Most small and mid-sized manufacturers do not fail CMMC because of “tech.” They fail because their documentation does not match how the shop actually runs.
In this episode, Austin and Brooke break down how to build CMMC documentation that is concise, accurate, and assessor-friendly without drowning in templates that were never written for your business. You will learn why template overload causes gaps, how to keep policies aligned to real workflows, and what “minimally sufficient” documentation looks like for both Level 1 and Level 2.
We also cover the difference between CMMC Level 1 and Level 2 documentation expectations, why evidence retention and verifiable processes matter, and how to decide between a file system approach vs a GRC tool to keep version control and proof organized for assessment day.
If you are a machine shop, aerospace manufacturer, or engineering firm trying to get compliant without creating a 400-page monster, this is your playbook.
Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin and I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're going to talk about something near and dear to every manufacturer's heart: documentation and paperwork. I'm sure. I have no doubt. Yes. Yes, just kidding. No, not near and dear. Um, it is typically what we hear from manufacturers as the one thing that they uh don't have figured out or don't like. It's typically um, you know, people running lean teams, uh, maybe an IT guy, an ops manager, or a quality guy wearing multiple hats, uh, as they always do. Um, and you probably have a binder or um folder on your desktop somewhere that's old, dusty with a bunch of templates that you haven't visited in a while. Right, exactly. So that's you. Uh today we're gonna be talking about policies and paperwork. So get ready. So, Brooke, let's start with the obvious question. Why do small and mid-sized manufacturers and machine shops uh end up drowning in paperwork that doesn't even seem to match their uh day-to-day operations and what they actually do?
Brooke: It's a good question. I have no clue why. No, I'm just kidding. Uh so uh you know, that's a problem that a lot of folks have with CMMC, especially if they've tried to do it themselves, you know, and downloaded a bunch of templates and all that kind of fun stuff. But really where it really comes from is that most, you know, most of the uh defense industrial base is uh not huge Lockheed Martin, Bell, and uh Raytheon type companies. Most of them are uh going to be small businesses, you know. And uh those small businesses and even some medium-sized businesses. So they don't necessarily have the CISO, the chief information security officer. They possibly might have a CIO, chief information officer. Um typically they're small teams. Um if at all, uh a lot of our clients, we for instance, we are their team. They don't have a team, so we're their IT team. So um we're their CISO, CIO, we're their help desk, and everything else. So uh but there's a lot that don't have that. And so to be able to um download a few templates and uh put them in place and think they uh address CMMC, that's uh that's a tough one. You know, they're busy doing what they're supposed to be doing, you know, running those CNC machines, uh managing other employees, uh you know, uh doing the business of business, you know, um instead of uh creating documents and uh templates and policies and you know all that kind of fun stuff. You know, that's not necessarily their forte. And their forte uh generally is not uh information technology either. So there's I will say that uh most of this is not uh most of CMMC is not about the tech. It's about paperwork, people and process, you know, documentation, make sure you're doing what you say you're doing. Uh but it is about protecting that information, then it, and that is uh a large amount of that is that part is tech. So uh but there's you know template overload.
You can go to any number of places and download templates for CMMC. That's great. That'll get you started. You gotta kind of understand what it means. That would go a long way to help it. Uh so people start out with all these templates and they really don't um address the way they're doing business, you know. Uh they don't really understand what they're supposed to write. They may be overly broad or um you know not specific enough to address their environment. You know, and when you're downloading all those uh policy documents uh trying to figure things out, you know, uh Raytheon and uh Lockheed and them uh may need, you know, uh a huge set of policy documents, you know, split out all sorts of fun stuff to uh to get it all covered properly and make sure it's understandable and everything. But with smaller businesses, you can coalesce a lot of those policies you would normally split out with a larger company. You could make those into one policy. For instance, I mean there's you know, have a policy for each of the 14 families, you know, of uh of controls and then have some policies or procedures uh and some plans to go along with that uh to cover the other things you need. Um and that'll go a long way towards fulfilling what you need for your uh small business. You don't necessarily need to split out, you know, every single role or anything. So um another thing is there's no uh no one person necessarily that uh owns these policies to keep them updated to make sure that they address everything that's supposed to be addressed for uh that small business. Um you know, they may assign the quality guy to do all this, but you know, the quality guy goes, yeah, here's some templates, you know, and uh but who's supposed to really keep those up to date? Who's supposed to do anything with those? You know.
Austin: So um yeah, typically uh there's either not a champion for compliance and all the paperwork, or there has been one designated, but they're highly under-resourced.
