Posts

Showing posts from September, 2025

RBAC Done Right: Group-Based Access for Least Privilege

RBAC: The Same Actor, Different Roles, Dressed by the Group Context

In modern enterprise environments, Role-Based Access Control (RBAC) is not just a technical necessity; it's a strategic safeguard. Yet many implementations fall into a subtle trap: assigning roles directly to users while leaving groups as passive containers. This post challenges that model and offers a more dynamic, compliant alternative.

The Actor Metaphor: John Smith in Context

Imagine John Smith, a trusted employee. He’s a “basic user” in one department, but a “data steward” in another. If we assign him a static role, say “basic user”, across the entire system, we flatten his capabilities. He becomes limited everywhere, regardless of context. But what if we treat groups as contextual environments, like costumes for an actor? John remains the same person, but when he enters the “Finance Team” group, he wears the “data steward” role. In “Marketing,” he’s simply a “viewer.” This approach respects both least...

When Compliance Fails: A Deep Dive into the Equifax Breach

Equifax Data Breach – Independent Incident Report

Reporter: Rana Jahandad Khan
Incident: Equifax Data Breach 2017
Date of Incident: Mid-May and July 2017

A Red Hat hacker breaching compliance barriers under NIST 800-61r2. Red Hat: an attacker operating outside traditional ethical boundaries, exploiting known vulnerabilities aggressively.

Executive Summary

Equifax reported a data breach of their system. As a result, 143 million Americans’ Social Security numbers, birth dates, addresses, and some driver’s license numbers were compromised. Roughly 209,000 credit card records were also stolen. The incident occurred due to an unpatched Apache Struts vulnerability exploited by attackers.

Detailed Summary

In 2017, Equifax—a credit monitoring company serving businesses, individuals, and government entities—suffered a major breach. Attackers exploited CVE-2017-5638, a known Apache Struts vulnerability, using a simple Python tool (jexboss.py). They bypassed firewalls, acce...

From Compliance to Clarity: Role-Based Access in Export-Controlled Environments

How to Build a Role-Based Access Matrix That Actually Works (Respecting Export Boundaries in Global Teams)

By Rana Jahandad Khan

In today’s compliance-driven environments, access control isn’t just about who logs in; it’s about how we collaborate securely across borders, roles, and responsibilities. Whether you're working within FedRAMP, CMMC, or NIST frameworks, the challenge is the same: enabling global teamwork while respecting regulatory boundaries. This post shares how I built a role-based access matrix that balances operational clarity, export control requirements, and inclusive collaboration.

Why Role-Based Access Matters

Modern systems are complex. We work with talented professionals from around the world, each contributing their best. But certain regulatory frameworks, especially those involving export-controlled data, require us to define access based on roles, responsibilities, and sometimes legal boundaries. The goal isn’t exclusion. It’s precision. We want t...

How to Think Like an AO Without a CAC

How to Think Like an AO Without a CAC

A guide for compliance architects, learners, and legacy builders

Introduction

You don’t need a Common Access Card (CAC) to think like an Audit Objective (AO) lead. You need clarity, integrity, and a systems-first mindset. This post is for those who want to architect audit-ready environments without waiting for credentials.

Section 1: What Is an AO Mindset?

- Seeing every control as a question: What would an auditor ask?
- Building evidence before it’s requested
- Mapping frameworks like CSF 2.0, CMMC, and RMF with purpose
- Documenting not just for compliance, but for clarity and trust

Section 2: Tools You Already Have

- NIST SP 800-171A Rev. 3: Assessment procedures for CUI
- CMMC Level 1: Foundational practices for FCI
- Microsoft Defender, Intune, Entra ID: Technical safeguards that generate audit evidence
- SharePoint: A living repository of your audit lens

Section 3: Learning Without a CAC

Use Defense Acquisition Univers...

NIST CSF 2.0 to CMMC Level 1: A Practical Crosswalk for Audit-Ready Compliance

NIST CSF 2.0 Meets CMMC Level 1: A Practical Crosswalk for Compliance Architects

By Rana Jahandad Khan

Cybersecurity frameworks often feel like parallel universes, each with its own language, structure, and expectations. But what if you could align two major frameworks with a single set of controls? That’s exactly what I set out to do with this crosswalk between NIST Cybersecurity Framework 2.0 and CMMC Level 1. Whether you're preparing for a defense audit or building a scalable security program, this mapping helps you satisfy both frameworks without duplicating effort.

Why This Crosswalk Matters

NIST CSF 2.0 introduces a new Govern function, elevating cybersecurity to a strategic, enterprise-level concern. CMMC Level 1 focuses on foundational security practices for contractors handling Federal Contract Information (FCI). By aligning the two, you can build once and comply twice, saving time, reducing risk, and strengthening audit posture.

NIST CSF 2.0 →...

The Ultimate Compliance Folder Structure: How I Built an Audit-Ready System from Scratch

How I Built a Bulletproof Compliance Folder—From Chaos to Clarity

Introduction

In the world of compliance, clarity is currency. Scattered evidence, reactive documentation, and unclear roles don’t just slow audits—they erode trust. As a systems architect and compliance lead, I’ve spent years refining a folder structure that transforms chaos into clarity. This post outlines the architecture behind my CMMC Level 1 evidence system, designed to be scalable, hash-verifiable, and audit-ready.

The Problem: Fragmented Evidence and Reactive Workflows

Most compliance environments suffer from:

- Disorganized folders with no naming conventions
- Evidence stored in multiple formats across disconnected locations
- Lack of cross-referencing between policies, screenshots, and enforcement logs
- No hash integrity or tamper-proof tracking

These issues lead to failed audits, user confusion, and leadership frustration.

The Solution: A Nested, Referenced, and Role-Aware Folder System

I designe...