In this episode of the CMMC Compliance Guide Podcast, we break down one of the most overlooked risks in CMMC compliance. What actually happens when your environment changes after an assessment?
Many contractors assume that once they pass a CMMC assessment or complete a self-assessment, they are set for the next year or even three years. But recent guidance from the Cyber AB town hall reveals that certain changes can trigger a brand new assessment.
We walk through what qualifies as a significant change, what does not, and how decisions are made when things fall into the gray area. We also cover real examples like mergers, switching MSPs, expanding networks, and upgrading tools.
If you are planning changes to your environment or trying to future-proof your compliance strategy, this episode will help you avoid costly mistakes and unnecessary reassessments.
We also answer a listener question about how to identify FCI and how it should be handled under CMMC Level 1 requirements.
If you are a small or mid-sized defense contractor, aerospace supplier, or manufacturer, this is critical guidance you do not want to miss.
Welcome And Town Hall Updates
Austin: Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're breaking down some important updates and clarifications that came out from the latest Cyber AB town hall. One of the biggest topics discussed was something that can catch a lot of contractors off guard. When changes to your environment can actually invalidate your assessment. Many companies assume once they pass an assessment or complete a self-assessment, they're good for the next year. But according to Cyber AB guidance, certain changes to your environment can trigger the need for a brand new assessment. So in today's episode, we're going to unpack what those changes look like, who's responsible for making those decisions, and what contractors should be paying attention to if they want to avoid compliance surprises. Well, Brooke, how's the new chair treating you?
Brooke: The new chair's great. It's nice and comfy.
Austin: Yeah, good, good. Uh hopefully it's it's comfy for the whole episode. We we got new chairs because uh the old ones were just uh uh a little rough to sit in after you know an hour here.
Brooke: They were. They'd they'd uh they'd make your rear end numb after a while. So yeah, so I'm glad to have some nice comfy chairs. Yep.
Austin: So uh you know let us know uh on the on the video if they they look good. Um but I'll tell you what, they are comfy.
Brooke: They are, absolutely.
When Changes Trigger Reassessment
Austin: Well, uh let's start with a big topic from town hall um that you attended. Um what happens if something changes in an environment that was originally assessed for CMMC? Does a change automatically invalidate that assessment?
Brooke: No, that doesn't automatically invalidate the assessment, really. Uh it depends on the significance of the change, because uh what they said was um then there's it's gonna be really hard to nail down and and clarify, but I'm sure that's coming. The uh but it they said uh if there's a significant change, uh, for instance, to your scope, uh then that can invalidate your assessment and you'll have to go back through and and do another assessment, which isn't exactly inexpensive. So I'm you know I guess the uh the the take the takeaway from the the first question here is don't change your environment. You know, it can grow, but don't change it.
Austin: Yeah. Normal move add changes type things, user come, user goes, um, stuff like that. Computers come, computers go. Um, those are in the normal uh business operations category, I would assume. But um, you know, I I think what you're you're saying is, you know, uh typically something happens, examples are made, and we're we're pending uh what you know examples uh are um after people have been assessed for a while and and changes happen and um and you know for the the government or the Cyber AB or assessors to start giving us um real world examples of um people that uh you know maybe misclassified what a significant change was exactly and what the implication of that is. So um, but you know, I think you can you probably use um your judgment. If it feels like a significant change, you might you might you know consider it a significant change.
Brooke: Yeah, we'll get into examples probably here in a minute. But uh yes, if it's uh they the basic s basis is, and they've and they've said this before, there's just been lots of questions about it. And so they're on the town hall, they're trying to trying to help clarify what the DOD has said about uh significant change. So if it's a significant change and changes the scope of the boundary, then you know that's uh that can invalidate your assessment. So be very careful.
Austin: Yeah, so don't go into assessment um having pl changes planned, you know, two months later.
Brooke: Hey, Mr. Assessor, we're we're gonna completely change our environment two months after we get our assessment, by the way. Yeah.
Austin: No, I I would not do that. Yeah, yeah.
Brooke: So plan well.
What Counts As Significant Change
Austin: Well that raises another uh big question, which I think we just touched on, but and I know um there are no like real-world working examples, just uh, you know, very public and um uh and and advertised uh uh in in the world of CMMC, um, you know, like the some of the False Claims Act we've seen maybe um uh in terms of examples of what qualifies as a significant change. But they did a bit of a looking, you know, into the looking glass kind of look, uh the Cyber AB and tried to um, you know, give some guidelines as to what might amount to a significant change and what qualifies as significant. Can you go through some of the things that they outline that those might be?
