CMMC for Small Aerospace Suppliers: Real Costs, DIY Limits, Level 1 vs 2, and the November 2026 Deadline
CMMC Compliance GuideJuly 10, 2026
64
00:32:4522.52 MB

CMMC for Small Aerospace Suppliers: Real Costs, DIY Limits, Level 1 vs 2, and the November 2026 Deadline

Submit any questions you would like answered on the podcast! Small aerospace suppliers are getting hit with the same CMMC questions over and over: what do I actually need to do if my contract requirements aren't clear yet, does redacting a drawing get it out of CUI territory, will a tool like ThreatLocker or Prevail make me compliant, and what is this actually going to cost. In this episode, Stacey and Brooke from Justice IT Consulting go through the real answers small manufacturers, machine ...

Submit any questions you would like answered on the podcast!

Small aerospace suppliers are getting hit with the same CMMC questions over and over: what do I actually need to do if my contract requirements aren't clear yet, does redacting a drawing get it out of CUI territory, will a tool like ThreatLocker or Prevail make me compliant, and what is this actually going to cost. In this episode, Stacey and Brooke from Justice IT Consulting go through the real answers small manufacturers, machine shops, and engineering firms need before the November 10, 2026 DFARS CMMC requirement hits new DOD contracts.

Topics covered:

  • Why you can't fully plan compliance without knowing FCI vs. CUI exposure, and what that means for your Microsoft 365 environment (GCC vs. GCC High)
  • Why redacting a customer name or contract number from a drawing does NOT remove CUI status
  • Why compliance tools alone (ThreatLocker, Prevail, etc.) can't get you certified
  • Realistic cost ranges for CMMC Level 2 certification, and why "$5,000" and "$20,000" quotes are misleading
  • How far a small company can actually get doing CMMC in-house, including where AI-generated policies fall short
  • Whether to start at Level 1 and move up later, or go straight to Level 2
  • What changes for new DOD contracts after November 10, 2026
  • How to get an honest readiness check with a gaps assessment before spending money

We're also co-hosting a free live webinar with FutureFeed and Preveil on shared responsibility in CMMC assessments, covering how to read a customer responsibility matrix and close gaps before they become assessment findings. Tuesday, July 21st at 12 PM Central. 

Register (free, recording sent to all registrants): cmmccomplianceguide.com/podcast

Welcome And What We Cover

Stacey

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800 171 compliance. We're hired guns getting companies fast tracked to compliance. But today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. So today we're doing something a little different. Instead of breaking down a single CMMC topic, we're going to answer some of the most common questions we hear from small aerospace suppliers. These are the questions that manufacturers, machine shops, engineering firms, and subcontractors ask when they're trying to understand how CMMC will impact their business. Many of these companies are trying to get ahead of compliance, but they're stuck because the requirements aren't always clear. So today we're going to walk through the real questions suppliers are asking and the answers they actually need to hear.

Planning Without Clear Flowdowns

Stacey

All right, Brooke, let's start with one of the biggest questions we hear from small aerospace suppliers. They're trying to prepare for CMMC, but they don't know what their customers will require yet. They don't know if their contracts will involve FCI or CUI. They don't know if they'll need level one or level two, and they don't know how far the requirements will flow down the supply chain. So how can a small supplier realistically plan for cybersecurity before those requirements are clear?