Brooke: Highly under-resourced. And a lot of times when there's a champion, uh you know, the owner or the CEO or whoever says, you know, hey, little Johnny here, uh quality guy, uh I need you to implement CMMC for us. And so little Johnny goes and talks to the CNC operators and says, you know, we got to do this. And they're like, yeah, thanks. We're not doing that, you know. Uh so it really needs to have uh champions that uh and somebody it needs to have high-level buy-in and high-level um push to get everything done. So uh a lot of times it doesn't. A lot of times it's a quality guy, the IT guy, you know, and uh everybody else says, you're telling me we gotta do what? Um and again, I've addressed uh this one, the uh note that I have written down is that uh the policies don't actually address the way you work. You know, I've talked about that already, but um you know it's gotta you've gotta understand the way people work, the way all of your team works. Uh for instance, typically we'll bring in not just the uh executives, but we'll bring in other managers and team members uh or ask them to bring them in. And uh we'll have those policy meetings with everybody. And typically what you find is, you know, the IT guy or the CEO or somebody says, yeah, this is the way we do it. And you know, the guy over here who actually does it says, well, actually, this is the way it really works. And so you find a lot of uh good detail out that way, making sure you involve the people that actually do the work or the people that directly manage those people, right?
Austin: Yeah, a good way to fail your assessment is to make a bunch of assumptions. Yeah. Yes. Yeah, assumptions are not good.
Brooke: So you know, and when people want us to bring the uh put this documentation together that, you know, we can do all that for you, but it's really not for you, it's with you and along with, you know, uh guiding you through it, helping you uh, you know, understand everything and putting it together for you. So it's not uh you can't just say, go put this together and give it to me. You know, you have to understand the business, and there's not generally there's not one single person that does understand the whole business. So you put all those problems together and you get uh you know unnecessarily complex policies or policies that are too broad, you know, to address everything the way they should be addressed. Um so those are real problems within uh small companies.
Austin: Yeah, typically uh when we work with a company, they either don't have documentation or they do have it. And so when we look at it, um when they have it, they typically have done a find and replace for the company name. For the company name. And that's about all they've modified the template for.
Brooke: Sometimes they do a find and replace for, you know, like a CEO and replace it with uh you know president or whatever.
Austin: But sometimes they'll actually put the people in there, yeah. Uh but the uh point I'm trying to make here is that um, you know, the template is written for a fictional company. Yes. Um or the company that created it and then based on themselves. Um and so uh that fictional company uh is doing certain things, and typically um uh either they're not the things that you're doing or uh they're very narrow in um or in a perfect world kind of scenario of the way things are handled, and it's not the way you're doing it. Exactly. Um and so uh it's like you said, it's a great place to start um and give you the bones. Um, you know, like you ever hear someone, you know, like bought a flipper house, you know, a house to flip, and they're like, it's got good bones. All right. You know, that's what a template is. It's got good bones, but you gotta do the renovation, you know.
Brooke: It is. Um sorry, go ahead. No, you the other thing is there are um and I'll just go ahead and name them, but there are companies that you can use for uh enclaves and stuff like that, um or enclave type solutions. Uh and PreVeil is one of those. PreVeil's you know got a good product. Um but they'll also give you templates, you know. So you can buy this template um policy package, I don't remember what they call it, but anyway, and you grab those templates uh and it even tells you these templates are written with this fictional company in mind. And they tell you about this company and what it is, and then the understanding is you've got to go through and make it match your company because you're probably not the exact company that they listed out uh who this is written for. Um so you know, stuff like that's great because, you know, for instance, PreVeil, it'll be um uh the documentation will be written for using PreVeil in your instance if that's what you do. It's great and wonderful, but I can a hundred, a thousand percent tell you that those documents have to be customized for how you do things because they do not they don't address everything that needs to be addressed, and they can't address everything that uh that you do the way you do it. So they have to be customized. You can't just take PreVeil's documents and do a find and replace. I guess that's a good place to start on day one, but you know, on day two, you've gotta go a little further than that. So um but yeah, there's all sorts of places you can get some really good documentation, but you've got to go the extra m I was gonna say extra mile, but it's probably miles, multiple, to uh flesh out that documentation.
Austin: Yeah. Yeah, the template will be a good place to start to shortcut a lot of hours of uh getting started, and then yeah, you got the extra miles to go. So before we get uh into simplifying everything, um can you help clear up the confusion and uh kind of frame us properly uh and explain what's actually required for CMMC level one versus say CMMC level two?
