Sum IT Up: CMMC News Roundup
Author: Summit 7 Systems


Description

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
73 Episodes
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Calculating a self-assessment score is a fundamental part of complying with DoD cyber regulations. Unfortunately, Project Spectrum, the resource that DoD recommends more than any other, no longer calculates an “SPRS score”. In this episode we briefly explain the requirement to self-assess, the basics of calculating a score, and a little-known tool from DoD that can help. Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder Fuzzy Math (2021): https://youtu.be/843K3hkLquk Project Spectrum: https://www.projectspectrum.io/#/ DIBCAC: https://www.dcma.mil/DIBCAC/ DoDAM (PDF): https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf CMMC Scoring: https://www.federalregister.gov/d/2023-27280/p-1429 CMMC False Starts: https://youtu.be/zwU4u86L_5A?
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder The Cyber AB held the monthly Townhall for September. And with the 32 CFR rule imminent, they have a lot of information to put out lately. On this week's episode, Jason and Joy are joined by Kyle Gingrich, Interim Executive Director of the CAICO, as they cover the information distributed during this month's townhall, changes to CMMC Ecosystem roles, the good ole' days of CMMC, and so much more. Sum IT Up “CMMC Final Rule Publication: Imminent” : Driving a Future-Ready Transportation Sector (youtube.com) Link to FedRAMP Equivalency Memo: FEDRAMP-EquivalencyCloudServiceProviders.pdf (defense.gov)
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder The 32 CFR CMMC final rule has officially cleared regulatory review. Next step: publication in the Federal Register. At this point the commercial availability of CMMC assessments is weeks away. This week Jacob and Jason go over the basics of rulemaking, the details of the CMMC rulemaking timeline, what's left in the process, and how to get started once and for all. Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder The History of CMMC (2010 – 2020): https://youtu.be/jbY2irZ1ePg Pathfinder Tool Demo: https://youtu.be/JiDTCchfCa0?
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder This week we're deep diving into the details of DoD distribution statements with guest host Defcert CEO, Ryan Bonner. Hoping that your customer will proactively minimize CUI for you just isn't a viable strategy in this cruel world. Instead, Ryan walks us through his process for reverse engineering the government's decision to mark something (or not). Armed with this information, contractors can more easily push back on their customers and scope their DFARS and CMMC environments – the holy grail. Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder Ryan CS2 Denver: https://youtu.be/IEy-TkmKMt8?si=euj5dH7shvrvpbAt RTX Charging Letter: https://www.linkedin.com/posts/jacob-evan-horne_whoopsie-daisy-62b-defense-corporation-activity-7237851962417774594-tbly DoD CUI Registry: https://www.dodcui.mil/ NARA CUI Registry: https://www.archives.gov/cui/registry/category-list
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder Special guest host Daniel Akridge walks us through a visual of Procurement Administrative Lead Time compared to the CMMC rulemaking timelines. Daniel also walks us through Summit 7's CMMC Pathfinder Tool - a free resource companies can use to know exactly what steps they should take and what solutions might work best. Connect with Daniel on LinkedIn: https://www.linkedin.com/in/danielakridge/ Connect with Jacob on LinkedIn: https://www.linkedin.com/in/jacob-evan-horne/ PALT Podcast: https://www.youtube.com/watch?v=NZs4f5voyrg CMMC Pathfinder Tool: https://www.summit7.us/pathfinder
The team is back from Navy Gold Coast 2024, and we have some thoughts and takeaways from one of the largest defense industry conferences of the year. The DoD and small businesses are looking ahead to 2025 acquisition calendars while CMMC inches closer by the day. Follow Hollie: https://www.linkedin.com/in/hollieflanner/ 48 CFR Rule: https://youtu.be/Fzi3SFEs92U?si=HrOU9ZnlrSd_-hPr PALT: https://youtu.be/NZs4f5voyrg?si=RNq22xmwbd7oZUxZ National Defense Strategy Pod: https://youtu.be/TZtNQ8rg8eI?si=UKMscIx6tlkjKKuL The DIB Cyber Strategy Pod: https://youtu.be/JYsmwcWzglU?si=veyhdqi0T2Dnhpsc The National Defense Industrial Strategy Pod: https://youtu.be/ZKKkyK5PeOc?si=109D07JfcZFSVaXf
CMMC isn't a requirement to bid on defense contracts, but CMMC is a requirement to take award of DoD contracts. That means the most important metric is how much time you have between bidding and taking award. Turns out that “PALT” times are rarely long enough to go from zero to certified, and that's a big, big problem for companies who are waiting on CMMC. Episode Links: 48 CFR Proposed Rule: https://youtu.be/Fzi3SFEs92U?si=jUpnHDQvFiiqOuc8 GAO report on PALT: https://www.gao.gov/products/gao-24-106528 Secure the DIB replay: https://www.summit7.us/securethedib
1,417 days after the original CMMC contract clause was created and 1,003 days after the announcement of CMMC 2.0 here we are – the proposed rule revising DFARS clause 252.204-7021. This is the piece of the puzzle that will actually show up in your RFPs, contracts, awards, orders, etc. What does it say? Who does it affect? When will it show up? We step through it line-by-line.
