
October 31, 2025 46 mins


Get the inside scoop from CS5 East 2025, the largest cybersecurity and compliance event for the Defense Industrial Base. In this episode, Brooke and Stacey from Justice IT Consulting break down the biggest CMMC updates, Operation Midnight Hammer, and how AI is reshaping compliance.

Learn what the Cyber AB announced, how CMMC Phase 2 is rolling out, and what contractors should expect next. Whether you’re a Compliance Officer, DoD Program Manager, or small-business GovCon, this recap gives you the context and clarity you need to stay ahead.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:21):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey and I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do

(00:41):
so. Let's dive into today's episode and keep your business on track. Today we're unpacking highlights from the CS5 East 2025 conference, the biggest cybersecurity and compliance event for the Defense Industrial Base. So, Brooke, for the folks who may not know, what exactly is CS5 and how is it different from other CMMC conferences that

(01:04):
you've gone to?

Brooke (01:05):
Well, as you said, it's the largest CMMC conference out there. It's got lots of great information. I think they said they had a little over eleven hundred people sign up to go. That's the people that, from what I understand, that's the people that signed up to go, not, you know, vendors and staff or anything, but that's 1,100 attendees.

(01:27):
So that's a good showing. It's real good. It grew out of a few organizations. It's changed over the years, but is essentially the same conference as it started out as, just on steroids now. So anyway, it started out with CIC. That was put on by a company called Future Feed,

(01:47):
great GRC tool if you need one. So they put on a conference, a really good conference, lots of really good information. Mark Berman started Future Feed and this CIC conference. The Cyber AB also had their own conference, but they decided to team up with the CIC conference, the folks

(02:08):
over at Future Feed for the CIC conference. And they spun up a new company, I guess, or something anyway, to run it, called Forum Makers. And so Forum Makers now runs it, but it's the Cyber AB and the CIC combined, and they called it CEIC, which is

(02:30):
C-E-I-C, which was CMMC Ecosystem Implementation Conference. So there was one on the East Coast, one on the West Coast, and the first one I went to, the first CIC conference actually, I think, was in San Diego, and I really enjoyed it. I'd actually never been to San Diego before.

(02:51):
Really great conference. But so then anyway, so we're at CEIC East and CEIC West. Then they joined forces with the CS2 series of conferences, and that was put on by Summit 7, I believe. CS5 now is the cybersecurity supply chain and

(03:16):
five from, roughly, I guess however you count them, but five different conferences from before: Cyber AB, CIC, CS2, and CEIC East and CEIC West, which those are really kind of the same conference, just on two different coasts, but yeah, who's counting, right? So anyway, so they call it CS5.

(03:36):
So they provide lots of great content. They've been adapting as they go. They had a bunch of roundtables this last time, which were pretty good. You could sit down at the round tables and be part of the discussion, so there were smaller audiences. So it was really good. But anyway, that's what CS5 is and what

(03:59):
it stood for. Next year is going to be back in San Diego again. Or excuse me, CS5 West will be in San Diego again, I think in April, I believe. But it'll be there at a brand new Gaylord they just built. And so the Gaylord, from what I understand, will be less than a year old when they have, see, I can't even

(04:22):
get it right, when they have CS5 out there. So anyway, good conference to go to. Lots of really good information.

Stacey (04:28):
It seems like CS5 provided a lot of powerful sessions, but there was one in particular where they talked about Operation Midnight Hammer. Can you enlighten us with a little bit of background on that?

Brooke (04:39):
Absolutely. So Operation Midnight Hammer, for those of you who don't know or may have forgotten, or maybe you're thinking, you know, you might remember it anyway. Operation Midnight Hammer was the strike of the bunker buster bombs that the United States dropped on Iran's nuclear facilities just recently, relatively

(05:02):
recently. So they discussed that and it really filled in a hole for me. I mean, filled in part of a hole. It was just very interesting to find out, and it's a recent real-world example of information that we're trying to protect for us, because we don't want somebody else to do

(05:23):
what we did to Iran to us, right? So Operation Midnight Hammer started way back in, the Pentagon had a briefing and discussed a lot of this too. But they also had some good visuals with it, and it was impactful and very relevant and timely

(05:47):
information. So Operation Midnight Hammer started way back, I believe, in like 2008. They hired one guy basically to find out everything he could about the Fordow facility, which is one of the nuclear test sites. And then they ended up hiring another guy and then

(06:10):
eventually a staff, and their sole job was the Fordow facility, from what I understand from what they report. And so I would guess that there were also the same teams put together for the other sites, but that was their sole thing. So they looked at what kind of material was extracted, what kind of dirt and rock and all that kind of fun

(06:32):
stuff, how much was extracted, they looked at what it was made out of, how many ventilation shafts, the electrical stuff. They went over all the stuff that you wouldn't necessarily think would be really that important, you know, information to keep, not

(06:52):
secret, but controlled, right? And so they didn't go over exactly how they found all this out, and they're not gonna release that, I'm sure. I'm sure some of it was by satellite, but there was a lot of information there that they showed that had to be gained somehow. And so anyway, they put up this, the visual

(07:14):
was that they had the Fordow site in a picture, and then they had, you know, all the different categories of things that they gleaned information from, like the material they pulled out, electrical, ventilation shafts, all that kind of fun stuff. And then they said, you know, basically, all this is the Iranian equivalent of CUI.

(07:36):
And so they stamped CUI over all that. But that's a really good reminder why we're doing this and what we're trying to protect. We're trying to protect our warfighters, trying to protect our military advantage, trying to protect our assets here at home, you know. The big thing it helped me with is we always

(07:57):
try to explain to clients why this matters, you know. It's easy to come up with the example of, you know, look at the new generation of Chinese fighter jet, the Humvee, the ships, or I think some laser systems that are like brand spanking new. You know, somehow China has a lot of stuff that looks

(08:20):
amazingly like our stuff, you know. So it's easy to point out that, and that's manufacturing. But what about other areas? Why do other areas matter? And one of those, you know, we have some construction clients, and those construction clients were, well, why does it matter, you know, if we're bulldozing dirt or what we're doing, you know? And I was like, well, I'm sure they can tell something

(08:43):
from that. Well, now we have an example to use that says, hey, this is an example that the DoD showed and explained of what we used, that would be equivalent CUI, what we used to gain information to attack Iran. And very successfully attack Iran, it looks like.

(09:05):
So anyway, it helped us out, because construction companies are in even more of a pickle, as we've discussed, because of several situations, but even more of a pickle than manufacturers are. So anyway, it's very insightful. The other part I will say about, not just

(09:28):
Operation Midnight Hammer, but before that with Iran, if you'll remember way back in the day, Stuxnet was a computer virus that attacked an air-gapped network. It turns out that that was the United States and Israel that did that. Because actually, unbelievably, the United

(09:50):
States actually admitted it and said, yeah, that was us. So probably shouldn't do that, but yeah, neither here nor there, I guess, but everybody knew anyway. But the Stuxnet virus was very specifically engineered to do some very specific things to their centrifuges that enrich uranium. And so they would report the correct, for instance, they

(10:12):
would report the correct speed. They're very precise, they have to spin at an exact speed to enrich that uranium properly. While it would report the right speed, it'd be spinning it either slower or faster, you know, not doing what it needed to do. And so eventually they figured it out and figured out

(10:35):
that it was us, and I think part of that came after some centrifuges broke because they spun too fast or something. I don't really remember, but they ended up figuring out it was us, and they figured out that, oh crap, we were way behind the times, because not only could we not protect against something simple like that, and I mean we were air-gapped and they got across, you know. You know, we've got to do something about it.

(10:58):
So Iran really ramped up their cybersecurity and offensive and defensive cyber operations. And so as a result, as a direct result of Stuxnet, they ramped that up and they started attacking us ruthlessly, relentlessly, I should say. Anyways, I mean, there's lots of, you know,

(11:22):
examples of, you know, the Iranian government being behind all sorts of things. And we went over our threat notices anyway, today during our tech meeting. And there was one on there about Iran, about attacking over a hundred governments.

(11:44):
So it ramped up as a direct correlation to Stuxnet. And so now do you think that, you know, as a result of Operation Midnight Hammer, you think something might happen? It's probably a really good bet. And so anyway, all that was very insightful and

(12:07):
it made a big impact. At least it made a big impact on me. I would assume it made a big, big impact on other people, but, you know, anyway, it's a big impact on me and it's very good information.

Stacey (12:18):
So let's shift gears over to the CMMC program itself. What were the biggest updates from the Cyber AB on the topic of CMMC?

Brooke (12:29):
Sure, sure. So some of the updates were, you know, everybody, not everybody, I should say, there are still people that cling to, you know, oh, there's gonna be some reason that this gets delayed, you know, and oh, now it's the government shutdown. The government shutdown is gonna delay it. The government shutdown will not delay it. It will go into effect on November 10th.

(12:51):
Now the reality is it'll go into effect on November 10th, but there may not actually be anybody writing it into contracts on November 10th, right? So that part could be delayed. But the starting date won't be delayed, so that means that November 10th, 2026 is still November 10th, 2026.

(13:14):
No matter when they get this off the ground, actually written into contracts. November 10th, 2026 is when phase two starts, right? So it is progressing and not stopping. So the government shutdown won't affect that part of it. In fact, there's a lot of, I think

(13:37):
on the Cyber AB town hall last night, it was just last night I watched the October one. They said the same thing and they showed a little graphic of all the things that will and won't be proceeding with the government shutdown. And there was only one thing. It was some administrative program manager kind of

(14:00):
thing. But everything else is proceeding as it should be. The background checks, or the tier three assessments for CMMC certified professionals and assessors and all that, they're proceeding. You know, that's one thing.

(14:20):
I figured it's just a background check. Surely those will be delayed, you know. No, that office is working and they're trudging right along. So anyway, November 10th is coming, that's when it's gonna go into effect, and it's not gonna be delayed. Maybe written into contracts will be delayed a little bit, but other than that, it's coming.

(14:40):
Another thing, another couple of things: at the time, at CS5, they said 384 joint assessments, or assessments, have been completed. And so that number is now over 400 as of the Cyber AB Town Hall last night. So it's over 400 now.

(15:01):
So they're marching right along on those. There's several, I don't remember how many are in progress as of, I mean, it's already changed, but as of CS5, there were 74 in progress, 83 authorized C3PAOs. I think that has changed to 84, but there's several in the wings there waiting.

(15:22):
And this number of CMMC certified assessors keeps growing every month, so that's really good. That's really the key to this whole thing, is the CMMC certified assessors. If we don't have enough, it doesn't matter how many C3PAOs we have. Because a lot of C3PAOs are, you know, one- and

(15:45):
two-person companies, or, you know, maybe a little larger, but even larger ones depend on CCAs that are 1099 employees, right? So there may be CCAs that are 1099 employees for several different C3PAOs. That does not increase the number of CCAs. It just means that they're working their rear end off.

(16:05):
So that number of CCAs really needs to go up a lot. And what does concern me a little bit is, I guess it kind of concerns me and it kind of doesn't, but that's not skyrocketing. If it was skyrocketing, you'd already kind of have to worry about the experience level of some of the CCAs.

(16:28):
And I don't mean that as a slight or as anything about the general CCA community. Most of the ones I met are very, very good. There are some new ones who don't have much experience. They're trying very hard to make sure that doesn't happen though, with the requirements for CCAs.

(16:48):
But, you know, if that number were skyrocketing, I guess you'd probably have to worry about that as well. So, you know, it's good for those CCA numbers to increase. We need a lot more of them. I don't know if we're gonna get a lot more, you know, quickly, but we do need a lot more CCAs to cover all

(17:11):
this demand for the assessments, certification assessments.

Stacey (17:15):
So it seems like there was some chatter about the Cyber AB taking on some new roles at CS5. Could you enlighten us with what that may be?

Brooke (17:24):
Sure, sure. So the Cyber AB is also working on a security controls framework. And they've mentioned that a few months back in one of the town halls, and maybe more than one, I believe it was more than one of the town halls. In fact, they mentioned it last night as well. But they're working on that. And that is something that I believe Texas has

(17:49):
adopted in one of their new bills, and what it is, I believe, is kind of a safe harbor bill. If you adopt the security controls framework and run your business by that framework, then you're basically in a safe

(18:11):
harbor for cybersecurity claims against you. I don't know all the details about that, but that's the overall thing. So the security controls framework is a little more comprehensive than NIST 800-171. NIST 800-171 really is more about confidentiality

(18:36):
than anything else. But anyway, that security controls framework seems like something really good that they're building out and what they're working on. So they're pretty excited about that. And they also talked about plans to update the licensing program and overhaul the practitioner path, which is

(18:56):
what really needs to be done. It's pretty easy to get the RP, the registered practitioner, right now. So it does need to be overhauled. I don't know about the RP advanced, the RPA. I haven't really looked at that one much. I just haven't looked into it.

(19:19):
So I don't know how much more difficult that one is than the RP. But I do know most people consider the CCP the starting place, as far as learning goes, and a certification or some stamp of approval; the CCP is really where it starts to show that you've taken some good training and you know what you're talking about.

(19:41):
And they also talked about relaunching the C3PAO accreditation process also.

Stacey (19:47):
So let's pivot a bit and talk about service providers. There's been a lot of confusion around MSPs, CSPs, and ESPs. Did that come up often?

Brooke (19:58):
All sorts of TLAs, three-letter acronyms, that come up, yes. So everybody is still, and I keep saying everybody, and not everybody. There are still people that are confused about the difference between ESPs and CSPs and MSSPs and MSPs and all that kind of fun stuff. So the overarching category is ESP, which is external

(20:21):
service provider. And under that you have CSPs, which is a cloud service provider like Microsoft or Amazon or something like that. Then other than that you have the category that is ESPs, not a CSP. So that's what it's called.

(20:44):
So in that category is MSP, a managed service provider, or MSSP, managed security services provider. And a managed services provider is what we are, we're an outsourced IT company basically, and so that's what an MSP is. Managed security services, they supposedly

(21:07):
focus specifically on security services, like SOC and SIEM and stuff like that. But there are people that are confused about what makes one or the other. There's a good definition in the Federal Register of CSP. Go read that, it makes it very clear what a CSP is,

(21:31):
right? Everything else is gonna be an ESP. If you're providing some services that don't handle, if you're providing some services to an organization seeking certification, so somebody that wants to get certified, then you're gonna be an ESP,

(21:55):
not a CSP. So very clear, right? But there are certain things that, you know, they talked about, what MSPs and RPs and all that kind of fun stuff. RP is a registered practitioner. It's an individual, and I guess actually RPO is a

(22:17):
registered practitioner organization, so that's the company that employs the RP. So there are limits of what an ESP can do for you, right? They can't do everything for you. Even we tell our clients, you know, hey, we'll help you out, we'll help you get ready for that certification quicker than

(22:39):
otherwise. You know, easy button or rocket assist or whatever you want to call it. There's different marketing language all around it. But the fact of the matter is that no matter who it is, the ESP cannot do it for you. They can do a lot of it for you and with you.

(23:01):
There's a lot you have to do, and there's a lot that you have to be part of. And not only that, when it comes time for certification assessment, the company getting assessed, the one seeking the certification, they have to know and understand what the heck their

(23:25):
SSP says, you know. They can't just go, yeah, I don't know, ask him. You know. They have to have some knowledge about it. They don't have to have deep knowledge, but after all, everybody, no matter how big the company is, everybody outsources some stuff, right? And that's because, you know, they want to focus on this and

(23:48):
they want somebody else to do the rest. So an ESP and MSP, they can do a lot of that work for you and help guide you through it, but they can't do it for you. And so people need to understand that. Companies that are looking to be certified need to understand that. So then there are different levels of companies

(24:10):
that do it for you and with you, right? We have a tendency to do as much as we can and to hold our clients' hands and walk them through it and explain everything, you know, how everything works and what your options are. You know, some providers say, here's our solution right here, and you put that in place and you're good, you know.

(24:32):
We have a tendency to think that that's not the way to do it, because not everybody fits in this little cookie-cutter box. So then when you realize that you don't necessarily fit in that cookie-cutter box, you gotta figure out how to address the pieces that don't fit in. And that's where we help our clients, is trying to figure out

(24:53):
what to do with those things that don't necessarily fit in a nice, neat little box. So that's a big thing with MSPs, ESPs, CSPs, and all that.

Stacey (25:03):
So it seems like there was some conversation about what CMMC doesn't do. Can you touch on that a little bit?

Brooke (25:11):
Sure. I think you're talking along the lines of legal immunity. So CMMC, if you've put everything in place, does not provide legal immunity to anything. However, if you've put CMMC in place as you should, have all the documentation and you're doing the things

(25:34):
you say that you're doing, because no solution is a hundred percent bulletproof, right? If there's some breach or something that happens as a result, you can say, look, here's all our documentation, here's what all we had in place. You can use the old Apple excuse that it was a very

(25:55):
sophisticated attack, you know. And I guess more than just Apple says that. But anyway, if you have everything put in place, you have all your documentation, you can prove that you were doing what you said you were doing, then you don't have legal immunity, but you've got something to fall back on and something that will help you out

(26:16):
a lot. So while it's not legal immunity, it certainly does help that you can prove all this. It's a lot better than not having all the documentation in place and not having all the items, or even maybe having all the technical controls in place but not having the documentation to back it up. You're not nearly in as good a place with

(26:38):
just the technical controls in place as you would be if you had documented everything. Because that way when something happens, you can say I was doing everything I was supposed to. In fact, I was doing more than I was supposed to, and it still happened, you know. So you have some, just like the Texas safe harbor law we were talking about a minute ago, you have some help on that.

(26:59):
Well, it's not, the Texas safe harbor law is a law, I guess, anyway, but so that, I guess, does provide some sort of immunity of sorts. CMMC does not provide immunity, but does provide a lot of help.

Stacey (27:14):
I know we kind of talked about the complexities of the construction industry with CMMC. It seems like there was some discussion at CS5 about CUI in construction. Could you go into that a little bit deeper?

Brooke (27:27):
Yeah. So as we talked about a minute ago, there are a lot of nuances in the ways that construction companies work that are hard to cover and not addressed well with CMMC.

(27:49):
One of those things is, from what I understand, and we've got some construction clients, and I didn't even realize this, but I guess on some federal DoD projects in construction they issue a different CAGE code or something for different projects. And so that's an issue when you've been certified and

(28:13):
you have all your CAGE codes listed and there's another CAGE code that comes into question there; that's not in your certified list now and it can't be added after a certain amount of time. What I understand is, if you've got a C3PAO that understands and knows what's going on, I think they

(28:33):
can help out there. That's the gist I got. So but that's just one of those things that the government didn't think about, right? You know, how do you do all this? Well, once you lock in these CAGE codes, they're in concrete and you can't change them, supposedly. And yet here on construction projects, we're

(28:55):
gonna issue temporary CAGE codes over here. So I don't know all the particulars about that, but that's how it was explained to us in that session. The other thing is that construction companies, you know, they have to think about, you know, their construction

(29:16):
trailers and job sites and how CUI is performed there, or how CUI is accessed there. If you are on an actual base, it's a little bit different. There may be other projects that have CUI, they're not necessarily on a base, I would

(29:38):
think. But if you're on a base, that helps you out some as far as CUI goes. And another thing is with construction companies, you know, a lot of them, they'll send off their drawings to some print company to get them printed out for them. Well, guess what?

(29:58):
If those drawings are CUI, you've got a big problem there. So maybe you have to buy yourself a large format printer, you know, and haul it around from job site to job site. I don't really know. That's a tough one to cover. But there's different ways it can be covered. You can go all digital, you can issue laptops, you can

(30:21):
issue tablets, you can buy your own large format printer, whatever it may be. But there's several different ways to address it depending on how you do your business and your workflow and, you know, what might be open for change. The other thing is that they said that forty-five

(30:45):
percent of federal agencies still don't have a formal CUI program. And the CUI rule that was recently published as a proposed rule for the rest of the federal government, I would think that would change that. Of course it's just proposed, so it hasn't even kicked off yet, but I would think that would change that.

(31:06):
But forty-five percent of the federal government doesn't have a formal CUI program, and they're expecting mom and pop shops to put this in place. You know, another thing about construction companies, really about manufacturing companies I should say, that they talked about during this, because this was a session

(31:28):
about CUI and manufacturing and construction. Construction took a lot of the discussion because of the complexities there. But in manufacturing they've said that there's typically, we tell our clients that what the

(31:50):
CMMC program office says is that the parts, the actual physical parts themselves, are not CUI. Well, there is some debate about that. So the DCSA does say that physical

(32:11):
parts, or physical components, physical objects, however you want to phrase it, they are CUI. So there is a bit of a disagreement there. And then if they are, then technically really that poses some more compliance issues. The only other thing I was gonna say along these lines is

(32:32):
related, but not specifically about construction and manufacturing, but definitely about CUI, is that there have been some intelligence agencies that have complained, some intelligence agencies that are used to secret, classified information, not unclassified, but they're used to the whole secret classification, right?

(32:53):
Some intelligence agencies that have complained that CMMC is too complex, too hard to manage. So I guess that was just an anecdote, you know, about how difficult it is. Don't know the particulars about that, but that was very interesting.

Stacey (33:12):
So it seems like there was some conversation about AI. Could you delve into what they were saying about using AI for compliance?

Brooke (33:22):
Sure.
So uh you know I think uh AI ishere and it's probably here to
stay, maybe, you know.
Uh so uh and it's in uh reallyit's in so many parts of your
life that you you think yourealize it and you probably
don't really realize how manyparts of your life that AI is
in.
So we use it in our business.

(33:43):
Uh you know, um we haveservices that use AI along with
algorithms to go through uh loguh events, you know, stuff like
that.
Um we use it a lot for you knowfor other things, but with with
anything AI, uh you know, mywife even uh she teaches some
college classes and and uh whenuh students write speeches, it's

(34:07):
obvious when they have onethat's written by AI.
I mean it's so obvious that uhAI wrote one and not the
student.
And so you have to know how touse AI.
You know, for those collegestudents, you know, I tell my
wife, you know, let tell themthey can use AI, but they gotta
learn how to use it right.
Which means that they have toknow the subject and they have
to know the rules, and so theyhave to be able to tell AI how

(34:30):
to write that, and they have to tell AI how to correct that, right? And so they have to know it. It still leads to the same outcome. It's just that they didn't have to do all the work to get there, you know. Um, which is fine. You know, calculators when they came out, you know, I was uh I couldn't believe that uh, you know, we you were able to use graphing calculators when I was in school, uh but uh for some

(34:53):
stuff. But you know, my kids went to school and they could just use calculators. And I thought, well, you know, how is that teaching them anything if they can if they can use calculators? So AI, same thing, you know, they have to understand you have to understand everything. So uh the same thing applies here to the IT world, uh to the tech all the rest of the technical world, and to CMMC,

(35:14):
right? Uh so you have to realize what information you're feeding in, um where that uh data is stored at, uh if it goes uh out of your environment, uh you know, what you don't want is uh to draft all of your policies and all your uh stuff that may contain uh security protection data, SPD, um at the minimum, CUI

(35:41):
also, but uh you know have all your uh configuration and all your technical information in it, you don't want to draft that on ChatGPT because then it has all that information and can use it to learn on uh use it on its learning model. You don't want that. So uh and if it's CUI, then that CUI is now out, you know,

(36:04):
uh uh in the in the wild world, right? Uh the Wild West. And so uh you have to make sure that uh you use AI uh that is um in a in a closed environment in uh you know a an enclave, for instance. Uh you have to have you have to put some parameters around it to make sure that that it's used properly, that it's a cloud

(36:29):
service, so if it's gonna do anything with CUI, guess what? It has to be FedRAMP, uh FedRAMP moderate, uh authorized, or higher, or or equivalent, I guess. Uh there are also some um some tools, CMM tools in the CMMC ecosystem that use AI. And um I haven't really necessarily looked into them in

(36:50):
depth, uh, but from what I understand, they they have their own environment. Um it doesn't the information does not get out of that environment. Uh so you have to think about those things. You know, I have down here that define AI boundaries using zero trust principles. Uh zero trust is a is a really it's just a really good principle to start with and operate by, right?

(37:11):
Um host or configure uh language models, large language models in uh in an enclave or in in uh a controlled infrastructure, uh closed infrastructure, right? Closed environment. Um use AI to draft documentation or summarize the

(37:32):
logs, but again, this is where you gotta know how to use AI. You know, use it to, you know. Yesterday I was using it to um this is kind of goofy and dumb, but uh yesterday I was using it to um write some formulas to dig through some giant Excel spreadsheets and and get some data for me.

(37:52):
And uh, you know, you have it write a formula, you look at it, and you're like, well, okay, that looks right. You use it, and then you're like, well, that data doesn't look right, and so you look at it. Oh, here's the problem. All right, now rewrite it and do this, you know. So you you have to understand what it's doing and you have to understand how to use it. So it applies in my wife's college classes, and it applies

(38:15):
in CMMC. Same thing, right? Uh and you can run AI-driven uh regulatory gaps analyses. Um it'll help you find things that you've missed, but also just remember that AI can hallucinate. It doesn't mean that it does all the time, but you know, it can catch some of the things that you might have missed, you

(38:35):
know. Um so you can use it to check you, you can use it to help out. Again, however you use it, you've got to know how to use it and you've got to use it appropriately.

Stacey (38:46):
All right, Brooke, rounding out all of the CS5 conference information, what's your biggest takeaway from the whole event?

Brooke (38:55):
Uh well the biggest takeaway is the is really the the takeaway that I have a lot is that it's it it's about national security. You know. Uh one of the last conferences, uh Katie Arrington talked about um, you know, the the China threat and how much we're losing to China. Uh, you know, this time they talked about the whole uh Iran

(39:17):
thing with the Midnight Hammer and CUI, you know, we talked about. So it's uh it's about uh national security. All all all aspects of national security, it really is. Um yes, it's a big pain in the butt, you know, and any security is gonna be a pain uh uh because not having security is

(39:38):
much easier. You can just r run willy-nilly and do whatever you want, you know. Uh but you know, you have a little security and it's it's inconvenient. The key is keeping that balance, right? Keeping everything secure while still being as productive as possible. You know, the other thing is uh I I heard this multiple times

(39:58):
uh uh in some of the sessions and also speaking with assessors and C3PAOs, you know, their goal is not to to fail you, their goal is not to stick it to you, you know, or say this is the only way this rule can be implemented, you know. Um their goal is to make sure that you're uh covering those um

(40:20):
uh controls and assessment objectives uh and what you're doing is working. And you're is what you're doing is covering those uh objectives properly. So they're they're assessing, right? It's not an audit necessarily, but they're assessing whether what you're doing meets those controls or not. Um and so there is uh there's some leeway to figure out, you

(40:44):
know, whether this, you know, this works this way or that way or or whatever. So it's a you know, they're they're there to just make sure that you're covering those controls, not to be a not to be a hard ass, basically, right? So and uh one of the uh one of the panelists said that uh RPOs,

(41:05):
uh I can't remember who it was that said it, but uh RPOs are uh are becoming uh cyber therapists. So uh, you know, I thought, well, that's really not that far from uh from uh right. You know, I mean that that's it's true really. Uh you know, RPOs really are trying to shepherd, you know, companies through this thing and and help them out and help them

(41:27):
get through it, and listen to their moaning and groaning and complaining, you know, and everything else. And and uh again, uh RPO is not there to you know beat you into shape, but here to say, you know, here's the control and here's some ways you can address it. This is what we recommend, you know, and and so uh at least that's how we address it. And I'm sure that's the way uh other people address it too.

(41:48):
But you know, RPOs being a uh uh a uh cyber therapist was a was a very interesting way to put it.

Stacey (41:56):
I know you met a lot of great people at CS5. I think you had a special shoutout that we wanted to mention.

Brooke (42:03):
Uh yeah, that's right.
So uh uh you know we've had people contact us and usually it's by phone or email, you know. Uh they watch the podcast and and uh so they contact us to ask questions, ask us to you know do an assessment or whatever it might be, you know. Um uh but uh while I was at CS5, I actually ran into somebody that recognized me, so they weren't just a listener,

(42:25):
but they I guess they they actually watched too. So but I ran into uh gentleman named uh Mark Murphy. I wanted to give you uh give him a shout out. So hey, thanks for uh thanks for watching and thanks for listening. We really appreciate it. Uh so it's always nice to run into people that have uh that have listened to our listened to or watched our our podcasts.

Stacey (42:43):
Before we wrap up today's episode, we're gonna answer a listener question from at Maskem Adventures on episode 24. They asked, so if you had a CUI drawing and created yourself a MasterCam G-code file, is that G-code still CUI?

Brooke (43:04):
Well the short answer is yes.
The much longer answer is uh we actually had uh this is still a debate, right? Um I would say yes to make sure that you're covered. Or uh when you're doing C3PAO uh interviews, you know, uh specifically ask them what they think, you know, and uh and you

(43:26):
can go from there. But um uh there's uh Jim Goepel uh wrote some books about CUI, uh really smart guy, and he says, you know, it those parts are CUI. Or those excuse me, that G-code is CUI, you know, uh because

(43:47):
it's it's that information that's derived from from uh drawings or something on that contract. And so uh it's gonna be derived CUI, right? So there there is a possibility that that G-code may be a a COTS product, uh a common off-the-shelf product, you know.

(44:07):
Um so if it's just an off-the-shelf product, a piece that you sell, you know, to um Boeing as for commercial planes and also for uh DOD planes, you know, maybe that would be off-the-shelf stuff and that that wouldn't be CUI.

(44:27):
Uh but generally uh that G-code is gonna be CUI. Uh I would go ahead, I counsel all of our clients just consider it CUI, protect it. There are ways to do that. Uh there are ways around, you know, uh hard stuff that that make it really hard to to figure out how to keep it encrypted properly and all that kind of fun stuff.

(44:48):
Um but you can still do all that uh and and that be considered CUI. So uh but um we were in a conversation about that. Uh somebody really smart that I I know and respect uh said, you know, no, it's it it doesn't have to be CUI. You know, you can call it instead of uh, you know, uh

(45:11):
whatever the actual part name is, you know, you can just call it you know lettuce or or you know, or uh table leg or you know, something like that, something that's not right. And I said, well, you know, that's fine, that's all good. But you've got to have some sort of matrix to uh, you know, to map those parts and somewhere. They said, yeah, and you just keep it safe.

(45:31):
And so now you're having to keep uh, you know, a uh a matrix of names safe somewhere that maps all those all those parts, you know, uh which is fine, you know. Uh but it seems like uh that very well may fit some people, it may work for some people, you know.

(45:53):
Um and if it does, great. If not, there's there's easy ways, uh easy-ish ways uh to say, yeah, it is CUI, and this is how we're gonna protect it, you know. Uh so uh I would just say yes, G-code is CUI and protect it accordingly.

Stacey (46:11):
If you have any questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmc complianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure, and make sure to subscribe.