Episode Links: Cyber AB June TH: https://cyberab.org/News-Events/Town-Halls CMMC Ecosystem Summit Call For Speakers: https://na.eventscloud.com/cmmcpapers Recording of the June 6th.2023 NIST Webinar on 800-171 r3: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3#:~:text=On%20June%206%2C%202023%2C%20NIST,in%20Nonfederal%20Systems%20and%20Organizations. DOD IG Report on Implementation and Oversight of the Controlled Unclassified Information Program: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/ Stephanie's LinkedIn: https://www.linkedin.com/in/bstephaniesiegmann/ Cyber Civil-Fraud Initiative: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative Aerojet Rocketdyne FCA claim: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity UBER CISO Convicted of Covering up Data Breach: https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach Supreme Court FCA Ruling: supremecourt.gov/opinions/22pdf/21-1326_6jfl.pdf Lauren's LinkedIn: https://www.linkedin.com/in/laurencayers/ Professional Services Council: www.pscouncil.orgg

In this episode Jacob and Jason discuss their takeaways from the May Cyber AB Town Hall, including Jacob's guest appearance. The initial public draft of NIST SP 800-171r3 was released; and in this episode the fellas give their initial feedback and analysis on it. Additionally, we discuss the proposed rule to expand eligibility into the DIB CS program, the recently published ND-ISAC Cybersecurity Handbook for SMBs, and the MS Volt Typhoon campaign.

Episode Links:

NIST SP 800-171r3 Draft: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf

NIST Security Controls: Deep Dive with Dr. Ron Ross: https://www.youtube.com/watch?v=vAPFmga_NtI

Cooey Center of Excellence:: https://discord.com/invite/rPtTes5bqA

NIST SP 800-53r5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

The Cyber AB May Townhall: https://cyberab.org/News-Events/Town-Halls

DIB CS Proposed Rule: https://www.federalregister.gov/documents/2023/05/03/2023-09021/department-of-defense-dod-defense-industrial-base-dib-cybersecurity-cs-activities

ND-ISAC Handbook for SMBs: https://ndisac.org/wp-content/uploads/2023/05/Securing-SMB-Manufacturing-Supply-Chain-Resource-Handbook-Final_4MAY2023.pdf

MS Volt Typhoon Threat Brief: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

CISA VoltTyphoon Cybersecurity Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

At first glance the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk us through where SP 800-53 has been, where it's going, and how a broader understanding helps put SP 800-171 into context for federal contractors. For more information and resources please visit: https://www.summit7.us/resources#resources_nist

Episode Links:

Rainbow Series: https://en.wikipedia.org/wiki/Rainbow_Series

Anderson Report (PDF): https://csrc.nist.rip/publications/history/ande72.pdf

Ware Report: https://en.wikipedia.org/wiki/Ware_report

A Vulnerable System: https://www.amazon.com/Vulnerable-System-Information-Security-Computer-ebook/dp/B08YP9XH84

The Perfect Weapon: https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899

FISMA: https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final

FIPS 199: https://csrc.nist.gov/publications/detail/fips/199/final RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

Alan Paller: https://www.sans.org/about/our-founder/

Metrics as surrogates: https://hbr.org/2019/09/dont-let-metrics-undermine-your-business

EO 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information

CUI Registry: https://www.archives.gov/cui/registry/category-list

SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

SP 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall and dive into several great questions asked during the extended Q&A. Amira Armond stops by to deep dive into the Top 10 “Other Than Satisfied” requirements found during DIBCAC audits. Lauren Ayers also stops by to teach us how to read DFARS clauses like a contracting officer.

Amira's LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/

Kieri Solutions: https://www.kieri.com/

Amira's Blog: https://www.cmmcaudit.org/

Lauren LinkedIn: https://www.linkedin.com/in/laurencayers/

Professional Services Council: www.pscouncil.org

PSC June Conference: https://www.pscouncil.org/AcquisitionConference

Cooey Center of Excellence: https://discord.com/invite/rPtTes5bqA

DCMA DIBCAC: https://www.dcma.mil/DIBCAC/

DFARS Cyber FAQs: https://dodprocurementtoolbox.com/faqs/cybersecurity

Stacy Bostjanick at CS2 Huntsville: https://youtu.be/ZvBvzZkwmZg

NARA CUI Registry: https://www.archives.gov/cui/registry/category-list

CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

CMMC Assessment Guides: https://dodcio.defense.gov/CMMC/Documentation/

NIST RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

NIST SP 800-37: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

2018 CUI Industry Day: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

The DFARS: https://acquisition.gov/

NMCARS: https://www.secnav.navy.mil/rda/DASN-P/Pages/NMCARS.aspx

In this episode Jacob and Jason discuss their takeaways from the Cyber AB Town Hall, CS2 Huntsville, and other interesting topics from March 2023 including recent #DoD testimony before Congress, #DIBCAC perspectives on Multifactor Authentication and #FIPS validated encryption, and other exciting topics. This month we were joined by our first ever podcast guest: DefCERT founder and CEO Ryan Bonner helps tackle a few complicated #CUI questions submitted during the Town Hall.

