Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:00):
Hey there, welcome to the CMMC Compliance Guide podcast. I'm Stacey.
Brooke (00:04):
And I'm Brooke.
Stacey (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.
Today we're tackling something a lot of companies get
(00:27):
dangerously wrong: marking requirements as not applicable. We're going to walk through why this can be a serious trap and how to avoid getting tripped up during an assessment. So, Brooke, why is not applicable such a dangerous designation to throw around in a CMMC assessment?
Brooke (00:43):
Not applicable is kind of a dangerous thing, because you have to be very careful and make sure it truly is not applicable. Because if it's not, then you can mark it down, but you need to explain it and tell why. And if the assessor looks at it and says, "I think you're off your rocker," then at that point there's a whole host of things
(01:04):
that could happen, depending on when that is, when they see that. You've got to be very careful to make sure that a control is truly not applicable.
Stacey (01:12):
Can you go into what are some of the most common ways companies incorrectly mark something as not applicable?
Brooke (01:19):
You know, some of the ways that people get this wrong, for instance, is like Wi-Fi. I don't know why, but people seem to have a misconception about Wi-Fi sometimes. Maybe all they have is guest Wi-Fi, and they say it's guest
(01:40):
Wi-Fi, and it's not applicable here. So really, truly, that would be out of scope, but you have to make sure that it truly is, because a lot of these companies you see that have a guest Wi-Fi network, it's actually on their regular LAN, so the regular corporate network. So there may be some protections added, but you've
(02:03):
got to be very, very careful with things like that.
You know, another thing is remote access. There's a whole host of ways to access your network remotely. And people have a tendency of forgetting, you know, "Oh, you mean Splashtop is part of that?" You know, yes, if you have Splashtop installed and you can access it remotely, which is what Splashtop is for, or
(02:25):
LogMeIn or any of those kinds of remote access programs, yes, those are in scope and would not be not applicable if they connect to your network where there's CUI and you haven't scoped out what they connect to.
Public access systems: you can't just say it's not applicable for public access systems.
(02:47):
For instance, if you have a website. If you don't have a website, absolutely, and you don't have anything else, maybe it is not applicable, but most people have websites these days, and you'd have to make sure that that is in scope. That's a public access system, and you have to make sure that
(03:09):
there's no CUI posted to it. You have to have some procedure around that so it's not applicable. I guess that makes it applicable.
And then mobile devices. You know, people are always wanting to say their mobile devices are not in scope or they're not applicable, you know, for some of the controls
(03:32):
that address mobile devices. Then you find out, you know, you get your email on those, and then you say that you can send secure emails out. You know, are you sure you can reach your OneDrive files that are in the GovCloud? Are you sure that phone's not in scope now, or are you sure it's not applicable? Because
(03:53):
most likely that's going to be applicable. That's a big sticking point as well, too.
Stacey (03:57):
We actually did a scoping episode together where we tackle talking about mobile devices. So if you're still a little confused about it, definitely check that out. We go a little bit deeper on all of those great scoping tips. Moving onward, how do assessors validate whether a not applicable claim is valid or not?
Okay.
Brooke (04:17):
Well, they look at your CUI data flow diagrams. Hopefully you have that. They look at your system security plan. They look at your network diagrams, what you've classified as in scope, what you've classified as out of scope, if it all makes sense and everything aligns properly. For instance, if you, you know, fill out a data flow diagram
(04:40):
and you say it comes into your server, but on your server there's no ACLs or anything that classify, for instance, CUI from anything else, then that's going to be a problem. So they look at your SSPs. They talk to your staff.
(05:01):
Part of this whole thing is interview questions. So they'll want to talk to some of your staff. They'll say, "Stacey, you know, can you access any of the client data? As a marketing person, can you access any of the client data?" "No, I can't." "Well, can you show me?" "Yeah, sure. Right here is the IT folder. Oh, I just got into it." And so then the assessor (excuse me, not
(05:25):
auditor), the assessor would say, "Oh, well, that may be an issue." So, you know, they interview staff. They, you know, look at all your proof, your network diagrams, like I said, all that kind of fun stuff, to kind of go through it and understand how everything is built out and make sure it all jibes and works together.
(05:48):
So if they discover something that you've defined as not applicable... I realize the example I used is probably not the best example, but the point still is valid. They can still interview staff, and if they discover that something you
(06:11):
marked is not applicable, then they can say, "Hey look, this is actually applicable here," and now this control is going to be scored as not met instead of not applicable.
Stacey (06:25):
Now that we've covered all the do-nots for marking as not applicable, when is it okay to mark a control as not applicable?
Brooke (06:33):
So it's only when the technology, the process, all the assessment objectives for that control, it's only when those are completely absent for that control that you can mark that as not applicable. You can't mark it as not applicable because it's too
(06:54):
expensive or too hard. So you've got to be very careful when you do that. And even if you do mark it as not applicable, you really have to define that and prove to the assessor, say, "This is not applicable, and this is why it's not applicable. And you can see this in my data flow diagram.
(07:15):
You can see this in our network diagrams. And this is why it's not applicable." And not only explain it, but make sure you include evidence, if there's any evidence you can include, for a not applicable. So that's not necessarily the same as proving a negative, but if there's any evidence that you can show to
(07:38):
say this is not applicable, then that evidence, anything to make sure that you can convince that assessor that it truly is not applicable. I guess what I'm trying to say is that should be a very high standard. So to say something's not applicable and just doesn't apply to me is not good enough.
