CS5 West 2026 CMMC Recap for Defense Contractor
CMMC Compliance Guide, May 29, 2026

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, Brooke breaks down the biggest takeaways from CS5 West 2026, one of the largest conferences in the CMMC ecosystem.

The biggest message from the conference was clear: CMMC is no longer theoretical. Assessments are happening now, companies are already getting certified, and many contractors are running out of time to prepare before Phase 2 requirements begin appearing on contracts.

We discuss what assessors are seeing during mock and certification assessments, why documentation continues to be one of the biggest failure points, and why scoping mistakes are still creating major problems for manufacturers and defense contractors.

We also cover:

  •  Why small contractors are struggling with implementation 
  •  How primes are pressuring subcontractors to get certified early 
  •  Why enclave strategies are often misunderstood 
  •  The ongoing debate around G-code and CUI 
  •  Why continuous compliance matters after certification 
  •  The importance of mock assessments 
  •  How False Claims Act risk ties into annual affirmations 

If you are a defense contractor trying to understand where CMMC enforcement is heading and what the industry is seeing right now, this episode gives you a practical, real-world update from inside the ecosystem.

Welcome And Why CS5 Matters

Stacey

Hey there. Welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Brooke

And I'm Brooke.

Stacey

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is going to be a little different because not too long ago, Brooke just got back from CS5 West, which is one of the biggest events in the CMMC ecosystem. So today we're going to break down the biggest takeaways from the conference and what defense contractors should actually be paying attention to right now. All right, Brooke. So after sitting through all those wonderful CS5 sessions, what would you say was the biggest overall theme at CS5 West this year?

Brooke

Really, the the biggest theme was that uh, you know, this is it's not theoretical. It's not uh something that may happen in the future or anything like that. It's it's here, it's happening at a fast pace.

CMMC Moves From Theory To Reality

Brooke

It's actually happening um at a faster pace than they than they uh set out for it to happen. Um they're gonna, I think the first uh phase one, they were they wanted to have 500 or so uh certifications uh done and and through uh before May, uh I don't remember what uh when exactly, but the they already had over a thousand um certifications complete. So uh, you know, there's there's gonna be a few more than 500 for the for the first phase one, uh, and it's coming. It's here. Uh we're seeing how assessors are actually assessing things, you know. Um we're seeing uh we're just seeing a lot of uh a lot of information about how things are being done now, right? And how um, you know, documentation and all that kind of fun stuff. So it's not theoretical, it's here. You know, one of the things that uh came up uh that was a constant theme throughout is that the uh the small DIB contractors or subcontractors are uh man, they're having a hard time. You know, it's it it's hard for them to afford uh uh and or take the time to uh to become compliant and become uh certified. Um and everybody knew this, everybody, you know, it's and we can go through everything we've already talked about, you know, that uh they've known this since 2017. Uh this is not a surprise. The only surprise in the last couple years should be how much the assessments cost, right? Um so um, you know, and that's you can you can thank the uh you can thank the DoW for that by laying out exactly how many uh you know how many assessors have to take part and laying out the you know, you can thank the CAP, you know, and all that kind of fun stuff for the amount of labor that goes into the assessments. But but in any case, uh, you know, they're they're not just real um apologetic about the the cost of implementation because that's been that's been on the books for quite a while. Uh people were supposed to have have taken care of this.
Although there are some things that you've realized that we've realized in the past couple of years that, you know, oh hey, you know, this documentation we've had, you know, that we've had policies and we've had this and we do logging and all this kind of fun stuff. It's not quite up to snuff, and we've gotta we've gotta bone up our our um our documentation. So that you know, there's some things like that. And it's understandable, but the basics of it have been in have been around uh how to implement it and everything uh for quite a long time. Um but small uh small contractors certainly are are struggling with the cost and the and the complexity of it.

Stacey

Something that we've been hearing buzzing around in terms of what was spoken about at the conference is that people that attended um noticed that companies are running out of time. So what was all that about?

