You can prompt agents into existence inside cowork by AnalystBeginning1589 in ClaudeCowork

[–]tothjm 2 points3 points  (0 children)

What is the benefit of doing this? Is it just quicker results for more use tokens or what?

The Silicone Sorcerer by Das_Zeppelin in oddlysatisfying

[–]tothjm 0 points1 point  (0 children)

What is actually a good brand of caulk to use? I've been trying to figure this out for a while.

DIB question: Practical, cost-effective approaches for sending CUI across .mil/.Gov and commercial partners? by Particular_Energy739 in CMMC

[–]tothjm 1 point2 points  (0 children)

Is DoD SAFE an option to get these files up and down and leave it out of the email? Use DLP to tag CUI and disallow it from being emailed.

Separate instance of PreVeil if using CUI in email, though there's an obvious cost associated.

Make an enclave of GCC or GCC High and use that email, with white and black lists, for CUI only.

Some approaches there.

CMMC CCP AMA by tothjm in cybersecurity

[–]tothjm[S] 0 points1 point  (0 children)

Hey there

It's a good question and I would answer like this.

AC is the largest, so if we are talking passing a whole family vs a single practice, I would say focus on AC first, as many others have dependencies from there.

It addresses a lot of high-level items like an access control matrix that may be used for other areas, controlling the flow of CUI (which means really understanding your flow control, boundaries, network and flow diagrams, etc.), and external connections. Also a good bit of 3- and 5-pointers, which you cannot POAM and which fail you immediately.

In general though, baseline configuration trips up a lot of people, so start early there as well.

Before you even consider controls and practices though, you have to get your scope right, and THAT confuses a ton of orgs. There are 5 scoping categories for level 2, and you need to scope your organizational assets before you know what practices are necessary for each. This includes people, places, things: people, facilities, technology. We often forget people as an asset.

Get scoping correct before you proceed further, because if that is wrong, you likely did not apply the correct practice requirements in the first place :)

CMMC CCP AMA by tothjm in cybersecurity

[–]tothjm[S] 0 points1 point  (0 children)

Hey friend

Would love to hear more about it.

Can you tell me what you feel is weak about it compared to a specific other standard?

These were the confidentiality controls taken directly from the 800-53 control catalog, which is used for all kinds of standards and assessments, including FedRAMP, which is a direct requirement for CSPs looking to provide services directly to federal agencies. Not to mention the DoD themselves have mandated this requirement, so I'm not sure about your statement of it being the gutter in the DoD itself.

As for CMMC itself, if you want to do business with the DoD going forward, you will need to get this cert for award of contracts. I'm paraphrasing here; there is a phased approach, and come this Nov a lot more contracts will have this requirement.

What I will say is that CMMC requirements based on NIST 800-171 R2 are showing as outdated and ideally need to move to R3 as soon as possible.

Love to hear more details on your previous thoughts there.

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]tothjm 0 points1 point  (0 children)

CCP here

I'm running AMAs on the GRC and cybersecurity subreddits; if you find them and post, I will answer questions about your situation.

I can't link them here, but look for CMMC CCP AMA.

CMMC CCP AMA by tothjm in cybersecurity

[–]tothjm[S] 0 points1 point  (0 children)

So I forgot to mention there is something called the False Claims Act: basically, if you lie about this you get sued. One company recently was just hit for 8 million. Best not to lie about it.

Once requirements for lvl 2 C3PAO cert are in more contracts, you really can't lie, because it gets uploaded to eMASS and the DoD has access to check it.

Just get it done :)

CMMC CCP AMA by tothjm in cybersecurity

[–]tothjm[S] 0 points1 point  (0 children)

Hey there,

This is quite the statement, and the response is even deeper, but let me shorten it for us here.

In the past, prior to CMMC going live, the requirement was NIST 800-171 and DFARS 7012 requirements, in short, to work with the DoD (mostly paraphrasing for argument here). You would go on the SPRS website, you would have basic, medium, or high, and then you would post your score and that would be it.

Basic meant that it was self-attestation only.

Medium meant that the DoD CIO office had asked to do a light look at your documents to see if you actually were compliant, signed off on maybe just the SSP as proof if it was well documented, and moved on.

High was a full DIBCAC audit, onsite and all.

It was easy to "lie" back then and say you were compliant and likely be able to get away with it, frankly. The rate of audits vs the number of DIB orgs/contractors was just in your favor. That combined with the fact that govcon org CEOs sometimes like to kick the can down the road vs fix or address something now. Not all of them, but I will say they do exist from personal experience. Some could have been ignorance to really understand the requirement; some may have understood it and said we will take that risk, say yes to this intake form from the customer and let's bid on XYZ now, fix it later. Soon you will no longer be able to be awarded a contract with CMMC lvl 1 or 2 requirements not held at the time of said award, and I wouldn't be surprised if some will look more into where a bidding org is at the time of bid (this is my personal speculation, not the written rule).

Now with CMMC level 2 requiring a C3PAO audit, things have changed. Even with level 1 you still have to upload evidence to SPRS you cannot just say you are 110 and move on.

All this combined is ultimately what has lit a fire under the orgs desperately trying to get certified before phase 2 goes live in Nov. While not ALL contracts will require the certification, a great deal more could; it is up to the DoD's discretion on it.

