    dfars

    Explore "dfars" with insightful episodes like "What’s Next for 800-171r3?", "What comes after CMMC public comments?", "CS2 Boston Preview", "2024 Rulemaking Calendar" and "The Truth About the False Claims Act" from podcasts like "Sum IT Up: CMMC News Roundup" and more!

    Episodes (38)

    What’s Next for 800-171r3?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    NIST has released their summary of public comments received on the final drafts of SP 800-171 revision 3 and SP 800-171A revision 3. Jason and Jacob dive into when to expect the final revisions and what to expect in the revised requirements.

    Podcast listeners get a discount on CS2 registration, just use the code: SUMITUPBOSTON

    Episode Links:

    NIST CUI Project Page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    171r3 Blog: https://www.summit7.us/blog/nist-800-171-rev3-final-draft

    ORC Control Poll: https://www.linkedin.com/posts/jacob-evan-horne_supply-chain-security-pop-quiz-nist-control-activity-7168287222444576769-7iw_

    What comes after CMMC public comments?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    The public comment period on the CMMC proposed rule has closed, so what happens next? In this episode we wade through the red tape in store over the next 12 months.

    Podcast listeners use code SUMITUPBOSTON for a discount on registration

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    “Midnight Rulemaking”: https://www.gao.gov/products/gao-23-105510

    DoD's Rule Overview: https://youtu.be/DqRf0DiVBVI?si=2kTZcX45zD5ZPsnp

    We Are the World: https://youtu.be/cYfe8RYcz-w

    CS2 Boston Preview

    Register for CS2 | Boston here: https://cs2.cloud/boston

    It's almost Springtime and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC.

    Podcast listeners get 20% off registration with the code SUMITUPBOSTON

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm

    2024 Rulemaking Calendar

    Register for CS2 | Boston here: https://cs2.cloud/boston

    If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues, how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024.

    Listener discount code: SUMITUPBOSTON

    Episode Links:

    [Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule

    CS2 Boston: https://cs2.cloud/boston

    Midnight Rulemaking: https://www.gao.gov/products/gao-23-105510

    The Truth About the False Claims Act

    Register for CS2 | Boston: https://cs2.cloud/boston

    This week we're joined by Alex Canizares to catch up on enforcement trends under the False Claims Act. As a former DOJ trial attorney, Alex walks us through the finer details of FCA cases and what it means for CMMC, defense contractors, and the road ahead.

    Episode Links:

    Alex Canizares: https://www.linkedin.com/in/alexandercanizares/

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/dod-issues-proposed-cmmc-rule-requiring-cybersecurity-assessments-of-contractors.html

    Perkins Coie Blog: https://www.perkinscoie.com/en/news-insights/proposed-far-rules-introduce-new-compliance-obligations-and-false-claims-act-risks-for-government-contractors.html

    Cyber Civil Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

    CS2 discount code for our listeners: SUMITUPBOSTON

    CMMC and the Supreme Court

    The Supreme Court is set to upend decades of administrative law doctrine and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC.

    Episode Links:

    Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/

    Lawfare Article: https://www.lawfaremedia.org/article/a-cyber-threat-to-u.s.-drinking-water

    Cyber Law Podcast: https://open.spotify.com/show/3Co2wdTUaZr4Xqnlxs4soG?si=64382c0b7b7a49c9

    Tech Policy Podcast: https://open.spotify.com/episode/1klWdGIAxI7YBTljMvI412?si=ea93f23b3f9143cb

    Dissed Podcast: https://open.spotify.com/episode/70GmGuWyEyKI2qNLcqlSIv?si=c69a3b6337ea4227

    National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Chevron Deference: https://ballotpedia.org/Chevron_deference_(doctrine)

    Auer Deference: https://ballotpedia.org/Auer_deference

    CMMC Predictions for 2024

    With five rulemaking efforts, multiple NIST revisions, and everything else going on in the DoD cyber regulation space it's hard to keep up with what's happening. In this episode we try and predict what's coming around the corner in 2024.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    DoD IG Report Episode: https://youtu.be/_3GLX6ele_E?si=KKhtgbjsxiLXWVJd

    Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=naLAhZPV794TAC66

    DoD IG Audit: https://www.linkedin.com/posts/jacob-evan-horne_dod-ig-dod-process-for-accrediting-c3paos-activity-7114319133088866304-uhU5

    RAS Syndrome: https://en.wikipedia.org/wiki/RAS_syndrome

    New Strategy, Who NDIS?

    The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    NDIS: https://www.businessdefense.gov/NDIS.html

    DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/

    “The Last Supper”: https://www.washingtonpost.com/archive/business/1997/07/04/how-a-dinner-led-to-a-feeding-frenzy/13961ba2-5908-4992-8335-c3c087cdebc6/

    View the full webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule On-Demand here: https://www.summit7.us/webinars/proposed-cmmc-rule

    Cloudy With a Chance of Memos

    FedRAMP moderate “equivalency” has been a thing since 2016, but DoD never really defined the term until January 2024. “The memo” has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all.

    Episode Links:

    DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

    The memo (PDF): https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

    Equivalency circa 2018: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

    FedRAMP: https://www.fedramp.gov/program-basics/

    NIST SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    7 Tips for Crafting Good Public Comments

    Register for the upcoming webinar; CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule

    Thinking about submitting comments on the CMMC proposed rule? Not sure where to start? In this episode we go over the “commenter's checklist” from regulations.gov to help you evaluate the quality of your public comments on federal rules, NIST publications, and more.

