
July 18, 2025 17 mins


Are you trying to navigate CMMC and NIST 800-171 with a small team and limited resources?


You're not alone. In this episode of the CMMC Compliance Guide, we’re breaking down six of the most common and confusing questions small DoD contractors ask—and giving you clear, practical answers you can act on immediately.

Join Brooke & Stacey from Justice IT Consulting as they unpack risks of misinterpreting controls, mobile device scope, admin account misuse, CUI data flow diagrams, remote access, and more. Whether you’re prepping for a CMMC Level 2 assessment or just trying to stay ahead, this episode is packed with actionable advice.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Hey there, welcome to the CMMC Compliance Guide podcast.
I'm Stacey.
And

SPEAKER_01 (00:04):
I'm Brooke.

SPEAKER_00 (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance.
We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free.
So if you want to tackle it yourself, you're equipped to do so.
Let's dive into today's episode and keep your business on track.
If you've ever thought, are we doing this right?

(00:28):
you're not alone.
Most small teams are trying to interpret vague guidance, juggle multiple roles, and still pass a CMMC assessment.
In this episode, we're going to break down six common questions we hear and give you clear, practical answers so you can act on them right away.
All right, Brooke, what are the risks of misinterpreting a CMMC

(00:49):
or NIST 800-171 requirement, and how strict are assessors during reviews?

SPEAKER_01 (00:54):
You really need to focus on the assessment objectives, because you meet those and you'll meet the control.
If you read just the control, you may misunderstand some of those assessment objectives.
So if you read those and if you go through and understand them, then that will help you avoid some misinterpretation.
But if there are some things that are misinterpreted, then

(01:17):
that will likely– there are several things it could lead to.
It could lead, number one, to just a longer assessment.
It could lead to just kind of a failed start.
So you go, you contact your C3PAO, say, hey, we're ready.
And you pay them a little bit for the pre-assessment part.
And they go through and say, okay, here's a list.

(01:38):
Do you have all these things?
And you go through and you say, we have all this.
Oh, we don't have this, this, and this.
And they say, well, you're not ready.
So then you have to go back and figure it out and get those things fixed.
Another risk is going through the assessment, depending on what it is that's misinterpreted.
But there could be something that causes you just to have to

(02:01):
write a POAM and take anywhere from a week to six months to get it done.
So that could be a delay in the assessment and the certification.
Could be that it's something you can't POAM, and that could lead to failing the assessment, and then you have to start all over, spend all that money all over again, and that wouldn't be a good feeling.

(02:23):
If you just happen to make it through the assessment and misinterpreted something, and for whatever strange reason, the C3PAO did not catch it, then it's possible you might have to worry about a False Claims Act issue, and that would be...
Absolutely no fun to deal with.
So those are the risks of misinterpretation.
So you've got to make sure you understand the control, each

(02:46):
control, but you've got to make sure you know all the assessment objectives.
3.1.1, that's got six assessment objectives associated with it.
So if you don't understand one of those or you get a little bit wrong, then that may be an issue for you.

SPEAKER_00 (03:03):
How should administrative and standard user roles be

SPEAKER_01 (03:13):
Sure.
So, you know, this is something that is just basic IT, something you should do all the time, and something that's a best practice: not to use an admin account for your everyday activities.
And admins have a tendency to, you know, say, well, none of the users can have that access.

(03:34):
But it's a pain in the rear for me to have to jump back and forth between accounts, so I'm going to use an admin account.
Well, it's still not smart.
So you really do need to separate out your admin account from a daily use account.
For instance, that's what we do.
We need admin access to stuff, but our daily account, what we

(03:55):
use all the time to log in with, it's a regular user account.
And so we have to use an admin account separately to do something for credential data or for admin type access.
What that does is it really minimizes the risk of being compromised.

(04:16):
If you're a regular user account and you happen to click on a link or visit some site that you shouldn't, it's a lot less likely you'll be compromised than if you're an admin account.
Or if you're an admin account, another way to phrase it is it just makes it a lot easier to be compromised and for that to

(04:36):
spread.

SPEAKER_00 (04:37):
So for the business owners out there, will they need a written or visual CUI data flow diagram?
And what is the best way to scope and document that?

