NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required for defense contractors for some time, it pays to see exactly what the future holds. On the surface revision 3 has fewer requirements than revision 2. However, under the hood of 171Ar3 there is actually a 32% increase in the number of verification questions that need to be answered. Overall, 171r3 is progress in the right direction even if it comes with a few warts. Episode Li...
May 16, 2024•50 min
The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the DoD. The 2023 CMMC proposed rule specified that it will assess SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now. Nevertheless, SP 800-171 revision 3 will be the requirement, but contractors have some room to breathe. Lauren Ayers: https://www.linkedin.com/in/laurencayers/ Lauren Episode...
May 09, 2024•36 min
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc According to a very scientific LinkedIn poll, 61% of respondents think that DFARS clause 252.204-7012 incident reporting requirements should expand to match CIRCIA reporting requirements. While this move would make things more efficient for defense contractors, we're pretty sure folks are underestimating exactly how detailed a proposed CIRCIA incident report will be. Episode...
May 02, 2024•40 min
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc Q2 2024 is upon us so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the Summer doldrums push things into the Fall then we could be in for a relentless holiday season. Episode links: CS2 Replay: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc Q1 Rulemaking Calendar: ht...
Apr 25, 2024•53 min
Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies. Episode Links: CIRCIA Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-in...
Apr 18, 2024•45 min
At long last the DIB Cybersecurity Strategy has officially been released and it's ... not great. One thing is clear: CMMC is a key part of the DoD's strategy and there are many DoD resources specifically designed to help contractors deal with it. Instead, the DoD is focused on coordination, communication, and threat intelligence sharing. Episode Links: DIB Cyber Strategy: https://www.defense.gov/News/Releases/Release/Article/3723439/dod-releases-defense-industrial-base-cybersecurity-strategy/ GC...
Apr 11, 2024•43 min
Register for CS2 | Boston here: https://cs2.cloud/boston Even before the CMMC proposed rule looped managed service providers into CMMC certification, defense contractors needed to be aware of how long it takes their MSP to get ready to support their assessment. This week we preview a talk from CS2 Boston focusing on the rocky road for MSPs featuring Ryan Bonner and Daniel Akridge. Podcast listeners use code SUMITUPBOSTON for a discount on registration Episode Links: Summit 7 Webinar: https://www...
Mar 28, 2024•23 min
Register for CS2 | Boston here: https://cs2.cloud/boston After nearly two years of silence and almost a decade of waiting the FAR CUI rule is one step closer to reality. In this episode we dive into what the FAR CUI rule is and what it means for federal contractors outside of the defense industrial base. Podcast listeners use code SUMITUPBOSTON for a discount on CS2 registration!
Mar 21, 2024•48 min
Register for CS2 | Boston here: https://cs2.cloud/boston On March 11th, the DoD issued a final rule expanding eligibility for the DIB Cybersecurity Program to non-cleared defense contractors and their managed service providers. This week we dive into the features of the rule, how it lines up with CMMC, and why the DoD finally expanded the program after 12 years. Podcast listeners use the code SUMITUPBOSTON for a discount on registration! The DIB CS Final Rule: https://www.federalregister.gov/docum...
Mar 14, 2024•35 min
Register for CS2 | Boston here: https://cs2.cloud/boston NIST has released their summary of public comments received on the final drafts of SP 800-171 revision 3 and SP 800-171A revision 3. Jason and Jacob dive into when to expect the final revisions and what to expect in the revised requirements. Podcast listeners get a discount on CS2 registration, just use the code: SUMITUPBOSTON Episode Links: NIST CUI Project Page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-informatio...
Mar 07, 2024•38 min
Register for CS2 | Boston here: https://cs2.cloud/boston The public comment period on the CMMC proposed rule has closed so what happens next? In this episode we wade through the red tape in store over the next 12 months. Podcast listeners use code SUMITUPBOSTON for a discount on registration Episode Links: CS2 Boston: https://cs2.cloud/boston “Midnight Rulemaking”: https://www.gao.gov/products/gao-23-105510 DoD's Rule Overview: https://youtu.be/DqRf0DiVBVI?si=2kTZcX45zD5ZPsnp We Are the World: h...
Feb 29, 2024•31 min
Register for CS2 | Boston here: https://cs2.cloud/boston It's almost Springtime and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC. Podcast listeners get 20% off registration with the code SUMITUPBOSTON Episode Links: CS2 Boston: https://cs2.cloud/boston DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm...
Feb 22, 2024•35 min
Register for CS2 | Boston here: https://cs2.cloud/boston If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024. Listener discount code: SUMITUPBOSTON Episode Links: [Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule CS2 Boston: https://cs2.cloud/boston Midnigh...
Feb 15, 2024•50 min
Register for CS2 | Boston: https://cs2.cloud/boston This week we're joined by Alex Canizares to catch up on enforcement trends under the False Claims Act. As a former DOJ trial attorney, Alex walks us through the finer details of FCA cases and what it means for CMMC, defense contractors, and the road ahead. Episode Links: Alex Canizares: https://www.linkedin.com/in/alexandercanizares/ Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/dod-issues-proposed-cmmc-rule-requiring-cybersec...
Feb 08, 2024•51 min
The Supreme Court is set to upend decades of administrative law doctrine and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC. Episode Links: Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/ Lawfare Article: https://ww...
