This analysis comes from Cults and Nonconventional Religious Groups: A Collection of Outstanding Dissertations and Monographs, "Shakubuku: A Study of the Nichiren Shoshu Buddhist Movement in America, 1960-1975", David A. Snow, 1993, pp. 171-179.
I'll try to shave it down, because it's a long section, but he masterfully dissects the manipulation and artifice involved in the "discussion meetings" of then-NSA (now SGI-USA). You'll recognize the fakery he identifies - this is the nature of the Dead-Ikeda-cult SGI, a completely dishonest and exploitative cult.

It is at these discussion meetings, then, that NSA gets on with the real work of promoting and securing nominal conversion, of attempting to get recruits to take the first major step toward conversion by agreeing to receive a Gohonzon and to give chanting a try.

In those days, the nohonzon was issued up front (for a fee, of course - cash on the barrelhead).

And since gaining converts is, in large part, what this movement is all about, "nothing is more basic to the activities of NSA," as noted in the Winter edition of the 1975 NSA Quarterly, "than the discussion meeting." Or, as one district leader emphasized when discussing the importance of these meetings: "Discussion meetings are indispensable to the spread of the practice and the attainment of Kosen-rufu."

If you've ever felt confused at how sitting around someone's living room with the same bunch of losers month after month is doing anything toward the SGI's supposed goals of "world peace" or anything at all, actually, besides wasting the participants' time, I think what's described here will make it clearer what the original intent and purpose of these "discussion meetings" was, AND how far from that the current SGI "activities" have fallen.

The Character and Organization of These Meetings from a Sociological Standpoint
Given the purpose and importance of these discussion meetings, the question arises as to how they are organized and brought off in a strategic manner. In other words, what is the underlying strategy guiding this work of securing nominal conversion, and what are the kinds of tactical adjustments made at the line of scrimmage when the plan of attack does not appear to be advancing the group toward its goal of getting guests to agree to give chanting a try.

It's not enough that the "guests" say they'll try it; by the end of this ordeal, they'll say absolutely anything to get themselves to the other side of that door! What they really want is enough interest and desire on the part of those "guests" that they'll come back - and ideally become regularly attending members (as described in this indoctrinational creative writing fiction where a career Catholic priest is so entranced with the fictional (non)discussion meetings that he JOINS the SGI!! You'll notice that there is never any room within SGI to even mention one of THEIR SGI leaders who joins a Baptist church, for example, much less to celebrate such a stepping-out-of-line. But it's always FINE for other religions' leaders to see the obvious superiority of the SGI, knowmsayin?

In order to answer these question [sic] in a sociological manner, let us step out of the shoes of a guest and into those of a sociological [sic] with insiders' knowledge.
The Strategy of Theatrical Persuasion. Although members and the movement's literature like to characterize these meetings as being forums for free and open discussion and the spontaneous expression and flow of happiness and excitement, they are a far cry from gatherings characterized by spontaneity and unstructured discussion and interaction. Rather, they are meticulously planned and highly orchestrated meetings that can be best conceptualized, from a dramaturgical perspective, as theatrical-like presentations staged and conducted by a set of individuals (NSA members) who not only work together as a team but whose intimate cooperation is expected and required in order to foster and sustain a convincing impression or definition of the situation in the eyes of the audience (the recruits or guests).
Although the staged character of these meetings is seldom readily discernible to the unsuspecting guest, the appropriateness of conceptualizing these meetings in this way is suggested by the following considerations. First, the purpose of the meeting, as already indicated, is to sell guests on the idea of chanting, to so impress them that they feel compelled to give this practice call [sic] chanting a try.
Secondly, there is a division of labor such that all members have one or more roles to play. These various roles include the leadership role, the role of emcee, a general, overarching supportive role, and several more specific supportive roles, such as the role of giving an explanation of what NSA is all about, the role of a song leader, and the role of giving testimony. And even more significantly, members are provided with fairly detailed instructions, or, in the language of the theater, with scripts indicating what each role involves and how best to perform or play it.

There's a list of these roles. At the discussion meeting planning meeting, the attendees go down the list and simply plug different members' names into the worksheet.

The main leadership role, assumed by the district chief or, in his absence, the assistant district chief, includes, for example, the tasks of leading the chanting in a vigorous manner, conducting the question-and-answer session, meeting with each of the guests, and providing an inspirational role model for the other members. In performing these tasks, the leader is reminded that rather than putting on the air of a great sage, he should make a point of displaying great vitality, warmth, and compassion. Furthermore, he is expected "to be able to give clear explanations of the philosophy and practice," and is instructed to "always tailor his answers and encouragement to the audience."

Answers should always be tailored to the audience. If the guests are young, then the answers should include examples they can relate to. If the questions are too mystical or one-sided, the leader must have the wisdom to change the subject or break off the question-and-answer period diplomatically.

Blanche described how in her first district, the WD District leader instructed everyone that, if someone in the meeting was going on too long or rambling or whatever, that they should just start clapping wildly and shouting, "Congratulations!!" and then the MC would just move on to the next topic on the agenda. Reeeeal "spontaneous" there...

The emcee role is also regarded as particularly important, so much so that "the success of the meeting" is said to be contingent on how well it is performed. In fact, "so much depends on the emcee" that the discussion meeting is described for him as "a battleground in which he must struggle to bring victory to the members."

Barf. How far SGI has fallen! Now the goal is to see if there's some young teen in an SGI member's family who can be press-ganged to show up and read the agenda - their youth in and of itself is supposed to "encourage" everyone! Forget about all that "struggle" nonsense - they aren't gonna. This illustrates the SGI's current "form over function" approach, in which they just identify someone and pressure that person to do it, rather than the ideal candidate volunteering from a spirit of...oh, whatever - see above paragraph 🙄 Ideally, there would be SEVERAL young people positively brimming with passion and youthful energy who would be vying to be chosen: "Me! Let ME do it this time!" "No! ME!" "Choose ME!!" Instead, now it's just some tired old fart who agrees to do it, just to get this over with and there's no one else.

Specific responsibilities include setting "the gears fo the meeting in motion" and keeping the meeting going in a rhythmical and orderly manner.

You have to wonder just how crazy they envision these (non)discussion meetings might go - will a spontaneous rave break out if it isn't carefully controlled? An unpermitted parade? A frenzy of liturgical dance?? WHAT might happen??? Enquiring minds want to know!!

The emcee must develop the ability to keep the rhythm of the meeting going by making sure that there are no pauses or interruptions. If someone is causing a disorder, he should quiet the person in a polite manner. If a baby starts crying, he should see to it that either the mother or one of the young women at the meeting takes the child to another room to calm it down.

Gendered. Misogynist.

The emcee is also charged with being "the eyes and ears of the person leading the meeting."

Before and during the meeting, he should watch guests, be on the lookout for disruptions, and in general, be aware of everything that's happening. He should inform the person leading the meeting how many guests are present and whether they are young or old, so the leader can set the rhythm of the meeting accordingly.

Yeah. NO 😄 WOW but it's been a LONG TIME since any SGI sales pitch-based recruiting session - I mean discussion meeting - had any characteristics that would fit the above instructions. Just no way. Not now. Now, it's the same old handful of longhaulers dragging themselves in to go through the motions - as usual. By rote.

In addition, the emcee is expected to talk, act, and appear in a manner that displays or exudes strength, confidence, vitality and neatness.

The emcee must speak in a vigorous, strong and clear voice, but not screaming. The way he sits, stands up and moves the table must display confidence.

This was when a small table would be moved in in front of the person who led gongyo, who would turn around to face the group. This is of course a Japanese norm, completely foreign to Westerners. How many people outside of Japan even have a low table like that, designed for someone who's sitting on the floor??

In fact, he should stand up smartly whenever he is talking. As for appearance, he should reflect the image of NSA - clean and neat clothes and personal grooming.

It has been a LOOOOOOOONG time since ANY SGI district could insist on these requirements! Now they're just lucky if they can get anyone younger than retirement age to read the agenda off, and the agenda is often handed to them right there at the meeting itself - fuhgeddabout all this "advance preparation" nonsense. Nothing happens at the SGI discussion meetings, so nobody's going to go to this much trouble just because.

And finally, the emcee is instructed to have the details of the meeting worked out and the setting in order before the meeting begins.

...as opposed to showing up and being handed a printed agenda to read off as SGI does it now.

The emcee must have a plan for the meeting. He should write up a schedule showing who will give the explanation, what songs will be sung, who will give experiences and so on, and present it to the leader at least two days prior to the meeting. The emcee must prepare for the meeting. He should check to see if the meeting place is clean and neat, that all lights work and there is an appropriate meeting table. Most of all, he should do Shakubuku for the success of the meeting.

Oh, like any of that's gonna happen! 🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣
Yes, things were VERY different back in the late 1960s-early 1970s, when the SGI organization in the US was still growing. As you can see, all this has been tossed right out the window.
A couple of items:

• "the leader" - this was when the leader of the local district organizational unit (typically the MEN's leader) would assume the leadership role for the "discussion meeting". This was replaced with a "central figure", an invited "SENIOR leader" who would agree to attend and serve this "leader" function. The invited SENIOR leader would typically lead gongyo and preside over the proceedings - that's more how these meetings are arranged now.
  
• that "Shakubuku" in the last sentence? It strikes me wrong somehow. Sure, that'd be great and all for EVERYONE to bring a "guest" (#SGIGOALZ of course) but I think that having the person CHANT for the success of the meeting would be a more reasonable assignment. Also, how could the MC properly shepherd their "guest" and STILL do all that MC stuff single-mindedly??
  

