August 22, 2025 • 31 mins
Submit any questions you would like answered on the podcast!
Think you’re ready for your CMMC assessment?
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the difference between being “paper ready” and truly “assessment ready.” From documentation gaps to overlooked technical controls, they share insider tips to help you pass with confidence.
We’ll walk you through the common blind spots that can derail an assessment, how to stress test your compliance program, and what assessors really look for when they walk in the door.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Hey there, welcome to the CMMC Compliance Guide
Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting,where we help businesses like
yours navigate CMMC and NIST800-171 compliance.
We're hired guns gettingcompanies fast-tracked to
compliance.
But today, we're here to giveyou all the secrets for free.
So if you want to tackle ityourself, you're equipped to do
(00:22):
so.
Let's dive into today's episodeand keep your business on track.
In today's episode...
We're talking to those of youwho have already put in the work
for CMMC.
Maybe you've written yourpolicies, completed your SPRS
self-assessment, and upgradedyour IT stack.
You've checked a lot of boxes,but there's still a nagging
question in your mind.
Will all of this actually holdup under an assessment when it
(00:45):
actually matters?
If you've ever looked at yourcompliance program and wondered
how ready you really are, you'llwant to stick around because
we're breaking down exactly howto tell whether you're paper
ready or truly assessment ready.
So today I want to start withsomething we both see all the
time.
Companies think they're ready,but most aren't.
Why is that?
SPEAKER_01 (01:07):
Well, mostly, you know, a lot of companies, they
implement regulations.
CMMC, and it's going to be basedon what they think and how they
view the controls and maybe, ifthey're lucky, how they view the
assessment objectives.
A lot of them don't payattention to much of the
assessment objectives, but it'salso what they see on Reddit and
(01:31):
some of the other things,Substack and whatever else there
may be.
They pay attention to that, butthey haven't had somebody come
in and really challenge theirassumptions and look at it and
say, that looks great.
They That's not exactly whatthat control is talking about.
You've got to look at theassessment objectives.
So a lot of times it's not– it'stheir view of it, which can be
(01:55):
as long as you can argue yourview on some things and say this
is why we're doing this.
For instance, we talked about–people asked some questions
about assault– not just a soleproprietor, but a one-man shop.
They have some contracts.
What do they do about the...
(02:19):
Screening.
Screening.
Thank you very much.
What do they do about thescreening?
And there are some assessorsthat say, well, it doesn't
really apply because they're theowner and all that.
But a lot of assessors, we'veheard this more often than not,
will say they still have to doit.
It's a control and they stillhave to do it.
It doesn't say what screeningis.
(02:40):
You don't have to go do abackground, a full criminal
background check and do a drugtest and everything else.
You get to say what it is.
You just have to argue it to theassessor.
Which is fine.
There's a number of things youcan do.
Austin actually asked thequestion on LinkedIn.
(03:01):
And so go to Austin's or is itCMC?
No, it's my LinkedIn.
Go to Austin's LinkedIn page.
Look at the question he postedand look at the answers.
It's very interesting.
And some of the solutions theysay you can do as a one-man
band.
But those kinds of things youcould argue and say, look, this
is just me and this is the way Ido it.
(03:22):
And And it's documented.
It's in policy.
I can prove that I did this.
Which brings me to the otherthing that people get wrong a
lot is that they don't fullydocument everything.
And you have to have a policy.
Many things you have to have aprocedure and or plan in place
(03:45):
on how to do these things.
So you don't fully document it.
The other thing is you have tohave evidence.
And the more evidence you havefor an assessor, the better.
So So they don't have evidencethat they've done these things
or documented.
So it's good to show anassessor, hey, here's my
evidence from X date whenever Iwent through this, and now
(04:09):
here's evidence from X.
from now when you're coming toassess me.
It's good to have that evidenceso they can look at it and it
gives them warm fuzzies inside.
I guess that's a gap betweenbeing paper ready and truly
ready, but you could also phraseit as being a gap between
technically ready with sometechnical controls in place and
(04:32):
not being truly ready, or notbeing paper being the
documentation, but not beingtruly ready for it.
SPEAKER_00 (04:41):
Yeah, I think it's hard to say.
My first gut reaction is that wetypically see that most people
are far better on the technicalcontrols than they are in
documentation, and theirdocumentation is typically
lackluster.
But oftentimes, it's...
the reverse as well.
(05:01):
You know, their documentationsaying one thing, but the
controls are just not in placeor it's only in place on a
subsection of things.
Like you may have MFA on youremail, but not on local network
access for COI or something likethat.
(05:21):
So, you know, that's, that'sanother thing is that you'd, you
may not have thoughtholistically about the control
and the objectives that you'retrying to meet.
And guess what?
The assessor's going to.
SPEAKER_01 (05:35):
And how do you figure that out with what's in
scope?
With a CUI data flow diagram.
I mean, it's the very beginning.
You make that diagram out, youdesign it, and you list out
everywhere you get it from.
I mean, literally everywhere.
You don't just say, oh, I'll getit from the cloud.
Yeah, but where in the cloud?
(05:55):
Where do you get it from?
Does it come through?
Does it come through email?
Does it come through Lockheedportal, Bell portal?
Where does it come from?
Where does it come from?
Which systems of yours does ittouch?
And that includes physicalsystems like your computers and
servers.
It includes software like yourERP or MRP.
(06:15):
So, yeah, you've got to do thatCUI data flow diagram.
I've harped on that and harpedon that.
I know you probably get tired ofit if you listen to these
episodes.
But that is a very good thing todraw out and to make sure you
take in everything holistically.
SPEAKER_00 (06:31):
Maybe that's the next T-shirt we need.
You've got documentation,documentation, documentation.
Maybe we need something like...
about the data flow diagram orall roads lead back to scoping.
SPEAKER_01 (06:44):
So I went on so much about documentation and would
say documentation,documentation, documentation.
And so they gave me a hard timeand they ended up making some
shirts.
So you may see us at aconference or two wearing these
shirts.
SPEAKER_00 (06:58):
Hey, they're loved.
You know who they're loved by?
The assessors love them.
This is true.
So talking about the assessorsAnd them loving that shirt,
which may be the shirt you wantto wear whenever your assessor
comes in, when they come toassess you.
(07:18):
But only if you have yourdocumentation sorted out.
That's
SPEAKER_01 (07:20):
right.
If you don't have yourdocumentation sorted out, don't
wear a shirt
SPEAKER_00 (07:23):
like this.
Don't imply that you do.
So let's get clear.
Yeah.
