October 10, 2025 • 26 mins
Submit any questions you would like answered on the podcast!
🎯 Get your Free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
Our experts will review your SPRS score, documentation, and setup to help you hit 110 with a clear action plan at no cost.
Prime contractors like Lockheed Martin, Raytheon, and Parker Hannifin are demanding proof of compliance before awarding new work — and subcontractors who can’t prove it risk losing contracts.
In this episode, Brooke and Austin from Justice IT Consulting explain exactly what primes are asking for, what documentation they expect (SPRS, SSP, POA&M), and the most common mistakes subcontractors make when trying to prove compliance.
You’ll learn:
- Â Why primes are suddenly enforcing subcontractor compliance
- Â What documents and proof you need ready (SPRS, SSP, POA&M)
- Â The biggest mistakes that lead to false claims risk
- Â What happens when you inflate your SPRS score
- Â How to show compliance even before your Level 2 certification
- Â What steps to take now to get audit-ready and stay competitive
Whether you’re still working toward compliance or just need a second set of eyes, this episode breaks down how to prove your CMMC compliance with confidence — before your primes stop sending work your way.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 00 (00:21):
Hey there and welcome to the CMMC Compliance
Guide Podcast.
I'm Austin and I'm Brooke fromJustice IT Consulting, where we
help businesses like yoursnavigate CMMC and NIST 800-171
compliance.
We're hired guns gettingcompanies fast-tracked to
compliance, but today we're hereto give you all the secrets for
free.
(00:42):
So if you want to tackle ityourself, you're equipped to do
so.
Let's dive into today's episodeand keep your business on
track.
Today, we're tackling a bigissue for subcontractors.
Prime contractors likeLockheed, Raytheon, Parker
Hanaffin are all watching, andthey want proof of your
(01:02):
compliance before they'll starthanding you work more and more
often these days.
So, what exactly are Primeslooking for?
And how can you stand out as atrusted partner?
All right, Brooke, let's startat the top.
Why do Prime contractors careso much about subcontractor
compliance?
Speaker 01 (01:19):
Well, they have uh legal obligations to make sure
that their subcontractors uhmeet the same compliance that
they do for each of thoseindividual contracts.
Um the uh DOD has specifiedthat there's a there's a flow
down, and then it's always beenbeen in there, but uh they have
specified that there is a flowdown and that you have to make
sure that any of yoursubcontractors that deal with uh
(01:41):
CUI or that that contract haveto be at the same level you are.
Uh so there's all that's alwaysbeen there, but there's a legal
risk for them.
Um and there's also riskmanagement, of course.
Uh if a subcontractor drops aball or any other number of
problems, uh that's on the uhprime contractor, uh affects the
(02:03):
prime contractor as well.
And they want to make surethey're all of their contracts
are are well and secured and andand uh not in jeopardy.
Speaker 00 (02:11):
Now that we got that covered, what is it exactly
that prime contractors areasking their subcontractors to
show or prove?
Speaker 01 (02:19):
Sure.
So uh what we know what we hearfrom our clients uh what we see
and help them with uh is theprimes uh are asking for SPRS
scores.
Uh what's your SPRS score?
What was your latest one youupdated?
Uh how long ago was it?
Uh all that kind of fun stuff.
And then uh someone want to seeyour SSP.
(02:41):
And so um they have I can tellyou that some of the compliance
departments are very picky onthose SSPs, and they want them
to match the uh the format andthe numbering exactly.
So um, but uh if it doesn'tmatch, then they're like, well,
I don't understand.
And you say, well, see thenumbers here match.
Speaker 00 (03:01):
Um if you look at it anyway, but point is they
There's a lot of things thataren't particularly required by
CMMC, but nonetheless to playball, you have to do it a
certain way.
Speaker 01 (03:10):
Without going into a specific example, I guess, but
uh sometimes those compliancedepartments they don't know the
whole story, they don'tnecessarily understand the whole
trajectory of CMMC or anythinglike that.
And so they just know what'sput in front of them and they
they want to see your SSP andthey want to see that everything
matches the numbers, theeverything else on the numbers
as to the controls andeverything else.
(03:30):
So um that's what they want tosee a lot of times.
Um they'll also ask if you havea POM.
Uh if your score is less than acertain amount, less definitely
less than 110, but some of themwill set it at a different uh
level if there's if you're lessthan that, they want to know if
if you have a POAM in place,plan of action and milestones.
So it's a to-do list to get to110.
(03:52):
Um so uh they'll want to knowif you have a poem in place and
uh you know when you're gonnawhen you plan on having it
cleared up.
So if they ask again in anotheryear and uh you say yes, I do
have a poem in place, and lastyear it said, you know, 10125 on
it, and now it says 10126.
I don't know why.
(04:14):
Uh you know, it's uh outanother year, and yet you have
the same score.
So they may want to know aboutthose poems to to help prove
your case.
Speaker 00 (04:23):
What are the common mistakes that you see our our
customers, subcontractors makewhen trying to prove compliance?
Speaker 01 (04:30):
Inflating their scores.
So, you know, saying you have110 when you might be more like
a minus fifty-six or somethinglike that, or or a seventy or
you know, something like that.
No, I've never seen that.
So uh that's the biggest onereally is inflating your scores
um or just kind of guessing atit and to get that SPRS score
you really do have to go througha a mini assessment to go
(04:52):
through each of those, score itproperly, and and make sure you
understand.
A lot of that has to do withdocumentation and people kind of
skip over the documentation andsay, yeah, yeah, yeah, you
know.
And uh but you can't skip overit.
Uh you gotta have all thedocumentation it talks about and
that impacts a score.
So if you don't have yourauthorized list of users, then
(05:13):
you know you have to countpoints off for that, for
instance.
Speaker 00 (05:16):
So um yeah, you can have you can have done something
technically, but if it's notdocumented, it's like it didn't
have any.
Exactly.
100%.
Speaker 01 (05:24):
Yeah.
Again, most of it isdocumentation and making sure
that you have those technicalcontrols in place uh and that
they're ongoing and monitoredand all that kind of fun stuff.
