One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance.
Here, we’re covering the CIO’s guidance for organizations performing self-assessments, specifically how to scope their self-assessments for Level 1 maturity.
Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly managed open-source projects can fundamentally undermine federal security. It also demonstrates how state-sponsored actors can use these projects as a staging ground for more extensive Advanced Persistent Threats.