Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Intro Song (00:09):
Regulations whisper
Austin (00:21):
Hey there, welcome to
the CMMC Compliance Guide
Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting.
We're here to help businesses like yours navigate CMMC and
NIST 800-171 compliance, or hired guns, getting companies
fast-tracked to compliance.
But today, we're here to give you all the secrets for free.
So if you want to tackle it yourself, you're equipped to do
(00:43):
so.
Let's dive into today's episode and keep your business on
track.
All right, so Brooke, today we're tackling a massive shift
in cybersecurity regulations for defense contractors.
CMMC is changing.
DFARS is changing.
There's even some proposed rules or something changing with
the FAR for people that aren't defense contractors and doing
(01:08):
business with the federal government.
If your company is in the DoD supply chain, these shifts could
impact you and your contracts and even other contracts that
you don't necessarily know are connected to the defense.
Absolutely.
And they're happening fast.
Brooke (01:24):
They are.
They are happening fast.
Austin (01:26):
Absolutely.
So I guess we should also address, I'm back.
Brooke (01:31):
Yes, you are.
For a couple weeks of hiatus?
Austin (01:34):
Yes, absolutely.
A little back injury there, but I'm back and they haven't fired
me yet that I know of.
He
Brooke (01:42):
just hasn't seen his
pink slip yet.
Austin (01:44):
Yeah.
Maybe it's somewhere on my desk just under all the rest of the
papers.
Brooke (01:48):
Probably so.
Austin (01:50):
My first question for
you about all these changes is
why should DOD contractors care about these changes?
Brooke (01:57):
Well, there's a lot of
changes and really it's just the
changes show everybody that it's moving forward and it's
coming.
It could affect your contract eligibility, incident reporting
requirements, impact the legal side of things.
It's coming and there's no putting it off.
(02:19):
Doge's not going to put it off.
It's coming.
Austin (02:21):
And speaking of that,
because that's actually a hot
topic when I'm talking to people.
Yes, it is.
I mean, nothing political at all here, but administrations
change.
Things are changing.
You see in the news every day there's adjustments.
But we seem to have at least grapevine knowledge and
reassurance from up high through the DOD and their officials
(02:47):
there.
I've actually talked to the administration and Elon and
Doge.
Absolutely.
It seems that's still on track.
Brooke (02:54):
It is.
So Katie Arrington, who is now, again, back in a prominent role
for CMMC and the DOD.
She's a DOD chief information security officer, the CISO
officer, excuse me, not offer, the CISO.
And she's got another title, deputy chief information officer
(03:16):
or something like that.
But that makes her the CISO anyway. So she had talked to, she had
actually gone to talk to Elon Musk, Mr.
Doge himself, and so she said, you know, everybody's
thinking that Doge is going to, you know, going to
make cuts and this is going to be part of those cuts and
(03:37):
everything's going to be delayed again. And Elon said no,
absolutely not, that CMMC is very important, and we all know, we've
talked about the reasons, you know, if you go look at half of
China's military equipment, you know, they look strangely like
ours.
But anyway, you know, he said it's very important.
(03:58):
We've got to secure our DOD supply chain and nothing's
changing there.
So he reassured her that she is the DOD CISO.
So, I mean, I'd say that's a pretty high up reassurance
there.
there.
Austin (04:13):
I'd say it's probably a
good news, bad news situation
for a lot of our...
Uh, for our customers, and a lot of people were really hoping. I,
yeah, I have a lot of people that were just sure that, and,
you know, some people still are very sure it's going to
happen despite, um, what we hear. But, uh, not everyone's excited
about this continuing. So, uh, well, the next thing I have for you
(04:36):
um, is there's been a lot of movement on CMMC, DFARS, the FAR.
Um, can you just kind of broadly walk us through, uh, what's
happening with those?
Brooke (04:47):
We had the final rule
come out in December, so now
you're able to get...
certification, CMMC certification assessments.
You're able to get those now.
They're not required just yet.
The proposed rule that puts those on contracts and requires
(05:08):
those, it's still in the process.
It was pulled back to look at it to make sure that, you know,
the new administration coming in.
But that's still in the works and should be coming out pretty
soon.
And so it'll start being required on contracts.
There's some timelines and everything that go along with
that, there's caveats.
(05:29):
But when that comes out, it'll start being required on
contracts.
We've got the new CAP, the CMMC Assessment Process.
All of us people just call it the CAP because that's too long
of a word.
But anyway, the CAP 2.0 is out.
It makes some good changes.
