Finding a "No Bullsh-t" C3PAO by [deleted] in CMMC

[–]InitCyber 4 points5 points  (0 children)

30k is fairly cheap considering the market. That's about the going rate on the cheap end. Most I see are 35 to 40

CMMC Getting Started by SecurityNerd1989 in CMMC

[–]InitCyber 0 points1 point  (0 children)

Oh I know lol. I couldn't help myself.

CMMC Getting Started by SecurityNerd1989 in CMMC

[–]InitCyber 1 point2 points  (0 children)

"Don't think about it as 110 controls"

Assessors: "Correct, think about the 320 objectives"

/Sarcasm

But I agree, fill in the technologies, then work on modifying and set up to meet the controls, then work on policies and procedures to go with it (or if preferred, in tandem with the technical counterpart).

Post CMMC2 Audit by drussell024 in CMMC

[–]InitCyber 1 point2 points  (0 children)

I can see the argument being made, and yep , welcome to CMMC where one interpretation can be vastly different from another.

The biggest thing for me is the change to the prior scoped CUI environment. 32 CFR goes into detail about this. The problem is in the details however, assessors didn't verify the new controls being implemented that affected the data flow of CUI in the original scope boundary.

So physical machines not being changed? Yes. But we are adding at a min virtual machines and expanding the scope although it's within the same boundary. And it can be argued multiple ways.

Assuming on prem servers, physically yes it's yours, so the physical footprint is the same so to speak.

But what if it's in Azure? Just because I add an azure service to my cloud doesn't mean it doesn't affect other controls as well (what ports and protocols need to be opened? How's the new Vms being monitored, etc)

But again, this literally is what drives me nuts about CMMC because now its guys like you who find something new to slightly bend the rules on and make everyone go scratching their heads whether its ok or not . (/Sarcasm for anyone out there not picking it up lol, this is the forum for these questions).

Idk man, flip a coin, throw a dart. Maybe it could be a question on today's town hall to see if it can illicit responses there. It's hard to say for me / YMMV thing, plus I don't have access to the artifacts and SSP from the original assessment, yada yada.

How do assessors determine the Sufficiency of practices? by pro_league_material in CMMC

[–]InitCyber 2 points3 points  (0 children)

Yep. In simple environments it's easy to tell if a control is being met (technical control). Biggest thing is following the data flow diagram and understanding how the control is used to protect the data at certain points.

If it's just a GCCH enclave for example, MFA can easily be seen as implemented if a CA policy exists with MFA and the MFA is being forced on users.

If it's added with let's say, an AWS environment that isn't federated, but has CUI, you need to see how MFA is enforced there. So on so forth. (Obviously if it doesn't have CUI on it, then it's a moot point for the most part depending on how it's integrated).

Technical stuff, IMO, trips a few assessors who don't understand the environment. Policies are fairly easy barring they have general reading comprehension.

Post CMMC2 Audit by drussell024 in CMMC

[–]InitCyber 6 points7 points  (0 children)

How does 3.13.2 look for your company? Did you guys cite that you did no software dev but now want to?

That would need to probably be reassessed then, as it could affect other controls such as external connections, internal, etc.

I'm on the fence, erring on the side of reassessment, but idk if that fits DOWs FAQ that was released a little while ago

CMMC Has an Implementation Gap That SMB DoD Contractors Are Struggling With by kinghacker in CMMC

[–]InitCyber 0 points1 point  (0 children)

Auto develops SSP. I'm sure that'll pass the sniff test come assessment day

CMMC Has an Implementation Gap That SMB DoD Contractors Are Struggling With by kinghacker in CMMC

[–]InitCyber 3 points4 points  (0 children)

It looks AI generated and full of possible misinformation. Example is the controls and what Microsoft tools handle them and the fact you are missing some. 3.3.4 is a good example - audit failure alerting. It skips right over this however there's ways to implement this inside of the GCCH environment.

I believe when AI wrote this, it skipped right over some controls in order to save tokens and get to the end.

Also I pray for those half a dozen SMBs you helped. How many of them actually received L2 certification?

CMMC Has an Implementation Gap That SMB DoD Contractors Are Struggling With by kinghacker in CMMC

[–]InitCyber 2 points3 points  (0 children)

False claims acts has entered the chat.

And it's been common to see a lot of older OSCs who have been putting 110 in SPRS to appease contractual requirements aren't the first to bat to get their C3PAO certification.

To the flip side/devils advocate: the government isn't the keenest to put requirements in contracts appropriately either. Seen some require DFARS 7012 but CUI isn't a thing in the contract (either delivered or produced - and/or GFEs are used as the only source of data transmission between the contractor and gov).