When an assessor walks in thedoor, what exactly are they
looking for outside of yourshirt?
SPEAKER_01 (07:34):
Outside of my shirt?
Well, if they're looking for myshirt, let me know because that
would be awesome.
Aside from that, the first thingthey'll want is your
documentation.
And your documentation is goingto include your system security
plan, your SSP.
It's going to include, hopefullynot a POAM.
Hopefully by the time theassessor gets there, your POAM
(07:55):
is clear.
But it's going to include yourpolicies also.
It's going to include any plansor procedures you might have.
It's going to include lists ofauthorized lists of users,
devices, processes, stuff likethat.
It's going to include evidence.
Evidence is documented, sothat's documentation.
(08:18):
They're going to want to see allthat.
And what I can tell you is themore you have that and the more
it tells your story and it allworks together and fits together
and is not incongruent, it makessense.
it makes that assessment go alot quicker and a lot easier.
So if they can see that you'vedone everything, they go and
(08:40):
they perform a few tests orinterviews or whatever it may
be, and they see that it workswith your documentation, they
feel really good about it, asthey should.
I mean, if you've got it alldefined really well and then
they go see that things are inplace, you know, there's a lot
less questions and it goes a lotquicker.
(09:01):
Mm-hmm.
And they want to see the thingsthat are documented.
They want to see– I've justtalked about really the testing
and the interviews withemployees.
But they want to see that thosecontrols are implemented.
They want to see that when youlog on to a system that there
(09:22):
truly is MFA.
There's the MFA prompt.
Yeah.
Or how will you implement MFA?
So yes, they want to see thosethings.
They want to see thedocumentation.
And then when they test, theywant to see that that matches
the documentation.
SPEAKER_00 (09:38):
All right, Brooke.
So we go in all the time intocompanies and we get to see what
kind of position they're in whenthey bring us in for CMMC
compliance.
And typically, they're somewhereon the spectrum of not compliant
at all, hasn't done anything,all the way to, you know, we
think we're ready for anassessor.
I don't know if I would say allthe time, but most of the times
(10:00):
we typically identify somecommon blind spots or some traps
that they've fallen into thatthey haven't thought about yet.
So can you just go over what arethe common blind spots or traps
that companies have fallen intothat think that they're almost
ready or are ready forassessment?
SPEAKER_01 (10:17):
Sure, sure.
So if you have some...
Monitoring tools that aredefined in your policies, for
instance, you may monitorwhether your SIM is working or
not and whether the SIM serviceis running or something like
that.
And if it doesn't generate anactionable alert that it's
(10:37):
failed or something, then that'san issue.
So you have to have actionablealerts from any monitoring you
do.
SIM is another thing.
You know, you may say, yes, I'mmonitoring all my logs.
Generally, the way you do thatis going to be a SIM.
You don't have to use a SIM, butreally, you know, to be secure,
(11:02):
you really need to use a SIM.
And it fulfills that control alot easier than trying to say
that you review those manually,
SPEAKER_00 (11:10):
right?
It's also a lot cheaper thanhiring somebody.
It's a lot cheaper
SPEAKER_01 (11:13):
than hiring somebody.
It's a lot cheaper than spendingyour time reviewing those logs.
But if you implement a SIM, youknow, Yes, I've got a SIM.
It's implemented.
I'm monitoring all of my ActiveDirectory logs.
Great.
What about your workstations?
What about your firewall?
What about Microsoft 365 GCC orGCC High?
Or what about these othersystems you may have?
(11:35):
Are you monitoring those logs?
Oh, well.
Maybe not.
So that's a very common one.
You think about, and again, itgoes to scoping.
You got to think, or the dataflow diagram I was talking about
and keeping in mind all thesystems that are in scope.
So you got to think about thatand make sure you include all
those systems when you'redesigning out.
(11:56):
your technical controls, right?
User accounts not aligned totheir roles.
Say there's a, there's a...
I think we've seen that at oneevery time.
I think I can safely say that.
Absolutely.
People have a tendency to givepeople more access than they
need because it's easier to do,or maybe they can't figure out
how to get something donequickly and easily.
So they have a tendency to givepeople more access than they
(12:18):
need.
You know, maybe an accountingperson doesn't need access to
actual CUI, but it was easierbecause of people put this
particular particular thing overon the CUI folder that they
need.
Do they really need access tothat?
Or can you carve that out and doit a different way, change the
workflow just a tad, and make itto where they don't have CUI
(12:39):
access?
And generally, people will say,these people have CUI access.
The accounting folks, no, theaccounting folks don't need it.
It turns out a lot of themhaven't.
So have some access to CUI.
SPEAKER_00 (12:52):
Also, for larger companies that do have IT
departments, A lot of timeswe'll see that they have taken
care of everyone else and madesure that they have
role-appropriate accesscontrols.
But the cobbler's children haveno shoes, and they have, for the
(13:14):
IT department, not done theappropriate task of doing the
same for themselves.
Oftentimes because it– it is apain in the rear as an IT person
to have to switch counts andstuff, but that's what you have
to do, and that will fail you inan assessment.
SPEAKER_01 (13:29):
It'll fail you in an assessment, and it's...
It really is.
We've done that a long time agolike a lot of other folks have
done.
Our daily use account, the onethat we log into the computers
with and whatnot, is not anadmin account.
We don't have access to theadmin tools.
We have to log into somethingelse with MFA to get access with
(13:50):
a different account.
So that's what you need to do.
That's just really it's–Cybersecurity 101, and it's a
good thing to do.
What I can tell you if there'ssome IT folks out there
listening to this is that onceyou get used to doing it that
way, it's just a no-brainer, andit just works, and you just get
(14:14):
used to it.
It's like ripping a Band-Aidoff.
It is.
It's like ripping a Band-Aidoff, and cybersecurity is
inconvenient, but you've got todo it.
Yeah.
Just recently, we know a personin a company that, I guess, got
caught with their pants down, ifyou might use that phrase.
(14:36):
But they were logging in withadmin as their daily account,
and they got compromised.
We'll just leave it there.
No more details.
But it does happen, even withthe smartest people, even with–
Other things in place, it doeshappen.
So that's one of those thingsyou've got to not do is log in
(15:00):
with a privileged account.
You go do that.
only when you have to separatelyfrom your
SPEAKER_00 (15:07):
account.
I was going to use an analogythat's topical.
Doing that is a bit like gettingcaught at a Coldplay concert
with your HR officer.
SPEAKER_01 (15:20):
Yeah, that's very accurate, yes.
