Information Technology Navigator

On October 15, 2024, the final rule for the Cybersecurity Maturity Model Certification (CMMC) program was officially published. This rule, codified as 32 CFR, becomes effective on December 16, 2024. The CMMC journey began in 2019 with DFARS Case 2019-D041, and after four years of development, the rule is now finalized. Let’s take a look at the history of the CMMC timeline, what's to come, and how organizations can prepare for what is next.

CMMC Rulemaking Timeline

The rulemaking process illustrated in the graphic below shows a high-level workflow from the Government Accountability Office (GAO).

Figure 1: GAO Federal Rulemaking

Read More

Protecting sensitive and classified information when working for the Federal Government requires constant vigilance. When the government issues a contract, it must specify to the performing contractor when covered defense information (CDI) or controlled unclassified information (CDI) will be generated under the contract. Many prime contractors “flowdown” every FAR and DFARS clause to subcontractors and vendors without considering if that subcontractor or vendor will be processing, storing, or transmitting CDI. Anticipating where CDI may reside once awarded a contract can be a challenge. Here is guidance on ways CDI can flowdown to subcontractors and the defense industrial base (DIB), and steps those organizations should take before signing an agreement.

An Introduction to DFARS

Read More

It’s been almost a year since we wrote about the risks of delaying CMMC (Cybersecurity Maturity Model Certification) compliance. The only thing that has remained constant since then is that CMMC is not going away. There have been many noteworthy recent developments in the DoD supply chain news space related to updates for DIB contractors to comply with the DFARS 7012 requirements to safeguard CUI (controlled unclassified information) data. The CMMC 2.0 final rulemaking timeline continues to shift from over the horizon to right around the corner, and the recently released NIST 800-171 revision 3 draft amplifies concerns about upcoming changes to the framework requiring additional protections for prime and subprime organizations supplying the DoD.

Read More

An Introduction to Cybersecurity for the Defense Industrial Base:

In today's digital age, cybersecurity is of paramount importance, particularly for organizations within the Defense Industrial Base (DIB). In January 2020, the United States Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) framework, building upon established cybersecurity standards from National Institute of Standards and Technology (NIST) Special Publication 800-53 and NIST Special Publication 800-171. These publications are closely aligned with the CMMC 2.0 requirements, providing essential guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. In addition, DFARS 252.204-7020 clause requires contractors to undergo an assessment of their implementation of NIST SP 800-171 controls by an accredited third-party assessment organization to evaluate a DIB contractor's compliance with the security requirements outlined in NIST SP 800-171 and provide assurance that adequate safeguards are in place to protect CUI.

Read More

 

Adoption of Microsoft’s 365 Government Community Cloud (GCC) High sovereign cloud solution is on the rise as organizations in the Defense Industrial Base (DIB) work to ensure compliance with the stringent regulations related to the Cyber Security Maturity Model (CMMC) v2.0 and current NIST 800-171 framework. GCC High is an excellent option for DIB contractors who handle Controlled Unclassified Information (CUI) and International Traffic in Arms Regulation (ITAR) data in their cloud or hybrid environments.

Microsoft continuously improves and enhances features and capabilities to the GCC High platform. Just like updates to Microsoft 365, it can be hard to keep up with them all. Daymark’s Government Community Services Team has carefully selected updates we believe are worth paying attention to with our own GCC High Roadmap.

Read More

Microsoft’s Ignite Conference was back to a face-to-face event his year in Seattle, Washington. The Daymark Solutions team was there soaking up the latest Microsoft has to offer and absorbing what’s in the works for the year ahead. This year’s conference theme of “doing more with less” spoke to the immense value of Microsoft’s product portfolio. From Power Platform’s low-code/no-code improvements to a host of new solutions under the Microsoft Entra, Purview and Viva umbrellas, doing more with less is really about making our lives easier in the modern digital work era we live in while providing first-in-class technology and security. The following are some notable takeaways from this year’s Ignite.

 

Microsoft Intune Premium - Advanced Management Suite

• What’s the Scoop?

Read More

Given the current cyber threat landscape, protecting data has never been more critical. We’ve been helping organizations architect and deploy secure data center and cloud environments for over 20 years. We are a Microsoft Gold Partner, Tier 1 Microsoft Direct Cloud Service Provider and AOS-G, GCC and GCC High reseller. We have the proven expertise and technical certifications to design, implement and provide on-going support for highly customized secure enclaves or “greenfield” environments in Microsoft Azure, Azure Government, and Microsoft 365 Commercial and Government community clouds to meet compliance requirements of NIST 800-171 and CMMC 2.0. We can help your team jumpstart the adoption of a cloud platform with Microsoft 365 and Azure.

Read More

If your organization has been working towards NIST 800-171 and is now on the journey to achieve CMMC 2.0 (the Cybersecurity Maturity Model Certification) it can be difficult to understand what you’ve already achieved and what’s left to do. Both standards are intended to reduce threats and strengthen cybersecurity for sensitive government data. Here’s some details on how they relate to each other and what’s involved to take the next steps toward CMMC compliance.

Read More

Microsoft 365 GCC vs. GCC High

How do you know which level of GCC is right for you? Here’s key criteria to help you distinguish GCC and GCC High so that your organization makes the move to the right cloud.

Government Community Cloud (GCC)

You can think of GCC as a government version of the Microsoft 365 commercial environment. It resides on the Azure Commercial infrastructure and has many of the same features, but servers must be located in the continental United States (CONUS) as mandated by FedRAMP Moderate. Although the servers are only in CONUS, access to data is available on a global basis. In general, non-defense-related government agencies and contractors can deploy GCC. 

Read More

The CMMC 2.0 model consists of 14 domains that assess the previously established NIST 800-171 controls. Here’s what each one is and what it covers.

Access Control: This domain requires your organization to establish who has access to your systems and what their requirements are to operate effectively. As well as who has remote access, internal system access, and the limitations of their roles in system.

Read More