In fact, you can see a newly promoted leader doing exactly that, "chanting for the success of the meeting", here, from this same time period (early 1970s).
It's been a LONG time since any of this was happening, and you can clearly see in today's (non)discussion meetings how far things have deteriorated - and that's JUST the MC part! There's a bit about the demands on the members of the group - I'll skip to just this part:

As one district chief explained during a planning meeting for senior and junior leaders within the district and which I was invited to by one of my key informants:

Make sure to tell your members to chant in rhythm with the leaders. There shouldn't be any more than one rhythm. Everyone should be together so that there is unity. And remember to have them support the leader in whatever he says; the guests won't know whether he is right or wrong. So even if you don't agree with what is being said, act as if you do. this [sic] way there is unity at the meeting and the guests will be more impressed.

Wow, huh? It's completely dishonest and oriented entirely at flimflamming and bamboozling the "guests"!
Next there's a big section on "experiences", but I'm going to give that its own post because it's a WHOLE topic on its own. Hopefully today! But Ima skip ahead a bit, to p. 177:

A fourth indication of the staged character of discussion meetings is provided by the fact that planning meetings are held at both the district and chapter level for the purpose of discussing how to improve discussion meetings and make them more successful. Although rank-and-file members (those who have not attained that status of a junior or senior leader) are not normally invited to these planning meetings, I was able to attend several of them at the invitation of both my district chief and a junior leader who was one of my key informants.

SKULLDUGGERY!! 💀

It was during these planning meetings that I became deeply sensitized to the highly orchestrated and dramaturgical character of not only the discussion meetings but of NSA's overall operation.

At this point it's important to remember that "dramaturgical" means "relating to the art or the theory of writing and putting on plays, especially for the theater" - it's all putting on a show to manipulate the unwitting guests in order to trick them into transforming into new recruits. It's ALL fake - just a façade to fool the uninformed.

A fifth consideration suggesting that staged character of discussion meetings is the fact that much of what members do and say, both verbally and nonverbally, during the course of a meeting is to appear natural and spontaneous rather than artificial and contrived.

They try. Unconvincingly.

In other words, these meetings are not to appear as staged performances or as the product of dramaturgical cooperation. This concern is evidenced by the emphasis placed on exuding sincerity and responding to calls from the emcee and to what the leader says and does with alacrity and enthusiasm. It is also suggested by some of the rituals engaged in by the emcee, as when he scans the gathering after he has called for an experience so as to foster the impression that whom he calls is a spontaneous decision rather than one that has been pre-arranged, as indicated by the fact that those called on are already listed on his meeting agenda and by the fact that members frequently know beforehand whether they will be giving an experience.

This fakery apparently was dropped decades ago; in current SGI (non)discussion meetings, not only is the person acknowledged by name as delivering/"sharing" an "experience", but the person often has it written out on a piece of paper they semi-read off.

But none of this is evident to the guest.

Rather, what transpires - who gives the explanation, who gives testimonies, and so on - is staged in such a way that it all appears as if it is spontaneous and independent of prior planning, negotiation, and decision-making among the members. As a consequence, it seems reasonable to suggest that NSA in general and the district members in particular have something of the character of a secret society.

Only without any special perks or sexiness.

This is not particularly surprising, however, when considering the nature of theatrical-like teamwork. As Erving Goffman noted in his seminal discussion of this kind of work:

... if a performance is to be effective it will be likely that the extent of cooperation that makes this possible will be concealed and kept secret... The audience may appreciate, of course, that all members of the team are held together by a bond that no member of the audience shares ... But (the members of the team) form a secret society ... insofar as a secret is kept as to how they are cooperating together to maintain a particular definition of the situation.

This will all be very familiar to the people trying to recruit new suckers into MLM schemes/scams, too.

The sixth and final consideration suggesting the appropriateness of viewing these meetings from a dramaturgical perspective is the fact that they do not "go on" unless there is an audience, that is unless guests are in attendance.

Before Ikeda was excommunicated by Nichiren Shoshu and transformed the SGI into his own personal worship society, there was a certain "rhythm" to the year. February and August were "Shakubuku Months", and there was an "introductory meeting" scheduled every week. If it came to meeting start time and there was no "guest", the meeting was halted and everybody was sent out to try and find something with a pulse to drag in, at which point the meeting would proceed:

When I first discovered this I was somewhat startled, for I had assumed that these meetings were conducted in their entirety regardless of the presence or absence of a new face. But as I learned one evening, this is not the case. Following the chanting session on this particular evening, the leader emphasized that since these meetings were for guests and none were present, we would have to go out and round up one or two. So the members in attendance were divided into Shakubuku teams and sent out in search of prospects. Although three of the four teams returned empty-handed, one had managed to corral a single guest. But one is all that is needed; and so the formal meeting began as usual.

For "formal meeting" read "sales pitch". By the late-1980s, perhaps earlier, instead of being every discussion meeting, this format was restricted to the "introductory meetings" during the Shakubuku Months. However, he's describing something that happened every single time. No meeting unless a "guest" was present.

During my tenure as a member I saw this particular scenario re-enacted on four different occasions, and on one occasion we were sent back into the streets three times in succession. Around 8:30 p.m., after the third try and with one guest in hand, the show finally got on the road.

The author describes himself as "an active participant observer for nearly a year and a half".

Perhaps even more illustrative of the theatrical character of these meetings and the fact that they are staged for guests is the following course of events that transpired one evening during a meeting I attended:

Although no guests were present when the chanting began, a young couple came in toward the end of the chanting session and situated themselves on the floor at the back of the room. But apparently the emcee didn't notice them; for upon completion of the chanting session he didn't jump up and yell out: 'Welcome to a vigorous and happy meeting of the [name here] District of NSA!' But the district leader, who had apparently seen this couple come in, punched the emcee in the ribs and whispered that some guests were present. And so this member immediately assumed his role of the emcee and proceeded as usual by springing to his feet, putting on a big smile, and blurting out, 'Welcome to a vigorous and happy meeting of the [name here] District of NSA!'

"Vigorous and happy" 🤣

In light of the foregoing considerations and observations, there seems to be little question about the appropriateness of conceptualizing NSA discussion meetings as "shows" or presentations staged by the members, who constitute a performance team, before an audience composed of recruits or "guests".

This was what was going on BEFORE Dickeda swanned into the US in 1990 and "changed our direction" - because of what Sensei did, the bottom fell out of the discussion meetings. Instead of weekly meetings, Dickeata dictated that these meetings would only happen monthly from now on - and of COURSE Die-Sucky Scamsei's word is LAW in his own cult of personality, where the membership follows a PERSON instead of any "law". Post-excommunication, at the (non)discussion meetings I attended, there was at least one guest every single time, but they never came back. The ONLY person I saw join post-excommunication was a formerly homeless woman with two small children who had moved in with an SGI member (who had unethically selected her at the abused-women's shelter she was living at, where he volunteered computer classes for the residents). She was able to see it didn't work; she ended up quitting.
Now what SGI-USA is left with is an ever-shrinking membership of mostly Baby-Boom generation and older individuals who mostly joined during the time period described in this study. SGI has completely lost what vitality it once had; now it's simply waiting around for the grave - and oblivion.

Yesterday (Tuesday) I subbed for a teacher who is going to be out until Friday. For some reason, someone else took the job for today (Wednesday), but I will be back on Thursday (tomorrow). It’s a Spanish 8th grade class. I’m certified general K-6th.
The kids had a practice Regents exam to work on. The vast majority of students either finished the exam or only had 2 30-word responses left. That was ALL that was left for the 3 days this teacher is out.
Due to how many of them were almost done or done, I stopped by the secretary’s desk on my way out and informed her that the teacher didn’t leave enough work for the students for the next two days. I knew the teacher was just at the high school (right next door) doing some testing, so it’s not like she was out sick and couldn’t get more plans to the school. Furthermore, she had booked these absences weeks in advance.
The secretary tells me “I’ll email her, but you should probably think of something to do with them. You have two days to come up with something useful.” I let out a nervous laugh and said “yeah, I don’t speak Spanish well enough for that.”
I’m just soooooo annoyed that 1) the teacher wouldn’t leave enough work and 2) the secretary would act like it’s MY responsibility to come up with more work. As a sub, I am CERTAINLY not getting paid enough to plan lessons. The teacher, who knew about her absences weeks in advance, should absolutely be held responsible for not providing enough instructional materials. I also have no access to curriculum materials, no idea where they are in the curriculum, and am not certified in this subject area or grade level. Also, I can’t print things or assign them stuff on google classroom!
It’d be one thing if she had said “treat it like a study hall and let them work on things from other classes,” or “we’ll get another Spanish teacher to drop off some worksheets for you,” or anything else that didn’t place the responsibility on ME. But no, she acted like the teacher’s lack of planning constituted me doing extra work.
Long rant, so sorry. Needless to say, I’m not planning anything.

Just received a loan summary from a lender for new builds. Can anyone verify if this looks right and if anything can be waived? Yes, the 6.5% is really high for VA….

My agent is my realtor, and quoted me this. Is there anything outright way too expensive?

I was covering a Sped class during my conference period today and I told the aides that were there I was going to leave the class a bit early (~8 mins) so I could use the restroom and then walk back to my class as I anticipated my restroom break going on for about 10 minutes or so. Mind you this is a class of 12 kids with only mild autism (so nothing that would ever require one on one attention) AND with 3-4 aides. All the kids were doing were simple coloring math worksheets, the aides were either eating their lunches or on their phones, so I thought “ok I am clearly not needed here so I’ll just go take the #2 I was holding in a bit.”
Evidently, me alerting the aides I was going to use the restroom 8 mins before I had to hustle back to the room I signed up to cover constituted abandoning the class. I mean I’m sorry I’m already doing the school a favor by covering a class I technically don’t even have to cover so what else do the aides expect from me? My fault I guess so in the future I’ll just time my poops better to fit their schedule. Perhaps I’m not seeing something here, but was I supposed to tell the aides “hey I’m gonna take a large dump. I’ll be gone a while”? Or maybe next time I’ll rush my poops a little more so I don’t abandon my sacred duty of making sure kids don’t color outside the lines /s.