So another one I have writtendown to remember is that you've
got all your policies, you'vegot all your plans, You've got
your procedures.
They're all written.
They're all documented.
They're all there for everybodyto use and look at.
But they actually don't go lookat them or anything, right?
(15:43):
And so when an assessor needs tobe able to pick out an employee,
how about Sally Jo?
We need to go talk to Sally Jo.
And so they go talk to Sally Jo,and they say, you know, I don't
know what question they mightask her, but they're looking at
particular controls and theymight say, where do you have
(16:03):
access to CUI?
Well, what's CUI?
There's problem number one rightthere.
And that will stand out to theassessor.
But yes, everybody has to beaware of CMMC, CUI, how to
protect it.
They need to know their role.
That's specifically called outin the awareness and training.
And not only that, if you have athird party helping you and
(16:28):
working with you on this, that'sgreat.
They can help you get itimplemented a lot quicker.
You still have to know andunderstand it.
You can't just...
blindly follow what they do,what they say to do, and just
say, go implement it all for me,and I don't want to know.
You've got to be involved.
You've got to understand.
You've got to be able to answersome questions from the
(16:49):
assessors.
So you and your employees needto understand, and you need to
understand per your role howyou're supposed to deal with
SPEAKER_00 (16:58):
CUI.
Yeah, that's a lot of times–working with, uh, customers and
prospective customers.
Um, like I just wanted, I wantto hire you to do it for me.
And it's like, well, if I couldsell it to you legally and for
an assessment, uh, to get past,I would, but, um, the CMMC
doesn't work that way.
Um, the furthest you can get isdone with you, you know?
(17:22):
And so, cause at the end of theday, the assessor is going to
be, um, you, your, your RPO, theperson that you're hiring, your
compliance, uh, um, A consultantcan be in the room and there to
help, but they're looking at youon assessment day.
And like you said, you need tobe ready for them to also ask
(17:44):
your employees that have accessto that as well.
So you can kind of treat it likea– Random drug screening, you
know, like you'd be able to pickany one of them out of it at any
point in time and ask them arandom question.
They pass, you know.
Right.
So that's that's kind of levelalready you need to be, which is
not impossible.
(18:05):
You know, these do not need tobe people that are super
technically proficient.
They simply need to know what.
they're dealing with iscontrolled and how they're
handling it.
And if you can just kind ofdrill them on that and train
them up, it is not the...
It is not the easiest, but it'salso not the hardest thing to
(18:25):
accomplish.
SPEAKER_01 (18:26):
And that can all be part of your awareness and
training program.
Right.
That's a really easy thing todo.
The next thing I have isvulnerability management.
You have to manage yourvulnerabilities in your
environment.
You have to show that you'redoing something, right?
And you have to show that you'reaware of what vulnerabilities
are out there, that you'vetested for them, addressed them,
(18:49):
and in some manner.
It doesn't mean that you have toabsolutely 100% clear every
single vulnerability.
You have to assess it, figureout the risk, figure out the
importance and the criticality,and go through it and address
it.
how you see fit.
But you have to actually managethose vulnerabilities.
You can't just say, yes, we scanfor them and so, and then we
(19:12):
don't do anything or maybe wescan for a subset or something
like that.
You have to understand all thevulnerabilities in your system.
If you've got an ESP, not a CSP,or even if you've got a
SPEAKER_00 (19:24):
CSP, that's an ESP.
Which could be misconstrued asan MSP.
So,
SPEAKER_01 (19:30):
too many acronyms.
If you're, you know, if you'renot sure, an ESP is an external
service provider.
A common external serviceprovider is going to be a cloud
service provider, which is likeMicrosoft 365, Amazon Web
Services, stuff like that.
Maybe you have a cloud backup.
That would be a CSP.
(19:50):
A cloud service provider is aCSP.
And the Department of Defense,in all their infinite wisdom,
has said that there are ESPs,and ESPs Some of those ESPs are
CSPs, but then the other onesare called ESPs, not a CSP.
(20:11):
Yes.
Love that one.
So, and, you know, I guess Iunderstand why they did that
because there's a plethora ofTLAs.
Which is what?
Three-letter acronyms.
There's a plethora of TLAs thatdefine all the rest of the ESPs.
And we are one of those.
And we're called an MSP, amanaged service provider.
(20:35):
There's also a managed securityservices provider.
And you can go on and on.
And I guess that would be afour-letter acronym, not a three
one.
But if you're relying on a CSPor an ESP, not a CSP, And that
could be an MSP like us that'shelping you implement these
(20:57):
controls, whether justtechnically or whether, you
know, the whole nine yards, howthey're helping you.
You've got to make sure thatthey're ready also because their
services have to be compliant.
Your controls will flow down tothem.
Right.
So the ones– Related to theservices that they're providing
(21:20):
you.
So if they're just providing youantivirus, for instance, the
controls related to that willflow down to them.
The rest of them won't.
But they do have to show thatthey meet those controls.
SPEAKER_00 (21:30):
And news alert, if you're using an MSP and they're
only providing one or twoservices, say antivirus, and not
the whole enchilada, as we liketo say– They typically, the way
MSPs work, IT providers work, isthey've also installed other
software to help facilitate andsupport, like say your antivirus
(21:56):
that you don't know about, whichwill fall under the scope of
assessment, even if they haven'ttold you about it.
So typically it's a remotemonitoring agent that helps them
manage the antivirus andwhatnot, and also gives them
remote access into your network.
And by proxy, or not by proxy,but directly to your CUI, which
(22:19):
is now in scope.
SPEAKER_01 (22:20):
Generally, they're not going to be installing
software you don't know aboutnecessarily, but it'll be part
of your agreement with them.
If they're just providing justantivirus, I don't really see
anybody doing that these days,but if they are, they're
probably also providing support,whether it's Hourly support or
whatever it is, if they provideyou support, then they've
installed something on yourmachine to be able to remote in
(22:42):
and help you out.
So those tools are going to bein scope as well for what they
do and the services they provideyou.
So I guess really what we shouldsay is if they're providing
antivirus and remote support,something like that.
Right.
(23:02):
But the point is, they will bein scope and they will be
assessed against the controls.
for the services that theyprovide
SPEAKER_00 (23:11):
you.
Okay.
So someone's at home right nowlistening and they think they're
ready, but they don't want topay a big bill or down payment
or deposit to an assessor.
And they want to do some stresstesting and figure out, am I
actually ready to pay thisperson and spend this money?
(23:33):
How can they stress test theirCMMC program?
