Summit 7
We know compliance in the Microsoft Government Cloud

For more than a decade, Summit 7's focus has been data protection and governance. The company recently received the Microsoft Partner Award for Compliance due to extensive work with the Microsoft Government Cloud platforms over the last four years to address the critical cybersecurity issues facing the Defense Industrial Base (DIB). Over 800 DoD contractors rely on Summit 7's solutions and services to meet DFARS 7012, 7019, 7020, 7021, and the Cybersecurity Maturity Model Certification (CMMC).


CMMC Proposed Rule Deep Dive
1:19:18
1 day ago
Cyber AB Town Hall Recap
34:48
14 days ago
New CUI Executive Order in 2024?!
49:51
21 days ago
Secure the DIB Summer Camp
28:02
28 days ago
Cyber Overconfidence in the DIB
54:48
1 month ago
Live, Laugh, Rulemaking
37:04
1 month ago
Secure the DIB: Summer Camp 2024
0:56
1 month ago
What the Heck is an ODP?
50:56
1 month ago
What is an “NFO Control”?
56:32
1 month ago
New NIST Training Courses
50:32
2 months ago
The Rise of CMMC False Starts
30:13
2 months ago
CMMC Security: Going on the ATT&CK
1:04:43
2 months ago
Fun with NIST Policy Controls
51:43
2 months ago
FAR CUI Rule Update (May 2024)
37:23
2 months ago
Understanding 171r3 w/ Dr. Ron Ross
1:05:52
3 months ago
EMERGENCY POD: CMMC Regulatory Review Update
30:26
3 months ago
7 Things to Know About SP 800-171 revision 3
49:32
3 months ago
Crisis Averted: DFARS 7012 Class Deviation
36:02
3 months ago
CIRCIA Reports Require How Much Info?!
40:30
3 months ago
Comments
@ansizfark 1 day ago
I feel like there is definitely a niche here of contracts that are awarded super fast like this and contracts that probably shouldn't really fall under CMMC, in the spirit of protecting the actual important CUI, versus flagging something as CUI and then having a contract for off-the-shelf parts be flagged as CUI and ultimately just causing the costs of procuring the products to go up.
@sydneylacroix7971 1 day ago
Great episode, but even better, the title referencing South Park is 10/10!!
@FedSubK 2 days ago
Great info. It all makes sense that below $250K are that fast because a large majority of those actions are task orders under existing contracts, which are easy to award very fast. That's why they aren't tracking it. It's likely already tracked / determined to be in place because those awards are made under an IDIQ "umbrella" where it was required. Great episode!
@GRCAcademy 2 days ago
Great episode, guys!
@jamesCJL2023 3 days ago
MY NAME'S NODOSE IN GAME, NICE GUIDE, WAS HELPFUL
@JayBehr 4 days ago
I think DoD has yet to realize the forthcoming ramifications of applying Level 3. Since Level 3 will be contract-specific, and not "across the board" like DFARS 7012 and CMMC Level 2, the contract that requires Level 3 should cover the costs of implementation. Add an estimated $40M+ for compliance (based on the math in the 32 CFR proposed rule) to what DoD thought would be a $10M contract and what will happen? Interesting days ahead. Keep up the great work guys!
@TheAdmiralMoses 4 days ago
Now make a video explaining what all this means for someone outside the industry, lol
@TheAdmiralMoses 4 days ago
I like your funny words magic man
@miguelvillarreal5895 6 days ago
SPRS scores with a User ID = Key Value Pair = The DIB is now tracked
@korenwise3916 8 days ago
Great job and very informative. Love that you brought up the example of a breach outside the assessed scope. There are a lot of folks out there that believe they can have empty enclaves assessed, while the CUI is yet to be brought into the enclave at the time of assessment. Not good. False Claims.
