    Estimating the Cost of NIST SP 800-171

    October 12, 2023

    About this Episode

    The government recently released a new federal acquisition regulation that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171, even though it is derived directly from SP 800-53. In this episode we use our knowledge of SP 800-53 to do the impossible and estimate the cost of SP 800-171 using the government's own numbers.

    Episode Links:

    LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_information-hazards-are-one-of-my-favorite-activity-7116107489045004288-BfrM

    FAR Rule: https://www.federalregister.gov/documents/2023/10/03/2023-21327/federal-acquisition-regulation-standardizing-cybersecurity-requirements-for-unclassified-federal

    Fuzzy Math @ CS2 San Diego (2021): https://www.youtube.com/watch?v=843K3hkLquk

    SolarWinds Hack: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

    EO 14028: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    DFARS 7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting

    DFARS 7010: https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services

    FIPS 199: https://csrc.nist.gov/pubs/fips/199/final

    SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

    SP 800-171B cost estimate (2019): https://csrc.nist.gov/pubs/sp/800/171/b/ipd

    Recent Episodes from Sum IT Up: CMMC News Roundup

    What’s Next for 800-171r3?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    NIST has released their summary of public comments received on the final drafts of SP 800-171 revision 3 and SP 800-171A revision 3. Jason and Jacob dive into when to expect the final revisions and what to expect in the revised requirements.

    Podcast listeners get a discount on CS2 registration, just use the code: SUMITUPBOSTON

    Episode Links:

    NIST CUI Project Page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    171r3 Blog: https://www.summit7.us/blog/nist-800-171-rev3-final-draft

    ORC Control Poll: https://www.linkedin.com/posts/jacob-evan-horne_supply-chain-security-pop-quiz-nist-control-activity-7168287222444576769-7iw_

    What comes after CMMC public comments?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    The public comment period on the CMMC proposed rule has closed so what happens next? In this episode we wade through the red tape in store over the next 12 months.

    Podcast listeners use the code SUMITUPBOSTON for a discount on registration.

    Episode Links: CS2 Boston: https://cs2.cloud/boston

    “Midnight Rulemaking”: https://www.gao.gov/products/gao-23-105510

    DoD's Rule Overview: https://youtu.be/DqRf0DiVBVI?si=2kTZcX45zD5ZPsnp

    We Are the World: https://youtu.be/cYfe8RYcz-w

    CS2 Boston Preview

    Register for CS2 | Boston here: https://cs2.cloud/boston

    It's almost Springtime and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC.

    Podcast listeners get 20% off registration with the code SUMITUPBOSTON

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm

    2024 Rulemaking Calendar

    Register for CS2 | Boston here: https://cs2.cloud/boston

    If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues, how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024.

    Listener discount code: SUMITUPBOSTON

    Episode Links:

    [Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule

    CS2 Boston: https://cs2.cloud/boston

    Midnight Rulemaking: https://www.gao.gov/products/gao-23-105510

    The Truth About the False Claims Act

    Register for CS2 | Boston: https://cs2.cloud/boston

    This week we're joined by Alex Canizares to catch up on enforcement trends under the False Claims Act. As a former DOJ trial attorney, Alex walks us through the finer details of FCA cases and what it means for CMMC, defense contractors, and the road ahead.

    Episode Links:

    Alex Canizares: https://www.linkedin.com/in/alexandercanizares/

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/dod-issues-proposed-cmmc-rule-requiring-cybersecurity-assessments-of-contractors.html

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/proposed-far-rules-introduce-new-compliance-obligations-and-false-claims-act-risks-for-government-contractors.html

    Cyber Civil Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

    CS2 discount code for our listeners: SUMITUPBOSTON

    CMMC and the Supreme Court

    The Supreme Court is set to upend decades of administrative law doctrine, and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC.

    Episode Links:

    Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/

    Lawfare Article: https://www.lawfaremedia.org/article/a-cyber-threat-to-u.s.-drinking-water

    Cyber Law Podcast: https://open.spotify.com/show/3Co2wdTUaZr4Xqnlxs4soG?si=64382c0b7b7a49c9

    Tech Policy Podcast: https://open.spotify.com/episode/1klWdGIAxI7YBTljMvI412?si=ea93f23b3f9143cb

    Dissed Podcast: https://open.spotify.com/episode/70GmGuWyEyKI2qNLcqlSIv?si=c69a3b6337ea4227

    National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Chevron Deference: https://ballotpedia.org/Chevron_deference_(doctrine)

    Auer Deference: https://ballotpedia.org/Auer_deference

    CMMC Predictions for 2024

    With five rulemaking efforts, multiple NIST revisions, and everything else going on in the DoD cyber regulation space it's hard to keep up with what's happening. In this episode we try and predict what's coming around the corner in 2024.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    DoD IG Report Episode: https://youtu.be/_3GLX6ele_E?si=KKhtgbjsxiLXWVJd

    Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=naLAhZPV794TAC66

    DoD IG Audit: https://www.linkedin.com/posts/jacob-evan-horne_dod-ig-dod-process-for-accrediting-c3paos-activity-7114319133088866304-uhU5

    RAS Syndrome: https://en.wikipedia.org/wiki/RAS_syndrome

    New Strategy, Who NDIS?

    The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    NDIS: https://www.businessdefense.gov/NDIS.html

    DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/

    “The Last Supper”: https://www.washingtonpost.com/archive/business/1997/07/04/how-a-dinner-led-to-a-feeding-frenzy/13961ba2-5908-4992-8335-c3c087cdebc6/

    View the full webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule On-Demand here: https://www.summit7.us/webinars/proposed-cmmc-rule

    Cloudy With a Chance of Memos

    FedRAMP moderate “equivalency” has been a thing since 2016, but DoD never really defined the term until January 2024. “The memo” has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all.

    Episode Links:

    DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

    The memo (PDF): https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

    Equivalency circa 2018: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

    FedRAMP: https://www.fedramp.gov/program-basics/

    NIST SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    7 Tips for Crafting Good Public Comments

    Register for the upcoming webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule

    Thinking about submitting comments on the CMMC proposed rule? Not sure where to start? In this episode we go over the “commenter's checklist” from regulations.gov to help you evaluate the quality of your public comments on federal rules, NIST publications, and more.

    Episode Links:

    Summit 7 Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule

    Commenter's Checklist (PDF): https://s3.amazonaws.com/prod-regulations-faq/pdf/Tips-For-Submitting-Effective-Comments.pdf

    CMMC Proposed Rule: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

    CMMC Guidance Documents: https://www.federalregister.gov/documents/2023/12/26/2023-27281/cybersecurity-maturity-model-certification-cmmc-program-guidance

    NIST SP 800-171 revision 3 draft: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information