Information Security Resources

Peak InfoSec and Fathom Cyber Announce Strategic Partnership to Provide Comprehensive CMMC Support

Matthew Titcombe2025-01-28T09:27:19-05:00January 28th, 2025|Categories: News|Tags: assessment, certification, certification assessment, cmmc, NIST SP 800-171 Rev 2, NIST SP 800-171A|

With DoD's program underway, Peak InfoSec and Fathom Cyber announce a strategic partnership to provide comprehensive CMMC services to Defense Industry firms. TAMPA, FL, UNITED STATES, January 28, 2025 /EINPresswire.com/ -- Peak InfoSec and Fathom CyberAnnounce Strategic Partnership [...]

External Service Provider (ESP) Compliance Business Risk Transfer

Matthew Titcombe2024-11-03T14:30:23-05:00November 3rd, 2024|Categories: As the CMMC Churns|Tags: 32 cfr part 170, assessment, certification, certification assessment, cmmc, esp, examination, external service provider, MSP, MSSP, NIST SP 800-171 Rev 2, NIST SP 800-171A|

Are you in the Defense Industrial Base? Do you use an External Service Provider (ESP) (a.k.a. MSP, MSSP, local IT company, et al) to help your business run? Did you know under 32 CFR Part 170, CMMC [...]

The CMMC Program–It’s Here!!!

Matthew Titcombe2024-10-14T19:03:13-04:00October 14th, 2024|Categories: As the CMMC Churns|Tags: 32 cfr part 170, assessment, certification, certification assessment, cmmc, examination, NIST SP 800-171 Rev 2, NIST SP 800-171A|

It’s Here!!!! The CMMC Program is in white light... For many, CMMC will be even scarier than the movie Poltergeist (a classic BTW). Today, 15 October 2024, is the birthday of the CMMC Program. While the unofficial, pre-release [...]

3.3.3, Review and update logged events

Matthew Titcombe2024-06-16T13:48:16-04:00June 16th, 2024|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.3, 3.3.3, AU, audit and accountability, audit logs, audit records, cmmc, Events, NIST SP 800-171 Rev 2, NIST SP 800-171 Rev 3|

Did you know that NIST SP 800-171's 3.3.3, Review and Update Logged Events, is a commonly and THOROUGHLY misunderstood requirement? Let's be blunt, 3.3.3 has NOTHING to do with identifying potential events that indicate a compromise. If [...]

3.3.1, System Auditing

Matthew Titcombe2024-06-11T10:07:13-04:00June 11th, 2024|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.3, 3.3.1, AU, audit and accountability, audit logs, audit records, cmmc, Events, NIST SP 800-171 Rev 2, NIST SP 800-171 Rev 3|

Organization's struggle with documenting NIST SP 800-171's 3.3.1 System Auditing, especially when they are using Commercial Off the Shelf (COTS) software or cloud services. Like all of the other As the CMMC Churns Understand the Requirements series, [...]

All of the Assessment Types

Matthew Titcombe2024-05-31T16:44:55-04:00May 31st, 2024|Categories: Greenhorn's Guide, whItepapers|Tags: assessment, certification, certification assessment, cmmc, conformity assessment|

All of the Assessment Types A PDF version of this "Greenhorn's Guide to All of the Assessment Types" can be downloaded here: https://peakinfosec.com/wp-content/uploads/2024/05/All-of-the-Assessment-Types.pdf A Conformity Assessment??? What is an assessment? If your organization is involved [...]

3.1.22, Publicly Accessible Content

Matthew Titcombe2024-05-30T09:19:03-04:00May 30th, 2024|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.1, 3.1.22, access control, cmmc, NIST SP 800-171 Rev 2, NIST SP 800-171 Rev 3, public content|

Is your organization struggling with NIST SP 800-171's Security Requirement 3.1.22, Publicly Accessible Content? Did you know this is one requirement applies to normally out-of-scope components while the remaining 109 apply to internal components? This As the CMMC [...]

Identifying Inactive Accounts via Sentinel

Matthew Titcombe2024-05-28T11:29:47-04:00May 28th, 2024|Categories: understanding the requirements, whItepapers|Tags: 3.5, 3.5.6, how-to, Identification and Authentication, NIST SP 800-171 Rev 2, sentinel, siem|

WARNING: The following whitepaper on Identifying Inactive Accounts via an Azure Sentinel analytic and watchlist is provided as-is with no guarantees of accuracy nor sufficiency & adequacy to fulfill the assessment objectives for 3.5.6, "Disable identifiers after a [...]

3.10.6 Alternate Work Sites

Matthew Titcombe2024-05-11T20:57:35-04:00April 19th, 2024|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.10, 3.10.6, alternate site, cmmc, cybersecurity, NIST SP 800-171 Rev 2, NIST SP 800-171A, Physical Protection|

Is your organization struggling to understand how to approach the NIST SP 800-171 3.10.6 Security Requirement for Alternate Work Sites? What is allowed and what an assessor may be looking for? In this CMMC Churns, we dive [...]

