• Access Control Policy Primary Documents #cmmc #nist

    Working on the Saturday morning hack for “Access Control Policy in Plain English”





  • Going to the campus in New Haven for first time since March.

    Kinda want to skip work and spend 1000s at all the restaurants I have been missing.

    Life is hard in a takeout desert like East Haddam.


  • Maturation Monday: Why #CyberSecurity Must Begin In School

    Monday again folks. Time for my weekly call for your organizations to support the programs we have running with Concepts for Adaptive Learning.

    I believe in the maturation model included in the CMMC. I cringe when I hear SMEs (and there are 10–2 per webinar) say the practices are just NIST 800-171 controls. Another trope I can’t take is the idea that CMMC can’t be a maturation model since the landscapers and the plumbers who provide essential services to our bases will never climb past level one.

    Maturation matters.

    To this end I want to begin building cyber hygiene practices long before we complain about a workforce pipeline. We need to institutionalize the practices of good hygiene from home through high school.

    I believe the best way to begin is through a Domain of One’s Own. Give a kid their identity. Then model and mentor how we protect that which is most important. Us.

    Recently I have partnered with the Concepts for Adaptive Learning and we have brought in the following awards:

    • Ricker, J., McVerry, J. G., $120,000 (2020). Supporting a Tech4Teens Programming Manager. A 3 year funded project for external partner Concepts for Adaptive Learning. $120,000. Funded.

    • McVerry, J. G, Real, B & Ricker, J (2020). Digital Field Placements. Presidential Grant for Alternative Academic Delivery Digital Field Placements. $25,000. Davis Education Foundation. Funded.

    • McVerry, J. G. & Ricker, J. (2020) Tech4Teens Camp. $10,000 Funding for external partner Concepts for Adaptive Learning. Yale Community Foundation. Funded.

    We still need your help. If you or your organization is making a donation this holiday season please consider Concepts for Adaptive Learning. All of the money goes to support programs to increase Digital Literacy in the New Haven community. Your donations will help us provide free training and computers to families in need.

    As Connecticut schools shut down again and go fully remote parents and teachers have come to rely on Concepts for Adaptive Learning.

    Please Donate Today.

    Image Credit: “Amelia in Code” by donnierayjones is licensed under CC BY

  • Our CyberDI team had a wonderful meeting yesterday planning our #CMMC roll out.

    Yesterday we focused on the State of Connecticut. We work with each of our #HigherEd partner institutions to help protect the local DIB economy.

  • Looking all official we got our partnership badge from the CMMC-AB

  • We had a wonderful planning meeting around #cmmc yesterday and how we hope to leverage #HigherEducation and State Agencies to quickly scale and grow a culture around maturation.

  • I just RSVP’d yes to Cybersheath’s Cyber Con

  • Presenting on #CMMC at Connecticut Commission of Educational Technologies

    When I say we have to build the culture of #cybersecurity well before the workplace I mean it.

    I am excited to present on the #cmmc at today’s Connecticut Commission of Educational Technologies.

    Community is the curriculum (h/t David Cormier) when it comes to culture

    Agenda:

    • Connecting Students Outside of School and College
      ○ Home Connectivity
      ○ Community Wireless
      ○ Devices
    • Recommendations and Lessons Learned from Remote Learning
    • Media Literacy and Digital Citizenship Week Planning
    • Go Open CT (Open Education Resources)
    • Cybersecurity Maturity Model Certification

  • End of Cybersecurity Month

    Do I have a System Security Plan? Check! Do I have proof I do the stuff in my plan? Check! Do I have a Network Diagram? Check! Does the diagram reflect my Access Control Policy? Check! Can I tell this story?

    Answer these five questions and your journey to #compliance is almost complete. If you hesitate on a query, even for a second, every person, system, and network your company touches is not secure.

    Happy last day of #cybersecurity month. May your day be filled with treats and not tricks that rob our country blind.

    Image credit: Networked Pumpkin, licensed under CC BY-NC, a remix by jgmac1106 of “Halloween pumpkins” by jojo 77 (lnkd.in/evYKxhw), licensed under CC BY-NC, and “network spagetti” by versageek (lnkd.in/e7WK9n2), licensed under CC BY-SA

  • CMMC Maturation Level Begins at One. I think we should start at Grade One.


    I teach cybersecurity from kindergarten to Sikorsky. By the time we get to protecting the DIB we have lost decades of instilling practices of good cyber hygiene into students, so I propose starting the Maturation Model not at Level One, but in grade one.

    (This is my once-a-week ask to the CMMC community to support our free Tech 4 Teens camp.)

