Submit any questions you would like answered on the podcast!
Get your free SPRS Roadmap here: https://cmmccomplianceguide.com/free-sprs-roadmap
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the #1 thing that trips companies up before a CMMC Level 2 assessment: evidence.
Having a binder of policies (or a 300-page SSP) is not enough. Assessors want proof that you are doing what you say you do, consistently and over time, and they want it organized so they can quickly map evidence to controls and assessment objectives.
You’ll learn:
- What assessors mean by “acceptable evidence” (and what doesn’t count)
- The “who, what, when, where” test for logs and proof
- How tickets, approvals, and checklists strengthen your evidence trail
- What to avoid putting in cloud ticketing systems (security protection data, or SPD, risks)
- Manufacturer-specific pitfalls assessors notice on the shop floor
- Why “fresh out of the oven” evidence raises red flags
- How GRC tools can make evidence collection and linking easier
Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're talking about something that trips up a lot of companies when they're getting ready for their assessment or going through their readiness. Um, and that is evidence. Not all the policies, the plans, or the binders, but the actual proof that you have to show to the assessor when they want to show up and say, All right, show me all of what you got.
SPEAKER_02:Right.
Austin:Okay, bro. So a lot of companies think that once they've got their binder or their policies or their uh 300-page Word document of their SSP, um, that they're covered and they're they're all set. Um why isn't that alone enough?
Brooke:Yeah, I mean, you go through and look at the I don't know, um, half the controls, 90% of the controls, anyway. Um you know, there's a lot of them that uh that require other things, you know, uh plans, procedures, um logs, uh stuff like that. So um, for instance, you know, what about a visitor log? What about you know, your logs from your servers and stuff like that? So you gotta have you get evidence showing that you're doing what you say you're doing. Uh you gotta have logs to upload from you know visitor lists, stuff like that. You've got to have uh uh an example of the logs uh, you know, for uh for assessors. Um not only, you know, you might show a screenshot of uh a list of logs to say, see, I've been doing it. But you know, screenshot of the logs or maybe some of the logs themselves. Um but be careful where you put that, that you know, there's uh it's gonna have SPA in it or SPD, I guess, in it. So uh anyway, but the screenshot of those logs, uh the logs, the uh what's in the logs, they want to see that you're capturing. If you say you're capturing username, password, stuff like that, they want to see that. So it's it's the details, and they want to see the details. If you give them all the details and not only the just the SSP and the policies, but you know, uh your procedures, your plans, your uh, you know, all your details or your screenshots, all your logs, everything else, then uh that goes a long way to making that assessor feel good about your environment and and that you're doing what you say you're doing. And that, my friends, goes a long way to your uh a successful completion of your uh uh uh getting a L2 certification.
Austin:Yeah, so it's not um on uh honesty policy or uh I think uh I think it's called trust but verify.
Brooke:Yeah. I think that's what it's called.
Austin:Yep. The honest system, that's what I was looking for. The honor system, yes.
Brooke:It is not the honor system. The honor system is great. Uh handshakes don't work in uh in CMMC, unfortunately.
Austin:Yep. Speaking of trust but verify, um what do assessors want to see whenever um that you're going through a level two assessment as far as evidence goes more specifically?
Brooke:Yeah, so they want to see all the details. They want to see really they want to see the who, what, when, where, and why. Or well, maybe not the why, but the who, what, when, where. So uh uh they want to see, you know, they want to see who performed the action, what the action was, uh, where it was, you know, maybe what computer, uh, what system, uh, and when it was. You know, they want to see all those details uh and more in the logs, but they want to see those details, right? And so you've got to be able to prove it. Uh everything in your policies, everything in your plans, you've got to be able to prove that. And so those are the types of things that they're looking for.
Austin:Okay. So they need to know the who, the what, the when, the where. Um, but beyond that, what does acceptable evidence actually look like?
Brooke:Uh acceptable evidence uh could uh can and will be a lot of things. Uh it could be screenshots. Uh you gotta show that your Intune or your Active Directory GPOs or settings are, you know, you gotta you gotta show that those are set right. So screenshots of those. Um, you know, you could show screenshots of permissions or you know, you could do reports uh of permissions. So um any reports you do, uh, you know, it'd be good for those to be automated and not manually created. Uh you know, if you can automate those one, it it's when you know when the assessor shows up and they want a new report run, it's easy to get that report to them real quick if they're if they're automated or you can run that report, right? Uh if you got to manually cre manually create it by running a bunch of commands and coalescing all those CSVs and all that kind of fun stuff, eh, they they'll probably take that, but uh uh something that you can produce quickly for them uh is uh a lot better. Uh so if you don't if you have to massage the data a lot, that might turn them off. So uh just remember that. Uh the um logs, you know, logs from your systems, uh from your SIEM, uh reports from your SIEM, stuff like that. Uh you don't have to use a SIEM for CMMC, but when you read uh the audit and accountability uh section, you know, it's really written for a SIEM. So uh because really, and truthfully, if you don't have a SIEM in this day and age of looking over all your logs, you're you're doing yourself a dis uh a disservice. Uh you really should have a SIEM helping you look over those logs. You know, back in the day, I could look over logs uh way back in the day. 
I could look over look through logs and find problems and and stuff like that, or look at a network trace and find some problems, but there is so much going on and so much obfuscated these days because of encryption and everything else, that it's it really is impossible for a person to look through those logs on their own and and uh find problems. So have a SIEM help you go through those, alert you on things. So and speaking of alerts and uh you might think of tickets. So a ticketing system is a really good thing to have. So some of those tickets uh where you onboarded a new person or changed somebody's permission or whatever it may be, you know, some of those tickets to say, look, we actually did this. Here's a checklist in that ticket, or you know, maybe your tickets don't have checklists, but um, you know, uh just proof showing that you did what you say you did. And by the way, uh we we always uh we have these conversations with our with our techs quite a bit, you know, put detail in the ticket to tell what so we can go back and look and see what you did, you know. Uh six months from now, a year from now, when we have a similar problem, you go back to look, you don't want to look and say, I fixed it. You know, uh you want to look and see what you did to fix this problem. Uh so same thing with all this. If you're changing somebody's permission, if you're doing whatever, uh just put some detail on there of what you did, right? So and then so an assessor can look at it and go, oh yeah, uh so I understand you did X, Y, and Z and you you completed the ticket. So uh but those tickets are uh a ticket system is uh really good. You can also set ticket systems up to um you know for uh to request approval. Um you can also uh just have a you know a procedure to follow and get that approval from someone and put that in the ticket. 
