TL;DR: Simplifying Essential Features for Compliance The Goal: Restrict and disable nonessential programs, ports, protocols, functions, and services to reduce your system’s attack surface and improve security. Challenges: Documentation—not implementation—is where most companies fall short. You must define “essential” clearly and apply it consistently. What to Do: • Inventory: Identify everything running on your systems....
One of the things that I wanted to see in the CMMC Rule was more clarity on utilizing Plans of Action and Milestones (POA&M) for companies that do not fully meet all 110 requirements during their assessment. I’m continuing to dive into the CMMC rule…it’s freaking long. Here is what it says about POA&Ms, the...
Woooohoooo, the long awaited CMMC Rule will be published on the Federal Register on October 15, 2024. The Wrightbrained team has spent some time looking at the document. Clarifications are a big theme. Everyone in the CMMC ecosystem had a lot of questions and there were several that stood out as the most common. I...
Disclaimer: This story is entirely fictional. Any resemblance to actual persons, living or dead, or actual events, or actual companies is purely coincidental and unintended. The characters, companies, and events portrayed are purely a work of fiction. Jil Wright, a Certified CMMC Assessor, has provided this narrative to offer organizations seeking certification an example of what...
Disclaimer: This story is entirely fictional. Any resemblance to actual persons, living or dead, or actual events, or actual companies is purely coincidental and unintended. The characters, companies, and events portrayed are purely a work of fiction. Jil Wright, a Certified CMMC Assessor, has provided this narrative to offer organizations seeking certification an example of what...
The Configuration Management (CM) domain in NIST SP 800-171 requires organizations to create and maintain baseline configurations and inventories for all their systems that includes hardware, software, firmware, and documentation. Think of baseline configurations like a snapshot, capturing the ideal system setup. Documenting a system’s desired state and practicing effective configuration and change management are crucial...
Multi-Factor Authentication (MFA) significantly strengthens security for businesses and individuals by adding extra layers of verification before granting access to accounts or devices. Instead of relying on just one factor like a password, MFA requires two or more factors. This makes it much harder for attackers to gain unauthorized access. Research suggests that implementing MFA...
In part one, we talked about what a Continuous Monitoring and Ongoing Maintenance Program should entail. Another huge part of the plan is to create a schedule to do the manual tasks required and to put human eyeballs on some of the tasks that may be automated. We’ll talk about that here as well as...
As most of us have figured out, compliance isn’t a one-time, set it and forget it kind of thing; it’s an ongoing commitment. With systems and threats always changing, it’s crucial to have a continuous monitoring and ongoing maintenance program in place. This includes continuous monitoring of the system, regular monitoring of controls, maintenance, and...
The purpose of the CMMC program is to verify that contractors have proper safeguards for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) by moving from self-assessment to third-party or government assessments. This marks a significant change for DoD contractors, aimed at increasing accountability and ensuring the implementation of cybersecurity controls across the defense...
