Navigating the 48 CFR Rule: Essential Insights for DoD Contractors on CMMC 2.0 Compliance
CMMC Compliance Guide, November 26, 2024 (00:37:26, 25.74 MB)

Submit any questions you would like answered on the podcast!

In this in-depth discussion, Austin and Brooke Justice from Justice IT Consulting break down the critical updates and challenges associated with the new 48 CFR proposed rule for CMMC 2.0 compliance. Learn about the key differences from previous regulations, the most significant hurdles DoD contractors will face, and the vital steps you must take to ensure your business stays compliant.

Discover how the proposed rule makes CMMC 2.0 a reality, the importance of early preparation, and how subcontractors can navigate the complexities of this process. Brooke Justice, our resident compliance expert, offers practical advice on how to avoid common pitfalls, manage the overwhelming documentation requirements, and ensure your business is ready when the final rule comes into effect.

[00:00:00] The betting odds are that this is going to be October or so whenever they release the final rule for 32 CFR.

[00:00:07] And if that's the case, that puts us at the beginning of the year, 2025.

[00:00:12] Welcome! Austin from Justice IT here and today we're talking about the 48 CFR proposed rule for CMMC.

[00:00:20] I have Brooke Justice here.

[00:00:22] From Justice IT, he is our resident compliance guru.

[00:00:26] And funny enough, the man at the helm of Justice IT.

[00:00:30] So that makes us a compliance-led company. Thank you, Brooke, for coming here today.

[00:00:35] Well, I appreciate y'all having me on and seeing what questions I can answer for you.

[00:00:39] Absolutely! Well, let's get into it.

[00:00:41] Okay.

[00:00:43] So we're getting a lot of questions for our customers with this new change that just came out last week.

[00:00:50] And so we thought we'd sit here and just hit you with some questions that they have

[00:00:55] and that we developed here in turn looking at the compliance.

[00:00:58] First one I've got for you is can you explain the key updates in the new 48 CFR proposed rule

[00:01:06] and how they differ from the existing regulations we already know about?

[00:01:11] Sure! Absolutely!

[00:01:12] So, the most critical update or aspect is that it makes CMMC very real for everybody involved.

[00:01:21] We've now got a proposed rule. It's not gone final, of course.

[00:01:25] But we've got a proposed rule that puts CMMC 2.0 in effect on contracts.

[00:01:32] So, it's real now.

[00:01:34] So, it's going to happen. No more putting it off.

[00:01:37] No more next year, next year, next year.

[00:01:39] So, you pair this. This is a 48 CFR rule.

[00:01:44] It puts it in effect on contracts.

[00:01:45] You pair this with the 32 CFR rule that just came out at the end of the year, the proposed rule.

[00:01:51] It's not final yet.

[00:01:53] And so, with the potential effects with ESPs, external service providers, that it has,

[00:02:01] there's some very critical things that have yet to be answered that will be answered with that.

[00:02:11] And that's a whole other topic. We can discuss that in another video or something.

[00:02:17] But the one other critical aspect is really nothing new.

[00:02:21] It's something that's been out there, but they rephrased it, or they called it out in this one here as the flow down rule.

[00:02:28] So, the CMMC flows down from contractor to contractor to contractor, following CUI and FCI.

[00:02:33] Okay. Yeah, that makes sense.

[00:02:36] Okay. Next one I've got for you is, what are the most significant challenges that DOD contractors will face in complying with the new CMMC 2.0 requirements under the 48 CFR rule?

[00:02:52] Well, the most significant challenge will be that you now actually have to pass a certification to get your, to be CMMC Level 2.

[00:03:02] You have to be certified. You haven't passed that certification.

[00:03:08] So, the, and what we know so far, there's nobody who's certified yet. So, nobody's gone through those assessments.

[00:03:16] However, the joint, you can do a joint surveillance voluntary assessment, JSVA. And so, you can either volunteer for that, hence the voluntary portion of that. Or I think some are voluntold that they can do that.

[00:03:32] So, those people who go through that JSVA, there's a little bit of leniency there because there's still some questions about CMMC. And it's the government making judgment calls. That's not going to be available whenever the certification process actually comes out and is the law.

[00:03:53] So, the second biggest challenge is really for small businesses. We're a small business. There's a lot of our clients that are, you know, that are small businesses. It's really just for them to be able to afford this. Just to afford the certification alone, the first certification.

