• How do you use the Discussion Section of the CMMC Assessment Guides?

    Great post from Alex Johnson on the difference between the discussion and requirements of CMMC practices.

    “I want to offer some information to those who may be struggling with understanding what options are available to you regarding the implementation of NIST SP 800-171 and CMMC requirements or practices.

    NIST SP 800-171 Section 2.2 contains the following:

“A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations.”

    The bottom line is that you have options. The discussions are not telling you exactly what you have to do. Rather, they are helping you to understand the essence of what the requirement is. There are a few discussions that are normative, but only a few.

    A great example of this can be found in MP.2.119 (3.8.1). These assessment objectives require you to physically control and securely store media containing CUI. The discussion indicates that “physically controlling system media includes conducting inventories.” However, that is not a requirement based on NIST SP 800-171 Section 2.2.

    I hope this helps some who may “extend the scope of a requirement” based on the discussion section.”

    Alexy J. on LinkedIn: I want to offer some information to those who may be struggling with linkedin.com


• Sample AWS Templates for incident response.

    GitHub - aws-samples/aws-incident-response-playbooks github.com

• CMMC Essentials Mocktini Recipes

    Moonlight Maze Martini


    • 2 oz cranberry juice
    • 1 oz fresh lime juice
• 5 oz club soda, seltzer or citrus soda like 7-Up
• splash of OJ
• lime wedges for garnish, or orange peel for garnish
    • sugar for frosting glass
    • ice
    ### Directions
    • Pour ice into a shaker or tall glass.
    • Add cranberry juice, fresh lime juice and club soda. Shake to combine.
    • Run a lime wedge over the outside rim of a chilled martini glass. Pour sugar onto a small plate or flat surface.
    • Dip the rim of the glass into sugar until covered with a thin border.
• Strain carefully into the chilled martini glass. Add a splash of OJ. Garnish with lime or orange peel.

    Olympic Games Gimlet


    • 3 sage leaves
    • ¾ oz lime juice
    • ¾ oz simple syrup
    • ice


    • Into a cocktail shaker, add 3 sage leaves, the lime juice, and simple syrup.
    • Add ice to your cocktail shaker, then shake for 20-30 seconds.
• If desired, add a sage leaf to the top for garnish.

KillDisk Daiquiri


    • 2 large strawberries, hulled
    • ¼ cup white sugar
    • 1 tablespoon lemon juice
• splash of OJ
    • ¾ cup chilled lemon-lime soda
    • 4 cubes ice


    • In the container of a blender, combine the strawberries, sugar, lemon juice and lemon-lime soda. Add the ice and blend until smooth. Pour into a fancy glass to serve.

Nitro Zeus Zombie Apocalypse


    • 1 oz. Passion Fruit Syrup
    • 4 oz. Pineapple Juice
    • Splash of Lime Juice
    • Splash of Vanilla Syrup


    • Shake/Strain and Garnish!

    Telvent Tonic


    • 1.50 oz Monday Zero Alcohol Gin
    • 1.50 oz cranberry juice
    • .50 oz lime juice
    • .50 oz simple syrup
    • 2-3 oz tonic water


    • Combine all the ingredients except tonic water in a shaker with ice.
    • Shake and strain into a tall glass with ice. Top with tonic water.
    • Garnish with rosemary or cranberries if desired.

Header Image: Relief, by jgmac1106, shared under CC BY; a remix of “Martini 02” by Tom Hilton (licensed under CC BY) and “Python Source Code” by joncutrer (licensed under CC0).

  • Leslie Weinstein Joins Southern's CMMC Team as an Academic Advisor

    When you need quality you have to seek out talent.

Southern Connecticut State University announces that Leslie Weinstein has joined the instructional design team as an outside Academic Advisor working on content validity for our Cybersecurity Maturity Model Certification course.

    Leslie, a Major in the Army Reserves, works directly with the Army Chief Information Officer. In 2019 Major Weinstein founded CMMC Consulting, LLC in response to industry demand for accurate and timely information regarding the CMMC implementation efforts. She has designed a CMMC preparation methodology that focuses sharply on preparing companies to undergo the actual CMMC assessment.

    While on Active Duty with the Army, Leslie has served at the Defense Intelligence Agency, U.S. Cyber Command, Army Headquarters, and Afghanistan with the 101st Airborne Division (Air Assault). In between tours with the Army, Leslie also served the Department of Defense as an Army civilian and policy analyst supporting DoD Chief Information Officer (DoD CIO), Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)), and the Air Force A2.

    Leslie served as a National Security Fellow at the Foundation for Defense of Democracies in 2019, in addition to being a member of the Truman National Security Project’s Class of 2021 Defense Council cohort. She holds a Bachelor of Science in Management of Information Systems from the University of Alabama in Huntsville, a Master of Science in Strategic Intelligence from the National Intelligence University, and a Master of Business Administration from Cornell University.

    As a member of the curriculum team, Leslie will work with our expert panel on validating our objectives. Through in-depth discussions and iterative rounds, this panel will work to decide what body of knowledge an objective measures, how relevant that objective is to a matched objective, and how important the objective is for us to teach.

Weinstein will also apply her experience in assisting over 100 defense contractors to meet regulatory cybersecurity requirements. By reviewing our Controlled Unclassified Information scenario trainings with her expert eye, she will develop specialized training to aid in the understanding and adoption of cybersecurity regulations.

    Leslie Weinstein hosts a successful and popular CUI podcast “Ooey Cooey.” Everyone who wants to understand CMMC should check out the show. Otherwise you will feel like a guinea pig spinning around the endless compliance wheel.

If you would like to learn from Leslie Weinstein and our herd of experts, you should join the CMMC Essentials class organized by Southern Connecticut State University and CyberDI.

    We launch module one today, so make sure to register today.

  • Overview of Module Zero Kick Off: Do I need a Gap Analysis?

Grand Canyon

    Imagine going to the Grand Canyon and paying a tour guide to point out holes in the ground.

    It sounds stupid, I know, but many companies do something like this by paying for a Gap Analysis. You already know your hygiene needs help; you don’t need to pay someone to tell you this.

    If you cannot tell me the number of contracts you have with a 7012 clause, tell me the number of endpoints you possess, or tell me the number of people you employ, then you will be throwing away money on a Gap Analysis.

    I brought this perspective to the CMMC Essentials III Kick Off yesterday and Vincent Scott pushed back but RJ Williams noted that Vince described what he would call a remediation plan.

    No clear definition exists in the community for the meaning of a Gap Analysis.

    The conversation began when I discussed my trouble in determining the best way to teach the Domains in the CMMC CCP class. In my mind, I thought it would be best to teach the exact way our future CCP comrades would conduct assessments to help companies get to -171 and CMMC compliance.

    Our class specifically focuses on the roots of cybersecurity before we even talk about Domains, Practices and Processes. Still—needing to cover 17 Domains, 130 Practices, and 705 objectives in one class presents a daunting task.

So I threw out this idea: what if we take the NIST Cybersecurity Framework (CSF) as a lifecycle approach and use that on your CMMC journey? Enough folks have mapped the objectives. Yet, you end up just confusing folks.

    Cybersecurity frameworks are like religion. If you try to unify two, you just end up with a third.

    This sparked a thinking exercise between Richard Dawson, Lisa Lancor, myself, RJ, Vincent, and Jim Goodrich on how one could combine the roots of cybersecurity with a lifecycle approach.

    (Christina Reynolds of BDO wrote the best life cycle approach to CMMC that I have seen to date)

    screen shot of cycle that is described below

We arrived at a rough sketch. The cycle begins with plan from a business awareness perspective. This means knowing your revenue from 7012 clause contracts, understanding the risks and threats used to attack sensitive data, and encouraging as many of your employees as possible to learn about CMMC.

    Following this, you do not hop right into a Gap Analysis. Conduct your formative assessments before a summative test to ensure you pass CMMC. You need a system to help you grow. The development of this system begins with a scoping assessment. The average small business cannot do this step alone.

    To begin, you should know which contracts have CUI. Familiarize yourself with the vendors that may fall within your scope. You should also have a rough sketch of your CUI data flow. Once these things are in order, then it is time to engage a professional.

    In the picture, remediate came after Gap Analysis. We meant to switch this around, but I never did. Here you complete a self-assessment, or better yet, utilize a compliance package to guide your journey and remediate the stuff you can by yourself. Focus on the People and the Process.

