B (3:56)

So my initial thoughts are a couple of interesting things. They almost took a CMMC 3.0 approach to it because Rev3 is in the cards. I have not. And Jacob, this is the crazy part, he talked to hundreds of thousands of companies that do defense work, also are active in gm. You happen to basically stumble upon this because someone just blind messaged me, somebody.

A (4:20)

Sent me a DM on LinkedIn and they were like, hey, this looks a lot like cmmc. And I was like, what is this? And it had been signed and issued and it's in effect. And I'm like, well, this is actually rmf. Yeah.

B (4:30)

And it's a potential requirement of authorization of contract award based on the ciso. On the CMC side, like assessments are different with the different auditing bodies and C3POs. Like there are so many CMMC adjacent things, but also potential things that we could see in the newer version of CMM with the Rev3 adoption. So it's interesting how they basically tried to take the parts of CMMC that they liked, the parts of RMF that they liked, and then just kind of made their own thing without rulemaking. That's the shocker to me.

A (5:04)

Everyone knew this thing was out there, it seems. It's crazy to me, but hey, we live in wild times. I think that one of the big takeaways here is this goes to show, as we have stressed many, many times, CMMC is not the requirements. CMMC is DOD's method for verifying the that you have implemented the requirements in NIST, SP 800, 171. So GSA could use CMMC or they could use what CIO IT Security 21112 R1. Because you have the requirements imposed on you. This is their program for verifying the implementation. So, you know, just sort of scrolling through the first thing that you're going to notice as you scroll through this document is just the right raw amount of deliverables that you have even before the assessment starts. They want things like FIPS 199 security categorization templates filled out. They want Federal Risk and authorization management FedRAMP versus 800171 qualifying comparison templates filled out. They want project work breakdown structured WBS submissions. They want all these things, these things reviewed. They want. There is a lot more stuff that needs to be done than what you might find when you look through the CMMC cap, the CMMC Assessment Process Guide. They want engagement kickoff meetings. Honestly, this reminds me a lot more of the DIBCAC process for running assessments where they want a bunch of paperwork up front, they want coordination meetings, they're going to have tight schedules, they want some very specific information. You and I have talked about this on episodes in the past. Rather than a CMMC style approach where you call up a C3 PAO, you do some pre vetting through phase one and then you're kind of off to the races at that point.

B (6:57)

I think the hard part for me wrestling with. I've never heard of the equivalent of. Yeah, I don't know what they do experience what their bandwidth is because assuming that the DoD has upwards of 300,000 that they asked, GSA probably has how many? A few.

A (7:15)

I have. No, I. Less than that. But I mean it's still going to be lots of companies. I mean you're talking tens of thousands.

B (7:23)

Yeah. I mean what team do they have to validate?

A (7:26)

Good question.

B (7:27)

Validating it on top of you getting an independent assessment.

A (7:30)

Yeah, so just get an independent. Right. So that's the real big difference here is that with CMMC they have, they have created a program where, because you're going through their assessment ecosystem when. And they've sort of pre tailored everything beforehand. If you get a passing score for your CMMC assessment, you're good. The decision is, is greenlighted because you've made it through this process. It's also part of the reason why that this might be the reason why it didn't have to go through rulemaking is that with the GSA process you're going to submit everything, including the output of the assessments and you're going to give it to GSA and they're going to make a decision on a case by case basis about whether it's sufficient, which is how RMF works. But when you have to do it for tens of thousands of companies, you can't do that. It doesn't scale. So I'm not Sure. How they plan on doing it. One of the interesting things here is that the, they have a list of what they call their critical security capabilities. So they, they call out hey, these are the ones that we care about, you know, a lot. Which is much easier to follow than DOD's point system of 5 points, 3 points, 1 points. They call them critical security capabilities. So they list out the requirements under access control, MFA configuration management, the greatest hits that you would come to expect. But they tell you what, what they want to see for those critical capabilities because they think they're critical rather than just being. This is a five point control. Don't mess it up. Next. So there's a little bit more information when it comes to that, that perspective from the agency which is nice but you have this big question mark at the end where it's like okay, we go through the assessment. It isn't a question of pass, fail or poam. You just, you just don't know what they're going to get. So that sort of brings us to the idea of assessments. So under 2.3.1 assessor selection. They are not using CMMC assessors. They don't mention CMMC in this document. They don't mention reciprocity with CMMC in this document. They say that the key to effective assessments is having assessors with the required skills, abilities and technical knowledge to develop assessment plans, perform assessment testing and prepare assessment reports. I agree. They go on to say the assessment must be independent and completed by either a FedRAMP accredited 3 PAO or by an assessment organization approved by the GSA office of the CISO prior to selection. They don't list a group of assessing options that have been approved by the office of the CISO. And I haven't heard any FedRamp3PAO really talking about this process. My first takeaway from there is it sounds expensive because FedRamp3PAOs are probably more expensive than a CMMC C3PAO and you know they're not. FedRamp3PAOs sometimes have CMMC practices but not always. Are the FedRamp3PAOs ready to assess?

B (10:40)

And I and 171. I mean it's a subset of pick and free but also they have to build. What's so confusing? We have a lot of GPA of friends in the. No one has ever mentioned this at all. Yeah, you would think this. We all were LinkedIn. They'd be like new service offering. We'll now assess you the GSA requirements of Rev 3. Like you have to go through train your team.

A (11:04)

Yeah.

B (11:05)

Specifically for something like this, a quick adoption or adaptation, but still.

