What is the CMMC phased roll-out? How will the CMMC phased roll-out affect defense contractors and when? Most importantly: How should companies strategize based on the CMMC phased roll-out? We get into all of that and more this week. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule
Dec 05, 2024•26 min
Who decides what CMMC status level is required in defense contracts? How do they decide? Q2 2025 is just around the corner and this week we dive into the decision factors that lead to CMMC status level requirements. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule 48 CFR proposed rule podcast: https://youtu.be/Fzi3SFEs92U...
Nov 27, 2024•21 min
A Joint Resolution of Disapproval has been submitted to disapprove the 32 CFR CMMC final rule. Is this the end of CMMC as we know it? Or, as is usually the case, has the ecosystem jumped to conclusions and let their confirmation bias get the better of them? This week we go deep into the Congressional Review Act and why there's much more to the story of Representative Palmer's resolution. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvk...
Nov 21, 2024•51 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Start working on that beach body of evidence because all signs point to CMMC showing up in defense contracts in Summer 2025. Turns out that our Summer estimate is more conservative than government estimates. However, if you're a subcontractor then it doesn't matter much because the big primes are already telling people what time it is...
Nov 14, 2024•18 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder As a result of the 32 CFR Final CMMC rule, many organizations will be looking for help comprehending and implementing the imposed requirements. On this episode of the show, Jason and Joy dig into the differences between the Registered Practitioner (RP) certificate, and the Certified CMMC Professional (CCP) certification to highlight t...
Nov 07, 2024•41 min
[Webinar] CMMC Finalized: The 32 CFR CMMC Final Rule | Register Now: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule The Cyber AB Townhall for the month of October is the first Townhall since the publishing of the 32 CFR Final CMMC rule. On this episode of the show, Jason and Joy dig into the information distributed during the Townhall surrounding the re-authorization of C3PAOs and the eligibility of CMMC Certified Assessors (CCA). CMMC Pathfinder Tool: https://www.summit7.us/pathfinder...
Oct 31, 2024•23 min
[Webinar] CMMC Finalized: The 32 CFR CMMC Final Rule | Register Now: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule After years of waiting the FAR CUI rule has cleared regulatory review and we should see the proposed rule published in just a few weeks. In this episode we briefly cover the history of the FAR CUI rule and discuss what we know about it (and what we think we know). The FAR CUI rule review page: https://www.reginfo.gov/public/do/eoDetails?rrid=539461 CMMC Pathfinder Tool: htt...
Oct 24, 2024•22 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder The 32 CFR CMMC final rule is finally final! It's also 470 pages long. What gives? Public comment responses. Literally just 230 pages of responses to public comments. While some of the responses are helpful, much of the time DoD was forced to take the time and space to explain why comments weren't relevant to the CMMC program at all. ...
Oct 17, 2024•23 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Yet another report analyzing defense contractor cybersecurity and compliance with DFARS contract clauses has found that adoption remains low. Even when companies are aware of their obligations, believe that CMMC will happen in 2024, and support minimum requirements, there is no guarantee that implementation will happen. This week we di...
Oct 10, 2024•18 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Calculating a self-assessment score is a fundamental part of complying with DoD cyber regulations. Unfortunately, Project Spectrum, the resource that DoD recommends more than any other, no longer calculates an “SPRS score”. In this episode we briefly explain the requirement to self-assess, the basics of calculating a score, and a l...
Oct 03, 2024•28 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder The Cyber AB held the monthly Townhall for September. And with the 32 CFR rule imminent, they have a lot of information to put out lately. On this week's episode, Jason and Joy are joined by Kyle Gingrich, Interim Executive Director of the CAICO, as they cover the information distributed during this month's townhall, changes to CMMC Ec...
Sep 26, 2024•1 hr 5 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder The 32 CFR CMMC final rule has officially cleared regulatory review. Next step: publication in the Federal Register. At this point the commercial availability of CMMC assessments is weeks away. This week Jacob and Jason go over the basics of rulemaking, the details of the CMMC rulemaking timeline, what's left in the process, and how...
Sep 19, 2024•39 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder This week we're deep diving into the details of DoD distribution statements with guest host Defcert CEO, Ryan Bonner. Hoping that your customer will proactively minimize CUI for you just isn't a viable strategy in this cruel world. Instead, Ryan walks us through his process for reverse engineering the government's decision to mark som...
Sep 12, 2024•45 min
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Special guest host Daniel Akridge walks us through a visual of Procurement Administrative Lead Time compared to the CMMC rulemaking timelines. Daniel also walks us through Summit 7's CMMC Pathfinder Tool - a free resource companies can use to know exactly what steps they should take and what solutions might work best. Connect with Dan...
Sep 05, 2024•31 min
The team is back from Navy Gold Coast 2024, and we have some thoughts and takeaways from one of the largest defense industry conferences of the year. The DoD and small businesses are looking ahead to 2025 acquisition calendars while CMMC inches closer by the day. Follow Hollie: https://www.linkedin.com/in/hollieflanner/ 48 CFR Rule: https://youtu.be/Fzi3SFEs92U?si=HrOU9ZnlrSd_-hPr PALT: https://youtu.be/NZs4f5voyrg?si=RNq22xmwbd7oZUxZ National Defense Strategy Pod: https://youtu.be/TZtNQ8rg8eI?s...
