A Conversation with an Assessor ft. Chris Silvers
CMMC Compliance Guide, November 26, 2024

Submit any questions you would like answered on the podcast!

In this special episode of the CMMC Compliance Guide Podcast, hosts Brooke and Austin Justice are joined by Chris Silvers, one of fewer than 100 individuals officially certified as both a Certified CMMC Provisional Assessor and Instructor. With over 25 years of cybersecurity experience, Chris has led CMMC instruction for more than 1,000 students and has developed courses and practice exams with one of only 51 Licensed Training Providers recognized today. His active roles in thought leadership bodies such as the CMMC Industry Standards Council and the C3PAO Forum place him on the front lines of the CMMC 2.0 rollout, making him uniquely equipped to guide defense contractors through the certification process.

Key Topics Discussed:

  • The role of a Certified CMMC Assessor and how they support businesses
  • Common pitfalls businesses face and how to avoid them
  • How to prepare financially and strategically for the assessment
  • Best practices for working with an assessor

SPEAKER_07

Hey there. Welcome to the CMMC Compliance Guide Podcast. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast tracked to compliance. But today, we're here to give away all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we have special guest Chris, a certified CMMC assessor, certified CMMC professional and provisional instructor. In today's episode, we'll be diving into the ins and outs of CMMC assessment processes. Breaking it down for those of you who are prepared or trying to get prepared for compliance. I'll be playing the role of you, the listener, trying to ask questions that our mutual customers uh Chris is and our customers might likely have. Thanks for joining us today, Chris.

SPEAKER_04

Hey, thanks for having me, Austin. Appreciate it.

SPEAKER_07

Absolutely. Thanks for joining us, Brooke. No problem. Here I am. Glad to be here. Awesome. Well, uh Chris, you were one of the less than 100 individuals officially certified as a um CMMC provisional assessor and instructor. Um you've led CMMC instruction for more than 1,000 students. You've centered um most of your instruction, uh course um of your instruction around course development. Is that right?

SPEAKER_04

Yes. Um have developed some CCA course material. Yeah.

SPEAKER_07

Awesome. Uh and uh you've practiced practice exams. Um and you're one of the 51 officially recognized licensed training providers today.

SPEAKER_04

There's not a lot of well I I work for one. I I I actually work for five licensed training providers, um, but I had I have my you know my preferences.

SPEAKER_07

I gotcha. I gotcha. Um you're one of the first 200 CPMs registered uh out of more than 2,500 active today. And uh you are an active member of many invite-only thought leadership bodies, such as the CMMC Industry Standards Council and the C3PAO Forum. Uh you're positioning on the front lines of the CMMC 2.0 rollout, and your cumulative 25 plus years in cybersecurity are uniquely uh qualify you to guide uh DIB contractors through the certification process. Appreciate you having uh Wow.

SPEAKER_04

That that sounds really important. Who is that guy? I don't know.

SPEAKER_01

I don't know when I grow up, I want to be Chris, man. That's pretty impressive.

SPEAKER_03

Yeah, me too.

SPEAKER_04

Yeah, yeah. I've I've definitely been in this for quite a while. Um, you know, I I used to have like a full head of hair when I was younger. Okay. Uh yeah, absolutely. And and uh and Austin, I really um I appreciate the the intro and and the kind words, but uh honestly, um I I have just over the years developed a real passion for security and for helping small businesses, right? As a small business owner myself, I totally get it. Okay. I I get that like every dollar spent is a dollar that doesn't go in your pocket to feed your family, right? So totally get that.

SPEAKER_07

Absolutely. Well, we appreciate it um and happy to have you here. So uh well let's get into it, guys. So um what are what goal of uh today um is to to bring our mutual um customers, listeners, and um and prospects, um, or anyone really in the needing CMMC or uh cybersecurity compliance um to put everyone in in front or put a you an assessor and us implementers. Um did I get the verbiage right brook for how you okay um put us together and and just kind of fire some questions at both of you um on their behalf, on our listeners' behalf, so that way we can hopefully just kind of um you know break through the the myths and mystery and get some real raw answers. Awesome. Well, what I want to do is start with the basics um for our listeners and and jump into what exactly um a CMMC certified assessor does um how uh you might help businesses um uh that that are needing compliance um to go through the that compliance process.

SPEAKER_04

Yeah, absolutely. Um, absolutely, Austin. I'm assuming that question's for me. Yeah, yeah. Okay, okay, perfect. Yeah, perfect. So um so CMMC uh assessors, uh, and and I really appreciate you not using the other A word uh through this entire podcast so far, uh, because I think that it's really important, you know, distinction between an assessor and an auditor, right? We are not really there to audit um the systems or audit their compliance. We're there to truly assess the compliance. And there's a subtle difference there. Auditing is is definitely checklist based and and you know, focusing on do you really do this? Do you really do this? You know, kind of kind of from that uh it always reminds me of that movie, My Cousin Vinny, right? When he's interviewing the old country boy on the stand and he's talking about his grits, and he's like, Are you sure about that five minutes? Right. Yeah, y'all know the reference, right? Um so assessors, that's not what we're there for. What we're there for is to to it, it's kind of similar to being a teacher. When a teacher gives a test, you can think of a test or an exam as you know something onerous to you, but or you could think of a test as an opportunity to show your knowledge, right? It's an opportunity, it's like the big game. You've been practicing all week, you go to the big game and you show that you now you did your homework, right? You did the work. That's how assessors should, at least in my opinion, they should approach an assessment. This is an opportunity for the OSC to show, to really showcase their compliance. So we want to go into it giving the the, I'm sorry, I'd use an acronym, the organization seeking certification, OSC, give them the opportunity to prove their compliance, right? It's not about we're trying to catch you do something. It should be more about we're gonna give you the opportunity to prove it, right? So um, with that in mind, what to expect from an assessor? 
You should expect them to follow the Cyber AB's CMMC assessment process, right? And it's also called the CAP. It's gone through multiple revisions over the last four years. Uh, since I, you know, I think the first version of it I saw was version 2.1 during my provisional assessor training. Uh, what we teach is version 5.6.1. And uh hopefully the official final version will be coming really soon, between now and December. And uh it breaks it down into what an assessor, you know, how they are supposed to behave during an assessment. So uh hopefully no one thinks that the assessor is just being cruel, you know, for no reason. They're just they're following the CAP. That's what that's what we have to do.

