Jacob Horne’s Post

Why did NIST add 19 new requirements in NIST SP 800-171 revision 3? Experience and judgement according to Ron Ross. The 19: 3.4.10 - System Component Inventory 3.4.11 - Information Location 3.4.12 - System and Component Configuration for High-Risk Areas 3.5.12 - Authenticator Management 3.6.4 - Incident Response Training 3.6.5 - Incident Response Plan 3.10.7 - Physical Access Control 3.10.8 - Access Control for Transmission  3.11.4 - Risk Response 3.12.5 - Information Exchange 3.14.8 - Information Management and Retention 3.15.1 - Policy and Procedures 3.15.3 - Rules of Behavior 3.16.1 - Security Engineering Principles 3.16.2 - Unsupported System Components 3.16.3 - External System Services 3.17.1 - Supply Chain Risk Management Plan 3.17.2 - Acquisition Strategies, Tools, and Methods 3.17.3 - Supply Chain Requirements and Processes

NIST on defining organizationally defined parameters in SP 800-171r3: "There will have to be an organization that will step up and take responsibility. It could be a joint organization that covers the entire federal government. If that doesn't happen, maybe the DoD will step into the breach and define them, but somebody who cares about what those ODPs are will have to define them." My money is on the DoD leading the way while the rest of the federal agencies follow their guidance. I don't think the old National Archives and Records Administration (NARA) is coming back. Once CMMC 2.0 rulemaking wraps up in Q1 2025 I expect DoD will start a new round of CMMC rulemaking to update the program for SP 800-171r3, SP 800-172r1, and all of the corresponding ODPs that they care about.

Back from my three week walkabout. Here's something I pondered: 𝗜𝘀 𝘁𝗵𝗲𝗿𝗲 𝗮 𝗺𝗲𝗱𝗶�� 𝗰𝗼𝘃𝗲𝗿𝗮𝗴𝗲 𝗯𝗶𝗮𝘀 𝗮𝗴𝗮𝗶𝗻𝘀𝘁 𝘁𝗵𝗲 𝗖𝗠𝗠𝗖 𝗽𝗿𝗼𝗴𝗿𝗮𝗺? Not so long ago we were inundated by breathless editorials prattling on about CMMC being "delayed". Every one of those headlines was fueled by something known as the "Unified Agenda" which documents the rulemaking activities that federal agencies plan to execute within the next 12 months. If any agency plans to issue an advance notice of rulemaking, a proposed rule, or a final rule, then the estimated timeline goes in the agenda. The Unified Agenda is published twice a year, typically: - The "Spring Agenda" ~July. - The "Fall Agenda" ~December. The Spring 2024 Unified Agenda was published on 𝗝𝘂𝗹𝘆 𝟳𝘁𝗵, 𝟮𝟬𝟮𝟰 . However, everything in the current Spring Agenda was submitted on 𝗠𝗮𝗿𝗰𝗵 𝟮𝟮, 𝟮𝟬𝟮𝟰. Unfortunately, these estimates are several months old by the time they are published because Office of Information and Regulatory Affairs (OIRA) puts out a data call for agency submissions long before the Unified Agenda is officially published. This makes the agenda a lagging indicator of progress. Of course that detail never makes it into the coverage of CMMC rulemaking. That means all of the estimates reflect what the agencies expected in early 𝗤𝟭 𝟮𝟬𝟮𝟰 (if not earlier). 𝗔𝘀 𝗳𝗮𝗿 𝗮𝘀 𝗖𝗠𝗠𝗖 𝗶𝘀 𝗰𝗼𝗻𝗰𝗲𝗿𝗻𝗲𝗱, 𝗵𝗲𝗿𝗲'𝘀 𝘄𝗵𝗮𝘁 𝗗𝗼𝗗 𝗮𝗻𝘁𝗶𝗰𝗶𝗽𝗮𝘁𝗲𝗱 𝟳 𝗺𝗼𝗻𝘁𝗵𝘀 𝗮𝗴𝗼: - 32 CFR CMMC Final Rule: November 2024 - 48 CFR CMMC Proposed Rule: August 2024 This is very interesting because the 32 CFR rule was sent to OIRA for final review at the end of June, 𝟱 𝗺𝗼𝗻𝘁𝗵𝘀 𝗳𝗮𝘀𝘁𝗲𝗿 𝘁𝗵𝗮𝗻 𝘁𝗵𝗲𝘆 𝗲𝘀𝘁𝗶𝗺𝗮𝘁𝗲𝗱. The 48 CFR rule went to OIRA mid-May, 𝟮.𝟱 𝗺𝗼𝗻𝘁𝗵𝘀 𝗳𝗮𝘀𝘁𝗲𝗿. And the media landscape? Crickets. Where are the superficial headlines describing CMMC's acceleration? Where are the articles about DoD smashing their rulemaking estimates? Why is it that we only get coverage about the precarity of CMMC rather than it's objective progress through the rulemaking morass? What do you think?