Brooke: Sure. Yeah. So uh CMMC level one is the level one stuff, and level two is the level two stuff. So uh to take that a step further, um uh CMMC level one uh is the basic um are the basic controls you need to implement uh to be able to handle FCI, federal contract information. If you handle any CUI at all, you'll need to be level two. Uh level two self-assessed or level two uh C3PAO-assessed. So um but as far as level one goes, uh 17 controls. Um they're relatively easy to implement. Um and uh you just have to you do have to have a policy. You don't necessarily have to have a giant policy stack, you know, with tons of stuff, tons of plans, tons of procedures, everything else. It's not a bad idea to have in place, but you don't have to have that for level one. Uh you can really generate that with one good policy that addresses all the controls, all the assessment objectives that are there, um, and uh get that done and make sure you have those basic controls in place. Um they're pretty typical. Um so depending on how you do business, you might already have these implemented, uh. Or you might have most of them implemented. Um but uh you do have to document what you're doing, um access control, visitor logs. Uh you may not be doing visitor logs, for instance, but uh you know that's one of the things you have to do, for instance. Uh so uh but it's a lot shorter and simpler to implement, but you do have to have policies, you do have to write that stuff down uh and say this is what we do, and then you have to do it. And you have to CMMC, even level one, is all about uh ongoing management and ongoing proof that you're doing what you say you're doing. Uh so those visitor logs, those you know, access control, all that kind of fun stuff, you have to keep that up. You can't just, it's not, none of this is a uh one and done. Yeah.
Austin: Much more achievable, but there's uh you still have like uh a pretty decent liability and burden with CMMC level one, like you were mentioning. Um uh most people um and including a lot of IT providers, um and compliance people just kind of skip past level one and um say, yeah, that's easy, just you know, do these things, you're good. But there's um it's kind of a uh unvisited topic, really. Um and it's like to the point at which if you go read um I think it's the I'm gonna get it wrong if I talk about which document I'm referencing, but it tells you how you're supposed to do a self-attestation. Um and if you go read, you actually have to um level one assessment guide. Yeah, the level one assessment guide. Um and I uh I'm actually talking about um I think it's the 48 CFR. Um but in there um it says uh what you have to do for a self-attestation, um, and you have to retain all the evidence uh that you used uh for the self-attestation um to prove it, right? And you have to I think it'd retain it for six or seven years or something like that. I can't remember what exactly it is. So go look it up. Don't trust uh my memory here. Um uh but the point is most people just phone in level one. They do, yes. It is much easier, but if you're gonna attest to it, um you have a burden of policy, of documentation, of evidence, and um it's less focused on, but should anything ever happen, or the government come knocking, or anyone ever go look into it, and you attest at some point in time, and you don't have that evidence, and you hadn't done those things, and you don't have the policies and documentation, you hadn't followed it if you do, uh you're still at a uh significant liability um by having attested to something that you weren't in every truest sense doing, even if you had antivirus and visitor logs, if you didn't do it the right way, um that's a problem.
Brooke: It is. You know, and just to go back to that, that would be grounds for a False Claims Act there. And uh most of those False Claims Act cases, just so everyone knows and remembers, are started by whistleblowers. They're not necessarily a breach, uh, but they're started by whistleblowers that say, Hey, you know, I tried to tell them, you know, and they wouldn't listen to me, but these guys say they're doing all this and they're not. So uh that's uh whistleblowers that uh do that. So it may not be a breach that happens, but uh it may be somebody that says, you know, hey, we should be doing things right and we're not. And Uncle Sam, come check these guys out.
Austin: Yeah, yeah. Which could be a previous employee, a vendor, you know. You know, a customer. Um because in normal uh, you know, daily business, uh these are kind of things that people just kind of learn how you operate. And uh it is apparent uh you know whether someone is or isn't following some rules and some people may have more information or not. So I'm just trying to point out that those are kind of the exposure points that someone has for a false claims act and who could be, you know, um a whistleblower, not making a judgment on whether that's good or bad. Um just saying, you know, if you're concerned about your liability um and you know uh if you're trying to decide whether you should follow the rules uh properly, there is probably more exposure than you're thinking about.
Brooke: Right.
Austin: You know, if you don't absolutely test something you're not doing.
