May 16, 2025 56 mins

Get the latest insider takeaways from CMMC Day 2025 straight from Washington D.C. In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down the most critical updates small and midsized businesses (SMBs) in the defense supply chain need to know now.

We cover:
 ✅ Why CMMC is NOT going away (despite what skeptics think)
 ✅ Critical mistakes businesses still make with SSPs, scoping, and access control
 ✅ Real-world assessment horror stories you need to avoid
 ✅ Why subcontractors can't hide in the supply chain anymore
 ✅ Tools, technology, and zero trust lessons from the show floor

Whether you're a manufacturer, IT lead, or compliance manager, this episode delivers actionable insights to help you stay off the DoD's naughty list and win more contracts in 2025.

🎯 Need help? Get your free SPRS Score Roadmap → https://cmmccomplianceguide.com/free-sprs-roadmap

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_02 (00:00):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free, so if you want to tackle it yourself, you can do so.

(00:23):
Let's dive into today's episode and keep your business on track. This episode is for those that couldn't attend CMMC Day 2025. Brooke, you were there this past Monday.

SPEAKER_00 (00:33):
I was. Beautiful Washington, D.C.

SPEAKER_02 (00:35):
Absolutely. You got to sit in on all the sessions and supposedly came out with a ton of insights.

SPEAKER_00 (00:42):
Yeah, CMMC Day was great. There was a lot of really good information.

SPEAKER_02 (00:46):
Well, today I'm going to grill him on what stood out and what matters most for small businesses and how to make sense of it all, even if compliance isn't your day job. What were the biggest themes this year at CMMC Day 2025?

SPEAKER_00 (00:59):
As far as the overall themes, one of them was really, one was clarity. They continue to provide clarity of what's happening, what's going on, and that nothing is changing. There's a bill before Congress to basically do away with CMMC, and that's... It would be very, very surprising if that

(01:22):
happened, put it that way. But there's continued clarity that there is a schedule. They're holding to it. This is moving forward. That light you see in the tunnel is the CMMC train coming towards you. So you need to get ready. Another thing is phase rollouts. We're waiting on the 48 CFR, right?

(01:43):
48 CFR is what puts CMMC in place on contracts. The 32 CFR rule that just went final at the end of last year, December, that's what clarified CMMC and defined CMMC. Now, the 48 CFR is what will put it in place on contracts.

(02:07):
That has been pulled back just for review. They still expect it to come on through. They've asked for an exception to a rule, and I don't remember the specifics, but they've asked for an exception on this because this has been in the works for years and years.

(02:27):
We're at the finish line. Can we go ahead and move forward this rule as is instead of going back through and reproposing it, right? Or reworking the whole thing. So they're trying to do that. We'll see where that goes. But this 48 CFR will come through at some point. We don't know exactly when.

(02:48):
There is a very good likelihood that they'll grant that exception, because it does deal with defense, right? And that's a huge deal. In fact, there was a good session from one of the company's largest privately owned defense contractors.

(03:09):
You all might know who that is. Anyway, there's some very good stories about the theft of, the theft of intellectual property and everything from us by the Chinese that's been happening over the years. And, you know, you hear about all this, and we've got all this floating around in our heads, and we know it. But, you know, hearing these stories put together and talked

(03:33):
about, you know, together in a whole, you know, is very, I don't know, humbling, enlightening. It was enlightening, but we already know the information, you know, but it was very insightful. Yes, thank you. You know, the other thing they talked about that was a theme was that you're not going to be able to hide further down in the

(04:00):
universe, supply chain anymore. A lot of people are subcontractors of subcontractors or even subs of subs of subs or whatever. And so they talked a lot about that. And, you know, primes are saying, hey, you know, there's more and more pressure from primes to say, hey, are you on the certification schedule yet?

(04:20):
You know, have you contacted a C3PAO to get certified for level two? So there's more and more pressure because after all, they're a contractor from the federal government. Nothing is assured, so if they don't have all their subs in line and can say, yes, we're ready because all of our subs– we're ready and all of our subs are in line. If they can't say that, they're going to lose out on contracts,

(04:42):
and they don't want to do that. So they need to make sure their subs are ready to go. Flow down rule, the subs also need to make sure that their subs are ready to go and all that kind of fun stuff. So you're not going to be able to hide as easily– down the supply chain anywhere.

SPEAKER_02 (05:02):
Well, I sure know a couple people that are really betting on that bill to pass.

SPEAKER_00 (05:08):
Yeah, yeah. There are people out there that are really, for whatever reason, they just know that CMMC is not going to happen. And CMMC doesn't have a good track record, so I understand that. But it's coming. So one way or another, it's coming.

SPEAKER_02 (05:24):
Let's talk about some real-world assessment lessons you had mentioned. What are people still getting wrong?

SPEAKER_00 (05:30):
Uh, what are people still getting wrong? One of the things is, uh, your SSP, um, your SSP, some people make it eight miles long and some people make it just as short as possible. You know, porridge too hot.

SPEAKER_02 (05:44):
We will protect CUI, done. Yeah.

SPEAKER_00 (05:47):
Porridge too hot, porridge too cold, right? But, uh, it's gotta be just right. Um, but really the SSP has to have some very specific information in it, very detailed, but you don't need to make it eight miles long, right? So the SSP is one of those things that people are still getting wrong that caused them more work or, you know, possibly

(06:10):
even to fail an assessment.

SPEAKER_02 (06:12):
So how does someone get an SSP right?