Uh but uh some ticketing systems, a lot of them do have uh a way to set up uh approvals to where if it's an onboarding ticket, uh you know, you create the user. If it didn't come from uh your security authorization person, then uh you contact them and you you go through that with the ticket. So really that's the kind of things you're looking for, kind of the kind of details. Um and you're the assessors are looking for uh proof that you're doing what you say you're doing and that you're doing it ongoing, that it's part of your business. It's not just, you know, oh crap, the assessor's here. Let's get all this done, right? Uh and that's that's what CMMC is about, is is management and mon ongoing management and monitoring.
Austin:Absolutely. You said way back in the day, um, when you could when you could look at logs, it doesn't give you a hard time and say, I didn't know abacuses had logs. Well, that the abacus was a log, you could look at it, yeah, you know. Right. So access control can be one of the more neglected areas, uh, especially say in a a small a smaller operation um where typically everyone, you know, someone says, uh, well, everyone wears multiple hats and we can't really restrict data um, you know, uh to you know Susie or Bill or Bob. Um so it can be kind of one of the areas that red flags can be spotted. So uh what typically goes wrong here, and can you go into a little bit more on access control and and how that relates to evidence?
Brooke:Sure. And I I will expand a little bit on one of the things you said about uh you know a small shop, everybody wears a lot of hats. And we're a small shop. Everybody wears a lot of hats. Uh so uh, you know, I always challenge folks a little bit and say, look, you know, do you let all your employees see uh see each other's pay scales? You know, do you let them see each other's term or um you know disciplinary records? Do you let them see personal details like that? Oh no, no, no, we don't do that. Ah, well in that case, then not everybody needs access to every piece of data, and you can apply that same principle to CUI, right? And you should apply that same principle to CUI. Not everybody needs to see it really least privilege, right? Uh if those users don't need to see uh certain data, then you really do need to uh to to fix that. You need to have your enclave, uh have your scope, whatever, you know, however you want to define it, uh, and make sure that you have it least privileged as much as possible. But I completely a thousand percent understand, and assessors do, that uh people wear a lot of hats and and Joe Blow over here might, you know, be a machinist and and an accountant, you know. That's not we don't really see that very much, but but uh you know they might be a machinist and an accountant, or they might be uh they might they'll perform multiple roles, you know.
Austin:Um front desk or accounting does not necessarily need to access drawings or they might need to see FCI, but not CUI.
Brooke:So you know, figure out how to split apart your FCI and CUI to where uh yes, to where those accounting users, for instance, and HR users uh and a lot of times those are the same, you know. Sally over here is uh HR and and accounting, you know. Uh so she doesn't necessarily need to see all the specs. You know, make sure those are cordoned off however to where she can't see them, then uh you've got a you've got a very beginning of an enclave or you know, scoping your environment properly. So but that's in the very beginning. We've talked about uh what kind of data you have and scoping and uh all that kind of fun stuff. So that's that's part of that. But uh to your point, uh that's part of uh access control and deciding who can see what, right? And uh people wearing multiple hats and all that. Um so you know, another thing is uh along those lines, uh saying yes, we follow follow the principle of least privilege. Great. How do you do that? You know, uh well, you know, users are not admins and users can only see what they s see what they need to have access to. Great. Show me. Well, how do I show you that? So the point is you ought to be able to show that you have that you perform least that you follow the principle of least privilege. You know, you ought to have screenshots, um you ought to have evidence that shows uh you ought to have your policy ought to explain that, how you do it and how you how you accomplish it, and then you ought to be able to have screenshots and everything that show how you accomplish least privilege. And the fact that Sally over here in HR can't look at the drawings. You know, maybe that would be a good piece of evidence. You know, a list of Active Directory user accounts, that's wonderful, that's great, that's a good place to start, but they're gonna want to know about all your employees. 
Have a list of all your employees, uh who has system access, who doesn't, who has access to CUI, who is a the you've got to categorize, people are an asset, okay? And you have to categorize all your assets. You have to categorize them as CUI assets, uh security protection assets, uh contractor risk managed assets, uh out of scope, um, all that kind of fun stuff. So you've got to you've got to classify those assets. You've got to classify the people as well as your computers, as well as your systems. Uh you've got to classify those things. So um you've got to list out, you know, Sally is uh is out of scope because all she does is QuickBooks and HR, right? Um so you've got to make sure you do that. It it can include your Active Directory user list. That can be part of your evidence, but you also need to have that full list of all your employees uh to uh to gauge against. And again, uh, you know, ticketing systems. Uh ticketing system is a really good thing to have. Um, you know, we we think that way because we're uh we're an MSP and we live in our ticketing system all day long. So uh and our actually we live in a PSA which does a lot of stuff for us. Part of that is ticketing. Um PSA is professional services automation, it's kind of an R ERP tool, enterprise resource planning, uh, but it's kind of an ERP tool for MSPs like us. So uh but a ticketing system is a real good thing to use. That way when you uh somebody requests access to something, onboarding, offboarding, and we mentioned this a while ago, but uh you know, onboarding, offboarding, change of access, anything like that. You open a ticket, what is it for, and then you record your actions, and then you close a ticket. 
And then when the assessor comes, you can there's your list of evidence, and you can export those tickets and quarterly, annually, however you want to do it, you can put that put some of that evidence in um hopefully a GRC tool, but maybe a spreadsheet with a folder and a bunch of uh table of contents file. But um you know, you can uh save that evidence uh so they can look and see that yes, you've been doing this, right? So, you know, those are the those are the kind of things that are that that are good pieces of evidence uh for uh for assessors. And I'll go back to the screenshots again, you know, screenshots of settings. Uh screenshots are good, uh, but they show they're very much a point in time. So, you know, if you do uh a good time to do some of those screenshots is if you perform a quarterly ticket for vulnerability scanning, for instance, and vulnerability and security scanning to check on inactive accounts and vulnerabilities that need to be managed and all that kind of fun stuff, uh that is a good time to capture some of that evidence.
