
March 28, 2025 33 mins


In this episode of The CMMC Compliance Guide Podcast, Brooke and Austin dive into a key question many DoD contractors face: Should you handle CMMC compliance yourself or hire a consultant?

We break down the risks, costs, and benefits to help you make the best decision for your business. Discover the 6 major risks of DIY compliance, including:

1️⃣ Losing DoD contracts due to non-compliance
2️⃣ Keeping up with ever-changing CMMC requirements
3️⃣ Hidden costs that make DIY compliance more expensive
4️⃣ The gap in IT teams’ compliance expertise
5️⃣ Security risks that linger even after passing an assessment
6️⃣ How CMMC assessors prioritize well-prepared organizations

🎯 Whether you’re starting your compliance journey or stuck midway, this episode offers actionable advice to help you stay compliant and secure.

🔗 For expert guidance and resources, visit https://cmmccomplianceguide.com/

👍 Don't forget to like, comment, and subscribe for more tips on achieving CMMC compliance with confidence.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Austin (00:00):
Hey there and welcome to the CMMC Compliance Guide Podcast.
I'm Austin and I'm Brooke from Justice IT Consulting.
We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance.
We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for

(00:20):
free, so if you want to tackle it yourself, you're equipped to do so.
Let's dive into today's episode and keep your business on track.
Today we're tackling a question that a lot of DOD contractors wrestle with.
Should you handle CMMC compliance in-house or should you bring in an expert?
We'll break down the risks, costs, and benefits so you can make the smartest decision for your business.

(00:42):
So at first glance, doing CMMC compliance yourself seems like the cheaper option, right?

Brooke (00:48):
Oh, absolutely.

Austin (00:49):
There's no consultant fees, no outside providers, IT providers that is, to worry about.
It's just you and your internal IT team and compliance team handling the process.
But I'm here to ask you, what are the real trade-offs of that?

Brooke (01:06):
Well, really, you know, if you, if you implement, if you just read those controls and you just implement those controls, that's, that's all it really is, right?
And it's, you know, not exactly.
So really the trade-offs are, you know, if you have a, if you have a team, an IT team, and they're well-versed in

(01:26):
compliance, maybe different compliance regimes, then they may understand this, and they may understand that there's more to it.
If you have a CMMC expert in-house, somebody that's gone through the trouble to learn about it, to go get certified, all that fun stuff, then yes, you can absolutely do it in-house.
And you can do it in-house, too, if you want to take the

(01:49):
time to – really should get certified because it helps with the knowledge, but at least go through the training.
Reading Reddit doesn't do it.
Now, to be clear, Reddit is a good source of information, but you have to take it with a grain of salt and kind of sort through it just like asking AI questions because AI gets things

(02:11):
wrong and, you know, Reddit is just a plethora of information.
You have to pluck out the good stuff and figure out what's really good, what's really accurate.
You really use it to hone your search really more than anything else.
But if you don't have that time to really invest in it, the

(02:31):
team to really take and go through all that training and everything, really it's best to find somebody to help you, that somebody that has that expertise, somebody that's certified.
Last week we might have gone through and talked a little bit about the different certification levels, RP and RPA, what an RPO is, and then the CCP and CCA and the C3PAOs

(02:52):
and all those acronyms.
But you need to understand what those are and look for folks that are certified and able to

Austin (03:00):
help.
I didn't work with a guy, but I used to know a guy that he got annoyed with everyone's degrees and their offices and stuff, and so he got...
and printed out a degree from Google and put it up in a frame.
So that's not good

Brooke (03:15):
enough?
Generally not.

Austin (03:19):
Well, good to know.
So Google and Reddit don't work.

Brooke (03:21):
And that's not to, again, Reddit is a good source of information, but just use it for what it is.
And it's a plethora of information that can be right, wrong, or somewhere in the middle.
So I'm not saying don't partake in that.

Austin (03:35):
Good place to start, but probably best go to the conferences and then go do the trainings and actually go through the certification process?

Brooke (03:44):
Going to the conferences, going to CMMC-specific conferences, go through the training, get the certifications, get your registered practitioner, registered practitioner advanced if you want, CMMC-certified professional.
You can do the CCA, the CMMC-certified assessor as well, although at least do the training of that.

(04:05):
If you don't want to be on an assessment team, you could probably do the training, and that training is very helpful.

