
January 17, 2025 27 mins

Submit any questions you would like answered on the podcast!

In this episode of The CMMC Compliance Guide Podcast, Brooke Justice is joined by guest cohost Stacey Flores, stepping in for Austin Justice, to bring you the key takeaways from the recent CEIC East conference. If you missed the event, don’t worry—Brooke and Stacey are here to fill you in on everything you need to know to navigate the ever-evolving world of CMMC compliance in 2024.

What’s in Store:

  • 🚀 CMMC Rollout Updates: Find out why the rollout is moving faster than expected and how prime contractors might push subs to certify early.
  • 📋 Certification Timing Tips: Learn how to avoid assessment bottlenecks and prepare your organization now.
  • 🔐 Key Regulatory Changes: Get the latest on POAM limits, FIPS encryption updates, ESP requirements, and more.
  • 🛠️ Actionable Advice: Practical tips for refining your SSP, aligning with ESPs, and staying ahead in compliance.

Brooke and Stacey dive deep into the insights gained from networking with policy experts, vendors, and assessors at CEIC East, offering practical advice to help you stay on track with compliance and secure your contracts.

Whether you’re a seasoned compliance pro or just starting your journey, this episode has something for everyone.

Engage with Us:
Have questions or need more guidance? Reach out to us at cmmccomplianceguide.com—we’re here to help!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
Compliance mountain.
Hear my call.
Climate and climate might take a fall.
Regulations whisper winds.
Don't stall.
CMMC ain't gonna make me crawl.

Speaker 2 (00:21):
Hey there and welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Speaker 1 (00:26):
And I'm Brooke.

Speaker 2 (00:27):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.

(00:49):
So today we're doing a recap episode, just wrapping up 2024, now that we're into 2025. We had some great opportunities. In November, we actually got to go to the CEIC East Conference in Washington DC. That's great. So today we're going to cover that. If you didn't get to go, don't worry, we're going to give you

(01:12):
all the highlights and best recaps of that CEIC East Conference. So Brooke.

Speaker 1 (01:22):
Why did we decide to do this wrap-up episode for the CEIC East Conference? Well, lots of reasons. There's lots of stuff that happened towards the end of the year and so this will cover kind of the CEIC conference and also cover other things that happened during the end of the year and we were so busy we didn't finish up, we didn't do those, we didn't do episodes to cover those, and I thought it'd be a good recap for everybody just to talk a little bit about

(01:44):
CEIC East and talk about events that happen towards the end of the year. Final rule and everything.

Speaker 2 (01:48):
Absolutely. Can you give us a recap of what is CEIC, for those who may not understand or know what CEIC is? Or, you know, just give us a rundown of what that looks like?

Speaker 1 (01:59):
Sure, so CEIC, and this was CEIC East. CEIC is C-E-I-C and it stands for CMMC Ecosystem Implementation or Implementers Conference. I'd have to go look to see which version of implement it is, anyway. So it started off as CIC, so not necessarily the ecosystem

(02:22):
part, but CMMC Implementers Conference, and I went for the first time last year out on the West Coast in San Diego, discovered it was a great conference. There were people from all parts of the, of the DIB, of the, of the CMMC ecosystem out there. There were, there were assessors, C3PAOs.

(02:44):
There were implementers like us, there were products companies, there were a lot of DIB contractors there, there were government officials there. It ran the whole gamut. So it's a really good conference to go to and get a good overall perspective, or maybe a better way to say it is several different perspectives on

(03:04):
different aspects.

Speaker 2 (03:05):
Something that I noticed at the CEIC East conference is that there was a huge diversity of people and it was so interesting to have them come across our booth and chit chat with us. Did you have any networking insights that popped out to you during the conference?

Speaker 1 (03:20):
Yeah, I did. I mean, of course, I'm on the technical side, so I'm always about all the technical aspects of it. I did have some good conversations with people and discovered that a lot of people are struggling with some of the same things that we are. Mostly, it revolves around how do you implement this for a small company. What about FIPS-validated encryption?

(03:42):
What about CSPs and ESPs and FedRAMP and all that kind of fun stuff? You know how do you navigate all that as a small company and by small company I mean the government's definition of a small company, which is you know what gets less than 100 employees. But you know how do you navigate that as a small company, and there was a lot of people there that were.

(04:03):
It's just still tough to figure it out and do it in a do it correctly, in a manner that you can afford.