Austin:Absolutely. Keep it current.
Brooke:Keep it current, yes.
Austin:So not to uh take us too far off the the evidence um talking point and down another rabbit hole, but I'm gonna do it anyway. Uh so but uh you know, talking about the you know, multiple people uh wear multiple hats and everyone accesses everything, um, you know, can be often a um um a roadblock or barrier that we see a lot of times, you know, in say a small machine shop or mid-sized machine shop or really any other small mid-sized company. Um but it can uh it can also it also works in your benefit, you know, in multiple ways. The first big one um is that by giving people limited access, for example, Susie in accounting, um, if we're taking her out of scope and say she doesn't have access to CUI, um then she's not part of the level two assessment, right? Or or in terms of scope. So you're kind of limiting the bat blast radius and the number of things that can go wrong. So really it's a good strategy um from an assessment uh perspective and limiting um your liabilities um to keep the scope as small as which is reasonably possible and that fits in your operations that doesn't cause like you know problems of efficiency, but it helps out um a lot. Absolutely because otherwise your entire operation would have to be assessed. And you know, just the more that scope grows, the more your potential problems do as well, right? Right. Um uh and the the people you have to um make sure are read in to do everything properly and right and uh are gonna get assessed. So that's one. Um the next thing I was gonna say is, you know, kind of a a cousin to that uh point I'm trying to make. Um and it's you know, if you have some owners, you know, um that are um, you know, if you're put in charge of the compliance or IT or you know, kind of piece, and they want you to get this done, um uh, but they don't necessarily want to be uh burdened by all the things that the compliance requires at the same time, you know. 
So they put you in charge of getting compliance done, but they don't want to have MFA and they don't want to do this and they don't want to do that, and um then take them out of scope.
Brooke:Take them out of scope. That way they don't have to worry about any of that stuff and they don't can't access any of the data that matters.
Austin:Yeah.
Brooke:So I mean there Austin knows something about that, by the way.
Austin:Yeah, hey, absolutely.
Brooke:Absolutely. We have scoped Austin out. He doesn't have access to any of our any of our critical data, so which I'm happy about.
Austin:So um Austin means y'all can ask me to do less things. So this is true.
Brooke:Yeah, this is true. Austin's been shooting for a way to uh not have to do any uh be involved in anything technical related, and uh he finally got his wish. Not recently, he's he's been scoped out, but you know, he's uh he got his wish.
Austin:I'm shooting for uh, you know, uh Margaritas on the beach, you know, and scoped out, you know, here soon. So I'm it's my ultimate end goal, you know. Yeah, I think I did something wrong. I didn't shoot for that too. So uh just kidding. But but no, I mean that's so uh you know, if you have uh owners that want this done, you know, but that aren't necessarily buying into the fact that they also have to do something, um then you can I mean you you have to get to compliance, you have to be compliant, right? Unless you're gonna lie. You know, so that conversation can be made with them, you know, that you know, hey, we're limiting our liability here in terms of scope and what has to be assessed. And you know, if you don't want to do all this crap, you know, that um is a pain in the rear, um, then don't. Uh we'll just kind of scope you out. Um, you know, obviously the owner has to have enough trust in in uh the team they put together and everything to they absolutely do because yes. Yeah. So I mean and and there's there's you know, there's ways to hedge, you know, any risk of, you know, for an owner that um, you know, like break glass scenarios and and whatnot that um you know makes that uh from their perspective a little less um you know uh concerning. Um but uh but yeah it's uh it's typically the best way um to do it um and uh it it's kind of a win-win um you know if you're if you're being if you're this isn't much the the most common thing that we see, you know, uh one of the most common things that we see typically some of them tasked with it, but you know, not everyone wants to jump on board with all the the burdens of day-to-day tasks or cybersecurity or you know um uh that you have to do. So absolutely you brought up uh sims, seams, you know however you want to say it. Um people like to say things different ways uh ways earlier. It's not required um but certainly helps out.
Brooke:Um I'd like to point out the correct way to say it is sim. So absolutely 100%.
Austin:You're going on record yeah yeah we'll start a we'll start a uh a discussion and uh you know people I'm sure post their passions about whether it's sim or seams we'll just go ahead and put your uh physical address mailing address right here where you can send all the hate mail if you disagree I'm kidding um uh yes so uh I have to agree with you but uh so the point is uh there's logging and monitoring is is a heavy burden um when it comes to CMMC compliance um and uh it it it can stress people out um so what are assessors looking for when it comes to logging and monitoring how do uh they want to be shown the evidence that it's actually being done in a way that is satisfactory.
Brooke:Sure. So you know, I mean, just look at the controls. You have to define, and define means you have to write down, so most of this is going to go in your policy: about, you know, what are you logging, what sources are you logging, uh what kind of events are you logging, uh what kind of content is going into that, you know, um uh is it uh username, is it uh computer names, is it file name, is it dates? You know, probably yes to all that, but uh anyway, what kind of things are you logging, uh where are you logging it, uh what happens with it? You know, do you have a SIEM in place, are you using a SIEM? And no, it does not say, are you, you know, you have to use a SIEM, but as we talked about a minute ago, or a SIEM, but uh you know, as we talked about uh a little while ago, it's uh it it really is written to say, you know, you should probably put a SIEM in place. So uh you could do it without one, but in my estimation and my my opinion is that, you know, you can't really do good security without having a SIEM in place these days.
Austin:There's just too much dang data you have to look at.