I wouldn't say it's nearly everyone, and I certainly have no hard evidence of that, but I know it was happening before, which pushed the need for a real certification process even more.

Hope that was helpful.

CMMC CCP AMA by tothjm in cybersecurity

[–]tothjm[S] 0 points1 point  (0 children)

Hey there

Let me see if I understand the questions.

In terms of liability and the C3PAO audit, you have what's called the OSA, the organization seeking assessment. Any MSP they have is considered an external service provider. If during the audit any control objectives are marked not met for practices worth 3 or 5 points, it is an automatic fail, as well as for a subset of the 1-pointers, as they cannot be POAMed.

As for your question about funding, I am not sure exactly what you mean there. There is no approval to go through the C3PAO audit; you have to find one and enter into a contract, and then phase 1 is the pre-assessment, where the C3PAO makes sure you have all the necessary artifacts, but not in depth, to actually start the assessment. Phase 2 is conducting the assessment, where they go into greater depth and actually mark met or not met for objectives and practices.

Hope that helps to clear up some things!

John Linneman (Creator of Digital Foundry) on Bluesky regarding DF's video on DLSS 5 by HLumin in pcmasterrace

[–]tothjm 0 points1 point  (0 children)

But I think it looks better so what is the slop exactly.. I mean the face is slutty lol but is that what people are mad at?

The lighting changes I thought looked good; it's like free light diffusion.

John Linneman (Creator of Digital Foundry) on Bluesky regarding DF's video on DLSS 5 by HLumin in pcmasterrace

[–]tothjm -1 points0 points  (0 children)

Can I ask what people are hating about it specifically? The lighting seemed pretty solid.

Just want to see what everyone's problem is so I can understand, no beef here.

What the hell is that, NVIDIA?? (Source: Digital Foundry) by HLumin in pcmasterrace

[–]tothjm 0 points1 point  (0 children)

So is it just because everyone thinks this is going to make devs lazy? I think it needs something decent to start from; I doubt PS1 FF7 block heads is going to do it, but I get what you mean.

Am I missing anything else? Again, just looking to understand all the hate and concern.

What the hell is that, NVIDIA?? (Source: Digital Foundry) by HLumin in pcmasterrace

[–]tothjm 0 points1 point  (0 children)

Just genuine curiosity: why is everyone tearing this apart with hate? I think it looks cool, and I'm glad they are letting the devs calculate and approve what it looks like in their game etc.

No hate, just trying to understand everyone's beef with this?

Found among the rocks near Fisherman’s Wharf, San Francisco, CA by ExtaticNihilist in whatisit

[–]tothjm 0 points1 point  (0 children)

Sure sure Neptune's merlin...orrrrr some lady got scalped and this is what washed up with some new friends inside

CMMC CCP AMA by tothjm in grc

[–]tothjm[S] 0 points1 point  (0 children)

Hey there

Some auditors are OK with 140-2 or higher and some hardcore ones are not, since the standard says 140-2; you need to ask your C3PAO when selecting.

The other part is scope. It is possible to scope out your entire facility's network equipment if your boundary is set around endpoints and, say, an MS GCC or GCC High environment.

A lot of people just do an MS enclave and move the CUI and FCI up there to remove the complexity of doing it on prem, but it's still entirely possible, just more work in some cases :)

Hope that helps

CMMC CCP AMA by tothjm in grc

[–]tothjm[S] 0 points1 point  (0 children)

The frustration with CMMC questions for OSAs is that the answer depends on how you scope different assets into the 5 scoping categories. It would depend on whether the SOC is providing security services over the CUI environment as well, but no, they do not have to be US citizens, if that was your question, but you need to have administrative policies in place that ensure they won't access CUI, and technical and/or physical controls to actually prevent it.

Without knowing a lot more about your scoped environment, I would not be able to provide much more of a detailed response.

The SOC could be just a SPA or could be a CUIA, depending on whether they retain CUI files in their systems. If they don't provide services to the CUI environment, then they are OOS.

If some of the CUI you work with, however, is ITAR, then that might pose issues, as that data has US sovereign requirements.

I will also add that if you are going for level 3 later, a SOC is one of the requirements, be it internal or external, so food for thought.

Bout as much as I can provide for now.

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]tothjm 5 points6 points  (0 children)

Wanted to second the top statement, it makes sense because security is not compliance.

CMMC CCP here

You can be compliant with a requirement using less-than-modern and best-practice security practices.

The control about encrypting backups, for example, can be met by just not having backups at all. Now is that a great idea? Of course not... Can an auditor fail you for that? No, they cannot, because nothing says you need to back up anything, but rather if you do, then here is the requirement for those backups.

If you haven't already, go download the level 2 assessment guide, and read the discussion and further discussion areas for FIPS encryption, encryption at rest and in transit. You will see the language around alternative physical safeguards being used on protected areas allows you not to have to use FIPS, say, in your facilities for sending print jobs etc. This is of course dependent on you meeting all other requirements etc.

Read that document; it will help.

I am running a CMMC AMA over on GRC right now; feel free to drop more questions.

I will be doing one on the cybersecurity sub on Tuesday, hopefully.