Speaker 2 (04:09):
Was there anything in particular that stood out to you during the sessions that you were able to attend during the CEIC East conference?

Speaker 1 (04:17):
So I actually attended the sessions remotely because we also had a one of the ExpressConnect booths, rooms, suites, whatever you want to call it. So I attended some of those remotely and really I don't know that there were any particular, there were just a. It's always chock full of content and I have a really hard

(04:38):
time picking out any one better than the other, but there was just a lot of really good content, a lot of really good discussion about controls, about all sorts of fun stuff.

Speaker 2 (04:47):
So during the CEIC East conference there was a lot of contention about the fact that CMMC updates are going to be rolling out here quickly. Since then, have there been any updates since November about CMMC? What can people look out for? Anything that you could provide insight on?

Speaker 1 (05:03):
Sure, sure. The big overall thing really is that CMMC is proceeding at the pace that the DOD had originally intended. You know, things seem like they were going to get drawn out and there's, I can't tell you how many people. It's less and less, but I can't tell you how many people still say, you know, oh, it's never going to happen, it's never really going to go into full effect.

(05:24):
And I hate to tell you but it's coming and it's coming in about the timeline that they said and they wanted it to, and not only that, some of us moving a little bit quicker than you might think. So we've got the 32 CFR, final rule. It's in place. Certifications are available, not required yet, but they're

(05:44):
available. Certification assessments, I should say, and I guess the certifications that come along with it, but they're available, not required. The 48 CFR rule, the final rule. This is mid-January, so the final rule should be coming out fairly soon. So, from what insiders say, so, unless I've missed something,

(06:06):
and it came out, but but uh, the uh, it should be coming out fairly soon. Uh, that which is faster on, if you look at the whole timeline and how timeline, on how long it usually takes for the CFR, uh, for these uh rules to go through. That's a lot quicker than it would normally take, but the 48 CFR rule is a lot more simple one than the 32 CFR was.

(06:31):
The 48 will put it in effect on contracts, and then, of course, there will be four phases after that, but it should be coming up pretty soon. It is coming and it's coming quick, so yeah.

Speaker 2 (06:43):
Are there any expectations that prime contractors should look out for? Are there any changes that maybe they need to be aware of with these upcoming changes?

Speaker 1 (06:53):
There is, and they probably wouldn't tell you in any kind of official capacity because they just don't know. But they actually mentioned this at the CEIC East conference and it's been mentioned on some of the calls with Cyber AB. And I've also talked to some of the prime contractors, their

(07:15):
compliance department, of course that's who I would be dealing with, right? But anyway, I've talked to them and I won't name the primes that I talked with because they probably don't want to be named, but they will most likely be requiring some level of compliance from their, level of certification, from their.

(07:37):
Of course there's only I don't mean, I guess a percentage of their clients to be certified sooner than would otherwise be if that client had a direct contract with the government. So in other words, if the 48 CFR rule goes final and 60 days passes and it's April 1st of 24, then on April 1st of 25, the

(08:04):
certification assessments can start being required on contracts. There's also some verbiage in there that allows them to put it off to some option years or make it a little earlier if they want to, but basically it's each phases a year. So that's the phase. April 26 is what you would be looking at in this scenario. That is not definite. The prime contractors very well may say

(08:26):
look, we need as many of our subs as we can to have certifications, so we look like a good contractor to go with for the government right. Absolutely so that would be good for them to get contracts and then, conversely, going down the chain, it would be good for those subcontractors to have certifications in place.

(08:47):
And so, basically, what the Cyber AB has said is hey, look, these phases of this rule, prime contractors could require something else, something sooner than otherwise. So certainly not later. They can't do it later, but they may do it sooner. So the Cyber AB has said that the prime contractors that I've

(09:11):
talked to the compliance departments, they've said look, our executives want us to be in a good spot and right now we're doing this and you know we may require certifications early, later on. So it's coming, and if you're a sub which there's a lot out there, so you know you very well could be required to have a

(09:33):
certification assessment done earlier. Or, if not required, just highly suggested and them telling you that, hey, you'll win more contracts if you get certified earlier.

Speaker 2 (09:44):
Right, absolutely. Well, on that topic, we know that C3PAOs are booked out months in advance, yes, so what advice would you give to those that are kind of holding out on getting those mock assessments like booked out or, like you know, just making sure that they're set up for that certification? What would you tell them?

(10:04):
In that sense, don't wait really, I mean, that's it.