@korenwise3916 8 days ago
The DoD confidence identifier is not that crazy of a concept. Currently in SPRS anyone who has had a JSVA has a confidence level for the assessment that indicates it is a “high” confidence score. Same thing goes for DIBCAC High. The confidence next to the score will say one of several things - (basic, medium, or high). When you self-assess you have NO option to change it from “basic”. When the DIBCAC does a medium or high, they enter it as such. All that they’re saying is that very same indicator will be viewable in the unique identifier. But it’s not a rating that you get to choose. If a C3PAO does your assessment, it will show as high confidence and it will be indicated in the identifier.
@abdullahsecca9698 8 days ago
This is “The Podcast for CMMC” because Jacob Horne has been educating the DIB since its inception.
@billymartin6465 9 days ago
Confidence level is not your confidence in your security or your SPRS score. Basic self-assessment is low confidence, 3rd party is moderate confidence and government assessment is high confidence.
@ventusvero4484 9 days ago
This video was so timely and fast that I thumbs-upped on two different accounts. Excellent distilling as always guys!
@marlod100 9 days ago
Reporting up (prime to DoD) is limited to those sub-contractors that have a certain percentage of work, over a certain amount, etc.
@marlod100 9 days ago
A number entered by the organization starts with an S and since it is a Basic assessment it starts with B, so SB followed by the unique number. I would imagine DoD starts with a D and is a DM or DH….
@timdaniel6127 9 days ago
Great discussion as usual, appreciate the rapid response to this news. Could you edit the description to have a link to the Rule like you've done for other main resources on episodes?
@ventusvero4484 9 days ago
Dunno if YouTube allows links in comments, but: www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
@Summit7 8 days ago
Great catch! We updated the description and here is The Proposed Rule: www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
@Bearpack89918 9 days ago
"There's really not a whole lot going on." *continues talking for another hour*. Never change man, never change.
@planetbrad263 9 days ago
Hope you find your dad........😂
@planetbrad263 9 days ago
Huh
@gregzacharski8328 9 days ago
The point about DoDUIDs being effective “asset tags” to fully illuminate the extent of the DIB is insightful. What magnitude above the (published) ~291,000 companies will the real number be…?
@gregzacharski8328 9 days ago
SUCH a fantastic opportunity for savvy MSPs…
@larrydavisflysite 11 days ago
What does this have to do with rampant online cryptocurrency fraudulent investment, etc.?
@LauraRodgers-r7e 16 days ago
I attended a Secret Service briefing and their slides had C/FOUO on them. I pointed out that FOUO went away a long time ago and asked if the slides contained CUI. He said no, but wouldn't share the slides.
@eyesWlDEOpen 16 days ago
CMMC PNW happening in Suquamish, WA (just west of Seattle) on August 20th
@amykarnehm3602 23 days ago
I never questioned the DoD CUI registry because NARA seemingly left a lot open to the agencies. Will be watching this play out!
@adamtparker6515 23 days ago
Was pushed this CMMC X.0 stuff. US just needs to be honest as opposed to sending these presenters out here without any real mention of Google LLC, Microsoft GitHub and AWS (which hold the bulk majority of US data in some form). Having a pending CFR update out for comment reaction for 5+ years will continue to have the conundrum of trying to have orgs DoD compliant when the server side cannot offer wholly compliant ops on their side. Heard additional misquotes regarding how the Federal Register processes rules, but that is bound to happen when CMMC omits the items needed prior to trying to enforce CMMC on end users (i.e. IT cybersecurity orgs, small businesses, etc.)
