• What does the NDAA say About CMMC?

    The NDAA goes deep into developing the Cyber Director role but for those looking to NDAA for “significant changes” should look elsewhere.

    There are eight mentions of CMMC in the bill. I will need to dissect the fund allocations to CMMC. There are an additional five mentions of the cybersecurity maturity model certification in areas of threat and incident response.

    It looks like the House Small Business Committee that complained about contractors “having to read really big books” did not have their ammendment approved.

    It is really just section 1742 of the bill

    IN GENERAL.—Not later than March 1, 2021, the Sec- retary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cyberse- curity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementa- tion of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.

    The report shall shall include, for each component that does not achieve at least level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), a determination as to whether and details as to how— (A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (B) such component will mitigate potential risks until such measures are implemented. (2) COMPTROLLER GENERAL REPORT REQUIRED.—Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

    CYBERSECURITY MATURITY MODEL CERTIFICATION FUNDING LIMITATION.—Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procure-ment contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.

    img credit: Etherwan (2018). NDAA Compliance Statement. Retrieved from: www.etherwan.com/us/about-…

  • You are Doing Cyberscecurity Awareness and Training Wrong

    two people on the left and right of someone screaming in their ear

    Let me tell you how most of my pitch calls go when someone needs instructional design work for their company’s cybersecurity awareness and training.

    The customer typically says something along the lines of, “We just need a quick and dirty training, to check off the compliance box”.

    I ask, “Can you send me your policies and procedures so I can weave them into the training?”

    Response A:

    “My boss doesn’t want this eating up a bunch of time and resources. We just need the compliance. This isn’t about learning.”

    In the case of Response A, I always say, “Doesn’t it make sense to train your employees on your security stack based on their roles? Don’t you know policy and procedures mean nothing without people? We can write your awareness and training so it reflects your people, processes, and technology, and most importantly the threats the data you hold faces.”

    Response B:

    “We really don’t have the policies and procedures in place.”

    For Response B, I always say, “Then your awareness and training needs to start with how to write and deploy policies and procedures.”

    The Call Back

    Almost always I get a call back an hour or day later with, “I talked to the boss. They want to keep it dead simple and focus on compliance. How much for a quick one hour training?”

    I wish them luck and shut down the call.

  • Maturity models come to event logging for fe agencies www.whitehouse.gov/wp-conten… Per OMB’s response to Executive Order 14028

  • It came out of the kiln. Check it folks.

    A-10 Warthog.

    A limited signed and numbered 13 run as part of my efforts to support local artists through CMMC

  • Checking out lasers and CUI enclave policies

  • hello

  • The Basics of Controlled Unclassified Information

    When you cut through the marketing hype—and ignore all of the LinkedIn trolls predicting the doom of the Cybersecurity Maturity Model Certification (CMMC) program— you realize CMMC did not arise out of the blue. When you reasearch its history, you will find nothing especially new or unfamiliar. CMMC simply requires third party attestation of what defense contractors already had to do in order to fulfill the legal requirements of their agreements. The major change associated with CMMC is that it no longer allows for the self-assessment of cyber hygiene associated with Controlled Unclassified Information (CUI), as measured against NIST-SP-800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

    Individual contractors no longer have the authority to say how well they secure CUI. Instead, a third pary must come in and assess this information. In essence, it all comes down to CUI. But what do we mean we say Controlled Unclassified Information (CUI)?

    What is CUI?

    The US Government defines CUI as information which requires safeguarding or dissemination controls necessitated by law, regulation, or Government-Wide Policy; however, it does not include classified or nuclear stuff. The latter two fall under classified policies, and therefore require even more protections than CUI.

    The CUI program is thoroughly explained in the Code of Federal Regulation 32, Part 2002. This program standardizes how the Executive Branch handles CUI. The Department of Defense (DoD), for example, established a CUI policy on March 6th 2002. This policy, DoD Instruction 5200.48, “Controlled Unclassified Information,” fulfills their requirements to develop a CUI policy. Every department, and thus their respective agencies, must have a similar CUI policy.

    The CUI designation was created in response to 9/11 via President Obama’s Executive Order 13556. This executive order required all unclassified information throughout the Executive Branch which necessitated additional protection above and beyond information not for public release to be labeled CUI. Before this CUI policy, no uniform marking system existed for this kind of information across the Federal Government. Different agencies used an alphabet soup of labels such as FOUO, LES, and SBU.

    Under the Executive Order, the National Archives and Record Administration (NARA) was appointed to lead on developing a universal CUI Policy. The Secretary of Commerce, through the Office of Management and Budget, decided that CUI required moderate protection. FISMA, the Federal Information Modernization Security Act, then authorized the National Institute of Standards and Technologies (NIST) to develop standards for the protection of CUI.

    In fact, section two of the Executive Order designated NARA as the Executive Agency to oversee the order and the CUI program. NARA delegated this authority to the Information Security Oversight Office (ISOO). ISOO established a CUI registry that is:

    • Publicly Accessible
    • Includes authorized categories
    • Includes subcategories and guidance
    • Includes citations to laws and regulation and government wide policies

    The Department of Defense then defined their relevant categories using DoD Instruction 5200.48, “Controlled Unclassified Information”.

    The ISOO CUI policy defines two types of CUI: Basic and Specified. Specified CUI contains specific handling controls, which it requires or permits agencies to use, and which differ from those used for Basic CUI. So, if a federal law or regulation requires handling instructions beyond the basic protections of CUI, we call this CUI Specified. An agency can decide internally, or with agreement from ISOO, to require additional protections.

    CUI Lifecycle

    The CUI lifecycle requires a contractor to identify the CUI they handle, to explicitly mark this data as CUI, to protect this CUI while in transit and at rest, to only share CUI for a lawful purpose, to destroy CUI when necessary, and to decontrol CUI when it no longer needs additional security.

    Identifying CUI

    It is best to begin this process by determining if you have any CUI in your system, or if you wish to bid on future contracts that would require CUI in your systems. Unfortunately, most of the data contractors receive from the DoD and prime contractors will not have proper markings. This does no alleviate a contractor of the legal responsibilities for protecting CUI, especially if they have existing contracts with the Defense Federal Acquisition Regulation Supplemental (DFARS) clause 7012, which requires self-attestation for protecting CUI against a 171 baseline.

    Once you identify the CUI in your system, identify which contract vehicles with a 7012 clause the CUI is often associated with. Then identify the people or roles with legal access to that CUI under each contract. In fact, you should create a matrix to capture this information.

    You cannot expect the DoD or a prime contractor to label all CUI created under a CUI contract. How could a Contracting Officer (CO) or a Program Management Office decide if the personal notes taken or meeting minutes contain CUI?

    Marking CUI

    The CUI program set out to protect unclassified information and ensure the timely sharing of information. The marking requirements of CUI vary based on the kinds of CUI and the chosen designation indicator. These influence the requirements for banner markings, which have to include category markings, control markings, and any limited dissemination markings (only certain people should see this).

    CUI marking requirements are influenced by more than just their category and control markings. The type of media it is associated with, such as emails or military documents, can influence the marking as well. Email banners may differ from the requirements for removable media. CUI can also be co-mingled into documents that require different limited dissemination, or are considered classified. Finally, you also have rules about marking CUI for mailing.

