The CMMC Reality Check: Gap Assessments, Documentation Overload & Why 30-Day Compliance Claims Are a Red Flag
CMMC Compliance Guide, June 12, 2026
61
Duration 00:26:47, 18.42 MB

Submit any questions you would like answered on the podcast!

Most defense contractors don't realize how complex CMMC compliance really is until they're already in trouble. In this episode, Brooke and Stacey break down the exact moments where contractors hit their wake-up call, what to expect from a gap assessment, and why waiting until the last minute could cost you your DoD contracts.

Whether you're just starting your CMMC journey or think you're close to ready, this episode will show you what you're probably missing and how to get ahead of it.

Welcome And Today’s Warning

Stacey

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about something that almost every defense contractor experiences at some point in their CMMC journey: the moment they realize that it's way bigger than they thought. So in today's episode, we're going to walk through the exact moments where contractors have that wake-up call and what you should expect, so that you are not caught off guard. All right, Brooke, let's start with the first major moment contractors realize that it's more complex than they expected. What usually happens during that initial gap assessment?

Gap Assessments Reveal Missing Controls

Brooke

Normally, during that initial gap assessment, at least when we go in and do gap assessments, we start asking them questions, looking at their systems and trying to figure everything out, and they kind of start getting a worried look on their face, realizing that, oh, things aren't in quite as good a shape as I thought they might be. You present them with what you find, and tell them where you think the gaps are, where it looks like they are, and it's usually a big shock to them. Some more than others. Some know they're just now getting started and they're expecting a minus 203 or whatever it is. But some of them think that they've done a pretty good job getting ready, but they're just not real sure and they want to have somebody come in and check, and when the lights shine on it and they see where they're really at, it shocks them. A lot of times, I mean, they think they might have close to 110, and I think most of the time we usually end up finding that they've got quite a few controls that they're missing, and some of those because of documentation; they didn't have the documentation right. There's a lot of controls where you put something technical in place and you're like, we're good. Well, no, you're not, because you've got to have the associated documentation to go along with it. So it ends up being 40, 50, 60 or more controls that need to be addressed after we come in and look at it. So it's just a big shock to a lot of people.

Stacey

Another big moment we hear about is when companies start mapping out where their data actually lives. What really happens there?

Mapping CUI Turns Into Spaghetti

Brooke

A lot of times you have an IT guy, or maybe the president or the GM, or, depending on the size of the company, it could be different role types. But you have one person that kind of says, hey, this is how things work; I've got everything up here, I know how everything works. And so they kind of line it out, and then you go in and you make sure that you have the key players in the room and you start asking questions: where do you get it from? Where do you get CUI from? Where does it go? What about these systems, or what about this, or what about that? And suddenly you find out that your CUI data flow diagram looks like a bowl of spaghetti. There's a lot of touch points. Generally what we do, on one of the first phone calls or web meetings, whatever you want to call it, is we start drawing that out, just simple little boxes and stuff in Visio, because I'm an old Visio guy. We start drawing it out, and sometimes I run out of space on the page because there's so many things there, and we're having to shuffle things around to make sense, and then they realize, oh, I think we need to tighten this up a little bit. So yeah, there's a lot that goes into that. Generally one person was in charge of trying to figure out where all the data is, if they even bothered with that, but when one person is in charge, it usually ends up being quite a bit more than they realize.

Stacey

So a lot of companies end up thinking that documentation will be the easy part. Where does that assumption break down?