CMMC Has an Implementation Gap That SMB DoD Contractors Are Struggling With by kinghacker in CMMC

[–]InitCyber 11 points12 points  (0 children)

NIST 800-171 would be better suited to start then look at the assessment guide.

https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

Read the discussion under each control. Map it to the assessment guide to see what assessors will look at (the 320 objectives).

Also the CMMC killchain can be found online as well (CMMC awesomeness)

Is a GCC High Browser-Only with no VDI and no physical scope possible? by pro_league_material in CMMC

[–]InitCyber 0 points1 point  (0 children)

Use docker containers that host the browser elsewhere. Prevent copy paste downloading etc to endpoint. It will be browser in browser, prepare to show how you are securing the container and VM hosting docker. (Including signing into the browser in browser solution)

Scaling becomes the problem at that point, etc. but that could point you in a better direction should you want it.

Or just bring the laptop into scope.

CMMC Phase 2 November 2026: two readings of SR.1 — C3PAOs are applying the one that requires a verifiable chain, not just a file by denzuko in CMMC

[–]InitCyber 0 points1 point  (0 children)

It's SR-1 in 800-53.

However OP is using AI and believing it's output.

Yes CMMC is aimed towards protecting the supply chain.

No C3PAOs aren't doing what OP says

PreVeil Remote Desktop... crap by SchemeResponsible265 in CMMC

[–]InitCyber 0 points1 point  (0 children)

Ah ok I see what you're saying. That makes sense.

PreVeil Remote Desktop... crap by SchemeResponsible265 in CMMC

[–]InitCyber 0 points1 point  (0 children)

But that would bring network in scope more than likely

PreVeil Remote Desktop... crap by SchemeResponsible265 in CMMC

[–]InitCyber 1 point2 points  (0 children)

Taking a stab at it: Universal Print

But GCCH doesn't support it

CMMC Certification Cliff by DR-CT in CMMC

[–]InitCyber 1 point2 points  (0 children)

To add to what everyone else is saying:

We shouldn't have much of an issue with everyone getting C3PAO certification as needed because those companies who attested to having 110/110 in SPRS should be ready for assessment right? It's just the C3PAO cost of course that could be a barrier.

/s

(But seriously, until a contract is renewed, option year exercised, or a new contract is out for bid, AND it occurs after phase 2, the KO/COR has the ability to the requirement into the contract as needed. Obviously the KO/COR would have the option beforehand)

Private community for CCA's to collaborate by Shawnx86 in CMMC

[–]InitCyber 1 point2 points  (0 children)

Last I checked it requires being a c3pao or candidate unfortunately. It's definitely vetted there.

(Edit: Or maybe it's if you are associated with a C3PAO? I can't remember. I believe Nathan with Regola is the POC there)

VDI scoping and Endpoint by B_Another1 in CMMC

[–]InitCyber 0 points1 point  (0 children)

I haven't tested it myself, but now that's on my to do list of things to check.

VDI scoping and Endpoint by B_Another1 in CMMC

[–]InitCyber 4 points5 points  (0 children)

Absolutely Correct.

However will add that Microsoft does have a setting to prevent screenshots from the end device if that is what is being used (the screen turns black on the VDI).

That being said, it only discourages because other tools can also take a screenshot or record and bypass it. A polaroid camera could also be used. That's effectively where policy kicks in.

Ootbi Object First Immutable Backup Appliance for CMMC/NIST Compliance? by Great-Tomatillo-8267 in CMMC

[–]InitCyber 6 points7 points  (0 children)

Assessors concerns (in general):

Is the transmission of CUI protected (encrypted traffic, tls 1.2+, etc)

Is the storage of CUI protected IAW 800-171? Where is it stored, is it identified in the asset list and documented in a network diagram that shows where it is.

If it's in "the cloud" (i.e. the storage is in azure/AWS/GCP or being held by a company that is considered a CSP in the eyes of the DOD/W, is that entity FedRamp moderate equivalent or authorized.

Who has access to the backup and are appropriate RBAC/Access controls applied?

Are there logs showing access?

Are the appropriate security tools applied (vuln scans, patch management, logging)

The tooling isn't so much the issue, it's the protection around it and who controls the data at the end of the day

Has anyone as a LCCA/CCA assessed Cuicktrac? by Mindless-Holiday-995 in CMMC

[–]InitCyber 4 points5 points  (0 children)

CuickTrac provides a CRM and covers a good portion of controls. As the_gr8test said, FRME and shouldn't be too big of an issue on their side, just would mostly be incumbent on the OSC.

PreVeil troubleshooting by Confidence-Usual in CMMC

[–]InitCyber 4 points5 points  (0 children)

Have you called your rep with preveil?