    You may do this step a number of times. 2026 is a bit far off. You do not need to invest in all of this in one year. Grow your SSP, and shrink your POA&M, over the course of a year or two.

    Then, when you feel your organization is approaching CMMC readiness, your company should start a formal Gap Analysis. Again, there is no point in paying people to point out the holes you already know exist.

    Overall, we had such a wonderful Module Zero launch and I am super excited about the new learners joining the class. RJ, Jim, and Kevin gonna fit right in. Our crew is rolling up to almost 30 deep now.

    We start module one on Thursday, so if you want to join check out Southern Connecticut State University.

    CMMC may make you want to jump into the Grand Canyon. But if you take a step back, breathe, and focus on growing your SSP while shrinking the POA&M over a period of time, life will be okay.

    And please turn on MFA.

    “grand canyon 2” by airlines470 is licensed under CC BY-SA

  • Moving from Microsoft Teams to Google Classroom

After two iterations of our CMMC Essentials class, we have decided to move away from Microsoft Teams and onto Google Classroom.

We simply could not reliably predict the UX for our learners on Microsoft Teams. For example, if a guest entered a meeting from their Teams, they could not use the chat feature during a meeting. Only if you copied the meeting URL from the calendar, pasted it into a different browser, and then selected “open in Teams app” would guests receive access to the chat.

We also do not know if a user has downloaded the app or only enters class through the browser-based version. Those experiences end up different. That never works for teaching. You want to spend your time on the content and not on doing two different versions of tool tutorials.

File sharing became impossible. You record a meeting and it is uploaded to Stream. By default Guests can’t see Stream. You have to download the video and then reupload it to Teams for guest access. PITA. Same with files. Am I in Teams, SharePoint, O365? Got messy quick.

If I have an SME booked for an hour, I do not want to spend ten minutes trying to share files.

    Then we do not know the feature sets or how these features work on Teams. At our university we have five different levels of Teams all on one tenant. We can choose from:

    • Staff
    • Professional Learning Community
    • Class
    • Other

    Each one has nuanced, role-based access settings that nobody really knows. We have asked. Well—first you have to try to figure out who to ask.

For a small company, Teams will work as a training platform. At our University, nested in a State IT system, connected to our Active Directory, we just did not have enough control to flip radio buttons. Getting features turned on and off requires untangling webs of committees and shared governance.

    Moving to Google Classroom

    screenshot of google classroom

    Therefore, Dr. Tucker, Dr. Lancor, and I decided to shift to Google Classroom. Our university keeps an instance so we can train teachers on Google Workspace apps. Schools no longer use or teach Microsoft Products until you get to College. Local school districts demand teachers are trained in the Google ecosystem.

We reached out to all of our alumni and future students, and everyone seems pleased with the change. People do not like Microsoft Teams when compared to Slack and Discord. A majority actually noted a bit of relief after having used Google Classroom with their children during the COVID-19 Pandemic. Most know the platform already.

    I do not like the inability to add images to Google Classroom materials. Pictures help, but I am sure Google saves on file size, bandwidth and improves accessibility (or does it hurt it??…maybe accessibility compliance) without images.

    We still provide students with an account on Cocoon Data’s Safe Share if they want to share IP or keep their SSP off our University’s Google Instance.

    What does this mean for an LTP?

    Nothing. We write curriculum LMS agnostic. You will have it delivered in HTML/Word/PDF and SCORM. We follow a simple instructional design rule of content frames.

    A content frame works by constraining design. We only get a set of boxes to put stuff in:

    • Overview
    • Essential Questions
    • Objectives
    • Videos
    • Read Tasks
    • Write Tasks
    • Participate Tasks

Every module gets laid out using the exact same content frame. Predictable navigation supports student satisfaction and learning.

Our teacher guides use the CMMC-AB lesson plan template. If you purchase the optional teacher handbook, you have a copy of the student textbook, with teaching tips and lessons for delivering the material in three different modalities:

    • Asynchronous Online
    • Synchronous Online
    • Hybrid
    • Face to Face

You will also know all of the content you receive comes compliant with the Americans with Disabilities Act and Section 508.

    Most importantly, you will know the courses elicit evidence of knowledge growth against our course objectives, which have undergone two protocols of content validation with subject matter experts. Every module will contain a pre and post test that is conditionally released to students through Safe Share or your LMS.

We also move far beyond the traditional recorded PowerPoints. In our classes, community is the curriculum. You will receive tips on holding discussions for the modality of your choosing. In addition to this, you will receive a library of pre-edited discussions we have already conducted with the best people in cybersecurity. Every module does include a slide deck with speaker notes for the Instructors most comfortable with that toolkit.

    Our assignments move far beyond the traditional multiple choice test. Sure, we use some quizzes, but we want students learning by doing. Every lesson plan follows a scaffold of read, write, do. We set an active purpose for our readers, have them synthesize new learning in their writing, and then apply what they learn through a performance assessment.

  • Inventory Matters

Inventory matters. As Sarah Spencer, CEO of SolonTek, notes, “You cannot protect what you cannot see.”

    “dandoodlescan065-inventory is waste” by Inha Leex Hale is licensed under CC BY

    Now, some people read the CMMC assessment guide for Level One and think, “Huh no inventory needed?”

    This is not true. You may not need to show your inventory results or policies for Level One compliance, but you will not be Level One compliant without good inventory policy.

    Think about assessment objective f of Access Control 1.001, “[f] system access is limited to authorized devices (including other systems).” You will need to inventory your systems to comply with this objective.

    What about CUI? If you read NIST-SP800-18 on writing a System Security Plan, you quickly realize you need to inventory all of your 7012 contracts and the data owner for each one.

    Vincent Scott and I developed a quick table of “some” of the areas hit by good inventory. The word “identified” happens a ton in the CMMC assessment guides. You have to decide if this also means counting. This list will continue to grow, so if you think we missed something, please let us know.

    Comment on LinkedIn or better yet get a blog and send me a webmention.

| CMMC Level | Domain | Number | Definition | Assessment Objective | NIST 171 |
|---|---|---|---|---|---|
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [c] devices (and other systems) authorized to connect to the system are identified; | 3.1.1 |
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [f] system access is limited to authorized devices (including other systems). | 3.1.1 |
| 2 | Access Control | AC.2.006 | Limit use of portable storage devices on external systems | [a] the use of portable storage devices containing CUI on external systems is identified and documented; | 3.1.21 |
| 2 | Access Control | AC.2.011 | Authorize wireless access prior to allowing such connections | [a] wireless access points are identified; | 3.1.16 |
| 2 | Access Control | AC.2.015 | Route remote access via managed access control points | [a] managed access control points are identified and implemented; | 3.1.14 |
| 2 | Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations | [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; | 3.1.3 |
| 3 | Access Control | AC.3.020 | Control connection of mobile devices | [a] mobile devices that process, store, or transmit CUI are identified; | 3.1.18 |
| 3 | Access Control | AC.3.022 | Encrypt CUI on mobile devices and mobile computing platforms | [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; | 3.1.19 |
| 2 | Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles | [e] the system inventory includes hardware, software, firmware, and documentation; | 3.4.1 |
| 1 | Identification and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices | [c] devices accessing the system are identified. | 3.5.1 |
| 1 | Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | 3.5.2 |
| 3 | Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner | [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. | 3.8.8 |
| 1 | Physical Protection | PE.1.134 | Control and manage physical access devices | [a] physical access devices are identified; | 3.10.5 |
| 2 | System and Communications Protection | SC.2.178 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | [a] collaborative computing devices are identified; | 3.13.12 |
| 2 | System and Communications Protection | SC.2.179 | Use encrypted sessions for the management of network devices | [a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; | N/A |
| 1 | System and Information Integrity | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems | [a] designated locations for malicious code protection are identified; | 3.14.2 |

  • Domains, Practices, and Processes of CMMC

When you join the CMMC Essentials class at Southern Connecticut State University, you interact with the best experts in Cybersecurity.

Yesterday Vincent Scott, Leighton Johnson, and Paul Netopski joined us to record the module launch of CMMC Domains, Practices, and Processes.

We have a few MSPs joining us this session. They support both DIB and HIPAA contractors. Been a busy couple of days for them.

We spent most of the session dealing with the 999, 998, and 997s of CMMC: the policies (999), procedures (998), and plans (997) required for Cybersecurity Maturity Model Certification (CMMC) compliance.

