Tom Towler

The US DoD announced the CMMC 2.0 roll out is on track for the start of 2025 - are you ready? Last week at the Potomac Officers Club’s 2024 Cyber Summit, DoD Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer David McKeown congratulated the ‘tremendous perseverance’ of the architects enabling and enforcing the revised three-tiered incoming compliance program. If you're a contractor or subcontractor within the US DIB supply chain, affirmative compliance is required by Oct. 1st 2026. However, McKeown's announcement that the DoD is on track to officially start rolling out and including CMMC 2.0 in contract paperwork in the first quarter of 2025 calendar year, is an important reminder to prioritise action. Cocoon Data's KBOSS for Workspace is launching just in time to streamline your path to CMMC 2.0. Paired with Google's Assured Control Plus and when appropriately configured, the KBOSS Add-on secures assured workloads to meet CMMC 2.0 and ITAR requirements, setting a new standard for classified collaboration. It's time to get on track, be future-ready with KBOSS. #DoD #CMMC #Cybersecurity #KBOSS #DIB

18

CMMC made headlines again as David McKeown previews CMMC 2.0 Yes we are still waiting for CMMC to become official, but as we have seen since March, the process is continuing on and it seem unabated. What does this mean for you and your organization? If you are like many, thinking that CMMC is not coming, we implore you to think differently and soon! CMMC is not slowing down and if you continue to ignore it you will be left in the dust.If you want to get started. Give us a call today to discuss our vCSO and other security services for Defense Contractors. https://loom.ly/PmPp59o

2

DISA Expands Thunderdome Zero Trust Program Deployment; Brian Hermann, Quoted. ExecutiveGov discusses the Defense Information Systems Agency's (DISA) expansion of the Thunderdome zero trust program. In 2023, the program was deployed to 15 sites and plans are underway to extend it to 60 more sites in 2024. The program involves four key components: 🔐 Customer security stacks 🔗 Software-defined wide area networking 📴 Secure access service edge capability, and 💯 Application security stacks. Brian Hermann, DISA's director of the cybersecurity and analytics directorate, emphasized the program's role in advancing zero trust architecture, which is crucial for organizational security. DISA has also finalized the contracting process to support the U.S. Coast Guard’s network security improvement efforts through Thunderdome. Versa Networks is at the forefront of enhancing cybersecurity with their pivotal role in DISA's Thunderdome project. Their cutting-edge solutions are setting new standards in securing our nation's digital infrastructure. For more details, you can read the full article here:-https://lnkd.in/gfn9pcYM #DISA #Thunderdome #ZeroTrust #Cybersecurity #versanetworks #channelpartners

7

It's #SOFWeek! Cameo Lance, COO, and Josh Baumann, navigation program manager, are in Tampa, Florida, this week, representing RSA during USSOCOM's SOF Week. If you want to learn more about how RSA's Quantum Lovelace Optical Augmentation Kit (QLOAK) can help operators transmit data with the highest level of encryption, stop and say hello 👋 #sof #qkd #dod

24

DISA Expands Thunderdome Zero Trust Program Deployment; Brian Hermann, Quoted. ExecutiveGov discusses the Defense Information Systems Agency's (DISA) expansion of the Thunderdome zero trust program. In 2023, the program was deployed to 15 sites and plans are underway to extend it to 60 more sites in 2024. The program involves four key components: 🔐 Customer security stacks 🔗 Software-defined wide area networking 📴 Secure access service edge capability, and 💯 Application security stacks. Brian Hermann, DISA's director of the cybersecurity and analytics directorate, emphasized the program's role in advancing zero trust architecture, which is crucial for organizational security. DISA has also finalized the contracting process to support the U.S. Coast Guard’s network security improvement efforts through Thunderdome. Versa Networks is at the forefront of enhancing cybersecurity with their pivotal role in DISA's Thunderdome project. Their cutting-edge solutions are setting new standards in securing our nation's digital infrastructure. For more details, you can read the full article here:-https://lnkd.in/gZZFskPA #DISA #Thunderdome #ZeroTrust #Cybersecurity #versanetworks #channelpartners

62

Dave DiEugenio, PMP, CISM, ITIL on supporting a dispersed group of Marine Corps Recruiting recruiters - "Network availability, security and reliability is as important as electricity and heat." Our panel on simplifying software management with Richard Grabowski, Dave DiEugenio and John Schneider just wrapped at Adapt 2024! #AxoniusFederal #FederalCybersecurity #FederalIT #DefenseTech #Adapt2024 #AxoniusAdapt2024

19

4 Comments

3 things have been true since CMMC 2.0 was announced in November 2021 1) CMMC is happening 2) DoD will offer cybersecurity tools and services 3) There is a huge gap between CMMC requirements and DoD's solutions It started with the DoD CIO's Town Hall in February 2022 and has persisted in various panels, presentations, and testimonies since then. Now, years after CMMC became an inevitability, those offerings are formalized in Appendix III of DoD's recent DIB Cyber Strategy: - Network traffic monitoring x2 - Threat detection and blocking x2 - Vulnerability scanning x2 - Cybersecurity program evaluation - Network mapping - Phishing assessments - Asset discovery - Training through Project Spectrum and Blue Cyber Yet the gap between the offerings and the requirements verified by CMMC remains and I see no possible way that changes between now and roll-out of CMMC (which could start as early as the end of this year). The bottom line: hoping that DoD will suddenly change course to match tools and services to the requirements imposed on the DIB is not a strategy. Contractors and subs should plan accordingly.