SPEAKER_00 (06:14):
Well, for the SSP itself, like I said, I mean, it's tough without going into each of the controls, but you have to say just an overview of with some specifics in it. This is how we document all the users. This is what we do. This is how it's authorized. And it's referenced in this policy, in this plan or

(06:37):
procedure or whatever. So you say those kinds of things in the SSP. And that helps out a lot because that gives them a good overview. It shows the assessor that you actually know what you're talking about and you actually have something in place to go get the details. They probably need to go look at the policy. But, you know, that's...

(06:59):
that's kind of a high level of how you, how you would create a good SSP.

SPEAKER_02 (07:03):
So it's, it's kind of like at the top of the hierarchy of like the rest of the policies and references and points to, uh, like the other things, like it doesn't necessarily, uh, address incident response in its entirety, but it'll point to the incident response policy. And then in that you.

SPEAKER_00 (07:21):
And absolutely correct. That's absolutely correct. Uh, but you also can't say see incident response policy. So you've got to give a high-level overview with some details in there about how it's done. Because those SSPs, people are going to ask to see them.

(07:43):
Vendors are going to ask to see them. Not vendors, but your primes and whatnot. Can we see your SSP? That's a whole other discussion, but they may ask to see those. You want to have a little bit of detail in there, but not too much. Assessors, again, assessors want to see that and be able to read your SSP and say, all right, I have a good idea that

(08:07):
they've got these things implemented correctly. Of course, the devil is in the details, but the SSP is one of those things. Another thing is poor scoping. People either scope in too much or they don't scope correctly.

(08:28):
And when you think of, if you scope and say, you know, I'm going to have my enclave, you're going to have this enclave, and well, while everything might be in the enclave, but you have, you print outside that enclave, or you connect to an unsecure computer outside that enclave, you know, then that's, you just

(08:49):
pierce that enclave, and you're at your, your scoping isn't correct. And by scoping too large– if you go and put everything in scope, that's going to be right for some people. It really is. But for other people, it's not.

(09:09):
If you can scope and make an enclave, a true enclave, that's a lot better way to handle it because your CMMC– your CUI scope that you really have to tighten down on. And the amount of stuff that you have to tighten down on is going to be a lot smaller. Um, so

SPEAKER_02 (09:23):
it's a problem with going and like buying a template or asking ChatGPT to make your, your SSP or, you know, it's, uh, cause it, everything leads back to the scope. If I understand it right. It was like in that scope, you really need to define very, um, intentionally. Right. And so, and then, then comes the SSP, then comes the policies,

(09:47):
then come the implementation. So it's all sourced from the scope and you really have to get that correct. And jumping to an SSP template or a ChatGPT is not necessarily going to serve you well.

SPEAKER_00 (10:02):
Data inventory and scoping is where it starts. You've got to know what you have and how to protect it and then you've got to know where to protect it. Or if you're creating something new, you know, or want to create something new, you want to limit your scope. How do I, how do I limit that and how do I scope this properly where we can, where

(10:25):
we can do this? So some companies can do that. Some companies, for their workflow or whatever they do, it just doesn't make sense, and it makes more sense to, um, to make your scope a lot wider and to maybe scope some things out like your accounting system or, you know, whatever it may be. But, um, the, uh, but scoping is an

(10:45):
issue and understanding your scope and knowing that, um, that your, your, anyway, your scoping is everything. The other thing is your, the assessor is only going to assess what you tell them is in scope. Whenever they assess you, uh, they're going to, if they find out if some employee says, yeah, I use my, uh, no, I don't just

(11:06):
use my home computer. I don't just use my work computer. I use my home computer too. And they're like, well, you know, are you sure you use your home computer? So that may call into question, is their scope proper or not? You know, did they do this right? Did they secure it right? So in general, the assessor is only going to assess your scope,

(11:27):
and you don't have to worry about anything outside of it unless you're in the assessment. That leads them to believe that, you know, you didn't scope it properly or you didn't configure it properly or something, and there's data leaking out. Yeah. Scope is very important. Not only defining it right, but then protecting it correctly.

SPEAKER_02 (11:48):
And here in the near future, we're going to be doing an episode over scoping. So that way we're trying to distill it down into a... core concepts in a podcastable little bite. So look forward to that in the future if that's something you're struggling with.

SPEAKER_00 (12:07):
Absolutely. Another thing is what I just touched on with scoping is the boundary of that scope and is it a true boundary or not? So if you define your, if you say I have this enclave here and only what's in this enclave is in scope and that's the only place CUI is at, great, but if... How do they get to that?

(12:29):
Is there a computer inside that that they have to go use or switch over to? How do they get access to that environment? Is it an RDP session? Is it a virtual desktop infrastructure? And is that VDI session configured properly? Can they copy and paste from it? Can they print from it?

(12:50):
If it's a VDI session and you can map drives, copy and paste or print from it from outside of that, you know, from the computer that's connected to that VDI environment, then suddenly that computer comes into scope. So guess what? Your enclave that you had just expanded to, you know, to whatever is connecting to it.

(13:12):
But they did say they have, there is some clarification that if you configure those VDI sessions properly, then this is VDI sessions specifically, but there are other ways that you can pierce that gap accidentally or misconfigured. But in this VDI example, if you do have it configured properly

(13:35):
where there can't be any data taken out of that by any of the means we just talked about, then that is okay. The computer connecting will be out of scope.

SPEAKER_02 (13:45):
Yeah, and to reiterate that, if you're going through an assessment and you've got your scope defined and then an assessor comes in and asks Susie, it's like, hey, how do you access this? And she does something that expands the scope. Then now if you're printing or copying or accessing CUI where

(14:06):
you shouldn't, but you kind of have everything defined in that scope, then suddenly once they figure that out, your scope, boom, expands, and it's kind of the end of an assessment. Is that right?

