Sum IT Up: CMMC News Roundup Summit 7 Systems
It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This monthly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
Fun with NIST Policy Controls
This week we dive into the details of NIST policy and procedure controls. Love it or hate it, SP 800-171 requires policies and procedures regardless of revision. Luckily, it's easy to know what a good template looks like because policies have been outlined in NIST SP 800-53 for 20 years.
Episode Links:
NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
NIST SP 800-53A: https://csrc.nist.gov/pubs/sp/800/53/a/r5/final
FAR CUI Rule Update (May 2024)
The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA). With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we're looking forward to resolving when the rule, after nearly 10 years, is finally released.
Episode Links:
FAR CUI Rule Episode: https://youtu.be/lZv3JwJNfcQ?si=lBM8sF7sF2xyLwmB
FAR CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=9000-AN56
Understanding 171r3 w/ Dr. Ron Ross
After more than a year of development, revision 3 of SP 800-171 and 171A are officially done. This week we're joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the SP 800-53 catalog.
Episode Links:
171r3 overview: https://youtu.be/TAzYQjLfPY0?si=TTP49MujwB3Obchl
171r3 overview blog: https://www.summit7.us/blog/nist-800-171-revision-3
Dr. Ross on the 171r3 final draft: https://youtu.be/IMms3dlPUGo?si=8Wd3p0At4BUhMkCq
NIST deep dive with Dr. Ross: https://youtu.be/vAPFmga_NtI?si=9_n5kXvTUYPcmUys
Scott Goodwin at CS2 Boston: https://youtu.be/LFfbDpZRM_M?si=yVcd4BxiwpNPzdRO
EMERGENCY POD: CMMC Regulatory Review Update
DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review. As a result, we can now estimate the timelines for CMMC rules. Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs.
Episode links:
48 CFR CMMC: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81
32 CFR CMMC: https://www.summit7.us/webinars/proposed-cmmc-rule
DIB CS Final Rule: https://youtu.be/E7GsBZMM1CI?si=3um3RYk8pDZH29Ca
CIRCIA Rule pt. 1: https://youtu.be/ngYSaO5fg5Y?si=1Z3G7_jGkmZ8KFxI
CIRCIA Rule pt. 2: https://youtu.be/kUdhl5QfziU?si=EIMlHpu_KMtcdAVX
SP 800-171r3 overview: https://youtu.be/TAzYQjLfPY0?si=32QowzgK33D9YLQx
DFARS 7012 class deviation: https://youtu.be/voziZRAMvv4?si=hHigkKuWpdbvDjW4
FAR CUI Rule: https://youtu.be/lZv3JwJNfcQ?si=6OKA2Kwz6tc_cMyS
7 Things to Know About SP 800-171 revision 3
NIST SP 800-171 revision 3 and SP 800-171A revision 3 have been officially released. Although revision 3 won't be required for defense contractors for some time, it pays to see exactly what the future holds. On the surface, revision 3 has fewer requirements than revision 2. However, under the hood of 171Ar3 there is actually a 32% increase in the number of verification questions that need to be answered. Overall, 171r3 is progress in the right direction, even if it comes with a few warts.
Episode Links:
SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final
SP 800-171Ar3: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final
Crisis Averted: DFARS 7012 Class Deviation
The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the DoD. The 2023 CMMC proposed rule specified that it will assess SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now. Nevertheless, SP 800-171 revision 3 will be the requirement, but contractors have some room to breathe.
Lauren Ayers: https://www.linkedin.com/in/laurencayers/
Lauren Episode: https://youtu.be/t9nLlcu47IU?si=RzCn1RsM4N7waGmF
DFARS “Effective Date”: https://youtu.be/Vuz56hPs4Ng?si=pgK8qmbbtRGT2DkP
Class Deviation: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/