Episode Links:

DefCERT: https://defcert.com/

Ryan Bonner: https://www.linkedin.com/in/rybonner/

March AB Town Hall: https://cyberab.org/News-Events/Town-Halls/Details/march-2023-town-hall

Upcoming Natty Stratty Implementation Plan: https://federalnewsnetwork.com/cybersecurity/2023/03/white-house-aims-to-issue-cyber-strategy-implementation-plan-by-june/

DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

CUI Registry CTI: https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html

DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

DFARS Rights in Technical Data: https://www.acq.osd.mil/dpap/dars/dfars/html/current/227_71.htm

CMMC Scoping Guide: https://dodcio.defense.gov/CMMC/Documentation/

DI MGMT 82247: https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/Assess-Compliance-and-Enhance-Protection-of-Contractor-System-with-Attachments-11-6-2018.pdf

CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

32 CFR: https://www.ecfr.gov/current/title-32

48 CFR: https://www.ecfr.gov/current/title-48

Draft CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf GAO Report: https://www.gao.gov/products/gao-23-105510

CMMC Scaling vs DIBCAC: https://www.federalregister.gov/d/2020-21123/p-49

CMMC Assessment Guide: https://dodcio.defense.gov/CMMC/Documentation/

NIST SP 800-171A: https://www.nist.gov/news-events/news/2018/06/nist-publishing-special-publication-sp-800-171a-assessing-security

SPRS Rule: https://www.federalregister.gov/documents/2023/03/22/2023-05671/defense-federal-acquisition-regulation-supplement-use-of-supplier-performance-risk-system-sprs

Bob Metzger's Take on SPRS Rule: https://www.linkedin.com/posts/robertmetzger_sprs-evaluation-criteria-manual-activity-7046888772768067584-7bHW

Jacob's CS2 Session: https://youtu.be/hipUN_4rfOs

Stacy's CS2 Session: https://youtu.be/ZvBvzZkwmZg

DoD Testimony 1: https://www.armed-services.senate.gov/hearings/to-receive-testimony-on-enterprise-cybersecurity-to-protect-the-department-of-defense-information-networks

DoD Testimony 2: https://armedservices.house.gov/hearings/cyber-information-technologies-and-innovation-subcommittee-hearing-defense-digital-era

Amira Armond: https://www.linkedin.com/in/amira-armond-25a77a141/

In this episode Jacob and Jason discuss their takeaways from the February Cyber AB Town Hall. This month saw some amazing questions on #CUI, working with #DoD CIO, continuous monitoring, the cost of assessments, and #CMMC rulemaking. They also give their thoughts on the Project Spectrum feature segment of the Town Hall. Jacob and Jason also provide an overview and their takeaways from the newly released 2023 National Cybersecurity Strategy and what it means for defense contractors and CMMC.

***CORRECTION 3/3/2023: DOUBLE CHECK YOUR PROJECT SPECTRUM SELF-ASSESSMENT ANSWERS FOR PARTIAL SCORING AND SYSTEM SECURITY PLANS***

Episode Links:

Cyber AB Town Hall: https://cyberab.org/News-Events/Town-Halls

CMMC Rulemaking Overview: https://youtu.be/in69ORYRx4Y

Project Spectrum: https://www.projectspectrum.io/#/

DHS CSET Assessment Tool: https://www.cisa.gov/stopransomware/cyber-security-evaluation-tool-csetr

DHS CUI Rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=1601-AA76

NIST SP 800-53: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

“Common” Controls: https://csrc.nist.gov/glossary/term/common_control

“Hybrid” Controls: https://csrc.nist.gov/glossary/term/hybrid_control

“Inheritance”: https://csrc.nist.gov/glossary/term/inheritance

FedRAMP Baselines: https://www.fedramp.gov/baselines/

DoDI 5230.24 (PDF): https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

CUI Registry: https://www.archives.gov/cui/registry/category-list

CUI Overview: https://youtu.be/bEW7VgbIE_8

CMMC Level 1 Guide: https://www.microsoft.com/cms/api/am/binary/RE54xON

National Cyber Strategy: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

Cyber Strategy Overview: https://www.youtube.com/watch?v=6Fwtvcf2A2c

Sector Risk Management Agencies: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/defense-industrial-base-sector