Brooke

Uh yeah, so um there is uh I mean phase one ends in November

Phase Deadlines And The Time Crunch

Brooke

9th, right? Phase two begins on November 10th. That's when certifications will start coming out on contracts. You know, um the primes are already uh wanting and requiring their uh subs to get them. Um and I know uh I know of one prime that's shouting it from the mountaintops, and that you've got to be we we want to firm up our base, our subcontractor base, and get them taken care of now and early. And if you're late to the party, you're gonna get crumbs, you know. Um so uh it's if you're if you're just starting your compliance journey, it takes 12 to 18 months. On a good track, just getting it all done. It takes 12 to 18 months to put everything in place, right? Um if you're in some other phase of it, it may take a little, uh may not take quite as long. Uh, but starting from scratch, I'd I darn well bet on 12 to 18 months. So um, and going through a lot of uh pain of of uh figuring out how to uh get it implemented and and um an upending of your your work processes right now, right? Uh another thing they talked about was uh PALT, which is procurement administrative lead time. Uh so it's basically amount of time between a solicitation being finalized and the contract award happening. Uh so basically that's shrinking. Okay. Um I don't have I don't think I have the numbers here on my little cheat sheet. Um uh so some median uh mean timelines discuss for around 32 days, but uh they had all sorts of charts and graphs on uh you know um on the amount of time lead time for uh for those uh for the procurement industry administrative lead time. So the amount of time you have to show that you're uh get your certification uh and win that award, right? So uh that's shrinking, you s you certainly don't have time to go, you know, hey, I'm gonna I'm gonna go ahead and try to get this uh contract here, and I want to be awarded and I want to be awarded this contract, I'm gonna get certified before it's done. 
So, you know, if you're a lot of companies are have been have been putting this off, you know. Um we don't have to be certified yet. We're just gonna put it off, and you know, we think we're about ready. Uh and I can tell you everybody that thinks they're about ready or or at some point in the process when we bring them on and do a gaps analysis, they are a lot further behind than than they realized. And uh and a lot of it is documentation and coming up with that documentation, right? Uh some of it is implementation or and uh a lot of it is not scoping properly. We always talk about scope, right? And so you've got to scope properly, you've got to understand where CUI is, all that kind of fun stuff. Uh so you you can't wait uh to go through your to get ready and go through your certification process. It really you need to spool that up now, get it done. Um you know are there gonna be opportunities for contracts? You know, if you get certified in 2027, I'm sure there probably will be, you know. I but like I said, I know I know somebody well that works at one of the I'm not gonna name them really, but if you're at CS5, uh you probably or in the channel very much, you probably know who I'm talking about. But uh one of them said, like I said a minute ago, they you know, if uh we are firming up our base right now, and if you don't get certified, and show us that you're on a path to get certified very soon, then you know you get certified at the end of the year or next year, great, wonderful, but you're gonna get crumbs. Everybody else is gonna get the preference, right? And so um how true that is, how much that happens, I really don't know, but uh that's what they're saying. Um other other primes are really pushing their their subcontractors to get certified. So don't wait. It's a long process, it's a hard, uh a long, arduous process. So uh get started on it.

Stacey

So kind of elaborating more on what you mentioned previously about scope, and as Austin would say, all roads lead back to scope.

Brooke

They do, absolutely.

Stacey

It seems like that was something that kept coming up over and over again at CS5. Could you elaborate a little bit more about what they're talking about?

Brooke

Yeah, absolutely. You know, there there was a lot of discussion around scope, because uh,

Scope Mistakes And Enclave Myths

Brooke

you know, what uh what we find too, uh but what assessors are finding is that you know some of these some of these companies haven't scoped properly, you know. Uh maybe they have an enclave, you know, quote enclave, there's that wonderful word again. Uh maybe they have an enclave and they say all their CUI is in there, but really it's not. You know, uh they said, here's my enclave right here. Everything's in this box. And uh then you find out, oh, there's some computers out here that connect to it that download CUI. And so now your enclave has just been pierced, and and so your on or or it just expanded, however you want to look at it. And then that's another thing that has come up is um the word enclave. Uh you know, enclaves don't necessarily fit for everybody. And it depends on how you really look at an enclave. If you're looking at a truly what we think is enclave, uh, you know, draw a little box around it and no information goes out of that, right? Then you're gonna have a there are very few people, very, very few companies that can uh deal with that. Uh manufacturers, hard time dealing with it. Uh contract uh construction companies, hard time dealing with it, you know. Uh services companies, maybe, you know, uh if you develop applications or you develop AI or whatever for the government, you know, maybe, maybe that'll be, those will be covered. But uh manufacturers and construction companies, they're gonna have a really hard time using an using uh exclusive uh enclave uh option, right? You know, and so so that really goes back to scope. You know, you gotta you've gotta know what kind of CUI you have and uh figure out why why you think that, right? 
And uh so you've got to know what CUI you have and you've got to know where it resides, you gotta know where it flows, so where the where anything, any s any of your systems that process, transmit, or store CUI, you've got to draw that out in a data flow diagram and figure out uh where everything is and then figure out if you want to tighten how you can tighten that up and s and make that scope smaller, right? So uh but you do have to you do have to take everything, a holistic approach in mind to try to figure that out because a lot of companies underscope, overscoping is a problem too, but um underscoping is is definitely a problem and and will lead to uh will lead to a failed assessment. Overscoping, it'll just lead to, you know, maybe more expense, more a little bit of overkill, right? Or maybe a lot of overkill. I don't really know, but um, but it won't necessarily fail your assessment, whereas underscoping will.