    A blog post by Amira sparked the discussion and we went into topics from:

    • The impossibility and impracticality of step by step procedures
    • Challenges for DIB large and small
    • Role of Reference Architecture
    • Automating procedures through STIGs, SIEM, and Compliance Managers

We also discussed the three types of evidence required in the CMMC assessment process: interview, examine and test. Leighton shared his observation that CMMC requires no testing. You observe someone perform a test or interview them about the tests they perform, but no C3PAO or Certified Assessor will ever test a private system.

No security engineer will ever allow a rando assessor, or worse, a registered professional, to poke around the system.

Finally we closed with the point that if you start your self-assessment using the DCMA 171a assessment and get your SPRS score started, you will be well ahead of the game.

    If you want a preview of the fun we have in our module kick offs (WE WILL NEVER USE A PPT PROMISE) check out this teaser:

Join us for our next class starting July 20th: https://southernct.edu/cmmc

  • CMMC Blues

    I’ve got them serious #CMMC blues

    Hated by every security recluse

    CEOs blame me for all their costs

    And scream, “Why don’t I sell COTS?”

    CMMC didn’t make #cui

    We need to see eye to eye

    That was an Executive order

    I ain’t no greedy hoarder

    Not even the DoD

    Did this to me

    It was NARA

    Who took costs farther

    But folks see CMMC

    As a wound and wanna cauter it.

    Yet OMB decided #CUI needed moderate

    FIPS came from their lips

    Not mine

    I didn’t take your dime

    That was 199

    Forgot about FISMA

    Didn’t Ya

    Forgot about FISMA

    Didn’t Ya

    Stop blaming CMMC

    For someone’s crime

    It’s not me

    Not Delta Twenties

    Those just pennies

    171 in NIST’s baseline

    Robbing your bottom line

    You see,

    Don’t blame CMMC

    You fret

    Over technical debt But

    7012 had the clause

    delving its paws

    Into your dwindling books You self-attested

    and now feel bested

    So stop with dirty looks

    CMMC didn’t do this

    NO complaining on LinkedIn

    Instead let this lesson sink in

    Grow your SSP

    Cut your POA&M at the knees

    Don’t blame CMMC

    For your lack of


    It wasn’t me

    Forgot about FISMA

    Didn’t Ya

    Forgot about FISMA

    Didn’t Ya

  • I just RSVPd yes to CS2 excited to talk to other Higher Education folks about CMMC

  • Creating Scenario Activities for CMMC Domains

    I have had the pleasure of working with Leighton Johnson, Vincent Scott, and Lauren Tucker on our curriculum. Together, we are covering every single practice, process, and assessment objective of Cybersecurity Maturity Model Certification (CMMC) domains. There are 17 domains, 130 practices, and 705 objectives necessary for Level 3 Certification.

    Like owls scanning the fields, we need to be able to see the big picture, but it is equally as important to focus on key targets of understanding.

    Despite this, we have all agreed that CMMC domains are the wrong place to focus first.

    Many people blame CMMC for all of their problems and technical debt, when in fact CMMC did not create the CUI policy; NARA did. This was in response to the Secretary of Commerce, who in turn was responding to an Executive Order from the President. CMMC did not decide CUI needs FIPS validated modules for encryption, nor did CMMC decide CUI needed moderate protection; the Office of Management and Budget did.

    Almost all of the costs associated with CMMC existed long before the program began. In fact, a deep understanding of the Defense Federal Acquisition Regulation Supplemental clauses 7012-7021 is necessary to grasp how CMMC evolved.

    Below is a sample activity we will use in our CMMC classes designed for CyberDI, an LPP and LTP working in partnership with higher education institutions across the country.

If you would like to join our prep classes (not for certification) to grow your SSP and shrink your POA&M, we have another beginning July 20th at Southern Connecticut State University.

    Defense Federal Acquisition Regulation Supplemental 7012-7021


    Directions: Utilize the assigned readings and experts in our network to answer the following questions. You will be provided a scenario to guide your instruction.


Acme Inc is a small manufacturing company who is subcontracted from Roadrunner Corporation to produce high pressure air compressors for US Navy Submarines. Acme Inc also produces a variety of air compressors for other commercial needs. Roadrunner Corporation represents 40% of Acme Inc’s business.

Acme Inc has retained Mr. Wile E. Coyote as a 1099 consultant on the implementation of needed cybersecurity compliance requirements, which Roadrunner Corporation has informed them will soon be enforced.


What qualifications might Acme Inc have considered in hiring Mr. Coyote?

Mr. Coyote conducts a series of interviews and reviews Acme Inc’s contract with Road Runner Corporation. He determines that Acme Inc is unaware of what Controlled Unclassified Information (CUI) is, but the CFO tells him that no matter what it is, Acme Inc does not have it.

In conversation with the Contract Assistant to the CFO, who also serves as the Contracting Officer for Acme, Mr. Coyote learns that their contract with Roadrunner includes the DFARS 7012 clause, and that recently it was modified at the direction of the Navy to include the DFARS 7019, 7020, and 7021 clauses.


What are the implications of the DFARS 7012 clause? What does it require?

What are the implications of the DFARS 7019 and 7020 clauses? What request might Acme Inc expect now, or at any point going forward, based on the inclusion of these clauses?

Currently, whose permission is needed to add the 7021 clause to a contract?

What information should have been provided by the government and the prime when adding the 7021 clause to any contract?
• Prerequisites for a DIBCAC CMMC Assessment

    While we await the release of the CMMC assessment process from the AB, we can look to how the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducted Level Three assessments of Certified Third Party Assessment Organizations (C3PAO) to understand their methodology.

    As we know, Cybersecurity Maturity Model Certification (CMMC) assessments happen in four phases. With each step, you decide to continue with the next phase of assessment. At a brown bag luncheon DIBCAC released their go/no-go decision trees.

    This provides a road map for companies that may want to prepare for their CMMC journey now.

    Documented SSP

    If you do not have a documented System Security Plan (SSP) you cannot be scored against the 171 framework or CMMC.

    If you utilize the NIST templates for 171a self-assessments, your SSP will not include all of the domains, practices, and assessment objectives necessary for Level 3 CMMC certification.

    Policy, Procedures, and Plans

Do you know how much documentation CMMC takes? A lot—a lot—like your hand falls off from writing amounts.

    At Level 2, you need a policy for every single one of the 17 domains in CMMC. This does not necessarily mean you must have 17 different documents, but you can. At Level 3, you need to document the procedures for implementing these policies, in addition to having a plan to budget and resource for these procedures.

If you miss any of the necessary policies, procedures, or plans, you will not be allowed to proceed. If any of these three exist only in draft form, you will not be allowed to proceed. If you have confused procedures and plans, you will not be allowed to proceed.

    Completed Self-Assessment

    You need to certify that you have assessed yourself, and have no open action items on the 705 assessment objectives of CMMC.

The information owner of the organization seeking certification must validate the completion of the self-assessment.

    No Open Plans of Action

    Level 3 CMMC certification is a binary assessment. Do or do not—there is no try. If you score a 704/705, and therefore are compliant on 99.85% of assessment objectives, you will fail. While there is no penalty for a low score on Medium, High, or Basic Self-Assessments, Level 3 CMMC Assessments follow Yoda rules.

    Customer Responsibilities Matrix

    If you use a Managed Service Provider or a Managed Security Service Provider, you need to know what assessment objectives they help you meet, which ones they do not, and which ones you share with them.

    You then have to work these matrices into your procedures to make sure you complete your shared obligations.

    If either step goes missing, you will not be allowed to proceed with certification.

    Procedures are Repeatable

    You must have your procedures written in such a way that an assessor can repeat them and get the same result you get, every time.

    If you cannot follow your procedures, or if they are not reliably replicable, you will not be allowed to proceed.


    The market for -171 and CMMC compliance just got much bigger in Connecticut.

    On 2021-07-06 Governor Lamont signed Public Act No. 21-119 into law.

“To incentivize the adoption of cybersecurity standards for businesses by allowing businesses that adopt certain cybersecurity frameworks to plead an affirmative defense to any cause of action that alleges that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.”

You can utilize an affirmative defense to get out of lawsuits, like a get-out-of-jail card, if you have good cybersecurity. Affirmative defenses are a means of making it impossible for you to be found liable during a lawsuit over a data breach. As the defense, you have to explain the burden of proof in your answer, and in Connecticut you now have a list of cybersecurity frameworks to choose from.