New podcast is up: fun with organizationally defined parameters edition Let's take a gander at requirement 3.1.8 in NIST SP 800-171 revision 2. 𝗟𝗶𝗺𝗶𝘁 𝘂𝗻𝘀𝘂𝗰𝗰𝗲𝘀𝘀𝗳𝘂𝗹 𝗹𝗼𝗴𝗼𝗻 𝗮𝘁𝘁𝗲𝗺𝗽𝘁𝘀 That's it. That's all it says. The thing to ask yourself is how would an organization implement such a requirement? What, specifically, would they do? Thankfully, NIST SP 800-171 rev. 3 ditches the riddles and uses the control language found in NIST SP 800-53. The same 3.1.8 requirement now says: a. Enforce a limit of [𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯-𝘥𝘦𝘧𝘪𝘯𝘦𝘥 𝘯𝘶𝘮𝘣𝘦𝘳] consecutive invalid logon attempts by a user during a [𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯-𝘥𝘦𝘧𝘪𝘯𝘦𝘥 𝘵𝘪𝘮𝘦 𝘱𝘦𝘳𝘪𝘰𝘥]. b. When the maximum number of unsuccessful attempts is exceeded, automatically (one or more): - 𝘭𝘰𝘤𝘬 𝘵𝘩𝘦 𝘢𝘤𝘤𝘰𝘶𝘯𝘵 𝘰𝘳 𝘯𝘰𝘥𝘦 𝘶𝘯𝘵𝘪𝘭 𝘳𝘦𝘭𝘦𝘢𝘴𝘦𝘥 𝘣𝘺 𝘢𝘯 𝘢𝘥𝘮𝘪𝘯𝘪𝘴𝘵𝘳𝘢𝘵𝘰𝘳;  - 𝘥𝘦𝘭𝘢𝘺 𝘯𝘦𝘹𝘵 𝘭𝘰𝘨𝘰𝘯 𝘱𝘳𝘰𝘮𝘱𝘵;  - 𝘯𝘰𝘵𝘪𝘧𝘺 𝘴𝘺𝘴𝘵𝘦𝘮 𝘢𝘥𝘮𝘪𝘯𝘪𝘴𝘵𝘳𝘢𝘵𝘰𝘳;  - 𝘵𝘢𝘬𝘦 𝘰𝘵𝘩𝘦𝘳 𝘢𝘤𝘵𝘪𝘰𝘯 Without prescribing specific values, the new 3.1.8 (which is actually the old AC-7 from SP 800-53) provides a framework for limiting unsuccessful logons that is much more clear. We go through several examples in the episode as well as the textbook explanation of ODPs found in NIST guidance. Episode links are in the comments below 👇 Like ❤️ and subscribe 🔔

🚨 𝗕𝗪𝗢𝗢𝗣 𝗕𝗪𝗢𝗢𝗣 🚨 📣 𝗖𝗠𝗠𝗖 𝗙𝗜𝗡𝗔𝗟 𝗥𝗨𝗟𝗘 𝗔𝗟𝗘𝗥𝗧 📣 ⚠ 𝗧𝗛𝗜𝗦 𝗜𝗦 𝗡𝗢𝗧 𝗔 𝗗𝗥𝗜𝗟𝗟 ⚠ Well folks, they really did it and I got a raven in the middle of vacay. Just 185 days after the CMMC proposed rule was published, the DoD has officially submitted the 32 CFR CMMC program rule and all supporting documentation to OIRA for final review. This is the last step before publication of the final rule in the Federal Register. OIRA has up to 90 - 120 days for their review. 𝗧𝗵𝗮𝘁 𝗽𝘂𝘁𝘀 𝘁𝗵𝗲 𝗽𝘂𝗯𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝘄𝗶𝗻𝗱𝗼𝘄 𝗯𝗲𝘁𝘄𝗲𝗲𝗻 𝗹𝗮𝘁𝗲 𝗦𝗲𝗽𝘁𝗲𝗺𝗯𝗲𝗿 - 𝗹𝗮𝘁𝗲 𝗢𝗰𝘁𝗼𝗯𝗲𝗿. Once published, there will be a delay of ~60 days before the final rule is "effective". At that point, that's it. The CMMC program will be official. A couple of notes: - DoD ripped through 𝗼𝘃𝗲𝗿 𝟭,𝟴𝟬𝟬 𝗽𝘂𝗯𝗹𝗶𝗰 𝗰𝗼𝗺𝗺𝗲𝗻𝘁𝘀, made their edits, and officially submitted the final rule in six months and two days so the odds of any major changes from the proposed rule in response to public comments is extremely low. - The rule is officially in the queue well ahead of the November election and I wouldn't be surprised to see OIRA wrap up well before the 90 day mark. - For those keeping score at home DoD pumped out this final rule 𝟱𝟱% 𝗳𝗮𝘀𝘁𝗲𝗿 𝘁𝗵𝗮𝗻 𝘁𝗵𝗲 𝗮𝘃𝗲𝗿𝗮𝗴𝗲 (127 business days instead of 283). I hope companies have been using the last several years of prep time wisely. “𝘐𝘵’𝘴 𝘰𝘯𝘭𝘺 𝘸𝘩𝘦𝘯 𝘵𝘩𝘦 𝘵𝘪𝘥𝘦 𝘨𝘰𝘦𝘴 𝘰𝘶𝘵 𝘵𝘩𝘢𝘵 𝘺𝘰𝘶 𝘥𝘪𝘴𝘤𝘰𝘷𝘦𝘳 𝘸𝘩𝘰’𝘴 𝘣𝘦𝘦𝘯 𝘴𝘸𝘪𝘮𝘮𝘪𝘯𝘨 𝘯𝘢𝘬𝘦𝘥” - Warren Buffet Happy Friday 🚨 𝗕𝗪𝗢𝗢𝗣 𝗕𝗪𝗢𝗢𝗣 🚨 📣 𝗖𝗠𝗠𝗖 𝗙𝗜𝗡𝗔𝗟 𝗥𝗨𝗟𝗘 𝗔𝗟𝗘𝗥𝗧 📣 ⚠ 𝗧𝗛𝗜𝗦 𝗜𝗦 𝗡𝗢𝗧 𝗔 𝗗𝗥𝗜𝗟𝗟 ⚠

