The Hidden Operational Workload Behind CMMC Compliance
CMMC Compliance Guide, April 10, 2026
Duration: 00:17:52 (12.29 MB)



Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down one of the biggest misconceptions in CMMC compliance.

Most contractors think CMMC is just a cybersecurity upgrade. Install a few tools, write some policies, and you are ready for an assessment. But that is not how CMMC actually works.

The real challenge is the operational workload behind compliance.

We walk through what that workload actually looks like, including documentation, system security plans, asset management, workforce training, evidence collection, and continuous monitoring. These are the areas that consume the most time and are often underestimated by small and mid sized defense contractors.

We also cover how CMMC impacts your supply chain, including subcontractor flowdown requirements and what you are responsible for as a prime or subcontractor.

If you are preparing for CMMC Level 1 or Level 2, this episode will help you understand the true scope of work so you can avoid delays, failed assessments, and costly surprises.

The Hidden Operational Workload

Why IT Upgrade Thinking Fails

Stacey

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about something that surprises a lot of defense contractors once they start the CMMC process. Most companies assume CMMC is mainly a cybersecurity project: just install some security tools, write a few policies, and you're ready for an assessment. But in reality, the technical controls are only part of the equation. For small and mid-sized contractors, the biggest challenge is actually the operational workload behind compliance. Documentation, training, evidence collection, asset management, vendor oversight, and continuous monitoring can consume thousands of labor hours every year. So today we're going to break down what that hidden workload actually looks like and why so many companies underestimate it. All right, Brooke. So hopping into it, a lot of companies approach CMMC like it's an IT upgrade. Why does that approach usually fall short with CMMC?

SSP Documentation Tells The Story

Brooke

You know, the IT part of it, the cybersecurity part of it, is definitely part of it, and that's what it's all kind of built around, except that it's really all built around the business processes. You've got to write down what you do and how you're doing it, then you've got to actually do what you say you're doing, and then you have to be able to prove that you're doing what you say you're doing, right? So really it's a whole business process and documentation for your network. You know, it's easy to throw some security tools in there and say, yep, we're good. In reality, the technical controls just by themselves are really not that hard to get put in place, but it's everything else along with that. You know, is the product compliant, or can you make it compliant? How are you gonna do the logging? How are you gonna do continuous monitoring? The whole nine yards. So really it's about business process, and how you say you're gonna do everything, and how you can prove that.

Stacey

So you briefly mentioned documentation. Since that's another area where expectations don't usually match reality, can you go into what role documentation plays, with a system security plan, in CMMC?

Brooke

Sure. So your system security plan tells your story about how you are fulfilling all the controls. Really, for most people, you're looking at a hundred to two hundred, three hundred page SSP. And I say that really because the assessors are gonna assess you based on each assessment objective under the controls; they're not gonna just ask you overall about the control. They're gonna ask you about each assessment objective, and if you meet each of those assessment objectives, then the control is met, right? So it could be one objective or it could be seven objectives, for whichever control it is. So what you do in your SSP, what most people do, what you should do, is write out how you meet each of those assessment objectives, right? However you break that out, however you do that. But a lot of GRC tools will allow you to write a control statement and then a statement for each of the assessment objectives, which is the way you should do it. So that SSP really tells a really good overall story. Your policies and your plans and procedures say, this is how I say I'm gonna do it, right? And your system security plan says, here's some details that show you what we're doing to fulfill those controls, and then you have all your proof and evidence and everything else to show you're doing what you're doing, along with the continuous monitoring and all that kind of fun stuff.

Stacey

Another area that seems to surprise contractors is asset management and scoping. Why is that process so complicated?

