Navigating the Complex Landscape of CMMC Compliance w/Jacob Hill
Climbing Mount CMMC, August 29, 2024, Episode 15, 00:31:55 (21.95 MB)



(Season Two Episode 15) Bobby Guerra is joined by Jacob Hill, VP of cybersecurity at Alamo City Engineering Services and founder of GRC Academy. Jacob discusses the importance of education and training in the defense contractor industry. He shares his experience in implementing CMMC compliance and the challenges he faced in finding comprehensive education resources. Jacob explains the focus of his GRC Academy courses, including an overview course for practitioners and an awareness course for executives. He emphasizes the need for defense contractors to understand the requirements and implications of CMMC and advises against blindly following consultants without educating oneself.

Axiom: https://www.axiom.tech/
GRC Academy: https://grcacademy.io/
Alamo Technologies: https://aces.biz/

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] [SPEAKER_02]: Welcome back, climbers. I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC.

[00:00:11] [SPEAKER_02]: In today's episode, Bobby is joined by Jacob Hill, the VP of Cyber at Alamo City Engineering Services

[00:00:17] [SPEAKER_02]: and the founder of GRC Academy. They're going to be discussing the importance of education in

[00:00:23] [SPEAKER_02]: the complex landscape of CMMC compliance. We're so excited for you guys to join us

[00:00:27] [SPEAKER_02]: in today's episode, and we hope that you enjoy. All right, Jacob, thank you so much

[00:00:35] [SPEAKER_00]: for joining us today. I really appreciate you coming on with us. Yeah, thanks so much for having me.

[00:00:40] [SPEAKER_00]: Well, before we get into kind of the education piece, why don't you tell me a little bit about

[00:00:45] [SPEAKER_00]: what it is that you have started and kind of like what it's about?

[00:00:50] [SPEAKER_01]: Yeah, certainly. So for the last few years, I've been running an 800-171 and ultimately

[00:00:56] [SPEAKER_01]: I started my career as a CMMC compliance program at a defense contractor. And a few years ago,

[00:01:02] [SPEAKER_01]: I myself was getting started in all of this and I came from an RMF background and I brought

[00:01:09] [SPEAKER_01]: some of that with me, which led to some confusion, right? Because 800-171 is a

[00:01:14] [SPEAKER_01]: derivative and it's similar, right? But there are very big differences. And I remember doing

[00:01:23] [SPEAKER_01]: research trying to figure things out on my own and things like that. And there wasn't a lot of

[00:01:30] [SPEAKER_01]: education focused on defense contractors. There was great content in different places,

[00:01:38] [SPEAKER_01]: but not in one single source. The Cyber AB had the registered practitioner training for

[00:01:44] [SPEAKER_01]: consultants, which is good. And of course, LTPs out there have the CCP, CCA training.

[00:01:53] [SPEAKER_01]: But not so much specific to defense contractors. So a few years ago, I decided, okay, well,

[00:02:00] [SPEAKER_01]: you know, I'm going to go ahead and create something. I'm doing this in my day job.

[00:02:04] [SPEAKER_01]: I've learned a lot over the last few years. Let's go ahead and do this.

[00:02:07] [SPEAKER_01]: And I actually was thinking about putting out on Udemy because my brother, he's a big course

[00:02:13] [SPEAKER_01]: instructor, but he also has his own platform called serveracademy.com. And I was thinking

[00:02:19] [SPEAKER_01]: myself, well, you know, I host and design websites. I have these skills. Let's do our

[00:02:24] [SPEAKER_01]: own platform and see where it goes. And so that's kind of the genesis of GRC Academy

[00:02:31] [SPEAKER_01]: and the CMMC training that I have today. Well, it's kind of funny that you,

[00:02:35] [SPEAKER_00]: I kind of equate it that so many, I think other people have had this same situation when

[00:02:40] [SPEAKER_00]: you go to do a Google search and you come back with nothing, you're like,

[00:02:44] [SPEAKER_00]: what am I about to step into? Because, you know, when you do that kind of searching,

[00:02:49] [SPEAKER_00]: like you were talking about, and you're not finding a lot, you know, you're in for a

[00:02:53] [SPEAKER_00]: fight and a journey because at that point that kind of just tips your hat to say,

[00:02:59] [SPEAKER_00]: you're going to be a bit of the tip of the spear of trying to understand how things are.

[00:03:04] [SPEAKER_00]: And as I was coming in as an MSP, it was the same thing, same way. You know,

[00:03:08] [SPEAKER_00]: I'm like, oh my gosh. And that's part of the reason why we started this podcast,

[00:03:11] [SPEAKER_00]: to try to help other people get more ideas and understanding of how you would interact with an

[00:03:19] [SPEAKER_00]: MSP, whatever things that MSPs should be doing, help educate MSPs that are coming into this space.

