It's important to be fully prepared for a CMMC assessment by a C3PAO, but what if your humanity kicks in? There is an opportunity to gather more information for your assessor if they allow the re-evaluation. Let's talk about it!
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Well hello Climbers and welcome back. Today we want to talk about the 10 business day reference that you see in 32 CFR when they talk about re-evaluation about not met controls.
[00:00:26] And I want to talk about that in more detail Kaleigh and kind of go over that because I think no one's really talked about it. I did see a post from Vince Scott about it, which is the first time I've heard anybody really talk about it publicly. And I thought his reference and maybe Kaleigh you can find the link on it in LinkedIn and maybe drop it in the chat somewhere. Vince, we've had him on our podcast several times, super smart guy.
[00:00:52] And his perspective, which kind of aligns with mine, is that there's some possibilities, some very interesting possibilities with that 10-day reference. So that's what we want to talk about today. Yes, and I think this is really great to first pull up the two references where you can find this. They do connect to each other.
[00:01:15] One place is what Bobby said already, which is the 32 CFR final rule. We're going to have that up on the screen here so that you guys can see if you're looking at this on YouTube. But if you're not, there is a page and there is a portion of the 32 CFR final rule that does state that there is such thing as a security requirement re-evaluation.
[00:01:43] That if something is marked not met, you may be re-evaluated during the course of your level 2 certification assessment and for 10 business days following the active assessment period.
[00:02:02] That is if you get your assessor or your auditor to agree to wait 10 days or whatnot and re-evaluate a not met. Right, and it lists three different stipulations there. It says additional evidence is available to demonstrate the security requirement has been met. Number two, cannot change or limit the effectiveness of other requirements that have been scored met.
[00:02:29] In other words, you can't screw up your existing met score by trying to address however that's been done. I would think nobody would want to do that, right? Right, but if you provide additional evidence and it calls into question other controls because of the way that you – yeah, anyhow. And then number three, the CMMC assessment findings, and this is more specifically what you're talking about, that your assessor has not yet uploaded the result. Not been delivered yet, right? Right. They haven't, you know.
[00:02:59] So all three of those situations are true, then this is a possibility. So let's talk about that. What does that exactly mean, Kaleigh? So when you saw that, what did you think?
[00:03:10] Well, I was thinking to myself, you know, if there is a situation where you feel like that the assessor misinterpreted or did not fully get what they were looking for in a security requirement, but you and your company have fully fulfilled this requirement.
[00:04:01] Right, right, right. So, you know, there's – I do – I don't see this as like a, you know, wow, yay, I could still get 10 days though because they're not guaranteeing it in there. But it is an opportunity. Yeah, so let's talk about some scenarios where that – I think that makes a very interesting possibility. So this comes down to just good knowledge about the actual CMMC program.
[00:04:26] So if you didn't know that this existed, this rule wasn't in here, you haven't talked about it with your C3PAO in advance before that. And some situation happened and they're like, you know, maybe you're using a technology and the auditor didn't feel like it was FIPS validated. Right. Maybe you were using Windows Hello for Business and the assessor that you had felt like that's a no-go.
[00:04:52] That doesn't consider – that's not considered two-factor authentication, which that's a battleground topic that a lot of people go through. Just, you know, whatever that scenario might be that your auditor has trended not met. And when you're going into your audit, it's really important to kind of understand that your audit is very much like a basketball game or a football game. There's a certain specific cadence to it that has to happen.
[00:05:18] So once the game's on, you can't just sit here and take all the time you want to draw up some plays and, guys, let's kind of drill it. Like, it's like you got a few seconds before you got to get your play in. If not, it's a penalty and you're marching backwards in football. And basketball is the same way. You know, they have a little bit of time when they have – they're writing to them, all right, go out there and execute it. And you got to go. When your audit is on, you've got to boom, boom, boom. We are doing, you know, 3-1-1, alpha, go. Talk to me about that.
[00:05:47] And you're like, what do you mean? Like, that's not the time to be like – you've got to know what you're doing when the auditor is staring you in the eye what's supposed to go on. But there's some times where they might zing you from a different direction that you weren't prepared for. This is where this could really come in to help you is because then you're like, okay, I wasn't expecting them to call this into question about this. And maybe you don't have that evidence prepared. You could go back, find it.
[00:06:14] You call this out to them and say, hey, look, you know, I'm still not able – maybe I'm reaching out to this vendor. I'm waiting for them to get back. You know, hopefully you plead and beg. They'll get back to you within 10 days. And then you can get that specific evidence to kind of then positively flip it to MET. But here's what I have a question about. Is there a world – like I'm thinking about there's this fear with a lot of people of not getting consulting from your C3PAO.