    Episode Links:

    Summit 7 Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule

    Commenter's Checklist (PDF): https://s3.amazonaws.com/prod-regulations-faq/pdf/Tips-For-Submitting-Effective-Comments.pdf

    CMMC Proposed Rule: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

    CMMC Guidance Documents: https://www.federalregister.gov/documents/2023/12/26/2023-27281/cybersecurity-maturity-model-certification-cmmc-program-guidance

    NIST SP 800-171 revision 3 draft: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    Last Show of the Year; First Show of the New Rule

    Register for the upcoming webinar; CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule: https://www.summit7.us/webinars/proposed-cmmc-rule


    The 2023 CMMC rule was published the Friday before Christmas and most people haven’t fully digested all 234 pages yet. In this episode Jason and Jacob cover the rule at 30,000 feet so you can hit the ground running in 2024.


    Episode Links:

    CMMC on the Federal Register: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

    The CMMC documents: https://www.federalregister.gov/documents/2023/12/26/2023-27281/cybersecurity-maturity-model-certification-cmmc-program-guidance

    DoD IG: Contractor Cybersecurity Hasn’t Improved

    Summit 7 CMMC Solutions: https://www.summit7.us/cmmc-level-solution-sets

    The DoD Inspector General released a special report comparing their contractor cyber assessment findings with their findings during DOJ False Claims Act investigations. No surprise, the same cybersecurity issues pop up again and again. Will this add fuel to the CMMC fire?

    Episode Links:

    The IG Report: https://www.dodig.mil/reports.html/Article/3606026/special-report-common-cybersecurity-weaknesses-related-to-the-protection-of-dod/

    The IG project announcement for C3PAOs: https://www.dodig.mil/reports.html/Article/3536652/project-announcement-audit-of-the-dods-process-for-accrediting-third-party-orga/

    171r3 Webinar (NIST): https://csrc.nist.gov/Events/2024/critical-updates-to-nist-cui-publications

    171r3 Comments Extended: https://csrc.nist.gov/News/2023/drafts-of-800-171-rev-3-and-800-171a-rev-3-availab

    Halloween episode: https://youtu.be/jy2AHrSztjM?si=7h6cW30Gr25Gx11X

    There’s TWO CMMC rules?!

    There are two different CMMC rules. One rule pertains to the CMMC program while the other pertains to the CMMC contract clause. The Fall 2023 Unified Agenda is out and it provides all the details about why there are two rules and what it means for defense contractors.

    Episode Links:

    Unified Agenda: https://www.reginfo.gov/public/do/eAgendaMain

    32 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0790-AL49

    48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81

    Cyber AB 2023 Year in Review

    The November Cyber AB Town Hall recapped the CMMC ecosystem highlights from 2023. Assessor numbers have increased, but will there be enough assessment capacity to meet demand?

    Episode links:

    Cyber AB Town Halls: https://cyberab.org/News-Events/Town-halls/Details/november-town-hall

    Natty Stratty Discussion: https://youtu.be/QvaLdx_wb1U?si=pgIabPLZJpGGVDS-

    NIST SP 800-171 revision 3 with Dr. Ron Ross

    The great and powerful Dr. Ron Ross returns to walk us through the latest drafts of NIST SP 800-171 and SP 800-171A: what they are, why they are, where they're going, and what's in store for federal contractors handling controlled unclassified information (CUI).

    Episode Links:

    NIST Controls Deep Dive w/ Ron Ross (May 2023): https://youtu.be/vAPFmga_NtI?si=kfmdKyXaHiTCpFiq

    171r3 (Final Draft) - 7 Things to Know: https://www.summit7.us/blog/nist-800-171-rev3-final-draft

    800-171r3 Final Draft: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    800-171Ar3 Initial Draft: https://csrc.nist.gov/pubs/sp/800/171/a/fpd

    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    7 Things to Know About the 171r3 and 171Ar3 Drafts

    The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are out. There are simultaneously more and fewer requirements. ODPs have gone away, but not really. Problematic assumptions were reversed only to be repeated. Up is down; left is right; and the final revisions are expected in a few short months. Today we dive into the first 7 things you need to know.

    Episode Links:

    800-171r3 Final Draft: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    800-171Ar3 Initial Draft: https://csrc.nist.gov/pubs/sp/800/171/a/fpd

    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    Sum IT Up: Live (CS2 Denver): https://youtu.be/td8Te1LZfEI?si=Yh7SIM2A9SFjMVMK

    7 Questions Ahead of the NIST SP 800-171r3 Final Draft

    The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are due to be published soon. In this episode we dive into seven questions at the front of our minds before the big day.

    Episode Links:

    SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/ipd

    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    Trick or Treating at the Cyber AB Town Hall

    Get any good candy for Halloween? The CMMC rule got a 30-day extension for the pre-publication review by the Office of Information and Regulatory Affairs (OIRA). The Cyber AB got notice that the DoD Inspector General is auditing the accreditation process for C3PAOs. In this episode we discuss why both of these things aren't as big of a deal as they might seem.

    Episode Links:

    Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls

    DoD IG Project Announcement: https://www.dodig.mil/reports.html/Article/3536652/project-announcement-audit-of-the-dods-process-for-accrediting-third-party-orga/

    OMB Rulemaking Dashboard: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp

    © 2024 Podcastworld. All rights reserved
