Sum IT Up: CMMC News Roundup Summit 7 Systems
It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
EMERGENCY POD: CMMC Regulatory Review Update
DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review. As a result, we can now estimate the timelines for CMMC rules. Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs.
Episode links:
48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81
32 CFR CMMC: https://www.summit7.us/webinars/proposed-cmmc-rule
DIB CS Final Rule: https://youtu.be/E7GsBZMM1CI?si=3um3RYk8pDZH29Ca
CIRCIA Rule pt. 1: https://youtu.be/ngYSaO5fg5Y?si=1Z3G7_jGkmZ8KFxI
CIRCIA Rule pt. 2: https://youtu.be/kUdhl5QfziU?si=EIMlHpu_KMtcdAVX
SP 800-171r3 overview: https://youtu.be/TAzYQjLfPY0?si=32QowzgK33D9YLQx
DFARS 7012 class deviation: https://youtu.be/voziZRAMvv4?si=hHigkKuWpdbvDjW4
FAR CUI Rule: https://youtu.be/lZv3JwJNfcQ?si=6OKA2Kwz6tc_cMyS
7 Things to Know About SP 800-171 revision 3
NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required for defense contractors for some time, it pays to see exactly what the future holds. On the surface, revision 3 has fewer requirements than revision 2. However, under the hood of 171Ar3 there is actually a 32% increase in the number of verification questions that need to be answered. Overall, 171r3 is progress in the right direction, even if it comes with a few warts.
Episode Links:
SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final
SP 800-171Ar3: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final
Crisis Averted: DFARS 7012 Class Deviation
The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the DoD. The 2023 CMMC proposed rule specified that it will assess SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now. Nevertheless, SP 800-171 revision 3 will be the requirement, but contractors have some room to breathe.
Lauren Ayers: https://www.linkedin.com/in/laurencayers/
Lauren Episode: https://youtu.be/t9nLlcu47IU?si=RzCn1RsM4N7waGmF
DFARS “Effective Date”: https://youtu.be/Vuz56hPs4Ng?si=pgK8qmbbtRGT2DkP
Class Deviation: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/
CIRCIA Reports Require How Much Info?!
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
According to a very scientific LinkedIn poll, 61% of respondents think that DFARS clause 252.204-7012 incident reporting requirements should expand to match CIRCIA reporting requirements. While this move would make things more efficient for defense contractors, we're pretty sure folks are underestimating exactly how detailed a proposed CIRCIA incident report will be.
Episode Links:
CIRCIA Primer: https://youtu.be/ngYSaO5fg5Y?si=RSg4sWRRWuyrCr9S
2024 Cybersecurity Rulemaking Calendar (Updated)
Register for our upcoming CS2 Replay here: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
Q2 2024 is upon us, so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the summer doldrums push things into the fall, then we could be in for a relentless holiday season.
Episode links:
CS2 Replay: https://www.summit7.us/webinars/exploring-the-real-world-security-value-of-cmmc
Q1 Rulemaking Calendar: https://youtu.be/IgebrVfrgWs?si=3mf5n2l1ODIlCUPt
CIRCIA Rulemaking: Double Incident Reporting for the DIB
Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies.
Episode Links:
CIRCIA Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
Congressional Research Service Report (PDF): https://crsreports.congress.gov/product/pdf/R/R48025
How to submit effective comments: https://youtu.be/1T_62cYiUA4?si=sp91i_cXFGiyD7JW