SPEAKER_00 (14:18):
Yes, unless it's... Different assessors may handle this differently. If it's something that you can say USBs weren't blocked, you know, and they should be blocked, let me block those, and you come back and prove that and say we had this in place, we disabled it for whatever goofy reason, and now it's in place

(14:39):
again, then there's a good chance that they'll be okay with that. A

SPEAKER_02 (14:45):
hole that's easy to plug.

SPEAKER_00 (14:46):
Yeah. But you really don't want that black eye when an assessor comes, I can tell you that, because that takes their trust level. If you've got a great SSP, great policies, they've looked at all that, and they're all happy with it, and they come to do the assessment and do something like what you're talking about, that trust level goes from up here.

(15:07):
It just dropped a lot. So now they're going to be very suspicious of a lot of other things, and they're going to really do a lot more checking. So you want to keep that trust level up here. And I'm not saying– lie or anything like that, not, not at all, but you want to keep that trust level up here so they don't have to spend that time digging around and worrying that

(15:27):
there are other things that are misconfigured.

SPEAKER_02 (15:29):
If you've gotten the scope wrong, then they, they start wondering where in the heck else have they messed up, right? Because everything goes, leads back to the scope. Like I will have to go start, go checking. Maybe it's not the end of an assessment, but it's, it certainly is, um, the start of an end. Yes, yes. It's not a good thing. So moving on, you had mentioned kind of access control a little

(15:49):
bit and the simplification of it. What are people having struggles with? What is tripping people up about access control?

SPEAKER_00 (15:56):
Well, one of the things that's tripping people up is, you know, as an IT guy, you ask me, do you have a list of authorized users? Well, heck yeah. It's an Active Directory or it's an Azure, you know. Yeah, I have a list of users. Well... That's the identity solution. That's not who you've authorized

(16:17):
to access that CUI. It does, it does contain the authorization, you know, and those users, there can be accounting users there, there can be, you know, marketing users there. Sorry, but if there's marketing users, they don't, they don't need to access CUI. So, so you, you know, you can specify who there has, has, is authorized to access that, but that's not a list of authorized

(16:39):
users. There's, because probably every company has cleaning crew or people outside of the, you know, people who work the machines, people who do whatever else that may not have access to the system to that.

SPEAKER_02 (16:51):
People that need to access the facility or the computer system that don't access CUI as part of their job.

SPEAKER_00 (16:57):
Right. This is going to be a list of everybody that works for you who's either employed or contracted, right? And are they authorized to see CUI or not? Right. So that's going to be that. But that's not...

SPEAKER_02 (17:12):
If you're a... Sorry to interrupt, but if you're a manufacturer or someone that's a defense contractor, and you have an IT company, are they supposed to be on that list?

SPEAKER_00 (17:23):
They are. You need to have your IT company. You need to specify whether they're authorized or not and what they're authorized to do. They're not necessarily authorized to interact with the CUI, but they do backups of the system probably, and they're going to need to be able to restore, and that gives them the ability at some point to see, and that has to be controlled and all that kind of fun stuff.

(17:44):
Absolutely. And for most contractors out there, I would think that at least most that we run into... There are some that have 100% of their business is defense industrial-based. It's for the defense industry. That's an easy call. However, some of them, it's 60% or 25% or whatever it might be.

(18:08):
And so guess what? All those people out on the floor, may only be, you know, four or five of them that deal with, uh, the DIB portion of the, of the business. And so who out there has the ability to see that information, you know? So you got to think about all that. Um, and so you have to have the, and it could be every, if you only have 25%, but everybody on the floor is authorized, then

(18:29):
that's fine. But you have to list them out, even if they don't have an account in, um, an Active Directory, right?

SPEAKER_02 (18:36):
If there are another one at you, it's common that we see smaller, medium businesses and is the owner who doesn't perform most daily duties, isn't necessarily making CAD drawings or milling parts, and they're just looking at books and reports and stuff like that. Do they get access to CUI? Because

(18:56):
usually they want the keys to the kingdom.

SPEAKER_00 (18:58):
They usually do want the keys of the kingdom, but in smaller companies, you know, a lot of times the owner, general manager, whatever is going to be, have a hand in day-to-day business, you know, and they may need to help people with, with things and... So that's understandable. But typically as a country– typically as a company grows, that– GM, president, CEO, needs less and less access to any of

(19:22):
that stuff. Needs less and less access to that stuff. Typically, they always want it, you know, but do you really need access to that, you know? So, I mean, that's a good assumption is that they don't necessarily need the keys of the kingdom. So really, identity versus authorization is what you're

(19:43):
looking for. Not an identity list, you know, from your Active Directory or also is everybody in Active Directory in whatever application you might have. Is there a different set of users? How does that work? So it's not identity list. It's an authorization list of everybody that's there. Can they access or can they not? Not only people, but think about devices.

(20:03):
What all devices are on the network? Not just computers and Active Directory. What about that CNC machine? What about whatever it may be? What about that Echo that somebody plugged into the network? Is that... that really be on the CUI network, you know? I'll give you a hint, probably not. But it probably is if you're asking us,

(20:28):
don't plug it into a business network. But that brings up a whole other topic of stuff, you know. If you have a, if you have an Echo, this is a little bit of a tangent, but if you have something like an Echo that listens to you, you know, guess what, if it's in an area where there's CUI, it can hear people talking and guess what, it's in scope now. So you have to think about that.

SPEAKER_02 (20:47):
Try and get Amazon to get all the proof that they're certified and compliant.

