How Small Defense Contractors Can Handle CMMC Compliance
CMMC Compliance Guide, May 22, 2026
59
00:38:26, 26.42 MB



Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we tackle one of the biggest challenges in the Defense Industrial Base: how small contractors without internal IT teams are realistically handling CMMC compliance.

Many small manufacturers, machine shops, and defense suppliers feel overwhelmed by CMMC because they do not have dedicated cybersecurity, compliance, or IT security staff. Instead, employees wear multiple hats while trying to keep daily operations moving.

We break down what compliance actually looks like for smaller contractors, what can realistically be outsourced, what responsibilities still stay with the company, and why buying tools like Microsoft 365 GCC High does not automatically make you compliant.

We also explain why data flow mapping and scope are critical, how shared responsibility matrices work with MSPs and MSSPs, and the biggest mistakes smaller companies make when trying to shortcut compliance.

If you are a small or mid-sized defense contractor trying to understand how to approach CMMC without a massive budget or internal compliance department, this episode will help you build a realistic roadmap.

Welcome And The Small Business Problem

Austin

Hey there, and welcome to the CMMC Compliance Guide Podcast. I'm Austin and I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. So today we're talking about a situation that a lot of smaller defense contractors find themselves in. It can often feel like all these rules and regulations are made with big billion-dollar Fortune 500 companies' budgets in mind. You think? Yeah. It might be. It certainly feels that way. And it might actually be that way. So in today's episode, we're gonna break down what compliance actually looks like when you don't have internal IT, what can be outsourced, what can't, and how small companies are realistically getting this done.

Brooke

Right.

Why CMMC Hits Small Teams Hard

Austin

Let's do it. Okay, Brooke, so let's start with the cold, hard reality. Why is CMMC so much harder for small contractors that don't have an internal IT security or compliance team?

Brooke

Well, really the biggest thing is they just don't have the resources, right? And in small companies, we're no different, right? In small companies, the people have a tendency to wear more than one hat, right? So, you know, a lot of very small contractors may not even have anybody dedicated to IT, and they just kind of do the best they can. They may have an MSP, or they may have an internal IT person that kind of does everything. And when you have an internal IT person or two, really they're stuck on just, you know, fixing the printer, fixing Outlook, and all those kinds of things, right? They're focused on those day-to-day things, and they don't really have time to delve into something as in-depth as CMMC compliance. So CMMC compliance, or any kind of compliance, really, but CMMC compliance, there's a lot to it. It takes some time to read it, really understand it, and then apply it to your business, right? You can't just read through a little hundred-page document and figure out how to do it and you're off to the races. That's what us IT guys like to do: let's just read the white paper and let's go. And it's great if you can do that, but with CMMC, that isn't quite possible. Add to that the fact that you've got to have good visibility into all the systems, you've got to understand how each department conducts their business, where data flows, where it actually flows, not where you think it flows, because almost all the time the CEO and/or the IT guy or whoever may be in charge of the systems, they think something is happening, and it's either different or more things are happening with the data than they really realize. So it's a resources problem. It's tough to handle.
Add on top of that, if they have outsourced IT, an MSP, for instance, then very likely, well, there are very few MSPs in the country that really focus on CMMC and really understand it. So they have a tendency to be a normal IT guy, right? And I say that because, you know, that's me, right? They have a tendency to be a normal IT guy and just look at the technical controls and go, I can implement this, and get it implemented. And then, well, most of it is really documentation. Technical controls, you gotta have those in place, but the documentation is really what matters.

The GCC High Tool Trap

Austin

So something I see, because I do a lot with the intake and talking to our customers, I guess before they become customers, one of the most common things I see is, you know, a company will often just go buy GCC High and just assume that they've got it covered, right? And I guess, well, I'll not answer my own question. I'll let you answer it. Where does that thinking go wrong? That you can just go buy GCC High and, you know, you're most of the way there.