    The marking must include a designation indicator. This indicates who created the CUI. This can include a variety of formats such as a letterhead, a logo on a sticker, a signature, or a controlled byline. You have no requirement to include contact information, but many markings add this optional information.

    Department of Defense guidance suggests using a Designation Indicator block when space allows. This includes who controls the data, as well as anyone to which control was flowed through an authorized and legal use, any limited dissemination controls, and a point of contact. For example:

    Controlled by: OUSD(I&S)

    Controlled by: CL&S INFOSECCUI Category(ies): PRVCY, OPSEC

    Limited Dissemination Control: FEDCON

    POC: John Brown, 703-555-0123

    The banner marking can include three elements. The first, the control marking, is mandatory. This can say “controlled” or “CUI.” Category markings are required for CUI Specified, and are separated by two // slashes. If dissemination controls are included, those follow the category markings, again after two forward slashes. Banners must appear in Bold Capitalized text, and ought to be centered when possible.

    CUI works as a basic CUI label.

    Category markings are optional, except in the case of CUI Specified. In fact, when you have Specified CUI, you are required to include the letters SP before the category marking. If more then one type of specified marking is included, you alphabetize them, but only separate each by one / forward slash after the first category, which follows the two // forward slashes and the basic marking.

    CUI//SP-HLTH/PHYS In this example we see two CUI specified categories which follow the basic CUI marking.

    The banner markings can also designate the dissemination controls. Limited Dissemination Controls identify an intended audience, so a document does not need continuous authorization.

    No Foreign Dissemination (NOFORN) —Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.

    Federal Employees Only (FED ONLY) —Dissemination authorized only to employees of the U.S. Government executive branch agencies, or armed forces personnel of the U.S. or Active Guard and Reserve.

    Federal Employees and Contractors Only (FEDCON) —Includes individuals or employees who enter a contract with the U.S. to perform a specific job or supply labor, and dissemination is in furtherance of the contractual purpose.

    No Dissemination to Contractors (NOCON) —Intended for use when dissemination is not permitted to federal contractors, but permits dissemination to state, local, or tribal employees.

    Dissemination List Controlled DL ONLY —Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list.

    Authorized for Release to Certain Foreign Nationals Only (REL TO USA, LIST) —Information has been predetermined by the designating agency to be releasable only to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.

    The Department of Defense CUI guidance also allows dissemination marking to be included in the designation box. These include:

    Distribution Statement A: Approved for public release. Distribution is unlimited.

    Distribution Statement B: Distribution authorized to U.S. Government agencies only (fill in reason and date of determination).

    Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only (insert reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

    Distribution Statement E: Distribution authorized to DoD Components only (fill in reason and date of determination). Other requests shall be referred to (insert controlling DoD office).

    Distribution Statement F: Further dissemination only as directed by (insert controlling DoD Office and date of determination) or higher DoD authority.

    On digital media, you include these markings. On PowerPoint slides, you can include the CUI label at the top and bottom of the title slide with the indication block and the CUI label on the bottom of each slide. In a word document, you can include a cover sheet with the marking and designation block.

    Removable Media

    On a removable storage device, you are required to include the basic marking and a controlling indicators. Each file contained on the storage device needs its own marking. When feasible, you should include all required elements in the designation block, but the CUI basic marking and the originator or controller must always be included.


    Email is a bit trickier. When you send an email (try not to) containing CUI, you must let the recipient know. You must include a banner marking in the body of the email. Furthemore, best practice suggests including it in the CUI itself. Many companies use email server rules to sequester email with CUI. The subject line helps protect the data. When you forward email you must keep all banner markings. Make sure you cut and paste the banner to the top of the forward. You can also portion mark emails like regular documents where you call out sections that contain CUI.

    Physical Protection of CUI

    You will need to create a controlled environment to protect CUI. The regulations require you to have at least one physical barrier, such as sealed envelopes, locked doors, bins, drawers, or electronic locks. You have flexibility in deciding what counts as a physical barrier.

    You also need to consider meeting areas. You will need to control meeting access when CUI is shared and discussed. You will need to mark the door with the lock, noting only authorized indivduals allowed, and you will need a clean desk policy for after the meeting.

    Think about who has access to your controlled environments. You will need to lock away CUI from after hour cleaning crews, and to keep visitor and employee logs of areas that contain or discuss CUI. Your computer systems and networks also need to control access. You need to include banner markings on devices and systems that can connect to controlled environments.

    Basically, on electronic systems, you need to create some kind of barrier to prevent unauthorized access to CUI. This can include network folders, files, intranet, cloud enclaves, file sharing sites, and individual machines or devices.

    Encryption and CUI

    Based on Office of Management and Budget (OMB) policy, CUI requires moderate protection. This, in turn, requires encryption which meets a specific level called FIPS Validated 140-2A. At the simplest definition, encryption means that something we read in plain text is scrambled into a cyphertext. The authorized holder then has a “key” to unscramble the ciphertext into plain text.

    The approved encryption techniques are authorized by NIST in a document called “Federal Information Processing Standards (FIPS) 140-2.” The approved techniques, which can change based on use case and authorizer, include: AES, Triple-DES, and the Digital Signature Standard (“DSS”). NIST-SP-800-171 (3.1.13 and 3.13.11) and CMMC spell out specific requirements for encryption (AC.3.014, SC.3.177).

    With FIPs level encryption, we make an important distinction between modules and devices. A module can be an embedded part of a product, such as an “encrypt this email” button or an entire product such as a CUI cloud enclave. A device, such as a laptop or cellphone, does not itself need the encryption. The tool accessed on that device to share, view, store, or transmit CUI must use encryption modules that meet FIPS standards.

    Destroying CUI

    When you destroy CUI, the NARA policy CFR 32 Part 2002 requires the CUI to end up unreadable, indecipherable, and irreconcilable. The NARA policy follows guidance of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision l: “Guidelines for Media Sanitization” or any technique approved by Classified National Security Information (32 CFR 2001.47).

    In 2019, NARA released guidance on destroying paper-based CUI. You must follow the specifics of NIST-SP-800-88 when shredding paper. You must crosscut, meaning up and down, and left and right, down to 1mm x 5mm (0.04in x 0.2in) in size. You can also pulverize paper using disintegrator devices equipped with a 3/32in pulverizer. The approved shredders can get expensive. Many companies use a third party shredder or recycler that will provide a certification that they meet the requirements of NIST-SP-800-88.

    You can always go the cheapest route and follow the burn recommendations.

    In terms of media, there are also destruction requirements. NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” The type of media will determine how you sanitize the device. Hard drives, for example, need different disposal methods than static hard drives.

    Decontrolling CUI

    CFR 32 Part 2002 defines decontrolling as the event in which the authorizing agency decides the CUI “no longer requires such controls.” You must have policies and procedure in place to decontrol CUI. CUI can be decontrolled automatically or through positive decontrol. In automotive decontrol, a prior event, such as a date, is chosen when the controls are no longer required by law or policy. In positive decontrol, the authorizing agency takes an action to remove the controls.

    While a contractor can be appointed by the authorizing agency to disagree with the ability to decontrol CUI on a contract with the 7012 clause, it will not happen often.

    In the end, when you think CMMC, just think about CUI and how you can protect it from unauthorized disclosure.

  • Looking for a good Risk Awareness training program? Why not start with NIST-SP-800-30?


