August 29, 2025 • 29 mins
Submit any questions you would like answered on the podcast!
Thinking about building an enclave for CMMC compliance? Not so fast.
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke from Justice IT Consulting break down:
- What an enclave actually is (in plain English)
- When an enclave makes sense (and saves you money)
- When it can hurt your compliance efforts
- What assessors will really be looking for in your audit
If you’ve ever asked, “Do I need an enclave for CMMC?”, this episode is your roadmap to making the right call for your business.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
Hey there, and welcome to the CMMC Compliance
Guide Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting,where we help businesses like
yours navigate CMMC and NIST800-171 compliance.
We're hired guns gettingcompanies fast-tracked to
compliance, but today we're hereto give you all the secrets for
free.
So if you want to tackle ityourself, you're equipped to do
(00:22):
so.
Let's dive into today's episodeand keep your business on track.
Today's topic is one we hearabout constantly.
Do I need an enclave for CMMC.
We're going to break it downwhen an enclave makes sense and
when it might actually createproblems for yourself.
All right, Brooke, let's startat the beginning.
What exactly is an enclave?
SPEAKER_02 (00:42):
An enclave is a place where you put something
separate from the rest of yournetwork.
So take all your data and youseparate it from the rest of
your network.
That's That's really all anenclave is.
It can take lots of forms, butthe idea is that an enclave
lives by itself inside yournetwork or beside your network
(01:02):
or whatever, but it does nottouch the rest of the network
and vice versa.
The rest of the network does nottouch it.
You can do this physically.
You can do it virtually.
You can do it with cloudresources.
It can be a hybrid of one, two,or all three or whatever, but
there's lots of solutions, lotsof ways to achieve it.
You just have to protect thatdata from the rest of the
(01:23):
network.
SPEAKER_01 (01:24):
So, Brooke, when does an enclave make the most
sense for a defense contractor?
SPEAKER_02 (01:30):
Sure.
So, and I might clarify from thelast question, of course, we're
talking about an enclave forCUI, Controlled Unclassified
Information.
You don't have to put FCInecessarily in that enclave.
What makes sense is if only partof your people handle CUI, then
it makes sense to have anenclave to separate it out.
(01:53):
You've got to be able to clearlyidentify that CUI, and you
should do that from the verybeginning and figure out what
kind of CUI you have, figure outwhere it all flows, all that
kind of fun stuff, and how manypeople handle it.
How many people need to handleit?
Does the HR person really needaccess to that CUI?
Unless you're a tinyorganization, my guess is
(02:13):
probably not.
Just because the HR persondoesn't need access to that CUI,
do you need an enclave or not?
How many of Those people in yourorganization need that access to
that CUI.
You might look and see how muchbusiness you have that is DOD
work, that you get CUI from.
(02:35):
If it's 25%, it may make senseto make a CUI enclave.
If your company is very small,for instance, and most of your
people handle CUI, then maybe itdoesn't make sense.
If a limited number of peoplehandle CUI, if a limited number
of your contracts are from theDOD that you get CUI from, those
instances would be goodcandidates for an enclave.
(02:57):
The other thing, you can savemoney, of course, by just
restricting the enclave to asmaller subset of your company.
Sometimes it'll save you somereal money, sometimes it won't.
Budget is definitely aconsideration there, so you need
to take a look at that and seewhat it looks like to have an
enclave versus scoping inabsolutely everything.
Another thing is how you dobusiness, how that enclave
(03:18):
looks, and if that enclave makessense for you.
What is your process flow.
Can it be changed?
Small companies may not fitreally well.
If you need compliance fast,you've got to do it quickly.
I'd be very wary of CMMCcompliance in a box, but there
are some enclave solutions thatyou can deploy rather quickly
and get your documentation inorder, and you can do that
rather quickly.
Depending on how fast you canmove on documentation and
(03:40):
verifying everything and rollingthat out, making sure that all
your physical spaces are securedas well, because that is also
part of your enclave.
If you need to move fast, youmight look at one of those
enclave solutions solutions.
You might say CMMC in a box, Iguess, but it's not really.
My last note here is that youneed to clearly define where CUI
lives.
We've already kind of talkedabout that, but that is utmost
importance, not only for this,but just CMMC in general.
(04:04):
You've got to know what CUI youhave, where it is, and what in
the world is CUI in yourenvironment.
You've got to know all that,figure that out, figure out
anything with any of yourpolicies, anything else with
CMMC, but you also need tofigure that out definitely for
an enclave.
SPEAKER_01 (04:18):
Yeah, so I think we just in invested in some
upgrades to the studio, maybe weshould also get one of those
counters like where you have howmany days since accident.
But this for our podcast, it'llbe how many days since we
mentioned scope, documentation,or your CUI data flow diagram.
It's constantly going to be zerodays since.
SPEAKER_02 (04:41):
It will.
It will.
That'll stay at zero.
SPEAKER_01 (04:43):
That jogs my memory just of a conversation I was
having yesterday with a defensecontractor in terms of Enclave
We're CMMC in a box.
It is generally in good practiceto try and limit your exposure
to CUI as much as possible.
Absolutely.
If you're wanting to decreaseyour risk profile, Enclave is a
way to do that.
Sometimes when it doesn't makesense is when you're a
(05:06):
manufacturer.
For example, I was talking tothis one company yesterday.
They've done a really good jobof really trying to restrict
things.
In a way, it's kind of anEnclave, but just kind of keep
it basically data flowing or CUIfrom their customers.
and going directly into theirvendor that is for COI.
The problem is, and I helpedthem figure out yesterday, is
(05:29):
that it traverses the computerto do that.
And they didn't realize that nowtheir computers are in scope and
they thought they werecompletely out of scope.
Whether it's their clipboard,your copy-paste your clipboard,
or it's just you needing to getit into some G-code onto a
machine or something, ittraverses the computer and the
computer is then in scope fromthat.
(05:50):
So you need to be carefulbecause sometimes an enclave, it
works great, but you don't wantto put a square peg in a round
hole is what I'm trying to say.
SPEAKER_02 (05:58):
You know, the one thing I might remind everybody
of when we said this veryfrequently also, but it's not
just where CUI is stored.
Everybody falls back to that.
Where is the CUI stored?
It's not just where it's stored.
