CMMC Compliance Guide

CMMC Compliance Consulting vs. DIY Compliance: Which Is the Smarter, More Cost-Effective Choice?

CMMC Compliance Guide Episode 14

Submit any questions you would like answered on the podcast!

In this episode of The CMMC Compliance Guide Podcast, Brooke and Austin dive into a key question many DoD contractors face: Should you handle CMMC compliance yourself or hire a consultant?

We break down the risks, costs, and benefits to help you make the best decision for your business. Discover the 6 major risks of DIY compliance, including:

1️⃣ Losing DoD contracts due to non-compliance
2️⃣ Keeping up with ever-changing CMMC requirements
3️⃣ Hidden costs that make DIY compliance more expensive
4️⃣ The gap in IT teams’ compliance expertise
5️⃣ Security risks that linger even after passing an assessment
6️⃣ How CMMC assessors prioritize well-prepared organizations

🎯 Whether you’re starting your compliance journey or stuck midway, this episode offers actionable advice to help you stay compliant and secure.

🔗 For expert guidance and resources, visit https://cmmccomplianceguide.com/

👍 Don't forget to like, comment, and subscribe for more tips on achieving CMMC compliance with confidence.

Austin:

Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin and I'm Brooke from Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're tackling a question that a lot of DOD contractors wrestle with. Should you handle CMMC compliance in-house or should you bring in an expert? We'll break down the risks, costs, and benefits so you can make the smartest decision for your business. So at first glance, doing CMMC compliance yourself seems like the cheaper option, right?

Brooke:

Oh, absolutely.

Austin:

There's no consultant fees, no outside providers, IT providers that is, to worry about. It's just you and your internal IT team and compliance team handling the process. But I'm here to ask you, what are the real trade-offs of that?

Brooke:

Well, really, you know, if you just read those controls and you just implement those controls, that's all it really is, right? And, you know, not exactly. So really the trade-offs are, you know, if you have a team, an IT team, and they're well-versed in compliance, maybe different compliance regimes, then they may understand this, and they may understand that there's more to it. If you have a CMMC expert in-house, somebody that's gone through the trouble to learn about it, to go get certified, all that fun stuff, then yes, you can absolutely do it in-house. And you can do it in-house, too, if you want to take the time to. You really should get certified because it helps with the knowledge, but at least go through the training. Reading Reddit doesn't do it. Now, to be clear, Reddit is a good source of information, but you have to take it with a grain of salt and kind of sort through it, just like asking AI questions, because AI gets things wrong and, you know, Reddit is just a plethora of information. You have to pluck out the good stuff and figure out what's really good, what's really accurate. You really use it to hone your search more than anything else. But if you don't have that time to really invest in it, the team to really take and go through all that training and everything, really it's best to find somebody to help you, somebody that has that expertise, somebody that's certified. Last week we might have gone through and talked a little bit about the different certification levels, RP and RPA, what an RPO is, and then the CCP and CCA and the C3PAOs and all those acronyms. But you need to understand what those are and look for folks that are certified and able to

Austin:

help. I didn't work with a guy, but I used to know a guy that got annoyed with everyone's degrees and their offices and stuff, and so he got... and printed out a degree from Google and put it up in a frame. So that's not good

Brooke:

enough? Generally not.

Austin:

Well, good to know. So Google and Reddit don't work.

Brooke:

And that's not to, again, Reddit is a good source of information, but just use it for what it is. And it's a plethora of information that can be right, wrong, or somewhere in the middle. So I'm not saying don't partake in that.

Austin:

Good place to start, but probably best to go to the conferences and then go do the trainings and actually go through the certification process?

Brooke:

Going to the conferences, going to CMMC-specific conferences, go through the training, get the certifications, get your registered practitioner, registered practitioner advanced if you want, CMMC-certified professional. You can do the CCA, the CMMC-certified assessor as well, although at least do the training of that. If you don't want to be on an assessment team, you could probably do the training, and that training is very helpful.

Austin:

Next question for you is, we work with a lot of companies that decide to either fully outsource and hire somebody or sometimes decide to do it in-house themselves. So the question is, what are some of the biggest pitfalls you see when companies try to go DIY with their CMMC?

Brooke:

Well, the biggest pitfalls when somebody tries to go DIY or, shoot... probably 90% of everybody up to the last couple of years is misinterpreting the controls, misinterpreting CMMC and what we're supposed to be doing. It takes a lot of learning, a lot of just delving in, jumping in, and not just reading the 800-171, but reading the frameworks, the 800-53 and other things that it refers to, understanding where it comes from, what it's really asking for, and all that. So it's misinterpreting the... and I kind of referenced it in the first question you asked me. Don't we just read the control and just implement the control? It's not that easy, because it doesn't necessarily always mean what an IT guy like me or you or what a bunch of IT guys would think it means.