  • Another great meeting of the CT CMMC Coalition

  • A must read —The Coast Guard 2021 Cybersecurity outlook www.uscg.mil/Portals/0…

  • CMMC and Ethics

    At a recent Town Hall, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that “trust and confidence in the CMMC Ecosystem” is the shared responsibility of both the AB and the members of the community.

    In fact, Travis’s call to action harkened back to the the testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar, who noted in his testimony to the Armed Service Committee cybersecurity subcommittee:

    DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.

    In order for CMMC to succeed, ethics must matter.

    In the realm of Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. This document provides the standards to which all members hold themselves accountable.

    The document unites around five principles:

    • Professionalism
    • Objectivity
    • Confidentiality
    • Proper Use of Methods
    • Information Integrity

    The document then lays out the practices inherent to each principle, in addition to how reporting features are implemented.

    Conflict of Interests occur when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis, this can lead to a variety of consequences, including:

    • Compromised Judgement
    • Threatened Objective Decisions
    • Undermined Impartiality
    • Destroyed Confidence in Fairness and Integrity
    • Required Disclosure

    CMMC Conflict of Interest

    We must remember that a mere perception of conflict can cause serious damage, even when no such conflict exists. Conflicts of interest can also exist without malicious intent or outcomes.

    The CMMC-AB, in fact, must establish a firewall between the registration of consultants, the accreditation of training schools, and the Assessment of Organizations Seeking Certification (OSC).

    Section 3.1.8 of the CMMC Professional Code of Conduct (CPCOC) requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur.

    The professional code of conduct in Section 3.1.10 also prohibits Certified Third Party Assesment Organizations (C3PAOs) from soliciting business from the organizations they assess. In other words, you can not fail an OSC and then offer services to help them pass the next assessment.

    CMMC and Objectivity

    The CPCOC prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.

    The ecosystems of many companies have Registered Professional Organization (RPO) credentials and C3PAO credentials. A business can not provide RPO services and then join a C3PAO Assessment Team, or host an Assessment Team themselves. Furthermore, if you have signed the CPCOC, you have an obligation to report this activity if you see it.

    CMMC-AB and Ethics

    In order to understand how the Accreditation Board (AB) must adhere to the ethics of the CPCOC, we must first understand their role in the ecosystem. The AB is required to:

    • Authorize CMMC C3PAOs to conduct assessments
    • Accredit C3PAOs in accordance with ISO 17020
    • Authorize the CAICO (CMMC Assessors and Instructors Certification Organization) to certify CMMC Instructors and Assessors
    • Establish, maintain, and Manage the CMMC Marketplace
    • Oversee the CMMC Professional Code of Conduct

    Due to these roles the CMMC-AB has a variety of tools to limit Conflict of Interest

    • CMMC-AB Code of Ethics
    • CMMC-AB Conflict of Interest Policy
    • CMMC-AB Directors Agreement
    • CMMC Code of Professional Conduct
    • Contract with Department of Defense
    • CMMC-AB Audit, Ethics, and Compliance Committee
    • Security and Compliance Officer
    • ISO 170ii General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies

    These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.

    Duty to Disclose

    The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem, and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employment affiliations, and more. The AB will decide if, based on its role in the ecosystem, if that is a type of relationship that is okay, to be avoided, or risky enought to require mitigation.

    This document will explain your responsibilities to report conflict of interest.

    Red Lines for the CMMC-AB

    Based on the policies governing the AB, its members must not fail to disclose conflicts, have a vested interest in an C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, accept any gifts, or operate in a credentialed company within the ecosystem for the duration of one year after leaving the board.

    Shady Vendors

    As a member of the ecosystem, you face a barrage of emails. Many of these provide snake oil services or over-promise. As a small business, owners rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turn key services.

    Take your time. You do not need a Level Three Certification overnight. 2026 is still a bit far off. Until then, just grow the SSP and shrink the POA&M.

  • CyberSecurity Begins with Awareness and Training

    Bad Ragaz - Original Sin

    It always comes down to the humans. Even with the best security, the tiniest friction can cause all systems fail. That 2% of DNA separating us from chimpanzees really messes with your cyber hygiene.

    If you want security you need to focus on the biggest attack vector: people.

    The Cybersecurity Maturity Model Certification (CMMC) program revolves around a national awareness and training program to increase the validity and reliability of the cybersecurity hygiene for the Defense Industrial Base (DIB).

    Relying on self-assessments hurts the overall validity of an organization’s cyber hygiene, due to the scoring system for determining compliance. In NIST-SP-800-171 nor 171a, the methodology describes a scoring scheme. That model of having 110 points, and subtracting either 1, 3, or five points, came from the Defense Contracting Management Agency (DCMA). It did not work.

    Relying on self-assessments hurt the overall reliability of knowing if someone had achieved adequate compliance against NIST-SP-800-171. A lot of revenue depends on contracts from the Department of Defense that carry the 7012 clause. Many companies lacked experience or have had past success with a business development strategy of ignoring Department Defense mandates .

    We use the amount of data exfiltration from small manufacturers as proof of the failure. The daily ransomware attacks DIB companies face is further observable evidence that self-assessment does not work.

    CMMC requires us to realize cybersecurity isn’t just everyone’s job. Cybersecurity IS everyone. You must control your story, data, and identity. The people matter.

    In fact, the CMMC model requires an Awareness and Training Policy for Level Two (and thus Level Three, given the cumulative nature of the model):


    Establish a policy that includes Awareness and Training.

    So how do you build an Awareness and Training policy? You need to understand what people need to know, when they need to know it, and how you will prove they know it. This begins, like all learning, by definining key terms.

    What is Awareness?

    I can understand the dangers of swimming in riptides in the absence of the training to escape one. All employees must have an awareness of the threats your company faces.

    In fact NIST SP 500-172, defines awareness as

    sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them

    However, awareness—like swimming—does not equal training. In terms of cybersecurity, a company needs to have a general understanding of threats and cyber hygiene in order for it to grow. So, for example, while I may hang Controlled Unclassified Information (CUI) posters in the enclave to keep people aware of company policies, that does not equal a training program on selecting the correct shredder for the destruction of paper-based CUI.

    You may publish many of your policies in an employee handbook to make them aware of security issues. But you still need to train employees on how to execute these policies.

    What is Training?

    Awareness focuses on what, while training focuses on why and how. Training will take longer, and you as the learner will need to generate observable evidence of knowledge growth.

    What Type of Awareness Programs do my Employees Need?

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have an overall awareness of the threats CUI faces. All employees need an awareness of policies, standards, and procedures. This is often best covered in the Employee Handbook and Acceptable Use Policies.

    Your technical staff will need to understand the security risks associated with their activities to keep data safe. This, again, will require the development of Operating System awareness, and you may need to run multiple awareness programs for each major and minor technical system.

    Managers and system administrators need awareness of the applicable policies, standards, and procedures related to the security of the systems they oversee. This will include reference documents, a required tour of a wiki or database, and Security Technical Implementation Guides (STIGs).

    Some Awareness and Training requirements kick in at Level Two when we talk Cybersecurity Maturity Model Certification (CMMC):


    Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities, and of the applicable policies, standards, and procedures related to the security of those systems.


    Determine if:

    • [a] security risks associated with organizational activities involving CUI are identified;
    • [b] policies, standards, and procedures related to the security of the system are identified;
    • [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
    • [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

    To meet the assessment objectives of this practice you will need to provide multiple types of security awareness and training programs

    What type of Training Program Do My Employees Need

    Based on the NIST 800-171a assessment objectives included in CMMC, you have to have three domains of training. One domain is focused on your CUI policy, another on threat analysis, and another on your system, security, and roles.