    You receive an affirmative defense if you can prove to an insurance adjuster, or more likely through a third-party attestation required before a policy is issued, that your systems are in compliance with one of these frameworks.

    Companies can choose from the following frameworks:

    • Framework for Improving Critical Infrastructure
    • NIST SP-800-171
    • NIST SP-800-53
    • FedRAMP
    • Center for Internet Security Critical Security Controls for Effective Cyber Defense
    • ISO/IEC 27000-series

    We tried to get CMMC Level Three included, but the bill did not receive any markup. Our friends in the Capitol let us know CMMC Level 3 would count for NIST-SP-800-171 since it subsumes all 110 controls.

    The demand for CMMC and -171 or -53 compliance just skyrocketed in Connecticut.

  • How Long Does a CMMC Assessment Take?

    I don’t know. You don’t know. Nobody knows.

    The scoping and final methodology guides have yet to hit the press as we await approval from the Department of Defense.

    Until then we guess, but with observable evidence in mind.

    The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) portion of the Defense Contract Management Agency verified the self-assessment of a few organizations that attested to NIST-SP-800-171 compliance. To date they have conducted around 200 assessments of various kinds. Only a small portion of the 200 assessments conducted to date are CMMC Level 3 Assessments, which consist of both a High Assessment by DIBCAC and additional CMMC controls.

    Under the new interim rules of the Defense Federal Acquisition Regulation, supplemental assessments come in four flavors. First, there is the homemade variety of Basic Self-Assessments, called the 7018. These are followed by Medium Assessments, which are conducted by DIBCAC off-site and fall under 7019; the majority of the 200 assessments conducted to date have been at this level. The High Assessment flavor of 7020 requires an on-site, in-depth review of the implementation of 701 from DIBCAC. Finally, the banana split of them all—171—comes with CMMC sprinkles. Don’t worry; only the Undersecretary of A&S has hands on this yummy jar.

    So, currently you get a call and DIBCAC asks for documents, or they may roll in to kick the tires on the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M).

    For the C3PAO, things are a bit different. They need 100% compliance on all 705 assessment objectives. In the case of a Level 3 CMMC Assessment, scoring a 704 out of 705 means failure. Under the interim rule, you can still have a POA&M; Medium, High, and Basic Self-Assessments are scored on a scale of -203 to 110, and there is no penalty for a low score. However, you will need to pass these assessments with flying colors before you will be able to consider passing a Level 3 CMMC Assessment. On a CMMC Assessment performed by DIBCAC for a C3PAO, you can have no open assessment objectives.

    Six Week Assessment Cycle

    Overall, the assessments take around six weeks. Most of these assessments occurred during the COVID-19 lockdown, and it has been speculated that the circumstances of the pandemic may have extended the timeline, although this is doubtful.

    Four weeks before an assessment begins, DIBCAC meets with the Organization Seeking Certification (OSC), in this case the Certified Third Party Assessment Organization (C3PAO) candidate. You then receive a system set up to exchange documents. Consider: will your company use email, or a third-party file-sharing service?

    Two weeks before an assessment, DIBCAC reviews the documents and decides whether the prerequisites are in place. They then meet with the C3PAO to discuss their go or no-go decision.

    One week before an assessment, DIBCAC finalizes the assessment plan with the OSC.

    Then, the assessment week hits. DIBCAC has built a team and grouped domains into four loose categories. These give you clues to the types of people a C3PAO may include on an assessment team. We loosely categorize these into:

    • Group One: Identity and Access Management
    • Group Two: People and Procedures
    • Group Three: Technical Systems
    • Group Four: Governance

    Then for one week—in some cases two, if the assessment goes long—the assessment takes place. Following this, the DIBCAC team writes the final report.

    As we have no official assessment process to share, we can only guess at what the Department of Defense will do by looking at what the Department of Defense does in the coming months.

    Just remember, CMMC is a bit off. 2026 does not even show up on desk calendars.

    Until then, grow the SSP and shrink the POA&M.

    featured image:

    TIme flickr photo by Dominic Hargreaves shared under a Creative Commons (BY-SA) license

    source: DIBCAC CMMC Assessment Team (April 2021). Candidate C3PAO Brown Bag. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

  • Avoid Shady CMMC Training! Enroll in Southern Connecticut State University's CMMC Classes Today!


    As a life-long public servant, nothing angers me more than smarmy consultants trying to make a quick buck as we try to harden our nation’s cybersecurity stance.

    Our country fights a digital war every day; our tireless manufacturers are attacked every day, and at every hour. The Defense Industrial Base sits on the frontline of a battlefield that knows no borders.

    We would not leave a wounded soldier behind. While this metaphor does not fully represent the sacrifices made by our veterans, we in the cybersecurity community have a similar obligation to support small businesses that are relentlessly injured by foreign actors, which allows for the exfiltration of Controlled Unclassified Information (CUI).

    Given this, seeing the Cybersecurity Maturity Model Certification Accreditation Board release a statement warning about falsified training upsets me.

    At a Town Hall, the CMMC-AB released a statement, which reads:

    The CMMC Accreditation Body (CMMC-AB) is alerting all current and prospective members of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem about companies and organizations misrepresenting their ability to train individuals in preparation for the CMMC assessor and CMMC instructor certification exams developed by the CMMC-AB in support of the Department of Defense’s (DoD) CMMC initiative.

    No Registered Professional, Registered Professional Organization, Licensed Training Provider, or Licensed Publishing Partner can enroll in any CMMC training that will lead to the ability to take a certification class.

    This does not mean you should delay your CMMC training. In fact, many manufacturing companies, software providers, and Managed Service Providers need to get started in NIST-SP-800-171 compliance today.

    You have no idea how much work and policy writing must occur.

    Join the CMMC Essentials Class at Southern Connecticut State University

    While our classes do not lead to certification and the CMMC-AB has not certified our classes, everyone in the CMMC Ecosystem should enroll in the classes SCSU offers with CyberDI, an LTP and LPP.

    We run a five-week boot camp, one of which is starting on July 20th. You can choose the 8-hour pathway, or choose the full 20-hour community over the five weeks.

    The class costs $895, which includes the ability to join ALL classes taught in that academic year. Plus, if you decide to enroll in our CCP classes, you can apply the $895 to the cost of tuition.

    You would never buy a house without an inspection, or a car without a test drive. So why do that with CMMC curriculum? Check us out and see if you want CyberDI as a long term training partner.

    Goals of the CMMC Essential Classes

    As an Educational Psychologist, I know what it takes to create valid and reliable educational experiences. We 100% develop and test the curriculum and lesson plans that CyberDI will offer in our CCP classes.

    So we work with Leighton Johnson, Paul Netopski, and Vincent Scott to run content validity studies as we pilot the items. Dr. Lauren Tucker then reviews the material to ensure 508/ADA compliance and, more importantly, applies a Universal Design for Learning lens.

    • CMMC Essentials One: The Wireframe. Create a content frame that increases student learning by reducing the cognitive load caused by navigation issues.
    • CMMC Essentials Two: Alpha. Get all the learner-facing materials validated and ready.
    • CMMC Essentials Three: Beta. Get all the teacher-facing materials validated and ready.

    Yet most people in the community do not complete our assignments. They bring a personal project and I align their subjectives to our learning objectives.

    What do People Build in Class?

    So many OSCs and MSPs take our class to start working on SSPs or business plans.

    • Penn State University: joined our class to update their SSP for a CUI policy
    • NKT Photonics: develop the policies for a CUI enclave
    • Cocoon Data’s SafeShare: develop a Customer Inheritance Matrix
    • SMB Networks: develop a plan, as an MSP, to enter the 7012 manufacturing space
    • Data Intelligence Technology: develop a Customer Inheritance Matrix for their CMMC assessment app
    • Net Synergy: create a plan to support existing customers with a 7012 clause
    • Alan Knapp Consulting: ERP and CMMC compliance
    • 123 CMMC: Dana Mantilla’s CMMC podcast series

    You can join our class as an RP and an RPO to cement your place in the CMMC ecosystem.

    Who Teaches the Classes?

