    dib

    Explore "dib" with insightful episodes like "What's Next for 800-171r3?", "What comes after CMMC public comments?", "CS2 Boston Preview", "2024 Rulemaking Calendar" and "CMMC and the Supreme Court" from the podcast "Sum IT Up: CMMC News Roundup" and more!

    Episodes (42)

    What’s Next for 800-171r3?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    NIST has released their summary of public comments received on the final drafts of SP 800-171 revision 3 and SP 800-171A revision 3. Jason and Jacob dive into when to expect the final revisions and what to expect in the revised requirements.

    Podcast listeners get a discount on CS2 registration, just use the code: SUMITUPBOSTON

    Episode Links:

    NIST CUI Project Page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    171r3 Blog: https://www.summit7.us/blog/nist-800-171-rev3-final-draft

    ORC Control Poll: https://www.linkedin.com/posts/jacob-evan-horne_supply-chain-security-pop-quiz-nist-control-activity-7168287222444576769-7iw_

    What comes after CMMC public comments?

    Register for CS2 | Boston here: https://cs2.cloud/boston

    The public comment period on the CMMC proposed rule has closed, so what happens next? In this episode we wade through the red tape in store over the next 12 months.

    Podcast listeners use code SUMITUPBOSTON for a discount on registration.

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    “Midnight Rulemaking”: https://www.gao.gov/products/gao-23-105510

    DoD's Rule Overview: https://youtu.be/DqRf0DiVBVI?si=2kTZcX45zD5ZPsnp

    We Are the World: https://youtu.be/cYfe8RYcz-w

    CS2 Boston Preview

    Register for CS2 | Boston here: https://cs2.cloud/boston

    It's almost springtime, and that means it's almost time for another CS2 conference. CS2 Boston will be the 13th event in the series and, as always, there's an all-star lineup covering every nook and cranny of DFARS, NIST, and CMMC.

    Podcast listeners get 20% off registration with the code SUMITUPBOSTON

    Episode Links:

    CS2 Boston: https://cs2.cloud/boston

    DoD video overview: https://youtu.be/DqRf0DiVBVI?si=rDYWHsAHr6jwPPVm

    2024 Rulemaking Calendar

    Register for CS2 | Boston here: https://cs2.cloud/boston

    If you thought the publication of one major DoD cyber rule at the end of 2023 caused a lot of issues, how about FIVE potential rules and two NIST revisions in 2024? This week we outline the seven rules to watch for in 2024.

    Listener discount code: SUMITUPBOSTON

    Episode Links:

    [Webinar] The Top 10 Questions From the CMMC Rule: https://www.summit7.us/webinars/the-top-10-questions-from-the-cmmc-rule

    CS2 Boston: https://cs2.cloud/boston

    Midnight Rulemaking: https://www.gao.gov/products/gao-23-105510

    CMMC and the Supreme Court

    The Supreme Court is set to upend decades of administrative law doctrine, and it will have huge impacts on the cyber regulation landscape. In this episode we sit down with Jim Dempsey, a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center, to understand what SCOTUS is up to and what the heck it has to do with CMMC.

    Episode Links:

    Cyber Law Fundamentals: https://iapp.org/resources/article/cybersecurity-law-fundamentals/

    Lawfare Article: https://www.lawfaremedia.org/article/a-cyber-threat-to-u.s.-drinking-water

    Cyber Law Podcast: https://open.spotify.com/show/3Co2wdTUaZr4Xqnlxs4soG?si=64382c0b7b7a49c9

    Tech Policy Podcast: https://open.spotify.com/episode/1klWdGIAxI7YBTljMvI412?si=ea93f23b3f9143cb

    Dissed Podcast: https://open.spotify.com/episode/70GmGuWyEyKI2qNLcqlSIv?si=c69a3b6337ea4227

    National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Chevron Deference: https://ballotpedia.org/Chevron_deference_(doctrine)

    Auer Deference: https://ballotpedia.org/Auer_deference

    New Strategy, Who NDIS?

    The DoD has released yet another strategy document that claims to have the answer for expanding the defense supply chain while also increasing cybersecurity requirements. Maybe this time it will be different? This week we dive into the National Defense Industrial Strategy to see if there is anything to learn about the DoD's position on the impacts of CMMC.

    Episode Links:

    Register for CS2 Boston: https://cs2.cloud/boston

    NDIS: https://www.businessdefense.gov/NDIS.html

    DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/

    “The Last Supper”: https://www.washingtonpost.com/archive/business/1997/07/04/how-a-dinner-led-to-a-feeding-frenzy/13961ba2-5908-4992-8335-c3c087cdebc6/

    View the full webinar, CMMC Published: A Comprehensive Overview of the Proposed CMMC Rule On-Demand here: https://www.summit7.us/webinars/proposed-cmmc-rule

    Cloudy With a Chance of Memos

    FedRAMP Moderate "equivalency" has been a thing since 2016, but DoD never really defined the term until January 2024. "The memo" has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all.

