System Security Plans
Your SSP Is Your Organization’s Security Story. It’s Your Security Program on Paper. A field guide to writing implementation statements that actually hold up under assessment. If your cybersecurity program had a pulse, the System Security Plan would be it. Without it, your organization cannot begin a CMMC Level 2 assessment. With a weak...
Author: Jillian Wright
Introducing the CMMC Compliance Engine: A Practical System for Getting Assessment-Ready
During almost every CMMC readiness engagement, there is a moment when the organization realizes something important. They have many of the right security tools in place. The network is segmented. Multifactor authentication is deployed. Logging exists. Endpoint protection is running. But when it comes time to show how all of that supports the CMMC requirements,...
CMMC – You Probably Think You Meet 3.13.6. Your Assessor Might Not Agree.
SC.L2-3.13.6 is a commonly missed practice in CMMC Level 2 assessments. Not because organizations ignore it, but because they genuinely believe they’ve satisfied it when they haven’t. 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). ASSESSMENT OBJECTIVE 3.13.6[a] network communications traffic is denied by...
When ITAR Data Is CUI and When It Is Not
If you handle defense work, you already know that ITAR (International Traffic in Arms Regulations) and CUI (Controlled Unclassified Information) often come up in the same conversation. They overlap, but they are not the same thing. This post explains when ITAR-controlled information must also be handled as CUI and when it stands alone under export control. Oh yeah — I...
Oh Shit, I Need CMMC – A Subcontractor’s Survival Guide
If you are reading this, you are probably a subcontractor in the Defense Industrial Base (DIB), and there is a good chance your prime contractor has dropped a bombshell: you need to be compliant with CMMC. Maybe they asked for your System Security Plan (SSP). Maybe they requested your Supplier Performance Risk System (SPRS) score....
CMMC IS a Real Boy!
What Contractors Need to Know About the 48 CFR Final Rule
On November 10, 2025, the Department of Defense will cross the line from policy to enforcement. The 48 CFR Final Rule will go into effect, and the Cybersecurity Maturity Model Certification (CMMC) will be a contractual requirement. If you want to win or extend...
Signal, Not Noise: AU 3.3.3
Let’s talk about practice 3.3.3. – Review and update logged events. [a] Determine if a process for determining when to review logged events is defined. [b] Determine if event types being logged are reviewed in accordance with the defined review process. [c] Determine if event types being logged are updated based on the review. ...
Automation: Comparing Account Inventory to Active Directory Accounts
This is the first time I have shared something like this. I’ve actually created a ton of Python scripts to automate things that need to be done at a certain frequency. It just speeds up the process. If you like this kind of info, let me know in the comments and I will share more....
Microsoft Defender vs. Mobile Code
How Defender blocks mobile code. CMMC Practice SC.L2-3.13.13: configure attack surface reduction rules, set up WDAC, and set up real-time protection.
Security Protection Assets and Security Protection Data in CMMC
What Are Security Protection Assets (SPAs)? SPAs are the tools, systems, and personnel that provide security functions or capabilities within the CMMC assessment scope of an Organization Seeking Certification (OSC). They protect CUI assets and the broader infrastructure that supports them. A Few Examples of SPAs: Firewalls: Devices or software that regulate network traffic, blocking...