CMMC Compliance Guide

How the DoD’s Cybersecurity Crackdown Could Impact Your Aerospace Contracts

CMMC Compliance Guide Episode 12

The DoD is tightening its cybersecurity regulations, and your aerospace contracts could be on the line. In this episode of The CMMC Compliance Guide Podcast, we break down the latest changes to CMMC, DFARS, and FAR that could directly impact your business.

Join Austin and Brooke from Justice IT Consulting as they explain:
✅ The upcoming CMMC, DFARS, and FAR rule changes & deadlines
✅ Why self-reported compliance is no longer enough
✅ How SPRS scores and third-party assessments will determine contract eligibility
✅ The legal risks of non-compliance, including False Claims Act violations
✅ Steps you must take right now to stay ahead of the cybersecurity crackdown

Don’t wait until it’s too late! Compliance deadlines are fast approaching, and failing to prepare could mean losing out on DoD contracts. Stay informed, stay compliant, and protect your business.

📌 Download your free guide here: https://cmmccomplianceguide.com/ultimate-aerospace-contractor-guide

📌 Need help with compliance? Contact us at https://cmmccomplianceguide.com


Intro Song:

Regulations whisper

Austin:

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance, or, as hired guns, get companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. All right, so Brooke, today we're tackling a massive shift in cybersecurity regulations for defense contractors. CMMC is changing. DFARS is changing. There's even some proposed rules or something changing with the FAR for people that aren't defense contractors and are doing business with the federal government. If your company is in the DoD supply chain, these shifts could impact you and your contracts, and even other contracts that you don't necessarily know are connected to defense. Absolutely. And they're happening fast.

Brooke:

They are. They are happening fast.

Austin:

Absolutely. So I guess we should also address, I'm back.

Brooke:

Yes, you are. For a couple weeks of hiatus?

Austin:

Yes, absolutely. A little back injury there, but I'm back and they haven't fired me yet that I know of.

Brooke:

He just hasn't seen his pink slip yet.

Austin:

Yeah. Maybe it's somewhere on my desk just under all the rest of the papers.

Brooke:

Probably so.

Austin:

My first question for you about all these changes is why should DOD contractors care about these changes?

Brooke:

Well, there's a lot of changes, and really the changes just show everybody that it's moving forward and it's coming. It could affect your contract eligibility, incident reporting requirements, impact the legal side of things. It's coming. There's no putting it off. DOGE is not going to put it off. It's coming.

Austin:

And speaking of that, because that's actually a hot topic when I'm talking to people. Yes, it is. I mean, nothing political at all here, but administrations change. Things are changing. You see in the news every day there's adjustments. But we seem to have at least grapevine knowledge and reassurance from up high through the DOD and their officials there. I've actually talked to the administration and Elon and DOGE. Absolutely. It seems that's still on track.

Brooke:

It is. So Katie Arrington, who is now, again, back in a prominent role for CMMC and the DOD. She's the DOD chief information security officer, the CISO. And she's got another title, deputy chief information officer or something like that. But that makes her the CISO. Anyway, she had actually gone to talk to Elon Musk, Mr. DOGE himself. And so she said, you know, everybody's thinking that DOGE is going to make cuts and this is going to be part of those cuts and everything's going to be delayed again. And Elon said no, absolutely not, that CMMC is very important. And we all know, we've talked about the reasons, you know, if you go look at half of China's military equipment, you know, they look strangely like ours. But anyway, you know, he said it's very important. We've got to secure our DOD supply chain and nothing's changing there. So he reassured her, and she is the DOD CISO. So, I mean, I'd say that's a pretty high up reassurance there.

Austin:

I'd say it's probably a good news, bad news situation for a lot of our customers. A lot of people were really hoping, yeah, I have a lot of people that were just sure that that... and, you know, some people still are very sure it's going to happen despite what we hear. But not everyone's excited about this continuing. So, well, the next thing I have for you is there's been a lot of movement on CMMC, DFARS, the FAR. Can you just kind of broadly walk us through what's happening with those?