Brooke

Well, that's a tough question. You know, uh if you don't know what the requirements are, you know, you don't what do you plan for, right? And so uh really it boils down to a few things. One, uh by now, most um if you're dealing directly with the government, there those requirements are there in the contract. The DFARS rules 252.204.7012, uh 7021, and you know, all those. So uh so uh those will be right there in the contract. So that will guide you and tell you uh what where you need to be at, right? Um as far as primes go, those should also still be in those contracts, uh in those POs or whatever you may get from them that constitute a contract. The uh but really you need to know, have some indication of what you need to be uh preparing for because if it's only FCI and it's not CUI, uh the bar for FCI is down here. There is a bar, and you do have to meet that bar. But the uh the FCI bar is quite a bit lower than the than the CUI bar. If you're gonna handle CUI, uh then you have a much higher bar to cross, uh a lot more things to do. Um and the uh then if you have, you gotta find out what kind of CUI you may have, because that'll govern you know quite a few things. You know, and really what I'm talking about there is specified CUI, specify like controlled technical information specified. Uh it gives some uh dissemination and handling control. So um for instance, if you have ITAR data, you know, it may be no foreign or ear or or something like that. Uh so you gotta be aware of those dissemination and handling instructions uh and whether they require some extra uh some extra handling. So for instance, uh if you have that information uh then and you wanna go with uh uh a proper Microsoft 365 cloud, your choice is either GCC or GCC high. And so if you have one of those specified uh uh types of CUI, uh then you're gonna have to go with GCC high. You know? Uh and what I what I tell you specifically about GCC is just be very careful because if you it's not a it's not a simple flip a switch and you move over to another platform. It's a it's a whole migration and it's a whole deal. Um and it depends on how much you're using the platform as to how complicated that may be. But if you migrate from commercial to GCC, you really don't want to have to go migrate from GCC to GCC high later uh because that's just that's a whole nother migration. Um that's even tougher than going from commercial to GCC. So uh, you know, you you've got to be you've got to be aware of that and cognizant of that. And am I sure I'm only gonna be able to handle uh be handling basic CUI and not specified, and that I can go with GCC and be good with that and not go with uh GCC high, for instance. So uh but enough down that rabbit hole. Uh so the point is uh that you want to look and uh talk to your uh talk to your customer and and uh say, hey, what are the what are contractual requirements for uh what we need to be doing, you know? Uh or flip side is if you're not doing this yet, it depends on how far away you are from being ready, but uh if you're not doing if you're not contracting with the government or any primes yet and you want to, uh then you have your choice of what you what you want to do, right? But I can tell you if you if you uh go for uh CMMC level two um and be ready for ITAR and the whole nine yards, then uh that'll that'll probably do you well and it'll be good marketing for you if you get that certification. But you can't take two years to do it. Oh, well, you can. You absolutely can. But uh the marketing opportunity, the the uh getting it done before other people is gonna lose its luster after a while, right? But those people who get uh certified earlier are gonna have their pick of the contracts.

Stacey

Aaron

Why Redacting Drawings Changes Nothing

Stacey

Powell Another question we hear a lot from suppliers involves engineering drawings and CAD files. Some companies believe that if they remove the customer name, the program name, or the contract reference from a drawing, it stops being CUI. Is that actually true?

Brooke

Aaron Powell It does not. That is uh that is a fallacy. That is not true. So um removing any kind of uh marks as to where it came from does not prevent that information from from being CUI. The the if it's drawings, for instance, that those drawings are still CUI. Even if you break those drawings out, those uh what you created from that, uh those smaller, smaller pieces, you know, they're those are still CUI, unless what you created from that is a uh just common off-the-shelf product, right? If it's just a uh COTS product, an off-the-shelf product, then uh or commercial, I guess I should say commercial off-th shelf product. So if it's one of those and you can defend that, absolutely, then that that is not CUI, right? Uh but if you're not sure you can't defend that well, guess what? I think I I'd probably stick with uh being, you know, that that uh uh that derivative is still CUI. The heart of the matter is actually that uh if you redact the uh you know the company name or part number or whatever from it, it does not keep it from being CUI. Uh the only thing that'll keep it from being CUI is if you do some sort of derivative uh drawing or part or piece of that or whatever, uh, and that piece happens to be an off-the-shelf product. That's what'll keep it from being CUI, not that it uh that you redacted some stuff.

Tools Do Not Equal Compliance

Stacey

Aaron Powell Another question we hear from small companies is about tools. They'll ask something like if I buy a platform like Prevail or implement a tool like ThreatLocker, does that make me compliant? So can cybersecurity tools alone make an organization CMMC compliant?

Brooke

Aaron Powell The answer is no. And uh you uh one, you still have to have all your documentation, and those tools are not gonna include all the documentation. You have to have all your policies, you have to have plans, procedures, you have to have authorized user list. Uh those tools are not gonna give you your authorized user list. I mean you you could start with those and export that and say, here's my authorized users, but you still have to make sure that uh that's that includes everybody and that you've categorized them appropriately, that you have admins and non-admins specified on there. Yeah, all sorts of fun stuff, right? So no, the tools cannot make you um uh uh make you compliant. They can't even they really can't even get you there most of the way because of all the documentation you have to that you have to spool up, you have to write. Uh so and they may include documentation. They may say, here, here's this documentation. If you just play the pay this extra fee, you can use our policies. Well, that's great. But those policies are written for a generic company using only their product or or something like that, usually. And they can be a good starting place for you, but there's gonna be some heavy customization with that. So that I've not seen any of those uh policies that come along with services like that that are a-okay, you know. Uh so you'll you'll have your work cut out for you. Those tools will not make you compliant. They won't even fill all of your technical controls. Um that's uh and I guess possibly is there a tool, a CMMC in the box that might fit all your technical controls? Maybe so, but um, but certainly not the uh the documentation

The Real Cost For Small Suppliers

Brooke

controls.

