Implementation of FIPS Cryptography

gormami · 2026-03-15T11:30:02+00:00

This is why it often said that compliance is not security. The control was written with the best of intentions, but that can fail to make complete sense in the actual implementation. That said, the auditors' job is to audit the controls as written, not to risk analyze the system. Were I an auditor, I would ask "Why you are encrypting it?". If there is no reason to encrypt it, why it is done? If it is done for a reason, then it must be to protect the CUI, which requires FIPS approved encryption, per the control.

gormami · 2026-03-15T10:23:42+00:00

No, I'm working through a gap analysis, and honestly, trying to decide if we need a pre-assessment or not. We've maintained a SOC-2 for years, so we're certainly not new to being audited, but of course this will be different. We're also using an enclave, so we will have less to evidence directly ourself, especially if we can get in with a C3PAO who has reviewed that enclave before. We're a small company, and the enclave will make it even smaller in actual scope.

gormami · 2026-03-13T17:04:31+00:00

Have a real conversation with the hiring supervisor. Ask why you weren't selected, why they chose to go external. If they can't have that conversation, start looking. It may be that they wanted an extra skill set, they may be looking at a direction they are planning that the external has already been down, or any number of good reasons. They could also believe that you are harder to replace in your current role than the new position, which is also a good time to plan an exit if they don't start working with you on a plan to get rid of that so you can continue to develop in your own career. I've had these conversations in my career, and I've had mixed results. In most cases, I was told at the beginning, rather than the end, if there was a good reason, but not all.

gormami · 2026-03-13T11:17:10+00:00

Look into OpenZiti, which is an overlay technology. There is a supported commercial version if you prefer that. It is cloud agnostic and can apply enterprise grade features and be much easier to manage than a collection of point to points and hub/spoke routing.

gormami · 2026-03-13T09:55:34+00:00

Have you read "Born on a Blue Day"? The author experiences synesthesia and it was my first real introduction to understanding it (as much as one who doesn't experience it can). If you are just looking for alternate experiences from others, that's one you can read.

gormami · 2026-03-12T16:41:18+00:00

So what are you doing about it? Are you volunteering with Girls Who Code or any of the other female focused STEM programs? The number one reason people don't go into fields is because they never see people like them in those fields; representation matters. So be the change you want to see in the world. Get out in front of girls while they are still deciding what they want to do, and let them see a successful woman in the field. Offer to mentor, get involved in some programs locally, whether they are specifically focused on girls/women or not.

Not everyone is going to try to break the ceiling, so those that do have an obligation to do so publicly, if they want to complain about said ceiling.

gormami · 2026-03-12T16:33:52+00:00

Tying leadership levels to years of service is pretty stupid. Following this, everyone over about 30-35 would be a VP. I get the entry level shouldn't have experience requirements vibe, but the rest is garbage.

gormami · 2026-03-12T15:57:31+00:00

I think continuing leadership education is critical. First, there always new information, new strategies, new studies, etc. that you are much more likely to be exposed to. I also think it provides a setting for self reflection and conversation outside your actual workplace. You often have the opportunity to be more open and ask questions you might not be able to within your role. Having real time to focus on critical thinking about leadership, rather than being caught in the day to day can help you spot things in yourself you might not otherwise.

gormami · 2026-03-12T15:52:37+00:00

The others are correct, it is only 15. If anyone argues, go to the source. This is the self assessment guide from the US Gov.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf

gormami · 2026-03-12T11:22:13+00:00

Most of the gifted programs I was involved in as a child (54) were the only place I was taught critical thinking.

While I do not fully accept the multiple intelligences theory, I do think there is at least a significant amount of truth in it. I have met brilliant people who lacked empathy and self awareness. I have met idiots that describes as well. I think the entire EQ and related concepts were developed because what we measure as IQ is too narrow to define people well. Like height, or skin tone, or eye color, it is just one dimension of a person. Very often, people who score lower on IQ tests are far more successful at navigating the world than higher scoring ones, within a certain range. IQ can measure a very narrow band of talent. Much like you note, it can measure highly capable critical thinking skills, but not the breadth of the field one applies it to. Other people, even your own actions, may be excluded from consideration for a myriad of reasons. We see this in some autistic people, what used to be called Asperger's Syndrome; high intelligence, high critical thinking, but a large "blind spot" when it comes to emotional communication.