[00:06:43] So a lot of people don't ask questions or as many questions as maybe they could because they're fearful about that line and that barrier. But like is there a world, you know, where when you're picking a C3PAO, you bring this security requirement reevaluation up and say, are you open to security requirement reevaluations?
[00:07:06] Like does your team, you know, agree to do that if there is a case where that is needed or potentially argued, you know? And like is there a world where they can do that with a C3PAO before choosing them as their C3PAO? Yeah, you can – I mean you have to word it. You're spot on. You've got to word it in such a way that it doesn't seem like you're asking for consulting, you know, from your C3PAO.
[00:07:34] You could say, you know, based on my interpretation, the way that we are perceiving this, that in these scenarios, you know, this is what we're looking for. We feel like that would – this would fall under this situation. You know, what's your perspective on that? And what you want to do is you want to ask it in such a way that the C3PAO is like our perspective on this is this. So they're not consulting.
[00:08:00] They're just talking about their perspective because it – again, it's really important to realize like you have to hire your C3PAO. These people are auditing. You're paying them to audit you. Yeah. And so you have every right to ask them questions about like how their perspective is on some specific rulings.
[00:08:18] This would be one that I would definitely bring up in advance to kind of just make sure that you're on the same page because, you know, I think this also covers things not related to just them misinterpreting or you believe they might be misinterpreting. I feel like this would even potentially cover some documentation faux pas that perhaps, you know, you have additional evidence to validate you're doing it right, but maybe you're pointing to another number or something.
[00:08:45] This is where – not that I'm trying to interpret this because I think some people have a different opinion from me about how that might go. So this is a great situation like you're talking about, Kaleigh, where you would talk with your C3PAO in advance and say this is the kind of latitude. You know, I think if I made a mistake in my documentation in this area as far as in how I reference, but we are operating correctly, let me provide additional evidence to show that we are.
[00:09:13] You know, yes, there might be some conflicting situation here, but, I mean, are you going to straight fail a person because, you know, they refer to a different paragraph? Yeah. You know, and it's a different paragraph, but then you can show, okay, I'm referring to a different paragraph here, but obviously we've been following it. Let me provide some additional evidence. The one that I was referring to in that policy is – you get the picture. Now, I don't think it constitutes, hey, we're not doing change control. Let's stand it up right now in 10 days and let's go ahead and prove that. Yeah, right, right.
[00:09:43] You know, that's not wrong. There's only so much you can do in 10 days. Right, but I do believe this provides leeway and I think you absolutely can have a discussion with your auditor in advance. What about, like, is this like a scenario, too, where you can see something happening in the sense of evidence of screenshots? Like if you had some screenshots prepared for something and you gave it to the assessor and the assessor was like,
[00:10:11] like, I don't like how old these screenshots are or maybe I don't – you know, I want to see something with the person that's specifically named in this, you know, this security requirement has this person listed that does this thing and that person is not in this screenshot. Do you have a screenshot? And, like, you're fumbling around, but you don't see it at the time, you know?
[00:10:35] So what if they marked that as not met because they didn't see the screenshots or the evidence that they were looking for at the time? Yeah, yeah. Let's use a good scenario. So let's say you were like, okay, I think this screenshot's great. And you had an employee that knew how to run a KQL query very special that generated that screenshot. And he or she did not save that in the library for you to run it.
[00:11:01] And it proves the way that your SIEM is ingesting. Okay, we're just – we're talking theory here. Now, you don't know what that SIEM query is off the top of your head, and you can't do it right then. And, you know, maybe it was the last day of the audit, and they decided to do AU domain and some other questions later on. You were trying to find it. You can't figure out how to quite get that information. Right. That would be a situation where you're like, okay, let me talk with some friendly.
[00:11:26] Let me try to get this data out to show them the specific query that proves that. I mean, that's quite a bit of a stretch. I mean, you'd have to – I mean, KQL is not that complicated. But I'm just showing – I'm just trying to kind of provide some because maybe you're using a more complicated SIEM tool that requires, you know, more understanding. The people that are there on vacation, I don't know.
[00:11:50] But it's – there's plenty of situations where just the unexpected happens, and you just don't have that evidence that's very relevant. Sure, yeah. Available. Yeah.
[00:12:02] Well, I guess – and so I'm trying to think about too – let's think about it in another perspective of if you get them to agree to do this reevaluation, you're going to be paying more money to sit with the assessor to get this reevaluation done too, right? So they probably – I don't think so. No, I don't think so. They charge you? No, well, I mean – For like extra time?