    CyberDI and SCSU have the best cadre of instructors and curriculum designers. Many of them stop in to lead classes. Our team includes:

    • Vincent Scott
    • Leighton Johnson
    • Jeff Baldwin
    • Paul Netopski
    • Margeret Glover Tanner
    • Brian Rogalaski
    • Alex Sharpe
    • Jacob Horne
    • Israel Campbell
    • Glenn Axelrod
    • Rodney Mcleod

    Want to learn more? Find me on the interwebz (jgmac1106 everywhere) or check out https://www.southernct.edu/cmmc.

  • Controlled Unclassified Information Glossary

    Need a Controlled Unclassified Information cheat sheet? Getting an acronym-induced migraine?

    Look no further for relief than this handy-dandy CUI Glossary ripped, remixed, and reused verbatim from the Code of Federal Regulations.

    dictionary focus flickr photo by Cubosh shared under a Creative Commons (BY) license

    Agency (also Federal agency, executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

    Agency CUI policies are the policies the agency enacts to implement the CUI Program within the agency. They must be in accordance with the Order, this part, and the CUI Registry and approved by the CUI EA.

    Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not limited to, contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information-sharing agreements or arrangements. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into written agreements or arrangements that include CUI provisions whenever feasible (see § 2002.16(a)(5) and (6) for details). When sharing information with foreign entities, agencies should enter agreements or arrangements when feasible (see § 2002.16(a)(5)(iii) and (a)(6) for details).

    Authorized holder is an individual, agency, organization, or group of users that is permitted to designate or handle CUI, in accordance with this part.

    Classified information is information that Executive Order 13526, “Classified National Security Information,” December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.

    Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure.

    Control level is a general term that indicates the safeguarding and disseminating requirements associated with CUI Basic and CUI Specified.

    Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

    Controls are safeguarding or dissemination controls that a law, regulation, or Government-wide policy requires or permits agencies to use when handling CUI. The authority may specify the controls it requires or permits the agency to apply, or the authority may generally require or permit agencies to control the information (in which case, the agency applies controls from the Order, this part, and the CUI Registry).

    CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified in this section), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.

    CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI EA has approved and listed in the CUI Registry. The controls for any CUI Basic categories and any CUI Basic subcategories are the same, but the controls for CUI Specified categories and subcategories can differ from CUI Basic ones and from each other. A CUI category may be Specified, while some or all of its subcategories may not be, and vice versa. If dealing with CUI that falls into a CUI Specified category or subcategory, review the controls for that category or subcategory on the CUI Registry. Also consult the agency’s CUI policy for specific direction from the Senior Agency Official.

    CUI category or subcategory markings are the markings approved by the CUI EA for the categories and subcategories listed in the CUI Registry.

    CUI Executive Agent (EA) is the National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees Federal agency actions to comply with the Order. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).

    CUI Program is the executive branch-wide program to standardize CUI handling by all Federal agencies. The Program includes the rules, organization, and procedures for CUI, established by the Order, this part, and the CUI Registry.

    CUI Program manager is an agency official, designated by the agency head or CUI SAO, to serve as the official representative to the CUI EA on the agency’s day-to-day CUI Program operations, both within the agency and in interagency contexts.

    CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI EA other than this part. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

    CUI senior agency official (SAO) is a senior official designated in writing by an agency head and responsible to that agency head for implementation of the CUI Program within that agency. The CUI SAO is the primary point of contact for official correspondence, accountability reporting, and other matters of record between the agency and the CUI EA.

    CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out specific controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.

    Decontrolling occurs when an authorized holder, consistent with this part and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer requires such controls. Decontrol may occur automatically or through agency action. See § 2002.18.

    Designating CUI occurs when an authorized holder, consistent with this part and the CUI Registry, determines that a specific item of information falls into a CUI category or subcategory. The authorized holder who designates the CUI must make recipients aware of the information’s CUI status in accordance with this part.

    Designating agency is the executive branch agency that designates or approves the designation of a specific item of information as CUI.

    Disseminating occurs when authorized holders provide access, transmit, or transfer CUI to other authorized holders through any means, whether internal or external to an agency.

    Document means any tangible thing which constitutes or contains information, and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority, whether inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic, or other means, as well as phonic or visual reproductions or oral statements, conversations, or events, and including, but not limited to: Correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, contracts, licenses, certificates, grants, agreements, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions, or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences, and any written, printed, typed, punched, taped, filmed, or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits, and containers, the labels on them, and any metadata, associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter, and other data compilations from which information can be obtained, including materials used in data processing.

    Federal information system is an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. 44 U.S.C. 3554(a)(1)(A)(ii).

    Foreign entity is a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization.

    Formerly Restricted Data (FRD) is a type of information classified under the Atomic Energy Act, and defined in 10 CFR 1045, Nuclear Classification and Declassification.

    Handling is any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

    Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).

    Legacy material is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program.

    Limited dissemination control is any CUI EA-approved control that agencies may use to limit or specify CUI dissemination.

    Misuse of CUI occurs when someone uses CUI in a manner not in accordance with the policy contained in the Order, this part, the CUI Registry, agency CUI policy, or the applicable laws, regulations, and Government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI.

    National Security System is a special type of information system (including telecommunications systems) whose function, operation, or use is defined in National Security Directive 42 and 44 U.S.C. 3542(b)(2).

    Non-executive branch entity is a person or organization established, operated, and controlled by individual(s) acting outside the scope of any official capacity as officers, employees, or agents of the executive branch of the Federal Government. Such entities may include: Elements of the legislative or judicial branches of the Federal Government; state, interstate, tribal, or local government elements; and private organizations. Non-executive branch entity does not include foreign entities as defined in this part, nor does it include individuals or organizations when they receive CUI information pursuant to federal disclosure laws, including the Freedom of Information Act (FOIA) and the Privacy Act of 1974.

    On behalf of an agency occurs when a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information, and those activities are not incidental to providing a service or product to the Government.

    Order is Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267), or any successor order.

    Portion is ordinarily a section within a document, and may include subjects, titles, graphics, tables, charts, bullet statements, sub-paragraphs, bullets points, or other sections.

    Protection includes all controls an agency applies or must apply when handling information that qualifies as CUI.

    Public release occurs when the agency that originally designated particular information as CUI makes that information available to the public through the agency’s official public release processes. Disseminating CUI to non-executive branch entities as authorized does not constitute public release. Releasing information to an individual pursuant to the Privacy Act of 1974 or disclosing it in response to a FOIA request also does not automatically constitute public release, although it may if that agency ties such actions to its official public release processes. Even though an agency may disclose some CUI to a member of the public, the Government must still control that CUI unless the agency publicly releases it through its official public release processes.

    Records are agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records also include such items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency’s control under the terms of the entity’s agreement with the agency.

    Required or permitted (by a law, regulation, or Government-wide policy) is the basis by which information may qualify as CUI. If a law, regulation, or Government-wide policy requires that agencies exercise safeguarding or dissemination controls over certain information, or specifically permits agencies the discretion to do so, then that information qualifies as CUI. The term ‘specifically permits’ in this context can include language such as “is exempt from” applying certain information release or disclosure requirements, “may” release or disclose the information, “may not be required to” release or disclose the information, “is responsible for protecting” the information, and similar specific but indirect, forms of granting the agency discretion regarding safeguarding or dissemination controls. This does not include general agency or agency head authority and discretion to make decisions, risk assessments, or other broad agency authorities, discretions, and powers, regardless of the source. The CUI Registry reflects all appropriate authorizing authorities.

    Restricted Data (RD) is a type of information classified under the Atomic Energy Act, defined in 10 CFR part 1045, Nuclear Classification and Declassification.

    Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.

    Self-inspection is an agency’s internally managed review and evaluation of its activities to implement the CUI Program.

    Unauthorized disclosure occurs when an authorized holder of CUI intentionally or unintentionally discloses CUI without a lawful Government purpose, in violation of restrictions imposed by safeguarding or dissemination controls, or contrary to limited dissemination controls.

    Uncontrolled unclassified information is information that neither the Order nor the authorities governing classified information cover as protected. Although this information is not controlled or classified, agencies must still handle it in accordance with Federal Information Security Modernization Act (FISMA) requirements.