Austin (04:10):
Next question for you is, we work with a lot of companies that decide to either fully outsource and hire somebody or sometimes decide to do it in-house themselves.
So the question is, what are some of the biggest pitfalls you see when companies try to go DIY with their CMMC?

Brooke (04:31):
Well, the biggest pitfalls when somebody tries to go DIY or shoot...
Probably 90% of everybody up to the last couple of years is misinterpreting the controls, misinterpreting CMMC and what we're supposed to be doing.
It takes a lot of learning, a lot of just delving in, jumping

(04:54):
in, and not just reading the 800-171, but reading the frameworks, the 800-53 and other things that it refers to, understanding where it comes from, what it's really asking for.
And all that.
So it's misinterpreting the – and I kind of referenced it in the first question you asked me.
Don't we just read the control and just implement the control?

(05:16):
It's not that easy because it doesn't necessarily always mean what an IT guy like me or you or what a bunch of IT guys would think it means.

Austin (05:26):
Yeah, and this latest conference that we went to, I think it was CIC – Southwest.
Southwest, yeah.
That's what it was.
Yeah.
We were talking about that, and we were looking at one of the images was of how all the documents reference each other and how it was all visually laid out, and it looked like a complete spaghetti meatball mess.

(05:48):
And then the other thing was the NIST 800-171, all the revisions is not written for someone who has an existing network.
It's written like if you were to start from zero.

Brooke (06:02):
You know, they brought that up at this last – remember who talked about it, but somebody talked about that and I thought, well, you know, that's actually a very good point.
And they're right in that, you know, 800-171 was envisioning basically setting up a network from scratch.
You know, it's not taking your network that you've had in place for, you know, 20, 25, 30 years and then, you know, trying to

(06:27):
shoehorn CMMC into it.

Austin (06:29):
And so that alone is a pitfall, you know, what's missed by...
you know, just that being written for a, you know, a blank slate,

Brooke (06:37):
you know?
Yeah.
Not only that, the, the CEO, the physical CUI that you had around that wasn't CUI way back when, you know?
Uh, yeah, there's, yes, absolutely.
There's, there's a lot there.

Austin (06:50):
Yep.
There's some, some dust covering some CUI and some people's offices.
Moving on a little bit further down that, um, line of questioning for DIYing your CMMC.
I'm sure I'm going to mess that up by the end of this episode.

Brooke (07:06):
DIYing, is that a word?
It

Austin (07:08):
is on HGTV.
That's where I got it from.
I guess, I don't know.
Let's dive into the six major risks of DIY CMMC compliance.
Let's start with the biggest risk, which is losing contracts, right?
What happens if a company missteps in compliance?

Brooke (07:28):
That could go a lot of different directions, none of them are really good.
So if you misstep, it could mean that you have to rework your solutions, whatever you came up with to meet a control or some controls or whatever it may be, whatever that misstep is, you know.
You might have to rework things, which would honestly be

(07:50):
the best out of all that.
You could get dinged for it during an assessment.
It could be something you can't POAM, and therefore you just fail the assessment.
And then you have to start all over, and you have to spend all that money all over again.
They do try very hard for that not to happen, to ask all the

(08:10):
appropriate questions up front before you get started so that doesn't happen, but it still can happen.
I mean, it's not like they get all the details and go through all the details because that's work they have to do, right?
But that's a different subject.
So you could fail an assessment.
Or if you have a contract coming up that requires CMMC, a

(08:34):
contract, certification assessment and your level two certification, you have to have that level two certification in hand before you can be awarded that contract.
So you could either lose a contract or you could, if you completely misstep and say, hey, you know, I don't actually meet this.
I said I did.

(08:55):
You know, that would be really bad.
Or you could lose upcoming contracts.

Austin (08:59):
Well, another thing is that, you know, CMMC is always
evolving.

Brooke (09:03):
Is

Austin (09:03):
it?
Yes, yes.
Constantly.
A couple new updates this year alone, right?
But it's always evolving.
How do companies keep up with that?

Brooke (09:13):
Well, the way your company keeps up is there's got to be, really you have to, somebody has to have the title of CMMC evangelist or CMMC expert or something.
Somebody's got to, it's got to be somebody's responsibility to keep up with CMMC.
Just like we talked about a minute ago, you know, they'll want to stay up, stay up on the training, go to conferences,

(09:35):
attend meetups maybe, you know, but stay up on this.
This is a, there is a lot to this and it changes from time to time.
So it's, it's changed over the years since 2017 when we got involved.
It's changed a little bit.
And so there's got to be somebody dedicated to go through this, and really a team, but somebody dedicated to go through

(09:58):
this and make sure they're keeping up with all the latest and not only the latest changes, but making sure that all the latest understanding of what things mean.