Hey, what’s up I found this community/group and figured I can chat with you guys. We all know prices are wild right now for homes was wondering if what we’re looking at is a good deal? I have a special situation I’m buying the home I’ve been renting for the last 10 years and I love it. Great neighborhood mid modern home more than happy my question is is this a good loan? I’m happy for the the sale price on the home . Thanks again

Hello,
I have consulted with other attorneys and doing my own research but am getting mixed comments about a topic. In a divorce hearing, the plaintiff's lawyer submits the Child Support Worksheet and dramatically increase the defendant's income. Furthermore, the Order that included this judgement was never signed by a judge or entered with the clerk but the arrears for this huge amount the defendant was responsible for, that he obviously couldn't keep up with, was added to the final judgment. Does that constitute fraud by the attorney or the judge or both even? I've reviewed, many sources that say submitting misinformation that results in a contract judgment is fraud. Also, any judgement resulting in an "unenforceable order" is void. I would really like to hear from others on this matter.

Curious about the US Election? The battle for the Republican nomination for President starts this week, with former-President Trump enjoying a big lead over rivals like Nikki Haley and Ron DeSantis. But Trump also faces criminal charges and an effort to block him from being on the ballot because of his actions on January 6. A class on US politics - POLC92 (Mondays 11-1) - has space - and no pre-requisites to encourage students in any program to take the class (including CNCR). Students will learn about the unusual features of the US primary campaign season before looking at the constitutional issues involved in excluding Trump from the ballot by holding a debate on the question of whether the courts should be involved. The class is part of the Aura recording system, so if you cannot attend class, you can just watch a video of the lecture (and find the lecture slides) on Quercus shortly after lecture finishes on Mondays. Syllabus: here
https://preview.redd.it/l0kfu3h86hbc1.png?width=773&format=png&auto=webp&s=270fb2a0db4283b69c306ac425f0da0c864b081d

We homeschool and have found that not all curricula are the same. Some definitely teach anti gun and anti freedom versions of the bill of rights. Our current choice is in part because of how they teach rights. They took a very non biased approach to teaching gun rights.
We had an optional SCOTUS case worksheet. We wrote on the Bruen decision. They had to share the name of the case, the year the case was heard by SCOTUS, summarize the constitutional argument, the ruling, which justices ruled which way and the reasons given in the opinions. We had a good conversation about how the constitution is still alive and in constant use.
Edit: for example it says the second is for self defense. They bring up hunting but they make sure to stress that scotus agrees that guns are for self defense.

Hello,
I am trying to send a file into ChatPDF and get the answer back that i want to paste into Cell A1 in my workbook (just for testing) but i just can't seem to get any further.
I get the following error
"Status: 500
Response: {"error":"invalid json response body at https://prompt-pr4yueoqha-ue.a.run.app/ reason: Unexpected token 'I', \"Internal S\"... is not valid JSON"}"
And i've tried the format in a JSON validator, and it checks out, so i have no idea what might be wrong.Here is the complete code. And the JsonConverter is from here https://github.com/VBA-tools/VBA-JSON -- which seems to work as it converts my uploaded document into a string for the sourceID needed.
And here is also the documention for the API
https://www.chatpdf.com/docs/api/backend
​

Sub UploadFile() Dim http As Object Dim stream As Object Dim filePath As String Dim apiKey As String Dim responseText As String filePath = "C:\Users\ ((CROPPED OUT))" apiKey = "sec_((CROPPED OUT))" ' Create the HTTP request Set http = CreateObject("MSXML2.XMLHTTP") Set stream = CreateObject("ADODB.Stream") stream.Type = 1 ' adTypeBinary stream.Open stream.LoadFromFile filePath http.Open "POST", "https://api.chatpdf.com/v1/sources/add-file", False http.setRequestHeader "x-api-key", apiKey http.setRequestHeader "Content-Type", "application/octet-stream" ' Send the request with file content http.send stream.Read ' Check the response If http.Status = 200 Then responseText = http.responseText PasteValueIntoA1 responseText, "sourceId" Else Debug.Print "Status: " & http.Status Debug.Print "Error: " & http.responseText Debug.Print "Full Error Response: " & http.responseText End If stream.Close End Sub 

​

Sub SendMessage(sourceId As String) Dim http As Object Dim headers As String Dim data As String Dim apiKey As String Dim responseText As String ' Set your API key and source ID here apiKey = "sec_((CROPPED OUT))" ' Prepare JSON data data = "{""sourceId"": """ & sourceId & """, ""messages"": [{""role"": ""user"", ""content"": ""Who wrote the constitution?""}]}" ' Create the HTTP request Set http = CreateObject("MSXML2.XMLHTTP") http.Open "POST", "https://api.chatpdf.com/v1/chats/message", False http.setRequestHeader "x-api-key", apiKey http.setRequestHeader "Content-Type", "application/json" http.send data Debug.Print data ' Check the response If http.Status = 200 Then ' Do some coding here for pasting in A1 -- but can't get past this part' Else Debug.Print "Status: " & http.Status Debug.Print "Response: " & http.responseText End If End Sub 

​

Sub PasteValueIntoA1(jsonString As String, key As String) Dim json As Object Dim ws As Worksheet Set ws = ThisWorkbook.Sheets("Sheet1") ' ' Parse JSON string Set json = JsonConverter.ParseJson(jsonString) ' Check if key exists in JSON If json.Exists(key) Then ' Paste the value into cell A1 SendMessage json(key) Else ws.Range("A1").Value = "Key not found" End If End Sub 

​

This post captures Totem Technologies notes as we complete our first read-through of NIST's final public draft revision 3 of the 800-171 standard. If you read our post about the initial public draft (ipd) there aren't _many_ differences between the ipd and the fpd. But there are enough differences to make this post worth the read, if we do say so ourselves :) Our overall pros and cons of rev 3 still stand:

Pros:

• Some redundancy in -171 rev 2 has been removed
• Configuration Management capability requirements have been expanded and focused. We believe cybersecurity revolves around effective CM; this is good news.
• Monitoring of physical facilities is now explicitly required instead of just implied. While this can be expensive, at least we know up front we have to do it and can plan accordingly, and won't be surprised during an assessment later on.
• Supply Chain Risk Management (SCRM) requirements have been introduced. This is a necessary addition to ensure we adequately protect ourselves from all 3rd-party risk, however...(see Cons)

Cons:

• Supply Chain Risk Management (SCRM) requirements have been introduced. This is going to be seriously burdensome for small to medium sized organizations to effectively implement.
• Other (maybe even more) redundancy has been introduced (see the 3.16.1 vs. the new Supply Chain Risk Management family controls, for instance)

General notes:

• There are 95 controls in the fpd, as opposed to 110 in rev 2
• Where we note below that a control family has fewer controls than in rev2, note that this doesn't necessarily mean that family has fewer things to do! If there are fewer controls in a family, that is usually just a sign that NIST consolidated two or more controls
• From a footnote in section 1.1: Nonfederal systems include information technology (IT) systems, operational technology (OT) systems, and Internet of Things (IoT) devices. So 800-171 now expands to include protections for OT systems too.
• The use of ODP only makes -171 less approachable by the average SMB. Convoluted language. DoD may choose to define the ODP for us, perhaps in a document similar to the CNSSI 1253 for DoD-owned IT systems, but that just adds a layer of complexity to the compliance.
• DNS filtering (a CMMC 1.0 delta 20 control we thought for sure would make it in) is not explicitly required. Neither is Email Sandboxing/Detonation. We are disappointed with this.
• The NFO (Non-Federal Organization) assumed/implied protections have been removed from rev 3. To some extent these have been replaced by the ORC designation (Other Related Controls), wherein "The outcome of the control relating to the protection of confidentiality of CUI is adequately covered by other related controls." While in some cases this removal is good (there were a lot of poor assumptions), NIST now says, for example, the implied requirement of maintaining a Configuration Management Plan (CMP) doesn't contribute to the Confidentiality of CUI. We think maintaining a CMP is still a good idea, so we'd suggest having an CMP. (We have a template at our free tools page: https://www.totem.tech/free-tools/)
• NIST also released an ipd of the 800-171A rev 3. That will take longer to review, so we aim to publish a KB article on that soon.

How FAR 52.204-21 (CMMC Level 1) is incorporated into rev 3 fpd

Changes to how FAR 52.204-21 controls (Basic protections for FCI) are incorporated into NIST 800-171:

• NIST 800-171r2 dispersed the FAR 52.204-21 across 17 controls: 3.1.1, 3.1.2, 3.1.20, 3.1.22, 3.5.1, 3.5.2, 3.8.3, 3.10.1, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.5, 3.14.1, 3.14.2, 3.14.4, 3.14.5
• NIST 800-171r3 fpd disperses these across 13 controls: 3.1.1 (reworded only to address human users), 3.1.2 (reworded, but the outcome is the same), 3.1.20, 3.1.22, 3.5.1, 3.5.2 (although the IA controls have been reworded, the outcome is the same), 3.8.3, 3.10.1 (now split and 3.10.8 has the equipment part of this), 3.10.8, 3.10.7 (encapsulates 3.10.3-5), 3.13.1 (encapsulates 3.13.5), 3.14.1, 3.14.2 (encapsulates 3.14.4-5)

