Are you a DoD contractor navigating the complexities of the 32 CFR Rule? In this video, we break down the key aspects of the 32 CFR Rule, explaining how it impacts defense contractors and the steps you need to take to stay compliant. Whether you're new to the defense industry or need a refresher, this video offers valuable insights into ensuring your business meets the Department of Defense's strict regulations. Avoid costly mistakes and protect your contracts by understanding the full scope of 32 CFR compliance.
What You’ll Learn:
- An overview of the 32 CFR Rule
- How the 32 CFR Rule impacts DoD contractors
- Key compliance strategies for DoD contractors
- Essential steps to avoid common compliance pitfalls
Stay ahead of the competition and ensure your compliance with the latest regulations!
Austin: Welcome back to the CMMC Compliance Guide Podcast. Thanks for joining us today. My name is Austin Justice.
Brooke: And I am Brooke Justice.
Austin: This week we're going over the 32 CFR rule. We covered the 48 CFR rule last week, and we wanted to hit this one a little more in depth. Brooke, I've got some questions for you. Ready?
Brooke: Shoot, let's go. Let's do it.
Austin: Can you walk us through the most critical changes in the proposed 32 CFR rule and how they directly impact DoD subcontractors?
Brooke: I can. And really the first thing I want to point to is that, depending on who you talk to, you might get different versions of what's critical, what's important in the 32 CFR rule. So of course we're coming at this from a provider, an implementer, and what our customers see. So what affects them, and what matters to them. That's how we're coming at it. So really: POAMs, there's a change on the POAMs. FIPS encryption, FIPS validated encryption, there's not a change there, but they doubled down on it. So 800-172 revision two is an important one. ESPs, the all-important external service providers, that's another important one. And then of course, we talked about this last time, certification cost. So those are really the key things that we want to delve into, that affect our clients and us.
Austin: Okay. You mentioned POAMs. What exactly are POAMs? How do the new limitations on the POAM timelines themselves affect subcontractors seeking CMMC certification?
Brooke: So what they did do: before, if you had a POAM and it said, technically, I have this one control, we haven't implemented it yet, but we're gonna implement it by November 1st of 2028, or 2038, technically, that'd be fine. Might be hard to talk somebody into that, but technically it'd be fine. Well, now they've actually put a limitation on that. It's 180 days, or about six months. So where that really comes into play is during the certification assessment. If you're preparing to go get your assessment, it doesn't necessarily matter a whole lot; you want to be ready in time. But for the POAM, once you go for your assessment, if you have a POAM item that comes out of that that you have to get completed, it has to be done in 180 days. The other thing where it will probably come into play is if you have any significant changes in your business network, for instance, or some other significant change, a company merger, something like that. That'll technically be a POAM item that you need to address during that time frame, and I would imagine that 180 days would come into play there. So really what that means in those instances is you just need to prepare and be ready for that. You've got to prepare for mergers, you've got to prepare for network changes, significant changes. It's just one of those things you have to prepare for. But 180 days is the limit now for POAM items. And a POAM, I didn't explain that, so I apologize to our viewers. Some of you probably already know what it is, but it's a plan of action and milestones. And really, that's a list of to-do items. So we have, for instance, 108 out of the 110 controls complete, but these last two we still have yet to do. And your POAM should say, for these controls, this is what we plan on doing, and this is the date when we plan on getting those done. That's what a POAM is.
Austin: Okay. We love our jargon, don't we? Oh yes, yes.
Brooke: That's more than a three-letter acronym, but still, it's an acronym. Right.
Austin: So one of the hot topics is FIPS encryption, FIPS validated encryption. Yes. And I was just talking to a buddy at a very large company, a software developer, and he's having to deal with it himself, and he was complaining about it as well. I'm sure. So we're seeing it big to small. So I just want to address that a little bit. It's a mandatory requirement under the new rule. Can you explain why FIPS validation is so important and what challenges subcontractors might face when implementing it? Sure.
