New CMMC FAQ Clarifications: Joint Ventures, Paper-Only CUI, Reassessment Triggers & Where MSPs Actually Fit in Scope
CMMC Compliance Guide, June 19, 2026
62
00:19:44, 13.57 MB



Submit any questions you would like answered on the podcast!

The Department of Defense just updated its CMMC FAQ document — and the clarifications inside answer some of the most common (and costly) assumptions contractors make. In this episode, Brooke and Stacey break down what changed for joint ventures, paper-only CUI, significant change triggers, and how MSPs and MSSPs actually fit into assessment scope.

If you're navigating a merger, working with subcontractors, or relying on an MSP to manage your environment, this episode clears up exactly where you stand — and where you don't.


📌 What You'll Learn:

  • Why joint ventures do NOT automatically inherit a company's CMMC certification status
  • The new guidance on paper-only CUI — and when it does NOT require Level 2 assessment
  • What actually counts as a "significant change" that triggers reassessment (mergers, system consolidation, and more)
  • Why MSPs don't need their own CMMC certification — but still carry major assessment responsibilities
  • The difference between CUI scope and Security Protection Data (SPD) scope for MSPs/MSSPs
  • The five-part test for whether an MSP counts as a Cloud Service Provider (CSP)
  • Listener Q&A: Do subcontractors need cybersecurity training and screening too?


Welcome And What’s Changing

Stacey

Hey there. Welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Brooke

And I'm Brooke.

Stacey

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about several new clarifications that recently came out in the Department of Defense's updated CMMC frequently asked questions document. We're talking about things like joint ventures, whether paper-only CUI requires an assessment, what actually counts as a significant change after certification, and how MSPs and MSSPs fit into assessment scope. So let's dive right into it. Okay, Brooke, let's start with joint ventures because we see more and more contractors teaming up to pursue opportunities. A lot of people assume that if both companies already have a CMMC status, then the joint venture automatically inherits that status. Is that really how it works?

Joint Ventures Don’t Inherit Certification

Brooke

Well, not necessarily. Or merged with or acquired. Well, if it's a joint venture, I guess they're buying it anyway, or investing in it or whatever. But so it really wholly depends on how you're doing business and what you intend to do, how that contract comes down to that company that's doing the work, right? So, I mean, there's a ton of different ways, I guess, to look at it, but you know, if a joint venture or a PE company or something came in and bought a company out and is going to change the structure of that company and how it works, then you very well might have something to worry about, but they won't inherit the controls or they won't inherit the certification at all.

Stacey

So another clarification that caught a lot of people's attention involved hard copy CUI. We've talked to companies that keep everything on paper and assume CMMC doesn't really apply to them. What does that new guidance say about that?

Paper-Only CUI And Assessment Rules

Brooke

Well, you know, this is interesting. It's bad for the manufacturers, but for the construction folks, it's even worse. You know, they say, well, what about, you know, I know so-and-so over here, they're not CMMC certified, and they're not even gonna bother going to get it, and all that kind of fun stuff. And I won't tell you some of the other things they said, but they're very worried about that. So a little while back the Army came out and said, hey, you know what? If all you do is give paper CUI to a sub, right, and they don't put it in any of their electronic systems, they just use that paper, they don't copy it, they don't scan it, they don't do anything. They don't retype it or anything. It's not digitized. Right, it's not digitized, they don't go draw it themselves into their systems, then that paper CUI just has to be controlled like paper CUI by DoD Instruction 5200.48. So there are controls around it, but that company does not have to have a Level 2 certification. They don't have to be assessed to CMMC standards, right? And so that was a godsend for a bunch of, especially contractors, that are contracting out to all these small companies where there's no way that they're gonna spend, you know, $100,000 just on certification, right? So if you have paper CUI, it doesn't go into any electronic systems, doesn't get transcribed or put in any way in any electronic systems, then yes, that does not require the same level of protection, it does not require CMMC Level 2 certification or assessment.

Stacey

So one of the big questions that we hear often is that after a company achieves their compliance, what happens next? So what specifically qualifies as a significant change that could require reassessment?