[00:04:11] And that happens once every three years. But it's still a chunk of money to be able to afford. And to go along with that, not only the cost of the assessment, but all the documentation. There's documentation and there's documentation. And then there's more documentation.

[00:04:30] Of course.

[00:04:30] So, those are some of the challenges.

[00:04:33] Okay. Awesome. Thank you for that.

[00:04:34] Can you walk us through what the timeline is for the implementation of CMMC 2.0 from the publication of last week's proposed rule to the actual full enforcement of it?

[00:04:49] Sure, sure. So, the 48 CFR, and remember this puts CMMC into effect, CMMC 2.0, into effect on contracts, on new contracts.

[00:05:02] So, really, if you go back to the 32 CFR that was released at the end of December, that's the one that defined CMMC 2.0. It's still a proposed rule. That one ought to go into effect somewhere around Q1 of 2025.

[00:05:22] And so, at that point, Q1 of 2025 will have assessments available. You can schedule an assessment at that point, a certification assessment and get certified.

[00:05:35] But they won't be required on the contracts until that 48 CFR goes final, which will probably, if the government holds true to their timeline, usual timeline and the way all this goes, it'll probably be the end of Q3 or maybe in Q4 when that goes live of 2025.

[00:05:54] And there's a bit of precedent for that because on the 32 CFR rule, is that correct? They actually followed through on the timeline of things that are supposed to happen. Am I correct about that?

[00:06:05] Yes, they did. And so, we'll see whenever this 32 CFR final rule comes out.

[00:06:14] So, the process now is we're waiting for the final rule to come out.

[00:06:18] Right.

[00:06:18] So, when the final rule comes out, when it comes out, there'll be 60 more days until it goes into effect.

[00:06:25] And so, they're expecting everybody, you know, I guess Vegas is, the betting odds are that this is going to be October or so whenever they release the final rule for 32 CFR.

[00:06:39] And if that's the case, that puts us at the beginning of the year, 2025.

[00:06:43] How should subcontractors approach the certification process, especially those who have never been through a CMMC assessment before?

[00:06:53] Sure. So, the only people or only companies who have been through assessments, certification assessments, are ones who have gone through the Joint Surveillance Voluntary Assessment, the JSVAs.

[00:07:06] And so, we have those as a frame of reference.

[00:07:09] And really, I would say, if you're able to, if you think you're ready, if you think we're ready to go, we're good to go for this,

[00:07:16] I would say, see if you can apply and go through a Joint Surveillance Voluntary Assessment, JSVA, because there's a little leniency there.

[00:07:25] And that's not going to be there for when the CMMC 2.0 really kicks in, probably the end of 2025.

[00:07:34] We'll see when, but, you know, that's the Vegas odds right now.

[00:07:38] But as far as the actual certification process by a C3PAO, that'll happen once every three years.

[00:07:46] So, this first time it's going to be, there's some questions around exactly what's going to go on, exactly how it's going to be, everything's going to be assessed.

[00:07:56] So, what I would really say is you probably need to hire an assessor from a C3PAO to come in and do a pre-assessment or a mock assessment.

[00:08:08] Mock assessment specifically means treating it like an assessment.

[00:08:12] Right.

[00:08:13] So, there's some difference there.

[00:08:16] But basically, get some consulting beforehand.

[00:08:18] It's probably going to be about the same price as an actual assessment.

[00:08:22] But it'll be well worth your time because if you do go through that certification assessment and you happen to fail it,

[00:08:29] and it's something significant that you can't fix in the correct timeline, then you're just done.

[00:08:37] You're out.

[00:08:38] And you have to go through that whole process again.

[00:08:41] And the assessors and the C3PAO can tell you what you failed, but they can't tell you how to fix it.

[00:08:48] They can't do any consulting.

[00:08:52] So, you know, you can go back through that again and then potentially fail it again if you didn't fix it properly.

[00:08:57] You know?

[00:08:57] So, I would really, really suggest hiring somebody to come in ahead of time to do that.

[00:09:03] It's also very worthwhile to look at organizations that are certified that can come in as a certified as a CMMC certified professional or a CMMC certified assessor.

[00:09:15] Same sort of thing I was talking about a minute ago.

[00:09:18] But if they can come in and help you prepare and help you be there and not just help you with the assessment portion of it,

[00:09:23] those are really important things to do to get ready.

[00:09:26] Okay.

[00:09:27] It's like taking a practice test before you go.

[00:09:29] Oh, absolutely.

[00:09:31] Yeah.