[00:12:30] It should be – I think it shouldn't require a ton of effort to present this information. Like again, I think the assumption here by the way they're writing it is it's not that substantive that requires – You think it's just cut and dry. Like here is the image and – Like, well, here's the document. Here's the document.
[00:12:50] Or let's set up a 30-minute call, and then I can show you right here, look, I'm going to open the system up, and here's the correct query that shows you all this information, and here's the history, and I can run that report now. Yeah. Okay. Good. Yeah. We got it. Thank you.
[00:13:05] You know, it could be, you know, here's some additional background checked information on this, or here is – you know, I pulled some additional tickets out of our ticketing system that shows how we actually did these things. You know, Sally's back from vacation, or she's now come out of a coma, and she now knows what's happened, and we can now talk to her. Sally. Go away.
[00:13:35] Sally's been through it. Yeah. I mean, you've seen those movies. You know how it goes. But, you know, I don't want to read into this too much as far as in like this is our savior for us to just go in not well prepared. No, because it's still just 10 days even if you get it. But I think what it does do is it provides you a little bit more grace that if you had a three- or five-pointer that's going to send you right back to the reassessment process. Sure.
[00:14:01] This 10 days could save your bacon that you might be able to show that, hey, we actually are doing it, and you have some time to say, okay, I know we ran out of time in our three-day assessment. Can you please not submit the results? Give us a little bit more time to provide this information for you. Could you potentially create another policy that backs it up? I don't know.
[00:14:29] That where it comes back to the auditor where it's like, well, I don't – if that's a policy that you just resurrected from scratch, no one's following it yet because you just literally made it right now. We made it within 10 days, but we didn't have it 10 days. Right. That would be a really tough sell. But if it's like maybe I changed a line that appropriately referenced the way that we are doing our business and operate, and I can show you the tickets, perhaps you might get some grace from your auditor there.
[00:14:56] These are types of situations where I don't think the auditor would necessarily stand out in front of a 300-person crowd and state their perspective of how they would be very graceful in that situation. I think they would just rather be like, let's just talk about it between me and you because – Because it really does depend on the scenario I believe. Right. Absolutely.
[00:15:16] And keep in mind, and I mean this in my absolute – like with CMMC, like they could – you could almost feel every control if they really wanted to be like super – like I'm going to get down into it. So the auditor, really their job is like we want you to pass. Help us get there. Yeah.
[00:15:38] You know, their attitude, just like a referee in football or basketball or anything, our job is to make sure that the game is fair and is executing and moving forward, not to be the instrumenter and determiner of the game. But man, do I wish that we had some sort of like crowd to boo the assessor if they were me? God, wouldn't that be a little bit easier? It's all the employees. All the employees are around. Right, yeah. Yeah.
[00:16:05] They're like boo when they like – like not – I'm thinking this is not met and we're all like no. That would be pretty interesting. When you go to do your assessment, you'd be in the middle of an arena and like everybody's around like looking at you and you're just like I think not met. No. They're not met. Yeah, they're throwing tomatoes at the assessor. Oh my god. Right, yeah. Yeah, that would be great. Bless our hearts. We love you guys. I'm sorry about saying that. But I will say though, let's just clarify too.
[00:16:34] If we haven't already said that just in case, I can't remember. But this is also – this is stated specifically in the CAP. Yeah. And I have it – I'll put it on the screen right here if I haven't already. And it references back to what we stated in the 32 CFR final rule. So if you're wondering what the assessors are looking at as well, which they should be looking at the final rule too. But the CAP itself does refer to this 10 business days that we've said previously.
[00:17:04] But it does state the word may. Assessors may reevaluate, not met. So it is entirely up to them at the end of the day. Yeah, and I think these are great situations where it – I think that's them trying to provide that, you know, tie goes to the defender kind of situation where it's like we're not sure. Help us get there. Give us a little bit more time.
[00:17:30] You know, we'll give you a little more time to try to gather what you're doing. But every auditor that I've worked with or looked at is – you've got to show them respect when you walk in the door, okay? Listen to what I'm telling you right now, okay? When you're talking with your auditor, you need to show them respect by being prepared, okay? They do not like it. Right. They don't like it when you've wasted their time.
[00:17:55] A lot of time auditors have spent considerable amount of effort to get where they're at to provide those audits. They didn't – I mean, yes, is it an opportunity for you to make money? Absolutely, 100%. But I have not met an auditor that is not passionate about what they're doing because they believe in what they're trying to accomplish. Every one of them believes in the United States of America. They want to see it protected. They want to make sure this program really goes well. At the same time, they're going to make some good money doing it, so that's cool on them.