Feb 01, 2024•1 hr 1 min
With five rulemaking efforts, multiple NIST revisions, and everything else going on in the DoD cyber regulation space it's hard to keep up with what's happening. In this episode we try and predict what's coming around the corner in 2024. Episode Links: Register for CS2 Boston: https://cs2.cloud/boston DoD IG Report Episode: https://youtu.be/_3GLX6ele_E?si=KKhtgbjsxiLXWVJd Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=naLAhZPV794TAC66 DoD IG Audit: https://www.linkedin.com/posts/jacob-evan-...
Jan 25, 2024•46 min
The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC. Episode Links: Register for CS2 Boston: https://cs2.cloud/boston NDIS: https://www.businessdefense.gov/NDIS.html DoD Cyber Strat: https://www...
Jan 18, 2024•33 min
FedRAMP moderate “equivalency” has been a thing since 2016, but DoD never really defined the term until January 2024. “The memo” has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all. Episode Links: DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012 The memo (PDF): https://dodcio.defense.gov/Portals/...
Jan 11, 2024•32 min
Register for the upcoming webinar; CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule Thinking about submitting comments on the CMMC proposed rule? Not sure where to start? In this episode we go over the “commenter's checklist” from regulations.gov to help you evaluate the quality of your public comments on federal rules, NIST publications, and more. Episode Links: Summit 7 Webinar: https://www.summit7.us/webinars/proposed-cmmc-...
Jan 04, 2024•44 min
Register for the upcoming webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule The 2023 CMMC rule was published the Friday before Christmas and most people haven't fully digested all 234 pages yet. In this episode Jason and Jacob cover the rule at 30,000 feet so you can hit the ground running in 2024. Episode Links: CMMC on the Federal Register: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cyberse...
Dec 28, 2023•41 min
Summit 7 CMMC Solutions: https://www.summit7.us/cmmc-level-solution-sets The DoD Inspector General released a special report comparing their contractor cyber assessment findings with their findings during DOJ False Claims Act investigations. No surprise, the same cybersecurity issues pop up again and again. Will this add fuel to the CMMC fire? Episode Links: The IG Report: https://www.dodig.mil/reports.html/Article/3606026/special-report-common-cybersecurity-weaknesses-related-to-the-protection-of-...
Dec 21, 2023•24 min
There are two different CMMC rules. One rule pertains to the CMMC program while the other pertains to the CMMC contract clause. The Fall 2023 Unified Agenda is out and it provides all the details about why there are two rules and what it means for defense contractors. Episode Links: Unified Agenda: https://www.reginfo.gov/public/do/eAgendaMain 32 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0790-AL49 48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaVi...
Dec 14, 2023•27 min
It's Christmas time so we put together our wishlist of what we'd like to see in the upcoming CMMC rule. For CMMC resources, solutions & more visit: https://www.summit7.us/cmmc-level-solution-sets
Dec 07, 2023•38 min
The November Cyber AB Town Hall recapped the CMMC ecosystem highlights from 2023. Assessor numbers have increased, but will there be enough assessment capacity to meet demand? Episode links: Cyber AB Town Halls: https://cyberab.org/News-Events/Town-halls/Details/november-town-hall Natty Stratty Discussion: https://youtu.be/QvaLdx_wb1U?si=pgIabPLZJpGGVDS-
Nov 30, 2023•48 min
OIRA's review of the CMMC rule is nearly complete and we expect the CMMC proposed rule to be published sometime between Thanksgiving and mid-December. On top of that, DoD has initiated rulemaking to revise DFARS clause 252.204-7012. In this episode we dive into the rulemaking feast.
Nov 23, 2023•48 min
The great and powerful Dr. Ron Ross returns to walk us through the latest drafts of NIST SP 800-171 and SP 800-171A: what they are, why they are, where they're going, and what's in store for federal contractors handling controlled unclassified information (CUI). Episode Links: NIST Controls Deep Dive w/ Ron Ross (May 2023): https://youtu.be/vAPFmga_NtI?si=kfmdKyXaHiTCpFiq 171r3 (Final Draft) - 7 Things to Know: https://www.summit7.us/blog/nist-800-171-rev3-final-draft 800-171r3 Final Draft...
Nov 16, 2023•2 hr 5 min
The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are out. There are simultaneously more and fewer requirements. ODPs have gone away, but not really. Problematic assumptions were reversed only to be repeated. Up is down; left is right; and the final revisions are expected in a few short months. Today we dive into the first 7 things you need to know. Episode Links: 800-171r3 Final Draft: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd 800-171Ar3 Initial Draft: ht...
Nov 09, 2023•57 min
The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are due to be published soon. In this episode we dive into seven questions at the front of our minds before the big day. Episode Links: SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/ipd Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information
Nov 02, 2023•56 min
Get any good candy for Halloween? The CMMC rule got a 30-day extension for the pre-publication review by the Office of Information and Regulatory Affairs (OIRA). The Cyber AB got notice that the DoD Inspector General is auditing the accreditation process for C3PAOs. In this episode we discuss why both of these things aren't as big of a deal as they might seem. Episode Links: Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls DoD IG Project Announcement: https://www.dodig.mil/reports...
Oct 26, 2023•25 min
The regulatory review of the CMMC rule is coming to an end. That means we should see a published CMMC rule in the next few weeks. In this episode Jason and Jacob dive into 7 things you need to know to hit the ground running when the public comment window opens. Episode Links: CMMC rulemaking entry: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0790-AL49
Oct 19, 2023•47 min