(07:58):
The other thing you can do, and admittedly this is a lot harder, but if you want to classify a control as not applicable, you can get an exception from the DOD CIO. So I guess you could contact Katie Arrington's office, say, "Hey, this doesn't apply to us, and this is why, but I want a
(08:21):
formal exception from you so I can have that and show the assessor," if you want to be very comfortable with it. I'm sure there have probably been people that have asked for that, but I don't know of any particularly. And that would be a very tall bar, a very high bar to cross
(08:43):
for me to say, "Yeah, let's go to Katie Arrington and ask her in her office if we can be excepted from this." But you can. That is allowed for in CMMC and the NIST 800-171.
And I've just got a note here to remind me to remind you that cost and difficulty is not an excuse to classify
(09:07):
something as not applicable. You know, "That's going to cost twenty thousand dollars to fix that one." It doesn't matter. The way the DOD sees it is that you should have already had all this figured out by now, and the only cost you necessarily should be worrying about is the cost of assessment. The cost of meeting all the controls should already be done
(09:29):
and already be water under the bridge. Everybody already knows that and what they should be doing. I guess the only reason you might not know that is if you didn't have any contracts yet. But that's just the way the DOD sees it, that they already should have been done and met by now. And those costs to be compliant are sure to be sunk costs.
Stacey (09:50):
Let's talk about the big scary risk with not applicable: the legal risks that nobody's talking about. So what are those bigger risks that are beyond just failing your assessment?
Brooke (10:05):
Well, there's failing your assessment, but there's also the False Claims Act. It always comes in on something like this, if you knowingly said something was not applicable and you were just hoping to slide it under the radar or something like that. The False Claims Act always comes in, and then it turns into a legal risk.
(10:26):
There's all sorts of things that could happen. You could lose your contract, and that's bad enough. You could be fined. I know there's a couple of universities, somebody else, another company anyway, they've been fined millions of dollars because they just said, "Hey, all these don't apply to us."
(10:47):
And it wasn't true. And it was a blatantly false statement. Now, if it's just a screw-up and a disagreement with an assessor, that's, I would think, and this is not legal advice,
(11:07):
but I would think that that's a lot less likely to end up with the False Claims Act. But if it's something you just blatantly, you know, said these don't apply, and you made up some false information, or there was some information maybe that wasn't completely accurate, maybe you left out some things, you know. There is a sin of omission, crime of
(11:32):
omission, however you want to call it, whatever that is. So if you leave out some things, and if you would have put those things in it would be applicable, but when you leave those out, that is a sin of omission, and that can lead you to a False Claims Act. So the False Claims Act is a thing to stay way away from.
(11:55):
Steer way clear of that. So just be very careful. And, you know, the other thing to go along with the False Claims Act is there are whistleblower protections. So if you're not doing things properly and you're just trying to skirt by and see if you can get everything done properly, or done improperly, I guess, but anyway, you're trying to get
(12:17):
everything done. There are whistleblower protections. And if one of your employees decides that, you know, "Hey, I want no part of this because it's not right," they can go and turn you in. So it is a thing to be very careful of. And again, steer way clear of that. But there are whistleblower protections.
(12:37):
So it's not like you can skirt through and keep a short leash on all your employees to make sure they don't spill the beans.
Stacey (12:45):
Seems like the intention is very important when you're checking that off.
Brooke (12:50):
Yes. The intention is important. Where it would fall is anybody's guess, because it really will depend on the situation. I can't tell you that if it was just completely unintentional that it wouldn't end up there, but the likelihood is a lot less. If it's unintentional and purely a mistake, it probably
(13:14):
won't end up with the False Claims Act.
Stacey (13:16):
Now that we've covered all the big, scary legal risks, let's jump into how we can avoid all of those when we mark off as not applicable. So could you delve into maybe some tips and tricks and to-dos that our listeners can do to make sure they don't fall into that trap?
Brooke (13:36):
Sure. So, you know, the biggest thing is just assume all the controls apply to you. For instance, even if you don't have remote access: "We don't have remote access, but here's our policy in case we decide to turn this on. This is what we'll do." "I'm just a one-man shop, and I don't have any other employees,
(14:00):
but this is what I would do if I hire somebody else." That's an easy thing to do. So I'd be very, very judicious with the not applicable. For instance, if you're a one-man shop, there's a lot of this stuff where you can go, "I'm going to throw this out the door because most of that doesn't apply to me." It does, and just because you're a one-man shop doesn't
(14:25):
mean you don't need any cybersecurity training, even if you're a smart guy or a smart woman. So you need to really think about whether those controls don't apply to you. And so use NA very, very sparingly. Be very judicious with it. Make sure if you do use a not applicable,
(14:48):
make sure that it truly is, and make sure you have explained why it's not applicable. Make sure that you have evidence. Make sure that you have all your I's dotted and your T's crossed. So make sure that your eyes are not crossing and your T's dotted, I guess.
And, you know, if you're unsure, then ask for help.
(15:09):
You know, look for an RPO, look for a CCP or CCA or something like that, somebody that does implementation, and ask them for some help and some guidance. And if you're looking for a place to, you know, say, "I have no clue, I don't know anybody that's an implementer, I don't know any IT folks, I don't know anything like that," where you
(15:30):
would go is the CyberAB marketplace. And so you'd go to cyberab.org. That's cyberalphabravo.org. And you go there. I think the CMMC marketplace is over on the right-hand side. You click on that, and you can filter for RPOs. You can filter for CCAs and CCPs.
(15:51):
And then you can also filter, I think, for the area of the United States it's in. I don't remember off the top of my head. I think it's by state. But there's all sorts of stuff you can filter on and search for RPOs there.
Stacey (16:07):
If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure, and make sure to
(16:28):
subscribe.