Top CMMC Compliance Mistakes and How to Avoid Them
CMMC Compliance Guide, May 08, 2026
57
01:06:56, 45.99 MB


Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down the most common mistakes defense contractors make when preparing for CMMC compliance and how those mistakes can cost you time, money, and even future contracts.

Even though CMMC 2.0 is now enforceable, many companies are still struggling with readiness. The issue is not effort, it is approach. Many contractors start in the wrong place, leading to overspending, failed assessments, or compliance gaps that could have been avoided.

We cover critical topics like scoping mistakes, why treating CMMC as an IT-only project creates problems, and how focusing on tools too early can lead to unnecessary costs. We also explain why documentation and ongoing evidence are essential for passing an assessment and building trust with assessors.

You will also learn why submitting an inaccurate SPRS score can create serious legal risk, how long CMMC actually takes to implement, and why waiting too long to start can put your contracts in jeopardy.

If you are a small or mid-sized contractor in the defense industrial base, this episode will help you avoid the most common pitfalls and take a smarter approach to compliance.

Welcome And What’s At Stake

Austin

Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked through compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about something that's quietly costing a lot of defense contractors time, money, and sometimes even future contracts. Even though CMMC 2.0 is now fully enforceable, readiness across the defense industrial base is still surprisingly low. So the challenge isn't always a lack of effort. Many companies are actively trying to prepare for compliance, but they're making a few early mistakes that make the process far more expensive and complicated than it needs to be. In today's episode, we're going to break down some of the most common CMMC compliance mistakes we see in small and mid-sized contractors, and more importantly, how to avoid them. All right, Brooke, let's start with one of the biggest mistakes we see all the time. Still probably the most common. It is. Yes, it is. And that is scope. Why is scope such a critical issue when companies begin their CMMC compliance journey, or even sometimes get halfway through and then realize that scope's a problem?

Brooke

Well, scoping. First of all, you need to know what kind of data you have, right? And then what you're supposed to protect. Of course, we're talking about CUI and FCI, but what kind of CUI do you have? The most common, of course, is going to be controlled technical information. But are there dissemination controls? Is it ITAR-type information, or EAR, or NOFORN, or something like that? You need to know what kind of data you have and how you need to protect it, right? And then you need to figure out all the systems it touches, or at least needs to touch. Because when you scope things out, you need to draw a data flow diagram and figure out where all your data flows through all your systems. And I'm not talking just, "Yeah, sure, it goes onto my file server." Okay, well, how does it get there, right? So you need to think about all that and figure out exactly where it goes and exactly where it needs to go. A lot of small organizations, and even some big ones, have a tendency to over-scope and just say, "Hey, everything's included. Just put it all in." And that's great, and yes, all your data does need to be protected; I a thousand percent agree. But as far as CMMC goes, if you can bring that scope down some, or at the very least scope some things out of it that you don't need in your CUI environment, that can save you some money, it can save you a lot of headaches, and it can save you from having to implement things that you don't necessarily have to do, right?
If you under-scope and you don't take into consideration all the systems that CUI may touch, one thing we see quite commonly is, "Hey, it all goes from the internet onto our server. It's just on our server." Okay, well, how does it get there? Protection of CUI isn't just where it's stored; it's where it's processed and where it's transmitted, right? And so if you get on your workstation, you download that from the internet, and then you copy it to the server or a shared drive, and then after that you put it in your ERP or your MRP. Sometimes you might link it, but however that may work, at that point, where you downloaded it from is maybe a customer's portal, right? I'm sure it's compliant, so it's not part of your systems, but you download it from there, you put it on your computer, and now your computer's in scope, unless you downloaded it straight to the server from the server, and most people don't, and you don't need to be logging onto your server necessarily unless you have a VDI set up, and that's another story. But once you download it to your computer and copy it over to a file server, for instance, now your computer and the server are in scope. And then if you put it in your ERP, whatever system your ERP runs on is in scope. So it may be the file server and then an application server or a database server or something like that. So you need to really think about that whole process and think about where it goes. And whatever process you're doing, can you clean that up, right? Can you, in other words, tighten that scope up a little bit?
And if you clean your process up for handling CUI, maybe you can scope it down to a few machines, or at the very least, maybe you can scope some machines out and not have them in your CUI boundary. But scoping is the biggest problem. Over-scoping is common, and then under-scoping, in the form of not considering all the systems that touch CUI, is a problem we also see quite a bit.

Austin

Yeah, under-scoping I've been seeing a lot lately, especially with our favorite term, enclave. Enclave, yes.

Brooke

It's in an enclave. It's in an enclave.

Austin

I was talking to someone the other day and they were talking about how so-and-so said you just need to keep it in the enclaves. And I've never heard enclave used in the plural.

Brooke

Well, that's interesting. I've never heard of multiple enclaves either, but yeah.