The Three Types of Evidentiary Objects

Matthew Titcombe2024-05-12T12:20:02-04:00April 8th, 2024|Categories: As the CMMC Churns|Tags: assessment, assessment objects, cmmc, examination, NIST SP 800-171 Rev 2, NIST SP 800-171A|

Did you know there are three general types of Examination Assessment Objects in NIST SP 800-171A? Well, we looked at all 879 listed Examination Assessment Objects in 171A and realized there are three main types. There is [...]

Your SSP Sucks, Seriously.

Matthew Titcombe2024-05-12T12:20:43-04:00March 28th, 2024|Categories: As the CMMC Churns|Tags: cmmc, NIST SP 800-171 Rev 2, SSP, system security plan|

Sorry to tell many of you, your NIST SP 800-171 required System Security Plan (SSP) sucks. As the start of CMMC draws nearer, we are now seeing more SSPs by other companies and, well, they miss the [...]

Requirements have Relationships

Matthew Titcombe2024-05-12T12:21:33-04:00March 6th, 2024|Categories: As the CMMC Churns|Tags: cmmc, Information Security, NIST SP 800-171 Rev 2, security requirements, SSP|

I’ll bet you didn’t know the Security Requirements in NIST SP 800-171 have relationships. We see people just jumping into NIST SP 800-171 compliance helping organizations and even CMMC Certified Assessors failing to understand how one requirement [...]

Approve, the Forgotten Verb

Matthew Titcombe2024-05-11T21:07:03-04:00February 25th, 2024|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.4, certification, cmmc, configuration management, IIoT, NIST SP 800-171 Rev 2, SSP|

Did you know one of the most prolific failures for an organization's self-assessments and those seeking certification during a conformity assessment under Cybersecurity is their documentation? Approvals. For some crazy reason organizations think draft documentation, settings that [...]

32 CFR Part 170 Word Document

Matthew Titcombe2024-05-11T19:58:04-04:00January 8th, 2024|Categories: CMMC, Compliance, DFARS & NIST SP 800-171, Information Security, whItepapers|Tags: certification, cmmc, cmmc assessment scope, cybersecurity, DoD, Information Security, maturity, model, scope of applicability, scoping, structure, taxonomy|

Here is the MS Word version of the Draft 32 CFR Part 170, CMMC Program rule: PART_170—CYBERSECURITY_MATURITY MODEL_CERTIFICATION_PROGRAM

CMMC Rule, an Executive Summary

Matthew Titcombe2024-05-11T21:08:49-04:00January 1st, 2024|Categories: As the CMMC Churns|Tags: 32 cfr part 170, cmmc, cmmc program, DoD, NIST SP 800-171 Rev 2|

The new Cybersecurity Maturity Model Certification (CMMC) rule was published on 22 December 2023. While many of the "in the weeds" details are new and worthy of later discussion, this "As the CMMC Churns" video focuses on [...]

CUI Litmus Test

Matthew Titcombe2024-05-12T12:22:42-04:00July 6th, 2023|Categories: As the CMMC Churns|Tags: cmmc, CUI, NIST SP 800-171 Rev 2, scope of applicability, scoping|

Find out about the CUI Litmus test if your organization struggling to identify CUI in your environment. Does your organization know the key tenets to identify CUI? If not, this As the CMMC Churns [...]

Assessors and Toddlers

Matthew Titcombe2024-05-12T12:23:26-04:00June 28th, 2023|Categories: As the CMMC Churns|Tags: assessment, assessor, certification, cmmc|

Is your organization getting ready to undergo a formal Conformity Assessment for NIST SP 800-171? If so, you need to watch this video!!! You need to understand the similarities between Assessors and Toddlers. With the uptick in non-voluntary [...]

3.13.7 and Split Tunneling

Matthew Titcombe2024-05-12T12:25:23-04:00June 22nd, 2023|Categories: As the CMMC Churns, understanding the requirements|Tags: 3.13, 3.13.7, NIST SP 800-171 Rev 2, split tunneling, Systems and Communications Protection|

Are you trying got understand the 3.13.7 and Split Tunneling Security Requirement in NIST SP 800-171 Rev 2 (and draft Rev 3?? Like all of the requirements, there are nuances in the actual Security Requirement, “Prevent remote [...]

NIST SP 800-171 Rev 3 Draft

Matthew Titcombe2024-05-12T12:26:35-04:00May 19th, 2023|Categories: As the CMMC Churns|Tags: NIST SP 800-171 Rev 2, NIST SP 800-171 Rev 3|

DO NOT watch this if you are a Defense Industrial Base (DIB) Contractor. You have real work to do by implementing NIST SP 800-171 Revision 2 versus finding out about the NIST SP 800-171 Rev 3 Draft. [...]

4-Ways to Demonstrate Compliance

Matthew Titcombe2024-05-12T12:28:44-04:00May 5th, 2023|Categories: As the CMMC Churns|Tags: assessment, certification, cmmc, jsva, NIST SP 800-171 Rev 2|

BREAKING NEWS from "As the CMMC Churns".... There are now 4-Ways to Demonstrate Compliance. The Cyber-AB, with DoD's implicit blessing, is now allowing Authorized C3PAOs to conduct formal NIST SP 800-171 Assessments for organizations both inside and [...]

Be as Smart as a Fox

We share our knowledge and experiences so everyone can benefit