Significant Changes And Reassessment Triggers

Brooke

Yeah, so you want to stay away from the significant change. So they've come out, and I'm sure they'll come out again and try to explain what significant means. But they did specifically call out mergers and acquisitions, right? If there is a merger of companies, you know, again, this is also going to depend on how they do business. If they merge, but the companies still do business how they used to, with the separate systems and all that, then likely, because I don't know every particular instance, but likely it wouldn't require a reassessment. But when you start wanting to gain the efficiency of having one company rather than two, having one IT department, having one directory, having one, you know, all that kind of fun stuff, that changes the scope. So that will absolutely 100% require reassessment. And so you want to stay away from those kinds of changes. You want to pay attention to when your certification date is coming up again, you know. Oh, hey, it's a year out, so let's start planning this and let's get ready to cut over, and then you could have to figure out how that works exactly. But at that point you'd want to wait until that point to do something. Otherwise, you will have to go through that reassessment, and it will be a complete reassessment. And if the systems are merged and all that, you may feel comfortable going straight to the certification assessment. But you know, early in the game like this, I would still think about doing a mock, even though you may have done two mocks and two certifications already. You know, if you merge systems, it really depends on a number of factors. But really, if you do that, consider going ahead and doing another mock again, right?

So yeah, it's those kinds of changes that change the scope or change how the company will receive contracts, you know, CAGE codes, stuff like that, high level, highest-level owner, all that kind of fun stuff, that very well may cause a reassessment, cause an invalidation of your current certification, I should say, which will require a new assessment.

Stacey

I can imagine that you probably want to move strategically with that because not only is it the reassessment, but it's the reassessment cost added there. So it's not cheap.

Brooke

Right. That's not cheap, and, you know, all the work to get there is not cheap, you know, and so it's a process that you need to plan very well for and think about all the risk involved.

Stacey

All right. Let's jump into managed service providers because this is another area where there are a lot of assumptions. So if an MSP provides infrastructure or support for an environment that contains CUI, does that MSP automatically need its own CMMC certification?

MSPs In Scope Without Certification

Brooke

Not at all. So the MSP does not need their own certification. It will make things easier for the assessor and for the OSC and for the MSP. OSC is going to be the organization seeking certification, which is the contractor that has the contract that hired the MSP, basically, right? So it doesn't require the MSP to have a certification, although it is helpful. What it will require of the MSP is that they're part of that assessment. And so what I can tell you is being part of that assessment is no small task. It's a lot of prep, it's a lot of, you know, sitting down and going through it. You've got to have somebody knowledgeable about CMMC and about your systems, about the policies involved, the responsibility matrices involved, and all that kind of fun stuff. You've got to have somebody, or somebodies, familiar with all that to sit through the assessment. So I'm sure they might be... we sit through the whole assessment with our clients. That's just what we do. And we devote a lot of time to it. We do devote a lot of time, of course, to prep. But I'm sure that they could probably set it to where the MSP doesn't necessarily have to be there every day, or maybe not all day every day. But there are quite a few... we say there's tons and tons of documentation, which is true. There's not many of the controls that you can just do technically and not have documentation to back... well, you really have to have documentation for everything, but there's not a lot that are just the company themselves with no MSP at all. So the MSP, dependent on what the MSP does, of course. We have a tendency to be a completely outsourced IT department for our clients, so we do a lot for them. So I don't see how we could not be on the call every day with the assessors and the company.

So there's a lot of time commitment, there's all sorts of documentation and proof and everything else that the MSP will have to have ready and show during the assessment. So it's a tall ask. And if you're an MSP and you have more than one client, then you might look at getting a certification. You know, is it expensive? Yes, it is. Will it help you and your clients with this? Will it help you with anything else down the road? So those are the questions you have to ask yourself if you're an MSP. But the short answer is no, you don't have to have a certification if you're an MSP, but you do have to have your ducks in a row, you have to have all your documentation. You absolutely have to have your customer responsibility matrix. And that's a CRM, so the CRMs of all your security products that you use to secure their environment.

Stacey

Here's another situation we see pretty often. Let's say an MSP provides IT support and an MSSP manages security tools, but neither vendor ever directly receives CUI. Many companies assume that means these providers are out of scope. Would that be true?

