The $0 CMMC Level 2 Compliance Fallacy

Government representatives have stated that complying with CMMC 2.0 Level 2 shouldn’t cost contractors or the government anything, because contractors have been attesting to the government that they are doing these things for years. This article explores why this is correct only for a small minority (17 out of 110) of the controls in CMMC 2.0 Level 2.

When is CUI not CUI?

Imagine the following scenario: As part of Project Road Runner, a new initiative, the United States Army, a component of the Department of Defense (“DoD”), wants to purchase three dozen anvils. The anvils must meet specific size, strength, and weight requirements. DoD has already performed a search and is not able to find a COTS (more…)

CMMC 2.0 Model and Scoping Guide Now Available

The US Department of Defense updated its main website (OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil)) to include an updated CMMC Model consistent with the information released on Nov. 4 about CMMC 2.0. It also released scoping guidance for CMMC 2.0 Levels 1 and 2, and a hashing approach for preserving evidence. Among (more…)

On NIST SP 800-171, NFO Controls and Policies, Procedures, and Plans

With CMMC 2.0, DoD removed process maturity as an assessed requirement. Some commentators are suggesting that NIST 800-171’s “NFO” controls inherently require policies. We explore the requirement in this article.