Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_03 (00:00):
Hey there! Welcome to the CMMC Compliance Guide Podcast. I'm Austin.
And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business going on track.
Today's question is simple, but high stakes. Are you really NIST 800-171 compliant? You might think so, but there are a few controls that contractors overlook all the time, and that can put your contracts and reputation at risk. Brooke, from what we've seen from past DIBCAC assessments, what's the biggest misunderstanding contractors have about NIST 800-171?
SPEAKER_02 (00:47):
Probably really the biggest one is scoping. And we've kind of talked about this before, but people don't get their scope quite right. They include too much or try to scope it too narrow and then have data leakage, or however you want to phrase that. They didn't take everything into consideration. So scoping is the biggest thing. Folks have a tendency to have a problem with that. Hopefully you find that out rather soon and you don't get too far through an assessment or anything before they kick it back and say, this
SPEAKER_03 (01:24):
is not going to work. So if you're sitting at home trying to figure out if you've gone too far, what is a general rule of thumb that they might could go by to see if they've done a little too much or too little on their scoping?
SPEAKER_02 (01:36):
Well, really a general rule of thumb to do your scoping properly. This is whether you're going to design a new system, whether you have something in place, or you have something in place and you're going to try to design a system. However it works out, the first thing you need to know is what kind of data, what kind of CUI, you're trying to protect. That's key in this, right? Because if you don't know, you may get some of the controls a little not quite right. That's a key thing to know. But really for scoping guidance, once you know that, it's best to draw a data flow diagram. I'm pretty visual, so I can draw a diagram, or you can put it in, well, I was going to say Visio. That might be old school these days. I don't know, but I use Visio a lot. So Visio or something like that. I think PowerPoint is a... anything, but like I said, hand drawing. I mean, I always hand draw all my network diagrams and everything anyway, because I normally draw it, redraw it, redraw it till I get it right. And then I go put it in Visio or whatever you want to put it in. But yeah, the program you want to use is fine, but you know, hand-drawn is great to get the understanding started. Going down that rabbit hole, but it's not necessarily the tool. But when you start doing your data flow diagram, it's easy to take that at a high level and say, oh yeah, we get it from the internet and we download it into our system. You know, that's our data flow diagram. Specifically, how do you go list out all the actual systems? You go to, you know, Lockheed's portal. You go to whoever's portal, download it from that portal, or you get it through secure email or whatever it is. Each one of those is a system. Write all those down. Write down all the systems. Draw out all the systems that you have in place, like Microsoft 365, SharePoint, then email, SharePoint. Whatever you have on-premise, you have your file system, your server shares, you have maybe an ERP or an MRP or something like that, or some other kind of database. You have some other applications that use it. So you've got to list all those systems, all those applications out, and then draw out where your data, your CUI, flows to. Once you take all that into account and draw it out, it begins to make a little sense. And if you draw it, it looks like one big giant spaghetti, a bowl of spaghetti, which is probably about right.
SPEAKER_00 (04:01):
But
SPEAKER_02 (04:02):
once you draw all that out, then you can say, you know what, we need to simplify this. This is the way it looks currently. This is what I want it to look like, and you can then design that. But you've got to draw that data diagram, data flow diagram, first, and take everything into consideration. All your portals, all the applications, all the systems you have, take all that into consideration. Also take into consideration, do you send it to some of your subcontractors? You've got to pay attention to flow down, right? So if you send it to some contractors, how do you get it to them? So you've got to make sure you keep your controls in place when it leaves your boundaries as well. And then, not that this is part of the data flow diagram, but there's flow down, and so contractors are going to have to meet that as well. So it's good to know that your subcontractors are compliant as well.