Speaker 1 (10:08):
Just don't wait, get everything done, get everything ready now. The final rule that came through very well may have changed the way. You need to do some stuff on the back end and change some services up or something, and or whatever needs to be done. Go ahead and get it done. Uh, get everything um compliant, technically compliant, make sure all your documentation is up to snuff. And, as we've said in other other podcasts, you know

(10:31):
documentation, documentation, and they uh also like documentation. So, uh, and there's just I can't explain it enough that they that you have to do a very good job of documentation. You have to do a very good job of documentation for your certification assessment to go well. But that way, the better job you do on documentation, then the smoother it's going to be.

(10:52):
I don't I'd hesitate to say that it'll make it cheaper for you, but it will be smoother and that accounts for a lot. But the you know, like you said, the C3PAOs, right now they're booked out through at least March, if not April. So, and you, you might be able to find some that are not, some that are, you know, may be available earlier, but I can

(11:13):
tell you if you want to be bumped up in line. It'll probably cost you so you know, because they're having to put somebody else out to get you but anyway, they are booked out and when you, when you get ready to do your certification assessment, not only is it going to take at least a couple of

(11:33):
months to get it done, but it's probably going to take three or four months to get to the point to be able to get it started. So it'll take quite a while.

Speaker 2 (11:42):
Absolutely. With the 32 CFR rule, there have been some changes, correct?

Speaker 1 (11:48):
There have.

Speaker 2 (11:49):
So POAMs and temporary deficiencies. Is there any changes that we would like to let our audience know about?

Speaker 1 (12:00):
What should they be aware of and you know key things to look out for in that sense. Sure, so we know from the proposed CFR, 32 CFR, what ended up in the final 180 days. POAMs are now limited to 180 days, which there was no reason to think that they would change that. So POAMs are 180 days. But also for your certification assessment, which is really

(12:20):
where those POAMs really matter. They also matter on self-attestation, on self-assessment. So I'm not saying they don't matter there, but they're limited to 180 days and you can only POAM certain one-point items. So you can't POAM three five pointers. If you fail a five pointer or three pointer and can't get it

(12:40):
fixed, like immediately, then you just have to fail that certification and you have to uh go through another one. So so that's one, the uh. They did make room, um, so they didn't really, didn't really budge on things like uh, FIPS and FIPS validated encryption, FIPS-validated cryptography, however you want to phrase it.

(13:02):
But what they did do is they added durable, enduring exceptions and they also added temporary deficiencies which you add in as an operational POAM. So an operational POAM is different than a regular POAM and it describes things.

(13:22):
For instance, if you have to come out, if your firewall's operating in FIPS mode and you get an update and you have to update it and it comes out of FIPS, has to come out of FIPS mode. Well, what do you do? Do you not update it? Well, no, you really need to update it because there's likely security patches that you're updating it for. So it's very important to do that. But that kind of trumps the FIPS mode.

(13:42):
And so your operational POAM would be that you had to update your firewall with whatever version of firmware and it's not FIPS compliant or FIPS validated. But as soon as one comes out that's up to date and FIPS validated, then you'll update it. And so that's basically what your operational POAM would be,

(14:03):
and that's just an example. So those operational POAMs help out a lot. Those enduring exceptions help out for some of the operational technology and other things that you may need online somehow, but there's no way they can make FIPS validated encryption. Those are where those things those enduring exceptions and operational POAMs or temporary deficiencies that's where they

(14:27):
come in. Temporary deficiency, there's no timeline on that. So I was talking to a client. I was talking to a client yesterday and explaining the temporary deficiencies, so he said so. In other words, a temporary deficiencies could really be permanent, because if a Windows 10 is a temporary deficiency, it's likely that you'll never ever get one that's a FIPS, FIPS

(14:47):
validated. And I was like, well, I'm not going to necessarily say that, but it may be a while until they get Windows caught up where you could actually be on a version that is FIPS validated and currently supported, with all the patches and everything else in place, but that would be operational POAM.

Speaker 2 (15:06):
So I believe there was also a change with how ESPs are handled in the 32 CFR rule, correct?

