CMMC Compliance Guide

How It All Began: The CMMC Compliance Guide Podcast Origin Story

CMMC Compliance Guide Episode 3


Submit any questions you would like answered on the podcast!

In this special episode, we take you behind the scenes to explore the origin story of the CMMC Compliance Guide Podcast. Join hosts Austin and Brooke Justice as they share how the podcast began, its mission to help defense contractors navigate the complexities of CMMC compliance, and what drives our passion for making the process hassle-free. Whether you’re new to CMMC or a seasoned professional, this episode offers insights into how we started and why we’re dedicated to supporting your compliance journey.

Key Takeaways:

  • Why we launched the CMMC Compliance Guide Podcast
  • The challenges that led to the podcast's creation
  • How our mission evolved to simplify CMMC compliance for defense contractors
  • What's next for the podcast and our community



Austin

Another week, another episode. It's Austin and Brooke here with the uh CMMC Compliance Guide Podcast. Brooke, have you ever wondered how in the heck I roped you into all this when you're not much of a limelight person?

Brooke

Well, just about every time we do one of these, uh, but I think that's about what we're fixed to talk about.

Austin

Yep, that's it. That's it. And let's address the uh the elephant in the room, how we're matching today. That was an accident. We didn't intend to do that, but here we are. We're just sticking with it. I just wanted to try out our new shirts. I did too, yeah. Great minds think alike, I guess, right? Absolutely. Oh man. Um, well, uh I was reading a book and um and it was addressing podcasts, and it said, hey, if you're starting a podcast, you should tell people how you started, because they're probably wondering that. So that's what we're doing. Origin story. Yeah, origin story. All right. So um it all started, and we kind of got a phone call from a local machine shop, and um they do pretty much exclusively aerospace stuff, right? You know I'm talking about um fighter jet parts and allegedly stuff like that. Um, and uh ended up changing the direction of our business. Um and that's how our journey to CMMC and NIST 800-171 uh compliance began.

Brooke

Absolutely.

Austin

So um I was knowing that, uh I was hoping you can kind of explain how cybersecurity compliance entered the d entered the DOD supply chain.

Brooke

Sure, sure. And I I wish I had a picture we could put back here, you know, with uh I have a presentation that shows these things. But um uh if you look at PV up exactly what it should have. So uh so if you look at our joint strike fighter, uh uh China, this is my favorite one to show, but anyway, there's more than this example. There are several examples, but uh if you look at our joint strike fighter, um China a few years ago released uh their new fighter that looked amazingly like our joint strike fighter. It's not a coincidence, isn't it? I wonder how that happened. So but you can you can look, they've got uh Humvee look alike, they've got uh uh some other several other things, right? And so um they didn't they didn't necessarily do this by breaking into any of the all the big guys. Not not that they haven't ever had any breaches or anything. I'm not saying that, but um it's they didn't just break into Lockheed Bell or whoever it might be. Uh really what they do is is uh they break into um you know mom what we call mom and pop or small small businesses, small and medium businesses who don't have as much resources to to uh spend on cybersecurity as the bigger guys do, right? And so they broke into their uh they gathered a bunch of their uh citizens up and said, hey, we've got this puzzle, we've got these little widgets that we need you to put together and see what we have. So uh so they did. So um but that's how it all started. Did Lockheed or excuse me, the government said, uh, you know, we've we've got to stop this because really what China just did, uh what China is doing is they are leapfrogging decades of R&D and billions and probably trillions of dollars in R&D to catch up with us. And we're just giving it to them in in a matter of speaking, but we're just giving it to them. So uh the DOD wants to stop that, and really it's for our safety and security, it's to protect our war fighters. It's you know, there's a lot of good reasons to do this.

Austin

And they're outsourcing their uh research and development to us.

Brooke

Yes, absolutely. Absolutely. Just get a few hackers together and uh you know you got your research and development done.