SPEAKER_07

Awesome. Yeah, it's back in the day, uh a couple years ago, um, when this all first came out, we what we would always say to people, because it was all unknown then, was um, you know, if you know if you want to achieve compliance that way, then just make sure it's defensible to an assessor. But now uh it sounds like from what you're saying, is with the CAP, um, that there's actual an outline process that assessors will follow. So if you're if you're an organization seeking um what was it again?

SPEAKER_04

Certification.

SPEAKER_07

Certification. Um and you're worried about how an assessor might treat you. If you go check that the CAP out, that'll be kind of a shortcut now.

SPEAKER_04

Yeah, there is a public version of the CAP right now, a draft version out there. They call it 1.0. Um, but I would caution people from going and looking at that. You might as well wait. Hopefully, here in the next couple weeks or so, you'll get a a 2.0 version, and that will literally be the final version. So that'll be the authoritative source. And you and you're right, Austin. They can just look and they'll have a playbook on what the assessor's gonna do because we're bound to to follow that.

SPEAKER_07

Like that makes it a little more um above board, and everyone kind of knows how things are gonna go. So yeah, awesome. Well, I'll shift it over to Brooke a little bit um and uh ask you, Brooke, how how does your or our role uh as an implementer fit into the picture when working with someone like Chris?

Brooke

Well, really, uh, I mean, we're gonna be uh we would be working with the client, of course, and and uh making sure that they've got most of them, you know, can hardly spell CMMC. So uh it's gonna be us guiding them to uh to help uh and they don't want to know how to spell CMC to CMMC to see. I can't even say it right. Uh but they you know they don't even want to know how to spell it. Uh so it's gonna be us guiding them, making sure that hey, we've got to have this documentation, we need you to do this, you know, we'll we'll do this part because it's technical or whatever, but you know, uh it's it'll be we'll be guiding that whole process with the client, they'll be heavily involved, of course. Uh, but then you know, as far as the assessment process itself, you know, be working with uh work with uh like Chris or you know, another assessor, and and uh they'll you know again, there's no consulting during the assessment process. Uh so they can't you can't say, Hey, you know, how do we do this? You know, but if I give Chris a document and you know, here's a list of users, and Chris says, Well, you know, there's no names on here, you know. Maybe I have a clue, I gotta go get a document with names or something, but um, but uh, you know, working with the assessor, you're truly it's not an adversarial relationship, just as Chris was talking about. It's not um it's not anything like that. It is uh different than the the other A-word you were talking about, Chris. Uh, I try very hard not to use that and to make sure our clients know that uh that it's different. Um, but uh you know it's not an adversarial relationship, it's gonna be something where you're working together uh to try to make sure they've got all the documentation they need. Um you know, uh the more documentation you can have prepared uh ahead of time, uh the better for the assessor. 
So whatever you can do, you know, uh to make to make life easier for that assessor, uh the better, you know, and and uh because you don't, you know, probably jumping ahead here, but you know, it's kind of kind of like uh when you get pulled over by a cop, you don't want to be a jerk to the cop because they might find a reason to you know write tickets to you. Right. So uh, you know, you want to be nice to the officers, you want to be nice to the assessors, you don't want to be jerks to them. It it all revolves around it is not an adversarial relationship. They're really just trying to do their part to help you get uh your certification. And what I might say is, you know, when you look for an assessor, you want to you want to talk to them and and understand who they are and all that kind of fun stuff. We've we've met some that we you know uh really feel like uh are gonna do a good job and not uh uh nail you to the wall. So uh but uh all goes back to you know just working with them and and realizing it's not an adversarial relationship.

unknown

Yeah.

SPEAKER_07

Yeah. So it's um, you know, I think I don't know if y'all ever watched the movie Dodgeball with Vince Vaughn and she comes there to um do uh do his uh tax audit, sales tax audit or whatever, and she's like, Where's your receipts? And he goes to the closet and has a shoebox of receipts and throws it at her.

SPEAKER_03

Yeah.

SPEAKER_07

Uh you know, I think our goal as implementers is uh to do the opposite of that and you know, to have everything, all the documentation easy put together. Um without you know, no receipts in the shoebox. Um, and because the easier we can make it for the assessor, the easier we make it for the the organization that's trying to get certification, the easier it goes around for everybody else and um and and assessments get done uh quicker and hopefully a little more cost effective for everybody.

SPEAKER_04

Yeah.

SPEAKER_07

Yeah.

SPEAKER_04

That's a great that's a great point. I mean, I I I tell my students all the time, uh, remember assessors are people too.

SPEAKER_07

Let's go like that. Uh and for everyone out there wondering, uh the other A word is not a bad word. Uh but it's auditor, is that right? You guys are yes, yeah. Chris actually said it a while ago. So yeah, yeah.

SPEAKER_04

I I don't mean to make such a big deal of that, okay? I mean, I don't want to get the wrong because because I know a lot of auditors and they're they're fine people. It's just that you know, we we have that impression of you know, like an IRS auditor coming and you know, I see this receipt here, you know, there's a smudge on it. I'm not gonna, you know, that shouldn't count as a write-off. And you're like, what? Yeah. So yeah, so don't don't have that. And and and something, Brooke, you brought up. I I don't know if this is on the agenda, but um, but something you brought up, and I highly recommend to to uh organizations seeking certification is get a coach. All right. Your specialty might be manufacturing, your your specialty might be adhesives, right? I have a client who they know everything about adhesives. I know nothing about it. I mean, I literally barely squeaked by chemistry in college. I think I got a D, okay? So I know nothing about adhesives or chemicals or whatever. They know everything there is to know about that, but they didn't really know anything about CMMC. And so they brought in a coach. And you guys, it sounds like you're very well equipped to have the perspective and help the OSC, you know, coach them up, right? And be there during the assessment. Because sometimes you may need to translate some language between the assessor, whatever they're saying, and you know, whatever, whatever the customer needs. And so I think it's a really important role. And I think that a lot of OSCs underestimate the value of you know, not just having somebody help them prepare, but have them there with you, you know. One of the roles, like early in the in the CAP, they talk about the roles and responsibilities. And one of the roles is a point of contact for the OSC. And they specifically say that person doesn't have to be an employee of the OSC, they could be a contractor, a consultant to come in. And I think it's a very valuable role. 
You're probably undercharging for it, you know.