    Working papers are documents or materials, regardless of form, that an agency or user expects to revise prior to creating a finished product.

    source: 32 Code of Federal Regulations, Section 2002.4 (Definitions)

  • Developing and Testing CUI Scenario Questions

    Tomorrow in our CMMC Essentials class we will launch the module on Sensitive Data. This means defining the differences between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

    Data Thief - Hacker - Cyber Criminal flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license

    We also need to cover the seventeen basic safeguards for protecting FCI and the legal responsibilities of those with a legal need to access CUI:

    • Create
    • Designate
    • Label
    • Store
    • Disseminate
    • Destroy
    • Decontrol

    At the same time, the scenarios should focus on helping an Organization Seeking Certification rather than on whether the Assessment Objectives get met by the NPCs (non-playing characters) in the story.

    So in designing CUI scenario problems we have four major content goals:

    1. Define the legal responsibility for authorized handling
    2. Identify domains, practices, and assessment objectives impacted by explicit mention of CUI
    3. Identify domains, practices, and objectives impacted implicitly (think media protection policy)
    4. Create or evaluate a CUI plan or policy

    I worked with Brian Rogalaski of Hexscapes on the example below. Tell us what you think.

    Does it set out to measure what we want it to measure? Does the scenario script provide enough detail while remaining vague enough to require additional information? How important is the topic to what we want to measure? Does the scenario fit the audience of a CMMC Consultant and an MSP?

    Yoxas Inc., a small manufacturer, has severely limited the use of portable storage devices on external systems. Jill needs to give a presentation at a client site that will contain CUI. According to the technical restrictions in the Yoxas CUI policy, Jill must reach out to Kamal, Yoxas's security officer, from whom she receives permission to use a USB drive.

    What strategies would you suggest Jill and Kamal take to make sure their use of portable storage devices stays compliant with CMMC Level Three practices and processes?

    What specific CMMC Domains, practices, and assessment objectives get impacted by Jill removing CUI off-site?

    What requirements must Jill and Kamal take to protect CUI based on NARA regulations?

    Write a Section for the CUI Policy at Yoxas Inc. that covers the limited use of Portable Storage Devices.

  • How would you teach the 17 Domains in the CMMC CCP class?

    Cybersecurity failed because cybersecurity training failed. Full stop.

    “Fail” by makinations is licensed under CC BY-NC

    Relying on self-paced videos followed by multiple choice questions and calling these activities scenario-based awareness and training has harmed our National Security.

    So as we work with CyberDI, an LTP/LPP, on Cybersecurity Maturity Model Certification, we want to help address this crisis.

    Considering how to teach and assess the seventeen domains of CMMC weighs heavily on us. See, it’s not just 17 Domains. You need to think practices, processes, and assessment objectives. In the end we have to ensure assessors have the ability to apply the yet-to-be-released CMMC Assessment Process, using the yet-to-be-released scoping guidance, to check compliance on 705 assessment objectives.

    So we turn to you, the audience, and ask, “How would you teach the Domains?” It always begins with the audience.


    I have such an amazing Instructional Design team:

    • Leighton Johnson
    • Vincent Scott
    • Paul Netopski
    • Brian Rogolaski
    • Dana Mantilla
    • Richard Dawson
    • Lauren Tucker
    • Lisa Lancor

    and we all agree that the way we ask about the domains must change based on the audience of the class. While all the classes expect some background in IT or security, the CCP, the CMMC Certified Professional class, will focus on consultants providing training, CEOs and employees of Organizations Seeking Certification, and Federal Employees. The audience will change the nature of the scenarios. In the CCP class we want to address scenarios where the answers and/or discussion revolve around providing advice. In the CA1 and CA3 class we will focus strictly on applying the CAP to the Assessment Objectives.

    Compliance Recipe

    In the end, how you assess all 705 objectives is like making a breakfast smoothie. Everyone will tell you the best order to add fruit, but in the end the blender blades treat them all the same. CMMC does the same with assessment objectives. In the end you must have compliance on all 705 assessment objectives. In the wild, assessment strategies have coalesced around four main plans:
    • You break objectives down into People, Processes, and Technology
    • You organize the Domains into Groups and deploy assessors likewise
    • You organize your Domains into technical systems and deploy assessors likewise
    • You organize 705 assessment objectives into one gigantic spreadsheet

    The approach the assessor takes does not matter. In the end you chop up 17 Domains into 700 and something assessment objectives. Still, I want to cover the common text structures deployed by experts in the field.

    Determining an Objectives Scheme

    I can’t share the CMMC-AB objectives, but we have to cover ALL the Domains, ALL Practices, and ALL Processes in CMMC. That means 705 objectives.

    Now we can't give you a quiz with 705 items on it, so we had to immediately think of ways to cast an ontological net that meets the CMMC-AB objectives without threatening the validity of any pre- and post-test.

    You see, objectives take multiple items to measure. Given we have 17 domains, if we wanted to use forced response items (multiple choice) we would find our learners in a pickle.

    Technically you should have two items, really three, per objective. So if we assessed every assessment objective we would need a post-test of over 2,115 items. So writing objectives at the assessment objective level is out.

    Next, I turned to thinking about the rigor of the scenario problems we had to craft. I do not want learners spending hours in class looking for random page numbers and CMMC Practice and Process numbering systems.

    I don’t care if learners can count (unless talking IADM).

    So, I turned to Webb's Depth of Knowledge:

    • Level 1. Recall and Reproduction
    • Level 2. Skills and Concepts
    • Level 3. Strategic Thinking
    • Level 4. Extended Thinking

    This got me to:

    • identify impacted domains and practices
    • list common strategies deployed by the OSC to meet compliance on those practices
    • compare alternate strategies for meeting compliance on these practices
    • create advice for the OSC to include on a POA&M

    Still, this left me with 68 objectives. Still too many. I would need 130 to 210ish forced response items. Plus, you usually must start with a bank of ten items for each objective to get down to three good multiple-choice items.

    Can’t happen. Not without threatening validity.

    Multidimensional Scenario Problems

    So forced response items went out the window. Instead, Dr. Tucker and I began to think about a multidimensional scenario-based problem, so we could create one template to pilot and test on one domain, do some content validity work with our SMEs, and then draft the rest of the domains to pilot.

    Our CCP Domain Scenario Template

    Given a scenario, identify impacted domains and practices, list common strategies deployed by the OSC to meet compliance on those practices, compare alternate strategies for meeting compliance on these practices, and create advice for the OSC to include on a POA&M in the (area) for out of compliance.

    Scoring rubric (one point per column, four points per scenario):

    • Domains & Practices (1 point): All Domains and practices were appropriately identified. (If incorrect, no additional points awarded. Revise and resubmit.)
    • Common Strategies for Compliance (1 point): All common strategies for compliance deployed by the OSC for compliance standards are identified. (If incorrect, no additional points awarded. Revise next two sections to resubmit.)
    • Compare Alternate Strategies for Compliance (1 point): A minimum of one alternate strategy for compliance is identified and explained against the OSC approach. (If incorrect, no additional points awarded. Revise next two sections to resubmit.)
    • Advice for OSC on a POA&M (1 point): Provides at least two pieces of advice to the OSC to include on a POA&M in the specified area for out of compliance. (If incorrect, no additional points awarded. Revise next two sections to resubmit.)


    • Domains & Practices: If the learner scores a 0 on the domains and practices, the remaining columns need to be redone; no remaining points can be awarded.
    • Common Strategies for Compliance: If the learner scores a 0 on the strategies for compliance, the remaining columns need to be redone; no remaining points can be awarded.
    • Alternate Strategies: If the learner scores a 0 on the alternate strategies, the remaining column needs to be redone; no remaining points can be awarded.

    Each scenario can earn a total of four points, but they are cumulative: if you cannot identify the correct domain and process, you cannot earn credit for the assessment objectives.

    Content Validity Steps

    Now that Dr. Tucker and I have a template to play with, we have provided it to our two content validity experts, Leighton Johnson and Vincent Scott. They and I will each create a Domain-specific scenario. We will then get together with our three exemplars and resolve any disagreements until we reach 100% agreement.

    Then we will divide up the Domains and finish writing scenarios. Then comes the hard part. Running cognitive labs with students, doing inter-rater reliability checks, and writing scoring guides.

    Having so much fun.

  • Where do I Begin My CMMC Journey?

    Stop looking for the easy button. Hang up on those who say, "Turn Key."

    Then get started; you may have more done than you think.

    Do not go to page one of the CMMC Assessment Guide Level Three, open up to page 10, and start with Access Control AC.1.001:

    Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

    First, by now you know only the assessment objectives matter. You must have enough observable evidence (multiple pieces for each) on the following AOs to reach compliance on AC.1.001.

