52 episodes

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

Sum IT Up: CMMC News Roundup
Summit 7 Systems

    • Technology

    7 Things to Know About SP 800-171 revision 3

    NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required of defense contractors for some time, it pays to see exactly what the future holds. On the surface, revision 3 has fewer requirements than revision 2. Under the hood of 171Ar3, however, there is actually a 32% increase in the number of assessment questions that need to be answered. Overall, 171r3 is progress in the right direction, even if it comes with a few warts.

    Episode Links:

    SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final

    SP 800-171Ar3: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final

    • 49 min
    Crisis Averted: DFARS 7012 Class Deviation

    The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent "class deviation" published by the DoD. The 2023 CMMC proposed rule specified that assessments would be against SP 800-171 revision 2, but the DFARS 252.204-7012 language pointing to the NIST version in effect at the time of solicitation would have triggered a crisis, until now. Revision 3 will eventually become the requirement, but contractors now have some room to breathe.

    Lauren Ayers: https://www.linkedin.com/in/laurencayers/

    Lauren Episode: https://youtu.be/t9nLlcu47IU?si=RzCn1RsM4N7waGmF

    DFARS “Effective Date”: https://youtu.be/Vuz56hPs4Ng?si=pgK8qmbbtRGT2DkP

    Class Deviation: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/

    • 36 min
    CIRCIA Reports Require How Much Info?!

    Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc

    According to a very scientific LinkedIn poll, 61% of respondents think that DFARS clause 252.204-7012 incident reporting requirements should expand to match CIRCIA reporting requirements. While this move would make things more efficient for defense contractors, we're pretty sure folks are underestimating exactly how detailed a proposed CIRCIA incident report will be.

    Episode Links:

    CIRCIA Primer: https://youtu.be/ngYSaO5fg5Y?si=RSg4sWRRWuyrCr9S

    • 40 min
    2024 Cybersecurity Rulemaking Calendar (Updated)

    Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc

    Q2 2024 is upon us, so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and the NIST revisions. If the summer doldrums push things into the fall, we could be in for a relentless holiday season.

    Episode Links:

    CS2 Replay: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc

    Q1 Rulemaking Calendar: https://youtu.be/IgebrVfrgWs?si=3mf5n2l1ODIlCUPt

    • 52 min
    CIRCIA Rulemaking: Double Incident Reporting for the DIB

    Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies.

    Episode Links:

    CIRCIA Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements

    Congressional Research Service Report (PDF): https://crsreports.congress.gov/product/pdf/R/R48025

    How to submit effective comments: https://youtu.be/1T_62cYiUA4?si=sp91i_cXFGiyD7JW

    • 44 min
    The DIB Cybersecurity Strategy

    At long last the DIB Cybersecurity Strategy has officially been released, and it's ... not great. One thing is clear: CMMC is a key part of the DoD's strategy, and there are many DoD resources specifically designed to help contractors deal with it. Beyond CMMC, though, the strategy is focused on coordination, communication, and threat intelligence sharing.

    Episode Links:
    DIB Cyber Strategy: https://www.defense.gov/News/Releases/Release/Article/3723439/dod-releases-defense-industrial-base-cybersecurity-strategy/

    GCC: https://www.cisa.gov/resources-tools/groups/government-coordinating-councils

    SCC: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/defense-industrial-base-sector/sector-charters-and-membership

    CIPAC: https://www.cisa.gov/resources-tools/resources/cipac-2022-charter

    NSA Enduring Security Framework: https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/Enduring-Security-Framework/

    • 43 min
