  • Developing and Testing CUI Scenario Questions

    Tomorrow in our CMMC Essentials class we will launch the module on Sensitive Data. This means defining the differences between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

    Data Thief - Hacker - Cyber Criminal flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license

    We also need to cover the seventeen basic safeguards for protecting FCI and the legal responsibilities of those with a lawful need to access CUI:

    • Create
    • Designate
    • Label
    • Store
    • Disseminate
    • Destroy
    • Decontrol

    At the same time the scenarios should focus on helping an Organization Seeking Certification rather than on whether the Assessment Objectives get met by the NPCs (non-player characters) in the story.

    So in designing CUI scenario problems we have four major content goals:

    1. Define the legal responsibility for authorized handling
    2. Identify domains, practices, and assessment objectives impacted by explicit mention of CUI
    3. Identify domains, practices, and objectives impacted implicitly (think media protection policy)
    4. Create or evaluate a CUI plan or policy

    I worked with Brian Rogalaski of Hexscapes on the example below. Tell us what you think.

    Does it set out to measure what we want it to measure? Does the scenario script provide enough detail while remaining vague enough to require additional information? How important is the topic to what we want to measure? Does the scenario fit the audience of a CMMC Consultant and an MSP?

    Yoxas Inc., a small manufacturer, has severely limited the use of portable storage devices on external systems. Jill needs to give a presentation at a client site that will contain CUI. According to the technical restrictions in the Yoxas CUI policy, Jill must reach out to Kamal, Yoxas's security officer, from whom she receives permission to use a USB drive.

    What strategies would you suggest Jill and Kamal take to make sure their use of portable storage devices stays compliant with CMMC Level Three practices and processes?

    What specific CMMC Domains, practices, and assessment objectives get impacted by Jill removing CUI off-site?

    What requirements must Jill and Kamal meet to protect CUI based on NARA regulations?

    Write a Section for the CUI Policy at Yoxas Inc. that covers the limited use of Portable Storage Devices.

  • How would you teach the 17 Domains in the CMMC CCP class?

    Cybersecurity failed because cybersecurity training failed. Full stop.


    “Fail” by makinations is licensed under CC BY-NC

    Relying on self-paced videos followed by multiple choice questions and calling these activities scenario-based awareness and training has harmed our National Security.

    So as we work with CyberDI, and LTP/LPP, on Cybersecurity Maturity Model Certification we want to help address this crisis.

    Considering how to teach and assess the seventeen domains of CMMC weighs heavily on us. See, it's not just 17 Domains. You need to think practices, processes, and assessment objectives. In the end we have to ensure assessors have the ability to apply the not-yet-released CMMC Assessment Process using the not-yet-released scoping guidance to check compliance on 705 assessment objectives.

    So we turn to you, the audience, and ask, "How would you teach the Domains?" It always begins with audience.

    Audience

    I have such an amazing Instructional Design team:

    • Leighton Johnson
    • Vincent Scott
    • Paul Netopski
    • Brian Rogolaski
    • Dana Mantilla
    • Richard Dawson
    • Lauren Tucker
    • Lisa Lancor
    and we all agree that the way we ask about the domains must change based on the audience of the class. While all the classes expect some background in IT or security, the CCP, the CMMC Certified Professional class, will focus on consultants providing training, CEOs and employees of Organizations Seeking Certification, and Federal Employees. The audience will change the nature of the scenarios. In the CCP class we want to address scenarios where the answers and/or discussion revolve around providing advice. In the CA1 and CA3 class we will focus strictly on applying the CAP to the Assessment Objectives.

    Compliance Recipe

    In the end, how you assess all 705 objectives is like making a breakfast smoothie. Everyone will tell you the best order to add fruit, but in the end the blender blades treat them all the same. CMMC does the same with assessment objectives. In the end you must have compliance on all 705 assessment objectives. In the wild, assessment strategies have coalesced around four main plans:
    • You break objectives down into People, Processes, and Technology
    • You organize the Domains into Groups and deploy assessors likewise
    • You organize your Domains into technical systems and deploy assessors likewise
    • You organize 705 assessment objectives into one gigantic spreadsheet

    The approach the assessor takes does not matter. In the end you chop up 17 Domains into 700 and something assessment objectives. Still, I want to cover the common text structures deployed by experts in the field.

    Determining an Objectives Scheme

    I can’t share the CMMC-AB objectives, but we have to cover ALL the Domains, ALL Practices, and ALL Processes in CMMC. That means 705 objectives.

    Now we can't give you a quiz with 705 items on it, so we had to immediately think of ways to cast an ontological net to meet the CMMC-AB objectives without threatening the validity of any pre- and post-test.

    You see, objectives take multiple items to measure. Given we have 17 domains, if we wanted to use forced response items (multiple choice) we would find our learners in a pickle.

    Technically you should have two items, really three, per objective. So if we assessed every assessment objective we would need a post-test of over 2,115 items. So writing objectives at the assessment-objective level was out.

    Next, I turned to thinking about the rigor of the scenario problems we had to craft. I do not want learners spending hours in class looking for random page numbers and CMMC Practice and Process numbering systems.

    I don’t care if learners can count (unless talking IADM).

    So, I turned to Webb's Depth of Knowledge:

    • Level 1. Recall and Reproduction
    • Level 2. Skills and Concepts
    • Level 3. Strategic Thinking
    • Level 4. Extended Thinking

    This got me to:

    • identify impacted domains and practices
    • list common strategies deployed by the OSC to meet compliance on those practices
    • compare alternate strategies for meeting compliance on these practices
    • create advice for the OSC to include on a POA&M

    Still, this left me with 68 objectives. Still too many. I would need 130-210ish forced response items. Plus, you usually must start with a bank of ten items for each objective to get down to three good multiple-choice items.