SPEAKER_03 (04:58):
So when I think about operationalizing this a little bit, I think there's three main buckets. Where does it come from? It's a source, right? So if you could map that out, um, you know, is it customers, what customer portals, um, is email, et cetera. And then second is where does it reside while it's here with us, whether it's on a machine or a computer or the file server or the ERP system, wherever that may be on your systems and, um, in software. And then three, where does it travel to? Where does it, right? And what modes or pieces of software or communication channels there? So it's kind of three main buckets. And from there, you might need to bring everyone, programmer, CNC operator, the general manager, the salesperson, you know, whoever, you might need to bring them all around a table and put those three buckets on a whiteboard. And then you can map it out. You don't probably just want the quality guy or the owner or the GM just assuming and putting it together. You probably need everyone contributing to that. That is a very good point
SPEAKER_02 (05:56):
because I know that as an IT guy and working with some GMs and owners and whatnot, some CEOs or CFOs or whoever, what we think is happening isn't always what's actually happening. So yes, you need to get some of the people that actually do the work and actually know what's going on, actually have done it and can tell you this is the way we do it. And a lot of times you end up going, yeah, we didn't realize they were doing it that way. So it certainly helps to know all that, yes. So you say a simple thing, just draw a data flow diagram, and it really can get pretty entailed, but simply you need to have a data flow diagram and know where that data goes that you're trying to protect. It can be a little complicated trying to figure it all out. That's a very needed first step. I guess that would actually be the second step, right after knowing what kind of data it is that you're trying to protect.
SPEAKER_03 (06:58):
So let's get into specifics. What are some of the top NIST 800-171 requirements that contractors miss or get wrong? So for multi-factor
SPEAKER_02 (07:06):
authentication, MFA, what we see a lot that people do is they make sure it's in place for remote connections like VPN or something like that, and also for admin sessions, which is absolutely needed for those. It's also needed for network connections to CUI, which means if it's going over your local network, if you're connecting to your server over a network, which you likely are unless you're working specifically on your desktop or laptop on that hard drive. If you're going across the network to access that data, it's across the network and you have to have MFA in place to protect that. MFA, multi-factor authentication. So that's one of those things that is misunderstood. Next would be risk assessments. Risk assessments need to be done on a periodic schedule, annually for instance. And you need to follow a risk management framework and methodology, and you need to document everything you do for that risk assessment. So that's another thing that people get wrong or don't follow through with, is those risk assessments. Another thing would be logging. A lot of people make sure things are logged. A lot of people think you absolutely have to have a SIEM. ...necessarily have to have a SIEM, but you need to protect. The way the controls are written is that it really makes it a lot easier if you use a SIEM. A SIEM will help you very easily fit all those controls. But it doesn't require a SIEM for logging, but you have to make sure that you specify what is supposed to be logged. And then you have to make sure that's logged. Make sure the logs are protected. That's the whole nine yards. If you use a cloud SIEM, that's a whole other ballgame. A SIEM is a... A SIEM, there's a... It's not a TLA. I guess that would be a... FLA, four-letter acronym. SIEM is a security information and event management tool. So it gathers all your logs from all the different sources you could gather them from, so your servers, your firewall, workstations, Microsoft 365, GCC High, you know, and whatever other tools that you can integrate into it. ...is really what you
SPEAKER_03 (09:47):
need to put in. And it more or less conveniently checks all the boxes for the logging.
It
SPEAKER_02 (09:53):
does conveniently
SPEAKER_03 (09:54):
check those boxes,
SPEAKER_02 (09:55):
yes. You know, it helps in management. It helps in alerting. It helps secure those logs, the whole nine yards, I guess. But the key to that is you need to make sure you're logging the things that need to be logged, make sure that's defined. A lot of people don't realize if it's defined, you need to write it out and say, this is what we're logging. This is what the logs are supposed to have in them. And then you have to verify and make sure that that's what's actually in the logs. So making sure you do that is, again, that's a part of documentation. So a lot of people know, of course we log things.
SPEAKER_00 (10:35):
Well,
SPEAKER_02 (10:36):
what's in those logs? ...stuff. But you've got to know what's in those logs and you've got to make sure that you define all that. Just make sure that, again, it's documented. Make sure that you've defined what's supposed to be in the logs and that you actually are logging the things that you say you're logging. I think you'd mentioned supply chain oversight as well. You're always supposed to verify that your suppliers, that anybody that you handed off that CUI to or any part of that CUI, that they are compliant as well. You've always supposedly, you're always supposed to do that. It wasn't done very much. So they specifically called it out and said, yes, you are supposed to, it is your job to make sure that your suppliers, your vendors, anybody you subcontract to that touches that CUI, they have to be the same level as you. Now, it may be that they only, if there's documents that are portion marked, and I don't know about level one and level two, I guess level one really would be FCI, but it could possibly be that you're not passing down CUI and it's only FCI. You're level two, they need to be level two. If you're level three, likely they need to be level three. Really, if you're level three, but you have some information that's level two, that you know is level two, then they need to be at level two, is what I understand. For instance, Lockheed, they're going to be level three. So actually, anyway. But not all of their suppliers for the F-35 have to be level three. Some level three, I'm sure. Most of them level two, and then I'm sure there are some people that do some off-the-shelf stuff. Now that we've made that clear as mud, basically. But the rule is flow down. If you send them CUI, they need to be the same level as you are.