[00:09:31] Except this practice test costs a lot more.

[00:09:34] Well, that's true.

[00:09:35] Yeah.

[00:09:36] All right.

[00:09:37] So, what role do prime contractors play in ensuring their subcontractors are compliant with these CMMC requirements?

[00:09:48] So, any prime contractor that is a contractor who gets a contract directly from the government is responsible to make sure that their contractors,

[00:10:00] their subcontractors, are all compliant.

[00:10:03] Or in this case, we're speaking about CMMC level two certification.

[00:10:08] So, they're responsible to make sure that all of their subcontractors are CMMC level two certified.

[00:10:15] What that also means is that each one of those subcontractors have to also, it's the flow down rule.

[00:10:21] They have to also make sure that their subcontractors and all the contractors, people they use, to fulfill this contract that they have to be compliant for,

[00:10:33] that all those subcontractors have to be certified and so on and so on.

[00:10:37] That's why it's called a flow down rule because it all rolls downhill.

[00:10:42] Awesome.

[00:10:43] Okay.

[00:10:43] Okay.

[00:10:44] So, I think we've kind of got the housekeeping out of the way.

[00:10:46] We've talked about the easy to answer questions for the 48 CFR rule and really put the role in context for us.

[00:10:55] So, I'd like to go into some more uncomfortable questions that our customers have for us that are the ones that really care about.

[00:11:04] So, let's just get it started.

[00:11:06] So, given the complexities and costs that you mentioned associated with this CMMC 2.0 compliance, how would you respond to the concerns from small businesses, specifically all businesses as well,

[00:11:23] that these regulations may push them out of the defense contracting market?

[00:11:29] Well, I could tell you that I've not ever heard that before, but I'd be lying to you.

[00:11:34] Right.

[00:11:34] There are.

[00:11:36] I mean, I've heard that from several of our clients.

[00:11:38] And, you know, we're a lot of times we're the bearer of the bad news.

[00:11:44] So, we get the front of it.

[00:11:44] And we say, please don't shoot the messenger.

[00:11:48] You know.

[00:11:48] But it's a very good question and a very real concern.

[00:11:53] So, you know, the DOD says that it will cost small entities about $107,000 for the certification.

[00:12:03] And that's just a certification that's not to prepare for it.

[00:12:07] Well, part of that is preparing for the certification.

[00:12:10] But that's not all your services to be compliant, everything you have to do to stay compliant.

[00:12:16] That doesn't include any of that.

[00:12:18] So, just for the certification assessment, $107,000.

[00:12:22] After looking at their costs and talking to several assessors and C3PAOs and other people that do what we do,

[00:12:31] that's probably about right for small entities.

[00:12:35] And it will go up for larger entities.

[00:12:38] It scales well.

[00:12:39] So, the bigger you get, it doesn't mean if you're double the size of a small entity, you're going to pay double.

[00:12:46] So, really what a lot of our clients are saying is that they want to be ready.

[00:12:52] They want to get certified as soon as they can because they want to use this basically as a marketing opportunity, right,

[00:13:01] to be able to get more business.

[00:13:02] Because if you're one of the first on the bandwagon to be certified, then you're going to have an easier time getting those contracts.

[00:13:10] If they, if the DOD, if you can say, DOD, here it is.

[00:13:14] Here's my certification and I'm good to go.

[00:13:17] Guess what?

[00:13:18] You're going to be the easy company to work with.

[00:13:20] So, for those that go through that certification process and do that, it's a really good thing.

[00:13:28] And also, to go back to the JSVA, that's why a lot of companies, if I say a lot, there's not a lot of companies that are going through it.

[00:13:35] But the companies that are going through the JSVA and are actually voluntary, those companies are doing it because they want to get ahead of the ball.

[00:13:44] They want to be able to say, hey, look, we've gone through our JSVA assessment and we're good to go and we want some of those contracts.

[00:13:54] And so, that's a marketing opportunity.

[00:13:56] You can make that money back.

[00:13:59] It's work.

[00:14:00] I'm not going to lie.

[00:14:01] It's a lot of work, a lot of documentation.

[00:14:04] But it'll, when you get that defense work, it's going to be, at least should be worth it.

[00:14:10] Right.

[00:14:10] Those are some brave souls, but they'll probably get some of the first contracts.

[00:14:14] Yes.

[00:14:14] Right.

[00:14:15] Yes, they will.

[00:14:15] Like I said, it'll be very easy to say, here's my certification.

