July 25, 2024 • 18 mins

Are you new to an organization and the CMMC burden falls on you? Or is CMMC being prioritized again? Or are you focusing on CMMC for the very first time? Regardless of your answer, this podcast is for you. If you miss some of the core aspects of CMMC early on, the price to pay later can be damaging. Special guest Regan Edens of the CMMC Industry Standards Council and DTC Global joins host Derek White to discuss what OSCs should think about on the front end of their CMMC journey.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Quick 10 Podcast brought to you by Cuick Trac, focusing on all things

(00:07):
FedCon and cyber defense from different perspectives and different personalities, all in 10-ish
minutes. Here's your host, Derek White.
All right. Welcome back to another episode of the Quick 10 Podcast. I am your host, Derek

(00:27):
White, Chief Product Officer here at Cuick Trac in Beryllium. My guest today is none
other than Regan Edens, who is the Chairman of the CMMC Industry Standards
Council and Key Compliance Officer at DTC Global. And Regan, how are you doing today?

(00:48):
I'm doing great, Derek. Thanks for having me.
Yeah, you bet. You know, it's been many, many years since we first originally met and the
previous episodes we've had here, you know, it's been kind of fun to go through some of
these relationships and conversations that sadly hasn't really gone on a long time. But

(01:08):
to see where things are at now and to see where things are going, thank you for being
on and touching on what's going to be a pretty sensitive topic, I think, to a lot of those
that are listening or watching. And we're going to talk about what it means currently
here as we hit the midway point of 2024 on starting or restarting your CMMC program.

(01:31):
So we know some things happen at the end of the year. We've had some things happen this
year. We've got things that we're speculating that will happen as the rest of the year goes
on before CMMC is something that can be in a requirement in a contract.
So the question to get right into it today is the scenario of we're talking to an organization

(01:54):
right now. Okay. I'll say our audience is in a scenario where CMMC has been prioritized
off and on. Sure. This organization has DFAR 7012. So this is not a new thing to them.
This is something they have to be doing. They are required to be doing. But maybe the organization

(02:15):
lost somebody, they left, and now somebody is there to pick up the pieces. And maybe
that organization hasn't been left in the best scenario. Or maybe leadership has put
it back on the radar after having it sit still waiting for things to be more formalized.
So it's back on the radar. Where are you advising and telling this organization to start today?

(02:42):
Well, that's actually pretty common. And let's start at the beginning. Right? So the organization
has current requirements right now. So we know that the DFARS 252.204-7012 clause is
in their contract. That means that there are related clauses, the 7019 and 7020. So

(03:06):
likely they have to meet the 7012 requirements. They have to testify to those requirements
and have an updated SPRS score and have that score for them to be eligible for either the
current prime contracts or their current subcontracts. So laying that foundation is really important
because what that does is that says, yeah, we've got a sense of urgency and priority

(03:28):
for CMMC. But reality is that we've sort of been juggling or maybe dropped the ball with
the DFAR 7012 requirements right now. Right? So now we've got really equal footing, which
is we got to own our current liabilities and risks, and we've got to really get position
and focus to be able to meet this impending timeline and deadline that we're going to

(03:53):
see emerge underneath in 2025. So let's take a very close look at what are our requirements
as they are right now, not CMMC, just the DFAR requirements right now.
Yeah.
So we have to have an updated system security plan. And that system security plan has to
be updated annually. That's DOD policy. Right? We have to have conducted our risk assessments

(04:16):
and our security assessments as prerequisites to updating that plan. Okay? And documented
that by the way, even though the NIST standard 171 says, you know, you don't necessarily
have to document it, but we know that for the SPRS score, it requires adequate and sufficient
evidence to justify the score. Right? So for every point value that we have, assuming that

(04:40):
folks in the audience, probably a mixed audience, some of them may know what SPRS is and some
of them may not. But SPRS is a point-based system used to evaluate your current readiness
and compliance with the DFAR 7012. For every single point value, that has to be justified
with adequate and sufficient evidence. If we don't have the evidence and it's not adequate

(05:02):
and sufficient, then we shouldn't be giving ourselves credit for that score.
So now we understand that not only do we have to meet these current requirements, but
we have to have the appropriate documentation in place, very detailed, in order to sustain
and support the current eligibility requirements. So, you know, oftentimes, the very first questions

(05:27):
that I ask is, all right, when was the last time that whoever's in charge now took a look
at the system security plan? When was the last time that they conducted their risk assessment
or their security assessment? DTC Global will call them RSA, right? You know, combined together.
So when did we do that last? And, you know, many people call that a gap analysis, but

(05:47):
in my humble opinion, that's not enough because we're looking at gaps, we're looking at non-conformities,
and we're also looking at areas of conformity, right? So we just don't want to understand
where our gaps are. We have to understand where we're not compliant and we thought we
were compliant. And we also have to understand the areas that we really need to address in

(06:09):
order to have adequate and sufficient evidence to sustain the score we give ourselves. So,
that foundation, that foundation sort of lays the groundwork for where are we now? Who's
been involved? Who's in charge, right? Do we have advocacy at the senior executive level?
Do we have participation led by the IT team? Do we have participation led by our CUI stakeholders?

