u/ThatInfoSecGuy

▲ 3 r/CMMC

How should I address "vibe coded" software in my environment?

I'm not sure why I am struggling with this one so much, but I'm hitting a wall when it comes to determining how to apply CMMC to internally developed software, particularly using a platform like Claude Code. I know PCI has specific requirements around internally developed software, but I think CMMC's lack of specificity on the topic is really throwing me for a loop.

reddit.com
u/ThatInfoSecGuy — 6 days ago

PCI for Password Managers?

Fair warning, this one is definitely "outside the box" when it comes to PCI compliance. To start off, with the general rule of PCI compliance obligations being "any organization that can process, transmit, or store payment card information" how does that apply to a password manager that provides the capability to store card details for the user?

Obviously this is outside of the traditional scope of PCI because the password manager isn't accepting the card info for the purpose of completing a transaction, but it is still saving the information for long term storage. A potentially complicating factor is that based on the platforms I looked into, many platforms allow the CVV/CVC to be saved as well, which is definitely against the rules.

The only thing I can come up with is that because the password manager isn't being used for the purpose of accepting a payment, that PCI rules aren't applicable but I am hoping someone with authoritative knowledge sees this and can weigh in.

reddit.com
u/ThatInfoSecGuy — 1 month ago
▲ 4 r/CMMC

Would you consider this FCI?

I am talking with an organization who is in a fairly odd spot with CMMC and I'd like to see if anyone can help parse through this logic.

This org, I'll call them "Org 1" provides financial-based consulting services to their clients, who are all CMMC L2 obligated orgs, I'll call these "Source Orgs". These Source Orgs are usually 1 or 2 layers separated from DoD. The Source Orgs are telling Org 1 that they must follow CMMC (I'm guessing because the Source Orgs don't fully understand CMMC).

Org 1 has employees who are contracted out to the Source Orgs on various types of projects that can involve access to CUI, but the Org 1 employees can only access Source Org data from computers that are fully managed by the Source Org.

Org 1 only has three laptops that are owned by Org 1: One for the owner, one for the admin assistant/bookkeeper, and one to be used for training new employees until they get the Source Org provided computer. The only interactions an Org 1 computer will have with a Source Org is via contract based communications.

Now I know what the FAR definition of FCI is, but I'm not sure how many layers down from the original "provided by or generated by for the Government under a contract" is still applicable for FCI.

Has anyone ever encountered a situation this convoluted and if you have, what was your answer?

reddit.com
u/ThatInfoSecGuy — 2 months ago