Stay updated on the latest DIB rulemaking updates for 2024, including CMMC, DFARS, NIST, and more. Get insights on incident reporting, cybersecurity requirements, and upcoming regulations in this informative podcast summary.
Watch the Podcast
What's the latest with DFARS, CMMC, FAR, and NIST and other DIB rules this year?
Q2 2024 is upon us so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the Summer doldrums push things into the Fall, then we could be in for a relentless rulemaking/holiday season.
What's the latest with the ๐๐๐ ๐๐ฆ ๐ฃ๐ฟ๐ผ๐ด๐ฟ๐ฎ๐บ ๐๐ถ๐ป๐ฎ๐น ๐ฅ๐๐น๐ฒ?
- Published March 2024
- Expands eligibility to the DIB CS Program for non-cleared defense contractors
- What to know:
- DoD commonly references the DIB CS Program expansion in response to criticism about not providing defense contractors with sufficient cybersecurity tools and resources.
- While the DIB CS Program helps contextualize cyber threats through strong information sharing relationships, there is little compliance value for facilitating NIST and CMMC requirements.
What's the latest with the ๐๐๐ฅ๐๐๐ ๐ฃ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฅ๐๐น๐ฒ?
- Published April 2024
- Duplicates and expands cyber incident reporting requirements
- What to know:
- Defense contractors are โcovered entitiesโ under the proposed rule and will have expanded cyber incident reporting requirements on top of their existing obligations pursuant to DFARS contract clause 252.204-7012.
- If DoD and CISA can reach an agreement, DIB suppliers may be able to report to only one agency instead of two.
What's the latest with the ๐ก๐๐ฆ๐ง ๐ฆ๐ฃ ๐ด๐ฌ๐ฌ-๐ญ๐ณ๐ญ ๐ฎ๐ป๐ฑ ๐ญ๐ณ๐ญ๐ ๐ฅ๐ฒ๐๐ถ๐๐ถ๐ผ๐ป ๐ฏ?
- ETA: May 2024
- Expands the requirements assessed at CMMC Level 2 by ~30%
- What to know:
- If DoD doesnโt issue an implementation waiver (known as a โclass deviationโ), then defense contractors will need to implement SP 800-171 revision 3 as soon as they receive a solicitation after the final revision is published.
- The CMMC proposed rule specifies SP 800-171 revision 2 so unless DoD is able to sync-up DFARS 7012 and CMMC contractors will need to juggle two different cyber requirement baselines.
What's the latest with the ๐๐๐๐ฅ๐ฆ ๐ฎ๐ฑ๐ฎ.๐ฎ๐ฌ๐ฐ-๐ณ๐ฌ๐ญ๐ฎ ๐๐ฏ.๐ฌ ๐ฃ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฅ๐๐น๐ฒ
- ETA: Q4 2024
- Hopefully kills the term "CDI", explains international reciprocity, includes SP 800-172 requirements, and explains FedRAMP "equivalency"
- What to know:
- The DFARS 7012 rulemaking process isnโt run by the same Pentagon team that runs CMMC rulemaking so updates and cross-collaboration are hard to come by.
- All of the various DFARS clauses (7019, 7020, 7021) and assessment programs like CMMC and the DoD Assessment Methodology (โDoDAMโ) are intended to verify the implementation of requirements imposed by DFARS 252.204-7012 โ it is the center of gravity.
What's the latest with ๐ก๐๐ฆ๐ง ๐ฆ๐ฃ ๐ด๐ฌ๐ฌ-๐ญ๐ณ๐ฎ ๐ฎ๐ป๐ฑ ๐ญ๐ณ๐ฎ๐ ๐ฅ๐ฒ๐๐ถ๐๐ถ๐ผ๐ป ๐ญ?
- ETA: Q4 2024
- Expands the requirements assess at CMMC Level 3 by TBD%
- What to know:
- Unlike NIST SP 800-171, the requirements in SP 800-172 arenโt capped by the size of the SP 800-53 moderate baseline.
- The requirements in SP 800-172 can therefore be esoteric, complex, and expensive.
What's the latest with the ๐ฏ๐ฎ ๐๐๐ฅ ๐๐ ๐ ๐ ๐๐ถ๐ป๐ฎ๐น ๐ฅ๐๐น๐ฒ?
- ETA: 2H 2024
- Establishes the CMMC Program at Title 32 of the Code of Federal Regulations
- What to know:
- DoD (and the Office of Management and Budget) are highly motivated to publish the final rule before the November election in order to avoid additional red tape.
- Kicks off the "market roll-out" for assessments: a situation where companies can pay a C3PAO for an official CMMC assessment prior to the DoD requiring CMMC certification in contracts (see below).
- A large gap between the market roll-out and the contractual โphased roll-outโ will result in market forces driving assessment requirements long before DoD requires it in a single contract (see below).
What's the latest with the ๐ฐ๐ด ๐๐๐ฅ ๐๐ ๐ ๐ ๐ฃ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฅ๐๐น๐ฒ?
- ETA: Q4 2024 (Maybe)
- Revises the DFARS 252.204-7021 clause to point to 32 CFR CMMC
- What to know:
- Kicks off the "phased roll-out" for CMMC level requirements in contracts.
- As of late April 2024 the rule is delayed due to internal revisions. While this is completely normal it will significantly extend the time between the market and phased roll-outs โ many companies will be pushed to attain CMMC certification by market forces outside of DoDโs control.
What's the latest with the ๐๐๐ฅ ๐๐จ๐ ๐ฃ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฅ๐๐น๐ฒ?
- ETA: 2H 2024
- Establishes SP 800-171 as the minimum requirement for CUI via a federal-wide contract clause
- What to know:
- The FAR CUI rule is the third piece of the three-part plan to implement the federal Controlled Unclassified Information program, but it has been missing in action since 2016.
- The rule will likely drive other federal agencies reject contractor self-attested implementation of cyber requirements possibly expanding the requirement for CMMC certification.
Episode Links:
- Register for our upcoming CS2 Replay here
- Q1 Rulemaking Calendar
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
