In this thought-provoking episode of the CMMC Compliance Guide Podcast, Brooke and Austin Justice tackle a question that’s top of mind for many small and medium-sized businesses in the defense supply chain: Is CMMC a necessary defense in a digital war, or an unreasonable burden on SMBs?
Key Discussion Points:
- The sustainability of CMMC for SMBs: Is it too complex and costly?
- The DoD’s perspective on cybersecurity as a digital war against threats like IP theft.
- Strategies for SMBs to balance compliance costs with staying in defense contracts.
- Practical steps for SMBs to start their compliance journey today.
Main Discussion
Austin: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. All right, so today's episode is a little bit of a soapbox for me, so I apologize to everyone. Great. Often on a soapbox. Yeah. And sorry to drag you into this. So I was on a call yesterday, and I get this a lot. I talk to a lot of our customers, a lot of our prospective customers, yada yada, and what we hear a lot is that the CMMC ask, especially for the SMBs, is unreasonable, and things like "it's just gonna collapse in on itself" and "there's no way this is gonna happen." So either variations of "I'm just gonna wait" or "it's not gonna happen, so I'm just gonna act as if it just implodes." Right. Which I get. I mean, it's a fair criticism.
Brooke: It is, and I've heard that from quite a few people too.
Austin: Right. So it's those types of things. Yeah, absolutely. And it is a large ask. So that is what today's episode is about: is the CMMC mandate a digital war, not on SMBs, but in fighting back against those that are stealing our nation's war intellectual property? Although some SMBs might think it's a war on them, but that is good clarification. Thank you. Might have heard that from some of them. We might have. Right. So is the CMMC mandate a digital war, or is it an unreasonable ask for SMBs in the DoD supply chain? That is today's episode. The first thing that we're gonna hit on, I'm just gonna take, because I'm still blabbering along. Yes, you are, but go right ahead. It is my soapbox, after all. Right. Yeah. Brooke, from a technical standpoint, do you think the current CMMC framework is realistic for SMBs to implement? Or are there some adjustments that could make it more achievable? Well, that's a good question.
The Broader Perspective
Brooke: So is it achievable? Yes, it is. Is it expensive? Yes, it is. They have made some really good progress in the final rule, the 32 CFR final rule, on some things that we were really worried about: the way they treated, the blanket statements and everything with ESPs, external service providers, which included us as a managed service provider, an IT provider, or a registered practitioner organization. Anyway, it affected us in a big way. And although we're ready for it, it also affected the services we use, and so it effectively shrunk the marketplace down to only a few enterprise providers, which, as everyone knows, for SMBs enterprise didn't really fit well because it's a high license count and expensive. So that's just the one thing. But there are several things in the 32 CFR final rule where they've made some exceptions, made some things easier to work with, made some carve-outs, I can't think of the right word, but they've made it easier to work with and understandable. They've not given a lot of ground as far as making sure that you do meet all those controls, but they've given us something to work with. For instance, the whole FIPS encryption thing. If you've got a piece of machinery, or a computer that's tied to a piece of machinery, that has to use CUI because it makes parts, whether it's connected to the network or not, and if it's not connected to the network, you have to use a USB, for instance, to do the whole sneakernet thing. Anyway, they've made some exceptions with enduring exceptions and operational POA&Ms, stuff like that. But to not stay too long on my soapbox, you asked the question, is it overbearing, basically?
And it is expensive, I'm not gonna lie. It is hard and tough, that's true, but it is definitely doable. What I will say is, like a lot of things, it doesn't scale well for the really small shops. So for like five people, ten people in a manufacturing shop, for instance, it's gonna be, however you want to phrase it, more expensive per capita, more expensive per dollar of revenue for them than it is for a large organization. But it is doable. You just have to be able to budget for it. They know that this is gonna cost money. I know there are a lot of people out there that do work not based on actual contracts from the government, but they do stuff as a sub to a prime contractor, and they get POs; they don't really have an actual contract, you know, a one-year contract with four option years. They don't get that. And so that kind of work, I have no doubt, will change, especially when everybody has to be certified. The people that have been faking it and checking boxes off aren't gonna be able to do that. And those are the people that are able to offer the services at lower cost, because they're not doing everything they should be. So hang in there. It'll work out, it'll get there. So it's tough, but it can be done. There's the bottom line. I guess I could have just said that to begin with and been done with it, but there's my part.