And the CAP, if you haven't looked through it, it outlines
(05:51):
how to perform an assessment from the very beginning of the
organization seeking certification, OSC, from them
contacting a C3PAO, who do the assessments, from them
contacting them all the way through the process. It lays it
all out in gory detail. So they did that on purpose, so they
(06:12):
could, so these assessments could go as similar and so
it could be standardized pretty easily, and so that there's good
with bad. That's the good part.
The bad part is, you know, government loves to make things
overly complicated.
So, you know, there you go.
Another thing is, now that CMMC is off and running and, you
(06:40):
know, got all these timelines coming up, these are DFARS
rules.
That's defense.
So the FAR is the rest of the federal government, the rest of
the federal acquisition.
They're in the plan all along.
We've always heard this, you know, once CMMC gets going, then
(07:01):
the rest of the federal government is going to follow
suit.
Well, now there's a proposed rule for the FAR on how to
protect CUI.
And so it is the first steps in following through and basically
doing CMMC for the rest of the federal government.
Austin (07:20):
If you are not
particularly familiar with DFARs
or FAR, the way I basically frame it in my mind, correct me
if I'm wrong, is basically just rules for doing business for the
government.
And defense would be if you're making parts that go into the
defense supply chain or doing business in the defense sector
(07:41):
and then FAR would just be a lot of...
You know, just really anything federal government.
I wouldn't say anything, but a lot of the federal government.
Brooke (07:51):
Anything with the
federal government.
It would be, DFARS is the defense part of the federal
acquisition.
When you drop that D off, it's the rest of the federal
government.
It could be Homeland Security.
It could be any part of the rest of the federal government.
There are a couple that are going to go first with this
whole CUI protection, and they're going to get kicked off
first because they're more important.
(08:13):
Okay.
But the whole– when you step back and look at it, that FAR
rule, proposed rule, is the first step in CMMC for the rest
of the federal government.
So it would be a good idea for everybody to get used to
understanding CMMC and how it works because it's coming to the rest
(08:35):
of the federal government.
Austin (08:36):
So, I mean, I think it's
fair to say, you know, whether
you supply toilet paper or weapon systems to the
government, at some point you're probably going to be touching
one of these regulations, and it may not necessarily be, um, you
know, the toilet paper itself that they're concerned about, but
like contract details, you know, um, stuff like that, right? I mean,
(08:56):
there's other, ten other tangential, I guess, um,
information or contract information that they want to
keep protected. So even if what you're providing
seems rather benign, it may still fall under these things.
Brooke (09:12):
Absolutely, there'll
probably be a whole lot more. So
there's three levels.
There's level one, which is basically protecting FCI, which
I believe it now is CFI, but FCI's federal contract
information, which is non-public information about that
contract.
So if it's not on an open website, then if it's behind a
(09:34):
portal where you have to sign in or something, if that
information is behind that portal where you have to sign
in, then it's FCI.
If it's out for the whole world to see, then it's not FCI.
But anything about that federal contract that is non-public is
FCI.
Level two is the controlled unclassified information, the
(09:55):
CUI.
So if you protect CUI and your contract says you have part of
this contract is you have to protect this CUI, then
that's going to be level two, and that's where all this comes
in.
Level three is another step above that.
That's going to be– the numbers of those people are going to be
a lot smaller that have to comply with level three.
(10:16):
But you're right.
There's going to be– I would imagine once the rest of the
federal government gets moving forward, there's going to be a
lot of FCI to protect and not necessarily all
CUI.
If you go look at the CUI registry, there's a bunch of
(10:42):
different kinds of CUI, dissemination rules, and all
sorts of fun stuff.
If it falls somewhere in there, then that's data that needs to
be protected.
be protected.
Austin (10:52):
What does this mean?
What's the impact for companies that currently have contracts
that have these requirements?
Brooke (10:59):
Well, it means that for
the ones that already have
contracts, they have current contracts.
One, if they already have those DFARS rules in there, they
should be meeting those DFARS rules.
And they state 800-171, CMMC, all that fun stuff.
But they should be paying attention to those DFARS rules
that are in the contracts.
But as far as these changes go...
(11:20):
When the 48 CFR finally goes into effect that requires it on
contracts, you will have to have your CMMC, assuming level two,
certification.
You will have to have that level two certification to win
new contracts.
You can bid on that contract without necessarily having that
(11:41):
certification yet.
But if it was me, I don't know that I would do that because
it's a long process.
And even with just the voluntary nature right now of
getting CMMC assessments, certification assessments, the
assessors are already booked out three, four months
Austin (12:03):
plus.
Mm-hmm.
Yeah, and if you are thinking about bidding on contracts and
you don't have compliance figured out yet, give us a
shout.
We can walk you through free of charge.
