CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

March 22, 2021

Good afternoon, everyone!

I’ve heard several speakers, including John Ellis, Director of the Software Division with the Defense Contract Management Agency (DCMA), identify the same two issues as the most problematic in DIBCAC assessments, so I’ll tackle one of those today.

Multi-Factor Authentication (MFA)

First, let’s make sure we understand exactly what MFA is. Many people confuse “two step authentication” (two separate passwords, or a password and security question) with “two factor authentication.” These are NOT the same.

True MFA requires two of the three possible factors of authentication:

  • Something you know (password, security question)

  • Something you have (physical token, one-time code sent to email or text)

  • Something you are (fingerprint, retina scan)

So, for example:

  • Logging into your local PC with a password, then logging into your secure enclave in the cloud with a different password, is not MFA.

  • Logging into your remote access software with a password and a security question, then logging into your local PC virtually with a different password, is not MFA.

  • Logging into your PC with a password, after using a “smart card” to unlock it, is MFA.

  • Logging into your remote access software with a password, then requiring a second password AND a code sent via text message to access the PC itself, is MFA.

Do these examples help?

The CMMC Level 3 Assessment Guide states that MFA is required for:

  • local access to privileged (admin) accounts

  • network access to privileged (admin) accounts

  • network access to unprivileged (standard) accounts

  • remote access

This applies to every device in your information systems which store, process or transmit CUI, and also all devices in any connected systems. (This is one example of why limiting the scope of your CUI environment is critical to decreasing the burden of compliance.)

Remember, the CMMC model is descriptive, not prescriptive, which means you have flexibility in HOW you meet the intent of the objectives.

Need help? I’m just an email or phone call away!

What’s the difference between a policy, a practice document and a plan?

Ah, I’m glad you asked that question! This is the subject of my work(fromhome)shop on April 22, and registration is now open.

This one-hour online class is Part Two of my CMMC "deep dive" series. Only 30 places available! Class kept small to enable Q&A and discussions.

Early Bird Price of $99 expires on April 1

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!

Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass
The Net Effect, LLC
251-433-0196 x107

PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy