Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:05):
from Justice IT Consulting.
We are here to help businesses like yours navigate CMMC and NIST 800-171 compliance.
We're hired guns, getting companies fast-tracked to compliance.
But today, we're here to give you all the secrets for free.
So if you want to tackle it yourself, you are equipped to do so.
Let's dive into today's episode.
(00:26):
CMMC on the shop floor: a no-BS guide for CNC and aerospace machine shops.
If you've ever looked at your CNC machines, coolant-soaked travelers, and that old XP machine in the corner and thought, how can I make this CMMC?
You're not alone.
(00:46):
Most of the advice out there is built for IT guys, enterprises, and not machine shops.
Certainly not ones running DoD or ITAR jobs with two or three shifts and production that can't stop.
This episode is a real-world playbook for making compliance work in environments like yours.
Okay, so the first question I've got for you, Brooke, is probably one of the most deliberated questions for manufacturing floors and machine shops, and that is, what actually counts as CUI?
(01:07):
Because CUI determines scope and how much you have to protect for CMMC.
Right.
SPEAKER_01 (01:24):
So hopefully all your CUI, first of all, is coming in properly marked.
So try not to laugh.
We know all of it comes in properly marked.
I know it doesn't, but...
So what you have coming in is CUI, properly marked or not.
(01:52):
To address the "or not" part, if you have what you think is CUI and it's not marked, then technically you should go back to your customer and say, hey, I think we got this.
It looks like CUI.
It smells like CUI.
It quacks like CUI.
I think it's CUI.
So should this be marked CUI?
And they can either tell you yes or no, or they may just tell you, yeah, everything under this contract is CUI, which is another case altogether.
(02:15):
But the other thing with this is, if you think it's CUI, you have to protect it like it's CUI.
And you can't just turn a blind eye and go, nope, it's not marked, and so I don't think it's CUI.
So if you think it's CUI, then you have to protect it like CUI.
(02:35):
At some point, hopefully, the government and the primes get better about marking it.
But assuming you know what CUI is and it's marked coming into your shop, then you have that paperwork that is CUI and you know that's CUI.
So anything that comes from that, any derivatives from that, like drawings, drawings of different parts or something like that that come from that, they're going to be CUI.
(03:01):
Unless for some strange reason you pull out something off of that drawing and it's only an off-the-shelf product and it is not anything CUI, and you'll have to prove that. But if it's done in performance of that contract, you can pretty well bet it's CUI.
The G-code that you send to machines, that's CUI.
(03:23):
In fact, the Cyber AB just had Jim Goepel on the last town hall in June.
He's a really bright guy.
He's written like three books on CUI.
He's legal counsel for FutureFeed and has been in and around the industry and DoD and all that for a long time.
(03:46):
Anyway, I would say he's an authority on CUI.
He said that the majority of the time that G-code is going to be CUI.
You can consider it CUI.
What's not CUI, surprisingly, and there's a little bit of debate on this, because in some places it's not well-defined, but what's not CUI, and everybody pretty much agrees on this, is the actual part.
(04:07):
Now why that's not CUI, I don't know.
Maybe it's not information.
You can glean information from it, but anyway, generally the actual part that you're making is not considered CUI.
(04:29):
Not that you should, you know, go send it to a foreign country or anything.
So yeah, all those things are considered CUI.
I have another thing on here just to remind me.
Something you mentioned, that coolant-soaked traveler.
(04:52):
Those are also considered CUI.
So paper CUI, hard copy, that's still CUI.
It still needs to be protected.
If you're not using it, it needs to be covered up or it needs to be
SPEAKER_00 (05:04):
locked away in a drawer.
All those drawings and prints, the travelers with part specs, specifically the specs, and G-code, pretty much, rule of thumb, you can consider CUI.
Just a quick follow-up on that, Brooke.
