Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
Hey there, welcome to the CMMC Compliance Guide podcast.
I'm Austin.
And I'm Brooke.
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance.
We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free.
So if you want to tackle it yourself, you're equipped to do
(00:22):
so.
Let's dive into today's episode and keep your business on track.
Today, we're breaking down the key takeaways from the June 2024
So if you missed it, no worries.
Brooke is going to walk us through the highlights and what they mean for your compliance journey.
Let's start with the leadership changes.
Who is the new Undersecretary and how does that impact the
(00:44):
Title 48 rulemaking process?
SPEAKER_03 (00:48):
The Honorable Michael P. Duffy was recently confirmed by the Senate as the new Undersecretary of Defense for Acquisition and Sustainment.
He brings experience from both the Department of Defense and the Office of Management and Budget, which is especially relevant since he will now be overseeing CMMC Title 48 rulemaking.
The Cyber AB mentioned that they're hopeful we'll see the
(01:11):
Title 48 rule later this year.
SPEAKER_00 (01:13):
Hey everyone, this is Stacey with Justice IT Consulting jumping in real quick with some breaking news that dropped while we were recording this episode.
The 48 CFR structure has officially been released.
This went live in the eCFR and it confirms exactly what you've been preparing for.
Starting October 1st, the 48 CFR rule is on track to become a
(01:34):
standard requirement in nearly all DoD contracts.
So while the 48 CFR rule itself is still under review with OMB, the structure is now officially visible and the writing is on the wall.
CMMC enforcement is coming and is coming fast.
I'll be linking in the description below where you can view that 48 CFR rule structure.
(01:56):
All right, let's get back to the episode where we left off with Brooke.
SPEAKER_03 (02:01):
Fingers crossed, October, but who knows?
So we thought it was going to be then the Q1, then maybe in Q2 sometime.
And so now, you know, we're looking at October.
So he was actually confirmed by the Senate.
So we've...
He's in there.
He's been in the mix, and he understands and he knows.
And so we've got a champion to push that rule through.
(02:22):
It's not just the DOD CIO, acting CIO, Katie Arrington by herself.
Of course, I guess it never was.
There's a whole team there.
But we've got somebody that can actually push that through.
So hopefully we'll see that Title 48 rule, the 48 CFR, come through.
October-ish, maybe.
(02:43):
So, cross our fingers.
And of course, you know, when that 48 CFR comes through, that's a...
That's a very important milestone because that'll kick off the process of the CMMC being required on contracts.
And then, of course, there's four phases of it.
So that's very important.
Katie Arrington has talked about how important that is to get
(03:04):
that through the goalposts and everything.
So I think this is a good sign that this is going to really start moving forward.
SPEAKER_01 (03:12):
There were a lot of questions around how service providers kind of played into the assessment process for CMMC assessments. Can you help us understand the answers to those questions, how that kind of clarified?
SPEAKER_03 (03:23):
Just so you know, there are ESPs, external service providers.
We are an external service provider, an ESP, but we're also an MSP, a managed service provider.
All the acronyms.
To make it more confusing.
The CMMC doesn't specifically call out MSPs, but I don't want
(03:45):
to get confused there.
But ESPs are divided into two very broad categories.
One is CSPs.
It can be an ESP that's a CSP, and a CSP is a cloud service provider.
That's going to be like Microsoft 365, any place that you might store your files in the cloud, Box for Government or
(04:09):
PreVeil maybe or something like that.
So those will be CSPs.
And then there are ESPs that are not CSPs.
I guess that's what they call them.
So that means everybody else but CSPs, right?
So an ESP that's not a CSP, external service provider, but you don't provide cloud services directly.
You may help clients get those CSPs or something like that, but
(04:33):
you don't provide– you're not a CSP yourself.
You're not providing cloud email or cloud file storage.
You could be, I guess, but then you would be a cloud service provider.
Right.
But if you're an ESP, not a CSP.
SPEAKER_01 (04:47):
And the distinction there probably could be defined by a cloud service provider is– something that you could go source yourself, like go interact with a web page, spin up, like, for example, Microsoft 365 tenant or something environment.