Brooke: Absolutely. Yeah. So uh you asked about the difference between level one and two. Um so moving on to level two, of course, there's uh you know, 110 controls and there's 320 assessment objectives. Uh there's a requirement for uh a good bit of documentation there. Um so uh you know generally a good idea is to have your you know policies for each of the 14 families, um, but you gotta make sure all the 110 controls are covered. All the assessment really you need to make sure the assessment objectives are covered through those policies and uh procedures and everything else that you have. Um there's uh you also have to have uh evidence of how you do things. So if you say that uh we have uh MFA implemented for computer logons for our workstation logons, then you have to show the configuration of that, uh some screenshots of you know MFA coming up, uh that it actually happens, um, you know, stuff like that. You have to have evidence uh that it's actually in place. Uh then when an assessor comes, you know, they'll want to see it as well, but you have to have all that. Uh you have to have a uh well, I guess you don't have to, but you need a good way to store all that. Um you can absolutely store it in SharePoint or a file system or something like that. Um uh but as long as there's no CUI in it, uh, you know, but you need to think about that. You know, your documentation should not have any CUI in it. Um SPA, uh you know, uh security protection data, um SPD I guess. Uh so that would, you know, you very well might have uh you do have that in your uh I'd be very surprised if you didn't have some SPD in your SSP and your policies and stuff. So but the uh the storage of how you store all that, it can go in anything, right? Uh as long as it meets the requirements that it needs to meet. But um what I would say is really uh a GRC tool is the best place to put that. Um, the tool will help you organize everything.
It'll keep everybody on the same page without 50 different versions of the same document floating around and wondering is this version one really the real version one? Or is, you know, did I, you know, did somebody save it with the right name? You know, who's uh who's the policy owner and did somebody other than the policy owner save it? You know, what did they anyway? So it gets confusing in a file system unless you're uh very structured in the way you do it and uh very strict about who can do what and all that kind of fun stuff. So um uh you certainly can do it in a file system, but a GRC tool uh is a very good thing to put in place and use. That like I said, keeps everybody on the same versions, keeps everybody uh it organizes everything very well. Uh the one we use, FutureFeed, um, it walks you through all sorts of stuff. You basically write out your SSP right there in the uh in FutureFeed, and then you can um generate that SSP uh from there as you're filling out the controls and the assessment objectives and whatnot. Uh it'll show what uh proof is available to look at, of course, uh you know when you uh print out that SSP. Uh anyway, it's uh but a system like that will help keep everything organized and together in one spot and everybody on the same page a lot better, uh a lot easier uh than a file system. Well now, is it more expensive than a file system? Yep. I mean, a file system is probably what you already have in place, you know. Uh so a GRC tool is gonna cost you some money. So is it worth it? We think it is. Other companies may or may not think it is, but a GRC tool uh really helps out as well.
Austin: So yeah, well, it really depends on you know where you're putting your money and how you value certain different things and your resources. Uh for us, um, you know, we're a service provider. At the end of the day, um you know, however you look at it, our customers are basically paying for our labor. Um and so uh we have found that um, you know, uh typically we get a more affordable result for our customers if we use a GRC platform um because it does all the things you said it does, and it just creates efficiency, and efficiency is created by spending money. Um it is. So it's you know, but for us the ROI is there. Um whether that applies to you internally, um, you know, do a demo. Uh you don't have to do FutureFeed, but look at whatever is out there. I think there's free ones too. Sure. Um but you know, it may be worth the extra investment of time and/or money um because you might get some efficiencies that you buy there with uh one or the other. So all right, getting into the uh nuts and bolts of documentation. Um if a small or mid-sized, say machine shop um or engineering firm or something like that um wants to simplify their documentation but without taking shortcuts or jeopardizing, you know, passing an assessment, um, how would they make that happen?
Brooke: Uh well the way they make that happen really is uh we've kind of mentioned it already, but uh consolidate uh everything you can. Um take those policies and make one policy per family, right? Uh one for access control, one for awareness and training, and so on and so forth, right? Uh make one policy uh per family. Uh go through and however you structure them, just uh you can put sections for you know each of the different uh controls and whatnot. Some of the controls are related, you can bundle them under one section or something. But uh, you know, just make sure all those are addressed in there, uh but consolidate uh from 50 policies down to you know uh 14 policies, I guess, or maybe a couple more than that, but uh as few policies as you can. You know, start off with the 14, uh the 14 families, and then whatever other policies you may need uh to finish addressing all the controls and everything, uh do that. But uh consolidate as much as you can uh into those policies and realize that um, you know, there's uh you know access control is a good one. You know, it talks about um, you know, there's an assessment objective for, you know, uh for user accounts, for devices, and for service accounts. And well, you can write that very easily and it's you know, you can write all those uh objectives very easily and condense that down from the you know from the length that may be to write each one individually uh down into uh a shorter, simpler paragraph or something like that. So um so consolidate uh you know any policies that might be related, but uh you know, any policies you can, certainly one per family uh is a good way to go. That also keeps it um understandable and relatable for the assessors. Because if you have policies all over the place, uh it's hard for them to follow.