SPEAKER_00 (20:55):
Right. You need it for that. Yeah. So to go on about access control and authorization and identity, a lot of things that people don't think about is service accounts, application accounts. You have an account that runs your SQL database. A good form is to create a separate account that these applications run in and not just give them, just not run them

(21:17):
under system or domain admin, right? You really shouldn't do that. So, but most people will create an application account or, you know, some kind of service account or something like that. Those need to be listed out. Do they have access to CUI or not? Anything that runs anything automated, you know, scheduled tasks or anything else, you know, those, you need to look at those and list those out and say, yes, yes or no, these are

(21:42):
authorized to access CUI. So

SPEAKER_02 (21:44):
my printer scanner needs to be an authorized user.

SPEAKER_00 (21:46):
Well, it needs to be in an authorized list, yes. So your printer scanner, absolutely, it's a device and it needs to be, it needs to be listed.

SPEAKER_02 (21:55):
I know we keep mentioning scope. Kind of diving into that a little bit more, because it was a topic you said of, uh, of some of the, the talks there. Um, so we just kind of want to dive into where CUI lives and how a business might figure out where their CUI is really going and traversing.

SPEAKER_00 (22:12):
Uh, you know, really the, the first, there's a couple of keys to this. The first key is to figure out what you have. Do you have CUI? What kind of CUI is it? And if you're a manufacturer, hint, hint, it's probably controlled technical information, but not necessarily, I guess. So it could be something else. I think somebody at one of the conferences kind of pegged it at

(22:34):
75% of this information we're talking about, because it's the defense industrial base, is going to be controlled technical information as far as CUI goes, because the CUI registry is huge. There's a lot to the CUI registry, nuclear and PI, PHI, all sorts of fun stuff. You need to figure out what kind of data you have and whether

(22:57):
it's specified or not and what kind of dissemination controls are on that. Is it ITAR data? Does it have a no foreign on it, which is no foreign citizens, right? Only U.S. citizens. Similar to ITAR, you know, that's a– well– With ITAR, for us, that's the biggest. Only U.S. citizens can see or access that data, right?

(23:20):
So at which point, for instance, if we're talking about Microsoft 365, GCC, or GCC High, that's what makes the difference, right? There's some other things there with GCC and GCC High and why everybody recommends GCC High and not GCC, but that's another whole discussion in and of itself. But anyway, the key is to figure out what kind of information you

(23:44):
have. And then you do basically a data flow map, right? And you have to figure out where that goes and think about your whole process, not just I get it from outside and it comes inside my system. Think about where do you get, where, how do you, how does it come into you? Through email? Do you download from a portal?

(24:05):
What machine are you on when you get it in email, or hopefully not email, but if you get it through email or through a portal, what machine are you on? How do you do that? And then where do you, where do you put that information? Does it go directly into an application of yours, this pro job boss, whatever it may be, uh, or does it go into a file system and, you know, where does it flow after that?

(24:25):
Is there, you know, is it go somewhere else into a separate application? Where all does it go in your system? Does it get printed out? Is it hard copy? Does it go on a USB stick? What happens to that? So you need to figure out your data flow, all parts of your data flow, draw it out, because most people, it's a lot easier to track it.

(24:46):
Most people are a lot more visual with this kind of stuff, you know, a little flow diagram with all your systems. And then if you need to get it out to somebody else outside of your scope, we'll just say organization, but your scope, wherever you scoped, if you need to get it to somebody outside of that, how do you get it to them? You know, again, hopefully not through email, but, or if it's

(25:08):
through email, you take the appropriate precautions. But how do you get it to them? Is it a portal? Is it a veteran file sharing program? What is it? So how do you get it to them? So you've got to figure out that data flow, where everything goes, what devices it touches. Is it over wireless or not? And all that fun stuff. So once you have that figured out, then...

(25:28):
then you can move forward with things. Another thing people talk about is something I just mentioned, is printing it out. People forget about hard, or does it come to you in a hard copy? Do people FedEx you a package? And if they FedEx it, what happens to that hard copy? Do you scan it all in? Do you copy it?

(25:50):
What happens with it? But that hard copy of that CUI is CUI. And that brings in also alternate work sites. So, you know, this hard copy of this, for construction companies, for instance, you know, this hard copy of this,

(26:12):
it's going to go to that job site in that trailer on the job site, you know. Well, guess what? That's an alternate work location. And that hard copy you have, that's CUI. It has to be protected on that job site. And that job site, you now have an environment of the job site that is part of your scope because it's an alternate work site.

(26:33):
So those kinds of things people think about. The other thing is people, they did suggest during CMMC Day, there were some people that suggested sending out a CUI survey to staff. There isn't a presumption there. They know what CUI is. That your staff understands how to spell CUI at least, you know. So there you would need to start by making sure that there's

(26:59):
where good training comes in. Here is your DoD mandatory CUI training. Go through it. And here's the vendors that we have or the customers we have where we do this work with. Do you think you have CUI? Do you think you touch CUI? What happens to it? So a good idea is to send a survey out to some of your users

(27:22):
and maybe key users, maybe not everybody, but maybe key users, and say, where does this CUI live? Because what the general manager thinks is happening may not be actually what's happening. And so like for us in an IT company, it's easy for me to say, here, here's this environment. Here's this enclave for you.

(27:42):
Just keep it all in there. It works great. What about this machine I need to get it to? How do I do that? You've got to keep it all in the enclave. Anyway, so it's easy for us to say something

SPEAKER_02 (27:54):
like– How do I get it to the customer? I just emailed it to them.

SPEAKER_00 (27:56):
Yeah, yeah. So it's easy for somebody that's not doing the job to say, just do it this way. And so you've got to include those people and figure out– where your CUI is living at and what happens with it.

