Alright. Welcome back to the Deep Dive. Today, we're, we're gonna be tackling something, I think pretty important, especially for those of you out there working with the Department of Defense contracts. Definitely a hot topic for sure. It's the cybersecurity maturity model certification or CMMC, as I'm sure a lot of you know it. Right. Right. You've shared some really in-depth information with me about this framework. Yeah. And I've been going through it, and, and it's really interesting how much it relies on these NIST publications, the NIST standards. Absolutely. Very closely intertwined. So our goal today is, first of all, just to make sure everyone really gets what CMMC is. Like, what is it at its core? Yeah. And then we'll go a little deeper, and we'll look at, like, why is there such a close connection to all these NIST standards? Right. Right. What's the reasoning there? Exactly. What's the strategy? And then most importantly, what does this actually mean for you and the work you're doing every day? Yeah. Making it practical. Exactly. So we'll be pulling from your document here. We'll be looking at the different CMMC levels. How they connect with NIST SP eight hundred one seventy one rev in two. That seems to be a really, really key document in all this. Absolutely. A cornerstone. The scoring the scoring system, how does that actually work? That's pretty intricate. Yeah. Yeah. It looks it. We'll touch on NIST SP eight hundred one seventy two. Another important piece of the puzzle. And, of course, we gotta talk about rev in three, the move to NIST SP eight hundred one seventy one rev in three, which seems to be on everybody's mind. Definitely a big shift on the horizon. Okay. So before we get too far, let's back up. In the simplest terms, what is CMMC? What are we talking about here? So at its heart, CMMC, the cybersecurity maturity model certification, it's a framework. It's a framework put in place by the Department of Defense, the DOD. Yeah. And the whole point of it is to protect information Excellent. Sensitive information Okay. Related to government contracts. Specifically, we're talking about federal contract information, FCI, and then there's controlled unclassified information, CUI. And this is all happening within the defense industrial base. So you can think of it as, like, a standardized way for the DOD to look at its contractors and say, okay. How mature is your cybersecurity program? Yeah. That's what CMMC is all about. So it's really about the DOD having some assurance about the companies it's working with. Exactly. Okay. So we keep hearing NIST NIST NIST. Right. National Institute of Standards and Technology. Yep. So why is CMMC so closely tied to these NIST standards? What's the logic behind that? Well, I think what's really smart here is that they're not trying to reinvent the wheel. Yeah. That makes sense. They're taking these existing federal cybersecurity requirements that are already well established, these NIST standards. Right. And they're building on top of that. So from a practical standpoint, it means the implementation should be a little smoother for contractors because they're working with familiar stuff. Okay. But more importantly, I think it's about risk mitigation. These NIST standards, they've been vetted. They're respected. They represent best practices. So the DOD is essentially saying, look. We wanna protect this sensitive data, and we're gonna leverage this existing expertise instead of starting from scratch. So it's like a force multiplier in a way. Right. Okay. That makes a lot of sense. So you mentioned levels, CMMC levels. Yeah. Walk us through those. Okay. So right now, there are three main levels to CMMC. Okay. You've got level one, which you could think of as the basic level, the foundational level. Right. And that one aligns with FR clause 52.20421. Right. 15 basic security requirements. Pretty straightforward. Okay. Now level two is where things get a little more serious. Okay. This is like the heart of CMMC. Alright. And it lines up directly with NIST SP eight hundred one seventy one Reverend two. That seems to be the big one. It is. It is. This is where you have a 10 security requirements. Mhmm. And they're organized into 14 different families, these families of controls. And what's important here is that compliance with level two, it's not optional. Right. It's mandated by DFARS. Specifically, DFARS clause two five two point two zero four seven zero twelve. So if you're working with the DOD at this level, you gotta have this? You gotta have it. Okay. So what about level three? Level three takes things even further. So it builds on what's already there in level two, that foundation of security. Okay. But then it adds another 24 security requirements on top of that. Oh, wow. And these come from NIST SP eight hundred one seventy two. Okay. And they're really focused on, like, the heavy hitters. We're talking advanced persistent threats, EPTs. You know, they're really sophisticated adversaries. So to even get to level three, you have to have already passed a level two assessment. So it's like a step up. You gotta be level two compliant first. Absolutely. It's a progression. Okay. So we've talked about NIST SP eight hundred one seventy one rev two. That seems to be the core of level two. Absolutely. So break it down for us. Like, what are the big things we need to know about this document? Okay. So NIST eight hundred one seventy one rev two, it's all about setting up a strong baseline of security. Specifically for protecting that controlled unclassified information, CUI, when it's on systems that aren't owned by the federal government. Right. Contractor system. Exactly. So as we've said, a 10 security requirements. Right. But it's not enough to just, like, know about those requirements. Yeah. You gotta have a plan for how you're implementing them. Okay. And that's where the system security plan comes in, the SSP. What's the SSP? It's a detailed document that lays out exactly how you're meeting each one of those 10 requirements. So it's like your blueprint? Exactly. And then there's the POA and M Yeah. The plan of action and milestones. Right. Right. And that's for the things you haven't fully implemented yet. Okay. Like, here's what we're gonna do, and here's our timeline for getting there. And the whole thing, your compliance with NIST SP eight hundred one seventy one reverent two, it's validated in a couple of ways. Okay. First, you have to do your own self assessment. Right. But then for CMMC level two, you might also have a third party assessment. Oh, okay. These These are done by c three PAOs, which are certified third party assessment organizations. So it's not just taking your word for it. Exactly. There's oversight. Alright. So it's pretty rigorous then. It is. Now you mentioned this scoring system for NIST SP eight hundred one seventy one reverend two. Yeah. That sounds kinda complicated. Can you break that down a bit? So the scoring is based on this thing called the DOD assessment methodology. Right. And they're