
May 30, 2025 51 mins


Missed CEIC West 2025 in Las Vegas? We’ve got your insider recap. In this episode of the CMMC Compliance Guide, Austin and Brooke break down the most critical insights defense contractors need to know—from Katie Arrington’s keynote to real-world flowdown risks, mock assessment walkthroughs, and what AI means for your CUI documentation.

If you’re a small or mid-sized DoD contractor trying to stay compliant with CMMC, NIST 800-171, and DFARS, this episode gives you the takeaways that actually matter.


 📞 Have questions? Text, call, or email us. We’ll answer them for free on the podcast.


 🔗 Visit www.cmmccomplianceguide.com for free resources


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_02 (00:00):
Hey there, welcome to the CMMC Compliance Guide
Podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting, where we help businesses like
yours navigate CMMC and NIST 800-171 compliance.
We're hired guns getting companies fast-tracked to
compliance, but today we're here to give you all the secrets for
free, so if you want to do it yourself, you're equipped to do

(00:22):
so.
Let's dive in to today's episode and keep your business on track.
Today's episode is for those of you who could not make it to
Seek West 2025 out in Las Vegas.
It's a premier...
CMMC conference for defense contractors and aerospace
manufacturers and all of those in the CMMC defense supply

(00:42):
chain, Brooke and I made the trip.
We sat through the sessions and we came back with a stack of
takeaways.
So we're going to focus on what really matters for you, what
stood out, what's actually useful for small and mid-sized
businesses, and how to cut through the confusion, even if
you don't eat, sleep, and breathe compliance.
All right, Brooke.
So you sat through Katie Arrington's keynote.

(01:04):
And for those of you who don't know who Katie Arrington is, do
you mind giving us a breakdown of her real quick?
Katie Arrington, they

SPEAKER_00 (01:12):
call her the mother of CMMC.
And she really is.
She has shepherded this thing through.
So she's top level.
In fact, she wasn't able to make the– what we call CEIC West,
which is CMMC Ecosystem and Implementers Conference.

(01:34):
And they call it SEEK for short.
So SEEK West.
She wasn't able to make that, but she was on the calendar.
She wanted to be there, much like she wanted to be at a
couple of these things anyway.
But she was at NATO in Brussels.
And so she joined us by video.
And Katie always has some really great things to say.

(01:54):
I mean, she's...
really good.
She's personable.
She understands.
She's not what a lot of us think is a typical government type,
you know.
She says what?
No harm, no ill feelings towards government types.
She says what's on her mind.
She does say what's on her mind.
Absolutely, 100% she does.

(02:17):
Talk to some people that want to implement CMMC, and I just want
you to come implement it for us.
Just put it in place, and then that's it.
We always let them know, hey, this is not a check box.
Implement it and you're done kind of thing.
It's ongoing.
It's management.
It's monitoring.
It's all these things.

(02:37):
And it's written that way.
And so she said it's a culture.
And it's a culture from top down.
So yes, it is a management thing.
But all your people have to understand it.
You can't do CMMC properly without your people knowing what
CUI means and what is CUI.

(02:58):
Which piece of information do I have that is CUI?
They have to know about it.
They have to understand it.
It's a culture is what she said.
One of the other things that she said was this is– this is by far
the best way– this is the best deterrence– this is the best

(03:21):
non-kinetic deterrence for a kinetic war basically.
And what she's talking about is we're trying to secure our
supply chain.
And she talked about before 2017, leading up to this, and
even after 2017.
But leading up to this, we're bleeding, bleeding information

(03:42):
to the CHICOMs, to China and other people, but especially
China.
We've said this before, and she brought it up.
Just take a look at their plane, their platform that looks
exactly like our Joint Strike Fighter.
And that's not the only thing.
There is...
tons of other things.

(04:03):
Humvees, there's ships, missile systems, laser systems, you
know, they've gotten information about.
There's tons and tons of stuff.
We're just bleeding information.
And one of the best things about the United States of America is
that we have really top talent.

(04:26):
We have really good talent.
We have really good technology.
That talent develops technology.
We stay on the cutting edge.
We develop all sorts of things.
And so that's what helps us stay ahead in this race.
And if we're bleeding that information and just handing it
over to China or whoever, that really hurts our edge in the

(04:48):
world.
Yeah.
And you may or may not agree with us being in different parts
of the world or whatever, but we've got to have a strong
military, and this is for the warfighter.
It really is.
This is to protect them.
This is to help them, give them an advantage.
We've got to protect this information, and it's

(05:08):
information from each little widget on down to the whole
assembly of– the platform, whatever it is, a ship, a plane,
ammunition, a gun, whatever it is.
It's that data and it's every little piece that goes into it
is what we're trying to secure and what keeps our warfighters
safe.

SPEAKER_02 (05:29):
In other words, a reinforcement from the existing
administration that is not something to get rid of.
That's what I took from her talk.
It seemed really like a plea for patriot owner operators like,
you know, well, she said something about we don't want to
lose contractors, but you've got to step up to the plate

(05:51):
cybersecurity-wise because they view it as a core tenet of
lethality.
And that is very important to the Trump administration and
Doge, she said.
And specifically, she said, Doge and Elon and crew is that they
see the money leaving or the losses.