Brooke

You know, that's the whole falling into the buying-a-tool-to-solve-the-problem trap, right? And buying that tool before you really understand the problem. You've got to start with your data flow. And before you actually start with data flow, or as part of your data flow, however you want to phrase it, you really need to understand what kind of CUI data you have and why you have that. Is it dissemination controlled, restricted, or not? Do you deal with ITAR or EAR or NOFORN kind of data? What exactly kind of CUI data do you have? So, you know, CTI, controlled technical information, is common for manufacturers, of course. And a lot of those, they're gonna be dealing with ITAR. They already know if they're dealing with ITAR; they've been dealing with that for a long time. But likely some of that ITAR data will be CUI under CMMC. So they need to know that. And typically people don't have real good insight from their customer, whether it be the government or especially a prime. They may say, yeah, there could be some CUI in this documentation you get for this project, for this contract, right? And that's not very helpful. It really needs to be marked. In fact, at one of the conferences I was just at, they talked about the real need for portion marking from the government, right? We need this portion marked to say these things are CUI, these are not. That would really help, because look, a lot of the questions we get are, well, what is CUI? And how do I know if it's CUI? Well, if I take this out of that, if I make this little piece of it, is it still CUI? Is G-code CUI?
And the question is always, it depends. Let's talk about it. And then the answer a lot of times is, not really sure, but since we're not really sure and don't really understand exactly what is CUI, then you should treat it as CUI. And especially if you can't get those detailed answers from your contracting officer. But back to your question about Microsoft 365 GCC High. It's a great tool to use if you want to use it, but you've got to do your due diligence first. You've gotta do your data flow, figure out where the data comes in from, where it goes to, all that kind of fun stuff, and see if GCC High would even fit your environment. It'll fit it in some manner, I have no doubt. Would it fit it enough to take enough burden off of you to make it worth it? A lot of times that answer is no. And you can find a less expensive, better solution to take care of the part that GCC High might be handling for you. So the trap with a tool like that is that a lot of people just go in and say, yeah, I need to get... I see it on Reddit quite a bit.

Austin

But you know, I was about to say, I was like, I don't know where this comes from. Like, I want to go find that guy that's probably on Reddit, and I want to go edit it and say, before you go buy GCC High, let's look at scope first. Yeah. Yeah.

Brooke

You know, that does fit a lot of people. Or I don't know what a lot is, maybe a quarter, a half, a third, I really don't know. But I can guarantee you, for a lot of the manufacturers and construction folks, GCC High won't fill enough of the need. So you've got to do that data flow diagram and understand what kind of CUI you have first.

Identify CUI And Map Data Flow

Austin

So obviously if you're a smaller company, it is a bit of an overwhelming task, and there can be the natural proclivity to outsource something or, you know, take some of the burden and put it on someone else, right? Right. And so if a company doesn't have internal IT, what parts of CMMC can realistically be handled by external providers?

What You Can Outsource Safely

Brooke

Well, a good bit of it. You know, if you hire an MSP, now I'm gonna say this with the understanding that you need to get somebody that understands their part in this, understands CMMC and what they can do and what they can't, what tools they can, here we go to the tool discussion again, but what tools they're able to use and what tools they are not able to use. But an MSP can handle managing your workstations, the continuous monitoring, they can handle your AV, you know, AV is kind of an old term, but anyway, they can handle your AV, they can handle your backups, they can handle your SIEM, maybe. There's a lot of things that they can handle for you, right? But again, they have to understand their part in it, and they also will have to understand that when you get your assessment, they'll be in that assessment with you. So it may be one person or two people on that call with you, and the other thing you have to understand is that when that MSP is in that assessment with you, and we always suggest a mock, so it's gonna be the mock and the certification assessment, that likely could be over a hundred hours right there. So there'll be some project charges, I'm sure. You have to understand that, but most importantly, they have to understand that. They have to understand that they'll have to answer a lot of questions. An MSSP, managed security services provider, they're more specific to security things like managed detection and response or SIEM and a SOC. SIEM is log monitoring, security event and information monitoring. SOC is a security operations center. MSSPs can provide those services. Sometimes an MSP also provides those services. But then you can get an RPO, a registered practitioner organization, that helps you implement and guides you through and makes sure that everything is covered, that you're doing everything you should, that the MSP is doing everything they should.
I'm sure that there are different capabilities of different RPOs, but some RPOs can also help you with all the policies and all that kind of fun stuff, your SSP. So you can outsource quite a bit of it. But I think this other question is gonna come up here in just a minute. That doesn't mean that you should shirk any responsibility or just let them handle it and not pay attention to it. But there's quite a bit that can be outsourced to someone else. Funny that you bring that up.