Documentation Becomes The Real Work

Brooke

So documentation: when we first got into this back in 2017-18, you're creating your policies, you have some logs, you put some controls in place, get your POA&M ready and you're good to go. And of course you have to work through that POA&M and everything, but there's a ton of documentation that's needed. Generally your SSP these days, you want to break it down per assessment objective, because that's how the assessors are going to ask the questions, per assessment objective. So it could be one assessment objective or it could be six or ten or whatever assessment objectives, but you want to break it down by that. In your SSP, you write how you're doing things, with what tools and all that kind of fun stuff. And so that system security plan, your SSP, can end up easily being two, three hundred pages. I hear of some people that have like 900-page SSPs. But you've got to put enough detail in there that it covers everything. You want to stay away from putting all your policy language and all your procedural language in there, at least I think you want to stay away from that. You want to refer to those, give some key details about how it works and then refer to those policies. But anyway, your SSP by itself is, you know, two, three, three hundred and fifty, four hundred pages, I don't know, something like that, with everything that goes into it, all the statements and descriptions and everything else. Then you have all your policies. Then you're going to have some plans and some procedures that you have to put in there. And that's all the documentation that's associated with the SSP. Then, when you get ready for the assessors, you're going to have all your evidence and all your artifacts that you have to upload.
Here's my logs, my visitor logs, here's screenshots of the Entra ID users or the Active Directory users or the SysPro users or whatever it may be. Here's all of this that we've had to attach to all these controls. And when you get done with all that and you're ready for an assessment to start next week or tomorrow or whatever it is, you probably have four, five, six hundred pieces of evidence. With all the policies and everything else, you probably have four, five, six hundred pieces of evidence there for the assessors. So there's a lot of documentation, and you've got to make sure that you have that. And people just don't realize: if an assessment objective says something is defined, that generally means it's in a policy, right? If it says identified, maybe a list, and so on and so forth. It spells out and tells you where you have to document things, and it's a lot.

Stacey

So another big misconception is that CMMC is just for your IT team.

CMMC Is A Business Problem

Brooke

Oh yeah, not at all. This is a business thing. Your IT team will absolutely be a strong part of it, a necessary and important part of it, but your IT team won't be the ones, shouldn't be the ones, that put the whole thing together for you. That said, depending on how you structure things, they can be a very key part of it, right? But the business decision makers and all the different key departments and key roles or key players, whatever, need to have a hand in it and need to be part of it, because this is business process. This is how you secure your business, right? It's not just some cybersecurity tools. It's how you hire people, it's your drug screening, or, well, actually maybe not your drug screening, but your background screening process; how things go when you hire somebody or terminate somebody; how you keep track of their keys; who has access to the server room, who has access to the front door, and how they have access. All those kinds of fun things that are not necessarily an IT person's realm. I say we because I'm an IT person, but we may know about these things; a lot of those are not under our specific control. So this is a business thing, it is not an IT thing.

Stacey

You briefly mentioned cybersecurity tools in regards to CMMC compliance. A lot of companies end up thinking that they just need to heavily rely on tools early on. What is the issue with that approach?

Tools And Enclaves Can Mislead

Brooke

I mean, you do have to have tools to help you out, but from the word tools, it's a tool to help do something, you know? A hammer is not necessarily going to help you drive a car. Or I should say, a crescent wrench is not going to help you drive a car. Maybe if you don't have a steering wheel, you have some vise grips, you clamp them to the nut where the steering wheel would be; I guess you could use that, but I digress. Point is, you don't drive the car with a crescent wrench, but you may use the crescent wrench on the car to perform a job, right? I know that may be a terrible example, and I can just hear the people complaining about that right now. But tools are just that, they're tools. People want to go all in with an enclave solution. We talk about that all the time here on this podcast, and it's great to try to use an enclave, but you've got to realize what you're really talking about. If you're talking about an enclave where everything's contained in this box and we inherit 80% of the controls from them, that's great. But do you really? Do your data flow diagram, figure out where everything goes. Does anything come out of that enclave and go to something else? If it does, you just pierced that enclave and now you have other things in scope, right? So that's typically the way it works with an enclave, unless you're a cloud-only shop. We deal with manufacturers a lot and we deal with construction companies a lot, and I can guarantee you there's not very many of those that can survive in a little enclave, because they have to get that information out somehow to do their job, right? But you absolutely need tools. We have to find the best tool for the job that fits not just price-wise, not just function-wise; there's all sorts of other things that you have to figure in on those tools.
And you don't want tools to overlap, all that kind of fun stuff, but tools are a secondary concern. They really are. So you figure out what you're doing and what you need to secure, and then you go into how you need to secure it, and then you look at what tools might fit that job, right? That's where a tool conversation can come in. I can't tell you the number of people that come to us for a gap analysis and they've already bought Microsoft 365 GCC High. That's great, but you may not need that. If you've got a server on site and you don't really do anything in the cloud, that didn't really get you that far down the road. They might buy one of the other cloud sharing tools. They might buy Apricorn drives or something like that. But those tools should be the secondary or tertiary conversation, not the primary conversation. You need to figure out what you need to secure and what you're doing first.

