dib

What to make of the 1,700+ comments submitted on the initial public draft of NIST Special Publication 800-171 revision 3? Jacob and Jason give their high-level takeaways and expectations for the future of the standard.

Register for CS2 | Denver and see the Sum IT Up 1 year anniversary show LIVE: https://cs2.cloud/

Podcast listeners 15% discount code for CS2 | Denver: SUMITUPCS2DEN

Episode Links:

Jacob's LinkedIN Poll on ODPS: https://www.linkedin.com/posts/jacob-evan-horne_last-week-nist-posted-the-public-comments-activity-7092152417344999424--IvO?utm_source=share&utm_medium=member_desktop

NIST Webinar of NIST 800-171r3: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3

NIST SP 800-171r3 IPD: https://csrc.nist.gov/pubs/sp/800/171/r3/ipd

NIST Protecting CUI Project: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

Sum It Up w/ Ron Ross: https://youtu.be/vAPFmga_NtI

Not even a week after DoD submitted the CMMC rule for regulatory review and the Office of Information and Regulatory Affairs accidentally posted the updated (draft) documents for all 3 levels of CMMC. In this episode we dive deep into new information about CMMC Level 3 and share our key takeaways from sneak peek of what's to come.

Episode Links:

SP 800-171r2 : Protecting Controlled Unclassified Information in Nonfederal Systems (nist.gov)

SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

SP 800-171 ODP Poll Results: https://www.linkedin.com/posts/jacob-evan-horne_last-week-nist-posted-the-public-comments-activity-7092152417344999424--IvO

In November 2021 the #DoD announced CMMC 2.0. Then they announced that it would 9 – 24 months to go through rulemaking for #CMMC to become a reality. On July 24th, 2023, roughly 20 months later, DoD officially submitted the CMMC rule to the Office of Management and Budget. In this episode Jason and Jacob dive into what it all means for defense contractors moving forward.

Episode Links:

Cyber AB Town Hall (July ‘23): https://cyberab.org/News-Events/Town-Halls/Details/july-2023-town-hall

7 Things to Know About Rulemaking: https://www.summit7.us/blog/cmmc-rulemaking-updates-august-2023

Amira Armond on assessment types/pros/cons: https://www.linkedin.com/posts/amira-armond-25a77a141_cmmc-nist800171-activity-7092146281032122370-XXIs

Acronym Soup: https://www.acronymsoup.org/

Episode Links: Cyber AB June TH: https://cyberab.org/News-Events/Town-Halls CMMC Ecosystem Summit Call For Speakers: https://na.eventscloud.com/cmmcpapers Recording of the June 6th.2023 NIST Webinar on 800-171 r3: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3#:~:text=On%20June%206%2C%202023%2C%20NIST,in%20Nonfederal%20Systems%20and%20Organizations. DOD IG Report on Implementation and Oversight of the Controlled Unclassified Information Program: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/ Stephanie's LinkedIn: https://www.linkedin.com/in/bstephaniesiegmann/ Cyber Civil-Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative Aerojet Rocketdyne FCA claim: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity UBER CISO Convicted of Covering up Data Breach: https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach Supreme Court FCA Ruling: supremecourt.gov/opinions/22pdf/21-1326_6jfl.pdf Lauren's LinkedIn: https://www.linkedin.com/in/laurencayers/ Professional Services Council: www.pscouncil.orgg

In this episode Jacob and Jason discuss their takeaways from the May Cyber AB Town Hall, including Jacob's guest appearance. The initial public draft of NIST SP 800-171r3 was released; and in this episode the fellas give their initial feedback and analysis on it. Additionally, we discuss the proposed rule to expand eligibility into the DIB CS program, the recently published ND-ISAC Cybersecurity Handbook for SMBs, and the MS Volt Typhoon campaign.

