Pablo Breuer, Ph.D.

Sara Friedman, thanks for the great article! DoD's ramp up plan per the draft 32 CFR Part 170 for the number of assessed orgs isn't the throughput concern. As an authorized C3PAO, we are warning clients to expect heavy market pressure from their Primes when Peak InfoSec and other C3PAOs can start doing assessments to get CMMC Level 2 Certified ASAP. We are hearing consistently that start date will be March 2025. We are already hearing subs are told by their primes to either undergo a JSVA before the start date or be ready to get CMMC L2 Certified during Phase 1. Or, be ready to be dropped from teaming groups... We are also uncertain about if and how DoD would want authorized C3PAOs to prioritize assessments. Logically, companies competing for Phase 2+ contracts and ESPs should have priority. Everyone else gets worked as the ecosystem naturally grows to handle the demand, which I believe it will. In the meantime, we recommend all DIB companies to start their C3PAO selection process now and get on the assessment schedule.

2

In this JSOU Live webinar, I talk about key concerns in the cyber supply chain with my colleagues and we look at ways we can mitigate those threats. If you are interested in C-SCRM, the supply chain, or vulnerabilities please take a look! We recorded this a few years ago, but it is still relevant! #CSCRM #cybersecurity #supplychain https://lnkd.in/eZR5KQck

6

1 Comment

New podcast is up: set phasers to "NFO" edition. Remember that "class deviation" for DFARS clause 252.204-7012? 𝗧𝗵𝗲 𝗴𝗼𝗼𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. 𝗧𝗵𝗲 𝗯𝗮𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. You see while 171r2 is a smaller set of requirements compared to 171r3, it's only smaller because of several questionable and often deeply unhelpful tailoring decisions that allowed the authors to make the document arbitrarily small. This week we dive into the bizarre underbelly of "NFO" controls - cybersecurity requirements that are "𝗲𝘅𝗽𝗲𝗰𝘁𝗲𝗱 𝘁𝗼 𝗯𝗲 𝗿𝗼𝘂𝘁𝗶𝗻𝗲𝗹𝘆 𝘀𝗮𝘁𝗶𝘀𝗳𝗶𝗲𝗱 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝘀𝗽𝗲𝗰𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻" with several examples: - “-1 controls” - Training Records - Independent Assessments - External Connections - Configuration Management - Incident Response Plan - The SA Family Episode links are in the comments 👇 Like ❤️ and subscribe 🔔

49

9 Comments

DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. Read the proposed rule here: https://hubs.li/Q02Lt0VR0 #CMMC #CMMC2.0

10

📢 Attention Defense Contracting Community: 📢 Attention John M. Tenaglia, Principal Director, Defense Pricing and Contracting In light of the recently released MEMORANDUM FOR COMMAND, titled "Class Deviation—Safeguarding Covered Defense Information and Cyber Incident Reporting," it's crucial to reconsider certain aspects of the CMMC 2.0 program. Referencing the initial implementation of DFARS clause 252.204-7012: "(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017." In this context, the clauses clearly state that THIRD-PARTY Assessments or Certifications of Compliance are NOT recognized by the DoD, nor does the DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements. Implementing these clauses would render the proposed CMMC 2.0 program obsolete and could potentially save $4 billion. Additionally, using NIST SP 800-171 Rev 3 as the standard would allow the Defense Industrial Base (DIB) to submit Organization Defined Parameters (ODP) to meet evolving cybersecurity requirements, ensuring continual security and compliance. Let's align policy with practical, cost-effective cybersecurity measures for our defense contractors.....IMHO K #Cybersecurity #CMMC #DefenseContracting #NISTSP800171#$4B

4

Come see us at the SIA Government Summit (Main Auditorium of the National Housing Center) in DC next week! We will be discussing the path forward to modernization, proliferation of OT/IoT devices in the security space, and the convergence of technologies in an interconnected world. We are honored to have distinguished members of the Federal community on the panel, contributing their experiences and views on a range of topics resonating in the field of physical security today. Hope to see you there! #physicalsecurity, #homelandsecurity, #departmentofdefense, #accesscontrol, #CCTV,

2

Finally some objective analysis. 😱👀

1

As an expert in Cybersecurity I’m headlining this conference!