Notes about specific families/controls

What follows are some notes about specific controls, grouped by family. Control changes with HUGE (or is it "YUGE"?) ramifications for small businesses are noted.
Access Control
16 controls (down from 22)
3.1.1 emphasis seems to be on user accounts, de-emphasizing PAOBOAU and device access control (see 3.5.2 where all the device access control reqs were moved to)
3.1.2 replaces requirements to limit "functions and transactions" with a requirement to enforce authorizations for accounts (i.e. permission setting on accounts)
3.1.5 again, a de-emphasis on device access control here, only referencing users and PAOBOAU
3.1.5-3.1.7: strong emphasis on least privilege, for accounts, privileged users, and access to privileged functions. Interesting that they break least privilege out into three controls now, whereas they have combined into a single control the previously multiple controls on remote and wireless access (see next two notes).
3.1.12: I like what they've done in combining previous 3.1.12, 3.1.13, 3.1.14, and 3.1.15 into a single control
3.1.16: same here, combining wireless access control 3.1.17 into it
3.1.18: I like the allowance for container-based encryption on mobile devices
Awareness and Training
2 controls (down from 3)
3.2.1: The phrase security "literacy" training seems pedantic doesn't it?; insider threat training requirement (previously separate 3.2.3) is now included in this control; excellent that we're required not just to train on insider threat but also social engineering
Audit and Accountability
8 controls (down from 9)
3.3.3: We're happy that the old "Audit Record Review" was merged into 3.3.1, as 3.3.3 was consistently misinterpreted to mean "review logs for anomalous activity" instead of it's actual meaning which was to review which events the org was generating logs for
AU family: still no explicit requirement for a SIEM/SOC capability
Configuration Management
10 controls (up from 9)
3.4.2: now requires hardening to the "most restrictive mode consistent with operational requirements", but doesn't explain what they heck that means. Just speak plain english: choose a hardening guide/STIG/benchmark, and then apply as much of it as you can without affecting functionality. NIST does provide a nice list of types of parameters and configuration setting guides/source.
3.4.3: with inclusion of security impact analysis, now makes 3.4.4 redundant
3.4.7: now incorporated into 3.4.6 for configuring the system for least function
3.4.8: HUGE: no more blacklisting; only whitelisting allowed
3.4.1 / 3.4.10: 171 now distinguishes better between baselines and inventories; 3.4.1 is to establish a baseline and 3.4.10 (new control) is to maintain an inventory
3.4.11: (new control) we'll need to identify and document CUI location and who has access to it; aligns perfectly with our CUI inventory worksheet and process. Love this control
3.4.12: significant ramifications for orgs that allow users to take work laptops on travel with them, as the org will be required to inspect the laptop for security deficiencies
Identification and Authentication
8 controls (down from 11)
3.5.1: combines usernames and passwords (old 3.5.2 control) into one control now for users and passwords
3.5.2: HUGE: 171 removes language about device "verification" and now requires "authentication", e.g. 802.1x, RADIUS, Kerberos. Looks like filtering by MAC will not be sufficient for this control any longer.
3.5.3: MFA required for all system accounts, period. This means local accounts require MFA as well. Well done NIST, no longer nitpicking over local vs. privileged vs. network accounts.
3.5.5: user accounts now have to have a "characteristic", e.g. "contractor", "foreign", "MSP", etc. This can be done by appending the username with the characteristic, e.g. [john.doe.msp@company.com](mailto:john.doe.msp@company.com)
3.5.7: all password-policy-related controls now combined into this one, done away with password history requirements, but now requires passwords to be checked against known bad lists at the time of creation (need to check if Windows has a tool that can help with this)
3.5.12: new control for the protection of authenticators (including passwords), which includes allowances for changing passwords after events, not necessarily time periods. The ODP for this control is for "events" and not "period". NIST makes the welcome comment: "The use of long passwords or passphrases may obviate the need to periodically change authenticators." We'll see if the DoD lets us change passwords when appropriate, and not after arbitrarily defined short periods of time, such as 90 or (heaven forbid) 60 days
Incident Response
4 controls (up from 3)
3.6.2: "Provide incident response support resource that offers advice and assistance to users...for the handling and reporting of incidents." Check out our CIRA!!!
3.6.4: new control requiring training on incident response. Very cool, but will require additional training resources.
Maintenance
3 controls (down from 6)
3.7.4: quarantine machine requirement now rolled into this one control
3.7.6: clarifies that maintenance personnel can be non-escorted, but must have appropriate authorizations
Media Protection
7 controls (down from 9)
3.8.7: now provides and ODP opportunity for the DoD to prohibit certain types of media from use with CUI. Let's hope DoD makes an informed decision if they decide to ban certain types of media. (For instance, if they banned USB flash drives for some reason, many DoD contractors would have to significantly adjust how they move information around internally)
3.8.9: conspicuous (for us) lack of FIPS Validated encryption requirement for CUI backups; in fact there isn't even an ODP to define what type of encryption is used (although 3.13.11 does have an ODP, and 13.11 would apply to backups as well, so... let's hope the DoD doesn't call out FIPS Validation as an ODP!!!)
Personnel Security
2 controls (no change)
3.9.1: no clarification on what constitutes acceptable employee "screening". We get this question all the time--do I need to do background checks? Of what kind?
NIST backed off the explicit requirement in the ipd to have our MSPs do background checks on their employees; we should ask our MSPs to do this anyway, as 3.9.1 implies that screening must happen prior to _any_ access to CUI systems
Physical Security
5 controls (down from 6)
3.10.1: HUGE: now required to have staff use "authorization credentials" for physical access to systems, at least systems that handle CUI (not necessarily required for FCI systems then?). Per NIST "Authorization credentials include identification badges, identification cards, and smart cards. Individuals with permanent physical access authorization credentials are not considered visitors." This means you will have to issue badges, etc. to staff. Note this control doesn't go so far to say that these badges are required to be used to enter the facility, instead just to differentiate between staff and visitors; 3.10.7 still allows the use of keyed locks for physical access control; however, check out our notes below for 3.10.8.
3.10.2: HUGE: got rid of ambiguous term "protect" and focuses on "monitoring" of physical facilities. This control now explicitly requires monitoring of the facility, especially publicly accessible areas, which NIST previously assumed we were doing (in an "NFO" control in the appendix of rev 2). We are also required to periodically review the physical access logs (required to be generated by 3.10.7), not just generate them.
3.10.7: HUGE: new control, now encapsulates the 3 controls in FAR 52.204-21 (ix), previously 3.10.3-5, facilitating only the 15 controls in the FAR in the -171, instead of 17. Now required to control egress, although we are still allowed to log only access to entry _or_ egress
3.10.8: HUGE: new control; the protect and monitor "infrastructure" aspect of 3.10.2 has been moved here, with a more focused emphasis on controlling access to network comms spaces, cables, and devices. May have huge ramifications for manufacturers and other orgs with IT infrastructure organically grown over a long period of time. Also, we are required to control physical access to "output devices" e.g. "monitors, printers, scanners, audio devices, facsimile machines, and copiers." Per NIST: "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only." Taken together, 3.10.1, 3.10.7, and 3.10.8 strongly suggest we will need badge readers / keypads and differentiated access control for areas where CUI is present. If CUI is present in your whole facility--access to your whole facility will require more sophisticated access control than keyed locks, and you'll not be able to leave doors unlocked.
Risk Assessment
2 controls (down from 3)
3.11.1: HUGE: organizational risk assessment now requires supply chain risk assessment. Totem has SCRM plan template in the works
3.12.2: all vulnerability scanning and remediation now consolidated here
Security Assessment and Monitoring -- updated title
4 controls (no change in total, but one of the controls is new)
3.12.4: required SSP but this has been incorporated into the new Planning family
3.12.5: HUGE: new control requiring organizations to establish SLA, MOU, ISAs, including Interface Control Descriptions (ICD) prior to exchanging CUI with _any other_ organization. However, the ODP text suggests a simple NDA may suffice to meet this control? Totem to comment on this to NIST.
System and Communications Protection
10 controls (down from 16)
3.13.1: this is a L1 control as well, and has 3.13.5 (DMZ) incorporated into it now
3.13.2: this control has been removed/reclassified as "NCO" meaning not required because it doesn't help protect the confidentiality of CUI. So you now don't have to explicitly document your secure architecture and security processes, as in our SEPG. This is good news as it reduces the paperwork burden for small businesses.
3.13.7: split-tunneling requirement has been removed, as NIST says it is covered by other controls. However, the words "split tunneling" are not explicitly used by any other controls, but only implied by others, e.g. by a combo of controlling remote access, ensuring least functionality, and hardening your stuff. Our take: just keep explicitly preventing split tunneling by configuring your VPN clients correctly. Jeez...
3.13.8: modified to require crypto for securing CUI in transmission and storage (was just addressing transmission, but 3.13.16 has been incorporated now)
3.13.11: HUGE: In rev2 this is the single control that requires FIPS Validated crypto; now this control allows organizations to define what type of crypto is used. However, the DoD could (will?) continue to double down on the requirement for FIPS validated crypto, so we'll see...
3.13.14: specific requirements for VoIP protection and monitoring have been removed
3.13.17: note that this HUGE new requirement previously added in the ipd has now been removed: it was going to require the use of proxy services for web content filtering. NIST says this is an "ORC" control, i.e. adequately covered by other controls (perhaps 3.1.3 now...). Totem will be making a comment to NIST that we think explicitly requiring some content filter (e.g. DNS filtering) is a great control.
System and Information Integrity
5 controls (down from 7 controls)
3.14.1: L1 control, now NIST provides clarification on what constitute "flaws", distinguishing flaws (bugs) from vulnerabilities, and requiring testing of bug fixes before production roll out
3.14.2: all L1 controls related to antivirus (3.14.2, 3.14.4, and 3.14.5) are rolled up into this one control now
3.14.6: incorporates 3.14.7 and gets explicit that NIST is looking for network traffic analysis (e.g. IDS) here
3.14.8: new control requiring us to establish CUI retention policies, in accordance with contracts and other guidance. The spirit of this control is to prevent us from keeping CUI _too long_, so that there is less risk of the CUI being compromised.
Planning
new family with 3 controls
3.15.1: requires policies and procedures for all the other controls. I don't know how you have an SSP without these, but apparently this needs to be explicitly stated
3.15.2: this is the control that requires an SSP, and incorporates aspects of the old 3.12.4. Note the requirement to identify connections to other systems. Check out Totem's CUI and System Inventory (https://www.totem.tech/free-tools/) for a template worksheet that facilitates the identification and characterization of interconnections.
3.15.3: new control requiring published "rules of behavior" (RoB); we've been coaching clients from the beginning that the first policy they need to put in place is an Acceptable Use Policy (AUP). We have templates for this (https://www.totem.tech/free-tools/).
System and Services Acquisition
new family with 3 controls
3.16.1: provides an ODP for the DoD to define which of the security controls must be included in contracts with service providers (e.g. MSP). NIST is very vague in the language here, but we think this is the control that will allow the DoD to force us to use MSP that comply with 800-171/CMMC.
3.16.2: this is a new control for the management of unsupported system components. One of the old "delta 20" from CMMC 1.0, but in this case the control de-emphasizes the mitigation that can be achieved by isolating unsupported components. NIST emphatically wants us to replace or internally develop support protocols (i.e. roll our own patches) for unsupported components, instead of just isolating them.
3.16.3: HUGE: this requires us to ensure we have service level agreements in place with all our Managed Service Providers (MSP) that dictate the MSP will abide by our security requirements for the protection of CUI. This one is going to be herding cats, as there are 10s of 1000s of MSPs out there. Also it is unclear what the difference is between 3.16.1 and 3.16.3a.
Supply Chain Risk Management
new family with 3 controls
3.17.1: HUGE: we are explicitly required to maintain a Supply Chain Risk Management (SCRM) plan. This has been a stated emphasis of the entire Federal gov't, especially the DoD, so this is no surprise, but this is going to be a large undertaking for the average small business. Totem will publish our SCRM Plan template in early Q1 2024
3.17.2: new control that requires us to identify and implement Acquisition Strategies, Tools, and Methods for SCRM. Redundant control, as this would already be done in an SCRM Plan, although this control is a little more specific in risk mitigation techniques, such as requiring tamper-evident packaging, counterfeit product inspection, etc.
3.17.3: new control that requires us to identify and implement Supply Chain Controls and Processes for SCRM. Redundant control, as this would already be done in an SCRM Plan

