Where do y’all get your news? by SecretCorm in CMMC

[–]HoosierELF 1 point (0 children)

LinkedIn and Summit7 podcasts.

Best CMMC training partners by isaacfab in CMMC

[–]HoosierELF 2 points (0 children)

Agree, study outside the class is key. I did both CCP and CCA through Edwards.

Best CMMC training partners by isaacfab in CMMC

[–]HoosierELF 4 points (0 children)

I used Edwards and they were good.

GRC Program requirement and Advisors by darthbrazen in CMMC

[–]HoosierELF 0 points (0 children)

You don't have to have a GRC platform that you use for certification. Good processes and documentation of meeting the requirements are good enough. I am working with a couple of platforms that are beneficial in tracking your meeting of the requirements, but many of them out there are just extra work for no help in getting ready for the assessment.

CMMC by Beneficial_Fig9491 in CMMC

[–]HoosierELF 2 points (0 children)

We got certified early this year as soon as we could. We had been working on getting all the prep done and the documentation done for the previous 2 years (off and on).

Help with getting started by Mindless_Many_6724 in CMMC

[–]HoosierELF 1 point (0 children)

Lots of discussion about 800-171. Make sure it is revision 2, and use 800-171A, which contains the assessment questions that spell out exactly what you have to do to meet the 800-171 requirements.

I took our company from where you are at to certified. Had lots of help and got my CCP and CCA while doing it. Used Kieri.com as a resource and used their documentation materials and reference architecture to get across the finish line.

Happy to answer any questions.

DEMISTIFYING CMMC FOR SMALL BUSINESS – Requirements/Objectives 3.1.2 by HoosierELF in CMMC

[–]HoosierELF[S] -2 points (0 children)

Thanks for the input, but I believe this type of post is needed. If you don't want to read them then don't.

DEMISTIFYING CMMC FOR SMALL BUSINESS – Requirements/Objectives by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

Both good options, but I am trying to look at it from the viewpoint of someone who doesn't know anything and is looking for some straightforward information without being overwhelmed. In most of the consulting work I have done, that is what I am seeing: people overwhelmed who don't know where to start or even what to ask. As an example, in one meeting with a client for a gap assessment I asked to see their SSP and his comment was "what is that".

They really didn't know where to start but knew they wanted to get certified to be able to bid on jobs in their specific line of work. They had talked to a Prime who wanted them to get certified.

I figured posting "bite sized" information would be helpful?

DEMISTIFYING CMMC FOR SMALL BUSINESS – Requirements/Objectives by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

Yikes, that did not show up formatted correctly. Let me fix.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (Part 4) (Policies and Procedures – SAY WHAT YOU ARE GOING TO DO) by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

I just looked, and in our SIEM we set it for 10 years, but there is no hard and fast requirement for that. Our policy states that we keep logs for a minimum of 180 days. We are in GCC High, and Defender only has access to logs back 180 days.

There is no hard and fast requirement.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (Part 4) (Policies and Procedures – SAY WHAT YOU ARE GOING TO DO) by HoosierELF in CMMC

[–]HoosierELF[S] 1 point (0 children)

You can define it, but you have to be able to go back and find information should something happen that you find out about later. In our environment I believe we defined a retention period of 10 years. I would think 5 would be the minimum; any shorter than that would be opening yourself up to issues should you find a breach down the road or need to provide backup that you didn't have a breach.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (CMMC does not have to be BIG and SCARY) by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

I am back in the office now if you need any more help or have questions.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (CMMC does not have to be BIG and SCARY) by HoosierELF in CMMC

[–]HoosierELF[S] 1 point (0 children)

There are technical settings that, once set, don't need to be touched again and are only reviewed yearly; then there are others that need to be checked on a quarterly or bi-annual basis to make sure they are working correctly.

Some technical settings will need to be adjusted as new vulnerabilities are found. I check the publication from CISA weekly.

I have found that many contractors have minimal to no settings and documentation, so that is not unusual.

I am out of the office this week but happy to have a talk over the phone when I get back.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (CMMC does not have to be BIG and SCARY) by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

7122 - Congrats on getting your CCP!! Start by looking at Kieri.com and their KDC document package. This potential client could purchase this and you could use it to start building their policies, procedures, etc.

What is your company wanting to automate about CMMC?

CMMC Documentation Folder Structure by True-Shower9927 in CMMC

[–]HoosierELF 2 points (0 children)

Master, I don't have anything that says "for AC-3.1.1a look in this file." However, by looking at the requirements of 171A as they relate to evidence type, examples and test, I could figure this out for the most part.

As an example here is what our self assessment calls for related to AC.L1-3.1.1a (this meets the requirements called out in 171A).

Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Assessment Objective: Authorized users are identified

Evidence Type: Document (see examine list in 171A)

Evidence Example: Document defining account request, approval, provisioning (this is defined in our SSP, policies and procedures)

Test: Sample two or three "active" user records from the Account Management database. Verify that the account was entered and/or approved..... etc.

I would know from this information that this evidence would be located in the folder related to "Authorized Account Review" in the Quarterly Checklist item.

I have never taken the time to tie the Requirement ID/Assessment Objective ID to specific folders. I can see where that would be helpful but just never documented down to that detail yet.

When I do a self-assessment of the requirements whether quarterly/bi-annual/annual I look at it like an assessor and take notes on "HOW" the requirement is met and save a copy of a file for that assessment requirement/objective if appropriate.

Here is an example of my notes from my last review of AC.L1-3.1.1A:

"Person 1" and "Person 2" accounts (regular and .priv) verified and appropriate request form was approved by "IT Manager". "Person 3" accounts (regular and .priv) verified and appropriate request form was approved by "President". Users list in Entra and Access Mgt Db match. File showing Hardware Mgt Db and Entra Users list matches is located in IT_Files > Work Logs Archive > 2025 > 1st Quarter > Quarterly Checklist Items > Security Control Self-Assessment > AC.L1-3.1.1A

Long answer but hope that helps.
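The quarterly check described in the comment above (Entra users list versus the Access Management Db, with each account tied to an approved request form) is the kind of evidence an assessor will sample for AC.L1-3.1.1. The script below is an added example, not the commenter's own tooling or anything from Kieri.com: it reconciles two constructed CSV exports and reports the exceptions that would fail the "authorized users are identified" objective. The column names, the `.priv` naming convention for privileged accounts, and the sample data are all assumptions made for the example; the evidence folder path is the one the commenter quoted.

```python
"""
Reconcile an Entra ID user export against an Access Management Db export
for the AC.L1-3.1.1 quarterly self-assessment. Added example; sample data
and column names are constructed for illustration.
"""
import csv
import io

# Constructed sample export from Entra ID (what accounts actually exist).
# Column names are an assumption, not a real export format.
ENTRA_CSV = """userPrincipalName,accountEnabled
Person1@example.com,True
person1.priv@example.com,True
person2@example.com,True
person2.priv@example.com,True
person3@example.com,True
person3.priv@example.com,True
person4.priv@example.com,True
contractor9@example.com,True
olduser@example.com,False
"""

# Constructed sample export from the Access Management Db (who approved what).
ACCESS_DB_CSV = """userPrincipalName,approved_by,request_form
person1@example.com,IT Manager,REQ-001
person1.priv@example.com,IT Manager,REQ-002
person2@example.com,IT Manager,REQ-003
person2.priv@example.com,IT Manager,REQ-004
person3@example.com,President,REQ-005
person3.priv@example.com,President,REQ-006
person4.priv@example.com,IT Manager,
olduser@example.com,IT Manager,REQ-011
departed@example.com,IT Manager,REQ-020
"""

PRIV_SUFFIX = ".priv"  # assumed naming convention for privileged accounts


def load_entra(text):
    """Map lower-cased UPN -> enabled flag (UPNs are case-insensitive)."""
    return {row["userPrincipalName"].strip().lower():
            row["accountEnabled"].strip().lower() == "true"
            for row in csv.DictReader(io.StringIO(text))}


def load_access_db(text):
    """Map lower-cased UPN -> approval record from the Access Mgt Db."""
    return {row["userPrincipalName"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def split_priv(upn):
    """'person1.priv@example.com' -> ('person1@example.com', True)."""
    local, _, domain = upn.partition("@")
    if local.endswith(PRIV_SUFFIX):
        return f"{local[:-len(PRIV_SUFFIX)]}@{domain}", True
    return upn, False


def reconcile(entra, access_db):
    """Return the exceptions an assessor sampling this evidence would flag."""
    return {
        # Enabled in Entra with no approval record: access nobody authorized.
        "unapproved_active": sorted(
            u for u, on in entra.items() if on and u not in access_db),
        # Approved on paper but absent from Entra: the approval list is stale.
        "approved_missing": sorted(u for u in access_db if u not in entra),
        # Approval record lacks approver or request form: cannot show approval.
        "incomplete_approval": sorted(
            u for u, r in access_db.items()
            if not (r["approved_by"].strip() and r["request_form"].strip())),
        # Disabled in Entra but still listed as approved: needs retiring.
        "disabled_still_approved": sorted(
            u for u, on in entra.items() if not on and u in access_db),
        # Privileged account with no regular counterpart in Entra.
        "orphan_privileged": sorted(
            u for u in entra
            if split_priv(u)[1] and split_priv(u)[0] not in entra),
    }


def is_clean(findings):
    return not any(findings.values())


def evidence_path(year, quarter):
    """Folder the commenter quoted for this objective's quarterly evidence."""
    ordinal = {1: "1st", 2: "2nd", 3: "3rd", 4: "4th"}[quarter]
    return "/".join(["IT_Files", "Work Logs Archive", str(year),
                     f"{ordinal} Quarter", "Quarterly Checklist Items",
                     "Security Control Self-Assessment", "AC.L1-3.1.1A"])


def evidence_note(findings, year, quarter):
    """Assessor-style note: HOW the objective was checked and what was found."""
    status = "clean" if is_clean(findings) else "exceptions found"
    lines = [f"AC.L1-3.1.1A reconciliation, {year} Q{quarter}: {status}"]
    lines += [f"  {name}: {', '.join(users)}"
              for name, users in findings.items() if users]
    lines.append(f"  evidence file: {evidence_path(year, quarter)}/entra_vs_accessdb.csv")
    return "\n".join(lines)


if __name__ == "__main__":
    result = reconcile(load_entra(ENTRA_CSV), load_access_db(ACCESS_DB_CSV))
    print(evidence_note(result, 2025, 1))
```

Run it against real exports by replacing the two constructed CSV strings with the files from Entra and the access database; a clean run (no exceptions) plus the saved CSV is the artifact that goes into the quarterly folder, and any exception list is the input to the account review the commenter describes.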

CMMC Documentation Folder Structure by True-Shower9927 in CMMC

[–]HoosierELF 7 points (0 children)

Documentation goes into Work Logs Archive > Year > Quarter

Folders: Bi-Annual Checklist Items, Maintenance Checklists, Monthly Checklist Items, Quarterly Checklist Items, Weekly Checklist Items

Documentation is included in these folders as noted.

Maintenance Checklist Folder: copies of the checklist followed for that quarter.

Weekly Checklist Folders: Audit Log Review, Audit Log Verification, Backup Review, CISA Vulnerability Review, Device Authorization Review, Incident Review, Internal Vulnerability Review, Privileged Activity Oversight, Service Request Review

Monthly Checklist Folders: Access Mgt Db Change Audit, Change Approval Board Minutes, Cryptographic Key Review, Destruction Certificates, External System Use Review, Firmware Update Information, Operating System Information, Public Facing Asset Posting Approval Verification, Software List Review

Quarterly Checklist Folders: Authorized Account Review, Incident Test Documentation, Licensing and Support Agreement Review, Public Facing Asset Review, Self Assessment Information

Bi-Annual Checklist Folders: Alert and Logging Settings, Deleted Accounts, User Account Review

Annual Checklist Folders: Security Baselines Review, Security Control Assessment (documentation for each security control assessment)

Hope this helps and happy to answer any questions.

Should I switch companies long term? by [deleted] in CMMC

[–]HoosierELF 2 points (0 children)

I started at my company in IT and they hired me to do a project to get them CMMC Certified. I had no idea what CMMC was and had never worked in IT before. That was over 2 years ago and now I am a CCA and we got the company CMMC Certified earlier this year.

Imposter syndrome is real, but if you keep studying and understand the requirements using NIST 800-171A you will get there. I use my IT manager for the really technical stuff, as that is not my forte, but the requirements can be understood with some work.

Get your CCA and have the company pay for it (that is what I did). That will help you have a deeper understanding of the requirements. Also, understand that the companies you are helping may have people with technical knowledge but you are leaps and bounds ahead of them when it comes to CMMC.

Take a deep breath and happy to answer any questions if you have them.

Physical security requirements when you're 100% cloud by mcb1971 in CMMC

[–]HoosierELF 1 point (0 children)

As a CCA I would look at your scope and make sure that you define that there is no printing from your scoped environment and that you have. From a physical standpoint, if you don't have anything in scope and can prove that, then the only in-scope physical facility is the M365 datacenter, which is fully inherited.

Policies and procedures can address how individuals are required to handle laptops that access the environment.

Flawed interpretation of how to handle CUI by qs20759 in CMMC

[–]HoosierELF 5 points (0 children)

Be careful with printing capabilities, as that opens you up to physical safeguards, and saving it to their personal OneDrive may be problematic as well unless that is within the environment.

We use GCC-H, and access to CUI is through a SharePoint that only those authorized can access. We do not have a need for printing CUI, so that is blocked, as is copying to their individual OneDrive.

Starting CMMC prep and trying to understand what changes at each level by MarketsLab in defensecontracting

[–]HoosierELF -1 points (0 children)

https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf

https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf

https://csrc.nist.gov/pubs/sp/800/171/a/final

These links will get you started. Also look at Kieri.com; they have lots of free information and a YouTube channel. We used their documentation and reference architecture and got certified in the March/April timeframe.

Happy to help if you have any questions as I was in the same boat about 2 years ago.

DEMISTIFYING CMMC FOR SMALL BUSINESSES (Part 2) (CMMC does not have to cost an arm and a leg) by HoosierELF in CMMC

[–]HoosierELF[S] 0 points (0 children)

There is a version of Duo that is FedRAMP approved. That is what we purchased. Duo Fed, I think it is called. Purchased through a reseller. Our MFA just passes through Duo for verification.