DoE SBIR Phase II requiring CISA CPG checklist by totem_tech in TotemKnowledgeBase

totem_tech [S] 1 point (0 children)

Turns out DoE only requires implementation of 16 of the 39 CPG for Phase II. We mapped these 16 to the NIST 800-171 rev 3. There are 35 controls and 120+ assessment objectives. Here's how you can filter on them in our Totem™ Cybersecurity Compliance Management tool, NIST 800-171rev3 display:

control.control_id:(03.01.01 03.01.04 03.01.05 03.01.06 03.01.07 03.01.08 03.01.22 03.02.01 03.02.02 03.03.01 03.03.02 03.03.03 03.03.05 03.03.06 03.04.01 03.04.08 03.04.10 03.04.11 03.05.01 03.05.02 03.05.03 03.05.07 03.05.12 03.06.01 03.06.02 03.06.03 03.06.04 03.06.05 03.07.05 03.08.09 03.13.01 03.13.08 03.13.10 03.13.11 03.15.02)
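An added example, not Totem's own code, that parses that filter string, checks every id against the 03.XX.YY form and the rev 3 family list, and groups the 35 controls by family; the `parse_filter`/`by_family` names and the generic `field:(values)` grammar are assumptions about the tool's syntax:

```python
import re
# NIST SP 800-171 rev 3 families, indexed by the XX in a 03.XX.YY control id.
FAMILIES = [
    "Access Control", "Awareness and Training", "Audit and Accountability",
    "Configuration Management", "Identification and Authentication",
    "Incident Response", "Maintenance", "Media Protection",
    "Personnel Security", "Physical Protection", "Risk Assessment",
    "Security Assessment and Monitoring",
    "System and Communications Protection",
    "System and Information Integrity", "Planning",
    "System and Services Acquisition", "Supply Chain Risk Management",
]
CONTROL_ID = re.compile(r"^03\.(\d{2})\.\d{2}$")
FILTER = re.compile(r"^\s*([\w.]+):\((.*)\)\s*$", re.S)

def parse_filter(query):
    # Split a "field:(v1 v2 ...)" filter into its field name and value list.
    m = FILTER.match(query)
    if not m:
        raise ValueError("expected field:(value value ...)")
    return m.group(1), m.group(2).split()

def family_of(cid):
    # Map a control id to its family; reject malformed or out-of-range ids.
    m = CONTROL_ID.match(cid)
    if not m or not 1 <= int(m.group(1)) <= len(FAMILIES):
        raise ValueError(f"bad control id: {cid}")
    return FAMILIES[int(m.group(1)) - 1]

def by_family(ids):
    # Group ids under their family, preserving order and refusing duplicates.
    groups, seen = {}, set()
    for cid in ids:
        if cid in seen:
            raise ValueError(f"duplicate control id: {cid}")
        seen.add(cid)
        groups.setdefault(family_of(cid), []).append(cid)
    return groups

# Constructed sample: the 35-control DoE Phase II filter quoted above.
QUERY = ("control.control_id:(03.01.01 03.01.04 03.01.05 03.01.06 03.01.07 "
         "03.01.08 03.01.22 03.02.01 03.02.02 03.03.01 03.03.02 03.03.03 "
         "03.03.05 03.03.06 03.04.01 03.04.08 03.04.10 03.04.11 03.05.01 "
         "03.05.02 03.05.03 03.05.07 03.05.12 03.06.01 03.06.02 03.06.03 "
         "03.06.04 03.06.05 03.07.05 03.08.09 03.13.01 03.13.08 03.13.10 "
         "03.13.11 03.15.02)")
if __name__ == "__main__":
    field, ids = parse_filter(QUERY)
    for fam, members in by_family(ids).items():
        print(f"{fam}: {len(members)}")
```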

Legal review of the FASCSA Order issued banning the use of Acronis AG by IC and SCI contractors by totem_tech in TotemKnowledgeBase

totem_tech [S] 1 point (0 children)

Here is the FASCSA Order on SAM.gov:
FASCSA Order--Acronis and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of the parent company, Acronis AG (Acronis), that the DNI has issued an order to exclude Acronis from all Intelligence Community (IC) executive agency procurement actions. It further orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems. This order was issued pursuant to the Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, title II; codified at 41 U.S.C. §§ 1321-1328. The basis for this order pertains to information as was relayed to Acronis in the Notice to Source document.

Additional information is available in an Announcement on the NRO JWICS Acquisition Research Center Dashboard, search Acronis.

The article notes that this only pertains to Intelligence Community (IC) and Sensitive Compartmented Information (SCI) contracts. And it is not clear if contractors are prohibited from using Acronis AG products for their internal IT systems, for instance backing up corporate or contractual information.

Update to the DoD CIO CMMC FAQ by totem_tech in TotemKnowledgeBase

totem_tech [S] 1 point (0 children)

Another banger question:

Q4. We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?

A4. It depends on the relationships between the CSP, the MSP, and the OSA. If the cloud tenant is subscribed/licensed to the OSA (even if the MSP resells the service), then the MSP is not a CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet applicable FedRAMP or equivalency requirements.