MSSPs, SPD, And Security Tool Scope

Brooke

Well, they're maybe out of scope for the CUI, but you've got to understand the different categories of data. One is the CUI, of course, controlled unclassified information. The other one is SPD or SPA. SPD is the data, so security protection data. If something processes security protection data or holds it, then it's a security protection asset, right? So if you hold or process SPD, then you're an SPA. And that includes people, that includes MSPs, that includes whatever security tool you might have. And so when you're thinking about security, any of your tools that help secure the environment of the CUI are going to be in scope as far as being in the assessment scope. They may not be in scope for CUI, but they're in the assessment scope. You will be assessed on those security controls. If you provide a SIEM that's a cloud-hosted SIEM, SIEM is a security information and event monitor. So if you provide that, that'll be in scope. You'll have to have a CRM for it. It'll have to say what you do and what the SIEM vendor does. And then you'll have to make sure that the SSP says what exactly you do and what the client's responsible for. Well, we generally write that in the SSP, but in your CRM, that would be what is in your CRM in detail, actually. But nevertheless, even if you never see CUI, you're still in the assessment scope for security protection. Any security that protects CUI in any manner is gonna be in scope. Your RMM, your remote monitoring and management tool, is gonna be in scope. It'll be in scope at least for SPD because it provides updates, you can run scripts with it, monitor the machine, get alerts from it, all that kind of fun stuff. Those are all security actions. You can't say they're not, but you have to also make sure it's configured to where you don't have a chance of seeing CUI when you hop on somebody's machine, right?

So there are ways to scope that out of CUI, but you have to know how to do that. And you also have to be able to get the CRM for that RMM tool. In any case, you are still in the assessment scope for the question. You're still in the assessment scope with SPD as an MSP. Is that enough TLAs for you? That would be a TLA, it would be a three-letter acronym. So there's a bunch of those.

Stacey

Yeah, there's plenty in CMMC.

Brooke

Yeah, plenty. CMMC, the military, MSP, the IT world. Yeah.

Stacey

All right. We're gonna wrap up with this final question that creates a lot of confusion. If my MSP manages my cloud environment, does that automatically make them a cloud service provider?

When An MSP Is Not A CSP

Brooke

It does not. There are five basic rules that you can look at that the DoD laid out that show why you would or would not be a cloud service provider. But most MSPs are not going to be considered a cloud service provider. You have to have something that the end user can provision easily and quickly by themselves, right? Something that doesn't require the MSP's intervention. We don't really have any of that on our side. I'm sure there may be some MSPs that have automated some of those things. But there's also a difference between just plain automation and being a cloud service provider. So there are like five bullets that you have to worry about, five things you have to worry about. But most of the time an MSP is not gonna be a cloud service provider. They will be an external service provider, which is the whole umbrella, and that's an ESP. So there's ESPs that are CSPs, which is a cloud service provider. So ESP that is a CSP, or ESPs that are not a CSP. That's how they define that. So they're all ESPs. But if you're a CSP, then you're your own category, right? If you're not a CSP, then you're just one of the rest. And so that could be your SIEM tool if it's cloud hosted. That could be the MSP, that could be your RMM tool, that could be a whole lot of things. So the short answer to your question is no, that does not automatically make an MSP a cloud service provider, a CSP.

Subcontractor Access And Required Training

Stacey

Before we wrap up today's episode, we actually have a listener question from FedCon. So Austin was in beautiful Washington, D.C. over the week and he actually met one of our listeners. We didn't get their name, unfortunately, but thank you so much for submitting a question. It's always wonderful when we get to hear from you guys in person. It's pretty awesome that we get to put a face to the name most of the time. So without further ado, the question is: if I give a subcontractor access to my systems for CUI, do I need to do all the training, awareness, and screening for them too?

Brooke

Yes. And it also depends on what that contractor is doing for you and what they have access to. But yes, they'll need to do the same thing that your employees do, which is, you know, take the training. So for us, if we hire a contractor in here to come be a technician and help our customers, absolutely, a thousand percent, they do have to take all the cybersecurity training. But now if you hire a contractor to come in and sweep the floors, probably not. You know. So yes, most of the time... I don't know about most of the time. The way I think about a contractor, you know, coming in to work in your business, they're gonna need that training. Not necessarily all the time, depends on what they're doing for you. But I would say it depends on if they're a part of your business doing the main part that brings, you know, security protection data or CUI or something adjacent there, then yes, they're gonna have to do all the training and everything. And if you have them doing something significant in your enterprise anyway, or in your company anyway, then I would argue that yes, you're gonna want to make sure that they're trained on cybersecurity and trained on the things they need to be trained on to be secure and safe and do their job well. So short answer is yes, longer answer is maybe.

Stacey

Wonderful. All right. Well, thank you so much for answering all those questions, Brooke.

Brooke

No problem.

Wrap Up And How To Send Questions

Stacey

If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at CMMC compliance guide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.