
    cui

    Episodes (39)

    CMMC, NIST, CUI, & DFARS News and Analysis for June 2023

    Episode Links:

    Cyber AB June TH: https://cyberab.org/News-Events/Town-Halls

    CMMC Ecosystem Summit Call For Speakers: https://na.eventscloud.com/cmmcpapers

    Recording of the June 6th, 2023 NIST Webinar on 800-171 r3: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3#:~:text=On%20June%206%2C%202023%2C%20NIST,in%20Nonfederal%20Systems%20and%20Organizations.

    DOD IG Report on Implementation and Oversight of the Controlled Unclassified Information Program: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/

    Stephanie's LinkedIn: https://www.linkedin.com/in/bstephaniesiegmann/

    Cyber Civil-Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

    Aerojet Rocketdyne FCA claim: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

    UBER CISO Convicted of Covering up Data Breach: https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach

    Supreme Court FCA Ruling: supremecourt.gov/opinions/22pdf/21-1326_6jfl.pdf

    Lauren's LinkedIn: https://www.linkedin.com/in/laurencayers/

    Professional Services Council: www.pscouncil.org

    CMMC, NIST, CUI, & DFARS News and Analysis for May 2023

    In this episode Jacob and Jason discuss their takeaways from the May Cyber AB Town Hall, including Jacob's guest appearance. The initial public draft of NIST SP 800-171r3 was released, and in this episode the fellas give their initial feedback and analysis on it. Additionally, we discuss the proposed rule to expand eligibility into the DIB CS program, the recently published ND-ISAC Cybersecurity Handbook for SMBs, and the MS Volt Typhoon campaign.

    Episode Links:

    NIST SP 800-171r3 Draft: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf

    NIST Security Controls: Deep Dive with Dr. Ron Ross: https://www.youtube.com/watch?v=vAPFmga_NtI

    Cooey Center of Excellence: https://discord.com/invite/rPtTes5bqA

    NIST SP 800-53r5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

    The Cyber AB May Townhall: https://cyberab.org/News-Events/Town-Halls

    DIB CS Proposed Rule: https://www.federalregister.gov/documents/2023/05/03/2023-09021/department-of-defense-dod-defense-industrial-base-dib-cybersecurity-cs-activities

    ND-ISAC Handbook for SMBs: https://ndisac.org/wp-content/uploads/2023/05/Securing-SMB-Manufacturing-Supply-Chain-Resource-Handbook-Final_4MAY2023.pdf

    MS Volt Typhoon Threat Brief: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

    CISA VoltTyphoon Cybersecurity Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

    NIST Security Controls: Deep Dive with Dr. Ron Ross

    At first glance the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk us through where SP 800-53 has been, where it's going, and how a broader understanding helps put SP 800-171 into context for federal contractors. For more information and resources please visit: https://www.summit7.us/resources#resources_nist

    Episode Links:

    Rainbow Series: https://en.wikipedia.org/wiki/Rainbow_Series

    Anderson Report (PDF): https://csrc.nist.rip/publications/history/ande72.pdf

    Ware Report: https://en.wikipedia.org/wiki/Ware_report

    A Vulnerable System: https://www.amazon.com/Vulnerable-System-Information-Security-Computer-ebook/dp/B08YP9XH84

    The Perfect Weapon: https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899

    FISMA: https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

    FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final

    FIPS 199: https://csrc.nist.gov/publications/detail/fips/199/final

    RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

    Alan Paller: https://www.sans.org/about/our-founder/

    Metrics as surrogates: https://hbr.org/2019/09/dont-let-metrics-undermine-your-business

    EO 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information

    CUI Registry: https://www.archives.gov/cui/registry/category-list

    SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

    SP 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

    CMMC, NIST, CUI, & DFARS News and Analysis for March 2023

    In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall, CS2 Huntsville, and other interesting topics from March 2023 including recent #DoD testimony before Congress, #DIBCAC perspectives on Multifactor Authentication and #FIPS validated encryption, and other exciting topics. This month we were joined by our first ever podcast guest: DefCERT founder and CEO Ryan Bonner helps tackle a few complicated #CUI questions submitted during the Town Hall.