Brooke:

We had the final rule come out in December, so now you're able to get certification, CMMC certification assessments. You're able to get those now. They're not required just yet. The proposed rule that puts those on contracts and requires those is still in the process. It was pulled back to look at it to make sure that, you know, with the new administration coming in. But that's still in the works and should be coming out pretty soon. And so it'll start being required on contracts. There's some timelines and everything that go along with that, there's caveats. But when that comes out, it'll start being required on contracts. We've got the new CAP, the CMMC Assessment Process. All of us people just call it the CAP because that's too long of a word. But anyway, the CAP 2.0 is out. It makes some good changes. And the CAP, if you haven't looked through it, outlines how to perform an assessment from the very beginning, from the organization seeking certification, the OSC, contacting a C3PAO, who does the assessments, all the way through the process. It lays it all out in gory detail. They did that on purpose so that these assessments could go as similar as possible, so it could be standardized pretty easily. And so there's good with bad. That's the good part. The bad part is, you know, government loves to make things overly complicated. So, you know, there you go. Another thing is, now that CMMC is off and running and, you know, got all these timelines coming up, these are DFARS rules. That's defense. So the FAR is the rest of the federal government, the rest of the federal acquisition. They're in the plan all along. We've always heard this, you know, once CMMC gets going, then the rest of the federal government is going to follow suit. Well, now there's a proposed rule for the FAR on how to protect CUI.
And so it is the first step in following through and basically doing CMMC for the rest of the federal government.

Austin:

If you are not particularly familiar with DFARS or FAR, the way I basically frame it in my mind, correct me if I'm wrong, is basically just rules for doing business with the government. And defense would be if you're making parts that go into the defense supply chain or doing business in the defense sector, and then FAR would just be a lot of... You know, just really anything federal government. I wouldn't say anything, but a lot of the federal government.

Brooke:

Anything with the federal government. DFARS is the defense part of the federal acquisition. When you drop that D off, it's the rest of the federal government. It could be Homeland Security. It could be any part of the rest of the federal government. There are a couple that are going to go first with this whole CUI protection, and they're going to get kicked off first because they're more important. Okay. But when you step back and look at it, that FAR rule, proposed rule, is the first step in CMMC for the rest of the federal government. So it would be a good idea for everybody to get used to and understand CMMC and how it works, because it's coming to the rest of the federal government.

Austin:

So, I mean, I think it's fair to say, you know, whether you supply toilet paper or weapon systems to the government, at some point you're probably going to be touching one of these regulations. And it may not necessarily be, you know, the toilet paper itself that they're concerned about, but like contract details, you know, stuff like that, right? I mean, there's other tangential, I guess, information or contract information that they want to keep protected. So even if what you're providing seems rather benign, it may still fall under these things.

Brooke:

Absolutely. There'll probably be a whole lot more. So there's three levels. There's level one, which is basically protecting FCI, which I believe now is CFI, but FCI is federal contract information, which is non-public information about that contract. So if it's not on an open website, if it's behind a portal where you have to sign in or something, if that information is behind that portal where you have to sign in, then it's FCI. If it's out for the whole world to see, then it's not FCI. But anything about that federal contract that is non-public is FCI. Level two is the controlled unclassified information, the CUI. So if you protect CUI and your contract says part of this contract is you have to protect this CUI, then that's going to be level two, and that's where all this comes in. Level three is another step above that. The number of people that have to comply with level three is going to be a lot smaller. But you're right. I would imagine once the rest of the federal government gets moving forward, there's going to be a lot of FCI to protect, and not necessarily all CUI. If you go look at the CUI registry, there's a bunch of different kinds of CUI, dissemination rules, and all sorts of fun stuff. If it falls somewhere in there, then that's data that needs to be protected.

Austin:

What does this mean? What's the impact for companies that currently have contracts that have these requirements?