Brooke: Sure, sure. Uh so um really the significant changes you're talking about are things like if there's a company merger. You know, if you bring on another company, typically, you know, their systems integrate, systems change, you know, all that kind of fun stuff during during a merger. So they've sp they specifically call out mergers and acquisitions, right? Doesn't have to change the the scope, doesn't have to change the environment, but a lot of times it does. So they significant excuse me, they specifically called out uh mergers. Uh anything that uh significantly expands the network or anything that uh like if you um integrate a new network uh into uh the scope, that changes your scope, right? Um if you change MSPs, for instance, if you have an MSP and you change MSPs, uh that very well could uh make a significant change. Um of these things don't have to. If it's just the course of normal business and possibly even now, this is just me spitballing here, but you know, possibly even, you know, just a one-for-one change. Like you take one antivirus out and put another one in, and as long as you got it's all the configurations and everything else is the same, you know, then uh then that's fine. That's like, you know, not exactly like, but seeing as how people are assets, it's kind of like a person leaving and replacing them with another person, right? Uh that's just a one-for-one, one for one change. Roughly not everybody's the same, right? But but uh anyway, uh, you know, something like that may not be a significant change. But um a lot of times with uh, you know, when you if you want to upgrade a tool, a cybersecurity tool, you say, I want to get rid of this tool, this, this, and this tool, and I want to get a tool that does all this combined, right?
Because that's what a lot of tools do is they say, we've added on these new features, now you can give those other tools the boot, you know, and uh it's all great and everything, but you gotta figure out how that impacts your environment, you know. May not impact it at all. It may fit right into your SSP, maybe a one-for-one switch out, you know, and again, they didn't clarify that. That's me spitballing. So uh point is though, uh any significant change that might uh impact the scope uh or anything you specifically, especially anything you specifically wrote in, anything that the assessor came and assessed you on specifically. Um, those are uh those that's a really wide-ranging statement too.
Austin: So trying to I'm trying to narrow this down and and uh but So if I understand it correctly, um you know, a merger um or an acquisition um might trigger uh uh a new assessment if, for example, um whenever the the new parent company buys uh the company tries to roll all the IT infrastructure up into it. Um maybe they're certified, maybe they're not. Um that could look um like a significant change because I would bet that they absolutely would call that a significant change. Because you're changing your entirety of your enclave or your scope or your network. Um but maybe in merger and acquisition where um a company has bought ownership changes, um, maybe some managerial things, maybe HR, maybe accounting, but largely the I IT infrastructure chain remains unchanged may not um trigger an assessment um if if everything uh you know enclave scope IT network wise.
Brooke: Um but it also is larger than just IT network. It's the it's the physical scope, it's everything the people, everything else. So uh cage codes, you know, highest level owner, all that kind of fun stuff. You have to you have to keep in mind what's gonna what all is gonna change, you know, with a so if that merger happens, are they just gonna buy the company, let you operate as normal until the next assessment, and then make those changes? I mean that would be ideal, you know.
Austin: Um that would be more on the probably not gonna be reassessed side, but if you start integrating things or visitor access control, HR employee screening type things could potentially, you know, anything that's gonna be a a control or a boundary.
Brooke: Um again, uh really uh the any significant changes that involve things like mergers and acquisitions, significant network expansion, integrating other networks, uh changing uh MSPs. And the reason they call out MSPs and talk about them is because typically if you use an MSP, they're very integrated into the company. Uh so typically if when you change out a MSP, that that'll probably be a significant change.
Austin: Yeah. So if your MSP is um, you know, some of them will uh, you know, maybe just provide uh a few standard tool sets that um you got some SRMs from um that, you know, maybe if they're just of course this doesn't always happen, but you know, if they're almost never happens, but for as an example, if they're just providing antivirus for you and you swap out an MSP and just another antivirus, maybe not in an assessment. Right. But if they're you have an MSP and they're more of an extension of your enclave or of your scope um or of your network and and you're storing a lot of stuff with them, um, using a lot of their resources uh and you want to change MSPs, that might trigger an assessment.
Brooke: Absolutely would.
Austin: So there's a spectrum on all of these.
Brooke: I think it's yeah, and it's hard to tell. Yeah.