Austin:

Yeah, and this latest conference that we went to, I think it was CIC Southwest. Southwest, yeah. That's what it was. Yeah. We were talking about that, and we were looking at one of the images, which was of how all the documents reference each other and how it was all visually laid out, and it looked like a complete spaghetti meatball mess. And then the other thing was that NIST 800-171, all the revisions, is not written for someone who has an existing network. It's written like if you were to start from zero.

Brooke:

You know, they brought that up at this last– remember who talked about it, but somebody talked about that and I thought, well, you know, that's actually a very good point. And they're right in that, you know, 800-171 was envisioning basically setting up a network from scratch. You know, it's not taking your network that you've had in place for, you know, 20, 25, 30 years and then, you know, trying to shoehorn CMMC into it.

Austin:

And so that alone is a pitfall, you know, what's missed by... you know, just that being written for a, you know, a blank slate,

Brooke:

you know? Yeah. Not only that, the CUI, the physical CUI that you had around that wasn't CUI way back when, you know? Uh, yeah, there's, yes, absolutely. There's a lot there.

Austin:

Yep. There's some, some dust covering some CUI and some people's offices. Moving on a little bit further down that, um, line of questioning for DIYing your CMMC. I'm sure I'm going to mess that up by the end of this episode.

Brooke:

DIYing, is that a word? It

Austin:

is on HGTV. That's where I got it from. I guess, I don't know. Let's dive into the six major risks of DIY CMMC compliance. Let's start with the biggest risk, which is losing contracts, right? What happens if a company missteps in compliance?

Brooke:

That could go a lot of different directions, none of them really good. So if you misstep, it could mean that you have to rework your solutions, whatever you came up with to meet a control or some controls or whatever it may be, whatever that misstep is, you know. You might have to rework things, which would honestly be the best out of all that. You could get dinged for it during an assessment. It could be something you can't POAM, and therefore you just fail the assessment. And then you have to start all over, and you have to spend all that money all over again. They do try very hard for that not to happen, to ask all the appropriate questions up front before you get started so that doesn't happen, but it still can happen. I mean, it's not like they get all the details and go through all the details, because that's work they have to do, right? But that's a different subject. So you could fail an assessment. Or if you have a contract coming up that requires a CMMC certification assessment and your Level 2 certification, you have to have that Level 2 certification in hand before you can be awarded that contract. So you could either lose a contract or you could, if you completely misstep and say, hey, you know, I don't actually meet this, I said I did, you know, that would be really bad. Or you could lose upcoming contracts.

Austin:

Well, another thing is that, you know, CMMC is always evolving.

Brooke:

Is

Austin:

it? Yes, yes. Constantly. A couple new updates this year alone, right? But it's always evolving. How do companies keep up with that?

Brooke:

Well, the way your company keeps up is there's got to be, really, somebody has to have the title of CMMC evangelist or CMMC expert or something. It's got to be somebody's responsibility to keep up with CMMC. Just like we talked about a minute ago, you know, they'll want to stay up on the training, go to conferences, attend meetups maybe, you know, but stay up on this. There is a lot to this and it changes from time to time. It's changed over the years since 2017 when we got involved. It's changed a little bit. And so there's got to be somebody dedicated to go through this, and really a team, but somebody dedicated to go through this and make sure they're keeping up with all the latest, and not only the latest changes, but making sure they have the latest understanding of what things mean.

Austin:

To piggyback on what you're saying and kind of something you said earlier was, you know, Reddit and Google are great, but they're not the end-all, be-all. It's not going to get you compliant. If you are a quality manager, IT person, whatever, you're the CMMC evangelist at your company and you guys have decided to DIY your CMMC compliance, then you really need to make sure, and show them this episode, that your boss knows that that $1,000 ticket for one of the CIC events or conferences is important and needs to be paid for. It really is important that your boss, or whoever your leadership at your company is, knows that those conferences are important and that you need to go to them. And that that plane flight is important, and that hotel bill is important too. And that all adds up, that's a couple thousand dollars, you know, but if you're going to DIY it, that's a cost that you're signing up for to DIY. Because there's not a good replacement currently for the information and perspective that's shared at those. And just doing a certification course is great, but you don't get access to all those people's perspectives and sessions like you would at the conference. And I would say a course or Google and Reddit are not sufficient. You really need to go to those.

Brooke:

You do. And you can interact with a lot of people that are really experts in their field that way, attending those things. Attending the Cyber AB town halls, the monthly town halls, is a really good thing to do. They answer as many questions as they can during that. It's a really good source of information. But you really have to stay up on that information. You have to stay current. And the whole CMMC thing is about ongoing management of everything. And you can consider all this learning, you know, it's learning and keeping your learning moving forward. We're kind of used to it in the IT field, because if you don't go to training, then you kind of fall behind very quickly.