    Can’t happen. Not without threatening validity.

    Multidimensional Scenario Problems

    So forced response items went out the window. Instead, Dr. Tucker and I began to think about a multidimensional scenario-based problem so we could create one template to pilot and test on one domain, do some content validity work with our SMEs, and then draft the rest of the domains to pilot.

    Our CCP Domain Scenario Template

    Given a scenario, identify impacted domains and practices, list common strategies deployed by the OSC to meet compliance on those practices, compare alternate strategies for meeting compliance on these practices, and create advice for the OSC to include on a POA&M in the (area) for out of compliance.

    Domains & Practices (1 point): All Domains and practices were appropriately identified. (If incorrect, no additional points awarded. Revise and resubmit.)

    Common Strategies for Compliance (1 point): All common strategies deployed by the OSC to meet compliance standards are identified. (If incorrect, no additional points awarded. Revise the next sections and resubmit.)

    Compare Alternate Strategies for Compliance (1 point): A minimum of one alternate strategy for compliance is identified and explained against the OSC's approach. (If incorrect, no additional points awarded. Revise the next sections and resubmit.)

    Advice for OSC on a POA&M (1 point): Provides at least two pieces of advice to the OSC to include on a POA&M in the specified area for out of compliance. (If incorrect, no additional points awarded. Revise the next sections and resubmit.)

    Instructors:

    Domains & Practices: If the learner scores a 0 on domains and practices, the remaining columns need to be redone; no remaining points can be awarded.

    Common Strategies for Compliance: If the learner scores a 0 on the strategies for compliance, the remaining columns need to be redone; no remaining points can be awarded.

    Alternate Strategies: If the learner scores a 0 on the alternate strategies, the remaining column needs to be redone; no remaining points can be awarded.

    Each scenario can have a total of four points, but they are cumulative, so if you cannot identify the correct domain and process you cannot earn credit for the assessment objectives.

    Content Validity Steps

    Now that Dr. Tucker and I have a template to play with, we have provided it to our two content validity experts, Leighton Johnson and Vincent Scott. They and I will each create a Domain-specific scenario. We will then get together with our three exemplars and resolve any disagreements until we reach 100%.

    Then we will divide up the Domains and finish writing scenarios. Then comes the hard part. Running cognitive labs with students, doing inter-rater reliability checks, and writing scoring guides.

    Having so much fun.

  • Where do I Begin My CMMC Journey?

    Stop looking for the easy button. Hang up on those who say, “Turn Key”

    Then get started, you may have more done than you think.

    Do not go to page one of the CMMC Assessment Guide Level Three, open up to page 10, and start with Access Control AC.1.001:

    Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

    First, by now you know only the assessment objectives matter. You must have enough observable evidence (multiple pieces for each) on the following AOs to reach compliance on AC.1.001.

    Determine if:

    • [a] authorized users are identified;
    • [b] processes acting on behalf of authorized users are identified;
    • [c] devices (and other systems) authorized to connect to the system are identified;
    • [d] system access is limited to authorized users;
    • [e] system access is limited to processes acting on behalf of authorized users; and
    • [f] system access is limited to authorized devices (including other systems).

    Do not start here. Heads explode, and you begin to think people come from a different planet.

    Define the Roles

    In our training classes for Organizations Seeking Certification we say begin by determining who has the authority over different parts of your System Security Plan (SSP) (see NIST SP 800-18 for more).

    In small companies people often wear all the hats. That is still possible, but you just need to initialize each one. After that we do not encourage folks to go right into counting and determining where Controlled Unclassified Information lives.

    Count Stuff

    We also encourage folks to inventory their policy very early on. Employee handbooks, meeting minutes, onboarding docs, etc. Even if you have informal systems in long email chains find this stuff. It will help when you use a template or policy package from a vendor.

    Then try to count where CUI lives in your system and what % of revenue comes in from contracts that flow down the DFARS 7012 clause.

    From there nobody can tell you the correct next step. Every system and company is in a totally different state. A three-year-old SBIR-funded machine learning company may use the latest and greatest in non-compliant technology, while a sixty-year-old manufacturer pays more in end-of-life extension fees for non-compliant technology.


    Basics of Cybersecurity

    We lean heavily on focusing on:

    1. Policy
    2. Access Control
    3. Inventory
    4. Awareness and Training
    5. Governance

    Before you even start thinking about your major technical controls. Using these five roots of cybersecurity you should have enough skill to rough out a sketch of your data flow and network diagrams and a basic understanding of your scope. Now you can engage with cybersecurity and compliance experts on completing a true scoping assessment to prepare for a formative assessment before seeking a summative certification assessment.

    At the same time we wonder if you should think about CMMC compliance as starting with Awareness and Training Domain.


    Awareness and Training First?

    Can you complete your SSP while also reaching compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

    Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes this difference.


  • Who took the Cake Marked CUI from the Fridge? CMMC and Data Ownership

    We have all seen or felt the rage. You go into the fridge to grab the gooey cooey chocolate volcano cake you labeled, and the shelf laughs back at you with an eerily empty cackle. Someone did not know who owned the cake.


    flickr photo by carolinerac shared under a Creative Commons (BY-NC-ND) license

    Almost all the guidance on CMMC tells you to start with determining where and how CUI flows through your system. You might want to first figure out who gets to decide the lunch policy and what goes in the fridge.