Austin

But so he was saying, well, GCC High is an enclave, and then we have this other tool set that's an enclave, and so we just keep it on all the enclaves and we're fine. I was like, well, I think I'm on the same page with you, but let's dial this back a little bit and just think through the process. How do you get it from this enclave to the other enclave? Does it have to traverse your computer? "Well, yeah." Okay, so in the way that you're thinking about this, your computer's an enclave as well, right? So that's why we don't like the word enclave, because it can be misleading. We prefer to just use the word scope. And so that enclave, which you could say is GCC High or PreVeil or something, and then this other enclave, whatever this other enclave is, it's a protected system, and your computer, are all part of the same enclave, or the same scope, and it all has to be protected and be assessed and have all the 110 controls and 320 sub-objectives. So it's all part of the same scope, and that's why we like scope over enclave. And I just thought that was an interesting perspective, using the plural for enclave. I've never seen that. It's important to understand how people think about these things so that you can speak to it. And what you're saying is you have to think about things holistically, the whole process, every step of the process. And when you think about it holistically, it makes it a little harder. Right. There's not these little, "We'll just get GCC High and we're solved," or fixed. It doesn't work that way. You have to think about the whole process.

Brooke

Right. I was at CS5 just recently, last week. So that'll tell you when we recorded this, I guess, as opposed to when it airs. But at CS5, somebody (I'll just leave his name out of it for now; it's recorded, and if you attended it, you can see it, and he stood up and spoke publicly) but one of the gentlemen from one of the prime contractors stood up and said, hey, one of the things he said (really smart guy, anyway) he said, "I wish y'all would stay away from the term enclave and quit talking about enclaves, because people think all I've got to do is buy this enclave and it works and everything's taken care of, and that's great, except it doesn't work that great for manufacturers." And here we are, we deal with manufacturers a lot, and we don't deal with people that just have a services business or something that doesn't necessarily need to worry about operational technology, specialized assets. So we deal with those all the time. And our view is that enclaves are really hard to make work. But they do fit some people just fine. You can build a VDI enclave in GCC High and have yourself a great enclave, or use PreVeil, or use any of the others. I think Secureframe's got one. I mean, I don't know about tons, but there's quite a few enclave providers out there that you can use, right? But you have to understand that as long as it's in that little enclave, that defined boundary, you're all good. But once you pierce that to download the information to get it to your CNC machines, or out to a vendor or whatever else, or onto your machine to manipulate whatever it may be, then the boundary of that enclave goes out the window. So you just have to consider all that.
And so he had a very good point; it just doesn't work real well for manufacturers. The traditional way you think about an enclave solution does not work for manufacturers or construction folks. Actually, I guess it might work a little bit better for construction folks in some manners, depending on how you do it, but I digress. Yes, scope is very important. We used to see over-scoping almost exclusively. But now we're seeing a lot of under-scoping and not really considering the whole process, the whole flow of data. Yep, yep.

Austin

People used to say, "We'll just keep everything in scope." Now everyone says, "We're gonna keep everything out of scope." Right. Yeah. I went to Southwest CIC recently and it was interesting, because our booth backdrop says something about manufacturers, and the number of people that came up to me and said, "You do manufacturers, huh?" And it's like, how'd you figure that out? Or, "We don't touch manufacturers, can we talk?" No, seriously. They're like, "They don't do manufacturers." They're like, "Yeah, we stay away from it because of the issues with the OT."

Brooke

There are some issues, yes.

Austin

And I was just so surprised, because I thought that we were all dealing with manufacturers.

Brooke

Isn't that what the Defense Industrial Base is? Manufacturers for the DOD, or DOW?

Austin

So I mean, not throwing any shade, I just found it surprising.

CMMC Is Not Just IT

Brooke

Exactly. It surprises us how many people there are that are not manufacturers who are part of the DIB, the defense industrial base. So I guess there's plenty out there. In my mind, it's mostly manufacturers.

Austin

So I guess we're wrong. So another thing we see a lot of companies saying is, "Oh, we've got our IT team handling CMMC or compliance," or, "We're hiring another MSP and they're gonna do our CMMC, just take care of it." So the point is a lot of people are viewing CMMC and compliance as just an IT issue, and they can just hire it away, or find a new MSP that says they can do CMMC, or just put it all on the back of the IT guy. Is that the right way to think about it, in your opinion? No, not really. No.

Brooke

So the right MSP can handle that for you, the right third party can handle that for you. IT can help out and drive a lot of the things, but really there need to be business decision makers heavily involved with that process every step of the way, and they need to understand. It really all boils down to the fact that this is gonna change your business processes, and you have to have that decision-maker buy-in, right? So they gotta be part of the decisions. If they understand why, they're not gonna say, "Why does it cost that much? Why are we gonna do that? Why do we gotta change things?" Other than that, when it comes time to be assessed, that IT guy or that MSP may be in the room with you to help you out, but they're gonna expect you to know why this is implemented, where this is in the policies. You may not be able to go find your antivirus settings or your SIEM settings or show them the SIEM logs or anything like that. That'll fall to the MSP, that'll fall to the IT guy, but you're gonna have to answer those questions. You may defer to them on a lot of things, but they want to ask you the questions. They want to ask the people in charge of the OSC the questions and know that they understand and are doing these things. So, like I said, you can absolutely have somebody that's in charge of that program, an MSP that does the security stuff for you or that helps you with all the policies and implementation and everything, but they're a part of that, maybe a very important part possibly, and very involved during the assessment part of it, but you can't just say, "Hey, go handle this." Some of the decision makers have to be involved with that, and somebody that has some authority for the company has to be involved in that.

