CMMC Compliance Guide

2024 Compliance Wrapped: Insights from CEIC East

CMMC Compliance Guide Episode 8

Submit any questions you would like answered on the podcast!

In this episode of The CMMC Compliance Guide Podcast, Brooke Justice is joined by guest cohost Stacey Flores, stepping in for Austin Justice, to bring you the key takeaways from the recent CEIC East conference. If you missed the event, don’t worry—Brooke and Stacey are here to fill you in on everything you need to know to navigate the ever-evolving world of CMMC compliance in 2024.

What’s in Store:

  • 🚀 CMMC Rollout Updates: Find out why the rollout is moving faster than expected and how prime contractors might push subs to certify early.
  • 📋 Certification Timing Tips: Learn how to avoid assessment bottlenecks and prepare your organization now.
  • 🔐 Key Regulatory Changes: Get the latest on POAM limits, FIPS encryption updates, ESP requirements, and more.
  • 🛠️ Actionable Advice: Practical tips for refining your SSP, aligning with ESPs, and staying ahead in compliance.

Brooke and Stacey dive deep into the insights gained from networking with policy experts, vendors, and assessors at CEIC East, offering practical advice to help you stay on track with compliance and secure your contracts.

Whether you’re a seasoned compliance pro or just starting your journey, this episode has something for everyone.

Engage with Us:
Have questions or need more guidance? Reach out to us at cmmccomplianceguide.com—we’re here to help!

Speaker 1:

Compliance mountain, hear my call. Climate and climate might take a fall. Regulations whisper winds, don't stall. CMMC ain't gonna make me crawl.

Speaker 2:

Hey there and welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Speaker 1:

And I'm Brooke.

Speaker 2:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. So today we're doing a recap episode, just wrapping up 2024 now that we're into 2025. We had some great opportunities. In November, we actually got to go to the CEIC East conference in Washington, DC. That's great. So today we're going to cover that. If you didn't get to go, don't worry, we're going to give you all the highlights and best recaps of that CEIC East conference. So, Brooke.

Speaker 1:

Why did we decide to do this wrap-up episode for the CEIC East conference? Well, lots of reasons. There's lots of stuff that happened towards the end of the year, and so this will cover the CEIC conference and also cover other things that happened during the end of the year. We were so busy we didn't do episodes to cover those, and I thought it'd be a good recap for everybody just to talk a little bit about CEIC East and talk about events that happened towards the end of the year, the final rule and everything.

Speaker 2:

Absolutely. Can you give us a recap of what CEIC is, for those who may not understand or know what CEIC is? Or, you know, just give us a rundown of what that looks like?

Speaker 1:

Sure, so CEIC, and this was CEIC East. CEIC is C-E-I-C and it stands for CMMC Ecosystem Implementation or Implementers Conference. I'd have to go look to see which version of implement it is, anyway. So it started off as CIC, so not necessarily the ecosystem part, but CMMC Implementers Conference, and I went for the first time last year out on the West Coast in San Diego and discovered it was a great conference. There were people from all parts of the DIB, of the CMMC ecosystem, out there. There were assessors, C3PAOs, there were implementers like us, there were product companies, there were a lot of DIB contractors there, there were government officials there. It ran the whole gamut. So it's a really good conference to go to and get a good overall perspective, or maybe a better way to say it is several different perspectives on different aspects.

Speaker 2:

Something that I noticed at the CEIC East conference is that there was a huge diversity of people, and it was so interesting to have them come across our booth and chit-chat with us. Did you have any networking insights that popped out to you during the conference?

Speaker 1:

Yeah, I did. I mean, of course, I'm on the technical side, so I'm always about all the technical aspects of it. I did have some good conversations with people and discovered that a lot of people are struggling with some of the same things that we are. Mostly, it revolves around how do you implement this for a small company. What about FIPS-validated encryption? What about CSPs and ESPs and FedRAMP and all that kind of fun stuff? You know, how do you navigate all that as a small company, and by small company I mean the government's definition of a small company, which is, you know, what gets less than 100 employees. But, you know, how do you navigate that as a small company? And there were a lot of people there that were.

Speaker 1:

It's just still tough to figure it out and do it correctly, in a manner that you can afford.