Another thing that rolls rightinto that is uh bad
documentation.
Uh you know, you don't want toAgain comes up.
Yeah, again comes up.
So uh there's uh documentation.
(05:44):
I should have.
I have a shirt that saysdocumentation, documentation,
documentation, because I saythat a lot.
But yeah, it's uh you've got tohave your documentation in
place.
There is an absolute ton of it.
Uh and um it's you've got tohave that in place.
So uh that's another anotherbig deal um that we see.
I brought it up a minute ago.
(06:06):
Uh another problem is uh uhyour poem, kind of ignoring it
and saying, Here's my poem, andjust kind of setting it off to
the side and going, We're good,let's roll.
You know, and then forgettingthat the poem is a plan of
action and milestones, you know,meaning you have to do
something about it.
So uh if you don't do anythingabout it, then that plan of
(06:26):
action and milestones is a planof inaction and milestones.
I guess that would be a POM orPO whatever plan of action.
Anyway, nevertheless, whateverit is.
We don't need more acronyms.
We don't need any more.
Um yes, that that is a plan ofaction and milestones.
So you have to you have to getthings done on that list.
Cloud services, a lot of peoplehave a tendency to not take
(06:49):
into account their cloudservices, Microsoft 365.
Um, you know, maybe they get uhand shouldn't, but maybe they
get uh CUI through email, ormaybe they send it through
email, uh maybe they send itthrough encrypted email, but
it's but it's uh commercialMicrosoft 365, so that won't
work.
Uh so they've you know they'vegot to address things like that.
(07:12):
Um another big one that uhpeople typically don't have is
incident response.
What is your incident responseplan?
You know, how detailed does itneed to be?
It needs to be detailed enoughto cover your your assets.
So but uh you know, really umyou need to have some sort of
(07:32):
incident response policy andplan and procedure.
Uh and then you need to makesure you have all your bases
covered.
One big one is having a uhmedium assurance certificate
installed on your computer soyou can report incidents within
72 hours.
Uh-huh.
If you don't have thatcertificate installed on your
computer and you have anincident, I can guarantee you
that you won't be able to reportthat incident within the
(07:54):
required 72 hours.
Because you will not get thatcertificate and get it installed
within 72 hours.
If you do, it'll be a miracle.
But uh I wouldn't bet on it,especially if you're having
you're in the middle of anincident, you know.
Now you've got to go focus on,you know, getting those wheels
to turn to to get that mcertificate in place.
Speaker 00 (08:11):
So one I'm gonna add in that I see less often,
although scope is I think alwaysa problem.
Yes.
Um, but uh when we have someonethat comes to us that is
actually reasonably like preppedand ready, and they're like,
hey, we just we need you to helpuh shore up this documentation
piece, like we're just gonnahire you to do that.
Um we typically find that wealways do a gaps analysis
(08:35):
anyway.
Um and this is the reason forit is because they'll they'll
have a big hole in their scope.
Yes.
And so I we'll have someonethat is otherwise buttoned up,
but they'll they'll say, youknow, their CUI comes in from um
you know customer portal, andthen it goes right into a
vendor, and then like, well,hold on one second.
(08:56):
How does it go from customerportal to vendor?
And like, oh, I just downloadit and upload it to the vendor,
and you're like, okay, well nowyour computer's in scope and you
have it as not in scope.
And they're like, oh crap.
Yeah, yeah.
So you'd um it's it is verygood practice to offload the
burden of security andcompliance to other vendors, but
(09:17):
at the end of the day, there'sthere's not a ton of scenarios,
especially if you're amanufacturer and you got real
tangible products or something,that um that your own computers
are not going to be in scope,especially if you're dealing
with CUI yourself.
So um, so that typically peoplewill not have computers in
scope that should be.
(09:37):
And then the other one is justsome big glaring misses that you
just don't always think of.
And so the other day that we wedidn't even think about until
some we're going through the SSPprocess and um and creation of
their SSPs, we identified thatthey would send um some COI um
(10:00):
to print to a print vendor, andthen we're like, oh, well, we
might have to start doingprinting in-house because we
can't find a print vendor that'scompliant, right?
Um, and so we we have tounfortunately in that scenario,
I think we're gonna have tochange their actual business,
maybe not model, but process andworkflow to bring it full fully
(10:20):
in-house.
But those are things that anassessor will likely catch on
to, and if you miss them, thenit's gonna it's gonna mess up
your assessment and cost yousome money because you're gonna
have to go back, fix it, andthen get assessed again.
Right, absolutely.
Speaker 01 (10:36):
Yeah, and uh you know you're talking about scope
and and one of those things thatcauses a problem that causes
people not to think about theircomputer being in scope is the
fact that it's not just storingCUI.
It's not where the CUI isstored, it is, but uh it's also
processing and transmitting.
So processing, storing, andtransmitting CUI.
(10:57):
If whatever piece of thatpuzzle does any of those three
things, processes it, stores it,or transmits it, then that's in
that puts that endpoint orwhatever it is in scope.
Speaker 00 (11:07):
Absolutely.
Okay, we kind of address themistakes that uh we see a lot of
subcontractors make when itcomes to uh compliance and
trying to prove it.
What the natural the naturalfollow-up to that is what are
the consequences?
You know, if someone decides towait or um or even just makes a
mistake and and or doesn't takethis seriously for compliance.
(11:28):
Sure.
Speaker 01 (11:29):
So uh things we've seen is that the prime or main
contractor uh you know can say,hey, we can't send you any more
CUI until you know we know thatyou're compliant or or your
score is right, right?
Uh so they can pause a contractuh if there's something wrong,
or they can uh it can cause youto lose a contract if you find
(11:51):
out there's an issue and you'renot actually compliant when you
uh when you thought you were.
If you're inflate your scorelike we were talking about a
minute ago, then you're at riskof uh having a false false
claims act filed against you.
Uh and one thing I might say isthat there's some of these
false claims acts that have beenum filed against companies that
(12:14):
a lot of them arewhistleblowers.