If they don't follow one for each of the families, you know is it even you know, is it even really covering everything? You know, so they need to be written for CMMC um to get the most out of, I guess they don't necessarily have to be written for CMMC, but they do absolutely have to cover all the controls. So um because there may be multiple frameworks that you have to follow. Uh and I'd say, you know, your SSP, just remember that your SSP should tell a story of uh how you're doing everything. So for each of the controls, and I'd say each of the assessment objectives, if you're using a GRC tool, it's easy to put those uh assessment objectives in there, uh statements for assessment objectives, and uh have those uh be addressed in your SSP. Um but at the very least, uh make sure those uh in each of the controls, your statement uh addresses all of the uh assessment objectives. But in any case, uh that SSP needs to tell the story of how you're doing everything. Um you can put some details in there, but I would refrain from making your SSP 400 pages long. Some people do that, and if that's you and you like it and you think it works out great, more power to you. That's not the way I do it. Uh that's not the way; uh, you know, plenty of assessors that I've talked to uh like to see uh the SSP tell the story and uh more of the detail uh of what exactly you do in the policies and then plans and procedures, of course.
Austin: So I like to tell our customers that we try and do uh the minimally sufficient um amount uh to be compliant, not to skirt anything. No, because it's optimal, because if you go much beyond that, um you're kind of given some rope to hang yourself with. And um, and not necessarily in a bad way, but if you go way too far into uh the weeds and everything else, you're just providing a lot more things you have to do and prove and everything else, whenever uh you just want to uh answer the question, be compliant, and that's it. If you're gonna go the extra mile, say, um on your security logging or uh you know whatever else, um that's great. But um, you know, just do what's required um in terms of compliance and everything else. So like for example, everyone giving a real world example. We have a uh a company that we're working with, and um they're keeping all of their um uh all of their network to the level two standards. Now they've got an enclave um that is gonna be assessed. Right. Right. And so that is um, you know, that's kind of the scope of what we've put out into um the documentation and everything else. Um and they're going the extra mile on the rest of their network to keep it level two just to be secure. Right. Um but we're not, you know, we're limiting the scope to just the enclave where the CUI is, just because what is the point in getting the rest of the network assessed? There's not. It's just gonna make the burden of assessment much larger. And that's what I mean by that.
Brooke: Yes. And yeah, think about your policies and what uh you know uh in your SSP as well. But um but what do you want to write in there and what do you want to be uh held accountable for? Uh if you keep most of your logs for a year, um but some of them are only 90 days, for instance, uh you know, you don't want to say, you know, yes, we keep our logs, uh our logs uh have one year retention, blah, blah, blah. Because when the assessor comes to look and says, Yeah, but this one is 90 days, and you're like, oh yeah, except that one. You know. So, you know, the way to write that is to say exactly what you do, or say our logs are uh kept for a minimum of 90 days. Um so just think about those things and uh write them appropriately to make sure you address those and uh you know, just the facts, ma'am. You know, the old, uh, well those of you that are old enough to remember Dragnet, the old TV show. But you're probably not. Yeah, exactly. Uh so you know they say just the facts, ma'am. Uh so you know, assessors, uh you give them just the facts, these policies and everything. Uh you give them just what needs to be in there. Uh you don't want to go on at length because uh, like you said, you know, then you're holding yourself accountable to things you don't necessarily have to hold yourself accountable to. So um uh and I can't think of a good example other than logs right now. But logs is an easy example. It's an easy one. So uh but uh they should address everything you do, um and you should write them in such a way that it gives you um some room. Not that you want to write them overly broad, I'm not saying that, but just an example of the logs. So it meets the requirements, it meets what you're doing, uh, and you can do more, but you've got to show that it's at least what you said.
So I've also had assessors say if you do say the logs are kept for 90 days, for instance, uh because logs is the only example I can think of, uh if you say our logs are kept for 90 days and they look and say, they're kept for 120 days. You know, this is wrong. You know. So if you change that and say they're kept for at least 90 days, then you're good.
Austin: So the way it's written is important. Yes. Yeah. Yeah. So um and then the other thing I was gonna say is uh a lot of assessors don't give out extra credit. No, yeah. They don't give out extra credit. Remember it's a pass/fail. Yes.
Brooke: Absolutely. The other note I have down here uh to remember uh is that uh stop creating multiple layers of documents, right? And that just goes back to everything we were just saying. Um, you know, uh you need your SSP, you need your policies, uh some of those plans and procedures are required. Make sure you get all those in and just keep those uh as succinct as possible. They're gonna end up being, they're always longer than I like them to be because I want it to be bulleted really short and be like half a page. That's not possible. But that's what I would like. Um but uh you know those policies need to be nice and uh succinct to the point but still cover everything. Uh and then of course you're gonna have to have all of your supporting documentation, your uh screenshots of everything you're doing, how your things are configured, everything else um that you're gonna have to have. Uh a GRC tool is a great place to keep all that stuff because you can attach it right to those controls. Or you can put it in there and attach it to multiple controls if you need to, and that will happen. Um and it's hard necessarily to attach it to multiple controls uh in a file system. You can. You can create links and all sorts of fun stuff, uh, but uh in my mind it's easier to do in a GRC tool.
