Summit 7 Presents: Sum It Up - Ep. 2: CMMC News Roundup and Analysis for October 2022



In this episode, Jacob and Jason dive into the October 2022 Cyber AB Town Hall by exploring the questions (both answered and unanswered) submitted during the town hall Q&A segment. Jason provides his thoughts on the quality of the updated Registered Practitioner training. Time is spent on Rumor Control: large prime contractors are seemingly requiring everyone to get CMMC Level 2 certified, and there's not much that DoD can do to stop them. Jacob discusses the specter of NIST SP 800-171 Appendix E and why it remains a thorn in everyone's side. Other questions addressed: Are the rumors of Congressional funding for CMMC actually true? Is DoD actually bad at communicating? Why is it so hard to know how many requirements correspond to CMMC Level 1? The show wraps up with a brief discussion of NIST SP 800-172 and the newly released CISA Cross-Sector Cybersecurity Performance Goals.

Episode Links:

Cyber AB Town Hall: https://cyberab.org/News-Events/Town-halls

CMMC Level 3 Likelihood: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6978019292143394816-0OGI?utm_source=share&utm_medium=member_desktop

NFO Controls in CMMC: https://www.youtube.com/watch?v=9UyyONyOjJg

NIST SP 800-171 Comment summary: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

CMMC Delta 20 rationale: https://insights.sei.cmu.edu/blog/beyond-nist-sp-800-171-20-additional-practices-cmmc/

The SA-9 Control: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-9

CMMC Documentation: https://www.acq.osd.mil/cmmc/documentation.html

DFARS Rulemaking on funding (2016): https://www.federalregister.gov/d/2016-25315/p-139

DoD Testimony on Communication and Industry Engagement: https://www.armed-services.senate.gov/hearings/cybersecurity-of-the-defense-industrial-base

OMB Rules Under Review: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp

7 Steps to CMMC: https://www.summit7.us/7-steps-to-cmmc

FAR 52.204-21: https://www.acquisition.gov/far/52.204-21

NIST SP 800-172: https://csrc.nist.gov/publications/detail/sp/800-172/final

DoD hopes Primes Don’t Require Level 2: https://www.linkedin.com/posts/jacob-evan-horne_cmmc-cybersecurity-govcon-activity-6973293313240047617-YCGe?utm_source=share&utm_medium=member_desktop

Public/Private Partnership Overview: https://www.chathamhouse.org/sites/default/files/publications/ia/INTA92_1_03_Carr.pdf

CISA Cross-Sector Cyber Performance Goals: https://www.cisa.gov/cpg

James Dempsey on Measurable Standards: https://www.lawfareblog.com/cybersecurity-regulation-its-not-performance-based-if-outcomes-cant-be-measured


Chapters:
(0:00 - 3:22): Introduction
(3:23 - 6:48): Trick-or-treat? Try 800-53
(6:49 - 11:42): Town Hall - Joint Surveillance
(11:43 - 19:00): Town Hall - CAICO Update
(19:01 - 28:54): Thoughts on RP Training
(28:55 - 32:14): Town Hall - CMMC Ecosystem Summit
(32:15 - 46:35): Town Hall - Rumor Control
(46:36 - 48:01): 2023 - 2026 Phased Roll-Out
(48:02 - 50:23): Primes Requiring CMMC Level 2
(50:24 - 59:38): Town Hall Q&A - NFO Controls
(59:39 - 1:09:52): 800-171 Rev. 3 Comment Summary
(1:09:53 - 1:23:41): Town Hall Q&A - FedRAMP Moderate & The CAP
(1:23:42 - 1:27:35): Town Hall Q&A - Policy vs SMBs
(1:27:36 - 1:41:01): CMMC Funding Rumors?
(1:41:02 - 1:56:23): Town Hall Q&A - Rulemaking & Lack of DoD Communication
(1:56:24 - 2:02:09): Not Enough Assessors?
(2:02:10 - 2:17:03): CMMC Level 1 Controversy
(2:17:04 - 2:26:25): CMMC Level 3 & NIST SP 800-172
(2:26:26 - 2:34:16): CISA Cross-Sector Performance Goals
(2:34:17 - 2:37:36): Wrap Up