Episodes

  • Cyber Overconfidence in the DIB
    Jul 18 2024

    Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/

    The DoD's Center for Manufacturing Cybersecurity has released a report documenting the level of confidence that defense contractors have in their cybersecurity posture. The conclusion? There is a systemic cybersecurity overconfidence problem in the DIB.

    Episode Links:

    DIB Summer Camp: https://www.summit7.us/securethedib

    MxD Report: https://www.mxdusa.org/cyber/cyberreport/

    55 m
  • Live, Laugh, Rulemaking
    Jul 11 2024

    Register for Secure the DIB: Summer Camp for FREE here: https://www.securethedib.us/

    The 32 CFR CMMC final rule has officially left the DoD and is currently undergoing final regulatory review. This is the last step before publication in the Federal Register. Based on what we know, CMMC should be a reality before the end of 2024.

    Episode Links: Proposed Rule Webinar: https://www.summit7.us/webinars/proposed-cmmc-rule

    37 m
  • What the Heck is an ODP?
    Jul 4 2024

    Now that SP 800-171 revision 3 is official, organizationally defined parameters (ODPs) are officially a part of the rest of our lives. Like most things in SP 800-171, there are great details in SP 800-53 that help explain what's going on. In this episode we take a deep dive into requirement 3.1.8 through the lens of ODPs.

    Episode Links:

    SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    FedRAMP baselines: https://www.fedramp.gov/baselines/

    51 m
  • What is an “NFO Control”?
    Jun 27 2024

    The good news about NIST SP 800-171 revision 2 being the standard for the next few years is it's a smaller standard compared to revision 3. However, there are some confusing aspects to NIST SP 800-171 revision 2 that defense contractors can't afford to overlook. The most important? NFO Controls.

    Episode Links:

    NIST SP 800-171r2: https://csrc.nist.gov/pubs/sp/800/171/r3/final

    DFARS 7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=yPaUuHLnHIQsfGQu

    Policy and Procedure Deep Dive: https://youtu.be/TXsKdH3hC6E?si=GoAlpEuMqQWAsOzr

    57 m
  • New NIST Training Courses
    Jun 20 2024

    NIST has released four introductory training courses for the 800 series of special publications that make up the basis for the NIST Risk Management Framework. Each 60-minute course does a great job covering SP 800-37, 53, 53A, and 53B. If you need a leg up on the knowledge that forms the basis of CMMC training, you should check out the courses.

    NIST Training Courses:

    NIST CPRT: https://csrc.nist.gov/Projects/risk-management/rmf-courses

    51 m
  • The Rise of CMMC False Starts
    Jun 13 2024

    Although CMMC assessments are difficult, CMMC certifications are achievable (assuming you have passed through the “assessment feasibility determination” prior to the actual assessment). For many companies, failing CMMC assessments won't be their biggest problem – it will be qualifying for the assessment in the first place.

    Episode Links:

    CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

    CMMC Fuzzy Math (2021): https://youtu.be/843K3hkLquk?si=aDuiomqVxSSwnExI

    NIST Policy Controls: https://youtu.be/TXsKdH3hC6E?si=24svcK18w20DbLP_

    30 m
  • Fun with NIST Policy Controls
    Jun 6 2024

    This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years.

    Episode Links:

    NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

    52 m
  • FAR CUI Rule Update (May 2024)
    May 30 2024

    The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released.

    Episode Links:

    FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB

    FAR CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=9000-AN56

    37 m