Austin

Right. Yeah, yeah. You didn't need to spend those billions and trillions of dollars, no.

Brooke

No, not at all.

Austin

Smart strategy. They're good at it. Yep, absolutely. So that goes for you know, really all the nation states. Yeah.

Brooke

China's just it's just so glaringly obvious with China, you know. Uh and it's and it's not just the DOD. It I mean, it is they steal all sorts of technology from us, and they have for a really long time. So anyway, that's why that's where this comes from and what the what the DOD is trying to protect.

Austin

Well, now that we are gonna put this on the internet, you can no longer go to China anymore. So I guess they got that off the I think I just got banned. Yep. So I wouldn't go. Um might not come back. Um so we we got that phone call uh from that aerospace machine shop and they found us uh via Google. Google. I've been having trouble talking all day, so I'm glad that today we're recording.

Brooke

Yeah, Gouda.

Austin

It is good uh on a burger. Um melt it over patty, but absolutely, but it is, it is. I'm good at those uh getting off topic. So anyway, we got that phone call. Uh they found us on the Google via Google. Yep is what I was trying to say. Um and uh basically it it came from you know their their buyer at Lockheed um is who they allegedly worked for. Uh and allegedly, yes. And uh I think maybe possibly maybe possibly. Um and uh it basically said that they needed to comply with NIST 800-171. Yes. Right. And so we didn't really fully understand what it was at the time. Uh I mean we're familiar with NIST. We were doing cybersecurity, that's how they found us actually, uh just searching cybersecurity and asked if we'd help, and we said we'll figure it out. So um that was back in 2017. Uh that's kind of when NIST 800-171 uh all started. It's not really when it started, but that's kind of when they were really pushing for it. So um can you explain kind of how we we uh took the time to research and figure out and and our partnership with Bo and and how all that went down?

Brooke

Uh sure, sure. So um as you said, we've always tried to lean real heavily into cybersecurity because frankly, uh there's there's a lot of risk there. And if we don't protect ourselves and protect our clients well, uh that that's that's risk for us, and their risk is also our risk. And uh as a as business owners, uh it's hard to just accept that risk and not do anything about it. And so uh we're able to sleep a little better at night when we when we provide better cybersecurity. So we already did that. And and uh so when we looked at NIST 800-171, uh we read through it and we were like there were a couple of onerous things in there, but you know, really we looked at it and thought, gosh, this is this is everything that we want all of our customers to have. This is our like our well, our full stack. Oops, sorry, uh my hand went off screen, I see. So uh anyway, this is our full stack uh uh in a matter of speaking in in our industry parlance, but uh what we want our all of our clients to have is what m it's what helps us sleep better at night, right? And uh because it keeps them safe, keeps us safe. So we we really kind of really realize that. Um so uh but we we did um we did also realize that a big part of that is is uh it's it's you know partly cybersecurity technology, uh, and and a lot of it is policy and procedures and and how you implement everything, right? And so we realized that. And uh being a person that uh you know I just like to get down to brass tacks and uh I like to get things done and be done with it. I don't like to write policies, I don't like, you know, all that kind of fun stuff, although I do a lot of that these days. But uh we partnered with uh we we knew a gentleman through some other contacts uh uh named Bo Birdwell and he commanded uh in his previous life.

Austin

Uh I realize I should have written all of this down so we didn't get it wrong.

Brooke

Um and I didn't. So Am I addressing another question ahead of time?

Austin

No, no. Uh I'm just realizing we may get his credentials wrong.

