Robert M. Lee

With an increase in consumer banking done online post-pandemic, and the current geopolitical situation, it’s important for the Public and Private sectors to share threat intelligence to stop bad actors and Secure the Internet.

5

This is technically the right approach but converging software factories on to a single DevSecOps platform for programs that are in mature development and fielding is going to be a lot of retrofitting that is not trivial. An open standards and open architecture approach for interoperability is probably the best bet, but standardize on a common platform all new programs moving forward. Great to see CYBERCOM starting to take their acquisition authorities to the next phase. Our adversaries are not constrained by their acquisition bureaucracies.

34

If you are following along on the CUI program home game, you know that the CUI program was created to apply a consistent set of requirements across the entire Executive Branch of the federal government which define what is sensitive, unclassified information and how that information should be safeguarded and disseminated. These requirements are defined in 32 CFR 2002, which was published in 2016. When the United States Department of Defense first created DoDI 5200.48 back in 2016 (DoDI 5200.48 defines DoD's implementation of the CUI program), 32 CFR 2002 was pretty new and, understandably, the early version of 5200.48 had some inconsistencies. DoD released an updated version of DoDI 5200.48 about a year and a half ago, and it addressed some of those inconsistencies. DoD recently released an updated policy memo which makes some additional changes to 5200.48. https://lnkd.in/gmsySBBq Those changes have, unfortunately, created a bit of added confusion about when CUI can be disseminated to authorized holders, and especially when: a) the disseminator is a government contractor; and b) the authorized holders are not US persons. The CMMC Information Institute put together the flowchart, below, to try to help walk government contractors through when CUI can be disseminated to someone who is not a US person (or, really, anytime). Hopefully it is helpful!

56

14 Comments

Update on the #CMMC timeline!  During the April The Cyber AB Town hall, Matthew Travis pointed out that CFR 48, the procurement side of the rule, was returned to the DoD and not accepted for release for public comment. The rule was originally expected out for public comment in March 2024; however since it was returned to the DoD on Apr 8 the timeline is unclear. Matt speculated that it could be a simple clerical error that could be quickly addressed enabling the rule to be released for public comment in May 2024. Public comments for CFR 32, the CMMC Program rule, are being adjudicated by the DoD. CFR 32 is still expected to be released in fall of 2024. This rule establishes the CMMC Program and authorizes assessments to begin. Therefore, it is likely that assessments can begin prior to being mandated in contracts. This will give the DoD additional fuel for including CMMC in more contracts once CFR 48 is finalized since organization will have plenty of time to get ready. Will your organization be ready for an CMMC assessment in time to beat the rush to ensure you can bid on contracts when CFR 48 is finalized?

31

3 Comments

SUMMARY: The NSA's Cybersecurity Collaboration Center offers free, proactive cybersecurity support to businesses and federal partners to combat advanced cyber threats. MAIN POINTS: - The CCC provides free threat intelligence and cybersecurity services to private companies with DOD contracts. - Services include threat analysis, mitigation guidance, and direct incident response assistance from NSA experts. - Small and medium-sized businesses can access high-level cybersecurity resources typically reserved for national security. TAKEAWAYS: - CCC aims to bolster public-private cybersecurity cooperation. - Over 1,000 industry partners have enrolled in CCC services. - CCC processes 70 million DNS queries daily, blocking billions of malicious activities. Bailey Bickley #ccc #nsa #dibservices #dib

146

8 Comments

One of the reasons I'm excited about attending the @IPTC Photo-Metadata Conference this year is that I'm really looking forward to hearing a presentation by Neal Krawetz. Neal will be presenting a live demo of research he has gathered over the past year of how the C2PA tools (for provenance and authenticity) still have some holes in their processes. I am all about supporting missions around trust and authenticity in media - but I want to make sure I can see how to get from point A to point Z with transparency, independent governance of data and without it turning into something like digital rights management (DRM) which could lead to silos or channels of content that would only promote or allow only certain publishers to get certificates and be their own verified sources of trust. I keep wanting to use a 'right to repair' your own equipment metaphor, but what I really mean is that I want the 'right to update my own metadata' without having to go through a complex trust and authenticity system that could be hacked anyway but at the same time become the voice of authority.

