In this episode of the CMMC Compliance Guide Podcast, we break down one of the most frustrating realities for defense contractors: thinking you are ready for a CMMC assessment, only to find out you are not.
Many companies believe they are compliant because they have security tools in place, policies written, and even a high SPRS score. But when assessors actually evaluate the environment, major gaps often appear.
We explain why this happens, how C3PAOs actually assess your environment, and what separates companies that pass their CMMC Level 2 assessment from those that fall short.
You will learn how assessors use examine, interview, and test methods, why the 320 assessment objectives matter more than the 110 controls, and how small documentation inconsistencies can lead to failed controls.
We also cover the importance of mock assessments, why your evidence package is critical, and how scope decisions can dramatically impact your assessment outcome.
If you are preparing for a CMMC assessment, or think you are ready, this episode will help you avoid costly surprises and approach your assessment with confidence.
Welcome And The Big Surprise
Austin: Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're talking about something that surprises a lot of defense contractors when they go through a real CMMC assessment. Many companies feel confident they're ready: they've written policies, deployed security tools, and maybe even submitted a strong SPRS score, or "Spurs" score. But when assessors actually evaluate the environment, that confidence doesn't always hold up. In fact, Department of Defense data has shown that only a small percentage of contractors who believed they were compliant with NIST 800-171 actually met the requirements when it was independently validated. So today we're going to talk about why that gap exists, how assessors actually evaluate compliance, and what contractors need to understand before they schedule their CMMC Level 2 assessment. All right, Brooke. A lot of contractors get excited, find a C3PAO, schedule an assessment, and then when it comes time to actually do the assessment, you'll hear C3PAOs complain about this all the time, they have to reschedule because the contractor isn't ready. So why do so many contractors believe that they're compliant, but whenever assessment day starts creeping up, they end up finding major gaps or suddenly feel that they're not ready?
Brooke: Well, I'm not an assessor, and we're not a C3PAO, so I can just tell you what we've heard. One of the biggest things really is that contractors typically have somebody technical heavily involved or in charge of the implementation and getting everything ready. Maybe that's an IT guy, a CIO, something like that. They may be in charge of getting it done. And what do IT guys like me like to do? Get all those technical controls in place. Documentation? Yeah, we can put some documentation down. So the assessors might get that documentation, look at it, and go, what you have in your policies doesn't necessarily match, or it appears like you might not be ready, something like that. Anyway, there are all sorts of reasons, but more times than not the contractor just doesn't understand what that assessor is really looking for. You can read the controls, you can read the assessment objectives, the DoD guidance and stuff like that, and as a technical guy you can come up with something completely different than the assessor does. The other problem is that when we're writing this stuff down, some of it just makes sense to us because this is our system, right? So you just write stuff down. What you really need to do is write your statements as if a third party outside your organization is going to read them and have to understand them. There's a thought. And to be honest, when I first started writing these a while back, I did that too. It made perfect sense to me.
And then you think about it: an assessor has to come in and make heads or tails out of this. They've got to be able to look at it and understand it, and it needs to tell them a story. The policies need to match, all that kind of fun stuff. So you really need to write your SSP and all your control statements, your assessment objective statements, everything, with somebody else in mind. A lot of people treat it like a checklist at first. Hopefully at this point in the CMMC journey, life cycle, however you want to phrase it, people understand that more and that they need to explain it. But truthfully, of course, the people coming to us are the ones that need help and have realized, oh crap, this is something that's going to be gigantically hard for us to do. So that's the people we see. But being in the community and hearing what's out there, that's a very common problem: you just don't understand what the assessor is looking for, and you have a tendency to treat it more like a checkbox. Not literally a checkbox, but more simply than it really needs to be done.
Austin: And oftentimes the realization that they're not ready can come as soon as the assessor or C3PAO sends out the first request for the evidence package prior to the assessment date.