Austin

Yeah. So I've been doing a lot of lawn work recently. You've been out mowing people's lawns? My lawn. Come down to my house. No, thank you. Yeah, you got more grass than I do. But I've been doing a lot more of my lawn work recently, winter just passed, grass is growing, and as you were talking about that, it made me think: if your goal is to have a pretty lawn, and your solution is to hire a landscaping company or a lawn maintenance company to come mow the lawn, and your lawn's still ugly after three months of them doing it, then maybe you solved the wrong issue. Maybe you should have been watering the lawn, right? Maybe your sprinklers are... I was wondering where you were going with that, but that's true. Yeah, so it's the same thing as hiring an MSP to fix your CMMC compliance. Well, maybe that's not the issue. Maybe they're part of the problem, but before you ever hire a lawn company to cut your grass, you need to water the dang thing for grass to grow. Right. So an MSP is part of the solution for a lot of people, especially if they don't have IT talent in-house or don't want to pay for it. But you have to step back from just the maintenance of everything and the people that you can hire, and really address the thing holistically. And that's why, when people come to us, we typically don't jump right to MSP services and say, "Just hire us, we'll take care of everything." We run them through a consulting engagement first, because oftentimes they don't have all the SSP, the POA&M, policies, and the whole compliance thing.

Brooke

They may have the policies and the SSP and the POA&M, or the policies and SSP at least. And we look at them and it's boilerplate template stuff that maybe they put their company name on. We look at it and ask, "Did you read this?"

Austin

Yeah. So it has technology in there they're not even using. So it's important to look at the problem holistically first and not just jump to treating it as an IT project. Because there's a whole list of other controls and objectives that are physical security, that are HR or employee-related screening. So it's not just an IT project.

Brooke

Identify authorized users, 3.1.1.8, right? Identify authorized users. Well, IT can pull a list of users out of Active Directory or Entra or the ERP, whatever. But that doesn't mean that's everybody, and that doesn't classify them, and that does not authorize them. So somebody needs to authorize those users, bless them. Fine. Somebody needs to authorize them, somebody needs to bless them, somebody needs to say that yes, they can work on CUI, or these folks are CUI, these folks are... and yes, people can be CUI assets or SPA, security protection assets. So these are SPA, these are CUI, these are out of scope. I don't know that a person can be a specialized asset, but they can certainly be SPA and CUI. Maybe if you try hard enough. Maybe so. I know some people that are pretty special. But yeah, there's a lot of it that IT can help with, but senior management, executive management, authorizers, approvers, or somebody needs to be part of it. And your IT department hopefully does not authorize users on their own to be part of your system. They just get the marching orders and implement those marching orders, right?

Evidence That Builds Assessor Trust

Austin

Yes, IT people don't need any bigger heads than we already have. So no, no, not at all. So the next question I've got for you is about documentation and evidence. That's another mistake we often see: what documentation is supposed to be, what's considered evidence and what's not. Why is that such a misnomer, or a major issue, prior to an assessment or during an assessment?

Brooke

Well, prior to an assessment, they're gonna ask for your documentation package. They're gonna ask for all your SSP, policies, plans, procedures, POA&M (hopefully not a POA&M at that point), and all your artifacts, all your evidence. So at some point you need to have proof of everything and upload it so they can look through it, right? But before that, there's all sorts of evidence, artifacts, proof, whatever you want to call it, that you need to have on an ongoing basis. You need to keep logs and somehow prove that you're looking at your publicly facing websites, social media, stuff like that. Prove that you're looking at that: there's some sort of log that says you went out and looked at it and said, "Yeah, we're good." Some way to prove that Stacey asked you, "Is it okay to post this?" and you said absolutely, and she posted it, right? There's got to be some proof that you follow the procedures, because they're gonna say, "All right, you say you've been doing this for a year. When was the last time you reviewed all the events that you're logging?" "Well, the last time I reviewed those was... I don't remember." There's all sorts of things you're supposed to be doing on an ongoing basis, and that is part of your evidence. There's also part of your evidence that you'll need to gather: screenshots of Active Directory, how things are set up, how SIEM logs or settings are set, stuff like that you'll want to keep in there. It's good to keep those in there. Put those in there when you are first creating your documentation so you have that and can show yes, it was set like this. Right before your assessment, you upload a new screenshot so they can see that.
The more evidence and things they see that say, "This is what we say we're doing, here's the proof that we're doing what we're doing, and you can check me on some of these to see that it's actually the case that we're doing what we say we're doing," right? So if you have all that in place and they come and talk to you about it, or you're going through an assessment and they say, "Can you show this to me?" the more things that match, the fewer questions they'll ask. So that's your goal: get the assessors to ask as few questions as possible. And you do that by generating trust with them, by making sure that you've got all your I's dotted and your T's crossed, right? Make sure, again, that you have written down what you say you're doing, that you have proof of what you're doing, that you're doing what you say you're doing, and then you can show them in real time that it matches.

Austin

So hard to build trust without it actually being done. Yeah.

Brooke

What you don't want is assessors going fishing, trying to find different things, picking things out at random, and you go check on things: "Oh yeah, here you go, here you go, here you go. You found that one setting that I missed." So hopefully you didn't miss any settings. And the point here is not to slip things by the assessors; the point is to verify your settings, verify everything's good, and prove it ongoing, so that when they do that assessment, you're all good and they'll ask you fewer questions, and it'll be an easy go. Easier go, I should say.