Brooke

Well, thank you for bringing that up.

SPEAKER_04

No, it is, it's important, right? Because I mean, as an assessor, I don't want to go in and say, uh, can I see a list of your authorized users? And I look and I see a blank stare. I don't want that.

Brooke

Where do I get that from?

SPEAKER_05

Yeah, you know, that's uncomfortable. Why, why put yourself in that situation?

Brooke

Exactly, exactly. And that, you know, that's a lot of our customers uh have realized, you know, along the way that they don't they don't want to know all the details about CMMC uh necessarily, and they don't want to know, you know, they they've got just like you said, they specialize in manufacturing or adhesives or yeah, non-destructive test, non-destructive testing or whatever it might be, you know. Um and uh they they specialize in that and they want help doing this, you know. They don't have a whole team to be able to hire and set aside to to just do this, so um, or hire internally, I should say. So, you know, that's where folks like us come in. We you know, we help them implement, we help them with uh all their documentation and policies and all that kind of fun stuff. And when y'all come along, uh we sit right there with them and help them get everything ready. So absolutely. That's uh most of our clients realize that some of them uh ask later on after we go through all this. They're like, Well, hey, are y'all gonna be there for that? Yes, we will be there, absolutely.

SPEAKER_06

So yeah, good to hear.

SPEAKER_07

I was just talking to um aerospace machine shop out of Montana yesterday, and uh I asked him, you guys working with anybody um for for compliance or IT? And he said no, and I think that might be a bad thing. So I think that might be what you guys are trying to say.

SPEAKER_04

It might be, yeah. Yeah, because especially especially in aerospace, because you know, they're it in if they if the information that they handle, the CUI particular, has an aerospace or military application, it is quite possible that they would need a level three certification, not just a level two certification. So um, I don't know if you guys have looked at at the uh requirements from 800-172 that that relate to to level three. There that's a pretty high bar. I mean, there's I mean, we thought level two was tough. Man, level three's I mean, wow, it's gonna cost some money big time.

Brooke

Yes, it will. It sure will.

SPEAKER_07

Yes, yes, it will. Yeah, um, all right. Well, that's that's actually a great uh way to pivot into the next topic. Um, and I kind of wanted to get into the actual assessment process itself, yeah. Um, and and help everyone kind of understand that at a high level. Um, so Chris, I'm gonna um uh P question U first. Um a lot of our question uh our customers, excuse me, um, are unsure um about what the assessment process like actually looks like. Um you know, uh, and it can kind of be scary to them sometimes to think about. So I was hoping you might be able to walk us through um what businesses should expect um when they're being assessed for CMMC clients.

SPEAKER_04

Sure, absolutely. And and uh Austin, you're you're right, it is a great segue into that. And uh as I mentioned, you know, what to expect from the assessor. Well, the assessor's behavior and you know what they're going to do is ruled by this document called the CMMC assessment process, the CAP. And I can't stress enough, you know, as soon as you can get your hands on the final copy, look at it, understand it, because it is truly the playbook. Now, the uh version of the CAP that we teach in the classes uh is probably you know pretty close to what the final will be, right? So, but I do want to caveat every anything that I tell you about the CAP is based on that draft version. So it is subject to change. But generally speaking, the CAP has four phases, right? So there's phase one, plan and prepare the assessment, phase two, conduct the assessment, phase three, report recommended assessment results, and then phase four is an optional phase, it's called close-out POA&Ms and assessment. So uh I I I don't want to get too deep in the weeds around what a POA&M is and all that all that stuff, but it's just an optional phase, right? Let's we'll leave it at that for now. The main thing though is is to understand that phase one, that plan and prepare the assessment, is the majority of what's in the CAP. Okay. I mean, it's the majority of pages, it's it has the most amount of detail. And the idea there is to not catch the OSC off guard, right? To make sure that by the by the time you finish planning and preparing for the assessment, there is like a 99% chance that the OSC is going to pass the assessment and everything is going to be good, right? So it's it's kind of think of it as like a little toe in the water, you know, to make sure the temp's okay before you go diving in. And I really, I really like how they did this. 
I mean, I, you know, there's I I kid a lot, and I, you know, I'm kind of sarcastic about you know government bureaucracies and all that, but but honestly, the DOD and the Cyber AB did a great job in designing the CAP. Okay. Because that plan and prepare assessment, right? It walks through how an OSC is supposed to, you know, request an assessment. It walks through establishing those roles and responsibilities that I mentioned before. Um it uh as far as the like the point of contact and all that kind of stuff. It talks about ascertaining the assessment conditions, right? So walks into like the scoping and the framing and and all that kind of stuff, right? Trying to figure out it gives the assessor a great idea of what is your environment, right? What are the technologies you've implemented, what's the scope and all that stuff, and then formalizing that pre-assessment planning process and then verifying readiness. So um, I don't know if you guys listen to other podcasts, but um, I I don't want it's probably not appropriate to mention the the name of another podcast, but there's one out there. Uh, it has a number at the end of it. But um anyway, they talk they talked about you know what's gonna happen if an OSC starts going through this planning process and it's discovered that they're just not ready. You know, do they have to continue and go on with the rest of the assessment and pay for the whole assessment? Well, no, they don't. The CAP kind of considers that and says, if if you're not ready at the end of this phase, stop and either uh replan the assessment, reschedule the assessment, just you know, if there's just a scheduling issue, or cancel the assessment altogether. And maybe the OSC needs to work with a different, you know, uh C3PAO, a CMMC third-party assessment organization. God, I love the acronyms, right? Um, and so they sort of came up with the term of a false start, right? 
So you didn't you didn't fail your assessment, you just had a little false start, right? And so it's not quite as daunting. And now, granted, that planning process can take uh, you know, a week or two to get things worked out, but at least you haven't paid, you know, for an entire assessment and then just throw away that money. You know, hopefully you're you're paying, you know, just maybe a little upfront planning and scoping fee or something um, you know, for the phase one, right? So um, like I said, I that that phase is so important to allow an OSC the opportunity to kind of figure out are are we actually ready? Right now, the other the other thing that um that we offer as a um as a candidate C3PAO right now, uh and actually I've been offering it for quite some time, is a mock assessment, right? I come in and we'll do a pretend assessment. Now, and as long as I don't give you advice, as long as I don't turn it into a consulting engagement and give you recommendations, I can run the assessment just like a real one, but it's not real. And you you get a report that says, you know, if this were a real assessment, here's what your score would have been. Here are the things you would have passed, here are the things you would have failed. And as long as I don't say anything beyond that, then it doesn't take me out of qualification to perform your actual certification assessment. And uh the Cyber AB was very clear about that as far as where is that line. And so, you know, that's a another another opportunity, you know, for certain clients that that want to do that. They want to have like a a pretend, a simulated assessment.

