Vincent Scott’s Post

Small businesses, such as local construction companies and janitorial services, must meet CMMC to be eligible to bid for work. I've been helping some smaller clients in this category self-assess. How will a home-based business, like many small service companies, meet CMMC Level 1? They can only meet the physical security requirements if their home office is locked, which isn't realistic with extended families living at home. A very modest Microsoft Azure virtual enclave costs $10K or more per year just to bid work. Even when running virtually, your home network is still in scope for assessment. Under the final rule, companies who previously self-assessed to check the box are now threatened with the possibility of a False Claims Act charge. I'm curious how this plays out, but I worry we will lose small business competitive bids, and the taxpayer will indirectly fund the real cost of certification for larger small businesses.

Small businesses, such as local construction companies and janitorial services, must meet CMMC to be eligible to bid for work. I've been helping some smaller clients in this category self-assess. How will a home-based business, like many small service companies, meet CMMC Level 1? They can only meet the physical security requirements if their home office is locked, which isn't realistic with extended families living at home. A very modest Microsoft Azure virtual enclave costs $10K or more per year just to bid work. Even when running virtually, your home network is still in scope for assessment. Under the final rule, companies who previously self-assessed to check the box are now threatened with the possibility of a False Claims Act charge. I'm curious how this plays out, but I worry we will lose small business competitive bids, and the taxpayer will indirectly fund the real cost of certification for larger small businesses.

CMMC is final! - The rule is out for you to peruse: https://lnkd.in/gn-E5tT2 Here are the change summary Changes have been made to the CMMC Significant changes include: • The Implementation Phase 1 has been extended by an additional six months. • A new taxonomy was created differentiating the level and type of assessment conducted from the CMMC Status achieved as a result. • Clarification was added regarding the DoD’s role in achievement or loss of CMMC  Statuses. • CMMC Status will be automatically updated in SPRS for OSAs who have met standards acceptance. • Requirements regarding conflict of interest were updated to expand the cooling-off period for the CMMC Accreditation Body to one year and bounded the timeframe between consulting and assessing for the CMMC Ecosystem to three years. • A requirement was added for the CMMC Ecosystem members to report adverse information to the CAICO. • A Provisional Instructor role was added to cover the transitional period that ends 18 months after the effective date of this rule. • A CCI requirement was added to clarify that a CCI must be certified at the same or higher level than the classes they are instructing. • A requirement for artifact retention was added to Level 1 self-assessments and Level 2 self-assessments. • The assessment requirements for ESPs have been reduced. • The definition of CSP has been narrowed and is now based on NIST SP 800-145 Sept 2011. • The assessment requirements for Security Protection Assets and Security Protection Data have been reduced. • References to FedRAMP equivalency have been tied to DoD policy. • Clarified the requirements for CSPs for an OSC seeking a CMMC Status of Level 3 (DIBCAC). • Clarified that DCMA DIBCAC has the authority to perform limited checks of compliance of assets that changed asset category or changed assessment requirements between the Level 2 and Level 3 certification assessment. • Clarification was added around the use of VDI clients. • Provided clarification to distinguish between Plan of Action & Milestones (POA&Ms) and operational plan of action. #cmmc

🚀 Are You Ready for CMMC 2.0? 🚀 Attention all defense contractors! 🌐 Our latest blog post dives deep into the "CMMC 2.0 Implementation Timeline and Requirements" you need to know. 🔍 Discover: - Key milestones and deadlines 📅 - Essential requirements for compliance ✅ - Tips to streamline your implementation process 🔧 Don't let the complexities of CMMC 2.0 overwhelm you! Stay ahead of the game and ensure your organization meets the new standards to protect sensitive data. 💪 👉 Click the link to read more and prepare your business for a secure future! https://hubs.la/Q02NSXh90 #Quzara #CMMC2 #Cybersecurity #DefenseContractors #Compliance #BlogPost #QuzaraBlog

Are you ready for CMMC 2.0? This article provides great insight into the CMMC and NIST 800-172 and how they are aligned as well as what you can expect if you are a DoD Contractor. Prevalent conducted a survey and found that there has been a 49% increase in third-party breaches year over year since 2021 and 61% of those surveyed have been negatively impacted by a third-party breach this year. Guidance and frameworks such as CMMC are definitely needed to assist organizations in safe0guarding themselves. These points alone make this article a great read!

