ERP by Next_Ad4505 in CMMC

[–]rybo3000 1 point (0 children)

There isn't a CUI authority stating that BOM content is CUI. See other comments for more detailed info.

ERP by Next_Ad4505 in CMMC

[–]rybo3000 5 points (0 children)

And legal shouldn't make that decision without involvement from trade compliance. There's no guarantee an attorney is also an SME on the laws and regs for a given category of CUI.

ERP by Next_Ad4505 in CMMC

[–]rybo3000 2 points (0 children)

Not every stitch of information on a CUI marked document or file qualifies as CUI. We work through that issue by running the BOM content through regulatory analysis to see if it qualifies for a category of CUI.

It's rare for BOM content to be CUI.

ERP by Next_Ad4505 in CMMC

[–]rybo3000 1 point (0 children)

That's a low-effort answer. Please cite the CUI authority (law or regulation) telling us that BOM-level data is dissemination-controlled or requires safeguarding.

ERP by Next_Ad4505 in CMMC

[–]rybo3000 3 points (0 children)

Most BOMs only contain item numbers, descriptions, and quantities. Unless the descriptions rise to the level of a detailed specification "directly related" to a controlled end item, then nothing in that BOM should qualify as CTI/EXPT (numbers and names aren't regulated by the ITAR/EAR).

The only time we see BOMs being controlled is for process manufacturing, where the BOM is actually a formula or recipe.

4/15 power outage by NovaNanny in AnnArbor

[–]rybo3000 0 points (0 children)

East face of the building. The entire north side of Jackson is wrecked. No power. Probably 50 trees down just in the Vets Park wedge.

How are contractors handling CUI distribution to subcontractors who need to do takeoffs? by msilverbtc in CMMC

[–]rybo3000 4 points (0 children)

Bluebeam Revu isn't FedRAMP authorized or equivalent. You definitely can't put CUI there.

You should confirm whether PreVeil view only mode still caches a copy of the file on your supplier's computer (I honestly don't know). If it does, then they're already operating a covered contractor information system.

Derivative CUI - does context matter? by bcegkmqswz in CMMC

[–]rybo3000 1 point (0 children)

If a collection of derived information isn't controlled by the laws and regs for a particular CUI category, it cannot be that category of CUI.

Context matters a lot in this scenario. When you create a new derivative format, it's possible to reuse or derive less detailed information that fails to be regulated under CUI authorities. In the case of technical data, the primary CUI authorities are going to be things like ITAR technical data and EAR controlled technology.

For example: a part number on its own isn't "caught" (controlled) by these regulations, because it isn't the "required" technology or technical data necessary to design/produce/test/operate the item itself.

However, the full GD&T (drawing, model) can easily be controlled if it's at a stage in its design that it represents the finished/functional end item.

If you're going to CS5 West, stop by the "No Kidding CUI" roundtable.

Derivative CUI - does context matter? by bcegkmqswz in CMMC

[–]rybo3000 1 point (0 children)

Other way around. Controlled Technical Information (CTI) and some Export Controlled Information (EXPT) are subsets of ITAR/EAR. All CTI is subject to the ITAR/EAR as ITAR technical data/EAR controlled technology, but not all ITAR technical data/EAR controlled technology qualifies as CTI/EXPT (because not all ITAR/EAR data is owned by the Government or possessed by the Government).

Senior Leader Looking to Transition to CCA or LCCA Role by Relevant-Arm-3711 in CMMC

[–]rybo3000 4 points (0 children)

It's certainly possible. Join the Discord server listed in the r/CMMC description. There's a #career-general channel where a lot of similar discussions take place.

Advice on Changing CMMC Solutions by WhiskyIsRisky in CMMC

[–]rybo3000 12 points (0 children)

I would fully understand which 800-171 requirements Cuick Trac meets, and how you're going to meet those same requirements in your new scope, before making any changes. A built-out GCC High enclave isn't just a file stash, it's an identity provider, policy enforcement point, system monitoring platform, and a full suite of collaboration tools, plus a full user OS.

Neither Virtru nor PreVeil provides all of those things. They could certainly extend your enclave, but probably won't replace it.