Brooke

I love that. That's a really good point, Chris, about the mock assessment. I hadn't uh really thought about it that way before. Uh, you know, thought about you know having some consulting beforehand and then going through an assessment. Uh but having a mock assessment would would allow you to have the same uh assessor come back, a same C3PAO come back and and uh perform that uh assessment, uh because you've not provided any consulting very much. Right, yeah. I mean it's very good point.

SPEAKER_04

Yeah, as long as everybody understands that, you know what it what is it the the stockbroker says, you know, past performance is not an indicator of future performance or something like that. There's no because you know they're they're very clear, no one can guarantee you that you're going to pass an assessment, right? That even the same person performing a mock assessment, it is against the code of professional conduct to for them to turn around and guarantee that an organization will pass six months later because things could change.

Brooke

That comes up more than once in that code of professional conduct, doesn't it?

SPEAKER_04

Yes, yes, it does. Yeah, that that's the one thing that I don't imagine will change, right? Um, which by the way is another document they're working on finalizing is the code of professional conduct.

SPEAKER_01

Yep, absolutely.

SPEAKER_07

Yeah, so that those are two great gold nuggets. I just love um because I mean for a lot of our customers, I mean, these are family businesses they've worked their life on, it's their baby, it it feeds, you know, a lot of people in the community, employees, their family. And we at the end of the day, we're playing a high-stakes game, you know. Um, and and well, for a lot of the customers, I mean, if you're if you've got some defense work, it's probably a large portion percentage of your revenue. Um, and if if you fail an assessment and you know you're at some point you stop getting that that revenue coming in, it it could really hurt, it could put you out of business. And yeah, so you're really taking the stakes from really high and you're lowering them if you if you one, you have the false start provision, you know, that you can if if you start an assessment, you can get out if you're maybe not ready. And two, if you do a mock assessment um uh before before your actual assessment, then you're you're just increasing the likelihood that you're gonna pass and and you're you're lowering the mistakes. So I really like that.

SPEAKER_04

Yeah, absolutely. And and Austin, it it's interesting you brought that up of you know, what are the consequences of failing the assessment, right? Um, yeah, your your contracts go away, right? You can't you can't really bid on any contracts anymore. But what I think is really interesting, right, is there's another consequence. And I don't know if you guys read the news yesterday, but uh uh Penn State actually uh settled their false claims act case. Um, they settled for a little over $2 million. Um, and uh my alma mater, Georgia Tech, is actually in the midst of a false claims suit that uh was brought by the Department of Justice. And so not only if you fail an assessment, not only do you lose the contracts, but it's possible if you had submitted an SPRS score before, right? So I'm I'm assuming your customers are probably familiar with SPRS, right? The Spurs. If you had submitted a score before that said 110, like you're perfect, and then you fail an assessment, what does that mean? Was that score a false claims? A false claim? And could the DOJ come after you and decide to to you know sue you for uh for breach uh or for a violation of the false claims act, right? Which means they can claim triple the amount of the contracts that you have gotten in the past, plus I don't remember what it is, like 50 grand or something, whatever whatever $2,000 uh uh was in the during the Civil War adjusted by inflation. So who knows how much money that is now, right? Yeah. Um, yeah, and and I mean it's serious because honestly, as a small business person, the thing that scares me the most out of all the different risks that I that I you know accept and try to mitigate, it's legal risk. Because I just don't know, you know. I mean, you can you can literally be sued out of business.

Brooke

You can, and that false claims act is uh that's the real deal. Um yeah, what I can and and you don't want to mess with it because you don't want to test it, you know. It's yeah, just stay way away from that, and uh, but what I can say from what I've read about at least the Georgia Tech one, it seemed like that one was pretty egregious, you know. Uh yeah, they're they're talking about you're like, really? You did that?

SPEAKER_04

Yeah, yeah, yeah. They're they're they're talking like 30, 30, 50 million, something like that. Um yeah, yeah, they haven't settled yet. So I I've been watching that really closely. In fact, I'm giving a presentation at a at a conference um on Friday, this coming Friday, uh at the Converge Cybersecurity Conference. And uh, we're gonna talk about that case exclusively um dur during the talk because it it's a big deal. It really is.

Brooke

It is a big deal. Uh and like I said, the the stuff that they did, uh not not necessarily just the judgment, but the stuff that Georgia Tech is as at least alleged to have done, right? Uh was pretty out there, you know. They just completely didn't do it, you know.

SPEAKER_04

Well, yeah, and and the scary part is how many other universities are like doing the same thing?

Brooke

How many universities, how many, and and that's what the DOD is worried about, is people just go check, check, check, check, check, check. Yep, you know, and uh people are like, Well, why are why are they doing all this? Why do we have to well a bunch of people just go check the boxes? Yeah, and they don't actually do it, you know. And and our clients are, you know, I know they're uh our clients are they all we hear a lot of them complain about the fact that other people don't do this, you know, they don't go through the process and they just check the boxes, you know. They're like, we're we're spending all this money, we're doing all that, spending all this time, all this effort, you know, and and uh Joe Blow down the street, you know, we don't think they're doing it because there's there's no way they can be doing that, you know.

SPEAKER_04

Yep. Well, once once once they have some evidence, there's this thing called whistleblower, whistleblower protection, and uh yeah, I I I see that's what I anticipate happening, right? Because once you get the lawyers involved, right, it all it all changes, right? It's all fun and games until the lawyers get involved. And there are law firms out there that are advertising, you know, is your competitor, you know, uh submitting cost false claims. Do you have evidence of that? Come talk to us, right? Because well, because the lawyer gets a percentage. I mean, they're they take these cases on contingency, right? And so, you know, the same thing happened when they passed the um California Consumer Privacy Act, the CCPA. Um that was back what seven, eight years ago now. Um, when they passed that, all of a sudden, if you went out to California, you would see these ads, these billboards, right? Is is somebody misusing your information, call us, you know. 1-800, we'll sue them, right? Um, because there was money to be made. And you know, welcome to America.