Austin: So um and it remains to be seen. Now I'm sure there'll be guidance out there eventually. I'm sure people are gonna get it wrong, um, you know, at times, and uh and uh those are this is the the thing with new things uh is that uh you know standard practice uh will uh you know eventually be found.
Brooke: Exactly. Well, maybe.
Austin: Yeah, maybe, yeah, yeah, absolutely. Uh okay. Any other thoughts on significant changes, or you think we beat that dead horse?
Brooke: Uh not on that specific part of it, no. That's uh I think that's we can keep on going down that rabbit hole, but you know, uh they the short of it is they're trying to clarify that for everybody because there's a lot of questions, and they did come up with some clarification, which always leads to more questions, you know. Uh but there is some clarification uh that we just talked about. So it's uh no use talking about it all over again because there's not just a whole lot there, uh except that you need to stay away from significant changes. Quote, you know.
Mergers Networks MSP Swaps
Austin: Absolutely. It's like uh looking at a dictionary for the definition of a word and the words in the definition, and you're like, you know. Right. So we talked about significant changes and what might could or might very well be in that category. Uh the easier question maybe to answer uh is what would be uh a more smaller operational change um that would not trigger an assessment?
Brooke: That would be an insignificant change. Just a bit. Done.
Austin: Yeah, then we answer just answer that.
Brooke: Just answered it. So uh, you know, it could be adding more computers, uh just as a normal course of business, uh replacing computers, add more computers, add more people, changing people out. Those all that stuff is accounted for, you know, in the in this in the NIST 800-171, right? I mean, you can it's the management it's the ongoing management of that network. So uh, you know, none of those things are um would cause a uh uh uh the need for a reassessment.
Austin: Yeah. So those are the kind of things that we call in in the industry, uh IT entry, move add changes, you know, so add email, remove an email, you know, change an email to something different, and you could just take that same concept of computer, you know, workstation, phone, tablet, um, etc. Uh, and then a significant change might be more of the project type things, you know, um, where you're you're bringing a new server, um, or you know, you're swapping out your your uh big big tool sets or you know, moving from GCC High to PreVeil or something, uh those might um, you know, project more things that are more along the lines of projects you have to plan out uh could fall in a significant category, whereas the operational people come, people go, um, computers get upgraded are are fine.
Brooke: You know, and you do have to plan, I mean, they're invariably the business world, cybersecurity world, you know, none of that is static, right? It all changes. Uh cybersecurity world changes at a amazing pace, right? But um you may wanna, you know, a couple years down the road or a year and a half down the road, you may say, you know what? Uh we wanna we wanna deploy tablets on the floor uh to automate XYZ process, right? That's great. That in my perspective, that's gonna be a significant change. So you gotta plan these things and figure, you know, our assessment here is gonna be for three years, right? And so let's let's think about the things that may be coming and think of if we want to uh you know pre-plan and and set us up set ourselves up for success. Or, you know, is this something we want to look at and we can prep and get ready, build it out, have all our ducks in a row. When it comes time to be reassessed, you can s build that in uh and then get reassessed at that time. Something like that, right? Uh but you you know nothing is static. Or your your uh new technologies, new things come out all the time. You want to be more competitive, so you know, um you but you gotta take that planning into account and figure that out. Or else you'll just be stuck for three years exactly like you are. Unless you want to, you know, go through another assessment. Absolutely.
Austin: All right. So we talked about two ends of the spectrum. Um, pretty clear what makes up an insignificant change and a significant change. Um at least it's clear on either side of the spectrum. Right, right. You know, um, but uh most things don't fall on one polar opposite end or the other.
Brooke: Right and you're gonna be stuck gone. Uh right. Yeah.
Austin: Uh and someone's gonna have to make that call, right? Yes. Yeah. So who makes that call? Not me.