Tools Come After The Controls

Austin

Yeah, absolutely. Now I think back to way back when we first had to implement our visitor logs. We started with a clipboard at the door, and that's what we still do, right? Right. But when we first put it up there, magically it doesn't fill itself out, right? People actually had to do something. Right. So we had to make a very intentional effort of changing behavior for a good long time before it actually started getting done and being part of things, without us having to make sure it happened every time someone walked in the door. But the point is, you can implement the clipboard and it can hang there on the wall, but if it never gets filled out, you don't have any freaking evidence. Right. Right? So you take that same concept and extrapolate it out to your security logs and everything else, all the 110 controls and 320 sub-objectives and all the other things you have to prove; that same concept stands for each of them. Right. Absolutely. You have to have that. So the next question, or mistake, that I've got for you is a close cousin to treating CMMC as an IT-only project, but it's one that we see very frequently. Typically leadership will treat CMMC as an IT project, and then the IT team, or whoever's more technical in nature on the team, focuses just on tools and tool sets and vendors that they can hire or buy and implement. So we see a lot of companies focusing heavily on tools or vendors like antivirus or encryption or firewalls. Is that the right priority?

Brooke

No, it is not. Just worry about the controls and then figure out if whatever tools you have will work or if you need to build something else in, right? And tools do matter. Not every tool will work for CMMC. If you have a cloud backup, for instance, most likely you're gonna have to rethink that. But you need to go through and do a gap assessment and generate a POA&M to figure out where you're at and where you really need to be, and you need to look at that holistically so you can make good, all-encompassing decisions, right? So yes, you very well may need a different AV, antivirus; you very well may need a different SIEM tool that will meet compliance. You may need another backup or something like that. But if you just choose the backup first and say, "Yeah, we're gonna go with this backup," and then later on you go, "We're gonna change our setup and change how this works," well, that just impacted your backup, for instance. So tools are important, and you need to make sure they're compliant in whatever manner they may need to be compliant for. You gotta consider whether they touch CUI or not, process, store, or transmit CUI, or whether they secure any of that CUI, right? So your antivirus, your SIEM, if you use an MSP, their RMM tools, all sorts of stuff like that. So those are things you need to keep in mind when thinking about tools, but tools are a secondary thing that you worry about along with a POA&M. Yeah.

Austin

Yeah, two common examples I use to explain why tools aren't typically the solution for people. One, like the clipboard I mentioned earlier: if you want to buy a tool to solve your visitor log issue, you can go spend thousands of dollars on an iPad system and a printed badge deal and a database and the whole nine yards. But if you just did a gap analysis, looked at the controls and the objectives, and realized that you could have just used a clipboard and saved a bunch of money, you didn't have to get a tool, right? Same thing for VoIP phone calls and web meetings and stuff. If you just want a tool to solve the issue, you may not even be discussing CUI or sharing your screen with CUI or something, and may not need a fully FedRAMP VoIP phone system solution at all. It may not even be in scope. And you've just gone and spent money on something 4x the cost of a commercial system. And by the way, FedRAMP VoIP, good luck, because there's only about one provider that I know of that will satisfy that. And it's expensive. Anyway, the point is that if you're going tools first, you're doing a disservice to yourself, because, one, you may not even have to implement it. Right. Right. And so that's additional cost that you've spent without just going back to the fundamentals and seeing what you actually need to do.

Brooke

Wait a minute, are you talking about scoping? Yeah, scoping. Okay, yeah. Yeah, scoping. So you gotta scope everything properly.

Austin

And this is why we always say all roads lead back to scope. Yeah. So, yeah, I mean, you've just done yourself a disservice for a multitude of different reasons. So start with scoping, start with how you can achieve or satisfy these controls, and then go find tools, because otherwise you're putting the cart before the horse.

Brooke

Yeah, absolutely. Think about it holistically. Generally, when you draw out your data flow diagram, scope everything, start designing your scope and figuring all the systems out and everything else, a lot of times you can go, "You know what? We can do a little bit better here." And you can tighten that scope up a little bit and say VoIP out of scope, email out of scope. You can tighten that scope up, and that helps a lot.

Austin

How many times have we had someone come to us where they had a false start on CMMC compliance, and the first thing they went and did was buy GCC High and get it all set up and move stuff over to it, but didn't even set it up correctly.

Brooke

That is true. Yeah, GCC High, you still gotta set it up. It doesn't set itself up. You've got to document everything.

Austin

Yeah, exactly. So it's not set up correctly, and then later they realize that they didn't even have to put email in scope to begin with. Yep. And they just spent all this money on the license costs. So that's a perfect example. Absolutely. Yep. So we just mentioned a common trap to fall into: just going and buying GCC High and saying, "All right, we're compliant now," not even setting it up properly after purchase. So this question, or mistake, is about when they buy a tool, and now they say, "Since we bought said tool, we're now compliant." So why is that a risky move?