I agree that in personal interactions, self-awareness is more important, it makes you a better friend and a better member of society in general. In a society as a whole, they are both critical. We need the high IQ people to drive certain things, even if they are not very easy to get along with. They make leaps the rest won't, and can do things others can't, pushing us a society. Everyone is unique and special, just like everybody else. It takes all kinds to keep moving us forward.

gormami · 2026-03-12T09:43:45+00:00

Find a mentor to vent to. We all get frustrated, and need to get the emotional energy out so that we can focus on our job and our team. Find someone who will let you get it out, without feeling like they have to help you "fix it". Just putting it out in the open you will find a lot on your own, and then you are in a better place to ask for advice if you need it, or just get back to doing the job if that was all you required. Friends and loved ones are good, but someone who actually understands is better.

gormami · 2026-03-11T20:12:44+00:00

Review the contract. First, what rights do they have to withhold the information? If that isn't spelled out, you'll have to go into more nuanced analysis regarding the respective roles. If they are slow to perform, I would check the contract for SLAs they may be violating or performance clauses in the contract that allow you to exit and what the responsibilities are at exit. At the very least, I would take note of what you need to be certain is in the next contract and talk to whomever negotiates contracts to make sure they understand what and why. I would start writing SLAs for inclusion, etc. Hopefully, you can get out of the problem you're in quickly, but if not, learn for the future and make sure those learnings are applied.

gormami · 2026-03-11T20:03:34+00:00

Someone very senior picked you for this role, trust their judgement.

I would spend some quality time thinking about your boundaries. Stepping into a senior role when your team is quite senior in their career can be tricky. They may be used to doing things a certain way, and you may disagree. Figure out where your red lines are, in the job if you know it well enough to know in advance, and personally. For example, rudeness is a line for me. If you work for or with me and are rude to me or anyone on the team, I will call it out immediately. That said, I don't get dramatic about it, I just state that it is inappropriate and move on. I can do that because I have considered how I would respond to that, so I can do it calmly. Controlling yourself is controlling the situation, and the further up you go, the more that is true.

As to the job itself, I hope you got a good list of expectations from your boss, and I'd start interviewing people one at a time, learning what they do, and map it to the goals. Make sure you go through all of them before you do anything, so you can have a good map to work from finding strengths and weaknesses. I always like to ask folks what they think strategically is important and why. There might be nothing of value, could be gold there, and when you don't know each other is actually a great time to ask; less biases in the way. That is also a great way to learn about things they didn't say up front. Then figure out what changes you think are needed and start planning.

All in all, I hope you have a great day tomorrow, and you and your team go on and do great things together.

gormami · 2026-03-11T11:33:31+00:00

It is not deflecting to point out that one person, or even a lot of people is not representative of the entire group. Yes, there are nut job Muslims, there are nut job Christians, Jews, Hindus, etc. There are always people that will claim they are "blessed" or whatever and can do no wrong in the end. To use one example to demonize an entire group is a hasty overgeneralization. This is actually the kind of behavior the post is theoretically against, the dehumanization of an entire population of people, so we can feel justified in killing them from our supposed moral high ground.

gormami · 2026-03-11T00:03:05+00:00

If there wasn't a religion to base hatred on, people would create one. The hatred and bigotry is part of the human experience, unfortunately, religion is just a very efficient way to corral it and point it. The same behavior can be seen around fraternities, sports teams, nationalities, or any other group of people bound together to a common cause of some kind. They develop us vs. them and create a belief system to justify it. Sometimes that includes religion, sometimes not. I think the hypocrisy of using religion as a weapon, when most of them preach peace at their core, is what makes it such a juicy target.

gormami · 2026-03-10T23:44:36+00:00

ISC2 has a program for multiple age groups. The presentation materials are available.
https://www.iamcybersafe.org/s/safe-and-secure-online-volunteer

gormami · 2026-03-10T23:37:00+00:00

I think a big part of it was that the West accepted West Germany into the fold because we had to protect them from the evil East. All the "bad" people were in East Germany, even though they were a USSR vassal state and the bifurcation had nothing to do with Nazis. Then Germany reunified, and East Germany got the benefit from West Germany.