    CMMC has an entire set of objectives on developing and deploying a CUI policy. In your training, you need to ensure your managers and technical systems engineers, or Managed Service Providers (MSPs), know how CUI is protected on your system.

    Your training around applicable policies, standards, and procedures related to the security of the system will need extensive documentation, and will include recognizing educational certificates and providing your own training related to your reference architecture.

    For example, take AT.2.057, which requires contractors to “ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. ” This will require operating system training specific to a company’s reference architecture. You will rely on different certificate programs to ensure your technical staff can stay current as technology changes. You will need multiple trainings for each of the operating systems deployed on your major and minor systems that store, transmit, destroy, or create CUI as the result of a government contract.

    What is the Purpose of my Awareness and Training Policy?

    The first objective of AT.2.999 establishes a policy that includes Awareness and Training, which requires you to have a purpose to your awareness and training policy. For Level Three certification, you need a mission and strategic goals. AT.3.997 requires contractors to “establish, maintain, and resource a plan that includes Awareness and Training” objectives b and c.

    We recommend you do this on company-wide scale, via a threat awareness and training program. Explore the threats, external and internal, you face. Analyze risks to your business and supply chain.

    Break employees into groups and have them draft threat analysis documents (this is a Level Four requirement, but wise to implement ahead of time). Then when you have a complete list of threats, have the groups craft mission and goal statements.

    You then work with the groups in a whole company setting to ensure your employees draft the kind of comprehensive policy statement you envision. Ownership builds awareness.

    Many mature and large organizations will have awareness and training policies developed. If this is the case for your organization, you should still conduct ongoing threat analysis discussions at the department level.

    At the end of the day, make sure folks are aware.

    Who needs Awareness and Training?

    Everyone. Awareness and training ensure policies and procedures become company culture. However, it is important to note that your managers, sales staff, and security engineers need different awareness and training.

    NIST Special Publication 800-16, “Information Technology Security Training Requirements,” recommends creating a role-based training matrix. You can combine this approach with CMMC requirements to create a full curriculum scope and sequence for your awareness and training program.

    In the first column of the Matrix, list all the user roles on your information systems. Include a row for “all.” You can group trainees by their roles as well.

    Then create four domains in your awareness and training program:

    • Employee Responsibilities,
    • Information System Policies,
    • CUI
    • Reference Architecture

    What kind of training an employee receives, and in which domain, depends on their role. For example, all employees may have to watch a training and certify they read the Employee Handbook and Acceptable Use Policies. You probably want a training on the email rules of your company for all employees.

    For Level Three CMMC Certification, you need to document what will be learned. In fact, Assessment Objective [e] of AT.3.997 requires you to document “the plan documents, activities, and due dates.” In your matrices, be sure to list the trainings, in addition to when due dates occur.

    Fill out the chart indicating when role-based awareness and training occurs, what it includes, and how it is assessed.

    Large companies may have an internal learning management system that may track many of these metrics. Smaller companies may have to contract with a vendor. If you purchase IT or security products from MSPs or vendors, try to negotiate a training package, or choose those you see as compliance partners.

    What should Awareness and Training Cover?

    Employee Responsibilities

    You need to cover the four domains of knowledge, but now you must also develop the scope of learning objectives and the sequence of training for the matrices.

    First begin with employee responsibilities by examining the everyday system-wide awareness and trainings all employees must receive. This includes the employee handbook, sexual harassment, legal compliance, company wide posters, CUI handling posters, and stickers. These are everyday business practices that require awareness and training.

    Then decide which of these policies need more than awareness and actual training. This could include a short video summarizing the employee handbook with a quiz. Employees often have to attend mandatory trainings with a supervisor.

    Once you have the list, decide if the subject requires awareness or training. Add it to the matrix.

    Controlled Unclassified Information

    As noted above, you must include awareness and training on the “security risks associated with organizational activities involving CUI are identified.” In other words, you need to develop a CUI Training Program.

    At Level Two of the CMMC, your company will need awareness and training on the internal threats faced by companies who have a legal right to handle Control Unclassified Information on behalf of a government contract.

    At Levels Two and Three, your awareness and training program must include your company policies on receiving, creating, labeling, disseminating, transmitting, storing, and destroying CUI. This policy should cover the specific workflows for handling this information. You will also need to include your Incident Response Training on handing CUI data spillage.

    At Level Four, your CUI awareness and training program should include recognizing and responding to threats from social engineering that can lead to advanced persistent threat actors, breaches, and suspicious behaviors; you will be required to update the training at least annually, as well as when there are significant changes to relevant threats.

    Information System Policies

    Then you will have company-wide information system policies, such as your password policy, email policy, device policy, how Multifactor Authentification works (please turn on MFA), et cetera.

    These Information System Policies apply to all employees, however, at this point you may have to start specializing. The account generation for your Mobile Device Management tools may vary from your payroll system. In fact, at this level you will start to specialize at the Operating System level.

    Different types of operating systems will require you to verify employee training through different certificates. If you deploy in Kubernetes in Azure or use S3 in WS Govcloud, each of those stacks has individual Security Technical Implementation Guides (STIGs) and certification programs.

    You must consider all the major and minor systems, the data that flows through them, and the laws and regulations that govern how that data is used and shared.

    As a contractor, you also will need to consider trainings on your acquisition team on what kind of service level agreements you need in your vendor agreements with regards to information and technology systems. Trainings need to include examining vendor agreements and SLAs to determine if proposed security solutions meet CMMC Level Three standards.

    Reference Architecture

    As Tom Cornelius from Compliance Forge notes, “You must see policy as a blueprint and not documentation. You are more an archtiect than a writer.”

    As an organization, you will need solid reference architecture on how you build secure systems that can handle a moderate baseline for the protection of Controlled Unclassified Information. You will have a set of documents that describe how to build the ideal environment for your use case. You will need awareness and training on how to use and update your reference architecture.

    Take configuration management for example. If you do not have a clear configuration management documentation and provide baseline training on using the necessary references, you will not have the basics of Access Control, the root of cybersecurity.

    Next, you can turn to the other domains in CMMC to determine the specifics of company-wide training policies.

    What other Domains Should Awareness and Training Cover?

    The Awareness and Training you provide must go well beyond the practices and process of the AT domain. In fact, according to Native Intelligence in a blog post on Amira Armond’s CMMC Audit, Awareness and Training needs to cover fourteen additional practices across five domains

    • Access Control (AC)
    • Media Protection (MP)
    • Maintenance (MA)
    • Physical Protection (PE)
    • Systems and Communications Protection (SC)

    How to Get Started on an Awareness and Training Plan

    Create an Instructional Leadership Team

    You first begin by designating who owns your awareness and training program. The Instructional Leadership Team should contain stakeholders across the organization and not just from IT or your security team (if you even have either position. The team could include your Information System Security Officer, CIO, CTO, information System Security Manager, human resources, facility security officer, or employees designated to serve on the instructional leadership team.)

    Craft Goals, Missions, and Objectives

    Your instructional Leadership Team then crafts your goals mission and objectives. This begins by a walkthrough through of your threat environment. Understand the common threats to the sensitive data you hold.