SPEAKER_01 (23:37):
When you're going through the implementation, you
get all caught up in the weedsof how you do this and how you
do that and all that kind of funstuff.
It's good to step back onceyou're done for the stress test,
for instance.
So step back once you're doneand then go through every
control and go also throughevery assessment objective
(23:58):
because every control is made upof one or more assessment
objectives.
So go through all thoseassessment objectives and make
sure that you can prove it'simplemented somehow, somewhere.
A lot of, hint, hint, a lot ofit is about documentation,
documentation, documentation.
So, you know, do you have yourauthorized list of users,
(24:18):
processes, and devices, youknow?
Do you have that?
Is it actually, it's not just alist of devices.
It is a list of authorizeddevices.
Who authorized those, you know?
And does that match yourpolicies?
So you go through and make surethat it's provably implemented,
(24:38):
that it is.
Read the words and make sureit's implemented fully.
You go through and do that.
Once you go through that, thathelps out a ton.
Another thing that you canremember is you'll have to have
documentation of your evidence.
So screenshots, logs, stuff likethat, that show that you're
(24:59):
doing something.
what you say you're doing.
It'd be really good to havethose screenshots in there from
sometime before the assessorcomes and then to have those
again to show them, yes, theywere implemented back 18 months
ago and now you're here andthey're still implemented.
(25:21):
You can see that here.
Talk to your users and say, hey,Ask them some questions you
think an assessor might.
My favorite lady, Sally Jo.
So Sally Jo, would you log intoyour computer and show me the
MFA, okay?
Can you show me how you accessCUI?
(25:43):
You know, if she asks you whatCUI is, then you say, well, I
can tell you haven't taken yourtraining or you did not retain
it.
So you might want to addresssomething like that.
So just...
You know, quiz your users.
It doesn't have to be a bigformal thing necessarily, but
just check on them and make surethey understand and are actually
going through the training.
(26:04):
But if you have an MSP, forinstance, make sure that what
you really need from them, ifthey provide you any services,
that are protecting CUI or haveaccess to CUI, then they need to
provide you a CRM.
So a CRM is a CustomerResponsibility Matrix.
(26:25):
And so it just lists out,hopefully by assessment
objective, what they do, whatthey're responsible for, and
what you're responsible for.
And it's clearly defined andunderstood, right?
It doesn't have to be lengthynecessarily, but it needs to be
understood who does what.
And so you should have that.
If you don't have that, ask themfor it.
(26:48):
They very well may be justimplementing these.
If they don't have a standard orif you've got some custom
services, they might have tomake one special for you.
But they should be able to giveyou a CRM.
And the CRM based on...
CMMC and the State Hunter 171controls.
If they don't have a clue how tobegin writing a CRM for you,
(27:11):
that's probably a red flagabout, you know, maybe we need
to rethink this.
SPEAKER_00 (27:17):
Yeah, and you really want to tread lightly there
because once you get certifiedusing a provider, if they're not
fully bought into you– you knowhaving this compliance as a
customer then you're married tothem more or less until your
(27:40):
next assessment comes up becauseyou can't majorly change things
and if they're providing a majorservice and you feel like you
might be a bit of anafterthought to them because
you're you're compliant in a waythat a lot of their other
customers aren't, just keep thatin the back of your head.
Maybe they're fully on boardwith helping you out, but you
(28:03):
need to make sure that they'regoing to be there for the term
of your assessment, and they'regoing to stick around providing
that, and it's not on rockyfooting.
SPEAKER_01 (28:10):
You know, the only other thing is, and it's kind of
a hard one to gauge, but wouldyou be comfortable if an
assessor showed up tomorrowwalking them through this,
explaining everything, and themunderstanding and being good
with what you've done.
And that's a roll of the dice,but you've got to think about
(28:32):
that.
If I have a third party come inand check this out, Can I
explain it well?
Are they going to be on board?
Or are they going to questionme?
Did I really bend over backwardsand twist around too much to say
this control is fulfilled?
And if you did bend backwardsand twist around and everything
else to say why this control isfully implemented, then maybe
(28:59):
you ought to rethink it.
Maybe you ought to figure outanother way to fulfill that.
It may be okay, but what I cantell you is people come up with
some really wacky reasons why acontrol is fulfilled.
And you just need to fulfill it,and you just need to take care
of it with no question.
(29:19):
Some of them are complicatedanyway, but...
But you just need to try just asstraightforward as possible to
fulfill these controls.
SPEAKER_00 (29:28):
Yeah, avoid exceptions.
SPEAKER_01 (29:30):
Yes, avoid exceptions.
And the one thing I see a lot is– and it's less and less now,
thank goodness, because theyactually did– DOD did come out
and clarify this.
But there was one going aroundthat encrypted CUI is no longer
CUI.
UNKNOWN (29:46):
Mm-hmm.
SPEAKER_01 (29:47):
Yes, it's CUI.
Encrypted CUI is CUI.
It's just encrypted.
Which is what you're supposed todo with CUI.
Yes, yes.
Yeah, you've got to be able toexplain these things to an
assessor and...
Basically, you've got to be ableto explain it and feel good
about it.
SPEAKER_00 (30:02):
Comfortable with them
SPEAKER_01 (30:03):
showing up?
Comfortable-ish because I don'tknow about you, but that always
gives me the heebie-jeebiesanyway.
Somebody official coming in tosay, yes, we're going to approve
you or not to keep your milliondollars worth of contracts.
SPEAKER_00 (30:16):
Right, yeah.
Thank you, Brooke.
Appreciate it as always.
SPEAKER_01 (30:18):
Absolutely.
I hope people like our new sign.
SPEAKER_00 (30:22):
We did not mention it.
No, we
SPEAKER_01 (30:24):
didn't.
The whole thing, and I justturned around and realized that
we haven't mentioned that.
We like it.
So hopefully you like that
SPEAKER_00 (30:30):
song.
Drop some comments or hit us upif you like it.
Or if you don't, don't hurt myfeelings.
It's okay to hurt his feelings.
No, I'm kidding.
Hopefully it improves the audioand visual nature of the
podcast.
I think most people arelistening anyway, so I think
(30:51):
this might just be for...
That's true.
If you're
SPEAKER_01 (30:53):
listening, you can't see it anyway.
So we'll just tell you.
It looks really cool.
SPEAKER_00 (30:57):
Yeah.
Yeah, go check us out on YouTubeand see what we're talking
about.
So, all right.
Again, thanks, Brooke.
Guys listening, if you have anyquestions about what we covered,
please reach out to us.
We're here to help fast trackyour compliance journey.