That's kind of more in the CSP category and your ESP category
(05:10):
would be more like your consultant like us or IT guy who may leverage those services, but it is not directly providing them.
SPEAKER_03 (05:20):
Correct.
And if it's a service like Microsoft 365 that can expand and contract with your service or whatever, not that Microsoft will let you reduce licenses, by the way, but that's beside the point.
Theoretically.
Theoretically.
Those are cloud services.
(05:41):
Anything you get directly from a provider like us that's not hosted in the cloud, then that's going to be an ESP, not a CSP.
So those, ESPs not a CSP, are going to be assessed along with the organization seeking certifications.
They're going to, it's an OSC, they will be assessed along with
(06:04):
that OSC's environment for whatever security controls that fall in line.
So mostly it's going to be SPD, of course, security protection data.
So, and the security protection data is, are those security services that are protecting CUI assets.
The ESP, not a CSP's, environment will be assessed
(06:26):
along with that OSC's environment.
Every single time, if an MSP like us, a managed service provider, has 25 CMMC clients, we're going to have to go through that assessment.
We're going to go through that 25 times.
You have to make sure that you have all your documentation in line.
You have to make sure the ESP, not a CSP, has to make sure...
SPEAKER_01 (06:48):
You have to make sure your IT provider has their documentation.
SPEAKER_03 (06:51):
If you're an OSC, you have to make sure your IT provider has their documentation in line, has a shared responsibility matrix or what they're calling it now is a customer responsibility matrix.
So a CRM, to make sure you have that in place, that tells you what is by control whose responsibility that is, that each control is.
(07:12):
If you have it broken down by assessment objective, even better.
And the more, you know, you don't want to get too detailed in those and write whole books for each assessment objective, but some sort of explanation that tells what each party does, the OSC and the ESP not a CSP, so that the
(07:35):
assessor can understand what's going on, right? They have to be able to look at it and go, okay, yeah, that makes sense, I get it. You know, they can't look at it, go, what does this mean? You know, you can't write it so vaguely that they don't really, it doesn't make sense. If your ESP, your IT provider, is able to get a CMMC Level 2 certification.
(07:56):
There is nowhere that says it will make it any easier.
However, a lot of C3PAOs and assessors have said, yes, that'll make things easier because we have that Level 2 certification and we still want to see those documents, but it'll make the process a lot easier.
So there's that as well.
There's not very many that have it.
Just be aware that there's a backlog of people that are
(08:17):
trying to get through and get those certifications.
Okay, so in short, really, what they said was ESPs that are not a CSP are going to be assessed in the OSC scope of their environment as they fit in there.
And the short story about certification for the ESP, if
(08:38):
you have one, if your IT provider has one, it's likely that that will make things easier.
But they're not going to say it's going to make things easier, just so you know.
They're not saying, yes, I promise it'll make things easier.
But likely it'll make things easier.
SPEAKER_01 (08:52):
There's a lot of implications, no promises.
Right.
Kind of put in layman's terms there, if you have an IT provider, they're going to be assessed as part of your company.
Absolutely.
And then... if they have any tools that they use to fulfill their obligations to you, the organization that's trying to get certified,
(09:15):
organization seeking certification, then their tools will also be assessed as part of your assessment.
For example, if they had antivirus that they installed on your computers, not only you as the, say, manufacturer, aerospace manufacturer, you get assessed, as well as your IT
(09:36):
provider, as well as the tools they use, like antivirus, get assessed all at the same time.
SPEAKER_03 (09:43):
Yeah, the IT provider has to list all their tools out, what they use, and have the CRMs from each one of those.
Those CRMs then flow down to that database.
ESP, the IT provider, and then that then of course flows down to the company getting the certification, the OSC.
SPEAKER_01 (10:04):
And the fun part about that, from what I understand, correct me if I'm wrong, but once that's all done, if you change anything, like say your antivirus or your IT provider changes it, you're no longer in compliance.
You're no longer– you have to get essentially recertified.
SPEAKER_03 (10:22):
Yeah, it's a major change.
So I don't know that changing your antivirus necessarily is going to be a major change.
You're going to have to assess what a major change is.
If you buy a company and add it onto your– or merge them into your network, of course that's going to be a major change.