One of the details I find most interesting about this case is the fact that Eric and Dylan were firing reloaded ammunition.
Reloaded ammo is made by reusing cartridge cases and sometimes even the primers after flattening out the dimple. However, some people don’t even flatten out the primer dimple. My dad made his own ammo like this, so I’ve handled reloaded ammo and it does look a bit beat up.
CBI 38/JCSO 1097 Two 9 mm single stack magazines and 18 live rounds of 9 mm Luger caliber ammunition. (R-P 9 mm)
(Noted as 9mm magazine includes 8 shells" in serology)
10 Rounds from magazine 38A 8 Rounds from magazine 38B
Both magazines are noted as having a 9-round capacity
(note: not sure how 38A is noted as containing 10 live rounds in one place and is said to be a 9-round capacity magazine right below).
Item #38A was a magazine found on Eric’s body. It was full of live, reloaded ammo.
The Cartridge Case Worksheet from the CBI states:
“Examined live rounds of 38A – note all have slight indents on primers, some have apparent extractor marks. Used 3 of 38A live rounds w/38A for testing of #21” (#38A is a 9 or 10-round magazine and #21 is the Hi-Point Carbine)
Source: (Full CBI, p.2322)
​
CBI 60/JCSO 2109
One fired S&B round of 9 mm Luger caliber FMJ bullet ammunition found outside.
This round was also reloaded.
The notes read: "numerous extractor and ejector marks; appears to be a reload."
This casing was not traced to any specific gun.
Source: (Full CBI, p.2340)
​
There were 35 different 9 mm ammo head stamps collected as evidence. Some were fired by police, but Eric and Dylan fired at least 18 different types of ammunition.
Thanks to SGA for bringing the CBI notes on the “possible reloads” and extractor marks on all the ammo in the magazine to my attention, which got me digging!!
Here are the 18 types of ammo they had:
WIN 9MM LUGER
CBC 9MM LUGER
9x19 L Y 92
R-P 9MM LUGER
CCC 88
WCC 86
WCC 87 (+)
WCC 88 +)
WCC 89 (+)
WCC 95
A-MERC
PMC 9mm LUGER
FC 9MM LUGER
GFL 9MM LUGER
3-D 9MM LUGER
I> 9mm PARA 92
SPEER 9MM LUGER
FC 87
​
The only type of ammo that is consistent, in a large quantity, is the WIN 9MM LUGER, which I’ve read was the type Manes purchased for them, but I can’t verify this. Maybe someone else can.
CBI Cartridge Case Worksheets documented 10 or 11 rounds of reloaded ammo. Nine or ten in the magazine found on Eric’s body and one fired casing that had extractor marks from multiple firings. We are missing hundreds of Cartridge Case Worksheets, so we can’t say for sure how many reloaded rounds they had with them that day. However, with 18 different head stamps, most of it had to have been reloaded. The only way to get ammo with 18 different head stamps is to buy 18 individual, separate boxes of ammunition, and we have no evidence of them doing that.
Reloaded ammo makes sense of why Eric and Dylan had cartridges with head stamps that are normally reserved for law enforcement. It would also explain why they had so many different head stamps, when we were told they only bought 2 boxes of ammo at the gun show (250 rounds) and Manes brought them two boxes he bought at K-Mart (50 round boxes).
Why would they buy reloaded ammo?
There are two reasons they would have purchased reloaded ammo. The first reason being they didn’t know anything about firearms and thought it was a good deal to save a few bucks and didn’t know the potential risks. However, based on my research into the Tanner Gun Show, I lean toward the possibility that they purchased ammunition they didn’t know was reloaded.
Apparently, the TGS is notorious for hosting vendors who offload reloaded ammo in factory boxes and people don’t know any better until they get home and open the boxes. Given Eric and Dylan’s lack of firearms knowledge, they probably didn’t even know until they saw the extractor marks on the casings. By then, it would have been too late.
And I actually wonder if this is why they asked Manes to buy them some more ammo. They already had more than enough bullets, and they even left some at home. Well, if they started test firing their reloaded ammo at Rampart Range in March and realized they had really shitty ammo, it only makes sense for them to want more (and to not be seen buying it so close to the date of their planned attack). Most of the ammo they fired that day was the Winchester 9mm Luger ammo, at least according to the CBI reports. This seems like the only manufacturer’s ammo they had.
What about the subsonic ammo?
Now let’s look at the live round found in the office area with the head stamp of TZ 85, which indicates it's subsonic: CBI 920/JSCO 2412.
At first, it looks like someone was shooting subsonic ammunition that day and dropped a bullet. I wouldn’t have thought anything else until I realized they were shooting reloads that day.
We don’t have a CBI Cartridge Case Worksheet for the TZ 85 live round found in the office area. So, we can’t say if it had extractor marks on it or not in order to determine if it was a reload, but I think this bullet was a reloaded round. It fits the pattern. I didn’t know until I researched it, but people who reload their own ammunition often visit law enforcement shooting ranges to pick up the brass because it’s thicker and sturdier. This makes sense, especially since many people reload their ammo multiple times, which weakens the cartridge more each time. It isn’t unusual to have reloaded rounds with LE and military head stamps.
Where did they get reloaded ammo?
Now the next question is where did they get their reloaded ammo? It wasn’t from the manufacturer, so we can rule out the boxes Manes bought from K-Mart. What we have left is the Tanner Gun Show.
In order to sell reloaded ammo, you need to be a registered ammunition manufacturer with a class 6 FFL federal license (and have insurance) and register for ITAR and pay all applicable fees. It’s highly unlikely that the vendors at the TGS did this. This is why they sneak their reloads into manufacturer’s boxes.
Digging into this, here’s what people had to say about buying ammo at the TGS and some comments on using reloads in general:

People that buy ammo from gun show vendors are like people that visit prostitutes. Ya really never know what you are going to come home with.

​

No offense but that’s what happens when you buy ammo at the Tanner Gun Show lol, let this be a learning experience.

​

As a general rule, unless you’re a Milsurp shooter buying surplus ammo, or the seller is someone you know for sure is reputable, avoid buying ammo at gun shows. Will almost always be overpriced and/or (as is likely in this case) someone’s reloads or remans their trying to pass as factory.

​

I went to Tanner yesterday, it was like going to a gunshow in a sex dungeon, but the worst of both. I should have brought my bloody headlamp.

​

Dont even think of trying to find good non reloaded ammo either. These crooks say its factory non reloads but the crimps have all been reamed.

​

The factory reloads normally have a reputation that you can check. For another, if their ammo damages your gun, you know where their offices are, and they have a vested interest in fixing the problem. With a private reloader, you're taking your chances on both the ammo and on any warranty services.

​

With some reload that the operator did not personally load. My rule is that if I did not load it or see it loaded I will not fire a reload in any weapon I own.