    Not to mention many a prime might tell you, “We don’t know if we send you CUI but you must have a system that supports receiving CUI if you want future contracts.”

    So start with deciding who's in charge.

    CMMC and Data Ownership.

    To understand the team your company brings to the dance we turn to NIST SP 800-18. The document basically begins with deciding where the buck stops.

    What is Management Operation?

    In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.
    So before you even decide how you want CUI to flow you gotta know who signs the dotted line.

    Roles and Responsibility

    Management authorization should be based on an assessment of management, operational, and technical controls.
    1. Security Officer
    2. Information Systems Owner
    3. Information Owner
    According to NIST you appoint a Chief Information Officer.

    (CIO) is the agency official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities for system security planning

    Most small manufacturers do not have a CIO. You either use a Managed Service Provider or you as CEO do it. Sometimes people choose Deborah in accounting because she keeps that WordPress site about her Gobots collection. But usually just you.

    • The CIO chooses the senior agency information security officer (probably also you, an MSP, or Deborah).
    • Develop all the security procedures and policies (copy and paste SANS templates)
    • Do all the cybersecurity stuff
    • Do all the cybersecurity training stuff
    The Information Systems Owner, according to NIST, still probably just you, keeps all your wifi and printers going.
    Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
    • Write the system security plan
    • Maintain and monitor the security plan
    • Make sure people do the cybersecurity training
    • Update the system security plan
    • Help with implementing practices and processes
    The information owner, and unless we are talking Intellectual Property, with CUI we mean the Department of Defense, but in terms of your company you need to know who:
    • Establishes the roles and rules
    • Help with security
    • Decide who gets access to sensitive information
    NIST SP 800-18 lists a few other jobs, but we have already described three jobs past your headcount. Deborah quit when she saw she had to do government-level controls on private sector budgets.

    NIST wrote the guide to writing security plans for the government not for your small business. Just remember that you do need to decide who acts as the authorizing agent. Who says:

    • Our System Security Plan is good to go
    • Authorize the information system
    • Denies access to the information system

    When you begin your CMMC journey you need to decide who gets to play boss of the SSP, the information system, and all the people. And please stop taking food out of the fridge that does not have your name.

  • Please support the DIMF Kids

    As part of our CMMC work we hope to create a Higher Education network to ensure we have the cybersecurity, machine learning, and artificial intelligence expertise to keep our country and economy safe.

    As part of that network we provide scholarships to children who lost a Defense Intelligence Enterprise officer in the line of duty.

    We need you to write to Congress to ensure we can provide even more scholarships to children who lost parents serving in silence.

    What is the Defense Intelligence Memorial Foundation?

    The Defense Intelligence Memorial Foundation (DIMF) is a tax-exempt, non-profit educational foundation. Our vision is to create an operationally transparent, ethical, and fiscally solvent foundation distributing scholarship funds to the families of Defense Intelligence officers killed in the line of duty. We support all elements of the Defense Intelligence Enterprise, to include the:

    • Defense Intelligence Agency
    • National Security Agency
    • National Geospatial-Intelligence Agency
    • National Reconnaissance Office
    • Service Intelligence Components
    • Combatant Commands

    The staff and board members are current and former intelligence officers dedicated to honoring the memory of those who gave the last full measure.

    Who qualifies for Foundation scholarships?

    The children of Defense Intelligence Enterprise officers, civilian or military, killed in the line of duty are eligible for scholarships. Scholarship candidates can be natural born, adopted, or the stepchildren of USG employees killed in the line of duty. These children are not covered under any other intelligence community educational scholarship programs.

    Since 2000, the DIE has lost 54 officers in the line of duty. Aside from the Casualty Assistance Programs in each Defense Intelligence component, the families of these heroes are largely forgotten and, by the DIMF’s research, 44 children have not had the support of a non-profit organization for their educational needs. The DIMF is making some progress in this mission. In 2020, the DIMF awarded its first educational grant to one child and, in 2021, expects to award two additional scholarships.

    Families of the fallen in the Central Intelligence Agency and Special Operations community have benefited from charities supplying scholarships to their school-aged children. The FY14 Intelligence Authorization Act empowers the Director of CIA to fundraise and advocate for the CIA Officers Memorial Foundation. I am requesting your support for legislation, similar to what was enacted for the CIA, which would authorize Defense Intelligence leadership to fundraise on-behalf of non-profit organizations providing support to surviving family members.

    Attached is a form letter to send to Congress. On behalf of those who will benefit now and in the future, we thank you for supporting the DIMF Kids.

  • Alex Sharpe Joins Our CMMC Essentials Course as an Instructor

    The learning team we have built for CMMC Essentials blows me away everyday.

    Just yesterday I spent the day with Dr. Lauren Tucker, Vincent Scott, and Leighton Johnson. We conducted a content validity check of our learning objectives against the official (but NDA'd) CMMC-AB objectives.

    Then we launched right into Module Zero of CMMC Essentials. Paul Netopski, Dr. Lisa Lancor, and Brian Rogaliski rounded out the teaching squad.

    Today I am excited to announce Alex Sharpe will join the CMMC Essentials (not too late to register) class as an instructor. Mr. Sharpe, a CMMC Registered Professional and member of an upcoming Certified Instructor class, brings decades of operational experience.