Brooke: So the key word to understanding this is that it's gotta be FIPS validated encryption. Not compliant, not equal to, not similar to, not anything. It's FIPS validated encryption. So in other words, that is a company going through and saying, here are our encryption modules, this is how they work, and the government has to go through and look at them, verify them, validate them, I guess. Bless them, and get them out there and approve them. The problem is that takes a really long time to do, and not all companies want to bother with that. So FIPS validated encryption is a bit of a big deal. To give a couple of examples: Windows Server 2019 and 2016, they're both FIPS validated, they're on the list, so they're good. Windows Server 2022, it's not. This is 2024, folks. It's been out for two years. It's not FIPS validated yet. It's in the works, but it's not there yet. The other thing with that example is that there are no currently supported versions of Windows 11 or Windows 10 that are FIPS validated. Because of their update cycle these days, with the feature updates and all that, there are some older versions that are not supported that are FIPS validated, but we're still waiting on the FIPS validation for the current ones. Similar with firewalls and everything else: they have to be in the CMVP database. CVMP, I might have that wrong, but we'll look it up later. It's not in front of me, so I apologize about that. I should have that acronym right. Anyway, if it's not in that database and approved, then it's not FIPS validated. So for instance, firewalls: some firewalls implement that encryption via, I believe, a hardware module. So that model of firewall is gonna be okay. Some do it by a version of firmware. So you gotta know what exactly is FIPS validated, and you have to be able to grab that module from the database in your documentation and say and prove that this firewall, this version of Windows, whatever it is, is FIPS validated, and here's the documentation.
Austin: Yeah, so this seems like it's gonna be, I hesitate to use the word headache because I understand CMMC is a very needed thing, and we're doing it for obvious reasons. But it does seem like it's gonna cause quite a bit of a headache for implementing it, in terms of, we're IT guys first, right? So we're used to just making sure a customer's on the latest and greatest Windows version or server version and getting it out there, and making sure they're on the best equipment. But now you're telling everyone that we have to be careful about that because it may not be FIPS validated. And so we may have to hold back a little bit on some of those, either firewall products or Windows versions, is that right? You do.
Brooke: But the other thing is with these assessments, and we'll see. We know how they've handled this, because there's proof in the DIBCAC assessments they're doing right now. So we know how they're handling those, and we have to see how it plays out in the actual certification assessments when they come out. What they don't want to do is say, yeah, you have to stay on an unsupported version of Windows that's got all sorts of holes and bugs in it, that's no longer being patched with security patches, you've got to stay on that because it's FIPS-validated encryption. They're not gonna go that route. So there's gotta be some leeway there. And of course, we're waiting for the 32 CFR final rule to come out. The final rule has not come out yet. But we'll see where this goes. They did double down on that in this proposed rule. So we'll see where the FIPS validated encryption ends up. Really, it'd be hard, and I understand why they don't want to do it, but I would like to see it be FIPS compliant encryption, or something like that. Because really, there's tons of great encryption algorithms out there that perform well and are very secure, but the modules have just not been approved by the government yet. So it's a bit of a headache, and I don't know if it's necessarily a catch-22, but it's a bit of a headache to deal with.
Austin: Yeah, I mean I guess the answer is we just don't know, and we're gonna have to wait for guidance and for someone to set the standard going forward. Is that right?
Brooke: I mean, that is right. Exactly, we have to wait for that final rule to come out, see what that says, and then all we can do is prepare, and then we have to see how those first assessments come out, how they shake out with things like, if there are no versions of Windows 10 that are currently supported that are FIPS validated, what do we do? Yeah. I think I know. I think we'd rather lean towards keeping everything up to date and patched, because that's a lot more important than FIPS validated encryption. So keeping it secure. Yes, yeah. Yeah, yeah.
Austin: So maybe going forward on projects or decision making, kind of put security first, knowing that the compliance might change it later, and don't let yourself get caught too far behind on things.
Brooke: And I think part of this is gonna be, what they have shown in the DIBCAC assessments is that if you did have your FIPS validated encryption in place and then you had to upgrade, or whatever the case may be, and you're no longer, then you can prove, hey, I was there, and as soon as we're able to be there again, we'll be there. Okay. So that's what I was wondering. Yes, that's a lot different. So having the right equipment in place. So another one, a firewall: we had it turned on, the FIPS encryption is not available with this version of firmware, as soon as it comes out we'll put it back on there, we'll turn it back on, or something like that. So those are the kind of exceptions they're making right now, as I understand it. Right. Those are the kind of exceptions they're making right now. But you have to be in the position to be able to flip that switch and turn it on. You can't just have all sorts of consumer grade equipment around and say, yeah, whenever it's available, we'll get it. It doesn't work like that. So right.
Austin: It has to be very provable that you're doing the right thing. Absolutely. And you still, at the end of the day, need the exception from them. So yeah. Okay, that makes sense. I appreciate you going over that. That might be a selfish question for me, but I've always been wondering about the FIPS encryption, how they're gonna handle it. So all right, moving on. What are the implications of NIST 800-171 Rev2 being hard-coded into the new rule? Should some subcontractors expect further changes, as Rev3 is already out, or what do you think is going to happen there?