They're not you know thegovernment there are some that
are there was an incident andthey research that incident and
they figure out thesubcontractor wasn't uh or
contractor, whoever wasn'tcompliant, and then they fine
them and you know say, Hey,false claims act because you had
said you had these things inplace and you just absolutely
(12:35):
didn't, right?
Um not necessarily a mistake,but you just absolutely didn't.
Most of the time they're not uhthey're not nailing people up
against the wall that I couldtell at least uh for making a
mistake.
It's people who are flagrantlyviolating and actually falsely
claiming that they're compliantwhen they're not, right?
Uh so uh you could get a falseclaims act filed against you.
(12:58):
Uh that's it, that would be abad thing, very bad thing.
Yeah.
Um that could there's a lot ofresults of that.
Uh most of them are gonna bebig fines, but uh could result
in jail time too, depending onwhat happened.
Speaker 00 (13:10):
Not to mention, I don't know about everyone else
out there, but I know how muchArchie lawyer charges.
So um just to be, you know,even you know, before jail time
and all the other, you know,consequences, uh you you're
gonna have some costs.
Yes, absolutely.
Just at the start of it.
Speaker 01 (13:27):
Even if everything turns out okay.
Yeah.
You know, you're gonna there'llbe some cost there.
So um but yeah, that's the uhfalse claims act is a big deal,
you can lose your contracts.
Uh and then it's reputationaldamage.
You know.
Um if uh some incident happensand turns out that you aren't
covering something that you weresupposed to, you know, that's a
(13:47):
that's a black eye on you.
And as that contractor orsubcontractor want to go find
somebody who they're morecomfortable with or they're okay
with you, you know, it's soit's uh having a black eye is
not necessarily a good thing.
Speaker 00 (14:02):
Yeah, I see I think two of the biggest motivating
factors when I'm working withcustomers or when they're when
they come to us um is um justbeing able to answer the
questionnaires and go back totheir customers with like a very
good level of good faith thatthey're actually doing what you
know their obligations are, youknow, that's one.
And then um two uh is theobvious of the not wanting to
(14:27):
lose the revenue, right?
And so I think those are thetwo biggest motivating factors
we see um that that that aremotivating for people as far as
consequences go.
Yeah.
Okay, so let's say that you'reworking towards compliance or or
maybe even you're alreadythere.
Um if that's the case, eitherat the end of your journey,
whenever you've you've goteverything compliant, or or if
(14:49):
you are compliant today, howdoes a subcontractor prove
compliance to their primes in away that the plant primes can
trust?
Speaker 01 (14:57):
Well, eventually it's going to be having that
level two certification and uhhaving that official stamp of
approval, right?
But until then, you have tomake sure that your SPRS score
is accurate.
Uh even if you go back throughand do a do an assessment like
you should, and it ends upinstead of at 110 where you
thought it was, it ends up at a70 or something like that, or or
(15:18):
even a minus 56, or who knows.
But uh I would put an accurateSPRS score in and definitely
make sure that you have your POMgenerated and that you're
actually working on it andworking through it.
The primes are going to be uhappreciative of that.
Your SSP should tell yourstory.
We've talked about this before,but uh your SSP should tell
(15:39):
your stories.
A an assessor ought to be ableto look at your SSP and
understand basically how yoursystem's put in place and how
you're addressing the controls.
Uh SSP, you don't have to gointo detail necessarily, but
they have to understand howyou're doing these things.
So use the SSP to do that.
Develop a good strong SSP.
It should inspire confidence.
(16:00):
It should inspire confidence,absolutely, it should.
So um the other thing is thatagain that POAM, make sure that
you're uh working through thatPOAM, uh addressing all the
things that need to beaddressed.
Most of the time you take thatPOAM and you list out all these
controls and then you groupthose controls together into
projects, and usually a projectwill knock out several controls
(16:21):
at a time and you can address itlike that.
That's that's uh you knowthat's typical.
Um make sure that you uh havetechnical proof if you ever so
you can show it if you ever needit.
You'll definitely need thattechnical proof whenever you get
to a level two certification,but make sure you have that
technical proof.
And then make sure that uh it'sref uh organized well and all
(16:43):
together in one spot.
Typically we tell you a GRCtool because it's the easiest
way to keep track of that.
But however you want to do it,but make sure it's organized
well, it's all in one spot, easyto find, easy to get hold of uh
a key document or two and giveit to your um give it or a
screenshot to your uh primecontractor uh so they're
(17:06):
comfortable with it.
Um those are the things thatyou need to be doing now.
Uh the biggest things are againuh having a good strong SSP,
telling your whole story, andmaking sure your SSP score is
right, and work on that poem.
Get it closed out.
Speaker 00 (17:21):
Absolutely.
Okay.
I know there's been some recentupdates in the CMMC sphere or
ecosystem that might have someprimes uh uh more urgently
knocking at your door or sendingyou letters, and and much like
our listeners may have alreadynoticed, and so they might be
wondering why that's the case.
You know, uh so what updates,if any, has of happened as of
(17:44):
recent that it's making thosethose contractors and and primes
uh knock at the door?
Speaker 01 (17:49):
Sure.
Uh so there's a couple ofupdates, a 32 CFR and a 48 CFR
that uh went into effect thatreally put this in motion and
put a finite timeline on it.
32 CFR is the one that wentinto effect in uh December of
2024, uh, and it's whatclarified and defined CMMC
(18:09):
itself, right?
The CMMC program.
The uh 48 CFR just went intoeffect, or excuse me, just was
published in September or onSeptember 10th of 2025.
And uh it goes into effect uhNovember 10th of uh 2025.
And so that 48 CFR is the onethat puts the 32 CFR in place on
(18:31):
contracts.
Again, there's four phases tothat, but the first phase uh is
gonna be kicking off uh herepretty soon.
So your your prime primecontractors uh they've already,
before the 48 CFR was evenreleased, uh they've already
been uh starting to be a littlepushy saying, hey, you know,
when are you gonna when do youhave your uh level two
(18:52):
certification scheduled for?
Can you show me that you haveit scheduled?
You know, uh so they've beenasking those questions,
prompting, pushing, you know,kindly and all this kind of fun
stuff.