SPEAKER_00 (06:10):
That's one of the things I was going to go over.
Absolutely.

SPEAKER_02 (06:13):
Not actually.
Sorry, I don't mean to get to it too soon, but it's not something
they're cutting because they see it as a protection mechanism to
the money they're already losing.
So it's not on the table for the Trump administration, and she's
part of it.
And so that's– because there's a lot of questions out there.
Well, is this going to– because we always get that.

(06:35):
Is it going to– stand the test of time, is it going to stay through this
administration that's cutting a lot?
It's staying.
And so if you're hoping that it's not, then...
The odds just got very low for you that it's not sticking
around.

SPEAKER_00 (06:51):
Absolutely, absolutely.
So she did say that.
She did talk about Dozier's keenly aware of the money that
we're losing, and she said that we're probably losing, and this
is her words, or this is a paraphrase of her words.
This is a Brooke Justice paraphrase.
But the Department of Defense is losing about half of what it

(07:12):
spends on defense every year to China.
That is striking.
Which is,

SPEAKER_02 (07:19):
we spend a lot on defense.

SPEAKER_00 (07:21):
We spend a lot on defense, and then just turn
around and give our R&D and our efforts and everything, just
hand it over to China, is horrible.
And that is what we're trying to stop.
China is welcome to develop things on their own and do all
that, but they are stealing this.
They are taking it from us.

SPEAKER_02 (07:42):
And who wouldn't?
We probably are doing the same to them.
I mean that's modern-day war.
If someone already made the nuclear bomb, you try and steal
their secrets before you try and make it yourself.

SPEAKER_00 (07:54):
So just a few other notes real quick and then we'll
move on.
I know– it was the keynote.
We have other things to talk about.
It was the keynote.
It was the keynote.
And like I said, Katie Arrington always has some really good
stuff to say, and it was a very important part of the
conference.

SPEAKER_02 (08:11):
Well, and it set the tone around compliance and the
way things are headed and around everything else.
I think it is important to– whether you agree with what
we're saying or not, it is what was said, and it is where–
Strangely

SPEAKER_00 (08:26):
enough, all the stuff she talked about just
happened to be– who knows if they planned it this way.
I don't think it was.
She's pretty off the cuff.
But all the stuff she talked about seemed to be themes
throughout all the different sessions.
Yeah.
Sometimes not, you know, just kind of touching on it a little
bit, but they were things throughout all the sessions.

(08:48):
One of the things she touched on that I made a note about was
NIST 800-171 Revision 3.
So CMMC, as we've talked about before, is hard-coded to
Revision 2.
right now.
That will change eventually, and it'll change so CMMC will grow
with the changes in NIST.

(09:11):
We haven't even got off the ground, which is the reason
where they stopped and said, hey, R2.
We're sticking with R2.
We're not changing in the middle of the game like this.
So once they get it off the ground, expect that for the rule
to be changed to include current revisions of NIST 800-171.
And I would expect that maybe in, you know, a couple of years or

(09:31):
something.
And probably as when it gets implemented, it's likely, this
is the crystal ball, but I believe she said it's likely
that it'll take the form of, you know, whenever a new assessment,
when you're due for a new assessment, if the R3 has come
out during that time, then at that next assessment, you'll

(09:53):
need to be R3 compliant.

SPEAKER_02 (09:55):
Yeah, I think they said that for CIC Southwest as
well.
If you can hurry up and get certified under R2, you're
pretty much set until they move to R3, which would be probably
your anniversary date for certification three years later.
Is that what you're talking about?

SPEAKER_00 (10:12):
That's exactly what I'm talking about.
And of course, they haven't even written any of that yet, so it
has yet to be seen.
But that's the thinking is what it's going to be like.
One of the things also that Katie said was that along with
CMMC as a cultural thing, that also this whole thing wraps in

(10:34):
cyber security, of course, zero trust and all those kinds of
things get wrapped into this as a cultural thing, as just part of
what you do. One of the other things she talked about, which
was one of the sessions and one of the things I've been talking
about, is ethics for everybody involved in the CMMC ecosystem
as far as assessing and implementation and management of

(10:58):
it. And we have some ethics statements that we have to hold
to.
And she said ethics is very, very important because this is
hard for the DIB to implement and expensive for the DIB to
implement.
And we don't need...
a bunch of questions around ethical issues around this

(11:20):
thing.
We need to know that everybody's trustworthy in the whole nine
yards.
So there's ethical codes of conduct that we have to hold to,
and they're very serious about those.

SPEAKER_02 (11:30):
In fact, the opening remarks after, or I guess prior
to the keynote, but the opening remarks of the conference, I
think probably 60% or more of it was over the ethics of the CMMC
ecosystem.
They focused pretty... They did.
They focused very heavily on it.