    Alex Sharpe gained over 30 years of real-world operational experience as a Cybersecurity, Privacy and Digital Transformation expert. Mr. Sharpe, a National Security Agency alum, has run business units and has influenced, and continues to influence, national policy.

    Mr. Sharpe has spent much of his career helping corporations and government agencies reap the rewards afforded by advances in technology (Digital Transformation) while mitigating cyber threats. This provides him a pragmatic understanding of the delicate balance between Cybersecurity, Operational Effectiveness, and Business realities.

    Sharpe began his career at NSA moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits. He has participated in over 20 M&A transactions. He has delivered to clients in over 20 countries on 6 continents.

    Mr. Sharpe holds degrees in Electrical Engineering from New Jersey Institute of Technology (NJIT), Systems Engineering from Johns Hopkins University (JHU), and Business from Columbia Business School. He is a published author, speaker, instructor, and advisor. He serves on industry forums and pays it forward as a mentor at an incubator.

    Alex Sharpe LinkedIn Profile

  • Course Descriptions of the Classes we Design for CyberDI

    The official launch of Certified CMMC classes approaches every day. I am so proud of our time at Southern Connecticut State University and what we have built for CyberDI.

    Come learn with us.

    If you want to test drive the curriculum before buying we offer prep classes June 14th and July 20th.

    Learn flickr photo by PlusLexia.com shared under a Creative Commons (BY) license

    Cybersecurity training is the greatest internal threat our Nation currently faces in our mission to protect sensitive data.

    CyberDI’s Certified Courses come equipped with all the materials for an LTP to deliver in any modality of their choosing. We see no difference in the educational experience of a face to face, online, or hybrid class. The modality does not determine learning.

    We see no difference in the role of the instructor whether a class runs asynchronously online or synchronously online. Time does not determine learning.

    Instead, LTPs can customize the CyberDI curriculum to the modality and medium that matches the needs of the target learners. We have customized multiple packages that will all elicit evidence of knowledge growth using learning objectives derived from and aligned to the CMMC-AB objectives.

    Every LTP can know the best research practices were applied in ensuring the content validity of CyberDI courses. Every activity went through three rounds of content validity with cybersecurity, cryptology, and learning experts. Every module in all of our classes comes with a pre- and post-assessment to help learners measure their growth against the CMMC-AB Certified objectives. As more students complete our courses we will also begin to provide reliability estimates or inter-rater training guides for our pre- and post-assessments.

    No LPP has constructed a better learning team. Dr. Lisa Lancor Chair of the Computer Science Department at Southern Connecticut State University leads a team that includes military and intelligence penetration experts, cryptologists, signal engineers, ADA/ Universal Design for Learning experts, network technicians, and educational psychologists.

    All of our course timings align to Carnegie credit hours and we offer course mappings for ISACA aligned CPEs. The three classes combined equal a three credit Carnegie Hour class.

    Students will also be provided a course workbook that includes all of the online activities in paper based form. The workbook will also include the CMMC assessment guides.

    LTPs can also rest assured that all of our learning tools are 508/ADA compliant. LTPs have a legal and moral responsibility to ensure every learner can access course material. Universal Design for Learning could never have greater importance to the Department of Defense. Luckily veterans survive wounds that would have left them KIA, but this also means we have a duty to ensure their fight and mission never end. Cybersecurity provides a great transition for wounded and newly abled veterans dealing with hearing or sight loss. Respect our veterans and follow the law. Get 508 Compliant with CyberDI.

    Most importantly when an LTP chooses to work with CyberDI they know they have a mission driven partner. We fight every day to create CMMC aligned apprenticeships in High School through college, we train veterans in AI and ML. We see cybersecurity and CMMC as a ten-year headcount issue not a cash grab but a way to address a changing battlefield. We welcome other like-minded organizations to the fight.

    All knowledge areas in every class represent one module in our course. Every module will come with the following items an LTP can use to customize their course delivery:

    • Completed module template in Word, HTML, and PDF
    • Modules broken into lessons grouped logically around validated learning objectives
    • Objectives mapped to CMMC objectives noting where they are introduced, reinforced, and assessed
    • Module kick-off video defining all key terms through direct instruction
    • Subject Matter Expert interview video(s)
    • A reading task aligned to lesson objectives to scaffold active reading
    • A writing task that then asks learners to combine reading understandings with prior knowledge or secondary sources
    • A mentor text of the writing task for teaching purposes
    • A 3-point rubric to assess the writing task
    • Performance assessment task to elicit observable evidence of knowledge and skill growth aligned to module objectives
    • Performance assessment rubric, inter-rater training, or multiple-choice answers
    • Performance assessment instructor guide
    • Criteria and list of possible evidence for an OBI 2.0 Digital Credential
    • Digital credentialing platform

    We partner with different LTP’s and will work with you to customize your curriculum to meet your customer needs.

    Working with CyberDI you can differentiate your product offerings and apply our LMS agnostic curriculum anywhere.

    CCP - 56 hours contact time

    Each row below gives the training modality type, the course features and additional student materials, and the number of course days.