58

8 Comments

Emerging technologies like automation and AI are set to revolutionize the United States Department of Defense's Cyber Operational Readiness Assessment (CORA). At AFCEA #TechNetCyber, defense leaders highlighted how these advancements will streamline the process and boost cyber resilience. Read more: https://lnkd.in/eXXAEaF9

18

Could the DoD's C4SB Actually Reduce CMMC Costs for SMBs? C4SB is a cloud-based capability that will allow small businesses to collaborate and conduct work on government contracts in a secure commercial environment. The DASA DES Cyber Focal Division is issuing this sources sought synopsis as a means of conducting market research to identify parties having an interest in and the resources to support the requirement for Cybersecurity for Small Business (C4SB). Link to the sources sought is in the comments The purpose of C4SB is to reduce cost to small businesses for protection of government data, minimize the compliance burden to participate in government contracts and improve secure collaboration and communication amongst vendors and government personnel in the execution of these contracts. P.S. Do you think that the C4SB cloud solution is a viable approach to help reduce cybersecurity related costs for small defense contractors?

3

1 Comment

Data erasure standards like DoD 5220.22-M/ECE and NIST SP 800-88, Rev. 1 may not change every year, but small updates can make a big difference to ITAD operations. Catch up on the changing landscape for erasure standards. https://bit.ly/3zpaFyF #ITAD #dataerasure

15

The DoD has unveiled the Fulcrum Advanced Strategic Plan, a comprehensive roadmap designed to drive growth, innovation, and operational excellence. What are your thoughts about the new DOD Strategy? We found a highlight about changes in Software Supply Chain Security Section - 1.3.6 Building Supply Chain Security Ensuring the supply chain is secured provides flexibility to accelerate the acquisition of national security systems while reducing the risk of injecting unnecessary system vulnerabilities. The document also highlights the Key Lines of Effort: 1️⃣ Provide Joint Warfighting IT Capabilities: Enhance strategic dominance with advanced, secure, and interoperable IT systems. This includes leveraging AI and machine learning to outpace adversaries and ensure superior operational capabilities. 2️⃣ Modernize Information Networks and Compute: Transition to a data-centric Zero Trust security model, optimizing the DoDIN foundation for performance and resilience. This effort aims to integrate scalable, secure IT infrastructure that adapts to modern threats. 3️⃣ Optimize IT Governance: Streamline IT governance processes to enhance efficiency and mission alignment. This involves overhauling governance tools, improving data quality, consolidating legacy systems, and accelerating IT acquisition with DevSecOps practices. 4️⃣ Cultivate a Premier Digital Workforce: Build and maintain a highly skilled digital workforce ready to deploy emerging technologies. Focus areas include continuous learning, competitive compensation, and fostering collaborative partnerships with industry and academia. #cybersecurity #dod #compliance #fulcrum

2

Yesterday, I had the pleasure of attending #CMMCDay. There were a lot of great discussions kicked off by Matthew Travis, The Cyber AB. I took a few key points from the discussion throughout the day. 1. False Claims Act - This will continue to be the primary compliance review for the DoD. Why not 'deputize' those within the DIB to police themselves. With the payouts being received from false claims act, it appears that it will be an effective tool for the DoD. 2. Rulemaking Timeline - The DoD continues to adjudicate public comments on the #CMMC Program rule (CFR 32) and all indications are that it will be released by fall 2024. This rule will make CMMC affective and allow certifications to begin outside the Joint Surveillance Assessment (JSVA) Program. CFR 48 that will mandate CMMC be included in contracts is expected to be delayed until later in 2025. Therefore, the DoD will essentially provide a grace period from Fall 2024 to mid/late 2025 for organizations to get certified prior to mandating it in contracts. 3. Not Just Technology - CMMC is a verification and validation program. Organizations must demonstrate that they are implementing the CMMC Requirements to a third-party assessor; while some controls (e.g., encryption, malicious code scanning) can be performed using technology, other controls (e.g., background screening, training, security assessments) require people to perform. 4. 100% Ready - There was a lot of discussion on the activities within the JSVA. These assessments provide insight into what organizations can expect during a CMMC assessment. One of the key themes coming from these assessments is if you aren't 100% convinced your organization is ready for an assessment - then you’re not ready! If you couldn’t attend and want to learn more about these and other topics, send me a note. I'd be happy to share additional insights. If you were able to attend, what key points did you take away from the event?

14