Category: Uncategorized

Example System Security Plan SSP

How to Write a CMMC Level 2 SSP: What Assessors Actually Look For

System Security Plans. Your SSP Is Your Organization’s Security Story. It’s Your Security Program on Paper. A field guide to writing implementation statements that actually hold up under assessment. If your cybersecurity program had a pulse, the System Security Plan would be it. Without it, your organization cannot begin a CMMC Level 2 assessment. With a weak...

Introducing the CMMC Compliance Engine: A Practical System for Getting Assessment-Ready

During almost every CMMC readiness engagement, there is a moment when the organization realizes something important. They have many of the right security tools in place. The network is segmented. Multifactor authentication is deployed. Logging exists. Endpoint protection is running. But when it comes time to show how all of that supports the CMMC requirements,...

Deny inbound and outbound traffic by default and allow by exception

CMMC – You Probably Think You Meet 3.13.6. Your Assessor Might Not Agree.

SC.L2-3.13.6 is a commonly missed practice in CMMC Level 2 assessments. Not because organizations ignore it, but because they genuinely believe they’ve satisfied it when they haven’t. 3.13.6: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Assessment objective 3.13.6[a]: network communications traffic is denied by...

When ITAR Data Is CUI and When It Is Not

If you handle defense work, you already know that ITAR (International Traffic in Arms Regulations) and CUI (Controlled Unclassified Information) often come up in the same conversation. They overlap, but they are not the same thing. This post explains when ITAR-controlled information must also be handled as CUI and when it stands alone under export control. Oh yeah — I...

Meeting CMMC Standards – 10 Major Challenges to Overcome for Success

The purpose of the CMMC program is to verify that contractors have proper safeguards for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) by moving from self-assessment to third-party or government assessments. This marks a significant change for DoD contractors, aimed at increasing accountability and ensuring the implementation of cybersecurity controls across the defense...