I know this is the CMMC Compliance Guide podcast, but in terms of the Venn diagram, we often overlap a lot with ITAR regulations and weapon systems, just naturally, being a defense regulation, right?
(05:24):
So I want to, although we're not ITAR experts, just specifically address ITAR data real quick because we do see that a lot.
(05:45):
What do you do with ITAR data?
SPEAKER_01 (05:48):
Generally, ITAR data, the biggest thing for CMMC and CUI is that that ITAR data is going to be export controlled, and only US citizens can access that data.
If it's properly marked, it's going to say CUI, probably controlled technical information, and then no foreign citizens can view it, or something like that.
(06:10):
It's going to have some sort of dissemination restriction on it.
And so technically, you just have to worry about CUI, but you can pretty well bet that that ITAR data is going to be export controlled.
And that means a lot for whether you go with GCC or GCC High.
(06:31):
And there's a very small window.
Well, in general with defense contractors that are manufacturers, that's a really small window of people that can use GCC as opposed to GCC High.
(06:52):
But it affects other things like that, the services, the cloud services you use and things like that.
SPEAKER_00 (06:54):
Yeah, and I think that's a good thing to touch on, the importance of, if you're not handling ITAR data right now or you're trying to maybe get into a GCC instead of GCC High, really step back and think, what might I bid on in the future, so you don't exclude yourself from work.
Now, if you just want to build a system that is set up to do exactly what you're doing now, then by all means, go ahead.
(07:18):
But some of those things cost a lot of money to engineer later to satisfy a bid requirement.
So understand that if you're not building out for ITAR regulations or...
I'm not sure the specifics, what would get you in GCC versus GCC High, but just make sure that you're not putting yourself, backing yourself into a corner on what you can bid for in the future.
(07:38):
So another question I want to bring up is enclaves.
Machine shops, manufacturers are always told, just get an enclave, put in an enclave.
To enclave or not to enclave?
Yes.
And you'll just be good, which is often good advice, but for manufacturers, specifically manufacturers, it's different.
(08:00):
And I'd
SPEAKER_01 (08:00):
say specifically small manufacturers.
SPEAKER_00 (08:02):
Specifically small manufacturers, yeah, exactly.
And...
There's reasons for that, and there's reasons why you might, not that it's bad advice, but can you just kind of walk us through how that doesn't apply or is maybe not always working for a CNC shop or a small manufacturer?
(08:22):
An enclave
SPEAKER_01 (08:23):
can and will work if you can separate out the CMMC work from everything else.
And that may mean that you have to have two versions, two computers with SolidWorks, depending on how you want to do your enclave.
If you can separate that out, then an enclave is a good thing.
Because you don't want to pierce that enclave, because once you pierce the enclave, whatever you pierced it with, now that's in scope.
(08:46):
So you just expanded your enclave, right?
So you need to think about that.
And if you can do that, that'd be great.
A lot of small shops, if they get the majority of their business from the DoD, and so most of their business or all their business is...
(09:07):
Well, that's understandable if it's all, but if it's most of your business that is DoD, then it's likely that everybody will have the need to touch CUI.
It's possible that you might have to scope some people out of it, like whoever deals with accounting and QuickBooks.
(09:30):
You can scope them out.
But in that case, your enclave is large and your non-enclave is small.
So yeah, for small shops that have most of their work with the DoD, it's kind of hard to create an enclave, because that enclave is basically saying we're gonna take all the CMMC stuff and we're gonna put it in this enclave and everybody else is gonna be outside of
(09:51):
SPEAKER_02 (09:59):
that.
SPEAKER_01 (10:00):
If you have a larger shop and you have 50-50 work, 50% DoD and 50% not, it makes sense.
Or 25-75, or maybe even 75-25.
It makes sense because you're still going to have a lot of people that don't need to be doing that work.
But for small shops, sometimes the owner and somebody else are the ones that send out the quotes and pitch in on getting drawings and whatever else.
(10:26):
They may need access to that CUI.
