Tom Conkle’s Post

Looking for an overview of #NIST SP 800-171 Rev 2? Kelly Hood addresses common questions about the standard, clarifies its purpose, and talks about what's in it!  This video provides a great overview to help you get started with SP 800-171 Rev 2, including those starting their #CMMC journey. https://lnkd.in/e8HU9NT8

Profiles are an important concept within the NIST Cybersecurity Framework (CSF) v2.0. Profiles help organize capabilities for achieving the Functions, Categories, or Subcategories in the CSF. There are two types of Profiles: Community and Organizational. Community Profiles: These profiles are crafted by communities with specific focuses, whether it’s industry-specific, technology-centric, or addressing particular challenges like ransomware. Community Profiles are provide insights and best practices, providing a solid foundation for initiatives such as Incident Response Plans or IoT security integration. Explore the wealth of knowledge freely available a https://lnkd.in/eiNyGrCG Organizational Profiles: A powerful tool for sharing cybersecurity capabilities with internal and external stakeholders. They offer a clear, structured way to identify gaps and demonstrate capabilities, ensuring everyone is on the same page. Have you developed an Organizational Profile to capture your capabilities and pinpoint areas for improvement? Optic's free profile template is a fantastic starting point. Check it out here: https://lnkd.in/esUJnjGP For more in-depth information on CSF Profiles, feel free to reach out or visit the check out the NIST resources: https://lnkd.in/ed3U37Uw #CSF20 #NISTCSF

When preparing for #CMMC, understanding where you store, process, or transmit #FCI and #CUI is critical. Most organizations can achieve efficiencies by limiting where FCI and CUI are located within the organization. If there are separate environments that don't store, process, or transmit CUI, including cloud services (e.g., ServiceNow, Gmail), you can scope them out of your CMMC environment. However, you should be prepared to show a policy or other administrative control that proves these services are not authorized for CUI by your organization. Simply stating that workstations and servers are out of scope is not sufficient. You must demonstrate how they are 'out of scope.' You must either physically or logically separate them. Most organizations create separate networks isolated through properly configured segmented VLANs, creating a separate enclave within their environment where CUI is stored, processed, and transmitted. If the environments are logically separated, then you can declare the assets out of scope. If the assets are on the same network, they are not out of scope for CMMC. Even if you have a policy, backed by training and business processes, that does not authorize CUI to be on an asset within a network with other CUI devices, the asset is still in scope. However, it may be a Contractor Risk Managed Asset (CRMA). It's important to understand the difference between CRMA and out-of-scope assets to ensure the appropriate controls are applied to the appropriate assets. Have you developed your CMMC scope? Understanding where CUI is in your environment is critical when scoping a CMMC L2 environment. We find that many organizations start with the wrong understanding of where CUI is located before beginning to build out their controls. When this occurs and the scope is later updated, all the controls previously implemented must be revisited for the newly scoped-in assets. Just like you measure twice before cutting, you should verify and validate your scope before you implement your CMMC L2 controls. If you have questions about scoping your environment, reach out! My team, at Optic Cyber Solutions, has worked with organizations to help scope environments in a cost-effective manner that meets their business needs for today and tomorrow.

Lots of buzz in the #CMMC Community today! Yesterday, #DoD released the CMMC Program rule back to #OMB for publishing. Therefore, DoD has completed adjudicating all public comments and believes the program is ready to go live. You can follow its progress on the OMB's website: https://lnkd.in/eM5QatEk What does this mean for the DIB? The CMMC Program rule remains on track to be finalized in (or before) October 2024. Therefore, CMMC Third Party Organizations (#C3PAO) will be able to perform CMMC assessments. 48 CFR, the CMMC acquisition rule, isn't expected to be finalized until 2025 mandating CMMC in DoD contracts. Therefore, DoD is giving the DIB time to get certified before it is mandated in contracts. If you're not familiar with CMMC or would like help preparing for assessments, reach out. My team at Optic Cyber Solutions has been helping organizations prepare for CMMC leveraging existing capabilities to help minimize some of the burden of CMMC. Need help? Reach out at info@OpticCyber.com today!