[00:03:25] [SPEAKER_00]: And then I saw that you had the GRC site and I was like, oh man, we've got to have you

[00:03:29] [SPEAKER_00]: on the show. So thank you so much again for joining us. You're so welcome. I just

[00:03:36] [SPEAKER_00]: walk me through kind of the perspective of what the GRC training site is really focused on

[00:03:44] [SPEAKER_00]: and how people can utilize that to level up.

[00:03:48] [SPEAKER_01]: Certainly. So I have two main CMMC offerings right now. So I have an overview course that's

[00:03:54] [SPEAKER_01]: meant for like practitioners in the weeds, right? And the way I kind of frame it is it's

[00:04:02] [SPEAKER_01]: excellent precursor to going to a CCP course. Cause I think it is beneficial for defense

[00:04:08] [SPEAKER_01]: contractors that send certain staff to CCP because they need to understand what that,

[00:04:14] [SPEAKER_01]: you know, the assessor mindset and make sure that whatever they're implementing or whatever

[00:04:19] [SPEAKER_01]: their MSP is implementing is going to pass muster. And even for MSPs, you know,

[00:04:24] [SPEAKER_01]: they need to have folks in a CCP. But if you go to CCP, not knowing anything about

[00:04:29] [SPEAKER_01]: CMMC, you're going to be in for that fire hose experience.

[00:04:35] [SPEAKER_01]: I can attest. I can attest. Yes. Yes. And so the overview course is an excellent precursor

[00:04:42] [SPEAKER_01]: and excellent primer for the CCP certification. And then I have an awareness course that I

[00:04:47] [SPEAKER_01]: launched earlier this year. That is it's a derivative. It's focused on executives and

[00:04:52] [SPEAKER_01]: management folks. But the courses run through the contractual clauses, cause that's a huge

[00:05:00] [SPEAKER_01]: piece, right? DFARS 7012, 19, 20, and of course 21 we'll see here hopefully pretty soon.

[00:05:09] [SPEAKER_01]: But understanding those and what they actually mean for your business, cause DFARS 7012 just

[00:05:16] [SPEAKER_01]: has so much in it. So just understanding that piece alone. And it's funny cause if you look

[00:05:22] [SPEAKER_01]: at the curriculum, there's a lot that's covered before you even touch CMMC. And that's kind of

[00:05:30] [SPEAKER_01]: an odd thing that you see amongst the defense industrial base is everybody knows what CMMC

[00:05:38] [SPEAKER_01]: kind of means. They may not know exactly what it is, but they know what it means,

[00:05:41] [SPEAKER_01]: right? They have that, they know what the word is. And so, but there's so much that comes

[00:05:49] [SPEAKER_01]: before that. The contractual clauses, as I mentioned, NIST 800-171, NIST 800-171A,

[00:05:56] [SPEAKER_01]: just understanding all of that and having that foundation going into CMMC and understanding

[00:06:02] [SPEAKER_01]: actually what CMMC is and where it fits is just so important. There's such a history of

[00:06:08] [SPEAKER_00]: things that have a significant impact. You mentioned RMF for those people that may not

[00:06:13] [SPEAKER_00]: be familiar with RMF. RMF is the application of cybersecurity for the government, right?

[00:06:20] [SPEAKER_00]: So those are the standards that Dr. Ross and his team over at NIST kind of helped generate,

[00:06:28] [SPEAKER_00]: which I saw the interview that you had with Dr. Ross on your show. Congratulations. We've

[00:06:32] [SPEAKER_00]: been trying to get him on and we almost got him. We almost got him, but that whole rev three

[00:06:39] [SPEAKER_00]: thing kind of got him pretty busy. So, but we, one of the things that I would say for us

[00:06:50] [SPEAKER_00]: is that as we were coming in as an MSP, we didn't grow up in the DOD or in the DIB space

[00:06:56] [SPEAKER_00]: and having that primer of understanding more of what you're stepping into the type of deep

[00:07:03] [SPEAKER_00]: you're going to be wading into before you even take the CCP, which I absolutely would suggest

[00:07:09] [SPEAKER_00]: that if you're going to get into that space, you want to take your CCP. But if you don't have

[00:07:15] [SPEAKER_00]: a rich history and understanding of where all of this kind of started from, having something

[00:07:21] [SPEAKER_00]: to start from would be helpful, right? Yeah, yeah, certainly. Now, can you walk us through

