What does compliance with CMMC or other cybersecurity requirements have to do with ISO 9001? A lot. Compliance with CMMC requires organizations to have mature business processes and procedures to address and document things like: And there are more. Without a systematic way to create, review, approve, and consistently update Read more…
While most of us understand cloud services through the common NIST definition, the Cybersecurity Maturity Model Certification (CMMC) takes a notably different approach. This distinction can significantly impact defense contractors and their compliance requirements. Let’s explore this through a practical example: Imagine Quantum Naval Solutions, where employees can spin up Read more…
Many of us trust Google Authenticator to add a layer of security to our accounts. But, Google Authenticator has a serious security vulnerability which makes it unacceptable for CMMC compliance and dubious for general use. By default, Google Authenticator syncs your one-time codes to your Google account in the Cloud. Read more…
I just finished reading “Why Nations Fail” (2012) by Daron Acemoglu and James A. Robinson. I’m still processing its theory about why some nations prosper while others remain poor. The book presents a compelling framework that challenges traditional explanations based on geography, culture, or ethnicity. The authors begin with striking Read more…
Joe Spritzer’s construction company would like to start doing business with the DoD. The company has no cybersecurity policies or controls in place. Where does Joe start? The first thing is to understand the major players in the CMMC program: Organizations Seeking Assessment These are companies like Joe’s construction company Read more…
This week’s release of the first three post-quantum encryption standards by NIST—FIPS 203, 204, and 205—marks a significant step in securing data against the threat of quantum computing. These standards aim to protect encryption and digital signatures from quantum attacks, ensuring that sensitive data remains secure as technology evolves. Here Read more…
Bluetooth should be avoided on systems doing any kind of work for the Federal government – DoD or civilian. When tightening security for system access, it’s important to consider all vectors of attack—especially Bluetooth-enabled peripherals like keyboards, mice, earbuds, and other devices. Here’s why: CMMC Control AC.L1-3.1.1 (Access Control): This Read more…
It looks like a USB charging cable. And it is. But it’s more. What looks like a simple charging cable can actually be an advanced tool with a WiFi access point that can be used to take control of a computer and steal data. To make matters worse, standard intrusion and Read more…
For CMMC compliance, will DoD provide standardized templates for a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)? No. The DoD does not plan to create specific templates for compliance documentation, recognizing that each organization is unique. A “one-size-fits-all” template would not generally be helpful. DFARS 252.204-7012 Read more…
Under the CMMC program, prime contractors that are required to meet Level 2 standards for handling Controlled Unclassified Information (CUI) typically must obtain a Final Level 2 (C3PAO) certification assessment. However, in limited cases, the Department of Defense (DoD) may make a risk-based decision to allow self-assessments based on the specific nature of the work and Read more…