We can just kind of walk you through the budgeted line items,
broadly speaking, that you might want to estimate to make
(12:25):
sure that when you do get the contract that you're actually
going to make money because you don't want to lose money on a
contract.
The way I understand it is that you're kind of tied to the
contract once you win it.
Absolutely.
Yeah,
Brooke (12:41):
and that's true.
We can kind of bullet point those things.
It's not– some of it's going to be a lot closer to accurate
than others.
Cause we just don't, I mean, when you first talk to somebody,
you know, without really delving in and spending a lot of
time figuring things out, you don't know the environment, but
high level, we can certainly help out and say, this
is what you're looking at at a high level, you know, and then
(13:04):
you can figure out if the, you know, $100,000
contract is worth spending, you know, $200,000 on to get
compliant.
Austin (13:13):
Right, exactly. Yeah, so it
just might save a lot of people
some headaches. So we've been doing that recently with some
people, trying to help them out, and some people have decided to
go forward with it and some people have just decided to drop
it altogether. So CMMC has been evolving over the years,
past two or three years or so, for itself. Before that, you know,
it's a different iteration. But for a lot of people, these
(13:40):
deadlines are starting to feel like actually real, from what I
hear.
Because they are.
Yeah.
Yes.
And I'm even hearing from some people that they're like, oh,
it's finally here.
You know, I feel like it's been here for a while, but for a lot
of people, it feels real now.
What does this mean for companies that are bidding on
DoD contracts?
Brooke (13:59):
It means that CMMC is no
longer optional.
It was not optional before, but it's really not optional now.
Check the box.
It's coming.
It's here.
There's teeth with it.
You have to prove it.
CMMC is coming.
(14:19):
It's here.
Timelines are...
You can see it, I guess you can see that light at the end of the
tunnel with the train coming or whatever it may be.
But CMMC is coming, and there's no stopping it.
It's here.
Your SPRS score
(14:40):
is very important.
I would say, really, if you're not at 110 right now, you really
need to see what you can do to become 110 and what you need to
do to flesh that out and finish it up because, like I said, it's
not easy.
It's not going to be a short timeframe to be able to get your
(15:03):
CMMC certification, level two certification.
Uh, the other thing is, uh, reporting requirements very well
could be changing, uh, for, uh, if you have some sort of
incident.
Um, and if you have some sort of incident and you don't report
it, that's, it's not a good thing.
So, um, there's, uh, some legal ramifications there, but for
the reporting requirements, uh, right now it's set at 72 hours,
(15:26):
which is reasonable.
Um, the, uh, the FAR rule, proposed rule, sets it at eight
hours, some stuff at eight hours.
So that's a bit of a change.
So you need to know what department, who you're doing
work for and all that and what the reporting requirements are.
Of course, this one's proposed, but from some of the things we
(15:48):
heard in the last conference we went to, the sentiment seems,
at least in the government circles, to be that
they'll just make all of them eight hours.
And I think that's a joke, to tell you the truth.
And that sets people up for failure.
So hopefully they don't do that.
Hopefully cooler minds prevail.
(16:10):
I don't know.
So hopefully they don't do that and they stick with 72 hours.
But there's some significant changes coming that you need to
be prepared for.
be prepared for.
Austin (16:22):
A lot of people aren't
complying or are failing
compliance or the DIBCACs.
And so to move the goalposts even a little further seems to be
quite an ask.
So I hope they had waited a little longer to do that, but it
seems like they're wanting to go ahead and move forward with
it, which I understand their concern.
(16:42):
It's important stuff.
Brooke (16:45):
And to be clear, when
you first report one of these
incidents, you don't have to know everything.
It's the important...
I think what they feel is the important thing is to let them
know that there's an incident or the possibility of an incident
while you're investigating it and trying to figure it out.
So you can fill in those details later, but still, eight
(17:07):
hours is a very tight reporting requirement.
Austin (17:09):
At the last conference
we were at, can I go on with
what you were saying is for the SPRS score, S-P-R-S, or however
you pronounce it, because I've heard quite a few options on it.
Take your pick.
Yeah, I like S-P-R-S, but I hear Spurs a lot.
I don't know if it's a requirement or what it was, but
I remember them saying that 80% of 110, it's like an 80% pass
(17:34):
score.
Would that be like 88 or something?
Yes.
Brooke (17:39):
That is– I think what
you're getting at is that that's
– to be able to have a POAM and the things that are able to be
POAMed, you have to get 80% or 88% in order to be able to have
that POAM and move forward with it and have that 180 days to
(18:02):
complete it and get it done.
So I think that's what you're referring to.
Austin (18:06):
Yeah, yeah, that's
exactly.
