
December 12, 2025 16 mins


Today’s episode of the CMMC Compliance Guide Podcast dives into the biggest myths that machine shops, fabricators, CNC shops, and mid-sized defense contractors still believe about CMMC. From cloud misconceptions to vendor promises that fall short, Brooke breaks down why these misunderstandings lead to failed assessments and what contractors should be doing instead.

We walk through common assumptions like “cloud keeps me out of scope,” “my vendor is compliant so I’m compliant,” “MFA on email is enough,” “my firewall makes everything compliant,” and “cyber insurance handles reporting.” Each of these has a grain of truth but none of them meet the actual requirements in NIST 800-171 or CMMC Level 2.

You’ll learn:

  • Why cloud environments don’t remove your endpoints from scope
  • How caching, downloads, and browser access pull systems back into scope
  • What vendor claims really don’t cover
  • Why MFA must be implemented everywhere CUI is accessed, not just email
  • The truth about firewalls and why they’re not “compliance shields”
  • Why VDI is helpful but not a magic solution
  • What cyber insurance does (and doesn’t) do during an incident
  • Why remote workstations and home offices still introduce scope and risk

This episode is packed with clarity, not fear, so manufacturers, CNC shops, and GovCon SMBs can make informed decisions, avoid costly assumptions, and protect their DoD contracts.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:43):
Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacy.

SPEAKER_01 (00:47):
And I'm Brooke.

SPEAKER_00 (00:48):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns, getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.

(01:09):
Today we're covering a fun one: the biggest myths every shop believes about CMMC. From cloud to vendors to firewalls, there are a lot of misconceptions floating around. And if you believe them, you could fail your assessment. All right, Brooke. So the first one we hear a lot is, "If we just keep all CUI in the cloud, we're safe and out of scope."

(01:29):
Is that true or false?

SPEAKER_01 (01:31):
Well, it's true. If you can actually keep all your CUI in the cloud and not touch anything else, sure, then it's true. But you really have to think about that. I mean, if you're talking about in a cloud, a lot of times people are talking about an ERP or MRP or whatever it is that's accessed through a browser. So you access that system through a browser, and

(01:54):
more than likely that CUI is going to be cached on your machine somewhere. If you download documents to view them and click on a PDF to view it, I hate to tell you this, but it downloads it as cache. And, you know, any time any of that CUI touches your computer, then it's in scope. So you have to worry about that.

(02:16):
So it is rare. You can configure it. If you have a VDI instance, for instance, if you have that, then yeah, and that's your cloud. Then yes, as long as it's configured properly, then yes, that could be all in scope right there,

(02:39):
just in the cloud. But that's rarely the case.

SPEAKER_00 (02:43):
Another big one we hear is, "My software vendor says they're CMMC compliant, so we're covered." Would that be good enough?

SPEAKER_01 (02:51):
Well, that's a good start. That is a good start. That is not a good finish. I can't tell you how many that we've run across that said, "Yeah, we're CMMC compliant, we're good, you can use us," and then when you dig into it, you're like, well, yeah, but we have some problems. You know, either we're storing CUI or want to store CUI in your environment, but you're not

(03:15):
FedRAMP authorized or FedRAMP equivalent, right? Or you're not CMMC Level 2 certified, whatever you need to be. So if they're cloud, it's gonna be FedRAMP. Or they say, you know, "We've got some statements on our website that show how we are compliant." So you really need to delve into it and understand that this is

(03:37):
all about scoping. It all goes back to scoping and documentation. So you need to really delve into it, figure out where your CUI and FCI is gonna be, and therefore what they would have to meet, and see if they meet it. So there are very few, very few software vendors,

(04:02):
relatively few software vendors that really are CMMC compliant, which would be, if you're gonna be storing CUI there, that would be FedRAMP Moderate authorized or higher, or FedRAMP equivalent. So authorized or equivalent are the keywords

(04:23):
there. So there are relatively few that actually have that capacity. Otherwise, you're gonna want to bring that stuff in-house, or not store CUI in there, or figure something out. And if you're not talking about CUI and you're talking about, you know, a security protection asset, say it's a SIEM

(04:44):
provider, a security event and information monitoring. Maybe I got that backwards, but a SIEM that monitors all your logs. If it's cloud-based, it doesn't have to be FedRAMP Moderate authorized or equivalent. But doing a customer responsibility matrix is very, very helpful. Assessors are gonna want to see that customer responsibility

(05:07):
matrix based on the NIST 800-171 controls, not just some made-up CRM. And I say made up, but they're gonna want to see it based on NIST 800-171. If it's based on NIST 800-53, they can probably do the crosswalk pretty easily. They should.