If you haven't caught a Cyber AB Town Hall lately, then you're missing out on valuable information. This week we give our take on the AB's rulemaking timeline, what the FY25 NDAA says about CMMC, the upcoming DoD IG report on the Cyber AB, and more! Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls Secure the DIB replay: https://www.summit7.us/securethedib
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ You're not crazy. According to a new inspector general report the federal CUI Program has been in hibernation for the last few years. But the story goes much deeper than run-of-the-mill findings. Desperately overworked civil servants, stubbornly non-compliant federal agencies, the lofty heights of the National Security Council, and even rumors of a new CUI executive order. This story might seem a world away from the day-to-day concerns of defense contractors, but what happens on top of the mountain inevitably rolls downhill. ISOO IG Report: https://naraoig.oversight.gov/reports/audit/audit-naras-information-security-oversight-office History of CMMC (2010 – 2020): https://youtu.be/jbY2irZ1ePg?si=bGiInfLCpr-WFvcF
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ Summer is coming to a close and that means it's time for our annual Secure the DIB Summer Camp webinar. Summit 7's Daniel Akridge joins the show this week to share what he's seeing and hearing from defense contractors regarding market dynamics, what the primes are up to, and how companies are dealing with the cost of compliance. Episode Links: DIB Summer Camp: https://www.summit7.us/securethedib Big Dan: https://www.linkedin.com/in/danielakridge/
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ The DoD's Center for Manufacturing Cybersecurity has released a report documenting the level of confidence that defense contractors have in their cybersecurity posture. The conclusion? There is a systemic cybersecurity overconfidence problem in the DIB. Episode Links: DIB Summer Camp: https://www.summit7.us/securethedib MxD Report: https://www.mxdusa.org/cyber/cyberreport/
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/ The 32 CFR CMMC final rule has officially left the DoD and is currently undergoing final regulatory review. This is the last step before publication in the Federal Register. Based on what we know, CMMC should be a reality before the end of 2024. Episode Links: Proposed Rule Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule
Now that SP 800-171 revision 3 is official, organizationally defined parameters (ODPs) are officially a part of the rest of our lives. Like most things in SP 800-171, there are great details in SP 800-53 that help explain what's going on. In this episode we take a deep dive into requirement 3.1.8 through the lens of ODPs. Episode Links: SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final FedRAMP baselines: https://www.fedramp.gov/baselines/
The good news about NIST SP 800-171 revision 2 being the standard for the next few years is it's a smaller standard compared to revision 3. However, there are some confusing aspects to NIST SP 800-171 revision 2 that defense contractors can't afford to overlook. The most important? NFO Controls. Episode Links: NIST SP 800-171r2: https://csrc.nist.gov/pubs/sp/800/171/r3/final DFARS 7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=yPaUuHLnHIQsfGQu Policy and Procedure Deep Dive: https://youtu.be/TXsKdH3hC6E?si=GoAlpEuMqQWAsOzr
NIST has released four introductory training courses for the 800 series of special publications that make up the basis for the NIST Risk Management Framework. Each 60 minute course does a great job covering SP 800-37, 53, 53A, and 53B. If you need a leg up on the knowledge that forms the basis of CMMC training, you should check out the courses. NIST Training Courses: NIST CPRT: https://csrc.nist.gov/Projects/risk-management/rmf-courses
Although CMMC assessments are difficult, CMMC certifications are achievable (assuming you have passed through the “assessment feasibility determination” prior to the actual assessment). For many companies, failing CMMC assessments won't be their biggest problem – it will be qualifying for the assessment in the first place. Episode Links: CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf CMMC Fuzzy Math (2021): https://youtu.be/843K3hkLquk?si=aDuiomqVxSSwnExI NIST Policy Controls: https://youtu.be/TXsKdH3hC6E?si=24svcK18w20DbLP_
This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years. Episode Links: NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released. Episode Links: FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB FAR CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=9000-AN56
After more than a year of development, revision 3 of SP 800-171 and 171A are officially done. This week we're joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the SP 800-53 catalog. Episode Links: 171r3 overview: https://youtu.be/TAzYQjLfPY0?si=TTP49MujwB3Obchl 171r3 overview blog: https://www.summit7.us/blog/nist-800-171-revision-3 Dr. Ross on the 171r3 final draft: https://youtu.be/IMms3dlPUGo?si=8Wd3p0At4BUhMkCq NIST deep dive with Dr. Ross: https://youtu.be/vAPFmga_NtI?si=9_n5kXvTUYPcmUys Scott Goodwin at CS2 Boston: https://youtu.be/LFfbDpZRM_M?si=yVcd4BxiwpNPzdRO