• Big Announcement

    The DIB CS Program is OPEN for new companies. The outreach and onboarding functions have transitioned to DC3.

    DIB Companies, with or without an FCL, working with CUI, can apply at DC3.DIB.CSRegistration@us.af.mil

  • CyberDI's Customizable CMMC and Export Control Curriculum

    Proud to announce CyberDI’s Awareness and Training Programs to meet your CMMC requirements and improve a culture of security

    CyberDI Awareness and Training Program

  • CMMC Tool Sets

  • CMMC, Backups, and FedRAMP

    Why do backups live in the Media Protection family?

    Ransomware threatens your business every day, and backups help to inoculate your systems. Why do backups get such a small mention in NIST.SP.800-171r2?

    NIST explains in NIST-SP-800-171r2 that they pulled “CP-9, System Backup” into the Media Protection family because the Contingency Planning family did not get included in 800-171’s requirement set.

    The Government does not care about your disaster recovery and contingency planning. NIST-SP-800-171 protects the confidentiality of the customer’s data; it does not keep your business afloat.

    Backups and CUI

    CUI is still designated as CUI even when encrypted. Encryption, when it is a FIPS Validated implementation, is sufficient protection of the CUI when outside of the organization's physical or digital control boundaries.

    resource: dodcio.defense.gov/Portals/0…

    Q8. Is encrypted CUI still considered to be CUI?

    A8. In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) may be accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled.

    171 Requirements

    Only one requirement explicitly mentions backups, “3.8.9 — Protect the confidentiality of backup CUI at storage locations.”

    Organizations can rely on FIPS encryption and employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information if the backups store, process, or transmit CUI.

    NIST guidance calls out protecting system-level and user-level information. “Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.”

    171 Requirements about securing media used for backups

    While only one explicit requirement for protecting backups exists, other 171 requirements apply to the media you use for backups.

    • 3.8.1 — Protect system media containing CUI (paper and digital).

    • 3.8.2 — Limit access to CUI on system media to authorized users.

    • 3.8.3 — Sanitize or destroy media containing CUI before disposal or reuse.

    • 3.8.4 — Mark media containing CUI with appropriate markings.

    • 3.8.5 — Control access/accountability for media during transport outside controlled areas.

    • 3.8.6 — Use cryptographic mechanisms to protect CUI on digital media during transport (unless physically safeguarded).

    • 3.8.7 — Control the use of removable media on system components.

    • 3.8.8 — Prohibit portable storage devices with no identifiable owner.

    171 Requirements for securing backup data

    Other security requirements require you to protect the data often contained in a backup:

    • 3.13.8 — Protect CUI from unauthorized disclosure during transmission

    • 3.13.10 — Establish and manage cryptographic keys

    • 3.13.11 — Use FIPS-validated cryptography when protecting CUI confidentiality

    • 3.13.16 — Protect the confidentiality of CUI at rest

    Scoping Your Backups

    For a CMMC assessment you only need to worry about backing up your CUI environments. You 100% as a business should have disaster recovery and contingency plans. Well deployed and tested backup systems prevent ransomware. Outside of MFA, investing in backups provides some of the greatest security for a company.

    Do you use cloud backups? If you deploy cloud backups, and these include CUI environments, do you need to choose a FedRAMP authorized or equivalent service? Is a cloud backup provider outside of your boundary control? Can you then encrypt backups and store that cipher text at rest?

    For most CUI, if you encrypt your backups with validated FIPS encryption before going to the cloud that is sufficient. No FedRAMP needed. But…for Specified CUI like ITAR/Export controlled, there are some restrictions on what clouds or countries it can be stored in, even in encrypted form. Vendors may require you to choose their FedRAMP solution regardless of your data sovereignty requirements.

    Choosing a FedRAMP authorized solution usually carries much higher costs. Many cloud providers do not offer a FedRAMP service, but they may license software to run on prem.

    Can you segment off your CUI backups? Many vendors include backup as part of their product solution. Maybe you have a cloud backup solution for out of boundary assets and a different solution for your CUI enclave.

    You have alternatives to using FedRAMP cloud-based solutions. Just make sure to properly scope your backups of CUI environments, but choosing FedRAMP authorized cloud backups will be accepted by an assessor.
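    The scoping questions above can be run as a check over a backup inventory. The following is an added example, not part of the original post: the `BackupCopy` fields, the status names and the sample inventory are assumptions made for illustration, and whether a module is FIPS validated or a provider FedRAMP authorized is an input you record, not something the script verifies. It also covers the 3-2-1 rule mentioned later in the post.

```python
from dataclasses import dataclass


@dataclass
class BackupCopy:
    """One stored copy of a backup set. All field names are assumptions for this example."""
    name: str
    contains_cui: bool                    # source environment stores/processes/transmits CUI
    media: str                            # "cloud", "hard_drive", "tape", ...
    offsite: bool = False
    outside_boundary: bool = False        # leaves the org's physical/digital control boundary
    fips_encrypted: bool = False          # encrypted with a FIPS-validated module before storage
    physically_safeguarded: bool = False  # alternative physical control (locked room, safe)
    fedramp_authorized: bool = False      # provider is FedRAMP authorized or equivalent
    specified_cui: bool = False           # e.g. ITAR / export controlled


def assess_copy(c: BackupCopy):
    """Return (status, reasons); status is OUT_OF_SCOPE, OK, REVIEW or GAP."""
    if not c.contains_cui:
        return "OUT_OF_SCOPE", ["no CUI: not part of the CMMC assessment, still a DR concern"]

    status, reasons = "OK", []
    if c.outside_boundary:
        if c.fedramp_authorized:
            reasons.append("stored with a FedRAMP authorized (or equivalent) service")
        elif c.fips_encrypted:
            reasons.append("only FIPS-validated ciphertext leaves the boundary")
        else:
            status = "GAP"
            reasons.append("3.8.9/3.13.11: CUI leaves the boundary without FIPS-validated "
                           "encryption and the provider is not FedRAMP authorized")
        # Specified CUI can carry cloud/country limits even for ciphertext.
        if c.specified_cui and status == "OK":
            status = "REVIEW"
            reasons.append("Specified CUI: confirm cloud/country restrictions, "
                           "which apply even to encrypted copies")
    elif c.fips_encrypted or c.physically_safeguarded:
        reasons.append("3.8.9: protected at the storage location")
    else:
        status = "GAP"
        reasons.append("3.8.9: no cryptographic or physical protection at rest")
    return status, reasons


def unmet_321(copies):
    """Return the parts of the 3-2-1 rule that a set of copies does not meet."""
    unmet = []
    if len(copies) < 3:
        unmet.append("three copies")
    if len({c.media for c in copies}) < 2:
        unmet.append("two media types")
    if not any(c.offsite for c in copies):
        unmet.append("one off-site copy")
    return unmet


# Constructed sample inventory (not from the original post).
INVENTORY = [
    BackupCopy("cui-enclave-nas", True, "hard_drive", physically_safeguarded=True),
    BackupCopy("cui-enclave-cloud", True, "cloud", offsite=True, outside_boundary=True,
               fips_encrypted=True),
    BackupCopy("itar-drawings-cloud", True, "cloud", offsite=True, outside_boundary=True,
               fips_encrypted=True, specified_cui=True),
    BackupCopy("cui-laptop-sync", True, "cloud", offsite=True, outside_boundary=True),
    BackupCopy("marketing-share-cloud", False, "cloud", offsite=True, outside_boundary=True),
]


def report(inventory):
    """Map each copy name to its status."""
    return {c.name: assess_copy(c)[0] for c in inventory}


if __name__ == "__main__":
    for copy in INVENTORY:
        status, reasons = assess_copy(copy)
        print(f"{copy.name:24} {status:13} {'; '.join(reasons)}")
    print("3-2-1 gaps for the enclave set:", unmet_321(INVENTORY[:2]) or "none")
```

    A GAP or REVIEW line is a prompt to fix the copy or document the decision in the System Security Plan before an assessor asks about it.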

    Back Up Best Practices

    Even though CMMC does not require a backup or contingency plan, you may want to take the opportunity to ensure you follow best practices.

    You need to develop a back up policy:

    Auto-generated description: A detailed backup policy infographic outlines eight steps, including defining recovery objectives, deciding on media, encryption requirements, security, regulatory references, lifecycle management, recovery procedures, and testing procedures.

    You need to develop a back up plan:

    Auto-generated description: A flowchart provides a comprehensive guide on planning data backups, covering file identification, risk evaluation, network mapping, and policy development.

    Utilize a 3-2-1 Back Up solution

    Auto-generated description: A 3-2-1 backup strategy infographic details keeping three copies of files on two types of media, with one off-site, emphasizing file identification and emergency readiness.

    Consider the implications of Cloud Back Ups

    Auto-generated description: A guide for evaluating cloud backups, highlighting risks, encryption, phishing-resistant MFA, least privilege, and the importance of updates and testing.

    Make sure to protect your chosen Media types

    Auto-generated description: A comparison chart details the pros, cons, and security features of cloud, hard drive, and removable media types, including external hard drives, flash drives, optical media, and magnetic tape.

    You need to protect your backups

    Auto-generated description: An infographic titled Protect Backups details strategies for reducing data loss risks, listing key areas such as risks, solutions, steps, and the importance of practice drills and patch management.

    Finally you need to test your back ups

    Auto-generated description: A diagram titled Backup Recovery outlines the importance of testing, training, and exercises with a focus on confidentiality, integrity, and availability.

    Creating Disaster Recovery and Contingency Plans

    You do not need to worry about disaster recovery for CMMC compliance. You do, however, need to worry about good backups if you care about the security of your company. Utilize the momentum of CMMC to develop and test your disaster recovery. As you do, document evidence for your System Security Plan.

    Auto-generated description: A circular graphic features an image of network cables and connectors, overlaid with an icon of servers connecting to a cloud, accompanied by the text Good Back Ups 21st Century Victory Gardens.

  • AI For Security, Security For AI

    A good intro to the risks, challenges, and opportunities

  • Many people are confused by the Cross tenant collaboration and the new Microsoft UX:

    gcch-m365-webinar-connect-collaborate-create-june-2025-complete.pdf

  • Adding sensitivity labels to SharePoint: learn.microsoft.com/en-us/pur…

    Unlabeled files continue to be protected with current SharePoint permissions for the user, even though the files have left the original SharePoint boundary.

    COOL!

  • Adding cross posting to Blue Sky

  • People keep asking, “What they can do?”

    How can they help?

    If you are a small business owner, one of the best things you can do is make sure you have a good backup and recovery plan.

    Good back ups are the Victory Gardens of the 21st Century

  • Many companies are now hearing more and more about Multi-Factor Authentication. In fact for most small businesses you can no longer get insurance, let alone cyber coverage, without ensuring MFA gets used for all sensitive data.

    Really, if you can turn on Multi-Factor Authentication, you should.

    MFA

  • Certified CMMC Assessor: Spinning the Wheels of Trust in Much Bigger Systems

    Certified CMMC Assessors click into place as just another cog in a much larger system that already exists.

    Every objective that a CCA examines must already be legally met by the Organization Seeking Certification. CMMC introduced no new requirements on Federal contractors. When people complain about the cost of CMMC, they often do not mean the actual assessment but refer more to meeting the requirements a CMMC assessment measures.

    After the continued exfiltration of data and failed self-assessments, a third-party validation of the system security plan was added to increase the trustworthiness of systems designed to process, store, and transmit Controlled Unclassified Information.

    According to NIST a system is a series of elements or components that together have a shared identity working towards a goal within the constraints of a specific environment and the requirements of the outcome.

    Organizations Seeking Certification engineer security into their systems through systems security engineering. Originally the Government placed trust in organizations seeking certification. However, recent evidence calls into doubt the trustworthiness of self-reporting. The lack of trust in System Security Plans in turn casts doubt on the trustworthiness of the overall security engineered into a system.

    So through CMMC a third party assessment was added to assess trustworthiness and increase trust in the supply chain.

    Trust and Trustworthiness

    A CCA serves as the verification and validation method to assure with confidence that federal contractors protect the confidentiality of Controlled Unclassified Information. A CCA verifies the trustworthiness of the evidence an organization seeking certification includes in their System Security Plan. You validate that their tests to ensure the trustworthiness of their systems proves the Organization Seeking Certification

    Trust is a belief that an entity meets certain expectations and can be relied upon. The terms "belief" and "can" imply that trust may be granted to an entity whether the entity is trustworthy or not. A trustworthy entity is one for which sufficient evidence exists to support its claimed trustworthiness.

    Verification and Validation of the System Security Plan

    As a Certified CMMC Assessor you verify and validate that an Organization Seeking Certification meets the security requirements of NIST-SP-800-171. In order for a System Security Plan to be trustworthy, the OSC must have a demonstrated ability to satisfy expectations of protecting Controlled Unclassified Information.

    Since trustworthiness is something demonstrated, you verify and validate the evidence that supports a claim or judgment of the CMMC practices being met.

    As a Certified CMMC Assessor you also serve a dual role of trust. As a trained assessor the Government can put trust in your assessment. As a Certified assessor the Organization Seeking Certification can trust your credentials. Trust is a value judgment based on authority and evidence.

    In terms of the Cybersecurity Maturity Model Certification program, this means you examine the SSP and validate each CMMC practice to ensure there is sufficient evidence of trustworthiness in the claims being made by the Organization Seeking Certification.

    A CCA validates the trustworthiness of each claim an Organization Seeking Certification makes about meeting the security requirements assessment of NIST-SP-800-171 to protect the confidentiality of Controlled Unclassified Information.

    This means the verification and validation of each assessment objective. As an assessor you have to make sure the evidence is sufficient and adequate enough to ensure that each of the 110 security requirements has enough depth and breadth that the claims made in the System Security Plan can be trusted.

    Your role in the system is to increase the assurance that the Nation’s Controlled Unclassified Information gets protected. According to NIST,

    Assurance is a complex and multi-dimensional property of the system that builds over time. Assurance must be planned, established, and maintained in alignment with the system throughout the system life cycle.

    In your roles of dual trust as a CCA you help to build assurances in the overall supply chain system. You also verify the evidence an OSC includes in a System Security Plan and validate how an organization establishes the trustworthiness of these claims in the trustworthy context.

    Trustworthy Context

    The trustworthiness context involves decision making and evidence based demonstrations that a system security plan can be trusted to protect the confidentiality of Controlled Unclassified Information. The Organization documents how they develop and maintain their assurances of meeting the security requirements of NIST-SP-800-171 and how they demonstrate how the assurance is satisfied. A CMMC Certified Assessor verifies and validates the System Security Plan as a decision-making context.

    When the Organization Seeking Certification writes how they meet the security requirements of each NIST-SP-800-171 objective they create an assurance case. This demonstrates how they cover the objective with enough depth and breadth to ensure we can trust the assurance case.

    As a CCA you will verify and validate the evidence in System Security Plans of varying quality. An effective SSP acts as an assurance case playbook. First a claim is derived from security objectives. Then the OSC connects to and documents credible and relevant evidence that substantiates the claims. Often the evidence gets validated through ongoing testing and good system development life cycle practices. Basically: say what you do, explain how you do it, and prove it gets done. Have an assurance case for every assessment objective.

    Organizations with strong cyber hygiene present a compelling assurance case for all 325 objectives in NIST-SP-800-171. The result provides a statement that adequate security has been achieved, driven by stakeholder needs and expectations. Strong Systems Security Engineering helps to strengthen security and reduce the effort on validating and verifying assurance cases.

  • Hanging at Converge Security and learning about Conway’s Law at the Keynote address

  • Developing a Rubric to Assess Policies and Procedures for CMMC Compliance

    People panic when it comes to policy and procedures and CMMC. Rightfully so. Compliance with NIST-SP-800-171 at a minimum requires fourteen different policies and fourteen different procedures. Probably more. In fact NIST recommends 39 different plans, policies, and procedures for 171 compliance.

    While policy and procedures are not explicitly assessed by CMMC practices, a majority of assessment artifacts imply the need for policy and procedures through explicit mention of document-based specifications.

    Yet few people write policy and procedures. Even fewer do it well.

    To help you in creating compliant policy I have developed a series of “self-assessment” checklists for each Domain of CMMC.

    Why Policy

    Policy defines the governance of the systems you engineer to protect the confidentiality of Controlled Unclassified Information. Let us examine configuration management.

    Overall, configuration management policy communicates senior management’s expectations to the company. A good policy, regardless of domain, must have specific, measurable, and confirmable objectives. Policies provide a top-down approach to define what is required and what is not permitted with configuration management.

    While policy defines the objectives for what must get done, procedures describe how the policy objectives get met through specific actions and results. Configuration Management procedures describe the methodology and tasks for each activity that supports implementation of Configuration Management policy.

    As a company meeting CMMC requirements you should document your configuration management policy and procedures during your planning phase. In fact NIST-SP-800-171 requires you to regularly review all policies and procedures.

    What makes a Good Configuration Management Policy

    You can not check CMMC Assessment guides for help with writing configuration management. You will not find your answers in NIST-SP-800-171, but 171 will tell you where to look.

    In the back of NIST-SP-800-171 you will find Appendix E. This lists all the security controls the government assumes you do or controls they assume only apply to the federal government. These controls came from NIST-SP-800-53.

    The very first base control of every family in NIST-SP-800-53 is policy and procedures. If you look at NIST-SP-800-53a you can find a list of requirements for compliant policy. This provides a wonderful tool for you to assess your current policy.

    As a tool however it is hard to read.

    Why A Configuration Management Policy Rubric

    Self-assessment works in improving technical writing skills. We know from decades of research that these metacognitive, or thinking about thinking, guides help to improve outcomes.

    To design these rubrics I went through the objectives of each Policy and Procedure for each Family in NIST-SP-800-53. This information is required but not assessed for NIST-SP-800-171 nor assessed for CMMC but required evidence for a CMMC assessment.

    Organization Defined Parameters

    In order to be technology agnostic and provide a more holistic approach, NIST rarely defines rules around roles, events, and frequencies. Instead your policy and procedures must have clear organization defined parameters that get enforced in policy and procedures.

    In NIST-SP-800-53a these ODPs get explicitly defined and displayed in a table with the requirements but off set with grey shading. These requirements are just NFOd in NIST-SP-800-171.

    The Requirements in NIST-SP-800-53a then spell out what should go into each policy

    screenshot of first page of CM1 in NIST-SP-800-53

    I tried to take this information and turn it into a checklist a company can use to evaluate their configuration management policy.

    Check out the checklist

  • Can you Engineer Culture in your Systems?

    As we try to create online communities focused on open learning we have to recognize the troubled history open source has had with diversity, equity, and inclusion. Some bias is implicit due to systematic discrimination. You need to be well off to work for free.

    Often though we have seen countless explicit attacks such as Gamergate or even death threats against those doing Open Source Intelligence work to fight right wing extremism online. Before you can even begin to create an online community focused on open learning you need trust.

    For many we never engineered safety into the online communities we create and curate.

    Systems Security Engineering Approach to Culture

    Creating a Community as Your Curriculum (Cormier, 2008) takes a systems approach to engineering trustworthiness into the spaces you design. You can also think about your classroom culture, and the overall culture of your school, as a system. In fact, our educational system is nested within this much larger system that many parents and students do not rightfully trust. By choosing a framework to develop an innovative and healthy online community you in turn reduce the threats to the members of your group that will do the learning work. You also help build a better world.

    Once a framework is chosen systems engineering requires a set of iterative steps.

    Collect baseline data
    Identify goal you will engineer
    Acknowledge and identify blockers and variables of interest
    Develop a solution to address the goal without negatively impacting other systems
    Monitor the progress. Evaluate variable of interest.
    Iterate on the process
    

    When engineering for community we all have to recognize the cultural importance of safety. When trying to increase the overall hygiene of online communities you curate, and thus engineer better trust in your system, you must first focus on the trust of potential and existing community members.

    Dr. Kimberly Young-McLear, who won the 2017 Captain Niels P. Thomsen Innovation Award for “Cultural Change for leveraging social media for large-scale disaster response,” has created the framework for a healthy and innovative workplace.

    Psychological Safety

    Psychological safety is paramount to good community culture. Dr. Young-McLear defines psychological safety as, “a service culture where all members have the confidence to serve as their authentic selves where self-knowledge, initiative, creativity, and self-empowerment are rewarded in an environment of interpersonal risk-taking.”

    The Internet has not always been a welcoming place as demonstrated in current news stories about harassment and stalking. Unrepresented populations need to feel safe in your community no matter their role. Online spaces improve when systematically marginalized groups of people share their perspectives and contribute to organizational solutions without fear of marginalization, retaliation, bullying, or discrimination. This can not happen without psychological safety.

    The model Dr. Young-McLear created integrates survivors of sexual assault, harassment, and racism. Marginalized groups are often ignored or for reporting incidents of abuse. The Web reflects our reality. The internet has never been a safe place for all. We must all work to create places, online and in person, where everyone feels safe and valued. This will increase the trustworthiness you engineer into your online community.

    Moral Courage

    Engineering an innovative and healthy environment also requires moral courage. This means all community members must feel compelled toward action to intervene against any culture or practice that inhibits the safety of any of our members. member of your organization must report violations of laws, policies, or your company’s mission, vision, and core values. Talk to potential members who have faced racism and discrimination in the past. Encourage a speak up culture.

    Cultural Competencies

    As you engineer an innovative and healthy workspace, focus on growing key cultural competencies in your online communities:

    Valuing diversity
    Having the capacity for cultural self-assessment
    Being conscious of the dynamics inherent when cultures interact
    Having institutionalized cultural knowledge
    Having developed adaptations to service delivery reflecting an understanding of cultural diversity
    

    Developing cultural competence systematically within a workforce requires subject-matter expertise and involvement by systemically marginalized groups. Over time as you grow, your community may need to rely on experts in race, gender, gender identity, sexual orientation, religion, ethnicity, education, and job position. In terms of addressing the systemically marginalized in online learning, you can look at the language used, the discourse patterns of leaders, and do recruitment outside of 24 hackathon events.

    Inclusion

    According to Dr. Young-McLear inclusion is “individuals perceiving acceptance within the organization, as well as the ability to bring unique contributions to the workplace.” Once your organizers have done the hard work of building psychological safety, moral courage, and cultural competencies, feelings of inclusion will increase.

    We need more voices for our online environments to thrive. We need communities explicitly inclusive to those who have faced trauma. Inclusion helps with both recruitment and retention. More importantly it makes your company safer. Research has shown diverse teams make better decisions.

    Diversity and Equity

    Diversity and equity share traits but have different impacts on the learning spaces you design. Diversity in the workplace means workers who are different from each other or come from different backgrounds. Diversity can involve constructs such as race, gender, age, etc. You need to think in terms of cultural, physical, and cognitive diversity.

    Only when your online spaces invest in diversity and equity can we hope to improve efforts to recruit, retain and members from systematically marginalized groups into technology. Diversity work often involves doing personal work more than outreach. Do not ask marginalized communities to put in extra effort to help you overcome their oppression.

    Mission Readiness and Innovation

    Once the foundation of psychological safety, moral courage, cultural competence, and diversity and equity get engineered into your systems the overall mission readiness of your online space may improve. Then innovation will follow. No matter the focus of your online community when people feel safe and there is a healthy exchange of free ideas innovation thrives.

  • Guide to Microsoft's Security and Compliance Rebranding

    Many people might stare with wide-eyed confusion at the naming conventions Microsoft has used in rebranding. Some of the services used in the government and by government contractors have a new moniker.

    Yet when you think about the changes the logic makes sense in terms of keeping compliance and security engines purring.

    Microsoft has a long established partnership with the Cybersecurity Maturity Model Certification community.

    In fact for the last five years, going back to when the System Security Plans (SSP) did not have their trustworthiness verified by a third party, the Seattle based company has retooled much of their information architecture to help the Government transition to the cloud and away from on-premises and boundary based protections.

    Microsoft has also created new tools to help with security and compliance. These efforts have led to a rebranding of services companies will use for CMMC. Microsoft wanted to make a distinction between services for security and those for compliance.

    When you consider the Risk Management Framework (NIST-SP-800-37 and 39) that forms the backbone of the 171 security requirements, we think about a business at three levels:

    • Level One: Governance and Organization
    • Level Two: Business Processes
    • Level Three: Technical and Business Systems

    At each of the three levels, different assets, which include people, will have privileged and non-privileged roles. This means a user can access something at a specific tier that other users can not access.

    In terms of the IA (information architecture) a company deploys they need to consider the Microsoft tools they choose for compliance and those they choose for security.

    Microsoft Azure and Microsoft 365

    The compliance and security services that Microsoft offers will cut across two different cloud platforms that people often confuse, Microsoft Azure and Microsoft 365. They each have different security and compliance needs and impact what controls a customer inherits from Microsoft or more like a Managed Service Provider.

    Microsoft 365 is a Software as a Service (SaaS) cloud. This means all of your tools like Microsoft Office, Microsoft PowerPoint, and Visio. An organization seeking certification has limited responsibility with SaaS tools. You need to control access and training but Microsoft handles almost all the other security requirements.

    Microsoft Azure is more an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) depending on how an organization seeking certification deploys the service. Usually with IaaS a company does not control all their hardware or need to purchase the hardware. PaaS gets used when you establish hybrid environments or create an enclave, for Controlled Unclassified Information, for example.

    Azure also gets used when Managed Service Providers or security providers build apps in the cloud. For the end user the tool is a SaaS cloud model, outside of Microsoft, but for the company designing the tool they use Azure as a PaaS.

    As Microsoft focused on improving their services for CMMC they identified assets in both Microsoft 365 and Azure that an organization may use for security and those tools that will get used for compliance. These tools were rebranded and sorted into two different buckets.

    Security and Compliance

    When working on services that provide security to a Microsoft cloud deployment, companies will work with the Microsoft 365 Defender portal. As part of a cloud first approach Microsoft has stopped the level of bifurcation between branding of their services. Azure Security Center is now Microsoft Defender for Cloud and Microsoft 365 Security Center is now Microsoft 365 Defender.

    When working on services that provide governance, risk management, compliance (GRC) services, a cloud user will access the Microsoft Purview Compliance portal.


    | Current name | New name |
    | --- | --- |
    | Azure Purview | Microsoft Purview |
    | Azure Purview portal | Microsoft Purview governance portal |
    | Microsoft 365 compliance | Microsoft Purview |
    | Microsoft 365 compliance center | Microsoft Purview compliance portal |
    | Azure Purview Data Catalog | Microsoft Purview Data Catalog |
    | Azure Purview Data Insights | Microsoft Purview Data Estate Insights |
    | Azure Purview Data Map | Microsoft Purview Data Map |
    | Azure Purview Data Sharing | Microsoft Purview Data Sharing |
    | Azure Purview Data Use Management | Microsoft Purview Data Use Management |
    | Microsoft 365 Advanced Audit | Microsoft Purview Audit (Premium) |
    | Microsoft 365 Basic Audit | Microsoft Purview Audit (Standard) |
    | Office 365 Advanced eDiscovery | Microsoft Purview eDiscovery (Premium) |
    | Office 365 Core eDiscovery | Microsoft Purview eDiscovery (Standard) |
    | Microsoft 365 Communication Compliance | Microsoft Purview Communication Compliance |
    | Microsoft Compliance Manager | Microsoft Purview Compliance Manager |
    | Customer Key for Office 365 | Microsoft Purview Customer Key |
    | Double Key Encryption for Office 365 | Microsoft Purview Double Key Encryption |
    | Office 365 Customer Lockbox | Microsoft Purview Customer Lockbox |
    | Office 365 Data loss prevention | Microsoft Purview Data Loss Prevention |
    | Microsoft 365 Information Barriers | Microsoft Purview Information Barriers |
    | Microsoft Information Protection | Microsoft Purview Information Protection |
    | Microsoft Information Governance | Microsoft Purview Data Lifecycle Management |
    | Microsoft 365 Insider Risk Management | Microsoft Purview Insider Risk Management |
    | Privileged Access Management in Microsoft 365 | Microsoft Purview Privileged Access Management |
    | Records Management in Microsoft 365 | Microsoft Purview Records Management |

    Do not let new naming conventions confuse you. The rebranded services from Microsoft provide the same catnip we have all come to love when dealing with Cybersecurity Maturity Model Certification.

    Img credit: Confused flickr photo by slava shared under a Creative Commons (BY) license

  • Matt Titcombe on the Compliance Trap from the Department of Defense.

  • Amira Armond on how inheritance and CMMC works.

  • Excited for Kyle Lai’s talk on ISO 2700. This is why I came.

  • Cole French a C3PAO on preparing for CMMC.

  • Victoria Pillitteri of NIST on future of 171

  • Leopold Wildenauer Datacentric approaches to Protecting CUI: CMMC and Zero Trust

  • Karen Evans, Why CMMC matters for SMBs.

  • Stacy Bostjanick, CMMC Director, at CMMC Day
