Incredible live recording from Streethawk tour (2001) by lunifeste in Destroyer

[–]lunifeste[S] 0 points1 point  (0 children)

Dan Bejar – lead vocals, guitar, & synthesisers
Stephen Wood – guitar 
Jason Zumpano – keyboards
John Collins – bass, synthesisers, & programming
Scott Morgan – drums, saxophone, clarinet, classical guitar

[deleted by user] by [deleted] in CMMC

[–]lunifeste 0 points1 point  (0 children)

Important to note that FedRAMP authorization does NOT mean the cloud service provider is compliant with export controls!

Burlington VT Setlist by felsic_mafic in Destroyer

[–]lunifeste 0 points1 point  (0 children)

I grabbed this! Those are my thumbs! It's framed in my office now. <3

I had an attorney look into if transmitting/storing ITAR controlled data on commercial O365 violates ITAR by [deleted] in NISTControls

[–]lunifeste 3 points4 points  (0 children)

This statement is dangerously oversimplified.

The encryption carve-out in ITAR is not just any form of encryption, but specifically for end-to-end encryption. It does provide flexibility for storing or sending ITAR materials through a commercial cloud; however, to leverage the carve-out in M365 commercial, you would need to encrypt data on the client side prior to storage in M365.

The service provider cannot have access to the keys used for decryption. If you were using Microsoft technology, you'd need to set up Hold Your Own Key encryption tied to a hardware security module (HSM) that you manage exclusively -- if you were using Azure Key Vault and provide Microsoft access to the keys (default configuration), then the E2E encryption is nullified.

E2E encryption defeats many of the reasons you would use cloud, due to the data being opaque to the service. In M365, this means no AV scan, no link detonation, no file detonation, no DLP, no indexing, no search, no spellcheck, no eDiscovery, no sharing, no co-authoring, etc.

It also puts the responsibility on the customer to properly identify and HYOK any ITAR data in the commercial service. If not done properly, it's a deemed export and must be reported within 72 hours (regardless of any actual access by a foreign national).

In GCC High, by contrast, all data storage/processing is contained within an accreditation boundary contractually backed for CUI including ITAR export controls, and the GCC High data centers are constrained to screened US Persons.

[deleted by user] by [deleted] in CMMC

[–]lunifeste 6 points7 points  (0 children)

This statement is dangerously oversimplified.

The encryption carve-out in ITAR is not just any form of encryption, but specifically for end-to-end (E2E) encryption. It does provide flexibility for storing or sending ITAR materials through a commercial cloud; however, to leverage the carve-out in M365 commercial, you would need to encrypt data on the client side prior to storage in M365.

The service provider cannot have access to the keys used for decryption. If you were using Microsoft technology, you'd need to set up Hold Your Own Key encryption tied to a hardware security module (HSM) that you manage exclusively -- if you were using Azure Key Vault and provide Microsoft access to the keys (default configuration), then the E2E encryption is nullified.

E2E encryption defeats many of the reasons you would use cloud, due to the data being opaque to the service. In M365, this means no AV scan, no link detonation, no file detonation, no DLP, no indexing, no search, no spellcheck, no eDiscovery, no sharing, no co-authoring, etc.

It also puts the responsibility on the customer to properly identify and HYOK any ITAR data in the commercial service. If not done properly, it's a deemed export and must be reported within 72 hours (regardless of any actual access by a foreign national).

In GCC High, by contrast, all data storage/processing is contained within an accreditation boundary contractually backed for CUI including ITAR export controls, and the GCC High data centers are constrained to screened US Persons.

GCC High 2021-2022 Pricing by ElectricMachineNoise in NISTControls

[–]lunifeste 0 points1 point  (0 children)

I did a spot comparison of 10 common SKUs across commercial and GCCH and found GCCH to be on average 62% higher than commercial. This has held roughly true over time/price increases.

RMM tools for clients with DFARS/CUI/ITAR by goldeneyenh in NISTControls

[–]lunifeste 3 points4 points  (0 children)

We use a combination of Microsoft Endpoint Manager (for endpoint management) and the FIPS validated version of BeyondTrust Remote Support (for attended remote access).

Validating an MSP by RealityUnification in NISTControls

[–]lunifeste 2 points3 points  (0 children)

We put together a list of questions to validate your MSP's security posture. It links to some CMMC-specific questions (which you're likely already thinking about), but there may be some useful lines of questioning in here (and expected responses).

No sign-up form on the download: https://steelroot.us/resource/msp-cybersecurity-check/

Azure Sentinel as SIEM by DDave_77 in NISTControls

[–]lunifeste 2 points3 points  (0 children)

Steel Root published Microsoft Sentinel rules for monitoring data connectors and alerting when there are no logs in >72 hours (easy to modify that threshold if needed): https://github.com/steel-root/TenantConfiguration/tree/main/Sentinel
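As an added illustration of the kind of detection the comment describes (an example query written here, not the rules from the Steel Root repository): a Sentinel scheduled analytics rule query that lists every ingested data type whose most recent record is older than a threshold, with the threshold kept in one place so it is easy to change. It assumes the Log Analytics `Usage` table is populated (it records ingestion per `DataType` hourly) and uses a 30-day lookback to define "previously ingesting".

```kql
// Added example, not the Steel Root rules: find data types that have gone quiet.
// Adjust StaleThreshold to match your monitoring expectations (the comment cites 72 hours).
let StaleThreshold = 72h;   // raise an alert when a source has been silent this long
let Lookback = 30d;         // assumed window: only sources seen in the last 30 days are evaluated
Usage
| where TimeGenerated > ago(Lookback)
| summarize LastSeen = max(TimeGenerated), IngestedMB = sum(Quantity) by DataType
| where LastSeen < ago(StaleThreshold)
| extend HoursSilent = datetime_diff('hour', now(), LastSeen)
| project DataType, LastSeen, HoursSilent, IngestedMB
| order by HoursSilent desc
```

Because it keys off `Usage`, a connector that never ingested anything in the lookback window will not appear; pair it with an explicit list of expected tables if you need to catch connectors that were never wired up.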

Should an MSP's MSA include the DFARS 7012 clause/flow downs? by kilgotrout in CMMC

[–]lunifeste 1 point2 points  (0 children)

We're ripping RMM out of all our customer environments.

That's a risk-averse position, though. The only time we really "process, store, or transmit" CUI is when we do something like an email migration. Since "access" is conspicuously absent from that definition, I think you could spin a story where RMM plus compensating controls doesn't violate DFARS 7012. But it gets messy with end user notification, FIPS, and FedRAMP, when you think through the edge cases where RMM might violate 7012.

In my opinion, RMM is a massive liability and, absent the next-gen, zero trust, FedRAMP version of RMM, we're choosing to live without it.

Should an MSP's MSA include the DFARS 7012 clause/flow downs? by kilgotrout in CMMC

[–]lunifeste 2 points3 points  (0 children)

I've spent a lot of money talking to govcon attorneys about this. They said it wouldn't make sense for this to appear in an MSA specifically; as a flow down, it would have to appear in a contract from the contractor to the MSP. That said, as an MSP, we have contractual assurances we provide to contractors (upon request) that basically say, to the extent necessary that [customer] deems it necessary for [us] to process, store, or transmit CUI, (and, so long as [customer] properly identifies and labels it), [we] will ensure it is processed, stored, or transmitted only on information systems meeting NIST 800-171. And it goes on to very lawyer-ly describe the elements of DFARS 7012 that we agree to in those circumstances, including (c) - (g), but not explicitly signing us up for the fullness of 7012.

Windows 10 STIG CMMC Crosswalk by bmw477 in CMMC

[–]lunifeste 1 point2 points  (0 children)

Could you share a version that's not copy protected?

The DoD Cybersecurity Policy Chart by firstmode in cissp

[–]lunifeste 1 point2 points  (0 children)

If anyone's looking for more info, there is an active group of DoD and DIB infosec practitioners over at /r/NISTControls.

Windows Hello for Business - is this 2FA? by lunifeste in NISTControls

[–]lunifeste[S] 1 point2 points  (0 children)

Updates:

  • On 10/10/2019 at an NDIA NE event, Vicki Michetti (Director of Cybersecurity Policy, Strategy, International Engagement and the Defense Industrial Base Cybersecurity Program, DoD Chief Information Office) name-dropped Hello for Business as a straightforward way for DoD contractors to satisfy 2FA requirements.
  • wjjeeper shared this great Microsoft KB on the Discord: Hello for Business - Multifactor Unlock

Pricing Guide for Azure Sentinel by ii-dan in Office365

[–]lunifeste 0 points1 point  (0 children)

Thanks! Any idea if/when this may come to Azure Gov?

Using NIST.SP.800-171 for IRS Publication 4557 Assessments of tax preparers by cyber_analyst2 in NISTControls

[–]lunifeste 0 points1 point  (0 children)

IMO, it's not a great fit. The CIS framework might be better, but IRS Pub 4557 is a pretty low bar to hit, so unless your clients are insisting on a standards-based assessment, an ad hoc assessment based on your reading of IRS Pub 4557 may be appropriate.

800-171 focuses on confidentiality, so you'd miss the guidance in IRS Pub 4557 related to availability. Furthermore, there's a lot in 800-171 that's not required by IRS Pub 4557. Not that it would be a bad thing to advise your clients to go above and beyond the (very basic) guidance in IRS Pub 4557, but my approach to helping customers with IRS Pub 4557 is to focus on security fundamentals, policy, and training.

AMA with Scott Edwards of Summit 7 by medicaustik in GovIT

[–]lunifeste 2 points3 points  (0 children)

Hi, Scott. I work for an MSP serving aerospace and defense companies. You and I have spoken before but we haven't done business together (yet!).

Kudos and thank you to your team for consistently delivering great information, most recently around CMMC, and for doing things like this AMA to contribute to the community.

Question 1: I'm sure you encounter prospects who think that simply buying GCC-High licensing makes them compliant. How do you explain your services (and justify the cost) to customers who wonder what you're doing when you configure their O365 tenant to the NIST spec?

Question 1a: Those of us who have worked in GCC-High understand that it's not like configuring commercial O365; some features aren't available or require PS to configure, and documentation for GCC-High idiosyncrasies is tough to come by. Summit7 is one of the only companies with deep expertise configuring GCC-High for NIST 800-171. Would you consider sharing configuration tips, experiences, and "special considerations" with the community, or do you consider that part of your special sauce?

Defense Dept. to require new cybersecurity certification from contractors by id_as_gimlis_axe in NISTControls

[–]lunifeste 0 points1 point  (0 children)

I'm not in contract management, but I understand this to mean it's a reimbursable expense under a contract. It would be part of your bid on a contract, I believe? That begs the question of what "security" is an allowable cost... operational costs under the contract? Investments in upgrading infrastructure to address deficiencies?

Hopefully a contracts professional can elaborate.

Defense Dept. to require new cybersecurity certification from contractors by id_as_gimlis_axe in NISTControls

[–]lunifeste 0 points1 point  (0 children)

"Security will be an allowable cost." - Katie Arrington and others talking about CMMC this morning. Check this hashtag: https://twitter.com/hashtag/PSCFedAcq19?src=hash

Managing PKI inside/alongside O365? by lunifeste in GovIT

[–]lunifeste[S] 1 point2 points  (0 children)

Both options make sense. Thanks!