That's gonna start being lesskind and more pushy, I'm sure,
along the way.
But you know, sooner Novembergets here, and then as time goes
on after that, uh they'lldefinitely prime contractors are
(19:14):
definitely wanna gonna want tosee that uh you have uh a level
two certification uh or at leastthat you have one plan and uh
to to to take place.
So they're gonna want to knowthat because they need to have
their huge contractor,subcontractor base uh squared
away and in good shape beforethey m can move forward on some
contracts.
So they're they're they're abusiness just like everybody
(19:37):
else.
They just happen to be a lotbigger.
And uh so they want to getthose contracts and they know
that they have to be compliant,but they need their subs to be
compliant as well.
They're the appropriate subs, Ishould say.
Uh anyway, compliant as well.
Speaker 00 (19:52):
Yeah, I think it's a key sh piece of the strategy in
terms of the enforcement tomake sure people actually do all
this stuff, is you know, a lotof their defense spending is
spent is put in the buckets ofthe primes, right?
You know, um the larger primes,I should say.
And so the flowdown is a is akeystone piece of that
enforcement mechanism to reallypush them to make everyone else.
(20:13):
So they're kind of using theprimes as piece of kind of their
enforcement wing.
Speaker 01 (20:17):
So you know the other thing you just said at
enforcement.
We are starting to see moreenforcement in the way of false
claims acts being filed againstcompanies for for saying they
were compliant and not beingcompliant.
You know, if you if you sayyou're at 110, you better be at
110.
So uh but we see some of thoseuh ramping up.
Speaker 00 (20:39):
So let's say that you are in the majority out
there where you're not a bigcouple billion dollar prime and
you're one of the smallest shopsout there that are serving the
primes.
What practical steps couldthose subcontractors that are
listening take today to actuallygo get off YouTube or Spotify
or Apple or wherever you'relistening and go implement?
(21:01):
What what could they do?
Sure.
Speaker 01 (21:03):
So, you know, maybe in the first 30 days or so you
take a good hard look and uhfirst understand what kind of
CUI you have.
Is it controlled technicalinformation?
Is it something else?
Is there any are there anydissemination restrictions?
So no foreign or are is it ITARdata, you know, what is there
(21:23):
any dissemination restrictions?
Uh that's typically that's thehardest thing to do is figure
out what CUI you have, what kindof CUI, uh, and the
restrictions on it because it'sgenerally kind of nebulous and
contractors will say, yeah, sureeverything under this contract
is CUI.
So you need to ask and findthat out and figure that out,
figure out why you know whatkind of CUI you have and if it's
(21:45):
truth it's if it's actually thetruth or not, right?
Is this just what I think Ihave to have or or think I have?
So figure out that CUI.
Draw yourself a data flowdiagram, figure out where the
CUI comes, all the systems andall the places that that CUI
comes from, where it goes, whereit's transmitted to, where it's
stored, where it's processed,figure out where it goes and all
(22:07):
your different systems.
That may be cloud vendors likeMicrosoft 365, it may be an
on-premise server, it might be acloud file and file share and
sync tool, could be your MRP,could be whatever.
So make sure you draw out thatdata flow diagram, put all your
arrows, figure out where getthat good spaghetti diagram
(22:27):
going on, and figure out whereeverything goes, and then figure
out where it goes outside ofyour system.
Do you have subs it goes to?
You know, put that in there aswell.
That gives you a good idea ofwhat your scope should be, or
gives you an idea of what yourscope is.
And then if you want to tightenyour scope down, you can
certainly look at that and go,oh wow, you know, that's a
that's a lot.
Maybe we need to fix that.
(22:49):
But that'll that really helpsget you uh on a good foot moving
forward, making sure that youunderstand those data flows,
make sure you understand whattype of CUI you have, uh, and
then after you do that, do afull self-assessment.
There is a NIST 800-171 Alpha,NIST NIST 800-171A, that is the
uh assessment guide.
(23:10):
So go through that.
Yes, it's long, it's a pain inthe rear, but go through that,
uh, figure out where you're aton each of those controls, um,
and uh then you can haveyourself uh you'll have your
self-assessment, you'll haveyour gaps analysis basically
from that.
So um uh that's a good place tostart.
You know, in the next 30 daysmaybe uh you could draft your uh
(23:34):
SSP, which again tells yourstory, right?
How you're protecting that CUI,how you're covering each one of
those controls.
Uh so draft your SSP, get itwritten out, get it all figured
out there, and then you can comeup with your POAM after that,
control by control, and haveyour poem all spelled out, come
up with some projects to do, andthen you know, in the next
(23:57):
however long, you know, maybenine months to a year or
whatever, or maybe two months ifyou're really a go-getter.
Uh so uh go through that poem,implement everything you need to
get implemented.
Once you have everythingimplemented, then you can have
you can figure out if you want amock assessment or some
consulting, somebody to come inand say, you know, looks good or
(24:18):
you need to do this stuff, uh,and then after that, you can
schedule your level twocertification.
So that's that's a goodtimeline.
But the first things first isknow what kind of CUI you have,
why you know that, draw yourdata flow diagram, and that'll
help you scope everything outproperly.
Even if you've already goteverything scoped out, if you
haven't done those first twothings, it's a really good thing
(24:39):
to do.
Speaker 00 (24:40):
Okay.
And maybe if all that sounds alittle bit overwhelming, or say
you're you know somewherefurther down that path and
you're just wanting a closerlook, a second set of eyes to
look at it, wondering whetheryour SPRS score documentation or
overall setups good enough fora for a prime, then that's
exactly why we offer our freeSPRS roadmap session.
(25:03):
Yeah, so just a reminder foreveryone out there, we're still
offering and doing that forpeople.
Even if you've already done theheavy lifting, we can review
your self-assessment, go throughyour policy list, look at your
current setup, and help youvalidate where you're solid and
where you might need some help.
So again, just a good chance toget a second set of eyes on
(25:23):
things.
It's totally free.
This isn't a sales pitch, youknow, and and you'll walk away
with a clear plan on how to hit110 your SPRS score and and
hopefully stay there.