SPEAKER_00 (12:03):
Then I didn't catch quite the rest of it.
I think she was talking about we should see RFPs that include the
48 CFR.
In other words, these proposals and requests for a proposal
include CMMC and your certification assessment on
there.
She also said about the False Claims Act and responsibility,

(12:25):
she said that these losses to the DOD have been coming from
somewhere, right?
Right.
And disinformation isn't all lost by the DOD, but the DOD's
been paying for all of it, which means the taxpayer, you and me,
have been paying for all this, right?
And so she said the False Claims Act will be used, and if

(12:50):
you're...
If you're truly not doing what you say you're doing, it's not
just a mistake.
If you're blatantly not doing what you're supposed to be
doing, the False Claims Act canon will come into play.
And she said that someone has to pay for the losses for the DOD,
and it needs to stop being the taxpayer.
That's just a paraphrase, but that's what Katie said, is it

(13:12):
needs to stop being the taxpayer that pays for it.
I think she said

SPEAKER_02 (13:16):
it's not going to be us anymore.

SPEAKER_00 (13:17):
So make sure that you also have your insurance–
And that was

SPEAKER_02 (13:25):
a question as to whether or not, you know,
insurance will even pay for it.
But, you know, she's pretty clear that it's not going to be
them anymore.
I would say if you're a lot of people are in the boat of, well,
are we going to commit to spending money?
to keep pursuing this business or lose it and find replacements
of revenue.
I hear that a lot from people that don't have most of their

(13:45):
revenue share in the defense bucket.
It's probably time to decide that because they can't go after
China, Russia, North Korea.
Their only enforcement mechanism is you.
And so at some point, someone's going to be made an example of,
and that's already happened with universities, and they're going
to start at some point.
And I wouldn't want to be the person that they get started

(14:08):
with.

SPEAKER_00 (14:09):
Not at all.
The last thing I'll kind of touch on, I thought this was
very interesting.
You know, at these conferences we see vendors and whatnot that
use AI and I'm like, well, you know, people can't label CUI
correctly and what makes you think that AI can do any better
if we don't even know how to train it, you know?
Well, Katie said within 18 months or so, AI is going to be

(14:34):
helping with CUI labeling and tagging, and we will see more
CUI documents come through.
So she knows that proper CUI labeling and marking is a
problem.
It is a giant problem.
It's either not being done or way overdone.
One of the two, it's not... It's mostly just not done, at least

(14:55):
as far as our clients see.
It's just not done, right?
There's some that is starting to come through a little better,
but for the most part, there's just a clause on the contract or
the PO or whatever it may be.
Anyway, there's just a default clause on there, and that tells
you, hey– there may be CUI here, so you have to treat everything

(15:17):
like a CUI through there.
If you think it's CUI, you have to treat it like CUI.
We've talked about that.

SPEAKER_02 (15:24):
It seemed to me the way she painted the picture, I
feel like, is that it's going to start with the human making the
contracts or whatever, and then it's going to be forced to go
through an AI tagging filter for CUI or whatever, and it's going
to get tagged by the AI, and that will be– like kind of the
gold standard or the determination of how it's

(15:46):
handled will be the AI filter.
And then from that, you're going to see a higher volume of things
being tagged, you know, CUI or whatever that needs to be
secure.
So this is going to be an increased burden on you because
whatever this filter, AI filter thing is they're going to use is

(16:08):
going to be more aggressive, I guess.

SPEAKER_00 (16:11):
You know, they're going to be using AI which is
smart to try to do something like that.
But that also kind of leads you to think more about some of the
vendors that are using AI.
That AI, of course, if it's going to deal with CUI, there
are certain standards and certifications and everything
that they have to meet.
It can't just be Grok or...

(16:34):
ChatGPT, you can't use those with CUI.
Please don't use those with CUI.
It's probably going to be

SPEAKER_02 (16:40):
more expensive than a $20 a month ChatGPT

SPEAKER_00 (16:43):
subscription, isn't it?
Yeah, it'll be a little more expensive than that.
But the point is that it can go through and help you find and
label your CUI for you.
So there's always going to have to be some human interaction
with that to make sure it's accurate and all that kind of
fun stuff.
But there are companies that do that.
We've not checked any out at this point yet, but especially
since how Katie...

(17:04):
I think that's probably one of those things that is definitely
coming down the pike and can be used.

SPEAKER_02 (17:13):
Well, and we've been having several conversations
with companies.
Be careful what I say here.
But there are AI companies that do it for the government.
So that technology is already out there.
They're already buying it.
They're already investing in it.
So it's probably going to be one of those companies or a
collection of them.
It's not like this is a flying car situation where we're

(17:33):
promised to have it.
in however many years.
They've already been buying it.
They already have the technology.
It's just a matter of repurposing it for this purpose.

SPEAKER_00 (17:43):
There's good things and bad things about artificial
intelligence, AI, but when you get really down to it, we
already use it in our business quite a bit in a lot of
different areas.
You're not going to call in and talk to AI.
You're not going to have a chatbot with...
Now, some companies do, but you're not necessarily going to
have a chatbot and have an AI fix stuff for you, but and

(18:04):
there's all sorts of things available.
But we do use AI in a lot of different phases of our
business.
So it's out there, and it's being used, and it's very
helpful.
You still have to know how to use it, and you still need to
understand that you've got to check it.
Because, you know, I mean, there's talk about AI
hallucinations and all sorts of fun stuff.
So it's just like having somebody do some work for you

(18:26):
and checking it.
Same thing.