SPEAKER_02 (28:10):
Yeah, and that's one of the biggest struggles that we find when we're first engaging with somebody to get them from noncompliance to compliance. Further down that path is we always typically get a moment of panic, because what's happened is in all your years of business,

(28:31):
you found the path of least resistance to get data, you know, around the office, around the shop floor, and that... that you're doing may be working for you now, and you may be able to get it in a situation where it is compliant, but oftentimes it needs to be adjusted.

(28:51):
And so-

SPEAKER_00 (28:53):
Oh my God, we've got to change everything. It's going to change our whole flow. Everybody's going to be upended.

SPEAKER_02 (28:58):
Yeah. So you, and there may be some processes that your employees are doing that you don't necessarily know, or your coworkers are doing that you don't necessarily know are happening to get their job done on a daily basis. And so, and because it's the path of least resistance, very well may not be compliant.

SPEAKER_00 (29:17):
You said that that's one of the most common things that happen. Another common thing that happens is when you initially start in on conversations with a new client, one of the things that happens is, well, I don't know what CUI is. Can you tell me what CUI is? So a lot of people are starting at that level and don't really understand.

(29:38):
So that's why we say you've got to start with the basics and figure this out from the beginning. Because if you don't start there, you're starting off on some possibly, very likely, some bad assumptions.

SPEAKER_02 (29:51):
Yeah, another thing we face is, okay, I get it, I get it, I get it. We're not compliant. Just get me there. Let's just implement. It's like, well, okay, sounds great. But we still have to go back to the fundamentals, because we're going to skip through a lot of stuff and you're still going to end up not being compliant. Like we still have to do a gap assessment analysis or some, some form of understanding where you are and where you need to be,

(30:15):
what's happening in the business, what's going on, even as the business owner that's working in every day or the GM or the quality manager. You might think, you know, but you really don't. Right. So you still have to do that process, even though it seems like an unnecessary roadblock. Another popular thing, especially among the technical crowd or if you're working at a company trying to get

(30:38):
compliance, real easy to go down the path of I'm going to buy a tool and I'm going to get compliant. So let's talk about tools, technology, some zero trust stuff that you had mentioned going to the show. We can get some of the technical points and also address what some non-technical people should know about tools.

SPEAKER_00 (30:57):
You know, one of the things we talk about is Microsoft 365 GCC and GCC High, because pretty much everybody understands the Microsoft commercial environment is not going to work for CUI. When you go look at the basic NIST 800-171 tenets, you're tempted to say, oh, this is FedRAMP and we can configure it

(31:19):
like we need it. And that's a large part true, except that it leaves out some core things with CMMC, like the DFAR 7012, 252.204-7012, the incident response kind of stuff in there, which pushes you over into Microsoft 365 GCC or GCC High that says you need to go

(31:41):
use one of those solutions. And Microsoft has a good diagram of what kind of information for all the different compliances, Sieges, everything, right? Which environment will fit. And they've got commercial, GCC, GCC High, DoD, and Secret, I

(32:03):
think, is what they have, if I'm not mistaken. Anyway, but we generally just look at the... up through GCC High. Technically, if you go, you can go with GCC if your information is not specified and doesn't have a dissemination control that prevents that information from leaving the country or leaving U.S. citizen control, right? There or not, you'll have to get the shared responsibility

(32:27):
matrix. You'll have to get, I understand it for assessors, you'll want a body of evidence to be able to prove that this is, because it's not... It's not FedRAMP authorized in the same way.

SPEAKER_02 (32:39):
You also don't want to design a system that precludes you from getting another contract. Exactly, and that's the other thing. Just to fit

SPEAKER_00 (32:48):
what works today. If you've got controlled technical information that there's no dissemination statement on, we'd have to see that. Potentially, I guess it could go into GCC. But really, you don't want to put yourself in that kind of position and then have to move over to GCC High, because if there is any sort of dissemination control on it, you've got to use GCC High.

(33:09):
GCC High is also federally authorized, and so you could use it. The– So really, it's a lot safer just to go ahead. This is what everybody says, and it's frustrating trying to figure out why in the world you can't go GCC and need to go GCC High, but it is a lot safer just to move into GCC High.

(33:32):
If you're going to whatever accounts, whether it's a subset or however you do it, anyway, it's a lot safer just to move over and use GCC High.

SPEAKER_02 (33:41):
Yeah, it's frustrating because it's four
times the cost of commercial.
Microsoft.
And

SPEAKER_00 (33:49):
it's an upfront payment for the year, for an annual
year.
And, you know, here's your $20,000 bill.
Salt in the

SPEAKER_02 (33:55):
wound, you know, all for $20,000

SPEAKER_00 (33:58):
is kind of a small bill too, by the way.

SPEAKER_02 (34:02):
But for email, you know, if you've been paying for
it, you know, previously, it's just kind of a frustrating expense.
It is.
Yes.
And so, but just, you know, we have not seen really a good
argument for, you... There's only been good arguments for going
GCC High in terms of the holistic picture, making sure
that you can get contracts, making sure that, you know,

(34:22):
you've buttoned everything up, because we're big believers in
let's go with a very defensible position.
That's accepted practice that people, you know, believe in,
that assessors are like, yeah, we would go that way instead of
trying to fight and prove every corner.
You know, when the assessor comes up and is trying to assess

(34:43):
whether you're compliant or not, it's easy in that sense to take
the path of least resistance from a compliance perspective
and just bite the bullet and do what the assessors want and the
government is wanting, and just bite the bullet.

