Episodes
-
DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review. As a result, we can now estimate the timelines for CMMC rules. Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs.
Episode links:
48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81
32 CFR CMMC: https://www.summit7.us/webinars/proposed-cmmc-rule
DIB CS Final Rule: https://youtu.be/E7GsBZMM1CI?si=3um3RYk8pDZH29Ca
CIRCIA Rule pt. 1: https://youtu.be/ngYSaO5fg5Y?si=1Z3G7_jGkmZ8KFxI
CIRCIA Rule pt. 2: https://youtu.be/kUdhl5QfziU?si=EIMlHpu_KMtcdAVX
SP 800-171r3 overview: https://youtu.be/TAzYQjLfPY0?si=32QowzgK33D9YLQx
DFARS 7012 class deviation: https://youtu.be/voziZRAMvv4?si=hHigkKuWpdbvDjW4
FAR CUI Rule: https://youtu.be/lZv3JwJNfcQ?si=6OKA2Kwz6tc_cMyS
-
NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required for defense contractors for some time, it pays to see exactly what the future holds. On the surface, revision 3 has fewer requirements than revision 2. However, under the hood of 171Ar3 there is actually a 32% increase in the number of verification questions that need to be answered. Overall, 171r3 is progress in the right direction, even if it comes with a few warts.
Episode Links:
SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final
SP 800-171Ar3: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final
-
The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the DoD. The 2023 CMMC proposed rule specified that it will assess SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now. Nevertheless, SP 800-171 revision 3 will be the requirement, but contractors have some room to breathe.
Lauren Ayers: https://www.linkedin.com/in/laurencayers/
Lauren Episode: https://youtu.be/t9nLlcu47IU?si=RzCn1RsM4N7waGmF
DFARS “Effective Date”: https://youtu.be/Vuz56hPs4Ng?si=pgK8qmbbtRGT2DkP
Class Deviation: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/
-
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
According to a very scientific LinkedIn poll, 61% of respondents think that DFARS clause 252.204-7012 incident reporting requirements should expand to match CIRCIA reporting requirements. While this move would make things more efficient for defense contractors, we're pretty sure folks are underestimating exactly how detailed a proposed CIRCIA incident report will be.
Episode Links:
CIRCIA Primer: https://youtu.be/ngYSaO5fg5Y?si=RSg4sWRRWuyrCr9S
-
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
Q2 2024 is upon us so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the Summer doldrums push things into the Fall then we could be in for a relentless holiday season.
Episode links:
CS2 Replay: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
Q1 Rulemaking Calendar: https://youtu.be/IgebrVfrgWs?si=3mf5n2l1ODIlCUPt
-
Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies.
Episode Links:
CIRCIA Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
Congressional Research Service Report (PDF): https://crsreports.congress.gov/product/pdf/R/R48025
How to submit effective comments: https://youtu.be/1T_62cYiUA4?si=sp91i_cXFGiyD7JW
-
At long last the DIB Cybersecurity Strategy has officially been released and it's ... not great. One thing is clear: CMMC is a key part of the DoD's strategy and there are many DoD resources specifically designed to help contractors deal with it. Instead, the DoD is focused on coordination, communication, and threat intelligence sharing.
Episode Links:
DIB Cyber Strategy: https://www.defense.gov/News/Releases/Release/Article/3723439/dod-releases-defense-industrial-base-cybersecurity-strategy/
GCC: https://www.cisa.gov/resources-tools/groups/government-coordinating-councils
SCC: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/defense-industrial-base-sector/sector-charters-and-membership
CIPAC: https://www.cisa.gov/resources-tools/resources/cipac-2022-charter
NSA Enduring Security Framework: https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/Enduring-Security-Framework/
-
Register for CS2 | Boston here: https://cs2.cloud/boston
Even before the CMMC proposed rule looped managed service providers into CMMC certification, defense contractors needed to be aware of how long it takes their MSP to get ready to support their assessment. This week we preview a talk from CS2 Boston focusing on the rocky road for MSPs featuring Ryan Bonner and Daniel Akridge.
Podcast listeners use code SUMITUPBOSTON for a discount on registration
Episode Links:
Summit 7 Webinar: https://www.summit7.us/webinars/can-my-msp-do-cmmc
Daniel: https://www.linkedin.com/in/danielakridge/
Defcert: https://defcert.com/
Ryan: https://www.linkedin.com/in/rybonner/
GAO on lead times: https://www.linkedin.com/posts/jacob-evan-horne_gao-defense-contract-lead-times-activity-7174430584172138498-oSfY
-
Register for CS2 | Boston here: https://cs2.cloud/boston
After nearly two years of silence and almost a decade of waiting the FAR CUI rule is one step closer to reality. In this episode we dive into what the FAR CUI rule is and what it means for federal contractors outside of the defense industrial base.
Podcast listeners use code SUMITUPBOSTON for a discount on CS2 registration!
-
Register for CS2 | Boston here: https://cs2.cloud/boston
On March 11th, the DoD issued a final rule expanding eligibility for the DIB Cybersecurity Program to non-cleared defense contractors and their managed service providers. This week we dive into the features of the rule, how it lines up with CMMC, and why the DoD finally expanded the program after 12 years.
Podcast listeners use the code SUMITUPBOSTON for a discount on registration!
The DIB CS Final Rule: https://www.federalregister.gov/documents/2024/03/12/2024-04752/department-of-defense-dod-defense-industrial-base-dib-cybersecurity-cs-activities
DCISE: https://www.dc3.mil/Missions/DIB-Cybersecurity/DIB-Cybersecurity-DCISE/
The 2020 Cyberspace Solarium Commission Report: https://www.solarium.gov/report
The 2023 Cyberspace Solarium Implementation Report: https://cybersolarium.org/annual-assessment/2023-annual-report-on-implementation/
-
Register for CS2 | Boston here: https://cs2.cloud/boston
NIST has released their summary of public comments received on the final drafts of SP 800-171 revision 3 and SP 800-171A revision 3. Jason and Jacob dive into when to expect the final revisions and what to expect in the revised requirements.