SPEAKER_03 (12:36):
How does documentation play into compliance misunderstandings?
SPEAKER_02 (12:40):
I don't know. Have we ever talked about documentation before? No, never. So, you know, there's a small portion of these controls and the objectives that are technical, and most of this is process and documentation, right? But there's a ton of documentation. If it says list, you've got to have a list of folks, you know. If it says define, you've got to have, uh, something written out, a policy written out. You have to have policies anyway, but you have to have policies, you have to have your plans, uh, procedures written out. There's just a ton, an absolute ton, of documentation that needs to be written out, not just your SSP, not just your policies for each of the families that, uh, you know, access control and awareness and training and all that, but every, everything. You have to have all your policies and then you have to have, you know, your procedures, this is how we do these things, you know. Beyond that, to be able to pass an assessment, you have to have all your proof, right? And so, yes, we've done this, and here is proof. Here's my documentation that shows how, you know, our SIEM is set up or how Active Directory is, this GPO is set, stuff like that. You have to have all that proof in there as well. So there is an absolute
SPEAKER_03 (14:04):
ton of documentation. You might have to write your SSP, your POAM, and then write the policies and document form of how you're going to set up your network. And then you might have to, once you show them that, actually show them the network that's set up that would match the documentation, how it's set up, the network being set up. You know, maybe some technical people watching, like security groups in Active Directory or something. That's not good enough. It needs to be in a document, preferably in a GRC tool or something, right? But not required. GRC tool makes it a lot easier. I can tell you that. A lot easier. The reason I bring that up is because not every assessor that we... come across, but it seems like a lot of them might prefer for you to have a GRC tool. So if you're looking at quick wins, low-hanging fruit, on making the job easy for the assessor, which would probably make the assessment easier, which might lend to you passing an assessment better, you might want to look at getting one. Absolutely.
SPEAKER_02 (15:12):
GRC tool makes it a lot easier. It'll make an assessor's life easier. Assessors love to see a GRC tool in place, especially if it's all fleshed out, you have everything in there that you already need, then they have access. You can either export everything and get it to them or you can give them access. Depends on the assessor, I think, probably. You know, we use FutureFeed, and they just came out with Assessor Role, I should say. Anyway, so you can... assign an assessor, create their account, and assign them the assessor role, and it'll give them read-only access to everything in there, because they had specifically asked the FutureFeed guys to put that in place because they didn't want to be accused of getting in and changing anything. Anyway, so they've created that. The point is, though, that a GRC tool makes life a whole lot easier for you and the assessor. But the assessor will appreciate that. And it's certainly not going to hurt your chances, I would think. No, unless you have it set up very poorly. But if you have that set up very poorly, then it's probably likely there's a lot of other stuff that's done poorly. So it's either going to take you... 150 years to get through the assessment, or you won't pass it. But a GRC tool,
SPEAKER_03 (16:39):
completely flesh it out, will help you with that assessment. And the reason I bring that up is because we're big on, I guess we can't say proven best practices, because there's a minority of people who have gone through assessments and been certified. But at this point, we can have accepted best practices, or what everyone's saying, assessors mainly, they would wanna see. And so we're big on taking a playbook that is the least path of resistance to get you to certification. So whether it's with us or someone else, like, GRC tool is part of that. We're going out on the Oregon Trail. You can certainly make your own path, or you could buy a map from the guy at the trading post of the routes that people died less on.
SPEAKER_02 (17:34):
I don't know that I've had the CMMC assessment process compared to the Oregon Trail before, but that's pretty good.