1

I missed this years conference, but Jason Keller, MA was able to make it to a significant NATO conference on cybersecurity. What stood out in this forum was the collective consensus on the importance of robust cyber infrastructure to ensure a safe digital environment. Here’s where Vistant comes in, and I couldn’t be more excited to share how we’re making a difference. As an industry leader in cybersecurity, Vistant works diligently across the globe, collaborating with local governments and international development agencies to address cybersecurity and resilience needs. Our mission extends beyond borders - we are committed to strengthening vital cyber infrastructures, mitigating disinformation, reducing criminal activity, enhancing data storage and transfer, and accurately reporting and assessing cyber threats. Our team, a blend of highly experienced individuals from tactical, operational, and strategic operations, comprises veterans from NATO, allied militaries, and their civilian government counterparts. We bring a depth of knowledge that’s unparalleled. Vistant’s Cyber Security and Resilience Capabilities are wide-ranging. We offer expert project management and implementation, field technical assistance and response, cybersecurity capacity building and governance, cybersecurity analysis, cyber hygiene assessments, and crisis response for cybersecurity incidents. We take pride in our proven track record. Our experts actively implement cybersecurity programs for the U.S. government in more than 15 countries and for an extensive partner network of national and local businesses. In a world where the digital landscape is constantly evolving, we remain steadfast in our mission to contribute to a safer, more secure digital future. Vistant is looking forward! #Vistant #Cybersecurity #NATO #GlobalResilience #Cycon #CCDOE www.vistantco.com

4

Do you find the false dichotomy between compliance and security to be loathsome, circular, and unhelpful? Are you curious about what security value you're getting for your time, money, and effort when you pursue CMMC certification? Catch the replay of my presentation at CS2 Boston on May 7th at 10am Central (it's free) I'll be answering questions live in chat so come hang out Registration link is in the comments below 👇

65

8 Comments

Organizations globally experience the same classification issues, which are highlighted in the US DoD Inspector General report - Janusnet has the solution for the report's key recommendation: “In coordination with the Office of the DoD Chief Information Officer and DoD Component Heads, develop and implement a DoD‑wide solution for automatically populating documents and emails with the required markings based on a set of selection criteria.” Janusnet enables organizations to mark #CUI and implement the requirements of the United States Department of Defense CUI program

9

In this video, we dive into the complexities of implementing NIST special publication 800-53 in a government organization. The redundancy of federal government entities struggle with reciprocity. We delve into the challenges of implementing NIST Special Publication 800-53 within a single organization and the complexities of replicating this process across different department How Compliance Scorecard dealt with redundancy when working across different government entities and leveraged our Governance as a Service SaaS platform can help. As MSP/IT professionals, we need to understand how these frameworks create operations across various government departments and entities. Heather Noggle and I have some words of wisdom #GovernmentOperations #NIST853 #FedRAMP #EfficiencyMatters #StreamliningProcesses #GovernmentCompliance #ITSecurity #Cybersecurity #DigitalTransformation #GovernmentWorkflow

22

1 Comment

Did you notice a NEW #Defense #CUI category in the #NARA CUI Registry? It is called "𝗣𝗿𝗶𝘃𝗶𝗹𝗲𝗴𝗲𝗱 𝗦𝗮𝗳𝗲𝘁𝘆 𝗜𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻." Banner marking is just BASIC marking. Category Description: "𝗣𝗦𝗜 𝗶𝘀 𝗶𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻 𝗿𝗲𝗳𝗹𝗲𝗰𝘁𝗶𝘃𝗲 𝗼𝗳 𝗮 𝗱𝗲𝗹𝗶𝗯𝗲𝗿𝗮𝘁𝗶𝘃𝗲 𝗽𝗿𝗼𝗰𝗲𝘀𝘀 𝗶𝗻 𝘁𝗵𝗲 𝘀𝗮𝗳𝗲𝘁𝘆 𝗶𝗻𝘃𝗲𝘀𝘁𝗶𝗴𝗮𝘁𝗶𝗼𝗻 𝗼𝗿 𝗴𝗶𝘃𝗲𝗻 𝘁𝗼 𝗮 𝘀𝗮𝗳𝗲𝘁𝘆 𝗶𝗻𝘃𝗲𝘀𝘁𝗶𝗴𝗮𝘁𝗼𝗿 𝗽𝘂𝗿𝘀𝘂𝗮𝗻𝘁 𝘁𝗼 𝗮 𝗽𝗿𝗼𝗺𝗶𝘀𝗲 𝗼𝗳 𝗰𝗼𝗻𝗳𝗶𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝗶𝘁𝘆, 𝘄𝗵𝗶𝗰𝗵 𝘁𝗵𝗲 𝘀𝗮𝗳𝗲𝘁𝘆 𝗽𝗿𝗶𝘃𝗶𝗹𝗲𝗴𝗲 𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝘀 𝗳𝗿𝗼𝗺 𝗯𝗲𝗶𝗻𝗴 𝗿𝗲𝗹𝗲𝗮𝘀𝗲𝗱 𝗼𝘂𝘁𝘀𝗶𝗱𝗲 𝘀𝗮𝗳𝗲𝘁𝘆 𝗰𝗵𝗮𝗻𝗻𝗲𝗹𝘀 𝗼𝗿 𝗳𝗿𝗼𝗺 𝗯𝗲𝗶𝗻𝗴 𝘂𝘀𝗲𝗱 𝗳𝗼𝗿 𝗮𝗻𝘆 𝗽𝘂𝗿𝗽𝗼𝘀𝗲 𝗲𝘅𝗰𝗲𝗽𝘁 𝗺𝗶𝘀𝗵𝗮𝗽 𝗽𝗿𝗲𝘃𝗲𝗻𝘁𝗶𝗼𝗻." https://lnkd.in/guqCWiSH It's important to note that the 𝗡𝗔𝗥𝗔 𝗖𝗨𝗜 𝗥𝗲𝗴𝗶𝘀𝘁𝗿𝘆 is a living document that is constantly evolving and being updated to meet our changing needs. KLC Consulting, Inc. https://klcconsulting.net cmmc@klcconsulting.net #cui #cmmc #dodcmmc #dib #defensecontractor #defensecontracting #defenseindustry #dfars #dfars7012 #nist800171 Kelly Hynes McDermott Maureen Casassa Layla Paoletti Paul Casassa Brian Hubbard Carter Schoenberg Eric L.

