QMSCAPA Update: v2.20.10

Important additions, enhancements and fixes have been made in a new release of QMSCAPA™ (version 2.20.10), which is available for download from QMSCAPA.app.
Enhancements
- Sales Order and Contract Review
- Purchasing Processes, including:
  - Request for Quote
  - Receiving Inspections
  - Supplier Evaluations and Survey Questionnaires
- Quality Monitoring and Measuring Methods
- Customer Satisfaction Evaluations and Surveys
- On-time Delivery
- Purchasing Processes
- Manufacturing/Production Processes
- Sales Order and Contract Review Processes
- Training Programs, Schedules and Training Effectiveness Records
For more information go to QMSCAPA.app
FREE E-Book for ISO 9001:2015 Requirements
Guidance for Implementation of Quality Management Systems for Certification to the ISO 9001:2015 Standard
Cybersecurity Maturity Model Certification

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
The CMMC effort builds upon existing regulation, specifically,
- 48 Code of Federal Regulations (CFR) 52.204-21 and
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and
- incorporates practices from multiple sources such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev 1 & Draft NIST SP 800-171B,
- the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [11,12,47,4].
ABCI Consultants provide cyber security guidance, implementation and personnel training services, which focus on Information Security Management Systems (ISO 27001) and regulatory compliance (NIST 800-171).
NIST Releases Two Draft Guidelines on Personal Identity Verification (PIV) Credentials
NIST is announcing the initial public drafts of NIST SP 800-157r1 (Revision 1), Guidelines for Derived Personal Identity Verification (PIV) Credentials, and NIST SP 800-217, Guidelines for Personal Identity Verification (PIV) Federation. These two SPs complement Federal Information Processing Standard (FIPS) 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.
- NIST SP 800-157 has been revised to feature an expanded set of derived PIV credentials to include public key infrastructure (PKI) and non-PKI-based phishing-resistant multi-factor authenticators.
- NIST SP 800-217 details technical requirements on the use of federated PIV identity and the interagency use of assertions to implement PIV federations backed by PIV identity accounts and PIV credentials.
NIST will introduce both draft documents at a virtual workshop on February 1, 2023. Please see the workshop homepage to register and attend the virtual event.
The public comment period for both draft publications is open through March 24, 2023. See the publication details for NIST SP 800-157r1 and NIST SP 800-217 to download the drafts and find instructions for submitting comments.
QMSCAPA Updated v2.17.2
Important additions, enhancements and fixes have been made in a new release of QMSCAPA™ (version 2.17), which is available for download from QMSCAPA.app.
Added New Features
- A Controlled Document Table has been linked to the Process Description.
- Added three new Process Maps for Process Planning and Auditing.
Enhancements
- Enhanced the Training Program elements (syllabus) table by adding a lookup table of commonly used syllabus elements.
Fixes
- Fixed the Primary Document link from the Training Program to the Controlled Document Table.
For more information go to QMSCAPA.app
Awareness Training for CMMC Requirements

This ABCI online self-study foundations course for Awareness Training about the Cybersecurity Maturity Model Certification (CMMC) includes the following Modules:
- Module 1 – CMMC and DFARS Course Introduction
- Module 2 – Information Security Management Systems (ISMS)
- Module 3 – CUI and NIST 800-171
- Module 4 – DFARS Clause 252.204-7012
- Module 5 – DFARS Clause 252.204-7012 Q&A
- Module 6 – Cybersecurity Maturity Model Certification (CMMC)
The course covers NIST Special Publication 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 for safeguarding and reporting Covered Defense Information (CDI).
Controlled Unclassified Information (CUI) is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls.
- CUI supports federal missions and business functions that affect the economic and national security interests of the United States.
Non-federal organizations often process, store, or transmit CUI, including:
- colleges and universities,
- state, local and tribal governments, and
- federal contractors and subcontractors.
NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.
- Requirements are organized into fourteen families.
- Each family contains the requirements related to the general security topic of the family.
Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 is required in all contracts except for contracts solely for the acquisition of COTS items.
- In addition, the Contractor shall include the clause in subcontracts for which performance will involve Covered Defense Information or Operationally Critical Support.
- CDI is the term used to describe information that requires protection under DFARS Clause 252.204-7012.
- It is defined as unclassified Controlled Technical Information or other information as described in the CUI Registry (http://www.archives.gov/cui/registry/category-list.html).
- Such CUI requires safeguarding/dissemination controls and is either marked or otherwise identified in the contract and provided to the contractor by DoD in support of performance of the contract;
- or the CDI is collected, developed, received, transmitted, used or stored by the contractor in performance of the contract.
ISO 27001 Lead Auditor Training Class scheduled for online learning