Stacey

At CS5 West, did they talk about operational workload and maybe some business processes?

Brooke

Yeah, absolutely. If we've said this, a lot of people have said this. CMMC is not an IT project. IT certainly has a uh big seat at the table, but um but not the only seat, not you

CMMC Is A Business Change

Brooke

know, IT doesn't run the business. Uh so uh well, except maybe in our case we're an IT company, so it's a little different. But uh, you know, IT doesn't run the business, so um you need to have uh you know your business leaders, you need to have uh, you know, anybody, uh the people that do the work, you know, involved. Uh you've got to know how those processes really work. You know, me as an IT person, I might think, you know, this is the way it works, you know, ABC 123, and then somebody in production may come and say, no, no, no, we we also do these things. And uh, I mean, I just found out uh from a longtime client that, you know, uh they did something a little differently than uh I could swear that we've talked about in the past, but maybe not. Uh, you know, but they they do some things differently because we sat down and specifically talked about um uh a couple of these controls and and uh so uh but you gotta have the right people in the room and and of course ask the right questions. This is by and large a documentation and uh process change or uh compliance, right? So um, yes, there are some cybersecurity controls you have to implement, but you've got to identify them, you've got to define them, you've got to authorize them. You know, none of that is IT. So uh some of that may be. There may be drawn a network diagram, for instance. Uh, but uh that's you know that is not specifically an IT uh problem. It's a company problem.

Stacey

It looks like there's a lot of chatter about continuous compliance. Can you elaborate on what was being talked about?

Brooke

Sure. Um, you know, they uh really the whole uh NIST 800-171 and CMMC are not written to be a you know uh one and done kind of thing, or even

Continuous Compliance And Ongoing Evidence

Brooke

once every three years and done kind of thing. It is an ongoing is meant for ongoing management and compliance, right? Uh so you gotta have uh things to monitor your controls, you gotta have meetings to review things, you gotta, you know, review those logs, you gotta uh make sure you sign off on the visitor check-in, uh, check-in log, all that kind of fun stuff. And this is meant for ongoing management, ongoing monitoring and review. There are all sorts of companies popping up, um AI companies, for instance, that'll help you gather uh your documentation or your uh artifacts, you know, and uh do that on an automated basis. I don't really know about giving any of those access to my environment, but you know, there are those uh there are those uh platforms that will do that kind of stuff for you. So um, but it it's all about ongoing monitoring and maintenance and management.

Stacey

So, Brooke, was there anything interesting around assessments themselves and what that entails?

Brooke

Sure. Uh, you know, everybody uh there's a couple things really, but the lowdown, the basics, the takeaway is that uh you really, really should do a mock assessment with the C3PAO that is going to do your certification