    Episode Links:

    DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

    The memo (PDF): https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

    Equivalency circa 2018: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

    FedRAMP: https://www.fedramp.gov/program-basics/

    NIST SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    DoD IG: Contractor Cybersecurity Hasn’t Improved

    Summit 7 CMMC Solutions: https://www.summit7.us/cmmc-level-solution-sets

    The DoD Inspector General released a special report comparing their contractor cyber assessment findings with their findings during DOJ False Claims Act investigations. No surprise, the same cybersecurity issues pop up again and again. Will this add fuel to the CMMC fire?

    Episode Links:

    The IG Report: https://www.dodig.mil/reports.html/Article/3606026/special-report-common-cybersecurity-weaknesses-related-to-the-protection-of-dod/

    The IG project announcement for C3PAOs: https://www.dodig.mil/reports.html/Article/3536652/project-announcement-audit-of-the-dods-process-for-accrediting-third-party-orga/

    171r3 Webinar (NIST): https://csrc.nist.gov/Events/2024/critical-updates-to-nist-cui-publications

    171r3 Comments Extended: https://csrc.nist.gov/News/2023/drafts-of-800-171-rev-3-and-800-171a-rev-3-availab

    Halloween episode: https://youtu.be/jy2AHrSztjM?si=7h6cW30Gr25Gx11X

    7 Things to Know About the 171r3 and 171Ar3 Drafts

    The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are out. There are simultaneously more and fewer requirements. ODPs have gone away, but not really. Problematic assumptions were reversed only to be repeated. Up is down; left is right; and the final revisions are expected in a few short months. Today we dive into the first 7 things you need to know.

    Episode Links:

    800-171r3 Final Draft: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd

    800-171Ar3 Initial Draft: https://csrc.nist.gov/pubs/sp/800/171/a/fpd

    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    Sum IT Up: Live (CS2 Denver): https://youtu.be/td8Te1LZfEI?si=Yh7SIM2A9SFjMVMK

    7 Questions Ahead of the NIST SP 800-171r3 Final Draft

    The final draft of NIST SP 800-171 revision 3 and the initial draft of SP 800-171A are due to be published soon. In this episode we dive into seven questions at the front of our minds before the big day.

    Episode Links:

    SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/ipd

    Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    Trick or Treating at the Cyber AB Town Hall

    Get any good candy for Halloween? The CMMC rule got a 30-day extension for the pre-publication review by the Office of Information and Regulatory Affairs (OIRA). The Cyber AB got notice that the DoD Inspector General is auditing the accreditation process for C3PAOs. In this episode we discuss why both of these things aren't as big of a deal as they might seem.

    Episode Links:

    Cyber AB Town Halls: https://cyberab.org/News-Events/Town-Halls

    DoD IG Project Announcement: https://www.dodig.mil/reports.html/Article/3536652/project-announcement-audit-of-the-dods-process-for-accrediting-third-party-orga/

    OMB Rulemaking Dashboard: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp

    7 Things to Know Ahead of the CMMC Rule

    The regulatory review of the CMMC rule is coming to an end. That means we should see a published CMMC rule in the next few weeks. In this episode Jason and Jacob dive into 7 things you need to know to hit the ground running when the public comment window opens.

    Episode Links:

    CMMC rulemaking entry: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=0790-AL49

    Estimating the Cost of NIST SP 800-171

    The government recently released a new Federal Acquisition Regulation rule that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171, even though it is derived directly from SP 800-53. In this episode we use our knowledge of SP 800-53 to do the impossible and estimate the cost of SP 800-171 using the government's own numbers.

    Episode Links:

    LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_information-hazards-are-one-of-my-favorite-activity-7116107489045004288-BfrM

    FAR Rule: https://www.federalregister.gov/documents/2023/10/03/2023-21327/federal-acquisition-regulation-standardizing-cybersecurity-requirements-for-unclassified-federal

    Fuzzy Math @ CS2 San Diego (2021): https://www.youtube.com/watch?v=843K3hkLquk

    SolarWinds Hack: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

    EO 14028: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    DFARS 7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.

    DFARS 7010: https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services.

    FIPS 199: https://csrc.nist.gov/pubs/fips/199/final

    SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

    SP 800-171B cost estimate (2019): https://csrc.nist.gov/pubs/sp/800/171/b/ipd

    The 2020 CMMC Rule 3 Years Later

    Register for CS2 | Denver: https://cs2.cloud/

    The biggest debate around CMMC: whether the rule should be "interim final" or "proposed". On average it takes around a year longer for proposed rules to go into effect. This raises the question: if the 2020 CMMC rule was interim final, why wouldn't the 2023 CMMC rule be interim final as well? Has the national security justification for interim final status in previous rules changed for the better?