Austin:

Yes. Yeah. That's no joke. I mean, what the courses and Google lack, and the publications alone, is that gray area. And that's what the town halls and the conferences fill in for you, is that gray area where, well, it says this, but what does that really mean? It provides that perspective so that you're doing what's accepted practice, so that when that assessor shows up you're not getting, you know, caught surprised.

Brooke:

The other thing I might add in there is that it really depends on what sort of system you have, what your system looks like to implement CMMC on, because there are lots of different ways, lots of different things, and things you hear on Reddit and whatever else may not be exactly correct or may not apply to you. But the other thing, going to conferences, most of those experts will give you their thoughts, but they'll stay away from giving you exact advice on, well, what about the CNC machine and what about this and how should I do that? That really gets into consulting. And so that's where, you know, do I need to go hire a consultant? Or just networking with folks there and talking to them and saying, hey, how are you handling this? How are you doing this? How are you doing that? And getting that information can help out as well.

Austin:

Next one is a lot of companies assume DIY compliance is going to save them money, but what is the hidden cost? I think we've already mentioned a few items, but what is the hidden cost of DIY compliance?

Brooke:

Well, really the hidden cost is when you start out wanting to DIY, we've just got to look at these 110 controls and read them and just implement it. That's all we've got to do. So you think you're going to save some money by not hiring somebody, but what hiring somebody good with expertise can help with is cutting to the chase and saying, this is what this means. This is what this control means. This is what you have to do. This is all the documentation you need for it. And in your network, these are the things you have to consider. And you could do it this way or you could do it this way. You know, going to all these conferences, you can't skip the training. You can't skip all the learning. You can't skip all the experience with all this. You've got to go to these things and you've got to take the time to do that. So all the time and expense of learning is very important.

Austin:

Another one we see a lot is that most IT teams handle security, cybersecurity, right? They make the assumption that IT security and compliance are pretty equivalent, but we know it's a completely different beast altogether, right? So what's the key difference between IT security, cybersecurity, and compliance.

Brooke:

So really, just because you are secure does not mean you're compliant. Just because you're compliant also does not mean you're secure. And if you want to be technical about it, to really be secure, you really want to follow some sort of standard, right? Whether it's CIS, whether it's NIST CSF, NIST 800-171, and CMMC, whatever it may be, you want to follow some framework because that'll give you something to shoot for rather than going, we follow best standards. And what are those best standards? Well, and you can explain what those are, but how did you come up with those? A good cybersecurity framework gives you a good place to start. So really, when you think about it, Security can start with a good compliance framework, but being compliant doesn't necessarily mean you're secure. But compliance also addresses all the documentation, all the proof, and of course meeting those specific standards, but all the documentation, all the proof to go along with it.

Austin:

I view compliance... as kind of a CYA, cover your assets. I

Brooke:

don't know why I'm laughing. I think I've heard that before. It

Austin:

is funny. I thought

Brooke:

you were going to say something else for a second. Go

Austin:

ahead. The way I view compliance is that if you're going to go to court, sit in front of a judge and jury, and you had to argue the case that you were secure and you did everything and all your due diligence, you could either go with Austin's cybersecurity best practices, which is me and what I decided alone, or, what's an easier case to argue in court, I used this standard that was accepted and published by X, Y, and Z. It's accepted by many, you know, these compliance regimes use it, and this is what we followed, and here's how we followed it, and we still got hacked, but that's okay because we did everything we could, and sometimes you just get hacked. And we're not liable because we did everything. We did our due diligence. That's kind of how I view compliance and cybersecurity frameworks: if you follow one of those, you're not the one that's going to take the fall. It's the standard of the compliance itself that takes it, right? So it kind of removes the liability off of you being the person that says you're good, rather than you followed the framework.

Brooke:

You know, I like that, and yes, that's correct. Another thing, I was on another webinar yesterday, and something related came up. Now, this is one person's opinion, but it sounded good to me. What he said was, you need to be following some sort of compliance standard, just like I talked about a minute ago. Of course, that does not mean you're secure. You've got to make sure you go through it and actually implement things that are meaningful. But if you follow a standard, that's the first thing. But if a lawyer has to go to court to defend you, he would rather back you up on something that's backed by the federal government, aka NIST, than something that's not, like CIS. I happen to like the CIS standards, but that makes a difference. Is a lawyer going to have to defend you based on something the government put out or based on something a nonprofit put out? I think CIS is fine. But, you know, I understand that. The government doesn't like to admit that they're

Austin:

wrong.