So um, anyway, we've got thatlink in the description below.
Um, welcome to take advantageof it, or if you're good, no
worries at all.
So I will think that's it fortoday, guys.
(25:43):
Really appreciate it.
If you have any questions aboutwhat we covered, please reach
out to us.
We're here to help fast trackyour compliance journey.
Text, email, or call in yourquestions, and we'll answer them
for free here on the podcast.
You can find our contactinformation at cmc
complianceguide.com.
Stay tuned for our nextepisode.
(26:04):
Until then, stay compliant,stay secure, and make sure you
subscribe.
Hey there and welcome to the CMMC Compliance
Guide Podcast.
I'm Austin and I'm Brooke fromJustice IT Consulting, where we
help businesses like yoursnavigate CMMC and NIST 800-171
compliance.
We're hired guns gettingcompanies fast-tracked to
compliance, but today we're hereto give you all the secrets for
free.
(00:42):
So if you want to tackle ityourself, you're equipped to do
so.
Let's dive into today's episodeand keep your business on
track.
Today, we're tackling a bigissue for subcontractors.
Prime contractors likeLockheed, Raytheon, Parker
Hanaffin are all watching, andthey want proof of your
(01:02):
compliance before they'll starthanding you work more and more
often these days.
So, what exactly are Primeslooking for?
And how can you stand out as atrusted partner?
All right, Brooke, let's startat the top.
Why do Prime contractors careso much about subcontractor
compliance?
Speaker 01 (01:19):
Well, they have uh legal obligations to make sure
that their subcontractors uhmeet the same compliance that
they do for each of thoseindividual contracts.
Um the uh DOD has specifiedthat there's a there's a flow
down, and then it's always beenbeen in there, but uh they have
specified that there is a flowdown and that you have to make
sure that any of yoursubcontractors that deal with uh
(01:41):
CUI or that that contract haveto be at the same level you are.
Uh so there's all that's alwaysbeen there, but there's a legal
risk for them.
Um and there's also riskmanagement, of course.
Uh if a subcontractor drops aball or any other number of
problems, uh that's on the uhprime contractor, uh affects the
(02:03):
prime contractor as well.
And they want to make surethey're all of their contracts
are are well and secured and andand uh not in jeopardy.
Speaker 00 (02:11):
Now that we got that covered, what is it exactly
that prime contractors areasking their subcontractors to
show or prove?
Speaker 01 (02:19):
Sure.
So uh what we know what we hearfrom our clients uh what we see
and help them with uh is theprimes uh are asking for SPRS
scores.
Uh what's your SPRS score?
What was your latest one youupdated?
Uh how long ago was it?
Uh all that kind of fun stuff.
And then uh someone want to seeyour SSP.
(02:41):
And so um they have I can tellyou that some of the compliance
departments are very picky onthose SSPs, and they want them
to match the uh the format andthe numbering exactly.
So um, but uh if it doesn'tmatch, then they're like, well,
I don't understand.
And you say, well, see thenumbers here match.
Speaker 00 (03:01):
Um if you look at it anyway, but point is they
There's a lot of things thataren't particularly required by
CMMC, but nonetheless to playball, you have to do it a
certain way.
Speaker 01 (03:10):
Without going into a specific example, I guess, but
uh sometimes those compliancedepartments they don't know the
whole story, they don'tnecessarily understand the whole
trajectory of CMMC or anythinglike that.
And so they just know what'sput in front of them and they
they want to see your SSP andthey want to see that everything
matches the numbers, theeverything else on the numbers
as to the controls andeverything else.
(03:30):
So um that's what they want tosee a lot of times.
Um they'll also ask if you havea POM.
Uh if your score is less than acertain amount, less definitely
less than 110, but some of themwill set it at a different uh
level if there's if you're lessthan that, they want to know if
if you have a POAM in place,plan of action and milestones.
So it's a to-do list to get to110.
(03:52):
Um so uh they'll want to knowif you have a poem in place and
uh you know when you're gonnawhen you plan on having it
cleared up.
So if they ask again in anotheryear and uh you say yes, I do
have a poem in place, and lastyear it said, you know, 10125 on
it, and now it says 10126.
I don't know why.
(04:14):
Uh you know, it's uh outanother year, and yet you have
the same score.
So they may want to know aboutthose poems to to help prove
your case.
Speaker 00 (04:23):
What are the common mistakes that you see our our
customers, subcontractors makewhen trying to prove compliance?
Speaker 01 (04:30):
Inflating their scores.
So, you know, saying you have110 when you might be more like
a minus fifty-six or somethinglike that, or or a seventy or
you know, something like that.
No, I've never seen that.
So uh that's the biggest onereally is inflating your scores
um or just kind of guessing atit and to get that SPRS score
you really do have to go througha a mini assessment to go
(04:52):
through each of those, score itproperly, and and make sure you
understand.
A lot of that has to do withdocumentation and people kind of
skip over the documentation andsay, yeah, yeah, yeah, you
know.
And uh but you can't skip overit.
Uh you gotta have all thedocumentation it talks about and
that impacts a score.
So if you don't have yourauthorized list of users, then
(05:13):
you know you have to countpoints off for that, for
instance.
Speaker 00 (05:16):
So um yeah, you can have you can have done something
technically, but if it's notdocumented, it's like it didn't
have any.
Exactly.
100%.
Speaker 01 (05:24):
Yeah.
Again, most of it isdocumentation and making sure
that you have those technicalcontrols in place uh and that
they're ongoing and monitoredand all that kind of fun stuff.
Another thing that rolls rightinto that is uh bad
documentation.
Uh you know, you don't want toAgain comes up.
Yeah, again comes up.
So uh there's uh documentation.
(05:44):
I should have.
I have a shirt that saysdocumentation, documentation,
documentation, because I saythat a lot.
But yeah, it's uh you've got tohave your documentation in
place.
There is an absolute ton of it.
Uh and um it's you've got tohave that in place.
So uh that's another anotherbig deal um that we see.
I brought it up a minute ago.