[00:14:21] You'll be in a database.

[00:14:23] But here's my certification.

[00:14:26] We're good to go.

[00:14:27] And they're going to say, hey, Joe Blow's machine parts over here, they're certified.

[00:14:33] They're the easy one.

[00:14:33] Let's give the contract to them.

[00:14:35] Right.

[00:14:35] Okay.

[00:14:36] Thank you.

[00:14:37] So, the next one I have for you is, what are the potential consequences for subcontractors

[00:14:44] who fail to achieve the required CMMC certification by the deadline, specifically?

[00:14:52] Well, the deadline is going to be at contract award.

[00:14:55] Okay.

[00:14:56] So, that's what the proposed rule says.

[00:15:00] That's what we've expected all along.

[00:15:03] But if you don't have that certification by contract award, guess what?

[00:15:08] You don't get it.

[00:15:10] That's the ramification.

[00:15:12] That's the consequence.

[00:15:13] If you're not certified by the time that contract is ready to be awarded.

[00:15:19] So, you won't get that.

[00:15:20] And so, with an economy like it is, I would rather be in a boat of being able to get those

[00:15:31] contracts than miss out on those contracts.

[00:15:33] And, you know, it can be 25% of your business or 95, and that's still a significant chunk

[00:15:40] of, 25% is still a significant chunk of your business to lose.

[00:15:44] Right.

[00:15:45] So, it's a very important thing to be certified.

[00:15:49] And to be there beforehand, you always got to plan for those oopsies.

[00:15:54] You know, it's taken us longer to get certified than I thought it would because we've got to

[00:15:59] do X, Y, or Z.

[00:16:00] So, and depending on how many people have to get certified at a, you know, a certain time

[00:16:07] frame, there may be a crunch time and a, you know, a wait list.

[00:16:11] So, you can't leave that until the last minute.

[00:16:14] Right.

[00:16:15] So, I think the real risk, if I'm understanding it correctly here, is the cost of not being

[00:16:21] prepared when this actually comes through in terms of the contract obligations and the

[00:16:28] timeline associated with getting ready.

[00:16:30] Because it takes so long to get ready that you don't want to leave until the last minute

[00:16:35] because then you're months behind the ball.

[00:16:37] Is that right?

[00:16:38] Yes.

[00:16:39] Absolutely.

[00:16:40] Yeah.

[00:16:41] Bottom line is, if you're not ready, the risk is that you'll lose out on contracts.

[00:16:46] Right.

[00:16:47] Okay.

[00:16:47] Okay.

[00:16:48] So, how does the government plan to enforce these new CMMC requirements?

[00:16:55] And what recourse do subcontractors have if they believe they're unfairly assessed or penalized?

[00:17:02] Well, the way to enforce these new CMMC requirements?

[00:17:07] I mean, it's certification.

[00:17:10] So, you know, you come in, the assessor comes in and certifies you once every three years.

[00:17:15] And that is the process by which they enforce the CMMC guidelines.

[00:17:21] So, it'll be enforced by C3PAO once every three years.

[00:17:27] And then a principal or executive of the company, somebody important.

[00:17:32] It can't be a lowly IT guy.

[00:17:35] Right.

[00:17:35] In fact, we've said this at other times, but this is not an IT issue.

[00:17:39] It's a business issue.

[00:17:41] Right.

[00:17:41] Right.

[00:17:41] So, but it's got to, anyway, an executive or a principal has to attest to it every year

[00:17:47] and say, you know, I promise, you know, that, you know, this is, that we still meet this.

[00:17:53] So, so if you think you've been unfairly assessed, the time to address that is before the assessment

[00:18:02] is over.

[00:18:04] And, you know, it's kind of like talking to a police officer that's pulled you over for speeding

[00:18:08] or something, you know, you don't want to be a jerk to the assessor.

[00:18:13] Right.

[00:18:13] But, you know, you want to bring it up and say, hey, this is not the way I understand

[00:18:18] this or whatever the case may be.

[00:18:20] And just work through it and discuss it and talk about it, you know, and see what they

[00:18:24] can do.

[00:18:24] They can't, again, they can only assess you.

[00:18:27] They can't give you any, any consulting.

[00:18:30] They can't help you out.

[00:18:32] Right.

[00:18:33] The time for that, the time for any of that consulting is beforehand.

[00:18:37] One of the pre-assessments I was talking about or a mock assessment or something like that

[00:18:41] is the time for some of that CMMC consulting.