Austin (10:07):
To piggyback on what you're saying and kind of something you said earlier was, you know, if – Reddit and Google are great, but they're not.
They're not the end-all, be-all.
It's not going to get you compliant.
If you are a quality manager, IT person, whatever, you're the CMMC evangelist at your company and you guys have decided to DIY

(10:30):
your CMMC compliance, then you really need to make sure and show them this episode that your boss knows that that $1,000 ticket for one of the CIC events or conferences is important and needs to be paid for.
Um, it really is important that, that your boss, um, or

(10:51):
whoever your leadership at your, your company knows that those conferences are important and that you need to go to them.
Um, and that, that, that plane flight is important and that hotel, um, bill is important too.
And that all adds up, that's a couple thousand dollars, you know, but if you're going to DIY it, that's a cost that you're signing up for to DIY.
Um, because it's, there's not a good replacement currently for

(11:14):
the information and perspective that's shared with those, and just doing a certification course is great, but you don't get access to all those people's perspectives and sessions like you would at the conference.

(11:34):
And I would say a course or Google and Reddit are not sufficient.
You really need to go to those.

Brooke (11:40):
You do.
And you can interact with a lot of people that are really experts in their field that way.
Attending those things.
Attending the Cyber AB town halls, monthly town halls, is a really good thing to attend.
They answer as many questions as they can during that.
It's a really good source of information.
But you really have to stay up on that information.
You have to stay current.

(12:01):
And the whole CMMC thing is about ongoing management of everything.
And you can consider all this learning, you know, and it's learning and keeping your learning moving forward.
We're kind of used to it in the IT field because if you don't go to training, then you kind of fall behind very quickly.

Austin (12:24):
Yes.
Yeah.
That's no joke.
I mean – what the courses and Google lack is, uh, and the publications alone, is that gray area, and that's what the town halls and the conferences fill in for you, is that gray area where, well, it says this, but what does that really mean? It

(12:45):
provides that perspective so that way you're doing what's accepted practice, um, so that way when that assessor shows up you're not getting, you know, caught surprised.

Brooke (12:53):
The other thing I might add in there is that, uh, it really depends on how, on what sort of system you have, what your system looks like to implement CMMC on, because there are lots of different ways, lots of different things, and things you hear on Reddit and whatever else may not be exactly correct

(13:14):
or may not apply to you.
But the other thing, going to conferences, most of those experts will give you their thoughts, but they'll stay away from giving you exact advice on, well, what about the CNC machine and what about this and how should I do that?
That really gets into consulting.
And so that's where, you know, do I need to go hire a

(13:35):
consultant, you know?
Or just networking with folks there and talking to them and saying, hey, how are you handling this?
How are you doing this?
How are you doing that?
And getting that information can help out as well.

Austin (13:49):
Next one is a lot of companies assume DIY compliance is going to save them money, but what is the hidden cost?
I think we've already mentioned a few items, but what is the hidden cost of DIY compliance?

Brooke (14:00):
Well, really the hidden cost is when you start out wanting to DIY, we've just got to look at these 110 controls and read them and just implement it.
That's all we've got to do.
So you think you're going to save some money by not hiring somebody, but what hiring – somebody good with expertise can help with is cutting to the chase and saying, this is what

(14:23):
this means.
This is what this control means.
This is what you have to do.
This is all the documentation you need for it.
And this is, in your network, these are the things you have to consider.
And these are, you could do it this way or you could do it this way.
You know, going to all these conferences and you can't skip the training.
You can't skip all the learning.

(14:43):
You can't skip all the experience with all this.
You've got to go to these things and you've got to take the time to do that.
So all the time and expense learning is very important.

Austin (14:54):
Another one we see a lot is that most IT teams handle security, cybersecurity, right?
They make the assumption that IT security and compliance are pretty equivalent, but we know it's a completely different beast altogether, right?
So what's the key difference between IT security, cybersecurity, and compliance?

