
Sum It Up - Episode 8: CMMC, NIST, CUI, & DFARS News and Analysis for April 2023



In this episode, Jacob and Jason discuss their takeaways from the Cyber AB Town Hall and dive into several great questions asked during the extended Q&A. Amira Armond stops by for a deep dive into the Top 10 “Other Than Satisfied” requirements found during DIBCAC audits. Lauren Ayers also stops by to teach us how to read DFARS clauses like a contracting officer.

Episode Links:
Amira’s LinkedIn: https://www.linkedin.com/in/amira-armond-25a77a141/
Kieri Solutions: https://www.kieri.com/
Amira’s Blog: https://www.cmmcaudit.org/
Lauren’s LinkedIn: https://www.linkedin.com/in/laurencayers/
Professional Services Council: www.pscouncil.org
PSC June Conference: https://www.pscouncil.org/AcquisitionConference
Cooey Center of Excellence: https://discord.com/invite/rPtTes5bqA
DCMA DIBCAC: https://www.dcma.mil/DIBCAC/
DFARS Cyber FAQs: https://dodprocurementtoolbox.com/faqs/cybersecurity
Stacy Bostjanick at CS2 Huntsville: https://youtu.be/ZvBvzZkwmZg
NARA CUI Registry: https://www.archives.gov/cui/registry/category-list
CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
CMMC Assessment Guides: https://dodcio.defense.gov/CMMC/Documentation/
NIST RMF: https://csrc.nist.gov/projects/risk-management/about-rmf
NIST SP 800-37: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
2018 CUI Industry Day: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop
The DFARS: https://acquisition.gov/
NMCARS: https://www.secnav.navy.mil/rda/DASN-P/Pages/NMCARS.aspx

Chapters:
(0:00 – 2:50): Introduction
(2:51 – 14:43): April AB Town Hall Recap
(14:44 – 17:16): Amira Armond Introduction
(17:17 – 18:59): Top 10 Failed Requirements Overview
(19:00 – 26:21): No. 10 – 3.4.1 System Baselining
(26:22 – 31:14): No. 9 – 3.6.3 Incident Response Testing
(31:15 – 37:58): No. 8 – 3.3.5 Audit Correlation
(37:59 – 43:28): No. 7 – 3.3.4 Audit Failure Alerting
(43:29 – 47:16): No. 6 – 3.3.3 Event Review
(47:17 – 59:25): No. 5 – 3.11.2 Vulnerability Scan
(59:26 – 1:07:00): No. 4 – 3.11.1 Risk Assessments
(1:07:01 – 1:12:11): No. 3 – 3.14.1 Flaw Remediation
(1:12:12 – 1:21:11): No. 2 – 3.5.3 Multifactor Authentication
(1:21:12 – 1:34:06): No. 1 – 3.13.11 CUI Encryption
(1:34:07 – 1:41:48): Amira on NFO Controls
(1:41:49 – 1:42:58): Amira Armond Wrap Up
(1:42:59 – 1:48:48): Q&A – How to get a Joint Surveillance Assessment?
(1:48:49 – 1:56:06): Q&A – SP 800-171r3 updates for CMMC?
(1:56:07 – 1:58:23): Q&A – CMMC Assessment Guide Update?
(1:58:24 – 2:06:06): Q&A – Standard CMMC Artifacts?
(2:06:07 – 2:11:39): Q&A – SP 800-171r3 vs CMMC rulemaking?
(2:11:40 – 2:12:52): Q&A – FedRAMP Moderate equivalency?
(2:12:53 – 2:16:06): RUMOR CONTROL – FedRAMP Moderate Equivalency
(2:16:07 – 2:18:44): Q&A – L2 Assessment guide and 171A differences?
(2:18:45 – 2:22:28): Q&A – CMMC in other FAR clauses?
(2:22:29 – 2:26:40): Q&A – CMMC between agencies?
(2:26:41 – 3:04:07): Listener Q&A – CMMC for election systems?
(3:04:08 – 3:04:06): Lauren Ayers Introduction
(3:04:07 – 3:01:23): Lauren Q&A – CMMC Effective Dates
(3:01:24 – 3:04:08): Wrap Up

#cmmc #dfars #nist #cui #dod #dib #cybersecurity