
Sum IT Up: CMMC News Roundup

Summit 7 (summit7.us)

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This weekly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.


Episodes

Estimating the Cost of NIST SP 800-171

The government recently released a new federal acquisition regulation that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171 even though it is derived directly from SP 800-53. In this episode we use our knowledge of SP 800-53 to do the impossible and estimate SP 800-171 using the gov...

Oct 12, 2023 | 41 min

NIST Revision Deep Dive: Live at CS2 Denver

In this episode we dive into best practices for submitting comments on the next drafts of NIST SP 800-171r3 and SP 800-171A. We also go deep on the contours of NIST SP 800-172. Happy 1 year anniversary to the show!

Oct 05, 2023 | 55 min

The 2020 CMMC Rule 3 Years Later

Register for CS2 | Denver: https://cs2.cloud/ The biggest debate around CMMC: whether the rule should be “interim final” or “proposed”. On average it takes around a year longer for proposed rules to go into effect. This begs the question: if the 2020 CMMC rule was interim final, why wouldn't the 2023 CMMC rule be interim final as well? Has the national security justification for interim final status in previous rules changed for the better? CS2 | Denver discount code: SUMITUPCS2DEN Episode Links...

Sep 28, 2023 | 33 min

CMMC and the National Defense Strategy of the U.S.

It can be easy to lose perspective on the critical role that the CMMC program plays in the larger national defense strategy of the United States – especially if you don't work in the Pentagon. On top of that, the DoD is in full radio silence until the end of the public comment period on the upcoming CMMC rule. However, if you dig deep enough into DoD's strategy documents you'll quickly find that the CMMC program is a critical element of the national defense strategy of the United States. Episode...

Sep 21, 2023 | 23 min

DFARS and CMMC Updated?

Register for CS2 | Denver: https://cs2.cloud/ If you google DFARS 7021 you'll see that the CMMC contract clause has an “effective date” that isn't very old. Recently this has caused folks to think that something has changed with CMMC before the rulemaking process has finished. In this episode we dive into what's going on with “effective date” disparities, the rulemaking process, and how to sniff out bad information. Episode Links: Deep dive with Lauren Ayers: https://youtu.be/lPQbO9872IQ?si=h8...

Sep 14, 2023 | 41 min

New Vulnerability Management Requirements for Contractors?

Register for CS2 | Denver: https://cs2.cloud/ The 2023 Federal Cybersecurity Vulnerability Reduction Act directs the government to change cybersecurity requirements for contractors. How will changes to federal acquisition regulations affect defense contractors? How many more vulnerability controls does NIST have on-deck that could be included? This week Jason and Jacob dive into what's coming around the bend. Episode Links: Legislation: https://www.congress.gov/bill/118th-congress/house-bill/525...

Sep 07, 2023 | 20 min

New Details on Joint Surveillance Assessments

The Cyber AB Town Hall for August 2023 was full of encouraging numbers. The number of people certified in various CMMC ecosystem roles continues to increase. Successful Joint Surveillance Assessments are also up, and a recent Reddit post contained fascinating details about the cost and complexity of a real-world CMMC assessment. Episode Links: https://old.reddit.com/r/CMMC/comments/15zawp6/mission_accomplished/ https://old.reddit.com/r/NISTControls/comments/15zaxnl/mission_accomplished/ OIRA ...

Aug 31, 2023 | 45 min

NIST Releases Summary of 171r3 Public Comments

Register for CS2 | Denver and catch the Sum IT Up 1 Year Anniversary show LIVE: https://cs2.cloud/ Just a few weeks after the end of the public comment period on NIST SP 800-171r3, NIST has released their official summary. Timelines are on track and industry focused overwhelmingly on just a few things. Overall, NIST is planning some changes that will likely result in a larger 171r3. This week Jacob and Jason dive into what NIST is saying between the lines. *** ERRATA: NIST plans to release th...