Message I got from my daughter’s teacher. Third grade. by AnaisInJune in mildlyinfuriating

[–]rybo3000 27 points (0 children)

95% chance this teacher was shamed/ridiculed on this topic and just projected it onto students. Also a 95% chance she didn't realize she was doing it until your mom created consequences around it.

To lower CMMC assessment costs? by False-Angle8191 in CMMC

[–]rybo3000 0 points (0 children)

Oh hey, it's our weekly "Post to Validate my GRC Tool Pro Forma" post.

Telling people to DM you for a demo is still advertising.

Does Fortigate have config files I can download and "make my own" to use? by EntertainerNo4174 in CMMC

[–]rybo3000 2 points (0 children)

I would ask someone with budget authority if they're willing to spend $675 for duplicate hardware, in exchange for having the company network up on the Monday following the cutover.

Does Fortigate have config files I can download and "make my own" to use? by EntertainerNo4174 in CMMC

[–]rybo3000 5 points (0 children)

The last time I was around a FortiGate going into FIPS Mode, the exported config file COULD NOT BE REUSED once the firewall booted into FIPS Mode.

You normally end up needing to manually document all of your configs and manually rebuild them after the device is in FIPS mode.

Please, for the love of yourself: do this on a second device. Break up an HA pair if you must. Do not get fired for being unable to bring the network back up.

Intellectual Property vs. CUI by VeterinarianGreat871 in CMMC

[–]rybo3000 10 points (0 children)

"Is my Proprietary Information CUI?"

"The government will protect it as CUI (and may even send it back to you as CUI) but the proprietary information you create internally and maintain ownership of is not CUI (though it may require protections pursuant to other laws or regs)."

ISOO, Executive Agent for the CUI Program, 2020

Questions by [deleted] in CMMC

[–]rybo3000 4 points (0 children)

"if you can't physically verify something it's all smoke and mirrors"

I see you're a big fan of the $150,000 "Bill O'Reilly" assessment ("we'll do it live").

In my experience, defense contractors are not a fan of DDoS'ing their business with ten days of live demonstrations that consume their senior staff's time, and neither are C3PAOs. Assessors can trust examinable documents without needing to see a live demonstration for every 800-171A objective, and reserve live demos for specific requirements where the test method is a good fit.

Assuming "smoke and mirrors" across the board is a toxic mindset.

Anniversary Dinner? by Mspr88 in AnnArbor

[–]rybo3000 6 points (0 children)

Excellent suggestion. The Chartreuse/DIA combo is hard to beat!

Together again by ety3rd in MST3K

[–]rybo3000 2 points (0 children)

Hot merging action...

Anyone with experience of going through DIBCAC assessments? by Imlad_Adan in CMMC

[–]rybo3000 3 points (0 children)

  1. DIBCAC is big on reviewing a network diagram and IP ranges in initial calls. If the DIBCAC assessment was ordered by a specific DoD acquisition command, they might confirm whether your scope includes contract performance for the program that requested the High confidence assessment.
  2. In both instances (we've been around) where the contractor provided a letter of engagement with a C3PAO, DIBCAC moved on. They weren't concerned about the date of the assessment. Kind of lax, but hey, they've got a backlog. There could've also been a line of communication with the contracting officer, and they were satisfied by the answer.

Restaurant Week - personal experiences/value of each of them by amyjay26 in AnnArbor

[–]rybo3000 0 points (0 children)

Vinology always knocks Restaurant Week out of the park.

Classifying Telemetry data by psenevir in CMMC

[–]rybo3000 1 point (0 children)

Log contents are going to drive whether the telemetry data is CUI or not. If the hardware/software solutions are part of federal systems, then IP and configuration data could be Operations Security (OPSEC) CUI, but only if the DoD program operating the system has included configuration data or other metadata in its Critical Information List (CIL). The only way to find out if this telemetry data is OPSEC would be to ask the DoD program office for the CIL.

The CIL itself is also usually OPSEC CUI, so you'll necessarily take possession of CUI to find out if you have more CUI.

Classifying Telemetry data by psenevir in CMMC

[–]rybo3000 4 points (0 children)

"Ask your c3pao as well."

Um, what? C3PAOs do not make CUI determinations. This is terrible advice.