SPEAKER_02 (18:28):
I put a transcript through AI just yesterday,
actually, and I was asking you.
And I said, well, where did this come from in the transcript?
And it made up a timestamp and everything.
And I looked at the timestamp.
It made up a timestamp.
Yeah.
And even the content it was talking about, it didn't even
exist.

(18:49):
And I was like, oh.

SPEAKER_00 (18:51):
Hopefully you got something out of that Katie
Arrington session we just talked about.
It was very beneficial being there and listening to her as
always, as it always is, you know, Katie Arrington speaking.
But Austin, you actually attended the mock assessment
session.
So can you give us a peek behind the curtain on what really
happens when a CMMC assessor comes into the room?

SPEAKER_02 (19:15):
Yeah.
Yeah.
I found this rather enlightening.
I know at previous conferences, SEEK East and CIC Southwest, and
they've pretty much done a session like this at every one
of the CMMC conferences.
And it's usually at the end of the conference.
It's usually the very last session.
Yeah.
Half the people are gone and, you know, but I sat through it

(19:37):
this time and it's actually very enlightening.
And I found it because I have never sat through it before and
I don't have as many conversations with the assessors
as you do.
It was pretty enlightening on how they do.
And this is theoretical, but how they do an assessment.
It is... it's very enlightening.
Logical and very straightforward.

(19:57):
It's a matter of show me your SSP, basically, and then show me
your policy for this control.
How are you handling it?
Now show me the evidence for it, which typically they suggested
take form of a screenshot.
So basically, for every control and objective, if I'm getting

(20:20):
this right, you basically want to have... They recommended at
least a piece, at least one piece of evidence prepared.
So if you have like a multi-factor authentication
requirement and then you have your policy on how you're
handling it, you need to.
present the policy and that, and then show them through at least

(20:41):
a screenshot how you have it working.
And then they have the option, which you probably need to
assume that they'll take, which is to then go log into that
system and verify that it's actually working.
currently done, and then it'd probably be good to time stamp
that screenshot so that they know it's within a certain

(21:05):
amount of previous time, that it was recent, that you're not just
when we first set it up and, you know, it's a year and a half old.
So, and then that's just... then it repeats, it goes to the next
requirement, and then you show them your policy and the
evidence, and then, and then they'll go verify, you know, if
they need to. It's an option, right, to verify. They don't have

(21:26):
to

SPEAKER_00 (21:29):
verify it.
If you did a good job of creating a good SSP, you have
all your policies, you have your procedures, you have your proof,

(21:49):
and you did a good thorough job of it and a good thorough but
concise job of it, right?
So you don't want to make your– there's argument about this part
of it, but most people I've talked to said keep your SSP as
concise as possible, which may be 70 pages, but still.
Yeah.
Anyway, you don't necessarily want to have a 300-page SSP and

(22:13):
hand this book over to them and say, here's my SSP, and I'll get
ready for the policies.
But in any case, if you do a good job on your SSP, your
policies, your procedures, and the proof and everything, maybe
even have a good GRC tool that you're using to be able to hand
all this over to them, they will do some checking.
They will verify a lot of this stuff.

(22:35):
But then if everything's coming up good– it's probably going to
be a lot easier on you.
Whether you'll save money or not is– I'm not going to say you'll
save money, but you will save money in the form of time and
time for them to get through and say, yep, you're good, and we're
going to certify you at 110.

(22:56):
It's a good thing to have all that documentation ready to go,
have your proof ready to go, and be able to show them that you're
ready because that starts off on a really good foot with the
assessors.
If you show them half the stuff that they need and then they
have to ask for some of the others and it's not really that
what they need and all that kind of fun stuff.
It's not going to start off on as good a foot, and you can

(23:19):
pretty well bet it'll be a lot more of an exam for them trying
to figure out, make sure all the controls are met and everything.

SPEAKER_02 (23:31):
Much more intimate affair.
Yes, absolutely.
Not that CMMC is not expensive and time-consuming and
everything else, but the assessment process, you
know, uh, it can, especially the, you know, organization
seeking certification, can seem like, um, a very scary,

(23:51):
mysterious thing.
But if you sit through one of those mock assessment sessions,
you realize they come in, they look at your requirement and
then they looked at your policy and they look for the evidence
and that you just expect for that to be repeated for every
single requirement there is.
Uh, and if you prepare the body of evidence for it, um, then
you're good.
Uh, assuming that you did everything.

(24:14):
It's a big starting place.
I understand that, you know, but it's rather straightforward.
And then the other thing to note, and this is especially
for, you know, those aerospace manufacturers and small
businesses out there that are outsourcing their compliance and
cybersecurity and IT to MSP or somebody like us, is that you

(24:34):
really need to go through a coaching session with your ESP,
you know, your IT provider, because the way I understand
it is when the assessors are sitting across the table.
Yeah, you want your IT guy there, but your IT guy cannot
answer the questions.
Like they're asking you the questions and you need to have
an answer for it.

(24:54):
And if you don't have a sufficient answer for it, you're
leaning more on the fail side than you are on the pass side.
You can't just look over to IT guy every time and have him
answer it.
Because I understand that you're offlifting this burden from
yourself, but you said something earlier.
You can outsource the burden or the responsibility, but not
the...
What did you say?

