Notes on Bob Metzger's comments on the DFARS clause
Source: "Bob Metzger on the DFARS Interim Rule and Cloud Compliance" (YouTube, youtube.com)
Several billion dollars to one trillion dollars stolen.
Without more rigor there is not much confidence the DIB is protecting the various forms of controlled unclassified information.
Most important is controlled technical information, but there are a number of other categories of controlled unclassified information.
Adversaries can grab massive amounts of personal data about your employees and use machine learning for
The DFARS clause recognizes cloud, but only to a small extent.
What does "equivalent" mean? The federal government has not understood how the cloud works.
Sustainment isn't just getting a CMMC certificate. That is static. Security is dynamic.
This is an interim final rule, and DoD has the power to do this. It is within the power of the DoD to issue a rule that is effective immediately upon publication.
The rule takes effect two months from now.
Once we hit the 60 days we will see it in every solicitation.
It is sort of two rules combined into one: a two-pronged approach in the regulation. First prong: you have to have an assessment by the DoD on one of three levels, low, medium, and high.
CMMC is not required in every solicitation until Sept 30, 2025. What is required as of November 30, 2020 is that you satisfy the requirement for what is called a DoD assessment.
It is based only on 800-171. It does not include any of the new practices in CMMC. You would not look to a CMMC guide but to NIST SP 800-171A.
DoD has the authority to assess on three levels: low, medium, and high. A low assessment means a low degree of rigor in the assessment, because the contractor is assessing itself, and a low degree of confidence in the assessment. Medium requires some degree of onsite work by DCMA. High requires a more intensive level of onsite demonstration of your security.
But what most companies will be required to do is the low assessment. There are some surprises in this regulation. It says every company in the DIB, except for a small number, is going to have to submit this self-assessment, using the November 2019 methodology, through the Supplier Performance Risk System (SPRS).
There are two parts, -19 and -20. What it says, effectively, is that every company can expect to see this defense assessment requirement in any defense solicitation or contract.
That methodology starts with a top score of 110, corresponding to the 110 requirements in SP 800-171.
Some of the NIST requirements have a 5-point value and some have a 3-point value.
A POA&M does not give you credit for what you don't meet.
The way this works is that each company conducts its own assessment and submits the score to SPRS.
Likely to be an immediate effort by companies to identify CUI and develop a plan of action. They will try rapidly to get a basic score.
You can bid on a contract without a score, but you cannot be awarded one.
It is not CMMC. It is the precursor, due in two months.
There is also some temptation for some companies to embellish. That could be hazardous, because this is a form of providing information to the government, a representation material to your ability to get work, and that could rise to the level of the False Claims Act. Lots of attention will go to meeting the basic 171 requirements.
We have five years to get to the point where CMMC as a contract requirement will apply to every solicitation. During the first five years there will be this defense assessment clause. DoD is now authorized to require a CMMC requirement on some contracts.
First gate: the requirements activity requires CMMC.
Second gate: it must be put in the solicitation.
Then the Office of the Secretary of Defense has to decide if the CMMC requirement applies.
171 has proven hard to do. CMMC is even harder. This gives you an on-ramp.