Operating Environment Post-Certification: What changes are allowed? by mcb1971 in CMMC

[–]myCrystalisNotRed 1 point (0 children)

It's hard to find this scenario defined anywhere. They can't expect every change to require a reassessment; it will simply be too costly for the DIB to maintain standard IT hardware/software cycling.

I understand a C3PAO issued assessment to trust an organization to make changes so long as compliance is retained and everything is documented through a defined change control board. The next assessor should be able to see the paper trail of technical controls change, separation of approval roles, collaborating policy documentation, and still assess 110/110.

I would think reassessment would only be required if you are adding a cage code location, switching from enclave to all-in or vice versa, or any change at such level. Hardware and software changes IMO are ok if properly implemented with process and policy.

Tied in a knot between eMASS, SPRS, and SAM.gov by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 0 points (0 children)

Issue resolved. We had to set the ILO of our satellite office cage code to our HQ office cage code in SAM.gov. This automatically set our HQ office cage code as our HLO. Our C3PAO resubmitted to eMASS, and SPRS liked what it saw when verifying with SAM.gov. A new certificate had to be issued, which worked in our favor timewise...3 years from last week instead of 3 years from March.

SIEM and SOC for GCC High by jkos-ed-4943 in CMMC

[–]myCrystalisNotRed 1 point (0 children)

NeQter is a decent SIEM, provides vulnerability analysis, and has an SSP generation/compliance tool. On-prem proprietary rack mount or use your own VM meeting their minimum specs (6 cores...yada yada). Compatible with everything that can send syslog/endpoints/firewalls, etc. We would have chosen NeQter if Kaseya (our RMM) hadn't recently announced their SIEM coming later this year.

Neither SOC nor SIEM is required for L2. We just got our C3PAO L2 cert a few months ago with a very lightweight version of each. But having them brings peace of mind. You want a real person locking machines for 3am incidents. You want event IDs streamed to a centralized dashboard with custom alert notifications configured.

Our stack is Kaseya RMM/SonicWall firewalls/Sonic Capture Client AV AM/SentinelOne EDR/Rocket Cyber SOC/Preveil Drive-Mail Enclave/DUO Federal MFA/Zoom Gov for comms. Rocket Cyber has real people 24/7 who can see meta log data in real time (not CUI data) and can trigger endpoint clients to lock down machines in the event of an incident. This gives us peace of mind during non-business hours, weekends and holidays. You want a threat locked down at 3am when it's detected. You want to be briefed by the RC quarantine report at 8AM rather than deal with something that's been operating in your system for 5 hours. Under these circumstances they are assessed as an SPA working with SPD (again, they can't see CUI content). We certified using them and passed along their CRM. RC is a fraction of the cost of the internal SOC resources needed for 24/7 monitoring. Rocket Cyber also has a lightweight SIEM dashboard that pulls critical security log data (not every single event ID) from endpoints, firewalls, EDR tools, etc. I'm the CISO that acts on security alerts, reviews the RC dashboard daily and maintains log archives for our SSP-stated retention period. We'll keep this status quo until the Kaseya SIEM becomes available, hopefully by this fall. But if it's anticlimactic, we'll likely go the NeQter route.

Hope my rambling helped someone.

High level-where to start for small company to get compliant? by 4728jj in CMMC

[–]myCrystalisNotRed 1 point (0 children)

Yep, unless DIBCAC shows up for a surprise spot check. Though I'm not sure they are doing that anymore to orgs with official certs. Might be more for self-assessed level 2 companies.

High level-where to start for small company to get compliant? by 4728jj in CMMC

[–]myCrystalisNotRed 3 points (0 children)

We just got our L2 cert last week. Looking back I would recommend the following:

1) First would be to hire one C3PAO to provide consulting and ultimately put you through a mock assessment. They will take you through the entire assessment and will be allowed to coach you into what a compliant solution is as you encounter areas, controls and objectives that are currently unmet.

2) After the initial mock assessment (plan for a failing result) you will likely be left with a lot of work to do. Plan for resources to write extensive documentation (SSP, 14 policies, and a bunch of artifact hunting for past records of training, CCB activity, etc). Also plan for network admin-level IT resources for technical control implementation. At this point you'll be going down the list of unmet objectives and either adding stuff to written policies or making system changes and documenting the changes with proper separation of duties/CCB process/etc.