SPEAKER_03 (17:41):
Yeah, I mean, I was just thinking about it. I remember playing that game as a kid. I think everyone did, and it's kind of like that. It's fraught with adversity and danger. There sure is a heck of a way to make it easier. And that is to build on those that have gone before you, or listen to the people that you're going to be beholden to, and make your job a little easier. Just to tack on to that,
SPEAKER_02 (18:09):
you know, that's one of the things that you want to look for when knowing who to trust, is folks that are, you know, provide registered practitioner in a registered practitioner organization, an RP and RPO. They get registered through the Cyber AB. That's very minimum, and to tell you the truth, the bar is pretty low for that. The next really good step is a CMMC-certified professional. And there's a lot of folks, including us, who have gone through that training, because it basically teaches you how to do an assessment. And so that is, it's been eye-opening for us, for some of our folks who have gone through it. So that's great. CCAs can help out a lot, although there's going to be a lot of them that are very, very busy right now. But yeah, look for those kinds of things. And people have been doing this for a while and understand it, have been and working
SPEAKER_03 (19:21):
through this process. I didn't intentionally do this, but it seems like a good setup for our next topic that we wanted to get into, which is some contractors say that the guidance is vague. Why does this create
SPEAKER_02 (19:35):
issues? Some of these NIST controls, they leave some flexibility, and they're pretty prescriptive, but there's a little bit of flexibility there to... to adapt these to your own system and cover these controls how you see fit. So that flexibility, even though it's pretty prescriptive, there is a good bit of flexibility there. So that flexibility leads to some misinterpretation. Really, where you need to start is looking at the NIST 800-171A, which is the assessment template. It says when you're going to assess someone, this is how you do it.
SPEAKER_00 (20:27):
You
SPEAKER_02 (20:27):
do this, you do this, and you interview, you test, all this kind of fun stuff. So it goes through the whole thing, and so you need to go through that and look at that. If things are still unclear... You can see where these controls come from. And, you know, for instance, some of them reference NIST 800-53, which is a government document. And that government document is what governments have to follow. Instead of NIST 800-171, they follow NIST 800-53. But a lot of the controls reference back to that and to some other areas. So once you read that document that documentation is based on, that'll usually clear it up pretty good. You know, there is still room for some flexibility and some misinterpretation, or some seeing things a little differently. And that's okay. But you know, if your assessor sees something differently than you do, you can make your case. You really need to make sure you're on solid footing. And really, if you're on solid footing, the assessor is probably going to understand and go, I see what you're doing and I see that it does meet these controls and these objectives. But if you don't read the assessment guide and you don't look at any of the supporting documentation, then yes, some of these can be misinterpreted. So
SPEAKER_03 (22:02):
another thing I wanted to bring up, a mindset issue a lot of people have around compliance, and the fact that it's not a one-time event. You see this a lot. Typically, people think that they can just get some things done, do some paperwork, and be done with it. And additionally, what that leads to is, okay, well, why does this cost money? A lot of money. I might pay for my ISO audit or something and it's just done and we revisit later. Why does this have such a high carrying cost in terms of, whether it's software tools, security licenses, GCC and Microsoft license upgrades? Why is it like this? You have a lot of frustrations and confusion around that being the case. And that it's not a one and done project. Can you speak to that?
SPEAKER_02 (23:02):
People
SPEAKER_03 (23:02):
getting these ITAR
SPEAKER_02 (23:05):
or ISO audits, you know, and that leads to a lot of misunderstanding too, because they think, oh, well, this is just another one like those, you know, it ought to cost two, three, four, five, six, seven, eight, $10,000, whatever, and we're done,
SPEAKER_01 (23:19):
you know.