SPEAKER_00 (25:14):
Accountability.
Accountability,

SPEAKER_02 (25:16):
yeah.
So they're expecting you to be educated enough on your own
policies and et cetera to be able to answer the questions.
And if you need to refer to the IT person at some point, then...
then that's fine, but you have to answer all the questions
first, which is probably a big ask for a lot of owners or
managers out there.

SPEAKER_00 (25:36):
It is a big ask, and really what that boils down to
is read your SSP, have a good SSP, and then read your SSP,
whether you created it or somebody created it for you, and
you should know that anyway.
Most of the clients we work with, we sit through so many

(25:56):
sessions going over all the policies, going over the SSP.
Here's your SSP.
Here's what it looks like.
And the point is you need to know all this stuff.
And maybe not all the details, remember it exactly, but you
need to, yes, whenever we log into a computer, we have to put
in a code.

(26:17):
What's that thing called?
Yeah, so that kind of stuff is fine.
And then you can say, hey, Austin, what was that called?
It's multi-factor authentication.
Oh, yeah, yeah, multi-factor authentication.
So that's okay, but you've got to show that you know what's
going on and you know what's implemented and that you're

(26:39):
using it and that it's a culture.
So you can have a good cybersecurity culture and not
know all the details of the exact culture tools that your
MSP puts in place, you know. Yeah, we have some sort of thing that
blocks programs whenever they run, you know, that's an
application whitelisting, you know, stuff like that.

SPEAKER_02 (27:00):
And that's why you can't just go on the internet
and buy a template, you'd be good, you know, that's your SSP, because
of that reason, right, because you have to, you really have to be
very familiar with it, and that's kind of tell you how the sausage
is made, that's how we go about our SSP. Thank you.

(27:35):
on the outset of when it's created of and it's in
completely in there. What we're there to advise and help them
develop what is, what will work or what is defensible or not in
front of an assessor whenever we create your SSP. Ultimately it's
in their hands, like this is how our process works, and they talk
amongst themselves, and then we develop an SSP out of that, and

(27:58):
so that's why we take that, that boot camp, you know, very
labor-intensive effort, because if you're just implementing,
implementing an off-the-shelf SSP template and you're not, you
know, you're modifying it heavily, then it's not going to
be sufficient.
All right, Brooke, let's shift gears a little bit from the big
picture and audits to day-to-day.

(28:19):
What stood out in the Creatures of Habit session and what are
smart teams actually doing to stay ready for compliance and
certification?

SPEAKER_00 (28:27):
Well, this is a great session.
It addressed a lot of the realities, a lot of things for
small, mid-sized teams, right?
And it really goes back to what Katie Arrington said.
You know, it's culture.
You've got to build this in.
It's got to be culture.

(28:47):
It's got to be something you do all the time.
It could be things like every Friday of every week, you go
through and you do log review.
Every month, you've got a reminder that pops up for you to
do the visitor log review.
Quarterly, you go through your SSP and POAM, if you have a

(29:08):
POAM.
And that should probably be more often than quarterly if you're
trying to wrap it up.
But especially... Mm-hmm.

(29:31):
a lot of the GRC tools, I would recommend highly using, I would
say this every single time, I think, almost as much as
documentation, documentation, documentation.
Oh, we got it in.
But, and it's all about documentation, but if you use a
GRC tool, and you should, most, not most, but a lot of those GRC

(29:54):
tools, you can assign responsibility, you can assign
reminders, and it'll shoot out a reminder and say, hey, you need
to follow up on this control.
It's time to review your security controls.
It's time to do your risk assessment.
You can have those kind of things pop up and remind you
that that needs to be done.

(30:18):
So a GRC tool is something to help you remember to do this on
an ongoing basis.
On Monday mornings, I come in and I have a list of business
things that I've got to do every Monday morning.
And I've got to block out that time so I can get it done.
But I have a reminder pop-up that says do this, this, this.
Otherwise, I get strung out doing 99 other things.
If you have those reminders, have something to help you make

(30:40):
this a culture, make it something that is just part of
your everyday life, that's the biggest thing is to make it a
culture, make it part of your everyday life, at least at work.
And have a tool to help you out, whether it's a GRC tool or SANA
or something like that.
Something like that will help make it– a culture for you?

SPEAKER_02 (31:02):
Yeah, just imagine, you know, we're all probably
used to paying our bills mostly on automatic withdraw, right?
But, you know, go back 15 years before that was widespread, you
had reminders, you know, and it might have just been getting the
bill in the mail.
But so there's trigger point, even outside of the compliance
thing, you know, like, we have scheduled tickets and stuff to

(31:25):
remind us to get our backup checks done, right?
I mean, so if you build... If you operationalize it, that's the
whole point.
Operationalize it, put it in a system, and then implement it.
then you're good.
It just gets done.
And then you have the body of evidence.
And that's why we like, you know, mentioned FutureFeed so
much is because it's, it's built so well, all those things are

(31:47):
built in and all the evidence for you doing those tasks is
already in the system.
And so whenever the time for assessment, then it's just
there, right?
Absolutely.
And so, you know, not trying to ask you to buy it from us, go
get it, you know, it's cost the same regardless, but it's a good
tool.
You should check it out because it has those things.