Episode Links:

NIST SP 800-171r3 Draft: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf

NIST Security Controls: Deep Dive with Dr. Ron Ross: https://www.youtube.com/watch?v=vAPFmga_NtI

Cooey Center of Excellence:: https://discord.com/invite/rPtTes5bqA

NIST SP 800-53r5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

The Cyber AB May Townhall: https://cyberab.org/News-Events/Town-Halls

DIB CS Proposed Rule: https://www.federalregister.gov/documents/2023/05/03/2023-09021/department-of-defense-dod-defense-industrial-base-dib-cybersecurity-cs-activities

ND-ISAC Handbook for SMBs: https://ndisac.org/wp-content/uploads/2023/05/Securing-SMB-Manufacturing-Supply-Chain-Resource-Handbook-Final_4MAY2023.pdf

MS Volt Typhoon Threat Brief: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

CISA VoltTyphoon Cybersecurity Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

At first glance the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk us through where SP 800-53 has been, where it's going, and how a broader understanding helps put SP 800-171 into context for federal contractors. For more information and resources please visit: https://www.summit7.us/resources#resources_nist

Episode Links:

Rainbow Series: https://en.wikipedia.org/wiki/Rainbow_Series

Anderson Report (PDF): https://csrc.nist.rip/publications/history/ande72.pdf

Ware Report: https://en.wikipedia.org/wiki/Ware_report

A Vulnerable System: https://www.amazon.com/Vulnerable-System-Information-Security-Computer-ebook/dp/B08YP9XH84

The Perfect Weapon: https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899

FISMA: https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final

FIPS 199: https://csrc.nist.gov/publications/detail/fips/199/final RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

Alan Paller: https://www.sans.org/about/our-founder/

Metrics as surrogates: https://hbr.org/2019/09/dont-let-metrics-undermine-your-business

EO 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information

CUI Registry: https://www.archives.gov/cui/registry/category-list

SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

SP 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall, CS2 Huntsville, and other interesting topics from March 2023 including recent #DoD testimony before Congress, #DIBCAC perspectives on Multifactor Authentication and #FIPS validated encryption, and other exciting topics. This month we were joined by our first ever podcast guest: DefCERT founder and CEO Ryan Bonner helps tackle a few complicated #CUI questions submitted during the Town Hall.

Episode Links:

DefCERT: https://defcert.com/

Ryan Bonner: https://www.linkedin.com/in/rybonner/

March AB Town Hall: https://cyberab.org/News-Events/Town-Halls/Details/march-2023-town-hall

Upcoming Natty Stratty Implementation Plan: https://federalnewsnetwork.com/cybersecurity/2023/03/white-house-aims-to-issue-cyber-strategy-implementation-plan-by-june/

DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

CUI Registry CTI: https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html

DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

DFARS Rights in Technical Data: https://www.acq.osd.mil/dpap/dars/dfars/html/current/227_71.htm

CMMC Scoping Guide: https://dodcio.defense.gov/CMMC/Documentation/

DI MGMT 82247: https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/Assess-Compliance-and-Enhance-Protection-of-Contractor-System-with-Attachments-11-6-2018.pdf

CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

32 CFR: https://www.ecfr.gov/current/title-32

48 CFR: https://www.ecfr.gov/current/title-48

Draft CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf GAO Report: https://www.gao.gov/products/gao-23-105510

CMMC Scaling vs DIBCAC: https://www.federalregister.gov/d/2020-21123/p-49

CMMC Assessment Guide: https://dodcio.defense.gov/CMMC/Documentation/

NIST SP 800-171A: https://www.nist.gov/news-events/news/2018/06/nist-publishing-special-publication-sp-800-171a-assessing-security

SPRS Rule: https://www.federalregister.gov/documents/2023/03/22/2023-05671/defense-federal-acquisition-regulation-supplement-use-of-supplier-performance-risk-system-sprs

Bob Metzger's Take on SPRS Rule: https://www.linkedin.com/posts/robertmetzger_sprs-evaluation-criteria-manual-activity-7046888772768067584-7bHW

Jacob's CS2 Session: https://youtu.be/hipUN_4rfOs

Stacy's CS2 Session: https://youtu.be/ZvBvzZkwmZg

DoD Testimony 1: https://www.armed-services.senate.gov/hearings/to-receive-testimony-on-enterprise-cybersecurity-to-protect-the-department-of-defense-information-networks

DoD Testimony 2: https://armedservices.house.gov/hearings/cyber-information-technologies-and-innovation-subcommittee-hearing-defense-digital-era

Amira Armond: https://www.linkedin.com/in/amira-armond-25a77a141/

In this episode Jacob and Jason discuss their takeaways from the February Cyber AB Town Hall. This month saw some amazing questions on #CUI, working with #DoD CIO, continuous monitoring, the cost of assessments, and #CMMC rulemaking. They also give their thoughts on the Project Spectrum feature segment of the Town Hall. Jacob and Jason also provide an overview and their takeaways from the newly released 2023 National Cybersecurity Strategy and what it means for defense contractors and CMMC.