Brooke:

Well, it means that for the ones that already have contracts, they have current contracts. One, if they already have those DFARS rules in there, they should be meeting those DFARS rules. And they state 800-171, CMMC, all that fun stuff. But they should be paying attention to those DFARS rules that are in the contracts. But as far as these changes go, when the 48 CFR finally goes into effect that requires it on contracts, you will have to have your CMMC, assuming level two, certification. You will have to have that level two certification to win new contracts. You can bid on that contract without necessarily having that certification yet. But if it was me, I don't know that I would do that, because it's a long process. And even with just the voluntary nature right now of getting CMMC assessments, certification assessments, the assessors are already booked out three, four months plus.

Austin:

Mm-hmm. Yeah, and if you are thinking about bidding on contracts and you don't have compliance figured out yet, give us a shout. We can walk you through free of charge. We can just kind of walk you through the budgeted line items, broadly speaking, that you might want to estimate to make sure that when you do get the contract you're actually going to make money, because you don't want to lose money on a contract. The way I understand it is that you're kind of tied to the contract once you win it. Absolutely.

Brooke:

Yeah, and that's true. We can kind of bullet point those things. Some of it's going to be a lot closer to accurate than others, because when you first talk to somebody, you know, without really delving in and spending a lot of time figuring things out, you don't know the environment. But high level, we can certainly help out and say, this is what you're looking at at a high level, you know, and then you can figure out if the, you know, $100,000 contract is worth spending, you know, $200,000 on to get compliant.

Austin:

Right, exactly. Yeah, so it just might save a lot of people some headaches. So we've been doing that recently with some people, trying to help them out, and some people have decided to go forward with it and some people have just decided to drop it altogether. So CMMC has been evolving over the past two or three years or so for itself; before that, you know, it was a different iteration. But for a lot of people, these deadlines are starting to feel actually real, from what I hear. Because they are. Yeah. Yes. And I'm even hearing from some people that they're like, oh, it's finally here. You know, I feel like it's been here for a while, but for a lot of people, it feels real now. What does this mean for companies that are bidding on DoD contracts?

Brooke:

It means that CMMC is no longer optional. It was not optional before, but it's really not optional now. Check the box. It's coming. It's here. There's teeth with it. You have to prove it. CMMC is coming. It's here. Timelines are... I guess you can see that light at the end of the tunnel, with the train coming or whatever it may be. But CMMC is coming, and there's no stopping it. It's here. Your SPRS score is very important. I would say, really, if you're not at 110 right now, you really need to see what you can do to become 110 and what you need to do to flesh that out and finish it up, because, like I said, it's not easy. It's not going to be a short timeframe to be able to get your CMMC level two certification. The other thing is, reporting requirements very well could be changing, for if you have some sort of incident. And if you have some sort of incident and you don't report it, that's not a good thing. So there's some legal ramifications there. But for the reporting requirements, right now it's set at 72 hours, which is reasonable. The FAR rule, the proposed rule, sets it at eight hours, some stuff at eight hours. So that's a bit of a change. So you need to know what department, who you're doing work for and all that, and what the reporting requirements are. Of course, this one's proposed, but from some of the things we heard at the last conference we went to, the sentiment seems to be, at least in the government circles, that they'll just make all of them eight hours. And I think that's a joke, to tell you the truth. And that sets people up for failure. So hopefully they don't do that. Hopefully cooler minds prevail. I don't know. So hopefully they don't do that and they stick with 72 hours. But there's some significant changes coming that you need to be prepared for.

Austin:

A lot of people aren't complying or are failing compliance or the DIBCACs. And so to move the goalposts even a little further seems to be quite an ask. So I hope they'd have waited a little longer to do that, but it seems like they're wanting to go ahead and move forward with it, which I understand, their concern. It's important stuff.

Brooke:

And to be clear, when you first report one of these incidents, you don't have to know everything. It's the important... I think what they feel is the important thing is to let them know that there's an incident or the possibility of an incident while you're investigating it and trying to figure it out. So you can fill in those details later, but still, eight hours is a very tight reporting requirement.