(32:08):
Okay.
Let's talk for I think the redheaded stepchild of CMMC
compliance, which I can say because I'm redheaded.
And it's one of those areas that, you know, even the primes
get tripped up with all their money and funding.
What came out of the Sequest session on flowdowns?

SPEAKER_00 (32:27):
Well, flowdowns is a big thing, and it's one of those
things that we know the primes are doing this because they're
requiring their subcontractors to be compliant, but their
subcontractors are not necessarily requiring their
subcontractors or vendors or outsourced people, however you
want to phrase it.
They're not requiring those people to be the same kind of

(32:51):
compliant they are.
And the short of it is that if you take any part of that CUI
and hand it off to somebody else to make a small part of whatever
widget you make, then that vendor, that person, that
company that is making that small part for that widget also

(33:12):
has to be compliant.
And it's up to you, since you're subcontracting, to make sure
that they are.
It doesn't mean you need to go assess them, but it does mean
that you, at the very least, need to have a questionnaire
where they sign their life away and sign in blood or whatever it
may be, that they are CMMC Level 2 compliant, right?

(33:33):
If you have to be Level 2 compliant.
Level 1, same thing.
When it comes time for you to get your CMMC Level 2
certification and you have that certification and you have to
have that to do business and you flow down, you know, same thing,
you, somebody's making a part for you, uh, and you have to give them
some of that CUI data to do that, uh, with, then they also have, they

(33:58):
have to have the same compliance you do. If you have to have a
Level 2 certification, they have to have a Level 2
certification. That simple. And, you know, people really want to
say, you know, well, you know, it's not really CUI, it's just a
little piece, and, you know, if it's not conscious, if it's not
off the shelf stuff, you know, like just a regular roll of

(34:19):
12-gauge copper wire.
If it's not something that's off the shelf and they don't know
what it's for, you're just ordering off-the-shelf stuff.
If it's not that and it's something special made in
accordance with this contract for the government, then it has
to be– they have to have the same level of compliance you do.

SPEAKER_02 (34:42):
It gets tricky because typically– you know, you may not be– the subcontractor may not be supplying, you know, like you said, it might be an off-the-shelf part.
But they're probably getting some other tangential information that's connected to that that now makes them have to be certified, you know, and compliant, as I was looking for.

(35:07):
Because we've got distributors that don't manufacture anything that are– you know, have to be.
Um, so if they have to be, you know, if you got anyone that's making parts there, you know, it's, I'm just saying it, uh, it's probably... you're probably an area that you're going to want to look at, because it's, even if people with off-the-shelf parts are having

(35:28):
to be compliant, you know, it's, it's probably more people than you're expecting of your subcontractors that, that you need, that you're responsible for.
And you probably need to look at it because of, like, we talked about the False Claims Act earlier, when, if you're familiar with the government at all, when they go to enforce something, they like a, take the, you know, take the book and throw it at

(35:52):
you approach and see what sticks.
They've decided they want to pursue you.
They're going to start with the False Claims Act, but they're also going to look at all these other pieces like, well, did you do the flowdown correctly?
Did you do this?
Did you do that?
So it's going to be one of those other pieces where they're going to try and get you, not to make the government sound like a boogeyman, but it's just how it operates.

(36:13):
You see in law enforcement investigations and stuff all the time how it operates.
So you want to make sure all your pieces are buttoned up so that way it's not a liability for you.

SPEAKER_00 (36:24):
This is all part of the process of being compliant.
And what I would also say is that if you're not currently doing anything to verify your subcontractors right now, start.
They don't want to be surprised with this any more than you want to be surprised by, you know, hey, guess what?
You have to be Level 2 certified tomorrow or else you don't, you know, we're going to kill this contract.

(36:46):
You know, you don't want that.
And they don't either, you know.
So start now with them.
Say, you know, you're making this part in accordance with this contract that we're performing for the federal government or for Lockheed that's performing for the federal government.
We have to be compliant.
Now you have to be compliant.
And you may be able to offer some help for them to be

(37:07):
compliant or offer a referral to say, hey, go talk to these people.
They can help.
They helped us or whatever it may be.

SPEAKER_02 (37:15):
It really benefits you to do this because giving them the longest head start you can protects you, because imagine now you're on a deadline and now you have to replace a subcontractor that has a specific part or deliverable for you.
And now you have to find someone that's going to– that is certified and is going to supply it at least at a similar cost.

(37:40):
And what if the cost is now higher, and now that messes up your margins of the contract, and now you have to perform– an unprofitable contract because, you know, now you had to scramble last minute to find a supplier that can check these boxes for you.
So it's as much your problem as it is theirs and

SPEAKER_00 (37:55):
probably more so your problem.
Katie Arrington also addressed this in her keynote.
She said that they're having to ask for some more money in their budget.
You wonder why, you know, defense budget is so big and this, that, and the other.
Well, look at all this compliance and look at all the complicated things they have to do or they require money contractors and subcontractors to do.

