56 episodes

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

Sum IT Up: CMMC News Roundup Summit 7 Systems

    • Technology

    Fun with NIST Policy Controls

    This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years.

    Episode Links:

    NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

    • 51 min
    FAR CUI Rule Update (May 2024)

    The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released.

    Episode Links:

    FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB

    FAR CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=9000-AN56

    • 37 min
    Understanding 171r3 w/ Dr. Ron Ross

    After more than a year of development, revision 3 of SP 800-171 and 171A are officially done. This week we're joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the SP 800-53 catalog.
    Episode Links:

    171r3 overview: https://youtu.be/TAzYQjLfPY0?si=TTP49MujwB3Obchl
    171r3 overview blog: https://www.summit7.us/blog/nist-800-171-revision-3
    Dr. Ross on the 171r3 final draft: https://youtu.be/IMms3dlPUGo?si=8Wd3p0At4BUhMkCq
    NIST deep dive with Dr. Ross: https://youtu.be/vAPFmga_NtI?si=9_n5kXvTUYPcmUys

    Scott Goodwin at CS2 Boston: https://youtu.be/LFfbDpZRM_M?si=yVcd4BxiwpNPzdRO

    • 1 hr 5 min
    EMERGENCY POD: CMMC Regulatory Review Update

    DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review. As a result, we can now estimate the timelines for CMMC rules. Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs.

    Episode links:
    48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81

    32 CFR CMMC: https://www.summit7.us/webinars/proposed-cmmc-rule

    DIB CS Final Rule: https://youtu.be/E7GsBZMM1CI?si=3um3RYk8pDZH29Ca

    CIRCIA Rule pt. 1: https://youtu.be/ngYSaO5fg5Y?si=1Z3G7_jGkmZ8KFxI

    CIRCIA Rule pt. 2: https://youtu.be/kUdhl5QfziU?si=EIMlHpu_KMtcdAVX

    SP 800-171r3 overview: https://youtu.be/TAzYQjLfPY0?si=32QowzgK33D9YLQx

    DFARS 7012 class deviation: https://youtu.be/voziZRAMvv4?si=hHigkKuWpdbvDjW4

    FAR CUI Rule: https://youtu.be/lZv3JwJNfcQ?si=6OKA2Kwz6tc_cMyS

    • 30 min
    7 Things to Know About SP 800-171 revision 3

    NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required for defense contractors for some time, it pays to see exactly what the future holds. On the surface, revision 3 has fewer requirements than revision 2. However, under the hood of 171Ar3 there is actually a 32% increase in the number of verification questions that need to be answered. Overall, 171r3 is progress in the right direction even if it comes with a few warts.

    Episode Links:

    SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final

    SP 800-171Ar3: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final

    • 49 min
    Crisis Averted: DFARS 7012 Class Deviation

    The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the DoD. The 2023 CMMC proposed rule specified that it will assess SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now. Nevertheless, SP 800-171 revision 3 will be the requirement, but contractors have some room to breathe.

    Lauren Ayers: https://www.linkedin.com/in/laurencayers/

    Lauren Episode: https://youtu.be/t9nLlcu47IU?si=RzCn1RsM4N7waGmF

    DFARS “Effective Date”: https://youtu.be/Vuz56hPs4Ng?si=pgK8qmbbtRGT2DkP

    Class Deviation: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/

    • 36 min