Yes, there will be– you have to kind of assess what a major
(10:42):
change is.
A major change is going to be, because they don't, they give some examples, but they don't spell it out.
So be careful.
And I can tell you that it's tough to get those CRMs that are good and legitimate from your vendors.
And so changing those tool sets, just out, change them out willy-nilly is probably not going to be part of the process.
(11:05):
And you're not going to want to just up and change out a bunch of things or even one or two things, really.
SPEAKER_01 (11:10):
Yeah.
So if you have an IT provider and you're, at some point in the future, going to get assessed.
You probably need to call them today and say, hey, for all this stuff you got installed on my computer, do you have a CRM for it?
Have you gotten a CRM from them?
And if they're like, not sure, or what's a CRM, then you might
(11:34):
want to investigate it.
I think it might be okay if your assessment... is out in the future and they say, no, we don't have it yet, but they're developing it or legal's working on it or something, that might be an acceptable answer.
But it needs to be on the roadmap soon, if not already, should be already done.
SPEAKER_03 (11:52):
What I can tell you is we waited and waited and waited for some of our vendors to have those CRMs or something to hand down to us to fulfill our requirements.
And they're just not moving fast enough, so we said adios, and we're going to go a different direction.
We had to do that.
(12:13):
We had to make the switch so we could get those compliance pieces in.
SPEAKER_01 (12:16):
Which is a very painful switch for your IT provider.
So to be quite honest, if it's not in the works right now, it's not something that you can just have them change a couple weeks before assessment or even a month before.
It takes a lot of planning in their business to do that because they're likely using the same vendors for all of their
(12:37):
customers, kind of like how Southwest used to fly one plane.
They're trying to get some efficiencies there, which is part of the business model.
So it really needs to be... on their roadmap and their vendors' roadmaps.
SPEAKER_03 (12:52):
It does.
It needs to be on that roadmap.
If it's not already in process and have a date, have a, you know, yes, this vendor is going to have it by Q4, you know, then, you know, they really need to have, because it's not easy to research and figure out what to use necessarily.
So that definitely does need to be in process and a forefront of
(13:13):
their mind of what they're going to do.
SPEAKER_01 (13:15):
Okay, so tell us, we talked about service providers, but another thing that's a frequent question or a frequent gotcha is kind of the CAGE code situation and how that plays into the assessment process.
Can you help us figure out what the clarity was around that?
SPEAKER_03 (13:32):
So you have to specify your CAGE code whenever you get assessed and for your system that is in scope, you have to specify your CAGE code or CAGE codes.
They have to be listed because that's how the government knows you is through your CAGE codes; that is basically what identifies you to the government.
But you have to have that because they have to be able to tie.
(13:52):
When everything's said and done, they have to be able to tie your score and tie your certification back to your company, back through all of their systems.
They upload it to a system called eMASS.
It's got to match in their SPRS system.
It's all got to match and they've got to be able to match it up somehow.
That CAGE code is very important.
That can derail or hold off an assessment.
(14:15):
So you need to be sure that your CAGE code is, that you've got your company name right, your address right, you know, all that kind of fun stuff.
And when you're assessed that you built your system on that CAGE code and the assessment is on that CAGE code, not a different CAGE code.
There were examples of people that had something, either used
(14:35):
the wrong CAGE, an old CAGE code, or a CAGE code with information that didn't match, like an address and stuff like that, and that held them up.
And so they couldn't finish their assessment.
SPEAKER_01 (14:46):
And it often presents an issue you see a lot when businesses are growing or there's private equity coming in, the typical playbook is to aggregate many books of business into one entity and get some cost efficiencies across the more or less what we call SG&A lines in our business, but just kind of your general and admin expenses.
(15:07):
So IT is generally considered that, accounting, yada, yada.
It just makes it a little more complex for CMMC because essentially your IT system needs to be separate for each different entity, each different CAGE. It's not the whole truth, but basically you're going to need to have an assessment for each of those different entities.
So you're not going to be able to share it in the exact same
(15:28):
way as you could other things because essentially what they're worried about is the data that you hold as part of your obligation of fulfilling the contract.
That's what they want to control, and it unfortunately traverses the entire IT system, and that's what they want.