    56 hour asynchronous self-paced learning (7 course days)
    • Build a curriculum with module resources
    • Direct instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem based CUI scenarios faced by OSCs
    • Problem based Domain scenarios for helping OSCs

    56 hour synchronous online / face-to-face learning (7 course days)
    Everything above plus:
    • Class pacing guide
    • Lesson plans
    • Face to face teaching tips

    56 hour asynchronous online learning (7 course days)
    Everything above plus:
    • Class pacing guide
    • Lesson plans
    • Threaded discussion prompts

    CCA-1 - 24 hours contact time

    24 hour asynchronous self-paced learning (3 course days)
    • Build a curriculum with module resources
    • Direct instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem based FAR scenarios
    • Tabletop cyber range activities
    • Blue/red/purple assessment objective prompts
    • Problem based Domain scenarios for helping OSCs

    24 hour synchronous online / face-to-face learning (3 course days)
    Everything above plus:
    • Class pacing guide
    • Lesson plans
    • Face to face teaching tips

    24 hour asynchronous online learning (3 course days)
    Everything above plus:
    • Class pacing guide
    • Lesson plans
    • Threaded discussion prompts

    CCA - 56 hours contact time

    56 hour asynchronous self-paced learning (7 course days)
    • Build a curriculum with module resources
    • Direct instruction video
    • Articles written and curated by the Nation's leading experts
    • A writing task
    • Performance assessment with feedback from course facilitator
    • Teacher guide to scoring and providing feedback
    • Problem based CUI scenarios aligned to ISOO requirements
    • Problem based CUI scenarios aligned to assessment objectives
    • Problem based CMMC domain scenarios aligned to assessment objectives
    • Network diagram challenges
    • Cyber range scoping activities
    • Blue/red/purple assessment objective prompts

    56 hour synchronous online / face-to-face learning (7 course days)
    Everything above plus:
    • Class pacing guide
    • Lesson plans
    • Face to face teaching tips

    56 hour asynchronous online learning (7 course days)
    Everything above plus:
    • Lesson plans
    • Threaded discussion prompts

  • Mocktini Recipes for CMMC Essential Happy Hours

    Blah, blah, travel story.

    Please enjoy these recipes for the Mocktini Happy Hours scheduled every Wednesday night during our CMMC Essentials class at Southern Connecticut State University.

    Limey flickr photo by SanFranAnnie shared under a Creative Commons (BY-SA) license

    Frozen Apple Stuxnet

    Ingredients

    • Salt, to serve
    • 1 lime, halved
    • 2 cups (500ml) Ashton Valley Fresh Sparkling Apple Juice
    • 2 tsp finely grated lime rind
    • 2 tbsp lime juice
    • 4 cups ice cubes
    • 4 slices green apple
    • Lime zest, to serve

    Directions

    1. Place salt on a plate. Run the cut side of the lime around the rims of serving glasses. Dip in the salt to coat.
    2. Place sparkling apple juice, tequila, if using, lime rind, lime juice and ice in a blender and blend until smooth. Pour evenly among the glasses.
    3. Decorate with apple slices and lime zest.

    Black Energy

    Ingredients

    • 510 mg (two capsules) black activated charcoal
    • 1 oz honey syrup
    • 1.75 oz lime juice
    • 2.25 oz beet juice

    Directions

    1. In a small bowl, break apart the charcoal capsules and discard the outer layer.
    2. Whisk together the charcoal and honey syrup until combined (it will be jet black in color).
    3. In a shaker, combine the charcoal-honey syrup with the remaining ingredients and fill with ice.
    4. Shake, and strain into a rocks glass filled with fresh ice.

    Shadow Hammer Slammer

    Ingredients

    • 1 can of seltzer
    • 2 cups pineapple juice
    • 1 ½ cups orange juice
    • maraschino cherries for garnish

    Instructions

    1. In a pitcher, add ice, seltzer, and the two juices.
    2. Stir to dilute slightly from the melting ice.
    3. Fill red solo cups or cocktail glasses with ice and put two to three cherries in each glass.
    4. Fill with the Shadow Hammer Slammer drink.

  • What Practices and Assessment Objectives from CMMC apply to CUI?

    Sometimes to get a job done you just need Data.

    In the Cybersecurity Maturity Model Certification program, with five levels of cyber hygiene, almost all the Domains, practices, and assessment objectives implicitly require you to follow the regulations for the authorized handling of sensitive data: Controlled Unclassified Information (CUI) on non-federal systems (your computers, phones, internet, and other stuff).

    The major baseline for CMMC Level 3, which the Department of Defense will require for handling of CUI, builds off of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Basically everything after the first Level in CMMC has a role in protecting CUI.

    Yet you should know the assessment objectives that explicitly call out CUI. Once you know you have CUI in your business you need to scope out your CMMC assessment. This means you need to think about your data flow from the DoD, or a prime, and all your subcontractors. You need to inventory all assets in and out of scope, you need a network diagram, and you need to know what third-party or Software as a Service companies you use and whether they fall in scope or out of scope (CMMC Kill Chain, 2002).

    This sounds like a lot. It is. You probably need a professional.

    Still, before engaging a vendor you should have a good understanding of the assessment objectives that explicitly call out CUI. This may give you a good place to start before engaging a cybersecurity professional.

    AC.2.005

    Provide privacy and security notices consistent with applicable CUI rules.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and

    [b] privacy and security notices are displayed.

    AC.2.006

    Limit use of portable storage devices on external systems.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] the use of portable storage devices containing CUI on external systems is identified and documented;

    [b] limits on the use of portable storage devices containing CUI on external systems are defined; and

    [c] the use of portable storage devices containing CUI on external systems is limited as defined.

    AC.2.016

    Control the flow of CUI in accordance with approved authorizations.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    Determine if: [a] information flow control policies are defined;

    [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;

    [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;

    [d] authorizations for controlling the flow of CUI are defined; and

    [e] approved authorizations for controlling the flow of CUI are enforced.