It's where it's processed, whereit's stored, and where it's
transmitted, PST, right?
For us, a PST is anOutlook-related thing, Outlook
(06:18):
email-related thing, but PST,you've Got to remember that.
Where's CUI processed, stored,and transmitted?
If it's stored in the cloud, butyou connect to the cloud with a
laptop to view it, to look atit, to send it somewhere, guess
what?
That laptop, unless you have,well...
(06:39):
Very strict controls on the...
There are some...
There's one or two instanceswhere that might not be, and
that's VDI, virtual desktopinfrastructure, but something
like that.
But otherwise, that computer isin...
connects and processes that fortransmission or whatever it is,
that would be in scope, yes.
SPEAKER_01 (06:57):
It's more or less directly interacting with that
data, even though it's a websiteor something.
So
SPEAKER_02 (07:02):
when you design your scope, you've got to think about
how do you get that data out ofthat enclave to a CNC machine?
How do you get that data to aprinter?
Is the printer and the computerin the environment?
Do you connect to it?
How do you get the data intothat environment?
How do you get it out of theenvironment to to vendors or to
your shop floor, whatever itmight be.
(07:24):
You absolutely have to thinkabout all that.
And scope.
I mean, again, that's all justscope.
You're scoping your environment.
But you've got to think aboutprocessing, storing, and
transmitting CUI.
All three of those.
SPEAKER_01 (07:35):
Yeah, so it's a great tool in the tool belt, but
you don't want to use a hammerfor a screw.
Use it whenever it makes sense.
But that leads to a great segueto the next question.
When an enclave makes sense,that's great.
When does it not make sense?
When can it hurt you when itWhen is some bad scenarios?
I know we already kind ofmentioned a few.
SPEAKER_02 (07:53):
Really, an enclave can hurt you whenever you don't
take those design considerationsinto account.
When you put this enclave in andyou don't really think about
what is your business process,what is the data flow.
Us as IT guys, we can say, hey,this is great.
You can put this in.
This is how it works.
And you can use it like this.
And then if Charlie over here onthe CNC machine brings his
(08:15):
laptop over and plugs it intothe network and into the enclave
network and gets the data outand and then walks it over and
then plugs it into the othernetwork.
Whatever it might be, then youjust pierce that enclave with
that laptop or a USB stick orwhatever it might be, and you
just expanded the scope of that.
So you've got to think aboutthat.
We talk to our clients aboutthis, and we try to make sure
(08:39):
not just the decision makers areon the initial calls with us,
but some of the people whoactually do the work, you know,
department managers or whateverit might be, that they're They
actually can be part of thatbecause the CEO might say, yeah,
this is the way we do things.
And Charlie comes over and says,actually, this is the way we do
(09:00):
things.
So it really helps to have thatwhole view of what the business
process is.
So you can change the businessprocess or you could modify your
scope to better suit howbusiness is done.
Talking about this, I kind ofoversimplified or generalized
(09:20):
really, but to put it in moreconcrete terms that get your
mind wrapped around this, if yousay we've got GCC High for a
subset of our users and all ofour information is in GCC High.
Great.
That's wonderful.
How do you get it in and out ofthat environment to vendors or
(09:41):
customers and how do you get itin and out of that environment
to are there any other internalsystems that goes to are you a
manufacturer and you need topull it out of there and get it
to the to a CNC machine samething with something like
Prevail you know it's a finesolution you can use that but
(10:02):
it's the same thing if you howdo you use that how do you use
Prevail how does it go in andout of that system where all
does it go and that is thattruly where all the data all the
CUI really is you know and notjust where it's stored again but
where it's processed stored ortransmitted
SPEAKER_01 (10:20):
okay so So let's say you're a defense contractor and
you decided to go the enclaveroute and keep your COI within
it.
What are assessors, which isreally what matters?
I talk about this all the timeis, you know, we can have all
these arguments or philosophicaldiscussions, but nothing really
matters except for what theassessor says.
(10:40):
He's the one giving you the sameapproval.
Yeah.
So what will assessors belooking for during a CMMC audit
or assessment when you have anenclave?
SPEAKER_02 (10:49):
Well, first thing...
I should have my favorite shirton that says documentation,
documentation, documentation,right?
So we'll talk about that again,and that counter goes back to
zero.
Yep.
But they'll be looking for it tobe clearly defined and laid out
so they can understand it.
It's got to be written so notjust that IT person can
(11:09):
understand it or that internalCMMC guy, right?
It's got to be written so otherpeople understand what's going
on.
All your employees that have todeal with it have to understand
you know, how to use it, what itis, all that kind of fun stuff.
They have to be aware of yourSSP and your policies.
Clear documentation, clearlydefined, clearly laid out what
(11:30):
it is.
The clear separation betweenthat and your non-CMMC, non-CUI
network, right?
If you have a CUI network andthen you say the FCI is in the
rest of the network, you canlive in the rest of the network.
There's got to be clearseparation.
It's got to be understandable.
I heard one webinar with someassessors on it yesterday or the
(11:52):
day before.
They were talking about this isgreat to have enclave or these
diagrams that show us how thingswork, but if it's a big diagram
full of spaghetti strings, it'sgoing to be really hard to
understand.
This goes back to you want tomake things easy for the
assessor, make them happy.
You want those assessors to behappy.
(12:13):
It's got to be clearly definedand there's got to be a clear
separation, clear scope for it.
SPEAKER_01 (12:19):
And not all assessors are technical of
nature.
So if you're an IT guy orsomeone who is technical,
putting your SSP and POAMtogether and you're speaking in
tech terms or geek speak, thatmight mess you up.
SPEAKER_02 (12:34):
Right.
And I might point out, all ofthem should be technical to some
degree, but a lot of them havebeen out of the day-to-day IT
tech work for quite a whiledoing these assessments, these
types of assessments andassessments for other things and
they're involved in securitythey're involved in tech they're
involved in data management andeverything but they may not be
(12:57):
involved in which is what you'retalking about in day-to-day tech
work and understand
SPEAKER_01 (13:01):
they're not configuring switches and routers
and stuff on a daily basis they
SPEAKER_02 (13:05):
don't care about the specific ip addresses they don't
care about you know you need topaint the picture yes yeah yeah
so they'll and speaking aboutnetwork diagrams whatnot that's
part of the documentation andthey'll want to see those
diagrams that's part ofexplaining and laying the laying
the whole picture And, ofcourse, it should go without
saying, but your enclave has tomeet all 110 controls and 320
(13:30):
assessment objectives.