Brooke: I think they really kind of did everybody a favor, while introducing some problems, but they did everybody a favor by saying, look, I know that they're marching forward with NIST 800, and they're on revision one, revision two, now revision three, and so on and so forth. But while we're getting this revision two implemented and CMMC implemented, I think they kind of did everybody a favor by saying, you know what, because there's a good deal of changes in Rev 3 for NIST 800-171, we're gonna stick with 800-171 Rev2, and we're gonna hard code that in the CMMC rule. So for the foreseeable future, until they release another proposed rule down the road, CMMC is based on Rev2, which is good. We don't have to worry about, oh my gosh, here's Rev 3, and we do gotta do all these changes, and we're still trying to roll this program out. So probably what they'll do in the future, once this program gets rolled out, is say, okay, now we're gonna release a rule to change that to keep up with the current version. And that's a guess, of course. I have no clue what they're gonna do. But for now, it's hard-coded to Rev2, and we'll be sticking with Rev2 for the foreseeable future. Okay. I would imagine for quite a few years, or a few years.
Austin: Yeah. What that sounds like to me is that we should always expect changes going forward, forever, because the cat's out of the bag with technology, it's always changing. And at the end of the day, it's essentially an arms race, right? I mean, new technology brings new security risk, brings new compliance, and this is gonna be a part of our life going forward, and there's no just getting CMMC fixed and, let's move on to the next thing. This is gonna have to be a part of our jobs forever. It is.
Brooke: And, as you said, cybersecurity is ever changing, and it changes fast. The whole tech world changes really fast. So trying to keep up, NIST 800-171, and mind you, that's not the government, that's not the DoD doing the changes for NIST 800-171. So they're trying to keep up with the times, trying to keep it relevant, and trying not to fall behind, and that's all perfectly understandable. But of course, while the whole DIB industry, the defense industrial base, is trying to ramp up on CMMC, it's probably not a good idea to change the rules of the game in the middle of it, or at the beginning of it, really.
Austin: So yeah. After you've spent a little while in the CFR and DFARS and CMMC and NIST, you realize that these are all nested rules and frameworks and governance, and that they all reference this web of things, and NIST, they're basically using the NIST 800-171 framework as cybersecurity best practices. And so they're just referencing it, right? Yes. Yeah, is that, I mean, I know I'm kind of summing it up, but skipping a lot.
Brooke: Yeah, that's pretty close. NIST is the National Institute of Standards and Technology. They release standards for all sorts of technology, all the time. There's all sorts of stuff. And they do a great job at that. And at these conferences we go to for CMMC and other things, they will let you know, we are not the DoD. And the DoD will let you know, we are not NIST. But yes, they do rely on those standards, because they are good standards. NIST 800-171 is a subset of, or references back to, however you want to phrase it, NIST 800-53, which is for federal government networks. So this is basically for contractors that do work for the federal government. That's why they came up with it, and that's what it's meant for. So anyway, they all play a part in each other. You mentioned the DFARS rules; the DFARS rules are what puts those into effect, and references, pulls in CMMC, defines CMMC, marries the NIST 800 standard to it. So that's how it kind of gets married, and you're right, it is kind of a jumble.
Unknown: Yeah.
Austin: Yeah. Well, if you're new to the game, or you're not familiar with it, it's very imposing when you first look at it. And none of it seems to make sense to start with. It's true. That's very true. Yeah. Yes. But it does make sense, I promise. Just spend enough time and you'll find it figured out. I still find myself learning some things sometimes. So all right. So this is another big topic. And I'm not sure how many people are talking about this. I'm very concerned about it, so I'm gonna ask you this, again selfishly, and for our viewers. So we've kind of created a chicken and egg problem around ESPs. So I guess I'll just use my notes to make this make sense. What role do ESPs, external service providers, play in CMMC compliance? How does this chicken and egg scenario impact subcontractors working with these providers? Specifically, the ESPs have to be certified for the contractor to get certified, but they're certifying the contractors first, and so what's gonna happen here?
Brooke: Sure. So first of all, an ESP is an external service provider. An external service provider is anyone that is a third party that helps a contractor to the federal government in their business network. So it helps process, store, transmit, or protect CUI. That's what an external service provider is. So we, as an MSP, as an IT provider. MSP, there's another acronym for you, it's a managed services provider. That's an industry term that probably nobody outside the industry knows at all. But that's what we call ourselves. So IT providers like us are an ESP, and we always understood that we were going to be an ESP, or an external service provider, and that we would probably have to go through the certification for CMMC. And from the get-go, some people don't realize this term, and I thought it was just kind of known, but I always say we eat our own dog food.