In a small business, you wear a lot of hats.
That's just how it goes in small business.
(10:47):
So those are the kind of reasons that a CMMC enclave might not work.
But if you can do an enclave, it's a really good thing to do and to separate
SPEAKER_00 (10:58):
everything out.
Another thing I'd like to bring up, just to kind of close this question out, is, for example, you brought up the G-code earlier and how it's often considered CUI, right?
Yes.
So...
If that G-code is created in the enclave and you need to get it to the CNC machine, does that not break the enclave?
(11:18):
Well, you can put it on a...
SPEAKER_01 (11:20):
on a FIPS-validated encrypted USB stick, for instance.
They have these little USB sticks with a little code on them.
Very handy, easy to use.
They work on older equipment as well as newer equipment.
It just shows up just as a regular USB.
So those are really good ways to do that.
Now that now has CUI on it, and it has to be labeled, it has to be protected, the whole nine yards, but that's a good way to get it over there, is to sneakernet it, basically, to
(11:46):
SPEAKER_00 (11:52):
your CNC machines.
The reason I bring it up is because oftentimes when people are told to get an enclave, it's in the cloud somewhere, you know, and they're wanting to get in VDI solutions, is oftentimes what people think of as an enclave.
(12:14):
So if you're dialing into a VDI solution and you download that CUI onto a stick, to put it on the stick, is the computer you download it to now in scope?
SPEAKER_01 (12:19):
Yes.
SPEAKER_00 (12:20):
If you use a
SPEAKER_01 (12:20):
VDI solution and you don't kill all means to move information back and forth between the computer that connects to the VDI system and the VDI system, in other words, you've got to kill copy and paste, you've got to kill the drive mappings, you've got to kill printing, you've got to kill all those things and disallow all that.
(12:42):
If you disallow all that, then the machine that connects to that VDI system, yes, it's out of scope.
But that also means that you can't download data from that and put it on, I mean, you just killed the ability to do that.
So you can't download that data to that computer.
If you leave that open, and the ability to download that
SPEAKER_00 (13:00):
data, then that machine is now in scope.
I'd just like to bring that up because you get caught, the wrench gets thrown in the plan whenever the details come out, right?
Yes.
And that's often an enclave or a VDI solution solves all your problems as a defense contractor until you actually put it in your workflow and you need to get the dang file to the machine.
(13:23):
Yep.
The cutting file, right?
It's where, like, a VDI solution, hosted desktops, dying and just offloading all of this responsibility to a solution provider just doesn't work.
If that CUI has to get into your building and onto a machine, you're gonna have to scope something in the building regardless.
(13:46):
Okay, getting to the no-BS portion of this guide for real-world shops.
What actually works for real-world shops actually producing parts and getting defense work, not theoretical, not someone that wants to get into it, but shops that are actually doing this, what do they do and what works?
(14:06):
SPEAKER_01 (14:11):
Well, we addressed some of it already.
You know, a good solution is to have your CNC machines off the network, and that way, have a USB stick that's encrypted with FIPS-validated cryptography.
And then one that has a little code on it that you can punch in.
Again, we've found that those are really good.
(14:33):
Old machines can read them, because some of these CNC machines are a little old, and you don't want them on the network.
So that works really well.
You can put them on the network, but you have to be very careful what you do, and you have to secure them on a secure VLAN or a secure subnet, either one, and make sure that you cross all your T's, dot all your I's.
(14:56):
The USBs also, just like everything else you have, they have to be inventoried, they have to be kept track of, they have to be protected.
So don't forget that part.
Not only do they need to have that FIPS-validated encryption if they hold CUI, but they've got to be labeled, inventoried, tracked, everything.
(15:18):
The other thing is travelers.
If you have a printer in your enclave environment, you can print out that CUI, that traveler, and use that traveler to go do your work.
(15:39):
Do you have to have a cover sheet on that traveler?