SPEAKER_01 (13:32):
Absolutely.
That's, again, that company Iwas talking to yesterday, one
thing that I was trying toportray to them is that now that
those computers are in scopewith, you know, because the COI
traverses that computer, youknow, that just has to meet all
110 controls.
have an antivirus doesn't justmake it secure like all 110
(13:53):
controls in the nest 800 171 ref2 right now need to be applied
to that computer because it hascoi and um sometimes that's a
hard-pilled swallow it is butyeah that's um anytime you have
coi that's like you're doingwith the enclave you're trying
to limit how far things go umyou you don't realize that you
(14:15):
need all all protections onthose things so
SPEAKER_02 (14:18):
it's kind of like uh i mean it's The same thing
happens in your non-CUI network.
We're always talking aboutshadow IT.
Instead of calling IT and tryingto get wireless fixed in a
certain area, does somebodybring a little wireless router
in and plug it in and justconnect to that and get their
good wireless?
We have seen that before where acompany didn't want to spend
(14:43):
money on redoing their wireless,and so they would just buy it
wherever they needed betterwire.
They just buy a little wireless,not access point, but a router,
a wireless router, and go plugit in and plug it into the
network and use it where theyneeded it.
And that happened at one time.
Alarm bells went off.
(15:03):
The SIM alerted us.
You know, we, all hands on deck,we're trying to figure out what
in the world was phoning back toChina, you know?
So we narrowed it down, and itturned out it was an
off-the-shelf, cheap littlewireless access point or
wireless router that somebodyplugged in, and we're like, you
know, You can't do that,especially since you're a CMMC.
(15:26):
But yeah, that happens inregular networks.
And really, if you really sitback and look at it, there are a
couple of onerous things in it.
But at least all the NIST800-171 controls, they're pretty
(15:46):
straightforward, pretty righton.
good security that you want tohave.
You know, it doesn't even reallygo that much in depth into, you
know, into really deep, goodcybersecurity.
And there's a lot of stuff thatleaves off, but, um, it's good,
basic cybersecurity with, with acouple of owners things in it.
(16:07):
But other than that, it's, it'sreally good.
Uh, so it's not even, it's, thebar is not even way high for the
state of 171.
Um, so, uh, it's a really good,um, really good set of controls
to adhere to.
SPEAKER_01 (16:23):
You might get some hate mail after that comment.
The bar's not that high.
I might get some hate mail.
We'll put your address downhere.
Right.
SPEAKER_02 (16:31):
So really, it's not the onerous thing really about
this whole CMMC thing isdocumentation.
That's one of the big things.
You should document everythinganyway, but there is a ton, a
ton, a ton of documentation thatyou have to do, which you
There's a lot of documentationyou should do with your networks
(16:53):
anyway that people just don'tdo.
They depend on that one IT guyto keep everything filed away up
here in their mind.
He's busy fighting fires all daylong.
Yeah, and they're busy fightingfires.
But there's my soapbox about theNIST 800-171.
All the technical controls,they're pretty much right in
(17:15):
line.
You really need to do all those
SPEAKER_01 (17:16):
anyway.
Well, your story about the cheap– router um just kind of brings
up a point that we talk about uma lot here internally at our
company um i don't know that wementioned a lot on the podcast
or or facing um you know out tothe public and and that is uh
(17:37):
everyone's um gut instinct is tohave implemented controls with a
technical tool or a piece ofsoftware or some um policy you
can configure on a certain thatprevents something, but at the
end of the day, a large amountof the controls and the things
(18:00):
that you have to implement arecontrolling people's actions and
people-based anddocumentation-based.
There's no amount of technicalcontrol or software that you can
buy that can prevent that personfrom walking in and plugging
that thing in.
You could even get AI camerasand put them in the parking lot
(18:21):
and guess what's in people'spockets.
But why do all that whenever youcan just have a policy that
says, hey, don't do this.
Don't click on that.
And then train them, you know,because, yeah, don't click on
that.
Don't bring this in.
Don't do that.
And then your technicalcontrols, your security
(18:41):
implement is more or lessdesigned to be the safety net.
So you really need to start withthe people, the processes, the
documentation, and then you kindof fill it in with the technical
controls that you can implementin a reasonable nature that
(19:01):
satisfies the objectives and thecontrols after that.
Start with the people, process,documentation first.
SPEAKER_02 (19:11):
Yeah, absolutely.
Training is one of thoseexamples.
You don't have to have anelectronic security awareness
training platform You can doyour training manually.
You can hold a class and do thistraining and then write it down,
document it.
At some point you'll have to– Iguess you don't have to
(19:32):
necessarily.
Well, at some point you will.
But at some point you'll have totake that piece of paper and
you'll have to copy it andupload it for proof that you
actually did that training andhave people sign off and all
that.
But the point is you can conductthat training manually if you
want to.
You don't have to do– have tohave an electronic platform to
do that.
(19:53):
It's a lot easier.
Yeah.
It's a lot easier to implementand take care of and stay on top
of than, you know, Joe Blowhaving 10 hats that he wears and
trying to remember they need todo training again, you know.
Right.
Before, you know, hold atraining class.
Yeah.
Definitely.
SPEAKER_01 (20:09):
Yeah, there's some places where, you know, I think
just like you said, a softwaresystem for that makes it much
easier.
And then on the other side ofthings, we walked into a defense
contractor the other day herelocally and you can you have to
sign people in especially if youhave like ITAR stuff you know
and a lot of people go theclipboard route you know and
(20:32):
badges and a log it's simpleit's reliable it's in the scheme
of things pretty cheap oraffordable but this place had a
real nice fancy camera and iPadsystem and a printer for badges
instant Badges being printed andeverything, and it didn't work.
(20:55):
We had to heck with trying toget it to end.
Anyway, so I've never walkedinto a defense contractor where
the clipboard didn't work.
So if you're at home listeningto us and you're thinking about
pulling the trigger on anenclave, what questions should
you ask yourself beforeproceeding?
(21:15):
Do you know what is CUI?
