How to Triage CMMC Compliance When You’re Overwhelmed and Short on Time
CMMC Compliance Guide, January 23, 2026


Submit any questions you would like answered on the podcast!

When CMMC compliance starts to feel overwhelming, most companies don’t fail because they lack effort, they fail because they don’t know where to start.

In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey break down why CMMC feels so urgent and high-risk for small and mid-sized DoD contractors, and how to triage your compliance work so you can make real progress without burning out.

This episode covers:

  • Why starting at control 3.1.1 is a mistake for most companies
  • How poor scoping makes CMMC feel impossible
  • What assessors actually prioritize first
  • Which controls are non-POAMable and must be addressed early
  • How to reduce scope without cutting corners
  • When tools help and when they waste time and money
  • How to approach SSPs, policies, and POAMs the right way
  • Practical steps small teams can take to regain control of CMMC


If CMMC feels like everything is urgent and nothing is moving fast enough, this episode will help you slow down, focus, and build a plan that actually works.

Stacey:

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about the moment most DoD, or DoW now, contractors hit a wall with CMMC. Everything feels urgent, everything feels high risk, and no matter how hard you work, it still feels like you're falling behind. If that sounds familiar, this episode is for you. All right, Brooke, let's dive into it.

Brooke:

Let's do it.

Stacey:

Why does CMMC feel so overwhelming for smaller teams?

Brooke:

Well, because it is overwhelming. Because it's a lot. You take a look at it and you have no clue where to start. Even if you've tried to get started, it just feels like one huge thing after another. You try to start at 3.1.1 and work yourself through access control, and it's just a beating trying to figure all that out. And I understand, it's a lot. People have a problem because they haven't done their homework, the initial homework that you really need to do, which is figuring out what kind of CUI you have, what all is CUI, and what CUI touches in your systems: your computers, your servers, your ERP, your cloud solutions. What does that CUI touch, or what touches that CUI? That's where you really need to start. But a lot of companies just say, well, I do work for the DoD, so it's everywhere and everything, and everybody's in scope. That's not exactly the case. I guess it could be, but it's not necessarily true. So a lot of times you're not properly scoping; the scope's way too big. Sometimes the company is pretty mature as far as cybersecurity goes, and you've got a lot of those cybersecurity tools and everything in place like you're supposed to. That's great. Where almost everybody fails and needs a lot of help is the documentation, because what do we say? Documentation, documentation, documentation. There's a lot of documentation that goes with this, more than any sane company would do on their own. You've got to say, this is what we say we're doing, and you have proof: this is the proof that we're actually doing what we say we're doing, right?
And so it's all just a huge, huge thing to tackle at first if you don't take it one small bite at a time.

Stacey:

So what are the biggest mistakes you see companies make when they're feeling that pressure of CMMC compliance?

Brooke:

Really the biggest mistake people make is probably just not having a full understanding of CMMC, starting at 3.1.1, trying to dig in and understand what exactly is the process they're talking about. You get lost in the weeds really quick. So that's really the biggest thing: not understanding the whole process. Again, not having it scoped properly and thinking you've got to address everything, and well, how can you address everything if X, Y, and Z? So that's really the biggest problem: not understanding the whole thing and just diving in and starting at 3.1.1 and going from there.

Stacey:

So how do assessors decide what really matters first?

Brooke:

Well, if an assessor is helping you get this done, they're going to look for low-hanging fruit. They're going to look for those non-POAMable items, for big-ticket items you can knock out, like getting five-point controls taken care of, or three-point controls taken care of. Knock out those big things, knock out the things that are easier to take care of, and then work your way down the list. Some of the things that aren't POAMable just make you immediately fail an assessment. One is if you don't have an SSP created. Lord help you if you don't have an SSP and you think you're farther down the road than you are, because if you don't have an SSP, immediate fail, don't pass go, no questions asked. So, SSP; MFA in place on the systems that touch CUI and on those admin accounts, accessing CUI over the network, all that kind of fun stuff, so multi-factor authentication; FIPS-validated cryptography is going to be one of those, except that there are things, some firewalls for instance, where you may be able to have it in FIPS mode but then have to come out of FIPS mode to install the latest security update. That's okay as long as you can show that you have been in FIPS mode and that you have an operational POAM to get it back into FIPS mode whenever an update comes out that has FIPS mode capability again. Controlling public information is one of those; it's not POAMable. So look for the controls that you can't put on a POAM and try to knock those out first, get those done.
Once you do your scoping and know what CUI you have, figure out what systems you really do want in scope. You may start out with your whole company in scope and then decide, oh, you know what? I can squeeze this down from 100 machines to six machines here. If you can, great, that's wonderful. If you can't, and every one of them touches CUI except for accounting and HR, then it's going to be a big scope. But if you can at least scope out accounting and HR, for instance, that'll keep some of those controls off. Once you get that scope down right, start creating that SSP, describe how things are handled or are going to be handled, and put things on the POAM. Then you'll have your POAM items; look at the ones that are not met and need to be taken care of, the ones that you can't put on a POAM that are not met, and get those addressed first.