Austin:

At the last conference we were at... can I go on with what you were saying about the SPRS score, S-P-R-S, or however you pronounce it, because I've heard quite a few options on it. Take your pick. Yeah, I like S-P-R-S, but I hear Spurs a lot. I don't know if it's a requirement or what it was, but I remember them saying that 80% of 110, it's like an 80% pass score. Would that be like 88 or something? Yes.

Brooke:

That is... I think what you're getting at is that, to be able to have a POAM and the things that are able to be POAMed, you have to get 80%, or 88, in order to be able to have that POAM and move forward with it and have that 180 days to complete it and get it done. So I think that's what you're referring to.

Austin:

Yeah, yeah, that's exactly. And I think what I'm trying to get at here is that they're expecting that to be the minimum threshold. They are.

Brooke:

Yeah. And I would say don't even pay attention to that. Get the whole thing done. Because, I mean, it's not just a simple 88% or 80%. It's that there's no three-pointers or five-pointers that can be POAMed, and only certain one-pointers. And so it's a whole thing. So you have to know which ones you can and can't POAM to be able to walk that line there. And really, you're not getting yourself... Right. Yeah.

Austin:

A lot of the things you can go ahead and start implementing, unless you just have a large hardware project or, you know, a long-term engagement you have to complete. I mean, a lot of technical controls can be implemented reasonably quickly if you have an infrastructure that can accommodate it.

Brooke:

Absolutely. And to that point, really the bar is, if you're starting at zero or you're just starting off or you haven't gotten very far, then the rule of thumb is that it takes at least 12 to 18 months to go through the whole process to get compliant. That doesn't include calling up a C3PAO and saying, hey, I want to get on your list, that's three or four or five months out. And then a couple of months or so that it takes to go through the assessment. So my point is that you really need to knock those out and get that stuff done, because it's not a quick thing to get done.

Austin:

What is a conservative estimate? What I've been telling people is, if we start today getting you compliant, the end of that journey is probably a year. And that might even be a little hopeful. And, you know, the longer you wait...

Brooke:

There's some things that just take a while. I can tell you sometimes just trying to get a Microsoft GCC or GCC High tenant takes a long time. It's like, why are we going in circles here? But really, it does take a while to get done, so don't wait. You can get...

Austin:

You can get caught unprepared. There's one of your two catchphrases again, don't wait. Yeah. And documentation, documentation, documentation. That's right. Maybe you've got, you know, the ultimate hope in the patron saint Elon, that he cuts these things, or, you know, you're really just holding out. Yeah. And you want to ignore this. Yeah. What happens? What might happen to you? What are the ramifications of ignoring it? Just kind of speculation and based on what the government is saying.

Brooke:

Sure. I mean, it depends on where you're at in the process and what kind of contracts you have or don't have. But if you kind of ignore it and just put it off and put your fingers in your ears and la, la, la, la, or beg the patron St. Elon, I guess is what you said, to make some cuts, the ramifications could be that you just don't win those new contracts. The ramification could be that a prime says, hey, you're working on this contract now and we need all, or a certain percentage, of our subs to be CMMC level two certified, we need you to get certified. And at that point, you know, it's like, oh well, you know, sure, I can do that, it's only going to take me, you know, eight, twelve, eighteen months, whatever it may be, to get that done. So the prime contractors, we're already starting to see them saying, you know, we need you to start. We need you to make that call. We need you to show us the date that you have scheduled to meet with the C3PAO to kick this off. They're asking for that now. And it's not even required. So, you know, the primes, sometimes people forget the primes. They're trying to win contracts too. They're just like you and me. Well, not really just like you and me. Still a lot more money. But they're trying to win contracts. They're trying to be in the best position possible. So they're trying to make sure their whole ecosystem is in really good shape. And so we've heard it from several of them. They want to get you green in their system, which means you're compliant with the whole ecosystem, with all the controls, and you have, you know, all your documentation in place. We've heard that for a while, and now we're starting to see, like I said, them saying, hey, now that you're green in our system, we need you to get your certification. So that's coming up. The other thing could be, if you've been checking the boxes saying, yeah, we're complete, we're compliant, absolutely, we got 110, you know?
So if you've been doing that and you haven't realized that you're not 110 and pulled that back some, you know, you could face some legal obligations. You know, some... oh, shoot. False Claims Act? False Claims Act, yeah, sorry. You know, they've made some examples of some institutions for the False Claims Act. So if you've been saying you're compliant and you're really not quite there yet, then you could be subject to the False Claims Act. And that's nowhere I'd want to be, I can tell you that. So those are the ramifications at a high level, you know, lost money, lost reputation, legal challenges, stuff like that. Or you just decide to go a completely different direction and forget about the DOD for your business.