Do
SPEAKER_02 (21:16):
you know what CUI you have?
You have to define– you have todefine and understand what
you're trying to protect, whatyou're trying to make it, what
you might want to make anenclave for before you even
attempt to, to do that, to thinkabout it.
Right.
So understand what CUI is, whatCUI you have, understand what it
is in your environment that isCUI.
(21:36):
Right.
And that's the first thing yougotta, uh, you gotta kind of
figure out.
Um, then you gotta think about,uh, how many people, how many
people need access to that CUI?
How many people truly needaccess to that CUI?
UNKNOWN (21:50):
Um,
SPEAKER_02 (21:51):
can I keep that CUI separate from FCI?
Because that'll narrow it down alot.
Your accounting people, theymight need access to that FCI to
bill and stuff like that, butthey don't necessarily need
access to the CUI.
So can you limit it by thenumber of people that touch CUI?
(22:11):
Or think about how much yourbusiness is with the Defense
Department.
Is it 25%?
Is it easily...
Can I limit it to certainmachines?
Can I limit it to certain CNCmachines, for instance?
Can I limit it to certaincomputers that have access and
(22:31):
not others?
Again, that kind of goes backalso to how many people access
the CUI, but what is yourpercentage of business?
Because even if your percentageof business is 100% DOD, maybe
not that many people access theCUI.
Maybe your CNC folks and yourdesign folks access it But
(22:52):
nobody else does.
Percentage also matters, too,because that will also guide you
on how many people need accessto it as well.
Can you support a dual– it'sgoing to end up being a dual
setup, right?
Because you have to have– andyou can argue the definition of
that.
But what I mean is you're goingto have an enclave you have to
take care of that is CMMC– needsto stay CMMC compliant.
(23:17):
And you can't just– you can'tpierce that veil just to make
things easy.
This is what we talked about awhile ago.
So you're going to have tomaintain two separate
environments.
How are you going to do that?
Are there people that work onCUI DOD work and do those same
people work on non-DOD workthat's not in Enclave?
(23:39):
And how do they do that?
Is it the same part with acouple of little different
things that's a CUI?
So you've got to kind of figurethat out.
That's your work.
workflow, right?
There's your process.
How are these people workingnow?
How can we leave that unchangedat most?
(24:00):
Or how can we leave that mostunchanged, right?
And you may have to completelychange up the way they work,
which is fine.
Sometimes you just got to upendpeople and say, hey, here's a
new way to do it.
This computer is used for allyour other work.
This computer is used for yourDOD work that has CUI, right?
(24:20):
So those are the things you canthink of so August of 2025 from
this point I would say if you'renot well on your way to having
all your controls and assessmentobjectives fully met fully
implemented then you need tostart right now because the
(24:41):
likelihood is and we won't getinto the whole timeline but the
likelihood is that that 48 CFRis going to come out around
October It could be September.
It could be November.
But that's what everybodyexpects to see.
And I know that you can say,yeah, they said that before and
blah, blah, blah.
But there's a lot of reasons forthat.
(25:03):
And I really think they're goingto come out with it September,
October, November, right aroundthat time frame.
It aligns with a whole lot ofstuff.
And they're really pushing.
They know they need it.
And then it's got four phases toit.
The first phase is planning.
pretty much what everybody isdoing now, uh, except a little
(25:23):
more teeth in it and a definitea hundred percent timeline.
Um, no more guessing after itdrops.
Uh, so if it drops in October,uh, you can expect to see a year
later and, and, uh, depending onwhether they hold to the 60
days, uh, before it fullyimplements or not, uh, I just
kind of thought they would, butI've heard that, uh, several
(25:46):
people say that they don't haveto, and they might not, uh,
because this that wouldn'tnecessarily impact anybody
because they see this as not asignificant economic impact.
Now that you've fallen over onthe floor, you can get back up
for a second and listen.
(26:07):
Not to everyone I talk to.
There's a reason for that.
But anyway, the point is theydon't necessarily have to wait
60 days.
But if they do, you're talkingabout December of 25 when it
goes into effect and thenDecember of 26 when CMMC is
required, a Level 2certification is required to get
(26:29):
a contract award.
And then...
contractors, the primecontractors are already
requiring, asking for, notrequiring necessarily yet, but
they're really pushing heavy toget their subcontractors
certified.
They're asking, you know, hey,we need you to show us a date
when you're scheduled to haveyour certification assessment,
(26:52):
right?
And so all that, you know,dialogue to tell you, I wouldn't
wait.
I would start now and make sureyou uh you get everything
implemented and you're notrushing at the very end if you
do find yourself rushing in thevery end then uh you know or or
maybe a prime contractor saysyou know i need to win this
(27:14):
contract you got to have thatcertification in hand and then
maybe you do say hey i'm gonnahurry up i'm gonna implement
this enclave i'm gonna if itupends the way we do work that's
fine but you know so maybethat's a good reason to
implement an enclave like rightnow you know um there's there
could be a reason why you haveto and why would want to
implement it quickly within afew months.
(27:36):
If you want to start from zeroand get done, a very
well-defined enclave would helpyou do that quickly.
But you've got to either makeyour business fit it or make it
fit your business, however youwant to phrase that.
Generally, that takes a littlelonger, but if you're going to
do it, an enclave will help youdo that quicker.
SPEAKER_01 (27:54):
And sum that up in plain English terms, as the
late, great Ricky Bobby said, ifyou ain't first, you're last,
and Uncle Sam's trying to befirst.
They're pushing hard on thisthing.
They are pushing hard on thisthing.
They're not kicking the can muchlonger, they seem.
SPEAKER_02 (28:06):
No, they're not.
And the sad thing is you willsee some really small companies
will fall out most likelybecause of this.
And there may be some other onesthat aren't necessarily very
small, but they decide thatthey're going to pass on it
because they don't have enoughbusiness, they think, to support
it.
The other thing I'll say thereis that since there are going to
(28:29):
be people falling off, you canuse this to your advantage to
win more of those DOD contracts.
SPEAKER_01 (28:36):
As always, thank you, Brooke.
We appreciate it.
And to the audience, if you haveany questions about what we
covered, please reach out to us.
We're here to help fast trackyour compliance journey.