[00:18:44] But after the fact, if you have been, if you think you've been unfairly assessed on a control

[00:18:51] or, or objective or something, then, then you appeal with the C3PAO.

[00:18:59] So the C3PAO is the company who provides the assessors.

[00:19:04] So if you've already talked to the assessor and they said, no dice, you know, and they

[00:19:10] turn in the score, then you fill out an appeal.

[00:19:13] There will be a formal appeal document process coming out.

[00:19:18] But you basically appeal to the C3PAO.

[00:19:21] They take a look at it.

[00:19:23] They talk to you.

[00:19:23] They talk to the assessor.

[00:19:26] And they, they make a ruling on it basically, which kind of seems unfair because this is

[00:19:31] a company that assessed you.

[00:19:33] But an assessor is like a judge, you know, in a contest sort of, not exactly.

[00:19:39] I don't want to, I don't want to degrade what an assessor is doing, but they're sort of

[00:19:42] like a judge, but you know, they can, one assessor can say, I can understand that.

[00:19:48] And other assessors say, no, it really means this, you know.

[00:19:50] But, you know, a C3PAO can look at it and say, make a judgment call.

[00:19:56] Yes, I think you're right.

[00:19:58] Or no, the assessor is right.

[00:20:00] We're going to stick with our ruling.

[00:20:01] At that point, you should be able to appeal to the Cyber AB, the board that oversees all

[00:20:08] the C3PAOs.

[00:20:10] And then they'll make a final determination.

[00:20:11] Okay.

[00:20:13] So there is a process that, if needed to be used, a formal process to appeal, but appeals

[00:20:22] are never ideal.

[00:20:23] Right.

[00:20:24] Because, I mean, an appeal's an appeal, it's never guaranteed.

[00:20:29] And again, like you said, it's, you're going to be re-judged by the same general entity

[00:20:36] that had previously judged you, right?

[00:20:39] So it sounds like to me, tell me if I'm wrong, but there might be some good legwork associated

[00:20:48] that subcontractors or contractors might want to do in terms of, can they pick their assessor?

[00:20:56] Can they interview their assessors?

[00:20:58] Can you find your own?

[00:20:59] What a very good question.

[00:21:00] So, yes, you can pick your assessor and say, I want Johnny Appleseed here to do my assessment.

[00:21:11] And that doesn't mean that you'll definitely get Johnny Appleseed, but because Johnny Appleseed

[00:21:17] may be a hundred clients deep in this, and you may need it before a certain timeline,

[00:21:23] before a certain timeframe.

[00:21:24] Which goes back to being prepared.

[00:21:26] Being prepared, yes, exactly.

[00:21:27] Exactly.

[00:21:28] So, I've done, so the reason, we've got, I've gone to a lot of CMMC conferences, talked

[00:21:34] to a lot of assessors, and one of the things that I'm definitely really afraid of for us

[00:21:40] and our clients is getting one of those jerk assessors, you know?

[00:21:44] They're just, they just want to stick it to you, you know?

[00:21:47] No offense to assessors, but there are, there's always 10% of people, right?

[00:21:50] People are people.

[00:21:51] Yeah.

[00:21:51] Yeah.

[00:21:51] There's good people in everything, there's bad people in everything.

[00:21:54] And I'm not, not that they're bad, but they're very strict in the way they assess everything,

[00:22:01] the way they do everything.

[00:22:02] So, we want to look for those assessors that, not anybody that'll skirt the rules, but people

[00:22:11] that will understand and say, understand how you've done things, have some idea of technology

[00:22:18] and all that kind of fun stuff.

[00:22:21] And so, through going through these assessments, or excuse me, going to these conferences and

[00:22:27] talking to a bunch of assessors and all that kind of fun stuff, we've actually identified

[00:22:32] some assessors that we want to work with.

[00:22:35] And, you know, we've also identified some that are great people, but we'll probably call

[00:22:41] on somebody else.

[00:22:42] So, and it's good to have a few of them to be able to choose from.

[00:22:47] And so, we've got a few, we've got a few names that people we want to work with.

[00:22:53] So, yes, you can absolutely choose.

[00:22:55] Doesn't necessarily mean because of the reasons I said a minute ago that you'll get that one.

[00:22:59] But, yes, you can choose.

[00:23:01] Right.

[00:23:02] So, good idea.

[00:23:03] Never circumvent any rules, of course.

[00:23:05] Oh, of course.

[00:23:06] But it would be ideal to do the legwork, be prepared, get certified early.