Austin: Yeah, be quiet. That's my soapbox on ears. No, I'm kidding. Yeah, that's the best way to sum it up. It's tough, but it can be done. Yes. So that, I think, kind of segues into what my actual soapbox is: it's tough, but it can be done, and the government knows that. Right. And they know that they're asking you to step up the game. And if you view it like me, they're fine with some collateral damage. And that may be just like the... You're not gonna say that. Yeah. Well, I'm saying it. Allegedly, I'm saying it. So here's why I'm saying that. I'm not trying to be salacious or anything else, but my perspective is that the government, the DoD, is fighting a war through regulation and compliance. Because much like you saw in, I think, the 90s and early 2000s, a lot of our manufacturing went to China. And this is just an example, but it is just a fact. A lot of our manufacturing, a bunch of our manufacturers...
Brooke: Yeah.
Austin: Went to... so they made it very attractive for our manufacturing companies, there's other aspects there, to come to China. And then they created a lot of joint ventures, a lot of companies, and then they learned from some of our companies their manufacturing processes, and then got the IP, and then suddenly you have them creating competitors, even sometimes where they're just changing one letter: Chevy, and now they have a Chery, and then they have the Chevy Spark, I forget what they named the Chevy Spark, but now they're selling it. So the point is that we've gone through this process of giving away a lot of our IP and a lot of our manufacturing. Absolutely. And now the other nation states, and China's just an example, this is why the DoD is doing this. You have North Korea, you have Russia, you have China and everybody else using their cyber warfare to get into the Lockheeds, the Parker Hannifins, the Raytheons, and then they have billion-dollar cybersecurity budgets or whatever. And so they found out it was easier to go further down the supply chain and get into these smaller companies that have pieces of the puzzle of classified information, and that's what controlled unclassified information is: it's a piece of classified information. It's a derivative of it, basically, right? So, anyway, my point with this is that in the Department of Defense's view, whether they say it or not, I think that they are fighting a war through regulatory compliance because they want to keep all of the money we spend, all of our weapon systems, guarded.
And if you view it as if they're fighting a digital war against other nation states stealing our intellectual property, and you understand that that is their goal and their game plan, then you suddenly understand that they don't put as much stock into the economics of it and whether or not it's as achievable for these smaller SMBs or not. So, I mean, they're doing some things to make it a little easier, but at the end of the day, I don't think they care as much about making sure that everybody stays in the supply chain. And so I think if you view it from that perspective, they're just gonna go forward with this regardless. I don't think it's a good idea necessarily to just gamble on the fact that this may just implode on itself. Because even if it does, I think they may keep going forward. And I'm willing to say that if I'm wrong in three or four years, then come get me and tell me I was wrong. But that's my opinion.
Brooke: They'll buy you a steak if he's wrong, so I'll just take him up on it.
Austin: If I can afford it, then. But anyway, that's my perspective, and I think you can see the reinforcement from some of the policy that they're taking. Like, they're starting to talk a lot about the False Claims Act and putting people in prison, levying fines against them for saying that they were compliant and they're not. So my point is they're telling you that this is serious; they're treating this as if it's serious. If they're willing to put you in prison over it, maybe you should take them seriously. That's my thought. And that's my soapbox. I'll get off of it. But I want to tee up to you, on my tirade there, what your opinion on the DoD's approach is and whether you agree with me or not.
SPEAKER_03: Yeah.
Brooke: Actually, absolutely. So I wish, and I know there's at least a second podcast we've done where I've said this, but I wish we had a picture back here of a few of the things that China's copied: the Joint Strike Fighter, the Humvee, and different things, because when you show our Joint Strike Fighter and the Chinese J-something, anyway, if you show those side by side, my gosh, they look almost identical, for some strange reason. And so this whole thing is to prevent that, right? Because they're stealing all this. And the reason the United States has a military advantage in the world is because of our technology, and you can name all sorts of other things, but one of the big things is technology, and so we've been ahead of that technological curve and been able to create quicker and faster than other nations, especially our adversaries around the world. We have a good economy to base that off of. We're still one of the largest, yeah. So, I mean, the American experiment has worked; we've got all that going for us. And that's why we've been able to... you can disagree with some of that, I'm sure. But the point is we've got a good economy. And we're just sharing opinions here, yeah. And so with that good economy, we've been able to pay for staying ahead of the technological curve. And it's not like China doesn't have smart people, it's not like Russia doesn't have smart people. They do, they have some very smart people. They have some very good, I'll just say cyber, cybersecurity, cyber warfare, they're very good at all that. But we're no slouches. We've got a bunch of smart people and we've got money to back it up. And unfortunately you have to have that.