SPEAKER_02 (23:19):
Come in for a couple of weeks and they're done, right? They write up some things that we need to do and everything's good. Well, this is not like that. So, and we've had people say, you know, I just want you to put it in place, you know, and we'll take care of it, you know. Well, which is fine. And we can do that. But what needs to be understood is that this whole nest, excuse me, sorry to say 1-800. It's not a phone number. So this whole NIST 800-171 thing and CMMC is not a one and done. It's written for management, ongoing management, ongoing compliance, ongoing monitoring. It's written for that. I mean, it's all throughout it. So if you bother to read it, you can see that, right? So we just let people know that, hey, look, this is... what I just said, it's made for ongoing management, monitoring, and maintenance. There's no putting something in place and being done with it. It's like a, and really, to tell you the truth, any IT, this is not necessarily, this is not strictly IT, of course, but there is a technical component, but in IT, people just want stuff put in. They don't want to have to manage it, they don't want anything, and that is really doing a disservice because there's no updates being done, there's no monitoring being done. I can't tell you how many times that we've been called in to somebody new to help out with something, and we go to look at their backups, and we're like, you know, your latest backup you have is eight months old. It's been backing up, and they set it up to back up. Yeah, but it failed here. And it's been failing ever since. Did you check it? Well, no, we didn't check it. So that's what this is written for. It's for ongoing maintenance, monitoring, ongoing care and feeding. And so that's what this whole thing is about. And so you've got to understand that. It can't just be one and done. Now, somebody like us can come and put everything in place for you, but then you have to go manage it, and that's fine as long as you take care of it and all that kind of fun stuff. But somebody has to manage that, whether it's you, whether it's Fred down the street, that might not work, but anyway, no matter who it
SPEAKER_03 (25:50):
is, somebody has got to take care of it. And that would take form of approved patches written down, confirmed that it took place, that it was installed. That would take form in the fact that there is record of a log being reviewed and a result, whether it's remediation or otherwise, happening. That would take place in someone looking at the antivirus system that you have and doing necessary steps there, looking at potential false positives. That would look like someone going on all the computers performing maintenance and then logging and recording it, right? So those are actions that have to happen. You would have to use someone existing on your staff and give them those new additional duties, hire someone internally to fill those new shoes, or hire it out to a contractor to complete them for you. But regardless, they have to happen.
SPEAKER_02 (26:46):
Absolutely. Uh, and you know, to step back from technical a little bit, you know, what about your, uh, authorized user, device, and process list? You know, the work, exactly, yeah. Isn't that in Active Directory? No, it's not. It's... That could be part of it, but that's your identification, not your authorization list. So who reviews that? How often do you do it? Is it documented? What about... your sign-in sheet for people visiting your facility. Do you have those? Do you keep them? Where do you document them? What happens with those? That's ongoing. What about vulnerabilities? Is there somebody that watches for vulnerabilities to come out? Is there any kind of documentation? There's all sorts of stuff that has to happen on a scheduled basis or a routine basis. It's scheduled also, but on a routine basis. The whole ongoing therapy.
SPEAKER_03 (27:45):
Right. And there's a lot of low-hanging fruit. Things like Susie at the front desk can now be in charge of the sign-in sheet, and she records it a certain way, and that's an easy offload to an existing role. And she's in charge of, if somebody doesn't sign in, she goes and tackles them. Right. But then there's a whole slew of new traditional duties that are not easily assigned to existing seats. Correct. And that's mandated by the compliance itself. So we bring all that up, not necessarily to scare you, although it may, but really to get at the point of how this episode started out, whether or not you're actually NIST 800-171 compliant. And those are... some gut checks that you can do to yourself to determine whether or not you might be compliant. So, um, really what we're trying to do is generate a little self-assessment for yourself, so that way you are empowered to know what camp you might be in there, right? And so if, uh, you checked yes to all those boxes, all that sounds like stuff I'm doing, fantastic. You are doing phenomenal. If anything like that sounded like maybe not, I want to make sure we provide some actionable takeaways that those people can go forth with and do to maybe get themselves from not compliant today to a little bit further down that path. So what are some actionable takeaways that a listener at home might do to... to get more compliant.
SPEAKER_02 (29:19):
Technically, first things first is what I mentioned earlier, is to identify your type of CUI you're trying to protect in the data flow diagram, right? But really, the next step is to do a full gaps analysis. Make sure that you know where you're at right now. And truly where you're at, not just, oh, yeah, yeah, sure, we do that. But you've got to go through every single one of the 320 objectives and say, do I meet this or do I not meet it? How do I meet it? What is lacking if I don't meet it? Go through every single one of those. And by the way, if there's five, for instance, if there's five assessment objectives underneath one control, then if you meet four of those and you don't meet one, it's not complete yet, that control is not met. So, I mean, it's that simple. You've got to meet all those assessment objectives underneath the control for that control to be met.
