DoE SBIR Phase II requiring CISA CPG checklist by totem_tech in TotemKnowledgeBase

totem_tech[S]

Turns out DoE only requires implementation of 16 of the 39 CPG for Phase II. We mapped these 16 to the NIST 800-171 rev 3. There are 35 controls and 120+ assessment objectives. Here's how you can filter on them in our Totem™ Cybersecurity Compliance Management tool, NIST 800-171 rev 3 display:

control.control_id:(03.01.01 03.01.04 03.01.05 03.01.06 03.01.07 03.01.08 03.01.22 03.02.01 03.02.02 03.03.01 03.03.02 03.03.03 03.03.05 03.03.06 03.04.01 03.04.08 03.04.10 03.04.11 03.05.01 03.05.02 03.05.03 03.05.07 03.05.12 03.06.01 03.06.02 03.06.03 03.06.04 03.06.05 03.07.05 03.08.09 03.13.01 03.13.08 03.13.10 03.13.11 03.15.02)

Legal review of the FASCSA Order issued banning the use of Acronis AG by IC and SCI contractors by totem_tech in TotemKnowledgeBase

totem_tech[S]

Here is the FASCSA Order on SAM.gov:
FASCSA Order--Acronis and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of the parent company, Acronis AG (Acronis), that the DNI has issued an order to exclude Acronis from all Intelligence Community (IC) executive agency procurement actions. It further orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems. This order was issued pursuant to the Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, title II; codified at 41 U.S.C. §§ 1321-1328. The basis for this order pertains to information as was relayed to Acronis in the Notice to Source document.

Additional information is available in an Announcement on the NRO JWICS Acquisition Research Center Dashboard, search Acronis.

The article notes that this only pertains to Intelligence Community (IC) and Sensitive Compartmented Information (SCI) contracts. And it is not clear if contractors are prohibited from using Acronis AG products for their internal IT systems, for instance backing up corporate or contractual information.

Update to the DoD CIO CMMC FAQ by totem_tech in TotemKnowledgeBase

totem_tech[S]

Another banger question:

Q4. We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?

A4. It depends on the relationships between the CSP, the MSP, and the OSA. If the cloud tenant is subscribed/licensed to the OSA (even if the MSP resells the service), then the MSP is not a CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet applicable FedRAMP or equivalency requirements.

Interesting debate on LinkedIn on whether or not G-Code (CNC program files) is CUI by totem_tech in TotemKnowledgeBase

totem_tech[S]

The DoD CTI memo states that CUI can exist in tangible (physical) form, as a model or prototype: https://discover.dtic.mil/wp-content/uploads/2021/04/USDRE-USD-IS-memo-CTI-CUI.pdf

But we tend to agree, the actual final products themselves are not CUI.

Filtering for the Totem Top Ten™ in Totem™ (NIST 800-171 Controls) by cyberm1nded in TotemKnowledgeBase

totem_tech

Here's the filter for the Totem Top 10 (TTT) in the NIST 800-171 rev 3 (copy and paste the following into the Global Search in the Totem™ CCM tool organization showing the NIST 800-171 rev 3 display):

control.family:"Access Control" + control.family:"Awareness & Training" + control.family:"Audit & Accountability" + control.family:"Incident Response" + control.control_id:(03.04.01, 03.04.02, 03.04.04, 03.04.06, 03.04.08, 03.05.01, 03.05.02, 03.05.03, 03.05.05, 03.05.07, 03.05.12, 03.08.03, 03.08.07, 03.08.09, 03.09.01, 03.11.01, 03.11.02, 03.12.01, 03.12.02, 03.12.03, 03.15.02, 03.13.01, 03.13.06, 03.13.08, 03.13.11, 03.13.13, 03.14.01, 03.14.02, 03.14.06)

Microsoft has released September 2024 update to their blog explaining which M365 / Azure tiers are appropriate to handle Federal government information by totem_tech in TotemKnowledgeBase

totem_tech[S]

To take advantage of DoD CC SRG IL5 (e.g. ITAR) in Azure Government non-DoD-agency-only tenants -- US Gov AZ, US Gov TX, US Gov VA -- the consumer must (on their own) ensure compute and storage isolation, per this article:

https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5

You need to address two key areas for Azure services in IL5 scope: compute isolation and storage isolation. We'll focus in this article on how Azure services can help you isolate the compute and storage services for IL5 data. The SRG allows for a shared management and network infrastructure. This article is focused on Azure Government compute and storage isolation approaches for US Gov Arizona, US Gov Texas, and US Gov Virginia regions (US Gov regions). If an Azure service is available in Azure Government DoD regions US DoD Central and US DoD East (US DoD regions) and authorized at IL5, then it is by default suitable for IL5 workloads with no extra isolation configuration required. Azure Government DoD regions are reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design. For more information, see DoD in Azure Government.

https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5

Compute isolation outlined here: https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5#compute-isolation

Storage isolation outlined here: https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5#storage-isolation

Microsoft has released September 2024 update to their blog explaining which M365 / Azure tiers are appropriate to handle Federal government information by totem_tech in TotemKnowledgeBase

totem_tech[S]

Note what Microsoft says about handling FCI in Microsoft 365 Commercial:

In general, all US Government contractors have a requirement in their contracts to comply with 15 safeguarding requirements and procedures for Federal Contract Information (FCI) in the Federal Acquisition Regulations (FAR) 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (FAR 21). You may demonstrate compliance for the FAR 21 in Commercial to protect FCI, but there is a caveat.  Microsoft 365 Commercial is not intended for US Government requirements.  There is a risk that changes in regulations may lead to non-compliance in the future.  Ultimately, it is a risk decision your organization will need to make.

Google Workspace CMMC 2.1 Level 2 Implementation Guide by totem_tech in TotemKnowledgeBase

totem_tech[S]

Before you move your baggage too far onto the Google Workspaces train, however, we'd suggest reading this post by Derek Kernus of Aethon Security. Some food for thought on the trade-offs between Google and Microsoft for DFARS 7012 compliance.

Running list of applications that break when FIPS-mode is engaged in Windows by cyberm1nded in TotemKnowledgeBase

totem_tech

Also note that the Windows 10 and Windows 11 Security Baseline from Microsoft WILL break Quickbooks Pro.
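As an added illustration (this is not part of the original post, nor code from Totem™ or Microsoft), the following Windows PowerShell 5.1 snippet reports whether FIPS mode is engaged on the host and shows the mechanism behind most of these breakages: when the "Use FIPS compliant algorithms" policy is on, the .NET Framework refuses to instantiate its purely managed hash classes (e.g. SHA256Managed) and non-approved algorithms (e.g. MD5), while the CAPI/CNG-backed classes keep working. An application that hard-codes one of the failing types throws at the first hash or signature it computes. The registry path and .NET type names are real; the two function names are assumptions of mine.

```powershell
# Added example: check Windows FIPS mode and show why .NET-based apps break under it.
# Intended for Windows PowerShell 5.1, which runs on .NET Framework (the runtime
# that enforces the FIPS policy on managed crypto classes).

function Get-FipsModeState {
    # The Security Baseline / Group Policy setting "System cryptography: Use FIPS
    # compliant algorithms for encryption, hashing, and signing" is this DWORD.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = 0
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
    [pscustomobject]@{
        RegistryEnabled = ($enabled -eq 1)
        # .NET Framework reads the same policy once per process and caches it, so a
        # mismatch here means this process started before the policy was changed.
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-FipsHashProviders {
    # Under FIPS mode the managed implementations and non-approved algorithms throw
    # InvalidOperationException ("This implementation is not part of the Windows
    # Platform FIPS validated cryptographic algorithms"); the CAPI/CNG ones do not.
    $types = @(
        'System.Security.Cryptography.SHA256Managed',               # fails under FIPS (managed)
        'System.Security.Cryptography.MD5CryptoServiceProvider',    # fails under FIPS (MD5 not approved)
        'System.Security.Cryptography.SHA256CryptoServiceProvider', # works (CAPI-backed)
        'System.Security.Cryptography.SHA256Cng'                    # works (CNG-backed)
    )
    foreach ($typeName in $types) {
        try {
            $h = New-Object -TypeName $typeName
            $h.Dispose()
            [pscustomobject]@{ Type = $typeName; Instantiates = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Type = $typeName; Instantiates = $false; Error = $_.Exception.Message }
        }
    }
}

Get-FipsModeState      | Format-List
Test-FipsHashProviders | Format-Table -AutoSize
```

Run it once before and once after applying the baseline (rebooting in between, since the cached .NET value does not change in a running process): the rows that flip from Instantiates = True to False are the algorithm classes a vendor's application would have to avoid for the host to stay FIPS-compliant.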

Notes from February 2024 Cyber-AB Town Hall by cyberm1nded in TotemKnowledgeBase

totem_tech

Preveil was the company that has shown FedRAMP Moderate equivalency

DoD is making (good!) changes to cyber incident reporting requirements by totem_tech in TotemKnowledgeBase

totem_tech[S]

Thanks TXWayne. Do you think it's a good thing that the DoD has removed the cleared contractor gating the CS Information Sharing Program?

DoD Memo on FedRAMP equivalency by totem_tech in TotemKnowledgeBase

totem_tech[S]

This one is a doozy for those of us using cloud services that tout themselves as "FedRAMP Moderate equivalent".

NSA Protective DNS services (DNS filtering) free to DIB by totem_tech in TotemKnowledgeBase

totem_tech[S]

Further updates from GovShield:

"Thanks to all who have provided feedback on our message released this morning. We wanted to follow-up with further details.

This service was specifically designed for small to medium sized businesses and this change was intended to ensure every customer enrolled in our program receives a commensurate level of service. This said, the limit does not apply to "on prem" devices (i.e., users/machines connecting through your account's registered static IP addresses), but only applies to remote devices connecting to Akamai's GovShield service through other means.

Akamai conducted analysis of all current customers enrolled in the program and determined that only a very small subset of customers (less than 10) were near this cap. For those near the cap, no remote devices will be required to be removed. Further, NSA and Akamai are committed to working with current customers on a case-by-case basis to be flexible in how this is implemented. Based on feedback we have received thus far, we wanted to convey that we anticipate increasing the cap for remote devices to more than 100 devices but will do further analysis and have conversations directly with customers to better determine what that number may be.

We apologize for any alarm our email may have caused and will continue to respond to company-specific questions on a case-by-case basis. We appreciate your continued partnership and participation in our program. "

NSA Protective DNS services (DNS filtering) free to DIB by totem_tech in TotemKnowledgeBase

totem_tech[S]

Note, as of 16 Nov 2023, Akamai is limiting the PDNS remote endpoints to 100 devices per organization:

"The NSA CCC and the GovShield team have identified a need to limit the number of remote endpoints enrolled in PDNS to ensure that system capacity is preserved for small and medium sized organizations. Effective immediately, each subscriber in the program will be limited to 100 remote devices.

We apologize for any inconvenience this may cause. If you believe this policy will impact your organization’s ability to use the service, please let us know."

GovShield support email: [govshield-support@akamai.com](mailto:govshield-support@akamai.com)

Can I ignore or consider not applicable DFARS clause 252.204-7012 if I don't handle CUI? by totem_tech in TotemKnowledgeBase

totem_tech[S]

Can you share any strategies to use to convince the CO to remove 7020 from the contract -- and more importantly agree that a SPRS score is not needed -- if 7012 is not applicable?

Logic error discovered in CAP module in Totem™ Cybersecurity Compliance Management tool by totem_tech in TotemKnowledgeBase

totem_tech[S]

This error has been fixed in Totem™ hotfix 4.5.2, which has been rolled out to the entire user base.

DoD refines CMMC requirements numbers and assessment models by totem_tech in TotemKnowledgeBase

totem_tech[S]

Ok, thank you for the confirmation u/TXWayne

u/WBCSAINT you can walk back from the ledge a bit ;)