Mastering the audit of an Information Security Management System (ISMS) based on ISO/IEC 27001
4 1/2 days from August 17th through August 20th, 2020
Summary
This five-day intensive course enables participants to develop the necessary expertise to audit an Information Security Management System (ISMS) and to manage a team of auditors by applying widely recognized audit principles, procedures and techniques.
- During this training, the participant will acquire the necessary knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO 19011 and the certification process according to ISO 17011.
- Based on practical exercises, the participant will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit.
Who should attend?
- Internal auditors
- Auditors wanting to perform and lead Information Security Management System (ISMS) certification audits
- Project managers or consultants wanting to master the Information Security Management System audit process
- CxO and Senior Managers responsible for the IT governance of an enterprise and the management of its risks
- Members of an information security team
- Expert advisors in information technology
- Technical experts wanting to prepare for an Information security audit function
Learning objectives
- To acquire the expertise to perform an ISO/IEC 27001 internal audit following ISO 19011 guidelines
- To acquire the expertise to perform an ISO/IEC 27001 certification audit following ISO 19011 guidelines and the specifications of ISO 17021 and ISO 27006
- To acquire the necessary expertise to manage an ISMS audit team
- To understand the operation of an ISO/IEC 27001 conformant information security management system
- To understand the relationship between an Information Security Management System, including risk management, controls and compliance with the requirements of different stakeholders of the organization
- To improve the ability to analyze the internal and external environment of an organization, its risk assessment and audit decision-making
Course Agenda
Day 1: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001
- Normative, regulatory and legal framework related to information security
- Fundamental principles of information security
- ISO/IEC 27001 certification process
- Information Security Management System (ISMS)
- Detailed presentation of the clauses 4 to 8 of ISO/IEC 27001
Day 2: Planning and Initiating an ISO/IEC 27001 audit
- Fundamental audit concepts and principles
- Audit approach based on evidence and on risk
- Preparation of an ISO/IEC 27001 certification audit
- ISMS documentation audit
- Conducting an opening meeting
Day 3: Conducting an ISO/IEC 27001 audit
- Communication during the audit
- Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation
- Audit test plans
- Formulation of audit findings
- Documenting nonconformities
Day 4: Concluding and ensuring the follow-up of an ISO/IEC 27001 audit
- Audit documentation
- Quality review
- Conducting a closing meeting and conclusion of an ISO/IEC 27001 audit
- Evaluation of corrective action plans
- ISO/IEC 27001 Surveillance audit
- Internal audit management program
Day 5: Certification Exam (Flexible schedule)
- 8 am to 11:30 am (online)
Prerequisites
PECB Certified ISO/IEC 27001 Foundation Certification or basic knowledge of ISO/IEC 27001 is recommended.
Educational approach
This training is based on both theory and practice:
- Sessions of lectures illustrated with examples based on real cases
- Practical exercises based on a full case study including role playings and oral presentations
- Review exercises to assist the exam preparation
- Practice test similar to the certification exam
Examination and Certification
- The “PECB Certified ISO/IEC 27001 Lead Auditor” exam fully meets the requirements of the PECB Examination and Certification Programme (ECP). The exam covers the following competence domains:
  - Domain 1: Fundamental principles and concepts of information security
  - Domain 2: Information Security Management System (ISMS)
  - Domain 3: Fundamental audit concepts and principles
  - Domain 4: Preparation of an ISO/IEC 27001 audit
  - Domain 5: Conducting an ISO/IEC 27001 audit
  - Domain 6: Closing an ISO/IEC 27001 audit
  - Domain 7: Managing an ISO/IEC 27001 audit program
- The “PECB Certified ISO/IEC 27001 Lead Auditor” exam is available in different languages (the complete list of languages can be found in the examination application form)
- Duration: 3 hours
- For more information about the exam, refer to the section on PECB Certified ISO/IEC 27001 Lead Auditor Exam
- After successfully completing the exam, participants can apply for the credentials of PECB Certified ISO/IEC 27001 Provisional Auditor, PECB Certified ISO/IEC 27001 Auditor or PECB Certified ISO/IEC 27001 Lead Auditor depending on their level of experience. Those credentials are available for internal and external auditors
- A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential
- For more information about PECB Certified ISO/IEC 27001 certifications and the PECB certification process, refer to the section on ISO/IEC 27001 certifications
General Information
- Certification fees are included in the exam price
- A student manual containing over 450 pages of information and practical examples will be distributed to participants
- A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to participants
- In case of failure of the exam, participants are allowed to retake the exam for free under certain conditions
Location:
Online via Join.me
Fee: $1,750.00
QMSCAPA Updated to v2.6.12