(05:29):
If they're assessors, they ought to be able to do that crosswalk pretty easily. If it's based on other standards, you're gonna make it a lot tougher on them. And while they might be able to do the crosswalk, not all standards, just because they have similar controls, doesn't mean you have to meet them the same way. So they don't necessarily match up. That's why assessors want to see those CRMs based on

(05:53):
customer responsibility matrix based on NIST 800-171 controls, CMMC controls.

SPEAKER_00 (05:59):
Something else we hear pretty often is, "If we use two-factor login on our ERP or email, that should be good enough," right?

SPEAKER_01 (06:08):
Yeah, no, it's not. So, you know, people don't realize that wherever you have your CUI, wherever you access it remotely or over a network, you have to have MFA enabled. So that may mean that you have to have MFA enabled on your computer login as well as on your cloud

(06:33):
provider login if you're storing CUI there. Really, if it's any cloud provider, I'll tell you right now that you just might as well go ahead and make sure that your cloud providers, whether it stores CUI or not, have MFA available and set up, because there's no cloud service that I can imagine that I would suggest setting up without

(06:55):
MFA, which is very strange because there are quite a few bank sites that actually don't offer MFA. "I'll just set a good password." You know, that's great. But no, you need to really sit down, and that's scoping again, figure out where the CUI is located at and where that MFA needs to be implemented.

SPEAKER_00 (07:16):
Something else we hear sometimes is, "Our firewall makes everything inside it compliant." What do you have to say about that, Brooke?

SPEAKER_01 (07:25):
It'd be nice. It'd be really nice. But it doesn't. It can help, absolutely. That's your edge protection, and that's certainly part of the controls. But you need to have, you know, the SIEM we just talked about a minute ago, the security information and event monitoring. Actually, I take that back. You don't have to have a SIEM.

(07:46):
Let me make that clear. You don't have to have a SIEM, but if you read all the controls and everything, it's really written so that you need a SIEM. If you don't have a SIEM helping you look through all those logs, you're sorely missing out. And I would argue you're really not that secure if you don't have a SIEM or something watching

(08:08):
the logs helping you, because that is tens of thousands of log entries to pore through, and I can almost guarantee you you're not doing it. So it doesn't require a SIEM, but it kind of requires a SIEM. But to go back to your question about the firewall, it's certainly a very important part of it. And you need to configure it, make sure everything's

(08:31):
scoped properly, but you need to make sure your network and all the endpoints behind it are scoped properly and secured. VLAN, however you need to subnet it, however you need to divide it up, you need to scope your environment, draw out your boundary, and figure that out, and then implement all the controls like the SIEM, like an antivirus, like, you know,

(08:54):
everything else is going to be part of that. So yes, firewall is one part of it.

SPEAKER_00 (08:57):
So what about the idea, "If we don't print CUI and only view it on our screens, we avoid scope"?

SPEAKER_01 (09:04):
Well, there's a few things there. So if you just view it on a computer, that's great. Unless it's a VDI situation where you've secured it properly, then that endpoint you're viewing it on is going to be in scope. Also the people viewing it, people are part of your assets

(09:26):
and they're in scope as well. So they'll have to be authorized to be able to view CUI. While if you've got a VDI environment set up, maybe that endpoint is not in scope. And that'd be great. Guess what? The people looking at it are in scope. So they have to be authorized. One way or another, they have to be authorized to be able to view

(09:47):
that.

SPEAKER_00 (09:47):
Here's another one to throw at you. So if everything is in the cloud, there's nothing for attackers to get locally, right?

SPEAKER_01 (09:56):
That goes back to, I think, the first question we talked about, but that is untrue. It is not accurate. So if everything's in the cloud, that's great. But when you access it, unless it's, again, we'll talk about the VDI solution. Unless it's a VDI solution that's configured properly, that, you know, clipboard access is disabled, the mapped drives are

(10:17):
disabled, and all that kind of fun stuff, then if that's configured properly, the VDI, that's correct. The endpoint is not in scope. Anything else other than that, your endpoint's likely going to be in scope. Because when you touch on those CUI files, your computer, for one, caches those files.