Normal Operations That Stay Safe
Brooke: Uh well, I guess if it's our environment, I guess that would be me. But uh so that that'd be the OSC, the the organization seeking certification. Or I guess uh at that point they'd be certified. But uh so that organization, and specifically the affirming official, the the one who's in charge, the one who's accountable for everything, they'd be the one that makes that call. What I would say though is that don't gloss over it. You know, if something if you say, Oh yeah, it's not a significant change, just integrate all those tablets and everything else and and we'll be good, you know, and we'll just get an assessment when it comes, you know. Uh I I would stay away from that because if anything happens and a breach or a whistleblower, uh, you know, something like that. Really, when you look at all the all the False Claims Act, and we've said this before, but the uh the whistleblower is by far the the top uh the the where most uh False Claims Acts start, right? So um so whether it's a False Claims Act or an actual incident or something like that, uh, and they come in to take a look at your environment and they go, hey, this stuff wasn't in scope, and it's a change, you know, and you can argue your point, but I would not want to be on the end of arguing that point for a False Claims Act. So uh I'd be very careful of that. Um and and like I said a while ago, plan accordingly, right? And plan that assessment, uh plan that rollout, whatever it is, plan it appropriately and and and uh try to build it all out and get it ready to where you can implement it and then then get assessed or something like that. So uh but to your question, uh is the affirming official really of that organization, whoever's in charge, whoever's accountable, uh that's that's whose call it is to make that call, but make it right.
Who Decides And Legal Risk
Austin: Yeah. So I think it's important to uh just kind of pause for a minute and and take a second and you know pull back from the details of significant, insignificant, all this fun stuff, and uh and uh bring up a point that we typically uh when we're bringing people through uh building a compliance program, we typically coach them into uh trying to make, you know, and ultimately they make whatever decision they want to for their individual business, but um we try and counsel them or coach them to make a decision that uh allows them some room. Um, for example, one that we bring up a lot is um picking GCC versus GCC High if they're gonna go into a GCC environment. Absolutely. One GCC um precludes you from working on stuff like ITAR, NOFORN. Um, so you know, you're you're gonna be stuck in that box for three years. So are you sure that you want to be stuck in that box for three years, or would you rather, you know, uh expand your capabilities, go a little bit further, opt for High, so that way you can uh bid on future work that you don't just foresee in the immediate future right now. Because otherwise, you have to wait three years uh and then make the decision then, you know, and then you may have lost out on contracts in the meantime, right? Yeah, absolutely. And so uh and and the same goes for like um you know, enclaves is real popular um for people to like, well, you know, I know it may not be a perfect thing for my business flow, but if I can get, you know, only have a little bit of um, you know, defense work right now, and if I just buy this enclave and I put everything in there and it's not a perfect thing, but we can just keep our you know our business and um uh just have Bobby, he's in scope and he does uh you know the enclave stuff. But you know, what happens if you want to change that in in three years? And you you have to keep that imperfect um, you know, uh workflow that you've created, painted yourself, you know, into a corner in.
Um, and you know, maybe that's good enough for you. Maybe you just want to retain that one contract and that's gonna be work and Bobby's just gonna be the, you know, the CUI guy or something. Uh, but if if you're wanting to expand that in any meaningful way, um, or you know, expand that line of work at all, then uh you might want to think. My point is, whenever you're building out your compliance program, you might want to just leave some room for yourselves and not box yourself into a corner too much. Um, so that way you can you can expand things um and and bring on more work um, you know, uh within your, you know, your three year uh capacity, right? Is that is that fair to say?
SPEAKER_03: Yeah, yeah, absolutely.
Austin: So you said uh that ultimately it's on uh the the organization, you at home, who's certified or soon to be certified, or eventually there to decide whether it's a significant change or not. Right. So but you know, you had this assessor, this C3PAO, um come in um and and certify you. Can you just offload that burden to them and say, you know what, Mr. Assessor, you tell me?
Brooke: Well, you know, the simple answer is no. Uh but the the longer answer to that uh is that um one, if you if you use a C3PAO uh to do your assessment and you like them, then I would probably have a tendency to want to use them again because they've already evaluated your environment once. Uh that said, the capacity of C3PAO market is growing so much, uh you know, you it may be you may be hard pressed to get the same people to assess. You within that C3PAO. I don't really know.
Austin: But even if you're using the same C3PAO, a lot of them 1099 out their assessors or something. And so you even if you hire the same company, it might be different people coming through the door.