SPEAKER_00 (34:57):
Absolutely.
And the other thing you need to think about is, this is all to
say, there are also other tools that will fit that arena there
for email and file sharing and stuff like that.
There's PreVeil, and I think Exostar has their own version
and stuff like that.
You just got to consider the pros and the cons of each.
You know, and we won't go into those here, but there are other

(35:18):
solutions.
It's just more typical to talk about Microsoft 365, GCC, and
GCC High.
But there are absolutely other tools.
You just need to look at them and figure out what fits your
company best cost-wise, workflow and everything else.
So one of the benefits I will say is if you choose a Microsoft

(35:40):
solution, 365 GCC High, is that you have, it's not just email
and it's not just file sharing, external file sharing.
There's Intune you can use and manage your systems.
There's all sorts of stuff, benefits you get from that,
from being able to do that.
But it depends on how you scope everything and what you want to

(36:03):
happen, right, with how you want your CUI to be scoped or your
system to be scoped for your CUI.
So that all matters.
So that's a little bit deeper of a discussion.
But everybody wants to know about tools.
And so this is basically the warning that, just like you hear
everywhere else probably, is that Microsoft 365 GCC High is

(36:24):
the way to go rather than GCC.
One of the other things...
two tools that everybody always wonders about is antivirus.
And one thing you have to think about is, you know, that
antivirus or that endpoint protection, it's not just antivirus any
longer.
But anyway, that endpoint protection, how is it managed?
You know, if it's managed in the cloud anywhere, the information

(36:45):
it has access to and the information that comes out of
that is likely going to contain security protection data.
And that, whatever it is, Microsoft, wherever there's
Defender, SentinelOne, or whatever it may be, that's a
security protection asset.
So that service now falls into scope for security protection

(37:07):
data.
So you've got to keep that in mind, right?
And whatever service you're using to manage that, if it's
all on premise, all in your systems, great.
If it's not, there's a cloud involved, then you need to
consider that.
But one of the tools that people are using that's especially,
if you go, this is one of the benefits of going 365 GCC High,

(37:30):
is Windows Defender.
All right.
You know, another thing that somebody, they talked about,
they kind of joked that zero trust is a lifestyle choice.
And I guess that might be a lifestyle choice, but zero trust
is one of those things that was not really necessarily
envisioned well, as far as a product goes.

(37:51):
It was

SPEAKER_02 (37:52):
first coming out around 2017 when they were first
really pushing the first version, like NIST.

SPEAKER_00 (38:01):
But now there's a lot of zero-trust choices
around.
And so really, if you think about it, zero trust is the way
you should configure your networks, and it fits very well
with CMMC because you– It's least privilege, because you
start with zero, zero trust.
So you start with zero trust and you say, you know, this is

(38:22):
trusted, that's trusted.
You know, it's a very simplified view of it.

SPEAKER_02 (38:27):
Zero trust for the non-technical people is, if
you're going to a bar or a club and there's a guest list, you
have to be on the guest list first before you get– allowed in
the club, right?
And so that's zero trust, but a lot more expansive and
complicated for computers, because you can do that all the

(38:47):
way down to applications that run, how they access network
resources, how they traverse specific applications, accessing
specific files and different pieces of storage.
There's a whole lot to it.
And it's one of the...

(39:08):
It can be an absolute disaster if it's implemented incorrectly
or poorly.
And if it's implemented well or good, it is the biggest bang for
your buck as far as, trying to forget compliance, just keep
things or people out of the club that you don't want.
So it works pretty well.

(39:30):
It's just a bit of an administrative burden.
And if it's not done right, it can be a disaster.
But I'll let you take it from there.

SPEAKER_00 (39:37):
No, it's a very good explanation.
And again, zero trust is what it says.
You start with no trust at all.
Whatever it is, we don't trust it.
We assume that bad stuff is happening and it's got to be
authorized.
So whatever it is, network access, it's whatever it may be,
file access.

(39:58):
But that's zero trust, deny by default.
That's a firewall rule too.
You deny by default and approve specifically whatever you
want.
But anyway, zero trust is a thing.
It's a good thing to implement.
But you also, you can't just grab any solution.
You need to understand whether it's going to have access to CUI

(40:21):
and whether it's going to have security protection data, SPD.
Hint, hint.
Yes, it is.
So you've got to think about those things in whatever
solution you look at.

SPEAKER_02 (40:31):
Moving on to the less formal aspect of it.
Always when you go to a conference, there's the
keynotes, there's the breakouts.
And then there's the cocktail discussions.
There's the at-lunch discussions.
There's basically the networking that goes on and the general
sense of what people are talking about and what kind of the

(40:55):
hubbub and buzz is.
What do you feel like, for people that didn't go and didn't get to
experience it?
What do you think the hubbub and the buzz was?

SPEAKER_00 (41:04):
The hubbub and the buzz really was the thing. But,
you know, as far as interesting chats and everything,
interesting things that went on that weren't necessarily
sessions and specifically CMMC controls and rules and stuff
like that.
One of the things was talking to another service provider like

(41:25):
us.
And there are a lot of people out there who don't understand
why it's going to cost so much and don't understand what is
CUI, you know, and how do I design it.
And so, you know, at that point, you know, it becomes a
discussion with someone about, or I guess really at that point,

(41:48):
it becomes a discussion: do you want to hire somebody in-house?
Because I guarantee you, if you just say, hey, Mr.
Quality Manager, Mr.
IT person, whatever it may be, you're in charge of our CMMC
compliance.
Congratulations.
I know you have a full-time job, but you can do this too.
You know, that really is not a problem.
It's not going to work. It may work for them to kind of manage the

(42:11):
project, and escort it along, but they're going to need
a lot of help. So you either hire that help internally, and there
really needs to be somebody that, this is their focus,
you know, this is what they do, or multiple somebodies depending on
the size of your organization. So this needs to be their focus.