Austin:

Yeah, so I guess if you've been generous with your self-attestation or SPRS score in the past and you're still performing on contracts that require this compliance and you're thinking about ignoring it, that could put you at quite a bit of risk if you're still performing on those contracts and have no intention of taking care of this, just to make that clear. And it could.

Brooke:

And to go back to something I've always said, again, if you meet those controls technically, but you don't have all your documentation, all your policies, all your plans, all your procedures, I would hope you have your SSP, your lists, your proof. If you don't have all that, which is documentation, documentation, documentation, if you don't have all that, then you're not compliant. And that's what a lot of people don't realize. This really isn't an IT problem. Even though we're an IT shop helping folks with this, this is not an IT problem. This is really a business problem, where you can put some technical controls in place, but there's a lot of people and process and everything else that goes with it. It's the whole company that does this. It is not the IT department. In fact, most companies grab their IT guy, or maybe their quality guy or whatever, but, you know, in a lot of places the quality guy is the IT guy. They grab the IT guy and say, hey, let's get compliant and do what we can. And then the IT guy goes, oh well, you know, we've got to spend money to do this and this, and they're like, oh, no, we can't spend money. It can't be the IT guy leading it, necessarily, unless he has buy-in from the upper management, from whoever's leading the company. This is a people and process problem with an IT component. It is not just an IT problem.

Austin:

Yeah, and just to riff on what you're saying there a little bit, when you say documentation, a lot of people think, oh, my SSP, my POAM, my policies, but that's actually a small portion of your documentation, right? There's a whole other portion that is an everyday, living, breathing piece of documentation: that you've installed patches, that whenever you made a change it was documented, what you did on the network. If you had a virus or something, of course there's reporting or whatever requirements might happen there, but as you make configuration changes, new applications installed, stuff like that, all that has to be documented and then shown to the assessor. And that can't be like the last two weeks, if you've decided, you know, that you wanted to start collecting it so that way you could pass your assessment. It has to be like the past six months or more, right? Yeah, and I may have used some wrong examples on what needs to be documentation, but is that mostly correct?

Brooke:

No, it's good examples. You're right. I mean, you have to show, you know, your change procedures and that you're following them. You have to show that you really are updating things. You have to show that you really are managing this whole thing. You have to show that you are collecting the logs. You are reviewing the logs. You know, you have to show all this stuff, and it's got to be documented. And not only that, I mean, you have to have all of the assets that are on your network listed out, including people. You have to have them all listed out and classified. What kind of assets are they? How many people have actually done that? But yes, there's a lot of documentation. Your policies, you should have your SSP. That's really the easiest one to get in place. But you should have all your policies backing that up, all your plans and procedures. And those are the base level. Then all your other documentation to go along with that, the lists, the approvals, everything we just mentioned.

Austin:

Well, now assume that you're a contractor that is wanting to do something about it and wanting to stay ahead of this. What should they be doing today to get compliant?