Austin

Yeah, funny that I bring that up.

Brooke

That that just might be one of the next questions. Right.

Shared Responsibility Matrix Basics

Austin

So as he alluded to, there's a lot of different responsibilities when it comes to making sure that the compliance gets compliant, you know, everything's done properly. And you can't fully abdicate or, you know, outsource everything. You as the company are going to be responsible for at least a small but significant portion of that. So which comes in the idea of the shared responsibility matrix or the CRM. So if multiple parties are involved, how do companies keep track of who's responsible for what?

Brooke

Well, that's a good point. And I'm glad you brought up the shared responsibility matrix, because I did not bring it up on the last question. So the shared responsibility matrix, we call it an SRM, but now the government changed and they call it a CRM. For the government, that's a customer responsibility matrix. For everybody else, a CRM is a customer relationship management platform, right? But for the government it's a responsibility matrix, okay? So having that responsibility matrix is very, very important for your MSP, for an MSSP, for an RPO, whoever might be helping you. A responsibility matrix will list out all the controls and hopefully all the assessment objectives and say, this is our responsibility and this is your responsibility, right? And that's actually required. An assessor is gonna want to see that if you have an external service provider helping you in some way. For those cloud services, the CSPs, the cloud service providers like Microsoft 365 GCC High or, I was gonna say PreVeil, but that's the next one that came to mind, anyway, any of those that are FedRAMP authorized, you can get their FedRAMP package from them and have that whole package. If they're FedRAMP equivalent, like PreVeil, you still get a package from them and you'll still get that responsibility matrix, so you'll know what you're responsible for and what they're responsible for. The same thing for MSPs: if an MSP is helping an OSC, an organization seeking certification,
so, you know, a manufacturer or a construction company or something, if they're helping you manage things, whatever tools they have, they're gonna have to have a responsibility matrix that says this is what the EDR vendor does, this is what we do, and this is what the client does. So they should have that. And if you can't get that from the vendor or the MSP, that's a problem. So you really do need to have those responsibility matrices. And as far as what else cannot be outsourced, the assessor is gonna be asking you questions. They're not gonna be asking the MSP or MSSP. The MSP and MSSP absolutely can and should be there to answer questions, give detailed answers if needed, all that kind of fun stuff. And depending on what they do for you, they may have this much of a part in it, a small part, or they may have a giant part in it. But the responsibility of that, the accountability of that, falls on the company, right? Not the MSP. The company may think, yes, we outsource everything to this MSP, and so they take care of it, they can answer all the questions. That's great, but you're still accountable. You need to make sure they're doing what they say they're doing, right? And how do you do that? There's all sorts of ways, you know, quarterly meetings and stuff like that, the responsibility matrix, but you've got to make sure yourself that they're doing what they say they're doing, right? In fact, that's what CMMC is about. This is what we say we're gonna do, this is what we're doing, and this is proof of what we're doing, right? So you can tell that we're doing what we say we're doing.

Austin

Mm-hmm.

Brooke

So absolutely. You've got to understand, you've got to be able to answer those questions, you've got to know those policies, you've got to know the tools that are in place. You may not be able to show them how the EDR is configured or how 365 GCC High is configured, but you can at least say, yeah, we've got 365 GCC High, and my MSP can tell you about how it's configured.

Cut Costs By Shrinking Scope

Austin

So with CMMC, we know that cost is a big concern for everybody, especially even more so for smaller companies, because they don't have the same resources, like I'd mentioned, of the billion-dollar Fortune 500 or whatever companies out there. So what is the most effective way that a smaller or mid-sized company can keep the cost of CMMC as manageable as possible?