Brooke:Too much noise. Way too much noise, right. So you need something to help you uh look through that and pop alerts and stuff like that. So uh in any case uh you have to define everything that goes into it. So the assessor is going to want to see what you defined, and uh they're gonna want to see that you're capturing from all the sources you said you are. They they want to see that uh if you said the usernames, computer names and file names are all in there, they they want to see that that's in there. They want to see that, you know, those uh failed logon alerts, um you know, who knows, maybe you failed some logons, so uh so you can capture those, you know, or something like that. But uh they want to see that those alerts are working or that those uh logs are working right, and then, you know, part of this is reviewing the logs or reviewing, you know, the events and stuff like that. So they want to see that you're doing that. You know, they want to see that all this is happening. So you have to show some evidence that you're reviewing these, because if you say, you know, Scout's, what is Scout's honor? I don't remember what Scout's honor is. Yeah, there you go, I think, I don't know, it's been years. Austin here was an Eagle Scout. So uh if you're an Eagle Scout, don't you remember that stuff forever? I don't know. I mean, in any case, too many margaritas on the beach. Yeah, there you go. So they don't say, you know, they don't take, you know, Scout's honor, I promise I'd do this, you know. They they want to see evidence that you review that stuff. They want to see evidence that it generates alerts. 
If you say it generates an alert and a ticket uh they want to see that so uh those can all be part of your of your um evidence so uh they want to see good strong evidence they want to see you know not only the fact that you do have a bunch of logs but the content of those logs uh you know if you say you raise alerts and tickets they want to see that uh so they want to see again they want to see proof that you're doing what you say you're doing that it's monitored and managed.
Austin:Okay so logging and monitoring those logs is obviously a real pain in the rear um but so is uh configuration and change management and you know if you've had your uh you know hands in the cookie jar when it comes to IT um and moving things around and fixing things and responding to fires all day um uh and maybe hands in the cookie jar is the wrong metaphor to use there but you know gotten your hands dirty I guess uh um from an IT perspective you know that uh things happen fast and it's it's hard to keep track of things and um but you know compliance demands it so um how uh you know system changes and configurations uh that all needs to be tracked and um and and kept track of for for compliance and for assessors so how how does that come into evidence and uh what do they want to see?
Brooke:Sure. So, you know, again, back in the day uh you know we used to use just a spreadsheet. Here's my change management system. It's a spreadsheet, and uh this these are the changes that I make, right. Um but uh you know what CMMC requires is you have a a baseline, and then uh you know you start from a baseline, you have your security configurations and all that kind of fun stuff, uh and then um you track any changes, and that you test those changes before they uh go out to the wider system, right, uh or take into account security implications, all that kind of fun stuff. Uh so they want to see that that happens. A great way to do that is uh I'll refer back to a ticketing system. You know, uh if you have some sort of ticketing system uh or a PSA, you know, MSPs are gonna have that PSA that we talked about, so um like Autotask, and I think Ninja has one, ConnectWise, and I mean there's a million of them out there. Jira is one. Um so there's there's a bunch of ticketing systems, uh pick one, it can work. Uh so uh of course you've got to make sure you what uh what data you put in there and it's okay to put that data in there. So that said, uh you know, use that ticketing system, and anytime there's change management, make that ticket a change management ticket. You know that you can, a lot of a lot of ticketing systems, there there can be different kinds of tickets, you know, a a problem ticket, an issue, uh a uh recurring issue, a change management, um you know, something like that, so uh move, add, change kind of ticket. Uh so uh just make sure you create that ticket, make sure you uh go through all the steps. If you have ticket templates that say, you know, you need to do this, this and this, then uh you can check those off as you get those done, uh then that's great. So but you have, you have that ticketing system, you have a way to document that, and you have a way to report on that also if you use a ticketing system. 
So uh but they want to, you know, assessors want to see that uh proof that uh you did everything you're supposed to you did everything you're saying you're you were doing uh that you took the change uh looked at the change that needed to be made you consider the security ramifications uh maybe you were able to test it beforehand uh that you rolled it out that you verified it doesn't affect any other security or if it does for instance if you have to make a change update um update the firmware on a firewall for instance uh if it's one of the firewalls where you know the uh FIPS mode is dependent upon uh firmware versions you know possibly in that ticket uh in that ticket would also kick off a a uh operational POAM uh but uh maybe that ticket uh you've got to for security reasons you've got to install that new firmware and so you install the new firmware it's got to come out of FIPS mode to do that uh you verify that all the all the right all your security settings are still set with the exception of FIPS mode uh and then you have an operational POAM after that and and you have you know uh evidence that you created that uh you know yes I created a operational POAM item that says that you know once this thing goes once we have FIPS mode available for uh for this appliance again we'll implement FIPS mode right so as long as you document all that then that's what you need if it's in a spreadsheet great that if you're at if that's the way you're uh doing uh change management and change tracking change management tracking however you want to I guess I guess tracking is management so anyway change however you want to do change management if it's a spreadsheet or whatever that's fine uh it's gotta be easy for the uh assessor to look through and understand um the ticketing system is great like I said so uh it it manages all its stuff for you and is arguably better than a sp a bunch of different spreadsheets for different things.
Austin:Yeah, and you had to hit on a point that I think is important to um not dive too much in the weeds, but um just highlight for a second, and that's um SPD and say and the config uh with the configuration management and changes. Um you know, if you're if you are using a ticketing system, say one that's off the shelf or a cloud version, um or your IT provider is, then um a lot of that information in terms of um configuration management can be in there, but but you have to be, like you said, careful about what goes in there. So um for example, uh you know, uh I I you know, like usernames and passwords is obvious, right, that can't be in your ticketing system, especially if it's not compliant, if it's cloud, it has to be FedRAMP, you know. Um so you'd need a um a you know password vault system that's FedRAMP, right. Um uh for example, other things I'm guessing, um you make sure I'm getting in the right ballpark here, is IP addresses, actual configuration files. You know, for example, if you were to export a, yeah, a SonicWall or firewall um config file or something, you wouldn't want to attach that to the to the, you know, ticketing system. You'd want to store that somewhere that CUI, you know, uh could be, or well, where SPD I guess could be stored, uh because that's what it would be categorized as. Um but it needs to be uh you know protected like the CUI uh that it's protecting, um because that's what SPD is. So um you you can you can do all those things, use a ticketing system, but you have to be careful about the actual data, and you have to be real specific and break it down, uh because if that stuff is in there, that is a big big issue. So the generalities of it can be there, but the very specific specificities can't be.