And I think what I'm trying to get at here is that they're
expecting that to be the minimum threshold.
They are.
Brooke (18:16):
Yeah.
And I would say don't even pay attention to that.
Get the whole thing done.
Because, I mean, it's not just a simple 88% or 80%.
It's that there's no three-pointers or five-pointers
that can be POAMed and only certain one-pointers.
And so it's a whole thing.
So you have to know which ones you can and can't POAM to be
(18:42):
able to walk that line there.
And really, you're not getting yourself... Right.
Yeah.
A lot of the
Austin (18:53):
things you can go ahead
and start implementing unless
you just have a large hardware project or, you know, long-term
engagement you have to complete.
I mean, but a lot of technical controls can be implemented
reasonably quickly
if you have an infrastructure that can
accommodate it.
Brooke (19:11):
Absolutely.
And to that point, really the bar is if you're starting at
zero or you're just starting off or you haven't got very far,
then the rule of thumb is that it takes at least 12 to 18
months to go through the whole process to get compliant.
(19:33):
That doesn't include calling up a C3PAO and saying, hey, I want
to get on your list that's three or four or five months out.
And then a couple of months or so that it takes to go through
the assessment.
So my point is that you really need to knock those out and get
that stuff done because it's not a quick thing to get done.
Austin (19:55):
What is a conservative
estimate?
What I've been telling people is if we start today getting you
compliant, probably– the end of that journey is probably a
year.
And that might even be a little hopeful.
And, you know, the longer youwait.
There's
Brooke (20:13):
some things that just
take a while.
I can tell you sometimes just trying to get a Microsoft
GCC or GCC High tenant takes a long time.
It's like, why are we going in circles here?
But really, it does take a while to get done, so don't
(20:34):
wait.
You can get...
Austin (20:37):
You can get caught
unprepared.
There's one of your two catchphrases again, don't wait.
Yeah.
And documentation, documentation, documentation.
That's right.
Maybe you've got, you know, the ultimate hope and the patron
saint Elon that he cuts these things or, you know, you're
really just holding out.
Yeah.
And you want to ignore this.
(21:00):
Yeah.
What happens?
What might happen to you?
What are the ramifications of ignoring it?
Just kind of speculation and based on what the government is
saying.
Sure.
I mean, it depends on where you're at in the
Brooke (21:16):
process and what kind of
contracts you have or don't
have.
But if you kind of ignore it and just put it off and put your
fingers in your ears and la, la, la, la, or beg the patron St.
Elon, I guess is what you said, to make some cuts, the
ramifications could be that you just don't win those new
(21:37):
contracts.
The ramification could be that a prime says, hey, you're
working on this contract now and we need to get you, uh, we need
all of our, or a certain percentage of our, um, of our subs
to be, uh, CMMC level two certified. We need you to get
certified. And at that point, you know, it's like, oh well, you know,
(22:00):
sure, I can do that. It's only going to take me, you know, eight,
twelve, eighteen months, whatever it may be, to get that done. So,
um, the, uh, you know, the prime contractors, uh, we're already
starting to see them saying, you know, we need you to start.
We need you to make that call.
We need you to show us the date that you have scheduled to meet
(22:22):
with the C3PAO to kick this off.
They're asking for that now.
And it's not even required.
So, you know, the primes, sometimes people forget the
primes.
They're trying to win contracts too.
They're just like you and me.
Well, not really just like you and me.
Still a lot more money.
(22:44):
But they're trying to win contracts.
They're trying to be in the best position possible.
So they're trying to make sure their whole ecosystem is in
really good shape.
And so we've heard it from several of them.
They want to get you green in their system, which means you're
compliant with the whole ecosystem,
with all the controls, uh, and you have, you know, all your
(23:05):
documentation in place.
Uh, we've heard that for a while and now we're starting to
see, like I said, uh, them saying, hey, now that you're
green in our system, we need you to get your certification.
So, uh, that's coming up.
The other thing could be is if you've been checking the
boxes saying, yeah, we're complete, we're compliant.
Absolutely.
We got 110, you know?
(23:26):
So, uh, if you've been doing that and you haven't
realized, uh, that you're not 110 and pulled that back some.
You know, you could face some legal obligations.
You know, some– oh, shoot.
False Claims Act?
False Claims Act, yeah, sorry.
(23:47):
You know, they've made some examples of some institutions
for the False Claims Act.
So if you've been saying you're compliant and
you're really not quite there yet, then you could be subject
to the False Claims Act.
And that's nowhere I'd want to be, I can tell you that.
(24:08):
So those are the ramifications at a high level, you know, lost
money.
Um, lost reputation, legal challenges, stuff like that.
