Micro Blog - I FAQ, Therefore I Am
On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case...
top of page
Shelby Scott
- Mar 8
- 4 min
'Love' is a Verb. So is 'Identified.'
If you’ve ever picked up a self-help book, you may have come across the phrase “love is a verb.” This adage is designed to draw attention...
Vincent Scott
- Feb 1
- 2 min
Micro Blog - 3 Questions about POA&M
What is a POA&M and when do I need one? According to NIST SP 800-37 Rev. 2, a Plan of Actions and Milestones (POAM or POA&M) is, “A...
Vincent Scott
- Jan 18
- 2 min
Micro Blog - 3 Questions about Potential CMMC Changes
Is the new CMMC rule going to be a draft rule or an interim final rule? While an interim final rule was originally scheduled for release...
Vincent Scott
- Nov 26, 2022
- 4 min
'The Fifth Risk' of Vulnerability Management
As seen on GRC Viewpoint: https://lnkd.in/dHQjaGQz. Maintaining an environment which centralizes not only the protection, but the...
Jack Poltorak
- Oct 11, 2022
- 1 min
Microsoft Exchange Server – Two Zero Day Vulnerabilities Found
On September 29th, Microsoft announced Zero Day vulnerabilities which affect the 2013, 2016 and 2019 versions of Microsoft Exchange. Note...
Vincent Scott
- Jul 1, 2022
- 3 min
Handling CUI
This question of U.S. ONLY and CUI comes up a lot. To be clear, although I have deep experience on the sharing of intelligence...
Vincent Scott
- Jun 21, 2022
- 4 min
DIB Contractors should start considering an Evidence Locker for CMMC
Organizations seeking certification, or OSC, in the Defense Industrial Base (DIB) should start considering the creation and maintenance...
Vincent Scott
- Jun 1, 2022
- 4 min
CMMC Rollout: Where to Next?
Several people have asked me about this one. I posted this in the NDIA forum a week or so ago to generate discussion there on the current...
Vincent Scott
- Mar 5, 2022
- 7 min
Leadership in the Remote Work Environment
Today, a set of questions came across my desk from a reporter for a high-tech magazine. It piqued my interest, so I provided some input...
Vincent Scott
- Feb 17, 2022
- 3 min
When is Encryption Enough?
Based on the LinkedIn exchanges of views on encrypted CUI and covered systems linked below, I have, as promised crafted an input to the...
Vincent Scott
- Jan 13, 2022
- 3 min
The #1 Problem in Cybersecurity: The Truth You Don’t Want to Know
The Truth You Don’t Want to Know My new favorite saying, and it seems to be rampant in the halls of success, but perhaps nowhere more so...
Vincent Scott
- Jan 5, 2022
- 8 min
Scoping Guide
Although the new Cybersecurity Maturity Model Certification (CMMC) Scoping Guides bring much needed clarification, specific aspects of...
Vincent Scott
- Dec 11, 2021
- 4 min
The FedRAMP System needs updating; it was never intended for commercial use
As we move forward with accountability around cyber for the Defense Industrial Base (DIB), the specific language in the rules, controls,...
Vincent Scott
- May 31, 2021
- 8 min
How Do We Right the CMMC Ship?
Previously I wrote CMMC Trip to Tartarus story under the banner “CMMC is impossible and here is why!” I did not receive many comments...
Vincent Scott
- Apr 22, 2021
- 6 min
CMMC: A Trip to Tartarus
So I normally don’t go in for the sensationalized headline. I abhor them in fact, but in this case, I think it is needed. Put the breaks...
Vincent Scott
- Apr 19, 2021
- 7 min
CMMC and the Challenge of Documentation
History A long-time requirement for any auditable process or standard has been documentation. I sometimes think that early cave paintings...
Vincent Scott
- Jan 26, 2021
- 3 min
Observations from a CMMC Protest paper: A plain English translation
I have put this together as a review of the paper posted by Bob Metzger’s law firm, New DOD Cyber Rules Create Fertile Bid Protest...
Vincent Scott
- Jan 17, 2021
- 3 min
Cyber Operations, Cyber Standards, and Solar Winds
In the course of the much appreciated exchange of ideas in a LinkedIn thread, the concept of Cyber Standards like CMMC (the new DoD...
Vincent Scott
- Dec 12, 2020
- 5 min
CUI, DFARS, and the Catch-22
Federal Government: "Put CUI controls in place so we can give you a contract." Federal Contractors: "No. Give us the contract and tell us...
bottom of page