(42:32):
They need to do this. They need to work on compliance. They need
to work on security, and they need to work on business process
and documentation, everything involved, right? So somebody
needs to be hired to do that, or you need to find someone to
contract with to help you with it, to help you decide how to do

(42:53):
that.
And it's not just hiring somebody and saying– either a
contractor or an internal hire.
It's not just hiring somebody and saying, hey, help us with
this.
It's, do you already have experience here?
Can you come up to speed?
Because if you hire somebody internally, if they hadn't
already been doing this, they're going to have to come up to
speed with CMMC.

(43:14):
I guarantee you, you'll want to send them.
It's expensive, but you'll want to send them to conferences.
You'll want to give them training.
They'll need to do the RP, RPO, or excuse me, not RPO, RP, RPA.
Those are really basic.
So you'll want to do a CCP, maybe even a CCA.

(43:35):
Those are Registered Practitioners, an RP.
Registered Practitioner Advanced is an RPA.
Those are both obtained through the Cyber AB.
A CCP is a CMMC Certified Professional, and that is
through a licensed training provider.

(43:56):
And it's a week-long class, very detailed, intense week-long
class, and a detailed, intense test.
Okay.
Not so intense it's impossible to pass, but you need to know
what you're doing to pass that.
And then a CCA is for an assessor.
It's a CMMC Certified Assessor, which is good because a CCP–

(44:21):
you'll understand how assessors are going to assess things.
And CCA goes really into depth in that.
So if you send somebody to take some CCA training, become a CCA,
there's some hurdles there to actually become a CMMC Certified
Assessor.
So whether you want them to actually become certified or

(44:42):
not, it would be up to you.
But the training and the test is very, very beneficial.
So those are all things.
If I was to hire an internal person to do this, I would send
them through all that.
And send them to multiple conferences.
It's not an inexpensive endeavor.
Otherwise, you look for a company to hire to help you with

(45:04):
that, to contract to help you with that.
And you need to make sure that they have RPs,
CCPs, maybe even CCAs on staff. But you need to look for those
companies that have that as well, and part of their life is
CMMC.

(45:25):
So you don't want to just hire any old Joe off the street that
doesn't have any credentials or any way to say, I have this
experience, right?
But that's one of the things that came up, is that there are
lots of people out there, lots of companies who still are
struggling to implement this.
And so that's one of the things that came up.

(45:46):
Another interesting thing that came up, I referenced a while ago,
is the reason all this is in play. You just look towards China
and look at their military equipment.
You know, their plane that looks like– I don't have the model
numbers here in front of me.
I can't remember.
But their plane looks like a Joint Strike Fighter.
Their Humvee look-alike.

(46:07):
You know, they've got ships.
They've got missiles.
There's all sorts of things that they have that– They look
amazingly like ours for some strange reason.
And the reason is not so strange.
We know what's happening.
There's a huge intellectual property theft problem going on,
and it's still going on to this day.
They're masters at it.
They started way back a long time ago.

(46:28):
And, you know, our business and our politicians and everybody
else, everybody really was just, you know, very interested in
helping China along, come into the global economy.
You know, we'll send people over to your country
to help you out.
Uh, we'll teach you how to do, how to implement these cell
networks, you know, and all that kind of fun stuff.

(46:48):
Well, meanwhile, China's stealing all that intellectual
property.
And, um, uh, one of the sessions outlined two companies, I called
it Company A and Company B.
Um, and, uh, Company A was a $300 billion company in the early
2000s.
They had a global presence.

(47:09):
Their network equipment was everywhere.
Here I am thinking, my gosh, that's Cisco.
There was another company, too, that was everywhere.
I remember buying their equipment.
That's great equipment.
Let's buy this.
Anyway, but their equipment was everywhere, and the Chinese
hacked them, and they had been in their network forever.

(47:32):
For decades, actually, but over a decade, they had been in their
network stealing stuff.
And they found out about it.
And you know what they did initially about it?
Zero, zilch, nothing.
It's not that big of a deal.
We're smart people.
We have...
We're constantly innovating.

(47:53):
Guess what?
They're stealing that innovation.
And so what happened to Nortel Networks?
Does anybody out there buy any Nortel Networks equipment these
days?
Not anymore.
Not anymore.
They went bankrupt.
And, you know, they stole all their stuff.
And they started selling it cheaper under Chinese names, you
know.
Same thing with Company B, who was, I don't remember, under $100

(48:17):
billion.
Somewhere just under $100 billion or something company.
They have telecommunications gear everywhere.
Telecommunications, I'll say endpoints at the outset anyway,
everywhere.
Yeah.
And anyway, they sold globally.

(48:37):
They were a big company.
And then they started working with China.
China said, hey, we need help with our stuff.
Can you help us out?
Oh, yeah, we'll help you out.
And, well, when they did, they stole a bunch of stuff, and then
they started replicating it.
And that company was helping set it up in their country.
So they're learning how to do this.

(48:59):
And so that company is Motorola.
And so Motorola is a shadow of its former self now, and they're
not in the business segments they were.
They've sold all that off, and now they're in other segments.
And so one of the companies that came as a result of all this is
Huawei, and they– They're 30% of the global telecommunications

(49:23):
network now.
They have an amazing ability to spy into other countries now.
And it's all because of how we kind of dismissed it and just
let it go.
And it's great business.
It'll be great business for us.
It's great business for them.
It's all wonderful until it's not.