Or you just decide to go just a completely different direction
and forget about the DOD for your business.
Austin (24:27):
Yeah, so I guess if
you've been generous with your
self-attestation or SPRS score in the past and you're still
performing on contracts that require this compliance and
you're thinking about ignoring it, that could put you at quite
a bit of risk if you're still performing on those contracts
(24:52):
and have no intention of taking care of this, just to make that
clear.
And it could.
And
Brooke (24:58):
to go back to something
I've always said again, and if
you meet those controls technically, but you don't have
all your documentation, all your policies, all your plans, all
your procedures, I would hope you have your SSP, your list,
(25:19):
your proof.
If you don't have all that, which is documentation,
documentation, documentation.
If you don't have all that, then you're not compliant.
And that's what a lot of people don't realize.
This really isn't an IT problem.
Even though we're an IT shop, helping folks with this.
This is not an IT problem.
This is really a business problem that you can put some
(25:40):
technical controls in place, but there's a lot of people and
process and everything else that goes with it.
It's a whole company that does this.
It is not the IT department.
In fact, most companies grab their IT guy or maybe their
quality guy or whatever, but, you know, they grab their, in a lot
of places the quality guy is the IT guy, you know, they grab the
(26:03):
IT guy and say, hey, let's get compliant and do what we can. And
then the IT guy goes, oh well, you know, we've got to spend
money to do this and this, and they're like, oh, no, we can't
spend money.
It can't be the IT guy leading it necessarily unless he has
buy-in from the upper management, from whoever's
(26:24):
leading the company.
This is a people-and-process problem with an IT component.
It is not just an IT problem.
It is not just an IT problem.
Austin (26:35):
Yeah, and...
Just to riff on what you're saying there a little bit, when
you say documentation, a lot of people think, oh, my SSP, my
POAM, my policies, but that's actually a small portion of your
documentation, right?
There's a whole other portion that is an everyday, living,
breathing piece of documentation, that you've installed patches,
(26:58):
that whenever you made a change, it was documented in
what you did on the network.
If you had a virus or something, of course there's
reporting or whatever requirements might happen there,
but as you make configuration changes, new applications
installed, stuff like that, all that has to be documented and
then shown to the assessor, and then that can't be like the last
(27:22):
two weeks if you've decided...
you know, that you wanted to start collecting it so that way
you could pass your assessment.
It has to be like past six months or more, right?
Yeah, and I may have used some wrong examples on what needs to
be documentation, but I think that's, is that mostly correct?
No, it's good examples.
Brooke (27:38):
You're right.
I mean, you have to show, you know, your change procedures and
that you're following them.
You have to show that you really are updating things.
You have to show that you really are managing this whole
thing.
You have to show that you are collecting the logs.
You are reviewing the logs.
You know, you have to show all this stuff, and it's got to be
documented.
And so not only that, I mean, you have to have all of the
(28:03):
assets that are on your network listed out, including people.
You have to have them all listed out and classified.
What kind of assets are they?
How many people have actually done that?
But, yes, there's a lot of documentation.
Your policies, you should have your SSP.
That's really the easiest one to get in place.
(28:24):
But you should have all your policies backing that up, all
your plans and procedures.
And those are the base level.
Then all your other documentation to go along with
that, the lists, the approvals, everything we just mentioned.
Austin (28:40):
Well, now assume that
you're a contractor that is
wanting to do something about it,
and wanting to stay ahead of this, what should they be
doing today to get compliant?
Brooke (28:57):
So really, I mean, you
should know your SPRS score or
SPUR score, however you want to phrase that.
I really, you like saying SPRS, and all the people I talk with
in the meetings and everything, they always say SPURs, so I
always call it SPURs.
But, you know, know what your SPUR score is, know if it's
accurate, know what you've got to do to get that...
(29:19):
to raise that...
to get that on up to 110.
You should...
prepare for a third-party assessment, a CMMC certification
assessment, and that's part of getting that SPUR score up to
110.
But you should get ready for that assessment because they
(29:40):
will assess not only your technical controls but all the
documentation we just talked about.
All that documentation is going to need to be in line and
ready.
And I think somebody– I think the last conference, one of the
assessors said if they ask for your SSP, I think they said.
(30:05):
I can't remember.
If they ask for something, your SSP, and it takes more than a
day to get it back to them, 100%, you're not ready.
So that's what they've experienced.
So if it takes more than a day to get that SSP to them, then
they know they're not ready.
Because that should be, you should be able to spit that out
(30:26):
and get it right over to them because that's, like I said,
that is the basis.
That's what everybody's been kind of really working off of.
Oh, this is my documentation.
This SSP is what I got to have.
