Send us a text

🔍 Want to stay ahead in the world of government contracts and cybersecurity? Dive into our latest CMMC News episode where we explore the NIST SP 800-171 DoD Assessment Requirements. It's all about breaking through the wall of acronyms and jargon to ensure you know exactly what the Department of Defense expects when it comes to protecting sensitive information.

Here are 3 key takeaways:

• Understand Assessment Levels: We break down the three types of cybersecurity assessments — Basic, Medium, and High — and what each level of confidence means for your contract requirements with the DoD.
• Supplier Performance Risk System (SPRS): Learn how all assessment scores are recorded in SPRS, the centralized database that helps the DoD gauge the cybersecurity health of their contractors.
• Subcontractor Compliance: Discover how these requirements flow down to subcontractors and what obligations primes have to ensure their partners are compliant.

Stay informed, secure those contracts, and fortify your cybersecurity posture! 🎧🔒

#Cybersecurity #DoD #NISTSP800171 #GovernmentContracts #CMMCNews

Support the show

Send us a text

We just dived deep into the Department of Defense's NIST SP 800-171 assessment requirements. This is crucial for any contractor involved with DoD contracts, especially when it comes to cybersecurity. Here are three key takeaways:

• Assessment Frequency: If you're implementing NIST SP 800-171, make sure you have a recent assessment conducted within the last three years for every covered information system tied to DoD contracts.
• Assessment Levels: There are three types of DoD assessments - Basic, Medium, and High. Understanding which level applies to you and how to proceed can make or break your eligibility for DoD contracts. The details for each can be found in another key document, the NIST SP 800-171 DoD Assessment Methodology.
• Reporting Requirements: Once your assessment is complete, post your summary level scores in the Supplier Performance Risk System (SPRS). This is a mandatory step to demonstrate your commitment to cybersecurity, and remember, time is of the essence – scores need to be posted within 30 days of assessment completion.

🔗 If you’re involved in defense contracting, keeping up with these requirements is non-negotiable! Tune into our latest episode for the full breakdown and stay ahead in the ever-evolving landscape of cybersecurity standards.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#DefenseContracting #Cybersecurity #NISTSP800171 #DOD #CMMCNews #PodcastHighlights

Support the show

Send us a text

Hello LinkedIn community! 🌐 As we delve deeper into the cybersecurity requirements for Department of Defense (DOD) contracts, understanding DFARS Clause 252.204-7012 is crucial. It outlines safeguarding covered defense information (CDI) and protocols for cyber incident reporting. Here are three key takeaways for businesses and contractors engaging with the DOD:

• Understanding CDI: It’s essential to recognize what constitutes covered defense information. CDI includes sensitive technical data, like military blueprints and designs, and any information listed in the controlled unclassified information (CUI) registry. Whether provided by the DOD or generated during contract work, this data requires strict protection.
• Timely Reporting: In the event of a cyber incident, the clock is ticking. Incidents must be reported within 72 hours to the DOD. This rapid reporting helps mitigate potential damages and underscores the importance of having efficient processes in place to identify and report any compromises.
• Subcontractor Responsibilities: Prime contractors must ensure that subcontractors comply with the same cybersecurity requirements. This includes using standardized controls outlined in NIST SP 800-171 and ensuring that all reporting protocols are followed. If deviations are necessary, these must be formally requested and approved.

In a world where cybersecurity is critical, adopting such stringent measures not only protects sensitive information but also reinforces the security of the defense industrial base. Let's leverage these practices to enhance data security across various sectors.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CyberSecurity #DOD #DefenseContracts #DataProtection #Compliance #DFARS #CyberIncidentResponse

Support the show

Send us a text

🌟 Just listened to another insightful episode of the CMMC News podcast, where the hosts take a deep dive into the complexities of CMMC, focusing on ESPs, SPAs, and VDIs. Here's what stood out to me:

🔍 Key Takeaways:

• Scoping ESPs in CMMC: The involvement of External Service Providers in the CMMC assessment depends largely on their interaction with Controlled Unclassified Information (CUI) and whether they are a Cloud Service Provider. Non-cloud ESPs processing CUI make the whole service part of your CMMC scope.
• VDI Configurations Simplifying Scope: A properly configured Virtual Desktop Infrastructure can simplify CMMC scope by ensuring that local endpoint devices remain out of scope. This requires strict configurations to prevent local processing or storage of CUI.
• CRMAs vs. Specialized Assets: Understanding the difference between Contractor Risk Managed Assets (CRMAs) and specialized assets is crucial. While CRMAs can share networks with CUI processing assets without handling CUI, specialized assets often can't meet all security requirements due to their nature.

🎧 If you're navigating the CMMC landscape, definitely give this episode a listen for more practical insights!