Brooke: They get that evidence package and they look at it and go, hey buddy, you ain't there. So how about we hold off on this mock?
Austin: Or the contractor gets the request and goes, you want what?
Brooke: Yes. And the assessors know that if you can't provide that package within the time frame they're looking for, they have a very good idea that you're not going to be ready. The package is a lot that they want to look at and see. It depends on how you're doing it exactly, but a lot of times they'll want to see your SSP and then an inventory of everything that you have. And once you provide that inventory, if it's a short list, they'll be going, is this really it? Are you sure? So there's a lot to it. There's a lot to that package.
Austin: All right. So we mentioned the evidence package. Normally you'll hire your C3PAO, your assessment date will come up, and they'll request the evidence and your other documentation. Then you get to the day where they're either in your conference room at your place of business or over Zoom or something, and they have to start validating controls and determine whether you're meeting things or not, whether things are actually implemented. So how do they actually do that?
Why Objectives Matter More
Brooke: Well, depending on whether it's a mock or not, and whether you're all remote or not, they may or may not have to come on site. But when you're reviewing it with them, there's examine, interview, and test. They'll examine all your documents, all your statements, everything for that assessment objective. They can interview people. So you say, my admin here is the one that implements all the change orders, or whatever it may be, and they'll say to Mr. Admin or Ms. Admin, just show me how you do this, or they'll ask them, how do you do this? And they can explain it. Or, what kind of employee training have you gone through? They may ask them that, or, did you do any training? That's the interview part. Then they'll test it. They themselves won't test it, but they'll say, hey, you have this screenshot here, great, you've got this documentation that says how you do it and how you're supposed to do it, you've got your screenshot here that shows you're doing it. Now I need you to show me that login banner, or I need you to show me the ACLs on the firewall, or I need you to show me where your timeout setting is, or the server room door that has the label on it, whatever it may be. That's the test. They want to test that control or that assessment objective. So that's how they do it, and whether it's remote or in person, that's how it's going to be done.
If they're in person, they'll sit with you in a conference room or watch over your shoulder, whatever it may be, so they can see that stuff.
Austin: Thank you for that, Brooke. So another thing we see a lot is that people always talk about the 110 controls, the 110 controls, the 110 controls. And often they forget the importance of the objectives, the 320 objectives, right?
Brooke: Those are actually more important, yes.
Austin: Right. So why are the objectives important when the 110 controls are what everyone talks about?
Brooke: Because the assessment objectives are what you're graded on, really. The control is what contains the points, if you want to look at it that way. But the assessment objectives are what they examine, interview, or test on. The control statement does matter, of course, but really what you're being validated on, what they're looking at, is: do you meet all these assessment objectives? For example, 3.1.1 has six assessment objectives. If you meet all those assessment objectives, good, that control is met. If you meet five of those assessment objectives and one is not met, or the assessor thinks one's not met, that whole control just went out the window. You didn't meet it. Now, they won't just tell you this control's not met. They'll tell you which assessment objective, and they may even tell you why, but they won't get into any more details than that, because under their code of professional conduct, their code of ethics, they have to stay way away from consulting. If they even inch up to that line a little bit, they get queasy. That's a really big deal. They can't be seen as doing any sort of consulting. But in any case, to the question you're asking: the assessment objectives are arguably a lot more important than the actual control, because if you meet all those assessment objectives, you're golden. If you miss one, you're not golden anymore. I guess you'd be copper at that point, or, you know, maybe that's still kind of expensive, maybe something else.
But in any case, those assessment objectives are really what matters.
Austin: Yeah, so I guess that really highlights the benefit of a mock. Whenever we're talking to customers and coaching them through everything, oftentimes they'll ask what the value of a mock assessment is, and I think it's that. You've got the controls, and then you may have some number of objectives, sometimes a lot, sometimes a little, associated with a control. And if you've got all the objectives except for one, that might blow you up on it. It's super useful to know in a mock assessment that you've just missed that one, because they told you that you missed this objective. So you can go fix that and go into your assessment with a lot more confidence and not have to report a failure.