Podcast listeners get a discount on CS2 registration, just use the code: SUMITUPBOSTON
Episode Links:
NIST CUI Project Page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information
171r3 Blog: https://www.summit7.us/blog/nist-800-171-rev3-final-draft
ORC Control Poll: https://www.linkedin.com/posts/jacob-evan-horne_supply-chain-security-pop-quiz-nist-control-activity-7168287222444576769-7iw_
-
Register for CS2 | Boston here: https://cs2.cloud/boston
The public comment period on the CMMC proposed rule has closed so what happens next? In this episode we wade through the red tape in store over the next 12 months.
Podcast listeners use code SUMITUPBOSTON for a discount on registration
Episode Links:
CS2 Boston: https://cs2.cloud/boston
“Midnight Rulemaking”: https://www.gao.gov/products/gao-23-105510
DoD's Rule Overview: https://youtu.be/DqRf0DiVBVI?si=2kTZcX45zD5ZPsnp
We Are the World: https://youtu.be/cYfe8RYcz-w
-
Register for CS2 | Boston here: https://cs2.cloud/boston
It's almost Springtime and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC.
Podcast listeners get 20% off registration with the code SUMITUPBOSTON
Episode Links:
CS2 Boston: https://cs2.cloud/boston
DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm
-
Register for CS2 | Boston here: https://cs2.cloud/boston
If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024.
Listener discount code: SUMITUPBOSTON
Episode Links:
[Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule
CS2 Boston: https://cs2.cloud/boston
Midnight Rulemaking: https://www.gao.gov/products/gao-23-105510
-
Register for CS2 | Boston: https://cs2.cloud/boston
This week we're joined by Alex Canizares to catch up on enforcement trends under the False Claims Act. As a former DOJ trial attorney, Alex walks us through the finer details of FCA cases and what it means for CMMC, defense contractors, and the road ahead.
Episode Links:
Alex Canizares: https://www.linkedin.com/in/alexandercanizares/
Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/dod-issues-proposed-cmmc-rule-requiring-cybersecurity-assessments-of-contractors.html
Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/proposed-far-rules-introduce-new-compliance-obligations-and-false-claims-act-risks-for-government-contractors.html
Cyber Civil Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative
CS2 discount code for our listeners: SUMITUPBOSTON
-
The Supreme Court is set to upend decades of administrative law doctrine, and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC.
Episode Links:
Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/
Lawfare Article: https://www.lawfaremedia.org/article/a-cyber-threat-to-u.s.-drinking-water
Cyber Law Podcast: https://open.spotify.com/show/3Co2wdTUaZr4Xqnlxs4soG?si=64382c0b7b7a49c9
Tech Policy Podcast: https://open.spotify.com/episode/1klWdGIAxI7YBTljMvI412?si=ea93f23b3f9143cb
Dissed Podcast: https://open.spotify.com/episode/70GmGuWyEyKI2qNLcqlSIv?si=c69a3b6337ea4227
National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
Chevron Deference: https://ballotpedia.org/Chevron_deference_(doctrine)
Auer Deference: https://ballotpedia.org/Auer_deference
-
With five rulemaking efforts, multiple NIST revisions, and everything else going on in the DoD cyber regulation space it's hard to keep up with what's happening. In this episode we try and predict what's coming around the corner in 2024.
Episode Links:
Register for CS2 Boston: https://cs2.cloud/boston
DoD IG Report Episode: https://youtu.be/_3GLX6ele_E?si=KKhtgbjsxiLXWVJd
Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=naLAhZPV794TAC66
DoD IG Audit: https://www.linkedin.com/posts/jacob-evan-horne_dod-ig-dod-process-for-accrediting-c3paos-activity-7114319133088866304-uhU5
RAS Syndrome: https://en.wikipedia.org/wiki/RAS_syndrome
-
The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC.
Episode Links:
Register for CS2 Boston: https://cs2.cloud/boston
NDIS: https://www.businessdefense.gov/NDIS.html
DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/
“The Last Supper”: https://www.washingtonpost.com/archive/business/1997/07/04/how-a-dinner-led-to-a-feeding-frenzy/13961ba2-5908-4992-8335-c3c087cdebc6/
View the full webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule On-Demand here: https://www.summit7.us/webinars/proposed-cmmc-rule
-
FedRAMP moderate “equivalency” has been a thing since 2016, but DoD never really defined the term until January 2024. “The memo” has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all.
Episode Links:
DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
The memo (PDF): https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf
Equivalency circa 2018: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop
FedRAMP: https://www.fedramp.gov/program-basics/
NIST SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
-
Register for the upcoming webinar; CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule
Thinking about submitting comments on the CMMC proposed rule? Not sure where to start? In this episode we go over the “commenter's checklist” from regulations.gov to help you evaluate the quality of your public comments on federal rules, NIST publications, and more.
Episode Links:
Summit 7 Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule
Commenter's Checklist (PDF): https://s3.amazonaws.com/prod-regulations-faq/pdf/Tips-For-Submitting-Effective-Comments.pdf
CMMC Proposed Rule: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
CMMC Guidance Documents: https://www.federalregister.gov/documents/2023/12/26/2023-27281/cybersecurity-maturity-model-certification-cmmc-program-guidance
NIST SP 800-171 revision 3 draft: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information