SPEAKER_00 (15:42):
Yes, you should have a cover sheet to cover it up when you're not using it.
Following up on that question a little bit, Brooke, I just want to dive into the USB thing you mentioned earlier with the punch code on the stick.
It's actually like a physical... like a lock or something.
There's a little keypad, yeah.
And so you physically punch it in and then there's a little electric card or something that unlocks the encryption once it's plugged in and you punch that code in.
(16:05):
So it removes all passwords and typing in.
I want to dive into that because...
It's a very simple process.
You might have to buy a bunch of $100 USBs, which seems ridiculous.
It solves a lot of problems, it seems, and over-engineering solutions in a lot of shops.
(16:30):
And it replicates the workflow that a lot of shops currently have.
And I just kind of want to dive into that a little bit more because I think people think of really complicated solutions to solve these things.
In reality, they could use a USB stick like this and avoid a lot of frickin' headache.
(16:52):
You can design a
SPEAKER_01 (16:54):
solution where you can get those on the network.
You still have to secure the CNC machines, that is, because most of them are going to be older.
You're not going to be able to secure them.
You can't put all your security software on them, the whole nine yards, because they control machinery.
And a lot of times you'll void the warranty with those if you put your own security software on there.
(17:16):
Which is fun.
You can put them on your network again, but you have to secure it off, you have to design it right to make sure that you're taking all the proper precautions.
I have seen, I went to a manufacturing show, and there was a vendor there, a large vendor, that was selling a device that sat between a secure and an unsecure network, basically, so your CNC network and your CNC machine network, right?
(17:39):
And it would be the director of the data, and so it could take in the encrypted data, and then it can move it over, and there's all sorts of parameters you put around this, right, to keep it safe.
(18:02):
And then the CNC machines can then take that from the other side with less or poor encryption or whatever, anyway, and pull that off and use that for the CNC machine side.
It's a great idea, and you can bridge two networks like that and still do it over the network.
(18:25):
However, those machines were like $15,000 each, and they only go to one CNC machine.
We have quite a few manufacturing customers, and I don't know any of them that just have one or two CNC machines.
(18:45):
That expense would rack up really quick.
Just like you said, a really good solution to avoid cost is to have your FIPS-validated and encrypted USB drive.
And like I said, the one with the little keypad on it, those work well.
(19:06):
If you use that to move data and then cover your bases with your other things, inventory it, track it, label it, all that kind of fun stuff, then you've got your solution in place and that's a very workable and very secure
SPEAKER_00 (19:21):
solution.
I think the last question is a really good segue into this one.
So I'll go ahead and ask you, how do you handle old CNCs and operational technology, OT in CMMC speak?
Right.
How do you handle that in terms of CMMC compliance, and if you want to connect them to your network, or should you?
(19:41):
What are your thoughts on that?
For CNC
SPEAKER_01 (19:45):
machines, operational technology, internet of things, stuff like that, they're counted as specialized assets, and as long as you secure them in some way, and certainly keeping them off the network does secure them.
Sometimes, though, those need to connect for updates or something like that, so you may need to put them on a secure VLAN or secure subnet.
(20:07):
You may have a rule in your firewall, for instance, to only allow access to vendorA.com or something to download updates or something like that.
The rule can be turned on or off, you know, whenever you need to access it.
But you could do something like that.
(20:29):
But those specialized assets, as long as you have secured them away from your CUI network, your CMMC-certified network, as long as you have secured them off from that, then as long as you have them inventoried and say, yes, we have these,
SPEAKER_00 (20:43):
then they're out of scope.
So my next question for you is, what does an assessor actually want to see?
All the CMMC controls and all that stuff doesn't really ultimately matter.
You know, it does, but at the end of the day, your assessor is the one that's certifying you, right?
Right.
Absolutely.
Let's talk real world.
No BS is the theme of this episode.
So brass tacks, what do assessors actually want to see?