Brooke: Yeah, exactly. And the other part of that is that you want the C3PAO that's going to be doing your certification to do your mock. You don't want somebody else. I mean, if you're way, way off base, if you have no clue, yes, have somebody else come in and do an assessment, and then I would still argue for a mock assessment at that point. Because if the C3PAO that's performing the certification assessment does your mock, you'll know exactly where you stand with the person who is interpreting what you wrote down. If you have somebody else do the mock or some other kind of assessment, or prep you and get you ready, their opinion about how all that's done may be different from the assessor that's assessing you. Ostensibly, it's all supposed to be exactly the same. But it's not. Austin here showed cattle when he was growing up, and you may have some cattle that win first and second place at all these places, and then somewhere else they place eighth or ninth, and you're like, well, why did that happen?
Austin: And they're all judged by the same breed standards.
Brooke: Same breed standards, yeah, exactly. You have standards you're judged against and everything else. But what did we say about that?
Unknown: I don't know.
Brooke: You don't remember?
Austin: I don't know what you're talking about.
Brooke: So we always said, well, that's one judge's opinion on one day. Oh yeah.
Austin: Well, yeah.
Brooke: It's different from some other judge's opinion, and it might even be different from his own opinion on Tuesday. So anyway.
Austin: I must have been cleaning, mucking stalls and picking up cow crap whenever y'all were saying that. Maybe.
Brooke: But yeah, it's the same thing with assessors, though not quite to that extent.
Austin: There are a lot tighter controls.
Brooke: It's a lot tighter. They have everything very, very defined, but there is still going to be some interpretation, because after all, everybody's environment is not the same. So they're having to interpret what you wrote down, what you're doing, how you did it, all that kind of fun stuff. That does lead to some discrepancy.
Austin: Yeah, and another thing I see people do that, in my opinion, is the wrong way to go about it. You're welcome to approach this however you want; there's nothing inherently wrong with it. But oftentimes when someone's starting, or wanting to get going, on their compliance journey, they always hear about C3PAOs and they want to hire a C3PAO, even if they're at the beginning of the journey, to do a mock or to do their gap assessment or something, and then start implementing. My personal opinion on that is, don't do that. One, it's going to be decently expensive. Two, if you do a good self-assessment, you have an idea of where you're at to begin with, and if you hire an RPO or a CCP or something to come in and help you with your readiness, they can help you with your self-assessment, your gap assessment, and then shore up a lot of the holes, because you're going to have a lot more gaps than you realize. Even when people know they have a lot of gaps, whenever we come in, do a gap assessment, and show them, they're like, ah, it's way worse than I thought. So, just to be honest. You're welcome to go find a C3PAO and have them do a mock or gap assessment for you right off the bat. But my personal opinion would be to wait until you're closer to ready.
Brooke: On that note, and this is not to talk bad about any assessor or any C3PAO or anything like that, but they're doing the assessments, and this is what they've been doing. They're doing these CMMC assessments and they've also been doing other kinds, SOC 2 assessments, stuff like that. That's what they've been doing. They're not necessarily on the implementation side of it, so they can't necessarily always give you the best advice as to how you might handle that. Some of them have been on the implementation side, and they're great and make some good recommendations. But you want to hire somebody that has some expertise in implementation and understands the whole process, maybe has even been through the process. And I would say if you're looking for an RPO to help you with implementation and getting ready, look for one with a CCP or CCA on staff, or more than one CCP or CCA. RPs are good, but you've got to really do your homework. So look for an RPO, a registered practitioner organization. We're bad about not remembering to say all the words. If you're looking for a registered practitioner organization, an RPO, you can find them on the Cyber AB marketplace. Look for one that has CCPs or CCAs on staff; those can usually help you with implementation really well, especially if they've been through mock assessments, certification assessments, whatever it is. What I can tell you is, when you start doing that mock assessment, you realize how valuable it is and how much it helps out.
