Jacob Horne’s Post

New podcast is out: 2024 Rulemaking Calendar - Q2 Update Edition This week Jason and I walk through the 8 major rules and revisions you need to know about: ETAs, explanations, potential issues. All in under an hour. Like ❤️, subscribe 🔔, show links in the comments 👇 𝗗𝗜𝗕 𝗖𝗦 𝗣𝗿𝗼𝗴𝗿𝗮𝗺 𝗙𝗶𝗻𝗮𝗹 𝗥𝘂𝗹𝗲  - Published March 2024 - Expands eligibility to the DIB CS Program for non-cleared defense contractors 𝗖𝗜𝗥𝗖𝗜𝗔 𝗣𝗿𝗼𝗽𝗼𝘀𝗲𝗱 𝗥𝘂𝗹𝗲  - Published April 2024 - Duplicates and expands cyber incident reporting requirements 𝗡𝗜𝗦𝗧 𝗦𝗣 𝟴𝟬𝟬-𝟭𝟳𝟭 𝗮𝗻𝗱 𝟭𝟳𝟭𝗔 𝗥𝗲𝘃𝗶𝘀𝗶𝗼𝗻 𝟯  - ETA: May 2024 - Expands the requirements assessed at CMMC Level 2 by ~30% 𝗗𝗙𝗔𝗥𝗦 𝟮𝟱𝟮.𝟮𝟬𝟰-𝟳𝟬𝟭𝟮 𝘃𝟯.𝟬 𝗣𝗿𝗼𝗽𝗼𝘀𝗲𝗱 𝗥𝘂𝗹𝗲  - ETA: Q4 2024 - Hopefully kills the term "CDI", explains international reciprocity, includes SP 800-172 requirements, and explains FedRAMP "equivalency" 𝗡𝗜𝗦𝗧 𝗦𝗣 𝟴𝟬𝟬-𝟭𝟳𝟮 𝗮𝗻𝗱 𝟭𝟳𝟮𝗔 𝗥𝗲𝘃𝗶𝘀𝗶𝗼𝗻 𝟭  - ETA: Q4 2024 - Expands the requirements assess at CMMC Level 3 by TBD% 𝟯𝟮 𝗖𝗙𝗥 𝗖𝗠𝗠𝗖 𝗙𝗶𝗻𝗮𝗹 𝗥𝘂𝗹𝗲  - ETA: 2H 2024 - Establishes the CMMC Program and kicks off the "market roll-out" for assessments 𝟰𝟴 𝗖𝗙𝗥 𝗖𝗠𝗠𝗖 𝗣𝗿𝗼𝗽𝗼𝘀𝗲𝗱 𝗥𝘂𝗹𝗲  - ETA: Q4 2024 (Maybe) - Revises the DFARS 252.204-7021 clause to point to 32 CFR CMMC; kicks off the "phased roll-out" for CMMC level requirements in contracts 𝗙𝗔𝗥 𝗖𝗨𝗜 𝗣𝗿𝗼𝗽𝗼𝘀𝗲𝗱 𝗥𝘂𝗹𝗲  - ETA: 2H 2024 - Establishes SP 800-171 as the minimum requirement for CUI via a federal-wide contract clause

Navigate the Security Maze Wisely! Unravel ISO 27001 vs. NIST Framework with Our Comprehensive Guide. Don't let compliance confusion compromise your business. Gain clarity, secure your operations. Act now for a safeguarded future!

Protecting Controlled Unclassified Information: Drafts of NIST SP 800-171 Rev. 3 and NIST SP 800-171A Rev. 3 Available for Comment The public comment period for both drafts is open through January 12, 2024. We strongly encourage you to use the comment template available on each publication details page, and submit your comments to 800-171comments@list.nist.gov. Reviewers are encouraged to comment on all or parts of both publications. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. https://lnkd.in/gKPbAN-m

Here is the YouTube link of the latest episode of "Because the World Needs More Security Leaders Like You" is now live on YouTube! In this episode, I had the pleasure of interviewing Dr. Ram Kumar G, Ph.D, CISM, PMP, a leading voice in cyber security and risk management. Join us as we dive deep into: - Dr. Kumar's inspiring journey in the field of cyber security - The evolving landscape of AI-driven security solutions - Practical insights on managing vulnerability disclosures - Building a strong security culture within organizations - Advice for aspiring cyber security professionals You won't want to miss this insightful conversation! #CyberSecurity #Podcast #AI #RiskManagement #InformationSecurity #Leadership #YouTube

