“OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment as addressed in 32 CFR 170.17(c)(4). Read More
Tag: CMMC assessment
How to get a CMMC Audit or Assessment
You’re in the right place if the US Government or your prime contractor told you that you need to get a CMMC certification. What is CMMC? CMMC is an initialization for the term “Cybersecurity Maturity Model Certification”. This term was Read More
Policy templates and tools for CMMC and 800-171
This page has links and reviews of available templates and tools relating to the CMMC and NIST SP 800-171 **Updated April 3, 2024** Please help others in the community by leaving a comment with resource links! Policies Templates Kieri Compliance Read More
CMMC assessment? Don’t let pride take you down
Getting CMMC assessed? Some advice.. Listen to your assessor If we say that your evidence isn’t related to the requirement being inspected, or especially the critical words “I think you have misinterpreted this requirement”, instead of getting mad, take a Read More
CMMC Level 2 Self-Assessment Analysis
Our sponsor, Kieri Solutions, has released an in-depth review and analysis of CMMC Level 2 Self-Assessments according to the CMMC Proposed Rule. Not official guidance for CMMC Proposed Rule This paper is for educational purposes and is not authoritative in Read More
Joint Surveillance Assessment – what is it like?
This is an interview with Jose Rojas (TTC) and Ozzie Saeed (IntelliGRC) about their experience being assessed by Kieri Solutions, an Authorized C3PAO, as part of the Joint Surveillance Voluntary assessment program. Other than the obvious congratulations to both of Read More
What does “monitor” mean in CMMC?
Logan Therrien and Amira Armond from Kieri Solutions (an Authorized C3PAO) discuss the concept of monitoring and how it is evaluated by CMMC assessors. Several assessment objectives in CMMC Level 2 require monitoring. ๐ the physical facility where organizational systems Read More
Podcast – increasing the likelihood of passing CMMC assessments
This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS of course), the aspects that contractors have the most difficulty with, and the status Read More
3.13.11 FIPS 140-2 Validated Cryptography
It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. ๐ฑ ๐ฅ ๐ฅ ๐ ๐๐๐ 140-2 ๐๐๐ฅ๐ข๐๐๐ญ๐๐ ๐๐จ๐๐ฎ๐ฅ๐๐ฌ ๐ฅ ๐ฅ ๐ฑ Listen up – I’m going to tell you how to succeed Read More
What are Spot Checks for?
๐๐๐๐ ๐๐ฌ๐ฌ๐๐ฌ๐ฌ๐ฆ๐๐ง๐ญ ๐๐ฉ๐จ๐ญ ๐๐ก๐๐๐ค๐ฌ “๐๐ง ๐ค๐ฐ๐ฏ๐ต๐ณ๐ข๐ค๐ต๐ฐ๐ณ’๐ด ๐ณ๐ช๐ด๐ฌ-๐ฃ๐ข๐ด๐ฆ๐ฅ ๐ด๐ฆ๐ค๐ถ๐ณ๐ช๐ต๐บ ๐ฑ๐ฐ๐ญ๐ช๐ค๐ช๐ฆ๐ด, ๐ฑ๐ณ๐ฐ๐ค๐ฆ๐ฅ๐ถ๐ณ๐ฆ๐ด, ๐ข๐ฏ๐ฅ ๐ฑ๐ณ๐ข๐ค๐ต๐ช๐ค๐ฆ๐ด ๐ฅ๐ฐ๐ค๐ถ๐ฎ๐ฆ๐ฏ๐ต๐ข๐ต๐ช๐ฐ๐ฏ ๐ฐ๐ณ ๐ฐ๐ต๐ฉ๐ฆ๐ณ ๐ง๐ช๐ฏ๐ฅ๐ช๐ฏ๐จ๐ด ๐ณ๐ข๐ช๐ด๐ฆ ๐ฒ๐ถ๐ฆ๐ด๐ต๐ช๐ฐ๐ฏ๐ด ๐ข๐ฃ๐ฐ๐ถ๐ต ๐ต๐ฉ๐ฆ๐ด๐ฆ ๐ข๐ด๐ด๐ฆ๐ต๐ด, ๐ต๐ฉ๐ฆ ๐ข๐ด๐ด๐ฆ๐ด๐ด๐ฐ๐ณ ๐ค๐ข๐ฏ ๐ค๐ฐ๐ฏ๐ฅ๐ถ๐ค๐ต ๐ข ๐ญ๐ช๐ฎ๐ช๐ต๐ฆ๐ฅ ๐ด๐ฑ๐ฐ๐ต ๐ค๐ฉ๐ฆ๐ค๐ฌ ๐ต๐ฐ ๐ช๐ฅ๐ฆ๐ฏ๐ต๐ช๐ง๐บ ๐ณ๐ช๐ด๐ฌ๐ด. ๐๐ฉ๐ฆ ๐ญ๐ช๐ฎ๐ช๐ต๐ฆ๐ฅ ๐ด๐ฑ๐ฐ๐ต ๐ค๐ฉ๐ฆ๐ค๐ฌ(๐ด) ๐ด๐ฉ๐ข๐ญ๐ญ ๐ฏ๐ฐ๐ต ๐ฎ๐ข๐ต๐ฆ๐ณ๐ช๐ข๐ญ๐ญ๐บ ๐ช๐ฏ๐ค๐ณ๐ฆ๐ข๐ด๐ฆ ๐ต๐ฉ๐ฆ Read More
3.11.1 Periodically assess the risk to organizational operations
3.11.1 ๐๐๐ซ๐ข๐จ๐๐ข๐๐๐ฅ๐ฅ๐ฒ ๐๐ฌ๐ฌ๐๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…This is the fourth-most “Other than satisfied” #CMMC requirement. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or Read More
3.11.2 Scan for Vulnerabilities
