This is the first time I have shared something like this. I’ve actually created a ton of python scripts to automate things that need to be done at a certain frequency. It just speeds up the process. If you like this kind of info, let me know in the comments and I will share more....
Tag: cmmc
Microsoft Defender vs. Mobile Code
How Defender blocks mobile code. CMMC Practice SC L2 3.13.13 - Configure attack surface reduction, setup WDAC, setup real-time protection.
Security Protection Assets and Security Protection Data in CMMC
What Are Security Protection Assets (SPAs)? SPAs are the tools, systems, and personnel that provide security functions or capabilities within the CMMC assessment scope of an Organization Seeking Certification (OSC). They protect CUI assets and the broader infrastructure that supports them. A Few Examples of SPAs: Firewalls: Devices or software that regulate network traffic, blocking...
CMMC Practice 3.4.7 – Ports, Protocols, Programs Functions, and Services
TL;DR: Simplifying Essential Features for Compliance The Goal: Restrict and disable nonessential programs, ports, protocols, functions, and services to reduce your system’s attack surface and improve security. Challenges: Documentation—not implementation—is where most companies fall short. You must define “essential” clearly and apply it consistently. What to Do: • Inventory: Identify everything running on your systems....
CMMC Level 2 Self-Assessment or Assessment by a CMMC Third Party Assessment Organization?
Given the choice, most companies would choose a self-assessment over a third party assessment. Isn’t that what CMMC was trying to get away from? The decision of whether a company can self-assess for a Level 2 assessment or if a contract requires a third-party C3PAO assessment is determined by the specific requirements stated in the...
The CMMC Rule and Plans of Action & Milestones (POA&M)
One of the things that I wanted to see in the CMMC Rule was more clarity on utilizing Plans of Action and Milestones (POA&M) for companies that do not fully meet all 110 requirements during their assessment. I’m continuing to dive into the CMMC rule…it’s freaking long. Here is what it says about POA&Ms, the...
The CMMC Rule is FINAL!
Woooohoooo, the long awaited CMMC Rule will be published on the Federal Register on October 15, 2024. The Wrightbrained team has spent some time looking at the document. Clarifications are a big theme. Everyone in the CMMC ecosystem had a lot of questions and there were several that stood out as the most common. I...
FIPS 140-2 and CMMC Compliance
What is FIPS 140-2? Federal Information Processing Standards Publication 140-2 is a standard for the cryptographic modules used in software and hardware to protect sensitive data. The key difference between FIPS-validated modules and others is the rigorous testing and verification process they undergo. This process can take years, ensuring these modules meet strict security protocols....
The CrowdStrike Outage: Risk Assessments & Single Points of Failure
On July 19, 2024, what should have been a routine update meant to improve CrowdStrike’s Falcon Sensor software ended up causing chaos. Instead of enhancing the endpoint detection and response system, the update resulted in Windows computers crashing spectacularly, displaying the dreaded “Blue Screen of Death.” This caused disruptions across the globe and across industries...
VerySecure UAV’s On-Site CMMC Assessment – Physical Security & related domains
Disclaimer: This story is entirely fictional. Any resemblance to actual persons, living or dead, or actual events, or actual companies is purely coincidental and unintended. The characters, companies, and events portrayed are purely a work of fiction. Jil Wright, a Certified CMMC Assessor, has provided this narrative to offer organizations seeking certification an example of what...