(06:06):
Uh another problem is uh uhyour poem, kind of ignoring it
and saying, Here's my poem, andjust kind of setting it off to
the side and going, We're good,let's roll.
You know, and then forgettingthat the poem is a plan of
action and milestones, you know,meaning you have to do
something about it.
So uh if you don't do anythingabout it, then that plan of
(06:26):
action and milestones is a planof inaction and milestones.
I guess that would be a POM orPO whatever plan of action.
Anyway, nevertheless, whateverit is.
We don't need more acronyms.
We don't need any more.
Um yes, that that is a plan ofaction and milestones.
So you have to you have to getthings done on that list.
Cloud services, a lot of peoplehave a tendency to not take
(06:49):
into account their cloudservices, Microsoft 365.
Um, you know, maybe they get uhand shouldn't, but maybe they
get uh CUI through email, ormaybe they send it through
email, uh maybe they send itthrough encrypted email, but
it's but it's uh commercialMicrosoft 365, so that won't
work.
Uh so they've you know they'vegot to address things like that.
(07:12):
Um another big one that uhpeople typically don't have is
incident response.
What is your incident responseplan?
You know, how detailed does itneed to be?
It needs to be detailed enoughto cover your your assets.
So but uh you know, really umyou need to have some sort of
(07:32):
incident response policy andplan and procedure.
Uh and then you need to makesure you have all your bases
covered.
One big one is having a uhmedium assurance certificate
installed on your computer soyou can report incidents within
72 hours.
Uh-huh.
If you don't have thatcertificate installed on your
computer and you have anincident, I can guarantee you
that you won't be able to reportthat incident within the
(07:54):
required 72 hours.
Because you will not get thatcertificate and get it installed
within 72 hours.
If you do, it'll be a miracle.
But uh I wouldn't bet on it,especially if you're having
you're in the middle of anincident, you know.
Now you've got to go focus on,you know, getting those wheels
to turn to to get that mcertificate in place.
Speaker 00 (08:11):
So one I'm gonna add in that I see less often,
although scope is I think alwaysa problem.
Yes.
Um, but uh when we have someonethat comes to us that is
actually reasonably like preppedand ready, and they're like,
hey, we just we need you to helpuh shore up this documentation
piece, like we're just gonnahire you to do that.
Um we typically find that wealways do a gaps analysis
(08:35):
anyway.
Um and this is the reason forit is because they'll they'll
have a big hole in their scope.
Yes.
And so I we'll have someonethat is otherwise buttoned up,
but they'll they'll say, youknow, their CUI comes in from um
you know customer portal, andthen it goes right into a
vendor, and then like, well,hold on one second.
(08:56):
How does it go from customerportal to vendor?
And like, oh, I just downloadit and upload it to the vendor,
and you're like, okay, well nowyour computer's in scope and you
have it as not in scope.
And they're like, oh crap.
Yeah, yeah.
So you'd um it's it is verygood practice to offload the
burden of security andcompliance to other vendors, but
(09:17):
at the end of the day, there'sthere's not a ton of scenarios,
especially if you're amanufacturer and you got real
tangible products or something,that um that your own computers
are not going to be in scope,especially if you're dealing
with CUI yourself.
So um, so that typically peoplewill not have computers in
scope that should be.
(09:37):
And then the other one is justsome big glaring misses that you
just don't always think of.
And so the other day that we wedidn't even think about until
some we're going through the SSPprocess and um and creation of
their SSPs, we identified thatthey would send um some COI um
(10:00):
to print to a print vendor, andthen we're like, oh, well, we
might have to start doingprinting in-house because we
can't find a print vendor that'scompliant, right?
Um, and so we we have tounfortunately in that scenario,
I think we're gonna have tochange their actual business,
maybe not model, but process andworkflow to bring it full fully
(10:20):
in-house.
But those are things that anassessor will likely catch on
to, and if you miss them, thenit's gonna it's gonna mess up
your assessment and cost yousome money because you're gonna
have to go back, fix it, andthen get assessed again.
Right, absolutely.
Speaker 01 (10:36):
Yeah, and uh you know you're talking about scope
and and one of those things thatcauses a problem that causes
people not to think about theircomputer being in scope is the
fact that it's not just storingCUI.
It's not where the CUI isstored, it is, but uh it's also
processing and transmitting.
So processing, storing, andtransmitting CUI.
(10:57):
If whatever piece of thatpuzzle does any of those three
things, processes it, stores it,or transmits it, then that's in
that puts that endpoint orwhatever it is in scope.
Speaker 00 (11:07):
Absolutely.
Okay, we kind of address themistakes that uh we see a lot of
subcontractors make when itcomes to uh compliance and
trying to prove it.
What the natural the naturalfollow-up to that is what are
the consequences?
You know, if someone decides towait or um or even just makes a
mistake and and or doesn't takethis seriously for compliance.
(11:28):
Sure.
Speaker 01 (11:29):
So uh things we've seen is that the prime or main
contractor uh you know can say,hey, we can't send you any more
CUI until you know we know thatyou're compliant or or your
score is right, right?
Uh so they can pause a contractuh if there's something wrong,
or they can uh it can cause youto lose a contract if you find
(11:51):
out there's an issue and you'renot actually compliant when you
uh when you thought you were.
If you're inflate your scorelike we were talking about a
minute ago, then you're at riskof uh having a false false
claims act filed against you.
Uh and one thing I might say isthat there's some of these
false claims acts that have beenum filed against companies that
(12:14):
a lot of them arewhistleblowers.
They're not you know thegovernment there are some that
are there was an incident andthey research that incident and
they figure out thesubcontractor wasn't uh or
contractor, whoever wasn'tcompliant, and then they fine
them and you know say, Hey,false claims act because you had
said you had these things inplace and you just absolutely
(12:35):
didn't, right?
Um not necessarily a mistake,but you just absolutely didn't.
Most of the time they're not uhthey're not nailing people up
against the wall that I couldtell at least uh for making a
mistake.
It's people who are flagrantlyviolating and actually falsely
claiming that they're compliantwhen they're not, right?
Uh so uh you could get a falseclaims act filed against you.
(12:58):
Uh that's it, that would be abad thing, very bad thing.
