Відео

I'm pretty sure that the NIST narrator is a live recording, spliced together from multiple takes. The RMF introductory course is listed as (3) hours, with 800-53 as (1) hour, 800-53a as (1) hour, and 53b only 45 minutes. Time well spent.

Thanks for the heads up and keep us abreast!

Great discussion! The link you have above is to the CPRT, not the training courses. The training courses are at [ csrc . nist . gov ] /News/2024/online-intro-courses-for-nist-sp-800-53

Thank you for giving voice to the coupling between functionality and assurance. As a quality assurance / math mematjcs teacher joining the CMMC assessment works, you’ve nailed it. ❤❤❤❤

I think these are the courses. csrc.nist.gov/Projects/risk-management/rmf-courses

Thank you! This is a masterpiece to understand the US national cybersecurity approach. And I love the last part! CMMC tells MSPs/MSSPs like If you don't have responsibility to protect your clients, you can't do that business (earn money). Many MSPs/MSSPs don't understand impact brought by CMMC. This is not the only DoD thing. This plays a role like Privacy act + Financial regulation. Globally applied Regulatory and Contract-based Confidentiality-focused data protection rule. It's tough!

Great podcast, thanks guys!

Wow - this should be required viewing for every sub in the system. Thanks.

Peak Infosec has a pretty good pre-assessment guide to fill out before they come out, it's 5 pages of questions. It's on their website.

I think "False Start" accurately communicates the status ... exactly like football ... the team is prepared and capable but is just a half-second premature.

Great job putting a name to this Jacob. Much needed.

Comment on Jason's question about is their a document that outlines what evidence is needed and Jacob you answer "Nope," facisouly. In addition to the 171A (which includes a LOT under what could be evidence), there is one thing that kind of answers what Jason is looking for. DIBCAC has published a list of the kinds of evidence they are looking for. Things like Screen shot, or documentation. This can be extracted from the access DB (I know, I know..) that they have posted to their web page. It is not definitive, and hard to get to but.... it is something and I use that as a general guide.

Why not call the Assessment Guide CAG? Because then they would have to be qualified to launch planes.

My prefered analogy for this situation is the scene from The Office where the italian salesman goes out to dinner with Michael and tells the waitress to send the food back. Thanks so much for the great information! I think more podcasts about the CAP and getting more detailed about each step in the assessment process would be incredibly beneficial. When I started working towards a CMMC assessment for my organization I thought it was just implementing the 171 controls, but it seems every day I learn there is more to the program. Explaining the assessment process in full would no doubt be a major help those working through this program. Even going more in depth into what qualifies as "evidence" for the feasibility assessment is important. I've had MSPs tell me that their clients have been denied a JSVA because they didn't have proof of a FIPS validation for whatever cryptographic modules they were using to secure CUI. While this example may get into the realm of examining evidence versus verifying existance, there is certainly room to discuss what may count as evidence for the feasibility assessment outside of your policies and procedures for the 171 controls. "If there is no evidence, I send it back"

I would like to contact this speaker. Does anyone have a good link to make connection. I am SB director within AF and would like to discuss

How can I get the handout that was given to the audience?

Meanwhile, the DOD is out there calling this "Basic Cyber Hygiene" that only the federal Government and Large Enterprises were doing in 2017. Remember the profit rate on SBIR Cost Plus contract is 8%.

Perfect timing for this! I’m still having trouble reconciling the past few years of App E is required because it’s assumed to be in place, with this take. But I agree that you really can’t do it without the -1 documentation 😁

The MLB is in a MUCH better place with Angel Hernandez gone. Baseball fans rejoice!

Thanks for all the great content guys. Greatly appreciate what you do for the community

Agencies are already establishing their own approaches to protecting CUI. The HSFAR that DHS already has in effect (88 FR 40560, HSAR Case 2015-001, DHS Docket No. DHS-2017-0006) requires DHS Contractors to have an independent third-party assessment on the NIST 800-53 Moderate Risk Baseline, completely independent of CMMC, or the Department of Ed requirements for post-secondary institutions to apply NIST 800-171 to the financial information of students already create the specific issues you discuss with the different agencies having different approaches to implement 800-171. In that vein, I can't think of a Department whose interests would be more aligned with DoD that DHS, and DHS, to quote Fleetwood Mac, looked at CMMC and decided to "go your own way". The other thing here is that all CUI, while it may be defined by NARA, it may not have the same degree of risk across agencies. From that perspectice applying data governance principles, each agency may be allowed to make its own determination that it's ok with self-assessment, ok with an appropriate independent third-party assessment by CPAs or CISAs, or provide contracting units or Contracting Officers more leeway into including or waiving the agency-specific clause. bdr

This is a huge FAR reaching rule... (I see what you did there......) 🙂

I dont think they will define ODP's in the FAR rule. What if they mandate 171 current version? Invalidating the class deviation? All kinds of questions. Great podcast!