Mock Assessments And Documentation Gaps

Brooke

assessment. Uh because from experience I can tell you the different assessors will will absolutely assess differently. You know, as as structured and everything as they make all this, uh different assessors will assess differently. Uh right, wrong, or indifferent, however you want to look at it, uh they will do it differently. So and and wildly differently. So those mock assessments are are critical, right? Uh because you you want to do you get all ready, maybe even do a reading assess uh readiness assessment with uh a uh you could do it with a C3PAO, an RPO, you could do it with uh, you know, if it's an RPO, do it with one that's got a has some CCPs and you know, maybe even a CCA on staff, but you know, some people who know that we're talk what they're talking about that you know they've been in this and and they've uh been through some of it. So uh but you know, an RPO, um a C3PAO to help you get ready, uh, or maybe you have internal people that have gone through all this, right? Uh and really know what they're talking about and really understand all of it. And understand the assessment part, not just the controls and how to implement them, but the assessment part, right? So you have that, but then you have your mock assessment with the actual C3PAO that will do your certification assessment. And they perform the mock assessment exactly like they will do the uh certification assessment. The only thing is they just they don't uh validate and upload everything to eMASS. Uh so none of it's reported. It's a uh, you know, here's how you did, uh, here's the controls that were met and not met. Now, when I say exactly like the assess the certification assessment, that means they can't do any kind of thing that would even they could even misconstrue as uh as consulting. Because that is a as a line they don't they do not cross, they don't want to cross. The you know that code of professional conduct is is uh they hammer that into us.
Everybody that's certified in the ecosystem, they hammer that into you. Nothing that could even be misconstrued as consulting, right? They can't they can tell you what you missed and maybe the basic of basics of why you missed it, but they can't get into details and that give you ideas of how to fix that, right? Uh oh well, this is what you need to do to go to fix that, right? Um so uh but those mock assessments, everybody agrees they're they're pretty critical to to having a successful uh certification assessment. And you don't want to go through a certification assessment and and fail it. Um, you know, and what I can tell you is, yeah, you can have some POAM items that you can close out in 180 days, or you have 180 days to close them out. That's great and wonderful. Except the five-pointers and three-pointers, they can't, those can't be POAM'd. Some of the one-pointers can't be POAM'd. You know what can be POAM'd? All the easy stuff. So I, you know, that that kind of defeats the purpose, you know. It's uh all the all the hard stuff that can't be POAM'd, and and um, and so you're you're probably not gonna miss one of the easy things. It's probably gonna be one of the hard things you miss. And if you miss one assessment objective on one of those five-pointers or three-pointers, then you're out of luck. So that's why those uh mock assessments are are critical, super critical. Uh, the other thing they talked about was that what they're finding from a C3PAO's perspective, uh, there's a lot of companies that are not ready. Now, when you back up a little bit and really think about what not ready means, yes, technically these companies are just not ready. Um, but what they're finding is that the documentation uh doesn't hold up to where they want it to hold up to, right? Um one assessor may think some things are okay and another assessor won't, and they may be mixed on some other things.
Um, but you really need to have your documentation buttoned up, and that is the biggest thing, biggest problem uh that is slowing down assessments right now is that documentation piece. Uh or I mean that's a huge piece of it. But anyway, the documentation. Not that documentation is in bad shape, not that uh, you know uh not that you don't have it or anything like that, but uh maybe it's it's not how the uh assessor wants to see it, you know, or um it's not clear enough. Right. Uh so those the documentation is a big, big thing uh of of why people are not um are not moving through those mock assessments and certification assessments.

Stacey

It looks like some hot topics around CMMC like G-code and CUI were discussed. Um yeah. There's uh not a CMMC conference if that's not brought up. So if you could elaborate on what was being said about those topics, um that would be awesome.

Brooke

Yeah, really. There's uh you know, there is

G-Code Debate And Defining CUI

Brooke

a a raging debate over whether G-code uh and and those kinds of uh derived information. I'll I'll refrain from calling it CUI because that's the debate, right? But that derived information that comes from the uh specs and documents that that you may get that are definitely CUI, right? Um you know, there are there are those that say absolutely definitely, if it's created uh in the performance of that contract uh from CUI, right, then yes, that's gonna be CUI. So G-code, unless you can definitely and and uh unless you can definitely say that this G-code is just a small piece that is gonna be a uh regular off-the-shelf product that I sell to anybody, you know, unless you can say that, and unless you can document that and document why you're saying that, then I'd consider G-code uh and the other types of code like that. Uh anyway, I'd consider G-code uh CUI. Uh that is the safest thing to do. Um you may be able to argue your way out of it, uh, but uh there may be an assessor that says, you know, nope, that's that's G-code is CUI. You know, of course that could be one of the uh questions that you ask your you when you're interviewing C3PAOs, that could be one of the questions you ask. Uh I can almost guarantee that uh they will not have a uh very good uh detailed explanation of whether it is or not. Uh the the the short answer is gonna be, well, it depends, you know. So um but if you're if you're gonna say that your G-code is not CUI, then you need to document it very well. And be able to ar argue it articulately, um, if that's where articulately, anyway, uh to the assessor, right? And in CMMC speak, not in manufacturing. Well, maybe in manufacturing speak too, but um they they've got to understand why it's not CUI. So um barring that, barring that really good documented, um, really detailed explanation, be safe and call it CUI.