SPEAKER_07

Okay. Oh man. Um so Chris, um, thank you for all that. Uh one of the other questions that we get um is how long would an assessment take? Um Yeah.

SPEAKER_04

Yeah, I love that. Um, I I used to uh I used to do forensics and someone would ask me, well, how long is it gonna take you to find uh you know, find the the smoking gun that we need? And I would say, well, I would say two things, uh, because I I'm a fisherman, so I would say, well, how long does it take to catch a fish? Right? Oh no, you know, or how long is a piece of string? Well, I don't know, right? Um, yeah, uh and and not to be glib, but honestly, the answer is that depends. It's it is the scoping of the assessment, right? Um, I can give you kind of a minimum, right? Uh my thought is that the that the assessment itself, right, including the planning phase, um, well, uh and and including the reporting and everything, I think a good estimate is probably five to six weeks is a is a minimum uh duration of time. Okay. Um the the the level of effort that the uh assessment organization is gonna have to put forth is probably not you know six times not 240 hours, okay. But because there's a back and forth, because there's you know, I need this piece of documentation, I'm waiting, right? I need to schedule an interview with this person, I'm waiting, right? There's there is gonna be a certain amount of waiting. So I think five to six weeks is probably a minimum, you know. If you're a small contractor and you know, you you only use an enclave, right? Now I know you guys work with a lot of manufacturers, so that time frame may go up a little bit because there's going to be some on-premise, as we in the IT folks say, you know, on site, we're gonna have to come to your location. So there's gonna have to be logistics involved in that and scheduling and all that stuff. So that may extend it out a little bit, right? But from a cost perspective, it doesn't really impact it that much. It's just more duration.

SPEAKER_07

Awesome. And so I assume that um say you have everything put together and um and organized, that might make that go quicker.

SPEAKER_04

Yeah, absolutely. Yeah, absolutely. I mean, the more the more documentation you have and the better organized your documentation is, the more the assessor can can mark off and say, Yeah, that it really appears that they're performing this practice. I don't need to ask them any questions. So we save the interview, or I don't need to see it firsthand. We save that portion of either the screen sharing session or the on-site. Now, um, I do want to want to kind of caveat that a little bit with the current version of the CAP, the draft version, has 15 assessment objectives that require an assessor to go on site and physically view them. So if you are processing, storing or transmitting CUI on site, like in a manufacturing area, expect the assessor to come and at a minimum check those 15 things because and they don't really have a choice, right? The assessor has to do that.

SPEAKER_07

Absolutely. I love that. Um, Brooke, I was gonna bring bring up um how we help do that, but I'm actually gonna do that to you because that's uh my job as a customer in this uh in this podcast. So how might we um help businesses um through this assessment process to make sure that they're fully prepared for someone like Chris? So whenever he comes, step through the door and check those 15 things and and and verify everything.

Brooke

Sure. Uh yeah, so it's you know, it goes back to some of the stuff we were talking about earlier as well. Uh, you know, not only do you need to make sure that you know all the controls are implemented and working, right? Uh, but you need to make sure you have that everything is documented. You have your list, you have your policies, your you have all that stuff uh well organized, like Chris said. Um, you know, all your proof, everything, everything you need, uh, you need to have that all together. Uh, and don't uh we use a GRC platform to make sure that uh we have all our documentation in one spot. Uh I've heard from a couple of different things from different assessors, whether you export it out of there or give the assessor access to that platform. You know, maybe Chris might have a uh you know, have input on that. But um, you know, really the point is uh that you have it all together in one spot, organized, easily attainable. Uh you can get it to the assessor easily, you know, uh all that. And that if if you can do that, that'll make the whole process go a whole lot better. Um, you know, and it's and of course that just goes back to preparation, preparation, preparation, preparation. Uh, and I uh Chris, one of the things, uh questions I have is I know there's an a you know a planning portion you were talking about, because really before you can come in uh and the CAP spells it out, before you can even come to an agreement for the assessment for the client, you've got you put in a ton of hours before you can even get there. Um, so I'm I'm sure some of the um I understand the you know the documents you'd have to you know uh trade back and forth, well not trade back and forth, but hand over. But uh I guess at that point in the planning portion that would come out that you have everything organized in the GRC platform, for instance, and all that kind of fun stuff.

SPEAKER_04

Yeah, absolutely. I mean, I uh you know, they one of the steps in uh in the planning process, and and by the way, I mean I I I outlined like six steps within that phase, but but they're actually like I don't know, if you count the substeps and everything, there's like 30 of them. Okay, so it really gets down very granular, but one of them uh well actually the last substep of the planning phase is to execute the C3PAO to OSC contractual agreement. So literally they outline, okay, now propose a price and have the OSC consider the price and potentially sign off for the rest of the assessment. Right. So um, so really and truly, when you reach out to a C3PAO, if they just give you a price for the entire assessment, I would honestly I would kind of question that. I would say, how how is it you can and and even if they send you this, you know, really long detailed scoping survey, which a lot of them have, and and I have something like that myself, um, just based on a five-page survey that you answered some questions, how could they really tell you um, you know, with with confidence what they're gonna charge you for the entire assessment, not just the planning phase, right? Now, you know, I mean, every business says it different. If they're if they're willing to take that risk, then good for them. Um, you know, but honestly, I I want to know, I want to know as much information as I can. And if if I have a document, an official document of a CMMC assessment process that says I'm not supposed to give you a price until the end of phase one, then that sounds good to me. I'll I'll wait as long as I can. Because even you know, if you say you've got you know 200 policies, okay, well, how long are those policies? How many pages are they, right? And how well are they organized? Are you using a GRC platform that you know that makes it really easy for me to find stuff? Or is it just, you know, is it a box full of receipts, right, that you're dumping on my desk, right?
I mean, it's all about time, right? It's all about you know the time and the opportunity cost of the assessor. And um, and really, you know, what you said, Brooke, it definitely resonates with me, man. I mean, I, you know, if you're organized and I can rip through stuff and and I know exactly where to look in each individual document, then yeah, I that's gonna affect the price. Absolutely.