Please text, email, or call inyour questions.
(31:17):
We'll answer them for free hereon the podcast.
You can find our contactinformation at
cmmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant, staysecure, and make sure to
subscribe.
Hey there, welcome to the CMMC Compliance Guide
Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting,where we help businesses like
yours navigate CMMC and NIST800-171 compliance.
We're hired guns gettingcompanies fast-tracked to
compliance.
But today, we're here to giveyou all the secrets for free.
So if you want to tackle ityourself, you're equipped to do
(00:22):
so.
Let's dive into today's episodeand keep your business on track.
In today's episode...
We're talking to those of youwho have already put in the work
for CMMC.
Maybe you've written yourpolicies, completed your SPRS
self-assessment, and upgradedyour IT stack.
You've checked a lot of boxes,but there's still a nagging
question in your mind.
Will all of this actually holdup under an assessment when it
(00:45):
actually matters?
If you've ever looked at yourcompliance program and wondered
how ready you really are, you'llwant to stick around because
we're breaking down exactly howto tell whether you're paper
ready or truly assessment ready.
So today I want to start withsomething we both see all the
time.
Companies think they're ready,but most aren't.
Why is that?
SPEAKER_01 (01:07):
Well, mostly, you know, a lot of companies, they
implement regulations.
CMMC, and it's going to be basedon what they think and how they
view the controls and maybe, ifthey're lucky, how they view the
assessment objectives.
A lot of them don't payattention to much of the
assessment objectives, but it'salso what they see on Reddit and
(01:31):
some of the other things,Substack and whatever else there
may be.
They pay attention to that, butthey haven't had somebody come
in and really challenge theirassumptions and look at it and
say, that looks great.
They That's not exactly whatthat control is talking about.
You've got to look at theassessment objectives.
So a lot of times it's not– it'stheir view of it, which can be
(01:55):
as long as you can argue yourview on some things and say this
is why we're doing this.
For instance, we talked about–people asked some questions
about assault– not just a soleproprietor, but a one-man shop.
They have some contracts.
What do they do about the...
(02:19):
Screening.
Screening.
Thank you very much.
What do they do about thescreening?
And there are some assessorsthat say, well, it doesn't
really apply because they're theowner and all that.
But a lot of assessors, we'veheard this more often than not,
will say they still have to doit.
It's a control and they stillhave to do it.
It doesn't say what screeningis.
(02:40):
You don't have to go do abackground, a full criminal
background check and do a drugtest and everything else.
You get to say what it is.
You just have to argue it to theassessor.
Which is fine.
There's a number of things youcan do.
Austin actually asked thequestion on LinkedIn.
(03:01):
And so go to Austin's or is itCMC?
No, it's my LinkedIn.
Go to Austin's LinkedIn page.
Look at the question he postedand look at the answers.
It's very interesting.
And some of the solutions theysay you can do as a one-man
band.
But those kinds of things youcould argue and say, look, this
is just me and this is the way Ido it.
(03:22):
And And it's documented.
It's in policy.
I can prove that I did this.
Which brings me to the otherthing that people get wrong a
lot is that they don't fullydocument everything.
And you have to have a policy.
Many things you have to have aprocedure and or plan in place
(03:45):
on how to do these things.
So you don't fully document it.
The other thing is you have tohave evidence.
And the more evidence you havefor an assessor, the better.
So So they don't have evidencethat they've done these things
or documented.
So it's good to show anassessor, hey, here's my
evidence from X date whenever Iwent through this, and now
(04:09):
here's evidence from X.
from now when you're coming toassess me.
It's good to have that evidenceso they can look at it and it
gives them warm fuzzies inside.
I guess that's a gap betweenbeing paper ready and truly
ready, but you could also phraseit as being a gap between
technically ready with sometechnical controls in place and
(04:32):
not being truly ready, or notbeing paper being the
documentation, but not beingtruly ready for it.
SPEAKER_00 (04:41):
Yeah, I think it's hard to say.
My first gut reaction is that wetypically see that most people
are far better on the technicalcontrols than they are in
documentation, and theirdocumentation is typically
lackluster.
But oftentimes, it's...
the reverse as well.
(05:01):
You know, their documentationsaying one thing, but the
controls are just not in placeor it's only in place on a
subsection of things.
Like you may have MFA on youremail, but not on local network
access for COI or something likethat.
(05:21):
So, you know, that's, that'sanother thing is that you'd, you
may not have thoughtholistically about the control
and the objectives that you'retrying to meet.
And guess what?
The assessor's going to.
SPEAKER_01 (05:35):
And how do you figure that out with what's in
scope?
With a CUI data flow diagram.
I mean, it's the very beginning.
You make that diagram out, youdesign it, and you list out
everywhere you get it from.
I mean, literally everywhere.
You don't just say, oh, I'll getit from the cloud.
Yeah, but where in the cloud?
(05:55):
Where do you get it from?
Does it come through?
Does it come through email?
Does it come through Lockheedportal, Bell portal?
Where does it come from?
Where does it come from?
Which systems of yours does ittouch?
And that includes physicalsystems like your computers and
servers.
It includes software like yourERP or MRP.
(06:15):
So, yeah, you've got to do thatCUI data flow diagram.
I've harped on that and harpedon that.
I know you probably get tired ofit if you listen to these
episodes.
But that is a very good thing todraw out and to make sure you
take in everything holistically.
SPEAKER_00 (06:31):
Maybe that's the next T-shirt we need.
You've got documentation,documentation, documentation.
Maybe we need something like...
about the data flow diagram orall roads lead back to scoping.
SPEAKER_01 (06:44):
So I went on so much about documentation and would
say documentation,documentation, documentation.
And so they gave me a hard timeand they ended up making some
shirts.
So you may see us at aconference or two wearing these
shirts.
SPEAKER_00 (06:58):
Hey, they're loved.
You know who they're loved by?
The assessors love them.
This is true.
So talking about the assessorsAnd them loving that shirt,
which may be the shirt you wantto wear whenever your assessor
comes in, when they come toassess you.
(07:18):
But only if you have yourdocumentation sorted out.
That's
SPEAKER_01 (07:20):
right.
If you don't have yourdocumentation sorted out, don't
wear a shirt
SPEAKER_00 (07:23):
like this.
Don't imply that you do.
So let's get clear.
Yeah.
When an assessor walks in thedoor, what exactly are they
looking for outside of yourshirt?
SPEAKER_01 (07:34):
Outside of my shirt?
Well, if they're looking for myshirt, let me know because that
would be awesome.
