their systems and metrics.

    Practices of the Configuration Management Domain

    The following security requirements fall under the Configuration Management family:

    3.4.1 Establish and maintain baseline configurations and inventories of organization information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

    A company must have a baseline approved by management to meet the assessment objectives under this practice. A CCP will have to work with their clients to ensure the baseline configurations get developed, documented, and maintained for each system. This means identifying all the systems that handle FCI or CUI, monitoring these endpoints, and configuring these endpoints so the baseline configuration meets 171 compliance before user access.

    This requires a system development life cycle spelled out in your configuration management plan. You must provide the foundation for the successful development, implementation, and operation of company information systems.

    A Certified CMMC Professional has an ethical obligation to include staff on the team who possess security expertise and skills, to ensure that needed security capabilities are effectively integrated into configuration management utilizing best practices in reference architecture. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the company’s business processes. This process also enables the integration of the information security architecture into the enterprise architecture, consistent with company risk management and information security strategies.

    The configuration management domain lives and dies based on good document-based artifacts. As a Certified CMMC Professional working with clients to integrate a lifecycle approach you may have to assist clients in developing or curating specifications such as:

    • configuration management policy
    • procedures addressing the baseline configuration of the information system
    • procedures addressing configuration settings for the information system
    • configuration management plan
    • security plan
    • enterprise architecture documentation
    • security configuration checklists
    • evidence supporting approved deviations from established configuration settings
    • change control records
    • information system audit records
    • information system design documentation
    • information system architecture and configuration documentation
    • information system configuration settings and associated documentation
    • other relevant documents or records

    The technical members of a Certified CMMC Professional’s team will need to work closely with employees who have configuration management responsibilities, security configuration management responsibilities, and network administrators. Again, for many organizations seeking certification this may be an IT company or Managed Service Provider with these roles. In this case you must also ensure the shared responsibility matrix or teaming agreements handle baseline configuration, change processes, audit logs, and patching procedures.

    A CMMC assessor will want to see these employees or service providers conduct the following tests:

    • processes for managing baseline configurations
    • automated mechanisms supporting configuration control of the baseline configuration
    • processes for managing configuration settings
    • automated mechanisms that implement, monitor, and/or control information system configuration settings
    • automated mechanisms that identify and/or document deviations from established configuration settings
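    An added example (not from the original post or any CMMC tool) of the last test above: an automated check that compares an endpoint inventory against the management-approved baseline and classifies each difference against the approved-deviation records. The baseline, the scan output and the change-control tickets are all constructed sample data; the baseline also carries the listening-port inventory that 3.4.6 and 3.4.7 later require.

```python
"""Baseline deviation check for an endpoint (NIST SP 800-171 3.4.1 / 3.4.2).

Compares the inventory observed on a device against the baseline that
management approved, then checks each difference against the approved
deviation records (the "evidence supporting approved deviations" artifact).
Every value below is constructed sample data, not taken from a real baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed baseline for a "CUI workstation" role: OS, package versions,
# services that must stay enabled, and the only ports allowed to listen.
BASELINE = {
    "os": "Windows 11 Enterprise 22H2",
    "packages": {"office": "16.0.1", "edr-agent": "4.2.0", "vpn-client": "3.1.5"},
    "services_enabled": {"edr-agent", "windows-update", "vpn-client"},
    "listening_ports": {"443/tcp"},
}

# Constructed scan result from one workstation (hypothetical inventory tool).
SAMPLE_OBSERVED = {
    "os": "Windows 11 Enterprise 22H2",
    "packages": {"office": "16.0.1", "edr-agent": "4.1.9",
                 "vpn-client": "3.1.5", "screen-recorder": "1.0"},
    "services_enabled": {"edr-agent", "vpn-client"},
    "listening_ports": {"443/tcp", "3389/tcp"},
}

# Constructed change-control records approving specific deviations until a date.
SAMPLE_APPROVED = [
    {"setting": "listening_ports:3389/tcp", "ticket": "CR-0042", "expires": date(2024, 12, 31)},
    {"setting": "packages:screen-recorder", "ticket": "CR-0051", "expires": date(2023, 6, 30)},
]


@dataclass
class Deviation:
    setting: str                    # e.g. "listening_ports:3389/tcp"
    expected: Optional[str]         # value in the baseline, None if absent there
    observed: Optional[str]         # value on the device, None if absent there
    status: str = "unapproved"      # "approved", "approval expired" or "unapproved"
    ticket: Optional[str] = None    # change-control record that approved it


def diff_inventory(baseline: dict, observed: dict) -> list:
    """Return one Deviation per setting where the device differs from the baseline."""
    found = []
    if baseline["os"] != observed["os"]:
        found.append(Deviation("os", baseline["os"], observed["os"]))
    # Packages: union of both lists, so downgrades and unapproved installs both show.
    for name in sorted(set(baseline["packages"]) | set(observed["packages"])):
        exp = baseline["packages"].get(name)
        obs = observed["packages"].get(name)
        if exp != obs:
            found.append(Deviation(f"packages:{name}", exp, obs))
    # Set-valued settings: the symmetric difference catches a disabled required
    # service as well as an extra listening port.
    for group in ("services_enabled", "listening_ports"):
        for item in sorted(baseline[group] ^ observed[group]):
            exp = item if item in baseline[group] else None
            obs = item if item in observed[group] else None
            found.append(Deviation(f"{group}:{item}", exp, obs))
    return found


def classify(deviations: list, approved: list, today: date) -> list:
    """Mark deviations a change-control record approved, and whether that lapsed."""
    by_setting = {rec["setting"]: rec for rec in approved}
    for dev in deviations:
        rec = by_setting.get(dev.setting)
        if rec is None:
            continue                # no record at all: stays "unapproved"
        dev.ticket = rec["ticket"]
        dev.status = "approved" if rec["expires"] >= today else "approval expired"
    return deviations


def audit(baseline: dict, observed: dict, approved: list, today: date) -> list:
    """Full check: diff the inventory, then apply the approved-deviation records."""
    return classify(diff_inventory(baseline, observed), approved, today)


def needs_action(deviations: list) -> list:
    """Settings an assessor would flag: unapproved, or approval has expired."""
    return [d.setting for d in deviations if d.status != "approved"]


def sample_audit() -> list:
    """Run the check on the constructed data as of a fixed audit date."""
    return audit(BASELINE, SAMPLE_OBSERVED, SAMPLE_APPROVED, date(2024, 3, 1))


if __name__ == "__main__":
    for d in sample_audit():
        print(f"{d.setting:34} expected={d.expected!s:10} observed={d.observed!s:10} "
              f"{d.status} {d.ticket or ''}")
```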

    3.4.2 Establish and enforce security configuration settings for information technology products employed in organization information systems.

    This practice requires companies to bake security into their configuration management plan. A CCP must work with their clients to ensure assets only have features and capabilities that allow them to do their job. A good configuration management policy reflects the most restrictive settings that still allow a business to operate. Like any element of configuration management, changes to security tools must get approved, tested, and documented.

    Once again a CCP will need to ensure a company has strong document based artifacts to meet the assessment objectives of this practice. These specifications can include:

    • configuration management policy
    • procedures addressing the baseline configuration of the information system
    • procedures addressing configuration settings for the information system
    • configuration management plan
    • enterprise architecture documentation
    • information system design documentation
    • information system architecture and configuration documentation
    • security configuration checklists
    • evidence supporting approved deviations from established configuration settings
    • system audit records
    • change control records
    • other relevant documents or records

    A CMMC Assessor will want to interview the same people and observe many similar tests for this practice as well as for the other practices in this domain.

    3.4.3 Track, review, approve/disapprove, and audit changes to information systems.

    To ensure a company meets this practice a Certified CMMC Professional should first identify the IT leadership employees who act as a review board. All changes must get approved and logged to have enough evidence for the assessment objectives. By building in a set time for the review board to meet you can help clients meet the requirements. You also need to make sure these changes get documented in IT asset management policies.

    Numerous changes must get documented. These include modifications to hardware, software, or firmware components and configuration settings. The change process cannot interfere with information system operations. Thus testing needs to reflect company information system security policies and procedures rather than product default features. Overall a company wants to protect against specific health, safety, and environmental risks. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). Changes to information systems should be reviewed and approved by company management prior to implementation. Beyond the evidence collected for the other practices in this domain a CCP may also want to consider:

    • change control records
    • information system audit records
    • change control audit and review reports
    • agenda/minutes from configuration change control oversight meetings
    • other relevant documents or records

    Beyond the other individuals interviewed to gather evidence a CCP will want to speak with or help to establish a change review board. A CMMC assessor will want to observe tests on processes for configuration change control and automated mechanisms that implement configuration change control.

    3.4.4 Analyze the security impact of changes prior to implementation.

    You cannot simply introduce new software and changes to a company’s IT system without involving the people who hold information security responsibilities, such as Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers. Once again for many organizations seeking certification this will involve including external service providers that do IT and security. No one department or person could track the endpoints and software across an entire organization.

    When a change gets proposed a process or control board must evaluate the security impact. The review process must have clear testing procedures. Many manufacturers will have a change control board or process as part of their Quality Management System for other certifications such as ISO 9001. A CCP should work with a client, who may not have dedicated IT staff, to meet these requirements using already existing processes. Tracking IT changes using the same process will save companies money and increase security.

    A CMMC assessor will want to ensure the effectiveness of these tests. They must consider if the changes impact compliance with other 171 requirements. All configuration changes should then get tested, validated, and documented on a subset of devices or in a staging environment before installing them on the operational system.

    This again comes down to the importance of the change review board and of clear policy and repeatable procedures with a plan to monitor, meet, and document testing and changes.

    3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

    Zero trust means little once a malicious or unintentional internal threat has access to your servers and networks. You will need to track and log physical access to key physical areas where changes to the system can get introduced. This will often involve a key card and audit logs. As a CCP work with organizations seeking certification to ensure these areas get clearly marked and penalties for unauthorized access get spelled out in an employee handbook.

    For logical access you must consider the implications and how to track who can make security changes to a client’s boundaries. Modern identity management software can require approval, set time bound windows, send notifications to the control board, have role based access and many more features to monitor changes to logical boundaries.

    For both physical and logical restrictions always ensure to keep the practices of least privilege in mind.

    Beyond the other document-based artifacts already collected for this Domain a CCP must also consider:

    • logical access approvals
    • physical access approvals
    • access credentials
    • change control records
    • information system audit records
    • other relevant documents or records

    A CMMC assessor will want to interview employees with logical and physical access. They will need access to employees with information security responsibilities and network administrators.

    The assessor will want to see these employees demonstrate automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system.

    3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

    An employee of a client will not need minesweeper and every Instagram photo filter on their computer in order to do their job. Simply put, an Organization Seeking Certification must configure technology so employees only have the functions needed to keep the system and business operational. A CCP will need to work with a client to identify and remove/disable applications, ports, protocols, services and settings on their systems. This often means imaging machines to remove or add to default settings.

    If a client a CCP works with does not use VoIP, then disable the ports VoIP uses.

    A CCP will utilize a variety of evidence for document-based artifacts. They should note that an inventory of ports gets included in the System Security Plan. A CMMC assessor will want to observe a test on the processes prohibiting or restricting functions, ports, protocols, and/or services.

    3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

    This practice relates closely to 3.4.6, and like many relies on strong IT Asset Management. A company, however, must explicitly define how they limit ports and protocols to those necessary to provide the service needed for continuation and security. You may disable FTP, for example, or remove applications from a device before granting access. Once again this inventory of ports and programs must get included in the SSP.

    In fact companies should consider disabling unused or unnecessary physical and logical ports/protocols such as Universal Serial Bus (USB), File Transfer Protocol (FTP), and Hyper Text Transfer Protocol (HTTP) on information systems to prevent unauthorized connections. As a CCP you may have to help an organization seeking certification evaluate companies that can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections. Firewalls and host-based intrusion detection systems that identify and prevent the use of prohibited functions, ports, protocols, and services can also help mitigate much risk. As a CCP help clients gather evidence from typical document-based artifacts that include:

    • configuration management policy
    • procedures addressing least functionality in the information system
    • configuration management plan
    • security plan
    • information system design documentation
    • information system configuration settings and associated documentation
    • specifications for preventing software program execution
    • security configuration checklists
    • documented reviews of functions, ports, protocols, and/or services
    • change control records
    • information system audit records
    • other relevant documents or records

    A Certified CMMC Professional will need to work with employees with responsibilities for reviewing functions, ports, protocols, and services on the information system, and with network administrators. Together make sure observable tests can get performed on:

    • processes for reviewing/disabling non-secure functions, ports, protocols, and/or services
    • automated mechanisms implementing review and disabling of non-secure functions, ports, protocols, and/or services
    • processes preventing program execution on the information system
    • processes for software program usage and restrictions
    • automated mechanisms preventing program execution on the information system
    • automated mechanisms supporting and/or implementing software program usage and restrictions

    3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

    This practice builds on top of 3.4.7 but requires companies to maintain a list of approved software and a list of software denied to all or requiring an exception. In fact many organizations go beyond the minimum of this control and verify the integrity of approve-listed software programs using cryptographic checksums, digital signatures, or hash functions. These certificates help to verify versions and secure updates.

    Between maintaining an approved list and a not-authorized list, the denial list provides stronger protection. Policies also get deployed to prevent certain types of software from being run on the company’s systems, such as games. A CCP will need to ensure a client checks these policies by periodic audit.

    Beyond the usual document based artifacts of this domain a CCP will want to help an organization seeking certification organize evidence from:

    • information system configuration settings and associated documentation
    • list of software programs not authorized to execute on the information system
    • list of software programs authorized to execute on the information system
    • security configuration checklists
    • review and update records associated with list of unauthorized software programs
    • review and update records associated with list of authorized software programs
    • change control records

    Employees with information security responsibilities and network administrators will need to know how to demonstrate tests on:

    • process for identifying, reviewing, and updating programs not authorized to execute on the information system
    • process for identifying, reviewing, and updating programs authorized to execute on the information system
    • process for implementing blacklisting
    • automated mechanisms supporting and/or implementing blacklisting
    • process for implementing whitelisting
    • automated mechanisms supporting and/or implementing whitelisting
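    An added example (not from the original post or any CMMC product) of the periodic audit described under 3.4.8: every program found on a system is checked against a deny list and against an allow list whose entries carry the SHA-256 of the approved build, so both unknown software and an altered copy of an authorized program get flagged. The file names, contents and hashes are constructed for the example.

```python
"""Allow-list / deny-list check with hash verification (NIST SP 800-171 3.4.8).

Deny-all, permit-by-exception: a program may run only if its file name is on
the authorized list AND its SHA-256 matches the approved build. A deny list
records software explicitly prohibited (games, for example). The files, hashes
and list entries below are constructed sample data, not from any real system.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate(path: Path, authorized: dict, denied: set) -> str:
    """Verdict for one program under deny-all, permit-by-exception."""
    name = path.name
    if name in denied:
        return "denied"              # on the not-authorized list
    expected = authorized.get(name)
    if expected is None:
        return "not authorized"      # deny-all default: unknown software never runs
    if sha256_of(path) != expected:
        return "hash mismatch"       # authorized name, but not the approved build
    return "allowed"


def audit_directory(root: Path, authorized: dict, denied: set) -> dict:
    """Map every file under root to its verdict; this dict is the audit record."""
    return {p.name: evaluate(p, authorized, denied)
            for p in sorted(root.iterdir()) if p.is_file()}


def build_sample() -> tuple:
    """Construct a temp directory of fake 'programs' plus the matching lists."""
    root = Path(tempfile.mkdtemp(prefix="cm-3-4-8-"))
    files = {
        "vpn-client.exe": b"approved vpn build 3.1.5",   # matches the allow list
        "edr-agent.exe": b"modified agent binary",       # authorized name, wrong hash
        "minesweeper.exe": b"game",                      # explicitly denied
        "unknown-tool.exe": b"dropped by a user",        # on neither list
    }
    for name, body in files.items():
        (root / name).write_bytes(body)
    authorized = {  # name -> SHA-256 of the build the change board approved
        "vpn-client.exe": hashlib.sha256(b"approved vpn build 3.1.5").hexdigest(),
        "edr-agent.exe": hashlib.sha256(b"approved agent build 4.2.0").hexdigest(),
    }
    denied = {"minesweeper.exe"}
    return root, authorized, denied


def sample_audit() -> dict:
    """Run the audit over the constructed directory and return the record."""
    root, authorized, denied = build_sample()
    return audit_directory(root, authorized, denied)


if __name__ == "__main__":
    for name, verdict in sample_audit().items():
        print(f"{name:20} {verdict}")
```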

    3.4.9 Control and monitor user-installed software.

    As a Certified CMMC Professional just make sure companies disable user-installed software on in-scope systems. Remember users should not have privileged or admin access on machines that connect to your network, and all privileged users always require MFA authentication. This will allow a company to control unapproved software.

    Policies must fully describe allowed installations and procedures to check for policy violations. These policies may want to have very stringent exceptions for installing software, especially on the devices of privileged users.

    A CMMC Assessor will not only want to review these policies and procedures but will want to see employees perform tests on processes governing user-installed software on the information system and automated mechanisms for alerting personnel/roles when unauthorized installation of software gets detected.

    If a company takes the time to put down a clear pathway for configuration management we can help to protect the confidentiality of information. Just remember, while we need to get to the finish line one should approach it more as conditioning. Once you have your baseline configured get back to the starting line and review the deployment as you maintain the overall cyber health of a company.

    “Starting Line” by Phil Roeder flickr.com/photos/ta… is licensed under CC BY

  • Attending the John Ellis Talk on CMMC 2.0 hosted by PreVeil

  • Overview of CMMC 2.0

    Ben Franklin once quipped, “When you are finished changing, you are finished.”

    Nothing could ring more true in cybersecurity. Frameworks need to live and breathe to respond to evolving threats.

    On November 4, 2021 the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.

    TLDR

    • Reduce number of levels from Five to Three
    • Return to NIST as maintainer of all documents
    • Allow level one self-assessments
    • Self-assessments require senior level affirmation
    • Level Two is Old Level Three and NIST SP800-171 baseline for Controlled Unclassified Information
    • Level Two is bifurcated into prioritized and non-prioritized contracts
    • Prioritized contracts require third party assessments.
    • Return of limited time bound POAMS
    • Return of limited approved waivers

    Reduced Levels

    CMMC 1.0 had five levels. Level One aligned to seventeen controls from NIST SP-800-171 to meet the fifteen safeguards required by FAR 52.204.21 for Federal Contract Information. Level Three, required for CUI, aligned to 110 controls from NIST SP-800-171 and 20 additional controls. Level Five would align to practices selected from NIST SP-800-172.

    This model did not work for maturity given the different baselines required for sensitive data. One would not seek a level two certification. In fact, DoD said no bids would even ask for a level two. We also had no classes or assessments for level two or four.

    Yet CMMC 1.0 had cumulative levels, meaning you had to meet all of level one and two to meet level three. This pushed some CUI requirements down to level two, which made no sense given level three served as the NIST SP-800-171 baseline.

    CMMC 2.0 removes the ill-fitted maturity requirements.

    Return of National Institute of Standards and Technology

    CMMC 1.0 tried to address some of the shortcomings of NIST-SP-800-171. In fact, early on the AB, rumor has it, tried to remove requirements until NARA/ISOO reminded them that the CUI program exists in law and NIST-SP-800-171 provides the baseline. They could only add and not remove.

    CMMC 1.0 added twenty additional practices, often referred to as the Delta 20s, and made the assumed controls of NIST-SP-800-171 around policy and procedures (an assumption of practices Non Federal Organizations (NFO) just do... they don’t) explicit in the process maturity measures.

    CMMC 2.0 removes anything unique to CMMC and returns us to just NIST-SP-800-171. Moving forward only NIST will change the requirements. We will see many of the delta 20s making a return, and while policies and procedures do not get explicitly assessed you cannot pass an assessment without policies and procedures.

    Timeline and Rulemaking

    In order to allow for third party assessments under the Defense Federal Acquisition Supplemental regulations the Department of Defense (more likely their lawyers) decided we need to codify this in federal law.

    This requires a “harmonization” of rulemaking. First CFR 32, which governs the CUI program needs revision. Then CFR 48, which enables DFARS will get revised.

    Federal rulemaking takes a long time and DoD estimates suggest 9-24 months. Before contractors breathe a sigh of relief they should realize that a 24 month timeframe speeds up the original intent of the five year pilot program.

    Once the rulemaking process gets completed no pilot program will get unrolled, because compliance with 171 has been required since 2017. The rule change just empowers third party assessments under the DFARS clauses.

    More Flexibility

    CMMC 1.0 did not allow for any open assessment objectives. You had to meet all 305 to get a level three certification.

    CMMC 2.0 allows for a set of limited and timebound POAMs.

    Before you jump for joy and think you can couch really expensive stuff as a never-ending POAM with never-reached milestones you should understand the caveats.

    First you need a minimum SPRS score self-assessing or having a third party assess you against the 171a methodology. A cut score still exists. They have lowered the threshold. How far? We do not know, but it won’t be low.

    You also cannot POAM all the requirements and objectives. 171a breaks scores down into 5, 3, or 1 points. While official guidance did not get released, officials have hinted no five pointers in the POAM. The most expensive stuff gets five points.

    You also get 180 days to rectify the POAM. This flexibility saves you nothing. In fact trying to address a five point control in three months may cost you a ton more than good planning.

    What does it Mean?

    For organizations seeking certification, little. Keep growing the SSP and shrinking the POAM. We always had 171 as a baseline and that did not change. The Interim DFARS clauses 7019 and 7020 did not go away. DFARS clause 7012 did not go away. If you have CUI or FCI on your systems the people, processes, and technology within scope still fall in scope.

    For the CEO or CIO of an organization seeking certification the affirmation requirements increase your personal liability under the False Claims Act. In fact both the DoJ and the DoD have highlighted increased focus on the whistleblower elements of the False Claims Act. You may find your lawyers, or more likely your Prime’s lawyers, demanding a third-party assessment even if you do not hold CUI on a prioritized contract.

    Nobody knows what prioritized contracts mean. You cannot plan on what level of level two you will fall under. Plan your self-assessment as if a third-party assessor will come in and verify your results.

    If you wanted to join the ecosystem as a Certified CMMC Professional CCP or a CMMC Certified Assessor you may find the market grew instead of the logical conclusion the market contracted with self-assessments.

    It makes sense for the DoD to press pause on third party assessments. They have no idea how big the DIB is but they knew the majority would fail a level one, forget a level three assessment. Why make companies pay for a test you know they will fail?

    Yet the market for CCPs and CCAs may have grown. While the DoD may not require a third-party assessor you can bet many a Prime contractor will if you want to remain in their supply chain. Further the number of companies who need to self-assess will require more support.

    The number of companies needing a third party assessor remains high. The DoD has pinned this number at 30,000-40,000 and the CMMC-AB places it higher. Further, current thinking, likely to change, has any level three company who wants an assessment by the Government against the upcoming tailored controls from 172 first needing a level two assessment from a C3PAO against 171.

    In the end, the baseline of NIST SP 800-171 did not change. Use the next nine to 24 months to grow the SSP and shrink the POAM.

    img credit: “Change” flickr photo by Matt Henry photos, shared under a Creative Commons (BY) license

  • No CMMC Hot Takes. Just Take the Time for Some Slow Reads

    Inbox overflowing with email invitations to CMMC 2.0 webinars? Every consultant and software service promising to give you the most up-to-date info your company cannot do without?

    You can do without. I offer no hot takes.

    Just some slow reads.

    If you really want to get prepared start reading. Congress got it wrong. Cybersecurity does take reading. A ton of reading.

    We know CMMC 2.0 will not kick in for 9-24 months on government clocks. I have no idea how long that will last in real time or dog years.

    Until then read.

    Evaluate the System Security Plan (SSP).

    Read more.

    Throw out your poorly templated SSP and start over.

    Read more.

    Finalize the SSP and write your POAM.

    Read more.

    Have set meetings to address the POAM. Revisit the SSP in six months.

    Read more.

    Grow the SSP and Shrink the POAM.

    If you do not want to do the reading, hire an expert. You can try to do cybersecurity without reading. You can also try accounting without math.

    So instead of beating you over the head with one more CMMC 2.0 webinar, I offer you my top ten hit reading list for 7012 compliance.

    Reading and Time. My turnkey easy-button solution to CMMC 2.0.

    1. FIPS 199/200 - The basic controls. Only thing gov truly mandates
    2. SP 800-30 and 39 - Learn the risk management process
    3. SP 800-37 - Do risk management
    4. SP 800-18 - How to write an SSP
    5. SP 800-60 & 70 - Mapping data flows and info systems
    6. SP 800-53 - 1200 controls in the catalog. Spend a hot minute here.
    7. SP 800-171 - Learn the derived controls selected from 53 that, combined with the basic controls from FIPS, you must have on nonfederal systems (don’t skip the Appendices)
    8. SP 800-115 - How do we test controls
    9. SP 800-162 - How to speak engineer to humans
    10. SP 800-137 - Continuous monitoring guideline

    Bonus reading: SP 800-161 - Supply chain risk management

    img credit: “A Shot of Ice and Fire” by ElleFlorio flickr.com/photos/el… is licensed under CC BY-SA

  • When Did Small Businesses Become the Enemy of Cybersecurity?

    When did growth become evil in America?

    When did we start believing the Government can handle complex and quickly shifting problem spaces with an agility the private sector cannot match? When did we start rooting against cottage industries?

    When did the entrepreneur become the enemy?

    According to critics of the Cybersecurity Maturity Model Certification program, small businesses became a threat when the Defense Department tried to set up a system to upskill small manufacturers through third-party assessments.

    CMMC 2.0 and Fear of Cottage Industries

    I lament the number of people who have cheered the Department of Defense shutting down what may have led to the largest cybersecurity training in our Nation’s history (still pales in comparison to the investment China makes in their workforce).

    You read blog post after blog post cheering the “shuttering of the CMMC cottage industry,” or those snickering at C3PAOs who expected a market of 100,000-300,000 companies and instead watched hundreds of thousands of dollars in investment shrivel on the vine of time we call federal rulemaking.

    We, as a nation, through the efforts to scale CMMC could have addressed critical pipeline issues in IT, cybersecurity, machine learning, and artificial intelligence.

    Little ole me, nothing but a former middle school teacher with a blog, could even use CMMC 1.0 to build a massive network. I have four universities, Southern Connecticut State University, Capitol Technology University, Emory University, and Metropolitan State University of Denver, delivering LTP curriculum. My university, SCSU, has even proposed a 171/CMMC pathway into our Cybersecurity Master’s program, which is working its way through Shared Governance.

    The support DoD decided to give in creating a CMMC vertical for 171 assessments would have also helped us address diversity, equity, and inclusion. Many of the schools involved offered free CMMC class tuition to their students. At my school, and many in the network, People of Color make up most of the student body. The opposite is true in the cyber industry.

    We were even working with high schools and states, specifically CT and SC, on a 2x2x2 apprenticeship program. Students would earn IT and networking certs starting their junior year of high school, do internships, and graduate with a CCP; they would then enroll two years in a community college, get paid internships while earning other certs and a CCA1, then transfer to a four-year institution for two years to get a degree in cyber, have more paid apprenticeships, and leave as a CCA3.

    Community groups about CMMC sprouted up across the country. I helped to found the CT CMMC Coalition, soon the Northeast CMMC Coalition, which we will incorporate into a member-owned co-op. We have released hundreds of openly licensed pages of content that LPPs use for free in their training. The CMMC Info Institute provides another great example of a non-profit in this space. Their webinars have taught hundreds.

    All of this can go away if the naysayers win. CMMC 2.0 rolled the clock back to 2017 and drastically reduced the need for third-party assessors. It feels like we decided to fit the mission to the weapons we have rather than get our hands dirty and build the weapons the mission needs.

    Cottage industries do not represent a threat to National Security. They provide a Mannerheim Line against a modern battle space. I fear with CMMC 2.0 the DoD has decided to comfortably wait things out behind the Maginot line of self-assessment.

    DoD Should Support Cyber Businesses

    I hear from the cottage industry critics that supporting small businesses detracts from DoD’s mission and that DoD doesn’t do economic development. Then why does Farooq Mitha direct the Defense Department’s Office of Small Business Programs? Why do we have Procurement Technical Assistance Centers? Why does every branch of the military give out billions annually in small business grants through SBIR/STTR?

    CMMC 1.0, in two years, accomplished more growth in the GovCon cyber sector than all past efforts combined. The Defense Department did this while spending next to nothing and issuing a no-cost contract to the CMMC-AB.

    Growth in the sector will take more than Project Spectrum, and small business efforts in the Defense Department need to transition from just supporting kinetic efforts and start investing in our cyber workforce.

    Headcount Issues Threaten Our Nation

    You think finding headcount is difficult now? Just wait until the Portman/Peters FISMA reauthorization passes and every federal department must conduct ongoing pen testing. Trust me, I help fill the seats; cleared pentesters do not grow on trees. Have you counted the amount of funding CISA will get from the infrastructure bill and the pending cyber bill? Hundreds of billions. Where will we find the people?

    CMMC 1.0 could have provided the pipeline if the market could have gotten established.

    Instead, folks found it more American to cheer against small businesses. They jeered at the Department of Defense’s desire to support small assessment companies in a nascent cottage industry. Critics demanded we roll back the clocks to 2017 and erase CMMC 1.0. Naysayers want the government, and not private industry, to help secure and assess cyber and IT in our manufacturing base.

    I disagree, and to all those who dream of starting a cottage industry I salute you.

    img credit: “Engineering Shed” by Tim Sheerman-Chase flickr.com/photos/ti… is licensed under CC BY

  • Cybersecurity: Did Bootcamps Break Us or Save Us

    The cybersecurity awareness and training industry tops a billion dollars in revenue and will only grow as regulatory frameworks that require companywide learning programs spread.

    At the same time, and given Higher Education’s inability to adapt or keep up in digital fields, a certification-training industry that tops hundreds of billions of dollars grew overnight. In fact, a study by CompTIA (bias disclosure: a test vendor) found 91% of employers use certifications in hiring.

    Classes to pass the certification exploded overnight. I worry the bootcamp model broke us.

    I do not want people equating a four-day class in how to pass a test with deep learning based in cognitive science. Not when it comes to cybersecurity. The mission is too important to hunt for a quick fix in awareness and training.

    I know that, like CMMC, these certification classes are not meant to teach cybersecurity skills. Still, I personally believe the domains of knowledge assessed in the certification classes are too hard to master in a four-day seminar.

    I don’t blame anyone but human nature. You can never lay shame on someone for taking the path of least resistance when it comes to securing food or shelter for them and theirs. Once you introduce a high-stakes test, humans will immediately start mixing a broth to corrupt the reliability and validity of that test.

    At the same time, these increased costs and regulations caused expected resentment in the cybersecurity professional community. Many feel their experience has established these skills, and they feel preyed upon by a certificate mill industry. They have a point.

    The entire tech industry, however (myself included), could benefit from a good dose of humility. Nobody knows it all, and if you know more, others in the class benefit. Those most successful in bootcamp classes are probably humble folks in other online spaces.

    Bootcamp Model

    In a “bootcamp” style class, whether to train employees or to prepare for a certification test, the learning gets crammed into a very short time frame over long, extended days.

    Almost all cognitive science research supports longer durations for learning. In fact, retention decays very quickly. Further, long-term transfer to other domains increases when high-quality feedback gets connected with bursts of content, activity, and reflection.

    Bootcamp models do work, and we have emerging research to support this, in well-defined domains with discrete skill sets: configuring your endpoint detection, learning to write JavaScript, even playing clarinet.

    The domain of cybersecurity, however, especially when preparing to move from one industry framework to another, cannot be learned overnight. Yes, as I stated, these classes do not train you in cybersecurity, but it will take specialized knowledge to move from a HIPAA audit to a 171 assessment, for example.

    These domains of knowledge are too complex for quick learning just to check off a compliance box.

    Myth of Auto-Didactic Learner

    No bootcamp lives in a vacuum (until Space Force starts orbital unit training), so when people claim to only want self-paced learning, they should make sure they have community support somewhere.

    Nobody learns alone. No one gets self-taught. Full stop.

    Community is the Curriculum.

    The original MOOCs, which helped kick off the coding and cybersecurity bootcamp craze, never focused on size. They focused on people. When David Cormier coined the term, the “massive” modified “open,” not the size of the class.

    It meant using network theory to encourage the spread of open resources and pedagogy through ever-growing learning communities.

    So even a four-day or four-week self-paced online class needs some element of community. You need peers to have discussions. You need groups to work on scenarios and case studies that reflect what cybersecurity professionals and assessors will do in the field. Most importantly, you need high-quality feedback from your instructors.

    Not opinion. Stable and replicable findings from cognitive science research, based on principles of Universal Design for Learning to ensure all learners can succeed.

    Bootcamp Models Don’t Meet Diverse Workforce Needs

    You need a lot of resources to check out for four days and go to an intensive bootcamp. Childcare, carpools, community volunteering: the bootcamp model does not reflect the needs of the modern workforce.

    Bootcamp models do not help diversity, equity, and inclusion when the only option involves four days of unpaid work. We need to provide learning communities that allow for flexible and supportive learning modalities. As a nation we must root cybersecurity training in groups that have faced historical exclusion in the tech and cyber industry.

    These four-day learning bonanzas also hurt organizations. As a CEO, do you want your entire cyber/IT team out of pocket for four days? What if, like many small businesses, you as CEO are your entire cyber/IT team? Can you be out for four days?

    A Better Way Forward with CyberDI and Southern Connecticut State University

    At SCSU, we have developed and iterated on the CyberDI curriculum, which CyberDI will deliver on our online and offline campuses as an LTP, through four rounds of iterative design, with the goal of applying principles of cognitive science to curriculum development and delivery.

    Real science. Not bootcamp marketing or certificate mill hype.

    In our five-week class model you meet twice a week for live classes. Instructors schedule these classes at noon, in the evening, or on the weekends depending on local audience needs. They offer hybrid and fully online versions. The lectures and discussions get recorded, so if life gets in the way anyone can catch up.

    Every practice and process in the CMMC model gets covered through systematic and explicit instruction following the “Instructor does, class does, you do” model. This predictability, science tells us, improves learning.

    Social learning, not just explicit instruction, gets baked into the model. We have two weekly office hours where instructors and community members just drop in to get specific technical help or to ask general questions about course content.

    We know from research that building scaffolds that give learners support drives success.

    Our course navigation is simple and works in Blackboard, Canvas, Microsoft Teams, or, my favorite, a simple HTML website. In every module you are asked to read, write, and participate. We give you access to easy-to-navigate resources.

    screenshot of Google Classroom

    You can see above how each module gets laid out in a Google Classroom example. We know from decades of research that ease of navigation drives learner efficacy and success.

    Most importantly, you take part in production-based learning driven by feedback designed to elicit growth against the course objectives. Feedback, both formal and informal, drives learning. The teacher guide we provide has tips on writing feedback. The instructors who teach the CyberDI classes on SCSU campuses will get ongoing coaching in their questioning and discussion techniques. They get additional training on how to write and deliver feedback for growth.

    We do hope you choose a training program based in cognitive science and not just certificate mill marketing hype. The classes CyberDI will teach on our campuses meet these criteria.

    Just wanted to end with a quick shoutout to the subject experts who helped write and shape the curriculum.

    Curriculum Authors:

    • Leighton Johnson- Wrote our Domain Scenarios
    • Paul Netopski- Wrote our CMMC Assessment Process Chapter
    • Vincent Scott- Co-wrote history of CMMC and Domain Scenarios
    • Tom Cornelius - Open Source contributor. We utilize Compliance Forge’s CC BY-SA Scoping Guidance.
    • Gregory McVerry - co-wrote CUI scenarios, co-edited textbook with Dr. Tucker
    • Lauren Tucker - lead author on instructional guide, co-edited textbook
    • Richard Dawson - Wrote 162-aligned introductions for 17 Domains
    • Dana Mantilla-Video Instructor who interviewed top talent
    • Brian Rogalski-co-wrote CUI scenarios

    Academic Advisor: Leslie Weinstein

    Video Guests:

    • Allison Giddens
    • Vincent Scott
    • Margaret Glover
    • Paul Netopski
    • Matthew Carson
    • Jake Williams
    • Amira Armond
    • Ryan Heildron
    • Vic Malloy
    • Kyle Lai

    img credit: “Bootcamp dreams.” by jgmac1106 shared under a CC-BY-SA license. A remix of: “Work boot” by Bigbadvoo flickr.com/photos/bi… is licensed under CC BY; “Storm Clouds Gathering” by izoo3y flickr.com/photos/iz… is licensed under CC BY-SA; “Cha-Ching” by spcbrass flickr.com/photos/sp… is licensed under CC BY-SA

  • How to Register on the CMMC-AB Class to Sign up for a CCP Class with an LTP

    Wow, that title has a lot of letters. Luckily, the registration process on the Cybersecurity Maturity Model Certification Accreditation Board website to create an account so you can sign up for a Certified CMMC Professional class with a Licensed Training Provider is not as difficult.

    Creating a profile to register for a Certified CMMC Professional course requires a three-step process and a $200 fee paid to the CMMC Accreditation Board, not the Licensed Training Provider. The fee also does not cover the CCP exam. That will cost an additional $275.00.

    You must first create an account on the CMMC-AB Moodle page (yeah open source).

    screenshot of account creation

    Once you do, a verification email gets sent to your inbox.

    screenshot of verification email

    After you verify your email you choose an MFA (multifactor authentication) method.

    screenshot of choosing MFA

    Depending on which method you choose, you may have additional security checks.

    screenshots of security checks

    Once you have an account you can move on to Step One, which requires you to make a profile.

    screenshot of making profile

    screenshot of ccp application

    Once you make the profile you can then go and register for the CCP class. The application is extensive. You will upload your resume and any certifications you hold.

    The application did ask me to associate with a C3PAO. Currently, as far as I know, a CCP does not need to associate with a C3PAO. I put “none yet” and my application went through.

    Pay the money and you can now register for a class with an LTP.

    screenshot of payment acceptance

    You will get an ID number. The LTP will use this to share your progress and enrollment status.

  • top view of p-51b

    side view of p-51

    front propeller view

    close up side

    We want to transform Cybersecurity Awareness and Training into an active learning process. For far too long we have assumed video-based quizzes work at the minimum, and that real training cannot happen because you need decades of experience to do cyber.

    Neither assumption rings true. Active learning leads to greater transfer and retention. This production-based method, where learners must do stuff with what they learn, begins with questioning.

    In my time working on Cybersecurity Maturity Model Certification courses, I have reviewed a lot of curriculum, coached Provisional Instructors as they develop lesson plans, and provided feedback to our instructors as we iterate on curriculum at Southern Connecticut State University.

    Stop Asking Any Questions

    Almost all the instruction I observe relies on direct instruction with little learner interaction. I see it in video-based training and lectures where a highly talented Subject Matter Expert asks, “Any questions?” at the end of each segment or lecture.

    Everyone has questions. No one will ask.

    Instead, a good teacher uses questions to elicit evidence of, and scaffold, knowledge growth. You can think of three types:

    • Literal
    • Inferential
    • Evaluative

    Literal questions get answered with explicit details, meaning details identifiable in the text. Inferential questions require students to combine information in a text, either explicit or implied, with prior knowledge or another source. Evaluative questions ask you to combine implicit information with an opinion and may focus on why and how to fill in missing details.

    As an instructor you need to plan your questioning well. You can use verbs from Bloom’s Taxonomy or Webb’s Depth of Knowledge, but you need to ask questions for learning to occur.

    Helping Out CMMC Instructors

    So, to help out the instructors who use the CMMC curriculum we write, we started to create a question guide for each of the 17 Domains. It includes a definition from NIST SP 800-162 and questions a Certified CMMC Professional can use to help an Organization Seeking Certification. We derive these from 162 as well.

    We then include every assessment objective. CMMC courses mean nothing without Assessment Objectives. Next, we close with sample discussion questions. We hope these focus on pain points and common misconceptions. When an LTP or Provisional Instructor uses our material, you can know we provide you the tools to have active discussions.

    Check out our Access Control Example

    Featured Image “Question” by kevin dooley is licensed under CC BY