Yesterday, The Cyber AB held their June Town Hall! Matthew Travis re-attested that we're still expecting the Title 32 Rule to be finalized in Q4 2024, which will enable #CMMC certifications to begin. With the Title 48 Rule currently under review at OIRA, we anticipate that CMMC will officially start to show up in DoD contracts as early as Q1 2025. It is projected that between 50,000-80,000 companies will need to meet the Level 1 requirements, while around 80,000 companies are expected to need to reach Level 2. There was also an overview of the new MSPCyberX, presented by Brian Hubbard, highlighting resources available to help MSPs meet their CMMC certification requirements. Brian emphasized that #MSPCyberX aims to be an educational resource for MSPs, helping them prepare for CMMC through a collaborative platform that offers resources, an interactive space, and collaborative workshops. At Optic Cyber Solutions, we've been lucky enough to be able to work with the MSPCyberX since it's creation and have been able to contribute to the resources available through the community. Let me know if you have any questions on the current status of the program or feel free to reach out if you're looking to get started preparing for CMMC! #SecureTheDIB #CyberAB #OpticCyber

Great panels kicking off the NIST "Ready, Set, Update! Privacy Framework 1.1 + Data Governance and Management Profile Workshop" this morning. It was exciting to hear how the NIST Privacy Framework (PF) is being used to: * Help communicate privacy expectations within organizations * Align multiple laws and regulations to common organizational privacy goals * Streamline complementary capabilities within the organization by pairing the PF with the Cybersecurity Framework (CSF) * Updating and maintaining organizational policies to align with PF outcomes How have you used the PF 1.0? Looking forward to this afternoon's breakout session to help guide the improvements of PF 1.1

Have you heard, the #CMMC Program rule (32 CFR) is expected to be finalized later this year? This rule enables organizations within the Defense Industrial Base (#DIB) to start getting CMMC certifications. However, the CMMC acquisition rule (48 CRF) isn't expected to be finalized until 2025. Therefore, while certifications will be available they won't be mandatory until a later date. Additionally, DoD has already introduced a phased rollout which will give organizations an additional six months before they may be required to get a third party certification. Should you wait until CMMC is required in your contract? If you're a prime, can you run the risk of not accepting an award of a new contract or an option year of an existing contract? If you're a subcontractor, when will your prime expect you to be certified? Remember, they can't use you on their contract if you are not certified. Primes are likely to be a bigger driver for CMMC than the DoD as the program roles out. Primes run the risk of losing contracts and penalties if they don't ensure their subs are compliant with CMMC. We know that organizations preparing for CMMC Level 2 certifications typically take 6 - 18 months. Therefore, even with the phased rollout and rules not being final if you haven't started your probably falling behind. If you're not sure where to start, or if you'll need to meet these requirements reach out. It's better to ask now than to wait until you're under the gun!

Today's the day! I'm looking forward to this afternoon's discussion with Kelly Hood to review the #NIST #CybersecurityFramework v2.0. During the session we will highlight:  💡What is the #CSF v2.0  💡What changed from v1.1  💡What you should know   💡What to do with this understanding Have you registered? If not, there is still time using the link below. https://lnkd.in/eJ_8Vmam NIST Cybersecurity Framework v2.0 Explained Jun. 18, 2024 | 1 PM ET | 10 AM PT

Since the release of SP 80-171r3, there has been a lot of discussion on Organization-Defined Parameters or ODPs. ODPs are new to SP 800-171, but not new to security control sets. They’ve been around since 2005 with the introduction of SP 800-53. I’ve spoken to several people that say they can’t begin preparing for SP 800-171r3 because the [insert federal agency] has not defined the ODPs. However, many agencies and the FedRAMP PMO have already defined ODPs for SP 800-53r5 which is the source of SP 800-171r3; therefore, we have an indication of what to expect for SP 800-171 ODPs. Not sufficient? #NIST is one step ahead of you. SP 800-171r3 states “If a federal agency or a consortium of agencies do not specify a particular value or range of values for an ODP, nonfederal organizations must assign the value or values to complete the security requirement.” Therefore, you get to decide the ODP values when guidance isn’t available. There are many reasons not to worry about SP 800-171r3 today (e.g., #DFARS Class Deviation, no FAR Mandate – yet, still working on implementing SP 800-171r2, #CMMC); however, not having ODP values isn’t one of them. If you need help implementing SP 800-171, reach out. I’d be happy to discuss how Optic can help you implement SP 800-171r2 today while keeping an eye towards the future, so you don’t have to rip and replace when SP 800-171r3 becomes a requirement. Also, if you’re just getting started, check out our template for capturing what you’re already doing against SP 800-171r3 here: https://lnkd.in/eyV3XNpz #SP800171 #SP80053

Starting hear the buzz around the Cybersecurity Maturity Model Certification (#CMMC) program? As CMMC comes closer to completing rulemaking and becoming a requirement for DoD contractors with Federal Contract Information (#FCI) and Controlled Unclassified Information (#CUI), more an more people are talking about it. Want to learn more but not sure where to start? Check out #OpticCyber's latest video with Kelly Hood providing an overview of CMMC! 👇 https://lnkd.in/gm23zP_S