    Maturation Model and the CMMC

    The maturation model in the CMMC derives from the CMMI developed by SEI.

    The model focuses on “process institutionalization, which measures how ingrained the CMMC practices are within an organization” (Stewart and Hoover, 2020).

    Five maturity levels run from basic cyber hygiene to state-of-the-art real-time monitoring and response for mission-ready data. Organizations do need to grow, but people make up organizations, and we need to build a culture of cybersecurity in our K12 school systems. It all begins with a Domain of One’s Own (DoOO).

    If you do not own and shape your truth who will?

    Domain of One’s Own

    DoOO began as a way to put students in charge of learning spaces. You give them a domain, a bit of server space, and some basic tools like cPanel and see what happens. Trust me, a WordPress admin learns the importance of cybersecurity real quick.

    Gardner Campbell (2009) wrote about personal cyberinfrastructure and said students:

    would become, in myriad small but important ways, system administrators for their own digital lives. In short, students would build a personal cyberinfrastructure, one they would continue to modify and extend throughout their college career — and beyond. (A Personal Cyberinfrastructure)

    The CMMC maturation model will work more efficiently when everyday people come ready with a fault-tolerant culture and already know the importance of cybersecurity.

    I need your help and ask you support these efforts by donating to Tech 4 Teens camp.


    We established tech4teens during the COVID summer when students in New Haven had gotten little help in learning how to learn online. It grew out of a seven-year-old program I started called the Elm City Webmakers.

    Students bring a passion and get a blog. Then they get a taste of web design, photography, video editing, podcasting, and coding. After trying out all the flavors students go back to the buffet line and design their own dish.

    We go through a curriculum of tell your story, learn something, teach something, and then do something. During the do something module students develop a project to better themselves or the world while choosing one of the five tech pathways.

    As a volunteer I run the camp with Concepts for Adaptive Learning. We need you to donate. If you believe in the mission of cybersecurity and the CMMC, let’s begin by building the culture amongst our K12 students.

    All of our proceeds go to providing free computers and digital literacies training to families in New Haven. The COVID crisis showed us the pain of the digital divide. Please give whatever you can. The local school districts have run out of computers to give families. We fill this void. Donate Now.

    Image attribution: “Hacker” by Micah Sittig is licensed under CC BY

  • Did you get your CUI Shot

    Your #MondayMessage

    Remember folks, we pronounce #CUI as “C U I” not “cooey”.

    There is a very scientific reason for this. If we had to protect Cooey, all it would take would be saying, “Circle, Circle, Dot, Dot, now I have my cooey shot” and all #cybersecurity woes would be gone.

    There are too many auditors and assessors to feed for this to happen.

  • Split Realities of Department of Defense Cost Estimates for DFARS Interim Rules

    It’s not that the pricing regulations are made up. They are just set in a different reality. DFARS 252.204-7012 gave companies until December 2017 to be compliant with NIST 800-171.

    Therefore your #DFARS interim assessments should not be too cost prohibitive. You aren’t breaking the law and fibbing a bit on your SSP and POA&M, are you?

    …no, nobody would do that. Thus the day rate is set in that reality.

    Yet if that reality existed, then 7019, 7020, and 7021 and the #cmmc would not exist.

    I see the DOD perspective, “Why would we include covering your past fraud in our pricing models?”

    Still, in the reality we live in, many DIB companies who currently touch CUI have work to do for 7019, 7020, and 7021 compliance.

    The math scares me, and this is why I think we should look to states (kinda bad time, I know) to cover this important economic development cost.

    (I am no cybersecurity expert, my opinions do not reflect those of the CMMC-AB or the CMMC Training working group. You need to consult with real cybersecurity SMEs and lawyers. I am just a dude with a blog).

  • What is the impact of #cmmc on Connecticut Small Businesses?

    As the DFARS Interim rules go into effect, I got to thinking about how small businesses in the DIB will handle the required trainings, certifications, and assessments.

    So I did some digging through publicly available data here in Connecticut.

    650 or so companies share around 16-20 billion every year.

    Sounds like a lot of money. #cmmc is just gonna be cost of doing business, right?

    Yet when you dig deeper, only 300 companies had DoD awards of six figures or higher.

    Granted this does not include money from primes that flow down to the subs. Just companies listed on DoD contracts.

    United Technologies Corporation, Sikorsky Aircraft Corporation, and Electric Boat Corporation use the same companies, and those companies make up the lion’s share of DoD awards (EB alone uses 900 subs).

    I also did my data mining fast and may have missed some key awards…

    Still, if your DoD revenue is around six figures, #cmmc may be cost prohibitive.