[00:07:27] [SPEAKER_00]: a little bit about that primer based course as far as what kind of information are you

[00:07:32] [SPEAKER_00]: into them on that start of their journey? Sure. We start with obviously the types

[00:07:39] [SPEAKER_01]: of information that we're dealing with and the two main pieces are federal contract

[00:07:44] [SPEAKER_01]: information and then controlled unclassified information. And understanding that is critical

[00:07:49] [SPEAKER_01]: because NIST 800-171, CMMC, they're data centric standards. It's all about the CUI mostly

[00:07:56] [SPEAKER_01]: and then FCI also. So understanding what those are is really important because that's what we

[00:08:03] [SPEAKER_01]: have to protect. And you can go down a rabbit hole on that topic alone. What I try to do in

[00:08:11] [SPEAKER_01]: the course is cover, I don't cover edge cases because it's online self-paced, right? You

[00:08:17] [SPEAKER_01]: can't cover edge cases. That's where the really smart consultants come in. But I touch

[00:08:23] [SPEAKER_01]: on the CUI, the FCI, what that is, what are the legal definitions and then jumping through 800-171,

[00:08:30] [SPEAKER_01]: walking through some of the security controls. What are the NFO controls being that we're still

[00:08:35] [SPEAKER_01]: on NIST 800-171 R2, which feels like old news now, right? Right. And then 800-171A,

[00:08:42] [SPEAKER_01]: what's the significance of that and how you should be using it even as you implement?

[00:08:47] [SPEAKER_01]: What's an SSP? What's a POA&M? And then walking through the FAR and DFAR clauses

[00:08:54] [SPEAKER_01]: and really just understanding what the FAR and DFARs is. Because if you don't have a

[00:09:00] [SPEAKER_01]: DOD acquisition background or if you're not running a business and already familiar with

[00:09:05] [SPEAKER_01]: that, that's really helpful. Running through 7012, 19, 20, and then summarizing the information.

[00:09:11] [SPEAKER_01]: And then jumping into the DOD assessment methodology, the SPRS scoring, the fuzzy math

[00:09:17] [SPEAKER_01]: that DOD created there coming up with an SPRS score. And then we jump into FedRAMP.

[00:09:24] [SPEAKER_01]: And what is FedRAMP? Talk about it from an overview standpoint and how does that map back

[00:09:30] [SPEAKER_01]: into DFAR 7012 requirements. And then of course, the FedRAMP equivalency memo that

[00:09:35] [SPEAKER_01]: came out earlier this year. I mean, there's so much to know here.

[00:09:41] [SPEAKER_01]: How the FedRAMP marketplace can help you. And then finally, jumping into CMMC and

[00:09:48] [SPEAKER_01]: understanding the timeline and- That's so much. And it's hard to imagine.

[00:09:54] [SPEAKER_00]: That's a primer. Yeah. Right? That's getting you ready to really dive into the meat potatoes of

[00:10:00] [SPEAKER_00]: a CCP course. Yes. Because it's deep. The CCP gets very, very deep. Yes. Yes. And I wish

[00:10:07] [SPEAKER_00]: I would have had that going into there. And so, I sort of just did exactly what you talked about.

[00:10:14] [SPEAKER_00]: I just stepped into the CCP and I was like, oh my Lord. I was looking up stuff, making so

[00:10:21] [SPEAKER_00]: many notes, doing so much more studying, trying to understand. And I would not recommend

[00:10:28] [SPEAKER_00]: that methodology. So yeah, trying to just get a general idea. If you're coming in

[00:10:33] [SPEAKER_00]: more from my direction, from the MSP space, which you're like, okay, I want to support those

[00:10:38] [SPEAKER_00]: clients. But these clients that you might be supporting may have cut their teeth and have

[00:10:43] [SPEAKER_00]: grown up supporting the DOD. It depends on the volume of contracts that they might be supporting.

[00:10:50] [SPEAKER_00]: It may be a small percentage of their business or it could be all of their business. You don't

[00:10:54] [SPEAKER_00]: really know that client that you're engaging with, but they know their industry. And if

[00:11:00] [SPEAKER_00]: you're going to be appropriately supporting them, you need to understand sort of where

[00:11:03] [SPEAKER_00]: they're coming from. And what you kind of described will definitely help someone understand

[00:11:08] [SPEAKER_00]: more about what they're going to be wading into and how they can be helpful and not a

[00:11:15] [SPEAKER_00]: hindrance. Just the whole FedRAMP conversation and how those things connect are very, very

[00:11:22] [SPEAKER_00]: helpful. But there's so many different government bodies that are involved.