Stacey

Aaron Powell All right. Let's go into the million-dollar question. The question about how much is this gonna actually cost?

Brooke

Aaron Ross Powell That's funny that you said it's a million-dollar question.

Stacey

So companies hear widely different numbers. Some hear five thousand dollars, other hear twenty thousand, and sometimes they hear over a hundred thousand. So what does CMMC realistically cost for a small aerospace supplier?

Brooke

Aaron Ross Powell Well, if you're so there's a lot of things to consider. So if you're a small aerospace um manufacturer, for instance, um you know the the number is not gonna be 5,000 and it's not gonna be 20,000. Uh the assessments, if you if you look at what the DOD put out, just getting ready for uh if you've got everything in place already and you prep for the assessment and have the assessment, that's gonna be over $100,000, including all your time, see-through PAO's time, and anybody else you might need help with. So that's including your time, because your time is worth something, you can't say that's free, right? Uh because you won't spend 10 or 20 or even 50 or 100 hours at it. You'll spend a lot more than that uh if you're starting from zero, right? Um so that's just for the certification itself. That's not even uh implementing all the controls, that's not writing all your documentation, uh, that's not all that. So, you know, you're probably looking, you know, you're probably looking at closer to a couple hundred thousand for that. Um but there's numbers all over the place. Uh so I'm not, you know, that's not a hard number. That's not a, you know, not telling you that's what we charge or anything like that. I mean, we go, we don't have a uh we don't really believe in a uh a we believe in a structured solution, but one that's customized for for clients, right? Uh because not everybody is the same. Everybody started in a different place, and not every s every uh CMMC compliance in a box will fit them, right? Um in fact it hardly fits any s any uh any manufacturers or any construction companies, right? Uh so you know uh you've got to implement all that. Uh it takes quite a bit, it takes quite a few hours. Those hours are gonna come from somewhere, those products that you need are gonna come from somewhere, and uh somebody's gotta pay for them. Uh whether you do them and have people into it do it internally, or whether you hire, uh it's gonna cost you one way or another, right? So um it's it's uh it's gonna be just the assessment itself again uh is this actually the assessment itself, just the one certification assessment. You might be able to get away with forty thousand dollars, you know, that's great. You might be able to get away with a mock assessment prior to that for twenty thousand, but that's just the assessments. That's you know, what about all your dot all your uh artifacts and evidence you gotta have together to be ready for that assessment? Uh you know, there's a lot that goes into that. So that's that's not the only cost. So that's why the assessment and prepping for that assessment uh cost so

How Far You Can DIY

Brooke

much.

Stacey

Aaron Powell Another big question we hear from manufacturers is whether they can implement CMMC themselves. So a lot of companies ask if they can write policies on their own, implement the controls internally, or use templates and tools like ChatGPT to help get them started. How far can a small company realistically get on their own?

Brooke

Well, I mean depends on how much, how many resources you want to throw at it and how many you can afford to throw at it and how many people you have. But what I can tell you is uh one, yes, a small company can absolutely do it on their own, right? Uh but if you're starting from zero or near zero or even twenty-five percent, um somebody is gonna you're gonna want to send probably more than one person uh to a lot of CMMC training, a lot of CMMC events. They're gonna have to be exposed to that whole CMMC world and understand when it says, you know, define your uh authorized users, what what does that really mean? You know? Um so you know, we as an IT guy, I'm like, well, yeah, they're defined. They're defined in Active Directory. You know, that's it's not the case. It that doesn't work. You can't say, Mr. Assessor, yeah, they're right here in Active Directory. That that doesn't work. Now there's more to it than that. So you've got to you have to understand what the assessor is looking for, what those controls are actually uh that are written, what what they're actually saying. Uh so you'll have to, there's a lot, a lot of upfront effort you're gonna have to put in uh to learning all of that. You can shortcut that by hiring someone and someone that knows what they're doing. So look for, don't just look for a registered practitioner, uh registered practitioning organization, but look for people that are um that have CCP certifications, uh CMMC certified professionals, uh, CCA certifications, uh CMMC certified assessors, uh, those are the people that are they're gonna know more what they're doing for this, uh than also look for some people that have been through some assessments before. Uh I can tell you from experience that it is very eye-opening going through your first assessment. So um even as as good as you think you might have everything uh spelled out, you know, there's a difference between what an assessor might think and and what you think. You're like, well, how do you I this is, you know, as an as an IT guy, you're going through going, well, of course this makes sense, you know. And he was like, well, I don't know. This is the way I see it. And and uh you say, well, okay, well, I can understand that. Well, maybe uh maybe we define this a little bit better to where any old Joe can read it and understand it, right? Uh which is, by the way, what you want to take into account is uh not just from your perspective of being inside and knowing how everything is laid out, you don't need to write everything from that perspective. Uh you need to write it from a perspective of you're writing it for somebody else to come in and read it and understand it, right? So uh it's gotta be written from that perspective. You've gotta uh gotta have it well defined, you've got to really understand what uh the controls and objectives are and what they're saying, and you've got to know what the assessments assessors are looking for. So so yes, it can be done, but it's a it's a tall ask.