(10:39):
And all the controls that discuss CUI are about processing, storing, and transmitting CUI. So if you click on that document, again, we're not talking about a VDI environment, but a VDI, I've said this about a hundred times in this podcast, is virtual desktop infrastructure. So if you don't know what that is, look it up.

(11:03):
It's a protected way that you could set up that environment, a remote way to get to that environment as well. So it's a whole thing. But aside from VDI, that computer, if you click on a piece of CUI, it's gonna process on that computer so it can read it and open it up. It's gonna store a cache, a portion of that, on the

(11:27):
local computer. So you've got that, that computer is in scope. So storing it all in the cloud doesn't mean no risk. It helps out with the risk, no doubt, if your cloud environment is properly configured, but it does not reduce all the risk.

SPEAKER_00 (11:49):
So here's a fun one. "Cyber insurance will handle incident detection reporting for us," true or false?

SPEAKER_01 (11:57):
They will not handle the... I guess they may help with the reporting and tell you where you need to report it at, maybe. Generally cyber insurance, they're gonna require you to have your incident response plan and they're gonna require certain things to be in your incident response plan, and they're also usually gonna require that you hire their... I

(12:20):
don't know about usually, I don't know the percentage, but a lot of the times they're gonna require you to use their forensics companies or partners to help investigate that incident, right? So they help with those incidents, and that forensics company is gonna help manage that incident.

(12:40):
But with CMMC, at least as far as CMMC goes, we're not talking about any state reporting or anything else, or other countries or anything like that, or other industries other than DoD. As far as CMMC goes, you already know where you need to report

(13:01):
that, and that's DC3. And you have to have your medium assurance certificate already installed on at least a computer, hopefully two or three computers, just in case one of those is in the line of fire. But you know that you'll need to report the incident

(13:21):
there within 72 hours. So you already know that, but those cyber insurance companies with their forensics teams that help them investigate these things, they're probably gonna help guide you through that process. You just may need to make sure that you've documented it

(13:42):
properly and included what they want you to do in your incident response plan. They're gonna guide every part of it, from reporting to talking to legal counsel to when to restore, how to restore, all that kind of fun stuff. And depending on what kind of incident it is, of course.

SPEAKER_00 (14:01):
So last myth of the episode. "If I log in from home, that doesn't matter as long as it's secure."

SPEAKER_01 (14:10):
Well, that could be true. Again, we're gonna refer back to the VDI instance, right? If you secured that properly, then that could be true. But you also have to make sure that your remote workplaces, your alternate work sites, meet all the proper

(14:32):
controls. So you have to be aware of that, you have to know that it can be home, but you need to make sure that you've taken all the proper precautions. Using a VDI instance makes that a lot easier, but it does not absolve you of all risk and does not, you know, make it okay to do anything anywhere.

(14:52):
So again, it matters where and how you view that CUI. Hopefully from your VDI setup, you've not, you know, allowed printing to anywhere, because that would be a big no-no. But yes, home computers do count, and generally what you're gonna want to do is not let home

(15:17):
computers touch your environment. You're still gonna want to access that VDI from something that you can control. That way you know it's not just wide open to anything. So now what you control doesn't necessarily have to be in scope if it's a VDI instance, but you don't want to allow just anything to connect to it.

SPEAKER_00 (15:38):
So just wrapping everything up for our listeners, it seems like the biggest takeaway here, with all of these myths that you've demystified for us, is that cloud, vendors, firewalls, and insurance aren't silver bullets for CMMC compliance. You'll still need local controls, our favorite proper documentation, and FedRAMP-ready platforms to pass an assessment.

SPEAKER_01 (16:01):
Yes, that is correct. And you don't necessarily... Most of that you do need, but you don't necessarily need a FedRAMP provider, only if you have CUI in the cloud somewhere. But yes, I mean, you need to scope your environment properly and then build it out properly. None of those are silver bullets. There's no, you know, be careful of, we call it CMMC in a box,

(16:24):
but you know, there are CMMC-in-a-box solutions that you can customize to your situation, which is just fine, you know. But be careful of those situations where a vendor says, "All you need is this little product here, and you're fine." You know, you just gotta go into that with your eyes wide open and realize that it's not just that little box, it's

(16:46):
gonna be other things. Everything that touches that little box, basically. So yeah, there's quite a bit to that.

SPEAKER_00 (16:55):
Well, thank you, Brooke. I appreciate that. Absolutely. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode.

(17:16):
Until then, stay compliant, stay secure, and make sure to subscribe.