Brooke:Yeah, that that all goes back to scoping again. So what kind of data do you have, you know, and uh where do you keep that data? What is your data flow diagram? What systems are in scope and what are not? Uh are they on premise or are they cloud, and all that kind of fun stuff. So it goes back to scope. Uh you know, the short answer is, uh if if you have an on-premise uh uh ticketing system and uh you do put SPD in there, uh and it's in scope with the with everything else for your sit for your uh for your network, then then you're probably good there. But uh if you have a cloud system, cloud uh ticketing system, uh then it's SPD, is that SPD in there, and can you get uh, like, for instance, a customer relations uh responsibility matrix, a CRM, or a shared responsibility matrix is the is the actual term most people use until the government changed what they use. But uh can you get that from your vendor, you know, and can you get a a CRM that is based on uh NIST 800-171 C or CMMC, right, uh can you get one based on that, or is it just some general uh responsibility matrix? So um they've got a, an assessor has to be able to map that back to, or you need to do it for them, uh back to uh CMMC controls. Um and if you can't get that uh responsibility matrix from your vendor, then you probably, and it's not FedRAMP, then you probably don't need to be putting SPD in it, right, and you probably need to avoid that. So um we avoid putting SPD in our ticketing system, uh and we, that goes in our um documentation system and or password manager, whatever it may be, uh for that, ours is all in one. But um anyway, that's uh you just need to scope that properly and make sure that whatever you're using can handle the data that, compliance-wise, that you're putting in there.
Austin: And again, as we say, all roads lead back to scope.
Brooke: All roads lead back to scope, that's right.
Austin: Okay, let's talk manufacturers. They face some unique challenges in terms of the actual reality of the shop floor, and parts being produced from CUI, right? So what do assessors focus on there, and what should a manufacturer expect?
Brooke: Well, they're gonna want to see that you scoped everything properly, going back to your scoping question. They're gonna want to look at your scope, and they're not gonna go check on things that you said were out of scope and go, aha, but if something leads them to that, then they're gonna say aha. So in other words, they're not looking to fail you, but if Sally Joe says, I use this machine over here to look at my drawings, and they're like, well, I thought you said that was out of scope, and you're like, Sally, shh, be quiet. So those questions all go back to the scoping question. You should have people that perform the jobs in the room discussing it with you, whether it's a manager or something like that, not just executives and IT people. You should have people that perform some of the jobs in there so they can go, we don't actually do it that way.
Austin: Yeah, we do not like the approach, and we do not take the approach of let's just figure this out at the top and force it down everyone's throats. We get all stakeholders in the room together that have the information on how the business actually runs, and then collectively come to a decision on each control, how you're gonna solve it, because otherwise you're gonna lead to that problem in the assessment.
Brooke: We always find something when we're talking to people, and include people, stakeholders, include people that actually do the job. They always say, well, this is the way we handle it, we actually do it this way, and the executives or the IT people are like, I had no clue. What? So just be aware of that. And they're gonna show up physically and they're gonna want to see things, right? So if they walk out on the shop floor and they see a sticky note with somebody's password on a computer, and then they find out that everybody here logs in as Sally Joe because she's the only one that has access to the drawings, that's an issue. That's essentially a shared account, right? Not only is she sharing credentials, but that's a shared account. So that doesn't work. USB storage is another one of those big things. You've got to control those USB sticks, right? They have to meet certain controls, but one of them is that you have to know them: they need to be serialized, they need to be labeled, and then you need to control what gets plugged in where. You can do that through Active Directory; that's a good technical control to use. You can use programs like ThreatLocker; you can control USBs through there.
There's a bunch of other ways to do it, but uncontrolled USBs is a problem, right? Legacy systems that can't be patched: in a typical manufacturer you're gonna have some of these machines that the vendor gave you, well, they didn't give it to you, you bought it, along with the CNC machine or whatever it might be, but you got a computer along with it, and it's Windows XP for instance, or Windows 7, or maybe, if you're lucky, Windows 10. But if it's out of support and not able to be patched, that's a big issue for you, and it shouldn't be on your network. You need to figure out a workaround, how to work with that machine and how to scope it properly and all that. So that's a common issue that bites manufacturers. And, you know, well, it works great, we just send our files to it and then we pull files off of it, it works wonderfully. Well, I'm sure it does, but it's insecure. So those are the kind of things you need to think about, and the kind of things the assessors will notice. I've got a note here about compensating controls. I said you need to figure out a way around it, so if you have some compensating controls in place, that's fine. They need to be defined, and you need to make sure that you're following those, and then you can prove that. Those are all good. The other big thing is network segmentation. Do you actually segment your network, or do you depend on ACLs, or how do you do that? Network segmentation can do a lot of really good things for you. So those are the kind of things that'll help people out.
Like I said, those are common problems with manufacturers: the out-of-support machines, everything on one network, USBs floating around that aren't encrypted and nobody knows where they are or whose is whose or what's what. Here's one, we can use it, this kind of thing. It doesn't fly.
Austin: So you remember whenever you were younger and your mom would just pull the dinner out of the oven and put it on the table, and if you tried to reach for it, she'd slap your hand and say, it's just out of the oven, it's too hot, you can't touch it.
Brooke: Yeah. I remember that.
Austin: Okay. Well, you can't do that with your evidence, right? Well, I think that was a little bit of a stretch, but go ahead. I'm committed to it now. So you are. Yeah. So my point is just that there has to be some historical proof that you've been doing what your policies and everything say that you're doing, right? Yes. And so if it's all fresh out of the oven and just a few minutes old.
Brooke: There it is, I get it now. Yeah, okay. Hopefully you get it now.
Austin: See, so you gotta stick to the act, and it'll come, you can pull through. So yeah, it just can't all be fresh out of the oven, right? Because assessors will call BS on that, more or less, right? I mean, there has to be some history there. So can you tell us the problem with that?