I've never been to a gun show, but it sounds like it's a place where newbies get suckered into buying other people's leftovers in terms of ammunition. Hard pass.
Information on selling reloaded ammunition
The law on manufacturing ammunition & licensing:
(a) No person shall engage in the business of importing, manufacturing, or dealing in firearms, or importing or manufacturing ammunition, until he has filed an application with and received a license to do so from the Attorney General. The application shall be in such form and contain only that information necessary to determine eligibility for licensing as the Attorney General shall by regulation prescribe and shall include a photograph and fingerprints of the applicant. Each applicant shall pay a fee for obtaining such a license, a separate fee being required for each place in which the applicant is to do business, as follows:
(1) If the applicant is a manufacturer—
(A) of destructive devices, ammunition for destructive devices or armor piercing ammunition, a fee of $1,000 per year;
(B) of firearms other than destructive devices, a fee of $50 per year; or
(C) of ammunition for firearms, other than ammunition for destructive devices or armor piercing ammunition, a fee of $10 per year.
Definition of ammunition:
(17) (A) The term “ammunition” means ammunition or cartridge cases, primers, bullets, or propellent powder designed for use in any firearm.
Information on ITAR:

ITAR stands for the International Traffic in Arms Regulations which were promulgated to implement the provisions of the Arms Export Control Act of 1976 (AECA). The relevant section (emphasis added) is as follows:
Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register with the Directorate of Defense Trade Controls. For the purpose of this subchapter, engaging in the business of manufacturing or exporting defense articles or furnishing defense services requires only one occasion of manufacturing or exporting a defense article or furnishing a defense service. Manufacturers who do not engage in exporting must nevertheless register.
As for what constitutes ‘defense articles’, 22 CFR 121.1 contains a complete listing under what is known as The United States Munitions List (USML). The relevant section is contained in Category III of the list in subsection f:
(1) The components, parts, accessories and attachments controlled in this category include, but are not limited to cartridge cases, powder bags (or other propellant charges), bullets, jackets, cores, shells (excluding shotgun shells), projectiles (including canister rounds and submunitions therefor), boosters, firing components therefor, primers, and other detonating devices for the defense articles controlled in this category.

First time poster!! I just wanted to see if you guys thought this is a fair amount to pay in closing and a fair rate. This is my very first home. My credit score ranges from 720 to 750 (I think when they pulled it was like ~720).
It's an FHA loan for a triplex in PA. No flooding. Student loans (still going for my master's) and my car debt (339 a month) is my only debt.
Let me know if you need any more information to make a more informed decision.
Closing is still a couple of weeks away in my opinion. Appraisal came back 168k. Loan is for 160 with 5k in sellers assistance.
Thanks a lot!

I am a para in an elementary MD room. Our teacher has been out since September 15. A student who was improperly placed in our MD room broke her thumb the third week of school. The first 3 weeks she was out we had a parade of different subs. The 4th week they got someone to fill in tfn. The SpEd department head and some resource teachers created a new schedule for our class. They brought us some folder activities, and worksheets, then proceeded to explain to us how to fill out grading rubrics for students on modified curriculums. We are also deciding which activities the students do each day. In my mind this constitutes making lesson plans, which we are NOT supposed to do. There is no one directing what’s going on in our classroom. It’s incredibly frustrating and we feel like there are numerous illegal things happening. We found out last week that our teacher is resigning. Not sure when it’s official. Our union rep has not been very helpful.
Can someone give me some direction? I want to do right by our students. They are the ones who will suffer the most in the long run. Things are bad enough in this class with a good teacher. Without one it’s ridiculous.

I'm not sure if this is exactly right, but its a loose framework. since my character sheet menu isn't visible to me, this is my off the cuff worksheet for my characters stats
strength = bench+squat+deadlift (1RM in kilo)/20
Dex= average of the following 3
maximum difficulty you could realistically climb on the French grading scale x2 (I wanted to use the yds, it was too difficult)
words per minute you can type /4
1000/dot agility drill time
constitution = (v02 max) /4 [still not happy with this one]
Int = IQ score / 6.25 (IQ of 125=20)
Wisdom = age /2 +/- 1 for every good and bad life choice you made (by your own definition)
Cha = (your own subjective rating of your attractiveness on a 10 point scale) + (your subjective rating of your personality on a 10 point scale)
let me know if there are better figures I can use for more accurate calculations.(i.e. Con seems to be a poor judge of my actual stat)
some edits made to reflect comments below

At the moment, data is the biggest asset on the internet. Whilst you are reading this, there will be zillions of data uploaded to the data pool already. But you know what goes behind the hottest buzzwords “data”, “data analysis”, and “data visualization”? The definite processes of extracting, scrutinizing, synthesizing, refining, evaluating, and statistically organizing data. Again, wondering how these processes seem to work? Well, there are a set of tools and techniques that follow the process depending on the type of data, organization, and the requirements based on the organizational or business purpose.

To traverse deeper in the world of data analysis and its crucial tools, the team of TechData Solutions offers students and professionals one of the best online courses that focuses primarily on Data analysis with Power BI, SQL, and Tableau; the top tools you need to know as a novice in the dynamics of data visualization.

• Download Brochure
• Request a Demo
• Enroll Now

Data Analysis — Process

Technically, data analysis is a systematic process that involves cleaning, transforming, and data modeling to extract clean and necessary information that enables the decision-making for any business. In layman terms, we as humans take our daily decisions by analyzing what happened in the past while considering the future consequences to make the best decisions. The same goes when businesses, organizations, and enterprises decide to make the best decisions using the data available in any format.
This five-step cycle constitutes the data analysis process:

1. Identity the right data
2. Collecting data
3. Cleaning and filtering data
4. Analyzing data sets and results
5. Interpret data results

And repeat.
Thus, if your business lacks the desired growth, you will have to take a step back, retrospect, follow the steps, and make a way out without repeating the same mistakes. And if your business is blooming, you will have to predict the future while analyzing the best processes and the data.

Online Data Analysis — Course Curriculum

1. Data Analysis with Power BI

Model Overview
Take data visualization and reporting to next-level with Power BI, a business intelligence tool that converts the data from diverse data sources into interactive dashboards. This module certification training covers most of this tool, enabling you to solve business problems, make better decisions, and enhance the business operations. It will also help you get hands-on training on Microsoft Power BI, master the dashboard building, derive better insights from the captured data, and a lot more.
Requirements

• Laptop
• Stable and good internet connectivity

Course ContentPower BI AdvancedData Modeling
Learn how you can build custom calculations on tables to derive data, relationships between the tables having data to

• Create calculated tables
• Create calculated columns
• Derive and manage time-based data

Data Sources
Learn how to get data from various supported data sources to your Power BI desktop

• Flat Files
• SQL Database
• Azure Cloud
• OData Feed
• Blank Query

Reporting and visualization
Learn how to create reports by integrating the excel data with Power BI
Data Analysis Expressions (DAX)
Get thorough understanding of the primary components:

• Introduction
• DAX Functions
• ○ Text
• ○ Date
• ○ Logical
• ○ Counting

Best PracticesCase Studies and Assignments

2. Data Analysis with Structured Query Language

Module Overview
In this course module, you will learn how to use SQL for data extraction and analyzing data stored in the tables or databases. You will get hands-on training on how to create tables, join tables with various operations, imply functions, and perform aggregations with the basic version. Then with the advanced module, you will get trained to perform more complex analysis, visualizations, and calculations using subqueries, stored procedures, views, temp tables, and window functions. By the end of this module, you will be efficiently able to write SQL queries to perform data analysis and data visualization tasks.
Requirements

• Laptop
• Stable and good internet connectivity

Course Content
SQL Basics
Setup and Installation
● Introduction to SQL
● Download and Installation — SQL Server
● Install SQL Server Management Studio (SSMS)
● Connect SSMS to Installed version of SQL Server
● Install Sample Database
SQL Commands
Learn to write SQL queries using the SQL commands
● SELECT — extracts data from the database.
● UPDATE — updates data in the database.
● DELETE — deletes data from the database.
● INSERT INTO — inserts new data into the database.
● CREATE DATABASE — creates the new database.
● ALTER DATABASE — modifies the existing database.
● CREATE TABLE — creates new table
● ALTER TABLE — modifies a table
● DROP TABLE — deletes the existing table
● CREATE INDEX — creates an index
● DROP INDEX — deletes an index
Create SQL Statement using commands and query the data from the database
SQL Joins
Learn how to combine data from two or multiple tables using the SQL Joins
● INNER JOIN
● LEFT JOINs
● RIGHT JOINs
● FULL OUTER JOINs/ FULL JOINs
● SELF JOINs
SQL Aggregations
Learn how to use common SQL aggregations in commands
● COUNT
● SUM
● AVERAGE
● MIN
● MAX
Also, learn how to work with NULL values and DATA functions
SQL Advanced
Subqueries and Temp Tables
Learn to write subqueries and nested queries to execute multiple queries together and use temp tables
SQL Operators
Learn how to perform various operations on queries and data using the various types of SQL operators
Arithmetic Operators
● Add
● Subtract
● Multiply
● Divide
● Modulo
Bitwise Operators
● AND
● OR
● Exclusive OR
Comparison Operators
● Equal to
● Greater than
● Less than
● Greater than or equal to
● Less than or equal to
● Not equal to
Logical Operators
● ALL
● AND
● ANY
● BETWEEN
● EXISTS
● IN
● LIKE
● NOT
● OR
● SOME
SQL Stored Procedures
Learn reusability with the SQL queries
SQL Keys and Constraints
Learn how to specify rules for data in a SQL table
● UNIQUE
● NOT NULL
● PRIMARY KEY
● FOREIGN KEY
● CHECK
● DEFAULT
SQL Data Cleaning, Transforming, and Backup
Learn how to perform data maintenance, cleaning using SQL and take a backup of the data or database
Best practices

3. Data Analysis with Tableau

Module Overview
This interactive module helps you master the best BI, data visualization, and reporting tool — Tableau Desktop. Learn how to effectively use the tool to efficiently create interactive dashboards, illustrate data trends, and add dimensions to the data in formats of charts and graphs. Get trained and certified and accelerate your career in data analytics through our Data Analysis with Tableau online course module.
Requirements

• Laptop
• Stable and good internet connectivity

Prerequisites

• Basic understanding of terminologies used in computer programming
• Basic knowledge about various charts and graphs
• SQL knowledge