Brooke: So with that caveat, you know, I mean that uh my tendency would still be to stick with the same company that that assessed me, right? So no uh knowing that or um having that in mind and knowing that uh a C3PAO cannot assess you and do any consulting, uh then no, I wouldn't ask the C3PAO that they certified us. Uh but you can ask a C3PAO, a different one, uh, or a CCA or a lead CCA uh to to come give you some guidance, but it's gonna be just that. It's gonna be guidance, it's gonna be consulting, it's gonna be their recommendation, but not ironclad proof. Or ironclad, it won't be an ironclad decision, right? It'll just be their opinion. And which may be a very good opinion. I'm not saying it's not. Uh and I'm sure it would be a very good opinion, but there's nothing legally binding there. They'll say uh if if they do make it legally binding, I'd be gigantically surprised. But uh, you know, they're likely to say, hey, here's my recommendation. I recommend that you just keep what you got, keep your powder dry for uh for a year and nine months, and then you know, do the but so they may, you know, they may tell you that, but it's just gonna be a recommendation, right? Um but yeah, you you can absolutely get a C3PAO to come in. If it was me and I like my assessor and my the team, then I would definitely would not use them because you couldn't use them again after that to to do another assessment.
Austin: So don't uh if you want to use your the pe the company that assessed you in the first place, don't ask them because then they went into consulting for you, and now it creates a conflict of interest and they can't do your next assessment.
Brooke: Right. That's one of the There also is some question as to whether they would even do that after do any could even or would even do that consulting after they do the assessment. So there's that as well. They may not be able to.
Austin: Yeah. Fair enough. Fair enough. So likely you're gonna be uh if you if you do want an outside opinion um and some guidance, you'd you'd be looking at just hiring a a CCA, uh uh certified assessor or something um to help guide you through that decision. Um, but it'd be a bit like hiring uh a lawyer um to give you you know good sound advice. You'd you may take it, but you may end up in court anyway. Right? Yes, exactly.
Brooke: Exactly. Um but not. I thought we were thought you were gonna tell me about the expense of hiring a oh well.
Austin: Which may that may be true too. I thought that was just assumed. No, I'm kidding. Um but yeah, I mean you're uh it it's good uh especially if you're unsure of something to get you know, maybe someone that can give you good guidance, but at the end of the day, um you're in charge and have to make uh unfortunately um imperfect decisions on imperfect information uh until any more concrete guidance comes out. So um that's the unfortunate reality of the situation. Yes. There is the three-year anniversary date of your assessment and your certification, uh which you need to get recertified and reassessed. Um there is something uh about annual affirmations. Um can you tell me more about that?
Plan Scope So You Don’t Stall
Brooke: Sure. Yeah. So uh the first part that is required really is the is the uh certification assessment by C3PAO, right? And uh that's once every three years. Yay, wonderful, you know, not every year. Uh but uh uh along with that comes annual affirmations by the by the uh affirming official, right? Uh whoever is accountable, whoever's in charge. Um and so uh you do have to affirm annually that you still meet that 110 controls. There's been no significant changes uh in the whole nine yards. So you do have to do that. So you are on record saying, you know, I guess that that crossing your fingers would be, you know, for luck, but it's a Boy Scout thing anyway. Um nevertheless, you may do both. You may do both, that's right. Uh you know, the so the annual affirmation is I promise, you know, we haven't made any significant changes, or you know, uh, we're still at 110, we still meet all the controls. And so uh that's what the annual affirmation is. And when you affirm that, you're legally saying, you know, that yes, we're we're still good. So if you're affirming that, I would make sure there's there's no significant changes.
Austin: So the unfortunate thing is that the the certification is not just a full-on, you know, uh abdication of liability. Like you get your certification, you're good. It's on the assessing firm, um, the C3PAO uh until you get certified again. Um doesn't work that way, you're you're still, you know, gonna be in hot water if something goes wrong. Um it's not all about the assessment. Um you have to keep this up continually, and um the government's gonna be expecting you uh to do so regardless of certification.
Brooke: Yes, absolutely. You know, the whole thing is built around uh the all of NIST 800-171 is built around ongoing management and monitoring and and uh and so that you know this affirmation piece is just another another extension of that is ongoing, you know, yes, we're we're covering everything like we're supposed to.
Austin: Yeah. So your sleepless nights may not end after certification. So they may just change to other worries. Exactly. So we had mentioned that uh you know they we we have imperfect information right now and and guidance on the imperfect information coming from the government, is that what you're saying?
Brooke: I d I d do not believe that.
Austin: I've heard I've heard other people say it. I'm not saying that. Let me be clear.
Brooke: Uncle Sam, I'm not saying that, I promise.
Austin: No. Yes, we've got imperfect information um coming out, and uh we have some guidance, but it's not perfect. Um it, of course, would be great if we could get some additional clarification. Um But you gotta be careful what you wish for, too. Well, yeah. True. Um so did in the town hall, do they mention anything about any additional clarification on this coming down the pipe at all?