    Episode Links:

    DefCERT: https://defcert.com/

    Ryan Bonner: https://www.linkedin.com/in/rybonner/

    March AB Town Hall: https://cyberab.org/News-Events/Town-Halls/Details/march-2023-town-hall

    Upcoming Natty Stratty Implementation Plan: https://federalnewsnetwork.com/cybersecurity/2023/03/white-house-aims-to-issue-cyber-strategy-implementation-plan-by-june/

    DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

    CUI Registry CTI: https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html

    DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

    DFARS Rights in Technical Data: https://www.acq.osd.mil/dpap/dars/dfars/html/current/227_71.htm

    CMMC Scoping Guide: https://dodcio.defense.gov/CMMC/Documentation/

    DI MGMT 82247: https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/Assess-Compliance-and-Enhance-Protection-of-Contractor-System-with-Attachments-11-6-2018.pdf

    CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

    32 CFR: https://www.ecfr.gov/current/title-32

    48 CFR: https://www.ecfr.gov/current/title-48

    Draft CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

    GAO Report: https://www.gao.gov/products/gao-23-105510

    CMMC Scaling vs DIBCAC: https://www.federalregister.gov/d/2020-21123/p-49

    CMMC Assessment Guide: https://dodcio.defense.gov/CMMC/Documentation/

    NIST SP 800-171A: https://www.nist.gov/news-events/news/2018/06/nist-publishing-special-publication-sp-800-171a-assessing-security

    SPRS Rule: https://www.federalregister.gov/documents/2023/03/22/2023-05671/defense-federal-acquisition-regulation-supplement-use-of-supplier-performance-risk-system-sprs

    Bob Metzger's Take on SPRS Rule: https://www.linkedin.com/posts/robertmetzger_sprs-evaluation-criteria-manual-activity-7046888772768067584-7bHW

    Jacob's CS2 Session: https://youtu.be/hipUN_4rfOs

    Stacy's CS2 Session: https://youtu.be/ZvBvzZkwmZg

    DoD Testimony 1: https://www.armed-services.senate.gov/hearings/to-receive-testimony-on-enterprise-cybersecurity-to-protect-the-department-of-defense-information-networks

    DoD Testimony 2: https://armedservices.house.gov/hearings/cyber-information-technologies-and-innovation-subcommittee-hearing-defense-digital-era

    Amira Armond: https://www.linkedin.com/in/amira-armond-25a77a141/

    CMMC, NIST, CUI, & DFARS News and Analysis for February 2023

    In this episode Jacob and Jason discuss their takeaways from the February Cyber AB Town Hall. This month saw some amazing questions on #CUI, working with #DoD CIO, continuous monitoring, the cost of assessments, and #CMMC rulemaking. They also give their thoughts on the Project Spectrum feature segment of the Town Hall. Jacob and Jason also provide an overview and their takeaways from the newly released 2023 National Cybersecurity Strategy and what it means for defense contractors and CMMC.

    ***CORRECTION 3/3/2023: DOUBLE CHECK YOUR PROJECT SPECTRUM SELF-ASSESSMENT ANSWERS FOR PARTIAL SCORING AND SYSTEM SECURITY PLANS***

    Episode Links:

    Cyber AB Town Hall: https://cyberab.org/News-Events/Town-Halls

    CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

    Project Spectrum: https://www.projectspectrum.io/#/

    DHS CSET Assessment Tool: https://www.cisa.gov/stopransomware/cyber-security-evaluation-tool-csetr

    DHS CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=1601-AA76

    NIST SP 800-53: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

    “Common” Controls: https://csrc.nist.gov/glossary/term/common_control

    “Hybrid” Controls: https://csrc.nist.gov/glossary/term/hybrid_control

    “Inheritance”: https://csrc.nist.gov/glossary/term/inheritance

    FedRAMP Baselines: https://www.fedramp.gov/baselines/

    DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

    CUI Registry: https://www.archives.gov/cui/registry/category-list

    CUI Overview: https://youtu.be/bEW7VgbIE_8

    CMMC Level 1 Guide: https://www.microsoft.com/cms/api/am/binary/RE54xON

    National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Cyber Strategy Overview: https://www.youtube.com/watch?v=6Fwtvcf2A2c

    Sector Risk Management Agencies: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/defense-industrial-base-sector

    Vital Signs 2023 Report: https://www.ndia.org/about/press/press-releases/2023/2/8/ndia-president-urges-congress-to-ready-defense-sector-for-great-power-competition

    State of the DIB Testimony: https://youtu.be/n62KE-1yQu4

    CMMC, NIST, CUI, & DFARS News and Analysis for December 2022

    In this episode we reflect on a few items from December 2022 and the story of #CMMC (rulemaking) in 2022 overall. We cover listener questions and Jason's experience taking (and passing) his #CCP exam. After a deep dive into the current status of CMMC rulemaking we discuss #DoD estimates about the size of the defense industrial base. We also cover a report on the status of NIST SP 800-171 implementation for DoD contractors. We wrap up with our predictions for 2023.