SPEAKER_01 (04:46):
You don't have to have a CUI data flow diagram.
However, it's very useful and the assessors really like to see it.
It tells them that you've taken time to design everything properly and discover where everything flows, how your CUI

(05:06):
flows through your system, and that you really actually do understand it, right?
But they like to see that.
It also helps you tell your story.
So we were talking to Chris Silvers and a C3PAO, and he said, you know, your SSP is your story, and you tell your story to the assessor of how you

(05:27):
do things, and the better you write that, the better you tell your story, and the better the assessor can understand that, the better your assessment is going to go.
You know, if you write something that seems like you're not telling the truth or not telling the whole thing, then, you know, they're going to want to ask more questions.

(05:48):
They're going to want to see more things, right?
Not that they won't ask questions or see things, but if, you know, if everything you're showing seems upfront and agrees with your SSP and what you're telling them, then, you know, they're more likely to say, you know, I'm good with what you showed me here.
We don't need to delve into that anymore.
So your CUI data flow diagram is the same thing.

(06:10):
It's part of that story.
You can say, here is how our CUI flows through our systems, into, through our systems, and out of our systems.
And that is the first part of what you should do.
Then your SSP tells the rest of the story of how you deal with it, right?
So the CUI data flow diagrams are very important.

(06:32):
We make sure we do those with everybody.
It's nothing that we can do for a client, for instance, as an MSP or an implementer or RPO or RP.
Anyway, it's nothing that we can do specifically for the client because we don't know their business.
We might know their business really well, but we don't know how they do their job daily.

(06:54):
So it's something we need to loop them in on.
A lot of our clients... don't know the full scope of– or don't understand the full scope of CMMC assessments, all the controls and assessment objectives.
So a lot of them lean on us to say, hey, this is what we need.

(07:16):
We can help you draw out a diagram, but we need to collaborate on this.
And so they know how they do things, how they can do things, or how things might be able to be changed if it needs to be.
So that's a good collaborative effort.
For a small team, you're going to want to involve people that actually do the jobs.

(07:37):
And so you know that this really is not– you don't– You as an IT person or a small team who's kind of overseeing this don't think, oh, well, we download it, and it goes here, and this is what we do.
Then you involve somebody that actually does it, and they say, oh, no, here's these three other things we do with the CUI data.
And so you're like, oh, I didn't know that.

(07:58):
So it's good to involve all those team members, but that CUI data flow diagram is very important.
It helps tell your story.

SPEAKER_00 (08:05):
Another question that we hear a lot from businesses is, do they need to identify the specific type of CUI that they're going to handle so that they can implement proper security controls?

SPEAKER_01 (08:17):
Yes, you do need to know what type of CUI you'll be handling or you are handling to implement these controls, right?
To figure out where it can flow in your CUI data flow diagram, right?
What kind of services you can have.
You know, it might mean the difference between GCC and GCC High.
Microsoft 365...

(08:39):
Government Community Cloud or Government Community Cloud High.
Anyway, it might mean the difference between those two.
It might mean the difference in a lot of things, right?
I know it's a challenge, because most of our clients still are not getting documents

(09:00):
that are marked with CUI on them.
They're starting to.
More and more they're seeing documents that are marked with CUI markings, but generally what their contracting officers will tell them is, oh, everything for this contract is CUI.
You know, and that's not accurate.
It's not right.
At that point, they have to treat it like CUI, right?
So, but knowing what kind of CUI you have would help out a lot.

(09:23):
You can always say, talk to your contracting officer, even if they're not going to mark things, you know, like they should, you know, say, what type of CUI is this?
And what are the dissemination restrictions?
You know, you need to know all that so you can design your system appropriately.

SPEAKER_00 (09:40):
Pivoting over to remote access and systems and scope.
How could businesses configure remote access and VPNs to keep systems out of scope and data protected?

SPEAKER_01 (09:51):
The key thing you need to remember is that if your system, and we're talking about remote access here, okay, so if your system that you're using to connect remotely to your internal business systems where you house that CUI, if it can process, store, or transmit CUI, it's in scope.

(10:15):
So if it touches that CUI, it's in scope.
So if you connect by VPN, and you just connect by VPN, and there's no other configurations or no other solutions in place, and I'll get to that in just a minute, but if it's just a VPN that you're connecting with to get to that, then the machine you're connecting to the VPN with, it's in scope.