Stacey

Something a lot of companies tend to misinterpret is the CMMC timelines and how quick that goes by. Can you go into how long this actually takes to accomplish?

Realistic Timelines And Hidden Time Sinks

Brooke

Sure. And we're talking about the timeline to go through and be compliant, right? That's really what we're talking about. It takes time. It just takes a lot of time to go through and understand all of the controls, all the assessment objectives, what they're really asking, how you can implement them in your business and all that. From the previous question about tools: it'd be great if you could just throw a tool in, write a little bit of documentation, and you'd be good to go. You could be compliant in 30 days. Depending on where you're starting at, it's normally six to twelve months or so before you can be compliant and be ready for that certification assessment. However, if you're starting from zero, it could be 18 months. And this is if you're making decisions, spending money and getting going, not dilly-dallying. So it just takes time to get all this in place. It takes time to write the policies, write the procedures, or update them, or whatever. It takes time to write your SSP. We talked about the documentation, how much documentation there was. It just takes time. It doesn't matter what kind of great, wonderful templates you start out with, you've got to customize it to your business and how you're working, and you've got to fill that SSP out, customized for your business. That is not a template. Well, it could start out as a template, but you've got to customize it for your business. And that is 320 assessment objectives that you have to customize for your business. So that'll take some time. It takes time to link all this together. I can tell you, whenever you go to get your certification or mock assessment, they're going to want to see all your SSP, your policies, your plans, procedures, all your artifacts, and everything's going to have to be mapped correctly.
And so you've either got to use a GRC tool to help you do that, or, frustratingly enough, even if you can export out of your GRC tool and have it in a nice structured format with some mapping and all that kind of fun stuff, a lot of them want to see it in their own folder structure. So you've got to take it out of the folder structure that the GRC tool is using and put it in the C3PAO's own folder structure. So you've got to know how to do that. You've got to know what goes where. And that's hours' worth of work right there. I can understand why the C3PAO might want it in their own format, so they can be much more standard about how they do things. I get it. It's just frustrating. But yeah, that is hours' worth of work trying to get all the documents in the right places. If you have, for instance, one screenshot that applies to several different assessment objectives, now you've got to put that in different places. There's a lot of this that is time consuming. And that's just an example. I'm not complaining, or I guess I am complaining, but it's not really about that. It's really just an example of the time it takes to do something that should be simple, right? So it takes time to write your SSP, it takes time to write your policies, it takes time to implement these things, change your process. You decide one of the things you need to do is put an electronic access control in place for your key cards for your employees. Sure, that's great, but you've got to go through the process of bidding it out, making sure it's built properly, installed properly, and then after it's done, making sure it's documented properly. That doesn't happen overnight. It all takes some time.

Stacey

Yeah, like most things in life, rushing it is typically going to get you a pretty bad job. I would say the same thing applies with CMMC. You have to be very meticulous and prepared in what you need to present to those C3PAOs.

Brooke

Absolutely. And again, that documentation piece is what's critical. Take the access control system I just used as an example. You want to make sure that what you said needed to be put in place, what you agreed on, and what was put in place is all correct, and then make sure that is reflected in the documentation that you have.

Stacey

So one thing that I feel doesn't really get talked about enough is the legal side of CMMC compliance. When do companies realize that this is not just a compliance issue?

Legal Risk And The False Claims Act

Brooke

Well, generally, I guess one of the wake-up calls is when they have to attest and sign a blood oath, basically, that their score in SPRS is what they really have, right? Because they're held legally responsible for that. If you pay any attention at all to any of the CMMC news (it doesn't show up on any of the major news cycles or anything like that), then you'll see some of these companies and institutions that have been caught in the False Claims Act, and you don't want to be caught in the False Claims Act. I want to stay way away from that. It's one thing to have a simple misunderstanding between the way you think something should be implemented and the way the assessor thinks it should be implemented; that's one thing. But saying you're doing something and not actually doing it, or just not understanding that define means document, you should have a policy; those are bad things to happen, and you don't want to be on the wrong side of a False Claims Act case.