[00:11:27] [SPEAKER_00]: And can you just sort of talk to me a little bit about NIST for those that may not be as

[00:11:33] [SPEAKER_00]: knowledgeable about what their role is in the CMMC ecosystem and then how you discuss that

[00:11:40] [SPEAKER_01]: in your course? Sure, sure. So NIST is the National Institutes of Science and Technology.

[00:11:46] [SPEAKER_01]: The acronym's getting dangerous here, defining acronyms. But any case, there is a body within

[00:11:54] [SPEAKER_01]: NIST and they are responsible for creating what is the... It's not a standard. It's a special

[00:12:02] [SPEAKER_01]: publication called NIST 800-171. And that is a tailored version of NIST 800-53, essentially.

[00:12:12] [SPEAKER_01]: And NIST 800-53 is the RMF security controls. And so they created a tailored version focused

[00:12:20] [SPEAKER_01]: on confidentiality. And the output of that is NIST 800-171. R2 is a set of 110 security

[00:12:28] [SPEAKER_01]: controls. R3 is 90-ish. I don't remember exactly the number there. But right now we're still

[00:12:36] [SPEAKER_01]: operating on revision two. And that's another whole other conversation because the CMMC program

[00:12:42] [SPEAKER_01]: will have to go through more rulemaking to adopt revision three, which I'm sure will be,

[00:12:49] [SPEAKER_01]: I don't know, my opinion is that it'll probably be a few years because they took a

[00:12:53] [SPEAKER_01]: few years to adopt revision five of NIST 800-53, which are the RMF security controls on the DOD

[00:13:00] [SPEAKER_01]: side. So, you know... That's a good barometer. Yeah. Yeah, yeah, exactly. So NIST 800-171 has

[00:13:06] [SPEAKER_01]: the number of security control families and everything ranging from access control to

[00:13:14] [SPEAKER_01]: policy-oriented items, separation of duties, you know, things like that. But it's all

[00:13:21] [SPEAKER_01]: focused on confidentiality. The publication does say that integrity is covered in there,

[00:13:27] [SPEAKER_01]: but the focus really is confidentiality. Yeah. And I was surprised as I was jumping

[00:13:33] [SPEAKER_00]: into there as a MSP, you know, we look at things holistically. I kind of came from CIS,

[00:13:42] [SPEAKER_00]: which understands more of a general focus and trying to wrap everything around there.

[00:13:49] [SPEAKER_00]: You touched on something really important. It's a special publication. It's not specifically

[00:13:53] [SPEAKER_00]: a framework like CIS, for example. Dr. Ross, who is a big, you know... I don't know the right

[00:14:04] [SPEAKER_00]: term to use, but he's been instrumental in the NIST and works at that organization

[00:14:11] [SPEAKER_00]: and helped write, if not most of write, the 800-171/171A that we kind of base that CMMC

[00:14:21] [SPEAKER_00]: off of. But he talks about how it's not a framework. It's really focused on one

[00:14:28] [SPEAKER_00]: sort of focus. And you touched on that a little bit. Can you kind of go a little

[00:14:31] [SPEAKER_00]: bit more about the real focus of what that standard publication is trying to accomplish?

[00:14:37] [SPEAKER_01]: Yeah. And it goes back to the executive order, I think 13556, if I'm not mistaken,

[00:14:43] [SPEAKER_01]: under the Obama administration, titled Controlled Unclassified Information. And so one of the

[00:14:48] [SPEAKER_01]: tasking in there was to create essentially a set of security requirements focused on

[00:14:55] [SPEAKER_01]: confidentiality. And so NARA was the executive agent, is the executive agent.

[00:15:01] [SPEAKER_01]: And I'm just smiling because I listened to Jacob Horne's podcast.

[00:15:06] [SPEAKER_01]: Same here. Yeah, I know we're going with that.

[00:15:09] [SPEAKER_01]: Yeah, go listen to that, folks. But in any case, NARA is the executive agent,

[00:15:13] [SPEAKER_01]: and they delegated to NIST and said, Hey, NIST, you already do security controls,

[00:15:18] [SPEAKER_01]: you do this, you know. And so NIST went off and developed NIST 800-171. And I'll admit,

[00:15:30] [SPEAKER_01]: I was not paying attention when revision one came out. So I'm most familiar with revision two,

[00:15:36] [SPEAKER_01]: of course. But that's kind of the backstory there. And there are a lot of things there,

[00:15:47] [SPEAKER_01]: because availability isn't covered. And so to your point, NIST 800-171, it's just not a

[00:16:00] [SPEAKER_01]: comprehensive security program by any means. But it's all about the regulated CUI. And actually,

[00:16:09] [SPEAKER_01]: 800-171 is all about CUI, protecting the confidentiality of that. But yes, not a

[00:16:16] [SPEAKER_00]: comprehensive security program. Well, because they don't even specifically

[00:16:21] [SPEAKER_00]: have mandates on backup, those types of things. You know, they don't have the triad,

[00:16:29] [SPEAKER_00]: CIA of not the CIA, like the Central Intelligence Agency. But like, what's the CIA stand for?