Brooke

Um I think there I think I've got him right. But anyway, I think believe he's a commander of a a cyber squadron. Uh all that is public information, so I'm not telling anything. I can't plus he he didn't tell us anything that he couldn't tell us. The stuff he could tell us was pretty cool, but anyway, he commanded a cyber squadron that did offensive-defensive uh capabilities for the United States. Um and he was he is very credentialed and very capable and and uh rose up through the ranks. Uh he did that in the Air Force. Uh just a awesome, awesome individual, and uh and just a great guy too. I love Bo to death. Um and so he uh he got out, went into the private sector, uh, worked for um a company, uh a large, large company, uh decided that uh he heard about this NIST 800-171 thing coming, and it was actually gonna start happening. And uh so he decided he wanted to start his own company, um, started it, and uh he was doing he was doing the implementation basically of uh or doing the policies and procedures, gaps analysis, all that kind of fun stuff, and then setting everybody up with a POAM basically for NIST 800-171. And uh so that's what we needed and what we wanted, and so we partnered with him, and we also helped him develop uh policies, you know, like you know, Bo, that's you're thinking along the lines of a 30,000-person company or you know, whatever it is. Let's bring this down a little bit and then and uh look at, you know, uh talk about small and medium business.

Austin

You know, how can we make this feasible for a machine shop? Yes. Exactly.

Brooke

You know, 50 employees or 50 employees, 100 employees, five employees. You know, how are you going to do this for those organizations?

Austin

You know, but also make the government happy.

Brooke

And also make the government happy, right? So there and there's a way to do that. But we discussed all this, talked about how you know how the policies should be and how you know what what to implement and all that kind of fun stuff. So uh I really enjoyed working with Bo and really enjoyed helping him get his company off the ground. Uh I don't know if if I'm jumping ahead or not, but uh we ended up at uh we ended up he he decided that starting a small business uh wasn't for him and uh he wanted to go back and work uh in the corporate world, uh which is understandable because running a small business and growing a small business is not the easiest thing in the world. So uh so he did for some crazy reason we want to do that. But um anyway, he decided he wanted to go back in the corporate world and we were able to uh basically purchase uh um come into a business deal with him to use the the the product and everything that he created, so um, so which we really appreciate. And so that's that's where we came in and uh we started doing the other part of that that I said we didn't like before. The other thing Bo helped me realize is that oh, this is doable and I can do it, and I can do it and and enjoy it, you know. So the uh so the gaps analysis, the SSP, the policies, the POAM, all that kind of fun stuff, you know, we do that all the time these days. So there's a very long-winded answer uh to that question. Hey, but it's the answer, isn't it? Yeah.

Austin

So I mean, yeah, that uh That's great, thank you. So I mean that's we basically after that went back to that um aerospace machine shop and um and they're still customer to this day and they are um and we took what we learned um with them and and now we're doing it um you know for for you know anyone in the DOD supply chain that that needs their their CMMC um not done for them because we can't do everything for them but done with them. Right. Um so and so we're we're kind of um you know their guide, their Sherpa on the uh trek up the uh up Everest, the compliance mountain. Good way to put it. Yeah. Um and so that was basically the idea for the podcast is you know, um, you know, we we've got people paying us to to do this with them and be their compliance guide. And so we're like, you know what, we could go put this out in the internet and share the secrets and um help people uh educate and tell everyone everything we know. Um and because um, you know, it's uh it's hard to find information out there, and especially for compliance and CMMC sp in particular, all the information you find is super technical and hard to read. Yes, it is. Yeah. So we're hoping to be that intermediary and um and help help with that. Absolutely.

Brooke

And you know, just to build one more uh on what you just said just now, um you know it's it's hard to understand this kind of technical. The other thing it is, is when you look at the 110 controls and the 320 objectives that make up uh NIST 800-171, uh revision two, um, when you look all that up, uh that's fine to read all that, but then guess what? It refers back to other documents like NIST 853, and so you have to then go read those to get some context and understand what they're getting at. So um, so there's a lot of reading, a lot of research. Um Bo helped us understand that and helped us get through it, and and uh is that a lot of that just drives me crazy. Just put just put it right there. I just need to know, just bullet point it, you know. But uh anyway, so uh there is a lot to that, to reading those controls and objectives and and understanding what's behind them too.