Scan for vulnerabilities….This the fifth-most “Other than satisfied” #CMMC requirement with an 18% fail rate. 3.11.2 ๐๐๐๐ง ๐๐จ๐ซ ๐ฏ๐ฎ๐ฅ๐ง๐๐ซ๐๐๐ข๐ฅ๐ข๐ญ๐ข๐๐ฌ ๐ข๐ง ๐จ๐ซ๐ ๐๐ง๐ข๐ณ๐๐ญ๐ข๐จ๐ง๐๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐๐ฆ๐ฌ ๐๐ง๐ ๐๐ฉ๐ฉ๐ฅ๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐ฉ๐๐ซ๐ข๐จ๐๐ข๐๐๐ฅ๐ฅ๐ฒ ๐๐ง๐ ๐ฐ๐ก๐๐ง ๐ง๐๐ฐ ๐ฏ๐ฎ๐ฅ๐ง๐๐ซ๐๐๐ข๐ฅ๐ข๐ญ๐ข๐๐ฌ ๐๐๐๐๐๐ญ๐ข๐ง๐ ๐ญ๐ก๐จ๐ฌ๐ ๐ฌ๐ฒ๐ฌ๐ญ๐๐ฆ๐ฌ ๐๐ง๐ ๐๐ฉ๐ฉ๐ฅ๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐๐ซ๐ ๐ข๐๐๐ง๐ญ๐ข๐๐ข๐๐. “๐๐๐๐๐๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐๐๐”…This is an example of Read More
3.3.3 Review and Update Logged Events
This is #6 in the series of most common failed requirements as assessed by the DoD’s Cyber Assessment Center. This requirement is another example of misunderstanding == failing (alongside the other top 10 requirements). Most people do not understand what Read More
3.3.5 Correlate Audit Processes
NIST SP 800-171 3.3.5 ๐๐จ๐ซ๐ซ๐๐ฅ๐๐ญ๐ ๐๐ฎ๐๐ข๐ญ ๐ซ๐๐๐จ๐ซ๐ ๐ซ๐๐ฏ๐ข๐๐ฐ, ๐๐ง๐๐ฅ๐ฒ๐ฌ๐ข๐ฌ, ๐๐ง๐ ๐ซ๐๐ฉ๐จ๐ซ๐ญ๐ข๐ง๐ ๐ฉ๐ซ๐จ๐๐๐ฌ๐ฌ๐๐ฌ ๐๐จ๐ซ ๐ข๐ง๐ฏ๐๐ฌ๐ญ๐ข๐ ๐๐ญ๐ข๐จ๐ง ๐๐ง๐ ๐ซ๐๐ฌ๐ฉ๐จ๐ง๐ฌ๐ ๐ญ๐จ ๐ข๐ง๐๐ข๐๐๐ญ๐ข๐จ๐ง๐ฌ ๐จ๐ ๐ฎ๐ง๐ฅ๐๐ฐ๐๐ฎ๐ฅ, ๐ฎ๐ง๐๐ฎ๐ญ๐ก๐จ๐ซ๐ข๐ณ๐๐, ๐ฌ๐ฎ๐ฌ๐ฉ๐ข๐๐ข๐จ๐ฎ๐ฌ, ๐จ๐ซ ๐ฎ๐ง๐ฎ๐ฌ๐ฎ๐๐ฅ ๐๐๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ. This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according Read More
CMMC Scoping for Level 2
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics discussed in the video are: This content is way more than the CCP course blueprint covers and more in-depth than what is Read More
CMMC Scoping for Level 1
This video is provided by Amira Armond and Jil Wright (CMMC Provisional Assessors and Provisional Instructors) from Kieri Solutions, an Authorized C3PAO. Topics included are: Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC Read More
Excuses that won’t work for your CMMC assessment
Public Safety Announcement forย #CMMCย and DIBCAC assessments of 800-171 compliance. “My _________ is scheduled to occur in January and we haven’t reached January yet.” – said too many Organizations Seeking Certification Do not try to use this excuse to explain why Read More
CMMC Scope – are you ready for an assessment?
This article gives examples and explanations of how to identify your CMMC scope to an assessor when you are planning…
CMMC Assessment Part 3 – Interview with Jeff Dalton
This is Part 3 of our CMMC Assessment series with Jeff Dalton (the lead trainer of the CMMC Provisional Assessors). Q&A about assessments!
CMMC-AB Jeff Dalton โ the CMMC Assessment Process โ Part 2
Second interview with Jeff Dalton (CMMC-AB) about the CMMC assessment process. Topics relevant to every defense contractor, non-technical.
CMMC-AB Jeff Dalton – the CMMC Assessment Process – Part 1
Interview with Jeff Dalton (CMMC-AB) about CMMC assessments. Who is authorized to perform assessments? When should you do a pre-assessment? Can you fix issues found during an assessment?
Introducing the CMMC Kill Chain – Zero to full compliance
Author: Tom Cornelius| Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF) Originally published on LinkedIn on October 19, 2020 The concept of creating a โCMMC Kill Chainโ started off as a bit of a dareโฆ kind Read More
When is a conformity assessment not a conformity assessment? (hint โ it is CMMC)
Author: Tom Cornelius| Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF) Originally published on LinkedIn on August 13, 2020 This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended Read More