December 2021

Apache Log4j Mitigation

The guidance below is accurate as of 16 December 2021.

On 9 December, Apache publicly disclosed a critical vulnerability in Log4j 2, its open-source Java logging library. Log4j is embedded in a large number of Java applications and appliances to record (log) user activity and application behavior, the records that security teams later examine to identify anomalies. Following Apache's disclosure, NIST published the vulnerability as CVE-2021-44228 on 10 December. The flaw lets an unauthenticated attacker achieve remote code execution by getting a crafted string (a JNDI lookup) into any value the application logs, such as a User-Agent header or a username. Affected versions range from Log4j2 2.0-beta9 through Log4j2 2.14.1. Major service providers including Amazon Web Services, Microsoft, Cisco, Google Cloud and IBM have reported that some of their services are vulnerable and are working to mitigate the issue.

To determine whether your network is vulnerable or has been exploited, compare the hashes of Log4j files on your systems against this list of hashes associated with vulnerable software versions, and use this threat hunting guide to look for signs that the exploit has been used on your network. A hash match only identifies unmodified copies of the library; Log4j is frequently bundled inside other jar, war and ear files, so also inventory the version recorded inside each archive.

To effectively mitigate this vulnerability, organizations must upgrade to the latest version of the utility, Log4j2 2.16.0. If your organization cannot upgrade to 2.16.0, follow this repair guidance (for versions 2.10 and above).

If you are a DIB contractor and find your network has been exploited, install the fixed version immediately and preserve the relevant logs for investigation. Defense Industrial Base companies should then report the exploitation attempts to the National Defense Information Sharing and Analysis Center (NDISAC) and/or the Department of Defense DIB Collaborative Information Sharing Environment.
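As an added example (not code from this advisory, from Apache, or from NDISAC), the following Python script performs the inventory step described above. It walks a directory tree, opens every jar, war and ear it finds, reads the version that Maven stamps into log4j-core's pom.properties, computes each file's SHA-256 for comparison against a hash list, and checks whether the JndiLookup class is present (the class that Apache's published class-removal fallback deletes on hosts that cannot upgrade). The affected range and the recommended release are taken from the advisory; it also flags any release below 2.16.0 as "below-recommended", which goes slightly beyond the stated range. The status labels, the file names and the minimal sample jars built by demo() are constructed for illustration.

```python
"""Scan a directory tree for log4j-core jars and classify each against the advisory.
Added example, not code from the page or from Apache."""
import hashlib
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Affected range and fixed release as stated in the advisory above.
FIRST_AFFECTED, LAST_AFFECTED, RECOMMENDED = "2.0-beta9", "2.14.1", "2.16.0"
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 3


def parse_version(text):
    """Sortable key: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.14.1' < '2.16.0'."""
    base, _, qualifier = text.strip().partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    if not qualifier:
        return (*nums, 3, 0)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    return (*nums, _QUALIFIER_RANK.get(m.group(1).lower(), 0), int(m.group(2) or 0))


def classify(version, jndi_present):
    """Map a version string plus presence of JndiLookup.class to a status label (labels are ours)."""
    if version is None:
        return "unknown-version" if jndi_present else "not-log4j-core"
    v = parse_version(version)
    if parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED):
        # Removing JndiLookup.class is Apache's published fallback for hosts that cannot upgrade.
        return "vulnerable" if jndi_present else "affected-version-jndilookup-removed"
    if v < parse_version(RECOMMENDED):
        return "below-recommended"
    return "ok"


def assess_jar(path):
    """Return (sha256, version, jndi_present, status) for one archive on disk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    jndi_present = JNDI_LOOKUP_CLASS in names
    return digest.hexdigest(), version, jndi_present, classify(version, jndi_present)


def scan(root):
    """Walk root and return {archive path: assessment}; unreadable archives get an error status."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                try:
                    results[path] = assess_jar(path)
                except (zipfile.BadZipFile, OSError, ValueError) as exc:
                    results[path] = (None, None, None, f"error: {exc}")
    return results


def make_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal archive carrying only the two entries the scanner reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build three constructed jars in a temp dir and return {file name: status}."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
    return {os.path.basename(p): r[3] for p, r in scan(root).items()}


if __name__ == "__main__":
    # Usage: python scan_log4j.py /path/to/scan   (no argument runs the constructed demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, (sha, ver, jndi, status) in (scan(target) if target else {}).items():
        print(f"{status:36} {ver or '?':10} jndi={jndi} {sha} {path}")
    if not target:
        print(demo())
```

Run it against application directories, container image layers and appliance file systems, not just the host package manager's view; the "unknown-version" status marks shaded or repackaged archives that still carry JndiLookup.class and need manual review, and the SHA-256 column is what you compare against the published hash list.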


Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward

AGENCY: Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DoD).

ACTION: Advanced Way Forward

The changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. DoD will pursue rulemaking in both: (1) title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods. Publication of the title 32 and title 48 CFR rules will implement DoD's requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0. These modifications include:

• Eliminating levels 2 and 4, and renaming the remaining three levels in CMMC 2.0 as follows: Level 1 (Foundational) will remain the same as CMMC 1.0 Level 1; Level 2 (Advanced) will be similar to CMMC 1.0 Level 3; Level 3 (Expert) will be similar to CMMC 1.0 Level 5.
• Removing CMMC-unique practices and all maturity processes from all levels;
• For CMMC Level 1 (Foundational), allowing annual self-assessments with an annual affirmation by DIB company leadership;
• Bifurcating CMMC Level 2 (Advanced) assessment requirements: prioritized acquisitions involving Controlled Unclassified Information (CUI) will require an independent third-party assessment; non-prioritized acquisitions involving CUI will require an annual self-assessment and annual company affirmation;
• For CMMC Level 3 (Expert), requiring Government-led assessments;
• Developing a time-bound and enforceable Plan of Action and Milestones process; and,
• Developing a selective, time-bound waiver process, if needed and approved.

The title 32 CFR rulemaking for CMMC 2.0 will be followed by additional title 48 CFR rulemaking, as needed, to implement any needed changes to the CMMC program content in 48 CFR. DoD will work through the rulemaking processes as expeditiously as possible.
Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the Department will suspend the CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking. Further information can be found at: https://www.acq.osd.mil/cmmc/