(10:37):
So it's in scope.
There's no ifs, ands, or buts.
It's in scope.
However...
If you do some sort of VDI solution, virtual desktop infrastructure solution, and that's not just plain remote desktop, but if you do a VDI solution and you make sure that

(11:00):
you configure it properly, then the machine you're connecting from to that VDI system, if it's configured properly, then it can be out of scope.
So for instance, what you need to know is that there can be no copy and paste, no printing, no drives mapped, anything like

(11:21):
that, no screenshots.
All that has to be disabled.
If all that's disabled and there can be no data sharing between the systems, between the remote system you're connecting from and that VDI system, then that remote system is out of scope, truly.
And they've clarified that, and it's good.

(11:41):
Now, does that keep you necessarily from taking a picture with a cell phone?
Not really, but it does prevent most of the problems there might be with remote access.

SPEAKER_00 (11:53):
How should mobile devices, like phones and tablets, be handled under CMMC if users access email or CUI remotely?

SPEAKER_01 (12:01):
Scope them out.
Don't use them.
It's the easiest solution.
If you're going to be accessing any kind of CUI from your mobile device, again, process, store, or transmit.
If you do one of those with any device, whether it's a cell phone, and this just really gets people.

(12:22):
They're like, well, we're going GCC High, but I want to be able to put it on my cell phone, or GCC.
I want to be able to put it on my cell phone and want to be able to send and receive CUI.
Well, great.
You can do that.
And that cell phone is now in scope.
It has to be managed.
It has to be encrypted.
It has to follow all standards,

(12:43):
all 110 controls and 320 assessment objectives.
So you have to be aware of that.
And for cell phones and tablets, there are management systems for those, and they're an additional cost.
I was going to say they're not inexpensive, but they're not really that expensive.
If you've got just two or three devices, it's more expensive for

(13:06):
you than if you had 100 devices.
It's more expensive per device, I should say, than if you have 20 or 50 or 100 devices or 1,000 or 10,000.
Anyway, those devices are in scope if you access CUI from them.
If you don't send CUI through email, you have different ways

(13:27):
to send them, and you scope email out, then yeah, sure, you can access your email with your phone.
But if there's any chance of CUI being accessed from that phone, it's going to be in scope.
So that's why I say scope them out.
Don't use cell phones where you can connect with CUI.
It's much easier.

SPEAKER_00 (13:48):
For the small teams listening right now, what should they go check or do this week?

SPEAKER_01 (13:53):
Check for misinterpretations.
So really go through all of the assessment objectives, and go through each one of those.
Make sure you understand what they're talking about.
Make sure, you know, there's plenty of videos online that explain each one of these controls and the assessment objectives, what they really mean.

(14:14):
There's a lot of different ways to achieve each one of these, to cover each of these assessment objectives.
through and make sure you understand, really understand, all those assessment objectives.
Use separate admin and user accounts.
So your normal everyday account that you log on your computer with and use, it's got to be a normal user account.
It cannot, it

(14:35):
cannot be an elevated privilege account.
It's got to be a user account.
Your admin accounts should be used for system admin access only.
So separate those accounts.
Don't use system admin accounts to do any kind of normal everyday work.
Another thing is the CUI data flow diagram we were talking

(14:55):
about.
Although it's not required at all, you don't have to do that, it is a very good document to have, a very good process to go through.
It really does help you understand where everything goes.
It lays it out in a nice picture format.
I guess you can do a data flow diagram in text, but most

(15:20):
people are visual with that kind of stuff.
But if you have your CUI data flow diagram, it lays it out really well, shows you've gone through that process.
You actually did go through the process, and so it helps you out, understand where everything is at, and it helps– helps with your assessment.
Knowing your CUI type.

(15:41):
It's just really important to know what kind you have.
It's a big challenge, but you've got to know that your contracting officer can help out.
I know sometimes it's a pain and they don't necessarily give you exactly what you want, but you can get the information you really have to have from them.
Secure remote access.

(16:02):
Go VDI solution with the correct configuration if you want to scope out endpoints that are connecting to that VDI solution.
That's the best way to go.
Lock down, I would say scope out mobile devices if you can.
If you can't, then they're in scope and you have to manage them, encrypt them, all that kind of fun stuff.

(16:24):
So inventory them.
Everything, all those controls and assessment objectives apply there.
So if you can, scope them out.
If you can't, then you've got to manage them.
And I believe that is all of the items we talked about, and let's hit those at a high level.

SPEAKER_00 (16:45):
If you have questions about what we covered, reach out to us.
We're here to help fast-track your compliance journey.
You can text, email, or call us, and we'll answer your questions for free here on the podcast.
You can find our contact info at cmmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant and stay secure.

(17:06):
Like, subscribe, and share.