Aug 29, 2024•54 min
CMMC isn't a requirement to bid on defense contracts, but CMMC is a requirement to take award of DoD contracts. That means the most important metric is how much time you have between bidding and taking award. Turns out that “PALT” times are rarely long enough to go from zero to certified and that's a big, big problem for companies who are waiting on CMMC. Episode Links: 48 CFR Proposed Rule: https://youtu.be/Fzi3SFEs92U?si=jUpnHDQvFiiqOuc8 GAO report on PALT: https://www.gao.gov/products/gao-2...
Aug 22, 2024•31 min
1,417 days after the original CMMC contract clause was created and 1,003 days after the announcement of CMMC 2.0 here we are – the proposed rule revising DFARS clause 252.204-7021. This is the piece of the puzzle that will actually show up in your RFPs, contracts, awards, orders, etc. What does it say? Who does it affect? When will it show up? We step through it line-by-line.
Aug 15, 2024•1 hr 19 min
If you haven't caught a Cyber AB Town Hall lately, then you're missing out on valuable information. This week we give our take on the AB's rulemaking timeline, what the FY25 NDAA says about CMMC, the upcoming DoD IG report on the Cyber AB, and more! Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls Secure the DIB replay: https://www.summit7.us/securethedib
Aug 08, 2024•35 min
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ You're not crazy. According to a new inspector general report the federal CUI Program has been in hibernation for the last few years. But the story goes much deeper than run-of-the-mill findings. Desperately overworked civil servants, stubbornly non-compliant federal agencies, the lofty heights of the National Security Council, and even rumors of a new CUI executive order. This story might seem a world away from...
Aug 01, 2024•50 min
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ Summer is coming to a close and that means it's time for our annual Secure the DIB Summer Camp webinar. Summit 7's Daniel Akridge joins the show this week to share what he's seeing and hearing from defense contractors regarding market dynamics, what the primes are up to, and how companies are dealing with the cost of compliance. Episode Links: DIB Summer Camp: https://www.summit7.us/securethedib Big Dan: https:/...
Jul 25, 2024•28 min
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ The DoD's Center for Manufacturing Cybersecurity has released a report documenting the level of confidence that defense contractors have in their cybersecurity posture. The conclusion? There is a systemic cybersecurity overconfidence problem in the DIB. Episode Links: DIB Summer Camp: https://www.summit7.us/securethedib MxD Report: https://www.mxdusa.org/cyber/cyberreport/...
Jul 18, 2024•55 min
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ The 32 CFR CMMC final rule has officially left the DoD and is currently undergoing final regulatory review. This is the last step before publication in the Federal Register. Based on what we know, CMMC should be a reality before the end of 2024. Episode Links: Proposed Rule Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule
Jul 11, 2024•37 min
Now that SP 800-171 revision 3 is official, organizationally defined parameters (ODPs) are officially a part of the rest of our lives. Like most things in SP 800-171, there are great details in SP 800-53 that help explain what's going on. In this episode we take a deep dive into requirement 3.1.8 through the lens of ODPs. Episode Links: SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final FedRAMP baselines: https://www.fedramp.gov/baselines/...
Jul 04, 2024•51 min
The good news about NIST SP 800-171 revision 2 being the standard for the next few years is it's a smaller standard compared to revision 3. However, there are some confusing aspects to NIST SP 800-171 revision 2 that defense contractors can't afford to overlook. The most important? NFO Controls. Episode Links: NIST SP 800-171r2: https://csrc.nist.gov/pubs/sp/800/171/r3/final DFARS 7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=yPaUuHLnHIQsfGQu Policy and Procedure Deep Dive: https://youtu...
Jun 27, 2024•57 min
NIST has released four introductory training courses for the 800 series of special publications that make up the basis for the NIST Risk Management Framework. Each 60-minute course does a great job covering SP 800-37, 53, 53A, and 53B. If you need a leg up on the knowledge that forms the basis of CMMC training, you should check out the courses. NIST Training Courses: NIST CPRT: https://csrc.nist.gov/Projects/risk-management/rmf-courses
Jun 20, 2024•51 min
Although CMMC assessments are difficult, CMMC certifications are achievable (assuming you have passed through the “assessment feasibility determination” prior to the actual assessment). For many companies, failing CMMC assessments won't be their biggest problem – it will be qualifying for the assessment in the first place. Episode Links: CMMC Cap (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf CMMC Fuzzy Math (2021): https://youtu.be/843K3hkLq...
Jun 13, 2024•30 min
This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years. Episode Links: NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
Jun 06, 2024•52 min
The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released. Episode Links: FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB FAR CUI Rule: https://www.reginfo.gov/public/d...
May 30, 2024•37 min
After more than a year of development, revision 3 of SP 800-171 and 171A are officially done. This week we're joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the SP 800-53 catalog. Episode Links: 171r3 overview: https://youtu.be/TAzYQjLfPY0?si=TTP49MujwB3Obchl 171r3 overview blog: https://www.summit7.us/blog/nist-800-171-r...
May 23, 2024•1 hr 6 min
DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review. As a result, we can now estimate the timelines for CMMC rules. Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs. Episode links: 48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81 32 CFR CMMC: https://www.summit7.us/webinars/proposed-cmmc-rule DIB CS Final R...
May 17, 2024•30 min