As much as you might know and everything else, the first one you go through, you're like, oh yeah. That's eye-opening.
Austin: Absolutely. All right, going back to the assessors and when they come in, let's talk about the gap between reality and documentation. What I'm looking for here is: what are some examples of gaps in documentation and evidence that assessors commonly find when they start reviewing an environment?
Brooke: A lot of common things are going to be your policies not exactly matching your control statements or implementation. Or maybe what's written down doesn't match the implementation. Hopefully it does, but with your policies, you need to have a good set of policies. I would say put in your policies exactly what needs to be there and nothing more. You don't want to get too detailed, because those policies lock you in, and you have to do it. If you go above and beyond what needs to be done, then you're stuck there and you have to do that. But you do need to define things. If in your policy you say lockout is fifteen minutes, and in your SSP you say it's 10 minutes, you might think that's great, because it's better than my policy, right? And if your implementation shows 10 minutes, you're like, I'm golden, man, it's better than over here. Not really. A lot of times it'll be okay, most likely, but a lot of times they don't even like to see "at least 15 minutes". They want to see that it says 15 minutes here, 15 minutes there, 15 minutes there. It all has to match. That's what I hear is the biggest thing that happens: the documentation doesn't match, or maybe you didn't spell something out completely in your policies that you need to. But I would still caution you against being too verbose in your policies. Just put in there, you know, like, you've probably never seen this, but the old Dragnet series on TV. It was on in reruns when I was a kid. It was an FBI agent, and a lady was telling him her big long story, and he says, ma'am, just the facts, ma'am.
So whether it's your policies or when you're talking to the assessor, just the facts, just what they asked for, nothing else. The other thing, and I don't know how common it is, but the other thing you'll hear stories about is that they have boilerplate templates in there for their policies. Believe it or not, you actually have to read through the policies you put in there. If it says "insert company name", it's probably not a good thing. It's a red flag. If they see that in the documentation at phase one, they'll probably say, we're going to put a pause on this, and you need to tell us when you're really ready.
Austin: That is most common in our intakes as well. I'll ask if someone has an SSP and they're like, oh yeah, yeah, yeah. And they do, and then you start digging a little deeper and realize it's something like that. Or I'll ask, do you have an SSP and the supporting policies? Yeah, yeah. And you go, okay, do you have an incident response plan? And they go, no. So just because you have a Word document with some words on it doesn't mean it's meeting what they're looking for.
Brooke: Yep. And I can tell you it's a big pain in the rear, but you do need to go through all those policies. You need to read through every single bit of it and make sure it matches what is supposed to be in there from the assessment objectives. Make sure it has what it's supposed to have, and then make sure that it's specifically for your environment. And if it says how many minutes the timeout is, make sure that matches what's actually implemented. Absolutely.
SPRS Scores Versus Real Readiness
Austin: Absolutely. So up next, you'll see a lot of contractors with SPRS scores, or "Spurs" scores, they're really proud of: 90s, 110s, stuff like that. If a contractor feels as if they really have a 90 or 110 SPRS score, does that mean they're ready for a CMMC assessment?
Brooke: It should, but it doesn't. Most of the time, unless they've gone through the process and done an actual real self-assessment on themselves, that score is just going to be how they think everything's implemented. Going back to the checkboxes: check, check, check, check, check. A lot of times those are inflated, and the government knows that. And that's why we ended up with these third-party certifications.
Scope Decisions That Change Everything
Austin: That is very true. So I don't think it's an episode of the CMMC Compliance Guide Podcast if we don't mention scope.
Brooke: We've already mentioned documentation.
Austin: Right. So we've got both documentation and scope now. We're rounded out, we're set. So, in particular, talking about assessments and hiring a C3PAO to come in and do your assessment: what role does scope play, and why is it such a big deal with an assessment?
