CMMC compliance requires use of FedRAMP® Moderate authorized services and FIPS 140-2 encryption in many situations. But what does that mean? Neither term is common in the commercial space. FedRAMP® and FIPS 140-2 play vital roles in securing contractor information systems. But they serve different purposes. Let’s demystify these frameworks Read more…
Navigating CMMC compliance requirements can feel overwhelming—especially for small to medium-sized defense contractors. One of the most critical and misunderstood components of CMMC is the System Security Plan (SSP). Many people ask: “How many documents do we need to be CMMC-compliant?” The answer may surprise you: technically, you need only Read more…
What does compliance with CMMC or other cybersecurity requirements have to do with ISO 9001? A lot. Compliance with CMMC requires organizations to have mature business processes and procedures to address and document things like: And there are more. Without a systematic way to create, review, approve, and consistently update Read more…
While most of us understand cloud services through the common NIST definition, the Cybersecurity Maturity Model Certification (CMMC) takes a notably different approach. This distinction can significantly impact defense contractors and their compliance requirements. Let’s explore this through a practical example: Imagine Quantum Naval Solutions, where employees can spin up Read more…
Many of us trust Google Authenticator to add a layer of security to our accounts. But, Google Authenticator has a serious security vulnerability which makes it unacceptable for CMMC compliance and dubious for general use. By default, Google Authenticator syncs your one-time codes to your Google account in the Cloud. Read more…
I just finished reading “Why Nations Fail” (2012) by Daron Acemoglu and James A. Robinson. I’m still processing its theory about why some nations prosper while others remain poor. The book presents a compelling framework that challenges traditional explanations based on geography, culture, or ethnicity. The authors begin with striking Read more…
Joe Spritzer’s construction company would like to start doing business with the DoD. The company has no cybersecurity policies or controls in place. Where does Joe start? The first thing is to understand the major players in the CMMC program: Organizations Seeking Assessment These are companies like Joe’s construction company Read more…
This week’s release of the first three post-quantum encryption standards by NIST—FIPS 203, 204, and 205—marks a significant step in securing data against the threat of quantum computing. These standards aim to protect encryption and digital signatures from quantum attacks, ensuring that sensitive data remains secure as technology evolves. Here Read more…
Bluetooth should be avoided on systems doing any kind of work for the Federal government – DoD or civilian. When tightening security for system access, it’s important to consider all vectors of attack—especially Bluetooth-enabled peripherals like keyboards, mice, earbuds, and other devices. Here’s why: CMMC Control AC.L1-3.1.1 (Access Control): This Read more…
It looks like a USB charging cable. And it is. But it’s more. What looks like a simple charging cable can actually be an advanced tool with a WiFi access point that can be used to take control of a computer and steal data. To make matters worse, standard intrusion and Read more…