DoctorMac

Attending the John Ellis Talk on CMMC 2.0 hosted by PrVeil

DoctorMac

Goals: go over CMMC 2.0, talk about scaling audits; sorry, no answer on VDI today.

DoctorMac

@DoctorMac They open up with ransomware being added to the threats to R&D and IP. Before CMMC, security was considered a trade-off with cost, but now security must be included as a cost. "CMMC is a mindset": that is a new one.

DoctorMac

Interesting: DIBCAC trains all the other assessors and audits for the other agencies. I wonder if Ellis means just DIA/DoD agencies or all federal agencies.

DoctorMac

John Ellis, "The requirements from CMMC are not going away. They are just getting handed back to NIST where they belong. They will be updated in baseline."

DoctorMac

No, that stuff is in the process maturity.

That is already there in NFOS. Ellis means the stuff that we really need, like email, DNS and backup controls, maybe the families from 53 as well.

He is talking about what from 53 rev 5 makes it into 171 rev 3.

DoctorMac

A discussion then on the self-affirmation every year as a way to counteract "self-assess and wait three years", plus if any one contract requires CMMC 2+, all contracts are in scope.

DoctorMac

Then a discussion on phishing or bad system configuration as the number one attack vector. Translation: pesky humans. I am very glad phishing training doesn't wait till Level 4 of CMMC. That was dumb.

DoctorMac

Then a review of timeline and reciprocity... they said reciprocity does matter... this to me represents a language shift. I expected "non-duplication" and "it is your job." Ellis just said reciprocity will be codified... I can't imagine reciprocity showing up in 32 or 48.

DoctorMac

Ellis: Pilot assessments will not continue, but you have heard about "voluntary." We will see no requirements until the rulemaking process.

If I was a betting person I would assume "voluntary" means Primes and insurance will define "voluntary": do this, or "voluntarily" give up contracts or insurance.

DoctorMac

John Ellis just reminds everyone to start now, as 7019 and the 171 baseline are required now, and then we move into the False Claims Act. He reminds us of a 2019 case that spiked interest.

Discussion of data shows the immediate impact of the 2019 Fair Claims Act (rewrite of the Katie effect).

Discussion of Law Enforcement reporting, including that this is the baseline and this must be assessed.

"That is all I will say about that"

DoctorMac

Discussion of a DIBCAC assessment as a holistic approach.

A timeline event. C3PAO will do the same.

Pre-coordination

Possible follow-up session for pre-coordination, especially during COVID. (Read your documentation. We will.) Most companies are harder on themselves. (DIBCAC isn't far down the supply chain.)

Assessment

As long as a week. Make personnel available; document how to observe. Hot wash every day; at the end of the week you get a score. 30-day cool down, then the report is sent to the company and DIB.

Adjudication

not discussed

DoctorMac

This codifying of reciprocity is very interesting to me... I expected the regs to focus on non-duplication with other standards... not codifying reciprocity.

DoctorMac

Discussion of 7012 FedRAMP or equivalency... The DoD Procurement FAQ, question 115, shows how we are going to do it.

We are considering the applicable FedRAMP controls, but people should use the Procurement FAQ to predict where we will go.

"To be blunt, the C3PAO reciprocity is an issue that brought this up."

We don't "want to double tap" anybody.

DoctorMac

Ellis has a meeting tomorrow on bifurcated Level 2 assessments, but he says, to be blunt, we do not have this figured out; but we must have C3PAOs because the Government cannot scale.