    CS2 | Denver discount code: SUMITUPCS2DEN

    Episode Links:

    CS2 Denver: https://cs2.cloud/

    2020 Rule: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

    2016 Rule: https://www.federalregister.gov/documents/2016/10/21/2016-25315/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for

    2013 Rule: https://www.federalregister.gov/documents/2013/11/18/2013-27313/defense-federal-acquisition-regulation-supplement-safeguarding-unclassified-controlled-technical

    LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_3-years-ago-this-month-the-dod-issued-the-activity-7110270262020857856-l6Om

    CMMC and the National Defense Strategy of the U.S.

    It can be easy to lose perspective on the critical role that the CMMC program plays in the larger national defense strategy of the United States – especially if you don't work in the Pentagon. On top of that, the DoD is in full radio silence until the end of the public comment period on the upcoming CMMC rule. However, if you dig deep enough into DoD's strategy documents you'll quickly find that the CMMC program is a critical element of the national defense strategy of the United States.

    Episode Links:

    CS2 Denver: https://cs2.cloud/

    2023 DoD Cyber Strat: https://www.defense.gov/News/Releases/Release/Article/3523199/dod-releases-2023-cyber-strategy-summary/#:~:text=The%20strategy%20highlights%20DOD's%20actions,protect%20the%20defense%20industrial%20base

    2022 National Defense Strategy: https://www.defense.gov/News/News-Stories/Article/Article/3202438/dod-releases-national-defense-strategy-missile-defense-nuclear-posture-reviews/#:~:text=The%202022%20National%20Defense%20Strategy%2C%20or%20NDS%2C%20places,of%20U.S.%20allies%20and%20partners%20on%20shared%20objectives.

    2023 National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

    Additional Context: https://www.linkedin.com/posts/jacob-evan-horne_2023-dod-cyber-strat-summary-activity-7107765455938822145-ibdi

    CMMC in Canada: https://www.ccc.ca/en/announcements/government-of-canada-program-for-cyber-security-certification/

    Register for CS2 | Denver: https://cs2.cloud/

    DFARS and CMMC Updated?

    Register for CS2 | Denver: https://cs2.cloud/

    If you google DFARS 7021 you'll see that the CMMC contract clause has an "effective date" that isn't very old. Recently this has caused some folks to think that something has changed with CMMC before the rulemaking process has finished. In this episode we dive into what's going on with "effective date" disparities, the rulemaking process, and how to sniff out bad information.

    Episode Links:

    Deep dive with Lauren Ayers: https://youtu.be/lPQbO9872IQ?si=h8ojZyOYTxEkxeWY

    Rulemaking update: https://youtu.be/qyLDQxo-YPg?si=SHGUHNzlY_4-XkBA

    eCFR: https://www.ecfr.gov/

    Acquisition.gov: https://www.acquisition.gov/

    CS2 discount code for Sum IT Up listeners: SUMITUPCS2DEN

    New Vulnerability Management Requirements for Contractors?

    Register for CS2 | Denver: https://cs2.cloud/

    The 2023 Federal Cybersecurity Vulnerability Reduction Act directs the government to change cybersecurity requirements for contractors. How will changes to federal acquisition regulations affect defense contractors? How many more vulnerability controls does NIST have on deck that could be included? This week Jason and Jacob dive into what's coming around the bend.

    Episode Links:

    Legislation: https://www.congress.gov/bill/118th-congress/house-bill/5255/text

    LinkedIn Discussion: https://www.linkedin.com/posts/jacob-evan-horne_federal-cybersecurity-vulnerability-reduction-activity-7102336020951519233-kM1L

    800-53B: https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final

    800-171r3 IPD: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf

    New Details on Joint Surveillance Assessments

    The Cyber AB Town Hall for August 2023 was full of encouraging numbers. The number of people certified in various CMMC ecosystem roles continues to increase. Successful Joint Surveillance Assessments are also up, and a recent Reddit post contained fascinating details about the cost and complexity of a real-world CMMC assessment.

    Episode Links:

    r/CMMC post: https://old.reddit.com/r/CMMC/comments/15zawp6/mission_accomplished/

    r/NISTControls post: https://old.reddit.com/r/NISTControls/comments/15zaxnl/mission_accomplished/

    OIRA Leak Episode: https://youtu.be/b_CthhFXLfw?si=hD9RJHTU_D7jqm85

    Register for CS2 | Denver: https://cs2.cloud/

    CS2 | Denver podcast discount code: SUMITUPCS2DEN

    NIST Releases Summary of 171r3 Public Comments

    Register for CS2 | Denver and catch the Sum IT Up 1 Year Anniversary show LIVE: https://cs2.cloud/

    Just a few weeks after the end of the public comment period on NIST SP 800-171r3, NIST has released their official summary. Timelines are on track and industry focused overwhelmingly on just a few things. Overall, NIST is planning some changes that will likely result in a larger 171r3. This week Jacob and Jason dive into what NIST is saying between the lines.

    *** ERRATA: NIST plans to release the next drafts in Q4 2023, not Q4 2024 ***

    Episode Links:

    171r3 Project page: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

    CS2 Denver: https://cs2.cloud/

    © 2024 Podcastworld. All rights reserved