You have to have some resources to back that up. But what China has been able to do, to your point, they've been able to leapfrog decades of R&D, research and development. They've been able to leapfrog billions or trillions of dollars spent on that R&D and trial and error. Well, I guess that's what R&D is, but anyway, they've been able to leapfrog decades of R&D and trillions and trillions of dollars that they didn't have to spend. They just come and break into somebody's computer and steal something. And so, as you said, it's not like Lockheed and all of them haven't had any cybersecurity incidents. They have, but they don't get the bulk of their information from there, necessarily. It's a lot easier to break into a 20-person machine shop that's machining some little widget or some widgets for the F-35 or whatever it may be. It's a lot easier to break in there, send them an email that they click on, and suddenly there's a Trojan on their computer. And they realize what they have and then they exfil it, right? And then they just put puzzle pieces together. That's how they get the Joint Strike Fighter. Like I'd have pictures back here to show you, but that's how they get those. They've stolen all that stuff. And really, when you get down to it, that's what gives us our technological advantage, but it also is what protects our warfighters. We don't have to go out there and fight with sticks and stones and blunt objects and sharp blades. We have some more technological advances that we can use, and use a smaller fighting force, a smarter fighting force. And so this helps our warfighter. That's what this whole effort is: to protect our warfighter and to protect our advantage technologically. That's what it's all about.
It's all about that warfare, like you were talking about, and the way they address it: we're a free country, right? And so the way they address it is by policy. It's not like the government can come and just say, you've got to do this. They were like, well, if you want to do business with us, this is what you have to do, and we don't want to have a revolt against this completely. And so, because they do need all the SMBs, they do need all those companies making parts and doing things for them, or else they just couldn't survive. Yeah, otherwise they would have just mandated it and said, this is the way it's gonna be. Exactly. Yeah, or they would have provided the security themselves. So they can't do that. So it's done through policy like this, and it's taken a long time to come to fruition. But it's a freight train and it's coming now.
Austin: So it is not stopping. If you sit on those town halls, or if you talk to people or you talk to assessors, there's not a lot of give and take. It's like the standards have been out for a while. They are what they are. We're gonna double down on them. We're not gonna make them less stringent. That's kind of the theme or feeling you get from them. But to get back to the reason that the DoD is doing this, trying to protect our nation's IP, and IP would be intellectual property, not TCP/IP, just in case there's any geeks like us.
Brooke: I don't think there are. Actually, now that I say that, you're probably right. Well, maybe, I don't know.
Austin: It is a compliance podcast, I guess. So we don't know. Let us know in the comments. So all that intellectual property, the government's goal is to protect it. Do you feel like the CMMC compliance regulations, standards, technical safeguards, whatever you want to call it, do the job of keeping all the nation states out? Like, is there at least some silver lining here, that maybe we can feel better that we're a little more protected?
Brooke: I've always liked NIST 800-171 compared to other compliance regimes. I've always liked this one. It's pretty prescriptive. It doesn't tell you exactly what you have to do, but it lays out that you've got to do these things, and, like, you can say you meet ISO 27001, but you kind of get to build it yourself. And I know we won't get into a big discussion about that, but this one is very much "you have to follow these controls." You have to authorize people, you have to have a list of those people, you have to use FIPS encryption for CUI. So it's very prescriptive in that manner. It doesn't say how you have to do that necessarily, but it says you have to do those things. So it covers the bases for us as an IT provider. It has all the things that we would want somebody to have. All of our clients, we wish they would have all these solutions in place to meet these controls, right? But again, we're a free country and not all our businesses want to pay for that. But it's a very good compliance regime, and I think it does a good job of keeping the bad guys out. Some of it is, if you actually do what you say you're doing. And I will say there are a few things: you have to review logs, for instance, right? Well, I have no idea how this would pass an assessor, but if you say, yeah, we have all the logs and we have them right here and we get alerts, and we look over those alerts, you know, 10,000 alerts or whatever. Is that really doable? Well, probably not. You really have to have some service that goes through those alerts, narrows them down, correlates them, does whatever.