Text, email, or call in yourquestions and we'll answer them
for free here on the podcast.
You can find our contactinformation at
cmmccomplianceguide.com.
(29:00):
Stay tuned for our next episode.
Until then, Stay compliant.
Stay secure.
Please make sure to subscribe.
Hey there, and welcome to the CMMC Compliance
Guide Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting,where we help businesses like
yours navigate CMMC and NIST800-171 compliance.
We're hired guns gettingcompanies fast-tracked to
compliance, but today we're hereto give you all the secrets for
free.
So if you want to tackle ityourself, you're equipped to do
(00:22):
so.
Let's dive into today's episodeand keep your business on track.
Today's topic is one we hearabout constantly.
Do I need an enclave for CMMC.
We're going to break it downwhen an enclave makes sense and
when it might actually createproblems for yourself.
All right, Brooke, let's startat the beginning.
What exactly is an enclave?
SPEAKER_02 (00:42):
An enclave is a place where you put something
separate from the rest of yournetwork.
So take all your data and youseparate it from the rest of
your network.
That's That's really all anenclave is.
It can take lots of forms, butthe idea is that an enclave
lives by itself inside yournetwork or beside your network
(01:02):
or whatever, but it does nottouch the rest of the network
and vice versa.
The rest of the network does nottouch it.
You can do this physically.
You can do it virtually.
You can do it with cloudresources.
It can be a hybrid of one, two,or all three or whatever, but
there's lots of solutions, lotsof ways to achieve it.
You just have to protect thatdata from the rest of the
(01:23):
network.
SPEAKER_01 (01:24):
So, Brooke, when does an enclave make the most
sense for a defense contractor?
SPEAKER_02 (01:30):
Sure.
So, and I might clarify from thelast question, of course, we're
talking about an enclave forCUI, Controlled Unclassified
Information.
You don't have to put FCInecessarily in that enclave.
What makes sense is if only partof your people handle CUI, then
it makes sense to have anenclave to separate it out.
(01:53):
You've got to be able to clearlyidentify that CUI, and you
should do that from the verybeginning and figure out what
kind of CUI you have, figure outwhere it all flows, all that
kind of fun stuff, and how manypeople handle it.
How many people need to handleit?
Does the HR person really needaccess to that CUI?
Unless you're a tinyorganization, my guess is
(02:13):
probably not.
Just because the HR persondoesn't need access to that CUI,
do you need an enclave or not?
How many of Those people in yourorganization need that access to
that CUI.
You might look and see how muchbusiness you have that is DOD
work, that you get CUI from.
(02:35):
If it's 25%, it may make senseto make a CUI enclave.
If your company is very small,for instance, and most of your
people handle CUI, then maybe itdoesn't make sense.
If a limited number of peoplehandle CUI, if a limited number
of your contracts are from theDOD that you get CUI from, those
instances would be goodcandidates for an enclave.
(02:57):
The other thing, you can savemoney, of course, by just
restricting the enclave to asmaller subset of your company.
Sometimes it'll save you somereal money, sometimes it won't.
Budget is definitely aconsideration there, so you need
to take a look at that and seewhat it looks like to have an
enclave versus scoping inabsolutely everything.
Another thing is how you dobusiness, how that enclave
(03:18):
looks, and if that enclave makessense for you.
What is your process flow.
Can it be changed?
Small companies may not fitreally well.
If you need compliance fast,you've got to do it quickly.
I'd be very wary of CMMCcompliance in a box, but there
are some enclave solutions thatyou can deploy rather quickly
and get your documentation inorder, and you can do that
rather quickly.
Depending on how fast you canmove on documentation and
(03:40):
verifying everything and rollingthat out, making sure that all
your physical spaces are securedas well, because that is also
part of your enclave.
If you need to move fast, youmight look at one of those
enclave solutions solutions.
You might say CMMC in a box, Iguess, but it's not really.
My last note here is that youneed to clearly define where CUI
lives.
We've already kind of talkedabout that, but that is utmost
importance, not only for this,but just CMMC in general.
(04:04):
You've got to know what CUI youhave, where it is, and what in
the world is CUI in yourenvironment.
You've got to know all that,figure that out, figure out
anything with any of yourpolicies, anything else with
CMMC, but you also need tofigure that out definitely for
an enclave.
SPEAKER_01 (04:18):
Yeah, so I think we just in invested in some
upgrades to the studio, maybe weshould also get one of those
counters like where you have howmany days since accident.
But this for our podcast, it'llbe how many days since we
mentioned scope, documentation,or your CUI data flow diagram.
It's constantly going to be zerodays since.
SPEAKER_02 (04:41):
It will.
It will.
That'll stay at zero.
SPEAKER_01 (04:43):
That jogs my memory just of a conversation I was
having yesterday with a defensecontractor in terms of Enclave
We're CMMC in a box.
It is generally in good practiceto try and limit your exposure
to CUI as much as possible.
Absolutely.
If you're wanting to decreaseyour risk profile, Enclave is a
way to do that.
Sometimes when it doesn't makesense is when you're a
(05:06):
manufacturer.
For example, I was talking tothis one company yesterday.
They've done a really good jobof really trying to restrict
things.
In a way, it's kind of anEnclave, but just kind of keep
it basically data flowing or CUIfrom their customers.
and going directly into theirvendor that is for COI.
The problem is, and I helpedthem figure out yesterday, is
(05:29):
that it traverses the computerto do that.
And they didn't realize that nowtheir computers are in scope and
they thought they werecompletely out of scope.
Whether it's their clipboard,your copy-paste your clipboard,
or it's just you needing to getit into some G-code onto a
machine or something, ittraverses the computer and the
computer is then in scope fromthat.
(05:50):
So you need to be carefulbecause sometimes an enclave, it
works great, but you don't wantto put a square peg in a round
hole is what I'm trying to say.
SPEAKER_02 (05:58):
You know, the one thing I might remind everybody
of when we said this veryfrequently also, but it's not
just where CUI is stored.
Everybody falls back to that.
Where is the CUI stored?
It's not just where it's stored.
It's where it's processed, whereit's stored, and where it's
transmitted, PST, right?
For us, a PST is anOutlook-related thing, Outlook
(06:18):
email-related thing, but PST,you've Got to remember that.
Where's CUI processed, stored,and transmitted?