Aside from that, the first thingthey'll want is your
documentation.
And your documentation is goingto include your system security
plan, your SSP.
It's going to include, hopefullynot a POAM.
Hopefully by the time theassessor gets there, your POAM
(07:55):
is clear.
But it's going to include yourpolicies also.
It's going to include any plansor procedures you might have.
It's going to include lists ofauthorized lists of users,
devices, processes, stuff likethat.
It's going to include evidence.
Evidence is documented, sothat's documentation.
(08:18):
They're going to want to see allthat.
And what I can tell you is themore you have that and the more
it tells your story and it allworks together and fits together
and is not incongruent, it makessense.
it makes that assessment go alot quicker and a lot easier.
So if they can see that you'vedone everything, they go and
(08:40):
they perform a few tests orinterviews or whatever it may
be, and they see that it workswith your documentation, they
feel really good about it, asthey should.
I mean, if you've got it alldefined really well and then
they go see that things are inplace, you know, there's a lot
less questions and it goes a lotquicker.
(09:01):
Mm-hmm.
And they want to see the thingsthat are documented.
They want to see– I've justtalked about really the testing
and the interviews withemployees.
But they want to see that thosecontrols are implemented.
They want to see that when youlog on to a system that there
(09:22):
truly is MFA.
There's the MFA prompt.
Yeah.
Or how will you implement MFA?
So yes, they want to see thosethings.
They want to see thedocumentation.
And then when they test, theywant to see that that matches
the documentation.
SPEAKER_00 (09:38):
All right, Brooke.
So we go in all the time intocompanies and we get to see what
kind of position they're in whenthey bring us in for CMMC
compliance.
And typically, they're somewhereon the spectrum of not compliant
at all, hasn't done anything,all the way to, you know, we
think we're ready for anassessor.
I don't know if I would say allthe time, but most of the times
(10:00):
we typically identify somecommon blind spots or some traps
that they've fallen into thatthey haven't thought about yet.
So can you just go over what arethe common blind spots or traps
that companies have fallen intothat think that they're almost
ready or are ready forassessment?
SPEAKER_01 (10:17):
Sure, sure.
So if you have some...
Monitoring tools that aredefined in your policies, for
instance, you may monitorwhether your SIM is working or
not and whether the SIM serviceis running or something like
that.
And if it doesn't generate anactionable alert that it's
(10:37):
failed or something, then that'san issue.
So you have to have actionablealerts from any monitoring you
do.
SIM is another thing.
You know, you may say, yes, I'mmonitoring all my logs.
Generally, the way you do thatis going to be a SIM.
You don't have to use a SIM, butreally, you know, to be secure,
(11:02):
you really need to use a SIM.
And it fulfills that control alot easier than trying to say
that you review those manually,
SPEAKER_00 (11:10):
right?
It's also a lot cheaper thanhiring somebody.
It's a lot cheaper
SPEAKER_01 (11:13):
than hiring somebody.
It's a lot cheaper than spendingyour time reviewing those logs.
But if you implement a SIM, youknow, Yes, I've got a SIM.
It's implemented.
I'm monitoring all of my ActiveDirectory logs.
Great.
What about your workstations?
What about your firewall?
What about Microsoft 365 GCC orGCC High?
Or what about these othersystems you may have?
(11:35):
Are you monitoring those logs?
Oh, well.
Maybe not.
So that's a very common one.
You think about, and again, itgoes to scoping.
You got to think, or the dataflow diagram I was talking about
and keeping in mind all thesystems that are in scope.
So you got to think about thatand make sure you include all
those systems when you'redesigning out.
(11:56):
your technical controls, right?
User accounts not aligned totheir roles.
Say there's a, there's a...
I think we've seen that at oneevery time.
I think I can safely say that.
Absolutely.
People have a tendency to givepeople more access than they
need because it's easier to do,or maybe they can't figure out
how to get something donequickly and easily.
So they have a tendency to givepeople more access than they
(12:18):
need.
You know, maybe an accountingperson doesn't need access to
actual CUI, but it was easierbecause of people put this
particular particular thing overon the CUI folder that they
need.
Do they really need access tothat?
Or can you carve that out and doit a different way, change the
workflow just a tad, and make itto where they don't have CUI
(12:39):
access?
And generally, people will say,these people have CUI access.
The accounting folks, no, theaccounting folks don't need it.
It turns out a lot of themhaven't.
So have some access to CUI.
SPEAKER_00 (12:52):
Also, for larger companies that do have IT
departments, A lot of timeswe'll see that they have taken
care of everyone else and madesure that they have
role-appropriate accesscontrols.
But the cobbler's children haveno shoes, and they have, for the
(13:14):
IT department, not done theappropriate task of doing the
same for themselves.
Oftentimes because it– it is apain in the rear as an IT person
to have to switch counts andstuff, but that's what you have
to do, and that will fail you inan assessment.
SPEAKER_01 (13:29):
It'll fail you in an assessment, and it's...
It really is.
We've done that a long time agolike a lot of other folks have
done.
Our daily use account, the onethat we log into the computers
with and whatnot, is not anadmin account.
We don't have access to theadmin tools.
We have to log into somethingelse with MFA to get access with
(13:50):
a different account.
So that's what you need to do.
That's just really it's–Cybersecurity 101, and it's a
good thing to do.
What I can tell you if there'ssome IT folks out there
listening to this is that onceyou get used to doing it that
way, it's just a no-brainer, andit just works, and you just get
(14:14):
used to it.
It's like ripping a Band-Aidoff.
It is.
It's like ripping a Band-Aidoff, and cybersecurity is
inconvenient, but you've got todo it.
Yeah.
Just recently, we know a personin a company that, I guess, got
caught with their pants down, ifyou might use that phrase.
(14:36):
But they were logging in withadmin as their daily account,
and they got compromised.
We'll just leave it there.
No more details.
But it does happen, even withthe smartest people, even with–
Other things in place, it doeshappen.
So that's one of those thingsyou've got to not do is log in
(15:00):
with a privileged account.
You go do that.
only when you have to separatelyfrom your
SPEAKER_00 (15:07):
account.
I was going to use an analogythat's topical.
Doing that is a bit like gettingcaught at a Coldplay concert
with your HR officer.
SPEAKER_01 (15:20):
Yeah, that's very accurate, yes.
So another one I have writtendown to remember is that you've
got all your policies, you'vegot all your plans, You've got
your procedures.
They're all written.
They're all documented.
They're all there for everybodyto use and look at.
But they actually don't go lookat them or anything, right?