And I know I'm kind of vague on that one, but some people just want to say they gather the logs and they look through them. That really doesn't fly and it doesn't work. So technically you are meeting the control. Again, I don't know how an assessor would assess that, but I have a feeling. So you have to have some service in place to help you, because there are thousands and thousands and tens of thousands, and depending on how big you are, millions of log entries a day. So it's gotta pass the assessor's sniff test. It does have to pass, to see whether it's BS or not, right? So to go along with it, you do have to make sure you're doing things correctly. But it's pretty prescriptive, and if you follow things with an open mind and address them like you think you should, then it'll be covered and it keeps bad guys out.
Economic Considerations for SMBs
Austin: So I think this is the typical vein of conversation: usually people question whether or not CMMC will continue on, whether it's an unnecessary burden on the supply chain. And the next thing usually that people will go to is whether it's even worth it for them to stay in the business or not. It's a good question to ask yourself. Very reasonable. Very reasonable question. Very fair. Yeah. Because, I mean, it is business. We're not warfighters, right? We're not soldiers. So we're not mandated to do this just because we have to. If we want to be part of defense work, then this is the ask, right? It's part of the job. So you don't have to be a part of it. But if you want to, then you have to do this, is what the government's saying, right? So if you want to opt out, perfectly fine. And so people will say they aren't sure whether the economic value is even worth it. And I agree. And I say, at the end of the day, it's in the numbers. So you go to your P&L, you go to your sales summary by customer, and you go, who here is responsible for my DoD work? Amount of revenue from it, percentage, whatever. Does this amount justify that I invest? Because that's what it is. You're investing in cybersecurity and compliance to keep this revenue or get more of it. And if we assume that there's going to be some frictional change in the supply chain of people not doing it, then there's going to be some contract value move from people that aren't being compliant to people that are. So I would assume you should be able to make more money. So that equation of "does my current revenue justify it, and/or the potential revenue I could get," that's the equation or the formula you put together to decide whether it's worth it to stay in CMMC.
And so I've talked to people that have like 10-20% of their revenue from aerospace or DoD, and they're like, I'm not sure if it's worth it. I'm like, yeah, that's a very reasonable question. And then I have people that have like 60% of their revenue from aerospace or DoD, and I'm like, I don't know if you can replace that revenue in the next three years, but to me, I think I would invest. But yeah, I don't know what people's profit margins are. So anyway, that's my take on whether it's justifiable to stay in defense work and invest in CMMC. I think it's a simple, simple answer. What is your thought?
Brooke: Well, you're right. You look at your P&L and how much you can charge for your product and whether this is a worthwhile investment. I mean, it's really just as simple as that. You just have to figure out, it's gonna start around, just to get certified, it's gonna start around a hundred thousand at the low point, really higher than that, but it's gonna start around a hundred thousand just to get certified every three years.
Austin: Break that hundred thousand dollars down for us.
Brooke: How much of that is assessor, how much of that is antivirus, how much, like, as broad as you can get? Oh no, that is just the certification assessment. And that was before the final rule and the 48 CFR, where they require two assessors per assessment. So that has raised the price a little bit. So really it's more than 100,000. It's probably closer to 120,000, 110,000, I don't know, something like that. But again, that's a low bar. That's for the small shops. That's not for the big ones. And so that would be the C3PAO's time. That would be either a provider like us or all the time you're gonna spend internally doing it. It's also for any preparation you need to have specifically for the assessment, okay? And we'll just round off to 110,000. So 110,000, that's just for certification, once every three years. That does not count the cost of the services. So if you're an SMB and you need to hire a provider to come help you because you don't have the internal expertise, which I can tell you, it'll be a lot cheaper hiring an IT provider that knows what they're doing to come help you out and do this than it will be to hire somebody internally to do it, because they're more expensive and then they still have to go buy all the solutions and all that kind of fun stuff. But again, that $110,000, $120,000 does not include everything you have to put in place, and that could be, for recurring services to an IT provider like us, sixty thousand a year, it could be seventy-five, it could be a hundred thousand, depending on how big you are, depending on what kind of environment you have, and that's just ongoing.