Brooke: Sure. Again, CMMC and NIST SP 800-171 are built for ongoing management and ongoing monitoring. So if your environment has been operating for the last 25 years and you've said since 2018 that we're good to go, but yet all your evidence is from yesterday, then that throws a lot of questions in there. There could be very valid reasons why it's all from yesterday, or two weeks ago, or whatever it may be. Maybe you just stood it up, maybe all that is true. But if it's been in existence for a long time and you've been doing this work for a long time, they expect to see that work, that evidence. And surely you have some evidence that you've been doing most or some of your controls for a while. If the only tickets you have are from two weeks ago, that you created a new user, and you don't have any before that, if all your logs are from two weeks ago and no earlier than that, that may be an issue. That's gonna raise some questions for the auditor. The assessor, sorry, assessor. They are assessors. Broke your own rule there. They're assessors, they're not auditors. But that'll raise some questions for them. So that's why, once you get this in place, you really need to start gathering that evidence and have that ongoing, so you can say, yes, scout's honor, we do do this, and here's the evidence. Trust but verify. They want to see that ongoing evidence that you've been doing it.
Austin: So it has to be reasonable, for the most part, right? If everything's new, probably a red flag, right? But if you have pretty good history and everything else, and there's a reasonable explanation for some evidence that is new, then it's probably not the biggest deal in the world, right?
SPEAKER_02: Right, exactly.
Austin: So we talked about logging, we talked about the age of evidence, we talked about what form it can take: screenshots, configuration management, all the stuff we've talked about. That's all great and good. But in terms of the evidence and showing it to the assessor, and where we store all this stuff, what does that need to look like? The organization and storage of evidence. Sure.
Brooke: It can take a lot of forms. It can be however you want it to be, right? There are definitely people that do this in Word documents and spreadsheets, and then a folder with a table of contents for all evidence, and the evidence named appropriately. If you have that, just make sure you're very diligent about it. Maybe you put hyperlinks into the evidence, maybe you do whatever, but you have to make it easier for you and the auditor. Somebody that doesn't know your system and doesn't know what you've been doing, you have to make it easy for them to find all the documents, find all the evidence, and all that kind of fun stuff. So that's great. However, I'm a giant fan of a GRC tool, because it's a lot easier to keep that stuff together in one spot, and have the correct version everybody's looking at. Oh, wait, sorry, we didn't get the right version in that folder, let me copy it over real quick, or whatever it might be. But if you have a GRC tool, all that's in one spot. You can either give the assessor access to it, something like that, or you can export it. A lot of GRC tools will allow you to export out of there in a package to give to the assessor, and that's what some assessors want. So a GRC tool is a really good way to get all your information in one spot, get it all linked together as it should be. You can have one piece of evidence and it may apply to, I don't know, 10 different assessment objectives, or several controls, or whatever it might be. It may apply to several different things. In a GRC tool, you just create that relationship and it's good to go. It shows up there. They can see all the evidence, they can see the supporting documentation, and you're good to go. So, big fan of GRC tools. We use FutureFeed. I'll give a shout-out here for FutureFeed.
It's a really good tool. It is a lot of work, but guess what? CMMC is a lot of work, so it gives you the ability to fill everything out properly.
Austin: It's a tool.
Brooke: It's a tool, but it makes it easy to see what needs to be filled out properly, and it gives you guidance and all that kind of fun stuff, because with some of these things, you're doing ten different things, because nobody's job is just one control. So some of these things you're gonna have to go back and think about and look up or whatever. They have guidance on there that can help you out a little bit. But the whole structure of it, and FutureFeed, is really good and really conducive to making sure that you get everything in there that needs to be in there for the assessment.
Austin: Absolutely. Yeah, and as for everything with CMMC compliance, if you're looking for a silver bullet solution that's gonna solve all your woes and have everything just solved immediately, then it's not gonna happen. Unless you live in some very special use case or something, it's likely not achievable. Everything we're talking about is how to make things a lot easier, how to approach things simply, or with the best mindset. But everything still requires work.
Brooke: Everything still requires work, and there's a price to it, whether it's labor or dollars. There's a price to everything. You can have a free solution, but it's gonna require some labor. You can use all spreadsheets and Word documents and everything; it'd be a lot of work. You can use a GRC tool; it'd be less work, but you pay for it.
Austin: Absolutely, absolutely. So it's probably pretty reasonable, if you've been sitting here listening to us this whole time, that you might be feeling a little overwhelmed, especially if you're a small or mid-size team that is tasked with handling this. And so my question to you is, what would be the best advice that you have for smaller companies that are feeling a little bit overwhelmed right now?
Brooke: It is easy for a small, shoot, it's easy for big companies to feel overwhelmed, but it's very easy for a small company to feel overwhelmed by this. One of the things is: make evidence collection a normal part of your operations. Make exporting logs and stuff like that a normal part of your operations. It could take the form of, it becomes a ticketing system again. If you have a quarterly ticket to do vulnerability scanning and X, Y, and Z, that's a good time to take a bunch of the screenshots, to gather a bunch of that evidence and put it in your GRC tool, or maybe in your folder structure in the appropriate place, giving it a good naming convention, right? That'd be a good time to do that. But if you have something to help you remember to do all those things, and somewhere to record that you did it, say a ticketing system, or you can do that in your GRC tool also, but a ticketing system in conjunction with the GRC tool really does a lot for you. If you make sure you have something to remind you to do those things, that would be a really good thing for small companies to do. Again, if you use a ticketing system, you can do a lot with that. Schedule recurring tickets that pop up and remind you: oh hey, it's time for the assessment. Oh hey, it's time for our annual review of the SSP. It's our annual time to do the risk assessment, or whatever it might be. A ticketing system will help you do that. GRC tools can help do that too; they're just not a full-fledged ticketing system. And that ticketing system fills a lot of the holes where a GRC tool won't. So yes, you could use a GRC tool in many cases to do some of this, but a ticketing system works a lot better.
So if you can implement some sort of ticketing system, again, there's a million out there, from Jira to Autotask to ConnectWise, there's a bunch of them out there. And there's free ones. So I guess, is Jira free? I don't really know. I just know people use it. I've not actually used Jira.