Brooke:

So really, I mean, you should know your SPRS score, or SPUR score, however you want to phrase that. You like saying SPRS, and all the people I talk with in the meetings and everything, they always say SPURS, so I always call it SPURS. But, you know, know what your SPUR score is, know if it's accurate, know what you've got to do to get that on up to 110. You should prepare for a third-party assessment, a CMMC certification assessment, and that's part of getting that SPUR score up to 110. But you should get ready for that assessment, because they will assess not only your technical controls but all the documentation we just talked about. All that documentation is going to need to be in line and ready. And I think at the last conference, one of the assessors said if they ask for your SSP, I think they said, I can't remember, if they ask for something, your SSP, and it takes more than a day to get it back to them, 100%, you're not ready. So that's what they've experienced. So if it takes more than a day to get that SSP to them, then they know they're not ready. Because you should be able to spit that out and get it right over to them, because, like I said, that is the basis. That's what everybody's been kind of really working off of. Oh, this is my documentation. This SSP is what I've got to have. It is part of it. That's a start. Right. So, and it also depends on how people do their SSP and their policies differently, where you put more of the detail and whatnot. And we won't really get into that right now, but understand your CUI. What kind of CUI do you have? I can't tell you how many people, when we say, what kind of CUI do you have? And they go, I don't know. What do your contracts say? What do the markings say? And of course, there's a lot of our clients that don't even get marked CUI.
It's getting better now, but there's a lot that don't get marked CUI. But you should know what kind of CUI you have, because that's important to be able to scope your whole network. And so understand your CUI, understand where it goes in your network, but also make sure that your supply chain is ready. If the primes are having to make sure their supply chain is ready, which is you, or which could be you, then you also, there's flow down. It's always been there, but it was recently called out, specified, hey, you need to make sure that your subcontractors, the people that you have do work for you, are compliant as well. If they get CUI, it needs to be protected, and they need to be able to prove that to you, just like you have to prove it to the primes. And the last thing is, really get that assessment booked. When you think you're ready, go ahead and book that assessment. Or if you have just a couple things to clean up and you're sure you can get it done, book that assessment. Because those assessments, like I said, just now in the voluntary period, they're three and four months out. And so there are more C3PAOs and more assessors coming online, but not at a fast pace. The demand for those assessments is just going to keep increasing, especially as we get closer to that 48 CFR rule going final and being required on contracts. So if you think you're ready, or you're very close to being ready, make that call. I can guarantee you that assessor, that C3PAO, is going to say, hey, great, I'd love to work with you. Let's make sure you're ready. And so they're going to ask you some questions and to show them some stuff and, you know, what do you have. And they don't want you to send them any of your policies and stuff like that, but maybe a list of what you have, stuff like that. So they want to make sure that you're ready and they don't waste your time and their time, because, like I said, they're backed up. They've got a lot going on.

Austin:

Yeah, don't phone that part in either, because they're trying to save you money on that one. Because you're going to waste thousands of dollars if you schedule an assessment and you're not ready.

Brooke:

Yes. And, you know, hopefully that fleshes out in the very first part, because most of them are probably going to, they want to know what you have ready. And then from that, they ought to be able to tell if you can move forward to the next part, which is probably pay them some sort of retainer, not the whole amount, but some retainer, to go through and verify that you're ready. And then if you're not, if they can tell at that point you're not ready, they'll go, let's hold off and circle back up when you're ready, because you're not ready. So, and again, we've said this in the past, they can't provide any consulting to you. They can't sit down and say, all right, well, this is what you've got to do, and this is how you can do it. They can't do that. Well, they could do that, but they can't do the assessment for you after that. Somebody else would have to. So absolutely, if you get to that point and you go through an assessment and you have a five-pointer or a three-pointer that can't be POAMed and you can't fix it like right now, then you just wasted all that money for that assessment and you've got to reschedule it, which is going to be another three or four months out, another couple months to complete.

Austin:

In terms of when you're looking at an assessor, and interviewing them, getting quotes, from my understanding, and I'm not saying this because I don't have experience with assessors that do this, where they just give you one fixed project fee, you pay it and everything's good. From what I've been able to tell, it's best to work with an assessor that's going to benchmark it in terms of the engagement. So they'll work with you in installments, probably isn't the word, but in phases, right, I think is a better word, because they'll help get you through that process. Because it's hard to give you a price, because everyone's different. That's just, you know, a flat fee. And if they do, and you pay for the entirety of it up front and you're not ready or you fail, then it's paid for, right? But if you work with somebody that's going to phase it out like that or benchmark it, they understand what is required in the assessment process and your piece of it. And it might work out better for you. At least that's my personal opinion on it.