2

1 Comment

Solutions exist for secure mobile communications! As this alert from the FBI on risks to mobile communications circulates, know that the ATARC (Advanced Technology Academic Research Center) Future of Secure Work (FSW) Work Group has a series of concise white papers that outline solutions and steps to expand secure mobile communications while enhancing security. Organizations can have both mobile communications and improved security. Elizabeth Wyckoff Heather McMahon Jamie J. Randy Siegel Mark Gorak Nox Landa Michael Campbell James Stanger #communication #security #mobility #survivability

30

1 Comment

Working on a CMMCaudit .org blog about brand new defense contractors that realize they need a #CMMC Level 2 certification to start bidding. And of course, there is no spare money to be found. What are the most efficient options for them? The good news is that these companies don't have much infrastructure. Meaning that they are probably operating from a few personal laptops, with no investment in a larger IT network. They've avoided 'technical debt' - having an existing mission-critical network that never had cybersecurity as a priority (very expensive to upgrade). My initial response is summed up as... - The cost of having a NIST SP 800-171 compliant network can be viewed similarly to renting a facility or buying machinery. Just a capital requirement to win work. I do understand that CMMC certification costs could easily double the first year cost of an defense contractor that offers skilled FTEs or tech work. I'm not trying to minimize how hard this is. But lots of businesses need to get investment before they start; CMMC is just another ?$60-$100k?. It should be a huge market advantage to be certified in 2025. - I can think of a dozen vendors that have built CMMC Level 2 compliant solutions. Reaching out to those companies, rather than trying to reinvent the wheel yourself, will likely cost you 15-50% of what it would cost to in-house your compliance. For example, my (completely unscientific) estimate is that it costs $300k-800k to architect and maintain a functional small business network from scratch (almost entirely labor costs, year 1-2). In comparison: from what I've heard; CMMC-oriented Managed Services Providers will build a functional small network for you for about $70k and maintain it for ~60k a year. I also know of one vendor that offers a CMMC Level 2 virtual enclave for about $3-4k per month. Kieri Solutions - Authorized C3PAO (my company) offers a Reference Architecture (full build instructions, engineering support support, and training/instructions to maintain Level 2 compliance) for a bit less than $15k. Optionally, we can build it for you and do all the compliance actions necessary to be ready for certification. But you need to supply a smart system administrator to be responsible for the network long-term. Not for every company. My ask: If you are a vendor offering CMMC Level 2 compliant networks as a solution, please comment with your brand and give a price-range for a small network (10 users, no special technology) for year 1+2. I will delete replies that do not include a price range! If you aren't a vendor, but have some tips for how to get a certifiable network built for cheap, please also respond! I plan to summarize your offerings and ideas in a post on CMMCAudit .ORG. Here are some people you should follow (that I hope will reply): Andy Sauer Ryan Heidorn Ben Gerenstein, Glenda R. Snodgrass, CCP/CCA Bobby Guerra

105

28 Comments

Listening to a great talk on single point of failure supply chain by Tarah Wheeler at the IANS Boston security forum. Great talk and a great introduction to the discussion led later today on this issue. If you are here and want to continue this massively important issue join my session on supply chain at 1:05 PM. I believe this is one of the biggest problems in cybersecurity today. What can you do about it? What are you doing about it? Tarah is bringing up some great points. Have you implemented her suggestions? What have been your challenges? Have you considered the wide variety of sources of supply chain attacks? Software updates are not the only thing you need to worry about. What tools exist to help you defend against these attacks? This was a great introduction to today’s discussion and I hope it helps people consider the severity of this issue. Come to learn and share how you are dealing with supply chain attacks with your peers.

