Defense Cybersecurity Group

Computer and Network Security

St Petersburg, Florida · 410 followers

Integrity. Expertise. Operational Excellence.

About us

By combining technical know-how with a lifetime of counter-intelligence expertise, the DCG team empowers companies to satisfy their Department of Defense cybersecurity requirements. Our mission is to demystify the cyber landscape, support small and medium-sized businesses on their compliance journeys, and prepare companies to overcome the serious cyber threats facing the Defense Industrial Base today.

Website
https://www.cybersecgru.com
Industry
Computer and Network Security
Company size
1 employee
Headquarters
St Petersburg, Florida
Type
Privately held
Founded
2020
Specialties
Cybersecurity and CMMC

Locations

  • Primary

    7901 4th St N

    St Petersburg, Florida 33702, US


Updates

  • Ever wonder what the definitions of CRM and SRM are for #CMMC? How are they different? Our Glossary may help!

    Vincent Scott

    CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

    #CMMC tidbit for today. Have you looked at the Defense Cybersecurity Group Glossary lately? https://lnkd.in/gvkJgrwS We keep adding to it and it is posted for free. We think regulatory definitions are really important. With the demise of the old CMMC Glossary we created our own, pulled primarily from 32CFR170, the CMMC Program rule, but also 7012, and the NIST Glossary. We are currently adding a bit on CRM vs SRM. Customer Responsibility Matrix vs Shared Responsibility Matrix. Same thing but 32CFR170 exclusively uses CRM. Unfortunately, it does not provide a separate definition. Neither does NIST. We developed one from context. Is that good? Recommended improvements?

    Customer Responsibility Matrix (CRM) - CRM is not explicitly defined in 32CFR170, however it is a critical term and used in 32CFR170 as follows: "customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided." 32CFR170 also states: "In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the Customer Responsibility Matrix (CRM) must be documented or referred to in the OSA's System Security Plan (SSP)." https://lnkd.in/gKm-u2-5

    The CRM is effectively an expression of "control inheritance." Inheritance is a practice in Federal Risk Management Framework (RMF) and is defined as: "A situation in which a system or application receives protection from security or privacy controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control." (NIST Glossary)

    The common practice for a CRM is for that matrix to exist as a spreadsheet or table that maps to the 171 control list or assessment objective list. In general, mapping to assessment objectives is considered a superior approach. The mapping should include a description of which security requirements/controls/practices the CSP or ESP meets and the OSA may inherit, which the OSA/OSC must perform on their own, and which are shared. There is no established standard for the construction of a CRM, however a CRM must be provided to assessors as part of the documentation for each CSP and ESP in use by the OSA. A CRM is sometimes also called a Shared Responsibility Matrix (SRM). 32CFR170 exclusively uses the term CRM. NIST does not use either term.

    Shared Responsibility Matrix (SRM) - Another term for Customer Responsibility Matrix (CRM), which is the term used in CMMC as defined by 32CFR170. NIST does not use or define either term.

  • As we head toward 2025 and the official rollout of the #CMMC program, Milt Songy and the DCG team have written up an in-depth consideration of a topic not often put forward by the community: contract negotiations. With certification assessments rolling down the pike as soon as January 6th, understanding the importance of contracts gatekeeping can make or break your company's compliance efforts. To read more about our recommendations, take a look at our blog at the link below: https://lnkd.in/gTP66mXq

  • There is a lot of hard-won business experience out there that fits a particular compliance model: “We produce policies based on the requirements, the assessors read the policies, the assessors provide a list of things to change, you pay them, and they certify you.” Then, #executives can go back to getting business done until your company has to be certified again. Each certification amounts to a bureaucratic drill imposed by the government or other authority, after which the company can move on to once again running a viable business. There is only one problem. The DoD did not read that playbook when they made #CMMC. Read more about why Vincent Scott considers CMMC the "compliance Mt. Everest" below. https://lnkd.in/dx5xJAyc

