David Longenecker

Ok - Moving past the MS 0365GCCH 'in process' thing --- Regarding the DoD Memorandum on FedRAMP Moderate Equivalency requirements. I am actually a FAN - it is providing CSPs like Egnyte to get over the FedRAMP ATO / JAB P-ATO choke-point hurdle. We have been languishing in the FedRAMP either ever since attaining 'Ready Status' last year. The current FedRAMP program is obviously broken, thus the DoD Memo. We are "in process" with building out the newly defined BoE requirements with the aid of a FedRAMP recognized 3PAO, and will be successful in executing on this and providing our clients with this BoE going forward. That all said, in the Memorandum is this statement: 'The DIBCAC will review the CSP's BoE asserting to the FedRAMP Equivalency, with the CSP required to have an Annual Assessment conducted by a 3PAO validating compliance with DFARS 252.204-7012 AND 252.204-7020". Unpacking this - 1) We are wondering how the DIBCAC will handle the "review and assertion" thing? 2) We understand compliance to the 7012, but what is compliance to the 7020 all about for a CSP offering CSO's that have already met the above? This makes zero sense to me at first look. Thoughts?

3

CMMC Level 2 Assessment Objective: Network Communication by Exception PRACTICE: Organizations must deny network communications traffic by default and allow network communications traffic by exception. ASSESSMENT: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed. Be prepared! Your assessor could ask to 🔍 EXAMINE system and communications protection policy. 🗣 INTERVIEW system or network administrators. 📝 TEST mechanisms implementing traffic management at managed interfaces. (CMMC Assessment Guide: Level 2 Version 2.11, page 218) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

43

Tropical threat looms for Belize as National Hurricane Center monitors developing system https://lnkd.in/gXAdCVay

1

There are several items that are missed on any data security audit. One is the Cybersecurity Risk Management Plan and Assessment. Typically found in only 1% of audits. An Incident Response Plan. Found less than 1% of the time. But almost never found are Data Flow Diagrams. With over 50% of the organization's data on the cloud, without the data flows completed, no one, yes no one in the organization knows where all the PII, PHI, PFI, PCI and other critical data is located. It takes about a month to complete all the data flows for an organization since all the department heads need to share their knowledge. When complete, these secure documents will allow the organization's leaders to strategize how they will protect their data. Without the data flows, many segments of the organization's data are not properly managed or protected. The organization will not have a backup plan if access to these systems is lost. So ID.AM.03 of the NIST Core V2 is a critical data security control. Please download the CSF and do the work that needs to be done to protect your organization.

10

🚨 Attention, Defense Contractors: Don't Let CMMC Compliance Become Your Financial Grim Reaper! ⚰️💸 Picture this: You’re sitting in your office, coffee in hand, feeling like the king (or queen) of the world. But wait—what’s this? Your CMMC compliance is as neglected as that gym membership you keep meaning to use! 😱 Now, let’s break it down with a little humor: 1. The “Lost Revenue” Fiasco Imagine waking up one morning and finding out you just lost a contract worth $1 million because your compliance paperwork is still gathering dust on your desk. That’s like finding out your favorite restaurant is permanently closed. *Cue the tears!* 🍔😭 2. Opportunity Costs Not renewing your contracts due to non-compliance is like getting kicked out of an all-you-can-eat buffet. You’re watching everyone else feast on lucrative contracts while you’re stuck at home munching on stale crackers. “Thanks for nothing, CMMC!” 🙄🍪 3. Operation: Expensive Fix Now you’re scrambling to get compliant and it’s going to cost you! You’ll need to hire consultants, upgrade your tech, and maybe even buy a crystal ball to predict your next move. That’s right; we’re talking tens of thousands of dollars. I hope you saved that last slice of pizza for dinner, because it’s going to be a rough month! 🍕💰 4. Insurance Premium Shock You think you’re saving money by not being compliant? Think again! Your cyber insurance costs just skyrocketed, and now it’s more expensive than your coffee addiction. Remember, a compliant organization is a happy (and cheaper) organization! ☕📈 5. The Reputation Rollercoaster Let’s not forget the reputational hit. Losing a significant contract because of non-compliance is like getting caught in your pajamas during a Zoom meeting. Awkward, embarrassing, and now you’re the talk of the office. “Did you hear about the company that couldn’t get compliant?” 😳🎤 Final Thoughts If your organization isn’t taking CMMC compliance seriously, you might as well light your money on fire and roast marshmallows over the flames! 🔥🍫 So, let’s avoid the contract chaos and get compliant! Here’s to a future filled with contracts and fewer financial nightmares! 🥳💼 #CMMC #Cybersecurity #Compliance #BusinessHumor #FinancialWisdom #LaughAndLearn

7

I hope everyone is having a good Friday. Time for some Sa(a)S. We're continuing the CMMC series with a more detailed breakdown of the 3 levels. The full post can be seen here: https://lnkd.in/g-DCGGi2 For a quick summary, all 3 levels are from NIST SP 800 171 (and 172 for level 3), so it's at least not completely new standards. And why the standards are still in the rule-making process, we have a good idea what the final requirements will be. Level 1 will have 17 requirements and is intended for the least sensitive DoD contracts. This certification will be based off of a self assessment. Level 2 has a big jump to 110 total requirements as more national security implications are expected with the associated contracts. This is expected to be the most common level, and in most cases will require a 3rd party assessment every 3 years with an annual self assessment. Level 3 is for the most sensitive contracts that don't involve classified (or greater) designations and will add up to an additional 35 requirements above level two. For this, companies will need to have Federal officials perform the assessment every three years. Please reach out with any questions and have a great weekend! #cmmc #cybersecurity #securityawareness

8