Brooke (15:15):
So really, just because you are secure does not mean you're compliant.
Just because you're compliant also does not mean you're secure.
And if you want to be technical about it, to really be secure, you really want to follow some sort of standard, right?
Whether it's CIS, whether it's NIST CSF, NIST 800-171, and

(15:37):
CMMC, whatever it may be, you want to follow some framework because that'll give you something to shoot for rather than going, we follow best standards.
And what are those best standards?
Well, and you can explain what those are, but how did you come up with those?
A good cybersecurity framework gives you a good place to start.

(15:59):
So really, when you think about it, security can start with a good compliance framework, but being compliant doesn't necessarily mean you're secure.
But compliance also addresses all the documentation, all the proof, and of course meeting those specific standards, but

(16:22):
all the documentation, all the proof to go along with it.

Austin (16:25):
I view compliance...
as kind of a CYA, cover your assets.
I

Brooke (16:34):
don't know why I'm laughing.
I think I've heard that before.
It

Austin (16:37):
is funny.
I thought

Brooke (16:39):
you were going to say something else for a second.
Go

Austin (16:40):
ahead.
The way I view compliance is that if you're going to go to court, sit in front of a judge and jury, and you had to argue the case that you were secure – and you did everything and all your due diligence, you could either go against Austin's

(17:02):
cybersecurity best practices, which is me and what I decided alone, or what's an easier case to argue in court is I use this standard that was accepted and published by X, Y, and Z.
It's accepted by many, you know, these compliance regimes use it, and this is what we followed, and here's how we

(17:23):
followed it, and we still got hacked, but that's okay because we did everything we could, and sometimes you just get hacked.
And we're not liable because we did everything.
We did our due diligence.
That's kind of how I view compliance is that it's, if you, and cybersecurity issues, frameworks is if you follow one

(17:45):
of those, you're not the one that's going to take the fall.
It's a standard of the compliance itself that takes it right.
So it kind of removes the liability off of you being your own being the person that says you're good rather than you follow the framework.

Brooke (18:05):
You know, I like that, and yes, that's correct.
Another thing, I was on another webinar yesterday, and something related came up.
Now, this is one person's opinion, but it sounded good to me.
What he said was, you need to be following some sort of

(18:26):
compliance standard, just like I talked about a minute ago.
Of course, that does not mean you're secure.
You've got to make sure you go through it and actually implement things that are meaningful.
But if you follow a standard, that's the first thing.
But if a lawyer has to go to court to defend you, he would rather back you up on something that's backed by the federal

(18:49):
government, aka NIST, than something that's not, like CIS.
I happen to like the CIS standards, but that makes a difference.
Is a lawyer going to have to defend you based on something the government put out or based on something a nonprofit put

(19:09):
out?
I think the CIS is fine.
But, you know, I understand that.
The government doesn't like to admit that they're

Austin (19:17):
wrong.

Brooke (19:19):
Right.
And a judge and a jury probably is going to find a little bit more weight behind NIST than something

Austin (19:28):
else.
So another pitfall is when companies think that they're already compliant and already secure.
The companies that are just confident that they're compliant and secure, what risks do they face?

Brooke (19:41):
Really, CMMC is not about checking boxes.
It's about reading the controls, understanding controls.
And also we have to implement the CMMC portion of it.
But understanding those controls, reading through them, and implementing them as they're meant, which also requires reading the background documentation and standards as

(20:03):
well.
That would be the risk is you actually aren't covered like you thought you were unless you've done all that work in the background.

Austin (20:10):
Are you talking about documentation again?

Brooke (20:13):
If you've watched any of our episodes, yes, I'm talking about documentation.
But I'm also talking about documentation requirements.
There's also, other than that, it's documentation.
Documentation.
So, yeah.

Austin (20:25):
Stacey puts up this little thing.
Oprah Winfrey, right?
Yeah.
It says documentation, documentation, documentation.
Yes.
We've memefied you.

Brooke (20:35):
Right.
I wonder if I'm going to see myself around the internet with the documentation thing.

Austin (20:40):
I may have brought that up just to do the thing.
There you go.
There you go.
So another pitfall, I think the last one we have, is how does being unprepared affect a company's assessment timeline?

Brooke (20:52):
I mean, if you're unprepared for an assessment, then you really can get behind the eight ball very quickly.
I mean, I guess if you're unprepared, you're already behind the eight ball, but you would be behind the eight ball a lot further than you really realize.
It takes longer to implement these processes, implement some of these things than you think.

