I think DoD has yet to realize the forthcoming ramifications of applying Level 3. Since Level 3 will be contract-specific, and not "across the board" like DFARS 7012 and CMMC Level 2, the contract that requires Level 3 should cover the costs of implementation. Add an estimated $40M+ for compliance (based on the math in the 32 CFR proposed rule) to what DoD thought would be a $10M contract and what will happen? Interesting days ahead. Keep up the great work guys!
Well done on this overview of the process. 🎉. Codification is always a quagmire but it is essential for us to stay on top of. Thank you for helping with this.
Great discussion as usual, appreciate the rapid response to this news. Could you edit the description to have a link to the Rule like you've done for other main resources on episodes?
dunno if youtube allows links in comments, but: www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
Great catch! We updated the description and here is The Proposed Rule: www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
Great job and very informative. Love that you brought up the example of a breach outside the assessed scope. There are a lot of folks out there that believe they can have empty enclaves assessed, while the CUI is yet to be brought into the enclave at the time of assessment. Not good. False Claims.
The point about DODUIDs being effective “asset tags” to fully illuminate the extent of the DIB is insightful. What magnitude above the (published) ~291,000 companies will the real number be…?
A number entered by the organization starts with an S and since it is a Basic assessment it starts with B so SB followed by the unique number. I would imagine DoD starts with a D and is a DM or DH….
Confidence level is not your confidence in your security or your SPRS score. Basic self-assessment is low confidence, 3rd party is moderate confidence and government assessment is high confidence.
The DoD confidence identifier is not that crazy of a concept. Currently in SPRS anyone who has had a JSVA has a confidence level for the assessment that indicates it is a “high” confidence score. Same thing goes for DIBCAC High. The confidence next to the score will say one of several things - (basic, medium, or high). When you self-assess you have NO option to change it from “basic”. When the DIBCAC does a medium or high, they enter it as such. All that they’re saying is that very same indicator will be viewable in the unique identifier. But it’s not a rating that you get to choose. If a C3PAO does your assessment, it will show as high confidence and it will be indicated in the identifier.
Yea they completely missed the mark on this in the video...confidence level does not mean "how confident are you in the accuracy of this assessment?"....it just means was this a Level 1, 2, or 3 Assessment...not a rating of 1-10
This video was so timely and fast that I thumbs upped on two different accounts. Excellent distilling as always guys!
This is “The Podcast for CMMC” because Jacob Horne has been educating the DIB since its inception.
Reporting up (prime to DoD) is limited to those sub-contractors that have a certain percentage of work, over a certain amount, etc.
SUCH a fantastic opportunity for savvy MSPs…
SPRS scores with a User ID = Key Value Pair = The DIB is now tracked
Hope you find your dad........😂
Huh
"There's really not a whole lot going on." *continues talking for another hour*. Never change man, never change.