Austin: So when it comes to getting assessed, what do assessors actually care about most when it comes to documentation?
Brooke: They care that your SSP is well defined, that it lays out, like I said, a story of how you're protecting everything, how you're fulfilling those controls. They care about that. They care about your policies mapping to NIST 800-171 controls, and that they show further what you're doing, define what you're doing. They also care about evidence. Hopefully you've got some evidence for them to look at already. Hopefully you've produced all that. And when you provide them documentation before they come out, they can look through it and go, wow, these folks are really put together. And they can come out and say, all right, show us your password policy. And you can pull up that password policy, show them, okay, good. If you stumble around and can't figure out where it's at, or you have to say, don't look, let me change something real quick, you know, maybe that's a problem. They care that you can produce that proof and those logs and everything. They care that you can produce that quickly and efficiently, and that you have something already implemented and you're not having to play catch-up or anything. So those are the kinds of things they care about. And if you have all your documentation, your SSP, your policies, your procedures, and your plans, all of course mapped to NIST 800-171 controls and CMMC, and then you provide all that evidence, your assessment is gonna go a lot quicker. If you've got all that taken care of, you've got all that evidence already uploaded to wherever it goes, a file system or a GRC tool.
When you provide them all the documentation that they request and they see all that, that should hopefully make your assessment go a lot quicker. Won't be any cheaper, just so you know, but it'll make it go quicker.
Austin: Well, it'll be cheaper in the fact that you won't have to redo it. Well, yes, that's true.
Brooke: It will be cheaper because of that, yes.
Austin: Yeah. So, have you ever seen Wolf of Wall Street? Yes. Okay. It is not the most PC movie, no, not really. It's one of my favorite movies just because it's so well done and it's over the top and everything. But anyway, Leonardo DiCaprio is this really good actor in it. Anyway, there's a scene in there where they're getting audited by, I think it's the SEC or something, one of the money auditors. And what they do is they're just putting roadblocks up for the auditors. At one point they bring them into the office, like, yeah, can I do anything for you? And then they stick them in this conference room that's turned down to like 55 degrees and freeze them out, and they're in there shivering, and they just bring boxes and boxes of paper, you know, those bank boxes, and stack them up in front of them and slam the door and walk out right after they're done being nice to them. I just thought that was hilarious, but that's not what you want to do with your assessors.
Brooke: No, you do that to an assessor, and you very well may fail.
Austin: In fact, I wouldn't be surprised if you didn't. Right. You want to do the opposite, actually. So it's a funny scene. Yeah. But really, to make your assessment go well, you kind of want to lay out the red carpet for them. You want to make their job easy, you want to have an answer to every question, have everything at the ready, be able to pull up things as they ask for them, like you said, very easily. So you want to do the opposite of that.
Brooke: So when you say roll out the red carpet, are you talking about having coffee and kolaches and mimosas and special gifts for them or something?
Austin: You take that however you want to. I'm not sure.
Brooke: I mean, coffee and kolaches are probably okay. The rest of the stuff is probably not. But really, when you talk about rolling out the red carpet, it's make it easy for them and provide everything they need, all the documentation, everything. Yep. Absolutely.
Austin: Absolutely. All right. Let's take it from the other side. What happens when a company oversimplifies and removes too much?
Brooke: Well, that's a problem too. If you oversimplify... you should be concise and keep everything, anyway, just concise. I was gonna say short, but just as concise as possible. You want everything to be in there, you want it to be accurate, you want the whole picture laid out for the assessor. But don't go on; don't have a 400-page SSP. Then again, some of you may like a 400-page SSP, hey, that's fine. The point is don't go on ad nauseam, but don't way oversimplify either. If you say, you know, we patch monthly, and then you don't define how you do it, and you're like, well, Windows, we just let Windows run. And how do you verify that? What do you do to verify those patches went out? What do you do to verify that Windows Update's really running? All that kind of fun stuff. So are you actually doing it? Letting Windows do it for you and not writing it down and explaining what you do and what you do to monitor and all that, that's where the problem comes in. We talk to a lot of IT guys. I'm an IT guy too, so I'm guilty. But we talk to a lot of IT guys, and you say, how often do you patch? Oh, we patch monthly. The week after Patch Tuesday, for instance, for Microsoft. Because rarely do you want to patch everything the day the patches come out. You want to have your pilot group patch those, cross your fingers, and if everything's good, a week later you patch everything else.