    Determine if:

    • [a] authorized users are identified;
    • [b] processes acting on behalf of authorized users are identified;
    • [c] devices (and other systems) authorized to connect to the system are identified;
    • [d] system access is limited to authorized users;
    • [e] system access is limited to processes acting on behalf of authorized users; and
    • [f] system access is limited to authorized devices (including other systems).

    Do not start here. Heads explode, and you begin to think people come from a different planet.

    Define the Roles

    In our training classes for Organizations Seeking Certification we say: begin by determining who has the authority over different parts of your System Security Plan (SSP) (see NIST SP 800-18 for more).

    In small companies people often wear all the hats. That is still possible, but you need to initialize each role. After that we do not encourage folks to go right into counting and determining where Controlled Unclassified Information lives.

    Count Stuff

    We also encourage folks to inventory their policies very early on. Employee handbooks, meeting minutes, onboarding docs, etc. Even if you only have informal systems in long email chains, find this stuff. It will help when you use a template or policy package from a vendor.

    Then try to count where CUI lives in your system and what % of revenue comes in from contracts that flow down the DFARS 7012 clause.

    From there nobody can tell you the correct next step. Every system and company is in a totally different state. A three-year-old SBIR-funded machine learning company may use the latest and greatest in noncompliant technology, while a sixty-year-old manufacturer pays more in end-of-life extension fees for noncompliant technology.

    Basics of Cybersecurity

    We lean heavily on focusing on:

    1. Policy
    2. Access Control
    3. Inventory
    4. Awareness and Training
    5. Governance

    before you even start thinking about your major technical controls. Using these five roots of cybersecurity you should have enough skill to rough out a sketch of your data flow and network diagrams.

    That gives you a basic understanding of your scope. Now you can engage with cybersecurity and compliance experts on completing a true scoping assessment, to prepare for a formative assessment before seeking a summative certification assessment.

    At the same time, we wonder if you should think about CMMC compliance as starting with the Awareness and Training Domain.

    Awareness and Training First?

    Can you complete your SSP while also reaching compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

    Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes the difference.

  • Who took the Cake Marked CUI from the Fridge? CMMC and Data Ownership

    We have all seen or felt the rage. You go into the fridge to grab the gooey chocolate volcano cake you labeled, and the shelf laughs back at you with an eerily empty cackle. Someone did not know who owned the cake.

    flickr photo by carolinerac shared under a Creative Commons (BY-NC-ND) license

    Almost all the guidance on CMMC tells you to start with determining where and how CUI flows through your system. You might want to first figure out who gets to decide the lunch policy and what goes in the fridge.

    Not to mention many a prime might tell you, "We don't know if we send you CUI, but you must have a system that supports receiving CUI if you want future contracts."

    So start with deciding who's in charge.

    CMMC and Data Ownership

    To understand the team your company brings to the dance we turn to NIST SP 800-18. The document basically begins with deciding where the buck stops.

    What is Management Operation?

    In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.
    So before you even decide how you want CUI to flow, you have to know who signs on the dotted line.

    Roles and Responsibility

    Management authorization should be based on an assessment of management, operational, and technical controls.
    1. Security Officer
    2. Information Systems Owner
    3. Information Owner
    According to NIST you appoint a Chief Information Officer:

    (CIO) is the agency official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities for system security planning.

    Most small manufacturers do not have a CIO. You either use a Managed Service Provider or you as CEO do it. Sometimes people choose Deborah in accounting because she keeps that WordPress site about her Gobots collection. But usually just you.

    • The CIO chooses the senior agency information security officer (probably also you, an MSP, or Deborah).
    • Develop all the security procedures and policies (copy and paste SANS templates)
    • Do all the cybersecurity stuff
    • Do all the cybersecurity training stuff
    The Information Systems Owner, according to NIST, still probably just you, keeps all your wifi and printers going:
    Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
    • Write the system security plan
    • Maintain and monitor the security plan
    • Make sure people do the cybersecurity training
    • Update the system security plan
    • Help with implementing practices and processes
    The information owner: unless we're talking Intellectual Property, with CUI we mean the Department of Defense, but in terms of your company you need to know who:
    • Establishes the roles and rules
    • Helps with security
    • Decides who gets access to sensitive information
    NIST SP 800-18 lists a few other jobs, but we have already described three jobs past your headcount. Deborah quit when she saw she had to do government-level controls on private sector budgets.

    NIST wrote the guide to writing security plans for the government, not for your small business. Just remember that you do need to decide who acts as the authorizing agent. Who says:

    • Our System Security Plan is good to go
    • Authorize the information system
    • Deny access to the information system

    When you begin your CMMC journey you need to decide who gets to play boss of the SSP, the information system, and all the people. And please stop taking food out of the fridge that does not have your name.

  • Please support the DIMF Kids

    As part of our CMMC work we hope to create a Higher Education network to ensure we have the cybersecurity, machine learning, and artificial intelligence expertise to keep our country and economy safe.

    As part of that network we provide scholarships to children who lost a Defense Intelligence Enterprise officer in the line of duty.

    We need you to write to Congress to ensure we can provide even more scholarships to children who lost parents serving in silence.

    What is the Defense Intelligence Memorial Foundation?

    The Defense Intelligence Memorial Foundation (DIMF) is a tax-exempt, non-profit educational foundation. Our vision is to create an operationally transparent, ethical, and fiscally solvent foundation distributing scholarship funds to the families of Defense Intelligence officers killed in the line of duty. We support all elements of the Defense Intelligence Enterprise, to include the:

    • Defense Intelligence Agency
    • National Security Agency
    • National Geospatial-Intelligence Agency
    • National Reconnaissance Office
    • Service Intelligence Components
    • Combatant Commands

    The staff and board members are current and former intelligence officers dedicated to honoring the memory of those who gave the last full measure.

    Who qualifies for Foundation scholarships?

    The children of Defense Intelligence Enterprise officers, civilian or military, killed in the line of duty are eligible for scholarships. Scholarship candidates can be natural born, adopted, or the stepchildren of USG employees killed in the line of duty. These children are not covered under any other intelligence community educational scholarship programs.

    Since 2000, the DIE has lost 54 officers in the line of duty. Aside from the Casualty Assistance Programs in each Defense Intelligence component, the families of these heroes are largely forgotten and, by the DIMF’s research, 44 children have not had the support of a non-profit organization for their educational needs. The DIMF is making some progress in this mission. In 2020, the DIMF awarded its first educational grant to one child and, in 2021, expects to award two additional scholarships.

    Families of the fallen in the Central Intelligence Agency and Special Operations community have benefited from charities supplying scholarships to their school-aged children. The FY14 Intelligence Authorization Act empowers the Director of CIA to fundraise and advocate for the CIA Officers Memorial Foundation. I am requesting your support for legislation, similar to what was enacted for the CIA, which would authorize Defense Intelligence leadership to fundraise on-behalf of non-profit organizations providing support to surviving family members.

    Attached is a form letter to send to Congress. On behalf of those who will benefit now and in the future, we thank you for supporting the DIMF Kids.

  • Alex Sharpe Joins Our CMMC Essentials Course as an Instructor

    The learning team we have built for CMMC Essentials blows me away every day.

    Just yesterday I spent the day with Dr. Lauren Tucker, Vincent Scott, and Leighton Johnson. We conducted a content validity check of our learning objectives against the official (but under NDA) CMMC-AB objectives.

    Then we launched right into Module Zero of CMMC Essentials. Paul Netopski, Dr. Lisa Lancor, and Brian Rogaliski rounded out the teaching squad.

    Today I am excited to announce Alex Sharpe will join the CMMC Essentials (not too late to register) class as an instructor. Mr. Sharpe, a CMMC Registered Professional and member of an upcoming Certified Instructor class, brings decades of operational experience.

    Alex Sharpe gained over 30 years of real-world operational experience as a Cybersecurity, Privacy and Digital Transformation expert. Mr. Sharpe, a National Security Agency alum, has run business units and has influenced, and continues to influence, national policy.

    Mr. Sharpe has spent much of his career helping corporations and government agencies reap the rewards afforded by advances in technology (Digital Transformation) while mitigating cyber threats. This provides him a pragmatic understanding of the delicate balance between Cybersecurity, Operational Effectiveness, and Business realities.

    Sharpe began his career at NSA, moving into the Management Consulting ranks and building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits. He has participated in over 20 M&A transactions. He has delivered to clients in over 20 countries on 6 continents.

