Sum IT Up: CMMC News Roundup
Author: Summit 7 Systems
© Copyright 2024 by Summit 7 Systems
Description
It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
73 Episodes
CMMC Pathfinder Tool | In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence: https://www.summit7.us/pathfinder
Calculating a self-assessment score is a fundamental part of complying with DoD cyber regulations. Unfortunately, Project Spectrum, the resource that DoD recommends more than any other, no longer calculates an “SPRS score”. In this episode we briefly explain the self-assessment requirement, the basics of calculating a score, and a little-known tool from DoD that can help.
Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder
Fuzzy Math (2021): https://youtu.be/843K3hkLquk
Project Spectrum: https://www.projectspectrum.io/#/
DIBCAC: https://www.dcma.mil/DIBCAC/
DoDAM (PDF): https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf
CMMC Scoring: https://www.federalregister.gov/d/2023-27280/p-1429
CMMC False Starts: https://youtu.be/zwU4u86L_5A?
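The scoring rule the episode refers to is the one in the linked DoD Assessment Methodology (DoDAM): start at 110 and subtract the weight of every requirement that is not met, with partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and no score at all if there is no system security plan (3.12.4). The following Python is an added worked example, not code from Summit 7, DoD or Project Spectrum; the weighting table is a short excerpt transcribed from DoDAM v1.2.1 (treat the values as an assumption and verify them against the PDF), and the sample status dictionary is constructed for illustration.

```python
"""
Added example: scoring a NIST SP 800-171 self-assessment the way the
DoD Assessment Methodology (DoDAM) describes it.
  * start at 110, subtract the weight of each NOT MET requirement
  * 3.5.3 and 3.13.11 lose 3 instead of 5 when partially implemented
  * 3.12.4 (the SSP) carries no weight; without an SSP there is no score
"""
from __future__ import annotations

MAX_SCORE = 110

# Excerpt of the DoDAM weighting table.  Assumption: transcribed from
# DoDAM v1.2.1 Annex A; verify against the PDF before relying on it.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.7": 1,    # non-privileged users cannot run privileged functions
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
}

# Points deducted instead of the full weight when partially implemented.
PARTIAL_CREDIT: dict[str, int] = {
    "3.5.3": 3,    # MFA for general users but not privileged/remote access
    "3.13.11": 3,  # encryption in place but not FIPS-validated
}

SSP_REQUIREMENT = "3.12.4"


class NotAssessable(Exception):
    """Raised when DoDAM says the system cannot be scored at all."""


def sprs_score(status: dict[str, str]) -> int:
    """
    status maps requirement ID -> "met", "not_met" or "partial".
    Requirements absent from `status` are treated as met, so an
    assessor only has to record gaps.
    """
    if status.get(SSP_REQUIREMENT) == "not_met":
        raise NotAssessable("no SSP: the assessment cannot be scored")
    score = MAX_SCORE
    for req, state in status.items():
        if req == SSP_REQUIREMENT or state == "met":
            continue
        if req not in WEIGHTS:
            raise KeyError(f"{req} is not in the (excerpted) weighting table")
        if state == "not_met":
            score -= WEIGHTS[req]
        elif state == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} has no partial credit; mark it not_met")
            score -= PARTIAL_CREDIT[req]
        else:
            raise ValueError(f"unknown status {state!r} for {req}")
    return score


# Constructed sample: one 1-point gap, partial MFA, no FIPS crypto.
SAMPLE_STATUS = {
    "3.12.4": "met",
    "3.1.1": "met",
    "3.1.3": "not_met",
    "3.5.3": "partial",
    "3.13.11": "not_met",
}

if __name__ == "__main__":
    print(sprs_score(SAMPLE_STATUS))  # 110 - 1 - 3 - 5 = 101
```

The two things a practitioner most often gets wrong are visible here: partial credit exists for exactly two requirements, and a missing SSP is not a deduction but a condition that makes the score meaningless.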
The Cyber AB held the monthly Town Hall for September, and with the 32 CFR rule imminent, they have a lot of information to put out lately. On this week's episode, Jason and Joy are joined by Kyle Gingrich, Interim Executive Director of the CAICO, as they cover the information distributed during this month's Town Hall, changes to CMMC Ecosystem roles, the good ole' days of CMMC, and so much more.
Sum IT Up “CMMC Final Rule Publication: Imminent” : Driving a Future-Ready Transportation Sector (youtube.com)
Link to FedRAMP Equivalency Memo: FEDRAMP-EquivalencyCloudServiceProviders.pdf (defense.gov)
The 32 CFR CMMC final rule has officially cleared regulatory review. Next step: publication in the Federal Register. At this point the commercial availability of CMMC assessments is weeks away. This week Jacob and Jason go over the basics of rulemaking, the details of the CMMC rulemaking timeline, what's left in the process, and how to get started once and for all.
Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder
The History of CMMC (2010 – 2020): https://youtu.be/jbY2irZ1ePg
Pathfinder Tool Demo: https://youtu.be/JiDTCchfCa0?
This week we're deep diving into the details of DoD distribution statements with guest host Defcert CEO, Ryan Bonner. Hoping that your customer will proactively minimize CUI for you just isn't a viable strategy in this cruel world. Instead, Ryan walks us through his process for reverse engineering the government's decision to mark something (or not). Armed with this information, contractors can more easily push back on their customers and scope their DFARS and CMMC environments – the holy grail.
Summit 7 Pathfinder Tool: https://www.summit7.us/pathfinder
Ryan CS2 Denver: https://youtu.be/IEy-TkmKMt8?si=euj5dH7shvrvpbAt
RTX Charging Letter: https://www.linkedin.com/posts/jacob-evan-horne_whoopsie-daisy-62b-defense-corporation-activity-7237851962417774594-tbly
DoD CUI Registry: https://www.dodcui.mil/
NARA CUI Registry: https://www.archives.gov/cui/registry/category-list
Special guest host Daniel Akridge walks us through a visual of Procurement Administrative Lead Time compared to the CMMC rulemaking timelines. Daniel also walks us through Summit 7's CMMC Pathfinder Tool - a free resource companies can use to know exactly what steps they should take and what solutions might work best.
Connect with Daniel on LinkedIn: https://www.linkedin.com/in/danielakridge/
Connect with Jacob on LinkedIn: https://www.linkedin.com/in/jacob-evan-horne/
PALT Podcast: https://www.youtube.com/watch?v=NZs4f5voyrg
CMMC Pathfinder Tool: https://www.summit7.us/pathfinder
The team is back from Navy Gold Coast 2024, and we have some thoughts and takeaways from one of the largest defense industry conferences of the year. The DoD and small businesses are looking ahead to 2025 acquisition calendars while CMMC inches closer by the day.
Follow Hollie: https://www.linkedin.com/in/hollieflanner/
48 CFR Rule: https://youtu.be/Fzi3SFEs92U?si=HrOU9ZnlrSd_-hPr
PALT: https://youtu.be/NZs4f5voyrg?si=RNq22xmwbd7oZUxZ
National Defense Strategy Pod: https://youtu.be/TZtNQ8rg8eI?si=UKMscIx6tlkjKKuL
The DIB Cyber Strategy Pod: https://youtu.be/JYsmwcWzglU?si=veyhdqi0T2Dnhpsc
The National Defense Industrial Strategy Pod: https://youtu.be/ZKKkyK5PeOc?si=109D07JfcZFSVaXf
CMMC isn't a requirement to bid on defense contracts, but CMMC is a requirement to take award of DoD contracts. That means the most important metric is how much time you have between bidding and taking award. Turns out that “PALT” times are rarely long enough to go from zero to certified, and that's a big, big problem for companies who are waiting on CMMC.
Episode Links:
48 CFR Proposed Rule: https://youtu.be/Fzi3SFEs92U?si=jUpnHDQvFiiqOuc8
GAO report on PALT: https://www.gao.gov/products/gao-24-106528
Secure the DIB replay: https://www.summit7.us/securethedib
1,417 days after the original CMMC contract clause was created and 1,003 days after the announcement of CMMC 2.0 here we are – the proposed rule revising DFARS clause 252.204-7021. This is the piece of the puzzle that will actually show up in your RFPs, contracts, awards, orders, etc. What does it say? Who does it affect? When will it show up? We step through it line-by-line.
If you haven't caught a Cyber AB Town Hall lately, then you're missing out on valuable information. This week we give our take on the AB's rulemaking timeline, what the FY25 NDAA says about CMMC, the upcoming DoD IG report on the Cyber AB, and more!
Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls
Secure the DIB replay: https://www.summit7.us/securethedib
Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/
You're not crazy. According to a new inspector general report, the federal CUI Program has been in hibernation for the last few years. But the story goes much deeper than run-of-the-mill findings: desperately overworked civil servants, stubbornly non-compliant federal agencies, the lofty heights of the National Security Council, and even rumors of a new CUI executive order. This story might seem a world away from the day-to-day concerns of defense contractors, but what happens on top of the mountain inevitably rolls downhill.
ISOO IG Report: https://naraoig.oversight.gov/reports/audit/audit-naras-information-security-oversight-office
History of CMMC (2010 – 2020): https://youtu.be/jbY2irZ1ePg?si=bGiInfLCpr-WFvcF
Summer is coming to a close and that means it's time for our annual Secure the DIB Summer Camp webinar. Summit 7's Daniel Akridge joins the show this week to share what he's seeing and hearing from defense contractors regarding market dynamics, what the primes are up to, and how companies are dealing with the cost of compliance.
Episode Links:
DIB Summer Camp: https://www.summit7.us/securethedib
Big Dan: https://www.linkedin.com/in/danielakridge/
The DoD's Center for Manufacturing Cybersecurity has released a report documenting the level of confidence that defense contractors have in their cybersecurity posture. The conclusion? There is a systemic cybersecurity overconfidence problem in the DIB.
Episode Links:
DIB Summer Camp: https://www.summit7.us/securethedib
MxD Report: https://www.mxdusa.org/cyber/cyberreport/
The 32 CFR CMMC final rule has officially left the DoD and is currently undergoing final regulatory review. This is the last step before publication in the Federal Register. Based on what we know, CMMC should be a reality before the end of 2024.
Episode Links: Proposed Rule Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule
Now that SP 800-171 revision 3 is official, organization-defined parameters (ODPs) are officially a part of the rest of our lives. Like most things in SP 800-171, there are great details in SP 800-53 that help explain what's going on. In this episode we take a deep dive into requirement 3.1.8 through the lens of ODPs.
Episode Links:
SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
FedRAMP baselines: https://www.fedramp.gov/baselines/
The good news about NIST SP 800-171 revision 2 being the standard for the next few years is it's a smaller standard compared to revision 3. However, there are some confusing aspects to NIST SP 800-171 revision 2 that defense contractors can't afford to overlook. The most important? NFO Controls.
Episode Links:
NIST SP 800-171r2: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
DFARS 7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=yPaUuHLnHIQsfGQu
Policy and Procedure Deep Dive: https://youtu.be/TXsKdH3hC6E?si=GoAlpEuMqQWAsOzr
NIST has released four introductory training courses for the 800-series special publications that make up the basis for the NIST Risk Management Framework. Each 60-minute course does a great job covering SP 800-37, 53, 53A, and 53B. If you need a leg up on the knowledge that forms the basis of CMMC training, you should check out the courses.
NIST RMF Training Courses: https://csrc.nist.gov/Projects/risk-management/rmf-courses
Although CMMC assessments are difficult, CMMC certifications are achievable (assuming you have passed through the “assessment feasibility determination” prior to the actual assessment). For many companies, failing CMMC assessments won't be their biggest problem; it will be qualifying for the assessment in the first place.
Episode Links:
CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
CMMC Fuzzy Math (2021): https://youtu.be/843K3hkLquk?si=aDuiomqVxSSwnExI
NIST Policy Controls: https://youtu.be/TXsKdH3hC6E?si=24svcK18w20DbLP_
This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years.
Episode Links:
NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released.
Episode Links:
FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB
FAR CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=9000-AN56
After more than a year of development, revision 3 of SP 800-171 and 171A are officially done. This week we're joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the SP 800-53 catalog.
Episode Links:
171r3 overview: https://youtu.be/TAzYQjLfPY0?si=TTP49MujwB3Obchl
171r3 overview blog: https://www.summit7.us/blog/nist-800-171-revision-3
Dr. Ross on the 171r3 final draft: https://youtu.be/IMms3dlPUGo?si=8Wd3p0At4BUhMkCq
NIST deep dive with Dr. Ross: https://youtu.be/vAPFmga_NtI?si=9_n5kXvTUYPcmUys
Scott Goodwin at CS2 Boston: https://youtu.be/LFfbDpZRM_M?si=yVcd4BxiwpNPzdRO