It is part of it.
You know, it's a, that's a start.
Right.
So, and it also depends on how people do their SSP and their
(30:47):
policies differently.
And we won't really, you know, where you put more of the detail
and whatnot.
And we won't really get into that right now, but, um,
Understand your CUI.
What kind of CUI do you have?
I can't tell you how many people we say, or what kind of
CUI do you have?
And I go, I don't know.
What do your contracts say?
(31:10):
What do the markings say?
And of course...
There's a lot of our clients that don't even get marked CUI.
It's getting better now, but there's a lot that don't get
marked CUI.
But you should know what kind of CUI that you have because
that's important to be able to scope your whole network.
And so understand your CUI, understand where it goes in your
(31:34):
network, but also make sure that your supply chain is ready.
If the primes are having to make sure their supply chain is
ready, which is you, or which could be you, then you also,
there's flow down.
It's always been there, but it was recently called out,
(31:54):
specified, hey, you need to make sure that your subcontractors,
the people that you have do work for you, are compliant as well.
If they get CUI, it needs to be protected, and they need to be
able to prove that to you, just like you have to prove it to the
primes.
And the last thing is...
really get that assessment booked.
(32:14):
When you think you're ready, go ahead and book that assessment.
Or if you have just a couple things to clean up and you're
sure you can get it done, book that assessment.
Because those assessments, like I said, just now in the
voluntary period, uh, they're three and four months
out. And so, uh, there are more C3PAOs and more assessors coming
(32:37):
online, but not at a fast pace, right? Um, the demand for
those assessments is just going to keep increasing,
especially as we get closer to that 48 CFR rule going final and
being required on contracts. Um, so, uh, if you think you're ready
or you're very close to being ready,
(32:58):
make that call.
I can guarantee you that assessor, that C3PAO is going to
say, hey, great, I'd love to work with you.
Let's make sure you're ready.
And so they're going to ask you some questions and to show them
some stuff and, you know, what do you have.
And they don't want you to send them any of your policies and
(33:19):
stuff like that, but maybe a list of what you have, stuff
like that.
So they want to make sure that you're ready and they don't
waste your time and their time.
Because they're, like I said, they're backed up.
They've got a lot
Austin (33:33):
going on.
Yeah, don't phone that part in either because they're trying to
save you money on that one.
Because you're going to waste thousands of dollars if you
schedule an assessment and you're not ready.
Brooke (33:45):
Yes.
And, you know, hopefully that fleshes out in the very first
part because most of them are probably going to, they want to
know what you have ready.
And then from that, they ought to be able to tell if you can
move forward to the next part, which is probably pay them, uh,
some sort of retainer, not the whole amount, but some retainer
to go through and verify that you're ready.
(34:06):
Um, and then if you're not, if they can tell at that point,
you're not ready, they'll go, let's hold off and circle back
up when you're ready because you're not ready.
Um, so, and again, we've said this in the past, they can't
provide, um, any consulting to you.
They can't sit down and say, all right, well, these are, this
is what you got to do.
(34:26):
And this is how you can do it.
They can't do that.
And, uh, well, they could do that, but they can't do the
assessment for you after that.
Somebody else would have to.
So absolutely, if you go through an assessment, if you
get to that point and you go through an assessment and you
have a five-pointer or a three-pointer that can't be
(34:47):
POAMed and you can't fix it like right now, then you just wasted
all that money for that assessment and you've got to
reschedule it, which is going to be another three or four months
out, another couple months completed.
Austin (35:01):
In terms of when you're
looking at an assessor and
interviewing them, getting quotes, from my understanding.
And I'm not saying, because I don't have experience with
assessors that do this, where they just give you a one
fixed project fee, you pay it and everything's good.
(35:21):
I think it's.
From what I've been able to tell, it's best to work with an
assessor that's going to benchmark it in terms of the
engagement.
So they'll work with you in installments probably isn't the
word, but in phases, right, I think is a better word, because
(35:41):
they'll help get you through that process because it's
hard to give you a price because everyone's different.
That's just, you know, a flat fee.
And if they do and you pay for the entirety of it up front and
you're not ready or you fail, then it's paid for, right?
(36:03):
And so, but if you work with somebody that's going to phase
it out like that or benchmark it, they understand what is
required in the assessment process and your piece of it.
And it's just, it might work out better for you.
At least that's my personal opinion on how, um, it's my
personal opinion on it, so...