And then you also have, there'll be some projects in there. Will your current environment work? There are likely changes that need to happen. So you're gonna have ten, twenty, thirty, forty, a hundred thousand dollars in projects you need to pay for. So these are not small numbers. So if you've got a five hundred thousand dollar book of business from a prime that you work on and you make, I don't know, fifteen percent profit, twenty percent profit, I have no clue, but figure out what profit you make on that, and is it worth the hundred and twenty thousand plus the sixty to a hundred thousand in services plus the projects you're gonna have to put in place? Is it worth it? For a book of business like that, it may not be. Or you've got to use it as a marketing thing, which a lot of our clients are intending on. And I do have something else I'll mention that we talked about a little earlier. But a lot of our clients are intending on using this as marketing, saying, hey, look, we meet all the controls. We are now at a 110 SPRS score, which just means you meet all the controls. And we're in your system, we're green and we're good to go. I'm not gonna tell you that will definitely mean you get more contracts, but that should mean you get contracts quicker and earlier than anybody else that's behind the eight ball. Because it's really gonna start meaning something at the end of this year, your SPRS score. And so the other thing I was gonna tell you about is, I probably shouldn't name the... let's not name them. I shouldn't name the prime. I'm definitely not gonna name our client, but I think that's a good story. I know you're gonna say I should ask you to. I won't name the prime.
They're one of the primes that's, a good word would be persnickety, about all these controls. So I've gone back and forth with them on some of these controls before, and they're just persnickety about them, and really want to nail them down and be very specific. But I understand why. But I had a good conversation with their person that's in charge of compliance. She told me, really, we want the subcontractor to be green in our system, and our CEO has this as a goal. We want to be in the best place possible to get all the contracts we can from... or I guess those were not her words; this is all my paraphrasing. So we want to be in as good a position as possible to get contracts from the federal government, and so what that means is making sure that all of our subcontractors are in the best position possible. So they're really pushing their subcontractors to be green in their system, which means they have 110 on the SPRS score. So this particular client had FIPS encryption left on some things that wasn't across everything yet. But the final rule just came out too, and that gave us some breathing room, or some things we could do. But anyway, they wanted them to be green, and they told them, we're just trying to get you in the best spot so you can get contracts easily. And we want to get as many of our subcontractors in that green area as we can so we can be in a better spot. And that's just a repeat. But they're really pushing to get this done by the end of this year, or as early as possible. Right? And it's all understandable, and it was a really good conversation.
I'm really glad I talked to her and understood that, because we hear that, we see it in forums, we were at the shows and we talked at the conferences, CMMC conferences, and talk to people and hear this stuff. But that was the first time I've really had a really good conversation with one of these prime contractors that just laid it all out on the table. And basically they're just trying to get you in a really good position, and they want all their contractors to be there, is ostensibly what they were saying without coming right out. And she said, I can't really come right out, just like I said a minute ago, I can't really come right out and tell you you'll get more contracts, but you'll be in a really good position to get contracts. So it's like, well, okay, that's what she's saying basically: if you're green, if you've got 110 on SPRS, you'll be in a really good position to get contracts, and it'll be easy for us to hand you contracts.
Austin: Absolutely, I like that. I mean, it's funny how many things in business are never guaranteed.
Practical Steps for SMBs
Brooke: Yeah, it is. And it's not guaranteed you'll get more contracts, but if you spend the time and money, and you're able to spend that time and money, to be fully compliant, and, like we said on other podcasts, there's a ton of documentation, an absolute ton of documentation that has to be in place. Ongoing documentation, then also proof that the controls are in place. You have to have all that documentation. And it's a lot. So if you have all that, then they're trying very hard, at least the primes are trying very hard, to make sure they explain to the subs that if you get in this green area, the 110, you'll be in a really good position to get those contracts. So it can be worth it for you.