SPEAKER_03 (15:45):
Yes, it absolutely is.
And that also brings up another point that I left out a second ago is that you get your contracts based on your CAGE code.
If you're doing business getting your CAGE code as company A and then company Z comes in, buys this company up, aggregates it all in with company B, C, D, and E, that's great and that's fine.
But are you still doing business under that original CAGE code or
(16:08):
are you doing business under a new CAGE code?
Or are you going to do business under a new entity and how are you being assessed?
What are you looking for?
So that CAGE code has to match.
If you're doing business under that CAGE code with that one company A, that's what you have to put in for your business systems.
That's what you have to be assessed on.
(16:29):
It all has to match up.
If a PE company comes and buys up a bunch of DOD manufacturers, that's fine.
And you can even share some systems as long as you do it properly.
It's got to be done properly.
But you can share some systems as long as it's done right, that's fine, but that CAGE code has to match.
SPEAKER_01 (16:50):
Right.
And you're not going to get a cost efficiency on the assessor because they're going to charge you separately each time.
SPEAKER_03 (17:00):
They will.
That's what we've been told.
So there may be assessors that are willing to give you a break if you say they're a cookie cutter, but I wouldn't promise that.
SPEAKER_01 (17:08):
There's a lot of talk around G-code or similar file formats, basically file or program that tells some piece of manufacturing equipment how to machine out, cut out, whatever, make a part, and the part being CUI.
Some people believe that the G-code or this file that is
(17:30):
telling the machine what to do is not CUI.
Some people believe that it is CUI.
We have our own beliefs on that front.
According to the town hall, what is the stance and what did they say about it?
SPEAKER_03 (17:44):
Well, first of all, that is a topic of debate quite a lot.
People say, it's just points.
You go to this point and do this, this point and do that.
It's not actually CUI.
Well, the long and short of it is, it is CUI.
So, but I saw, I mean, just yesterday, I saw people debating
(18:05):
this on Reddit, you know, oh, it's, you got to consider it CUI.
No, definitely it's not CUI.
You know, there's no way that's CUI.
Well, what I can tell you is that there are plenty of assessors that I've talked to.
Some of them have questioned, well, I'm not really sure, you know, and, but most of the assessors have said yes, if that G-code comes from something that you're doing to fulfill a
(18:29):
government contract, and if you're a subcontractor, you're still fulfilling that government contract because it's a contract with the prime that they have with the federal government.
So if it's something that you're making to fulfill that contract, unless you can 100% prove that there's no CUI in it and that
(18:50):
it's just off-the-shelf stuff, you know, it's going to be CUI.
And to point this out, this is what I've heard from many assessors, many C3PAOs.
I've sat and talked to Jim Goepel about it.
Great guy.
He's written a bunch of books about CUI and about CMMC and works for, I believe, still works with FutureFeed.
They actually, the Cyber AB had Jim Goepel on to explain this.
(19:13):
So if the Cyber AB has Jim Goepel on to explain why G-code is still CUI, I would think that they're saying that G-code is CUI.
You know, I don't think that's too far of a step.
You know, it's not a leap.
You know, they're linking it right there.
(19:34):
So anyway, and so he basically said, or he did say that G-code is CUI if it's, if it's created in relation to that contract being fulfilled for the government.
SPEAKER_01 (19:50):
And if you take the stance that we do, which is essentially let's take the– path of least resistance to certification, and that is we don't want to be arguing with the assessor too much on assessor day, then you're better off residing in the camp of G-code as CUI.
And you can have your philosophical debates, but
(20:10):
whenever it comes to real-world implementation, we think it's better to just move forward with the concept that it is.
And so we just don't worry about it after that.
It's protected.
SPEAKER_03 (20:22):
What I might say is that if you don't think it's CUI, then by all means, when you interview your C3PAOs, say, do you believe that G-code is CUI?
And you may have your answer there.
That's not really part of our questionnaire because we go ahead and say yes from everything we know and
(20:44):
understand, G-code is CUI.
So it's not part of our questionnaire.
But if you don't believe it's CUI, then by all means, ask that question in your C3PAO interview process.
Because you should be, unless you know some C3PAOs, you should be doing some sort of interview process before you
(21:05):
just pull the trigger and hire one.