[00:16:38] [SPEAKER_00]: Yeah, integrity and availability. Yeah, like those three acronyms that you see that,

[00:16:43] [SPEAKER_00]: that are pretty important in trying to have a good holistic. And so

[00:16:50] [SPEAKER_00]: you've got to be ready for your audit. And there's a lot of deep focus in the audit logs,

[00:16:56] [SPEAKER_00]: separation of duties around audit logs, collusion and making sure that certain people that have

[00:17:02] [SPEAKER_00]: admin rights can't do everything that could have an impact on your availability of your

[00:17:08] [SPEAKER_00]: log information. If you have an end center, you're trying to track those types of things.

[00:17:12] [SPEAKER_00]: So it's very much about tracking that CUI or controlled unclassified information as it's moving

[00:17:18] [SPEAKER_00]: through your organization and where it's sitting. But it so not only do you have to think about,

[00:17:25] [SPEAKER_00]: and I'm just saying this as an MSP, not only do you have to think about making sure the client

[00:17:29] [SPEAKER_00]: passes the audit, you still have to wrap other things around that that aren't going

[00:17:33] [SPEAKER_00]: to be audited because that's the right thing to do to keep your organization you're supporting

[00:17:38] [SPEAKER_00]: healthy and safe. Because that is not the end all be all there's a lot more to making

[00:17:43] [SPEAKER_00]: sure an organization is going to be safe. So, you know, it's a tall order. So not only do

[00:17:48] [SPEAKER_00]: you have to be ready for your audit, but you also have to make sure your client is safe

[00:17:51] [SPEAKER_00]: and secure. Just because they're compliant doesn't mean they're safe and secure necessarily,

[00:17:56] [SPEAKER_00]: which is kind of weird to say that out loud. But I mean, that sort of reality.

[00:18:01] [SPEAKER_01]: Yeah, without a doubt. And this may be jumping ahead a little bit. But

[00:18:06] [SPEAKER_01]: looking at the CMMC program rule, I think there are some gotchas there,

[00:18:11] [SPEAKER_01]: definitely that people will not see because they're not reading. I mean, who has time to

[00:18:17] [SPEAKER_01]: read, right? Read the manual. I did back when it came out and when I was updating my course.

[00:18:25] [SPEAKER_01]: And one of the things I pulled out was the affirmation requirements. If you look in the

[00:18:31] [SPEAKER_01]: rule, there are there's a section dedicated to annual affirmations of continued compliance.

[00:18:37] [SPEAKER_01]: And one of the things that I think is going to be a gotcha for defense contractors,

[00:18:42] [SPEAKER_01]: I mean, really anyone who has to undergo a CMMC certification, because as you know,

[00:18:47] [SPEAKER_01]: external service providers, MSPs are in this ballgame too. When you're doing an annual

[00:18:53] [SPEAKER_01]: affirmation of compliance, you're saying that yes, we're still compliant. So let me back up.

[00:18:59] [SPEAKER_01]: So get CMMC certified. Okay, that's three years. But every year you have to

[00:19:04] [SPEAKER_01]: reaffirm that you're still good to go. And also, and this is this is I think what

[00:19:09] [SPEAKER_01]: people are going to miss that your CMMC assessment scope has not changed. So what that means

[00:19:14] [SPEAKER_01]: is whatever you certified has to be in your concrete, you know what I mean? And just from

[00:19:22] [SPEAKER_01]: my perspective, as a defense contractor, I know my user base and they're going to want to see

[00:19:29] [SPEAKER_01]: more changes, more systems come in as systems evolve and things like that,

[00:19:34] [SPEAKER_01]: more than just security updates happening, right? You know, and so

[00:19:40] [SPEAKER_00]: organizations going to change. And so part of that self assessment yearly should be making

[00:19:44] [SPEAKER_00]: sure that you're making the necessary adjustments so that when I see in three years, the auditor

[00:19:49] [SPEAKER_00]: is going to do the assessment. And if you are way out of balance, you're going to be

[00:19:54] [SPEAKER_00]: in a lot of trouble. And what I'm seeing interestingly enough is some C3PAO organizations

[00:19:59] [SPEAKER_00]: are signing agreements for that three year term. So they're so they'll hit you for the three year,

[00:20:05] [SPEAKER_00]: but then they'll have a refresher at the end of that second year. You know, so you do your

[00:20:10] [SPEAKER_00]: first year, your assessment and then when you go into your second year, they'll have a refresher.