Aug 24, 2023 | 58 min

NIST SP 800-171r3 Public Comments

What to make of the 1,700+ comments submitted on the initial public draft of NIST Special Publication 800-171 revision 3? Jacob and Jason give their high-level takeaways and expectations for the future of the standard. Register for CS2 | Denver and see the Sum IT Up 1 year anniversary show LIVE: https://cs2.cloud/ Podcast listeners 15% discount code for CS2 | Denver: SUMITUPCS2DEN Episode Links: Jacob's LinkedIn Poll on ODPs: https://www.linkedin.com/posts/jacob-evan-horne_last-week-nist-posted-...

Aug 17, 2023 | 52 min

CMMC 2.1 LEAKED

Not even a week after DoD submitted the CMMC rule for regulatory review, the Office of Information and Regulatory Affairs accidentally posted the updated (draft) documents for all 3 levels of CMMC. In this episode we dive deep into new information about CMMC Level 3 and share our key takeaways from a sneak peek of what's to come. Episode Links: SP 800-171r2 : Protecting Controlled Unclassified Information in Nonfederal Systems (nist.gov) SP 800-172: Enhanced Security Requirements for Protecting...

Aug 10, 2023 | 44 min

Major CMMC Rulemaking Updates

In November 2021 the #DoD announced CMMC 2.0. Then they announced that it would take 9 to 24 months to go through rulemaking for #CMMC to become a reality. On July 24th, 2023, roughly 20 months later, DoD officially submitted the CMMC rule to the Office of Management and Budget. In this episode Jason and Jacob dive into what it all means for defense contractors moving forward. Episode Links: Cyber AB Town Hall (July ‘23): https://cyberab.org/News-Events/Town-Halls/Details/july-2023-town-hall 7 Things ...

Aug 03, 2023 | 19 min

CMMC, NIST, CUI, & DFARS News and Analysis for June 2023

Episode Links: Cyber AB June TH: https://cyberab.org/News-Events/Town-Halls CMMC Ecosystem Summit Call For Speakers: https://na.eventscloud.com/cmmcpapers Recording of the June 6th, 2023 NIST Webinar on 800-171 r3: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3#:~:text=On%20June%206%2C%202023%2C%20NIST,in%20Nonfederal%20Systems%20and%20Organizations. DOD IG Report on Implementation and Oversight of the Controlled Unclassified Information Program: https://www.dodig.mil/report...

Jun 30, 2023 | 2 hr 19 min | Ep. 10

CMMC, NIST, CUI, & DFARS News and Analysis for May 2023

In this episode Jacob and Jason discuss their takeaways from the May Cyber AB Town Hall, including Jacob's guest appearance. The initial public draft of NIST SP 800-171r3 was released; and in this episode the fellas give their initial feedback and analysis on it. Additionally, we discuss the proposed rule to expand eligibility into the DIB CS program, the recently published ND-ISAC Cybersecurity Handbook for SMBs, and the MS Volt Typhoon campaign. Episode Links: NIST SP 800-171r3 Draft: https://...

Jun 02, 2023 | 1 hr 56 min

NIST Security Controls: Deep Dive with Dr. Ron Ross

At first glance the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the ...

May 31, 2023 | 3 hr 32 min

CMMC, NIST, CUI, & DFARS News and Analysis for April 2023

In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall and dive into several great questions asked during the extended Q&A. Amira Armond stops by to deep dive into the Top 10 “Other Than Satisfied” requirements found during DIBCAC audits. Lauren Ayers also stops by to teach us how to read DFARS clauses like a contracting officer. Amira's LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/ Kieri Solutions: https://www.kieri.com/ Amira's Blog: https://www...

May 04, 2023 | 3 hr 4 min | Ep. 8

CMMC, NIST, CUI, & DFARS News and Analysis for March 2023

In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall, CS2 Huntsville, and other interesting topics from March 2023 including recent #DoD testimony before Congress, #DIBCAC perspectives on Multifactor Authentication and #FIPS validated encryption, and other exciting topics. This month we were joined by our first ever podcast guest: DefCERT founder and CEO Ryan Bonner helps tackle a few complicated #CUI questions submitted during the Town Hall. Episode Links: DefCERT...