Speaker 1 (15:15):
Yeah, there was, and they did kind of lessen the burden on CSPs and ESPs or ESPs. Really, CSPs are an ESP but CSP is Cloud Service Provider. I guess I should all these TLAs, all these three-letter acronyms I should probably say what they mean. A lot of you probably already know, but ESP is External

(15:36):
Service Provider. Just a minute ago when we were talking about POAMs, that's a plan of action and milestones. I'm sure there are a whole bunch of others that I said. But anyway, the ESP is an external service provider. A CSP is a cloud service provider. So an ESP is an all encompassing term. That means anybody that, that organization that is seeking

(16:00):
certification or assessment, anybody that they use as a third party to fulfill some of their backups or any kind of security on their network or anything like that, that would be an ESP. That third party is an ESP. But within ESPs there are CSPs cloud service providers and they

(16:20):
have a particular definition and those cloud service providers have to be FedRAMP authorized or equivalent, and there are when you go get your certification assessment. Whether they're authorized or equivalent does matter probably to the cost of the assessment, but it matters definitely to the amount of work the assessor is going to have to do.

(16:41):
If they're FedRAMP authorized, then they look at the authorization and they go great. If they're a FedRAMP equivalent, you give them all the papers and they go all right. Well, I got to sit down and go through all these and we got to, you know. So it takes a lot more time. But to go back to your question, after chasing that little

(17:02):
rabbit, ESPs, with the exception of CSPs. CSPs, we're not talking about them. ESPs would be, like us, an IT service provider or another three-letter acronym, a MSP.

Speaker 2 (17:16):
So we're an MSP, that's an ESP we love our acronyms. Here it's a managed service provider.

Speaker 1 (17:18):
So ESPs like us that are not a CSP. It was in the proposed rule that we would have to get the same certification assessment to be at the same level that our customer needed to be at. I'm sure other people are like us. We've got quite a few different CMMC clients, and so we may

(17:40):
have ones that are a level one, we may have ones that are a level two self-assessment and then ones that are level two certification assessment. So, which would mean, really, that we'd need to get a certification assessment, even if we only got one client like that, right.

(18:00):
But they've lessened that and said, no, you don't have to go through a certification assessment. Any of the services that you provide for this client that is covered under CMMC. You are now in scope for those services, and so you have to be assessed for those services along with your client. Which means that if you have 10, 20, 30, 40 clients, guess what

(18:23):
You've got to be assessed 10, 20, 30, 40 times on those assessments with your clients. So yes, after the first one or two you'll probably get really good at having all the right documentation right here in one neat little pile, but you do have to go through it every time. So then ESPs like us then have to decide is it worth it just to

(18:44):
go ahead and get a certification assessment? And that way, if you get a certification assessment, you just hand that over to the assessor and say here it is, and, and that makes life a whole lot easier. I wouldn't say it's just a. They look, look at it and say okay, but it would make things a lot easier. But yes, they have light quote lightened the burden on ESPs by

(19:07):
not requiring us to get a certification or be at the same level. But we are in scope for the services we provide.

Speaker 2 (19:14):
Would the CFR final rule also provide clarification with SPD?

Speaker 1 (19:19):
SPD is security protection data and there are security protection assets. Data is what data is. The security protection data is from the security protection that protects CUI, and a security protection asset is an asset that protects CUI.

(19:40):
If it doesn't protect CUI, then they don't really care about it. Uh, it matters to you, but uh, but uh, it doesn't matter to them. So that would be things like um, your SIEM, uh your security, uh, information and event monitor. Uh, your, um, antivirus, your remote monitoring, if you manage

(20:02):
patches, how you manage those patches. Those kinds of things would be in scope because they serve as protection for CUI. So that data that's on them is SPD. That SPD has to be protected like the CUI. It has to come under the same protection. So I was hoping that that wouldn't necessarily mean that

(20:23):
they have to be FedRAMP or have FIPS validated cryptography, but it says like CUI, so they're supposed to be protected the same way. The data they protect is so, yeah, those SPD, any services. For instance, we have a SIEM service and that SIEM service has

(20:44):
to be FedRAMP. So FedRAMP, authorized or equivalent, and then there's a whole authorized or equivalent thing we talked about a minute ago. So, yes, that is a big deal. Not unexpected, but a big deal.

Speaker 2 (20:58):
We're going to pivot a little bit over to the 48 CFR proposed rule. There was quite a few updates that happened since this last year and here in 2024. What is that 48 CFR timeline? Were there any updates on that? What could you share?