Stacey:

All right, Brooke. So for those overwhelmed companies, where is a good place for them to start?

Brooke:

A good place for them to start really is once you know your CUI, what kind of CUI you have, and by the way, you should figure out how you know that. You've got to know it, not think it. "I think I have CTI," "I think I have ITAR data," which is not a CUI category, but "I think I have this, that, or the other." Well, you look in your contracts, right? And talk to your contracting officers. Try to figure out what CUI you have. Go through and scope everything. After you've done that, scope everything out. Look at how it is now and how you want it to be, because chances are you're going to want to change some things up and bring that scope down a little tighter than it might otherwise be. So really look at scope; try to get that scope as small as you can. Some companies that have five, ten, twenty, fifty users, it's really hard to make that scope a lot smaller than your whole company. Larger companies than that, you generally have a large enough workforce where you can scope that down into a small area. Then again, the percentage of business that you have with the DoD, DoW, sorry, that matters too. But scope. Scope is a big thing. Make sure you have your scope correct.

Stacey:

So, Brooke, once scope is under control, what comes next?

Brooke:

Well, once scope is under control, you really want to do an assessment and go through, maybe start your SSP, so you can get some items on the POAM and figure out what you need to do there. Then once you have your whole POAM listed out, you can look at the controls that are not POAMable. That's going to be all the five-pointers, all the three-pointers, and a few of the one-pointers. Look at those, see which ones are easier for you to address, hit some of those five-pointers, hit some of the three-pointers, and start going through that list. I wouldn't necessarily start with 3.1.1; for instance, it is a five-point control, so you can put that one on there, and that one by itself is not necessarily hard, but I wouldn't necessarily go through and do all of access control first. For whatever reason, maybe it's just me, but that seems like a beating, just trying to get through all of access control, if this is your first time trying to go through it with your company, or it's somebody you're helping, a new company, or you're trying to understand everything. In any case, look at those non-POAMable controls and figure out which ones you can hit and get done first.

Stacey:

So Brooke, in your experience, where do the companies that you've worked with, seen, and talked to waste time on areas that don't really help them out in their CMMC journey?

Brooke:

Where folks waste time is they don't get a good grasp on what needs to be done, and they don't get a good scope of their system. Again, you start off with knowing what CUI you have and knowing how you know you know that. Is that too many "knows," knowing how you know you know that? Anyway, knowing what kind of CUI you have, where it comes from, how you know that, and then scoping your system. If you've got all that done... A lot of people want to jump right in: this is overwhelming, let's get a tool to help us out. So they go spend 20, 40, 50, 100, 200 thousand, whatever it may be, on a tool to help them out, and the company says, yeah, put all your CUI in here, CUI in a box. And I'm not degrading those solutions; there's a lot of good ones out there that you can use. You just have to understand how to use them. So I would recommend, again, scoping everything out, figuring out how you want to handle that data, because likely it's not necessarily how you handle it today. Your business processes are probably going to have to change somewhat. So if you want a tool to help you out, great, but I almost guarantee you, especially for manufacturers, and for construction companies too, you're not going to be able to buy a tool, have all your CUI in that tool, and have everything be hunky-dory and nothing else in scope. That rarely happens. I'm sure it does happen for plenty of people, but for manufacturers, that's hard to do. It's hard to do for construction companies, I can tell you that. You've really got to figure out what you need and what tools can fill those roles. So don't just go out and buy a tool and then figure out what else you need. Figure out what you need and where tools might fit in.
Another thing I might say is, I'm a big fan of keep it simple, stupid, right? The KISS method, for policies, for everything. You can write an SSP that's 400 pages long if you want to. You can write a policy that's 300 pages long, but it's not really doable, because nobody's going to go read all that stuff, right? Well, an assessor might, but your employees aren't really. I mean, are you really going to expect them to sit down and read that stuff once, twice a year, whatever it may be, to make sure they know the policies they're supposed to know? So write those policies as concisely as possible while still making sure you have all the details in there. The unfortunate thing is they're probably not going to be one-pagers. I'd love to have one-pagers, but that's just not possible a lot of times. So making sure you keep everything as concise as possible, easy to digest, that's really important. The other thing that people spend a lot of time on, speaking about the tools again, is when you go look at vendors, looking at all these vendors and trying to figure out if they meet controls. A real simple deal is understanding whether they're going to process, store, or transmit CUI, and whether it's in the cloud or on-prem; all those are going to matter. And whether they process, store, or transmit SPD, security protection data, which would make them an SPA, a security protection asset, in which case they have to meet all the controls that they help fulfill, right? They don't have to meet all 110, but they do have to show how they handle the controls that they help fulfill to protect that CUI data.
So, for instance, if you're evaluating cloud vendors for CUI, they're either going to need to be FedRAMP Moderate authorized or equivalent, or higher. If you're looking for a vendor that can help you with a cloud platform for some sort of SPD, say for instance a SIEM that may be based in the cloud, you're going to want to make sure that vendor has a CRM, a customer responsibility matrix, that's based on NIST SP 800-171 and CMMC, so you can show the assessor: here's their responsibilities and our responsibilities for this tool and what they cover. So you're just going to want to cut to the chase and start there. If this is meant to help with CMMC, don't even talk to anybody that doesn't meet those right out of the gate. So those are really big things.