Yeah.
Um that could there's a lot ofresults of that.
Uh most of them are gonna bebig fines, but uh could result
in jail time too, depending onwhat happened.
Speaker 00 (13:10):
Not to mention, I don't know about everyone else
out there, but I know how muchArchie lawyer charges.
So um just to be, you know,even you know, before jail time
and all the other, you know,consequences, uh you you're
gonna have some costs.
Yes, absolutely.
Just at the start of it.
Speaker 01 (13:27):
Even if everything turns out okay.
Yeah.
You know, you're gonna there'llbe some cost there.
So um but yeah, that's the uhfalse claims act is a big deal,
you can lose your contracts.
Uh and then it's reputationaldamage.
You know.
Um if uh some incident happensand turns out that you aren't
covering something that you weresupposed to, you know, that's a
(13:47):
that's a black eye on you.
And as that contractor orsubcontractor want to go find
somebody who they're morecomfortable with or they're okay
with you, you know, it's soit's uh having a black eye is
not necessarily a good thing.
Speaker 00 (14:02):
Yeah, I see I think two of the biggest motivating
factors when I'm working withcustomers or when they're when
they come to us um is um justbeing able to answer the
questionnaires and go back totheir customers with like a very
good level of good faith thatthey're actually doing what you
know their obligations are, youknow, that's one.
And then um two uh is theobvious of the not wanting to
(14:27):
lose the revenue, right?
And so I think those are thetwo biggest motivating factors
we see um that that that aremotivating for people as far as
consequences go.
Yeah.
Okay, so let's say that you'reworking towards compliance or or
maybe even you're alreadythere.
Um if that's the case, eitherat the end of your journey,
whenever you've you've goteverything compliant, or or if
(14:49):
you are compliant today, howdoes a subcontractor prove
compliance to their primes in away that the plant primes can
trust?
Speaker 01 (14:57):
Well, eventually it's going to be having that
level two certification and uhhaving that official stamp of
approval, right?
But until then, you have tomake sure that your SPRS score
is accurate.
Uh even if you go back throughand do a do an assessment like
you should, and it ends upinstead of at 110 where you
thought it was, it ends up at a70 or something like that, or or
(15:18):
even a minus 56, or who knows.
But uh I would put an accurateSPRS score in and definitely
make sure that you have your POMgenerated and that you're
actually working on it andworking through it.
The primes are going to be uhappreciative of that.
Your SSP should tell yourstory.
We've talked about this before,but uh your SSP should tell
(15:39):
your stories.
A an assessor ought to be ableto look at your SSP and
understand basically how yoursystem's put in place and how
you're addressing the controls.
Uh SSP, you don't have to gointo detail necessarily, but
they have to understand howyou're doing these things.
So use the SSP to do that.
Develop a good strong SSP.
It should inspire confidence.
(16:00):
It should inspire confidence,absolutely, it should.
So um the other thing is thatagain that POAM, make sure that
you're uh working through thatPOAM, uh addressing all the
things that need to beaddressed.
Most of the time you take thatPOAM and you list out all these
controls and then you groupthose controls together into
projects, and usually a projectwill knock out several controls
(16:21):
at a time and you can address itlike that.
That's that's uh you knowthat's typical.
Um make sure that you uh havetechnical proof if you ever so
you can show it if you ever needit.
You'll definitely need thattechnical proof whenever you get
to a level two certification,but make sure you have that
technical proof.
And then make sure that uh it'sref uh organized well and all
(16:43):
together in one spot.
Typically we tell you a GRCtool because it's the easiest
way to keep track of that.
But however you want to do it,but make sure it's organized
well, it's all in one spot, easyto find, easy to get hold of uh
a key document or two and giveit to your um give it or a
screenshot to your uh primecontractor uh so they're
(17:06):
comfortable with it.
Um those are the things thatyou need to be doing now.
Uh the biggest things are againuh having a good strong SSP,
telling your whole story, andmaking sure your SSP score is
right, and work on that poem.
Get it closed out.
Speaker 00 (17:21):
Absolutely.
Okay.
I know there's been some recentupdates in the CMMC sphere or
ecosystem that might have someprimes uh uh more urgently
knocking at your door or sendingyou letters, and and much like
our listeners may have alreadynoticed, and so they might be
wondering why that's the case.
You know, uh so what updates,if any, has of happened as of
(17:44):
recent that it's making thosethose contractors and and primes
uh knock at the door?
Speaker 01 (17:49):
Sure.
Uh so there's a couple ofupdates, a 32 CFR and a 48 CFR
that uh went into effect thatreally put this in motion and
put a finite timeline on it.
32 CFR is the one that wentinto effect in uh December of
2024, uh, and it's whatclarified and defined CMMC
(18:09):
itself, right?
The CMMC program.
The uh 48 CFR just went intoeffect, or excuse me, just was
published in September or onSeptember 10th of 2025.
And uh it goes into effect uhNovember 10th of uh 2025.
And so that 48 CFR is the onethat puts the 32 CFR in place on
(18:31):
contracts.
Again, there's four phases tothat, but the first phase uh is
gonna be kicking off uh herepretty soon.
So your your prime primecontractors uh they've already,
before the 48 CFR was evenreleased, uh they've already
been uh starting to be a littlepushy saying, hey, you know,
when are you gonna when do youhave your uh level two
(18:52):
certification scheduled for?
Can you show me that you haveit scheduled?
You know, uh so they've beenasking those questions,
prompting, pushing, you know,kindly and all this kind of fun
stuff.
That's gonna start being lesskind and more pushy, I'm sure,
along the way.
But you know, sooner Novembergets here, and then as time goes
on after that, uh they'lldefinitely prime contractors are
(19:14):
definitely wanna gonna want tosee that uh you have uh a level
two certification uh or at leastthat you have one plan and uh
to to to take place.
So they're gonna want to knowthat because they need to have
their huge contractor,subcontractor base uh squared
away and in good shape beforethey m can move forward on some
contracts.
So they're they're they're abusiness just like everybody
(19:37):
else.
They just happen to be a lotbigger.