SPEAKER_01 (21:07):
Well, as far as we're talking about operational technology mainly, so they're going to want to make sure that you have everything documented, you have a list of all that equipment, and that you know where it is and all that kind of fun stuff.
They want to see your network diagram, how it's designed.
They're going to want to see your policies, for how your policies are written, for that OT equipment, for the process to get information over to them, like the USBs we talked about.
(21:30):
They're going to want to see your SSP and your overview of how, well, assuming that's what your SSP is, but anyway, your overview of how you've secured those and what you're doing with that OT.
(21:52):
That's basically what they're going to want to see.
They're also going to want to see some proof, so screenshots of how, if it's connected by network, screenshots of how it's actually configured, stuff like that.
They'll also probably ask you, you know, questions about, you know, how do you do this, how do you do that, to make sure it
(22:18):
SPEAKER_00 (22:20):
meshes with what you've got documented.
In summary, what an assessor wants to see is, if you're actually, if you're doing it, it needs to be documented.
If you're not doing it, don't fake it, because they'll be able to smell that out, right?
Yes.
Okay, so if I'm a machine shop, and by the way, it's July 4th, the Fourth, America's birthday.
(22:47):
Happy birthday, America.
I got my shirt.
Nice shirt there, yeah.
Thank you.
I think this episode comes out on July 4th, so that's why I brought that up.
So if I'm at a machine shop now, listening on July 4th, America's birthday, what should I go check or do this next week when I come into the office Monday, sunburnt, and with a bunch of burgers and hot dogs in my belly?
(23:08):
What should I do first thing when I get to work?
Well, you should first of all make
SPEAKER_01 (23:19):
sure before you get to work that all the fireworks have been cleaned up.
So there's always a big mess after shooting off all the fireworks.
So really what you need to do is map your CUI flow.
It's a data flow diagram.
Figure out where it comes from, where it goes to within your systems, cloud systems included, like Microsoft 365, for instance.
(23:41):
Figure out where it goes, figure out where it goes out to subcontractors or your vendors if it does.
So do that data flow diagram.
Create some network segmentation, either VLANs, subnets or air gaps or something like that to separate that operational technology.
(24:01):
Lock down your USB usage.
So just like we talked about, you can tell we like those USB sticks that have FIPS-validated encryption and have the little keypads on them because they work with old equipment as well as new equipment.
(24:24):
You don't have to worry because sometimes you run across the newer USBs that don't really work on, some of the security features don't necessarily work on the old stuff, but those seem to work nice.
Handle paper: you still need to protect paper CUI, hard-copy CUI.
(24:45):
You still need to cover it up when you're not using it, put it away when, covered up when you're not using it at the time.
If you're overnight or whatever, you know, or not using it at all, it needs to be put up and locked up.
So
SPEAKER_00 (25:03):
don't forget about your paper, your hard-copy CUI.
Yeah, everyone's always real bummed to hear that the paper's CUI too.
Yes.
And the other
SPEAKER_01 (25:11):
bad part, and we'll just touch on it here and leave you with this bad taste in your mouth, but the old CUI you have from like stuff you did, you know, 10 years ago, guess what?
That's CUI, and it matters, and it has to be protected.
So don't forget about that CUI.
(25:32):
We'll just touch on that for right now.
Document all your legacy systems.
Don't ignore them.
Make sure you explain them.
And explain them is a good segue into your SSP.
Your SSP should tell a story of how you do things.
(25:53):
They should be able to read through that and understand everything from a high-level view, how you're doing everything, how you're meeting all those controls and all those assessment objectives.
SPEAKER_00 (26:05):
If you have any questions about what we covered here, please reach out to us.
We're here to help fast-track your compliance journey.
You can text, email, or call us, and we'll answer your questions for free here on the podcast.
Find our contact information at cmmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant, stay secure.
(26:27):
Like, subscribe, and share.