Brooke

Right. So there's a word that I'll use here in just a minute that you and I have a little bit of an issue with, but I would say make your scope of where CUI is handled as small as possible. Sometimes, for small companies, maybe you can only scope out a little bit. But make that scope as small as possible. And you'll again start off with knowing what kind of CUI you have. How do you know that? Don't just guess, don't just say, well, they told me. Find that out. Find out what kind of CUI you have. Then your data flow diagrams: draw your data flow diagram out and think about every system that it goes to. Not just it goes from the cloud to my computer, or it goes from my cloud to the server. Well, okay, where does it come from in the cloud? What does it go through? How does it get onto that server? Do you download it on your computer first and transfer it over there? You've got to think about all those systems, right? It could be your ERP system, it could be a file server, could be both, it could be customer portals, it could be secure email, there's a million ways it could be, right? But you've got to draw that data flow diagram out. Now you may draw that out and go, oh, holy crap, we need to clean that up a little bit. And you may decide that you want to tighten that up a little bit, which is a lot of the time how it goes, right? But you need to at least start off knowing how data is currently flowing. So once you do that, you can decide how you want to make that scope smaller.
Now, a lot of people talk about enclave, which is the word I was talking about that you and I, we use it all the time, but we don't really like to use it, because it gives a different connotation, a false impression of what it can be. Yes, false impression, right. So you think of an enclave, and my enclave is this little circle here and all the data's in there. How do you get that from there to your CNC machine? Well, download it and then put it on a USB and then I plug it in. Or download it, put it on the server, and they connect over the network. Well, guess what you just did? You expanded your scope. It is not just that little enclave. So you got to think about your enclave. Typically, there are some companies that can do just an enclave with virtual desktop infrastructure, or VDI machines, where they don't have a copy and paste capability, they can't map drives, they can't do anything. It really is all in the cloud. If you can do that, more power to you, that's great. But if you're a manufacturer and you have to get that information out to machines, you've got to figure out how you're gonna get it out there, right? And so that typically expands your scope beyond your enclave. Or it expands your enclave, however you want to phrase that, however you want to look at it. It's not just the simple, clean little enclave that some vendors tell you: hey, just implement an enclave, and we'll cover 80% of your controls, and you got them, you're good. That's great. But if you can do that, even if they do cover 80% of the controls, what about all the documentation that goes with it? What about all the ongoing monitoring? Who does that? Where does it go? How does it get updated in the documentation? How do you know all that kind of fun stuff?
So you gotta think about all that. But an enclave or a smaller scope, however you want to phrase that, is the best way to reduce cost for you.

Austin

Sounds like you're pro-enclave. I am pro-enclave.

Brooke

You just got to understand the definition of enclave. Right. What's the meaning? What is the meaning of... it depends on what the meaning of the word "is" is.

Austin

Somebody said that. Right. What are some of the biggest mistakes we see smaller contractors make when trying to do this without internal IT?

Common Mistakes And What Works

Brooke

We just talked about a lot of them. So really the biggest mistake is they try to buy a tool to solve the problem. They don't take the time to understand what kind of CUI they have, where does it live, where is it processed, how is it transmitted, which is a data flow diagram, right? And so they don't take the time to understand all that, and maybe they don't know to understand all that, but that's the biggest mistake we commonly see. They may even know that it lives on my server. All right, well, how does it get there? Where does it go after that? And what do you mean on your server? Is there an ERP, MRP, is it a file server? How do you have that going, right? So it really is just not understanding what kind of CUI and not understanding the data flow. And I guess the other thing that leads into is thinking that a tool can solve the problem. That's a big mistake, but it's preceded by what we just talked about, right? So a lot of people just say, yeah, we're gonna buy GCC High, we're gonna put it in place, and we'll be good. Yeah, but all your data doesn't live in GCC High, so how are you gonna cover that? So those are the mistakes I would say that we see most often.

Austin

What do you see our most successful smaller contractors doing when it comes to really achieving compliance and getting down the path of actually doing this in a manageable way that actually gets you compliant, and not just, you know, saying we are, and can actually exist in their workflows on a day-to-day basis in their business? What do you see those smaller companies that are actually being successful with this doing?