Austin: Which means, I've said that a couple of times and people just look at me like I'm crazy.
Brooke: Yeah, they're like, what do you mean? So I have to explain it. So in other words, everything that we tell our clients that they have to have in place, we have those in place too. And we have more as well, but that helps me sleep well at night, and I'm sure it helps you sleep well at night. So we eat our own dog food. We have all these policies in place. So we always knew from the get-go that we were gonna have to be CMMC compliant, however that ended up looking; we just knew that we were gonna have to do that. Or however it ends up, because we're still a little unsure. So we always expected that. But with this new rule, what it basically also says is that, I mean, we buy services from other providers as well. So for instance, we have a service that we use for SIEM and SOC. SIEM is security information and event monitoring, or management, and a SOC is a security operations center. So whenever you put those together, basically what you're doing is gathering all the logs from all your devices, or all your key devices, however you want to do it. But we do all devices: all laptops, desktops, servers, firewalls, the cloud. We do all those, gather them, save those logs, upload those logs to the cloud, and then algorithms and some AI go through those, look for correlations, all that kind of fun stuff, look for bad things happening, and they pop some alerts. There are certified security engineers that look through that, that take care of looking through it, and I can go on, I can tell a whole story about that. But that's one thing. That's probably another podcast, or another one of these things. But there are actual real certified people that have eyes on and go through those and look at those alerts. They weed those alerts out, and they try to make sense of some of them, and then they let us know, hey, you need to look at this. Some of them just pop and are that important, and they say, hey, you gotta look at this, or we're locking this machine down for you and you need to go address it. So that's what that whole service is. And we don't have the staff to do all that 24/7, 365, or else, just like any of the other contractors, subcontractors and things, it would be a lot more expensive for them to do that in-house. The same thing for us.
Austin: If you're a machinist or a machine shop, you could go buy a foundry and smelt your own metal. It's easier to buy a block of it. Right.
Brooke: So same sort of thing. But nevertheless, for instance, that SIEM and SOC service, the one that we get, that is now, because they're classified as a security protection asset, because they get log data and all sorts of other data that helps you secure CUI and FCI, that's a security protection asset. And now they have to be CMMC Level 2 certified. And so what that means is, there's a rule that says, CMMC basically states that the organizations seeking certification, so OSCs, that use third party providers, those third party providers, those ESPs, have to be certified before they can even seek certification. So now the OSC is seeking certification. Now we've got to be certified before them. And not only that, guess what? Our provider for SIEM and SOC now has to be certified before we can get certified, because now we're an organization seeking certification. So now you've created a chain effect, and that is the chicken and egg you're talking about. So how in the world are they going to handle this? And that's a big problem, a huge problem, and stands to be a gigantic problem. How are they gonna address this? Well, hopefully they'll make, I think they left themselves a little bit of a door and a little bit of a way to address it in the proposed rule. So we'll see if there's a door; I'll have to go back. I don't remember the specifics. I knew you were going to ask me that. I can't believe you don't have everything memorized. What's wrong with you? So I'll have to go back and read it before I forget. We will; that's another podcast.
Austin: Yeah, so the point is the impact is large, and affects wide and deep.
Brooke: And so they'll have to address that. And I'm pretty sure that they will see that they have to address that. So we'll have to see what they say when the final rule comes out, but they did leave themselves a little bit of an opening as well to be able to address that. So we'll see where that comes out. Okay, where it shakes out.
Austin: That sounds great. Thank you for that. A little more in the weeds, with all these customers like, okay, this all sounds great, but let's get to brass tacks. Right. With certification assessments expected to cost a minimum of thirty thousand dollars, how do you respond to concerns that these costs may be disproportionately affecting smaller subcontractors?