Speaker 2:

Was there anything in particular that stood out to you during the sessions that you were able to attend during the CEIC East conference?

Speaker 1:

So I actually attended the sessions remotely, because we also had one of the Express Connect booths, rooms, suites, whatever you want to call it. So I attended some of those remotely, and really I don't know that there were any particular ones. It's always chock full of content, and I have a really hard time picking out any one better than the other, but there was just a lot of really good content, a lot of really good discussion about controls, about all sorts of fun stuff.

Speaker 2:

So during the CEIC conference there was a lot of contention about the fact that CMMC updates are going to be rolling out here quickly. Since then, have there been any updates since November about CMMC? What can people look out for? Anything that you could provide insight on?

Speaker 1:

Sure, sure. The big overall thing really is that CMMC is proceeding at the pace that the DOD had originally intended. You know, things seemed like they were going to get drawn out, and I can't tell you how many people, it's less and less, but I can't tell you how many people still say, you know, oh, it's never going to happen, it's never really going to go into full effect. And I hate to tell you, but it's coming, and it's coming in about the timeline that they said and they wanted it to, and not only that, some of it's moving a little bit quicker than you might think. So we've got the 32 CFR final rule. It's in place. Certifications are available, not required yet, but they're available. Certification assessments, I should say, and I guess the certifications that come along with it, but they're available, not required.

Speaker 1:

The 48 CFR rule, the final rule. This is mid-January, so the final rule should be coming out fairly soon, from what insiders say, unless I've missed something and it came out. But it should be coming out fairly soon, which is faster if you look at the whole timeline and how long it usually takes for these CFR rules to go through. That's a lot quicker than it would normally take, but the 48 CFR rule is a lot simpler than the 32 CFR was. The 48 will put it in effect on contracts, and then, of course, there will be four phases after that, but it should be coming up pretty soon. It is coming and it's coming quick, so yeah.

Speaker 2:

Are there any expectations that prime contractors should look out for? Are there any changes that maybe they need to be aware of with these upcoming changes?

Speaker 1:

There is, and they probably wouldn't tell you in any kind of official capacity because they just don't know. But they actually mentioned this at the CEIC conference, and it's been mentioned on some of the calls with the Cyber AB. And I've also talked to some of the prime contractors, their compliance departments, of course, that's who I would be dealing with, right? But anyway, I've talked to them, and I won't name the primes that I talked with because they probably don't want to be named, but they will most likely be requiring some level of compliance, some level of certification, from their.

Speaker 1:

Of course, there's only, I don't mean, I guess, a percentage of their clients to be certified sooner than would otherwise be if that client had a direct contract with the government. So, in other words, if the 48 CFR rule goes final and 60 days passes and it's April 1st of 24, then on April 1st of 25 the certification assessments can start being required on contracts. There's also some verbiage in there that allows them to put it off to some option years or make it a little earlier if they want to, but basically each phase is a year. So that's the phase. April 26 is what you would be looking at in this scenario. That is not definite. The prime contractors very well may say, look, we need as many of our subs as we can to have certifications, so we look like a good contractor to go with for the government, right?

Speaker 1:

Absolutely. So that would be good for them to get contracts, and then, conversely, going down the chain, it would be good for those subcontractors to have certifications in place. And so, basically, what the Cyber AB has said is, hey, look, these phases of this rule, prime contractors could require something else, something sooner than otherwise. So certainly not later. They can't do it later, but they may do it sooner. So the Cyber AB has said that, and the prime contractors that I've talked to, the compliance departments, they've said, look, our executives want us to be in a good spot, and right now we're doing this, and, you know, we may require certifications early later on. So it's coming, and if you're a sub, which there's a lot out there, you know, you very well could be required to have a certification assessment done earlier. Or, if not required, just highly suggested, and them telling you that, hey, you'll win more contracts if you get certified earlier.

Speaker 2:

Right, absolutely. Well, on that topic, we know that C3PAOs are booked out months in advance. Yes. So what advice would you give to those that are kind of holding out on getting those mock assessments booked, or, like, you know, just making sure that they're set up for that certification? What would you tell them in that sense?