[00:20:13] [SPEAKER_00]: That way when you when they when you do your three year certification again, you're not so

[00:20:18] [SPEAKER_00]: far off, which I thought was that's very helpful in it. And I think that kind of helps

[00:20:23] [SPEAKER_00]: address those concerns you have, but not all C3PAOs are going to be doing that some may

[00:20:27] [SPEAKER_00]: charge you for the assessment and then reach out to us in three years.

[00:20:31] [SPEAKER_00]: There's no requirement about specifically how those C3PAOs are going to engage you. So

[00:20:38] [SPEAKER_01]: choose wisely, I guess. Yeah. Yeah. And I do think that's a wise decision

[00:20:42] [SPEAKER_01]: and the ISO 27001 world. That's that that is the norm. They come in for

[00:20:47] [SPEAKER_01]: surveillance audits. You know, you're doing your internal audits. They come back every year

[00:20:53] [SPEAKER_01]: surveillance audit. So I think that makes a lot of sense and actually, you know,

[00:20:58] [SPEAKER_01]: eliminate some risk, maybe mitigates it of that False Claims Act thing that, you know,

[00:21:05] [SPEAKER_01]: is lingering out there. You're saying, yes, we're still good to go. But you know,

[00:21:09] [SPEAKER_01]: it's not it's almost like a transferring of risk, you know what I mean to the C3PAO

[00:21:14] [SPEAKER_01]: and just that extra solid check. Yes, we are still compliant. So

[00:21:21] [SPEAKER_00]: so let's let me ask you some questions about specific or not really specific controls,

[00:21:28] [SPEAKER_00]: but the controls that you feel based on your experience and working in the GRC

[00:21:33] [SPEAKER_00]: assistance and helping what are some controls that you find a lot of people just come in,

[00:21:38] [SPEAKER_00]: maybe they came in from RMF and they have, you know, the wiring concept this way. And

[00:21:43] [SPEAKER_00]: it's not quite the same when you look at it from a CMMC perspective or maybe from an MSP

[00:21:49] [SPEAKER_00]: perspective, they might have a different way of looking at it. What are some controls or

[00:21:55] [SPEAKER_00]: concepts that people sometimes get wrong that are that you run into on a regular basis?

[00:22:02] [SPEAKER_01]: Yeah, there is one in particular and it's about FIPS and I don't remember there's a

[00:22:08] [SPEAKER_01]: few controls about FIPS encryption and I don't remember exactly which one this is.

[00:22:15] [SPEAKER_01]: But it's it might be 3.13.11. And this was some confusion that I had.

[00:22:25] [SPEAKER_01]: And the point here is that it's so important to read the control text,

[00:22:29] [SPEAKER_01]: to read the discussion, and then also for the further discussion that CMMC, you know,

[00:22:35] [SPEAKER_01]: adds is clarity. And then the 800-171A assessment guidance, the assessment objectives,

[00:22:43] [SPEAKER_01]: because if you don't go down to the 800-171A level, you're going to miss stuff.

[00:22:48] [SPEAKER_01]: And that's what an assessor is going to be using when they assess you. So you want to

[00:22:52] [SPEAKER_01]: make sure when you're implementing your double checking yourself to make sure you've accounted

[00:22:55] [SPEAKER_01]: for everything that they'll be looking for. But one of the things in these FIPS controls is

[00:23:05] [SPEAKER_01]: there's a there's a section in there that talks about the applicability of FIPS and when it's

[00:23:12] [SPEAKER_01]: required and when it's not. OK, and it's that whole conversation of, well, if you're inside of

[00:23:20] [SPEAKER_01]: your protected boundary, FIPS is not necessarily required. But when you're trans, you're going

[00:23:27] [SPEAKER_01]: outside of your boundary, you know, that's FIPS is a definite requirement for data in transit.

[00:23:32] [SPEAKER_01]: So the normal concept is just FIPS everywhere. And that's fine, you know, but if you can't do that,

[00:23:39] [SPEAKER_01]: then just knowing that there is some ease, you know, there is some I can't think of the right

[00:23:47] [SPEAKER_01]: word, but these controls, depending on how you implement them, can cost a lot of money.

