Blog – Alive Data

errors

The message can’t be sent right now…SMIME error 0365

February 22, 2021February 25, 2021

If someone sends you a digitally signed email to Office365 (OWA), you may get an error and an inability to reply.

“This message can’t be sent right now. Please try again later.”

To resolve, choose the 3 dots (…) and choose “Show message options”

Under message options, de-select Digitally sign this message (S/MIME)

Unselected Digitally sign this message (S/MIME)

You will no be able to respond to the email in Office365.

CMMC

CUI Marking

February 19, 2021February 24, 2021

There is a lot of scuttlebutt surrounding the marking of CUI.

If you are a SUB, your PRIME is responsible for identifying CUI and providing instructions on how to mark the documents.

NOTE: Do not assume everything is CUI – remember, you must be at CMMC Leve 3 or NIST 800-53 to hold and manage CUI.

For general instructions on CUI, see https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

NIST

CUI Registry

February 12, 2021February 24, 2021

The National Archives and Records Administration manages an online searchable repository of CUI data at https://www.archives.gov/cui .

Use the service to help determine the classification of data and to inform your policies and conversations – reach out to your prime or agency of record for specifics regarding your project.

NIST

What is an SPRS score?

February 5, 2021February 24, 2021

An SPRS Score is a numerical representation of your NIST 800-171/53 compliance maturity level. This score is used to determine your eligibility to receive awards from the DOD.

What does SPRS stand for?

Supplier Performance Risk System

What is the SPRS system?

The Supplier Performance Risk System documents vendor self assessment results for DOD Acquisition Professionals. This system is ONLY used by DOD personnel – not primes or subs.

How do you get an SPRS score?

You get an SPRS score from conducting a self assessment of your NIST 800-171/53 adoption/compliance.

What is an SPRS score?

An SPRS score is calculated based upon your “adoption” and “maturity of” adoption of specific NIST controls. You will use a pre-formatted spreadsheet to conduct your analysis and arrive at a score.

Where do I get a spreadsheet for calculating my SPRS score?

Roll your own from the documentation OR contact us and we will send you one.

What will we need?

A current CAGE Code

Can I create an SPRS score myself or would you recommend assistance from a Infosec Professional?

An InfoSec professional familiar with the process will save you time and be able to identify systems/services that may improve your score. You may not need much help, but laser focused assistance can save you a lot of time and money.

How do we get started?

https://www.sprs.csd.disa.mil/nistsp.htm

CMMC

DIB Frameworks

January 29, 2021February 18, 2021

Compliance Frameworks

Federal Acquisition Regulation Clause (FAR)

15 Practices
Self Attestation

Defense Federal Acquisition Regulation Supplement DFARS

NIST 800-171
Self Attestation
SSP & POAM

The Federal Information Security Management Act (FISMA)

NIST 800-53

CMMC

Cybersecurity framework and maturity model that combines the above + additional practices identified by the DOD and industry
CMMC-AB

CMMC

CMMC Levels

January 22, 2021February 18, 2021

5 CMMC Levels

Level 1 – Basic Cyber Hygiene

Federal Contract Information
- 17 Practices

Level 2 – Intermediate Cyber Hygiene

Federal Contract Information
- 72 Practices (L1 + 55 Practices)

Level 3 – Good Cyber Hygiene

Controlled Unclassified Information
- 130 Practices (L2 + Practices)

Level 4 – Proactive

CUI + Controlled Technical Information
- 156 – (L3 + 26 Practices)

Level 5 – Advanced/Progressive

CUI + Controlled Technical Information
- 171 (L4 + 15 Practices)

CMMC

January 18, 2021February 18, 2021

Cyber Security Maturity Model

CMMC is a cybersecurity framework and maturity model

Combination of maturity processes + cybersecurity best practices
Co-developed by DOD and industry
Primarily combines FARS -21 & DFARS 7012
Additional practices defined by DOD and Industry
CMMC is broken into 5 maturity Levels, spanning 17 domains (originating from FIPS) and 171 practices
CMMC-AB is the governing body Formal Assessments Required

NIST

FCI

January 8, 2021February 18, 2021

Federal Contract Information

Definition:

FCI is information provided by or generated for the Government under contract not intended for public release. (FARS)

Federal Acquisition Regulation Clause 52.204-21

Required Protection

15 CMMC Controls
17 NIST Practices
CMMC Equivalency: Level 1

NIST

CUI

January 1, 2021February 18, 2021

Controlled Unclassified Information

Definition

Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Defense Federal Acquisition Regulation Supplement DFARS Clause 252.204-7012

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

Required Protection

NIST 800-171
130 Practices
CMMC Equivalency: Level 3 or higher