Stacey

So with CMMC compliance, there's always enforcement. Uh can you delve into what they talked about in terms of enforcing CMMC?

Brooke

Yeah, there's a few things there, but uh really uh I think what we're talking about is um, you know, annual aff annual affirmations. Uh, you know, you get certified and then uh some

Annual Affirmations And False Claims Risk

Brooke

lucky person, uh some authorizing official uh gets to go on annually and say, yes, we're still uh we're still meeting uh uh CMMC uh compliance, right? Uh it was suggested that you have uh you know a company come in and do a third-party company come in and do a uh do a an assessment, right? And make sure that not a certification assessment, but a readiness assessment kind of thing, uh to verify that yes, you still uh meet all those. Because if you do say, you know, yes, scout's honor, however that is, we're still 110, we meet uh CMMC compliance, uh, and uh there is some sort of uh problem, and uh there's a a uh False Claims Act opened up. Um they're gonna if you have somebody that has come in and performed that assessment, you have some arrows in your quiver to say, hey, look, this is why uh I said that I'm still compliant, because we had a third party come in and verify that we are, right? And so uh, but that it can open you up to False Claims Acts. So uh you just gotta be very careful about that and make sure that truly nothing has changed. Truly you're still doing everything you say you're uh we're doing, all the all the ongoing management monitoring and and everything else that you actually are doing that, that's what you're attesting to. So or that's what you're affirming. So just make sure that you're doing that. Um most of these things are opened up by uh most of the False Claims Acts are are opened up by uh not a a breach or something, but but by whistleblower. And I did find one more thing out at CS5, I think it's CS5, it might have been uh CMMC Day, but uh uh they said that if you go look, most of the people who uh filed the False Claims Act, the whistleblower themselves, were were IT people. So uh that are maybe uh unhappy with uh you know the way things are going. So so be careful.

Stacey

All right, Brooke. For our listeners at home and those that couldn't attend CS5 West this year, what is the biggest takeaway that they should leave with?

Brooke

Uh well, one it's a it's a great event. There's a lot of information. There's a lot of people, there's a lot of CMMC movers and shakers there. Katie Arrington was there. Uh she's always great. If you haven't heard her speak, I

The One Takeaway: Do Not Wait

Brooke

would uh I would make it a point of of um finding her somewhere uh and listen to her speak. Uh Stacy Bostjanick, you know, she's great. She wasn't, uh I don't believe she was at CS5. I didn't hear, but I did see her at CMMC Day. She was awesome. Um but there's all sorts of of great things. CS5 West is in San Diego. Uh great place to go. I enjoyed it. Um so it's uh you know it's a good place to go. But as far as the takeaways, takeaways really are that CMMC is here, it's real. Um November really is it's already May, right? So November is just right around the corner. Uh so phase two is uh gonna start in a few short months. Um and uh there is no time to waste. Uh if you want to be part of the DIB, you really, really need to get in on uh making sure that you're uh level two certified and understand that at the most perfect timeline uh starting from scratch, you may get to the point where, you know, you say it's 12 to 18 months to implement. You go do your mock and do your certification assessment, and then you find out that, you know, oh, we need to push the certification assessment because we didn't do well in our mock because we've got to clean up some documentation, right? So um you, you know, documentation is not the easiest thing to do. There's there's a lot of time spent on getting all the documentation right and all the documentation in place and linked together that uh uh how it needs to be done. So uh but the biggest takeaway is that it's here, uh it's off to a huge run and start, um, and it's it's moving forward. So uh don't get left behind. Don't want to sound like uh the sky's falling kind of kind of person, but uh uh it really is off to the races and and coming uh very quick uh and have no clue how much you know how much to listen to those prime contractors that are saying you know, either do it now or you'll get crumbs, you know, but uh they're out there saying that right now. Some of them are so anyway. Biggest takeaway is get busy.

Stacey

Perfect. Thank you so much, Brooke.

Brooke

No problem.

Stacey

If you have questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant,

How To Send Questions And Subscribe

Stacey

stay secure, and make sure to subscribe.