tekzar

The guidance suggested below is accurate as of 16 December 2021. On 9 December, Apache publicly disclosed the discovery of a critical vulnerability in their open-source Apache Log4j2 utility. The bug is embedded in software called Log4j, a widely used, publicly available logging utility. The free software is leveraged by cybersecurity practitioners to record (log) user activity and application behavior for subsequent examination to identify potential anomalies.   Following Apache’s disclosure, NIST reported the vulnerability (CVE-2021-44228) on 10 December.  Affected versions of Log4j range from Log4j2 2.0-beta9 through Log4j2 2.14.1. Major service providers including Amazon Web Services, Microsoft, Cisco, Google Cloud and IBM have all reported that some of their services are vulnerable to the bug and the companies are working fastidiously to mitigate the issues.   To help determine whether or not your network is vulnerable or has been exploited, you can leverage this list of hashes associated with vulnerable software versions and you can also use this threat hunting guide to see if the exploit is on your network. In order to effectively mitigate this vulnerability, it is critical for organizations to upgrade to the latest version of the utility – Log4j2 2.16.0. If there is a reason your organization cannot upgrade to 2.16.0, please explore this repair guidance (for versions 2.10 and above).   If you are a DIB contractor and find your network has been exploited, please load the new version immediately. Defense Industrial Base companies should follow up by reporting the network exploitation attempts to the National Defense Information Sharing and Analysis Center (NDISAC) and/or the Department of Defense DIB Collaborative Information Sharing Environment.  

AGENCY: Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DoD). ACTION: Advanced Way Forward The changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. DoD will pursue rulemaking in both: (1) Title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods. Publication of title 32 and title 48 CFR rules will implement DoD’s requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0. These modifications include: • Eliminating levels 2 and 4, and renaming the remaining three levels in CMMC 2.0 as follows: Level 1 (Foundational) will remain the same as CMMC 1.0 Level 1; Level 2 (Advanced) will be similar to CMMC 1.0 Level 3; Level 3 (Expert) will be similar to CMMC 1.0 Level 5. • Removing CMMC-unique practices and all maturity processes from all levels; • For CMMC Level 1 (Foundational), allowing annual self-assessments with an annual affirmation by DIB company leadership; • Bifurcating CMMC Level 2 (Advanced) assessment requirements: Prioritized acquisitions involving CUI will require an independent third party assessment; Non-prioritized acquisitions involving CUI will require an annual self-assessment and annual company affirmation; • For CMMC Level 3 (Expert), requiring Government-led assessments. • Developing a time-bound and enforceable Plan of Action and Milestone process; and, • Developing a selective, time-bound waiver process, if needed and approved. The title 32 CFR rulemaking for CMMC 2.0 will be followed by additional title 48 CFR rulemaking, as needed, to implement any needed changes to the CMMC program content in 48 CFR. DoD will work through the rulemaking processes as expeditiously as possible. Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the Department will suspend the CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking. Further information can be found at: https://www.acq.osd.mil/cmmc/

Why Defense Industrial Base (DIB) Scores Matter? Required for existing contracts Understand your contract to make sure you know if the requirements are pre or post award Foundational Level are what companies are expected to have in place now DFARS 7012, 7019 and 7020 still apply FAR 17 controls still hold (NIST 800-171) DFARS 7019 requires a self-assessment and accurate reporting of your Supplier Performance Risk System (SPRS) score DoD is perusing False Claims Act if you are not abiding by the regulation CMMC 2.0 Level 1 is the same as CMMC 1.0 Level 1 We believe your work at the Foundational Level (CMMC 2.0 Level 1) should be performed in such a manner to prepare you form CMMC 2.0 Level 3. This means having documented and implemented policies and procedures as evidence This documentation will make it easier for you to do your future self-assessments You are responsible for ensuring that your sub-contractors are compliant If your sub cannot do the basics you may want to look elsewhere You could possibly “enclave” them into your environment if they cannot get their act together One person companies still must comply at Level 1 and possibly higher We have had a great deal of success with very small companies as well as larger organizations DO NOT IGNORE THESE REQUIREMENTS – The Goal is to protect the DIB