Apr 02, 2023 | 3 hr 15 min | Ep. 7

CMMC, NIST, CUI, & DFARS News and Analysis for February 2023

In this episode Jacob and Jason discuss their takeaways from the February Cyber AB Town Hall. This month saw some amazing questions on #CUI, working with #DoD CIO, continuous monitoring, the cost of assessments, and #CMMC rulemaking. They also give their thoughts on the Project Spectrum feature segment of the Town Hall. Jacob and Jason also provide an overview and their takeaways from the newly released 2023 National Cybersecurity Strategy and what it means for defense contractors and CMMC. ***C...

Mar 03, 2023 | 2 hr 26 min

CMMC, NIST, CUI, & DFARS News and Analysis for January 2023

In this episode Jacob and Jason discuss their takeaways from the January Cyber AB Town Hall including several great questions submitted from the #CMMC ecosystem. They also cover some great questions submitted by podcast listeners. Jacob breaks down the upcoming agenda for #CS2 Huntsville (there may or may not be a discount code for podcast listeners). Another #CISA alert related to managed service providers popped up in January. Additionally, a handful of #DoD reports on the level of internal re...

Feb 09, 2023 | 2 hr 31 min | Ep. 5

CMMC, NIST, CUI, & DFARS News and Analysis for December 2022

In this episode we reflect on a few items from December 2022 and the story of #CMMC (rulemaking) in 2022 overall. We cover listener questions and Jason's experience taking (and passing) his #CCP exam. After a deep dive into the current status of CMMC rulemaking we discuss #DoD estimates about the size of the defense industrial base. We also cover a report on the status of NIST SP 800-171 implementation for DoD contractors. We wrap up with our predictions for 2023. Episode Links: Cooey Center of ...

Jan 13, 2023 | 1 hr 37 min | Ep. 4

CMMC, NIST, CUI, & DFARS News and Analysis for November 2022

In this episode Jacob and Jason dive into the November 2022 Cyber AB Town Hall and provide takeaways from the Cyber AB's inaugural #CMMC Ecosystem Summit. Jacob and Jason also explore the findings of a GAO report on cyber incident reporting and handling by the #DoD and Defense Industrial Base contractors while connecting the dots to #DIBCAC findings featured in Episode 2. November 2022 is the 12th anniversary of Executive Order 13556, which established the federal #CUI program. Of course, Jacob and Jaso...

Dec 12, 2022 | 2 hr 13 min | Season 1, Ep. 3

CMMC, NIST, CUI, & DFARS News and Analysis for October 2022

In this episode Jacob and Jason dive into the October 2022 Cyber AB Town Hall by exploring the questions (both answered and unanswered) submitted during the town hall Q&A segment. Jason provides his thoughts on the quality of the updated Registered Practitioner training. Time is spent on Rumor Control: Large prime contractors are seemingly requiring everyone to get #CMMC Level 2 certified and there's not much that #DoD can do to stop them. Jacob discusses the specter of #NIST SP #800-171 App...

Nov 03, 2022 | 2 hr 38 min | Season 1, Ep. 2

CMMC, NIST, CUI, & DFARS News and Analysis for September 2022

In this episode Jacob and Jason dive into the September 2022 Cyber AB Town Hall including their takeaways on the new Cybersecurity Assessor and Instructor Certification Organization ("CAICO"); the Certified CMMC Professional (CCP) beta exam; and recent assessment data provided by Nick Delrosso of the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cyber Assessment Center (DIBCAC). Jason discusses the relevance of a new alert from the Cybersecurity & Infrastructure Securit...

Oct 11, 2022 | 2 hr 2 min | Season 1, Ep. 1