Brooke: Well, really, it can make things easier or difficult. In our experience, we do a lot of manufacturers, so having a true enclave, like the first picture in your mind of what an enclave is, just doesn't work for a lot of people. It does work for people that are office only. It works great for C3PAOs. I'm sure it works well for other DIB contractors; I hear it does. But for actual manufacturers and construction folks, that enclave breaks down. It doesn't break down completely. You just have to expand the scope outside the enclave a little bit, or a lot, maybe. But scope matters a whole lot. That's the very first thing you should start with, and you could make it part of scope or say it's a separate part, but it's figuring out what data you have. What kind of CUI do you have? Or what kind of CUI do you plan on having, if you don't have any right now? What do you want to build it to fit? So you start off with that scope, you figure out what all has to be in the scope and what doesn't, and you write your policies, your data flow diagram, your network diagram, your SSP, and all your policies considering what's in scope, and whatever can be out of scope, you leave that out. That'll make it a lot easier on you. If you just say everything's in scope, that'll make your life difficult. There are quite a few contractors whose business is all DoD, or DoW, right? And if it's all DoW work and all CUI work, then yeah, probably most everything's going to be in scope in some manner.
However, you can scope out the accounting folks, you can scope out the HR folks, stuff like that. So you can start thinking about that and carving out things that you don't have to scope in. That makes things easier, makes your life easier, and makes the assessors happy that they don't have to worry about some of this stuff. I assume it does.
Austin: Yeah, so I was talking to someone yesterday at a machine shop, and we were talking about his scope and everything, and I could see the light bulb turn on over his head. He was like, well, so does that mean my physical shop floor is in scope? And I was like, well, if you're doing it the way that you're describing it, yes, it does. So that means we have to have physical access control of the building. I was like, well, yes, and we sort of talked about the employee entrance and the front door and receiving, where they get bar stock.
Brooke: Oh, we just leave all our doors open, it gets hot in there.
What Separates 110 From 109
AustinRight. That's an issue. Well, and uh for him, um, you know, it's uh we start talking about more and more, and then um he uh we talked about you know what how they do the rault doors in the back, you know. Um and then he realized, you know, he's got this big, you know, um uh on the back of their property, just a big gaping hold, you know, to um they got a fence on the front but on the back. And he's like, well, I have to build a fence now. And I was like, well, it's one way, you know. Um and so uh it just at that point, you know, when he realized that the enclave that he was talking about and wanting, um, you know, started to, you know, creep into the actual physical, you know, uh part of the building, into the property, into the fence line, you know, he just kind of realized the full breadth of scope and um and it kind of overwhelmed him because you know he he was looking to get into defense work and uh he was trying to figure out you know if uh this is something he wanted to do or not. And I hope I didn't ruin his day, but uh nonetheless, uh I you know he he uh we were able to get him in the right direction. So yeah, it can it can be um understanding um what your scope is uh and um what what an enclave actually includes, especially for someone like a manufacturer is um is is more than what you might see online or advertised um out there. So absolutely. So let's talk about the role goal uh that everyone has, um, and that is passing an assessment. Making a hundred and ten. Right. Exactly. So what separates the companies that pass their assessments from the ones that don't quite get there?