Stacey

Aaron

Ongoing Workload And Automation

Stacey

Powell Another concern we hear from business owners is about the day-to-day workload. They assume compliance means constant reporting, constant monitoring, and endless documentation. CMNC compliance is basically a full-time job.

Brooke

It can be, yes. Uh what helps is when you integrate it with your uh it is added on duties, right? Um but you can automate a lot of stuff. We have, for instance, we have uh we have for us, we have tickets that pop for our for us for our clients that say, you know, hey, it's time to do your um uh vulnerability scan and security assessment, right? It's time to review your authorized users. We have uh, for instance, we we schedule quarterly meetings with the clients so we can go over all the things we're supposed to quarterly. We've got a list of those things. Uh these are and this is something that we do with clients anyway, but we just tailor it to uh CMMC, which is not which just is it is showing you that we uh do our what we do currently, we just amend that process a little bit, right? And so uh yes, it is more, it adds on more. There is more documentation. You do have to manage your documentation when it's time for, you know, I gotta go get the visitor list and I gotta review it and uh make sure that I, you know, and know who everybody was or or am comfortable with all of it. If it's all good, I don't see a problem on there, I sign it and date it and then scan it and upload it. You know, uh so those are those are all we have, you know, automated reminders, for instance. So yes, it is extra stuff to do, um, and it can be a full-time job if you let it, uh, but it can also be built into just your regular workday stuff. Uh if you dip down on just one person to do all of it, yeah, it's uh it can be it can be quite a lot. But generally you're gonna spread out the load between a few people. So it's it's uh it's workable.

Stacey

Aaron Ross Powell Another common assumption we hear is that companies should start with level one and then work their way up to level two later. Is that actually the right approach to go about things?

Brooke

Uh sometimes it is. Um it depends on how you want to go about it. But if you know you're gonna have to be level two, just do your full scope and figure out uh do your data flow diagram, figure out what kind of CUI you have, where it goes, all that kind of fun stuff. Uh and then it may be that you have an enclave that's level two and the rest of the network is level one, right? Um so uh if you're if you're building things and and changing things to uh to meet for level one, what it makes if you know you have to be level two, does it make sense just to go ahead and do that? Is it a lot higher bar to do level two? Absolutely yes. Uh gigantically higher. So there's a lot more to it. You're talking 320 assessment objectives versus I I don't remember what level one is, but it's like 50 or so, something like that. So yeah, it's quite a few more. Uh there are assessment objectives and controls you have to

Level One Or Jump To Level Two

Brooke

meet for level one. You know, so it's not it's not nothing. So you do have to do that, but uh it is a lot easier to meet level one. And if you don't know where you need to be uh, you know, in a year, uh you don't have any uh CY contracts right now, yeah, level one might be a great place to start. Uh but if you know you have to do it, then uh you know, for instance, the deadline on November 10th is is approaching where those contracts are gonna start having the requirement to be certified before you can win a contract. Uh those new contracts are gonna start having that requirement. So uh if that's the date you're shooting for, I man, I'd just go, or even you know, shortly after that or within the next few months or half a year after that, I would still go ahead and just go straight to level two. So it's it's quite depending on depending on where you're at. But if you're talking about do I go to level one or level two, you're probably close to zero at the you know, close to start. Uh I would I would go directly to level two.