Speaker 1:

Don't wait, really. I mean, that's it. Just don't wait, get everything done, get everything ready now. The final rule that came through very well may have changed the way you need to do some stuff on the back end, and change some services up or something, or whatever needs to be done. Go ahead and get it done. Get everything compliant, technically compliant, make sure all your documentation is up to snuff. And, as we've said in other podcasts, you know, documentation, documentation, and they also like documentation.

Speaker 1:

So, and there's just, I can't explain it enough, that you have to do a very good job of documentation for your certification assessment to go well. The better job you do on documentation, the smoother it's going to be. I'd hesitate to say that it'll make it cheaper for you, but it will be smoother, and that accounts for a lot. But, you know, like you said, the C3PAOs right now, they're booked out through at least March, if not April. And you might be able to find some that are, you know, maybe available earlier, but I can tell you, if you want to be bumped up in line...

Speaker 1:

It'll probably cost you, so, you know, because they're having to put somebody else out to get you. But anyway, they are booked out, and when you get ready to do your certification assessment, not only is it going to take at least a couple of months to get it done, but it's probably going to take three or four months to get to the point to be able to get it started. So it'll take quite a while.

Speaker 2:

Absolutely. With the 32 CFR rule, there have been some changes, correct?

Speaker 1:

There have.

Speaker 2:

So POAMs and temporary deficiencies. Are there any changes that we would like to let our audience know about? What should they be aware of, and, you know, key things to look out for in that sense?

Speaker 1:

Sure, so we knew from the proposed 32 CFR rule what ended up in the final: 180 days. POAMs are now limited to 180 days, which, there was no reason to think that they would change that. So POAMs are 180 days. But also for your certification assessment, which is really where those POAMs really matter. They also matter on self-attestation, on self-assessment, so I'm not saying they don't matter there, but they're limited to 180 days, and you can only POAM certain one-point items. So you can't POAM three- or five-pointers. If you fail a five-pointer or three-pointer and can't get it fixed, like, immediately, then you just have to fail that certification and you have to go through another one. So that's one. They did make room, so they didn't really budge on things like FIPS and FIPS-validated encryption, FIPS-validated cryptography, however you want to phrase it. But what they did do is they added durable, enduring exceptions, and they also added temporary deficiencies, which you add in as an operational POAM.

Speaker 1:

So an operational POAM is different than a regular POAM, and it describes things. For instance, if your firewall's operating in FIPS mode and you get an update and you have to update it and it comes out of FIPS, has to come out of FIPS mode. Well, what do you do? Do you not update it? Well, no, you really need to update it, because there's likely security patches that you're updating it for. So it's very important to do that. But that kind of trumps the FIPS mode. And so your operational POAM would be that you had to update your firewall with whatever version of firmware, and it's not FIPS compliant or FIPS validated, but as soon as one comes out that's up to date and FIPS validated, then you'll update it. And so that's basically what your operational POAM would be, and that's just an example.

Speaker 1:

So those operational POAMs help out a lot. Those enduring exceptions help out for some of the operational technology and other things that you may need online somehow, but there's no way they can make FIPS-validated encryption. Those are where those things, those enduring exceptions and operational POAMs or temporary deficiencies, that's where they come in. Temporary deficiency, there's no timeline on that. So I was talking to a client yesterday and explaining the temporary deficiencies, so he said, so, in other words, a temporary deficiency could really be permanent, because if Windows 10 is a temporary deficiency, it's likely that you'll never ever get one that's FIPS validated. And I was like, well, I'm not going to necessarily say that, but it may be a while until they get Windows caught up to where you could actually be on a version that is FIPS validated and currently supported, with all the patches and everything else in place. But that would be an operational POAM.

Speaker 2:

So I believe there was also a change with how ESPs are handled in the 32 CFR rule, correct?

Speaker 1:

Yeah, there was, and they did kind of lessen the burden on CSPs and ESPs. Really, CSPs are an ESP, but CSP is cloud service provider. I guess I should, all these TLAs, all these three-letter acronyms, I should probably say what they mean. A lot of you probably already know, but ESP is external service provider. Just a minute ago, when we were talking about POAMs, that's plan of action and milestones. I'm sure there are a whole bunch of others that I said. But anyway, the ESP is an external service provider.