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #CyberSecurity #DevSecLead #VDI #ESPs #Compliance

Support the show

Send us a text

🚀 Exciting Insights from Our Latest Deep Dive on the CMMC News Podcast! 🎧

In our newest episode, we unpack the intricacies of the Cybersecurity Maturity Model Certification (CMMC) and its alignment with NIST standards, essential for those engaged with Department of Defense contracts. Dive into the details with us as we explore practical implications and strategic alignments.

🔹 Key Takeaways:

• CMMC Levels Explained: Understand how the different levels of CMMC build upon each other, starting from the foundational Level 1 to the more advanced Level 3 that incorporates elements like NIST SP 800-171 and 800-172.
• Scoring System Nuances: Learn about the in-depth scoring methodology for NIST SP 800-171 Rev 2, highlighting the critical components and areas of partial credit, essential for MFA and FIPS compliance.
• Preparing for the Transition: The shift to NIST SP 800-171 Rev 3 is on the horizon. Organizations need to stay compliant with Rev 2 while preparing for Rev 3, focusing on gap analysis and updating system security plans.

Tune into the episode for a detailed exploration and ensure your security protocols are robust and compliant. Stay ahead in the defense industrial base with actionable insights and strategies! 🎙️🔍

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #Cybersecurity #NISTStandards #DODContracts #DevSecLeadPodcast

Support the show

Send us a text

🚀 New Episode Alert: Navigating CMMC Compliance with ESPs and Inherited Controls 🚀

In our latest episode of CMMC News, we dive deep into the complexities of CMMC compliance and how to effectively manage the relationship with your External Service Providers (ESPs). This episode is packed with insights that are crucial for any DOD contractor aiming to unravel the intricacies of inheriting security controls while maintaining full compliance responsibility. Here's a sneak peek at three key takeaways:

🔹 Own Your Responsibility: Just because your ESP is CMMC certified doesn’t mean you’re off the hook. You're accountable for validating, documenting, and proving those inherited controls work in your environment.

🔹 Clear Role Divisions: Understand the spectrum of responsibilities—fully inherited, partially inherited, and those non-delegable controls that are 100% on you, like user authorization and data classification.

🔹 Audit Readiness is Key: Meticulous documentation is your best friend. Make sure your controls are thoroughly documented in your SSP, supported by concrete evidence to ace that CMMC assessment.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #Cybersecurity #DODCompliance #ESPs #SecurityControls #AuditReady

Support the show

Send us a text

In this episode of CMMC News, host Wilson Bautista Jr. breaks down the crucial factors to consider when choosing a CMMC consultant. He outlines five essential criteria: ensuring proper CMMC certification, verifying real audit experience, evaluating communication skills, determining consultation needs (assessment vs. implementation), and assessing cultural fit with your organization. Whether you're starting your CMMC journey or preparing for an audit, this episode provides valuable insights to help you avoid costly mistakes and find the right consultant to guide your compliance efforts. Learn how to identify red flags, verify credentials, and make an informed decision that will support your organization's path to CMMC compliance.

Support the show

Send us a text

Welcome to another episode of CMMC News! Today, we're simplifying the complexities of cybersecurity compliance, specifically diving into how to choose the right Certified Third Party Assessment Organization (C3PAO) to guide your organization to CMMC compliance. I'm your host, Wilson Bautista Jr., and in this episode, we'll break down the key considerations to make the right choice. From examining a C3PAO's experience with federal compliance frameworks like NIST 80171 and FedRAMP to assessing their industry expertise, reputation, and communication skills, we'll cover it all. Plus, we'll discuss the importance of verifying accreditation and balancing cost versus value. Tune in as we navigate the steps to ensure you're not just compliant but well-prepared for long-term security. Let's get started!

Support the show

Send us a text

A Department of Defense Inspector General audit (DODIG-2025-056) revealed that the Department of Defense (DoD) inadequately implemented its process for authorizing third-party organizations to conduct Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments. The audit found that the DoD failed to ensure all required steps were completed before authorizing these organizations, increasing the risk of awarding contracts to companies lacking sufficient cybersecurity controls. Two hotline allegations were substantiated. Ten recommendations were issued to improve the authorization process, focusing on implementing quality assurance measures to guarantee compliance. The DoD OIG will continue monitoring the DoD's implementation of these recommendations.

Ref: https://www.dodig.mil/In-the-Spotlight/Article/4028197/press-release-audit-of-the-dods-process-for-authorizing-third-party-organizatio/

Support the show

Send us a text

This memorandum from the Department of Defense outlines requirements for cloud service providers (CSPs) seeking FEDRAMP Moderate equivalency. It details the necessary assessments and documentation, including security plans and testing procedures, that CSPs must meet. The memorandum emphasizes the importance of compliance with specified Defense Federal Acquisition Regulations Supplement clauses. Finally, it clarifies the roles and responsibilities of the contractor, CSP, and assessing organizations. The document aims to ensure the security of covered defense information processed by these cloud services.

Ref: https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

Support the show