(38:16):
But where a lot of things are being cut, and Katie Arrington says, look, you want us to do something about this because you have to meet all these controls now.
And you've had to meet them since 2017.
But what they are doing is saying, look, we need some more money in our budget because we know that the price is going to

(38:38):
increase on a lot of these things because people are now actually having to go through this and actually having to do a certification and spend the money on this.
So the cost of these goods is going to go up.
And so they realize that.
They recognize that.
How much that'll actually mean to you, I don't really know.
They're at least recognizing the fact that they know it costs money and they know that compliance makes things more

(39:01):
expensive, but it also makes the supply chain safer.
All right, so Austin, this session had one of the most interesting titles of the whole conference: False Starts.
So what's the story there?

SPEAKER_02 (39:14):
It really all goes back to accountability and, like, templates in terms of compliance, right?
So accountability lies with the organization, not your contractors.
And it's going to be the company and the person signing all these papers and the contracts.
Right.
And so that was basically the core message of this. It kind of goes back to what we were saying earlier with the templates thing

(39:37):
and why just going, buying a template off the Internet is not good enough.
Right.
Right.
Or just listening to a podcast like this is not good enough.
Wait a minute.
Listening to our podcast is not enough?
Hopefully it's helpful.
And we try our best, you know, and what we're trying to do is demystify, put compliance in plain English.

(39:59):
We try to do that as much so that way we can give you a head start or a foundation to go do it yourself, right?
Right.
The problem is you still have to do it yourself, you know?
Yes.
And I think that's kind of the point, you know, so you can rely on third parties like us or everything else.
But at the end of the day, the accountability stays with you.
And that's kind of what the message was, and which is true.
Um, and we just said it earlier too, whenever you're going to be

(40:22):
getting assessed, you're the one answering the questions.
You can't just lean on your IT person, right?
Which is kind of unfortunate because you wish you could just pay someone to do it and take care of it for you.
Um, but that's not how the government set it up.
You know, uh, they can do most of it for you, but you're, you're still the, where the buck stops.
Right.
Um, and so, uh, you really need to make sure that your SSPs are

(40:44):
tied back to the controls themselves.
You can go read the paperwork or, if you have an ESP or MSP or IT guy like us, sit them down or on a Zoom call or whatever and walk through your SSP and make sure that these things are actually done.
I can't tell you how many times that we'll go in somewhere and

(41:04):
do an engagement where, you– Yeah.
because it uses TLS or something.
Well, and that's not what that means.
You have to send emails encrypted.

(41:25):
Just the fact that it uses encryption to communicate to the email server, and sorry for the technical stuff here, doesn't mean it's encrypted, right?
So anyway, there's a lot.
It matters who you pick as well in terms of who you're contracting these things out to, right?
So it just ultimately dials back to your due diligence on parties

(41:46):
that you're using to outsource some of these compliance responsibilities, or you might call them burdens too.
Um, and then, uh, realizing the fact that the accountability ultimately sits with you and, and you need to have, um, some sort of day-to-day driver, um, or, uh, you know, a stakeholding

(42:07):
in it, um, that, uh, you, you have some familiarity with, um, your compliance before the assessment comes around.
So, Brooke, you sat on a couple sessions that collectively had talked about the SRM-CRM, which most of us know is a shared responsibilities matrix.

(42:28):
Yes.
And then I won't get into explaining it.
I'll let you do that.
And then the CRM is the government newly coined term for it.
So it's the same thing.
SRM-CRM.

SPEAKER_00 (42:40):
Might as well change the acronym and make it really confusing.
Right.

UNKNOWN (42:42):
Yeah.
Yeah.
So and then, uh, another big takeaway you had mentioned was the FedRAMP equivalency and some guidelines or developments on that.
Can you share with us?
Sure.

SPEAKER_00 (42:54):
And this is something we brought up before.
If you use a cloud service, well, or file storage, something like that, we'll just say file storage.
If you use a cloud service for that and you put CUI in there, then it has to be FedRAMP authorized or equivalent.
So it's got to be FedRAMP authorized and be able to meet

(43:16):
some requirements in DFARS, or it has to be FedRAMP equivalent.

SPEAKER_02 (43:20):
For the authorized, that means they go through some sort of third-party process where they get something that says that they're authorized, and the equivalence means that they're going to be assessed the same time you are?

SPEAKER_00 (43:31):
No.
No?
That's not actually it.
So you'll have a third party come in either way and assess you.
But if you're a FedRAMP authorized, you'll show up on the FedRAMP marketplace.
Okay.
And it's... a longer process, but from what I've heard, the equivalency is

(43:51):
ostensibly a more difficult process, more involved process.
That's just what I've heard.
But the equivalency can happen faster.
So that's why a lot of companies are choosing to do equivalency and not necessarily authorized.
Or maybe equivalency, get it done right now, and then work on their authorization.
And also for authorization, you have to have a federal entity

(44:14):
that's willing to sponsor you.
So maybe they don't have that yet, or maybe they're working on doing that.
But equivalency, you can get a 3PAO to come assess you, say you're good, and what you'll need– and once somebody can say they're FedRAMP equivalent, that's great.