A (11:10)

Well, you know, here's a good question is, you know, the GSA doesn't mention CMMC because maybe CMMC is on Rev 2 and they're on Rev 3. Will the DoD moving to Rev 3 on CMMC 3.0 if you will establish reciprocity, like if you've gone through this process, do you get recognized by DoD? Maybe they don't give you CMMC status, but they're willing to accept it and you've got the hookup with a three PAO or who? I don't know. Like whatever the process is, it'll be interesting to see how that gets navigated because now we're in the situation where we haven't found any of those companies, but I'm sure they exist. You've got one customer saying you need Rev3 in this huge process and you've got another customer saying you've got Rev2 and this other process. It seems odd to me that they did this because we're still waiting on the FAR CUI final rule. GSA is on the FAR Council with the DoD know what's going on. I would hope so. Like, I. I don't really know. You know, something else to think in here too. Yeah, there's a lot of. There's a lot of stuff to go through. We won't go through all 45 pages. There are annual deliverables with this process. Under CNMC, you have annual affirmations where you're attesting that you are affirming or whatever the verb is that you are keeping up with all the things that you. That you implemented via your assessment that you actually do every three years. Here you have the assessment every three years. But under annual deliverables, the following deliverables will be provided to the GSA izzo, ISM and or contract officer's representative on an annual basis or when there is a major change in the system which isn't defined. The updated ssp, the updated impact assessment, and a penetration test every year.

B (13:00)

So one other thing that we talked about a few days ago was responsibilities as well. Even if you think you have an incident they want you to report. Wasn't that right in the.

A (13:09)

It's not even after you suspected incidences suspect. Yep.

B (13:13)

It's an hour.

A (13:15)

Within one hour.

B (13:16)

Yeah, one hour.

A (13:17)

Typically, what's happened in past rulemaking is every time there's a law or a regulation that wants to tighten the screws on incident reporting, almost always the initial Language says suspected or confirmed incidents must be reported in X number of hours. And industry always pushes back and they go, you want me to report every suspected incident rather than a confirmed incident. It doesn't make any sense. They always take it out. This didn't go through rulemaking, it didn't go through the comment process. And so they've got suspected incident within an hour. That would get eviscerated in the comment process for good reason. Like even DOD has had the language. It's like you got to report within 72 hours but it is known confirmed actual incidents, not anything that you suspect would be an incident.

B (14:06)

That's so you have annual deliverables. You have to go through an independent assessment. All of those deliverables have to be obviously given to the CI.

A (14:15)

Then you got to go through the authorize step.

B (14:18)

Yeah step. You have to report suspected incidents within an hour. I don't know if GSA is going to get a lot of CUI related participants in the.

A (14:28)

Yeah, I mean, but that's also like you said, I mean I, you have. No one's talking about it. And it's like, you know, whether they like it, dislike it, you know, what, what's good, what's bad. Anyways, you know, one of the last thoughts here that people might find interesting in the document is appendix C. They always bury the good stuff in the appendices. Appendix C is what they call showstopper security requirements for the non federal security approval process. So these are the requirements that they would consider to be showstoppers. Right. If you don't have these implemented then they're not going to get through the authorized step. These would be the five point equivalent controls, if you will. And they list them all out by the requirement number and the description of the control. So there's probably about eight of them in here. So definitely check those out. It's an analysis that I think we probably do in the future of like the overlap between. GSA thinks that these are important, but DoD thinks that these are important. We're talking about the same baseline. We're talking about the same baseline for the same category of data. Now we've got two agencies who literally work together on the FAR CUI rule and they think that different requirements, requirements are different criticalities they're reporting. I mean this is exactly why you wanted the FAR CUI rule was to avoid this process. So there you go. If you are a GSA contractor out there and you're interested, let us know what's going on. Have you heard about this? I mean, this is revision one. They came out with the original version in 2022. Apparently never heard anything about it. They've updated it for 171 rev3. Are they bugging you about it? Is this real? Was there a comment process that we didn't hear about? Somehow if you're a defense contractor and you have to do GSA work, are you hearing about this? Are you worried about this? Is this complete news to you? We're sort of learning about this along with everybody else. I was very surprised that the GSA did not take the opportunity to come out and be like, we did it, we did it because remember, DHS and DOD went at it for years where they were like, yeah, CMMC is cool, but we're going to do our own thing over here and we got our own scoring system and we think these are the priority controls. And it was back and forth and back and forth, but they made a lot of noise about it. GSA just kind of posted this and then. And that was kind of it. So what do you think? Do you like the examples that are in here? Do you think that DoD should borrow from what they're doing moving into CMMC 3.0? Because we're waiting on that proposed rule to get published. They're going to be looking for public comments. So should they adopt some of the example language out of this document for. For CMMC guidance? Should they adopt the way that the assessment Process runs for CIO IT Security 21,112R1 for CAP 2.0 under CMMC? Do you think that they should have just used CMMC instead of coming up with this process? Do you think that all the agencies are going to come up with their own flavors? Probably the worst possible, the worst possible timeline would be if they all come up with their own six different enclaves.

B (17:39)

I got my VHS enclave.

A (17:43)

You know, it's. It. The, the whole idea here was you have a standard baseline so that we can share the data and that the data, so that the data is protected the same way. And here they're saying we're going to evaluate every system on a case by case basis. That immediately is going to. To me, the deity is going to be like, well, you know, this is the problem the RMF world has where one authorizing official says, I'm willing to accept X risk. The other authorizing official says, I'm not willing to do that. So I'm not going to have reciprocity between these two systems, even though the entire system was created so that all the aos would agree. If you decide it's fine, then I trust that it's also fine. And it just didn't really work out. So let us know. Have you heard about it? Did we completely miss the news on this? Is this the first, you know, first that anybody's talking about it? Let us know and hopefully we can hear from GSA soon and get some updates and we'll see you next week.