Vital Signs 2023 Report: https://www.ndia.org/about/press/press-releases/2023/2/8/ndia-president-urges-congress-to-ready-defense-sector-for-great-power-competition

State of the DIB Testimony: https://youtu.be/n62KE-1yQu4

In this episode Jacob and Jason discuss their takeaways from the January Cyber AB Town Hall including several great questions submitted from the #CMMC ecosystem. They also cover some great questions submitted by podcast listeners. Jacob breaks down the upcoming agenda for #CS2 Huntsville (there may or may not be a discount code for podcast listeners). Another #CISA alert related to managed service providers popped up in January. Additionally, a handful of #DoD reports on the level of internal resourcing and funding for cybersecurity shed light on the idea that DoD will have a CMMC cloud enclave ready for everyone in the #DIB on day 1 (or at all). Finally, several very interesting reports came out regarding the larger cyber-regulatory ecosystem. It helps to look up from the details of the CMMC debate from time to time in order to see which way the winds are blowing overall.

CS2 Huntsville: https://cs2.cloud/huntsville

Episode Links:

January AB Town Hall: https://cyberab.org/News-Events/Town-Halls/Details/january-town-hall Understanding CMMC

Rulemaking: https://info.summit7.us/blog/cmmc-compliance-deadline CMMC CAP & Comments: https://cyberab.org/CMMC-

Ecosystem/Member-Area-Downloads-and-Forums DoDI 5230.24: https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/523024p.pdf

CUI Registry (CTI): https://www.archives.gov/cui/registry/category-detail/controlled-technical-info.html

CUI on Game Forums: https://www.pcgamer.com/more-restricted-military-intel-ends-up-on-the-war-thunder-forums/ More CUI on Game Forums: https://www.pcgamer.com/wait-again-war-thunder-fans-just-cant-help-themselves-when-it-comes-to-posting-sensitive-military-documents/

DoD IG on CUI Overmarking: https://www.stripes.com/theaters/us/2023-01-03/congress-orders-pentagon-controlled-unclassified-8639918.html

Production Machining Article: https://www.productionmachining.com/articles/a-small-cnc-machine-shops-journey-to-cmmc- CS2 Huntsville: https://cs2.cloud/huntsville

CISA Alert on RMM Software: https://www.cisa.gov/uscert/ncas/alerts/aa23-025a DoD IG on "SUNET": https://www.dodig.mil/reports.html/Article/2931705/project-announcement-evaluation-of-dods-secure-unclassified-network-sunet-cyber/

DoD Annual OT&E Report: https://www.dote.osd.mil/annualreport/

Minihan Memo: https://www.airandspaceforces.com/read-full-memo-from-amc-gen-mike-minihan/

CSIS Wargame Video: https://www.youtube.com/watch?v=YZ6HJEl7Q90

Compliance Statistics: https://secureframe.com/blog/compliance-statistics

World Economic Forum Cyber Outlook: https://www.weforum.org/reports/global-cybersecurity-outlook-2023

Daniel on Cloud Enclaves: https://www.youtube.com/watch?v=_Ka-AOzb54s

CSF 2.0 Concept Paper: https://csrc.nist.gov/News/2023/csf-2-0-concept-paper-released

Cyber Requirements as "Outcomes": https://www.garp.org/risk-intelligence/technology/cyber-risk-landscape-011322

Regulation Predictions: https://www.hstoday.us/featured/column-avoiding-regulatory-pitfalls-in-cyberspace/

John Ellis on DIBCAC Assessments for SMBs: https://youtu.be/NA_th4wmUuY

Jim Dempsey Lecture: https://www.youtube.com/watch?v=-ZfXB78vB10

In this episode we reflect on a few items from December 2022 and the story of #CMMC (rulemaking) in 2022 overall. We cover listener questions and Jason's experience taking (and passing) his #CCP exam. After a deep dive into the current status of CMMC rulemaking we discuss #DoD estimates about the size of the defense industrial base. We also cover a report on the status of NIST SP 800-171 implementation for DoD contractors. We wrap up with our predictions for 2023.