    This is why I am advocating for three solutions:

    1. State budgets account for training and provide grants/loans and regional training centers.
    2. The DoD pick up the tab and do some training RFPs…We are talking pennies in terms of DoD spending but life or death for small businesses.
    3. Alignment with Higher Ed and workforce development.

    If you believe in #cybersecurity, everybody right now needs to find out the relevant committee chairs of their state legislatures and start sending emails and making phone calls.

    “Red and White” by Vaidas M is licensed under CC BY-NC-ND

  • Thinking About Flow Down/Up and the CMMC

    Allison Giddens on LinkedIn: #CMMC #manufacturer #CUI | 12 comments linkedin.com


    An important question around primes > subs > subs and flow down/up of #cmmc in the supply chain.

    Will you make the 4,577th podcast to explain it?

    IMO, a few things:

    1. I am already hitting up State Legislators in Connecticut to put up or shut up.

    Connecticut gets 16-20 billion a year in DoD contracts… Wanna help that number grow or shrink?

    Legislate and fund small business grants and consortia to help the economy stay compliant. Our entire economy revolves around two things: the Market and the DoD. #cybersecurity is important to both.

    2. In Connecticut we are going to start baking #cmmc into our undergraduate and graduate cybersecurity programs and establish regional centers to help the riveters of the world get the ML 3 that will be necessary to sub for a prime. I am giving a statewide presentation to the Governor’s commission in Nov.

    3. The DoD needs to start cranking out more training and compliance grants to be won at the state level. Cheap, > 1 million each… 50,000,000. DoD loses that in leaky toilets in a week.

    4. I am not on this WG, but this is where the actual metadata and the consumers of certification are critical. There are modern tools that could hash a cert even without distributed ledgers (blockchain shmockchain). Verification of levels with machine- and human-readable data is solvable.

  • Microcredentialing and Cybersecurity

    I have worked in #OpenBadges and #microcredentialing for years with folks like Doug Belshaw and @mozilla

    Yet I had not really seen as much uptake until I started working in #cybersecurity assessment and training.

    You see more verified achievements (mainly through Acclaim) than in any other industry (including education).

    Now that the EU has also adopted #cmmc, and given the number of private industries moving to the standard, it will be critically important to get the metadata and tooling correct.

  • Black Anvil LLC-NIST800-171-DoD Assessment Methodology.e drive.google.com


    Another great tool you can use for your #dfars self-assessment using NIST 800-171.

  • What does the DIB think of CMMC? Let’s discuss with them. - YouTube youtube.com


    Great perspective from the DIB on #cmmc in terms of proactive steps.

  • A Cloud’s Eye View Of Cyber VUCA In Age Of Rapid Change linkedin.com

    Great post on describing the tensions of #cybersecurity and the cloud

  • SPRS - Reference Material sprs.csd.disa.mil


    DoD has released some helpful guidance on the Supplier Performance Risk System, including the assessment methodology for NIST 800-171 to comply with the DFARS interim rules.

  • Protecting FCI and CUI

    (This post is a pre-publication draft of chapter two of a handbook Terry Lehman and I will publish on complying with DFARS Interim rule 252.204-7019, 7020 and 7021 while also preparing for a CMMC future. We welcome feedback and corrections.)

    Billions of bytes swiped at a time, and fights with adversaries and attacks allowed through broken systems. Alliteration aside, the state of our cybersecurity posture remains as weak as that lede. In fact, on June 22, 200 Mark Bradley, the Director of the National Archives Information Security Oversight Office, wrote the President of the United States and noted:

    Our Government’s ability to protect and share Classified National Security Information and Controlled Unclassified Information (CUI) continues to present serious challenges to our national security.

    Our efforts to protect critical information as it traveled through the DIB supply chain relied on “antiquated information security management practices,” and relying on a self report of meeting NIST 800-171 failed.

    The immediate adoption of the DFARS interim rules seeks to mitigate the risks Director Bradley highlighted in his report.

    The federal government has two options when rulemaking: a publicly reviewed rule, which takes longer to go into effect, or an interim rule, which goes into effect once the public comment period is over. The stakeholders involved in protecting our country from cyber attacks felt the protection of CUI was a matter of immediate national security. In fact, the DFARS Interim rule specifically applies to contractors who inherit or create CUI and not those who only handle FCI.

    Protecting Information: FCI and CUI

    As cyber attacks have increased, the United States Government has consistently stressed the need to protect two kinds of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

    The DFARS Interim rule only applies to companies who currently inherit CUI (meaning they receive it) or create CUI. Therefore federal contractors will find it essential to understand the difference between FCI and CUI.