Austin: You're not telling me Microsoft makes mistakes.
Brooke: Never mind. They're definitely not on the "just get it out right now and we'll fix the problems later" bandwagon. Just kidding, they are. I think every software vendor is there. But anyway, so that's an example on the patching. You need to define what you do, you need to make sure you address all the controls, you need to make sure it's monitored, and you need to explain how all that's done. Oh, I know, the IT guy always says, yeah, we're patching monthly. Okay, well, how are you doing that? Oh, this is Windows automatic update. All right, well, where does it say that? What do you mean? It just happens. Well, that's great. Well, how do you monitor it? I have to monitor it? So anyway, yes, make sure that you don't way oversimplify it and leave out crucial details.
Austin: There needs to be a verifiable process.
Brooke: Needs to be a verifiable process, exactly. Another one is incident response: policy, plan and procedure. What does your incident response look like? Do you have a policy? Do you actually do what that policy says? Have you ever looked at the policy beyond the time that you initially created it? Ideally, that incident response policy... well, not just ideally, because you're supposed to test it. Hopefully it's been tested and you actually go through it and fix things that aren't right, or that you need to expand on or cut out or whatever, every time you test that incident response policy, because every incident response policy is made to be changed, believe me. A lot of people just write their incident response policy and don't ever do anything else with it, and it doesn't really address what they do. And if, God forbid, they have an incident, they forget that there is an incident response policy.
Austin: So there's only three truths in the world, and that's death, taxes, and that your incident response policy will change. That's right.
Brooke: That's right. Another thing that gets people is your inventory, right? Take your inventory of devices, for instance. Yeah, I've got an inventory of devices. It's in Active Directory. That's overly simplified. That is not what your inventory is supposed to be. It can come partly from Active Directory, but what else is on your network? How do you verify that? How is it authorized? All that is in there. You can't just say, yeah, it's in Active Directory or Intune or whatever it may be. You've got to verify what's in there and what's not. Everything's gotta be on that inventory sheet. So that's another big one that catches people. Us IT guys go, yeah, I got an inventory, it's right in Active Directory. I can write a PowerShell script and pop it right out. If ThreatLocker doesn't block the PowerShell script.
Austin: Feel like we're on the path of Little Red Riding Hood. One's a little too hot, one's a little too cold, you know, too much simplification, not enough. Get that porridge just right. All right. So what is just right for a small or mid-sized aerospace contractor or machine shop or something like that? What does that just-right porridge look like in terms of documentation? Your documentation porridge.
Brooke: Right. So really what this looks like is what we've already talked about a lot: making sure that those policies are concise, but that everything is addressed, right? Make sure that you have all that documentation, everything we've already talked about. But the other part of this is management and ongoing monitoring. CMMC and NIST 800-171 are all about ongoing management and making sure that you do the care and feeding of the program, right? It's not set it and forget it. Wish it was, but it's not. And really, we've talked about this in other podcasts. People like to think that IT is set it and forget it. And although you can automate a lot of stuff, you can automate all those updates, you can automate your backups, it is not set it and forget it. You hope, you cross your fingers that you set it and can forget it, and you can trust, but you also need to verify, right? Trust but verify. So as a managed service provider, it's great that we have all those automated things for backups and testing the recovery and all that kind of fun stuff. But we also go in there and check that, make sure that we actually can recover. We've got to do some test recoveries. For patching, we've got to monitor that and make sure it actually happens. Make sure that those Windows machines upgrade, you know, Windows 11 upgrades past 24H2, for instance. Some of you may have no clue what that means, but some of you may. All those things are automated and supposed to happen, but you've got to verify that they happen. You've got to manage those things. So have quarterly rolling reviews, not annual chaos.
So you identify all the things that you need to be keeping track of and you have some quarterly reviews of those things. For some things, your visitor log for instance, it may be that you want to do that weekly or monthly. But do things at least on a quarterly basis. Some things will need to be more than that. If you use a GRC tool, it probably has a function in it for recurring tasks or reminders or something like that. Utilize that to help you out. Assign real owners that take care of these things, right? It doesn't need to be all on one person, although if you're a really small shop, it's gonna be all on one person. And yes, it's a lot of work. But assign somebody to take care of it so it's in their wheelhouse, they have to get it done, it's their responsibility, right? Responsibility and accountability can be different people. Think about the RACI model: responsible, accountable, consulted, and informed. Some of those GRC tools use that model to assign things to people. Use version control on the tools that you have. Again, if you're using a file system, it's very important to make sure that you rigidly stick to that version control, right? If you use a GRC tool, some of that's automated for you. Well, on all the GRC tools I've seen, that's kind of automated, but anyway, they have version control to help you out, and they'll show history and all that kind of fun stuff. So make sure that you use version control. And again, I'll go back to: if you can spend the money to get a GRC tool, they go everywhere from free to not costing very much to being pretty expensive.