(21:14):
It's not easy just to spool up a GCC High tenant and get everything migrated over in one day.
It's not exactly that easy or quick.
But what's also not very easy or quick is getting a C3PAO to come do your assessment.
If you're not ready, you've got to get ready and make sure

(21:36):
you're ready.
Make sure all your I's are dotted and all your T's are crossed.
And you have all your documentation, your SSP.
You've completed your POAM.
You've got all your policies and plans and procedures.
You've got all your proof ready.
Okay.
Make sure you have all that ready.
They'll ask for proof again.
But make sure you have all that ready and give them a call and

(22:01):
say, hey, we need to get on your schedule.
And they'll say, great.
It's April.
So that means April, May, June, July.
We can fit you in at the end of July.
And you're like, well, I've got this contract I'm wanting to bid on.
Well, you can bid on it.
But you won't be able to win that contract.
If they award it to you, then you have to have that level two

(22:22):
certification, right?
And, of course, there's more caveats there, but that could be a scenario.
It absolutely could be a scenario you face is not being prepared and then not having the time to get that C3PAO in, get everything done.
And, again, if that C3PAO is four months out, it may take

(22:46):
them two months or so to complete.
So you're looking at the very least like six months, if not longer.
Closer we get, I might add, that those C3PAOs are probably going to fill up even more.
That's right now when it just kicked off and when people are just doing this voluntarily right now.

Austin (23:03):
Moving on a little bit past DIY to hiring a consultant.
If a company decides that DIY compliance is not the best path and they want to hire a consultant, what should they look for in that consultant?

Brooke (23:18):
Well, they should look for somebody that has the expertise, right?
Somebody that does this.
It's their business.
Somebody that we talked last episode, if you happen to watch that, about the difference between RPs, RPAs, CCPs, and CCAs.
And so now to explain a little bit of that again, an RP is a

(23:41):
registered practitioner, and it's the low bar for entry.
And it takes a few hours worth of watching a course and then a quick exam.
I don't remember how long the exam was, but we've been doing this since 2017.
And so I was able to do that and get it completed pretty

(24:04):
quick.
And truthfully, some of our other employees that – that haven't been doing this that long, they were able to get it done pretty quick too.
In other words, RP is not really that hard.
So really the minimum barrier to entry would be the RP.
RP Advanced, I haven't bothered taking the time to do that.

(24:25):
I understand that it's better than RP.
It's a little more involved, but it's still not the next level.
Uh, and those are Cyber AB certifications.
The next one would be, or, uh, registrations really.
They're not actual certifications.
The next one would be a CMMC certified professional, a CCP.
A CCP is going to know quite a bit more, but they take a test

(24:46):
and that, that test is not easy.
It is, you've, you've got to put on your studying hat to, to get that test done.
It's not like, it's not the hardest thing I've ever done, but it's, it's not an easy test to pass.
So somebody that has your CCP has some good knowledge behind them, right?
Uh, I might step back just a little bit and explain an RPO.
An RPO is a Registered Practitioner Organization, and

(25:08):
that is a company who has RPs that work for them.
So we have RPs that work for us, so we're an RPO.
But we also have one CCP, and we're working on some more CCPs.
CCP, I might add, the actual – training and testing really is

(25:29):
focused around the level one controls.
In the training, I don't know if this was just unique to Edwards Performance Solutions that I took.
I don't think it was.
I think it was because of the good training they had or the good book and everything.
They went through every single control.

(25:49):
They talked about everything.
So it was a good set of training.
We discussed a lot in class.
If you go and do CCA, then your CCA is a CMMC certified assessor.
That's a high bar.
Also, those people have to, CCPs and CCAs, have to pass a

(26:10):
Tier 3 background check also.
So there's more to it than just that.
CCAs also have some other high bars they've got to meet.
But I can tell you that most CCAs, they're probably not going to be doing your implementation.
They may be helping out an RP that needs some help or something, but they're not going

(26:31):
to be actually doing and helping out your implementation.
They've got enough assessments.
They're going to be working on those.
But look for an organization that has RPs, RPAs, CCPs.
Those are really the keys.
CCAs is a nice to have, but I really think most of those are going to be working on assessments.

Austin (26:51):
What about businesses that have already started a DIY business but they're struggling and realized, okay, maybe I want to bring in a consultant midstream.