    You can have very generic goals, missions, and objectives for your trainings. You may want to consider utilizing the awareness and training domain to strengthen your talent across the board. However, you only need to track system security related training with CMMC.

    Determine Roles for Awareness and Training

    Next, the Instructional Leadership Team determines roles and responsibilities. Christina Reynolds of BDO-USA recommends using the RAC model: who is Responsible, who is Accountable, and who need to be Consulted. The goal is to create observable evidence that partially meets assessment objectives c, d, and g of AT.2.999

    ” the roles and responsibilities of the activities covered by this policy are defined; (i.e., the responsibility, authority, and ownership of Awareness and Training activities);”

    “The policy establishes or directs the establishment of procedures to carry out and meet the intent of the policy;”

    “the policy is endorsed by management and disseminated to appropriate stakeholders; and “

    So you develop a matrix of roles and responsibilities. Include general users, data owners, system owners, and members of the Instructional Leadership Team. Make a column for each.

    Then, in the rows include who must complete training, who develops the training program, who agrees to acceptable use policies, who decides which roles get what training, who completes role based training, and who is responsible for record keeping.

    Establish Company-wide Baselines

    Now, decide what basic training every employee must have. This will include your awareness activities, employee handbooks, email policies, acceptable use policies, etc. You may include optional training on overall threat awareness and common attack vectors, such as phishing.

    The goal is to establish the bare minimum of security awareness you want with your employees. This wil usually include a variety of trainings like company wide meetings, video on-demands, or online learning.

    Develop A Training Matrix

    Now that you have a baseline of security awareness and training you want for employees, you next decide on specialized roles, and create a role-based training matrix. People in specialized roles and management positions will need additional training over and beyond what every employee recieves.

    You need to group people into roles based on functions in the workplace.

    Then create a list of topics, which includes items such as:

    • CUI
    • Email
    • Threat Awareness
    • Media Protection
    • Passwords
    • Mobile Devices
    • Access Control Policy
    • Reference Architecture
    • Crafting Service Level Agreements
    • etc

    You then decide based on the number of roles created by your Instructional Leadership Team which group gets what training.

    Develop Company Wide Awareness and Training Rubric

    Next the Instructional Leadership Team needs to define success metrics for your awareness and training program. In terms of CMMC, it is important to know if a plan really does not kick in until Level Four process requirements, but you cannot have a compliant training program at this Level without evidence of learning gains.

    The evidence of awareness and training success, like all compliance data, can fall into one of three categories: interview, observe and test.

    First, you want to understand if your awareness and trainign impacts your operational security. Indicators could include reduction in down time, increased phishing test success rates, and incident reporting. If you can not automate these metrics, you can have the Instructional Leadership Team rate them on a four point likert scale.

    You also have training program metrics, such as the frequency of training programs, learner performance, attendance, and learner feedback. You should check with your state on the requirements to protect and retain employee training data.

    Evaluate Content

    Now you have to choose content that will align your role based matrices with your required learning matrices. It will probably be cheaper to purchase curriculum than to develop it in-house. However, when you pay for an instructional designer to develop your program, you can align the program to your company culture and workflow.

    The majority of cybersecurity training is video-based garbage designed to allow you to check off a compliance box about providing training. Develop or utilize a rubric for evaluating curriculum. You may consider hiring a consultant to help you evalaute curriculum. At the very least, choose your networks from word of mouth.

    Create Deployment and Evaluation Schedule

    Next, you must create a scope and sequence guide for your curriuclum. This document includes the objectives of your chosen curriculum, how those objectives will be measured, when the curriculum will be delivered, and who will evaluate the result. You can include information about awareness and training.

    For awareness, you could include the posters you hang and monthly security reminders that are delivered by email. The awareness program occurs all the time, and for all users.

    For training, this again will be a role-based document. Many people may end up including the role-based matrix in the scope and sequence of the curriculum.

    Craft Awareness and Training Plan Compliance Documentation

    Finally, you will need to create a way to document your awareness and training program, so you organize observable evidence in a way that would not require a CMMC assors to make any inferences about your program. Spell out how you meet each requirement in your Policy, Procedures and Plans. If you followed the path above, you will have the majority of the required documentation already.

    Now, as your goal you must include the procedures you have decided upon for your Awareness and Training Policy, in addition to how you plan to include the metrics from your Awareness and Training in both your System Security Plan (SSP) and your Awareness and Training Plan.

    Create a policy for retaining security training records. Create the procedures to make sure this happens.

    Include a table in your policy that explicitly addresses all of the required Awareness and Rraining in a practice or assessment objective. Then, in your SSP, reference this policy and include two pieces of observable evidence that the assessment objectives have been met.

    For example, you need to include training of internal threats at Level Two of CMMC. This means that for Level Three compliance, you must demonstrate you provide this training. Explicitly spell this out, in addition to any required training in your Awareness and training Policy and Procedures.

    For many companies, beginning with the Awaress and Training domain may provide a great launching point for your CMMC journey.

    Meet CMMC Compliance through Awareness and Training

    Can you complete your SSP as you utilize and also reach compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

    Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes this difference.

    Christina Reynolds co-authored this post in the guidance she provided in how to craft Awareness and Training Policy

    Featured Image: “Bad Ragaz - Original Sin” by Kecko is licensed under CC BY

  • Roots of CyberSecurity

    So many people complain bout the forest and trees in the Cybersecurity Maturity Model Certification. Some look to the trees and can write 5,000 word essays pulling about the etymology of a single word. They never see the forest.

    “Forest Turnover” by Nicholas_T is licensed under CC BY

    Others claims CMMC will rise only to find itelf destined to fail. They note a piling up of assumptions and technical debt. They may note other compliance efforts like ISO failed or unjustly complain SOC2 compliance comes from gumball machines. They never take the time to see the trees.

    “Tree” by T

    Yet we need to stop worrying about the forest and trees of CMMC. Cybersecurity happens underground, through your culture.You must grow cyber hygiene in rich soil. Do not look to the forest or the trees. Instead get to the roots of cybersecurity.

    Roots of Cybersecurity

    The root system expands 20 times the size of any canopy. Often when we think trees have died around us, being returned to the earth by, you guessed it fungus, they go on living underground. Their roots living for years, decades, possibly centuries keeping other trees alive.

    “DSC01648” by Clearly Ambiguous is licensed under CC BY

    We must see cybersecurity as a symbiotic relationship between the Defense Industrial Base and the Department of Defense. You as a business owner need to understand that without some basics you can never secure sensitive data, and if you can’t secure sensitive data you will never get passed the basics.

    Around 90% of land plants thrive mutually-beneficial relationships with fungi. Yet we do not see it. The mycelium, network of fine white filaments that make up the vegetative part of fungi exist out of site. It just happens. What we need in cybersecurity.

    “Mushroom, NCI Sourdough trail” by furtwangl is licensed under CC BY Symbiotic relationship. The plants and trees allow the fungus to siphon off food and the fungus help the plants eat, ,act as a network of advanced persistent threat, and fight of pests. In a cubic inch of soil you can find 8 miles of mycelium. We must get to a similar state of cybersecurity hidden underground protecting our networks.

    To deliver food plants provide fungi with carbohydrates. The fungi suck up water, and provide nutrients like phosphorus and nitrogen, via their mycelia.

