Katie Arrington on DFARS Interim Rule - YouTube youtube.com


there are several pathways a rule can go down, proposed rule and interim rule.

It is a matter of national emergency and national security.

If you read the DFAR interim rule it is pretty impressive amount of money we are talking about here. Even with all that the inter-agency council found it was a matter of national interest.

We are in the public comment period and we adjudicate them as we go.

It isn’t gonna be a light switch. We have a strategic process. This is going to take five years to implement so why delay.

Throughout the video you got a sense of a strategic roll out.

7012 is what we have been focused on like a laser, and that is the DIB cybersecurity requirement in DFAR language.

(Cloud) will have to get certified like any other company. They are probably running at a 4 or 5. When a business decides to use a CSP as a supplement to how they achieve credentials what we will need to do is ensure the CSP has the write credentials from Fedramp. We work through that reciprocity.

Understanding adjudication baselines is important. I am big on adjudication baselines…Make sure it is apples to apples.

remediation needs to be expedient and not a cost to the vendor.

For DoD it is Fedramp and I do not see that changing any time soon.

We need to understand very clearly that the risk far, far of outweighed adversarial impact.

Doing nothing, is not an option. Self report and PO&AM failed. Amazing to see all the positive change around cybersecurity that the CMMC conversation has caused. Without one maturation level in the wild and we are already safer.

Social media and the online presence. Let’s pick apart every little thing…Instead of poking at it get on board with it. You are poking the thing you are trying to feed off of.

If you are critical of it come help. It is one thing to sit on a mountain far, far away and say the village is going to flood. Get in the village, fix the drainage system.

It is real. The interim rule is there. It is not going away. Get on board.

If it was working we would not be were we are.

Prior to coivd from mid 2019 and talking about cybersecurity. We saw a decrease. If we did nothing more than conversation. You can’t fix somethign unless you discuss it and propose solution sets.

The industrial base, the nation defense, we rely 100% on you.

The CMMC is the start of something that will harden our national defense. We will not thwart the adversary completely, but my gosh we will make it harder for them.

We function off of tax dollars. I am really concerened because it my money just like it is your money going into this.

The next thing we need to get good on is sharing threat. Information sharing is the next great barrier we need to get through.

This I think is going to be where a lot of cultural shifts through the CMMC needs to occur. A sense of collective mission rather than contractors fighting for crumbs that fall from the big kid table.

Can’t be an industry where you have to sign an NDA just to go pee.

I think for the CSPs as we look 10-15 years down the line. Likelihood you are living in the cloud. Pretty likely.

There is no 100% secure way to do things. The much communication we have with each other.

This is why we need public domain, or liberally licesnsed, AI and ML models for fighting and sharing threat analysis.

End to end encryption needs to become part of the Cloud. We have to get there. There will be something new every day. Getting the predictive threat from AI is amazing.

7012 you have to think about who 70,19,20,and 21 effect. 7012 is everybody. We no longer put it from contracts that store CUI.

If an adversary can see it, scan it replicate it, its bad.

The aggregate of CUI is the problem. Clear defense contractors are different than people contracting CUI. There are different rules.

That is what this rule change. 7012 is the everyone. Not the somes. People think that what they are not getting is important, but adversary are taking pieces and parts and putting it together.

The adversary knows because we tell them who is on every contract, because we tell them.

It is not the perfect. I hope it never is. I hope we don’t turen into a checklist. It is not the perfect checklist.

It needs to evolve with us. We update and we hold each other accountable for that.

Threat changes. You can’t build perfect. I would rather take a 90% solution to buy down a significant risk than opine a 0% solution and let the adversary have their way with us.

For bid and proposal for a company to position themselves to where they want to be, the capability. You have to get the correct capability in line.

We want companies to strive and want to be better, and also at proposal for a small business there is an investment.

The whole purpose of moving it to at the time of award. 100% to give businesses the opportunity to position themselves. Dress for the job you want, not the one you have.

We are going to work hand in hand to ensure we get it right and do not hamper acquisition. Your point about NIST 171 is spot on. For the better part of five years industry been saying, “Yeah we been doing it”

If you can’t do the work, If you can’t get to trust but verify you can’t do the work. This is not a pass.

People need to remember the good work the NIST has done. Remember the cmmc is 100% based on NIST53 that gave birth to 171 and NIST CRF,m, ISO.

To get to level five you need to have some bits of 53, to get to level 2, to get to level 3 which created 171.

NIST is the basis of model. It has never deviated from that.

What is NIST 53. That is inside the wall. 171 is outside. 53 gave birth to 171.

12, 19,20,21 they are alike but they are the same. NIST is been doing amazing job evolving. People be like you just need to use 53. You can’t because that is for a federal system and there are differences but it is 100% based on the NIST.

This point of confusion drives me crazy. Naming things is hard but use words instead of numbers. So if 53 means something different than 171 but one does not supersede the other call them different things.

Not sure where the culture of naming by number began. Could be old radio/signal cryptology connection. Could be artifact of main frame computers when every bit of data cost money. Think 140 character sms messgae for modern reference.

Either way part of Defense culture that causes confusion that could easily change. You words and not version numbers when different things mean different things. The iPhone 10 is a better version of the iPhone 5. It’s not 5 is meant for government and 10 is meant for public. That makes no sense.

Naming things is hard…..don’t leave it to engineers to do

It is our intent that it (the score) will be in the NDA between the sub and the prime and the teaming agreement. They would disclose it (score) at that time. You say on your website you are ISO certified, you say you are cmmi. Do you need to say your level? If companies put it in their marketing than the adversaries have the line on how to hit you.

It is like your car. You want to show it off but you lock it.The best place to do it is in the teaming agreement. Then the other side, I talk myself out of it. We say it is based on the NIST but the adversary already knows the controls and processes.

In discussion about the Prime and Sub disclosing in the teaming agreement this where the credentialing Working Group can come into play. Watching what we discuss in the W3c Verified Credential Working Group (especially our education sub committee) and also recent work around Distributed Identifiers WG could be a way to have a hashed database that balances the tension between signaling and documenting. Many folks get to blockchainy way too quick but in the end the same JSON-LD used in the DoD funded xAPI project (if the DoD still going that way…please…one performance metadata across DoD tough I do worry the flexibility in the vocab of xAPI schema is too loose…still hoping the WG focusing on writing some kind of vocabulary).

Not my working group so no insight (not that I could share if it was my WG) just curious as someone working on Open Badges since the beginning (as the community skeptic)

It supports 1,000 percent the innovation and capability of the small business because those thresholds are gonna have to be met. If we are smart on this we say 25% of cmmc level 3 work needs to be done by a small business.

Cyber is in everything we do., and if we do not understand the rules of the information superhighway…

Had to finish with the information superhighway, rules of the road, 90’s cliche.

The rest of the video goes into the hard work the AB did and the dust up over payola claims. Lot of shout outs to a lot of great people.