Austin

Absolutely. A lot of time, a lot of legwork, a lot of reading, um enthralling reading that you don't want to do right before you sleep, right? It will put you to sleep. Yeah, yeah. Um uh so yeah, I mean that's uh that's basically the creation of the podcast itself. You know, that's our our journey, and then uh, you know, we created the podcast for that reason. Um and you know, our our mission with this podcast is to help um, you know, the the CNC machine shop trying to get into DOD work or the small business that um you know has been passed down to generation to generation and and now it's in the son's hands to um figure out this new issue um and and keep uh all those employees um at the at the shop employed and and that that family business going. Um and or even just uh you know the larger company that uh quality guy or um compliance manager that doesn't know where to start but have been put in charge of it. So that's that's who we're here to help. So I guess what I'm trying to say is um you know if we could start from scratch uh and figure this out, you can too. Uh and and that's why we're here uh and we're we're trying to be here uh to make it as easy as possible for you. So uh I also just want to encourage our listeners um to to reach out in the comments, um, text us, um, email us, uh, give us a call, all of our information is available. You'll see it uh below, you'll see it on our websites. Um uh please, please reach out and ask your questions. Um we'll answer them here for free um when you might have to pay for uh a compliance person a lot of money to get them answered. So get them to us um and we'll feature them here on the show. We'd like we'd love um to get those answers um out there for you and so everyone else can learn um from your question too, because chances are if you're having that question, everyone else probably is too. So uh be brave enough to ask it, please. Um and um make sure you uh make sure you uh what is it happen?
What happens whenever you follow somebody on a podcast? I'm losing my mind right now trying to think of the word follow us. Um you know the word I'm talking about. Wow, this is making us look really good right now.

Brooke

I don't know. I'm not real good at social media, just follow us on the yeah, yeah.

Austin

Do the thing that yeah, that you uh subscribe. That's the word I was looking for. That's a yes, yeah. Subscribe to the podcast, please, and get notified. Um anyway, uh, and uh I think that's pretty much what we've got. Um we've got uh some uh new podcasts coming up. Um uh we're I think we might have a conversation with an assessor. Um, so I don't know when that's gonna be, but um, we're gonna actually have a certified assessor sitting down um uh and talking to us and kind of spilling the beans on how they're going to assess and certify um uh companies like yourselves. Um and so if you've got any questions for an assessor, um it might be a good time to submit because here in the next couple weeks we'll have we'll have him on the show.

Brooke

Absolutely. Yeah. Um I talked to him, he was excited about being on, and and uh and and I, you know, I've I went through and got some training myself. I was got some assessor training. I'm not a I'm not a CCA, I'm a CCP, uh, but I did get some assessor training because I wanted to know for our clients how all this is gonna shake out and what it's gonna look like, you know. Uh so um but it it it's good to listen to me tell you what assessors will do, but uh after all, you know, I'm I'm not an assessor. I I didn't do I didn't get that so I can be an assessor. I got it so I could understand, I got that certification so I'll know how better to implement and and how to answer questions and what they're looking for. But uh so it'll be good to have an assessor on and talk to him and ask him some questions and uh hear it from from the horse's mouth, you know, uh if you will. Uh so uh so yeah, it'll be good. He's a good guy, uh very knowledgeable, so it'll be good to have him on.

Austin

Yeah, absolutely. And uh we're also gonna be at um all the CMMC events. Um we're gonna be there as a a vendor and as uh attendees. So um we're gonna go uh learn all that stuff so that way you don't have to go fly out to DC and all these places, and then we're we're gonna try to do a show from um a show from the show uh and and just kind of tell you guys what we're learning there um and and distill that to you and actual information.

Brooke

So But if you do happen to come, look us up. We'd be happy to talk to you there at the show. Uh we'll both be there, probably have uh another person or two there, and and um uh we'd absolutely love to talk to you.

Austin

Awesome. I think that's it. You got anything else? That's it. All right. Thank you guys. Like, subscribe was the word, uh and we'll see you next time.