[00:23:11] So, that way you can find somebody that's going to be very studious about it, but also

[00:23:17] very understanding and be able to interpret the rules in the proper ways.

[00:23:23] So, and not hold you so close to the fire with such strict enforcement that it's going

[00:23:30] to hurt.

[00:23:30] Right.

[00:23:31] Exactly.

[00:23:32] Okay.

[00:23:32] The only other thing I'll reiterate, not add, but reiterate, is that along with the preparedness

[00:23:38] that we've been talking about and hammering on and several of these questions.

[00:23:42] It's starting to be a theme.

[00:23:43] I think there is a theme there.

[00:23:45] So, but it's to get those, is to start early, be prepared, hire that assessor to come in

[00:23:54] and help you with the pre-assessment.

[00:23:55] Even if you've got a company like us who have, who are certified, who've gone through this, been

[00:24:02] involved in it for several years, for that first go-round, you know, it's really good

[00:24:09] idea to get somebody to come in and do a pre-assessment and to bless you and say, yes,

[00:24:13] I think you're good and you should, nobody can guarantee anything.

[00:24:17] In fact, when you become certified by the Cyber AB, it specifically states that you can't

[00:24:25] guarantee anything.

[00:24:26] Right.

[00:24:26] So, it's never a good idea to do it anyway, but by the Cyber AB rules, they are forbidden

[00:24:31] from guaranteeing any outcomes, which makes total sense.

[00:24:35] Right.

[00:24:36] Absolutely.

[00:24:37] Yeah.

[00:24:37] So, it's...

[00:24:37] Preparedness.

[00:24:38] Yes, absolutely.

[00:24:39] And it's a good idea to avoid anybody just to get that out there that does guarantee things

[00:24:44] because that might be a sign to call somebody else.

[00:24:50] Yes, absolutely.

[00:24:51] Absolutely.

[00:24:52] Absolutely.

[00:24:53] Okay.

[00:24:53] With the phased rollout of the CMMC requirements, do you think there is a sufficient clarity

[00:24:59] and support from the DOD to help those subcontractors meet the deadlines?

[00:25:06] Specifically, I'm talking about those that are less resourced.

[00:25:11] Well, to be fair, at this point, no, I don't think that there's enough clarity in some of

[00:25:18] these important points, especially some of them with this proposed 32 CFR rule with ESPs,

[00:25:28] External Service Providers.

[00:25:29] Okay.

[00:25:29] So, I don't think there's enough clarity, but fear not, because that 32 CFR rule, the

[00:25:35] final rule should be out towards the end of this year.

[00:25:38] And at that point, we'll definitely have some clarity around that.

[00:25:45] So, as for DOD support, so the support they provide is information overload, basically.

[00:25:55] There's tons of information, you know, how the government is.

[00:25:58] They're very wordy on everything.

[00:26:01] And the thought that they have given enough warning on compliance.

[00:26:05] So, they've been warning you since 2017 that you have to be compliant with NIST 800-171.

[00:26:12] So, things have changed over time, but really, the base rules, the base controls that you've

[00:26:24] had to comply with ever since the end of 2017 have not changed.

[00:26:29] There's a few little things that have changed here and there.

[00:26:32] CMMC program itself has changed, but the controls really have not significantly changed.

[00:26:42] We always also hear of grants and nonprofits that help with, that can help companies.

[00:26:52] When you really look into it, normally what that means is they'll help you, but you still

[00:27:01] have a lot of legwork to do.

[00:27:05] So, it's not to bash any of those nonprofits.

[00:27:07] They help you understand and all that, but you still have, it's not a magic bullet.

[00:27:15] So, there is that help out there, but you still have a lot of legwork to do.

[00:27:21] You have to do all the work.

[00:27:22] Yeah.

[00:27:23] There seems to be a lot of resources from nonprofits or even free templates or templates you can

[00:27:31] buy for a lower cost.

[00:27:35] But I think in terms of your paperwork and there are some consulting, I think, from these

[00:27:41] agencies and whatnot.

[00:27:43] But I think the real burden is the implementation of it.

[00:27:49] And there's not a lot of help there from what I've seen.

[00:27:52] Am I right?

[00:27:53] Right.

[00:27:53] No, that's correct.

[00:27:54] The real burden is implementation.

[00:27:56] And then part of that implementation, I was going to say another part, but really part

[00:28:02] of that implementation is documentation.