Brooke: Or there's nothing concrete, of course. They're not saying by, you know, by June 1st, you know, we're gonna have, you know, some more clear they're not saying that at all. But they do know that it's a huge question. They do realize that it's all but a wide open explanation, right? So who decides what's significant? You know, and then they've they've laid down some examples, you know, like the company mergers, you know, and things like that. So they have laid down some examples, but it's still there that still leads a wide swath of things that could be or or could not be a significant change. So they understand that and expect more guidance to come on, you know, uh down the road some. Uh I would not depend on that guidance to go one way or another or come very soon, but uh or or be explicit, much more explicit than they already are. Because really, if you think about it, how do you tell people exactly what is a significant change in their network? I mean, of all the clients we have, as standardized as we try to make the networks, they're all a little different, you know. Um and so to say that they're all not gonna change or to say we're gonna do this exactly to everybody, you know, um uh is that's a that's a hard nut to crack, right? So it is it's gonna be a hard nut to crack for anybody, the federal government or anybody to uh explicitly say uh what is a significant change. And I know there's people out there who say, oh, they can do it, and this is what a significant change could should be. I guarantee you that's still gonna lead questions. Guaranteed. So uh people argue the point all they want, and I don't really know that they are, but um point is it's a difficult thing to explain and and define. Uh but more definition will be coming. More imperfect information will be coming, uh sure. So expect that. Uh just don't expect anything concrete or or soon.
Austin: Fair enough. Fair enough. Well, Brooke, was there anything else from the town hall that uh I'd hadn't mentioned yet today?
Getting Outside Guidance Without Conflicts
Annual Affirmations And Ongoing Accountability
Brooke: Well, you know, there was lots of things from the town hall, but uh, you know, a lot of the town halls are inside baseball for all the CMMC geeks, you know, like us that uh that do this stuff day in, day out. It's riveting and exciting. It's riveting and exciting. How many C3PAOs are there today? How many LC how many lead CCAs are there, you know, and stuff like that. So I I don't really remember. I think, you know, we've created now that we've created one or two of these episodes, and uh, you know, I guess maybe I'm getting old and I forget these things. I don't really know, but I I think we might have mentioned this rule change. Yeah. Thank you very much. We might have uh mentioned this. But in any case, uh it doesn't necessarily directly affect CMMC, but there have been there's a uh proposed FAR rule out there, FAR CUI rule. Uh so not DFARS, but FAR, which is the rest of the federal government. And really what they're trying to do is uh coalesce everything behind uh the CMMC program. Uh maybe not exactly CMMC, I don't really know. It's yet to be seen, uh, but they are coalescing behind CUI and uh protecting CUI. And so they've made some rule changes that uh uh really just align uh the far uh the FAR rules uh with you know with what's going on in a CMMC right now. So for instance, and I have to pull it up on my phone here because uh I couldn't remember what it changed to, but for the the FAR52.204-21, uh the just the basic safeguarding uh rule, uh the new RF uh RFO clause of deviation is FAR52.4240-93. Um let's see. Uh there are uh 7019 was retired. The DFARS uh 252.204-7019 was retired because it's no longer needed. The DFARS 252.204-7020 uh is now uh and that's the one um that's the one that uh about the the defined CMMC, right? So uh it is now uh DFARS 252.240-7997. Uh the 7021, the two two five two dot two oh four-seventy twenty-one uh has not been changed.
So really those uh FAR CUI changes uh or those uh those rule changes are really just meant to uh bring those FAR rules and you know the all those into uh align uh alignment, I should say. I was gonna say alliance. They're they're an alliance together, but uh anyway, uh just should bring those into alignment, really is all that's for. But uh what I would what I take from that is that something akin to CMMC is is coming, you know, for the rest of the federal government. Won't be as seen as how the rollout for CMMC has been. I would not expect for uh the uh uh as an exact copy of CMC to be rolled out to the rest of the federal government tomorrow. But uh it something like that is coming for the rest of the federal government, right? So they've said that that's what they wanted to do. Uh the DOD was their testing grounds, uh mainly because it was so important. Um But they wanna they want to make everything the same, want to get everybody on the same page uh and treat everything the same because there's uh different islands all over the place of the way they treated information and the way they protected information. So they're trying to align those. Uh the other thing, uh, and we've talked about this, I know we've talked about this uh on one of the last episodes, uh, but is uh paper C UI. So uh if you have just paper CUI or if uh well if you have just paper CUI, you don't store it electronically anywhere, you don't uh transmit it or electronically anywhere or anything, you literally actually really, really, really I don't know how many really's I can say, but uh you get it just via paper. Uh now there are protections for that, but uh if it's just paper, you're not subject to CUI rules. Uh so uh you're not subject to CMMC level two certifications, I should say, uh is what you're not subject to. So because it's a piece of paper, it's not electronic. So CMMC level two would not apply. The whole of the level two would not apply, right? So those are really the other ones. 