Stacey

Aaron Powell So you kind of brushed up on the uh big jump between level one and two. Can you go into detail of like what that really entails when you go from a level one to a level two?

Brooke

Uh well, sure. That's uh uh for level one you have uh you know 17 controls that you have to address uh somewhere I have to look at them again to remember, but somewhere around 50 uh objectives. When you go to level two, it's 110 controls and 320 objectives. Um level one is around basic safeguarding, uh authorized user list, you know, all that kind of fun stuff. You have to have um uh some evidence on hand and and everything. So you've got to have all that. But level two is is a lot more than that, and it's a lot more in-depth, a lot more quite a few more policies. Level one, you can probably get away with uh one policy, one long policy to to take care of it. Um you know, it depends on how you write it and what you're doing exactly. But um but uh with uh level two, you're gonna have multiple policies, plans, procedures, um, you're gonna have all sorts of lists and diagrams and everything else. So it's uh level two is is a heavy lift. Whereas uh level one uh is is something you have to do and it's not nothing, but it's quite a bit easier than level two.

Stacey

Aaron Powell Another question we hear a lot about is documentation templates. Many companies assume the government provides ready-to-use policies or documentation guides. So is that really the case?

Brooke

Uh well, uh there may be some templates you can use somewhere, uh, but wherever you get templates from, uh they are just templates. And you do have to go through and customize them because they're not going to be written for your company, how you're doing business, how your data flow goes. Um you know, maybe maybe you've scoped out um maybe you've scoped out uh wireless and mobile devices and um you know some of those other things. Maybe you've scoped all those email, maybe you've scoped email out, you know, and uh you've tried to really tighten that uh tighten that down. Well, you know, policies are probably generally gonna address all those things. And so um you'll have to go back and and amend those policies. So uh yes, there are templates that you can use. I I would absolutely use a template to get started. Um uh but you also have to realize uh wonder where

Templates And AI With Guardrails

Brooke

you're getting those templates and how good they may be, right? Um if they're if they come at a small price along with some other package you're getting, they're probably not that great. Uh if they um if they're free, uh Again, they're probably not that great, although they might be a good place for you to start. Another thing uh I'd touch on is uh using AI to help you with their policies. Um, to be honest, I use AI for you know to write help me word policies better because I'm a bullet point guy. I want everything to be bullet points. Bullet point one, two, three, and I want it to be a short sentence, you know. That's not really that doesn't really work out all the time. So, you know, I might have AI help me flesh some things out. Um uh but I but you it's a tool, right? Just like anything else, just like your computer is a tool, um, you know, you've got to use it as a tool. So you can use that to to help you out, but you've got to have the knowledge to know what all is supposed to be in there and what AI has missed or what they got wrong or whatever else. So I'm not telling you you can't use AI or that you shouldn't use AI. AI is great, you know, wonderful, but you've got to check on it. It's a petulant 16-year-old kid, you know.

Stacey

So who hallucinates from time to time.

Brooke

So who hallucinates, yes, from time to time, absolutely. You know, they might not uh it might not address if you ask them to draft a policy for access control for you, uh that'd be a great place to start, but you better go in and make sure that uh you know you address 3.1.1, 3.1.2, and you know what make sure all those are addressed in that policy because sometimes it leaves it out, and sometimes if you uh it it just it matches things wrong. So um I've seen all that. Um you just have to be very careful with AI, just like you have to be very careful with templates. So those those policies that you either get from templates or get AI to help you with, uh, or a consultant, you know. Uh all those are going to be, although the consultant can probably work with you and you know tailor it more towards your business, you s but you still do need to check it. You're responsible, you're accountable for those policies. So but uh otherwise the the AI and the and the policy templates, uh yes, you'll you can use those, but you'll definitely want to check it and verify, customize it for your business.

Stacey

Aaron Powell So taking a step back to look at the big picture here for a moment, what actually happens when CMMC becomes a requirement in all of the new DOW contracts?