GjB and Associates reaction based on the links to DoD websites contained in the link below: https://www.defense.gov/News/Releases/Release/Article/2833006/strategic-direction-for-cybersecurity-maturity-model-certification-cmmc-program/ The five levels of CMMC 1.0 have been condensed into three levels. Level 1 “Foundational” appears to consolidate the old Level 1 “Basic” and Level 2 “Intermediate”. It also changes it from a certification based on a third-party assessment to an annual self-assessment. This is HUGE because under CMMC 1.0 it was estimated that 60% of the DIB would require Level 1 Basic and 10% would require Level 2 Intermediate. ~70% of the DIB companies will **not** be required to obtain a triennial third-party assessment but will need to register a self-assessment score annually. Level 2 “Advanced” is the old Level 3. A good change in my opinion. Level 3 “Expert” consolidates the old Level 4 “Proactive” and Level 5 “Advanced.” Another good change. More Detail on the Levels Level 1, the “foundational level,” will include 17 cybersecurity practices and require affected contractors to conduct annual self-assessments, according to a Pentagon website outlining CMMC 2.0.  Senior executive will be required to sign off on the self-assessment Level 2, the “advanced” level, will require 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171, also known as NIST SP 800-171. Triennial third-party assessments for critical national security information Annual self-assessment for selected programs (bifurcation) Limited use of POAMs is expected. A minimal threshold score will be identified in the future by the DoD POAM’s not allowed for highest-weighted requirements POAM’s are now more critical Waivers Only allowed in select mission-critical instances Time-bound – no endless use of POAM’s Requires DoD approval A limited number of waivers will be given Level 2 Bifurcation: Not yet available. Department will determine what qualifies for what. The impact of a compromise on the CUI will be taken under consideration for the determination of bifurcation Level 3, the “expert” level, will include 110 or more practices aligned with NIST SP 800-171. Going Forward/Summary Notably, all companies in the Level 1 category and a subset of companies in Level 2, will be able to conduct self-assessments rather than having to pay for third-party assessments. Other companies in Level 2 will have to undergo triannual third-party assessments, while all companies in Level 3 will have to undergo triannual government-led not CMMC-led assessments. Unlike the old model, CMMC 2.0 will allow for waivers to the cybersecurity requirements “under certain limited circumstances” for “selection mission-critical requirements.” Senior Pentagon leadership will have to sign off on waiver requests. Additionally, the Defense Department plans to specify a baseline number of requirements that must be achieved before contract award but will allow companies to complete the remaining requirements later following a “plan of actions and milestones,” or POAM, that would need to be in place. CMMC 1.0 had no such provisions. The CMMC 2.0 changes will be implemented after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement, following a public comment period. If our simplification is close to accurate, it will reduce the annual assessment costs for CMMC across the DIB by well over 50% from the DFARS Case 2019-D041.  This puts the onus on vendors requiring Level 1 to perform an accurate self-assessment or risk an audit by DCMA that could result in severe punishment.  Whistleblowers are financially incentivized to report those that file false assessments and thusly a possible False Claims Act violation and a potential fine.  The Whistleblower could share as much as 1/3 of the fine.  This is a very good approach and essentially makes the DFARS 252.204-7019 “Interim Rule” the “Permanent Rule” for most of the DIB. The independent third-party assessments are still required for Levels 2 & 3 and put the emphasis where it belongs.  However, there will be a bifurcation of Level 2 and this is yet to be determined and communicated. I believe that the RPO companies in the CMMC ecosystem of practitioners will thrive but there will be far fewer C3PAO companies because there will be fewer vendors that need independent assessment.  The CMMC 2.0 approach appears to be much more realistic and cost-effective than the CMMC 1.0 approach. Rulemaking must be completed to implement CMMC 2.0. Rulemaking – Codifying CMMC 2.0 Rulemaking under 32 CFR to establish CMMC program Rulemaking under 48 CFR is required to update the contractual requirement in the DFARS to implement the CMMC 2.0 9-24 months to complete Rulemaking.  There will be a 60-day public comment period Contractors are directed by the DoD to complete your 110 requirements and not wait for the Rulemaking to be completed DoD can perform an audit at any time CMMC 1.0 requirements are gone          

On November 3rd, PreVeil’s 2nd Annual CMMC Summit will provide an exclusive opportunity to learn and gain insights on the CMMC Program from leading compliance experts.    Sign up to hear from scheduled speakers:  o   Karlton Johnson(Chair, CMMC-AB)  o   Robert Metzger (RJO) o   Stacy High-Brinkley (Cask – C3PAO),  o   Karen Stanford (C3PAO Candidate)  o   Robert Teague (Redspin- C3PAO)  o   Ted Steffan (Sr. Security Partner Strategist at AWS)  o   And more….   Don’t miss this incredible opportunity. Sign up today! https://us02web.zoom.us/webinar/register/1016351273856/WN_6pPldwpvQ2yOA_9davoKug