SPEAKER_07

So that's actually happy that you guys um got there on the price because that was the next kind of category is the top customer concerns. I think you guys have covered a lot of them, failing assessment and whatnot. But um one I'd like to uh I guess maybe have a little more structured um uh talk on is what obviously we can't answer what it's gonna cost, right? But what what makes up the costs in an assessment um from Chris your angle of being an assessor and doing the assessment in Brooke from uh your angle of um you know having to be there um for you know invitation and and therefore the assessment. So I'll let you hit that first, Chris, and then Brooke.

SPEAKER_04

Yeah, so um I get this question all the time, right? How much is this gonna cost? And and you know, I ask that question a lot. Okay, someone tries to sell me something, I'm like, okay, well, how much does it cost? You want to know? Because if I can't afford it, then I need to quit thinking about it, right? Because all that's gonna do is cause me pain, you know.

SPEAKER_05

Oh, I want that, but it's Too expensive. Oh, but I still want it. Right. Somebody made me want it. Right. So I don't want to want it unless I can afford it. Right.

SPEAKER_04

And and also, it's one of the first things that I tell you know clients when they come to me and say, I've heard about the CMMC thing. Should I do it? And I'm like, well, you know, that is the question. Should you do it at all? Right? Look at your business. What percentage of your business would go away if you just didn't do CMMC, if you didn't do DOD? And compare that to a ballpark estimate of what it's going to cost to become compliant, which includes getting an assessment. But honestly, getting an assessment is really small the small part of that equation, right? Getting compliant and maintaining compliance is the bulk of the expense. And compare those two numbers. And if it doesn't make sense, I honestly had a client um reach out in 2020 when this whole thing first started, and they wanted a mock assessment. I tried to talk them into a consulting engagement, but they wouldn't go for it. They wanted a mock assessment. I'm like, okay, fine. I'll give you a mock assessment. Just realize I can't give you advice. We went through the mock assessment. They they used the results of the mock assessment to calculate what it would cost them to become compliant, and they decided to jump out of the game. They literally said it's just not worth it. You know, um, we just can't see how the value of the contracts is going to compensate us for the cost involved in becoming compliant. Now, remember, that was that was version one of the model. So, you know, maybe they need to adjust it a little bit, but still, right? It's valid. And so um, all that to say that uh I've kind of come up with some general ballpark ideas around what an assessment will cost, right? Um, you know, because I hate it when somebody says, How much is that gonna cost? And I can't give them a straight answer, right? So, much like the how long is it gonna take, right? I've sort of honed it down uh mentally into well, what is the minimum? Okay, because you know, could you conceivably get it for this cheap? 
And um there's there's one question right now as far as FedRAMP equivalency. And I don't want to dig into too much of the details, but depending on how that shakes out, and it's it's really not it's really not quite clear in the rule, um, it's gonna need some interpretation from the Cyber AB and the DOD. But depending on how that shakes out, I think that's gonna make a difference of probably $20,000. All right. So if it turns out that equivalency is what we thought it was previously, um, and you know it's sort of a get out of jail free card kind of situation, you could probably get an assessment for $40,000. All right, that's possible. Now remember, probably not for a manufacturer, sad to say, because you've got on-premise stuff. I'm talking about a total cloud enclave environment, $40,000. If the FedRAMP equivalency goes the other way, which it looks fairly likely, you're looking at probably 60 grand for a small assessment, right? Um, and I know that sounds like a lot of money, but I think Brooke will probably attest to say, uh, yeah, but be but getting compliant and maintaining compliant is gonna cost at least two to three times that, right? If not even more, right?

Brooke

Implementing over time, absolutely.

SPEAKER_04

Yeah, yeah. Implementing these solutions are not cheap.

Brooke

So uh one question for you, real quick, Chris. When uh if somebody hires you to come do a mock assessment for them, uh I mean, you've I would imagine, you know, besides submitting everything, uh, you know, that would be uh pretty much uh it'd be very close. So yeah, would uh would you consider if I I've got a I've gotta help my clients budget for these things, right? Yep. And you've got to consider this much, you've got to plan for this much. Um, you know, would the mock assessment be uh about the same?

SPEAKER_04

Yeah, the the mock assessment is a little bit less because of the the lack of having to report. And believe it or not, I mean, I thought I was like, okay, so we have to upload the report to this website called eMASS, right? Um, you know, that takes five minutes. I've uploaded things to to websites before. It doesn't take much time, but apparently it does.

SPEAKER_00

Of course.

SPEAKER_04

Because because that eMASS platform is, I think it's I think it's administered by the Navy or something. And apparently it's a big deal. It takes a long time, like you know, like 20 or 30 hours to to make sure that everything's right, and you know, it uses JSON and you have to edit the files and blah, blah, blah. And I'm like, okay, well, then I guess we gotta account for that. So, you know, that's that's a pretty good bit of time. So um I've tried to make mock assessments as as you know affordable as possible. The problem is that um that that following the CAP, okay, that the idea is we make it as real as as possible. And the problem is when you get into that scoping exercise, when I start asking questions about the scope, companies very quickly realize that they don't understand scoping, right? And so we end up with a false start and have to start over. And I have to send them back to okay, well, who's your consultant? Because they need to work with you on scoping, because you you've not created an appropriate scoping package, right? And um, there was a uh a speaker at I think it was the CIC conference out in San Diego um this past year. And I'm trying, I'm I'm thinking it was Amy Williams, but it may have been somebody else. Apologies uh if I if I didn't remember the right person, but but they expressed it really well. They said the scoping package is a story. You're telling the assessor a story. So think of it as that. Think of it like a marketing package that you would hand a potential client to say, here's our scope. Isn't our scope great? It's solid. You can depend on our scope, right? It's reliable, it's professional. We've we've done it right. That's how you need to approach your scope package because the assessor is not supposed to help you develop the scope. They're very clear. Assessor can't help you develop your scope. They are to approve it or not approve it, and that's it. That's their only choices.
So you want to make sure you sell that scoping package hard. Because otherwise, they can't go forward.

Brooke

Yeah, yeah, that's a very good point. I uh I must have missed that particularly, you know, uh, because that's a that's a very good way to put it.

SPEAKER_04

I like yeah, yeah. It was a great way to put it. It's a it's a story that you're telling, and and you're trying to sell that package to the assessor to convince them that you've done the appropriate scoping and you know what you're doing, and that that the scope's not going to change, you know. They're not the assessor's not gonna stumble across, they're not gonna come on site and stumble across some server and say, hey, wait a minute, this wasn't on the list of the scope. Is this thing in scope or not? Because that's you know, that that that'll kill an assessment right away.