Brooke

Well, again, that's cart before the horse, right? Yeah. And there's two different things: buying a compliant tool, or being compliant with the tool you buy. One, there are, believe it or not, some vendors out there that say, "Hey, use our product, we're CMMC compliant." But then when you actually go look to see if they're FedRAMP Moderate authorized or equivalent, they're not. Do they have any guidance? Do they have a customer responsibility matrix or a shared responsibility matrix, whatever you want to call it? Do they even have that? How do they say you're supposed to be CMMC compliant with their solution? Those details are few and far between when you really start looking at some of these tools, and then you realize, "Oh yeah, I have to figure out how to be compliant with this tool. It doesn't just help me." So this question wasn't about ERPs? Oh wait, never mind. Sorry. That could be any tool, right? Not just an ERP. It just is, a lot of the time, the ERP. Yeah, a lot of times it is. Yeah. So a tool does not make you compliant. A tool may help you be compliant and may serve some purpose, it may cover some controls, but again, you need to scope, you need to document, you need to figure out what controls it fulfills for you. The all-important customer responsibility matrix will show you their responsibility and your responsibility. Or in the case of an MSP, same thing, but there may be one of their tools that has the tool's responsibility, MSP responsibility, and customer responsibility, for instance. So there could be more to that than just two columns of responsibility. But I can guarantee, if there's anybody that says, "Our controls flow down to you a hundred percent," I would say that's a unicorn.
Wonderful if that happens, but check it out and understand how that happens, because that's probably not the case. So you gotta verify what is actually covered, what's not, what controls, really not what controls they cover, but what assessment objectives they cover, and how they're covered. So you just gotta do your due diligence and figure all that out. But it is hard to buy a tool and be compliant. It's even hard to buy a tool and be 50% compliant.

Austin

So yeah. If you haven't noticed, I've been doing a lot of lawn work recently. I think you mentioned that. Did I?

Brooke

But you refused to come down and do my lawn.

Austin

Yeah. Oh no, sorry, too much grass. So my lawn company finally upset me the last time, so I got rid of them. But I didn't have a mower. Right. So you had to get a tool. I had to get a tool.

Brooke

But the thing is compliant.

Austin

Yes. Well, here's the deal. I bought it and brought it home, and my lawn still wasn't cut. Right?

Brooke

So it didn't fulfill 100% of the controls you set out, right?

Austin

Right. So I had to go actually cut the lawn. And now every week I have to cut the lawn with the mower, right? So maybe a little bit of regret firing the company, but the point is, I bought the tool, but I still have the action of mowing the lawn to take. Just buying the mower alone didn't solve it. I do have a suggestion.

Brooke

Yeah, once your daughter gets old enough, you won't ever have to worry about that again. She can start mowing for you, and there you go. Problem solved.

Austin

I've got about 10 years of mowing lawns, you know.

Brooke

Yeah. Maybe when she's four or five, she can figure it out, right?

Austin

That's my hope. For some reason, I'm not just joking, okay?

Brooke

I don't really think a four- or five-year-old should mow your lawn, but you know.

Austin

It's an electric lawn mower.

Brooke

It's safer somehow. You bought the wrong tool. It was not compliant. You should have bought one of those lawn robots.

Austin

Yeah. I thought about it. But to get one that doesn't sell your information to China, or, excuse me, it doesn't sell it, but it is, you know...

Brooke

There's a danger of it uploading whatever information.

Austin

It does upload it to China. And it is significantly more expensive. Yeah.

Brooke

So you're saying there are very few American-made lawn robots. Yeah.

Austin

Yeah.

Brooke

So just like the American-made drones. You can buy an American-made drone, but they're specialty ones for agriculture or movie making or stuff like that, and they start around $5,000. Yeah. They're cool. They're good, but they're not the DJI drones.

Austin

Something about working in compliance and cybersecurity, it just bothered me to buy a... I don't blame you.

Brooke

I don't blame you a bit.

Austin

So here I am on my liner a week. So I feel for you. Yeah, there we go.

Brooke

Anyway, moving on. We're supposed to be talking about CMMC, and somehow we're talking about lawns and DJI drones. So go ahead.

Start Now Or Miss Deadlines

Austin

I'm the master of rabbit holes, rabbit trails, or whatever you're gonna call it. All right. Mistake number six that I've got for you, which we see a lot, is waiting a little bit too long to start. A lot of times we'll talk to companies that have a contract or two, or are looking to get into it, or they're just now getting letters or something from their primes, and so they know that there's some time period that they have, and they just say, we'll do this later, kick the can down the road a little bit more. So why do we often see that biting people in the butt? And from your perspective, when do you think companies should start preparing for CMMC? Yesterday.

Brooke

So it is not a fast process. Even if you green-light before you even get costs, if you green-light all projects and say just implement them, it's gonna take months, right? It's gonna take months to get everything implemented, get all your documentation squared away, and get a C3PAO on board to get you assessed. And we always recommend a mock assessment at this point, before moving forward with an actual certification assessment. So that adds time to it. It is not a fast process. If anybody tells you, we can get you all covered in 60 days and get you assessment-ready in 60 days, or 30 days, or really even 90 days, it depends on where you're at, but I'd be very cautious about that. So it does take some time. Generally, when you lay everything out, get your POA&M, and say these are the things that need to be done, it takes time to roll through those POA&M items and get them all complete, right? A lot of times it's either a disruption or a change to your work process for that CUI. So there are things that are going to change, things you have to think about for business-related processes. So it's never a quick process. And the time for the 48 CFR rule to enforce CMMC Level 2 certifications on contracts, that's November 10th. And that's federal government contracts, November 10th this year. So primes are already pressing more and more on their subs to get that certification and be ready, right? Because they want to be ready. They want to be good to go. They're already seeing some contracts that say, we really want to have this, at least from what I hear from some of them. So they need to have their base ready to go.
So it's a timing game now, and I know some primes are basically telling some people, if you're not ready now, you're already behind the game. If you don't have a certification right now or have it planned very soon, you're behind the game and you're gonna be left with the leftovers. I don't necessarily think that's the same for all primes, but there are some that are saying things similar to that. So now is the time, yesterday is the time, to get busy and get on this.