Brooke: How do I respond to that? Well, other than, they're right. I mean, we've heard from some of our clients. We've got some clients that are really small, like less than 10 people, some that are 20 or 30, and some that are larger than that. And so some of them just realize, I guess all of them realize, but some of them, the bigger you are, the easier it is to handle it, right? Right. But the problem, you have the more resources to be able to handle that. Exactly. So after talking to multiple assessors and going through some classes to be certified, and we hit on this during the last podcast too, so anyway, after going through those classes and getting certified, I realize how many hours go into this. An assessor, before you can even sign an agreement with an assessor and they can send you a bill, they've got roughly 40 hours in it. And that's not 40 hours of somebody that makes minimum wage. That is 40 hours of a pretty expensive person. So they've got some time and money investment in it, and that's before they even get started. And I just say that to let you know that the assessors are not gouging people. There's more to it than it seems. There may be some, I'm not gonna say there's none. But the assessors in general are not gouging people; they're good folks. I've talked to a lot of them, they're good folks. But there's a big time investment there. And a big time investment for people that are highly qualified. And with how they limit these assessor certifications, they are limiting the pool of those, and rightly so, but they're limiting the pool of those assessors to not be available to just any Joe, right? And so that pool is kind of small, very talented, and there's a lot of very talented people there.
Austin: So not only is there a lot more to it, there's a lot more hours and work that is involved; you also have the market effect that the number of available people to do the job increases the price as well.
Brooke: Yes, it could. All that really just to say that it's expensive to start with because of all those factors. And you've got a low bar, or you've got a high minimum, I guess I should say. That entry bar is kind of high because of that. You've got all this set work that you have to do up front, and so those certifications are going to cost a minimum of $25 or $30,000 no matter how big you are. You can be five people, you can be two people, and it's probably going to be twenty-five, thirty thousand dollars. And that's just the certification assessment. You go look at the number of hours that they say should be spent on this thing, and they come up with an estimate of $107,000 for small entities. And that's once every three years. So I guess you could argue it's thirty-whatever thousand dollars per year, but that's still a lot for a two to five person company, or a ten, fifteen, twenty person company to afford. They weren't paying it before. Yeah. So that is understandable, and it's understandable that they're worried about that. It's possible that there may be some, you always hear about grants, you always hear about help with this. The stuff that I've seen available is through nonprofits or something that, they basically explain it all to you and say, here's how it is, here's how it works, and this is what it really means. Here you go, you go implement it. Yeah. So that's nice. But a five person company doesn't have time to implement all the controls and all the objectives for CMMC.
Austin: And we've talked about this before, and I'm gonna go back to it. The real burden is implementation. The assessments cost money, and everything else, but the real burden of this is implementation. And you can't be compliant, get certified, if you don't have all the security tools, all the proof, all the daily, the person, if you have IT or security people on staff to do the job, or paying for a provider to do it for you. That is the burden of it.
Brooke: So yeah. And the people that have gone through and checked a bunch of boxes and put it in place, put CMMC in place, and maybe kind of fudged it a little bit, and not spent much money on it, and said, yeah, we're compliant, now they're gonna have a certification that they have to go through, and now they're realizing that, oh gosh, this is going to cost a lot more money. And why is it gonna cost us? Well, it's gonna cost that much because you actually have to put the right solutions in place, and they actually have to be managed, and there actually has to be a lot of documentation. In fact, there's a lot more documentation for this thing than I even realized. As we went, we've got all sorts of things documented, but the level of documentation they want on everything. For instance, the FIPS validation: we have to look for our vendors, we have to get the certification documents, the proper word, excuse me, so I apologize, but we have to get the certification documents from the website and document those, so you can say, yes, this module is FIPS validated, and here's the proof. And so we have to have all that on file, and that's just one part. So that's just an example of proof and documentation that you have to have. There's a lot.
Austin: Yeah, and you're really just not doing yourself a favor if you're going through that Exostar SPRS assessment and saying you're 110 and you're not, or you're checking those boxes, because all you're doing is creating that CMMC debt for later, and your contracts, the amount of money they're paying you, are not going to compensate you correctly for what you haven't done. And that's just true for everything. The more that you don't do correctly, in the right way, the more you're hurting yourself later. And so it's really just best to bite the bullet and address it, because it's gonna cause you problems later. And if you get found out, there's some other consequences of that, isn't there? Yes there is, yes there is. So I wouldn't want those consequences personally.
Brooke: So that's the False Claims Act. They've made an example of a few people; it's been in the news. The False Claims Act is another one of those things that I didn't list out in the things that are changed, because it's not changed. But anyway, that's something that at every conference and everything you always hear about, the False Claims Act, how important it is and how you can face some severe consequences. And I know I don't want to face those consequences, but I consider it one of those things that's, yeah, that's understandable, and that's just a given. So yeah, that's a big deal, and there's a lot of people that make a lot bigger deal out of it, as it should be, but it's not a change, it's nothing new, and it's perfectly understandable.