***CORRECTION 3/3/2023: DOUBLE CHECK YOUR PROJECT SPECTRUM SELF-ASSESSMENT ANSWERS FOR PARTIAL SCORING AND SYSTEM SECURITY PLANS***

Episode Links:

Cyber AB Town Hall: https://cyberab.org/News-Events/Town-Halls

CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

Project Spectrum: https://www.projectspectrum.io/#/

DHS CSET Assessment Tool: https://www.cisa.gov/stopransomware/cyber-security-evaluation-tool-csetr

DHS CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=1601-AA76

NIST SP 800-53: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

“Common” Controls: https://csrc.nist.gov/glossary/term/common_control

“Hybrid” Controls: https://csrc.nist.gov/glossary/term/hybrid_control

“Inheritance”: https://csrc.nist.gov/glossary/term/inheritance

FedRAMP Baselines: https://www.fedramp.gov/baselines/

DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

CUI Registry: https://www.archives.gov/cui/registry/category-list

CUI Overview: https://youtu.be/bEW7VgbIE_8

CMMC Level 1 Guide: https://www.microsoft.com/cms/api/am/binary/RE54xON

National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

Cyber Strategy Overview: https://www.youtube.com/watch?v=6Fwtvcf2A2c

Sector Risk Management Agencies: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/defense-industrial-base-sector

Vital Signs 2023 Report: https://www.ndia.org/about/press/press-releases/2023/2/8/ndia-president-urges-congress-to-ready-defense-sector-for-great-power-competition

State of the DIB Testimony: https://youtu.be/n62KE-1yQu4

In this episode we reflect on a few items from December 2022 and the story of #CMMC (rulemaking) in 2022 overall. We cover listener questions and Jason's experience taking (and passing) his #CCP exam. After a deep dive into the current status of CMMC rulemaking we discuss #DoD estimates about the size of the defense industrial base. We also cover a report on the status of NIST SP 800-171 implementation for DoD contractors. We wrap up with our predictions for 2023.

Episode Links:

Cooey Center of Excellence Discord Server: https://discord.com/invite/rPtTes5bq

A CMMC Rulemaking "Delay": https://insidecybersecurity.com/daily-news/pentagon%E2%80%99s-cmmc-program-launch-faces-delay-omb-rulemaking-review-shifts-january

Merrill Research Report: https://www.scmagazine.com/analysis/third-party-risk/most-us-defense-contractors-fail-basic-cybersecurity-requirements

Old school security advisory: https://www.cisa.gov/uscert/ncas/archives/alerts/TA04-111

Correction: In this episode (1:31:16), Jason mentions that Multifactor Authentication or “MFA” first started appearing in CISA Cybersecurity advisories in 2004. Although individual recommended security actions in CSAs that align with the requirements of NIST SP 800-171 can be found in alerts dating as far back as 2004, the recommendation for MFA was not introduced as a recommended mitigation action in a CISA CSA until 2014. We apologize for the error.... sometimes numbers get him excited.

In this episode Jacob and Jason dive into the November 2022 Cyber AB Town Hall and provide takeaways the Cyber AB's inaugural #CMMC Ecosystem Summit. Jacob and Jason also explore the findings of a GAO report on cyber incident reporting and handling by the #DoD and Defense Industrial Base contractors while connecting the dots to #DIBCAC findings featured in Episode 2. November 2022 is the 12th anniversary of Executive Order 13556 which establish the federal #CUI program. Of course, Jacob and Jason just so happened to find a clear example of overmarked CUI on a public DoD webpage. Episode Links: Cyber AB November Town Hall: https://cyberab.org/News-Events/Town-halls/Details/november-town-hall Executive Order 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information GAO Report: https://www.gao.gov/products/gao-23-105084 Kelly Kiernan: https://www.linkedin.com/in/kelley-kiernan-cto/ Blue Cyber: https://www.safcn.af.mil/CISO/Small-Business-Cybersecurity-Information/ DoD Zero Trust Strategy: https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf SP 800-171 vs NIST CSF Ransomware Profile: https://www.linkedin.com/posts/jacob-evan-horne_nist-sp-800-171-by-nist-csf-ransomware-profile-activity-6928378291812786176-Env7