Brooke (36:22):
Yeah, and to be, to be clear, they, they're not gonna, um, which is probably not what you're talking about, but they're not going to, um, piecemeal the whole thing. Uh, it'll be like I was talking about, an initial upfront quick list of here's what I have ready, cool, we can proceed to the next phase, which is you proving that you're ready, and it's going to cost this
(36:46):
much, you know, $5,000 or whatever it may be, to look through some of this documentation to see that you really are ready. And then after that, they can say, all right, to do this, it's going to be $50,000 or whatever the cost may be at that point. And once you pay that $50,000, you are on the hook and you do go through it. And if it turns out you do fail one of those five-pointers at
(37:09):
that point, even though you've tried to, and the assessor has tried to make sure that you're ready, because you just don't know those things, a lot of those things. But if you do fail one of those three-pointers or five-pointers, then there's not much that can be done.
Austin (37:26):
Exactly. That's exactly what I'm trying to say. And I just know, in dealing with a lot of business owners, and, uh, on quotes and stuff, that a lot of times it's just, give me the brass tacks, I want the price for it, um, the whole thing, you know, up front, tell me. Which I completely get, but for something like this, um, it doesn't quite translate. Um, so if you're
(37:48):
wanting to get that, it might end up biting you in the rear on, on that one. So, and the other thing I was wanting to bring up, um, in terms of, you're talking about booking the assessment early, um, we were at, uh, CIC Southwest last week or a week before. Um, and, uh, it just didn't click for me. Um, uh, I'm sure we've read it or talked about it.
(38:12):
Um, but there's, with all these changes coming, there's going to be a NIST provision for the 800-171 or something. Um, and, um, there's some time frame where if you get assessed, uh, earlier, you get to come in under the wire with
(38:32):
the less stringent, or at least not changed, requirements. Um, and instead of having a, a whole new set of requirements that you have to, um, adhere to. Um, can you, can you explain that for us? Sure.
Sure.
Brooke (38:45):
Sure. Uh, you're right. So the, uh, actually the revision three of NIST 800-171, um, to back up a little bit, uh, NIST 800-171 revision two is hard coded right now for, uh, for CMMC. Uh, so that's, that's what you, that's what you're held against, those controls that you're measured against.
(39:06):
However, uh, NIST 800-171 R2 has been superseded by Revision 3. So this was a big deal when it came out, and everybody was, including us, running around like chickens with their heads cut off going, oh my gosh, look, we've got to change everything now, and CMMC isn't even out. And they said, oh, don't worry about it. It's just going to be Revision 2.
(39:26):
Oh, thank goodness. Just Revision 2. Good. That's all we have to worry about. We have to worry about the controls and everything that we have been having to worry about the whole time, and it's not going to change right now. Well, the next major, after they get this required on contracts through the 48 CFR, when it finally comes out,
(39:48):
sometime soon. Who knows? You know, maybe... into Q1, probably beginning of Q2, whenever that 48 CFR comes out that requires CMMC on contracts. So whenever that comes out, after that, they're going to start working on the next major revision, which will include
(40:11):
revision three of NIST 800-171, which means it'll probably take a year and a half-ish. Who knows? But, and the timeline of CMMC, not that long. And I don't know about you, but I can't believe it's already March of this year.
(40:31):
So the point being, time is flying. And so revision three of NIST 800-171 will be coming. And it would be better to go ahead and, if you can, go ahead and, well, go ahead and get certified on revision two, because once you get your certification, it's good for
(40:53):
three years. And if a change comes out for revision three during that point, during those three years, your level two certification is golden and good until it runs out, and then you have to worry about revision three. Well, you probably want to plan for it, but other than that, your certification itself is good for
(41:15):
those three years. It doesn't have to be, you don't have to be reassessed or anything. So that's, that's really good, because likely there's going to probably be a lot of people that get assessed and then that change is going to happen. So if you look at the timeline, you're probably, just spitballing here, this is nothing official, I promise.
(41:35):
But just from a guess, kind of what everybody's kind of looking at, you're looking at maybe June or so. So if this comes out in April, the 48 CFR comes out in April, you've got to give it 60 days. So it's April, May, June. So if it comes out in June, and goes final and then goes
(42:01):
official in June, that means that first phase starts and you have until June the next year. Phase one is only self-attestation. It's more serious, but it's self-attestation. Pretty much what you've been doing all along, except that you... You better be doing it right. So self-attestation for the first year.
(42:25):
The second year, each phase is a year. There are four phases to it. The second year that starts, the second phase that starts in June or about June, I shouldn't say it starts in June, about June of '26, 2026, is when it will actually start being required on contracts.
Austin (42:45):
Okay.