[00:23:53] [SPEAKER_01]: Yeah. And sometimes you might get some gold plating going on. Because I will tell you this,

[00:24:00] [SPEAKER_01]: as I've been implementing the controls and things like that, it's very easy to get away from what

[00:24:06] [SPEAKER_01]: the intent of the control is. You have as you have these conversations as you're deriving

[00:24:11] [SPEAKER_01]: requirements for your systems, you kind of got to trace it back, make sure you have the

[00:24:16] [SPEAKER_01]: control up and all the associated language, because it's easy to go off into engineering

[00:24:23] [SPEAKER_01]: land and like, yes, we could do it this way, this way, that way. But you may very well go

[00:24:28] [SPEAKER_01]: be going well beyond what the requirement is, which you know, you might need to but

[00:24:33] [SPEAKER_01]: you don't you don't have to you just go back to the control language.

[00:24:38] [SPEAKER_00]: I love the fact that they allow you for that because there are certain applications or systems

[00:24:43] [SPEAKER_00]: that just do not accommodate that type of FIPS validated cryptography. When you turn

[00:24:52] [SPEAKER_00]: that on as a policy, there's a GPO or Group Policy Edit that you can make on those to enforce

[00:24:59] [SPEAKER_00]: FIPS mode communication on the Windows systems. And when you do that, some applications are not

[00:25:05] [SPEAKER_00]: very friendly to that. And so if you have that boundary control, that can help you dodge that

[00:25:12] [SPEAKER_00]: potential challenge. There are other ways to get around it. But that would be the probably

[00:25:17] [SPEAKER_00]: easiest way of still like what you're saying is meeting the objectives that need to happen,

[00:25:22] [SPEAKER_00]: but yet not spending more money than you need to tell them the client they might have to

[00:25:27] [SPEAKER_00]: transition from a specific app they're used to using or creating additional boundaries that may

[00:25:32] [SPEAKER_00]: not necessarily be required. Interestingly enough, if I do remember correctly, I think

[00:25:38] [SPEAKER_00]: they remove that physical security protection option in rev three, I think they're actually

[00:25:43] [SPEAKER_00]: enforcing encryption now pretty much hardcore style, which that'll be interesting to see how

[00:25:49] [SPEAKER_00]: that plays out. Yeah, so I might be wrong about that. But I don't I don't I think that was one

[00:25:55] [SPEAKER_00]: of the shockers I was looking at when I saw rev three. It's like they're not allow you

[00:25:59] [SPEAKER_00]: to use the physical protection to help mitigate that. And if that's the case, then

[00:26:04] [SPEAKER_01]: yeah, that's gonna be interesting. Right, right. Another point there is 800-171 rev two is

[00:26:10] [SPEAKER_01]: I mean, at this point, it's several years old, it is antiquated. There's some things in

[00:26:15] [SPEAKER_01]: there that, you know, are have aged and they're showing it. So as you're implementing,

[00:26:25] [SPEAKER_01]: you know, it's a good idea to look forward to what revision three has when you're implementing

[00:26:30] [SPEAKER_01]: this, you know, security control family in R2, go ahead and do that look ahead.

[00:26:36] [SPEAKER_01]: Because there's, there's nothing more frustrating than having to rip and replace

[00:26:42] [SPEAKER_01]: or an unplanned upgrade because, you know, because you didn't plan ahead. So you know,

[00:26:49] [SPEAKER_01]: looking at revision three is a great idea, even just to future-proof yourself.

[00:26:54] [SPEAKER_00]: Well, that just reinforces the importance of knowledge, of, you know, working your way

[00:27:01] [SPEAKER_00]: up and getting experience in GRC and understanding how to do those types of things,

[00:27:07] [SPEAKER_00]: and then dipping in further into the knowledge. I highly suggest getting CCP certified if you're

[00:27:13] [SPEAKER_00]: going to be helping lead the charge of an implementation for CMMC inside your organization

[00:27:17] [SPEAKER_00]: or working in conjunction with others that are going to be doing that. The CCP is a great

[00:27:24] [SPEAKER_00]: thing to start having kind of foundational knowledge, and that primer before you step in

[00:27:32] [SPEAKER_00]: would help out tremendously if you haven't had a lot of experience coming in there.

[00:27:35] [SPEAKER_00]: I didn't have that, and boy, it was a punch in the face for me. And I didn't really know about

[00:27:39] [SPEAKER_00]: the options that you guys provided, or I probably would have taken you up on it, and it would have been

[00:27:45] [SPEAKER_00]: more of a slower ascent versus a rocket for us. And, you know, pulling those

[00:27:54] [SPEAKER_00]: G-forces can be really hurtful on your brain. Yes. Well, Jacob, thank you so much for your

[00:28:01] [SPEAKER_00]: time and for talking with us today. Are there any other areas you'd like us to cover?