Speaker 1:

A CSP is a cloud service provider. So an ESP is an all-encompassing term. That means anybody that that organization that is seeking certification or assessment, anybody that they use as a third party to fulfill some of their backups or any kind of security on their network or anything like that, that would be an ESP. That third party is an ESP. But within ESPs there are CSPs, cloud service providers, and they have a particular definition, and those cloud service providers have to be FedRAMP authorized or equivalent, and there are, when you go get your certification assessment...

Speaker 1:

Whether they're authorized or equivalent does matter, probably to the cost of the assessment, but it matters definitely to the amount of work the assessor is going to have to do. If they're FedRAMP authorized, then they look at the authorization and they go, great. If they're FedRAMP equivalent, you give them all the papers and they go, all right, well, I got to sit down and go through all these, and we got to, you know. So it takes a lot more time. But to go back to your question, after chasing that little rabbit, ESPs, with the exception of CSPs. CSPs, we're not talking about them. ESPs would be like us, an IT service provider, or another three-letter acronym, an MSP.

Speaker 2:

So we're an MSP, that's an ESP. We love our acronyms here. It's a managed service provider.

Speaker 1:

So ESPs like us that are not a CSP. It was in the proposed rule that we would have to get the same certification assessment, to be at the same level that our customer needed to be at. I'm sure other people are like us. We've got quite a few different CMMC clients, and so we may have ones that are a level one, we may have ones that are a level two self-assessment, and then ones that are level two certification assessment. Which would mean, really, that we'd need to get a certification assessment, even if we only got one client like that, right. But they've lessened that and said, no, you don't have to go through a certification assessment.

Speaker 1:

Any of the services that you provide for this client that is covered under CMMC, you are now in scope for those services, and so you have to be assessed for those services along with your client. Which means that if you have 10, 20, 30, 40 clients, guess what? You've got to be assessed 10, 20, 30, 40 times on those assessments with your clients. So yes, after the first one or two you'll probably get really good at having all the right documentation right here in one neat little pile, but you do have to go through it every time.

Speaker 1:

So then ESPs like us have to decide, is it worth it just to go ahead and get a certification assessment? And that way, if you get a certification assessment, you just hand that over to the assessor and say, here it is, and that makes life a whole lot easier. I wouldn't say it's just, they look at it and say okay, but it would make things a lot easier. But yes, they have, quote, lightened the burden on ESPs by not requiring us to get a certification or be at the same level. But we are in scope for the services we provide.

Speaker 2:

Would the CFR final rule also provide clarification with SPD?

Speaker 1:

SPD is security protection data, and there are security protection assets. Data is what data is. The security protection data is from the security protection that protects CUI, and a security protection asset is an asset that protects CUI. If it doesn't protect CUI, then they don't really care about it. It matters to you, but it doesn't matter to them.

Speaker 1:

So that would be things like your SIEM, your security information and event monitor, your antivirus, your remote monitoring, if you manage patches, how you manage those patches. Those kinds of things would be in scope because they serve as protection for CUI. So that data that's on them is SPD. That SPD has to be protected like the CUI. It has to come under the same protection. So I was hoping that that wouldn't necessarily mean that they have to be FedRAMP or have FIPS-validated cryptography, but it says like CUI, so they're supposed to be protected the same way the data they protect is. So, yeah, those SPD, any services. For instance, we have a SIEM service, and that SIEM service has to be FedRAMP, so FedRAMP authorized or equivalent, and then there's the whole authorized or equivalent thing we talked about a minute ago. So, yes, that is a big deal. Not unexpected, but a big deal.

Speaker 2:

We're going to pivot a little bit over to the 48 CFR proposed rule. There were quite a few updates that happened since this last year and here in 2024. What is that 48 CFR timeline? Were there any updates on that? What could you share?

Speaker 1:

Sure, so the 48 CFR proposed rule is out and, as I alluded to earlier, or I guess I didn't actually allude to it, I actually said it, but it's kind of, everybody in the DOD, people that have something to do with this in the DOD and would say anything about it, have said that they expect this to come out in Q1 of this year. Right, the final rule, 48 CFR final rule, to come out Q1 this year. And really what I understood was January, February. It's mid-January, so I would expect it at any time. Really, now, I haven't heard lately where it was actually at exactly in the process, but I would expect that final rule to come out very soon. After it comes out, you have 60 days for it to actually become effective.