Brooke (42:47):
Caveats to that, and I'll mention them in just a second. We've mentioned them several times, but so you're looking maybe at June of 2026 being required on contracts, which means potentially, potentially, that you might not have to be, have your level 2 certification until later in the year 2026 or
(43:08):
maybe even the beginning of 2027, when they say, okay, it's time, you have to have it. Well, as very possible, by that time, revision three could become codified in the DFARS rules and the CMMC, and you might have to change gears a little bit and be compliant with revision three.
(43:31):
So that's kind of what we're talking about here. If you get assessed right now or sometime before then on revision two, what everybody's had to worry about the whole time, then that'll be good for three years, and you don't have to worry about revision three. Revision 3 is not terrible, but there are changes, and there's
(43:52):
still 110 controls, but they're not all the same 110 controls. They combined some. They added some. So Revision 3 is a change. It'll be better to get ahead of the ball on that one as well. And, again, that's another don't wait, another reason not to
Austin (44:12):
wait. Just thinking about how all of the, and 800-171 Rev 2, because that's the one that's hard-coded right now, right? Yes. There's a lot of things that have taken a while to come to accepted practice or consensus in the circles. So... So we're benefiting from that in this time frame for Rev 2,
(44:38):
knowing what assessors have said they will pass, what the general consensus is, what the government and Department of Defense is saying that they're comfortable with. And so all that collective information gives us and y'all an action plan on how to implement these controls.
(44:59):
And just with Rev 3, you kind of, for the changes, for some of those things, you kind of start that time frame over again. And so it just, it decreases your risk profile in terms of getting denied certification.
Brooke (45:20):
So get assessed on something you know.
Austin (45:22):
Right.
Brooke (45:22):
Something that's brand
Austin (45:23):
new. Exactly. Let someone else do that. What should businesses, if you're a, um, aerospace manufacturer, defense manufacturer, uh, if you're just a defense subcontractor, you're in the supply chain somewhere, um, what should they take away from today's episode?
Brooke (45:42):
Uh, well, uh, CMMC is here. Uh, it's coming. The, the, the rest of it is coming. It's not stopping. It's not going away. It's coming. Your SPUR score is very important. SPRS for you and some of those other folks out there. So your SPRS, SPUR score, is very important.
(46:02):
Make sure you know where it's at and where it needs to be, and start working on that. Self-attestation is largely going to go away, not completely, but most folks likely will fall into the realm of needing to be level two certified.
(46:23):
If you're level two, the likelihood is most of those are going to have to be level two certified, not self-attestation. Your supply chain, your vendors, the flow-down rule, that's a real thing. You've got to make sure that your suppliers are covered, because if
(46:45):
your suppliers and all your vendors, all your... service providers, right? So we're a service provider for our clients. We don't have federal contracts. We work for people that do, right? And so we help them with all this. So we are one of their suppliers, one of their vendors, one of their service providers.
(47:06):
So make sure all the people that help you out with your business and those banners, make sure that they're compliant where they need to be. Don't shortcut it. Don't assume that, you know, well, you know, we say that this
(47:28):
is not CUI that we're handing down to these folks. Well, you better be able to prove that to an assessor and them understand that, oh, yeah, this is, you know, they're not covered in this, right? So assessments will be in high, actually, they won't, I was
(47:48):
going to say they will be in high demand. They are in high demand. And that will not slow down for the next probably four or five years. Maybe four years. But it's not going to slow down, because there's only a certain amount of C3PAOs and assessors.
(48:08):
And there's 80,000 whatever in the companies in the DIB that will need to be certified. So... You know, there's, that's a lot of work for not very many C3PAOs. So they're in high demand, and just realize that as you're
(48:32):
getting ready for all this.
Austin (48:33):
If you don't mind me adding one in there. Sure. You're talking about the supply chain, because we're IT providers and it's top of mind. Make sure you ask your IT provider, if you're using someone that's outsourced, if they intend on getting certified themselves, because they need to be certified.
(48:54):
And if they're not, then you need to ask them if they can pass the assessment with you, because, and you're going to have, by the way, have to pay for that. Um, so you're going to have to pay for the additional hours it takes for them to assess your IT provider. And if they fail, you fail. So, uh, before you reach out to an assessor and, and get a bid
(49:18):
and, and start spending money, talk to your IT provider first, if you're outsourcing IT, um, because that could be a hidden little gotcha if you're not looking at it. Um, and I think we've mentioned that in the past, but in terms of action items, I just want to throw that in there. So we have a PDF that we've collected a lot of this information in, and we're going to drop it in the description down
(49:41):
below. So check that out. Download it. If you're bad at taking notes like me, I always like to have something to reference. So you can take that with you. And if you have any questions about what we covered, reach out to us, please. We're here to help fast-track your compliance journey. Text, email, or call in your questions.
(50:02):
We'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share, please.