So look at a few and figure out what you want and what'll fit the bill for you. Ask us if you want to. I can already tell you we'll recommend FutureFeed if you just need CMMC compliance and there's not other frameworks. But if you use a GRC tool, make sure you get that evidence in there and make sure you link it to the right controls or the right assessment objectives, whatever it may be. In FutureFeed I think it's the controls you map it to. But in any case, it's one of those things where in a GRC tool you can usually map that piece of evidence to multiple places, because sometimes that helps, right? If you don't use a GRC tool... I've said GRC about a hundred times through this podcast, so I should probably define it in case this may be your first time out of the box learning about all this. GRC means governance, risk, and compliance. So it's just a tool to manage all that. All your governance.
Austin: All your governance, all your risks, and your compliance.
Brooke: And all your compliance, yes. So if you don't have a GRC tool and you're doing it old school on a file system, build yourself a matrix of your evidence and what controls map to which evidence. It's good for the assessors if you put links in there, or if not a link, at least a file path relative to where it's stored so they can find that stuff easily. Because at some point you're gonna package all that stuff up and give it to them, right? Again, this is going back to the red carpet. This is going back to the red carpet, yes. You want to make it easy for them, you don't want to make it hard. So treat them well, give them all the information they need. And as long as you actually do cover all the controls you're supposed to cover, then you'll pass. And if you have all that documentation laid out, all your evidence in there, it should go quicker than not. I've had some assessors tell me that they get the documentation and have their meeting with the people that they need to meet with, on site, some remote, or whatever needs to happen, and the next day they issue a certification. Or tell them that they're certified and go through that process, I guess. But anyway, it can go very quickly if you've got everything ready.
Austin: So if you could sum it all up for us, for the viewers back at home, for contractors, manufacturers, machine shops, engineering firms out there that currently feel buried in documentation and don't know where to start.
Brooke: Sure. So you don't need more and more and more documents, although even if you're keeping things concise and just as short as possible, it will feel like that. If compliance is not your daily gig, it's gonna feel like you're drowning in documents regardless. But like I said, be concise, have just the amount of documents you need. Don't go any more overboard than you need to. I would argue that CMMC is overboard on documentation, but it's everything that's needed to prove all this. And that's what it's all about. So make sure you have the right documentation. Make sure you keep it as simplistic... I don't like that word necessarily. You've heard me say concise. I like that word. Sounds more elegant. It sounds more elegant. It sounds more something. You know, I don't really know. But you've got to make sure you've addressed everything in there, but keep it as short, as concise as possible while making sure that the auditors understand. A third party can come and read that and understand, and it doesn't go on where it doesn't need to go on, or drag on where it doesn't need to drag on. So if your policies and SSP and everything else match your environment, match everything you're doing, then that's gonna make a happy assessor. That's also gonna make a happy you, because that'll mean that you pass.
Austin: So absolutely. Well, thank you, Brooke. As always, appreciate your insight and your time with us here today. If you haven't noticed my get-up, my outfit here today, Texas chic holiday clothing. Right. I've got my largemouth bass with a Santa hat.
Brooke: I did not get the Christmas shirt memo for some reason. So it is what it is, I guess.
Austin: You must have missed it. It must have got caught in the spam filter.
Brooke: So you probably won't be seeing this before Christmas, but if you see this after Christmas, that's why. Christmas is coming up.
Austin: So we're recording this the week before Christmas. So this will probably come out the first week of January, I think, just right after Christmas.
Brooke: See, we should have thought about that. You should have worn a Christmas shirt back in November.
Austin: I know. I should have thought about it. They didn't have them on the shelves yet, you know. I'm sure that's my excuse. But thank you guys. Merry Christmas, happy holidays, happy Hanukkah, Merry Festivus for the rest of us, all the fun stuff from the CMMC Compliance Guide team. We appreciate you guys. If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions. We'll answer them for free here on the podcast.
Brooke: And if you have any questions about Austin's Christmas shirt, he can tell you where to get it.
Austin: Absolutely. And tell you what, it's Magellan at Academy. It's only during Christmas time. So you can find our contact information at cmccomplianceguide.com. Please stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.