[00:28:04] And like I said a while ago, it's also documentation.

[00:28:07] And it's more documentation.

[00:28:09] So, just the amount of documentation you have to provide for this and from the get-go to prove

[00:28:15] that you've been doing this, right?

[00:28:18] Because this isn't a once and done thing.

[00:28:19] This is something you manage on a recurring basis.

[00:28:22] The other thing that DOD says that they've done in the phased rollout to help with small

[00:28:29] entities is really the phased rollout itself.

[00:28:33] They definitely refer to that.

[00:28:36] Out of the 60,000 entities that are contractors that they have, there's going to be 1,100 the

[00:28:46] first year.

[00:28:47] So, that's a very small percentage that have to be level two certified.

[00:28:52] So, that's another way that they've said that they've helped small business with this, helped

[00:29:01] them along with this and be prepared because only 1,100 or so will have to be certified.

[00:29:07] Now, how that will actually shake out?

[00:29:09] Whatever, you know, Lockheed gets their contracts and says, oh yeah, now we have these 52 contractors

[00:29:15] here for this fund contract that now have to be level two compliant.

[00:29:19] You know, we'll have to see how that actually shakes out.

[00:29:23] Right.

[00:29:23] But the whole point is that there's a smaller percentage the first year, a pretty small percentage

[00:29:29] the first year that will have to be level two certified.

[00:29:31] You have to go through that assessment.

[00:29:33] Okay.

[00:29:34] What do you believe the biggest misconception is about CMMC 2.0 compliance among subcontractors

[00:29:42] and how they can overcome it?

[00:29:46] Well, the main misconceptions and misunderstandings that I see are some of them are kind of subconscious,

[00:29:52] I guess, but really those are that you can do it in your spare time.

[00:29:57] You can do your regular job and then you can finish this as you have time.

[00:30:02] Or you don't need to hire anyone, which kind of goes in with that.

[00:30:07] Or you just have to follow a checklist.

[00:30:09] Just give me the checklist.

[00:30:10] I just need to know what I need to do.

[00:30:12] That's not a checklist.

[00:30:13] Sorry.

[00:30:14] So those are the main misconceptions.

[00:30:16] The fact that there are 110 controls and 320 objectives that make up those controls should

[00:30:24] help you understand that your more spare time, that it's more than spare time will allow.

[00:30:31] This also requires some deep understanding of those controls and those objectives and how

[00:30:36] they apply specifically to your instance.

[00:30:44] So if you hire somebody to help, even though it may be expensive, it'll help you shrink that

[00:30:50] timeline.

[00:30:50] It'll help you make sure that you get those controls addressed as they should be, those

[00:30:55] objectives addressed as they should be.

[00:30:57] And this certainly is not a checklist of things that you can do to implement and check off,

[00:31:02] of course.

[00:31:04] In actuality, I guess we do try to make it as much of a checklist as possible because you

[00:31:10] want a repeatable process.

[00:31:12] Right.

[00:31:13] Otherwise, if everything is 100% custom, then it gets really expensive really fast.

[00:31:18] So you want a repeatable process.

[00:31:21] So in essence, you do have sort of a checklist, but you have to apply it to each unique environment.

[00:31:29] Some people will have some stuff they have to keep on premise.

[00:31:35] It's very common in manufacturing.

[00:31:37] Some people will be able to put everything in the cloud.

[00:31:39] Right.

[00:31:40] You know, and then there's going to be a lot who are hybrid.

[00:31:43] So, but we do have, you know, a repeatable process.

[00:31:52] But it's not necessarily a checklist, but it's a repeatable process.

[00:31:57] Right.

[00:31:58] Yeah.

[00:31:58] So maybe less checklist won't cut it, but a systemized approach to your businesses.

[00:32:03] Yeah.

[00:32:03] That is a very good way to put it.

[00:32:04] Yes.

[00:32:05] Absolutely.

[00:32:06] I think that stands to reason because I think I fielded a lot of the first-time calls from

[00:32:12] our customers and I'm usually the first face they see.

[00:32:15] And I think the most common thing I hear is I'm overwhelmed and frustrated at trying to

[00:32:21] do this myself.

[00:32:22] And so I finally decided to reach out.

[00:32:24] Yes.

[00:32:25] I think that's probably about 100% of our clients that have reached out to us as they try

[00:32:30] to do this themselves.

[00:32:31] And then, yeah, they just got overwhelmed and decided they need help.

[00:32:34] Absolutely.