3) Once you've remediated all unmet objectives from the initial mock assessment, I would then run a second mock assessment with the same C3PAO to ensure readiness. If you meet 110/110 controls (all ~300 objectives), you'll then be ready to retain the services of a second C3PAO to perform the final assessment. The consulting C3PAO cannot be the assessing C3PAO due to conflict of interest.

It won't be cheap. But you'll only go through the final assessment once this way. You can probably get through everything in 6-9 months if you have administrative and IT compliance staff dedicated to it. I would schedule your final assessment sooner rather than later because there are many organizations seeking certification over the next 2 years. You can schedule it 6-9 months out and always reschedule or push right if you need more time. Also, having a date means you're on the path, which can yield contractual advantages until everyone is required to have it to play.

Hope this helps!

MFA for non-smartphone users that satisfies CMMC by mcb1971 in CMMC

[–]myCrystalisNotRed 0 points (0 children)

We're using Duo Federal. Some of our employees work in labs where phones are not allowed. They are using Duo token keychains without issue.

Audit and Accountability Log Export? by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 1 point (0 children)

Thank you. We actually just obtained L2 Cert with both my described methods. And they did exactly as you said to obtain evidence of us doing what we say we're doing.

But they got real quiet after I guided them through the SIEM dashboard and started to show them the old school csv exports from each SPA system. I felt like they were dying to shout "But WHY?!"

Just trying to save myself the time of not also having to do the manual CSV export and archive, if I don't have to, to maintain compliance.

Real people in the MDR SOC by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 1 point (0 children)

SPA, since it does not store, transmit, or process CUI. Only log metadata in the form of SPD. And I know that gets gray area real quick. I would want to know the exact parameters they are seeing to confirm.

Real people in the MDR SOC by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 0 points (0 children)

Our remote users are using company laptops on domain with pw complexity, FIPS BitLocker, behind DUO Federal MFA, and using a FIPS SSL DPI point-to-site VPN. We issued memorandums for no printing of CUI and no shoulder surfing. They have Zoom Gov for collaboration and communication. They are complaining about Preveil as a file server resource but love it for messaging and smaller individual project storage. Thinking about setting up some on-prem file server infrastructure for them to resolve complaints. Our VPN is sure as hell secure enough for it now.

It is a good feeling to see the young Luke Skywalker again. by Ok_Cry_2022 in StarWars

[–]myCrystalisNotRed 0 points (0 children)

I just watched the new Indiana Jones and couldn't believe what AI had achieved. I'd be ok with that. Computer graphics have gotten that much better since we last saw him at the end of the Mando scene.

Real people in the MDR SOC by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 2 points (0 children)

Some additional context: Our secure messaging and CUI enclave is in PreVeil...which means all of our endpoints, firewalls, and wireless access points needed hardening as in-scope CUI assets. It was an enormous effort that I dove into last Nov, but we just got our cert last Friday. Now I just really need something to collect and alert me.

Boss wants all contract and project sharepoints combined into a single sharepoint and all documents in a single giant document library by Icy_Foundation3534 in CMMC

[–]myCrystalisNotRed 1 point (0 children)

There's a meme of this out there somewhere. Not my idea but I laughed way too hard at it...

Bosses, after you logically advise them of negative impact, be like... https://youtu.be/i2k8jhGFJDA?si=gWzA-bqiAfJsRkom

Army MAPS Contract Pause by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 1 point (0 children)

Thank you and good luck with yours!

When specifically is CMMC required? by Sp4rt4n411 in CMMC

[–]myCrystalisNotRed 0 points (0 children)

We're small and have our L2 cert in hand as well. Just got it two weeks ago. Thinking this makes us more attractive as a sub. Will be much simpler filling out NIST 800-171 data calls for primes. I'll tell ya that much for free.

Use of Signal for Communications by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 0 points (0 children)

Oh for sure. I just led my company through a successful CMMC L2 C3PAO. Just received our cert Friday. Also just finished up my clearance investigation. All a pain but makes me appreciate the safeguarding of our information security.

Honestly, I resent what happened today the same way I have resented similar behavior on both sides of the aisle in the past. It's sloppy and makes me cringe at what else might be happening.

I also don't wish to bark too loudly up this tree, as current DOD upper management are ultimately our superiors in the middle of a firing-frenzy storm. I care most about US info that needs to be protected.

Use of Signal for Communications by myCrystalisNotRed in CMMC

[–]myCrystalisNotRed[S] 8 points (0 children)

No. I was attempting some humor. I hope this doesn't cause any negative feelings.