[00:28:07] [SPEAKER_01]: Well, I really appreciate you having me on. Thank you so much. I think the last thing I'd just

[00:28:13] [SPEAKER_01]: say is that before you begin implementing, make sure that you understand the requirements

[00:28:19] [SPEAKER_01]: behind this. You'll learn a lot. Even if you don't take my course, you know,

[00:28:24] [SPEAKER_01]: you'll learn a lot just by reading the special publication, by reading the CMMC

[00:28:29] [SPEAKER_01]: documentation. If you want to kind of fast track that knowledge, you know, my course is out there,

[00:28:34] [SPEAKER_01]: but I would just say prepare, make sure that you know what the requirements are. Make sure

[00:28:41] [SPEAKER_01]: you understand how all this fits together, because your implementation decisions

[00:28:47] [SPEAKER_01]: could cost you a lot of money down the road. And also, just don't be led

[00:28:54] [SPEAKER_01]: blindly by a consultant, and take the time to educate yourself, because you want to make sure,

[00:29:01] [SPEAKER_01]: one, that that consultant is leading you down the right road, because ultimately

[00:29:06] [SPEAKER_01]: it's your business. You know, you're the one getting CMMC certified. So just educate

[00:29:13] [SPEAKER_01]: yourself, educate yourself, and just know where you're going. Don't be led blindly by the hand.

[00:29:20] [SPEAKER_00]: Yeah, that's such a good point there, Jacob, because we tell our clients, look, if you're

[00:29:25] [SPEAKER_00]: working with us, we still recommend that in the scoping call, that we have a C3PAO or another

[00:29:30] [SPEAKER_00]: organization that can work with us and you on it, because the scoping is such a critical aspect

[00:29:36] [SPEAKER_00]: of the journey, making sure that the architecture is done, because you're going to spend a lot

[00:29:40] [SPEAKER_00]: of project money to get that scope built out. And then if you don't make the right choices,

[00:29:47] [SPEAKER_00]: then all of a sudden, like you're saying, you're ripping stuff out at the 11th hour

[00:29:51] [SPEAKER_00]: trying to address those types of challenges. You could potentially find out when it's assessment

[00:29:56] [SPEAKER_00]: time, which is not the right time you want to find out that it isn't going to go well for you.

[00:30:01] [SPEAKER_00]: And so having just a sit-down conversation with a third-party organization, like a CCA or

[00:30:08] [SPEAKER_00]: a C3PAO, that obviously, if you engage them for consulting, they can't be your assessor,

[00:30:13] [SPEAKER_00]: but you can leverage the senior knowledge of experienced organizations that have gone through

[00:30:22] [SPEAKER_00]: surveillance assessments and have worked through those types of things with DIBCAC.

[00:30:26] [SPEAKER_00]: They're going to be invaluable, and when you sit down and explain to them how you're doing

[00:30:30] [SPEAKER_00]: stuff, they can really make sure that you're not going to drive yourself into the ditch

[00:30:35] [SPEAKER_00]: and find out when it's too late. That's a great point, Jacob. Thank you for mentioning

[00:30:39] [SPEAKER_00]: that. Oh, sure. Sure. Well, again, thank you, sir, for joining us. And if you could share

[00:30:46] [SPEAKER_00]: some information with people about how they could maybe connect with you or find you. Oh, sure.

[00:30:51] [SPEAKER_01]: Yep. I post a lot on LinkedIn. You can find me there. I'm sure links will be in the

[00:30:55] [SPEAKER_01]: description. GRCacademy.io is my website. And again, thank you so much for having me on.

[00:31:03] [SPEAKER_00]: Well, everybody, if you are just tuning in for your first time, this was a good one.

[00:31:08] [SPEAKER_00]: Jacob has got some great information that you definitely need to check out

[00:31:12] [SPEAKER_00]: and it is a great way to start your journey in trying to understand what you're in for and

[00:31:17] [SPEAKER_00]: what you're kind of looking down the barrel of. The other thing that I'd like to just mention is,

[00:31:21] [SPEAKER_00]: you know, hit follow, hit subscribe. If you have suggestions on what you'd like to see from us

[00:31:26] [SPEAKER_00]: in future content, let us know. We are always open to new ideas. And until next time, everybody,

[00:31:33] [SPEAKER_02]: keep on climbing. Make sure to follow us on LinkedIn and YouTube to stay up to date on the

[00:31:38] [SPEAKER_02]: latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one.

[00:31:44] [SPEAKER_02]: But until then, keep on climbing.