Course Content
Tableau Basics
Introduction and Setup
● Introduction to Tableau
● Download and Installation
● Environment setup — Desktop and Public
File Types
Learn about various extensions used in the Tableau files
● Workbook
● Packaged Workbook
● Data Source
● Packaged Data source
● Bookmark
● Data Extract
● Preferences
Data Types
Learn about how Tableau classifies the data into various data types
● STRING
● BOOLEAN
● NUMBER
● DATE
● DATETIME
Operators
Learn how to perform specific mathematical or logical manipulations. Tableau has a number of operators used to create calculated fields and formulas.
● General Operators
○ Addition
○ Subtraction
● Arithmetic Operators
○ Multiplication
○ Division
○ Modulo
○ Power
● Relational Operators
○ Equal to
○ Not Equal to
○ Greater than
○ Lesser than
● Logical Operators
○ AND
○ OR
○ NOT
Tableau Advanced
Data Sources
Learn how to connect the data sources using tableau’s native connectors.
● File Systems (Excel, CSV, etc.)
● Relational Systems such as SQL server, Oracle, etc.
● Cloud data sources such as Google BigQuery, Google Cloud, AWS cloud etc.
● Other Sources using ODBC
Worksheets
Learn about the worksheets where you can create views for data analysis, how you can perform various operations such as:
● Add
● Rename
● Save
● Delete
● Paged
Functions
Learn about the number of inbuilt Tableau functions which help in creating expressions for complex calculations.
● Number Functions
○ CEILING
○ POWER
○ ROUND
● String Functions
○ LEN
○ LTRIM
○ REPLACE
○ UPPER
● Date Functions
○ DATEADD
○ DATENAME
○ DAY
○ NOW
● Logical Functions
○ IFNULL
○ ISDATE
○ MIN
● Aggregate Functions
○ AVG
○ COUNT
○ MEDIAN
○ STDEV
Sorting and Filtering
Learn about the basic data sorting using two sorting methods:
● Computed sorting
● Manual sorting
Learn about the filters:
● Quick filters
● Basic filters
● Context filters
● Condition filters
● Top filters
and the operations
Best practices
Case Studies and Assignments

Benefits of Enrolling in the online Data Analysis with Power BI, SQL, and Tableau course

When it comes to online courses which involve technology and data, TechData Solutions offers the best data certification courses to students, graduates, and experienced professionals who have a knack of learning new skills and take their career to new heights. Our instructor-led training modules are curated by a team of industrial experts with several years of corporate experience and practical exposure. Become a data analytics professional by enrolling in this course and explore a plethora of benefits:

• Affordable pricing for training and certification
• Online training on data analysis
• Online training on data visualization with top tools and techniques
• High quality eLearning modules
• Conceptual-based learning experience
• Self-paced learning
• Weekly assignments and assessments
• One-to-one instructor training with guidance
• Q&A sessions with 24*7 guidance
• Resume building
• Interview preparation

Job and Salary Perspectives

A novice, experienced candidate in the IT industry, or someone who is looking for a career switch; with our online data analysis certification course, you can land your dream job in several industries, that include science, healthcare, business, government, criminal justice, and finance. Big tech companies across the globe have been eyeing certified candidates with niche knowledge in the areas of data analysis, data engineering, data visualization, and the like.
With our online training and certification, you can be the best fit for job profiles with titles listed below:

• Data Analyst
• Power BI Data Analyst
• Business Intelligence Analyst
• Operations Research Analyst
• Data Scientist
• Data Engineer
• Medical and Healthcare Analyst
• Market Research Analyst
• Business Analyst
• Project Manager

and more.
An average salary of a data analyst in India ranges between Rs 1.9 Lakhs to Rs 11.6 Lakhs which is expected to grow in future considering the bloom of data and new dimensions of technologies.

Curriculum

Introduction : 1

This is not a rant, this is an appreciation of teachers and the teaching profession.
Back in May I decided to commit myself to teaching middle school music; I have a Masters and I had done some after school coaching and really enjoyed it. It felt right as a second career. I've been going all out for four months readying myself for the school year: Praxis prep/test, standards/curriculum, emergency certification, summer teacher academy courses, seemingly endless professional development sessions, unit/lesson planning and research, making worksheets/exercises/quizzes/surveys, classroom & materials prep, and more forms, regulations, and policies than I can remember ever encountering.
It has been mountains and mountains of work. But I always kept the faith, believing that I had my passion to share and that, despite all the warnings about middle schoolers, crowded urban schools with chronic absenteeism and underfunded districts, and the difficulties of teaching in general, I would find my groove. I expected a difficult first year. I was ready for it!
I made it through one day, that's it.
After 4 consecutive classes—7:40am to 12:30pm—before lunch on my first day, I felt like I had run a marathon (I actually weighed myself when I got home that day: I had lost 3lbs). I remember thinking, about halfway through the second period: "This is not for me. I am not wired for this job." It was a shock to the system. I never expected such an unrelenting pace; I don't think I had more than 1 minute to breathe between one class and the next. Unreal.
I'm not bitter or angry, nor do I regret any of the time spent preparing. Are there specifics about my experience that explain my 180? Sure. But it has been such a learning experience—a reality check. And I was lucky to have a teacher leader who was incredibly supportive.
And that's who this post is for: the teachers out there like her who have been doing this work day after day, year after year...I don't know how you do it. I literally don't understand how you find it in your constitution to handle the sheer intensity of 5 hours of successive classes of students (and the sheer scale of knowledge that you're expected to retain as a public school employee). I cannot overstate how much respect and admiration I have for the teachers who not only show up to work every day, but actually do it well.
I'm not cut out for teaching, and I'm fine with that. But I'm so, so thankful today that others can do this work. They are amazing people.
<3

This post captures Totem Technologies notes as we complete our first read-through of NIST's draft revision 3 of the 800-171 standard. Eventually we'll flesh this KB post out into a blog.

Pros:

• Some redundancy in -171 rev 2 has been removed
• Configuration Management capability requirements have been expanded and focused. We believe cybersecurity revolves around effective CM; this is good news.
• Supply Chain Risk Management (SCRM) requirements have been introduced. This is a necessary addition to ensure we adequately protect ourselves from all 3rd-party risk, however...(see Cons)

Cons:

• Supply Chain Risk Management (SCRM) requirements have been introduced. This is going to be seriously burdensome for small to medium sized organizations to effectively implement.
• Other (maybe even more) redundancy has been introduced (see the new Supply Chain Risk Management family controls, for instance)

General notes:

• This is a DRAFT for initial public comment. All changes noted herein are simply proposed, and NIST is accepting comments on the proposal. It will be months (maybe even 2024) before a final version 3 of -171 is published.
• There are 109 controls (one fewer control) in 17 families (3 new families)
• From a footnote in section 1.1: Nonfederal systems include information technology (IT) systems, operational technology (OT) systems, and Internet of Things (IoT) devices. So 800-171 now expands to include protections for OT systems (SCADA, industrial control systems, etc.) too. OT was not mentioned once in rev 2.
• NIST removed the definition for isolated security domain, e.g. enclave from Section 1.1. This is a shame, as it was quite a lucid explanation, so lucid it made its way into the CMMC Scoping Guide.
• The introduction of organizationally-defined parameters (ODP) into -171 rev 3 only makes the standard less approachable by the average SMB. ODP makes for convoluted language. The DoD may choose to define the ODP for us, perhaps in a document similar to the CNSSI 1253 (which sets parameters for DoD-owned IT systems) but that just adds a layer of complexity to the compliance.
• Aside from new control 3.13.17 for proxy services, DNS filtering (a CMMC 1.0 delta 20 control we thought for sure would make it in) is not explicitly called out. Neither is Email sandboxing/detonation. We are disappointed with this.
• NIST assumes non-federal organizations already have some cybersecurity protections in place. (These historically have been atrocious assumptions, but nonetheless they exist). These assumptions are categorized as "NFO" in the -171 tailoring criteria. The only assumptions NIST leaves in the -171 rev 3 tailoring criteria are: Configuration Management Plan (CM family), Visitor Access Records (PE family), Secure Delivery and Removal areas (PE family), Security and Privacy Architectures (PL family), Access Agreements (PS family), 11 controls in the SA family, Boundary Protection – External Telecommunications Services (SC family), Process Isolation (SC family). So, in rev 3, the NFO assumptions are down from 61 to 18.
• Somehow, in rev 3, NIST changed from assuming non-federal organizations had alarms and surveillance equipment in place at their physical buildings to stating that these protections don't contribute to the confidentiality of CUI. (PE-6(1) Monitoring Physical Access – Intrusion Alarms and Surveillance Equipment is now NCO, but was NFO in -171r2.) This would cause Totem to reconsider our strong recommendation that our clients who don't already have alarms and surveillance systems to install them. This can be an expensive endeavor for many companies, but we feel strongly organizations should do this, and felt bolstered in that assertion by NIST's assumption that organizations had these detective controls in place. We have requested clarification from NIST on this.