42

12 Comments

A great article in Cyber Defense Review on Mission Thread Analysis. "Mission Thread Analysis (MTA) is a process to help build understanding and consensus between customers (operational force) and providers (network operators and defenders), offering an analytical framework where both sides detail their operational and technical requirements. MTA requires mission owners to analyze, prioritize, and depict a mission as a series of steps within a Mission Process Thread (MPT), including the data pathways or Mission Engineering Threads (MEngTs) required to complete the mission. Integrating MTA results with threat intelligence enables appropriate planning and coordination to apply the right capability to perform DCO in support of Army requirements."

17

For those who missed my presentation at CMMC Day, a summary: There are two CMMC rules on two different rulemaking timelines that will lead to one giant gap between when DoD says you need CMMC and when the market says you need CMMC. The background info: The first rule codifies the CMMC program (the three levels, POAMs, waivers, roles and responsibilities, etc.). - This rule is the "32 CFR CMMC" rule. - Once this rule is final and effective, the CMMC marketplace is live (something I call the "market roll-out"). - That means your customers and your competitors will immediately pressure you to get certified. The second rule revises the DFARS clause 252.204-7021 created by the 2020 CMMC rule to match the details of the program at 32 CFR. - This rule is the "48 CFR CMMC" rule. - Once this rule is final and effective, DoD will begin inserting CMMC level requirements pursuant to the DFARS 7021 clause in contracts in phases. - Hence the name "phased roll-out". The 32 CFR CMMC rule was published just after Christmas 2023. Normally DoD rules take ~280 business days after publication to adjudicate public comments and publish a final rule. This puts the window for a 32 CFR CMMC final rule ~Q1 2025. However, DoD and OMB are highly motivated to wrap up rulemaking before the election adds time to the miscellaneous red tape that occurs when a final rule is published. There are many reasons to believe that DoD will beat the average timeline by a few months and meet their goal (for the sake of space, comment below if you'd like to know what those reasons are). In parallel, the 48 CFR CMMC proposed rule was originally slated for Q1 2024 publication with a Q1 2025 final rule. Unfortunately, the 48 CFR rule is behind schedule and was recently sent back for revisions which could add weeks/months before the proposed rule is published. If the average timeline applies to the 48 CFR rule once published in Q4 2024, then the gap between the two rules could be upwards of a year, possibly longer. As a result, all of the chaos resulting from CMMC will set-in by Q1 2025 but DoD will be able to say "we haven't required CMMC in a single contract yet".

163

19 Comments

GSA announced last week that, "Starting June 8, 2024, GSA will begin collecting Common [#SSDF Attestation] Forms for new contracts (including micro-purchases) and the exercise of contract options, that include the use of software, regardless of whether or not the software is considered critical." This is a major update because it means all vendors dealing with GSA or a GSA contracts must comply in June and NOT in September, like originally thought. #ZeroTrust, #CyberSecurity, #SoftwareDevelopment, #DepartmentOfDefense, #InfoSec, #NationalSecurity, #DefenseTech, #CyberDefense, #SecureSoftware, #MilitaryTechnology, #DevSecOps, #InformationSecurity, #CyberAwareness, #GovernmentTech, #CyberThreats, #TechInnovation, #DigitalTransformation, #CloudSecurity, #DataProtection, #NetworkSecurity, #SecurityArchitecture, #CyberResilience, #IdentityManagement, #Encryption, #Compliance, #SecureCoding, #CyberRiskManagement, #AIInCybersecurity, #ThreatIntelligence, #CriticalInfrastructure, #CyberLaw, #CyberEthics, #TechnologyLeadership, #PublicSectorInnovation, #TechGovernance, #SecureByDesign, #PrivacyByDesign, #MilitaryInnovation, #DefenseStrategies, #CyberWarfare, #CyberDiplomacy, #GovernmentContracting, #DefenseContractors, #MilitaryTec, #TechPolicy, #SecureInfrastructure, #NationalCybersecurity, #TechForDefense, #SecureDevelopment, #GovernmentIT 

16

2 Comments