@user-rr3ij5mz2o 23 days ago
I really appreciate the work and the effort that the Summit 7 team puts into this. It provides valuable insight into the entire environment under which the DIB needs to operate. A data owner cannot have an effective information security program if it cannot conduct effective data governance for its data. It cannot direct its supply chain regarding appropriate protective measures if it cannot accurately identify and classify the data it will share with its contractors. This, in and of itself, should exclude the DoD from the consideration set for the Executive Agent. See the findings in DODIG-2019-105, DODIG-2021-135, and DODIG‑2023‑078. There is also the lack of engagement and lack of activities that would signal an agency has the capabilities to be an effective program manager - I specifically refer to the communication findings in GAO-22-104679, where the extent of addressing the communications findings was "we updated the web site", but performance from that point forward seems to indicate the anticipated staffing increases did not happen. It also raises the spectre of whether any specific existing agency, function, or group within the government has the necessary acumen or ability to perform the role of the Executive Agent for the CUI program. This also begs the question of whether the velocity of change within the global threat environment and the complexity of the implementation of information security across a diverse set of stakeholders are too large for traditional government approaches to address the root causes of vulnerability within the environment. Specifically, while rulemaking is the only method to enact these programs, is rulemaking too slow, cumbersome, and inflexible to adequately manage the requirements of a rapidly changing environment like the information security threat environment, where the situation evolves on an ongoing basis, like the proliferation of threat actors and their development of attack vectors and capabilities? bdr
@turnkeycybersecurityandpri3496 23 days ago
Thank you for your good work. We are a cybersecurity company and we are helping smaller DIB companies comply. We consider you guys as one of our key informational resources. Thank you.
@Arronrod 23 days ago
What if they had to redact the footnote because it was overmarked as CUI and there was no clear authority on who could mark it for release? ;)
@timdaniel6127 22 days ago
This explanation feels too real, hah.
@calo7717 23 days ago
That memo even stated "While the Information Management and Classification Interagency Policy Committee (IPC) [created by the National Security Council (NSC)] is undertaking its work, departments and agencies should consider whether to place on hold any efforts within departments and agencies to significantly overhaul information management, classification, and declassification policies, and should coordinate with the NSC staff in any such decisions." So likely lots of agencies are "on hold".
@user-rr3ij5mz2o 26 days ago
The other issue with representing an ODP value in a policy or a standard and then having a less rigorous standard is that it creates a deceptive trade practice and introduces legal jeopardy under both contract law and under FTC Act Section 5, Unfair and Deceptive Trade Practices. Part of the complaint about the standards themselves not being prescriptive is because the IT professionals who are tasked with implementing them in private industry do not have the expertise or acumen regarding information security control objectives nor the understanding of what it means to appropriately implement the control. Remember, we're dealing with an assumption that the average IT leader has CIO or Chief Information Security Officer experience and a support staff member with 7-10 years of cyber experience. To review: I've worked with 45 private sector assessments, 3 clients had an IT leader with CIO/CISO experience, 1 client had an IT staff member with the 7-10 years experience. Most of the manufacturing clients I've worked with either have assigned their Director of Manufacturing the Director of IT role - because the IT makes the manufacturing lines run - or have an individual who has network or system operations experience. My instinct is these are individuals who would like to know both the "how" and the values because they don't have the expertise to do it themselves. The other issue that needs to be addressed - and I'm kind of disappointed it didn't come up - is that ODP values should also be based on a risk assessment of the environment. The need for encryption in an SQL database that's a DMZ away from the internet is different from a database on an AS400 that only has local access. bdr
@user-id4xf5mk5c 26 days ago
I guess this overconfidence explains why it is so difficult to convince DIB companies to engage with a DFARS/CMMC preparation company. This really proves once again that nothing will change until the Govt. mandates AND enforces the requirement. Thanks for another good episode guys.
@billymartin6465 29 days ago
Good stuff
@palefoxx 1 month ago
Thanks again for continuing to bring to the surface objective evidence identifying specific areas of improvement in order to actually implement cyber security.
@jaybehr7036 1 month ago
ODPs in and of themselves are not problematic. The way NIST allowed for the Government entity that is contractually invoking Rev 3 to specify ODP values is a HUGE issue. If we could specify our own it would be much easier. Just think - you set your session timeout to 20 minutes and some DoD agency wants it to be 15 or less. You choose to comply and go through all the configuration management hoops to change it to 15 minutes - yay! Three months later a different agency requires 10 minutes or less. Let's hope DoD can actually define a standard set of values that are accepted by all the different Government agencies.
@palefoxx 1 month ago
NIST demonstrating American belief in freedoms with ODP!? Yay NIST
@ansizfark 1 month ago
Those shirts are awesome! Where can I get one?
@palefoxx 1 month ago
So much for a social media free va-cay Jacob
@averygrasse59 1 month ago
Incredible!
