Information Security Resources

External Service Provider (ESP) Compliance Business Risk Transfer

November 3rd, 2024 | Categories: As the CMMC Churns

Are you in the Defense Industrial Base? Do you use an External Service Provider (ESP) (a.k.a. MSP, MSSP, local IT company, et al.) to help your business run? Did you know under 32 CFR Part 170, CMMC [...]

The CMMC Program–It’s Here!!!

October 14th, 2024 | Categories: As the CMMC Churns

It’s Here!!!! The CMMC Program is in white light... For many, CMMC will be even scarier than the movie Poltergeist (a classic BTW). Today, 15 October 2024, is the birthday of the CMMC Program. While the unofficial, pre-release [...]

3.3.3, Review and update logged events

June 16th, 2024 | Categories: As the CMMC Churns, understanding the requirements

Did you know that NIST SP 800-171's 3.3.3, Review and Update Logged Events, is a commonly and THOROUGHLY misunderstood requirement? Let's be blunt: 3.3.3 has NOTHING to do with identifying potential events that indicate a compromise. If [...]

3.3.1, System Auditing

June 11th, 2024 | Categories: As the CMMC Churns, understanding the requirements

Organizations struggle with documenting NIST SP 800-171's 3.3.1 System Auditing, especially when they are using Commercial Off the Shelf (COTS) software or cloud services. Like all of the other As the CMMC Churns Understand the Requirements series, [...]

All of the Assessment Types

May 31st, 2024 | Categories: Greenhorn's Guide, Whitepapers

A PDF version of this "Greenhorn's Guide to All of the Assessment Types" can be downloaded here: https://peakinfosec.com/wp-content/uploads/2024/05/All-of-the-Assessment-Types.pdf

A Conformity Assessment??? What is an assessment? If your organization is involved [...]

3.1.22, Publicly Accessible Content

May 30th, 2024 | Categories: As the CMMC Churns, understanding the requirements

Is your organization struggling with NIST SP 800-171's Security Requirement 3.1.22, Publicly Accessible Content? Did you know this is the one requirement that applies to normally out-of-scope components, while the remaining 109 apply to internal components? This As the CMMC [...]

Identifying Inactive Accounts via Sentinel

May 28th, 2024 | Categories: understanding the requirements, Whitepapers

WARNING: The following whitepaper on Identifying Inactive Accounts via an Azure Sentinel analytic and watchlist is provided as-is, with no guarantee of accuracy, sufficiency or adequacy to fulfill the assessment objectives for 3.5.6, "Disable identifiers after a [...]
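For readers who want to see the shape of such an analytic before opening the whitepaper, the following KQL is an added example written for this page; it is not the whitepaper's query. It assumes Entra ID sign-in data is ingested into the SigninLogs table, that UEBA is enabled so the IdentityInfo table holds the account inventory, that a watchlist named InactiveAccountExemptions (a hypothetical name) exists with the exempt UPN in its SearchKey column, and that the organization's documented inactivity period is 90 days (a placeholder; substitute the value written in your policy):

```kql
// Added example for 3.5.6 (not the whitepaper's own analytic).
// Assumptions: SigninLogs and IdentityInfo are populated; the watchlist
// 'InactiveAccountExemptions' (hypothetical name) keys on UPN; 90d is a placeholder.
let InactivityPeriod = 90d;
// Break-glass and approved service accounts that must not be disabled automatically
let Exempt = _GetWatchlist('InactiveAccountExemptions')
    | project UserPrincipalName = tolower(tostring(SearchKey));
// Most recent successful sign-in per user inside the inactivity window
let RecentSignins = SigninLogs
    | where TimeGenerated > ago(InactivityPeriod)
    | where ResultType == "0"                     // success; failures do not count as activity
    | summarize LastSignIn = max(TimeGenerated) by UserPrincipalName = tolower(UserPrincipalName);
IdentityInfo
| where TimeGenerated > ago(14d)                  // take the latest inventory snapshot only
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where IsAccountEnabled == true                  // already-disabled accounts are not findings
| where AccountCreationTime < ago(InactivityPeriod)  // new accounts that have not signed in yet are a different problem
| extend UserPrincipalName = tolower(AccountUPN)
| join kind=leftouter RecentSignins on UserPrincipalName
| where isnull(LastSignIn)                        // enabled, older than the window, no successful sign-in in it
| join kind=leftanti Exempt on UserPrincipalName  // drop watchlisted exemptions
| project AccountUPN, AccountObjectId, AccountCreationTime, TimeGenerated
```

Two caveats a practitioner should check before relying on a query like this as evidence: SigninLogs only covers interactive sign-ins, so an account used purely through non-interactive or service-principal flows (AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs) would show as inactive here and needs a second join or a watchlist entry; and the query only identifies candidates, whereas 3.5.6 requires that the identifiers actually be disabled, so the disablement action and its approval still have to be recorded separately.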

3.10.6 Alternate Work Sites

April 19th, 2024 | Categories: As the CMMC Churns, understanding the requirements

Is your organization struggling to understand how to approach the NIST SP 800-171 3.10.6 Security Requirement for Alternate Work Sites? What is allowed, and what might an assessor be looking for? In this CMMC Churns, we dive [...]

Requirements have Relationships

March 6th, 2024 | Categories: As the CMMC Churns

I’ll bet you didn’t know the Security Requirements in NIST SP 800-171 have relationships. We see people just jumping into NIST SP 800-171 compliance helping organizations and even CMMC Certified Assessors failing to understand how one requirement [...]

Approve, the Forgotten Verb

February 25th, 2024 | Categories: As the CMMC Churns, understanding the requirements

Did you know that one of the most prolific failures in organizations' self-assessments, and for those seeking certification during a conformity assessment under Cybersecurity, is their documentation? Approvals. For some crazy reason organizations think draft documentation, settings that [...]

32 CFR Part 170 Word Document

January 8th, 2024 | Categories: CMMC, Compliance, DFARS & NIST SP 800-171, Information Security, Whitepapers

Here is the MS Word version of the Draft 32 CFR Part 170, CMMC Program rule: PART_170—CYBERSECURITY_MATURITY MODEL_CERTIFICATION_PROGRAM

3.13.7 and Split Tunneling

June 22nd, 2023 | Categories: As the CMMC Churns, understanding the requirements

Are you trying to understand the 3.13.7 Split Tunneling Security Requirement in NIST SP 800-171 Rev 2 (and draft Rev 3)? Like all of the requirements, there are nuances in the actual Security Requirement, “Prevent remote [...]

Tips about FIPS Part 2

March 31st, 2023 | Categories: As the CMMC Churns, understanding the requirements

Has 3.13.11, the use of FIPS-validated encryption, sent your organization through the Seven Stages of CMMC Grief? Does the use of FIPS-validated encryption have you befuddled? Tips about FIPS Part 2 continues to address the most common DIBCAC [...]

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)