(06:34):
That's what I call those folks who send and receive and develop CUI in performance of
their contract, right? Do they even know that they develop CUI or likely, very likely in
a manufacturing environment, that they develop CUI in performance of their contract? So,
do we have folks like Quality involved? Do we have folks, do we currently produce or

(06:58):
handle export controlled information? So, the next real step on that process is who
are our stakeholders and then begin that CUI discovery process? Are they aware of the types
and categories of CUI that they actually receive and develop in performance of their contracts?

(07:19):
So, very likely, it's going to be controlled technical information and export controlled
information. And do we have any in-house expertise about those two different types of information?
Because yes, they are very similar, but they're very, very important differences according
to DOD policy. So, now we establish the fact that we need some stakeholders on the business
side. This isn't an IT project. And if we leave it to the IT folks, we're absolutely

(07:43):
going to fail. So, there's no way to survive a US government audit or an audit by a prime
contractor if we leave it to the IT people, right?
Yeah. And that's not a knock on the IT side either. It's that this is an IT and security
working together problem, right? That's what the requirements say. And I think the scenario

(08:06):
that we're talking about here, and then I'll let you obviously finish here, is you've seen
a lot of this in the last two years where it was an IT project and that person or people
don't work there anymore. And it's not necessarily because they were told to leave. They were,
I think, personally, I think we see this, like they can see that this is going to be
a tough to not get buy-in from leadership and try to have a successful outcome here.

(08:30):
And they've gone somewhere else, right? And now because they put it on one person, that
person's not there anymore. The new person who comes in is looking at a mess. Like, how
do I make something of this? So, yes, I think that's a huge point when it comes to passing
an assessment is a totally different scenario than getting something put together to then
run an assessment. So, sorry, keep going.

(08:50):
No, no, no. I mean, you're spot on, Derek. Remember that my responsibilities as an IT
person are to provide the infrastructure and the resources for a business to run on the
IT side, right? And to provide security for those requirements and provide compliance
for the things that I'm responsible for. And if I switch hats, who's responsible for the

(09:15):
actual information? Because as the IT guy, I'm not responsible for the information. I'll
defend or I will make compliant whatever the information is, but I don't know where the
information is. I don't develop the information. I don't receive the information. So, the IT
stakeholders have, in my mind, actually the greatest responsibility because they're a

(09:39):
living breathing thing that's taking place during the performance of the contract. And
oftentimes the IT teams don't know that much about the actual contract performance and
what's taking place.
Yeah.
You've got this harmonious relationship between the IT infrastructure and what happens, Derek,
if we outsource part of that, right? Do they know what responsibilities are on their plate?

(10:05):
Do they know what the expectations are? Do they know that compliance is coming for those
outside services, the external service providers that we may outsource to? What happens
if we, you know, we may be a medium or small size ship, but what happens if we have a mothership?
Does the mothership know that they might be involved, depending upon the shared services,

(10:27):
involved in actually being compliant, being required to be compliant? So, we've got these
real challenges about, that are happening on both sides of the fence. The most important
control of all the controls is 3.1.3, which is, how do we control the flow of CUI? At
the end of the day, every single one of the controls and safeguarding requirements is

(10:50):
about the protection and the confidentiality of CUI. So, where does that CUI flow, wherever
it goes, inside of our business process and wherever it goes, inside the IT infrastructure
that supports that business process, in order to deliver the products and services that
we're contracted to do. So, we have to be able to have situational awareness and knowledge
that controlling the flow of CUI is a bifurcated process. You've got one side of the fence,

(11:15):
you've got the business process stakeholders. The other side of the fence, you've got your
folks out there who are providing the IT infrastructure or coordinating those services, right?
So, now that we laid that foundation, that I'm not just the IT person sitting inside
of my cube, wondering, how am I going to possibly get all this done, when I'm frustrated or

(11:36):
that I don't really understand the requirements very well and I don't understand what CUI
is and I really don't understand how these requirements really apply, in terms of the
management, operational and maybe some of the technical controls, yes, but the management
and operational controls that are going to take place, again, beyond my area of responsibility,
beyond my area of accountability. Now, I can't hold, you know, I don't have the power to

(11:59):
hold people accountable. And so, I need that senior executive buy-in. So, that sort of
foundational reset is really, really important, in order to make progress. Because what's
going to end up happening is, if I'm the IT person and I open up the good book, NIST 800-171

(12:20):
and I started Access Control, I'm going to realize that I'm going to get three-fourths
the way through the controls, I'm going to get into configuration management. I'm going
to get into controls like 3.4.6, 3.4.7, 3.13.1. And I'm going to realize that there are parts
of the company that I thought were going to be in scope, that are not allowed to be in