    Federal Contract Information

    The FAR defines what it takes to get in business with the Executive Branch. The FAR and its cousin DFARS (the Defense supplement) get broken down into parts and labeled by a series of numbers. Federal Contract Information, for example, is defined in FAR 52.204-21.

    The Government defines federal contract information (FCI) as any information included in a contract not meant for public release. The expectations for FCI safeguards get described in “FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.”

    Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

    FAR 52.204-21 is often referred to in shorthand as FAR 21. The DFARS interim rules do not apply to DIB supply chain companies that only handle FCI. Yet a culture of good cyber hygiene begins with the basic safeguards required of any company handling FCI:

    • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
    • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
    • Verify and control/limit connections to and use of external information systems.
    • Control information posted or processed on publicly accessible information systems.
    • Identify information system users, processes acting on behalf of users, or devices.

    These five basic safeguards also map to the NIST SP 800-171 methodology, as do all fifteen of the CFR Safeguarding requirements:

    (add table of 15 cfr with corresponding NIST SP 800-171 Number)

    Identifying FCI is straightforward. First, it is not intended for public release. Second, FCI is generated by or for the government. So you can assume that if an artifact is not marked “intended for public release” it is FCI.

    What about your intellectual property? Great new software that will save the government billions when you sell it off for millions? Don’t worry. It is not FCI if it was not generated as part of a contract. That doesn’t mean you are free of legal obligations; some good ideas may have export control restrictions.

    So what is the difference between FCI and Controlled Unclassified Information (CUI)? Basically, FCI is information that is not shared with the public, while CUI must be legally safeguarded and is governed by other federal rules and regulations.

    Controlled Unclassified Information

    After continuous attacks on the DIB global supply chain, the President of the United States created Controlled Unclassified Information through Executive Order 13556. The goal of the order, like many intelligence efforts after 9/11, was to standardize and streamline the labeling and protecting of CUI across 100 different federal agencies and over 300,000 DIB organizations.

    Prior to the creation of CUI, agency practices had “resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.”

    The executive order defines CUI as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

    In the definition we can see some clear differences from FCI. While all CUI is technically FCI, CUI is a particular subset of data that must be (A) safeguarded and (B) includes information the government creates or possesses. FCI refers to information given out by the government, and CUI often refers to information within the government and authorized members of the DIB supply chain that requires additional protections based on current regulations.

    The executive order established the Information Security Oversight Office of the National Archives and Records Administration to create and maintain a CUI registry. If an artifact falls into one of the buckets of CUI identified in the registry then it is CUI.

    As a contractor you have five responsibilities in protecting CUI based on DoD Instruction 5200.48 Controlled Unclassified Information:

    1. Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
    2. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.
    3. DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
    4. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
    5. All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.

    As you complete a DFARS Interim rule self-assessment you can think about CUI as any data that some law, regulation, or policy says you must protect. So tax information? Yep, there are rules. It is CUI. Plans you received to develop a part for an engine? Once again rules exist, so it’s CUI.

    This has led the CUI registry published by NARA to have 24 categories and 83 subcategories. The registry is also a living document, and agencies or contractors can use a provisional label if they feel a new subcategory or category is needed. These labels can then be further broken down into Basic CUI and Specified CUI.

    Basic CUI

    According to the CUI Marking Guide version 1.1:

    CUI Basic is, as the name implies, the standard “flavor” of CUI. All of the rules of CUI apply to CUI Basic Categories and Subcategories, making the handling and marking of CUI Basic the simplest.

    Specified CUI

    CUI Specified is not a higher level; it is just different. Remember our first rule: CUI is any information covered by laws, regulations and policies. Some of these laws, such as export control laws, apply to CUI in the Defense Industrial Base.

    According to the CUI Marking Guide version 1.1:

    CUI Specified is different, since the requirements for how users must treat each type of information vary with each Category or Subcategory. This is because some Authorities have VERY specific requirements for how to handle the type of information they pertain to – requirements that simply would not make sense for the rest of CUI.

    How do you know if you have CUI Specified? If the contracting agency, law or regulation that governs your project has a place in the CUI Registry as a specified authority, you hold CUI Specified.

    We have included a revised version of the CUI marking guide in the appendix of this book.

    Controlled Technical Information

    The DoD also finds Controlled Technical Information (CTI), a special type of CUI, mission critical when it comes to protecting against cybersecurity threats. The DoD defines Controlled Technical Information as:

    Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination

    The presence of CTI may require CMMC maturation levels above three and additional protections.

    Do I need to protect CUI?

