In this episode Jacob and Jason dive into the October 2022 Cyber AB Town Hall by exploring the questions (both answered and unanswered) submitted during the town hall Q&A segment. Jason provides his thoughts on the quality of the updated Registered Practitioner training. Time is spent on Rumor Control: Large prime contractors are seemingly requiring everyone to get #CMMC Level 2 certified and there's not much that #DoD can do to stop them. Jacob discusses the specter of #NIST SP #800-171 Appendix E and why they remain a thorn in everyone's sides. Other questions addressed: Are the rumors of Congressional funding for CMMC actually true? Is DoD actually bad at communicating? Why is it so hard to know how many requirements correspond to CMMC Level 1? The show wraps up with a brief discussion of NIST SP 800-172 and the newly released #CISA Cross-Sector Cybersecurity Performance Goals.
Episode Links:
Cyber AB Town Hall: https://cyberab.org/News-Events/Town-halls
CMMC Level 3 Likelihood: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6978019292143394816-0OGI?utm_source=share&utm_medium=member_desktop
NFO Controls in CMMC: https://www.youtube.com/watch?v=9UyyONyOjJg
NIST SP 800-171 Comment summary: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft
CMMC Delta 20 rationale: https://insights.sei.cmu.edu/blog/beyond-nist-sp-800-171-20-additional-practices-cmmc/
The SA-9 Control: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-9
CMMC Documentation: https://www.acq.osd.mil/cmmc/documentation.html
DFARS Rulemaking on funding (2016): https://www.federalregister.gov/d/2016-25315/p-139
DoD Testimony on Communication and Industry Engagement: https://www.armed-services.senate.gov/hearings/cybersecurity-of-the-defense-industrial-base
OMB Rules Under Review: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp
7 Steps to CMMC: https://www.summit7.us/7-steps-to-cmmc
FAR 52.204-21: https://www.acquisition.gov/far/52.204-21
NIST SP 800-172: https://csrc.nist.gov/publications/detail/sp/800-172/final
DoD hopes Primes Don't Require Level 2: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6973293313240047617-YCGe?utm_source=share&utm_medium=member_desktop
Public/Private Partnership Overview: https://www.chathamhouse.org/sites/default/files/publications/ia/INTA92_1_03_Carr.pdf
CISA Cross-Sector Cyber Performance Goals: https://www.cisa.gov/cpg James Dempsey on Measurable Standards: https://www.lawfareblog.com/cybersecurity-regulation-its-not-performance-based-if-outcomes-cant-be-measured