Austin: It's been a long time since we looked for ticketing systems. Back then we did not see a lot of free ones.
Brooke: Yeah. So if you do this, it helps remind you to do these things, and you have a place to log it. And if you do follow this and get reminded and finish those tickets and log all that stuff, then that spreads the work out for collecting the evidence. What I will tell you is that when you go through an assessment, it's probably good to go ahead and get them all the evidence. They're gonna want to see recent evidence. So if the last time you did this was three months ago, they're gonna go, yeah, I want to see some recent stuff. So right before an assessment, you'll probably spend a lot of time getting a fresh set of all that evidence, and you'll put all that in there. But the effort will be spread out and managed through that ticketing system.
Austin: So that's some good advice for someone that might be feeling overwhelmed, but what would you say the biggest takeaway from today is?
Brooke: The biggest takeaway is to remember that CMMC is not about just having the perfect paperwork, the perfect policies, the perfect SSP. It's about ongoing management, ongoing monitoring, and being able to prove it. If you can prove that you're doing what you say you're doing, all your "perfect" policies, and I put that in quotes because I've never seen a perfect policy, but anyway, all your perfect policies, all your very detailed policies, your very detailed SSP, that's great. But you need to be able to show that you're doing everything you say you're doing, and that's all your evidence, all your logs, all your everything else. If all your policies and all your evidence match up, that'll go a long way to showing real-world behavior. And then when that assessor shows up and asks Sally Joe, we'll pick on Sally Joe again: Sally Joe, can you show me where you store your CUI? Yes, it's right here in our CUI storage location of choice, whatever it might be. It's right here on our file server in this special folder. It's right here in PreVeil, or whatever it might be, or GCC High. It's right here. Great. So they want to see that you've explained what you're doing, that you monitor what you're doing, and that you're actually doing what you say you're doing, right? If all those line up, your assessment is gonna go swimmingly. It's gonna go great. And those assessments, if you've got all that documentation ready and they come out and their questions all line up, they're good. A practice run with your employees might be a good thing to do, just so they don't stammer all over themselves and all that kind of fun stuff.
But as long as all that goes well and everything lines up, those assessments really go pretty quickly as far as on-site, and as far as dealing with you goes, those go pretty quickly. Because they can look through all that evidence, all your documentation, beforehand, and be ready to ask questions and look at things, and then when you show them everything matches up, they're not gonna go digging a whole lot deeper, and they'll go on and say, everything looks good. So those assessments can go pretty quick if you have everything in line.
Austin: All right, it's about that time, towards the end of the podcast, where we have a listener question.
Brooke: Oh right, that's great.
Austin: Yeah. So we received it after episode 43. And it comes from, I think I remember this one.
Brooke: Go ahead. Oh, do you?
Austin: Okay, good, good. It comes from @Donald Binkley, I believe, on YouTube. And I'm gonna try and summarize it the best I can here. So Donald was just hired as a junior admin at a small business and quickly realized he was the only IT person. Then he got hit with, have you heard of CMMC? And he was told just to figure it out. And he's been handling IT operations, security controls, policies, procedures, documentation, and compliance all by himself for over a year now. He says the overwhelm of that is pretty real. And he feels like they're still a long way off. So the question, I think, is: in your experience, Brooke, have you seen organizations put the responsibility of CMMC Level 2 on one person and have it be sustainable, or even potentially pass assessment?
Brooke: What I will say is, Donald, you're the only person this has ever happened to. This never happens to anybody else, and it's a one in a million case. No, I'm just kidding. This happens all the time. And Donald, overwhelm is real, and you are right, and we see it all the time. Companies just don't understand, leadership just doesn't understand, and they say, I know we've got to be compliant with the CMMC stuff to keep our contracts. Mr. IT guy, handle this crap. And the IT guy looks at it and goes, uh-oh, there's a lot to this. So Donald, you're right. There is a lot to it. It is overwhelming, especially if you've just been thrown into IT. And I don't recall how long you've been in IT or anything else, but... He is new to it. New to it, okay. But in any case, it seems like IT people and quality people are the people that get this dumped on, and they go, handle it, go take care of it. And you're a real go-getter. Yeah, you're a real go-getter. You've done a great job so far. You wear ten hats, why not one more? It's just one more hat, a small hat. I've got news for you. This is a gigantic hat to wear, the CMMC is. So can it be sustainable? Can it be doable for one person? The answer is yes and no. No, not really, specifically for one person to do it. It's not really sustainable, it's not really doable. You will have to get a lot of help. Leadership will have to be involved. They're gonna have to okay expenditure of money, they're gonna have to okay changing the environment, they're gonna have to okay changing the work processes, they're gonna have to be okay with all that, and I guarantee you they don't give you the authority to do all that without asking, right? So leadership is gonna need to be involved in this.
If you are just getting started in it, expect to go through a lot of learning. The other thing the leadership team should do is make sure that they invest in your education. They need to send you to CMMC conferences, they need to send you to get your RP, your Registered Practitioner. That's a good starting point, a good dip your toe in it. That is really just dipping a toe in it, but it's a good thing to have. So get your RP, that'll dip your toe in it. Go for your CMMC Certified Practitioner, your CCP. That'll get you in with both feet. Once you get that, I would say you don't have to become a CCA, because there are some requirements to actually get your CCA, Certified Assessor, certification. There are some actual requirements to participate on assessments and stuff, and a background check. Background check is okay, you can pass that. Well, most people probably pass that. In any case, get your CCP, go for it, go to a CCA class, go through the whole class. If you can get your CCA certification, that's great. But at least go to those classes, expose yourself to the CMMC ecosystem by going to some of these conferences, and that's where you start getting some understanding. We say it's dangerous to get your CMMC advice online, and it is, with the exception that, as long as you understand it's dangerous, it's good to go look at the discussions on Reddit and all the other places where you can go look at discussions and see people's take on that. It helps inform you, right?
Austin: Attend the town halls.
