Episodes

  • What is DFARS 7012?
    2025/04/17

    Most people mistakenly believe that their cybersecurity requirements stem from the Cybersecurity Maturity Model Certification Program (CMMC). CMMC is simply a verification program that proves if you have implemented the requirements imposed by DFARS clause 252.204-7012. Ultimately, DFARS clause 252.204-7012 is the center of gravity for all the cybersecurity stuff that comes with being a defense contractor. This week is an important primer on DFARS 7012 because even though it's only 13 paragraphs long, few people take the time to read it closely.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    DFARS 7008: https://youtu.be/vgrRGIWboKc?si=TFuX_wYBgfDhNQ8X

    DFARS 7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.

    The History of CMMC: https://youtu.be/jbY2irZ1ePg?si=Khw6kLH5JnXfiTs6

    7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=2TczM85cISzpd63V

    FedRAMP equivalency memo: https://youtu.be/torWNL3U7ZY?si=_tAubFpxJxtqrS6L

    39 min
  • What is DFARS 252.204-7008?
    2025/04/10

    After 100 episodes diving into every possible rabbit hole to help illuminate the bigger picture around CMMC, we're starting over at square zero: the “DFARS Cyber Series” of contract clauses. First up: the solicitation provision 252.204-7008. Although 7008 doesn't have the notoriety of its big brother DFARS 252.204-7012, it is the first domino that triggers the cascade of cybersecurity compliance obligations that ultimately culminate in CMMC assessment.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    DFARS 252.204-7008: https://www.acquisition.gov/dfars/252.204-7008-compliance-safeguarding-covered-defense-information-controls.

    The 2016 final rule: https://www.federalregister.gov/documents/2016/10/21/2016-25315/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for

    36 min
  • DOJ vs Small Defense Contractors
    2025/04/03

    The Department of Justice finally did it: they went after a small defense contractor for failure to comply with their contractually obligated cybersecurity requirements. This case has it all from fake SPRS scores to whistleblowers getting paid hundreds of thousands of dollars to contractors paying millions in fines. All thanks to the same set of contract clauses in every DoD contract and the same errors committed by the vast majority of defense contractors.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    DOJ press release: https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud

    Law firm press release: https://www.prnewswire.com/news-releases/morsecorp-agrees-to-pay-4-6-million-to-settle-landmark-cybersecurity-false-claims-act-case-brought-by-whistleblower-law-collaborative-client-302412118.html?tc=eml_cleartime

    FCA w/ Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=_CgQ3WTV2ynVbEyL

    FCA w/ Alex Canizares: https://youtu.be/Tga0krfIrEk?si=oOXG-zvYcV_mGTL2

    23 min
  • March AB Townhall Recap
    2025/03/27

    The Cyber AB is back with their monthly Town Hall meeting which can only mean one thing; Joy is here to co-host the show, and we are gonna break down the information distributed during the meeting. The ecosystem is growing, CMMC is going international, and so much more! Tune in to see what we have to say!

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    Sum IT Up ‘Canada’s CMMC’: https://youtu.be/AFe8CeIosYk?si=3Um3sXa1IEoTvAbD

    AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

    23 min
  • Canada’s CMMC
    2025/03/20

    The Canadian Program for Cyber Security Certification (CPCSC) requires defense contractors to undergo assessment against NIST SP 800-171 revision 3. That's a big problem for contractors who also do work for the U.S. Department of Defense because CMMC currently evaluates NIST SP 800-171 revision 2 and will for quite some time. In this episode we dive into what we know about Canada's version of CMMC and how close (or far) we are from reciprocity between the programs and what might be done to close the gap.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    CPCSC Info: https://www.canada.ca/en/public-services-procurement/services/industrial-security/security-requirements-contracting/cyber-security-certification-defence-suppliers-canada.html

    40 min
  • C3PAO Authorization Audit Pt. 4 of 4
    2025/03/13

    At long last we've come to the fourth and final episode covering every finding and allegation in the DoD Inspector General Report on the CMMC process for authorizing 3rd-party assessment organizations. So far none of the 10 findings come anywhere close to spelling doom for the CMMC program. Perhaps the juiciest scandals were saved for last?

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    DoD IG report: https://www.dodig.mil/reports.html/Article/4028189/audit-of-the-dods-process-for-authorizing-third-party-organizations-to-perform/

    IG Report Part 1: https://youtu.be/RNafaUlgBGo?si=4prcpAp3GUAhk8nN

    IG Report Part 2: https://youtu.be/_kU7N2uI3xU?si=li1PwnG-FRSBjzyb

    IG Report Part 3: https://youtu.be/3ND8RG2cKEc?si=ap5N5jasjYSztUVn

    22 min
  • C3PAO Authorization Audit Part 3 of 4
    2025/03/06

    We're almost done with our exploration of the DoD Inspector General audit of the CMMC C3PAO authorization process. The last two recommendations might be the most perplexing of all. Maybe the Inspector General saved the best for last?

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    DoD IG report: https://www.dodig.mil/reports.html/Article/4028189/audit-of-the-dods-process-for-authorizing-third-party-organizations-to-perform/

    IG Report Part 1: https://youtu.be/RNafaUlgBGo?si=4prcpAp3GUAhk8nN

    IG Report Part 2: https://youtu.be/_kU7N2uI3xU?si=li1PwnG-FRSBjzyb

    31 min
  • February Cyber AB TH Recap
    2025/02/27

    The Cyber AB is back with their monthly Town Hall meeting. This week we dive into “what's new” with the CMMC Program for the month of February covering things like: What do the ecosystem numbers look like right now? What's up with T3 suitability? Can people announce if they're certified yet? And so much more!

    Register for CS2 Reston: https://cs2.cloud/reston

    Register for S7 Live: https://www.summit7.us/s7live

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    38 min