[00:32:36] Last question I have for you is if you could give one piece of advice, one takeaway for

[00:32:44] this video to DOD subcontractors preparing for CMMC 2.0 compliance, what would that be?

[00:32:53] Don't wait.

[00:32:54] Okay.

[00:32:55] So don't wait, whatever you do.

[00:32:58] This is not something that can happen overnight or even in a couple of weeks.

[00:33:02] Mm-hmm.

[00:33:02] You know, back in the day before the certification part of this assessment, you know, you could

[00:33:07] be compliant in two weeks.

[00:33:11] You know, we could come in and help you out.

[00:33:12] We could give your SSP, your POAM, all your policies and your plans and say, there you

[00:33:19] go.

[00:33:20] There's your roadmap.

[00:33:20] There's what you got to do.

[00:33:21] Now you're compliant.

[00:33:35] Mm-hmm.

[00:33:36] You need to prepare.

[00:33:38] So it's a lot different in that manner than it was back when it all started.

[00:33:45] So in other words, a lot of work.

[00:33:46] So again, preparedness is the word of the day.

[00:33:52] So don't wait, be prepared, get prepared early.

[00:33:55] And the other thing, I know you didn't ask for two things.

[00:33:57] I'll take it though.

[00:33:58] You know, but the other thing really is, I have to say it one more time, it's documentation.

[00:34:04] And it's also documentation and it's also documentation and it's most frankly more documentation.

[00:34:11] So there's kind of a theme there.

[00:34:14] Don't wait.

[00:34:14] And it's a lot of documentation, right?

[00:34:16] But at the end of the day, the only thing that will prove to an auditor or an assessor

[00:34:21] that you've been doing what you're supposed to be doing is the documentation to prove

[00:34:25] it, right?

[00:34:26] It is.

[00:34:26] It is.

[00:34:27] Absolutely.

[00:34:28] Absolutely.

[00:34:29] Yeah.

[00:34:29] It's, I know you didn't ask anything from me, but I would like to share, you brought up

[00:34:36] how burdensome this has become since 2017 to now, going out there and talking to other

[00:34:43] IT providers, ESPs and implementers.

[00:34:49] Specifically in the IT space, what I hear is we're no longer doing that.

[00:34:54] So you're actually seeing a lot of service providers in terms of more of the IT side exiting.

[00:35:01] Yes.

[00:35:02] I feel just because it is burdensome now because you actually have to do things and comply

[00:35:07] and prove it.

[00:35:09] There is.

[00:35:10] You know, I've heard that from a lot of our, a lot of other of our friends and compadres

[00:35:19] who are in this IT business.

[00:35:21] You know, there, you know, we had, we have some, uh, CMMC clients and we're just not doing

[00:35:27] this and they're going to have to go find somebody else.

[00:35:29] Yeah.

[00:35:29] You know, it is burdensome and for small businesses, it is hard.

[00:35:33] Um, so there's a lot of them that are saying that.

[00:35:36] And this 32 CFR rule, uh, depending on how it treats, how it ends up treating, uh, ESPs,

[00:35:45] external service providers with that definition, we're an external service provider, but

[00:35:51] also the companies we use for services like, uh, SIEM for log management and, uh, security

[00:35:59] operations center, um, you know, a lot of those businesses that we use to fulfill, uh,

[00:36:05] uh, those parts of CMMC compliance, um, out of all of our vendors that we use, there's

[00:36:11] only a couple of them that said, yeah, we're, we're going to be, we're doing this and we're

[00:36:15] going to be ready with you.

[00:36:16] You know?

[00:36:16] Um, so that means there's going to be a change on the service provider side as far as the

[00:36:25] underlying tools and how you, how you address this.

[00:36:28] Uh, so there's going to be some, there's going to be some big changes coming on.

[00:36:32] Awesome.

[00:36:32] Thank you.

[00:36:33] Uh, thank you everybody.

[00:36:34] I think that's all we have, um, here today.

[00:36:37] Uh, thank you for making it this far if you have, uh, and, uh, if you want something to

[00:36:42] take home to reference later, uh, so you don't have to watch, uh, this video again, we should

[00:36:47] have down below, um, a report that goes over everything on the 48 CFR rule, uh, summarized

[00:36:54] and a little bit in detail.

[00:36:55] So you can download that and, uh, take it with you, uh, show your boss, reference it

[00:36:59] later.

[00:37:00] It should all be there.

[00:37:03] All right.

[00:37:04] There we go.