SPEAKER_01

Right. Absolutely.

SPEAKER_07

Um from the implementer's perspective, what uh what costs are there for an assessment?

Brooke

Well, um, as far as implement uh from an implementer's side, uh, our consulting uh sort of side, uh, we're gonna be there through the process, through uh the preparation. There's gonna be you can get all sorts of documents prepared and and uploaded into your uh GRC platform of choice. And by the way, we have a favorite one, but we'll you know, ask me later and I'll tell you. Um at least for CMMC specifically, which probably tells you what it is. But uh, we have a we have a favorite GRC platform because it just flat works. Um and I've heard, I think I've I think you've said favorable things about it too, Chris. But in any case, uh, you know, you can have everything uploaded, but you know, some of the things you need to have, send me your proof, you know, and that can't be generated six months ahead of time necessarily. Uh so the proof you have uh that has to be recent. Uh, you know, you if you're you're missing three employees off your list, you know, oh well, those are new employees. Well, that that's probably a problem, you know. So some of those things can't be done. So though you can have all the preparation done, you need to finish up uh with your proof, make sure you've dotted all your i's, crossed all your t's, um all that. So that that's gonna be a little bit of a cost there for you. The uh the other thing is we we sit down and we're through we're there through the whole process. We plan to be there through the whole process. Uh, and I know, like I said, most of our clients don't even want to know how to spell CMMC. So uh they they want us there through the whole process. Yeah. Um that's a value. We just plan on that. So it'll be it's for for us on the uh IT provider side um and cybersecurity side. We uh that's out of normal scope, so that's a project. You know, anything that's a project is out of scope, you know, new new servers, new location, you know, whatever it is. Those are those are uh those are projects.
So this would be another project basically for our client. And so it'll be us being there the whole time, uh working with the assessor, uh, getting that ready, and and it'll be somewhere close to the same amount of hours that the uh you know that an assessor spends on this. Uh so we've been we've been telling them it'll be close to the uh assessment, close to the assessment cost, is what we've been telling our clients.

SPEAKER_04

Interesting. But that and and that's just your cost. That's not the cost of them implementing additional solutions, like if they needed MFA, if they needed multi-factor authentication, that would be over and above your cost, right?

Brooke

Correct. Yeah, and that's that is all those already implemented.

SPEAKER_01

Right.

Brooke

Yeah, see that's us being there, and and generally we're the ones providing all uh working with them on all that, so we make sure all that's done ahead of time, and they've already they've already um uh absorbed that cost or uh spent, you know, they've already they already meet that bar. So yes, this is above and beyond uh the implementation itself.

SPEAKER_07

So for us, it's mostly going to be our time spent in meetings and and uh you know being there with the assessor or um in any preparation that needs to happen.

Brooke

Yeah, generating the documents, uh getting access to you know the GRC platform we're exporting all of it, whatever it may be, uh getting the documents to uh to the assessor. Uh there's I have no doubt that you're you know that you uh that you give everything to the assessor, and the assessor's like, well, we still need one, two, three, and a, b, and c. You know, and so then you have to go, you know, find that. And so um, you know, that's as as much as you can prepare, there's always going to be those other things. But yes, that's that's basically what it's gonna be sitting there with the uh being with the assessors, being available to them, working with them, generating all that content.

SPEAKER_07

Uh the next topic I had, which I think we can probably skip because it was um how to approach an assessor. And from what I hear you guys clearly song, it's nice. It's not an adversarial relationship. Uh yeah.

SPEAKER_05

With your palms up, you know.

SPEAKER_07

Um go check the CAP out um and maybe read them on that so you know what they might be asking for uh when they come knocking on the door. Um and and most of all, have documentation and be organized.

SPEAKER_04

Yeah. And and and I I do want to mention something that that I mentioned quite often in in the courses is um if somebody asks you if you're wearing a watch, don't tell them what time it is. All right.

Brooke

Thank you for bringing that up. I I meant to mention that.

SPEAKER_04

Yeah, listen listen to the question, take a breath, pause, think about what they are asking me for, and then answer what you think they're asking you for. Right? And don't answer anymore, don't keep going. All right, there's no need to because honestly, as an assessor, I just want you to answer my question anyway. I don't care what other stuff, I really don't, and you're just wasting my time and your time, and you might be getting yourself in trouble.

Brooke

That's the important part there.

SPEAKER_04

Yeah. I mean, if if I walk up to the building and you know, I walk around the building and uh maybe I even check the doors to make sure they're all locked, right? And I come around the front and I say, okay, you know, let's talk about physical security. And you and I say, you know, I noticed there were no doors propped open. That's awesome. So, you know, is that a policy? Don't tell me that, yeah, it's a policy, but you know, yesterday we ran through the building and reminded everybody because employees are always propping the doors open.

SPEAKER_05

I'm like, stop, stop, I don't need, you know.

SPEAKER_03

La la la la. Yeah, yeah. It's like, yeah, I got this box of receipts, but the the real receipts are in the other closet. I don't say that.

SPEAKER_07

Your best foot forward.

SPEAKER_04

Yeah, yeah. Just answer the question that was asked. You know, and and also when the assessor is taking notes, right? I notice this all the time, not just in CMMC, but otherwise. Uh, when when I'm taking notes, I I don't continue talking. So it becomes a little bit of an uncomfortable silence. Coach, you know, and and this is where the coaching comes into play. When you do a mock assessment, that happens, right? And so as the person on the other side of the table, be get comfortable with that silence. If you know, if you need something to do, you know, play play with a phone or you know, play with a thumb drive, or you know, look at your phone or something. You know, go go go look at Facebook or something. Don't feel the need to fill the silence because it's probably just gonna get you in trouble. Yeah, absolutely.

Brooke

And even if it doesn't get you in trouble, it can lead you some down some rabbit holes that you didn't really need to go down, you know.

SPEAKER_04

Yeah, exactly. Yeah, yeah. Let let the assessor take their notes, you know, just get comfortable with that silence. It it happens, right?