If it's stored in the cloud, butyou connect to the cloud with a
laptop to view it, to look atit, to send it somewhere, guess
what?
That laptop, unless you have,well...
(06:39):
Very strict controls on the...
There are some...
There's one or two instanceswhere that might not be, and
that's VDI, virtual desktopinfrastructure, but something
like that.
But otherwise, that computer isin...
connects and processes that fortransmission or whatever it is,
that would be in scope, yes.
SPEAKER_01 (06:57):
It's more or less directly interacting with that
data, even though it's a websiteor something.
So
SPEAKER_02 (07:02):
when you design your scope, you've got to think about
how do you get that data out ofthat enclave to a CNC machine?
How do you get that data to aprinter?
Is the printer and the computerin the environment?
Do you connect to it?
How do you get the data intothat environment?
How do you get it out of theenvironment to to vendors or to
your shop floor, whatever itmight be.
(07:24):
You absolutely have to thinkabout all that.
And scope.
I mean, again, that's all justscope.
You're scoping your environment.
But you've got to think aboutprocessing, storing, and
transmitting CUI.
All three of those.
SPEAKER_01 (07:35):
Yeah, so it's a great tool in the tool belt, but
you don't want to use a hammerfor a screw.
Use it whenever it makes sense.
But that leads to a great segueto the next question.
When an enclave makes sense,that's great.
When does it not make sense?
When can it hurt you when itWhen is some bad scenarios?
I know we already kind ofmentioned a few.
SPEAKER_02 (07:53):
Really, an enclave can hurt you whenever you don't
take those design considerationsinto account.
When you put this enclave in andyou don't really think about
what is your business process,what is the data flow.
Us as IT guys, we can say, hey,this is great.
You can put this in.
This is how it works.
And you can use it like this.
And then if Charlie over here onthe CNC machine brings his
(08:15):
laptop over and plugs it intothe network and into the enclave
network and gets the data outand and then walks it over and
then plugs it into the othernetwork.
Whatever it might be, then youjust pierce that enclave with
that laptop or a USB stick orwhatever it might be, and you
just expanded the scope of that.
So you've got to think aboutthat.
We talk to our clients aboutthis, and we try to make sure
(08:39):
not just the decision makers areon the initial calls with us,
but some of the people whoactually do the work, you know,
department managers or whateverit might be, that they're They
actually can be part of thatbecause the CEO might say, yeah,
this is the way we do things.
And Charlie comes over and says,actually, this is the way we do
(09:00):
things.
So it really helps to have thatwhole view of what the business
process is.
So you can change the businessprocess or you could modify your
scope to better suit howbusiness is done.
Talking about this, I kind ofoversimplified or generalized
(09:20):
really, but to put it in moreconcrete terms that get your
mind wrapped around this, if yousay we've got GCC High for a
subset of our users and all ofour information is in GCC High.
Great.
That's wonderful.
How do you get it in and out ofthat environment to vendors or
(09:41):
customers and how do you get itin and out of that environment
to are there any other internalsystems that goes to are you a
manufacturer and you need topull it out of there and get it
to the to a CNC machine samething with something like
Prevail you know it's a finesolution you can use that but
(10:02):
it's the same thing if you howdo you use that how do you use
Prevail how does it go in andout of that system where all
does it go and that is thattruly where all the data all the
CUI really is you know and notjust where it's stored again but
where it's processed stored ortransmitted
SPEAKER_01 (10:20):
okay so So let's say you're a defense contractor and
you decided to go the enclaveroute and keep your COI within
it.
What are assessors, which isreally what matters?
I talk about this all the timeis, you know, we can have all
these arguments or philosophicaldiscussions, but nothing really
matters except for what theassessor says.
(10:40):
He's the one giving you the sameapproval.
Yeah.
So what will assessors belooking for during a CMMC audit
or assessment when you have anenclave?
SPEAKER_02 (10:49):
Well, first thing...
I should have my favorite shirton that says documentation,
documentation, documentation,right?
So we'll talk about that again,and that counter goes back to
zero.
Yep.
But they'll be looking for it tobe clearly defined and laid out
so they can understand it.
It's got to be written so notjust that IT person can
(11:09):
understand it or that internalCMMC guy, right?
It's got to be written so otherpeople understand what's going
on.
All your employees that have todeal with it have to understand
you know, how to use it, what itis, all that kind of fun stuff.
They have to be aware of yourSSP and your policies.
Clear documentation, clearlydefined, clearly laid out what
(11:30):
it is.
The clear separation betweenthat and your non-CMMC, non-CUI
network, right?
If you have a CUI network andthen you say the FCI is in the
rest of the network, you canlive in the rest of the network.
There's got to be clearseparation.
It's got to be understandable.
I heard one webinar with someassessors on it yesterday or the
(11:52):
day before.
They were talking about this isgreat to have enclave or these
diagrams that show us how thingswork, but if it's a big diagram
full of spaghetti strings, it'sgoing to be really hard to
understand.
This goes back to you want tomake things easy for the
assessor, make them happy.
You want those assessors to behappy.
(12:13):
It's got to be clearly definedand there's got to be a clear
separation, clear scope for it.
SPEAKER_01 (12:19):
And not all assessors are technical of
nature.
So if you're an IT guy orsomeone who is technical,
putting your SSP and POAMtogether and you're speaking in
tech terms or geek speak, thatmight mess you up.
SPEAKER_02 (12:34):
Right.
And I might point out, all ofthem should be technical to some
degree, but a lot of them havebeen out of the day-to-day IT
tech work for quite a whiledoing these assessments, these
types of assessments andassessments for other things and
they're involved in securitythey're involved in tech they're
involved in data management andeverything but they may not be
(12:57):
involved in which is what you'retalking about in day-to-day tech
work and understand
SPEAKER_01 (13:01):
they're not configuring switches and routers
and stuff on a daily basis they
SPEAKER_02 (13:05):
don't care about the specific ip addresses they don't
care about you know you need topaint the picture yes yeah yeah
so they'll and speaking aboutnetwork diagrams whatnot that's
part of the documentation andthey'll want to see those
diagrams that's part ofexplaining and laying the laying
the whole picture And, ofcourse, it should go without
saying, but your enclave has tomeet all 110 controls and 320
(13:30):
assessment objectives.