looking at how well you're meeting the objectives from NIST SP eight hundred one seven one a. It's all connected. Okay. Now the perfect score, if you get everything right, is a 10 points. Okay. One point for each of those 10 requirements. Because this But, of course, if you're missing stuff, you get points deducted. Right. And there's some requirements that are just nonnegotiable. You have to have those implemented fully to even be in the game. So it's not just about getting a passing score. Some things are just must haves. Absolutely. And then each requirement, it gets assigned a weight, you know, like a point value. Mhmm. Either one, three, or five points. So some are more important than others. Exactly. And so the way the math works out, your score could range anywhere from negative two zero three to that maximum of 110. Negative. How do you get a negative score? Well, it's based on the point deductions and the weighting of the requirements. Interesting. And generally speaking, you need at least 88 points to pass. Okay. But here's where it gets really interesting. There's this partial credit system, and it applies specifically to two areas, multifactor authentication, MFA, and then FIPS compliance Okay. Federal information processing standards. Yeah. So with MFA, let's say you haven't implemented it at all or you've only done it for regular users, but not for people with remote access or privileged accounts. Okay. That's a five point deduction right there. Oh, wow. Now if you have MFA for those remote and privileged users, but not for everyone else, it's a three point deduction. Interesting. And then with FIPS, if you're not using any cryptography, that's a five point hit. Okay. But if you are using cryptography, but it's not FIPS validated like it needs to be in certain cases, It's a three point deduction. So they're giving you some leeway there. They are. I think it shows that they understand that getting fully compliant right away can be a big lift, especially for small organizations. So they're incentivizing progress. Okay. Like, get at least some of these key security measures in place, and you'll get some credit for it. And overall, it's about strengthening the security posture of the entire defense industrial base. So it's a more pragmatic approach. Exactly. Now let's talk a little bit about NIST SP eight hundred one seventy two and these organization defined parameters, the ODPs. Right. How do those fit into this whole CMMC framework, especially when we get to level three? So this is all about dealing with more advanced threats. Okay. Remember, CMMC level three incorporates those 24 extra security requirements from NIST SP eight hundred one seventy two. Right. And those are aimed at APTs, those advanced persistent threats. These are the groups that are really sophisticated. They have lots of resources, and they're playing the long game. Serious players. Exactly. Now the ODPs, the organization defined parameters, they're really important here because they give you some flexibility. Oh, yeah. You can actually tailor specific security values configurations to fit your specific needs and your own risk assessments. So it's not just a one size fits all approach. So there's some room for customization. There is. But the key is you still have to meet the intent of the security controls. Okay. So NIST SP eight hundred one seventy two, it's building on what's already there in eight hundred one seventy one rev two. Right. Adding more layers of defense, and then those ODPs allow you to fine tune those defenses to fit your specific mission. So it's a more tailored, more adaptable approach. Exactly. Okay. Now the big question on everybody's mind, the transition to NIST SP eight hundred one seventy one rev in three Right. What do we need to know about that? So it's definitely happening. Okay. The DOD is gonna formally adopt rev in three, but they're gonna do it through their rule making process. Okay. So right now, because of this thing called the DFARS seventy twelve class deviation Mhmm. All the assessments, they're still being done against rev and two. So rev and two is still the standard for now? It is. And that's not gonna change until they officially adopt rev three. Okay. And it's important to know that they're gonna develop a whole new scoring system for rev three. Oh, wow. So all that stuff we just talked about, that might change. It might. So even though rev three isn't officially here yet, organizations can actually start implementing those requirements voluntarily. Okay. Get a head start. Yeah. But here's the catch, and this is really important. Even if you start working on rev three, you can't let go of rev two. Okay. You still have to be fully compliant with rev two for any assessments, any current work you're doing with the DOD. So you can't just jump ship and ignore the current rules. Exactly. You gotta stay compliant with what's in place now while you're preparing for the future. So two pronged approach. Yes. Okay. So what are some of the big changes we can expect with Rev three? Well, one of the biggest things is that they're really emphasizing flexibility. Okay. And they're doing that through those organization defined parameters, the ODPs. We talked about those. Right. Right. So even more tailoring of your security controls to fit your specific needs and your risk profile Mhmm. It's all about being more risk based, more context aware. So it's more nuanced approach to security. Exactly. Now for those listening who are, you know, starting to think about this transition, what's your advice? What should they be doing to get ready? Okay. First things first, you gotta understand the differences between Reven two and Reven three. Okay. Do a gap analysis. Yeah. Figure out where you need to make changes. Yeah. Then you gotta update your system security plan, your SSP Makes sense. And start implementing those revenue three controls where you can. Okay. But and I can't emphasize this enough. You have to stay compliant with rev two the whole time. Got it. Don't lose sight of the present while you're working on the future. Exactly. Okay. So let's wrap things up. What are the big takeaways from our deep dive today? Okay. So number one, CMMC level two is all about NIST SP eight hundred one seventy one, reverence two. Okay. Know that document inside and out. Number two, that scoring system for reverend two. It's detailed. It's got some quirks, especially with the partial credit for MFA and FIPS. Right. Pay attention to those details. Okay. Number three, CMMC level three. It builds on level two, adds more requirements from 800 to one seventy two, and brings in those ODPs, those organization defined parameters for more flexibility. Okay. Number four, the move to revrent three is coming, but it's not here yet. Revrin two is still the standard for assessments. Right. And number five, the most important takeaway of all, stay compliant with the current requirements. Don't let anything slip through the cracks. Great summary. So here's something for everyone to think about as we go.