  • Due to the recent inclusion of CMMC-relevant definitions in the 32 CFR Part 170 Final Rule, DCG has chosen to provide a "CMMC Glossary and Acronyms" document on our free resources page. Our intent is to provide a consolidated, readily accessible location for the DIB to access these definitions as it works to implement CMMC requirements. Our CMMC Glossary includes definitions from 32 CFR 170; DFARS 252.204-7012, 7019, 7020; and NIST's Glossary. It is available for PDF download at the link below. https://lnkd.in/gFKhuHyy

  • Congratulations to Nick Martin for his completion of the CCA certification regimen! Great job Nickcolus Martin!

    Nickcolus Martin

    Director, Cybersecurity | vCISO | Certified CMMC Assessor (CCA) | Specializing in Cyberwarfare, Defense Industry, NIST 800-53/171 & ISO 27001 | AI LLM & Security-Focused AI Development Expert

    I’m happy to share that I’ve obtained a new certification: Certified CMMC Assessor (CCA) from The Cyber AB!


  • Do you have a leader for your #CMMC program?

    Vincent Scott

    CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

    An interesting summary from Holland and Knight on the new #CMMC rule 32CFR170, which went final last Friday. I found their final paragraph particularly interesting... "The above is just the tip of the iceberg when thinking about the intricacies of the CMMC program and the implications for the DIB (including contractors far down the supply chain). Companies in the DOD supply chain would be wise to not delay further and ensure they are properly certified."

    At 470 pages, the assessment community (C3PAOs and CCAs) is still getting its mind wrapped around the many aspects, including significant changes that will impact how we assess Organizations Seeking Assessment (OSAs). The fundamental point though, that DIB companies "would be wise to not delay further", is of course spot on. As Jacob Horne, Robert Metzger and others have been saying for a while, the time is past to get moving on having a cybersecurity program that supports CMMC compliance. There is a LOT of detail and nuance in a document with a word count 80% that of the New Testament.

    That said, the fundamentals remain. First, have a Program. This is not going to be something solved either by writing policies in a long weekend or by buying a single tool. The #1 aspect of this or any program is the people executing it. These are activities that will need to be done now and into the future as long as an organization has a DoD contract or subcontract. The first thing to do for any program is pick the leader. Who will do this? Who will direct the work and make sure it stays on track? Do it in house, hire contractors, buy tools, whatever needs to be done... Who is the leader of your CMMC Program?

  • We greatly appreciate our ongoing participation with Kieri Solutions in the #CMMC community. Check out our founder's latest discussion with some of the Kieri Solutions (real) experts on the new 32CFR170 CMMC rule.

  • #CMMC. With the publication of the final CMMC rule we anticipate that CMMC certification assessments will commence probably early in the new year. #DIB companies should be paying close attention to their security and compliance programs with certification assessments on the horizon.

    Vincent Scott

    CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

    #CMMC 32CFR170 Final Rule is out. CMMC is real and will begin to appear in contracts once the corresponding 48CFR Rule is complete. "When CMMC requirements are applied to a solicitation, Contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance." #DIB https://lnkd.in/gPJWFqzW

  • Join our founder for the next iteration of the CMMC Certified Professional course where he dives into all things CMMC and helps students grow real CMMC expertise. #CMMC

    Vincent Scott

    CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

    CMMC Certified Professional is some of the best instruction available for CMMC. Although originally designed as the first step to becoming an assessor, consultant or implementor, this is the best way to dive in and really learn about CMMC. I will be teaching the next iteration starting 15 OCT. Come join us! I focus on teaching CMMC, not just the test (although we cover that too). Our course dives into CMMC-specific control implementation approaches and how those might be assessed, regulatory changes, and a host of relevant topics. Join us to really understand CMMC and the coming assessment processes. #CMMC #nist800171 #informationsecurity #DIB https://lnkd.in/g5-K6nab