SPEAKER_01 (21:08):
Yep.
Yeah, and truth be told, the real implication of whether you think G-code is CUI or not is really just... impacting of scope, right?
So at least for our manufacturers that are more small, medium business, typically what we do is we just
(21:30):
set them up with punch code USB drives.
And that more or less settles the, I mean, with a lot of other details there, but more or less settles the concern around G-code being CUI and just kind of solves that scoping problem, right?
So now if you've got more intricate systems.
(21:52):
Or you have like machine monitoring systems and some other things going on, maybe that's more of a concern for you, but for a lot of shops that is the easy answer and the easy solution to G-code being CUI from a scoping perspective.
SPEAKER_03 (22:09):
Assets on the floor, the CNC machines for instance, would be specialized assets because they're operational technology, and you just have to make sure that everything's documented, that you follow all the documentation rules. And then, as you said, one of the punch code things, so it's a, it's a, they're FIPS validated encryption USB sticks and you put in a code
(22:30):
on the stick itself and it decrypts it and it looks, and that's good because a lot of these machines are older and they're going to have a hard time reading some sort of encrypted drive or, you know, whatever. So having that, being able to plug in that USB, put in the code, and it looks just like any normal USB is a time saver and something where
(22:53):
you just don't have to worry about the encrypted drive being read.
SPEAKER_01 (22:56):
Okay, so if folks want to stay up to date and get more involved in the CMMC community, what upcoming events can they keep on their radar or put on their calendar?
SPEAKER_03 (23:05):
Well, first thing is the Cyber AB town halls really are good.
You can come here and listen to us, and we'll give you the lowdown on the town halls, absolutely 100%.
But you can also attend those town halls.
They're an hour.
They're once a month.
They're usually at 5 o'clock, 5 p.m.
Central time, I should say.
So anyway, they're at 5 p.m.
Central time, last an hour.
(23:27):
They have really good information, you know, like... Jim Goepel on.
They have some guests from time to time to explain some things.
And so you pretty well guess that the guests that they have on, they're going to be very knowledgeable.
And they're going to have, while the Cyber AB is not going to put
(23:48):
their stamp of approval directly on them, they're not going to have them on their town hall unless they approve of what they're saying.
SPEAKER_01 (23:55):
It's a real good way to understand which way the wind's blowing.
SPEAKER_03 (23:58):
Yes, it is.
Absolutely is.
There's also a... Carahsoft.
Carahsoft is a company that sells a lot of government and CMMC type solutions, software solutions.
So there's a lot of FedRAMP type software that you can, FedRAMP authorized software that you can get through them.
(24:20):
They're a great resource for that kind of fun stuff.
But they have a webinar series that runs, a virtual webinar series that runs from June 29th to the 31st.
And they say they'll feature speakers from across the ecosystem.
I have no doubt that that'll be a good one because Carahsoft is, we use them for some things and they're a good group of folks.
(24:40):
Then there's a National Cyber Summit happening September 23rd through the 25th in Huntsville, Alabama.
That's for great in-person networking.
And then there's a conference called CS5.
I'd say it's a brand new conference, but it's really not.
These conferences started off as CIC, CMMC Implementation Conferences.
Those folks partnered with Cyber AB.
(25:01):
They became CEIC, C-E-I-C, and now they've teamed up with the Cybersecurity CS2, I think, conference folks.
So now there's those three organizations together.
They've pooled their resources, and now it's going to be the CS5 conference.
So it's a new, instead of CIC East and CIC West, this is going to be the CS5.
It may be the CS5 East, maybe.
(25:23):
I don't know if they're going to call it CS5 East.
I'd have to go look and see, but I would imagine they would because they'll have a West Coast conference.
But the CS5 is scheduled for October 16th and 17th.
That's going to be in D.C. at National Harbor again.
That's a great one to go to if you're trying to figure out the whole CMMC thing, get a lot of information.
They have tons and tons of good information.
(25:45):
It's a really good one to go to.
So those are the main ones coming up that I would suggest.
And like I said, Cyber AB town halls are monthly.
So they happen every month.
Go on their website, look for the town hall link, and you'll see where you can sign up for those.