The Government is preparing to pursue new False Claims Act cases against DoD contractors who misrepresent their cybersecurity compliance status. Just last week, Deputy Attorney General Monaco said “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards” See the full news release here: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative This highly relevant recent bulletin from the U.S. Department of Justice also states: “The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.” This is a great follow-up that reinforces former federal prosecutor Kenji Price, who emphasized the emergence of the FCA as a Federal Government tool to enforce cybersecurity. All DoD contractors should be paying close attention to these developments, and making plans accordingly. Please let us know if you have any questions about this topic or suggestions for related matters that you’d like to see addressed in future webinars. This further emphasizes why you should continue with your NIST 800-171 compliance efforts and ensure that you are minimally at the level set in the DoD Interim Rule of November 2020. SERVICES We will perform a pre CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up NIST 800-171 score and starting you on your way to complete your SSP and POAM. Our goal is to make you as self- sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.

Please note: the FAR CUI rule (FAR Case 2017-016) appears to be on schedule for publication by the end of the year. This rule does two big things: 1) Provides a framework for identifying CUI in government contracts. 2) Mandates NIST SP 800-171 as the minimum requirements for safeguarding CUI for all agencies and their contractors. Regardless of what happens to CMMC in name or substance, NIST SP 800-171 remains the standard for compliance. Doubts around CMMC have more to do with “how” NIST SP 800-171 will be verified for contractors rather than “if”. Thousands of companies have conducted NIST SP 800-171 self-assessments, calculated their scores according to the DoD Assessment Methodology, and officially reported those scores to the government via SPRS to comply with the DFARS interim rule issued in November 2020. It is estimated that many of these companies have been “generous” with their scores. Fedscoop May 13, 2021 issue states: The DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company, which was not named, to move forward in the Cybersecurity Maturity Model Certification (CMMC) process, a spokesperson told FedScoop. Now, it is up to the CMMC Accreditation Body (CMMC-AB) to grant the company Certified Third Party Assessment Organization (C3PAO) status, meaning that it can officially assess the maturity of defense contractors’ cybersecurity in compliance with new CMMC requirements. DIBCAC can come calling to verify your score at any time. Are you “sincerely or generously” prepared? SERVICES We will perform a pre CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up NIST 800-171 score and starting you on your way to complete your SSP and POAM. Our goal is to make you as self- sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.

A. Benefits The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security. This rule is expected to enhance the protection of FCI and CUI within the DIB sector. B. Costs A Regulatory Impact Analysis (RIA) that includes a detailed discussion and explanation about the assumptions and methodology used to estimate the cost of this regulatory action is available at www.regulations.gov. SERVICES We will perform a pre CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up NIST 800-171 score and starting you on your way to complete your SSP and POAM. Our goal is to make you as self- sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.

This rule creates the following new solicitation provision and contract clauses: -DFARS 252.204–7019, Notice of NIST SP 800–171 DoD Assessment Requirements -DFARS clause 252.204–7020, NIST SP 800–171 DoD Assessment Requirements -DFARS clause 252.204–7021, Cybersecurity Maturity Model Certification Requirements. The objective of this rule is provide the Department with: 1. The ability to assess contractor implementation of NIST SP 800–171 security requirements, as required by DFARS clause 252.204– 7012, Safeguarding Covered Defense Information and Cyber Incident Reporting 2. Assurances that DIB contractors can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flowed down to subcontractors in a multi-tier supply chain. Flowdown of the requirements is necessary to respond to threats that reach even the lowest tiers in the supply chain. Therefore, to achieve the desired policy outcome, DoD intends to apply the new provision and clauses to contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold, but greater than the micro- purchase threshold. The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items. SERVICES We will perform a pre CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up NIST 800-171 score and starting you on your way to complete your SSP and POAM. Our goal is to make you as self- sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.

This rule adds a new DFARS subpart, Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC), to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification. Specifically, this subpart directs contracting officers to verify in SPRS that the apparently successful offeror’s or contractor’s CMMC certification is current and meets the required level prior to making the award. A new DFARS clause 252.204–7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of COTS items. This DFARS clause requires a contractor to: Maintain the requisite CMMC level for the duration of the contract; ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments; and include the requirements of the clause in all subcontracts or other contractual instruments. SERVICES We will perform a pre CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up NIST 800-171 score and starting you on your way to complete your SSP and POAM. Our goal is to make you as self- sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.