Brooke:

Yeah, and to be clear, which is probably not what you're talking about, they're not going to piecemeal the whole thing. It'll be like I was talking about: an initial upfront quick list of here's what I have ready; cool, we can proceed to the next phase, which is you proving that you're ready, and it's going to cost this much, $5,000 or whatever it may be, to look through some of this documentation and see that you really are ready. And after that, they can say, all right, to do this it's going to be $50,000, or whatever the cost may be at that point. And once you pay that $50,000, you are on the hook and you do go through it. And if it turns out you do fail one of those five-pointers at that point, even though you've tried, and the assessor has tried to make sure that you're ready, because you just don't know a lot of those things, if you do fail one of those three-pointers or five-pointers, then there's not much that can be done.

Austin:

Exactly. That's exactly what I'm trying to say. And I just know, in dealing with a lot of business owners on quotes and such, that a lot of times it's just, give me the brass tacks, I want the price for the whole thing up front. Which I completely get, but for something like this, it doesn't quite translate. So if you're wanting to get that, it might end up biting you in the rear on this one. And the other thing I was wanting to bring up, in terms of you talking about booking the assessment early: we were at CIC Southwest last week or the week before, and it just didn't click for me. I'm sure we've read it or talked about it, but with all these changes coming, there's going to be a NIST provision for the 800-171 or something, and there's some time frame where, if you get assessed earlier, you get to come in under the wire with the less stringent, or at least not changed, requirements, instead of having a whole new set of requirements that you have to adhere to. Can you explain that for us?

Brooke:

Sure. You're right. So, actually, Revision 3 of NIST 800-171. To back up a little bit, NIST 800-171 Revision 2 is hard-coded right now for CMMC, so that's what you're held against; those are the controls you're measured against. However, NIST 800-171 Rev 2 has been superseded by Revision 3. This was a big deal when it came out, and everybody, including us, was running around like chickens with their heads cut off going, oh my gosh, we've got to change everything now, and CMMC isn't even out. And they said, oh, don't worry about it, it's just going to be Revision 2. Oh, thank goodness. Just Revision 2. Good. That's all we have to worry about: the controls and everything that we have been having to worry about the whole time, and it's not going to change right now.

Well, the next major revision comes after they get this required on contracts through the 48 CFR, when it finally comes out, sometime soon. Who knows? Maybe into Q1, probably beginning of Q2, whenever that 48 CFR comes out that requires CMMC on contracts. So whenever that comes out, after that, they're going to start working on the next major revision, which will include Revision 3 of NIST 800-171, which means it'll probably take a year and a half-ish. Who knows? But on the timeline of CMMC, that's not that long. And I don't know about you, but I can't believe it's already March of this year. So the point being, time is flying, and Revision 3 of NIST 800-171 will be coming. And it would be better to go ahead, if you can, and get certified on Revision 2, because once you get your certification, it's good for three years. And if a change comes out for Revision 3 during those three years, your Level 2 certification is golden and good until it runs out, and then you have to worry about Revision 3. Well, you probably want to plan for it, but other than that, your certification itself is good for those three years. You don't have to be reassessed or anything. So that's really good, because likely there's going to be a lot of people that get assessed and then that change is going to happen.

So if you look at the timeline, and I'm just spitballing here, this is nothing official, I promise, but just from a guess, kind of what everybody's looking at, you're looking at maybe June or so. So if the 48 CFR comes out in April, you've got to give it 60 days. So it's April, May, June. So if it goes final and official in June, that means that first phase starts, and you have until June the next year. Phase one is only self-attestation. It's more serious, but it's self-attestation, pretty much what you've been doing all along, except that you'd better be doing it right. So self-attestation for the first year. Each phase is a year, and there are four phases to it. The second phase, which starts in June, or I shouldn't say it starts in June, about June of 2026, is when it will actually start being required on contracts.

Austin:

Okay.