Or if you just want a shorter, quick and dirty update from the town halls, come to us and listen to us talk about it.
SPEAKER_01 (26:08):
Absolutely.
All right.
Based on everything shared in the town hall and what we talked about today, what is your advice for businesses trying to stay ahead of CMMC requirements?
What is the takeaway for today's episode?
SPEAKER_03 (26:24):
So really, the biggest advice is that October is just really around the corner.
I mean, it's already July.
It seems like just a couple of days ago it was January, right?
So, but October's coming up quick.
And if the 48 CFR or the Title 48, however you want to reference it is, if it's going to be actually.
If it's actually going to come out in October, that really is
(26:47):
just around the corner, and you really need to get ready for it.
Again, double-check your CAGE code.
Make sure that how you're doing business is how you're assessed, basically.
How you're doing business and getting those contracts.
What is your CAGE code?
Is it right?
Is all the correct information there?
Make sure that your IT providers, your other servers,
(27:08):
any other CSPs, make sure that you have all the documentation you need.
If they're FedRAMP, if you need to have that documentation for CSPs, if they're your IT provider or an ESP that's not a CSP, then you may need to make sure you have your CRMs.
SPEAKER_01 (27:23):
And if you're wondering, you know, if you talk to your IT guy or if you're needing to look for someone to help you on this, we're trying to put together a little checklist of sorts so that way people know the right questions to ask.
It's not done yet.
It's not available.
But if you watch this episode and you want it, just email us and we'll send you the draft.
(27:43):
as long as you be kind to us about the draft.
Right.
SPEAKER_03 (27:48):
Absolutely.
You know, and again, make sure that if you're not going to– make sure you have your G-code spelled out and you know how you're treating your G-code.
I'd say treat it as CUI because that's the lion's share of what everybody says.
You have to take some leaps of descriptions to, I guess anyway, to not call it CUI.
(28:10):
And have a good strong SSP.
Make sure it tells your story.
We've talked about this before.
Your SSP needs to tell your story.
SPEAKER_01 (28:15):
We did have a question.
I believe the question was from our scoping episode.
And the question was, can an SSP double as a policy?
SPEAKER_03 (28:26):
So that's a very good question.
I would suggest that it not double as a policy, that you use your SSP to tell your story and how you're doing things and keep it.
Even if you keep it pretty succinct, it's still going to be probably kind of long.
But if you start putting everything into your SSP, all
(28:47):
the little minute details of how everything is done and everything, your SSP is going to get very, very long, very complicated to read.
So what we suggest is having your SSP and then have it refer to– describes overview of how things are doing.
So how things are done.
(29:08):
So your assessor gets a good idea, right?
I mean, they just need to read through that and go, yeah, okay, I get it.
You know, these are how things laid out and this is, this is how they do all of them.
Now, what are the nitty-gritty details of how access control is implemented, right?
And that should be in your policies.
(29:28):
Can it be in your SSP?
Yeah, it can be in your SSP.
And I, I know, I've been at some conferences where people said, yeah, we just put it in our SSP and our SSP is 350 pages long.
I don't necessarily think that's the best way to do it.
The majority of assessors that I've talked to, SSP needs to tell
(29:49):
your story and refer to policies that give the nitty-gritty detail.
And if you have policies that, you know, a policy for each family, you can group those very easily into those families.
It works out very well that way.
So short answer is, yes, it could double as your policy, or you could put your policies all in your SSP.
(30:09):
I would suggest not doing that, though, and having a more concise SSP that tells your story with the policies.
Awesome.
I think I've said that like five times.
SPEAKER_01 (30:19):
So hopefully we answered that question for you.
If you see it and we didn't and you want more info on it, hit us up again, and we're happy to dive in more on it.
Just hit us with your follow-up questions.
Well, if you have questions about what we covered, please
(30:41):
reach out to us.
We're here to help fast-track your compliance journey.
Text, email, or call your questions.
We'll answer them for free here on the podcast like we just did.
And you can find our contact information at cmmccomplianceguide.com or simply leave a comment.
Stay tuned for our next episode.
Until then, stay compliant.
(31:01):
Stay secure and please subscribe.