SPEAKER_01 (13:32):
Absolutely.
That's, again, that company Iwas talking to yesterday, one
thing that I was trying toportray to them is that now that
those computers are in scopewith, you know, because the COI
traverses that computer, youknow, that just has to meet all
110 controls.
have an antivirus doesn't justmake it secure like all 110
(13:53):
controls in the nest 800 171 ref2 right now need to be applied
to that computer because it hascoi and um sometimes that's a
hard-pilled swallow it is butyeah that's um anytime you have
coi that's like you're doingwith the enclave you're trying
to limit how far things go umyou you don't realize that you
(14:15):
need all all protections onthose things so
SPEAKER_02 (14:18):
it's kind of like uh i mean it's The same thing
happens in your non-CUI network.
We're always talking aboutshadow IT.
Instead of calling IT and tryingto get wireless fixed in a
certain area, does somebodybring a little wireless router
in and plug it in and justconnect to that and get their
good wireless?
We have seen that before where acompany didn't want to spend
(14:43):
money on redoing their wireless,and so they would just buy it
wherever they needed betterwire.
They just buy a little wireless,not access point, but a router,
a wireless router, and go plugit in and plug it into the
network and use it where theyneeded it.
And that happened at one time.
Alarm bells went off.
(15:03):
The SIM alerted us.
You know, we, all hands on deck,we're trying to figure out what
in the world was phoning back toChina, you know?
So we narrowed it down, and itturned out it was an
off-the-shelf, cheap littlewireless access point or
wireless router that somebodyplugged in, and we're like, you
know, You can't do that,especially since you're a CMMC.
(15:26):
But yeah, that happens inregular networks.
And really, if you really sitback and look at it, there are a
couple of onerous things in it.
But at least all the NIST800-171 controls, they're pretty
(15:46):
straightforward, pretty righton.
good security that you want tohave.
You know, it doesn't even reallygo that much in depth into, you
know, into really deep, goodcybersecurity.
And there's a lot of stuff thatleaves off, but, um, it's good,
basic cybersecurity with, with acouple of owners things in it.
(16:07):
But other than that, it's, it'sreally good.
Uh, so it's not even, it's, thebar is not even way high for the
state of 171.
Um, so, uh, it's a really good,um, really good set of controls
to adhere to.
SPEAKER_01 (16:23):
You might get some hate mail after that comment.
The bar's not that high.
I might get some hate mail.
We'll put your address downhere.
Right.
SPEAKER_02 (16:31):
So really, it's not the onerous thing really about
this whole CMMC thing isdocumentation.
That's one of the big things.
You should document everythinganyway, but there is a ton, a
ton, a ton of documentation thatyou have to do, which you
There's a lot of documentationyou should do with your networks
(16:53):
anyway that people just don'tdo.
They depend on that one IT guyto keep everything filed away up
here in their mind.
He's busy fighting fires all daylong.
Yeah, and they're busy fightingfires.
But there's my soapbox about theNIST 800-171.
All the technical controls,they're pretty much right in
(17:15):
line.
You really need to do all those
SPEAKER_01 (17:16):
anyway.
Well, your story about the cheap– router um just kind of brings
up a point that we talk about uma lot here internally at our
company um i don't know that wementioned a lot on the podcast
or or facing um you know out tothe public and and that is uh
(17:37):
everyone's um gut instinct is tohave implemented controls with a
technical tool or a piece ofsoftware or some um policy you
can configure on a certain thatprevents something, but at the
end of the day, a large amountof the controls and the things
(18:00):
that you have to implement arecontrolling people's actions and
people-based anddocumentation-based.
There's no amount of technicalcontrol or software that you can
buy that can prevent that personfrom walking in and plugging
that thing in.
You could even get AI camerasand put them in the parking lot
(18:21):
and guess what's in people'spockets.
But why do all that whenever youcan just have a policy that
says, hey, don't do this.
Don't click on that.
And then train them, you know,because, yeah, don't click on
that.
Don't bring this in.
Don't do that.
And then your technicalcontrols, your security
(18:41):
implement is more or lessdesigned to be the safety net.
So you really need to start withthe people, the processes, the
documentation, and then you kindof fill it in with the technical
controls that you can implementin a reasonable nature that
(19:01):
satisfies the objectives and thecontrols after that.
Start with the people, process,documentation first.
SPEAKER_02 (19:11):
Yeah, absolutely.
Training is one of thoseexamples.
You don't have to have anelectronic security awareness
training platform You can doyour training manually.
You can hold a class and do thistraining and then write it down,
document it.
At some point you'll have to– Iguess you don't have to
(19:32):
necessarily.
Well, at some point you will.
But at some point you'll have totake that piece of paper and
you'll have to copy it andupload it for proof that you
actually did that training andhave people sign off and all
that.
But the point is you can conductthat training manually if you
want to.
You don't have to do– have tohave an electronic platform to
do that.
(19:53):
It's a lot easier.
Yeah.
It's a lot easier to implementand take care of and stay on top
of than, you know, Joe Blowhaving 10 hats that he wears and
trying to remember they need todo training again, you know.
Right.
Before, you know, hold atraining class.
Yeah.
Definitely.
SPEAKER_01 (20:09):
Yeah, there's some places where, you know, I think
just like you said, a softwaresystem for that makes it much
easier.
And then on the other side ofthings, we walked into a defense
contractor the other day herelocally and you can you have to
sign people in especially if youhave like ITAR stuff you know
and a lot of people go theclipboard route you know and
(20:32):
badges and a log it's simpleit's reliable it's in the scheme
of things pretty cheap oraffordable but this place had a
real nice fancy camera and iPadsystem and a printer for badges
instant Badges being printed andeverything, and it didn't work.
(20:55):
We had to heck with trying toget it to end.
Anyway, so I've never walkedinto a defense contractor where
the clipboard didn't work.
So if you're at home listeningto us and you're thinking about
pulling the trigger on anenclave, what questions should
you ask yourself beforeproceeding?
(21:15):
Do you know what is CUI?
Do
SPEAKER_02 (21:16):
you know what CUI you have?
You have to define– you have todefine and understand what
you're trying to protect, whatyou're trying to make it, what
you might want to make anenclave for before you even
attempt to, to do that, to thinkabout it.