CMMC v2 got you confused? Let me break it down clearly 👇 Every defense contractor handling Controlled Unclassified Information (CUI) will be impacted. If you’ve been nerding out with acronyms like CMMC, NIST, and DFARS, this one’s for you. Here’s what really matters in simplified terms: 1️. Levels Matter - CMMC verifies cyber compliance. But NOT all contractors need the same level of certification. - Level 1: For contracts with basic data (FCI) = 15 requirements. - Level 2: For CUI = 110 requirements. And if your prime contract needs Level 2 -> your subs will need it too. - Level 3: High bar, but applies to less than 1% of the defense industrial base (DIB). 2️. No Size Exception - Small business? Doesn’t matter.  - No exceptions based on size—implementations are required anyway. 3️. FedRAMP or No Ramp - Cloud service usage? FedRAMP Moderate = necessary when handling CUI.  - Think twice about accepting FedRAMP "equivalency". 4️. Scoping is EVERYTHING - Tightly scope your environment to control costs.  - Make sure CUI data only flows in/out of in-scope environments. 5️. Third-Party IS Your Rescuer - Outsourcing? Managed service providers (MSPs) could save you. - Pick a partner that truly specializes in CMMC. CMMC isn’t a guessing game anymore. Plan for Level 2 if you’re handling CUI data. You’ll thank me later. ☑️ Got questions? Ask away in the comments. 😎    ♻️ Repost this if you get it now! Many thanks to Jacob Horne and Scott Edwards at Summit 7 for the excellent webinar last week! 🎥

=============================================          BREAKING NEWS: NIST SP 800-171 Rev 3 Leaked ============================================= Okay, if you are trying to keep up with the status of NIST Special Publication (SP) 800-171 Revision 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," well it leaked. Links are below... Kudos to Joe Scholefield, CCP for figuring it out. Sorry Ron Ross & Victoria Yan Pillitteri--enquiring minds wanted to know. If you are in Defense Industrial Base (#DIB) and subject to DFARS Clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," you should do the following: 1. Continue to follow the "Class Deviation on Cybersecurity Standards for     Covered Contractor Information Systems" and stick to NIST SP 800-171     Rev 2 (c.f., https://lnkd.in/eY88rE47) 2. Add changes required to your security posture required under NIST SP     800-171 R3 to your Risk Registry 3. Add a POA&M entry to plan for and begin implementation of NIST SP     800-171 R3 Security Requirements 4. Go read the new revisions 5. IGNORE THE CMMC FUD STORM ABOUT TO KICK OFF. Call an Authorized     C3PAO for pragmatic guidance Okay, here are the links to NIST SP 800-171 Rev 3 and NIST SP 800-171A Rev3: - https://lnkd.in/eCsGFHQP - https://lnkd.in/eTaf9cfB ================================================= Peak InfoSec Homepage: https://peakinfosec.com As the CMMC Churns Episodes: https://lnkd.in/eVGYGs3g Contact Peak InfoSec for Support: https://lnkd.in/e8sM_2Z3 Email: [email protected] ================================================= #cuicon #cmmc #cmmc2 #32cfrpart2002 #32cfrpart170 #infosec #informationsecurity #compliance #cybersecurity #cui #fci #cmmcab #thecyberab #nist800171 #defenseindustry #defensecontractors #defensecontracting #grc #manufacturing #dfars #manufacturingindustry #dib #satellite #satellitecommunications #satellitesystems #managedserviceprovider #msp #managedsecurityservices #mssp #DoD #GovCon #governmentcontracting #SmallBusiness #contracts #contractors 

Working with US organizations (most likely DOD and related providers and partners) ? Most likely CMMC 2.0 requirements are on the table. "If You Need to Comply With CMMC 2.0, Here Is Your Complete CMMC Compliance Checklist" Your Complete CMMC Compliance Checklist 👇👇 Enjoy the reading ! Get the checklist: https://lnkd.in/g_pwA6Z2 #cybersecurity #compliance #CMMC #NIST #CUI #blog Some key acronyms I got from US related federal project management training : - POAM : Plan of action and milestones - CUI : Controlled Unclassified Information - FCI : Federal Contract Information - ATO : Authorization to operate - Award : Contract attribution to a provider Enjoy !

Are you ready? Given the complexity of the Cybersecurity Maturity Model Certification (CMMC) framework, it is essential for government contractors and subcontractors to have a comprehensive CMMC compliance checklist to ensure they meet all the requirements. The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help. This blog post explores the CMMC 2.0 compliance requirements, provides a comprehensive CMMC Compliance checklist, and offers Department of Defense (DoD) contractors practical insights into how they can achieve CMMC compliance. CMMC 2.0 Compliance Roadmap for DoD Contractors Read Now What Is CMMC Compliance? CMMC is a cybersecurity framework regulating manufacturing contractors serving in the Defense Industrial Base (Defense Industrial Base), an extensive list of DoD supply chain partners. 

CMMC Program Final Rule to be published on Tuesday, October 15th, 2024. Looks like DoD estimates ~8k contractors being assessed over the first 4 years. Of note: "Organizations Seeking Assessment (OSAs) satisfy the CMMC requirements needed for contract award by successfully meeting all 110 security requirements of NIST SP 800-171 R2 or by receiving a Conditional CMMC Status when achieving the minimum passing score of 80 percent and only including permittable NOT MET requirements as described in § 170.21 on the POA&M. All requirements that were scored “NOT MET” and placed on the POA&M must be remedied within 180 days of receiving their Conditional CMMC Status. " https://lnkd.in/gF-RtbHS