(49:44):
So start there and then fast forward, and they're still
stealing all of our stuff.
And all these years we've been going, it's okay, we want the
business.
It's okay, we want the business.
And now we're starting to lose our– we can see– I'm not going

(50:05):
to say we're starting to lose, but– I know military people will
say that's not right.
But we're getting to the point where we could see where we will
lose our advantage, because a lot of our advantage is
technological.

SPEAKER_02 (50:18):
We used to have– quite a lead, they say, on China and
other countries from a technological perspective.
But now it's like only a few years.

SPEAKER_00 (50:29):
Yeah.
Head start.
It is.
It is.
It really is.
Yeah.
You look at all sorts of stuff.
AI requires big data centers.
You can argue about where the United States and China are in
the AI race.
Those are good arguments to have, but the point is they're
still stealing a lot of that stuff.

(50:51):
And they don't care about environmental policies.
They'll go build as many data centers and run them off of coal
or whatever they need to run them off of to get those data
centers up and going.
And we constrain ourselves a lot, but the point is that there
really is a threat from China, but also other countries,

(51:15):
you know, there really is a threat to us, and we need to keep
our advantage, intellectual property and the military and
the, we need to keep our edge there and not just, we've been
giving it away.
Frankly, we've been giving it away and we need to stop giving
it away.

SPEAKER_02 (51:31):
So you're, that's kind of some of the conversation
amongst the people at the, at the show, is maybe more than just
the business aspect.
There is, yes.
To all this.
Kind of just wrapping it up, bringing it home.
We've talked about scope.
We've talked about what people are doing wrong or still getting
tripped up on.
We've talked about some access control.
We've talked about the hubbub, and we've talked about the

(51:51):
themes from CMMC Day 2025.
What are some good, actionable steps that people can take based
on the information that was available, that you kind of
learned at CMMC Day 2025?
One

SPEAKER_00 (52:06):
of those things, to boil it all down, is trying to
figure out how to get started.
You start at the beginning, right?
You know, start in the middle.
You figure out where the beginning is, and we've told you
where the beginning is.
The beginning is figuring out what data you have or will have
or potentially have, however, wherever you are in the process.

(52:27):
What data is it and where does it go?
Scope everything properly.
That is the very beginning.
You have to figure out what you have, where all it goes, where
it comes from, where it goes in your systems, all that kind of
fun stuff.
Map that out properly and come up with a scope.
And if it's all over the place, you probably want to narrow your

(52:47):
scope so you don't have to scope.
You can change your scope and change where CUI goes.
That's a change of business practices and business
processes, I should say.
The idea is to start at the beginning.
What data do you have?
Where's it coming from?
Where's it going?
So another thing that kind of goes in with that is there's a
lot of people who have already started this process.

(53:09):
And however far down the process you might think, you know, we
thought we were done.
But when, you know, step back, come out.
Review where you're at.
Go back to the beginning and figure out what kind of data you
have and if it's scoped correctly.
And then look at your documentation.
Your SSP is important.
Look at that SSP.

(53:30):
Is it concise, and does it contain enough details?
Are your policies correct?
Are they overly broad?
Those kind of things.
Your documentation, you want to take a really good look at.
Once you start at the beginning, you need to look at your
documentation and see that your documentation is appropriate.

(53:50):
And there will be a lot of documentation.
I say keep your SSP concise.
And just by concise, I mean not... Again, not eight miles long.
So enough details to explain what you're doing, but not your
whole policy inside your SSP.

(54:13):
It can reference your policy, but then again, it can't just
reference your policy.
You need to have some details in it.
So those are the things I would say that people should do next,
is start at the beginning.
Even if you're all the way through, almost to the finish
line, go back, start at the beginning, did you start out
properly?
And if you started this several years ago, the likelihood is

(54:36):
that you didn't start it properly, and just go back and
review.

SPEAKER_02 (54:39):
We always recommend, whether someone is DIYing or not,
to work with some certified professionals just to get help
and help with the guidance.
If you want help with that, you're welcome to reach out to
us.
We'll drop a link down below.
We're offering a free roadmap to an SPRS 110.
So basically look at where you are now, look at your policies,

(55:00):
spend a Lars with you to figure out what steps you could take to
get it in a better position.
So not a sales pitch or anything.
It's just we're really educationally focused here,
hence the podcast.
And so we just want to help offer that as a resource for our
listeners.
Well, do you have anything else to add for CMMC Day 2025?

(55:22):
I

SPEAKER_00 (55:22):
think that pretty well covered it.
It's a really good conference.
So if you missed it this year, you know, watch this podcast.
So I guess if you're at this point, you're watching this
podcast, but, uh, and then the other thing is sign up for
next year.
Like I said, it's a good one.
It's a one day, or there was a couple other days of that
conference, but they deal with other, other related things, but
other things, uh, I'd say CMMC Day is really good, to the point.

(55:45):
Uh, it's a good thing to go, to go do.

SPEAKER_02 (55:48):
Awesome.
And we're going to be at, uh, Sequest in Las Vegas in a couple
of weeks.

SPEAKER_00 (55:52):
We will, we'll be at Sequest.
Absolutely.

SPEAKER_02 (55:54):
We will not be exhibiting.
Uh, but if you want to stop by, have lunch with us or, uh, chat
with us, um, you know, in the, in the commons, um, then, then we will
be there. So just look for a smiling face. If you have
questions about what we covered, please reach out to us. We're
happy to help fast track you through your compliance journey.
Uh, text, email or call in your questions. Uh, we're here to

(56:15):
answer them for free on the podcast. You can find our contact
information at cmmccomplianceguide.com. Stay
tuned for our next episode. Until then, stay compliant, stay secure,
and like, subscribe, and share.