    The fungi also create a network to support each Paul Stamets, back in 1970 compared the mycelia of root systems to ARPANet. What we now call the Internet. According to Suzanne Simard older trees just the fungal network to help younger trees. They can redirect carbon they collect in their canopies to children of the forest floor who hide in the shadows,

    “Rhizomic” by mikecogh is licensed under CC BY

    The Wood Wide Web, also like cybersecurity provides advanced persistent threat analysis. When fungus work in the roots they triggers the production of defense-related chemicals. These make later immune system responses quicker. When one tree gets attacked by harmful pests or deafly fungi the mycelium can set off a chemical response in the root system to warn other trees.

    As a metaphor for your company we need to get to the roots of cybersecurity and this this includes five elements. You must do every one of these first.


    First in terms of Governance who owns your data, who owns your systems, who maintains the System Security Plan. The mycelium under the trees acts as a microbial neural background.

    When you look at mycelium and a node breaks the network moves around it. You must have a plan to handle CMMC and know who will enforce policies.


    Fungus migrated from the sea to land millions of years before plant life. The acids they produce broke down calcium in the rocks and produced soil. Your policy does the same thing.

    The fungi worked by acting as carbon sinks. Fungus got the system working just as your policy is required for cybersecurity. In fact you should begin with writing a policy of how your company writes policy. You may in fact have a ton of existing policy but you can not protect what you don’t know you have.


    After the great extinction event that killed the dinosaurs the fungi inherited the earth. They could grow in the dark and even use radiation as food. The largest mycelium organism sprawls across 2,200 acres of Oregon and has lived before the time of the Christian Era. You need to know the spread of your CUI, endpoints, and people. Have you counted them all? If you do not have a solid inventory system you can not have security. You need to know how sensitive data spread through your network for without an inventory it will spread like a rhizome, like mcyelliumn

    Access Control

    Paul Stamets has long argued that the Internet just provides proof o f concepts that al;ready exist. The mapping of Internet traffic and Dark Matter all reflect the mapping of the rhizomatic spread of the rhizome.

    You will need to keep a compliance machete at the ready to control access to sensitive data. Fungus act gateway species. Stamets note they let other life in. In fact he creates physical and logical barriers of mycelium downstream from farm to remove excess fertilizer and deadly diseases like e. Coli.

    Awareness and Training

    As he studies the fungus of the world Stametz tries to preserve the genome. In fact in collaboration with the Department of Defense they discovered five ancient and almost extinct fungi in the old growth forests that could help fight poxxed based diseases.

    Ancient forests in China contain fungi that fight Flu and SARS.

    Saving our old growth forest a matter of national security. Just like your cyber security.

    Let’s get to the root of the issue



  • How do you use the Discussion Section of the CMMC Assessment Guides?

    Great post from Alex Johnson on the difference between the discussion and requirements of CMMC practices.

    “I want to offer some information to those who may be struggling with understanding what options are available to you regarding the implementation of NIST SP 800-171 and CMMC requirements or practices.

    NIST SP 800-171 Section 2.2 contains the following:

    “A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. “

    The bottom line is that you have options. The discussions are not telling you exactly what you have to do. Rather, they are helping you to understand the essence of what the requirement is. There are a few discussions that are normative, but only a few.

    A great example of this can be found in MP.2.119 (3.8.1). These assessment objectives require you to physically control and securely store media containing CUI. The discussion indicates that “physically controlling system media includes conducting inventories.” However, that is not a requirement based on NIST SP 800-171 Section 2.2.

    I hope this helps some who may “extend the scope of a requirement” based on the discussion section.”

    Alexy J. on LinkedIn: I want to offer some information to those who may be struggling with linkedin.com


  • Sample AWS Templates for incident respone.

    GitHub - aws-samples/aws-incident-response-playbooks github.com

  • CMMC Essesntials Mocktini Recipes

    Moonlight Maze Martini


    • 2 oz cranberry juice
    • 1 oz fresh lime juice
    • 5 oz club soda, seltzer or citrus sods like 7-up
    • splash oj
    • lime wedges for garnish, or orange peel for garlish
    • sugar for frosting glass
    • ice
    ### Directions
    • Pour ice into a shaker or tall glass.
    • Add cranberry juice, fresh lime juice and club soda. Shake to combine.
    • Run a lime wedge over the outside rim of a chilled martini glass. Pour sugar onto a small plate or flat surface.
    • Dip the rim of the glass into sugar until covered with a thin border.
    • Strain carefully into a chilled martini glass. Add a splash of OJ Garnish with lime or orange peel.

    Olympic Games Gimlet


    • 3 sage leaves
    • ¾ oz lime juice
    • ¾ oz simple syrup
    • ice


    • Into a cocktail shaker, add 3 sage leaves, the lime juice, and simple syrup.
    • Add ice to your cocktail shaker, then shake for 20-30 seconds.
    • SIf desired, add a sage leaf to the top for garnish.

    KillDisk Daquari


    • 2 large strawberries, hulled
    • ¼ cup white sugar
    • 1 tablespoon lemon juice
    • splash oj
    • ¾ cup chilled lemon-lime soda
    • 4 cubes ice


    • In the container of a blender, combine the strawberries, sugar, lemon juice and lemon-lime soda. Add the ice and blend until smooth. Pour into a fancy glass to serve.

    Nitro Zues Zombie Apocaylpse


    • 1 oz. Passion Fruit Syrup
    • 4 oz. Pineapple Juice
    • Splash of Lime Juice
    • Splash of Vanilla Syrup


    • Shake/Strain and Garnish!

    Telvent Tonic


    • 1.50 oz Monday Zero Alcohol Gin
    • 1.50 oz cranberry juice
    • .50 oz lime juice
    • .50 oz simple syrup
    • 2-3 oz tonic water


    • Combine all the ingredients except tonic water in a shaker with ice.
    • Shake and strain into a tall glass with ice. Top with tonic water.
    • Garnish with rosemary or cranberries if desired.

    Header Image: Relief. jgmac1106 shared under a CC BY a remix of “Martini 02” by Tom Hilton is licensed under CC BY and “Python Source Code” by joncutrer is licensed under CC0

  • Leslie Weinstein Joins Southern's CMMC Team as an Academic Advisor

    When you need quality you have to seek out talent.

    Southern Connecituct State University announce that Leslie Weinstein has joined the instructional design team as an outside Academic Advisor working content validity for our Cybersecurity Maturity Model Certification course.

    Leslie, a Major in the Army Reserves, works directly with the Army Chief Information Officer. In 2019 Major Weinstein founded CMMC Consulting, LLC in response to industry demand for accurate and timely information regarding the CMMC implementation efforts. She has designed a CMMC preparation methodology that focuses sharply on preparing companies to undergo the actual CMMC assessment.

    While on Active Duty with the Army, Leslie has served at the Defense Intelligence Agency, U.S. Cyber Command, Army Headquarters, and Afghanistan with the 101st Airborne Division (Air Assault). In between tours with the Army, Leslie also served the Department of Defense as an Army civilian and policy analyst supporting DoD Chief Information Officer (DoD CIO), Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)), and the Air Force A2.

    Leslie served as a National Security Fellow at the Foundation for Defense of Democracies in 2019, in addition to being a member of the Truman National Security Project’s Class of 2021 Defense Council cohort. She holds a Bachelor of Science in Management of Information Systems from the University of Alabama in Huntsville, a Master of Science in Strategic Intelligence from the National Intelligence University, and a Master of Business Administration from Cornell University.