Brooke

Well, generally those smaller companies are the ones that don't have the internal resources to take it on. And even if you have a person you can assign to it, you have to realize how much time and effort it's gonna take just to understand CMMC. Understand what all the controls and assessment objectives mean, and then find the tools and be able to implement them and come up with your documentation. How do you write the policies? How are those assessors gonna want to see them? How do you fill out your SSP to where an assessor will give you the thumbs up on it? How do you do all that? That doesn't happen by just reading the assessment guide. So it really takes a lot of time to really delve into it and understand it. So the most successful companies hire somebody to come in and help them. And you gotta be careful about who you hire, of course, but generally you want a CMMC Certified Professional or a CMMC Certified Assessor to come in and help. If the company's a registered practitioner organization, an RPO, that's great. But you also need to make sure they have some other experience and other certifications on hand, right? Because an RPO is just like the basic entry level to be able to help you. It also helps if they've been through an assessment or a mock assessment, or been part of an assessment or mock assessment, because they'll know how those assessors want to see things. It's one thing to understand everything, but it's another thing to understand how the assessors want to see it, right? How do I design this policy to where it's not too restrictive, but it still answers all the questions that the assessor wants to see and addresses all the controls?
So you've got to know how to write those policies, you've got to know what the assessors want to see. And so the most successful companies out there, the smaller businesses that we see, are gonna be hiring somebody, hiring a company to come help them, and hiring one that they've vetted, that knows what they're doing and has been in the CMMC space and has been through mock assessments or assessments or been part of them or something like that. That's what we see being most successful.

Austin

I'll add one. I know I asked the question, but I'll answer my own question as well. I was just talking with one of our engineers, and I was actually a little late to the podcast because... You were, I had to holler at you, yes. My apologies. But yeah, we were just talking about some of our customers and people that we work with, and how it's funny how some of them may have, you know, one company that has half or more of their business in the defense space, and they just do not take compliance seriously. They don't see it for what it is, the rules; they try to find ways around it, how they might be able to attack it a different way. And there's value in finding novel solutions to things. I'm not saying there's not. But then you'll have another company that is really eager and has a smaller portion of their business, maybe 10-15%, that's defense, but they're like, I see this as an opportunity, and so they really want to attack it and achieve what the compliance is trying to achieve, right? And they were thinking about it the right way. It's like, how do I actually design this in a way that I can make this work in my business? I know I'm gonna have to do all this other crap, all this compliance crap, but how do I make it easier, right? So that we can do this securely, compliantly, but as easy as it can be within those constraints, right? And so I would say a successful company has the right mindset around compliance. So if you view compliance as, okay, like it or not, we gotta do it,
so let's do it with the full intention of actually meeting the rules and following the rules and understanding that we can't just get an enclave and then put it in our downloads folder and just ignore that, and the computer's not part of scope, things like that. I think mindset is a big piece of companies being successful, because then you can get proper decisions made and things move quicker, and it really just helps the larger organization out.

Brooke

It does. It does. You know, one of the other things, kind of related to everything we've been talking about, but when you take those things seriously and when you hire somebody that knows what they're doing, this will kind of happen by nature. But the process needs to be structured, needs to start from step one, don't try to skip steps. The old phrase measure twice, cut once, that holds true here too. If you plan properly and you go through and take time to understand everything and to implement everything properly and to get on that right path, and it's a different culture than you've had, so get on that right path to a different culture. Then once you pull the trigger and you make that cut, I guess, you're gonna be in a much better position than trying to hurry things or skipping past a few steps or thinking about that tool first. You know, hey, we bought Microsoft 365 GCC High, and we're gonna use that. And so now I want to hire you to come in and help me out. Well, great. Let's back up. Let's do a complete gaps analysis and figure out what kind of CUI you have, why you think that, and do a data flow. You gotta start at the beginning. You can't skip past that. And companies that we bring on, even if they think they're down the path a little ways, we always stop and back up, because we don't know. So we always stop, back up, do a gaps analysis, figure out where they're at, and then ask them about, you know, what kind of CUI you have, let's draw a data flow diagram, let's see what that looks like, and get that all taken care of. And then you have a really good idea of how you can proceed, right? But you gotta start at step one. You can't skip past that.
So again, the whole measure twice, cut once.