Austin

Yeah, I mean if you have contracts that require this, either the older contracts that don't have the hard-and-fast certification requirement but have some DFARS clause or something, and you don't want to lose that revenue, then yeah, you need to do something about it. If you are considering defense work, or some sort of aerospace work that has the requirements on it, in the future, then by all means you can wait. But if you're concerned at all about those contracts going to somebody else, then yeah, you shouldn't be waiting.

Brooke

Right. It really appears like it's gonna be a boon on November 10th of this year for those companies who didn't wait and went ahead and completed everything and got assessed and got their certification.

SPRS Scores And False Claims Risk

Austin

Mm-hmm. Absolutely. So this next mistake makes me laugh, because I don't think we've talked about this on the podcast yet, but I go to our conferences at the exhibitor booth and talk to people. That's my job. And at one of the conferences I was at last, and I've got to be vague here because he said he didn't want to be on the podcast or anything, a gentleman from the Department of War stopped in and talked to me. You remember that? The long and short of it was, he was very interested in anyone misrepresenting ITAR status, or anything, just misrepresenting what they're compliant to, or otherwise essentially lying to the government, right? Because they're very excited about pursuing that. Anyway, that's where I'll leave it. But it makes me laugh, because the next question that I have here, or mistake, is SPRS scores, or "Spurs" scores, for a moment. Why can submitting an inaccurate score be so risky?

Brooke

False Claims Act. Yeah. So if you say, yeah, we're good, we're at 110, and you don't have all your policies, all your plans, your SSP all squared away, all assessment-ready, if not already assessed, but at least assessment-ready. And that's a whole other thing that we've talked about on other podcasts. But everything we've been talking about on this one: make sure that you have written down what you say you're doing, and then you're doing what you say you're doing, and you have proof that you're doing what you're saying you're doing. If all those match, and you have ongoing evidence of all that, then you're probably okay. But if they've said, yeah, we've got MFA in place and we've got a firewall in place and we're good, and we looked and we've got 110, or we've got 107, or whatever it may be, did you really do an assessment, a proper assessment, and make sure that that's what you have? And still, if you go look at all the companies that have been charged under the False Claims Act, most of those are whistleblowers. So it's some guy saying, hey, this company I work for, they say they're doing everything and they're not doing everything, and it's pissing me off, so I'm gonna go be a whistleblower and blow my whistle, or, I'll rephrase that. If you go look at all these whistleblowers and the amount of the fines that the companies pay, the whistleblowers get a certain percentage of that. I don't remember what it is, I think it may be 20 percent, I don't really know, but twenty percent of a couple million dollars is nothing to sneeze at, right?
And so that's a big incentive for somebody to blow the whistle on you and say that you're not doing the right thing, right? So a lot of these False Claims Act cases are still whistleblowers. There are some that come from incidents: some incident happened and they investigated and they found a problem and they said, look, you said you were doing this, and you're obviously not. Now, I don't know, but I would assume if you're making a good effort to do all this, and this is the way we understood this, and this is the way we implemented it, and I said we'd do a password history of at least five and you've got twenty-four, they're probably not gonna complain about that. But if it is a problem where you actually said you're doing something and you're just completely not doing it, then that's a problem. That's a false claim, right? So there have been incidents, but most of them are whistleblowers. Either way, if you say your SPRS score is a certain amount and it's not, however it works, whether it's a whistleblower or an incident, that is grounds for a False Claims Act case. So be very careful about that.

Austin

Yeah, if you're ever a nerd like me who finds this stuff interesting, if you ever go look at when someone gets the book thrown at them, whether it's a celebrity or whatever, and the FBI or something gets something on them, if you actually go look at what they're prosecuting them for, what they found them on, it's almost always a technicality. A technicality like when they did, what is it called, a deposition or whatever, and they said something that then later contradicted what was found, or they did another interview and it contradicted what they said previously. And so I don't know what the actual stats are, but it seems like every time you look at it, it's like 90-plus percent of the times that someone gets put in jail or fined, or the government prosecutes them on something, it's from a misrepresentation like that. Or not, doesn't matter. And so, if you know me, I could complain about taxes and the government a lot. Tax day was just last week, but I still paid my taxes. Was it really? What? Yeah, right. Yeah, by the way. So anyway, I'm a little too scared to misrepresent something to the government. Absolutely. Absolutely. Maybe other people out there don't have a problem with that, but it makes me uncomfortable.

Brooke

Yep. This all started a long time ago with no teeth in it: go implement this stuff and tell us you've implemented it. So a lot of people went and did that. And some people implemented it in a way that they thought was compliant and maybe wasn't. But for some people, it was just a checkbox. And so they say, yep, we're good to go. And they weren't. So yeah, that's a problem.