Speaker 1 (21:13):
Sure, so the 48 CFR proposed rule is out and, as I alluded to earlier, or I guess I didn't actually allude to it, I actually said it, but it's kind of everybody in the DOD people that have something to do with this in the DOD and would say anything about it have said that they expect this to

(21:35):
be to come out in Q1 of this year. Right, the final rule, 48 CFR final rule to come out Q1 this year. And really what I understood was January, February. It's mid-January, so I would expect it at any time. Really now I haven't heard lately where it was actually at exactly in the process, but I would expect that final rule to

(21:57):
come out very soon. After it comes out, you have 60 days for it to actually become effective. So if it comes out, for instance, February 1st, that would be February March, it would be April 1st, and that was kind of why I used April 1st on the example a while ago. So it would be 60 days from that date. So, like they did with the 32 CFR rule, it's likely to go into

(22:18):
effect on a weekday, not a weekend. After that you're looking probably at April, or so April or May, something like that for it to go into effect, if it goes the way people are thinking of it, it has to come out first. So we'll see, but it should come out very soon. And then, as far as the timelines on that, it's not a the first phase is not six months, it's a year now and

(22:41):
every and all four phases are a year. So phase one is going to be level one and level two self-assessments. That'll continue for a year. That'll be what's required. In effect, that's really what we're doing right now. It's kind of written in stone in this rule. And then the next phase starts a year after that.

(23:01):
So in my example that would be April or May of 2026. And so at that point that's when the certification assessments could be required on contracts. And again, they did leave a little wiggle room to say we can require it on some contracts a little before If we need to, we see fit, or could, with option years, uh, on a contract, um, we

(23:25):
can make a little later, like that on the on contracts that start during that term. So so they did leave themselves a little bit of wiggle room, but in essence it's supposed to start in that time frame around April May of 2026. Again, that's um kind of shot in the dark there, uh, or educated guess, and then they go on from there. Level three, uh, would be the next, and they put them on more and more contracts.

(23:45):
So anyway, there's a four-year process there. After that's over, it's supposed to be required on every single contract.

Speaker 2 (23:53):
What is your advice to those in terms of the timeline and rollout of the 48 CFR proposed rule and kind of like what you had mentioned? What are the best actionable steps that people should take following that timeline?

Speaker 1 (24:07):
Don't wait. I mean I think I kind of jumped ahead a little bit on some of this, but it's, you know. It may sound if I tell you hey, you know, you don't have to worry about your certification assessment until you know April or May of 2026, you're like, woohoo, we've got you know over a year. That's not necessarily the case because, as I said, primes

(24:30):
could require of their subs or subs could require of their subs sooner. However, I kind of doubt that necessarily would happen. But primes very well may require of their subs sooner than they have to have it or make it highly desirable or highly they may be pushing for it to get that earlier. But it's coming. There's a long wait line for C3PAOs and there's, I think,

(24:57):
last count they had to go through and get reauthorized and everything. The last count I heard was they had 37 C3PAOs ready to rock and roll. There were about, I think, 51 C3PAOs before they had to do the recertification thing or reauthorization thing. They're going through that process and trying to get done what they need to get done and so we'll have all those ready.

(25:20):
But still, 51 is not that many. There are new ones coming along but there's a very high bar for C3PAOs and for lead assessors and there should be, but there's a very high bar and so there's not likely going to be a large

(25:40):
influx of a lot of C3PAOs, which would be very nice to have, at least you know, on this side of it. But, yes, so don't wait, get your ducks in a row now, as soon as you think you're ready potentially ready and that means documentation and everything, not just the technical controls. IT guys like me like to focus on the technical controls and

(26:01):
we've got all that covered. Oh, you need documentation on all this. Well, you know, but the documentation is technical. Controls are obvious and important, but the documentation is very, very important and very necessary and you have to have that in place and ready to go.

(26:24):
So I would say don't wait, get it all done, get it taken care of. As soon as you have that to where you think you're ready, then I would go ahead and pull the trigger on trying to get certified, absolutely. If you need certification, you know, or looking to do that for marketing purposes, you know, try to market your business better to the, to the primes or DOD. Maybe that your organization has been told you only need a

(26:46):
self-assessment? I don't really know. Everybody I've talked to is expecting level two certification assessments.

Speaker 2 (26:52):
Well, perfect, I think that is our wrap up of 2024 and our CEIC East conference that we attended. If you have any questions about what we covered today, or if you have any questions of any topics or general questions that you'd like to throw out there, we'd love to hear them and

(27:12):
answer them for free. So please text, email or call us and ask your questions. We'll answer them for free here on the podcast, and you can find our contact information at cmmccomplianceguide.com.