Austin

Yeah, so I got another one of my seemingly unrelated anecdotes to share here. But I warned about it this time.

Brooke

So hey, at least, you know, "measure twice, cut once" fits for manufacturers, because a lot of them cut things.

Measure Twice Cut Once Mindset

Austin

So, you know, yeah, yeah. True, true. But I was... so you know those curb numbers on your house, right? It says what number your house is, right? So when we bought our house, it didn't, right? There's just nothing there, right? And, long story short, decided to... you know, I was like, yeah, I can do that myself, right? Easy deal. So bought a stencil, you know, got the paint, and then I taped it off. We just did very simple, you know, black and white. So put a white background, sprayed that on, and then stenciled on the black numbers. And I was sitting there, you know, taping off the curb, and I was like, you know, I might overspray on this a little bit. And so I put like two rolls, two strips of tape, and I was like, ah, that's probably fine, you know. It's not that bad, you know, it's just a curb, whatever. And so I go about my business, and then I pull it all up, and it's kind of bright that day, you know, sun shining, and then I come back the next day, and it's just the most egregious overspray. Like there's blank concrete, and then there's where I intended to paint, and then there's just a crap ton of overspray white paint on the curb. And I was like, every time I do this, like I always do things to try and do it right, and then, you know, I was in a rush that day, and so it's like every time I, you know, am in a rush or I try to cut corners, like it bites me in the rear every freaking time. Right. And here it is, I got lured into it again, you know, and so what did I have to do? I had to spend like the next, you know, day or two applying paint stripper and then spraying it off and getting all the overspray off, when I could have just spent, like, maybe not the first time, another 30 seconds to just do a couple more layers of tape to catch the overspray. And I didn't. I was like, it'll be fine. And so anyway, so don't do that to your compliance, because it'll be even more expensive than that, you know, that paint.

Brooke

We have another story about building a deer blind that that kind of stuff happened with too.

Austin

So it's... hey, that deer blind's fine.

Brooke

There are some crooked boards, but, you know, it is still standing after I don't know how many years, but it's still up and it is very, very heavy. We had some 70 mile an hour winds, and I was worried about it being blown over and went out to take a look at it. Nope, it's fine.

Austin

There's a reason we built it in place. Yes, yeah.

Brooke

But it is not necessarily the straightest thing, and the windows could use some help, you know, but anyway.

Austin

Deer don't like, you know, when things are, like, you know, straight right-angle objects. So there you go. You want it to be wavy, and, you know, that must be it. Yeah, so that was intentional. So if someone is listening right now and they actually made it through all of my anecdotes and the deer blind situation, and they don't have an internal IT team, what's the biggest takeaway they should take home today?

Biggest Takeaway And How To Get Help

Brooke

Well, the biggest takeaway is that CMMC is still achievable. Yes, you'll have to spend some money, but it's either money or a whole lot of time and a whole lot of learning. And I can tell you, with a whole lot of learning and time, that failure is gonna happen, and not necessarily a failed assessment, could be, but, you know, that knowledge gap takes a while to overcome. So it is achievable. You will have to spend some money on it. There is a lot of labor involved, and you just have to understand that going in. But, you know, do your due diligence, make sure you hire somebody that is in that arena and understands and knows. Particularly, you know, look for CMMC certified professionals and CMMC certified assessors. That will help out a whole bunch. People that have either been part of or been through a mock assessment or a real assessment, or certification assessment, I should say. So that really helps out to do those kind of things. And then you've got to also understand that you can absolutely hire somebody to come in and help you with this, and they can do a lot of the heavy lift for you. You still have to be a very active part of it. You still have to understand it. You're gonna be asked the questions, you've got to remember that, and you've got to take that into account. We make our... I say make, I thought that may not be the right phrase, but we have several meetings with our clients and go through several hours' worth of developing the policies and the SSP and deciding on solutions and all that kind of fun stuff. So they're part of that. I can't tell you that they all stay awake, but they are part of that. And so that's what they need to do. That's what you need to do is make sure that you find somebody that will bring you through this and make you part of that process with them.

Austin

So, absolutely. Well, thank you, Brooke, for your time today, and thank you guys for joining us. If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.