Excellent video! This is probably the best video on YT on the "real truth" of CMMC in 2022. One of the biggest sources of confusion in the DIB community is that NIST publications historically were written for, and applicable to, *federal* agency IT networks and not private sector contractor IT. The concept of maintaining a 200 page "security plan" document is arguably accepted as reality in many federal agencies, but is often perceived of as gibberish and useless bureaucracy inside of a private for-profit company (large or small). DFARS 7012 and then later CMMC 2.0 pushed the idea that private companies had to implement the government's documentation bureaucracy INTERNALLY on company networks. Documentation for its own sake is fairly useless, costs a lot of money to develop and maintain, and does NOT improve actual IT security. That is why CMMC is getting so much pushback from the DIB contractor community.

Thank you for posting this! Jacob always does a fantastic job with NIST history lessons. I will definitely watch this a few times. By chance are the slides publicly available?

I really enjoy hearing you say out loud much of what I have squirreling around in my head. Thanks for giving voice to the frustration b/c that's how we move forward. I especially liked the idea of adding back classification, implementation priority, and Keywords. I did not throw the meta content out and I want rev 5 to do a release that assigns them back in. (Robin Basham)

31:38 Okay I’m pretty new to IT and Cybersecurity in general. I have a clarifying question: did he basically imply in this talk that the whole NIST standard, which I have seen EVERYWHERE is intended more for information privacy than information security? (I’m not saying he’s wrong it is a genuine question)