Training Beyond Basic Awareness

Brooke

Well, a lot of people, you know, asset management, well shoot, I'll just spit out a list of Active Directory users and computers, and we got it right there. It's really not how it works. You've got to list out every user, every service account or process, anything that runs automatically, right? Process, service account, all that kind of fun stuff. Anyway, so a user, a process, or a device, any device that connects to that network, has to be listed, right? And so you've got to list all those out, you've got to categorize all of them and say this is a CUI asset, this is a security protection asset, this is out of scope, this is a contractor risk managed asset, whatever it may be. You've got to list out what kind of assets those are, and yes, the people too, because people are assets. So the users have to be listed, you know, who's in scope, who's out of scope, who's CUI, all that kind of fun stuff. So it's an undertaking much larger than just spitting out a CSV of users and computers.

Stacey

Another area that companies often underestimate is training. Why does CMMC put so much emphasis on workforce education?

Evidence Collection And AI Caution

Brooke

Well, for the same reason that everybody should, really. But, you know, there's your basic cybersecurity training, you're supposed to go through how to handle your basic cybersecurity. There's your insider threat awareness that it specifically calls out. And then there's how to handle CUI. But then the people that have security functions, how are they trained, right? What do they do? So it's not just your basic cybersecurity training and that's it. It's anybody that has a security function. So for instance, we're an MSP, so we would have that security function. How do you train those employees? And you have to lay out a plan. A lot of companies, there's not a specific laid-out plan, and you've got to figure something out. It doesn't mean that you have to say this position is gonna have X, Y, and Z, and this position is gonna have one, two, three. It can, and some of that can be part of it, but you can also say, it would list out how you're gonna address it. For instance, maybe you talk with the employees and you have some suggested training, and then you firm up a training schedule with that employee at the beginning of the year in their employee review or something like that, and you go over gaps that they need to study. That should work as well. So they do need to have training beyond the basics: everybody has to have the cybersecurity training, how to handle the CUI, and insider threat awareness training. But then don't forget your IT department, or whoever is your security personnel, cybersecurity personnel that has a security function. They have to take some sort of training to address their security function.

Stacey

So hopping into evidence, that's something we hear a lot about during assessments.

Brooke

Yeah, yes, it is.

Stacey

Why is evidence collection such a big part of the process as a whole?

Brooke

Well, that's the whole thing: you have to prove what you're doing, you have to prove you're doing what you say you're doing, right? So I can tell you, the more evidence you have in there for an assessment to show how you're addressing all this stuff, the better. If it's unrelated evidence, it doesn't really matter, of course, but the more evidence you have in there to show what you're doing, and the different aspects of whatever it may be, the better. Think audit logging, for instance. The more evidence you have in there, the better. That serves two functions, really. The assessor can see all these things, and they might ask you to go show them something; if it matches the document or the evidence, the artifacts you put in, they're probably okay with it, especially if everything that you show them matches and everything's good. They'll ask you fewer questions, most likely. That's not a given, but that's most likely. The other thing that helps, what I can tell you, is when you're going through an assessment, you're kind of uptight and worried, maybe not worried, but on edge a little bit. And sometimes you just can't remember where in the world to go to click on something to find it. And if you have that screenshot there, you can go, oh yeah, I know where that's at, then you can go find it and show it to them. So it serves two purposes there. It does help out when you're in an assessment trying to find those things. One other thing that I ran across, that I've seen a few places, and I just saw something about it this morning and it reminded me:
On the evidence collection part, there's some agentic AI out there that you can train to go collect evidence for you and do that on an ongoing basis and stick it in there to show that you're doing this, right? So you don't have to go manually do that. That's all great, that's wonderful. It'll be great when we can automate everything. But then again, AI taking over the world is, you know, a little concerning, right? So the first thing I worry about there is security. You've got to be very careful, make sure that whatever you do with AI is secure and compliant. But then the other thing is applicability. You can't just 100% trust the AI to do what it's gonna do. Now, one of those that's specifically tailor-made and trained for evidence collection for CMMC is probably a little better than your generic AI that gets some things wrong, right? It's AI, it'll still get some things wrong. So I don't know where I fall on that. Well, actually I do know where I fall on it. I fall on the I'm-skeptical-right-now side. And we're gonna hold that at arm's length. But the point is, there are some of those tools out there and they may be useful. They may be able to help. So look into those. Those can absolutely help you with some continuous monitoring and evidence gathering. Again, with the caveat that me, myself, we're gonna hold that at arm's length until we have time to really investigate it well.