    Of course, silly. Protecting CUI is the entire goal of the CMMC efforts. Unprotected CUI costs billions if not trillions a year. Stolen CUI may even put our soldiers into the crosshairs of our enemies. The efforts to protect controlled unclassified information led to DoD launching DFARS 252.204-7012, which required contractors to apply the NIST 800-171 standards.

    When overwhelming evidence showed the self-reporting mechanisms, including SSPs and POA&Ms, did not get the job done, the DoD created the Cybersecurity Maturity Model Certification and will now require third-party assessors.

    CMMC does not fully kick off until 2025. This doesn’t mean DIB contractors can rest easy. The DoD updated DFARS with three new clauses building on DFARS 252.204-7012: 7019, 7020, and 7021.

    These rule changes will have an immediate effect on the DIB, and if companies do not want to lose contracts or have the Department of Justice haul them in front of a judge under the False Claims Act, they need to get ready.


    Department of Defense. (2020). DoD Instruction 5200.48, Controlled Unclassified Information (CUI). Retrieved October 19, 2020.

    Casey, D. (2020). FCI and CUI, what is the difference? CUI Program Blog. Retrieved October 19, 2020, from isoo.blogs.archives.gov/2020/06/1…

    NARA. (2016). Marking Controlled Unclassified Information - CUI Handbook. V1-1-20190524. Washington, D.C.

  • Sample Workbook Page from our DFARS Interim

    This is an example page from the workbook Terry Lehman and I are writing as a handbook for the DFARS Interim rules.

    Like always this work has a Creative Commons BY-SA license. Feel free to use it in any way as long as you share the love.

    Access Control

    In many ways good cyber hygiene begins and ends with Access Control. A company must create a culture of cybersecurity and continuous improvement, and this begins by developing the practices and processes to limit and protect FCI and CUI. According to the CMMC, Access Control activities:

    ensure that access granted to organizational systems and information is commensurate with defined access requirements. Access requirements are developed based on the organization’s needs balanced with the security requirements needed to protect the organization’s assets.


    Overall, focusing on access control provides the greatest return on investment for organizations looking to harden cybersecurity. Thus the Department of Defense (DoD) requires Observable Evidence (OE) of Access Control policies for companies who interact with Federal Contract Information.

    Therefore the rules of the road get defined by “Basic Safeguarding of Contractor Information Systems” (48 CFR 52.204-21, often referred to as simply “21”). If a company has access to either inherited or created CUI, Access Control is not enough, but it is essential to all cybersecurity efforts.

    The DFARS Interim assessment guide includes 22 controls pulled from 48 CFR 52.204-21 and NIST 800-171 for Access Control.

    Connection to the CMMC

    Access control practices get introduced in Maturation Level 1 and build up four capabilities as processes get institutionalized:

    1. Establish system access requirements
    2. Control internal system access
    3. Control remote system access
    4. Limit data access to authorized users and processes

    3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)


    This control, like all of the requirements fundamental to the NIST SP 800-171 ‘Basic Security Requirements’, remains so critical to cybersecurity that if it is not implemented you must subtract five points from the maximum score of 110. Basically, if a company does not limit access to secure systems and data, almost all other cybersecurity measures get rendered moot.

    Connection to the CMMC

    NIST 800-171 AC 3.1.1 gets reflected in the CMMC as Maturation Level 1 practice AC 1.001 and builds to the capability of establishing system access requirements.

    NIST 800-171 AC 3.1.1 is also the first of the 15 CFR Safeguarding Requirements. Access control should lead to a culture where users and employees get access to only the information systems they need to complete their job.

    Goals of Self-Assessment

    As you complete your DFARS Interim rule self-assessment you want to ensure you determine how you identify users. You also need to note how you determine what processes are being run by users. Your System Security Plan needs to detail how access by devices and users is limited to only those with authorization.

    Where to Look

    ☑ Access Control Policy

    ☑ Account Management Procedures

    ☑ System Security Plan

    ☑ System Monitoring Records

    ☑ etc

    Your Observable Evidence

    Who to Talk To

    ☑ Personnel with account management responsibilities

    ☑ System administrators

    ☑ Network Administrators

    ☑ Personnel with security responsibilities

    Your Observable Evidence

    What to Test

    ☑ Account management mechanisms

    ☑ System account managing processes

    Your Observable Evidence

    DFARS NIST 800-171 Score _______

    Information, if needed, for the POA&M

  • Good to see the impact CMMC may have in protecting other government and public supply chains: www.meritalk.com/articles/…

    “Lock Up The Forest” by cogdogblog is licensed under CC0


All content, unless otherwise noted, is licensed with a CC-BY-SA https://creativecommons.org/licenses/by-sa/4.0/