Right.
So understand what CUI is, whatCUI you have, understand what it
is in your environment that isCUI.
(21:36):
Right.
And that's the first thing yougotta, uh, you gotta kind of
figure out.
Um, then you gotta think about,uh, how many people, how many
people need access to that CUI?
How many people truly needaccess to that CUI?
UNKNOWN (21:50):
Um,
SPEAKER_02 (21:51):
can I keep that CUI separate from FCI?
Because that'll narrow it down alot.
Your accounting people, theymight need access to that FCI to
bill and stuff like that, butthey don't necessarily need
access to the CUI.
So can you limit it by thenumber of people that touch CUI?
(22:11):
Or think about how much yourbusiness is with the Defense
Department.
Is it 25%?
Is it easily...
Can I limit it to certainmachines?
Can I limit it to certain CNCmachines, for instance?
Can I limit it to certaincomputers that have access and
(22:31):
not others?
Again, that kind of goes backalso to how many people access
the CUI, but what is yourpercentage of business?
Because even if your percentageof business is 100% DOD, maybe
not that many people access theCUI.
Maybe your CNC folks and yourdesign folks access it But
(22:52):
nobody else does.
Percentage also matters, too,because that will also guide you
on how many people need accessto it as well.
Can you support a dual– it'sgoing to end up being a dual
setup, right?
Because you have to have– andyou can argue the definition of
that.
But what I mean is you're goingto have an enclave you have to
take care of that is CMMC– needsto stay CMMC compliant.
(23:17):
And you can't just– you can'tpierce that veil just to make
things easy.
This is what we talked about awhile ago.
So you're going to have tomaintain two separate
environments.
How are you going to do that?
Are there people that work onCUI DOD work and do those same
people work on non-DOD workthat's not in Enclave?
(23:39):
And how do they do that?
Is it the same part with acouple of little different
things that's a CUI?
So you've got to kind of figurethat out.
That's your work.
workflow, right?
There's your process.
How are these people workingnow?
How can we leave that unchangedat most?
(24:00):
Or how can we leave that mostunchanged, right?
And you may have to completelychange up the way they work,
which is fine.
Sometimes you just got to upendpeople and say, hey, here's a
new way to do it.
This computer is used for allyour other work.
This computer is used for yourDOD work that has CUI, right?
(24:20):
So those are the things you canthink of so August of 2025 from
this point I would say if you'renot well on your way to having
all your controls and assessmentobjectives fully met fully
implemented then you need tostart right now because the
(24:41):
likelihood is and we won't getinto the whole timeline but the
likelihood is that that 48 CFRis going to come out around
October It could be September.
It could be November.
But that's what everybodyexpects to see.
And I know that you can say,yeah, they said that before and
blah, blah, blah.
But there's a lot of reasons forthat.
(25:03):
And I really think they're goingto come out with it September,
October, November, right aroundthat time frame.
It aligns with a whole lot ofstuff.
And they're really pushing.
They know they need it.
And then it's got four phases toit.
The first phase is planning.
pretty much what everybody isdoing now, uh, except a little
(25:23):
more teeth in it and a definitea hundred percent timeline.
Um, no more guessing after itdrops.
Uh, so if it drops in October,uh, you can expect to see a year
later and, and, uh, depending onwhether they hold to the 60
days, uh, before it fullyimplements or not, uh, I just
kind of thought they would, butI've heard that, uh, several
(25:46):
people say that they don't haveto, and they might not, uh,
because this that wouldn'tnecessarily impact anybody
because they see this as not asignificant economic impact.
Now that you've fallen over onthe floor, you can get back up
for a second and listen.
(26:07):
Not to everyone I talk to.
There's a reason for that.
But anyway, the point is theydon't necessarily have to wait
60 days.
But if they do, you're talkingabout December of 25 when it
goes into effect and thenDecember of 26 when CMMC is
required, a Level 2certification is required to get
(26:29):
a contract award.
And then...
contractors, the primecontractors are already
requiring, asking for, notrequiring necessarily yet, but
they're really pushing heavy toget their subcontractors
certified.
They're asking, you know, hey,we need you to show us a date
when you're scheduled to haveyour certification assessment,
(26:52):
right?
And so all that, you know,dialogue to tell you, I wouldn't
wait.
I would start now and make sureyou uh you get everything
implemented and you're notrushing at the very end if you
do find yourself rushing in thevery end then uh you know or or
maybe a prime contractor saysyou know i need to win this
(27:14):
contract you got to have thatcertification in hand and then
maybe you do say hey i'm gonnahurry up i'm gonna implement
this enclave i'm gonna if itupends the way we do work that's
fine but you know so maybethat's a good reason to
implement an enclave like rightnow you know um there's there
could be a reason why you haveto and why would want to
implement it quickly within afew months.
(27:36):
If you want to start from zeroand get done, a very
well-defined enclave would helpyou do that quickly.
But you've got to either makeyour business fit it or make it
fit your business, however youwant to phrase that.
Generally, that takes a littlelonger, but if you're going to
do it, an enclave will help youdo that quicker.
SPEAKER_01 (27:54):
And sum that up in plain English terms, as the
late, great Ricky Bobby said, ifyou ain't first, you're last,
and Uncle Sam's trying to befirst.
They're pushing hard on thisthing.
They are pushing hard on thisthing.
They're not kicking the can muchlonger, they seem.
SPEAKER_02 (28:06):
No, they're not.
And the sad thing is you willsee some really small companies
will fall out most likelybecause of this.
And there may be some other onesthat aren't necessarily very
small, but they decide thatthey're going to pass on it
because they don't have enoughbusiness, they think, to support
it.
The other thing I'll say thereis that since there are going to
(28:29):
be people falling off, you canuse this to your advantage to
win more of those DOD contracts.
SPEAKER_01 (28:36):
As always, thank you, Brooke.
We appreciate it.
And to the audience, if you haveany questions about what we
covered, please reach out to us.
We're here to help fast trackyour compliance journey.
Text, email, or call in yourquestions and we'll answer them
for free here on the podcast.
You can find our contactinformation at
cmmccomplianceguide.com.
(29:00):
Stay tuned for our next episode.
Until then, Stay compliant.
Stay secure.
Please make sure to subscribe.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.