Stacey:

So for the companies that have limited time and resources, what is the best way they should approach policies?

Brooke:

The way to approach policies is, again, you may have to change some of your business processes, but write down what you do, right? This is how we handle reviewing logs, this is how we handle reviewing authorized users, this is how we onboard new employees, whatever it may be. Write down what you do, and of course make sure it covers all the assessment objectives in the control, or all the controls that matter for that policy. Then the other thing is, if you write down what you're doing, you have a lot better chance to make sure that you actually do it. But the second part is you've got to make sure that you actually do it and that you have a way to capture that you perform those things. It can be email, although that's kind of messy and hard to search, so I don't recommend that, but it can be email. Some things can just be an Excel spreadsheet where you keep logs. But you've got to have some way to prove and show that you're doing what you say you're doing.

Stacey:

A lot of people hope POAMs will save them. What's your take on that concept?

Brooke:

Well, POAMs only... if you're going through an assessment, POAMs will only save you for six months. So if you don't have that POAM cleared up in six months when you've got an assessment, they will just declare those not met and you will have failed your Level 2 certification. If you clear all those in six months, you get your all clear, you get scored, and you're good. A POAM, a plan of action and milestones, is one thing. An operational POAM is something else; it's still a POAM, but it's for those items like what we talked about a minute ago, the FIPS mode for, say, a firewall, or Windows 10 or 11. Well, not 10 now; hopefully you don't have Windows 10 in your environment anymore. But Windows 11: there are no currently supported versions of Windows 11 that have FIPS mode that are FIPS validated. There are in Windows Server 16 and 19, and I think there are some modules for 22, but 25 has no FIPS mode for it, no FIPS validation, excuse me, for it. It does have FIPS mode, but it's not FIPS validated. So if you have to take your firewall out of FIPS mode to install the latest patch, they would much rather you have the latest patch and be secure than have FIPS-validated cryptography. Things are still going to be encrypted; they're just not going to be encrypted with FIPS-validated cryptography, necessarily. Not having FIPS-validated cryptography is much better than not having the latest security update, right? The same thing goes for Windows 11. If you have Windows 11 in your environment, which if you're listening, you probably do; I can't imagine you don't, unless you're an all-Linux or all-Mac shop or something like that.
But there are no Windows 11 versions currently supported that have FIPS validation, so that will go on your operational POAM. And the firewall in this instance would go on your operational POAM. On your operational POAM: this was in FIPS mode and we had to bring it out, or Windows 11 may not have ever been, but whenever FIPS validation comes out for this operating system, for the firmware, for the firewall, whatever it may be, we'll install it and get it back in compliance. So that's an operational POAM. They made an exception for that because they understand that FIPS mode, FIPS-validated cryptography, can be an issue sometimes. So operational POAMs for those kinds of things are the way to go. But as far as a POAM goes, if you bring an assessor in, and there are other ways to handle this where this doesn't happen, but if you bring an assessor in and they say, you haven't met all the controls, but you did meet all the ones that are not POAMable, so you've made a minimum score of 88, for instance, to be able to have a POAM and have the opportunity to fix it. If you're in that position, that's good. You have 180 days to fix those controls before they come back in and finish the assessment. Or before they call you back and say, hey, Stacey, we're ready to come out, and you say, well, we're not quite ready for you, and they say, well, tomorrow is the cutoff date, you're going to be rated by tomorrow, and you say, well, no, I'm not, and they're going to say, well, I'm sorry. They won't bother coming out, but anyway, you won't pass the assessment. But the 88 will give you 180 days. What I'll tell you is a way to keep from getting there in the first place.
Well, a way to get there in the first place without having that happen to you is to spend more money. What I mean by that is you can do a mock assessment, and that mock assessment will cover everything, but it's basically off the record. They'll say they can't give you any consulting, they can't tell you how to fix the things that are not met, but you can make a score of 20, and it's okay. Well, it's not really okay, but it's okay. If you think you're ready and somebody comes in and gives you a mock assessment and you score 20, I would question a lot of things. But the point is it doesn't really matter for a mock assessment; they'll show you everything you've not completed, and in a lot of cases they can tell you why. They can't tell you how to fix it, and they can't give you any sort of guidance, any sort of nudge one way or the other, because that's consulting, and they can't do that. A mock assessment is a C3PAO coming out and doing an assessment like normal, except that they don't formalize it, upload it, or anything like that. And then the second part of that is that they are going to be the ones that actually do your assessment. So that's a good thing, if you have a C3PAO come out and do a mock in preparation for the real assessment, because they're the ones that are going to be doing the assessment. They can tell you where you failed, where you've not met controls. So that's a huge help there. It is more money, but especially in the early days for CMMC, that's really worth it.