Compliance Never Truly Ends

Stacey

So it's actually really interesting. It is. Having it hallucinate your evidence, that might not be the best. All right, Brooke. Once companies achieve compliance, are they finished with the work?

Supply Chain Flowdown To Subcontractors

Brooke

Oh, absolutely. You can just put it up and never think about it again. No, just kidding. Not really. Please don't take that clip out of context. So no, it is not over. Once you've gotten through your assessment, I'd say the hard part is over, because you've got that certification, you're good, but it is continuous. CMMC and NIST 800-171 are built for ongoing management, right? They're not built to, you know, write some policies and stick them up on the shelf, like people do for other compliance standards, we'll just say that. You've gotta continuously gather evidence, you've got to document changes to the network, to whatever it may be, you've got to document changes. Do you never ever bring on any more employees? Do you never ever lose employees? That's a simple thing that you need to document. How did you onboard them? How did you give them access? So those are the things that you're gonna want to document and keep, of how you did it and that you followed your policies.

Stacey

Let's chat about the supply chain for a second. How does CMMC affect subcontractors?

Brooke

It does affect them. The flowdown has always been there, but they've specifically called it out and they keep talking about it. So CUI flowdown rules are a real thing, right? Anything that is performed, and I'll have to go back and look at the statement, but anything that is performed, created, or held in the performance of that contract for the government is in scope and can be considered CUI. If it's marked CUI and you get a drawing or some specs and you make a drawing of that, or you break it down into smaller parts, then that's very likely going to be CUI. If you send it off to a subcontractor to finish a part out, or do something to it, or make something to sell to you, or whatever it may be, that CUI flows down to that subcontractor. And you have to do your due diligence to make sure that they meet the same CMMC level requirements, for that contract, whatever it is, that you have to meet. Right? Same thing. The big primes are doing that; they have contracts and they want you to be the same level they are for that contract. They have a bunch of contracts, I know, and subcontractors work on more than one contract at a time, I know that. And a lot of them out there get POs to do things. So I get all that. But if you're a subcontractor and that controlled unclassified information comes to you, then you have to meet those controls. And then if that same or related CUI flows down to one of your subcontractors, then that flowdown goes down to them as well, and they have to be compliant. And you're responsible to make sure that they are compliant.
And that can be a questionnaire, that can be, hey, show me your certification, whatever that contract requires. You're gonna have to make sure you have some sort of process in place to CYA. You gotta make sure that you're good to go and that you've done your due diligence. Now, if they've lied about a bunch of stuff, it's not necessarily your duty to go investigate and make sure they're not lying or anything like that. Then again, if you think they might be, I would walk back and drop that right there. But in any case, the flowdown is a real thing. It does affect contractors, subcontractors, subs of subs, subs of subs of subs. We get asked this question all the time. It's a big problem in manufacturing, but it's also a gigantic problem in construction. We have some clients that said, if we have to flow down these requirements to our subcontractors, we won't have any subcontractors to use. We can't get Jose the concrete guy to come out here and pour any concrete. Well, you've got to figure out, if there's something that is going down to that subcontractor, is it an off-the-shelf product or is it something that may not be off the shelf? Is it special concrete, or what is it, right? So if it's truly an off-the-shelf product, you may be off the hook as far as flowdown, but that's not an easy blanket thing to say.

Stacey

Yeah, don't hold your breath on it.

How To Reach Us And Subscribe

Brooke

Exactly. I would err on the side of caution, rather than not. So that flowdown is a real thing, and they want everybody to make sure that they're following that.

Stacey

Well, thank you, Brooke, for providing your insight. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.