BrookeUh what separates the uh 110 from 109 and blow? Uh um you know most of the time. It so uh a lot of things we already talked about, right? Uh a lot of times it's documentation, you know. Uh you've got to pay attention to details, you've got to spend a lot of time doing this, and you can outsource a good bit of it, right, to somebody else to help you. You still have to be part of it. You still have to understand everything. The assessors will ask you, you know, how this control is is put in place, and you'll have to be able to come up with some sort of answer that's close to not close to, that is right, you know. Uh you may be able to lean on the other people to fill in and to help out and all that kind of fun stuff. But they'll expect you to know these things, right? And uh at least know the high-level part of it. Um and what's in your policies, right? And so uh you can read. So read those policies. Uh you know, the last homework we we give people uh, you know, that we're working with is uh all right, now we've gone th we've done this, we've implemented it, we do our uh quarterly and annual reviews, and we do this and that. And now you need to go back and uh uh I know you've reviewed this stuff, but you need to go back right before the assessment. You need to read through every single policy, you need to read through every single control, every single assessment objectives, look at all the stuff that's uh associated with it and make sure that you understand it all and and that you you that's all jumbled around in your mind. Because what I can tell you is when you get to that assessment, uh you're you're nervous. You're you know, it's our our mock, you know, uh I was a nervous wreck. And I I found myself not being able to think and and going, I don't even remember where to go look for this, you know. And I just have to ask you know, our engineer, I hey, you know, I it needs you to show this, you know. And uh and he's like, oh sure. Uh oh yeah, yeah. Okay. 
You know, and so um first when you go through, you know, for your your mock is gonna be a if I encourage you to do a mock. So assuming you do that anyway, you're gonna be a nervous wreck. Uh at least you'll start out like that. Um you know, by the second day and third day it'll be better. But um I can tell you my my stomach still hurt on the third day, but you know. Um so really um you know you need to you need to know your documentation, right? Uh all of it, your SSP, your policies, your assessment objectives, you need to know all that. You need to be up and current on it and and have that fresh in your mind, you know. If you just if you just reviewed it three months ago, good on you. You have to, but um uh or you have to review it. But if you just reviewed it three months ago, great. But that's three months ago, you know? So uh you've been doing other work things since then, so go back and review it.
Austin: Get rid of your weekend plans before the Monday they come in. Yeah, right, right.
Brooke: The other big thing that catches people is that they can't show where they have reviewed these things. They can't show where they have reviewed the system security plan. They can't show where they've reviewed all of the logs, all the events that are supposed to be logged. They can't show that they've actually done that. Oh yeah, yeah, we did it. Okay, great. I trust you, but trust but verify. So let me see where you have reviewed this. A lot of people fall down there. If you just got this implemented and went into your mock assessment, great. But I would encourage you to have your first review so you can show that you've reviewed everything. I would encourage you to have that review, and review everything you have to review, right before that mock. That way you can say, yes, we got all this in place and we started it. Otherwise, if you've been doing this, that's wonderful. But you've got to have it. A ticketing system helps; it can send you reminders, pop up tickets: go do a vulnerability scan, go do this, go do that. And then enter it into your system. You've got documentation there. You may have a GRC platform; you can upload it to that. So that ongoing evidence, they'll want to see that. And if you don't have it, that may be a sticking point, especially if you can't produce anything that shows that you reviewed it. They can understand if it's your first time doing it and you just completed that right before the assessment. But again, if you say it's been in place for a year, where are your reviews? Right. So that's another thing that catches people.
Again, another thing that catches people is just the congruency between the policies, the statements, and the implementation. Make sure that matches. I've seen them complain about, well, your policy says that your password history is at least five. You had it set to twenty-four, and you're like, well, yeah, that's better, and it is at least. And they're like, well, yeah, but it doesn't match. And you can argue that point. But do you really want to have to argue small points like that? So if you've got your password history set at 24, just put 24 in your policy, unless there's a reason to leave it like that. And then you have to think about all your different systems: Active Directory, Entra, you may use Kahua or JobBoss or whatever it may be. You've got to think about all the different systems that you use, Prevail or whatever. What about the users in there? What about the logs in there? What about all that kind of fun stuff? So don't forget those things. Of course, that's part of scope. So I guess I'm saying scope is part of the problem too. Back to scope. Yeah, that's right. But most problems are documentation related.
Austin: Awesome. Well, thank you, Brooke. I think we've got a meeting to run to, so we're gonna go ahead and wrap it up there. Thank you guys for joining us today. If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.