Stacey:

All right, Brooke. So wrapping everything up, what's the biggest takeaway for our listeners at home?

Brooke:

Well, the biggest takeaway, and I'm going to sound like a broken record, but it really is where you need to start. The biggest takeaway is: start with knowing what kind of CUI you have. And when I say know, you've got to know it, not think it. "I think I have controlled technical information," basic controlled technical information or whatever it may be, or specified. You need to find out. A lot of it is probably pretty common sense, but you need to know why you know, and verify that. So know the type of CUI that you have. Second thing is scope your environment. You can start figuring out scope, and the likelihood is that you're going to say, you know what, we're going to scope this down from everybody and everything to somewhat less than everybody and everything. So figure out what the scope needs to be, because it may not be that currently. Figure out what it needs to be. Then go through and start writing your assessment, excuse me, start writing in your SSP: this is how we're going to fulfill all the controls. With that, you can say met or not met, and you can put things on the POAM. I would say a lot of those things you can put on the POAM at the assessment objective level rather than the control level. A lot of things you can probably get away with just putting the control on there, but some of the assessment objectives you might have covered, so you can put the assessment objectives that are not covered on the POAM. Once you get the POAM all done and you have everything listed out, then from there you can look at the ones and say, if I implement PreVeil and I use it this way, I can cover these controls, and they'll give me some inheritance, partial inheritance, for these things, right?
And you can start going from there and looking at what projects may come out of those. You can lump those POAM objects, either the controls or the assessment objectives, into different projects. A lot of it is documentation, a lot of it is policy, especially at the assessment objective level, so you can take all those and throw them into a project to create the policies, for instance. And there are some of them that you can cover by creating an authorized CUI user and computer list, or account and user list, however you want to phrase it. We have a tendency to try to make one spreadsheet with users, service accounts is what we call them, but they're processes, and computers in it, and phones, I should say devices. So computers, phones, whatever device may be on the network, and then put the categories with them, the groups they're in, all that kind of fun stuff. That way it's on one spreadsheet. That can get fairly unwieldy the larger the organization is, so you may need to break that out into different spreadsheets. Absolutely, if you need to break that out because it gets unwieldy, do so. But beyond the list you make, there may be technologies you put in place. Application whitelisting will cover some. Putting a SIEM and a SOC in place may help with a few of those. So just go through and group those into projects that you can do, and that'll help you. Once you look at those projects, you'll go, whew, that's a lot, but it looks like I can handle it now. So that's a really good way to go about it.
And not only is that a good way to go about it; the other thing I might add is that along the way, while you're configuring your systems or going in and verifying settings, how is this set? Where's the setting at? Grab some screenshots. That's your proof. Export logs, do whatever you need to do, grab that proof then, document that proof so you have it, and you've started off now with some of your artifacts. That's a really good place to start.

Stacey:

If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at CMMCComplianceGuide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.