Brooke

You know, it Austin mentioned the CAP a minute ago, and I might just uh you kind of you've uh you pretty much said it, but it's it's very it's a very prescriptive model, you know. Yeah, uh it outlines it very well. And I uh, you know, you're like, why do they have to write everything down and really tell you exact, you know, here's the point where you have to, you know, uh, you know, give them a quote and uh and an agreement to sign, you know, and uh, you know, why does it have to be there? Well, the the good thing is with all this is that one of the things I think they're trying to do is is make sure that all the assessments are the same and there's not a lot of yeah wiggle room to you know interpret and and wonder if the assessments are really going as they're supposed to be going. So yeah. Um they're very prescriptive. I think I think that's a good thing. Um, I think it'll help out the industry a whole lot.

SPEAKER_04

So yeah, absolutely. Well, it it's I think it speaks to what Austin was talking about when when when he he mentioned uh you know, you got a contractor who looks at Joe down the street who's not compliant and and you know outbidding them because their prices are lower. Well, you know, we sort of we're we're concerned with the same thing with assessment companies, right? We don't we don't want these assess these fly by night assessment companies to swoop in and you know sell assessments for $19.99 when they don't accomplish the objective of actually validating that the contractor is doing what they're supposed to be doing, right? Right. We we want that that level playing field.

SPEAKER_07

It's a good thing.

SPEAKER_04

Yeah, absolutely.

SPEAKER_07

Only way to make sure competition is productive competition is that everyone's on the same. Yeah, so awesome. So uh I think we're kind of closing out um here, and I just wanted to end um with some actionable actionable tips for uh our listeners. So um that organization seeking certification, um Chris and then Brooke, what is uh one or two actionable steps today they can they can take to prepare for their assessment?

SPEAKER_04

Yeah, you um I mean uh you you probably uh you probably already heard it if you've been listening to this podcast. Uh read the CAP. I mean, you can read the draft one, just realize that it might change. So, you know, I mean there is a draft out there on the cyberab.org website. Um if you have the time and inclination, absolutely feel free to go out to the DOD, uh, their CIO um site. I believe it's dodcio.defense.gov, if I'm not mistaken. Um, it has a lot of information out there. It's got all the assessment guides and scoping guides and all that stuff. If if you have the time. If you don't have the time, get in touch with someone who does. Okay. Just anybody. Okay. Go out to the Cyber AB marketplace. You can find registered practitioners, you can find CMMC certified professionals, CMMC certified assessors, you can find C3PAOs, you know, provisional instructors like myself. Contact information is out there on the on the marketplace. Use that as your source of finding help, right? Because it will be worth it. Right. If you don't have the time, I understand that it's all about opportunity cost, but somebody's gonna have to spend the time. So you're either gonna have to spend it yourself or pay for somebody else to spend it.

Brooke

Uh, you know, that's a very good point. It's uh there is a I just had a conversation with somebody yesterday. You know, they were asking, you know what it would take, and should they hire somebody to come help? And so well, you're gonna if you're if you're not already up to speed, you've got a lot of reading, a lot of studying, a lot of training to do, uh, and a lot of understanding how it's gonna be, how the assessments are gonna go. But there's a lot there to understand and do. And so if you don't want to, don't want to or not able to spend the time to do that, then it's better to go hire somebody to come help you because it's gonna cost you either way. It's gonna cost you time with your own time, which is which is money, uh, or it's gonna cost you money for somebody else's time. So yeah. Um so yeah, that's that's very important. Um, you know, and I I'll go back to uh I feel like a broken record. I've said this during this uh podcast, and I've said it in some of our other ones, but really it's preparation, you know. Uh not just what Chris said uh, you know, about spending the time to learn and do it or getting somebody else, but it's preparation. You've got to you've got to be prepared. You can't just say, you know, not be either not be there or posture there and then say, hey, I want to be certified, you know, in in uh March, you know, probably not gonna happen, you know. Uh so uh it's preparation. You've got to you've got to implement everything, make sure you're there, you've gotta, you know, uh get all your ducks in a row. I mean, you've you've got to be prepared for this, and you've got to be prepared for an assessor to come along and assess. I mean, there's there's preparation uh and implementation for all that, and then there's preparation for the assessments. Uh, I mean, there's there's a lot of preparation. So that's a it's an old boy scout rule. Be prepared, right?

SPEAKER_07

Awesome. So read the CAP and be prepared.

SPEAKER_01

There you go.

SPEAKER_07

Awesome. Thank you both for your time. Um, Chris, if we could give you a shout out, um I realize we didn't I don't think we mentioned uh the business you run and everything earlier, which you probably should have. So if you could now, um, you know, share about your business, where people can find you, um that sure.

SPEAKER_04

So uh for the most part, if you go out on the internet, I mean literally on the internet, LinkedIn, Twitter, wherever you are, and just shout out CG Silvers, right? Um, then you'll probably get me, right? Um, just it, you know, for full disclosure, my full name is Christopher Guard Silvers, like G-U-A-R-D. I know, weird. I'm in security. And so uh, so 20 some odd years ago, I bought the domain cgsilvers.com, and pretty much, you know, on all the social medias, I'm CG Silvers, right? So, yeah, I have a website, cgsilvers.com. Um, in addition to CMMC, just really quickly, uh, we also do penetration testing of all types, wireless, web, you know, network, all that stuff. We specialize in social engineering as well, like phishing and voice phishing and and physical, you know, people hire me to break into banks and stuff like that. Um, we do a little bit of incident response, not emergency, but we do like tabletop exercises, things like that. And then we have an education uh offering as well. Uh, we use uh team-based competitive learning, um, which I'm really into, very passionate about. So uh so, like I say, in addition to CMMC, we do those things and we we do other compliance frameworks as well, like HIPAA and PCI and things like that.

SPEAKER_07

Awesome. Thank you, Chris. So go uh check Chris out if you're needing a good assessor or um anyone penetration test or break in a bank for you, anything like that. So make sure it's a reason high.

SPEAKER_04

Yeah, although although I I will not break into your girlfriend's Facebook account, okay? Please, no more requests for that.

SPEAKER_07

Good enough. Uh well, thank you both, Chris, Brooke, um, for all your fantastic insights. Um, hope this conversation gives our listeners a better understanding of what to expect from a CMMC assessment and how to prepare for it. Um as always, if you need help with implementation and have questions, feel free to reach out to our team here at Justice IT. Um until next time, uh we'll see you then. But eat your business and secure and comply, guys.