    As a member of the curriculum team, Leslie will work with our expert panel on validating our objectives. Through in-depth discussions and iterative rounds, this panel will work to decide what body of knowledge an objective measures, how relevant that objective is to a matched objective, and how important the objective is for us to teach.

    Weinstien will also apply her experience in assisting over 100 defense contractors to meet regulatory cybersecurity requirements. By reviewing our Controlled Unclassified Information scenario trainings with her expert eye, she will develop specialized training to aid in the understanding and adoption of cybersecurity regulations.

    Leslie Weinstein hosts a successful and popular CUI podcast “Ooey Cooey.” Everyone who wants to understand CMMC should check out the show. Otherwise you will feel like a guinea pig spinning around the endless compliance wheel.

    If you would like to learn from Leslie Weinstein, and our herd of experts you should join the CMMC Essentials class organized by Southern Connecticut State University and CyberDI.

    We launch module one today, so make sure to register today.

  • Overview of Module Zero Kick Off: Do I need a Gap Analysis?

    Gran Canyon

    Imagine going to the Grand Canyon and paying a tour guide to point out holes in the ground.

    It sounds stupid, I know, but many companies do something like this by paying for a Gap Analysis. You already know your hygiene needs help; you don’t need to pay someone to tell you this.

    If you cannot tell me the number of contracts you have with a 7012 clause, tell me the number of endpoints you possess, or tell me the number of people you employ, then you will be throwing away money on a Gap Analysis.

    I brought this perspective to the CMMC Essentials III Kick Off yesterday and Vincent Scott pushed back but RJ Williams noted that Vince described what he would call a remediation plan.

    No clear definition exists in the community for the meaning of a Gap Analysis.

    The conversation began when I discussed my trouble in determining the best way to teach the Domains in the CMMC CCP class. In my mind, I thought it would be best to teach the exact way our future CCP comrades would conduct assessments to help companies get to -171 and CMMC compliance.

    Our class specifically focuses on the roots of cybersecurity before we even talk about Domains, Practices and Processes. Still—needing to cover 17 Domains, 130 Practices, and 705 objectives in one class presents a daunting task.

    So I threw out this idea: what if we take CSF Cybersecurity Framework as a lifecycle approach and use that on your CMMC journey? Enough folks have mapped the objectives. Yet, you end up just confusing folks.

    Cybersecurity frameworks are like religion. If you try to unify two, you just end up with a third.

    This sparked a thinking exercise between Richard Dawson, Lisa Lancor, myself, RJ, Vincent, and Jim Goodrich on how one could combine the roots of cybersecurity with a lifecycle approach.

    (Christina Reynolds of BDO wrote the best life cycle approach to CMMC that I have seen to date)

    screen shot of cycle that is described below

    We arrived at a rough sketch. The cycle begins with plan from a business awareness perspective. This means knowing your revenue from 7012 clause contracts, understanding the risks and threats used to attack sensitive data, and encouraging as many of your employees to learn about CMMC.

    Following this, you do not hop right into a Gap Analysis. Conduct your formative assessments before a summative test to ensure you pass CMMC. You need a system to help you grow. The development of this system begins with a scoping assessment. The average small business cannot do this step alone.

    To begin, you should know which contracts have CUI. Familiarize yourself with the vendors that may fall within your scope. You should also have a rough sketch of your CUI data flow. Once these things are in order, then it is time to engage a professional.

    In the picture, remediate came after Gap Analysis. We meant to switch this around, but I never did. Here you complete a self-assessment, or better yet, utilize a compliance package to guide your journey and remediate the stuff you can by yourself. Focus on the People and the Process.

    You may do this step a number of times. 2026 is a bit far off. You do not need to invest in all of this in one year. Grow your SSP, and shrink your POA&M, over the course of a year or two.

    Then, when you feel your organization is approaching CMMC readiness, your company should start a formal Gap Analysis. Again, there is no point in paying people to point out the holes you already know exist.

    Overall, we had such a wonderful Module Zero launch and I am super excited about the new learners joining the class. RJ, Jim, and Kevin gonna fit right in. Our crew is rolling up to almost 30 deep now.

    We start module one on Thursday, so if you want to join check out Southern Connecticut State University.

    CMMC may make you want to jump into the Grand Canyon. But if you take a step back, breathe, and focus on growing your SSP while shrinking the POA&M over a period of time, life will be okay.

    And please turn on MFA.

    “grand canyon 2” by airlines470 is licensed under CC BY-SA

  • Moving from Microsoft Teams to Google Classroom

    After two iterations of our CMMC Essentials, class we have decided to move away from Microsoft Teams and onto Google Classroom.

    We simply could not reliably predict the UX for our learners on Microsoft Teams. For example, if a guest entered a meeting from their Teams, they could not use the chat feature during a meeting. Only f you copied the meeting url from the calendar, pasted it into a different browser, and then selected “open in Teams app” would guests receive access to the chat.

    We also do not know if a user has downloaded the app or only enters class through the browser based versions. Those experiences end up different. That never works for teaching. You want to spend your time on the content and not doing two different version of tool tutorials.

    File sharing became impossible. You record a meeting and it is uploaded to Stream. By default Guests can’t see Stream. You have to download the video and then reupload it to Teams for guest access. PITA. Same with files. Am I in teams, Sharepoint, O365? Got messy quick.

    If I have an SME booked for an hour I do not want to ten trying to share files.

    Then we do not know the feature sets or how these features work on Teams. At our university we have five different levels of Teams all on one tenant. We can choose from:

    • Staff
    • Professional Learning Community
    • Class
    • Other

    Each one has nuanced, role-based access settings that nobody really knows. We have asked. Well—first you have to try to figure out who to ask.

    For a small company, Teams will work as a training platform. At our University, nested in a State IT system, connected to our Active Directory, we just did not have enough control to flip radial buttons. Getting features turned on and off requires untangling webs of committees and shared governance.

    Moving to Google Classroom

    screenshot of google classroom

    Therefore, Dr. Tucker, Dr. Lancor, and I decided to shift to Google Classroom. Our university keeps an instance so we can train teachers on Google Workspace apps. Schools no longer use or teach Microsoft Products until you get to College. Local school districts demand teachers are trained in the Google ecosystem.

    We reached out to all of our alumni and future students, and everyone seem pleased with the change. People do not like Microsoft Teams when compared to Slack and Discord. A majority actually noted a bit of relief after having used Google Classroom with their children during the COVID-19 Pandemic. Most know the platform already.

    I do not like the inability to add images to Google Classroom materials. Pictures help, but I am sure Google saves on file size, bandwidth and improves accessibility (or does it hurt it??…maybe accessibility compliance) without images.

    We still provide students with an account on Cocoon Data’s Safe Share if they want to share IP or keep their SSP off our University’s Google Instance.

    What does this mean for an LTP?

    Nothing. We write curriculum LMS agnostic. You will have it delivered in HTML/Word/PDF and SCORM. We follow a simple instructional design rule of content frames.

    A content frame works by constraining design. We only get a set of boxes to put stuff in:

    • Overview
    • Essential Questions
    • Objectives
    • Videos
    • Read Tasks
    • Write Tasks
    • Participate Tasks

    Every module gets laid out using the exact same content frame. Predicatable navigation projects student satisfaction and learning.