[00:18:24] But like they're – every one of them are – they're in it for the country. Everyone that I've seen, they are – they believe in it. And that's one of the cool things that I like about the ecosystem. So they're rooting for you. They want you to succeed, but they also don't want you to be disrespectful by the fact that when you walk into your audit that you have not understood the actual controls, the assessment objectives. You've not prepared the evidence. You don't understand the cadence of the game.
[00:18:50] I can't tell you how many times – I one time went to a middle school basketball game, and they did not understand the fundamentals that the team with the ball – like they can't just stand in the paint as long as they want. Like, no, there's a certain amount of time you can't be in the paint. You get a penalty for that. Like, they didn't understand that, and so they just kept getting penalties. They're like, what am I getting a penalty for?
[00:19:14] And the coach had to call them back and talk about, look, guys, this is how this – they didn't understand the mechanics of how the game is working, right? So they went into that not even understanding the way the game is going to work. You know, like in football, like what does getting online mean? How many people are supposed to be online? Like, they don't understand that. Auditors don't like it when you show up, and you just don't understand how that game is supposed to be played when it comes time. Because they've got a certain amount of time that they've got to complete their audit.
[00:19:43] And if you're not prepared to execute it efficiently and quickly for them, and they're sitting here having to wait while you're trying to fiddle and get stuff together, they will not be kind to you, rightfully so. You know, the auditors want you to wait on them, not them waiting on you. Yeah.
[00:20:05] So – but if you've done a great job of always staying on the ball and staying ahead of, they will gladly give you that grace. Yeah. If you need it. Yeah. So – Wow. You know, this is a really heavy sports illustration. It was, wasn't it? It's harder for me to follow as a theater kid. You know, I didn't do any of that stuff. I'm sure you could bring some theater analogies.
[00:20:33] Yeah, help – I guess I got to be prepared next time with some theater kid. And I don't think any theater kids are listening to this right now, though, if I'm being honest. Who knows? But, yes, I hope that this was – again, this is going to be a quicker episode to really just open up some conversation about this reevaluation period and opportunity. Let's link Vince on this.
[00:21:00] So when it comes out, I want to link him on that because I thought his post was really cool. Yeah, yeah. Thank you, Vince Scott, for allowing us to have – God bless you, man. God bless you for your service, sir. And so, yeah, I hope that this gives you guys an opportunity to have some discussion and just some thought about maybe how you can, one, just have better conversations maybe with your C3PAO before stepping into an assessment to fully know what their opinions are on things like this.
[00:21:28] But also just an opportunity to – I mean, obviously prepare the best you can for your assessment. Go into it knowing exactly what you're going to do. But if something does happen where maybe you don't have something perfectly right and there is an opportunity to correct it that you could possibly, within 10 days, help yourself go from not met to met. So I do hope that this was beneficial to all of you listening.
[00:21:56] If you have any comments, thoughts, ideas about this, please make sure to message us on LinkedIn or share your thoughts on our YouTube channel as well and our comment section. Maybe some scenarios of how you think this could save someone's bacon. Oh, yeah, yeah. If you feel like maybe we're a little more conservative, maybe you think this goes further. Right, right. And if you're our C3PAO, don't comment anything. Don't say anything. Okay? What are you doing? Get off this. I'm just kidding.
[00:22:26] Oh, gosh. Okay. We need to hang up. Well, Kaleigh, at the time of this recording, we're mid-phase one to phase two. So we're – fingers crossed phase two is coming in just a few weeks. Yeah. Yeah. If you're seeing this, we're on the other side. Yeah, right. We're hopefully optimistic. Yeah. We spent a tremendous amount of time preparing for it. Plus we had our mock assessment. Right. Right. You know, in the past.
[00:22:52] So – but I mean that's why this 10 days is so nice because you've got to trust in your humanity in a not a good way, right? So like when you're coming in here, there is absolutely a possibility. And this is where that 10 days kind of thing could save your bacon because you don't want to fail just by the human factor, some three or five pointer. And you're doing it all right, right? You showed up prepared. You're doing your stuff right. But just dadgummit humanity kicked in. You know?
[00:23:18] How can we – what can we do to turn this thing around instead of having to go right back to a whole reassessment again? Yeah. This could save your bacon. Totally. I think we should put that on a shirt. Dadgummit my humanity kicked in. Right. Yeah. That's all. That's actually really funny. All right, guys. We're going to hang up this call before we talk too much. We hope you guys enjoyed today's episode. Tune in next Thursday for another episode of Season 3 of Climbing Mount CMMC.
[00:23:47] But as always, guys, keep on climbing. See ya. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.