All of this points to the fact that while rulemaking is the mechanism to implement these types of programs, it is unsuited to the realities in the field. So there exists a conundrum ... the government cannot implement this type of program without rulemaking, yet rulemaking is too inefficient to meet the needs of the government's partners and cumbersome to address the dynamic nature of cybersecurity. This is one of the items that is going to have to be worked through before the next iteration of rulemaking. Both actions will help make the rulemaking associated with adopting NIST 800-171 R3 into the ecosystem more effective for everyone involved. bdr

i'm rewatching a few of these to create documentation - love you two together. Jacob is just rolling laughing and I love Jason's reactions, which is all of us out here trying to make it work. Appreciate all the work you guys do!

Keep in mind, the CUI example is just one of many. If you work in the weeds and actually have to make this stuff work, you will soon realize some controls are pretty much impossible. After spending hundreds of thousands of dollars on many different consultants to get our business compliant, none actually added extra security to our infrastructure. They left us with all the heavy lifting with no real path to the finish line. We filled out endless questionnaires so they could deliver a bunch of template driven documents. Many consultants just did a lot of wordsmithing to show compliance. Last time I checked, our adversaries are not going to run away when they see great wordsmithing. Such a waste of time and money to attempt to bring us compliant. We can always do better at our security but spending a disproportional amount of money on some of these controls is not going to deter our adversaries.

I hate to say this, but the more I listen to all of you the more I realize you have never actually managed an IT infrastructure in a company that produces military hardware. These are very rapidly changing environments which do not fit your discussion. You need to get out and actually do some of this work before acting like this is all reasonable. Shame on you for promoting this vendor driven business.

I've been hoping you guys would discuss Copilot. Most of us are still unclear as to when we're required to be in GCC/GCC HIGH, etc.

Thank you guys! I'm so grateful for your linkedin posts, explanatory podcasts and just being an evangelist. It's hard to keep up on everything while you're doing "all the things" and understanding the Rules are not for the faint of heart. I will read it, but i will always come look here before i brief anyone on what i think it means :-) !!!

hello again

cmmc

This is insane. Honestly. So much information! It will take 72 hours to just build the report!

Great info and discussion 🚨🚨🚨🔐

This is some great (BEEP)! hahaha .... ;) Seriously, this is a great presentation. I need to share this with the business owner and plan some mock reports (maybe using templates that validate our controls) to get the IT crew some muscle memory that I hope we never have to use. Thanks all.

They want all that in 72 hours? Lol, better buy stock in Mandiant.

12:30-ish... if a ransomware-actor shows you they have your data, IMO that's a "substantial loss" of confidentiality in & of itself, regardless of whether they publish it or not - it's an indication your network / systems have been breached by unknown numbers of unauthorized persons, for a significant enough time period to capture your infomation to qualify as #1 of the 4. You've lost containment of the data you're responsible for securing, game over, thanks for playing.

Ricky Williams in a Dolphins uniform, was the best way to imagine Ricky Williams.

I love these - please keep them up. Quick question on identifying a date by which we would have a validated module (per the Windows 11 discussion, although this is applicable to Sonoma and others)... how do you determine that date? I can see adding to the maintenance checklist rhythm a task to check for new certificates, but the CMVP website doesn't provide a timeline or ETAs (that I've found - I've missed things before). We can see the in- process modules or the implementation in process lists, and their last status update, but other than cornering Jason and forcing him to use some of his mad Trigonometry skills, what are your best suggestions for where we could source expected dates and demonstrate a satisfying response?

I am so glad I found your series! 🎉 Thank you both for taking the time to break this down into a more consumable format. This is just another reason I would love to work with Summit 7!!!!!

I worked for DIBCAC as a lead for 3 years. 2/3 of the assessors lack IT experience (And half of them don't have a degree). They hired the lowest common denominator after Mr. King left (Previous Director). Management trained them to search for information using Google, and they pretend they know what they're doing. It's the worst job I had, so I left.

I worked for DIBCAC as a lead for 2 years. 2/3 of the assessors lack IT experience. They hired the lowest common denominator after Mr. King left (Previous Director). Management trained them to search for information using Google, and they pretend they know what they're doing. It's the worst job I had, so I left.

I was wondering if you were going to mention the duplication between CIRCIA reporting requirements and SEC cyber incident reporting requirements. You did, at around 28:02 . Well done! 👍

CIRCIA applies to my work. thank you for keeping up with these changed.

Cant hear the dude in the bottom left...

Can barely hear Daniel...

39 seconds in and I hear my mother-in-law? 🤣🤣🤣

So, MSP reporting requirements under the Proposed Rule would require clients in GCC High enclaves to report an incident to CISA based on the Microsoft compromise, right? BDR

Thank you for sharing...

Appreciate the straight talk.

Love the eclipse glasses