(15:43):
And so when an assessor needs tobe able to pick out an employee,
how about Sally Jo?
We need to go talk to Sally Jo.
And so they go talk to Sally Jo,and they say, you know, I don't
know what question they mightask her, but they're looking at
particular controls and theymight say, where do you have
(16:03):
access to CUI?
Well, what's CUI?
There's problem number one rightthere.
And that will stand out to theassessor.
But yes, everybody has to beaware of CMMC, CUI, how to
protect it.
They need to know their role.
That's specifically called outin the awareness and training.
And not only that, if you have athird party helping you and
(16:28):
working with you on this, that'sgreat.
They can help you get itimplemented a lot quicker.
You still have to know andunderstand it.
You can't just...
blindly follow what they do,what they say to do, and just
say, go implement it all for me,and I don't want to know.
You've got to be involved.
You've got to understand.
You've got to be able to answersome questions from the
(16:49):
assessors.
So you and your employees needto understand, and you need to
understand per your role howyou're supposed to deal with
SPEAKER_00 (16:58):
CUI.
Yeah, that's a lot of times–working with, uh, customers and
prospective customers.
Um, like I just wanted, I wantto hire you to do it for me.
And it's like, well, if I couldsell it to you legally and for
an assessment, uh, to get past,I would, but, um, the CMMC
doesn't work that way.
Um, the furthest you can get isdone with you, you know?
(17:22):
And so, cause at the end of theday, the assessor is going to
be, um, you, your, your RPO, theperson that you're hiring, your
compliance, uh, um, A consultantcan be in the room and there to
help, but they're looking at youon assessment day.
And like you said, you need tobe ready for them to also ask
(17:44):
your employees that have accessto that as well.
So you can kind of treat it likea– Random drug screening, you
know, like you'd be able to pickany one of them out of it at any
point in time and ask them arandom question.
They pass, you know.
Right.
So that's that's kind of levelalready you need to be, which is
not impossible.
(18:05):
You know, these do not need tobe people that are super
technically proficient.
They simply need to know what.
they're dealing with iscontrolled and how they're
handling it.
And if you can just kind ofdrill them on that and train
them up, it is not the...
It is not the easiest, but it'salso not the hardest thing to
(18:25):
accomplish.
SPEAKER_01 (18:26):
And that can all be part of your awareness and
training program.
Right.
That's a really easy thing todo.
The next thing I have isvulnerability management.
You have to manage yourvulnerabilities in your
environment.
You have to show that you'redoing something, right?
And you have to show that you'reaware of what vulnerabilities
are out there, that you'vetested for them, addressed them,
(18:49):
and in some manner.
It doesn't mean that you have toabsolutely 100% clear every
single vulnerability.
You have to assess it, figureout the risk, figure out the
importance and the criticality,and go through it and address
it.
how you see fit.
But you have to actually managethose vulnerabilities.
You can't just say, yes, we scanfor them and so, and then we
(19:12):
don't do anything or maybe wescan for a subset or something
like that.
You have to understand all thevulnerabilities in your system.
If you've got an ESP, not a CSP,or even if you've got a
SPEAKER_00 (19:24):
CSP, that's an ESP.
Which could be misconstrued asan MSP.
So,
SPEAKER_01 (19:30):
too many acronyms.
If you're, you know, if you'renot sure, an ESP is an external
service provider.
A common external serviceprovider is going to be a cloud
service provider, which is likeMicrosoft 365, Amazon Web
Services, stuff like that.
Maybe you have a cloud backup.
That would be a CSP.
(19:50):
A cloud service provider is aCSP.
And the Department of Defense,in all their infinite wisdom,
has said that there are ESPs,and ESPs Some of those ESPs are
CSPs, but then the other onesare called ESPs, not a CSP.
(20:11):
Yes.
Love that one.
So, and, you know, I guess Iunderstand why they did that
because there's a plethora ofTLAs.
Which is what?
Three-letter acronyms.
There's a plethora of TLAs thatdefine all the rest of the ESPs.
And we are one of those.
And we're called an MSP, amanaged service provider.
(20:35):
There's also a managed securityservices provider.
And you can go on and on.
And I guess that would be afour-letter acronym, not a three
one.
But if you're relying on a CSPor an ESP, not a CSP, And that
could be an MSP like us that'shelping you implement these
(20:57):
controls, whether justtechnically or whether, you
know, the whole nine yards, howthey're helping you.
You've got to make sure thatthey're ready also because their
services have to be compliant.
Your controls will flow down tothem.
Right.
So the ones– Related to theservices that they're providing
(21:20):
you.
So if they're just providing youantivirus, for instance, the
controls related to that willflow down to them.
The rest of them won't.
But they do have to show thatthey meet those controls.
SPEAKER_00 (21:30):
And news alert, if you're using an MSP and they're
only providing one or twoservices, say antivirus, and not
the whole enchilada, as we liketo say– They typically, the way
MSPs work, IT providers work, isthey've also installed other
software to help facilitate andsupport, like say your antivirus
(21:56):
that you don't know about, whichwill fall under the scope of
assessment, even if they haven'ttold you about it.
So typically it's a remotemonitoring agent that helps them
manage the antivirus andwhatnot, and also gives them
remote access into your network.
And by proxy, or not by proxy,but directly to your CUI, which
(22:19):
is now in scope.
SPEAKER_01 (22:20):
Generally, they're not going to be installing
software you don't know aboutnecessarily, but it'll be part
of your agreement with them.
If they're just providing justantivirus, I don't really see
anybody doing that these days,but if they are, they're
probably also providing support,whether it's Hourly support or
whatever it is, if they provideyou support, then they've
installed something on yourmachine to be able to remote in
(22:42):
and help you out.
So those tools are going to bein scope as well for what they
do and the services they provideyou.
So I guess really what we shouldsay is if they're providing
antivirus and remote support,something like that.
Right.
(23:02):
But the point is, they will bein scope and they will be
assessed against the controls.
for the services that theyprovide
SPEAKER_00 (23:11):
you.
Okay.
So someone's at home right nowlistening and they think they're
ready, but they don't want topay a big bill or down payment
or deposit to an assessor.
And they want to do some stresstesting and figure out, am I
actually ready to pay thisperson and spend this money?
(23:33):
How can they stress test theirCMMC program?
SPEAKER_01 (23:37):
When you're going through the implementation, you
get all caught up in the weedsof how you do this and how you
do that and all that kind of funstuff.
It's good to step back onceyou're done for the stress test,
for instance.