    AC.3.014

    Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and

    [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.

    AC.3.020

    Control connection of mobile devices.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] mobile devices that process, store, or transmit CUI are identified;

    [b] mobile device connections are authorized; and

    [c] mobile device connections are monitored and logged.

    AC.3.022

    Encrypt CUI on mobile devices and mobile computing platforms.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and

    [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.

    AM.3.036

    Define procedures for the handling of CUI data.

    ASSESSMENT OBJECTIVES [CMMC]

    Determine if: [a] the organization establishes and maintains one or more processes or procedures for handling CUI data.

    AT.2.056

    Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    Determine if: [a] security risks associated with organizational activities involving CUI are identified;

    [b] policies, standards, and procedures related to the security of the system are identified;

    [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and

    [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

    MA.3.115

    Ensure equipment removed for off-site maintenance is sanitized of any CUI.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.

    MA.3.116

    Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.

    MP.2.119

    Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] paper media containing CUI is physically controlled;

    [b] digital media containing CUI is physically controlled;

    [c] paper media containing CUI is securely stored; and

    [d] digital media containing CUI is securely stored.

    MP.2.120

    Limit access to CUI on system media to authorized users.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] access to CUI on system media is limited to authorized users.

    MP.3.122

    Mark media with necessary CUI markings and distribution limitations.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] media containing CUI is marked with applicable CUI markings; and

    [b] media containing CUI is marked with distribution limitations.

    MP.3.124

    Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] access to media containing CUI is controlled; and

    [b] accountability for media containing CUI is maintained during transport outside of controlled areas.

    MP.3.125

    Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.

    PS.2.127

    Screen individuals prior to authorizing access to organizational systems containing CUI.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] individuals are screened prior to authorizing access to organizational systems containing CUI.

    PS.2.128

    Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    Determine if: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;

    [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and

    [c] the system is protected during and after personnel transfer actions.

    PE.3.136

    Enforce safeguarding measures for CUI at alternate work sites.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] safeguarding measures for CUI are defined for alternate work sites; and

    [b] safeguarding measures for CUI are enforced for alternate work sites.

    RE.2.138

    Protect the confidentiality of backup CUI at storage locations.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] the confidentiality of backup CUI is protected at storage locations.

    RM.2.141

    Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and

    [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.

    SC.3.177

    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.

    SC.3.185

    Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;

    [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and

    [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.

    SC.3.191

    Protect the confidentiality of CUI at rest.

    ASSESSMENT OBJECTIVES [NIST SP 800-171A]

    [a] the confidentiality of CUI at rest is protected.

    SC.3.193

    Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

    ASSESSMENT OBJECTIVES [CMMC]

    Determine if: [a] the organization has a security policy which restricts publishing CUI to any externally owned, publicly accessible information system;

    [b] the organization designates individuals authorized to post organization information onto any externally owned, publicly accessible information systems;

    [c] the organization trains authorized individuals to ensure that publicly accessible organization information does not contain CUI;

    [d] the organization conducts reviews to ensure CUI is not included in proposed content to be posted by the organization on a publicly accessible information system under its control; and

    [e] the organization removes CUI, if discovered, from any publicly accessible information system under its control.

    Data flickr photo by thirteenthbat shared under a Creative Commons (BY) license

  • An important read from the GAO. A report mandated by the 2020 NDAA on cybersecurity insurance jgregorymcverry.com/readings/…

  • Memorial Day Poem

  • We will establish the commercial viability of Wire Additive Manufacturing while collecting baseline data to prepare for a Phase II SBIR through a three stage research process:

    • 1: Acquisition and Curriculum Writing
    • 2: Integrator Training
    • 3: Intern Program
    Note 8

  • The Team:

    • Grisha: FTE Principal Investigator and Project Manager
    • Connecticut Center for Advanced Technology: Develop Base Core Curriculum. Deliver WAM Integrator training
    • Todd Schwendemann, SCSU Center of Nanotechnology: Program and curriculum evaluator
    Note 7

  • As an SBIR Team we will focus on the following goals:

    • Duplicable Process and Procedures
    • Integrator Recruitment and Retention
    • Intern Career Pathway Development
    Wire Additive Manufacturing means nothing without a focus on the headcount. Note 6

  • callback to Note 5

    Wire Additive Manufacturing leads to savings. You know what breaks a bunch? Stuff you pour liquid metal into.

    Casting replacement, parts replacement, reducing parts of origin, imagine subs doing WAM repairs while out at sea

  • Rewind to Note 4

    Instead of subtracting, additive manufacturing works like a 3D printer. Hybrid models add and subtract materials. This also improves security.

    Rick and Grisha expect to have many contracts with the 7021 clause, which means CMMC. Wire Additive = less data flow

  • Back to Note 3

    C&C Metals Inc. makes big parts for submarines. Imagine hot metal pouring into a casting. It takes two years to get castings approved for shipbuilding and one year for repair castings.

    Then 500 lbs of raw material, $15,000 later, gets shaped into 44 lbs part.

    Slow. Too slow

  • In reply to Note 2

    The Team will focus on the immediate commercial applicability of Wire Additive manufacturing while demonstrating the increased, speed, security, and savings to deliver ship building readiness.

    Navy cannot deliver increased Columbias doing the same thing over

  • Note 1

    Jeff will join the SBIR bid team I have built for C&C Metals Inc. The core values of CCAT align well. In fact Rick Corbiski had a tinge of jealousy looking at the support CT manufacturers get in state.