Episode Links:

Cooey Center of Excellence Discord Server: https://discord.com/invite/rPtTes5bq

A CMMC Rulemaking "Delay": https://insidecybersecurity.com/daily-news/pentagon%E2%80%99s-cmmc-program-launch-faces-delay-omb-rulemaking-review-shifts-january

Merrill Research Report: https://www.scmagazine.com/analysis/third-party-risk/most-us-defense-contractors-fail-basic-cybersecurity-requirements

Old school security advisory: https://www.cisa.gov/uscert/ncas/archives/alerts/TA04-111

Correction: In this episode (1:31:16), Jason mentions that Multifactor Authentication or “MFA” first started appearing in CISA Cybersecurity advisories in 2004. Although individual recommended security actions in CSAs that align with the requirements of NIST SP 800-171 can be found in alerts dating as far back as 2004, the recommendation for MFA was not introduced as a recommended mitigation action in a CISA CSA until 2014. We apologize for the error.... sometimes numbers get him excited.

In this episode Jacob and Jason dive into the November 2022 Cyber AB Town Hall and provide takeaways the Cyber AB's inaugural #CMMC Ecosystem Summit. Jacob and Jason also explore the findings of a GAO report on cyber incident reporting and handling by the #DoD and Defense Industrial Base contractors while connecting the dots to #DIBCAC findings featured in Episode 2. November 2022 is the 12th anniversary of Executive Order 13556 which establish the federal #CUI program. Of course, Jacob and Jason just so happened to find a clear example of overmarked CUI on a public DoD webpage. Episode Links: Cyber AB November Town Hall: https://cyberab.org/News-Events/Town-halls/Details/november-town-hall Executive Order 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information GAO Report: https://www.gao.gov/products/gao-23-105084 Kelly Kiernan: https://www.linkedin.com/in/kelley-kiernan-cto/ Blue Cyber: https://www.safcn.af.mil/CISO/Small-Business-Cybersecurity-Information/ DoD Zero Trust Strategy: https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf SP 800-171 vs NIST CSF Ransomware Profile: https://www.linkedin.com/posts/jacob-evan-horne_nist-sp-800-171-by-nist-csf-ransomware-profile-activity-6928378291812786176-Env7

In this episode Jacob and Jason dive into the October 2022 Cyber AB Town Hall by exploring the questions (both answered and unanswered) submitted during the town hall Q&A segment. Jason provides his thoughts on the quality of the updated Registered Practitioner training. Time is spent on Rumor Control: Large prime contractors are seemingly requiring everyone to get #CMMC Level 2 certified and there's not much that #DoD can do to stop them. Jacob discusses the specter of #NIST SP #800-171 Appendix E and why they remain a thorn in everyone's sides. Other questions addressed: Are the rumors of Congressional funding for CMMC actually true? Is DoD actually bad at communicating? Why is it so hard to know how many requirements correspond to CMMC Level 1? The show wraps up with a brief discussion of NIST SP 800-172 and the newly released #CISA Cross-Sector Cybersecurity Performance Goals.

Episode Links:

Cyber AB Town Hall: https://cyberab.org/News-Events/Town-halls

CMMC Level 3 Likelihood: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6978019292143394816-0OGI?utm_source=share&utm_medium=member_desktop

NFO Controls in CMMC: https://www.youtube.com/watch?v=9UyyONyOjJg

NIST SP 800-171 Comment summary: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

CMMC Delta 20 rationale: https://insights.sei.cmu.edu/blog/beyond-nist-sp-800-171-20-additional-practices-cmmc/

The SA-9 Control: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-9

CMMC Documentation: https://www.acq.osd.mil/cmmc/documentation.html

DFARS Rulemaking on funding (2016): https://www.federalregister.gov/d/2016-25315/p-139

DoD Testimony on Communication and Industry Engagement: https://www.armed-services.senate.gov/hearings/cybersecurity-of-the-defense-industrial-base

OMB Rules Under Review: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp

7 Steps to CMMC: https://www.summit7.us/7-steps-to-cmmc

FAR 52.204-21: https://www.acquisition.gov/far/52.204-21

NIST SP 800-172: https://csrc.nist.gov/publications/detail/sp/800-172/final

DoD hopes Primes Don't Require Level 2: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6973293313240047617-YCGe?utm_source=share&utm_medium=member_desktop

Public/Private Partnership Overview: https://www.chathamhouse.org/sites/default/files/publications/ia/INTA92_1_03_Carr.pdf

CISA Cross-Sector Cyber Performance Goals: https://www.cisa.gov/cpg James Dempsey on Measurable Standards: https://www.lawfareblog.com/cybersecurity-regulation-its-not-performance-based-if-outcomes-cant-be-measured