Austin: It's not anything I would want to intentionally go against. Right, yeah, and I'm not going to roll the dice either. Yeah, no matter if you think this is unfair to small businesses, I wouldn't want to risk my... right, I would just pay the money and not risk it, for myself. But you're able to make your own decisions. So anyway, we got off on a tangent there. We did. But we can get back. All right, so we already talked about FIPS, so we can skip this one, but I'll let you decide. Given the strict requirements for FIPS-validated encryption and the slow process of that validation, how do you suggest subcontractors stay compliant while waiting for updates to the validation process? I think you mentioned that earlier. You can just re... Yeah, next. Okay, go ahead.
Brooke: No, there's really not. I mean, we already covered it, and it's a tough deal. So you really need to have that FIPS-validated encryption in place, and in those places that you don't, like Windows 10 and 11 for instance, you have to have the ability to turn that back on, whatever it is, FIPS validated. Very cool. All right, moving along. Just rewind if you want to know the answer to that question. All right, what do you think the biggest obstacle for contractors will be once the proposed rule is finalized? Are there any steps that they can take now to get ahead of these challenges? Well, it's always good to prepare, and it's always good to make sure you read up and understand all the rules, all the controls, all the objectives. But as far as the final rule goes, the things I listed off are important to know about: the POAMs being limited to 180 days, the FIPS encryption that we've beaten until we can't beat it anymore, the ESPs, and the certification cost. You address all those and you're good as far as the changes go. But really the biggest thing I would say is be prepared and don't get caught behind, because there's just a lot to do. And for somebody to come along and say, okay... and really this is going to be required when this is put in place; it's going to be on new contracts. Now, one of our clients brought up the other day, well, we don't have contracts really, but we do work under this other program. I don't remember what it was called, but it's a program where they are able to bid on work, and it's not really a contract, they just get a PO. And so I asked them, well, is there a DFARS rule on that PO anywhere? And they'll have to go back and look at it.
So I just found out about that recently, so there may be a DFARS rule listed, buried somewhere on the PO. I wouldn't doubt that a bit. But as far as they knew, well, they don't have any contracts really that they could tell me about, so it may be a little bit different for them. You know, Lockheed may come up and say, hey, on this date, on these POs from here on out, you have to meet CMMC Level 2, you have to be CMMC Level 2 certified. So there may be some difference there. But as far as the whole rule goes, and everything we're talking about, and everything the government talks about, everything has to do with contracts. So when it goes into effect, it'll be on new contracts. That's what it'll be on. I guess it's a good point to make, too, on work you're bidding: double check, if you're not compliant, that it's not nested somewhere deep in the fine print, so you're not exposing yourself to quite a significant amount of money you have to spend for that PO. And we can tell you all day long that, hey, look at your contract, there's a DFARS rule on there, it's DFARS 252.204-7012, 7019, 7020, 7021, something's going to be on there, right? But it's another thing to actually go looking for that. And then, where is it at? I couldn't tell you. Our clients probably could, but we tell them, look on your contracts and there's probably going to be 7012 on there, and maybe some others. And I know that I've seen some of the... I haven't seen those contracts, but I've seen emails and other things come through that they show us that say, can you help me with this? In essence, or in short, I know I've talked at length about this already, but this is about new contracts, whenever it finally goes into effect.
And so my suggestion really is that you don't wait, because there's a lot of work to do, there's a lot of things to get done. Even when you think you have everything done, you're going to go to get certified and they're going to say, oh, hey, what about this here and this here? You're like, well, we didn't think that needed to be... we thought that was out of scope, and they say, well, I don't think so, because of this. Whatever it may be. That may not be the conversation, but there very well may be some things that you have to work on last minute. And so you don't want to have 30 days: we've got to get this contract, because this contract will replace some other ones that we're losing in two months, and so we have to have this new contract, and we've got to be certified before we have this contract. You don't want to be in a position of rushing to get everything done and not being able to.
Austin: Yeah, and, you know, I know CMMC 2.0 and these new rules are a whole other beast, but a lot of the contracts and POs out there to this day already require most of this stuff by way of NIST 800-171, right? Yes, through the DFARS rules that implement that, yes. So even if you haven't heard and gotten that email or your buyer calling you, probably go look and see if it is a requirement of any existing contracts you have, because, like you said, I wouldn't want to get caught down the line going, oh man, I've got to do all this ASAP, and it's hard to find an assessor, get certified, and if I don't do this my revenue dries up in X amount of days. It seems like a stressful day to me. And I try to avoid stressful days. Very stressful, yes, absolutely. Heads up there. All right, cool, so moving on. There's been some concern that the tight deadlines for POAMs could lead to certification lapses. How can contractors avoid falling into that trap? And what options do they have if they face delays?
