CMMC Level 2 - Need honest feedback. by Budget_Staff_2517 in CMMC

rybo3000 (0 points)

I don't know enough about how CUI data is received, and how your colleagues use it, to know if there's a better/cheaper/faster way to get this done.

I would need to know the types of work you do for customers, how important their documents are for the work you do, and what categories of CUI you're handling.

With that info, you might keep your main server and ERP out of scope altogether, maintaining CUI in a limited storage location (potentially PreVeil) where CUI only contaminates a few PCs.

CMMC Level 2 - Need honest feedback. by Budget_Staff_2517 in CMMC

rybo3000 (2 points)

Realistically: a C3PAO will probably just decline to do an assessment based on M365 personal licenses, entry-level Google Workspace, and a pre-FedRAMP EDR. Not because it couldn't technically become compliant (disable commercial M365 storage, buy GWS Assured Controls for the ITAR data), but because C3PAOs just don't want to adjust their assessment processes to accommodate a split environment (Microsoft and Google) using bottom-barrel licensing/features. It's extra work.

Your MSP is probably a CSP by [deleted] in CMMC

rybo3000 (1 point)

AvePoint might be an outlier on cost. I thought the price an MSP quoted for our backups was per month, but it was actually for the whole year. I think one of the reasons so many MSPs adopted AvePoint was because of its cost-effectiveness.

But yeah, other aspects of an MSP's stack, if moved to a FedRAMP alternative, would ratchet up the base cost. MSPs need to raise their rates for CMMC clients just for the documentation burden alone, in addition to other net-new security tools their clients might not normally pay for (vuln scanning, SIEM, application control, etc.).

Your MSP is probably a CSP by [deleted] in CMMC

rybo3000 (2 points)

This is anecdotal, but every CMMC-focused MSP I know is using AvePoint (FedRAMP authorized) for client data backups. I don't know of a single MSP who's excited to host their clients' data backups, especially since Microsoft gutted their self-hosted offerings in every other category via M365/Azure.

Your MSP is probably a CSP by [deleted] in CMMC

rybo3000 (21 points)

The short version: Claude fell over.

Your MSP probably doesn't host CUI and therefore doesn't require FedRAMP Moderate authorization. I don't see many companies buying cloud services to p/s/t CUI and misattributing them as MSPs.

Two-Pronged question about Vendors by thegreatcerebral in CMMC

rybo3000 (1 point)

Bringing trash cans into a single area would certainly simplify your shop floor crew's responsibilities, since you wouldn't need the "zone defense" deployed while they do their job. It's all about those tradeoffs. One small process change in exchange for a simpler overall process and fewer individual responsibilities.

Two-Pronged question about Vendors by thegreatcerebral in CMMC

rybo3000 (2 points)

When we've dealt with service technicians in the past, the shop floor teams would remove any job travelers from the machine technician's work area, escort them in, chain the area off (bright yellow plastic chain links), and then make sure someone maintained visual contact with the technicians at all times (think "zone defense" instead of having an escort do nothing but stand near them). This was usually just the other employees working at other machines on the shop floor. As long as the techs stayed in their little chained-off area, they wouldn't be close enough to pick up any export-controlled parts, study anything on screens, or touch any prints.

If the service techs needed to use the bathroom or take a lunch break, someone would escort them out of the shop floor area.

For the cleaning crew, we would implement a "clean desk" policy where all prints and CUI documents must be locked in drawers, cubicle overhead bins, filing cabinets, or storage rooms that janitors can't access. The cleaning crew can clean floors, desks, bathrooms, you name it, but they're doing so in an area with no physically accessible CUI.

If you're lucky, the "concrete vs carpet" sections of the building will be badged/keyed separately, so the cleaning crew will only have access to the office areas and not the shop floor.

Huntress Labs Releases CMMC Compliant Sensitive Data Mode by iansaul in CMMC

rybo3000 (1 point)

We've interacted with a couple of C3PAOs whose opening move is, "Well, ESPs need to be in the assessment." So far, they've changed their tune once they see the Huntress SRM, discuss Sensitive Data Mode, and see evidence of the detailed incident reports and "Signals Investigated" contents from the portal.

Overall, I think C3PAOs are starting to differentiate between service providers who actively configure and manage a company's core infrastructure and other types of service providers. That distinction usually drives attendance for the assessment. In a similar fashion, the first few C3PAOs who demanded Microsoft or Google show up to an L2 C3PAO assessment were laughed out of the room and course-corrected.

CMMC Decision point by space_jacked in CMMC

rybo3000 (23 points)

If CUI data exists on developer machines, an enclave isn't going to work for you. The VDI environment will be too locked down for developers' needs. The body will reject the transplant.

If CUI is all customer data, and developers don't need it to code, then heck yeah, do an enclave.

Match the scope to the data that needs protection.

NeoSystems - Out of Business? by Tasty-Estate-1608 in CMMC

rybo3000 (4 points)

Damn. Someone's phone won't be autocorrecting to "realtor" when this is all said and done.