Everything else with uh town hall uh uh was pretty much just uh inside baseball stuff. It's uh very interesting, good for us to know and and uh take note of, but um nothing really of giant interest for OSCs.
AustinWell, I appreciate it, Brooke. What what would you say the biggest takeaway from the town hall was?
BrookeWell, it'd have to be the whole significant change thing, what most of our podcast was uh about today. Uh and that is uh you know um stay away from any significant changes, you know. Uh plan for the future when before when you're planning to go through this and get that assessment, make sure that you have yourself set up to be able to take care of future business needs as much as you can. I mean you can't you can't see everything, right? Uh but you gotta you gotta take that into account. So um so you don't have any big significant changes. And if you do have a big significant change, go through another assessment. It's just money. Yeah. And time. I should say definitely time.
AustinSo you'd consider that takeaway significant. Yes. Absolutely. Hey, we got uh an answer on something. Right. Yeah. Uh well, I think we had a listener question we wanted to respond to real quick before we close out. The listener question um was uh about something I think a lot of people are running into right now, especially at level one. Um we keep seeing level one uh pop up.
BrookeUh I don't know it pops up more and more, doesn't it?
AustinYep. I think you're seeing a lot of people um subcontractors seeing the trickle down of level one. I think that's why we're we're hearing a lot about it right now. Donald Binkley said, you've mentioned a few times FCI, or you mentioned FCI a few times. It's been a big concern of his uh COI tends to be easier to recognize uh because it is marked sometimes, uh, but FCI isn't always labeled. There doesn't seem to be a clear marking requirement, uh, so it feels like you just have to know uh what it is to protect it. Is there any guidance on how to properly identify FCI? And when it comes to CMMC level one and FAR 5220421, are you expected to follow FCI through your environment the same way you would with CUI? You want to take the first whack at that?
FAR CUI Rule And Paper CUI
BrookeUh sure. So uh Donald, thanks for the question. And uh, you know, welcome to the world of CMMC. But uh FCI, and I'd like to say also, you know, if you're getting CUI that's marked, that's great. Uh most of our clients hardly get any CUI that's marked. And what they get marked is generally not marked properly. So um that that's something that everybody fights, right? Um and that the federal government knows and they're trying to fix. Uh so uh but about FCI, FCI is federal contract information that's any information about the contract uh that is not public. So for instance, if it's not uh if you have to log in and see it, that information, uh then that's gonna be FCI. Uh and that's what we tell our clients, right? Uh if it's publicly available information, then that part is not FCI, right? Um but anything about that that is not public information uh is FCI. And that's the clearest answer I can give you, other than the actual lawful definition of it. But it's you know things aren't gonna be marked as FCI. Uh it's just gonna be that contract information, right? Uh and that's gonna be that's gonna be FCI for you, the the stuff that's non-public. So the question as to whether you follow it through your environment, uh you you have to protect it. Um you know, you have to have authorized access to it. Um you know, we can go through the 15 or 17 controls, depending on how you look at it. Uh we can go through those controls, and we actually did a couple of uh segments ago. Um I think everything that I've referred to on the podcast was a couple of couple of podcasts ago. So it might not be a couple, uh, but uh we do have uh a uh podcast specifically about level one because we've gotten so many questions about level one. Uh but yes, it is it is hard. Um but really it's uh it's a lot simpler really than CUI is. 
So anything anything about that contract, if it's not CUI, anything about that contract uh that is not publicly available, that is going to be considered FCI and it has to be protected as such against those 15 controls. Or 17, however you look at them.