SPEAKER_03 (30:26):
But, yes. Sorry to hop on that train of thought is, I believe, and you're going to have to correct me, but the Exostar website has an SPRS self-assessment tool or PDF or Excel sheet, I think, that's available that you could use for free to assess yourself, and I think there's something available from NIST maybe as well, like how to conduct a self-assessment and gaps assessment. Isn't there a couple of resources out there that they could go just download for free without putting their information in? Yeah, absolutely. I mean,
SPEAKER_02 (31:04):
there's all sorts of spreadsheets out there that you can download. And the best thing to do really, if you're starting out trying to figure out where you're at, is to download that NIST 800-171A. That's the assessment guide. And so do that. The level two assessment guide is level one and level two for CMMC. But you download that assessment guide and go through it and fill out, you know, do I meet this objective? Do I meet that objective? And go through every single one. And then from that assessment, from that gaps analysis, then you can say, these are all the ones I don't meet. And then you start grouping them together and you list them out. Here's my POAM. I got to finish all these, right? And so that's your POAM, your plan of action and milestones. And so it's your plan to get everything done, right? So you list out all that. You try to group those together into projects. And from there, you can start guesstimating outcomes. Estimating, estimating your amount of time and effort involved in each one of these, the cost involved. Estimating is just a confident estimate, by the way. Yes, yes. So you can divide it out then. Once you have your POAM divided up into projects and you know your time involved, the effort amount involved, the complexity, the cost, and the priority on each one of these, and maybe you look at these and you add up the number of points it's going to add for each one of these projects you complete. And so you know where your SPRS score goes each time that you complete something. So that may be something important for you to do. But once you get that project list created, then you can start cranking out those projects. Get some quotes, get prices to it, and start doing that. But really, it starts with a good gaps analysis. Everything can be built out from there. And do it by assessment objective, not just by control. You can do it by control, but you're still going to have to take each of the objectives into account anyway. Save your brains and processing power and go by objective. Yeah, just go through each one of those. But yeah, that's what I would suggest, is that that gaps analysis is going to be key. Another thing that you really need to do, say what can they do today to get started, aside from the data inventory, basically, like I said, and the data flow diagram. You do your gaps analysis. Very important to do that by objective, assessment objective. It's also important to make sure that you have decision makers involved in this. It can't just be your IT guy. It can't just be a quality guy saying, hey, here's all this stuff, and here's all this stuff we've got to spend money on, because the C-level guys are going to be going, we need to spend all that money? Surely we don't, you know? So you really need to have some decision makers involved so these projects have legs and so you can get it done. Because that's very important.
SPEAKER_03 (34:25):
Otherwise it just becomes a justification, like... sort of situation. Why do we have to spend this much? But if you put someone that's a decision maker to go in, then it's like, okay, we have to because... If they're involved in
SPEAKER_02 (34:41):
that project, involved in drawing all that out, then it's pretty much assumed that you've got to go through this, you've got to get it done. If you want to become compliant, there's always the
SPEAKER_03 (34:52):
option not to,
SPEAKER_02 (34:53):
right? Right, right. And the other thing along with that to keep in mind, again, is what we just talked about, is that this is ongoing. You'll do this if there's any changes. You're going to have another POAM. This is an ongoing process. There's several things that have to be completed periodically and managed ongoing.
SPEAKER_03 (35:16):
Well, Brooke, do you have anything else for us? I think that pretty well covers it for this episode. Okay. Awesome. We'll be at DIBCON June 2nd or 3rd, I think. Google it.
SPEAKER_02 (35:26):
It's June 3rd through 5th. DIBCON in... Oklahoma,
SPEAKER_03 (35:30):
the beautiful big city, bright lights of Oklahoma City. If you want a shirt, Documentation, documentation, documentation shirt. I promised Brooke that we wouldn't put his face on there, so sorry. We couldn't give them away if you did that. But we'll have the shirts, so stop and see us there. We'd love to meet you. Otherwise, if you have questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions. We'll answer them for free. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.