The DoD released a “CMMC 101” overview which does a good job of describing the CMMC program at a high level. If you need to review CMMC with your company executives, this might be the best presentation to use. Of course, it doesn’t mention some of the juicier bits, like Contractor Risk Managed Assets being Read More
Author: Amira Armond
Connect with Amira on LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/
- - -
32CFR Final Rule Published – CMMC goes live!
On October 15, 2024, the Federal Register was updated with the CMMC Final Rule (32 CFR). This rule will be fully effective on December 15, 2024. Link to Federal Register for CMMC: This link goes to the U.S. Government’s Federal Register page. From here, you can view the document as published in the register, which includes Read More
Podcast – CMMC Scoping with Climbing Mt CMMC
Amira Armond from Kieri Solutions – Authorized C3PAO, and Bobby Guerra from Axiom.tech talk about CMMC scoping. Topics discussed: This podcast by Climbing Mount CMMC is oriented toward education for Managed Services Providers who support clients in the Defense Industrial Base. V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and Read More
Review of CMMC Registered Practitioner Training
This post was originally written in September 2020. It was updated in July 2024. In September 2020, I took the Cyber-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience. How is the CMMC RP Training set Read More
NCDMM one of first companies to get “110” JSVA
What is it like to be CMMC assessed by Kieri Solutions? Want to learn about the great work that the National Center for Defense Manufacturing & Machining (NCDMM) is doing with over 200 Alliance Partners? Check out this interview with Jason Saly, IT and Cloud Services Director and the lead for NCDMM’s CMMC compliance journey. NCDMM Read More
How to become a CMMC assessor or auditor
The latest information about how to become a CMMC auditor or certifier. Registrations are open for assessors, C3PAOs, and CMMC practitioners…
CMMC Final Rule moves to OIRA review
Exciting morning in Defense Contractor land! The CMMC Final Rule (32 CFR) has moved to its last phase before publication. It is in OIRA review (Office of Information and Regulatory Affairs – the technical editors/reviewers for government regulations). All the comments were responded to…Even the angry ones… (Golly geez I hope some of those errors Read More
DoD estimates CMMC paperwork burden
“OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment as addressed in 32 CFR 170.17(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available Read More
How to get a CMMC Audit or Assessment
You’re in the right place if the US Government or your prime contractor told you that you need to get a CMMC certification. What is CMMC? CMMC is an initialism for the term “Cybersecurity Maturity Model Certification”. This term was introduced by the Department of Defense in 2019 to name a new cybersecurity program. This Read More
Policy templates and tools for CMMC and 800-171
This page has links to and reviews of available templates and tools relating to the CMMC and NIST SP 800-171. **Updated April 3, 2024** Please help others in the community by leaving a comment with resource links! Policy Templates: Kieri Compliance Documentation *sponsored* https://www.kieri.com/kcd If you are seeking a set of CMMC-specific policy, procedures, and system Read More
C3PAO Shopping Guide
The National Defense Information Sharing & Analysis Center (ND-ISAC) is pleased to announce the release of a “C3PAO Shopping Guide for Small & Medium-Sized Businesses.” The guide was created through a team effort among participants in ND-ISAC’s Small & Medium-Sized Business Working Group in consultation with other SMBs across the Defense Industrial Base (DIB), along with Read More
CMMC JSVA program – what you need to know
Some tidbits about CMMC’s Joint Surveillance Voluntary Assessment (JSVA) program that you might not know: The JSVA program is intended to train C3PAOs and CMMC Assessors. 1) The DoD is essentially using the JSVA program to train and vet our private sector assessment teams over-the-shoulder with the DoD’s cybersecurity assessment teams. This lets us learn from Read More
When do you need a new assessment? What can change?
Information systems are constantly changing. Especially if they are functional, production systems, supporting real use. Workstations and servers break. Technology becomes obsolete. New solutions are implemented in response to changing functional requirements. One thing we don’t know, in the CMMC world, is how much change is too much change. What is the maximum amount of Read More
What is “Certified” as the result of assessment??