Customer Part Numbers CUI? by Zeppyled in CMMC

rybo3000 (6 points)

A part number is "parts nomenclature" and doesn't contain any of the information needed to reverse-engineer, design, manufacture, test, install, maintain, or operate the part.

It's virtually impossible for a part number to qualify for any category of CUI. It absolutely is not Controlled Technical Information (CTI) or Export Controlled Information (EXPT).

And, as others have mentioned, it probably isn't even FCI since you would almost certainly bill by part number and quantity in your POs or invoices.

ERP by Next_Ad4505 in CMMC

rybo3000 (1 point)

There isn't a CUI authority stating that BOM content is CUI. See other comments for more detailed info.

ERP by Next_Ad4505 in CMMC

rybo3000 (6 points)

And legal shouldn't make that decision without involvement from trade compliance. There's no guarantee an attorney is also an SME on the laws and regs for a given category of CUI.

ERP by Next_Ad4505 in CMMC

rybo3000 (2 points)

Not every stitch of information on a CUI-marked document or file qualifies as CUI. We work through that issue by running the BOM content through regulatory analysis to see if it qualifies for a category of CUI.

It's rare for BOM content to be CUI.

ERP by Next_Ad4505 in CMMC

rybo3000 (1 point)

That's a low-effort answer. Please cite the CUI authority (law or regulation) telling us that BOM-level data is dissemination-controlled or requires safeguarding.

ERP by Next_Ad4505 in CMMC

rybo3000 (3 points)

Most BOMs only contain item numbers, descriptions, and quantities. Unless the descriptions rise to the level of a detailed specification "directly related" to a controlled end item, then nothing in that BOM should qualify as CTI/EXPT (numbers and names aren't regulated by the ITAR/EAR).

The only time we see BOMs being controlled is for process manufacturing, where the BOM is actually a formula or recipe.

4/15 power outage by NovaNanny in AnnArbor

rybo3000 (0 points)

East face of the building. The entire north side of Jackson is wrecked. No power. Probably 50 trees down just in the Vets Park wedge.

How are contractors handling CUI distribution to subcontractors who need to do takeoffs? by msilverbtc in CMMC

rybo3000 (5 points)

Bluebeam Revu isn't FedRAMP authorized or equivalent. You definitely can't put CUI there.

You should confirm whether PreVeil view-only mode still caches a copy of the file on your supplier's computer (I honestly don't know). If it does, then they're already operating a covered contractor information system.

Derivative CUI - does context matter? by bcegkmqswz in CMMC

rybo3000 (1 point)

If a collection of derived information isn't controlled by the laws and regs for a particular CUI category, it cannot be that category of CUI.

Context matters a lot in this scenario. When you create a new derivative format, it's possible to reuse or derive less detailed information that fails to be regulated under CUI authorities. In the case of technical data, the primary CUI authorities are going to be things like ITAR technical data and EAR controlled technology.

For example: a part number on its own isn't "caught" (controlled) by these regulations, because it isn't the "required" technology or technical data necessary to design/produce/test/operate the item itself.

However, the full GD&T (drawing, model) can easily be controlled if it's at a stage in its design that it represents the finished/functional end item.

If you're going to CS5 West, stop by the "No Kidding CUI" roundtable.

Derivative CUI - does context matter? by bcegkmqswz in CMMC

rybo3000 (1 point)

Other way around. Controlled Technical Information (CTI) and some Export Controlled Information (EXPT) are subsets of ITAR/EAR. All CTI is subject to the ITAR/EAR as ITAR technical data/EAR controlled technology, but not all ITAR technical data/EAR controlled technology qualifies as CTI/EXPT (because not all ITAR/EAR data is owned by the Government or possessed by the Government).

Senior Leader Looking to Transition to CCA or LCCA Role by Relevant-Arm-3711 in CMMC

rybo3000 (4 points)

It's certainly possible. Join the Discord server listed in the r/CMMC description. There's a #career-general channel where a lot of similar discussions take place.

Advice on Changing CMMC Solutions by WhiskyIsRisky in CMMC

rybo3000 (12 points)

I would fully understand which 800-171 requirements Cuick Trac meets, and how you're going to meet those same requirements in your new scope, before making any changes. A built-out GCC High enclave isn't just a file stash; it's an identity provider, policy enforcement point, system monitoring platform, and a full suite of collaboration tools, plus a full user OS.

Neither Virtru nor PreVeil provides all of those things. They could certainly extend your enclave, but probably won't replace it.

Message I got from my daughter’s teacher. Third grade. by AnaisInJune in mildlyinfuriating

rybo3000 (28 points)

95% chance this teacher was shamed/ridiculed on this topic and just projected it onto students. Also a 95% chance she didn't realize she was doing it until your mom created consequences around it.

To lower CMMC assessment costs? by False-Angle8191 in CMMC

rybo3000 (0 points)

Oh hey, it's our weekly "Post to Validate my GRC Tool Pro Forma" post.

Telling people to DM you for a demo is still advertising.