CMMC Applies To Subs Too

Austin

Absolutely. You might have someone from the Department of War show up. Yeah, you don't want that, absolutely. So the final misconception or mistake I want to talk about is that we sometimes hear people say that CMMC only applies to the larger prime contractors. Is that true?

Brooke

No, that's not true. And there are a couple of things here that we usually see. One of those items that people think about is that they haven't seen the DFARS controls, or their prime hasn't told them that they specifically have to be compliant or something like that. But you ask them if they've looked at their contracts or their POs or whatever it may be, and looked for the DFARS rules, right? The 7012, or anything else, 7021. Have you actually looked for those? Well, no. You might want to go look for those. Well, we don't have any ITAR information. Okay, great. That's wonderful. But what about the rest of it? Because ITAR is a small part. Well, actually, I don't know what percentage of it it is. I would think that there's probably a pretty decent percentage, but anyway, that is not all the information that needs to be protected. So yeah, they actually need to look at their contracts and make sure whether they need to be CMMC compliant or not, right? They should have been notified by their primes already, or they might have just been selectively forgetting or something like that. But you need to pay attention to those contracts and those POs. The other thing is, people have a tendency to say, well, we can just strip all the information off, and that way it's unidentifiable. You're gonna have to prove that in a very good way to be okay, right? And some people say that as far as their information goes, some people say it as far as getting it out to other parts of their company or subs or whatever.
Potentially you might be able to, if you make a widget that is composed of several widgets, you may be able to take one piece off that may be an off-the-shelf piece; you can verify and show that it's an off-the-shelf piece, but I would definitely document that, right? Why you came up with that reasoning, all that kind of fun stuff, and have that documented, have that proof there ready. Otherwise, everything that's created for that contract, that's processed, held, created for that contract, anything like that, has a likelihood of being CUI, right? It should all be marked when it comes in to you. And I pray that it is. It'll make things very easy for you. But 90%, I take that back, 99%, 99.9%, I don't know, of stuff that comes to subcontractors is not marked, right? That doesn't have CUI on it. Or the contracting officer might say, all of it's CUI. That's a blanket statement for them. Yeah, see, here there's a 7012 clause and everything's CUI in there. Great. Can you be more specific? You can ask them questions and get them to clarify, all that kind of fun stuff, but people generally don't want to press too much and don't want to bite the hand that feeds them. I understand that. But you've got to understand that any information you get that you think might be CUI, or that somebody says might be CUI, you've got to treat like CUI. You may not be able to mark it as a CUI document, but you need to treat it like CUI, like it's potential CUI, and protect it. Right. So that's a big thing that we see: we'll just strip all the information off and we can send it down the line and it doesn't have anything identifiable from the contractor on it, so we're good to go. No, we're not really.

Why Seemingly Small Data Matters

Austin

Yeah. If I worked at Lockheed and I took the blueprints for the F-35 and took a Sharpie and scrubbed out F-35 on the title, and I went and ran it over to the Chinese government, pretty sure they'd throw me in jail. Or worse. All right. And that's the same concept. I mean, the specs and what it is, regardless of whether it's scrubbed or not, are still sensitive data. Yeah. It's still sensitive. And so if you go back to the intention of what the government says they're trying to do, which is to stop the hemorrhaging of our sensitive information to other nation states, that's essentially what it is if you sum it up. If you work with that intention in mind and you ask, is this achieving that goal or not, it makes you realize how, I'm sorry to say it, ridiculous some of these workarounds and loopholes people try to find are. Not trying to offend anybody with that, but at the end of the day, are we achieving the goal that the government set out or not? If the answer is probably no, then it's probably not the right way to go.

Brooke

Yep. So a couple of things with that. One, there are multiple things about G-code, for instance, right? G-code is just instructions telling a CNC machine what to do. That's all it is. That is gonna be classified as CUI. People still argue that. I understand, I get it, but that is still CUI, because you can take those instructions and understand what the part is, right? The second part of that, I've seen several references to this, stuff the Department of War said and all that kind of fun stuff. If you just take the Iran war, okay? Midnight Hammer and Operation Fury, or Epic Fury, is that what it is? Epic Fury, I don't know. Anyway, you take those, and for instance the Midnight Hammer one. All that information that we had to figure everything out: where they were gonna strike, what everything was made of, how much of everything was there, all that kind of fun stuff. Everything there most likely would have been CUI. Right. And so that wasn't protected properly on their end. And of course, I guess part of that is that we have an awesome intelligence capability. But aside from that, all of that is CUI and wasn't protected enough, and we were able to use that to do what we did, right? There are all sorts of other things about that, but at the previous CS5, they had a whole session on that and showed a whole thing, and that kind of hit home a little bit. Oh, you know what? The amount of dirt that came out of there, what kind of concrete, the specs of the concrete, the amount of the concrete, the size of the holes, and everything else. Some of it can be seen with satellite, but some of it can't, right? All that would have been CUI and would be protected. So it's like, oh, that kind of makes sense.
So absolutely.