Stacey

So Brooke, if you had to summarize all of this, what is the biggest takeaway for contractors listening right now?

Biggest Takeaway And Do Not Wait

Brooke

CMMC is not a quick, easy thing to get done. And even when you think, oh no, it's not a quick, easy thing to get done, it's even a lot more complicated than that. So you really need to have somebody on board that knows what they're doing, that hopefully has been through some sort of training, mock assessments, certification assessments, whatever it may be. Somebody who's been through that and understands what assessors are looking for, with an understanding of how long it takes to actually get the documentation done. November 10th of this year is coming up quick, and that's when, you can argue about what exactly this means, but that's when CMMC certifications are going to be required on contracts. The Department of War did give themselves a little bit of wiggle room. They can say it in a couple of different ways, but one of the ways is they can say, on this contract coming out, certification is not required for award of the contract, but it'll be required in option year one. Because generally the way they work is they're a five-year contract, so they have a one-year commitment and then four option years after that. So they may say on this contract it's not required in year one, the front year that you sign up with, but in option year one, that first option year, the certification will apply, giving you some time and a definite timeline for when you'll have to do that. So don't wait. That's coming up fast, and this is June right now when we're recording this. So June, July, August, September, October, November: six months away, or right about six months away, I guess. But don't wait. This stuff takes quite a while to get in place, quite a while to do. I know that there are companies out there that say we can get you certified, we can get you ready for assessment in 30 days or 60 days or whatever.
They may very well do it, but be very leery and do your homework really well before you go down that road, because, I don't want to say snake oil, but there are some things that they may cover and may not cover that you need to be covered, right? Those are generally enclave solutions. The point is, there's a lot more to this than just spitting out some policies and throwing a tool in place and getting going. There's quite a bit to it. So you want to hire somebody that really knows what they're doing, somebody who's been trained, somebody who's been around the block with it.

Stacey

So we're gonna move on to one of our favorite segments of the show, which is listener questions.

Brooke

Absolutely.

Listener Question On Windows Upgrades

Stacey

We got a listener question on episode 39, which goes over CMMC Level 1, and they asked: are out-of-date operating systems able to be compliant, or would all old Windows 10 PCs have to have Windows 11 on them?

Brooke

And this was a CMMC Level 1 question, is that right?

Stacey

It sure was.

Brooke

Okay. Well, it doesn't really matter; either way, they'll have to be updated. There's a good bit less language as far as what you have to do for risk assessments and all that kind of fun stuff. But at Level 1, you still have to do flaw remediation. And one of the flaws: Windows 10, there's no more patches coming out for it. Unless you've gotten the extended SKU, I don't remember what it's called, but anyway, the extended version of Windows 10, which I can tell you, from what I've heard, we've stayed way away from it and we've just said you've got to upgrade to 11, right? It's not been an easy path and not been a sure path to get those patches applied. It's been kind of messy. But you do have to have a way to install patches for everything, not just Windows, but your firewall, anything that's in scope. I could list off a lot of things, but it depends on what's in scope, really. So you have to have a way to remediate flaws, install patches, stuff like that. So yeah, Windows 10 needs to be upgraded to Windows 11. Technically, I guess you could, I don't even know if it's still available, but you could buy the extended version of Windows 10 and be able to say, yes, we have that and we can install patches, but that is not going to last forever. And from all the noise that I've heard, it doesn't work very well. So an assessor might ask you to prove that you're on the latest patch. And if it's been having problems and you can't prove that, that's an issue, right? And I guess actually you're not going to get an assessor for Level 1. So there's that. But you do have to self-attest.
And even for Level 1, there's probably less of a worry about false claims. But even for Level 1, I would still want to make sure that I'm up and up and have got everything covered like I'm supposed to have them covered. So yes, with those caveats, I would say yes, Windows 10 does need to be upgraded to Windows 11 so you can get current patches, along with anything else that might be in scope, like your firewall or network equipment, whatever it may be.

How To Send Questions And Subscribe

Stacey

Perfect. Well, thank you so much for that, Brooke. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.