Austin: Okay. Well, now that we've kind of talked about all the conceptual ideas and all the things that aren't guaranteed but seem likely, I do like to close out all these episodes with some practical, actionable steps. Because at the end of the day, all we can do is just take the next step forward, right? So a question for you, and I've got some of my own opinions here, but I'm gonna let you take this one first: what are some practical steps today, or a practical framework, that an SMB, since that's who we're talking about in today's episode, can use to go from not compliant to compliant? Whether it's the SPRS self-assessment or whatever, if they've taken no steps to get compliant, and today they heard this episode and said, okay, I want to get compliant now, how would you advise them to do so?
Brooke: So the first step is to understand what CUI is; you need to understand how to spell CUI and what it means. And you want to understand FCI, so federal contract information, and controlled unclassified information, because that's what all this is about. The big deal is about CUI, controlled unclassified information. So you need to know what that is, you need to know what information you have that is CUI. Okay. And when you're first starting out and trying to figure this out, it doesn't have to be specifically which documents right now are CUI, but in general, what do I have that's CUI? Is it spelled out on the contracts? Are the documents marked? Probably not. Or, what is CUI, right? And so after you figure that out, then draw yourself out a data flow diagram. So how does that CUI come in? Where does it come from? How does it come in? Where does it go when it comes into my systems, right? And then you need to define your systems and understand what you have, because a lot of people, with just the IT sprawl and growth that you have, you're like, oh, I forgot about, we had an instance of E2 over here, and I forgot, or whatever, it might be hard to forget about that one, but IT sprawl is a real thing, and you sometimes forget what all is where and how things are connected and all that. So the scanner folder, it's a good example. Yeah, the scanner folder, you scan those drawings in or something, or whatever. So you never delete them, but they're open to the guest Wi-Fi. So you need to understand where that CUI comes into your systems, where it resides in your systems, if it traverses throughout your systems, where it goes, and then if it goes out from you, where does it go and how does it get there? So that's a data flow diagram.
So understand your CUI, understand your data flow, so draw a data flow diagram, and then with that you can describe your environment really well, the environment that's in scope, right? And that leads you to scoping. At that point you can scope your environment and define it really well. We had a podcast with Chris Silvers, and we really appreciate it, Chris, if you're out there watching, but one of the things he said was that scoping is telling a story. It's selling your idea of your scope, so you've got to do a sales job on your scope to the assessor: this is why, and this is why we do this. So you've got to sell your scoping. It's not just some broad idea with one statement or something. It's more detailed than that. So you've got to scope your network after that. Understand CUI, understand the data flow and where it goes, scope your environment real well, and once you do that, you have it kind of laid out and can understand how you need to implement the hundred and ten controls, or three hundred and twenty objectives. That's the in-depth hard part, understandably, that and all the documentation you've got to create and save along the way. The next thing I would say, and you just asked about getting started, but the next thing I would say is that you get a really good GRC platform. We've got one that we use, and it's specifically for CMMC. It works great, it's better than all the other GRC platforms out there that we've tried, and we really like it. I don't think there's a problem giving them a shout-out. No, it's FutureFeed. The folks over there are great, they've done a wonderful job with FutureFeed. Mark Berman has done a really good job. We do use it; they're not paying us to say that.
No, yeah, but that's a good idea. And no, I'm just kidding. But anyway, great product. I won't say it makes it easy, because there's really nothing about this that is easy, but it helps with CMMC. It contains everything for you. So it's a really good product. Those are the most important high-level things you can do to move forward with being compliant.
Austin: I'd say everything you said, but we're coming from the skeptical SMB's opinion here, which again I completely understand. I'm not saying that you're wrong. But if you are skeptical, and you do have or are looking for defense work, then I would start by pulling out your sales by customer summary and doing some quick back-of-the-napkin math: okay, how much of my business is DOD or could be construed as such? Then I'd go through my email and search for SPRS or CMMC and see how many times I've been asked by my primes, my customers, about compliance. I'd see if I ever filled anything out. My point here is that I would go look at my risk profile. If you're skeptical, I would go see what the risk profile is, and then go Google about China, North Korea, Russia, CUI, and whether or not they're stealing this. Go look for yourself on Google and see why the DOD is doing this. Then search for the False Claims Act. What did Chris bring up? Was it Missouri State? There's Georgia Tech, I think, and Penn State. Yeah, so go Google those cases.