Speaker 1:

So if it comes out, for instance, February 1st, that would be February, March, it would be April 1st, and that was kind of why I used April 1st on the example a while ago. So it would be 60 days from that date. So, like they did with the 32 CFR rule, it's likely to go into effect on a weekday, not a weekend. After that, you're looking probably at April or so, April or May, something like that, for it to go into effect, if it goes the way people are thinking of it. It has to come out first. So we'll see, but it should come out very soon. And then, as far as the timelines on that, the first phase is not six months, it's a year now, and all four phases are a year.

Speaker 1:

So phase one is going to be level one and level two self-assessments. That'll continue for a year. That'll be what's required. In effect, that's really what we're doing right now. It's kind of written in stone in this rule. And then the next phase starts a year after that. So in my example that would be April or May of 2026. And so at that point, that's when the certification assessments could be required on contracts. And again, they did leave a little wiggle room to say we can require it on some contracts a little before, if we need to, if we see fit, or could, with option years on a contract, make it a little later, like that, on contracts that start during that term.

Speaker 1:

So they did leave themselves a little bit of wiggle room, but in essence it's supposed to start in that time frame, around April, May of 2026. Again, that's kind of a shot in the dark there, or educated guess, and then they go on from there. Level three would be the next, and they put them on more and more contracts. So anyway, there's a four-year process there. After that's over, it's supposed to be required on every single contract.

Speaker 2:

What is your advice to those in terms of the timeline and rollout of the 48 CFR proposed rule and kind of like what you had mentioned? What are the best actionable steps that people should take following that timeline?

Speaker 1:

Don't wait. I mean, I think I kind of jumped ahead a little bit on some of this, but, you know, it may sound, if I tell you, hey, you know, you don't have to worry about your certification assessment until, you know, April or May of 2026, you're like, woohoo, we've got, you know, over a year. That's not necessarily the case because, as I said, primes could require it of their subs, or subs could require it of their subs, sooner. However, I kind of doubt that necessarily would happen. But primes very well may require it of their subs sooner than they have to have it, or make it highly desirable, or they may be pushing for it to get that earlier. But it's coming.

Speaker 1:

There's a long wait line for C3PAOs and, I think, last count, they had to go through and get reauthorized and everything. The last count I heard was they had 37 C3PAOs ready to rock and roll. There were about, I think, 51 C3PAOs before they had to do the recertification thing or reauthorization thing. They're going through that process and trying to get done what they need to get done, and so we'll have all those ready. But still, 51 is not that many. There are new ones coming along, but there's a very high bar for C3PAOs and for lead assessors, and there should be, but there's a very high bar, and so there's not likely going to be a large influx of a lot of C3PAOs, which would be very nice to have, at least, you know, on this side of it.

Speaker 1:

But, yes, so don't wait. Get your ducks in a row now, as soon as you think you're ready, potentially ready, and that means documentation and everything, not just the technical controls. IT guys like me like to focus on the technical controls, and we've got all that covered. Oh, you need documentation on all this? Well, you know, the technical controls are obvious and important, but the documentation is very, very important and very necessary, and you have to have that in place and ready to go. So I would say don't wait, get it all done, get it taken care of. As soon as you have that to where you think you're ready, then I would go ahead and pull the trigger on trying to get certified. Absolutely.

Speaker 1:

If you need certification, you know, or are looking to do that for marketing purposes, you know, try to market your business better to the primes or DOD. Maybe your organization has been told you only need a self-assessment? I don't really know. Everybody I've talked to is expecting level two certification assessments.

Speaker 2:

Well, perfect. I think that is our wrap-up of 2024 and our CEIC East conference that we attended. If you have any questions about what we covered today, or if you have any questions on any topics or general questions that you'd like to throw out there, we'd love to hear them and answer them for free. So please text, email or call us and ask your questions. We'll answer them for free here on the podcast, and you can find our contact information at cmmccomplianceguide.com.