Listener Question How To Spot FCI
Austin: Yeah, and we've got a Level 1 guide coming out that's pretty decently comprehensive, depending on how you look at it. It kind of walks through the main issues, types of evidence, and stuff that you need. It's mainly around the risk of attesting to Level 1 if you haven't done the certain things that you're legally obligated to do. But it kind of walks you through, you know, tangentially, some of this other stuff he's mentioning. We'll try and comment under his comment whenever we get that done. If we can remember, when we're done with it, we will, so you can find it, download it. It's gonna be a free resource we put out there. But the way we typically think of FCI is it's generally gonna be, you know, any type of invoicing information, like you said, anything in performance of that contract, or information you got from them, or maybe even created as a result of that. And so it's gonna be a lot of the data in any information system you have. So if it's QuickBooks, if it's your email, if it's your computer, if it's any system, computer or thing, cloud application that you have access to, and you're generating data or downloading and storing it in there, and you do federal contracting stuff, you're probably gonna have FCI in most of those things. And so the best thing to do is take those 17 or 15, depending on how you're looking at it, controls, and all of those systems that you are touching and using, and apply those controls against them and then have evidence for it. So, for example, if you're using QuickBooks, you would need to turn on multi-factor authentication, right? That's one of the controls.
There's some other controls: you have to have unique logins; you can't just have shared accounts accessing things. So they're easier to accomplish. It's not, you know, all 110, 320 sub-objectives. It oftentimes is what is considered basic cybersecurity hygiene, but mainly you have to document the breadth of your protection of FCI and then have the evidence that it is protected. So it's a lower bar to entry. And we'll release that guide. I think that'll answer some of the questions, and we may not have answered all of them here, but hopefully that was helpful, Donald. Thank you for your question.
Brooke: The rule that Donald referenced, 52.204-21, tells you what it is as much as you can know. Right. You know, information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public, such as on public websites, or simple transactional information such as necessary to process payments. Right. So, you know, if you're just running a straight invoice through QuickBooks for the government to pay on, that may not be FCI, you know. But that is the definition, that is what they call FCI, right? So it's information on that contract that's not intended for public release. And public release to them means not on a public website. And to me, I take it that that's something that you don't have to log into, right? So if a person's name is on a public website somewhere, you know, on a directory or something like that, then I would imagine that that's not FCI, you know. But that's about as specific as you can really get. It's not gonna be marked. And they're having a hard enough time marking CUI. So, you know, I hope that helps out a little bit. That guide that you're talking about will definitely help out. We'll get that posted. But yeah, FCI is not nothing, right? You do have to protect it, and you do have to have your documentation and your evidence. So don't just phone that one in. I would not want to get in trouble for that either. So yeah.
Austin: Yeah. Yeah, I mean, the definition alone pretty much lends itself to anything being FCI, right? You know, I mean, if it's not in a newspaper, on a public social media account, or on a public website, if you can't find it explicitly in one of those arenas, then by the example they gave you, it's FCI. Right. Right. So if you talk to them on the phone, you learned it. If you got a PO, you know, all those things, FCI. Yeah. You just have to assume, by the definition they gave you. So, yeah, unfortunately you can just assume it's everything, you know, for the most part. Or, you know, just start there, right? Right. Yeah.
Brooke: Generally, you know, a good practice, just for an example, a good practice for your network is to have a CUI enclave and then build the rest of your network to... your CUI enclave is gonna be Level 2, of course, right? And the rest of your network you're gonna build to Level 1. So I know that doesn't really help with the definition or how to identify it, but those are basic safeguards that you should take into account. You just gotta make sure that it's documented and that you have evidence.
Austin: Yeah. Yeah. That is the real gotcha: the evidence and the documentation of it. I mean, it's the main thing that's gonna get you in trouble. Or keep you out of trouble, which is way more important.
Brooke: You know, if you have your documentation, you say, yes, we're doing these things, here's our evidence, here's our policy or policies, whatever, and we were doing everything right, and the federal government can look and say, yep, this is just an unfortunate incident, I guess you're okay. You know, that would be the best thing if an incident or a whistleblower happened, you know. But yeah, Level 1 is not nothing.
Wrap Up And How To Contact Us
Austin: Absolutely, absolutely. Well, thank you, Brooke, for helping guide us through that. And Donald, hopefully we answered your question. If there's any additional questions that we created out of that answer, or something that we missed or didn't address, please hit us up again. We love listener questions and we're happy to try and answer them as best we can.
SPEAKER_02: Absolutely.
Austin: All right, awesome. Well, I think that's it today, Brooke, and everyone, thank you for joining us today. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.