Brooke (27:00):
I don't think we've run into any of those, have we?
I think they're all of them.
Really, that's just fine.
If you've struggled, that is a lot of people, to tell you the truth, because nobody wants to go out and just spend a ton of money to get this done.
But at some point, most people realize, unless you have a team,

(27:21):
like we said earlier, that you can – get certified, send all these trainings, send to conferences, all that kind of fun stuff, and really that becomes their life.
Unless you have a team you can do that with, then it makes sense to move on from DIY to having a consultant come in and help you to some degree through the whole process or whatever.

(27:45):
But so most people will start out DIY and then say, you know, this is a lot, you know, and I need somebody to help.
And yes, hire a consultant, come in, see what you have.
They can do a kind of a gaps assessment and figure out where you're at and what you need and move on from there.

Austin (28:06):
Yeah, that's typically what we'll do is someone will come in and say, we've been trying to do this.
And then they're like, we need some help.
And they always want to figure out where they're at first.
You know, see how far they've gotten along themselves.

Brooke (28:21):
Yeah.
And what I will say is most people at DIY, they get into it and they say, we need some help.
And so you'll come in and you'll say, okay, well, you know, what kind of CUI do you have?
And they'll say, well, I don't know.
So the very basic stuff is, hey, figure out what kind of CUI you have and figure out where your data comes in and goes to,

(28:43):
your data flow diagram.
Those are key to understanding everything else.
But that's mostly what we hear is when people – ask is, do you have, what kind of CUI do you have?
I don't know.
Do you have any idea where it comes from, where it goes?
Well, not really.

Austin (29:03):
Well, since we're on the topic, we'll kind of go ahead and jump into it.
What can companies do if they want to be proactive to best approach CMMC compliance?

Brooke (29:16):
Start with a gaps analysis, right?
And figure out where you're at, figure out where you need to be, and that would be the gap, right?
Right.
So start out with your gaps analysis.
Invest in strong documentation.
Strong documentation doesn't necessarily just mean the documentation itself.
It means managing that documentation.
And what are you going to do with that?
Well, that probably really means investing in a GRC tool,

(29:38):
right?
Having a good GRC tool you can use and keep track of everything, keep it updated and understand what you have there, assign it to certain people.
You can certainly just have it on F drive or whatever, you know, but it's hard to assign things to people out of the F drive, right?
So a good GRC tool helps with that documentation, a good

(29:59):
strong documentation and documentation management.
Don't wait on it.
I feel like a broken record here too.
Don't wait.
So you've got to get started now.
This is way more in depth.
If you're trying to DIY it, you know, you need to start because

(30:21):
you need to really understand it.
You need to really jump in and really understand, learn, and figure out what this whole CMMC thing is all about.
So don't wait.
Start now.
There's a lot more to this and things take a lot more to implement than you realize.
Really consider hiring an expert in to come help you.
And just, we talked about what an expert, you know,

(30:43):
certifications that an expert might have, you know, looking and making sure that this is the type of work they actually do.
You know, and that they really understand it.
But getting an expert to come help will shortcut that.
Yes, you'll have to spend money on an expert, but that'll save time.
It'll actually...
very well could save you some money in the long run too.

(31:05):
So those things would be very

Austin (31:08):
helpful.
And we should, on one of these episodes here soon, have a guide of sorts that is coming out that will help you navigate that process of who to hire, what to look for, et cetera.
So look out for that.
Let's sum it up.
I think we're getting towards the end of the episode.
If you're a DOD contractor, what's the key takeaway

Brooke (31:30):
here?
The key takeaway really is that CMMC is not really just an IT issue.
It is really a business issue.
A business involves the whole business.
It really is a small part of it is IT directly, right?
There's a lot of IT folks that are involved in this because of

(31:51):
the nature of it.
But it's not just an IT issue.
It is a business issue.
If you don't have in-house expertise or the ability to get your in-house folks up to speed very quickly, then that can cost you more down the road and maybe lost contracts, lengthier

(32:14):
implementation times, or having to rework things.
That can cost you a lot more down the road.
Consider bringing in an expert to help you out to shortcut that.
A lot of times you'll be spending less in the long run, believe it or not, but that can really help.

Austin (32:36):
If you have questions about what we covered, please reach out.
We're here to help fast track your compliance journey and send us your questions.
We'll answer them for free here on the podcast.
You can find our contact info at cmmccomplianceguide.com.
Stay

Brooke (32:52):
tuned for our next episode.
Until then, stay compliant andstay secure.