Important enhancements were made in a new release of QMSCAPA™ (version 2.6.12), which is available for download from ABCI-Software.
- Added a new Nonconformance Report template to report NCRs by “Type” and date range.
- Enhanced the Monitoring and Measuring Device module.
- Enhanced the module for evaluating and surveying customer satisfaction.
- Fixed a problem with correctly storing the User Defined Menu options in the QMSCAPA.INI file.
- Updated the Document Control Index Viewer [DCIViewer.exe]
- Updated the File and Table Manager.
- Updated all Report Templates to include the template file name in the Report footer.
- Updated the Supplier/Vendor Survey Questionnaire sets. (See options to access example data files and tables.)
Download the QMSCAPA ‘Update’ and the free Viewer for Documented Information
1) Document Icon – The Document Control Index (DCI) browse table hyperlinks to the file path of the stored document or image. The native file viewer opens the linked document.
2) Person/Clipboard Icon – The Records Control Index (RCI) browse table hyperlinks to the file path of records and record approvals.
3) Information Icon – The Referenced Document table may be used to link to electronic documents for important equipment/instrument user guides, referenced standards, guidance documents and other forms of Organizational Knowledge.
Additional information about this release has been posted to What’s New in QMSCAPA.
NIST Releases Two Cybersecurity Guidance Publications

The National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) released two draft practice guides today:
- Special Publication (SP) 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- Special Publication (SP) 1800-26: Detecting and Responding to Ransomware and Other Destructive Events
Ransomware, malware, insider threats, and even honest user mistakes present ongoing threats to organizations. All types of data, such as database records, system files, configurations, user files, applications, and customer data, are potential targets of data corruption, modification, and destruction.
Formulating a defense against these threats requires thorough knowledge of the assets within the enterprise and protection of these assets against data corruption and destruction.
Furthermore, quick, accurate, and thorough detection and response to a loss of data integrity can save an organization time, money, and headaches. While human knowledge and expertise are essential components of a defense, the right tools and preparation are essential to minimizing downtime and losses due to data integrity events.
As detailed in these two practice guides, the NCCoE, in collaboration with members of the business community and vendors of cybersecurity solutions, has built example solutions to address these data integrity challenges.

CMMC FAQs

Background
The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), version 0.7 in December 2019 to support the public’s continued review of the draft model in preparation for the release of the CMMC Version 1.0 at the end of January 2020. The sharing of Federal Contract Information (FCI) and CUI with Defense Industrial Base (DIB) sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition.
Towards that end, Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)] is working with DoD stakeholders, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. CMMC also adds a certification element to verify implementation of cybersecurity requirements.
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).
1 – What is CUI?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- NATO
- Nuclear
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
2 – CUI versus FOUO?
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.
3 – What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?
The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion. [Ref: “Economic Impact of Cybercrime – No Slowing Down” in February 2018].
4 – What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”
5 – Why is the CMMC being created?
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism that ensures appropriate levels of cybersecurity practices and processes are in place, both to provide basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
6 – When will the final CMMC framework be released to the public?
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
7 – Will other Federal (non DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD.
8 – What is the relationship between NIST SP 800-171 rev.1 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
9 – How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
10 – How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
11 – How much will CMMC certification cost?
Will the cost be based on the level we requested or the size of the organization?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.
12 – Will there be a self-certification?
Self-certification shall not be recognized by the DoD.
13 – How do I request a certification assessment?
We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.
14 – Who will perform the assessments?
An independent 3rd party assessment organization will normally perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
15 – Are the results of my assessment public?
Does the DoD see my results?
Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
16 – How often does my organization need to be reassessed?
The duration of a certification is still under consideration.
17 – If my organization is certified CMMC and I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.
18 – If my organization is certified CMMC and I am compromised will my organization require re-certification?
A compromise will not automatically require a re-certification. However, depending on the circumstances of the compromise and the direction of your government program manager, you may be required to be re-certified.
19 – What if my organization cannot afford to be certified?
Does that mean my organization can no longer work on DOD contracts?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
20 – My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.
21 – I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.
22 – How will I know what CMMC level is required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
23 – Will CMMC certifications and the associated third party assessments apply to classified systems and / or classified environments within the Defense Industrial Base?
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks.
CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.