    Mr. Sharpe holds degrees in Electrical Engineering from New Jersey Institute of Technology (NJIT), Systems Engineering from Johns Hopkins University (JHU), and Business from Columbia Business School. He is a published author, speaker, instructor, and advisor. He serves on industry forums and pays it forward as a mentor at an incubator.

    Alex Sharpe LinkedIn Profile

  • Course Descriptions of the Classes we Design for CyberDI

    The official launch of Certified CMMC classes approaches every day. I am so proud of our time at Southern Connecticut State University and what we build for CyberDI.

    Come learn with us.

    If you want to test drive the curriculum before buying, we offer prep classes June 14th and July 20th.

    Learn flickr photo by PlusLexia.com shared under a Creative Commons (BY) license

    Cybersecurity training is the greatest internal threat our Nation currently faces in our mission to protect sensitive data.

    CyberDI's Certified Courses come equipped with all the materials for an LTP to deliver in any modality of their choosing. We see no difference in the educational experience of a face-to-face, online, or hybrid class. The modality does not determine learning.

    We see no difference in the role of the instructor whether a class runs asynchronously online or synchronously online. Time does not determine learning.

    Instead, LTPs can customize the CyberDI curriculum to the modality and medium that matches the needs of the target learners. We have customized multiple packages that will all elicit evidence of knowledge growth using learning objectives derived from and aligned to the CMMC-AB objectives.

    Every LTP can know the best research practices were applied in ensuring the content validity of CyberDI courses. Every activity went through three rounds of content validity with cybersecurity, cryptology, and learning experts. Every module in all of our classes comes with a pre- and post-assessment to help learners measure their growth against the CMMC-AB Certified objectives. As more students complete our courses we will also begin to provide reliability estimates and inter-rater training guides for our pre- and post-assessments.

    No LPP has constructed a better learning team. Dr. Lisa Lancor, Chair of the Computer Science Department at Southern Connecticut State University, leads a team that includes military and intelligence penetration experts, cryptologists, signal engineers, ADA/Universal Design for Learning experts, network technicians, and educational psychologists.

    All of our course timings align to Carnegie credit hours, and we offer course mappings for ISACA-aligned CPEs. The three classes combined equal a three-credit Carnegie Hour class.

    Students will also be provided a course workbook that includes all of the online activities in paper based form. The workbook will also include the CMMC assessment guides.

    LTPs can also rest assured that all of our learning tools are 508/ADA compliant. LTPs have a legal and moral responsibility to ensure every learner can access course material. Universal Design for Learning could never have greater importance to the Department of Defense. Luckily, veterans survive wounds that would once have left them KIA, but this also means we have a duty to ensure their fight and mission never end. Cybersecurity provides a great transition for wounded and newly abled veterans dealing with hearing or sight loss. Respect our veterans and follow the law. Get 508 Compliant with CyberDI.

    Most importantly, when an LTP chooses to work with CyberDI they know they have a mission-driven partner. We fight every day to create CMMC-aligned apprenticeships from High School through college, and we train veterans in AI and ML. We see cybersecurity and CMMC as a ten-year headcount issue, not a cash grab but a way to address a changing battlefield. We welcome other like-minded organizations to the fight.

    All knowledge areas in every class represent one module in our course. Every module will come with the following items an LTP can use to customize their course delivery:

    • Completed module template in Word, HTML, and PDF
    • Modules broken into lessons grouped logically around validated learning objectives
    • Objectives mapped to CMMC-AB objectives, noting where they are introduced, reinforced, and assessed
    • Module kick-off video defining all key terms through direct instruction
    • Subject Matter Expert interview video(s)
    • A reading task aligned to lesson objectives to scaffold active reading
    • A writing task that then asks learners to combine reading understandings with prior knowledge or secondary sources
    • A mentor text of the writing task for teaching purposes
    • A 3-point rubric to assess the writing task
    • Performance assessment task to elicit observable evidence of knowledge and skill growth aligned to module objectives
    • Performance assessment rubric, inter-rater training, or multiple-choice answers
    • Performance assessment instructor guide
    • Criteria and list of possible evidence for an OBI 2.0 Digital Credential
    • Digital credentialing platform

    We partner with different LTPs and will work with you to customize your curriculum to meet your customers' needs.

    Working with CyberDI you can differentiate your product offerings and apply our LMS-agnostic curriculum anywhere.

    CCP: 56 hours contact time

    Training Modality Type | Description of course features/additional student materials | Number of Course Days

    56 hour asynchronous self-paced learning: build a curriculum with module resources
    • Direct Instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem-based CUI scenarios faced by OSCs
    • Problem-based Domain scenarios for helping OSCs

    56 hour synchronous online/f2f learning: everything above plus
    • Class pacing guide
    • Lesson plans
    • Face-to-face teaching tips

    56 hour asynchronous online learning: everything above plus
    • Class pacing guide
    • Lesson plans
    • Threaded discussion prompts


    CCA-1: 24 hours contact time

    Training Modality Type | Description of course features/additional student materials | Number of Course Days

    24 hour asynchronous self-paced learning: build a curriculum with module resources
    • Direct Instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem-based FAR scenarios
    • Tabletop cyber range activities
    • Blue/red/purple assessment objective prompts
    • Problem-based Domain scenarios for helping OSCs

    24 hour synchronous online/f2f learning: everything above plus
    • Class pacing guide
    • Lesson plans
    • Face-to-face teaching tips

    24 hour asynchronous online learning: everything above plus
    • Class pacing guide
    • Lesson plans
    • Threaded discussion prompts


    CCA: 56 hours contact time

    Training Modality Type | Description of course features/additional student materials | Number of Course Days

    56 hour asynchronous self-paced learning: build a curriculum with module resources
    • Direct Instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem-based CUI scenarios aligned to ISOO requirements
    • Problem-based CUI scenarios aligned to assessment objectives
    • Problem-based CMMC domain scenarios aligned to assessment objectives
    • Network diagram challenges
    • Cyber range scoping activities
    • Blue/red/purple assessment objective prompts

    56 hour synchronous online/f2f learning: everything above plus
    • Class pacing guide
    • Lesson plans
    • Face-to-face teaching tips

    56 hour asynchronous online learning: everything above plus
    • Lesson plans
    • Threaded discussion prompts


  • Mocktini Recipes for CMMC Essential Happy Hours

    Blah, blah, travel story.

    Please enjoy these recipes for the Mocktini Happy Hours scheduled every Wednesday night during our CMMC Essentials class at Southern Connecticut State University.

    Limey flickr photo by SanFranAnnie shared under a Creative Commons (BY-SA) license

    Frozen Apple Stuxnet

    Ingredients:
    • Salt, to serve
    • 1 lime, halved
    • 2 cups (500ml) Ashton Valley Fresh Sparkling Apple Juice
    • 2 tsp finely grated lime rind
    • 2 tbsp lime juice
    • 4 cups ice cubes
    • 4 slices green apple
    • Lime zest, to serve

    Directions:
    1. Place salt on a plate. Run the cut side of the lime around the rims of serving glasses. Dip in the salt to coat.
    2. Place sparkling apple juice, tequila, if using, lime rind, lime juice and ice in a blender and blend until smooth. Pour evenly among the glasses.
    3. Decorate with apple slices and lime zest.

    Black Energy

    Ingredients:
    • 510 mg (two capsules) black activated charcoal
    • 1 oz Honey Syrup
    • 1.75 oz Lime Juice
    • 2.25 oz Beet Juice

    Directions:
    1. In a small bowl, break apart the charcoal capsules and discard the outer layer.
    2. Whisk together the charcoal and honey syrup until combined (it will be jet black in color).
    3. In a shaker, combine the charcoal-honey syrup with the remaining ingredients and fill with ice.
    4. Shake, and strain into a rocks glass filled with fresh ice.

    Shadow Hammer Slammer

    Ingredients:
    • 1 can of seltzer
    • 2 cups pineapple juice
    • 1 ½ cups orange juice
    • maraschino cherries for garnish

    Instructions:
    1. In a pitcher, add ice, seltzer, and the two juices.
    2. Stir to dilute slightly from the melting ice.
    3. Fill red solo cups or cocktail glasses with ice and put two to three cherries in each glass.
    4. Fill with the Shadow Hammer Slammer drink.

All content, unless otherwise noted, is licensed under CC-BY.