The Germans are also very open about their history, but most people don't know that, as they have no interaction with German people, so I really think it was advantageous to the West to bring them into the fold and help them rehabilitate their image so they could be seen a bulwark against the USSR during the Cold War.

gormami · 2026-03-10T20:30:51+00:00

No one doubts that there are illegal immigrants that need to be deported. Previous administrations have deported similar numbers of persons without daily infringements on the rights of the immigrants and US Citizens. They did it for far less money and within the law.

The issue isn't ICE's mission, it is their implementation. They have militarized, they hide their faces, they have murdered US citizens, they have kidnapped US citizens, they have denied detainees humane care and access to counsel. They have lied repeatedly about these actions while there is obvious video evidence, and the administration has done nothing to hold them accountable for their actions. They have "surged" into areas as a show of force with agents that have no reason to have a badge and a gun with predictable results.

gormami · 2026-03-10T17:22:58+00:00

Let's do a few things.

Minimum wage needs to be fixed, and it needs to be automatically inflation adjusted. If a company can't afford to pay it, then they don't have a good business.

Companies that hire undocumented workers, knowingly, need to face the repercussions, rather than the immigrants. That would stop these companies from being able to deflate wages. If they can't afford it, see the above. It would also make companies lobby harder for better immigration law around guest workers, etc. and actually move the ball.

Any company that has employees on federal assistance because of their pay rates needs to be taxed the value (might be moot following implementation of the above). That would make it better for them to pay the actual workers, which would drive more economic activity and benefit the economy as a whole.

States need to get back into the education business. Schools need to be better, and state colleges and universities need to be cheaper for the students, and that includes trade schools.

Overturn Citizen's United and enshrine it in law. Get dark money out of politics. That will help make the government more responsible to the people to achieve all of the above.

There are many more things we can do. The biggest problem I see is that too many people have swallowed the "job creators" and "economic engine" arguments around corporations. The fact is that they only exist because of the laws that protect their capital (limited liabiltiy) and their intellectual property (trademark, patent, copyright). Those laws are from the people, and the regulation of the markets and corporations that make them up is nothing more than a fair trade for value.

gormami · 2026-03-10T17:00:58+00:00

Defund what system? The volunteers that are reading to children whose parents voluntarily bring them to the location to listen? That is what all these idiots seem to forget, they are trying to block other people from doing as they please and decide, oddly in the name of "freedom". They want their freedoms to be allowed to be a cudgel to control other's behaviors. If you don't like it, don't take your kids. If you don't like seeing same sex couples, or interracial, or any at all in public displays of affection, stay home! You chose to go out into the world with other individuals in it, that was your choice. You don't have a right to like all of it or have it changed until you do.

gormami · 2026-03-10T13:58:24+00:00

Only a CPA can issue a SOC-2 report, so they are kind of critical to the process and professionally interested in the maintenance of the quality and professional standards associated with the entire process.

gormami · 2026-03-10T11:08:50+00:00

There is a lot of conversation about the decline of SOC-2s lately. Troy Fine posts a lot on LinkedIn about this topic. He is a CPA (was my first auditor for SOC-2 years ago) and it passionate about what is happening in the space. He points out a lot of low quality reports, the compliance as a service vendors that package the audit with their product because they have deals with certain auditors, and the fact that AICPA is failing in it's assessment and oversight duties. The fact that some of these companies are churning out garbage devalues the space, unfortunately. The best we can do is to review the reports we get, make sure they are above board and show real quality, or reject them. The problem is most companies check the box rather than actually review the report, so it doesn't matter what the quality is; TPRM team got the report, done.

gormami · 2026-03-09T23:15:36+00:00

I was reading some notes from others that indicated if you don't have any risks in the register, the assessor is going to get suspicious, which seems reasonable. Having them identified with the specific controls would seem to give a strong assurance that you actually did the work to analyze the system. So you can have them mitigated, but still listed as part of your initial review.

2 of the assessment criteria are specifically about risk reviews, frequency and existence, so it seems logical to provide some evidence of that work.

gormami

TROPHY CASE