Brooke:

There are caveats to that, and I'll mention them in just a second; we've mentioned them several times. But you're looking at maybe June of 2026 for it being required on contracts, which means potentially, potentially, that you might not have to have your Level 2 certification until later in 2026, or maybe even the beginning of 2027, when they say, okay, it's time, you have to have it. Well, it's very possible that by that time Revision 3 could become codified in the DFARS rules and CMMC, and you might have to change gears a little bit and be compliant with Revision 3. So that's kind of what we're talking about here. If you get assessed right now, or sometime before then, on Revision 2, what everybody's had to worry about the whole time, then that'll be good for three years, and you don't have to worry about Revision 3. Revision 3 is not terrible, but there are changes. There are still 110 controls, but they're not all the same 110 controls. They combined some; they added some. So Revision 3 is a change, and it'll be better to get ahead of the ball on that one as well. And again, that's another reason not to wait.

Austin:

Just thinking about 800-171 Rev 2, because that's the one that's hard-coded right now, right? Yes. There's a lot of things that have taken a while to come to accepted practice or consensus in the circles. So we're benefiting from that in this time frame for Rev 2: knowing what assessors have said they will pass, what the general consensus is, what the government and Department of Defense are saying they're comfortable with. And all that collective information gives us, and y'all, an action plan on how to implement these controls. And with Rev 3, for some of those changes, you kind of start that time frame over again. So it just decreases your risk profile in terms of getting denied certification.

Brooke:

So get assessed on something you know.

Austin:

Right.

Brooke:

Not something that's brand new.

Austin:

Exactly. Let someone else do that. What should businesses, if you're an aerospace manufacturer, a defense manufacturer, or just a defense subcontractor somewhere in the supply chain, what should they take away from today's episode?

Brooke:

Well, CMMC is here. The rest of it is coming. It's not stopping, it's not going away, it's coming. Your SPRS score (your "SPUR" score, for some of those other folks out there) is very important. Make sure you know where it's at and where it needs to be, and start working on that. Self-attestation is largely going to go away, not completely, but most folks likely will fall into the realm of needing to be Level 2 certified. If you're Level 2, the likelihood is most of those are going to have to be Level 2 certified, not self-attested. Your supply chain, your vendors, the flow-down rule: that's a real thing. You've got to make sure that your suppliers are covered, and all your vendors, all your service providers, right? So we're a service provider for our clients. We don't have federal contracts; we work for people that do, and we help them with all this. So we are one of their suppliers, one of their vendors, one of their service providers. So make sure all the people that help you out with your business are compliant where they need to be. Don't shortcut it. Don't assume that, well, we say this is not CUI that we're handing down to these folks. You'd better be able to prove that to an assessor and have them understand that, oh yeah, they're not covered in this, right? So assessments will be in high, actually, I was going to say they will be in high demand. They are in high demand, and that will not slow down for probably the next four or five years. Maybe four years. But it's not going to slow down, because there's only a certain number of C3PAOs and assessors, and there are 80,000-whatever companies in the DIB that will need to be certified. So that's a lot of work for not very many C3PAOs. So they're in high demand, and just realize that as you're getting ready for all this.

Austin:

If you don't mind me adding one in there. Sure. You're talking about the supply chain, and because we're IT providers, it's top of mind: make sure you ask your IT provider, if you're using someone that's outsourced, whether they intend on getting certified themselves, because they need to be certified. And if they're not, then you need to ask them if they can pass the assessment with you, because, by the way, you're going to have to pay for that. You're going to have to pay for the additional hours it takes for them to assess your IT provider. And if they fail, you fail. So before you reach out to an assessor and get a bid and start spending money, talk to your IT provider first if you're outsourcing IT, because that could be a hidden little gotcha if you're not looking at it. I think we've mentioned that in the past, but in terms of action items, I just want to throw that in there. So we have a PDF where we've collected a lot of this information, and we're going to drop it in the description down below. So check that out and download it. If you're bad at taking notes like me, I always like to have something to reference, so you can take that with you. And if you have any questions about what we covered, reach out to us, please. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share, please.