In this episode Jacob and Jason dive into the October 2022 Cyber AB Town Hall by exploring the questions (both answered and unanswered) submitted during the town hall Q&A segment. Jason provides his thoughts on the quality of the updated Registered Practitioner training. Time is spent on Rumor Control: Large prime contractors are seemingly requiring everyone to get #CMMC Level 2 certified and there's not much that #DoD can do to stop them. Jacob discusses the specter of #NIST SP #800-171 Appendix E and why they remain a thorn in everyone's sides. Other questions addressed: Are the rumors of Congressional funding for CMMC actually true? Is DoD actually bad at communicating? Why is it so hard to know how many requirements correspond to CMMC Level 1? The show wraps up with a brief discussion of NIST SP 800-172 and the newly released #CISA Cross-Sector Cybersecurity Performance Goals.

Episode Links:

Cyber AB Town Hall: https://cyberab.org/News-Events/Town-halls

CMMC Level 3 Likelihood: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6978019292143394816-0OGI?utm_source=share&utm_medium=member_desktop

NFO Controls in CMMC: https://www.youtube.com/watch?v=9UyyONyOjJg

NIST SP 800-171 Comment summary: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

CMMC Delta 20 rationale: https://insights.sei.cmu.edu/blog/beyond-nist-sp-800-171-20-additional-practices-cmmc/

The SA-9 Control: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-9

CMMC Documentation: https://www.acq.osd.mil/cmmc/documentation.html

DFARS Rulemaking on funding (2016): https://www.federalregister.gov/d/2016-25315/p-139

DoD Testimony on Communication and Industry Engagement: https://www.armed-services.senate.gov/hearings/cybersecurity-of-the-defense-industrial-base

OMB Rules Under Review: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp

7 Steps to CMMC: https://www.summit7.us/7-steps-to-cmmc

FAR 52.204-21: https://www.acquisition.gov/far/52.204-21

NIST SP 800-172: https://csrc.nist.gov/publications/detail/sp/800-172/final

DoD hopes Primes Don't Require Level 2: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6973293313240047617-YCGe?utm_source=share&utm_medium=member_desktop

Public/Private Partnership Overview: https://www.chathamhouse.org/sites/default/files/publications/ia/INTA92_1_03_Carr.pdf

CISA Cross-Sector Cyber Performance Goals: https://www.cisa.gov/cpg James Dempsey on Measurable Standards: https://www.lawfareblog.com/cybersecurity-regulation-its-not-performance-based-if-outcomes-cant-be-measured

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 1 Assessment Guide for the CMMC.

One of the primary drivers of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is the congressional mandate to reduce the risk of accidental disclosure of controlled unclassified information (CUI). However, a full CMMC assessment can seem daunting to organizations in the Defense Industrial Base (DIB), and many might not know where to start. In this webcast, Model Architects Gavin Jurecko and Matt Trevors reviewed several steps for identifying CUI exposure in terms of their critical services and the assets that support them. This approach can help DIB organizations properly scope a CMMC assessment and contain the costs of protecting CUI.

Andrew Hoover and Katie Stewart discussed the DoD’s new CMMC program. They gave a brief overview of CMMC followed by a deep dive into the Process Maturity aspect of the model. The webcast provided insight into how organizations can prepare for CMMC.

Have you got a clear, concise marketing plan for your business? Or are flying by the seat of your pants hoping things will work out. 

A marketing plan is arguably one of the most important documents any business can create. If you've avoided creating a plan because you thought it would be too expensive, time consuming or difficult then I have good news. 

Author of the One Page Marketing Plan Allan Dib joins me to explain how you can create a sophisticated plan for your business on one sheet of paper in around 20 mins.

Today on the Dear Handmade Life podcast we’re talking to serial entrepreneur, rebellious marketer, technology expert and author of one of my favorite marketing books The 1-Page Marketing Plan about marketing your creative business. I talk with Allan about letting go of money issues, the fault of glorifying busyness, the importance of getting clear goals, the "know, like and trust" strategy and we dive deep into the first few steps of creating a 1-page marketing plan.