8

This week's podcast, CIRCIA Rulemaking: Double Incident Reporting for the DIB. Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies. Links to watch/listen are in the comments ⬇ #DIB #DOD #cyber

14

2 Comments

Yesterday had some significant announcements from the United States Department of Defense #FFRDC and #UARC community, with the next leaders of three major organizations being announced on the same day. Mark Peters will become MITRE's new CEO (https://lnkd.in/ev8vf2iw). Melissa Choi will become MIT Lincoln Laboratory's next Director (https://lnkd.in/eBqvFgUx). John Beieler will become University of Maryland Applied Research Laboratory for Intelligence and Security's next Executive Director (https://lnkd.in/eeS2XaHt). Personally I think this is a momentous point in time for the DOD and the FFRDC/UARC community. Technology's importance to the future of warfighting could never be stronger, but so too is the importance of technology in pre-conflict economic competition. DOD is in a unique position to integrate across these domains, and having three new leaders with such strong S&T credentials puts the FFRDC/UARC community and the DOD in an excellent position to succeed.

147

3 Comments

Another case of cyber risk elevation in critical infrastructure with the Andariel group, also known as Silent Chollima, Onyx Sleet, and primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. Corporations with industrial facilities or physical assets can get a better grasp of their cyber risk by using DeNexus' advanced solution for cyber risk management: - Get all your internal cybersecurity telemetry to feed automatically into our models - Translate technical cybersecurity data (CVEs, security control compliance) into business metrics - Prioritize risk mitigation projects for a true risk-based approach to cybersecurity - Engage executives, boards and CFO with business metrics to justify investments - Show the value of your cybersecurity efforts in business terms. https://lnkd.in/g74gGnpF

5

Washington, D.C.: Today, the Biden administration proposed banning certain software and hardware (from adversarial nations) in vehicles connected to the internet, citing national security risks. 🚗 🚛 🚙 🚐 The U.S. Department of Commerce's proposed rule would ban importing cars with vehicle connectivity systems and automated driving systems developed in China and Russia. 👥 🆙 My brilliant Forescout Technologies Inc. colleague Rik Ferguson and I have closely tracked this issue and explored the national security problems surrounding connected vehicles imported by foreign adversaries when the Department of Commerce first announced its inquiry in March. ❗ "These risks extend beyond data privacy concerns. While we benefit greatly from the shift to a more digital and connected world, those connections create new avenues for espionage and sabotage. We must remain vigilant in identifying and securing those vulnerabilities, including potential vulnerabilities present in connected vehicles,” said Undersecretary for Industry and Security Alan Estevez. ✅ "Consider the American Security Drone Act of 2023, which prohibits federal agencies and federally funded programs from purchasing or using drones manufactured in countries that are viewed as threats to U.S. national security. This regulation was introduced after Chinese-manufactured drones already swarmed the U.S. market. Perhaps the Biden administration can avoid this situation from happening again with connected vehicles by acting proactively." Stay Frosty! ☃ You can read our oped here:

103

18 Comments

I’ve been involved with applied Defense RDT&E for over 20 years (wow that slaps) and been the Principal or Technical Lead on over 100 programs. As a Human Factors / Cognitive Systems expert, I often have the luxury of finding a way to meaningfully contribute to any research program that catches my interest, simply due to the fact that everything (at least that interests me) is aligned to enabling, amplifying, or protecting a human user.  Our new OTA with SOCOM represents the first time in a quite a while where the stars are aligning to provide a perfect opportunity that has a Operator-centric focus, a customer that understands the importance of that focus, the funding and runway to achieve meaningful outcomes, and a Defense-related mission need that is at once salient today, critical for the future, and directly in line with the emerging technologies that interest me most today.  Needless to say, it’s an exciting time for me, and our rapidly growing team of engineers, data scientists, and operational experts, to be challenged with an impactful operational problem to solve. 

25

4 Comments

This week I shared thoughts on the #threat of Chinese malicious cyber activity and the importance of #cybersecurity at a keynote speech to the Air Force Technical Applications Center in sunny Florida. During AFTAC's Cybersecurity Day, I encouraged DoD members and industry partners alike to go to NSA.gov to learn from some of the over 75 Cybersecurity Advisories we've published about the threat and what to do about it. We talked about threats like #VOLTTYPHOON and the tactic of #livingofftheland to access and operate in our networks. Products on NSA.gov offer ways to become a hard target by employing #zerotrust principles. We can't choose to not be targets, but we can and must choose to be HARD targets...

199

2 Comments