So step back once you're doneand then go through every
control and go also throughevery assessment objective
(23:58):
because every control is made upof one or more assessment
objectives.
So go through all thoseassessment objectives and make
sure that you can prove it'simplemented somehow, somewhere.
A lot of, hint, hint, a lot ofit is about documentation,
documentation, documentation.
So, you know, do you have yourauthorized list of users,
(24:18):
processes, and devices, youknow?
Do you have that?
Is it actually, it's not just alist of devices.
It is a list of authorizeddevices.
Who authorized those, you know?
And does that match yourpolicies?
So you go through and make surethat it's provably implemented,
(24:38):
that it is.
Read the words and make sureit's implemented fully.
You go through and do that.
Once you go through that, thathelps out a ton.
Another thing that you canremember is you'll have to have
documentation of your evidence.
So screenshots, logs, stuff likethat, that show that you're
(24:59):
doing something.
what you say you're doing.
It'd be really good to havethose screenshots in there from
sometime before the assessorcomes and then to have those
again to show them, yes, theywere implemented back 18 months
ago and now you're here andthey're still implemented.
(25:21):
You can see that here.
Talk to your users and say, hey,Ask them some questions you
think an assessor might.
My favorite lady, Sally Jo.
So Sally Jo, would you log intoyour computer and show me the
MFA, okay?
Can you show me how you accessCUI?
(25:43):
You know, if she asks you whatCUI is, then you say, well, I
can tell you haven't taken yourtraining or you did not retain
it.
So you might want to addresssomething like that.
So just...
You know, quiz your users.
It doesn't have to be a bigformal thing necessarily, but
just check on them and make surethey understand and are actually
going through the training.
(26:04):
But if you have an MSP, forinstance, make sure that what
you really need from them, ifthey provide you any services,
that are protecting CUI or haveaccess to CUI, then they need to
provide you a CRM.
So a CRM is a CustomerResponsibility Matrix.
(26:25):
And so it just lists out,hopefully by assessment
objective, what they do, whatthey're responsible for, and
what you're responsible for.
And it's clearly defined andunderstood, right?
It doesn't have to be lengthynecessarily, but it needs to be
understood who does what.
And so you should have that.
If you don't have that, ask themfor it.
(26:48):
They very well may be justimplementing these.
If they don't have a standard orif you've got some custom
services, they might have tomake one special for you.
But they should be able to giveyou a CRM.
And the CRM based on...
CMMC and the State Hunter 171controls.
If they don't have a clue how tobegin writing a CRM for you,
(27:11):
that's probably a red flagabout, you know, maybe we need
to rethink this.
SPEAKER_00 (27:17):
Yeah, and you really want to tread lightly there
because once you get certifiedusing a provider, if they're not
fully bought into you– you knowhaving this compliance as a
customer then you're married tothem more or less until your
(27:40):
next assessment comes up becauseyou can't majorly change things
and if they're providing a majorservice and you feel like you
might be a bit of anafterthought to them because
you're you're compliant in a waythat a lot of their other
customers aren't, just keep thatin the back of your head.
Maybe they're fully on boardwith helping you out, but you
(28:03):
need to make sure that they'regoing to be there for the term
of your assessment, and they'regoing to stick around providing
that, and it's not on rockyfooting.
SPEAKER_01 (28:10):
You know, the only other thing is, and it's kind of
a hard one to gauge, but wouldyou be comfortable if an
assessor showed up tomorrowwalking them through this,
explaining everything, and themunderstanding and being good
with what you've done.
And that's a roll of the dice,but you've got to think about
(28:32):
that.
If I have a third party come inand check this out, Can I
explain it well?
Are they going to be on board?
Or are they going to questionme?
Did I really bend over backwardsand twist around too much to say
this control is fulfilled?
And if you did bend backwardsand twist around and everything
else to say why this control isfully implemented, then maybe
(28:59):
you ought to rethink it.
Maybe you ought to figure outanother way to fulfill that.
It may be okay, but what I cantell you is people come up with
some really wacky reasons why acontrol is fulfilled.
And you just need to fulfill it,and you just need to take care
of it with no question.
(29:19):
Some of them are complicatedanyway, but...
But you just need to try just asstraightforward as possible to
fulfill these controls.
SPEAKER_00 (29:28):
Yeah, avoid exceptions.
SPEAKER_01 (29:30):
Yes, avoid exceptions.
And the one thing I see a lot is– and it's less and less now,
thank goodness, because theyactually did– DOD did come out
and clarify this.
But there was one going aroundthat encrypted CUI is no longer
CUI.
UNKNOWN (29:46):
Mm-hmm.
SPEAKER_01 (29:47):
Yes, it's CUI.
Encrypted CUI is CUI.
It's just encrypted.
Which is what you're supposed todo with CUI.
Yes, yes.
Yeah, you've got to be able toexplain these things to an
assessor and...
Basically, you've got to be ableto explain it and feel good
about it.
SPEAKER_00 (30:02):
Comfortable with them
SPEAKER_01 (30:03):
showing up?
Comfortable-ish because I don'tknow about you, but that always
gives me the heebie-jeebiesanyway.
Somebody official coming in tosay, yes, we're going to approve
you or not to keep your milliondollars worth of contracts.
SPEAKER_00 (30:16):
Right, yeah.
Thank you, Brooke.
Appreciate it as always.
SPEAKER_01 (30:18):
Absolutely.
I hope people like our new sign.
SPEAKER_00 (30:22):
We did not mention it.
No, we
SPEAKER_01 (30:24):
didn't.
The whole thing, and I justturned around and realized that
we haven't mentioned that.
We like it.
So hopefully you like that
SPEAKER_00 (30:30):
song.
Drop some comments or hit us upif you like it.
Or if you don't, don't hurt myfeelings.
It's okay to hurt his feelings.
No, I'm kidding.
Hopefully it improves the audioand visual nature of the
podcast.
I think most people arelistening anyway, so I think
(30:51):
this might just be for...
That's true.
If you're
SPEAKER_01 (30:53):
listening, you can't see it anyway.
So we'll just tell you.
It looks really cool.
SPEAKER_00 (30:57):
Yeah.
Yeah, go check us out on YouTubeand see what we're talking
about.
So, all right.
Again, thanks, Brooke.
Guys listening, if you have anyquestions about what we covered,
please reach out to us.
We're here to help fast trackyour compliance journey.
Please text, email, or call inyour questions.
(31:17):
We'll answer them for free hereon the podcast.
You can find our contactinformation at
cmmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant, staysecure, and make sure to
subscribe.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com