    Think Like Customers

    Constantly Innovate

    Be Accountable

    We are All In

  • Spent Friday at Connecticut Center for Advanced Technology meeting with Jeff Crandall and Rick and Grisha of C & C Metals, Inc.

    We took a tour of the Center and then got cracking on an SBIR NSF award we will submit for additive manufacturing

  • CMMC Process Assessments: Get better at Doing Business

    Getting lost in the different requirements of the Cybersecurity Maturity Model Certification? Pull back the sheets and realize much of what we mean with the practices and processes revolves around doing business better.

    You do practices in cybersecurity. Verbs. Controls. Compliance.

    These practices require processes to stick. Your company needs solid policies, documentation, and plans to implement practices. Processes. Governance. Nouns.

    With reflection through these processes comes security. Culture.

    When a company has a plan to protect controlled unclassified information (CUI), hires the right people, provides the training, and provides funding, sensitive data gets protected.

    The practices in CMMC derive from controls of different security frameworks. 110 of the one hundred seventy one practices in CMMC originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21. Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus twenty additional practices commonly called the Delta 20s (the Greek letter Delta, a triangle, means change).

    Basically, Cybersecurity Maturity Model Certification provides an avenue for third-party attestation of NIST SP 800-171, twenty additional practices, and also measurement of process institutionalization. That last part is the process part of a CMMC assessment.

    Process institutionalization, or the set of repeated practices and processes that lead to stable hygiene within an organization, leads to better business practice. By focusing on institutionalizing the practices and processes of CMMC a company gains stability in times of stress and consistency of results over time.

    Any company that does business in the Defense Contracting space should have a measure of their process maturity.

    What is Maturity Measurement?

    Maturity models measure growth through a series of benchmark measures. Think of CMMC like the 60 inches sign on a roller coaster. You need to reach a certain level of maturity to go for a ride. CMMC, in its processes, practices, and methods, sets goals and priorities for improvement.

    CMMC requires measurement of maturity. The assessments do not act as a growth measure or maturation assessment. Instead you need to show compliance on every objective of every practice and process measurement.

    What is Process Measurement?

    Processes build culture. As a company you engage in specific procedural activities. CMMC has identified, using research from SEI and Carnegie Mellon from the last 35 years, specific maturation processes that allow cultures of cyber hygiene to thrive. These processes have five levels within CMMC.

    You must meet the objectives of each of the processes at the level of certification.

    An Overview of CMMC Process Maturity

    The CMMC defines five levels of process maturity. Each level acts as a gateway benchmark assessment. You must demonstrate all Level 1 and Level 2 processes as well as Level 3 in order to comply. Five processes get measured across CMMC: two processes at Level 2 and one additional process at each level from three to five.
    • Level 1 requires that an organization performs the specified practices. You do not need to document any policy at Level 1 for compliance. Meeting the security requirements of Level 1 compliance will be easier with well-written policy. Process maturity is not assessed for Level 1.
    • Level 2 requires that an organization create a plan and the policies to document the practices and processes required of CMMC. Policy, policy, policy.
    • Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. You need to say who does what and how much you spend doing it: missions, goals, project plans, resourcing, required training, and stakeholders.
    • Level 4 requires an organization to test how well things go in the implementation of the plan.
    • Level 5 requires an organization to use continuous monitoring and improvement cycles.

    History of Process Maturity Measurement

    The process maturity assessment included in CMMC has a long history. The Software Engineering Institute began development in 1986 and released the Capability Maturity Model for Software, or CMM, in 1991. The model gets used in both the Capability Maturity Model Integration (CMMI) and the CERT Resilience Management Model, or CERT-RMM.

    Cybersecurity takes culture, and process measurement seeks to improve cybersecurity by shifting perspectives within an organization seeking certification. Companies must measure and understand the process, not just use a checklist of technical practices.

    CERT-RMM and the CMMC both measure practices and the institutionalization of these controls through process maturity assessment. In the CMMC an assessor will look for three types of processes: policy, practices, and plans. Commonly referred to as 99, 98 and 97 in the CMMC assessment guide.

    Three Types of Processes

    99 Establish a policy

    (NOTE: Convert screenshots to tables for accessibility purposes)

    Above you see the assessment objectives for the Awareness and Training Domain. These objectives require establishing a policy process, and below you see the same assessment objectives for the Access Control domain. What do you notice?

    98 Document the CMMC practices to implement

    The 99s require you to have policy. The 98s require a plan to make the policy come to life.

    Above you see the assessment objectives for the Awareness and Training Domain. The 98s require you to document how you implement your policies. Below you see the same assessment objectives for the Access Control domain. What do you notice?

    The 98s represent most of the practices in your SSP. However you do not want to include the line, “See the SSP.” This means an assessor needs to hunt, pick, and infer. Three sure ways to fail an assessment.

    97 Establish, maintain, and resource a plan

    If the 98s describe your procedures for documenting CMMC practices, the 97s describe how you pay qualified people to get the job done.

    Assessment objectives of AT.3.997

    Above you see the assessment objectives for the Awareness and Training Domain. The 97s require you to budget and staff your plan. Below you see the same assessment objectives for the Access Control domain. What do you notice?

    Assessment objectives for AC.3.997

    Across the 99s, 98s, and 97s we notice that the assessment objectives do not change. So you can come up with a template to make process assessment easier. You will not write 17 mission statements with goals and objectives. Much of the observable evidence will get used over and over. As an Organization Seeking Certification you need to draw an explicit link between your observable evidence and the assessment objectives.