(12:41):
scope because they're not essential capabilities. And we've got the split environment that we
do. We don't do all military stuff. We do about 20 or 30% of our stuff is military or
DoD stuff. So, we've got 70% of our work is not even, is not, has no relationship to the
DoD work at all. So, now, how do I manage those resources and that IT flow and the challenges

(13:09):
regarding scoping and regarding isolation and regarding essential capabilities and central
programs and essential services? How do I manage that when I'm three-fourths the way
through the book and then I discover that I've got to, and I don't know anything about
the essential capabilities, what does it take to execute the contract? Well, I mean, I've
got some idea, but I don't know everything. So, now, I have to three-fourths the way through

(13:31):
the book. I've got to stop if I realize where I've gone wrong. Then, I've got to find my
IT stakeholder, my CUI stakeholder, and find out what is it that they need to do their
job. And now, I have to undo all the previous work that I just did because now, I realize
that there's these other responsibilities that we have to incorporate of people I don't

(13:51):
control. So, having that reset and understanding the fact that the requirements, number one,
should not be implemented. This is not a romance novel. We're not starting at page one of
NIST 800-171 and reading it from front cover to back cover, right?
Yep. Spoiler alert, the good stuff is the middle
towards the back, right? That's the stuff that the IT people should be aware about because

(14:15):
that sets the boundary of the environment along with the scoping guide.
Yeah. Scoping guide, Regan, what's that, right?
What are these other resources that I need? So, now, I have to realize as an IT person
that not only do I need the NIST 800-171, Revision 2 is a primary resource, but
I also need these additional resources that I may have, if I was there previously, in

(14:42):
the previous years, I may have thought that the CMMC assessment guide or something like
that was the Bible and that I was going to use that as my primary reference. And of course,
we know, you and I both know that that was never true, but we're thankful that the rule
actually caught up with it, right? Yeah.
And so, we know that those changes are important and we got to be aware of those changes.

(15:04):
Yeah. And we're going to have to wrap up here because that's all. So, first off, yes, thank
you for walking through that because we've seen way more conversations as I'm sure you
have to in the last six months of I need help. I got to figure out where to start. And I
will say from our lens and what we've seen because you can't be required to be CMMC certified

(15:25):
yet. So, what seems to be working really well is for these individuals or these teams who
are trying to clean up a mess is that when they develop a really strong plan of how they're
going to do it, that gets accepted, builds a lot of confidence with their mothership,
if you will, or somebody, right? To buy in leadership is, hey, you know what? I wasn't
here. To your point on responsibility, this is where we're at. This is a moment in time

(15:48):
assessment which they're required to do. This is where we are short, but here is what we
are capable of doing and here is what we're not. So, we're going to allocate these resources
to these, right? And like build an actual plan, like you said, rather than read the
book from the beginning and then get three quarters of the way through the book. And
now someone says, well, show me your plan. Like, how are you actually going to get there
by then? So, I don't really know. We're just trying to figure it out. So, I think that's

(16:11):
a really good topic point. Again, we've talked about this on the previous episodes. We're
going to revisit these topics and we'll call it six months or so once the rule is in place
and things are starting to happen and there's more feedback from whether it's DOD or assessors
or whoever on how it's going. I think topics like this are going to be very, very important

(16:32):
for people to do something, right? Get in there and start doing what you can. So, last
thing for you.
Derek, I just wanted to summarize. The theme of what I just talked about over the short
few minutes is that the IT team needs to discover what they don't know.
Yes.
Right? And by discovering what they don't know, they're going to find out that they

(16:53):
cannot do it alone and they really need to buckle down. And it is a team effort, as you
just said, Derek.
Well, where can people go to talk to Regan and his team for help?
Sure. So, you can reach out to us at DTCGlobal.us, okay? And there's another DTC Global out there,

(17:17):
I guess, in Florida or whatnot, but they do IT support. You can also reach out to the
CMMC Industry Standards Council and we established that as a mechanism for good folks out there
who are anxious and worried about discovering what they don't know, right? You've participated
in this for many years now, Derek, you and Eric both, along with other folks from Cuick

(17:41):
Trac, Brooke, and so on and so forth. And reach out to us in the CMMC Industry Standards
Council and submit the questions and we'll make sure that you get the answers that you
can depend on with reliable and consistent information that's really consistent with
the standard and give you the guidance and direction that you need.

(18:02):
Perfect. Love it. Thank you, Regan. Appreciate you having time on. I know it's hard to get
through some of these topics in 10-ish minutes, but when they're relevant topics, we need
to get through them and give people a real good lens. So, thanks for those for listening.
And if you want to subscribe on YouTube or go to your favorite podcast platform and follow
along for past episodes and future episodes, you know the drill. Thank you again, Regan,

(18:26):
for joining us and we'll talk to you next time. Absolutely. Look forward to it, Derek.
Take care. Thank you for listening to this episode and
make sure to subscribe to the Quick 10 Podcast wherever you get your podcasts and check us
out on YouTube as well. For more information about Cuick Trac, visit our website at www.cuicktrac.com.

(18:50):
That's C-U-I-C-K-T-R-A-C dot com.