Austin

Oh yeah, I mean the information's actionable. It is. And so relate that to the common job shop, right? A CNC manufacturer building parts that they received drawings for. If there's some sort of information, vulnerability, weakness, or anything about that part that they can glean from the information that you gave, that they can then use against us, if that piece went into the F-35 or whatever else it might go into, then that piece of information is now actionable and can be used against us in a theater. Same with the amount of dirt that was taken out of a hole or something. It may seem irrelevant to the person that has a shovel in their hands, but to the right person it's very actionable information that they can then use to calculate the right bunker buster they need to destroy whatever they want to destroy. So that's why those specs, that's why those drawings, even if it's not the full enchilada, an actual complete aircraft or whatever it is, matter. Because if it's not reverse-engineering our information, it could be vulnerabilities that they can exploit. So that's what they're trying to protect.

Brooke

Absolutely. Katie Arrington was at CS5 this last time and has also spoken before. And if you haven't heard Katie Arrington, she's phenomenal. Everybody loves her. Well, I don't know about everybody, but there are quite a few that do. Anyway, she's just phenomenal. My wife went to CS5 with me and got to meet Katie Arrington and speak with her and got her picture taken and all that kind of fun stuff.

Austin

And I think in the past she'd Zoomed in to a lot of them. So she was there this time.

Level One Controls Listener Question

Brooke

Yeah, she was actually there in person this time. Of course, she's not with the DoW anymore, and there's a whole story there. If you went to CS5, you heard it. But anyway. She said that what you're talking about is exactly what they aim to stop, and part of that has to do with advanced persistent threats, right? They've got to put a stop to those. Because generally, especially the mom-and-pop shops, I say mom and pop, they might be fifty or a hundred million dollars annual revenue, but still a small shop, right? A quote-unquote mom-and-pop shop may not have the same kind of resources that Lockheed or Bell or Raytheon have, but that's where adversaries are getting in easily and being able to glean this information. But the other thing they're worried about, not only this information escaping to China or wherever, is adversaries introducing some small variants that'll pass through quality or something like that, and then introducing something that shows up after a machine has been in service for two or three years, and parts start wearing out and breaking, and they have to start replacing things and figuring out what's going on, and suddenly it's like, hey, this part isn't exactly to spec, something's wrong with it. So those are the kinds of things they're worried about. Tolerance is off here. Tolerance is off, yeah. Those are the kinds of things they're worried about too. They don't want those to show up in the supply chain. You've got a huge supply chain. I've heard 300,000 contractors and subcontractors are part of the DIB. And this weekend they were talking about 150,000.
You don't really know the actual number of contractors and subcontractors, because there are contractors, tier one subs, tier two, tier three, there are all sorts out there. But it's a big supply chain, and it needs to be secured, and this is what they're doing to secure it. That's why: the advanced persistent threats, the leak of information, the worry about changing some of those specs in just the most minor of ways, stuff like that. That's what they aim to protect.

Austin

So before we wrap up, we've got a listener question that ties directly into what we covered in episode 47, where we were going through some CMMC FAQs, frequently asked questions. This comes from David, and he says: I was told that now for Level 1, the list of controls is much smaller and based on FAR clause 52.204-21, with around 20 controls. When I first looked at Level 1, there were over 100 controls. How does that differ from what you talked about here, referencing episode 47? Which I cannot remember exactly what episode 47 was.

Brooke

Oh, come on, you don't remember everything we talked about on that episode.

Austin

Sorry.

Brooke

It shouldn't differ significantly. We should have talked about all this, but 52.204-21 is your basic safeguarding, and it covers 15 controls, and then you look at the Level 1 assessment guide. That's a really good place to look for understanding it. There's a scoping guide as well, and you can get it from the DoD site, not DoW site, and download it, and it goes through everything. And I believe, I haven't gone and counted them again, but I believe there are like 59 assessment objectives. That's not the controls, that's the assessment objectives. But anyway, it's significantly less than Level 2, of course. Level 1 is FCI. That is what is covered, that's what covers FCI, right? Your basic safeguarding controls; you make sure those are covered. And there is documentation and there is proof that you have to have, right? There are some technical things you have to have in place, but it's significantly easier to meet Level 1 than Level 2. There are fifteen controls, or seventeen, depending on which direction you look at it, and fifty-nine assessment objectives. But that Level 1 assessment guide is a really good place to look.

Austin

Okay. And then, yeah, I think we're almost done with our resource. It's called Read This Before You Self-Attest to CMMC Level 1. It may answer some of your questions, David. It's almost ready for the light of day. I think it's in final revision. So if you text our number, or hit us up on our email, or just reach out to us, we can get that to you, if that might answer your question. It basically answers what type of evidence you need, what self-attesting is, and the gotchas that people don't realize. They're not really gotchas, they're spelled out, but people just skip right past them.

Brooke

Yeah, people have phoned in Level 1 and said, yeah, we're good to go. And you do need to take a look at it and make sure you're actually covered, right? Because it's not nothing, but it is significantly less than Level 2.

Free Help And Closing

Austin

Yes, and it is telling the government that you're doing something. Yes. And as we spoke about earlier, I don't want to misrepresent things to the government. But anyway, it answers a lot of the things about CMMC Level 1. So maybe that's not a direct answer to your question, but it might get you where you're wanting to go. All right, cool. Thank you, Brooke. Appreciate it. Absolutely. Anytime. Absolutely. Thanks for all the answers and for enlightening us today. Thank you guys for joining us. If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.