What exactly is “certified” when you go through a CMMC or Joint Surveillance assessment, or when you self-assess your environment and report it to the DoD? What does it mean when you want to bid on contracts using this certification? Disclaimer: I’m not a lawyer. This is not legal advice. I don’t have special insight Read More
CISA Proposed Rule – Mandatory Reporting of Cyber Incidents
CISA releases proposed rule for mandatory reporting of cyber incidents by Critical Infrastructure and State, Local, Territorial Governments. To my understanding, this will affect all DoD contractors with DFARS 252.204-7012 in their contracts, as well as most Federal Contractors. For example, despite small businesses being given an exclusion, any business that “Owns or operates critical Read More
CMMC assessment? Don’t let pride take you down
Getting CMMC assessed? Some advice. Listen to your assessor: if we say that your evidence isn’t related to the requirement being inspected, or especially the critical words “I think you have misinterpreted this requirement”, instead of getting mad, take a long pause and go ask a knowledgeable consultant to review your situation. Most interpretation problems Read More
CMMC, CUI, and Cloud Vendors – do you need FedRAMP?
Achieving Cloud Compliance in the Age of CMMC, CUI, and DFARS 7012: How secure are your cloud vendors?
CMMC Compliance FAQs – Organizations seeking certification
This article is provided by Kieri Solutions, an Authorized CMMC Third Party Assessment Organization, offering CMMC assessment services. Thanks to them for sharing some of the secret sauce! This article is meant to provide short explanations on topics that are commonly misunderstood (and not performed correctly) by defense contractors. It will be updated over time. Read More
CMMC Level 1 certification and preparation (how-to)
If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to Read More
CMMC Capabilities Discussion Home
This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: The goal is to help you understand how the Read More
CMMC News Rollup October 6, 2020
Hello folks, This week’s update is pretty short. The DFARS Interim Rule is still the biggest news. Other topics are the new DoD CUI website, which has great resources for contractors, and word-of-mouth updates on the CMMC-AB’s registered practitioner and C3PAO programs. -Amira Armond, CMMC Registered Practitioner. Per CMMC-AB support email: Everyone who completed Read More
DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC
If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule: Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) which goes into effect on November 30th, 2020. This publication is 89 pages long Read More
CMMC News Roundup September 28 2020
Hello all, Big news these last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then (I think?) it got approved on an interim basis, to go into effect around November 27, 2020. DFARS Interim Rule Added – enforces assessments. Federal Register Publication Read More
CMMC News Roundup September 9 2020
Hello folks, Here’s the latest CMMC news and articles you should check out! CMMC FAQ for Organizations Seeking Certification This easy FAQ article discusses frequently asked questions about implementing CMMC security. Things like “Can my employees use their home computers to work on CUI?” Incident Handling tips from CISA https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf The Cybersecurity and Infrastructure Security Read More
CMMC News Rollup – August 26, 2020
DFARS rule update for CMMC The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors. The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC’s Level 1-5 approach. If and when Read More
When is a conformity assessment not a conformity assessment? (hint – it is CMMC)
Author: Tom Cornelius | Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF). Originally published on LinkedIn on August 13, 2020. This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended to use a risk-based approach to determine a confidence point (e.g., materiality threshold) instead of Read More
CMMC Glossary, Terms, and Definitions. Who’s who in CMMC
As the CMMC ecosystem grows, it is starting to get hard to track all the key players and concepts. This page is meant as an easy-to-understand “who’s who” and “what’s what” for the CMMC. This CMMC glossary of terms is ordered so that each term builds on the previous terms. If you are Read More
CMMC “allowable cost” discussion and thoughts
*Updated August 13, 2020* CMMC cybersecurity is an “allowable cost” for DoD contractors? “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.” “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. Read More
What is FCI in CMMC and how does it affect scope?
The Cybersecurity Maturity Model Certification references “FCI”. What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not Read More
CMMC Provisional Auditor program opt-ins
On August 9th, 2020, the CMMC Accreditation Body sent this email to me (and presumably others who registered as CMMC certified assessors). To opt in, you must attest that you meet the experience requirements: 10+ years of experience conducting evidence-based assessments in cyber or another information technology field, or 20+ years of experience as a “consultant or proven leader” Read More