How FAR 52.204-21 (CMMC Level 1) is incorporated into rev 3

Changes to how FAR 52.204-21 controls (Basic protections for FCI) are incorporated into NIST 800-171:

• NIST 800-171r2 dispersed the FAR 52.204-21 across 17 controls: 3.1.1, 3.1.2, 3.1.20, 3.1.22, 3.5.1, 3.5.2, 3.8.3, 3.10.1, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.5, 3.14.1, 3.14.2, 3.14.4, 3.14.5
• NIST 800-171r3 disperses these across 13 controls: 3.1.1, 3.1.2 (reworded, but the outcome is the same), 3.1.20, 3.1.22, 3.5.1, 3.5.2 (although the IA controls have been reworded, the outcome is the same), 3.8.3, 3.10.1 (now split and 3.10.8 has the equipment part of this), 3.10.8, 3.10.7 (encapsulates 3.10.3-5), 3.13.1 (encapsulates 3.13.5), 3.14.1, 3.14.2 (encapsulates 3.14.4-5)

Notes about specific families/controls

What follows are some notes about specific controls, grouped by family. Control changes with HUGE ramifications for small businesses are noted.
Access Control -- rev 2: 22 controls; rev 3: 18 controls (-4)

• 3.1.1: emphasis seems to be on user accounts, de-emphasizing PAOBOAUand device access control (see 3.5.2 where all the device access control reqs were moved to)
• 3.1.5: again, a de-emphasis on device access control here, only referencing users and PAOBOAU
• 3.1.12: we like what they've done in combining previous 3.1.12, 3.1.13, 3.1.14, and 3.1.15 into a single control
• 3.1.16: same here, combining wireless access control 3.1.17 into it
• 3.1.18: we like the allowance for container-based encryption on mobile devices
• 3.1.23: requires users to not only lockout, but log out when they are finished with a session or expecting to be out for a while

Awareness and Training -- remains at 3 controls (no change)

• 3.2.1: the phrase security "literacy" training is pedantic
• 3.2.3: we like that we're required not just to train on insider threat but also social engineering
• 3.3.3: we're happy that the old "Audit Record Review" was merged into 3.3.1, as 3.3.3 was consistently misinterpreted to mean "review logs for anomalous activity" instead of it's actual meaning which was to review which events the org was generating logs for

Audit and Accountability -- remains at 9 controls (no change)

• rev 3 still has no explicit requirement for a SIEM/SOC capability
• 3.3.7: we are not sure why NIST got rid of the requirement for an authoritative time source for time stamps

Configuration Management -- rev 2: 9 controls; rev 3: 11 controls (+2)

• 3.4.1: now requires hardening to the "most restrictive mode consistent with operational requirements", but doesn't explain what they heck that means. We wish NIST would just speak plain english: choose a hardening guide/STIG/benchmark, and then apply as much of it as you can without affecting functionality.
• 3.4.8: HUGE: no more software blacklisting allowed as an option; only whitelisting
• 3.4.1 / 3.4.10: -171 now distinguishes better between baselines and inventories
• 3.4.11: new control requires orgs to pinpoint the location of CUI in their systems; aligns perfectly with our CUI inventory worksheet and process. We love this control.
• 3.4.12: new control with significant ramifications for orgs that allow users to take work laptops on travel with them

Identification and Authentication -- rev 2: 11 controls; rev 3: 8 controls (-3)

• 3.5.1: combines usernames and passwords (old 3.5.2 control) into one control now for users and passwords
• 3.5.2: HUGE: 171 removes language about device "verification" and now requires "authentication", e.g. 802.1x, RADIUS, Kerberos. We have a question into NIST to clarify if MAC filtering, which is a form of verification, would not suffice for this control.
• 3.5.3: MFA required for all system accounts, period. This means local accounts require MFA as well. Well done NIST!
• 3.5.5: user accounts now have to have a "characteristic", e.g. "contractor", "foreign", "MSP", etc.
• 3.5.7: all password-policy-related controls now combined into this one, done away with password history requirements, but now requires passwords to be checked against known bad lists at the time of creation
• 3.5.12: new control for the protection of authenticators (including passwords), which includes allowances for changing passwords after events, not necessarily time periods

Incident Response -- rev 2: 3 controls; rev 3: 4 controls (+1)

• 3.6.2: "Provide incident response support resource that offers advice and assistance to users...for the handling and reporting of incidents." Check out our Computer Incident Response Aid template!!!
• 3.6.4: new control requiring training on incident response. Very cool, but will require additional training resources.

Maintenance -- rev 2: 6 controls; rev 3: 3 controls (-3)

• 3.7.4: tools, techniques, mechanisms, personnel and quarantine machine protection requirements now rolled into this one control
• 3.7.6: clarifies that maintenance personnel can be non-escorted, but must have appropriate authorizations

Media Protection -- rev 2: 9 controls; rev 3: 7 controls (-2)

• 3.8.4: media can be exempt from CUI marking if they remain in certain designated areas

Personnel Security -- rev 2: 2 controls; rev 3: 3 controls (+1)

• 3.9.1: no clarification on what constitutes acceptable employee "screening". We get this question all the time--do an organization need to do background checks to meet this control? Of what kind? We've asked NIST for clarification
• 3.9.3: new requirement for establishing external personnel security with (managed) service providers. The reqs should be established in an SLA or other contract document. This is redundant to controls in the new System and Services Acquisition family.

Physical Protection -- rev 2: 6 controls; rev 3: 5 controls (-1)

• 3.10.2: got rid of ambiguous term "protect" and focuses on "monitoring" of physical facilities
• 3.10.7: new control, now encapsulates the 3 controls in FAR 52.204-21 (ix), previously 3.10.3-5, facilitating only the 15 controls in the FAR in the -171, instead of 17. Now required to control egress to facilities, although we are still allowed to log only access to entry _or_ egress
• 3.10.8: new control; the protect and monitor "infrastructure" aspect of 3.10.2 has been moved here, with a more focused emphasis on controlling access to network comms spaces, cables, and devices. Nothing new, but the focused emphasis may have huge ramifications for manufacturers and other orgs with IT infrastructure organically grown over a long period of time

Risk Assessment -- still 3 controls, although one is new (no change)

• 3.11.1: HUGE: now requires supply chain risk assessment. Totem has SCRM plan template in work; due to be released in the summer of 2023
• 3.11.2: all vuln scanning and remediation requirements are now consolidated here
• 3.11.4: new control requiring "Risk Response", which was just implied before

Security Assessment and Monitoring -- updated title; rev 2: 4 controls; rev3: 6 controls (+2)

• 3.12.4: this was the control that required SSP but this has been incorporated into the new Planning family
• 3.12.5: new control requiring independent assessors; this sets up the DoD with additional justification for the CMMC
• 3.12.6: HUGE: new control requiring organizations to establish SLA, MOU, ISAs prior to exchanging CUI with _any other_ organization
• 3.12.7: new control requiring us to justify, document, and authorize all categories ("classes") of internal system connections, e.g. between workstations and printers

System and Communications Protection -- rev 2: 16 controls; rev 3: 14 controls (-2)

• 3.13.1: this is a L1 control as well, and has 3.13.5 (DMZ) incorporated into it now
• 3.13.7: split-tunneling is now "allowed" as long as it is "securely provisioned", but the example of secure provisioning sure seems like split-tunneling prevention. Confusing, and we've asked NIST to clarify
• 3.13.8: modified to require crypto for securing CUI in transmission and storage (was just addressing transmission, but 3.13.16 has been incorporated now)
• 3.13.11: HUGE: In rev2 this is the single control that requires FIPS Validated crypto; now this control allows organizations to define what type of crypto is used. However, the DoD could (will?) continue to double down on the requirement for FIPS validated crypto, so we'll see...
• 3.13.14: specific requirements for VoIP protection and monitoring have been removed
• 3.13.17: HUGE new requirement: now requires the use of proxy services for web content filtering. We have a comment in to request clarification if DNS filtering services, such as that offered by the NSA will suffice here. If not, this will be an additional expense, as orgs will either have to 1) implement proxy servers in house and route _all_ (even remote) traffic through those, or 2) subscribe to a paid, reputable Internet-based proxy
• 3.13.18: new control requiring limiting the number of external connections (e.g. documenting and approving _all_ system interconnections). We've been advising clients for years to do this to meet control 3.12.4, but 3.12.4 is gone and incorporated into the new 3.15 family, so we're glad this control is now more explicit. See our CUI and System Inventory template for a sample interconnections table.

System and Information Integrity -- rev2: 7 controls; rev3: 5 controls (-2)

• 3.14.1: L1 control, now NIST provides clarification on what constitute "flaws", distinguishing flaws (bugs) from vulnerabilities, and requiring testing of bug fixes before production roll out
• 3.14.2: all L1 controls related to antivirus (3.14.2, 3.14.4, and 3.14.5) are rolled up into this one control now
• 3.14.6: incorporates 3.14.7 and gets explicit that NIST is looking for network traffic analysis (e.g. IDS) here
• 3.14.8: new control requiring spam protection. Most of us will have this from major cloud service providers (CSP) or half-way decent endpoint protection providers

Planning -- new family with 3 controls (+3)

• 3.15.1: requires policies and procedures for all the other controls. I don't know how you have an SSP without these, but apparently this needs to be explicitly stated
• 3.15.2: this is the control that requires an SSP, and incorporates aspects of the old 3.12.4
• 3.15.3: new control requiring published "rules of behavior" (RoB); we've been coaching clients from the beginning that the first policy they need to put in place is an Acceptable Use Policy (AUP). We have a templatefor this!

System and Services Acquisition -- new family with 3 controls (+3)

• 3.16.1: this is simply the old 3.13.2 control requiring an org to use security engineering principles. See our SEPG template
• 3.16.2: this is a new control for the management of unsupported system components. One of the old "delta 20" from CMMC 1.0, but in this case the control de-emphasizes the mitigation that can be achieved by isolating unsupported components. NIST emphatically wants us to replace or internally develop support protocols for unsupported components, instead of just isolating them.
• 3.16.3: HUGE: this requires us to ensure we have service level agreements in place with all our Managed Service Providers (MSP) that dictate the MSP will abide by our security requirements for the protection of CUI. This one is going to be herding cats, as there are 10s of 1000s of MSPs out there

Supply Chain Risk Management -- new family with 4 controls (+4)

• 3.17.1: HUGE: we are explicitly required to maintain a Supply Chain Risk Management (SCRM) plan. This has been a stated emphasis of the entire Federal gov't, especially the DoD, so this is no surprise, but this is going to be a large undertaking for the average small business. Totem will publish our SCRM Plan template in summer 2023.
• 3.17.2: new control that requires us to identify and implement Acquisition Strategies, Tools, and Methods for SCRM. Redundant control, as this would already be done in an SCRM Plan
• 3.17.3: new control that requires us to identify and implement Supply Chain Controls and Processes for SCRM. Redundant control, as this would already be done in an SCRM Plan
• 3.17.4: new control requiring secure disposal of components containing CUI. This is a completely redundant control to 3.8.3 Media Sanitization. Not sure why NIST reiterated this