Brooke

Uh so when it comes to requirement uh no on November 10th of this year, 2026, uh so this is uh July, so July, August, September, October, November. So you have less than five months, right? From this recording. I don't know when you'll listen to this, but five months from this rec less than five months from this recording. So um uh when it becomes uh when when phase two goes into effect, uh then they're gonna start requiring. Now they did leave themselves a little bit of wiggle room, okay, but for all new contracts, it's not retroactive. Uh well they actually left them some wiggle room there, but it's generally not retroactive. So um they uh on November 10th, all the new contracts that are coming out, you'll have to have that certification completed and in place before you can win that award. Right? You can bid for the contract without it. But you

What Changes After November 10

Brooke

gotta be careful because these um one of our podcasts, we went over the timeline, and I don't remember the exact timeline, but the timelines between bidding and award are are shrinking or kind of small. Or not kind of small, but they are uh as t in terms of g uh prepping and uh becoming uh prepping for certification, uh becoming certified and all that, uh that timeline uh will not fit in very well. So if you're if you're going through your assessment right now but you don't quite have it and you're pretty confident that you're you'll do well on it, or maybe you've been through your mock assessment and now you've got to go through a certification assessment, uh, you know, then that may that may work for you, right? But if if you're not really positive that you're ready for that uh certification uh and you bid on a contract when they say, Hey, great, uh, you know, you've won this contract, we need to see your uh certification. And you're like, well, I don't have it yet, can you wait a month? You know, that might be an issue. So uh but basically for new contracts coming out uh after November 10th, uh with a couple of different caveats and low leeway they b they left themselves uh on on those uh you'll start seeing the the need to be CMMC level two certified before you can be awarded that contract.

Stacey

Before companies spend thousands of dollars preparing for CMMC, they want to know where they stand today. How can aerospace suppliers determine their current readiness?

Brooke

Uh really it starts with a third party coming in and and uh doing a gaps assessment, right? Uh and you want to start at a gaps assessment, um, not somewhere in the middle, uh, because you got to start it uh at the beginning for somebody to come through and just look through everything from a bank blank slate and uh and say, yeah, uh you got this and this in place, but you don't have this in place. You don't have that in place, you know? And uh say these are the things you're missing. And that may not there's people call different things gap assessments. Uh you can do a gap assessment while you go through all the controls, uh, but not do a full uh uh POAM creation, right? Uh plan of action and milestones. Um we generally start with a uh gaps assessment at first, and then the next phase is building out the SSP and the policies uh uh and everything else and then and then developing the POAM. And so those are all the things you have to do, all the thing all all the stuff that still has yet to be implemented or completed. Uh so the gaps assessment

Readiness Checks With Gap Assessments

Brooke

may not be your POAM, but the gaps assessment will at least tell you, you know, a third party comes in and says, you know, you're missing on these 10 controls, we don't think you meet these, then that gives you a really good idea, right? So I would I would suggest highly starting with a gaps analysis. You know, when you start with a gaps analysis, uh then you have a, you know, you you at the very least you have an estimated SPR score you can use, right? Um The unfortunate thing is when we when we go in, uh, you know, somebody that thinks they're in in decent shape, we go in and and uh do a gaps assessment and say, look, we you know, the way we look at it, your score is uh, you know, negative 15 or something. And and they're like, well, how how can that be? I thought we were like 98. And so uh there's there's oftentimes there's a a different view on it, but the different view comes in from being through those assessments, right? Uh so uh really I'd I would highly suggest a uh gaps analysis from somebody who's who's in who's in that CMMC business who does uh does those things who's helps if they've been through assessments and they know what those assessors are looking for. Uh also it can help if you have uh uh an assessor come and do it. Um with assessors coming and doing your gaps analysis, um assessors are uh some assessors are a little bit better technically than others are. Uh so there may be some uh explanation of things that uh stuff that has to go on. Uh but uh if you get somebody that understands the controls and the implementation, the technical parts of it, uh that that really helps out.

Stacey

All right, before we send you guys off for today's episode, we wanted to mention um a pretty awesome webinar that Brooke is gonna be uh co-hosting on. So we're teaming up with FutureFeed and Prevail for a free live webinar built specifically for those that have DOD or DOW contracts that are navigating shared responsibility in their CMMC assessments. So if you're using cloud tools, third-party platforms, or a managed service provider, there's a good chance there are controls in your environment that nobody has clearly claimed. And that's exactly what assessors are trading to find. So join us on Tuesday, July 21st at 12 p.m. Central Time, and we'll walk you through how to read a customer responsibility matrix, identify where responsibility actually sits, and close the gaps before they become findings that put your contracts at risk. So you can sign up for free. Um, it's a live webinar that will be recorded. So even if you can't attend that specific time, it's worth signing up and we'll send you that recording. Um and you can register at cmc compliance guide.com forward slash podcast. If you have questions about what we covered, reach out to us. We're here to help fast

Webinar Invite And Closing Notes

Stacey

track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmc compliance guide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.