S33D Technology

Technology | Engineering | Consulting

08/27/2025

Want to hear more about what it’s like working in GRC, and are or will be in the Baltimore-DC area on 5 September? Come on out. Let me know you’re coming, and if you want to grab something afterwards, let’s chat.

Excited to be a part of this with Chris and the amazing crew he’s gathering.

Tech Woke Live Podcast: The Future of RMF & GRC 📍 Impact Hub Baltimore 🗓 September 5, 2025 🕕 6:00 PM – 9:00 PM Join us for a special live recording of the…

07/22/2025

After a career working on and leading government Risk Management Framework (RMF) teams, I shifted to supporting small businesses in implementing CMMC, which then led to other opportunities in GovTech.

There’s a lot of opportunity out there if you make the right connections and foster them. One connection I made is with Christopher Okpala. It was great to sit down with him and discuss things around some of my favorite topics. After you check this out, let’s connect on here, and in-person if you’re in the DC Area.

Thanks again for having me, Chris.

Link in the comments. 👇🏾

06/12/2025

When you had the experts at S33D prepare you for your CMMC assessment.

CMMC is here to stay and so are the bad guys. Protect your data and feel prepared going into your assessment.

05/26/2025

This Memorial Day we pause to honor the sacrifice of those who have died in service to our great nation. God bless those honorable and courageous men and women!

05/13/2025

❓❓Ever wonder why you can still earn partial points on CMMC 3.13.11 – “Employ FIPS-validated cryptographic modules when used to protect CUI”? Spoiler: It’s reality.

The answer is buried in the FIPS documentation — and it reveals a dose of real-world practicality from the DoD.

The FIPS 140-3 Management Manual makes it clear:

❌ Non-validated cryptographic modules do not meet the standard for protecting CUI, and data encrypted with them is essentially treated as plaintext.

But we know the reality: it’s not plaintext. It’s still encrypted — just not validated.

That’s why the DoD built in flexibility. They recognized that not every implementation could maintain strict validation 100% of the time — so they allowed partial credit when you’re doing your best to secure CUI but aren’t fully FIPS-validated.

✍🏾 It may also happen that your once-validated module becomes invalidated due to patching vulnerabilities. A security-relevant CVE patch may cause that module to be revoked because it no longer meets its functional security objectives and the security requirements derived from those objectives.

✅ Bottom line: The requirement is strict, but the scoring reflects reality. If you’re encrypting with strong algorithms but not yet validated, you’re not fully compliant — but you’re not starting from zero either. This is also a reminder that you must periodically check that the modules you’re using and the validated module you’ve recorded are accurate.

S33D Technology is prepared to support you in navigating this and other topics.
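The “periodically check” reminder above is something you can script. The following is an added example, not code from the original post: a read-only audit of a Windows host that records whether the FIPS algorithm policy is enforced, the on-disk version of the CNG primitives library (bcryptprimitives.dll, the file named on Microsoft’s CMVP certificates), and the OS build, then compares them with what your SSP records. The baseline values are placeholders you must replace with the versions listed on the CMVP certificate you rely on; a mismatch after patching is exactly the revocation scenario the post describes.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# prompt on the Windows host in scope. All baseline values below are
# placeholders: copy them from your SSP and the CMVP certificate you cite.
$Baseline = @{
    OsBuild               = '<OS build recorded in the SSP, e.g. 19045.xxxx>'
    PrimitivesFileVersion = '<bcryptprimitives.dll version listed on the certificate>'
    CmvpCertificate       = '<CMVP certificate number recorded in the SSP>'
}

function Get-FipsPosture {
    # FipsAlgorithmPolicy\Enabled = 1 is "System cryptography: Use FIPS compliant
    # algorithms...". It restricts algorithm selection; it does NOT prove that the
    # module on disk is the validated version, which is why we also record the file.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $dll = Get-Item "$env:SystemRoot\System32\bcryptprimitives.dll"
    $os  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FipsPolicyEnabled     = ($enabled -eq 1)
        OsBuild               = '{0}.{1}' -f $os.CurrentBuildNumber, $os.UBR
        PrimitivesFileVersion = $dll.VersionInfo.FileVersion
        PrimitivesSha256      = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
        CollectedAt           = (Get-Date).ToString('o')
    }
}

function Compare-FipsBaseline {
    param(
        [Parameter(Mandatory)] $Posture,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $findings = @()
    if (-not $Posture.FipsPolicyEnabled) {
        $findings += 'FIPS algorithm policy is disabled; non-approved algorithms may be selected.'
    }
    if ($Posture.PrimitivesFileVersion -ne $Baseline.PrimitivesFileVersion) {
        # A patch, including a security fix, can move the host off the validated version.
        $findings += ('bcryptprimitives.dll is {0}; SSP records {1} (certificate {2}).' -f
            $Posture.PrimitivesFileVersion, $Baseline.PrimitivesFileVersion, $Baseline.CmvpCertificate)
    }
    if ($Posture.OsBuild -ne $Baseline.OsBuild) {
        $findings += ('OS build is {0}; SSP records {1}.' -f $Posture.OsBuild, $Baseline.OsBuild)
    }
    if ($findings.Count -eq 0) { 'Validated module record matches this host.' } else { $findings }
}

$posture = Get-FipsPosture
$posture | Format-List
Compare-FipsBaseline -Posture $posture -Baseline $Baseline
```

Keep the emitted object with your evidence: the SHA-256 and collection timestamp give an assessor something more durable than a screenshot, and the comparison tells you, before the assessor does, that a patch cycle has changed the module you documented.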

05/05/2025

💡 Did you know: The DoD publicly published a configuration guide to Microsoft Entra. Link in the Comments

In February 2025, the Defense Information Systems Agency (DISA) released the first revision of its Microsoft Entra ID Security Technical Implementation Guide (STIG). Is it fantastic and will it solve all of your problems? No. But it does push out some basic items that can secure your organization.

As is typical, they included the NIST SP 800-53 revision 4 and revision 5 references. These are great for everyone who needs a reference for how to do something and doesn't know where to start with a CMMC/NIST compliance program.

STIGs are great resources that both advanced practitioners and novices can benefit from, just like CIS Benchmarks.

Happy compliance. Reach out if you want to implement this or other security configurations in your organization and just need someone to speak to you about it before you start clicking buttons and brick a computer.

04/28/2025

🚨AC.L2-3.1.10 – Session Lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Session locks come in handy to prevent unauthorized access to data. This can happen in the office and outside it, with family or an office cleaner around. Windows Key + L saves you the hassle of that inadvertent exposure and of reporting that unauthorized exposure of CUI or proprietary data.

✅Technical Fix: Implement a 5-minute inactivity lock.

📑Admin Fix: Make it policy that all users lock their devices when left unattended.

🔗 Link to the story in the comments
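As an added example (not from the original post), here is how the 5-minute technical fix looks when enforced and verified on a Windows endpoint. It sets the “Interactive logon: Machine inactivity limit” policy, stored as the REG_DWORD InactivityTimeoutSecs under the HKLM Policies\System key, which locks the session after that many idle seconds regardless of what the user has done with their screen saver. Assumptions: an elevated prompt, and 300 seconds as the value the post recommends; the one-day upper bound in the parameter validation is my own sanity cap, not a Windows limit.

```powershell
# Added example, not part of the original post. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'

function Get-SessionLockTimeout {
    # A missing or zero value means "no machine inactivity lock".
    $v = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Seconds      = $v
        # AC.L2-3.1.10 as applied here: the lock must engage within 5 minutes.
        Compliant    = ($null -ne $v -and $v -gt 0 -and $v -le 300)
    }
}

function Set-SessionLockTimeout {
    param([ValidateRange(1, 86400)] [int] $Seconds = 300)   # 86400 is my own cap, not a Windows limit
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # REG_DWORD is required; the setting takes effect at the next logon / policy refresh.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Seconds -Force | Out-Null
    Get-SessionLockTimeout
}

# Usage: enforce the 5-minute lock, then read it back as evidence.
Set-SessionLockTimeout -Seconds 300
```

Get-SessionLockTimeout alone is the audit half: run it across your fleet (for example through your RMM or a scheduled task) and collect the objects. If you manage devices with Intune, the same setting is available in the settings catalog under Local Policies Security Options as the machine inactivity limit, and the per-user screen saver policy values (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop) are a second, weaker layer that users can see but not disable.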

04/25/2025

📝How To: Managing App Protection Policies for Unmanaged Devices in Microsoft Intune

If you’re setting up an App Protection Policy (MAM) in Intune and want it to apply only to unmanaged devices (think personal phones or laptops that access corporate apps like Outlook, Teams, or OneDrive), you’ll notice that the old method of selecting 'Unmanaged Devices Only' is no longer available.

👉 Instead, Microsoft now requires you to:

Set Target to apps on all device types = Yes (no way around this).

Create and assign a MAM Assignment Filter where:

🖱️ Property: deviceTrustType

🖱️ Operator: Equals

🖱️ Value: Azure AD registered

✅ Azure AD registered devices are typically personal BYOD devices, not fully managed corporate assets.

By filtering this way, you can tightly control which apps and devices are protected — without over-enforcing restrictions on corporate-managed devices that already meet compliance standards.

Key takeaway:

Don’t look for “Device Management Type” when filtering MAM policies anymore — use Device Trust Type and target Azure AD registered devices instead.

Security is constantly evolving, and small changes like this have a big impact when you're scaling secure access in hybrid environments.
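Before you assign a filter keyed on deviceTrustType, it helps to see which devices it will actually catch. The block below is an added example, not code from the original post: it pulls the tenant’s device objects from Microsoft Graph and labels them by trust type. In Entra device objects the Graph property is trustType, and its value Workplace is what the portal displays as “Azure AD registered”; AzureAd is “Azure AD joined” and ServerAd is “Hybrid Azure AD joined”. Assumptions: the Microsoft.Graph.Identity.DirectoryManagement module is installed and the signed-in account has Device.Read.All.

```powershell
# Added example, not part of the original post. Read-only against Microsoft Graph.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

# Graph trustType -> the label shown in the Entra / Intune portals.
$TrustTypeLabel = @{
    Workplace = 'Azure AD registered'      # BYOD: the population a deviceTrustType filter selects
    AzureAd   = 'Azure AD joined'          # corporate-managed, left alone by the filter
    ServerAd  = 'Hybrid Azure AD joined'   # corporate-managed, left alone by the filter
}

function Get-MamFilterTargets {
    Get-MgDevice -All -Property id,displayName,operatingSystem,operatingSystemVersion,trustType,accountEnabled,approximateLastSignInDateTime |
        ForEach-Object {
            $label = if ($_.TrustType -and $TrustTypeLabel.ContainsKey($_.TrustType)) { $TrustTypeLabel[$_.TrustType] } else { 'Unknown' }
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                OS          = $_.OperatingSystem
                OSVersion   = $_.OperatingSystemVersion
                TrustType   = $label
                InMamFilter = ($_.TrustType -eq 'Workplace')
                Enabled     = $_.AccountEnabled
                LastSignIn  = $_.ApproximateLastSignInDateTime
            }
        }
}

$targets = Get-MamFilterTargets

# How the tenant splits by trust type (sanity check that joined devices stay out).
$targets | Group-Object TrustType | Select-Object Name, Count

# The devices the "Azure AD registered" filter will hit, newest sign-in first.
$targets | Where-Object InMamFilter | Sort-Object LastSignIn -Descending | Format-Table -AutoSize
```

Two things to look for in the output: stale registered devices with no recent sign-in (clean those up rather than protect them), and Windows machines that show as “Azure AD registered” because a user added a work account to a personal PC. Those are BYOD too, and whether the policy should reach them depends on the platform you pick when you create the filter.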

03/21/2025

How can you implement CMMC requirement "3.1.9: Provide privacy and security notices consistent with applicable CUI rules" on a system like a mobile phone? Do you actually have to use a digital notice banner or another way?

This maps to NIST SP 800-53, AC-8.

The best way to do it is via your user agreement. Your user agreement can be powerful!

Some uses that help with CMMC compliance:
1. Notice and Consent to Monitoring
2. Home Office (remote work) Standards for User Environment
3. Data Handling Standards
4. Acceptable Use of Company Resources
5. etc...

It's simple, but useful!

Address

10 E North Ave
Baltimore, MD
21202