@RyanOHaganWA 1 month ago
Thank you gentlemen!
@johnbarker5839 1 month ago
Time to track for any updates after Chevron was reversed by SCOTUS.
@shellvera333 1 month ago
If it's not on the calendar, it's not actually a thing. And if it's not on the calendar two weeks or more ahead of time, it probably isn't going to happen, because we go as far as scheduling our free time and DO NOT mess around with moving things around. Jason brought up a great point about phantom tasks and other priorities that try to slip in.
@user-rr3ij5mz2o 2 months ago
Three thoughts: 1) In the consulting world, scoping and assessment planning are considered pre-sales and performed at no charge. I made this comment when the CAP was released, and I don't know if a C3PAO will be able to charge for Phase 1 steps 1.1-1.6. It may mean that 1.7 is either the paid portion or moved to Phase 2. I'd also make the point that if a Lead Assessor can't get a feel for an OSC's readiness in steps 1.1-1.6, they probably shouldn't be a Lead Assessor - or they're asking the wrong questions and having the wrong conversations. 2) There are different levels of assessment, and I'm not sure that anywhere in the SPRS scoring process a Contractor is required to base their assessment and the resulting score on evidence (I'm happy to be proven wrong). I believe the direction is that the Contractor must determine if its practices as defined in the SSP meet each one of the individual NIST 800-171A assessment objectives. If my understanding is accurate, then the argument made in the podcast that a Contractor should have "evidence from when the SPRS score was calculated" is unfounded and inaccurate. 3) The issue with a significant number of Contractors having to replan, reschedule, or cancel CMMC assessments is that it means they cannot bid on DoD contracts. If the backlog of Contractors who have false started becomes significant enough, DoD will need to either not include the clauses or waive them to ensure that contracts can be fulfilled. This is the true risk to the program, and why it may become a zombie program that should keep us all up at night. For the record, most Contractors I have worked with where we determined their initial SPRS score did not use an evidence-based methodology. That is what would occur in an audit, and SPRS scoring is based on an assessment of how practices expressed in an SSP align with the NIST 800-171A assessment objectives. As we all know, CMMC is not an audit, it is a "conformity assessment".
Which, at the end of the day, a trained auditor such as myself can understand the distinction between "audit" and "conformity assessment", but for Contractors ... if it waddles like an audit, swims like an audit, quacks like an audit, and you have to produce and defend evidence like it's an audit - it's an audit. Now, my recommendation to my clients is that they deliver a full package of evidence prepared with a degree of rigor so it could pass a formal audit. Then, when I have my CCA and appear as an expert witness on behalf of my clients I can say, "Audit the evidence. We don't need to talk about that". bdr
@GregoryWSmith 2 months ago
I'm pretty sure that the NIST narrator is a live recording, spliced together from multiple takes. The RMF introductory course is listed as (3) hours, with 800-53 as (1) hour, 800-53a as (1) hour, and 53b only 45 minutes. Time well spent.
@secureoperatingsolutions3181 2 months ago
Thanks for the heads up and keep us abreast!
@rickrandall3174 2 months ago
Great discussion! The link you have above is to the CPRT, not the training courses. The training courses are at [ csrc . nist . gov ] /News/2024/online-intro-courses-for-nist-sp-800-53
@palefoxx 2 months ago
Thank you for giving voice to the coupling between functionality and assurance. As a quality assurance / mathematics teacher joining the CMMC assessment works, you’ve nailed it. ❤❤❤❤
@TimKarre-ys3du 2 months ago
I think these are the courses. csrc.nist.gov/Projects/risk-management/rmf-courses
@Akinori.Hiroki 2 months ago
Thank you! This is a masterpiece for understanding the US national cybersecurity approach. And I love the last part! CMMC tells MSPs/MSSPs something like: if you don't have the responsibility to protect your clients, you can't do that business (earn money). Many MSPs/MSSPs don't understand the impact brought by CMMC. This is not only a DoD thing. This plays a role like the Privacy Act + financial regulation. A globally applied, regulatory and contract-based, confidentiality-focused data protection rule. It's tough!