Brooke: Thank you. Attend town halls. That's free. That's a big thing. Attend the town halls. They always go over all the latest things, all the things that are coming up. They tell you all sorts of stuff. One of the things they covered is G-code. They've had somebody on there to explain why G-code should be considered CUI.
Austin: If you're looking for, maybe not the most authoritative take on things, but if you're looking for what is generally accepted as best practice and what most assessors will agree with, the town hall is a good place to look for some of that information. Reddit, not always. Reddit, not always.
Brooke: You've got to take Reddit and things like that with a grain of salt, because even people who tell you they're assessors, they might be an assessor, but they might be a brand new assessor, or they might be the kind of assessor that you don't really want doing your assessment.
Austin: An assessor is not the same thing as a C3PAO, you know?
Brooke: Right. An assessor is on staff at the C3PAO handing out certificates.
Austin: They may have gotten their assessor certification, but they may not have taken part in an assessment.
Brooke: Is that fair to say? Yes, but I believe part of the requirement to get your certification is to take part in some assessments. So maybe I'm wrong about that one. But the point is, even if you've maybe just taken part as a CCP, because as a CCP you can take part in assessments, so maybe you've taken part in a couple of assessments, just taking part in an assessment doesn't mean that you have really delved in and done a lot with that and understood real-world environments, because real-world environments are a lot different than thinking up here at 30,000 feet where you don't really touch any implementations, right? In any case, to go back to Donald and his question: if you go to some of those CMMC conferences, take part in that Cyber AB town hall, and you get your CCP, stuff like that, get some real good education, then you can start figuring out how to really scope your environment, figure out what kind of information you have, what the scope is, what it should be, whether you need to do a small enclave, or whether the only business you have is through the Department of Defense with CUI. You can start there after that. But starting to implement without any of that knowledge is a recipe for disaster. The best thing, if you want to get it done quicker, is to hire somebody to help you out. They can teach you and you can learn along the way, and that's great. You need to, because at the end of the day, you and your leadership will be the ones that the C3PAO, that the assessor, is asking questions of. If you have somebody helping you implement everything, they can be part of that conversation, but part of that conversation, not the only one. They can't be answering all the questions for you. They could be part of all the questions, I guess,
but they can't necessarily be the only one answering the questions. So one person can do it, if given the proper resources, I think is the answer. That's exactly it, yes. And the proper resources may take the form of, if you're the junior admin doing all the IT stuff, then bringing in an outside consultant to kind of help shore up and direct you properly from a compliance perspective, or it could be bringing in a properly vetted ESP or MSP or IT outsourcing company to take care of all the help tickets while you go get your proper credentials and learning done and training done, so that way you can drive the compliance paperwork and decisions.
Austin: But to be the person doing all the help desk tickets, doing all the projects, and building a compliance program from scratch is kind of hard to ask anyone to do just by themselves, unless they're just a wonder boy or girl. And money is always gonna have to be spent; that's another resource as well. Money's always gonna have to be spent. It can't be done with just the things that you guys have in place. There's gonna have to be some money spent somewhere, absolutely, and it's not gonna be a small amount. An assessment alone is tens of thousands of dollars, and then the readiness to get there, whether it's in GRC platforms or cybersecurity services to check off some of those control boxes, or if you can't do anything on-premise and you need to source some FedRAMP tools and software, you're gonna have to have the resources.
Brooke: You'll have to have the resources. And one of the things you mentioned is, again, going back to leadership saying, Mr. IT guy, or Mr. Quality guy, this is your baby, we need you to implement this. That's great, but I can tell you normally what happens is they're responsible for all of the care and feeding of the information systems. They do all the IT, right? They take care of printers when they're not working, Outlook when it's broken, bad Wi-Fi signal, why can't I share my screen in Zoom, stuff like that. They expect you to do all that as an IT guy. So what has to be realized is that this is a full-time job. Implementing CMMC is a full-time job by itself, and even if you stretch it out over a long period of time, which it'll have to be if you're starting from scratch, it's still a full-time job. So what you said a minute ago, if you're busy fixing Outlook and fixing printers and standing up new servers and stuff, where are you gonna find the time to learn about CMMC, go to events, listen to the Cyber AB town hall, and implement all 320 assessment objectives that you have to implement? Where are you going to find the time to do that?
And the answer is, you're not. So you have to have those resources, whatever form they take. There's gonna have to be some more resources provided for you to be able to finish that. It could be outside consultants come in and help you out; that's the best, easiest, quickest way to do that. Of course, you have to do your homework and find good ones. Or if everything has to be done all in-house, you're gonna have to get a lot of education, and you're gonna have to make sure that your understanding of, you know, 3.1.1 is really what they're looking for, because a lot of times an IT guy's understanding of one of the controls is not what the assessors are really getting at, not what the assessors are looking for, and not what the control is actually looking for. You've got to realize that. It's a whole thing about, you know, an Active Directory user list. The IT guy says, yeah, we've got all of our users, it's right here in Active Directory. Yeah, that's part of it, that's a good part of it, but it's not all of it. So as long as you realize that stuff, and realize that there's a lot of education there, you can do it on your own. But again, that's more resources being thrown at it. Resources, one way or the other, are going to have to be thrown at the problem.
Austin: So that's a great segue into our next piece. I wanted to highlight our free SPRS roadmap. If you're out there and everything we've talked about today, evidence and all these controls and things you have to do, is kind of making you feel overwhelmed, and you feel like you want a second look or a gut check on where you're at on your compliance journey, we can do that. It's free. It's about 90 minutes where we can help you understand three basic things: where you actually stand with your SPRS score, basically where you're at on all 110 controls, that's what the SPRS score is; what gaps within those controls are putting you or your contracts at risk; and then kind of our first-blush take on what a realistic path from where you are today to a more compliant spot in the future might look like. So we can do that. We'll go through all 110 controls and just kind of get your reporting on it, and then develop a written deliverable for you to take back and see how you might fill some of those gaps. So that's free. We've got the link down below, probably in the description is where it'll go, if you want to take advantage of that. But I don't want to spend too much time on it, just throw it out there that that is something you can take advantage of if you want to. But I think that's all we have today. So if you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Please text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.