Brooke: And there's another university too, but I can't remember it off the top of my head.
Austin: Surely with the information we're giving you here, you can find the DOD using the False Claims Act to prosecute those entities and others that have said they were compliant, or maybe misrepresented that they were, and go convince yourself that this is actually important. Then make a decision whether it's something you're gonna do or not. I'm not necessarily trying to convince you to go use our services or go get compliant. I'm not here trying to champion for the DOD; we're just implementers, we're here to do a job for our customers. What I'm trying to get you to do is not get caught in a bad situation, whether that's jail or a sudden loss of revenue. And if it's something you don't want to do, then start looking for other revenue sources right now. Go find new customers, because I'm pretty sure, we're pretty sure, and the government's telling us, that in the next two or three years this is gonna be the real deal, and you're gonna feel the hurt if you're not ready. It may not be jail time, but it sure could be the fact that you're no longer getting contracts. And I mean, that's a hard time for a business. Sometimes the thing that hurts the most is when you're not growing, you're starting to wane, and it seems like nothing you do is right. You might find yourself in that spot if you're not positioned to get new revenue, if your whole business is centered around DOD work, or at least a large portion of it. So that'd be my action step for today.
Closing Thoughts and Next Steps
Brooke: For sure. And you're talking about preparation, really. That's a word that keeps coming up on all these podcasts: be prepared, preparation. And you do have to be prepared. We won't talk specific timeline, but what I can tell you is that the timeline laid out by the CFR rules, that's all nice and great and everything, but they did give themselves a little bit of wiggle room, both to do a few a little early and to push some options a little late. But don't assume that a prime using a subcontractor isn't gonna want you to be certified before you have to be certified. So there's that. You've got to keep that in mind and realize that these primes might say, if you want any new business, you have to be certified by X date.
Austin: That's where a lot of our customers come from. The bigger primes out there said, we have these contracts, we need you to be compliant, and we need you to attest that you are. And they were already doing that as early as 2017. Sorry, I'm interrupting.
Brooke: No, that's good. I mean, you just have to be prepared and understand that the dates you see and can suss out from those rules, for when certifications are gonna start being required on contracts, may come early, either because the government requires it a little early on a contract or two, or maybe more than that, or because the primes say we want to be ready and we're gonna require you to be certified sooner. The Cyber AB, on the last town hall, I think, said that. We have no clue what the primes are gonna say. If I was them, I'd want my subs to be certified ahead of time, at least a portion of them, so we can move forward on these contracts and won't have to worry about it.
Austin: So anyway, preparation is the key word there. We'll rename the podcast CMMC Preparation. That's all it is, yeah. So again, we're not trying to sit here and convince you of anything other than to take it seriously. Make your own choice at the end of the day. The freight train, it's coming. Yeah, it's coming slow, but it's coming, and they keep making it more and more real. So we're gonna be at the, what's the conference name? I was gonna get it wrong. They call it Seek. Seek.
Brooke: CEIC East. Yes, it's called CEIC, the CMMC Ecosystem Implementers Conference, I believe is what it stands for. We'll be there. I went to the one that was just CIC last year in San Diego. It was a great conference for implementers, for assessors, for DIB companies, well, I guess we're an implementer company, but anyway, it was a good broad-spectrum conference. So if you get a chance to go, of course it's a little short notice, but it'll be a good conference. It is November 21st and 22nd, I believe. Yeah. A pre-day, I think, is the 20th, on my birthday. So, early birthday. Thank you.
Austin: Yeah. Good conference. Okay, cool. So if you're there, come see us. If not, we don't know what our schedule's gonna be, but we're gonna try to do a mid-conference podcast where we give you our thoughts at the time of what's happening, and we'll try to get that posted. I have no idea if that's possible. But for sure, we will do a podcast after the show and give you our actual organized thoughts. That should be one of the next one or two episodes, so check it out. Please like, subscribe, and also please comment, text, or email us any of your questions. We really want people to ask questions so that you don't have to go pay somebody; that's the whole point of these podcasts, we're here trying to give it away for free. So use it, abuse it, ask us.
SPEAKER_03: Thank you, guys.