Brooke: POAMs are limited to 180 days now, assuming that doesn't change in the final rule, but I don't think it will. I don't expect that one to change, because you've got to have some sort of time limit on it or else people will take advantage of it, right? There's 180 days for the POAMs, and really, to be certified, you cannot have an open POAM item. So if you're waiting on certification to get a contract, or something of that nature, whatever you're waiting on it for, you're waiting on certification and going through that process, and now you have an open POAM item that says you need to implement FIPS-validated encryption for XYZ, or whatever it may be. You have 180 days now to get that done.
Austin: If you don't get it done, then... Sorry about that, guys, we had some technical difficulties with our equipment. We just bought new stuff, so we're learning it. So, hey, are we a technology company? I'm just wondering. I was about to say, leave it to the IT company to have a technology screw-up right in the middle of a podcast. Right, of course, we are an IT company, not an audio-visual company, so, you know, they are very different. I don't know how to work any of this. We were talking about the POAMs, I don't know if you remember where you were at, and the time lapses and how to address that.
Brooke: Yeah, I don't remember exactly where I was at, but about the concerns of the tight deadlines for POAMs. Really, that all goes back to... I mean, the rule defines the timelines, how long you can have an open POAM item: that's 180 days, about six months, completely understandable. Where it matters is getting your certification, because you cannot get certified with an open POAM item. You can go through certification with an open POAM item, but until you get that done... once that's done, they have to follow up with you, verify that that's done, and then you can be certified after that. So that's understandable, they don't want to wait forever, there's got to be a point, so six months is a good point. So how do you attack that, how do you avoid falling into a trap or a delay? Well, it's to do everything you can before that. I talked about preparation a minute ago, and it's all about preparation. You've got to prepare, you've got to make sure that you've crossed all your T's and dotted all your I's, you've got to make sure you've got everything done before you go for that certification. So that's really where the POAMs matter. If you're just working on getting certified, you know, it doesn't matter really, because you're working towards getting certified, but once you have that C3PAO come in, that's the point at which you really need to get that done. But preparation is the key: hiring somebody to come in before the certification to do either a mock assessment, or, I should say, hiring a certified assessor to come in and do a mock assessment, or just consulting to look over everything to make sure you're ready for assessment. That's always a good idea. That's part of preparation. Yes, it does cost more money.
As we get started down this journey for the very first time, it's not necessarily a bad idea to make sure you have everything ready. So that's always a great idea, but you have to have all your POAM items completed to be able to get certified. So this certification, it's not like some of the other things where you say, hey, yes, I'm working on this and this is what I plan to do, and the auditor comes back next year and he says, hey, have you made progress on this? Yeah, I'm making progress. It's not like that. You have to be a hundred percent or nothing. It's pass or fail.
Austin: Pass or fail, a hundred or a zero. And it's not pass or fail at 70 like it used to be back in college or something, right? It's a hundred. Right, exactly. Cool. So if we were right in the middle of just the most enthralling information that we didn't get to for you, comment below, we'll try to get an answer. Text us, you can find it on our website, or email us at cmc at justiceitc.com and we'll get an answer to you. Sorry about that. All right, moving on. I'm going to bring this home and ask, you know, how our audience can use this information to make an impact in their business. So the first one is: for those in our audience that are more on the beginning side than the later stages of their CMMC journey, what are the first three steps you'd recommend they take to ensure they're on the right path, just beginning their compliance journey? Yeah, so I would say, really, hire somebody that knows what they're doing, somebody that, you know, has... you can go to the Cyber AB, which is the
Brooke: Board that oversees all this. You can go to cyberab.org and you can look at the marketplace, and you can find people that are registered practitioners, you can find people that are certified assessors. Hire somebody that can come in and help you make heads or tails of it, because there are a hundred and ten controls, but within those hundred and ten controls there are three hundred and twenty objectives you have to meet. So what exactly does this mean? What exactly are we supposed to implement? You can struggle through all that, you can read all the documentation you want to, but really a little help goes a long way. A little knowledgeable help goes a long way. The second thing is, again, I would say don't wait, prepare now, start working on it. And the other thing I'd tell you is that you can't do this in your spare time. This is not a spare-time thing. If you try to do this in your spare time, you're going to be working on it forever and you're never going to be certified. I can't tell you the number of companies that we've helped out that said, you know, we need a little help, or we helped them with a gap assessment, for instance. Helping with a gap assessment, and then they struggle and struggle and struggle on their own, and then they come back and say, hey, can you help us implement this? So not waiting, getting the job done, getting started, and hiring somebody to come in and help you make heads or tails of it is really important.