(44:35):
But what do you have to prove it?
So it means something very specific with the federal government, and they've outlined that.
So you will get a SAR, security assessment report, I believe is what that is.
But you'll get an SAR that– the CSP who got their FedRAMP

(44:56):
equivalency will have that SAR, and they'll have a body of evidence also.
And then they'll, of course, have the CRM, which is the new acronym for SRM.
CRM is Customer Responsibility Matrix.
SRM is Shared Responsibility Matrix.
That one makes more sense to me, but what do I know?

(45:17):
So it's a CRM.
So you really need all three of those for the assessment to say, here's the service that we use that's FedRAMP equivalent, and here's my documentation for it.
The problem with equivalency is that assessor will have to go through that stuff and actually review it.
So it takes a little bit more time than it does a federally

(45:39):
authorized provider.
In reality, they'll probably review the SAR and probably not so much the body of evidence because it's a whole jumble of stuff that's hard to go through.
But those are the things you need if you, if you use a FedRAMP equivalent service, and you need to remember that.

(46:00):
You can't just use it and assume you'll be able to get that off the cuff really quick.
So you need to prepare and make sure you have that ready.

SPEAKER_02 (46:08):
So when you're interviewing, say, a file share, file storage provider, then you need to ask them, can you provide a SAR, a CRM or SRM, and a body of evidence?
And then that will tell you whether or not you can use them for that.
Yes.

SPEAKER_00 (46:26):
Absolutely.
One of the other things that was in one of the sessions that I was in, really it was about building out a CRM slash SRM.
It was about building one of those out.
But their point was something we brought up several times.
You can flow down the responsibility line.

(46:46):
from, you know, say we perform a service for you, you can flow down that responsibility to the OSC or OSA, whichever, but anyway, that responsibility can flow down to them, but not the accountability.
Whoever that is that is going to be assessed still is

(47:09):
accountable.
It's not the service provider that's accountable.
They may be responsible for a control or an assessment objective, really.
They may have some responsibility for that, but they're not accountable.
That OSC is the organization seeking certification.
So that OSC.

(47:30):
It's

SPEAKER_02 (47:30):
most likely

SPEAKER_00 (47:31):
you.
Yes.
Yes.
That OSC is the one that is accountable.
And if one of those items are not inherited or they think one is inherited and it's not, and then they're not covered for it, then in the end, it's not the service provider who gets in trouble for that or faces backlash from the assessor.

(47:52):
They may face backlash from you.
But they don't face backlashes.
They don't have anything to do.
The C3PAO doesn't care about whose fault it is.
They're holding the OSC accountable.

SPEAKER_02 (48:03):
Yeah.
In terms of certification, it's all on you.
What happens after that is what happens after that.
Yes, absolutely.
Sounds like to me– in terms of just kind of distilling this down into some action items for the listeners, is that you really need to revisit your SSP and your POAM or any other

(48:24):
documents and policies you have.
And don't just rely on your... your preconception or memory of it, you need to go visit those actual documents and try and map it to the controls and see whether it reflects your current environment.
And if it doesn't, if an assessor walked in tomorrow,

(48:45):
what would happen?
And so you should ask yourself.

SPEAKER_00 (48:49):
And I would say really, not just the controls, but you need to map it to the assessment objective level.

SPEAKER_02 (48:55):
Right.
Second, I would say that you need to put some, start with at least a quarterly review, um, for compliance and then kind of add on from there, um, and invite more people than yourself, you know, um, all your stakeholders, um, that are going to be touching compliance, at least one decision maker, 'cause

(49:15):
it's going to be on them, you know, um, uh, and, uh, and start getting some things on the calendar so you can start reviewing this, uh, on a regular basis.
Absolutely.
Um, third, like you said, you really need to go reanalyze your subcontractor relationships.
Dig into the information you send them and what kind of

(49:41):
relationship you have with them, who touches CUI, who is subject to the flowdown rule.

SPEAKER_00 (49:49):
Analyze that.
Anything else you've got?
No, just remember who's accountable.
I guess that would be yes.
And remember who's accountable.
It is the OSC.
It is not the service provider.
If you have somebody helping you.
Now, you would hold that service provider accountable for what they say they're doing.
Right.
But there should be a CRM or SRM that makes that pretty clear.

(50:10):
It should be spelled out really well.
You know, a CRM or SRM that's color-coded is great, you know, to kind of a quick view at it.
But really it should probably be fleshed out a little more than that than just being color-coded, because a lot of that color-coding is my responsibility, your

(50:31):
responsibility, or shared.
That's as far as it goes.
For color coding, you've got three colors, basically.
And that doesn't tell you just a whole lot.
But if it's fleshed out a little more than that, you can tell who has to define this and who has to implement this and what the shared may mean, for

SPEAKER_02 (50:50):
instance.
Yeah.
So if your subcontractors or providers or technology team can't confidently answer some of these questions that we've posed here today, then you might want to take a closer look.

SPEAKER_00 (51:03):
Yeah.
Yes.

SPEAKER_02 (51:04):
All right.
Thank you guys for joining us.
If you have any questions about what we covered, please reach out to us.
We're here to help fast track your compliance journey.
Text, email, or call in your questions.
We'll answer them for free here on the podcast.
You can find our contact information at cmmccomplianceguide.com.
Stay tuned for our next episode.

(51:24):
Until then, stay compliant and stay secure.
Like, subscribe, or share.