And uh so they want to getthose contracts and they know
that they have to be compliant,but they need their subs to be
compliant as well.
They're the appropriate subs, Ishould say.
Uh anyway, compliant as well.
Speaker 00 (19:52):
Yeah, I think it's a key sh piece of the strategy in
terms of the enforcement tomake sure people actually do all
this stuff, is you know, a lotof their defense spending is
spent is put in the buckets ofthe primes, right?
You know, um the larger primes,I should say.
And so the flowdown is a is akeystone piece of that
enforcement mechanism to reallypush them to make everyone else.
(20:13):
So they're kind of using theprimes as piece of kind of their
enforcement wing.
Speaker 01 (20:17):
So you know the other thing you just said at
enforcement.
We are starting to see moreenforcement in the way of false
claims acts being filed againstcompanies for for saying they
were compliant and not beingcompliant.
You know, if you if you sayyou're at 110, you better be at
110.
So uh but we see some of thoseuh ramping up.
Speaker 00 (20:39):
So let's say that you are in the majority out
there where you're not a bigcouple billion dollar prime and
you're one of the smallest shopsout there that are serving the
primes.
What practical steps couldthose subcontractors that are
listening take today to actuallygo get off YouTube or Spotify
or Apple or wherever you'relistening and go implement?
(21:01):
What what could they do?
Sure.
Speaker 01 (21:03):
So, you know, maybe in the first 30 days or so you
take a good hard look and uhfirst understand what kind of
CUI you have.
Is it controlled technicalinformation?
Is it something else?
Is there any are there anydissemination restrictions?
So no foreign or are is it ITARdata, you know, what is there
(21:23):
any dissemination restrictions?
Uh that's typically that's thehardest thing to do is figure
out what CUI you have, what kindof CUI, uh, and the
restrictions on it because it'sgenerally kind of nebulous and
contractors will say, yeah, sureeverything under this contract
is CUI.
So you need to ask and findthat out and figure that out,
figure out why you know whatkind of CUI you have and if it's
(21:45):
truth it's if it's actually thetruth or not, right?
Is this just what I think Ihave to have or or think I have?
So figure out that CUI.
Draw yourself a data flowdiagram, figure out where the
CUI comes, all the systems andall the places that that CUI
comes from, where it goes, whereit's transmitted to, where it's
stored, where it's processed,figure out where it goes and all
(22:07):
your different systems.
That may be cloud vendors likeMicrosoft 365, it may be an
on-premise server, it might be acloud file and file share and
sync tool, could be your MRP,could be whatever.
So make sure you draw out thatdata flow diagram, put all your
arrows, figure out where getthat good spaghetti diagram
(22:27):
going on, and figure out whereeverything goes, and then figure
out where it goes outside ofyour system.
Do you have subs it goes to?
You know, put that in there aswell.
That gives you a good idea ofwhat your scope should be, or
gives you an idea of what yourscope is.
And then if you want to tightenyour scope down, you can
certainly look at that and go,oh wow, you know, that's a
that's a lot.
Maybe we need to fix that.
(22:49):
But that'll that really helpsget you uh on a good foot moving
forward, making sure that youunderstand those data flows,
make sure you understand whattype of CUI you have, uh, and
then after you do that, do afull self-assessment.
There is a NIST 800-171 Alpha,NIST NIST 800-171A, that is the
uh assessment guide.
(23:10):
So go through that.
Yes, it's long, it's a pain inthe rear, but go through that,
uh, figure out where you're aton each of those controls, um,
and uh then you can haveyourself uh you'll have your
self-assessment, you'll haveyour gaps analysis basically
from that.
So um uh that's a good place tostart.
You know, in the next 30 daysmaybe uh you could draft your uh
(23:34):
SSP, which again tells yourstory, right?
How you're protecting that CUI,how you're covering each one of
those controls.
Uh so draft your SSP, get itwritten out, get it all figured
out there, and then you can comeup with your POAM after that,
control by control, and haveyour poem all spelled out, come
up with some projects to do, andthen you know, in the next
(23:57):
however long, you know, maybenine months to a year or
whatever, or maybe two months ifyou're really a go-getter.
Uh so uh go through that poem,implement everything you need to
get implemented.
Once you have everythingimplemented, then you can have
you can figure out if you want amock assessment or some
consulting, somebody to come inand say, you know, looks good or
(24:18):
you need to do this stuff, uh,and then after that, you can
schedule your level twocertification.
So that's that's a goodtimeline.
But the first things first isknow what kind of CUI you have,
why you know that, draw yourdata flow diagram, and that'll
help you scope everything outproperly.
Even if you've already goteverything scoped out, if you
haven't done those first twothings, it's a really good thing
(24:39):
to do.
Speaker 00 (24:40):
Okay.
And maybe if all that sounds alittle bit overwhelming, or say
you're you know somewherefurther down that path and
you're just wanting a closerlook, a second set of eyes to
look at it, wondering whetheryour SPRS score documentation or
overall setups good enough fora for a prime, then that's
exactly why we offer our freeSPRS roadmap session.
(25:03):
Yeah, so just a reminder foreveryone out there, we're still
offering and doing that forpeople.
Even if you've already done theheavy lifting, we can review
your self-assessment, go throughyour policy list, look at your
current setup, and help youvalidate where you're solid and
where you might need some help.
So again, just a good chance toget a second set of eyes on
(25:23):
things.
It's totally free.
This isn't a sales pitch, youknow, and and you'll walk away
with a clear plan on how to hit110 your SPRS score and and
hopefully stay there.
So um, anyway, we've got thatlink in the description below.
Um, welcome to take advantageof it, or if you're good, no
worries at all.
So I will think that's it fortoday, guys.
(25:43):
Really appreciate it.
If you have any questions aboutwhat we covered, please reach
out to us.
We're here to help fast trackyour compliance journey.
Text, email, or call in yourquestions, and we'll answer them
for free here on the podcast.
You can find our contactinformation at cmc
complianceguide.com.
Stay tuned for our nextepisode.
(26:04):
Until then, stay compliant,stay secure, and make sure you
subscribe.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.