Austin: Absolutely. Okay. So what's one misconception about CMMC compliance that you encounter most frequently, and how do you correct it?
Brooke: Really, for new people coming in, and us talking to new people, it's that they don't really realize what all is involved. And I just mentioned one of these things, but it's that you can do it, you know, you can assign it to a low-level Fred over here, and he can work on it in his spare time and get you certified. That's not how it works. CMMC is a business decision, it is a business process. It's something that works on all your business processes; it's not an IT thing. It is partly IT and technology, but in large part it's your business processes that it addresses, your policies, how you do everything. That's what it addresses. So you have to have high-level stakeholder involvement. You have to have knowledgeable people that know what they're doing and have the time to do it. So it's not something you can do in your spare time, or it's not something that low-level... I hate to pick on people with the name Fred, but maybe low-level Brooke, I don't really know. But you can't just assign it to somebody who you think can do it in their spare time. It is not that kind of thing.
Austin: Yeah. I'll hear a lot from the quality guy that has been tasked with this, and he's calling me saying that he's on high blood pressure medicine now and that he's been having to... I'm just kidding about that, but, you know, working through it for months, and he's just at a loss. And so it's frequent, I mean, it's natural, you know, to do that. And you can do that with a lot of things, but this is one of those things you can't. Yeah.
Brooke: The quality guy can, you know, if you give them authority to kind of head up the program and to draw in help, outside help, inside help. If you give them a budget. Yeah, a budget and some authority, then they can work with everybody. They don't have to have the authority of a C-level position, but they have to have authority to gather people together and say, hey, we need to work this problem out and make some decisions. Right. But yes, it's not a simple, you know, assign this to somebody and let them do it in their spare time. And by the way, you have to get your other job done, where we're making money, first. Which is understandable. They need to be doing their job that brings in the bucks.
Austin: So yeah, you do need a compliance champion, or someone with that hat in the business, especially if you're relying on outside or third-party providers like us, because you need someone to transfer everything to the internal team at minimum, and then it's always a good idea as a business to have someone check up on your providers and make sure things are getting done. That's just good practice. So I think it is good to put that hat on someone in the business regardless of whether you have service providers or not. Absolutely. Yeah. All right, last one for you, and we'll close her out: how should subcontractors handle the added responsibility of ensuring that their subcontractors are compliant as well?
Brooke: That is a good question. So we've had some discussions over time, and especially here recently, now that all this is really starting to come to fruition. Some of our clients are like, wait, you mean we have to make sure our subcontractors are compliant too? And I'm like, well, yes, and we've let you know that before. And, you know, it's one of those things that is mentioned along with everything else, I'm sure, and it just doesn't sink in. But I mean, they're in the same position as Lockheed is, for instance. They're the ones that get the original contract, and then it's flowing down to them because they do work for Lockheed and they build a little widget, whatever it may be, or they test a little widget, or they provide some manpower, whatever it might be. So it flows down to them. But guess what? It also needs to flow down to your subcontractors too. So whenever CMMC certification comes out and people have to be certified, it'll start to be a little bit easier, because you can ask them if they're certified. But right now you've got to develop a questionnaire to say, hey, just like Lockheed does for you, it doesn't necessarily have to be that in-depth, but, you know, do you meet these DFARS rules? Are you compliant? And I mean, you have to go off what they say, right? But that's really what it is. And if they're not compliant, and say they're not going to be, the sad, hard fact of the matter is that you've got to find somebody else, and they need to understand that. And that's assuming that these are subcontractors that are receiving CUI from you that you got from Lockheed or the federal government or Bell or any of the other primes.
I'm sorry I single out Lockheed, but anyway, if you're one of those subcontractors that gets information, CUI and FCI, from a prime, then your subcontractors, if they get any part of that FCI or CUI, then they also have to be. So you have to have some sort of documentation saying that you asked them and, yes, they are compliant. Or whenever the certification comes out, yes, they are certified.
Austin: Okay. Very cool. Well, I think, unless you have anything else to add, I think we're done.
Brooke: I think we are, and I may have rambled on some of these questions, and I apologize, but I kind of get caught in my own mind going in circles. But there's lots more topics we could go over, you know, in other podcasts, and I'm sure that we hit on some of those. So we may be going over some of those.
Austin: Well, we'll forgive you for it this time. Thank you guys. We'll be back next week.