    Episode Links:

    Cooey Center of Excellence Discord Server: https://discord.com/invite/rPtTes5bq

    A CMMC Rulemaking "Delay": https://insidecybersecurity.com/daily-news/pentagon%E2%80%99s-cmmc-program-launch-faces-delay-omb-rulemaking-review-shifts-january

    Merrill Research Report: https://www.scmagazine.com/analysis/third-party-risk/most-us-defense-contractors-fail-basic-cybersecurity-requirements

    Old school security advisory: https://www.cisa.gov/uscert/ncas/archives/alerts/TA04-111

    Correction: In this episode (1:31:16), Jason mentions that Multifactor Authentication or “MFA” first started appearing in CISA Cybersecurity advisories in 2004. Although individual recommended security actions in CSAs that align with the requirements of NIST SP 800-171 can be found in alerts dating as far back as 2004, the recommendation for MFA was not introduced as a recommended mitigation action in a CISA CSA until 2014. We apologize for the error... sometimes numbers get him excited.

    Not Every Ill Comes to Harm (Lk 13:1-9)

    Some people came to tell Jesus about those Galileans whose blood Pilate had mingled with that of their sacrifices. Jesus answered them: "Do you think that those Galileans were greater sinners than all other Galileans because they suffered this fate? No, I tell you; but unless you repent, you will all perish in the same way. Or those eighteen people on whom the tower of Siloam fell and killed them, do you think they were more guilty than all the inhabitants of Jerusalem? No, I tell you; but unless you repent, you will all perish in the same way."

    The Javier Eastman Podcast Episode 7 Hector Cedillo (Español)

    A conversation with Ecuadorian tattoo artist Hector Cedillo (based in Massachusetts, USA), in which he tells us about his childhood in Ecuador, his beginnings in the world of tattooing, and his passion for mountain bikes, mainly downhill. Plus many more anecdotes, such as his experiences as a judge at the China Tattoo Convention. We hope you enjoy it!

    Contemporary and Traditional Worship (Ruth)

    In this conversation with Rev. Dr. Lester Ruth we explore: 1. the sources of contemporary praise and worship (CPaW), 2. stereotypes in regard to traditional and CPaW styles, 3. the storytelling aspect of worship, and 4. the future of the relationship between CPaW and traditional worship. If shownotes do not appear, follow this link: https://theologyinmotion.libsyn.com/contemporary-and-traditional-worship-ruth

    Optimizing Process Maturity in CMMC Level 5

    The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 5 process maturity requirements, which are standardizing and optimizing a documented approach for CMMC.

    The Tiananmen Square Massacre and Chinese Rock

    We are posting this podcast on June 4th, 2019, the 30th anniversary of the Tiananmen Square Massacre. We have decided to focus on a song (which is just a poem, after all) that was performed for the protesters in the Square and that became the anthem for the movement that, thirty years ago, briefly lit a path for Chinese democracy, before being snuffed out so brutally.

    Episode 7: Government and Industry Contracting

    Early on, most agencies did not address cybersecurity as part of contracting. Now, it is standard language in all contracts, especially those in Government and Industry entities. The number one rule in contracting is that your small business must meet or exceed the cybersecurity protection level of your client. The U.S. Department of Defense has its own cybersecurity requirements for contractors. Being noncompliant can lead to cancellation of contracts and/or liability for damages, or more. Femi and Steve talk about what kinds of measures your small business needs to take in preparation for bidding on government and industry contracts.

    Visibility 9-11 Presents Richard Grove In His Own Words, part 3

    This broadcast features national security whistleblower Richard Grove in his own words. Richard provides an insider's look into Cui Bono, or who benefited from the attacks of September 11th as he tells his story of corporate corruption, drug trafficking, and money laundering and their connections to 9-11. This is the third in a 3-part series which will be posted together with two one-hour segments and one shortened segment.

    Visibility 9-11 Presents Richard Grove In His Own Words, part 2

    This broadcast features national security whistleblower Richard Grove in his own words. Richard provides an insider's look into Cui Bono, or who benefited from the attacks of September 11th as he tells his story of corporate corruption, drug trafficking, and money laundering and their connections to 9-11. This is the second in a 3-part series which will be posted together with two one-hour segments and one shortened segment.

    Visibility 9-11 Presents Richard Grove In His Own Words

    This broadcast features national security whistleblower Richard Grove in his own words. Richard provides an insider's look into Cui Bono, or who benefited from the attacks of September 11th as he tells his story of corporate corruption, drug trafficking, and money laundering and their connections to 9-11. This is the first in a 3-part series which will be posted together with two one-hour segments and one shortened segment.