    Where does Observable Evidence Live?

    Before you think about process institutionalization take inventory of where your policy and procedures already live. You can find this in both policy and day-to-day operation. Begin this effort by taking inventory of policies you already have at your company:
    • Employee Handbooks
    • Employee Agreements
    • HR Onboarding, Screening, and Termination
    • Org Chart
    • System Security Plan
    • Threat Diagram
    • Job Descriptions with Separation of Duty
    • Nondisclosure agreements
    • Vendor agreements
    • Floor plan
    • Visitor Guide
    • Visitor logs
    • Inventory Policy
    • Awareness and Training Policy
    • Project Scoping Policy
    • Business Continuation Plan
    • Disaster Recovery Plan
    • Acceptable Use Policy
    • Clean Desk Policy
    • Password/MFA Policy
    • Remote workstation policy
    • Acceptable Encryption Policy
    • Account Management Policy
    • Audit Policy
    • Configuration Management Policy
    • Email Policy (don’t do dumb footers)
    • Federal Contract Information Policy
    • Controlled Unclassified Information Policy
    • Penetration Testing Policy
    • Software Installation Policy
    • Workstation Security Policy
    Before you even begin to document your institutionalization you need to inventory your existing policy. If you have glaring holes, start to write the policy, but also think about how daily operations can create observable evidence for process maturity assessment.

    Think about the minutes of your weekly security stand-ups, perhaps you have the results of a SWOT analysis, what about the daily task checklist for network maintainers, or logs from your SIEM? All of these provide evidence of institutionalization.

    Hacking the Text Structure

    You will not make 17 different documents and write a different report for every 99, 98, and 97. You could, and an assessor would not mark you out of compliance, but you can also develop more efficient methods. Some OSCs, for example, combine the 98 and 97 observable evidence into one document. Others recommend creating a spreadsheet combining all of the process objectives.

    At the minimum a spreadsheet should have the following columns:

    • Explicit text from a policy. Do not just list the policy or page number. Copy the text.
    • The domain
    • The process
    • Policy document title
    You want to create an index that correlates the practices to the explicit text. For CMMC Level 3 you need procedures to implement 130 practices. To increase the chances of passing an assessment and lowering your cost

    If you are using a wiki or a document rather than a spreadsheet, make the Assessment Objectives explicit headings. Then under each heading add the explicit text from a policy and where it can be documented. Do not just list the policy or page number. Copy the text.

    When documenting the budget requirements for 97 some people may create a sanitized version, without PII of experts and the annual spend. You should have an unsanitized copy that does not leave your premises and is made available for an assessor to view on site.

    Overall focusing on process maturity will help your business succeed. Compliance and security matter but policies and governance rule.

    Image credit: “Processing” by marksdk is licensed under CC BY-SA

    Works Cited:

    Armond, A. (2020). Policy templates and tools for CMMC and 800-171. www.cmmcaudit.org/policy-te…

    Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC. (2020). CMMC Assessment Guide Level 3. Version 1.0.1

  • Is My Outsourced IT Provider in CMMC Scope?

    Let’s ask the Department of Defense

    “Q7: Our Company has outsourced its IT support and systems to a third-party contractor. Are we still responsible for complying with DFARS clause 252.204-7012 and implementing NIST SP 800-171?”
    A7: Outsourcing your IT to another company does not transfer your DFARS clause 252.204-7012 responsibilities or implementation of NIST SP 800-171 requirements. Your company is responsible and accountable for meeting the contractual obligations with the Government as per the contract. The key to successfully demonstrating compliance with DFARS clause 252.204-7012 and NIST SP 800-171 is having a well written contract with the third-party that describes your requirements, and includes deliverables that meet or exceed requirements to protect DoD CUI. If your IT service support is deemed to be less than or non-compliant with the contract, the company contracting with DoD is ultimately responsible.

    NIST SP 800-171 requirements make up the baseline of Cybersecurity Maturity Model Certification Level 3. Your IT provider will fall in scope if they touch or have responsibilities on networks where Controlled Unclassified Information (CUI) traverses.

    What Do I Do about my IT Provider?

    A few strategies exist. First, follow the advice of the Department of Defense and have one vendor agreement per contract that flows down the 7012 or 7019 clause. You need to think ahead of time about how CUI will flow between you and your IT provider.

    You can also treat your IT provider as an “employee.” Issue the same badges and devices. Subject a specified IT contractor to the same policies and procedures you would apply to anyone else with a legal need to handle CUI.

    Some companies utilize a vCISO, a virtual security specialist shared among several companies. You may want a third party to help with the inheritance between you and your IT provider. Inheritance means practices and processes that fall in scope and under the domain of a service provider. So your IT may inherit some controls from a cloud service like Azure; the service provides some of the responsibility, and you, the customer with the 7012 clause contract, must make sure not only that you complete the requirements but that the IT company does what they say they do.

    Finally, you can try to descope your IT partner, but you probably cannot do this without increasing your own headcount. Better to choose providers that will work with you as a cybersecurity partner.

    Source: Department of Defense (December, 2020). Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73; DFARS Subpart 239.76 and PGI Subpart 239.76

    Technology flickr photo by TLC-kios shared into the public domain using Creative Commons Public Domain Dedication (CC0)

  • www.itpromentor.com/best-prac… Good O365 compliance best practices.

All content, unless otherwise noted, is licensed with a CC-BY-SA https://creativecommons.org/licenses/by-sa/4.0/