    Our teacher guides use the lesson plan template CMMC-AB. If you purchase the optional teacher handbook you have a copy of the student textbook, with teaching tips and lessons for delivering the material in three different modalities

    • Asynchronous Online
    • Synchronous Online
    • Hybrid
    • Face to Face

    You will also know all of the content you recieve comes compliant with the American Disability Act and Section 508.

    Most importantly, you will know the courses elicit evidence of knowledge growth against our course objectives, which have undergone two protocols of content validation with subject matter experts. Every module will contain a pre and post test that is conditionally released to students through Safe Share or your LMS.

    We also move far beyond the traditional recorded Power Points. In our classes, community is the curriculum. You will receive tips on holding discussions for the modality of your choosing. In addition to this, you will receive a library of pre-edited discussions we have already conducted with the best people in cybersecurity. Every module does include a slide deck with speaker notes for the Instructors most comfortable with that toolkit.

    Our assignments move far beyond the traditional multiple choice test. Sure, we use some quizzes, but we want students learning by doing. Every lesson plan follows a scaffold of read, write, do. We set an active purpose for our readers, have them synthesize new learning in their writing, and then apply what they learn through a performance assessment.

  • Inventory Matters

    Inventory matters. As Sarah Spencer CEO of SolonTek notes, “You cannot protect what you cannot see.”

    “dandoodlescan065-inventory is waste” by Inha Leex Hale is licensed under CC BY

    Now, some people read the CMMC assessment guide for Level One and think, “Huh no inventory needed?”

    This is not true. You may not need to show your inventory results or policies for Level One compliance, but you will not be Level One compliant without good inventory policy.

    Think about assessment objective f of Access Control 1.001, “[f] system access is limited to authorized devices (including other systems).” You will need to inventory your systems to comply with this objective.

    What about CUI? If you read NIST-SP800-18 on writing a System Security Plan, you quickly realize you need to inventory all of your 7012 contracts and the data owner for each one.

    Vincent Scott and I developed a quick table of “some” of the areas hit by good inventory. The word “identified” happens a ton in the CMMC assessment guides. You have to decide if this also means counting. This list will continue to grow, so if you think we missed something, please let us know.

    Comment on LinkedIn or better yet get a blog and send me a webmention.

    CMMC Level Domain Number Definition Assessment Objective NIST 171
    1 Access Control AC.1.001   Limit information system access to authorized users, processes acting on behalf of authorized users, or devices [c] devices (and other systems) authorized to connect to the system are identified; 3.1.1
    1 Access Control AC.1.001   Limit information system access to authorized users, processes acting on behalf of authorized users, or devices [f] system access is limited to authorized devices (including other systems). 3.1.1
    2 Access Control AC.2.006   Limit use of portable storage devices on external systems [a] the use of portable storage devices containing CUI on external systems is identified and documented; 3.1.21
    2 Access Control AC.2.011   Authorize wireless access prior to allowing such connections [a] wireless access points are identified; 3.1.16
    2 Access Control AC.2.015   Route remote access via managed access control points [a] managed access control points are identified and implemented;  3.1.14
    2 Access Control AC.2.016    Control the flow of CUI in accordance with approved authorizations [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; 3.1.3
    3 Access Control AC.3.020    Control connection of mobile devices [a] mobile devices that process, store, or transmit CUI are identified; 3.1.18
    3 Access Control AC.3.022    Encrypt CUI on mobile devices and mobile computing platforms [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; 3.1.19
    2 Configuration Management CM.2.061    Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles [e] the system inventory includes hardware, software, firmware, and documentation; and 3.4.1
    1 Identification and Authentication IA.1.076    Identify information system users, processes acting on behalf of users, or devices [c] devices accessing the system are identified. 3.5.1
    1 Identification and Authentication IA.1.077   Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. 3.5.2
    3 Media Protection MP.3.123    Prohibit the use of portable storage devices when such devices have no identifiable owner [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. 3.8.8
    1 Physical Protection PE.1.134   Control and manage physical access devices [a] physical access devices are identified; 3.10.5
    2 System and Communications Protections SC.2.178   Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device  [a] collaborative computing devices are identified; 3.13.12
    2 System and Communications Protections SC.2.179    Use encrypted sessions for the management of network devices [a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; N/A
    1 System and Informational Integrity SI.1.211    Provide protection from malicious code at appropriate locations within organizational information systems [a] designated locations for malicious code protection are identified; 3.14.2
  • Domains, Practices, and Processes of CMMC

    When you join the CMMC Essentials class at Southern Connecituct State University, you interact with the best experts in Cybersecurity.

    Yesterday Vincent Scott, Leigthon Johnson, and Paul Netopski joined us to record the module launch of CMMC Domains, Practices, and Processes.

    We have a few MSPs joining us this session. They support both DIB and HIPPA contractors…Been a busy couple days for them….

    We spent most of the session dealing with the 999, 998, and 997s of CMMC. The policies (99), procedures (98), and plans (97) required for Cybersecurity Maturity Model Certification (CMMC) compliance.

    A blog post by Amira sparked the discussion and we went into topics from:

    • The impossibility and impracticality of step by step procedures
    • Challenges for DIB large and small
    • Role of Reference Architecture
    • Automating procedures through STIGs, SIEM, and Compliance Managers

    We also discussed the three types of evidence required throughout the CMMC assessment process: interviews, examinations, and tests. Leighton shared his observation that CMMC requires no testing. You observe someone perform a test, or interview them about the test they performed, but no C3PAO or Certified Assessor will ever test a private system.

    No security engineer will ever allow a random assessor—or worse—a registered professional poke around the system.

    Finally, we closed with the point that if you start your self assessment using the DCMA 171a assessment, and get your SPRS score started you will be well ahead of the game.

    If you want a preview of the fun we have in our module kick offs (WE WILL NEVER USE A PPT PROMISE) check out this teaser:

    Join us for our next class starting Julty 20th https://southernct.edu/cmmc

  • CMMC Blues

    I’ve got them serious #CMMC blues

    Hated by every security recluse

    CEOs blame me for all their costs

    And scream, “Why don’t I sell COTS?”

    CMMC didn’t make #cui

    We need to see eye to eye

    That was an Executive order

    I ain’t no greedy hoarder

    Not even the DoD

    Did this to me

    It was NARA

    Who took costs farther

    But folks see CMMC

    As a wound and wanna cauter it.

    Yet OMB decided #CUI needed moderate

    FIPS came from their lips

    Not mine

    I didn’t take your dime

    That was 199

    Forgot about FISMA

    Didn’t Ya

    Forgot about FISMA

    Didn’t Ya

    Stop blaming CMMC

    For someone’s crime

    It’s not me

    Not Delta Twenties

    Those just pennies

    171 in NIST’s baseline

    Robbing your bottom line

    You see,

    Don’t blame CMMC

    You fret

    Over technical debt But

    7012 had the clause

    delving its paws

    Into your dwindling books You self-attested

    and now feel bested

    So stop with dirty looks

    CMMC didn’t do this

    NO complaining on LinkedIn

    Instead let this lesson sink in

    Grow your SSP

    Cut your POA&M at the knees

    Don’t blame CMMC

    For your lack of


    It wasn’t me

    Forgot about FISMA

    Didn’t Ya

    Forgot about FISMA

    Didn’t Ya

subscribe via RSS

All content, unless otherwise notes, is licensed with a CC-BY