Plenty of useful information packed into Summit 7's SummitUp Podcast this week, a particularly solid piece from Jacob Horne is a deep dive on the genesis and composition of the "Policy" requirement that has been on the In and Out NIST Burger menu all along. To level set and unify in language, Horne wisely points to NIST SP 800-12 from the Paleolithic period of formalized, regulated governance. Also important to note is how modern NIST SPs 800-171 and 53 (and their assessment 'a' counterparts) mandate event driven and less than annually Organizational Defined Parameter (ODP) specified cadence of review and refresh of said policies(see below). At the peril of abusing the well-abused parlance of "left-of-boom", this is very much a regulatory boom organizations would be wise to get to the left of as soon and as proactively as possible. Auditors will feast upon organizations that fail to do so in the nearer-than-you-think future. One other note, resources like this podcast featuring Horne and Jason Sproesser are out there, FOR FREE! This is the golden age of excellent cybersecurity podcasts, I hope folks at all levels of the ecosystem are partaking of these great contributions to rise all cyber boats. Section 2.5 - Information Security Policy Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. In making these decisions, managers face difficult decisions with regard to resource allocation, competing objectives, and organizational strategy, all of which relate to protecting technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can affect policy, with the scope of the policy’s applicability varying according to the scope of the manager’s authority https://lnkd.in/e27_Wsa3

Join Eclypsium on April 25 to explore NIST's #CybersecurityFramework (CSF 2.0) updates. Learn how the new governance category can strengthen your defense against evolving #cyberthreats. To sign up: https://ow.ly/PFBx30sBH8w

Glad to be featured in the “Because the World Needs More Security Leaders Like You” episode hosted by Amritanshu Bhardwaj where I share my cyber security career journey, GRC domain, AI risks, pointers for aspirants, etc. Many thanks to Amritanshu for the invite and opportunity! #cybercareer #cybersecuritygrc #cybersecurity #grateful

If you are the president or COO of a manufacturing company, encryption of data is likely not something you have immersed yourself in. However, compliance with NIST SP 800-171 does require some understanding of data encryption. If you do not have an IT department or an IT manager, how can you wrap your arms around these requirements? On June 26th at 1 PM EST Robert McVay will be presenting a free webinar on encryption as it relates to NIST 800-171r2 and the protection of CUI. If you have questions about the encryption controls, you will also be able to ask questions during the presentation. Register here!

=============================================          BREAKING NEWS: NIST SP 800-171 Rev 3 Leaked ============================================= Okay, if you are trying to keep up with the status of NIST Special Publication (SP) 800-171 Revision 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," well it leaked. Links are below... Kudos to Joe Scholefield, CCP for figuring it out. Sorry Ron Ross & Victoria Yan Pillitteri--enquiring minds wanted to know. If you are in Defense Industrial Base (#DIB) and subject to DFARS Clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," you should do the following: 1. Continue to follow the "Class Deviation on Cybersecurity Standards for     Covered Contractor Information Systems" and stick to NIST SP 800-171     Rev 2 (c.f., https://lnkd.in/eY88rE47) 2. Add changes required to your security posture required under NIST SP     800-171 R3 to your Risk Registry 3. Add a POA&M entry to plan for and begin implementation of NIST SP     800-171 R3 Security Requirements 4. Go read the new revisions 5. IGNORE THE CMMC FUD STORM ABOUT TO KICK OFF. Call an Authorized     C3PAO for pragmatic guidance Okay, here are the links to NIST SP 800-171 Rev 3 and NIST SP 800-171A Rev3: - https://lnkd.in/eCsGFHQP - https://lnkd.in/eTaf9cfB ================================================= Peak InfoSec Homepage: https://peakinfosec.com As the CMMC Churns Episodes: https://lnkd.in/eVGYGs3g Contact Peak InfoSec for Support: https://lnkd.in/e8sM_2Z3 Email: cmmc@peakinfosec.us ================================================= #cuicon #cmmc #cmmc2 #32cfrpart2002 #32cfrpart170 #infosec #informationsecurity #compliance #cybersecurity #cui #fci #cmmcab #thecyberab #nist800171 #defenseindustry #defensecontractors #defensecontracting #grc #manufacturing #dfars #manufacturingindustry #dib #satellite #satellitecommunications #satellitesystems #managedserviceprovider #msp #managedsecurityservices #mssp #DoD #GovCon #governmentcontracting #SmallBusiness #contracts #contractors 

Measurement Guide for Information Security: Draft of NIST SP 800-55 Available for Comment: The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 — Identifying and Selecting Measures, and Volume 2 — Developing an Information Security Measurement Program, are now available for public review and comment through March 18, 2024.  This update to SP 800-55 is comprised of two volumes. Volume 1 … Continue reading Measurement Guide for Information Security: Draft of NIST SP 800-55 Available for Comment