New podcast is up: set phasers to "NFO" edition. Remember that "class deviation" for DFARS clause 252.204-7012? 𝗧𝗵𝗲 𝗴𝗼𝗼𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. 𝗧𝗵𝗲 𝗯𝗮𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. You see while 171r2 is a smaller set of requirements compared to 171r3, it's only smaller because of several questionable and often deeply unhelpful tailoring decisions that allowed the authors to make the document arbitrarily small. This week we dive into the bizarre underbelly of "NFO" controls - cybersecurity requirements that are "𝗲𝘅𝗽𝗲𝗰𝘁𝗲𝗱 𝘁𝗼 𝗯𝗲 𝗿𝗼𝘂𝘁𝗶𝗻𝗲𝗹𝘆 𝘀𝗮𝘁𝗶𝘀𝗳𝗶𝗲𝗱 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝘀𝗽𝗲𝗰𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻" with several examples: - “-1 controls” - Training Records - Independent Assessments - External Connections - Configuration Management - Incident Response Plan - The SA Family Episode links are in the comments 👇 Like ❤️ and subscribe 🔔

New podcast is up: scheduled post while on vacay edition. Anyways, what I used to say: 90% of the questions in the CMMC ecosystem could be answered if people read the first three chapters of NIST SP 800-53. What I say now: 90% of the questions in the CMMC ecosystem could be answered if people took the new RMF-series training courses from NIST. There is a one hour course for each RMF special publication: 𝗦𝗣 𝟴𝟬𝟬-𝟯𝟳 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy 𝗦𝗣 𝟴𝟬𝟬-𝟱𝟯 - Security and Privacy Controls for Information Systems and Organizations 𝗦𝗣 𝟴𝟬𝟬-𝟱𝟯𝗔 - Assessing Security and Privacy Controls in Information Systems and Organizations 𝗦𝗣 𝟴𝟬𝟬-𝟱𝟯𝗕 - Control Baselines for Information Systems and Organizations There is new info. There are new charts. The courses are good. You should take them. The courses should be mandatory pre-requisites to any CMMC training. Check out the latest podcast for our course review (links below 👇) Like ❤️ and subscribe 🔔

Last manual post before I log out for three weeks. No vacation posts until after vacay is over, folks. ✌

Fun fact: the number system in NIST SP 800-53 is like the rings in a tree. The larger the number, the newer the control. Conversely, the smaller the number, the longer it's been in the catalog. The first control in every NIST control family is Policy and Procedures. The obvious pattern reflects NIST's fundamental philosophy regarding security controls: Security controls are selected, tailored, and implemented in order to enforce policy which documents the decisions of senior leadership. This concept is so fundamental to NIST's world view that when they were creating NIST SP 800-171 for companies that already worked with sensitive, regulated government data it made perfect sense to assume that policies, procedure, thorough documentation already existed. Was that a reasonable decision? Maybe. Maybe not. Either way, it turned out that almost no one had such documentation and thus we ended up with a derivative of the "-1 controls" in NIST SP 800-171 revision 3 (see requirement 3.15.1).

New podcast is live: people's choice edition CMMC assessments are difficult, but CMMC certifications are achievable. That's assuming you have passed through the “assessment feasibility determination” prior to the actual assessment. For many companies, failing CMMC assessments won’t be their biggest problem – it will be qualifying for the assessment in the first place. Failing the feasibility determination isn't the same as failing your assessment and many companies will fail to qualify for an assessment at all. But there's no name for this phenomenon - until now. Two weeks ago I asked the LinkedIn hive mind which name we should use and 66% of respondents voted for "False Start". This week on the show we dive into the details of "CMMC False Starts". Episode links are in the comments below 👇 Like ❤️ and subscribe 🔔