Brooke:

Right. And a judge and a jury probably is going to find a little bit more weight behind NIST than something

Austin:

else. So another pitfall is when companies think that they're already compliant and already secure. The companies that are just confident that they're compliant and secure, what risks do they face?

Brooke:

Really, CMMC is not about checking boxes. It's about reading the controls, understanding controls. And also we have to implement the CMMC portion of it. But understanding those controls, reading through them, and implementing them as they're meant, which also requires reading the background documentation and standards as well. That would be the risk is you actually aren't covered like you thought you were unless you've done all that work in the background.

Austin:

Are you talking about documentation again?

Brooke:

If you've watched any of our episodes, yes, I'm talking about documentation. But I'm also talking about documentation requirements. Other than that, it's documentation. Documentation. So, yeah.

Austin:

Stacey puts up this little thing. Oprah Winfrey, right? Yeah. It says documentation, documentation, documentation. Yes. We've memefied you.

Brooke:

Right. I wonder if I'm going to see myself around the internet with the documentation thing.

Austin:

I may have brought that up just to do the thing. There you go. There you go. So another pitfall, I think the last one we have, is how does being unprepared affect a company's assessment timeline?

Brooke:

I mean, if you're unprepared for an assessment, then you really can get behind the eight ball very quickly. I mean, I guess if you're unprepared, you're already behind the eight ball, but you would be behind the eight ball a lot further than you really realize. It takes longer to implement some of these processes, some of these things, than you think. It's not easy just to spool up a GCC High tenant and get everything migrated over in one day. It's not exactly that easy or quick. But what's also not very easy or quick is getting a C3PAO to come do your assessment. If you're not ready, you've got to get ready and make sure you're ready. Make sure all your I's are dotted and all your T's are crossed. And you have all your documentation, your SSP. You've completed your POAM. You've got all your policies and plans and procedures. You've got all your proof ready. Okay. Make sure you have all that ready. They'll ask for proof again. But make sure you have all that ready and give them a call and say, hey, we need to get on your schedule. And they'll say, great. It's April. So that means April, May, June, July. We can fit you in at the end of July. And you're like, well, I've got this contract I'm wanting to bid on. Well, you can bid on it. But you won't be able to win that contract. If they award it to you, then you have to have that Level 2 certification, right? And, of course, there's more caveats there, but that could be a scenario. It absolutely could be a scenario you face: not being prepared and then not having the time to get that C3PAO in, get everything done. And, again, if that C3PAO is four months out, it may take them two months or so to complete. So you're looking at the very least like six months, if not longer. The closer we get, I might add, those C3PAOs are probably going to fill up even more. That's right now, when it just kicked off and when people are just doing this voluntarily.

Austin:

Moving on a little bit past DIY to hiring a consultant. If a company decides that DIY compliance is not the best path and they want to hire a consultant, what should they look for? in that consultant?

Brooke:

Well, they should look for somebody that has the expertise, right? Somebody that does this. It's their business. We talked last episode, if you happened to watch that, about the difference between RPs, RPAs, CCPs, and CCAs. And so now to explain a little bit of that again, an RP is a registered practitioner, and it's the low bar for entry. And it takes a few hours' worth of watching a course and then a quick exam. I don't remember how long the exam was, but we've been doing this since 2017. And so I was able to do that and get it completed pretty quick. And truthfully, some of our other employees that haven't been doing this that long, they were able to get it done pretty quick too. In other words, RP is not really that hard. So really the minimum barrier to entry would be the RP. RP Advanced, I haven't bothered taking the time to do that. I understand that it's better than RP. It's a little more involved, but it's still not the next level. And those are Cyber AB certifications, or registrations really. They're not actual certifications. The next one would be a CMMC Certified Professional, a CCP. A CCP is going to know quite a bit more, but they take a test and that test is not easy. You've got to put on your studying hat to get that test done. It's not the hardest thing I've ever done, but it's not an easy test to pass. So somebody that has their CCP has some good knowledge behind them, right? I might step back just a little bit and explain an RPO. An RPO is a Registered Practitioner Organization, and that is a company who has RPs that work for them. So we have RPs that work for us, so we're an RPO. But we also have one CCP, and we're working on some more CCPs. CCP, I might add, the actual training and testing really is focused around the Level 1 controls. In the training, I don't know if this was just unique to Edwards Performance Solutions that I took.
I don't think it was. I think it was because of the good training they had or the good book and everything. They went through every single control. They talked about everything. So it was a good set of training. We discussed a lot in class. If you go and do CCA, then your CCA is a CMMC Certified Assessor. That's a high bar. Also, those people, CCPs and CCAs, have to pass a Tier 3 background check also. So there's more to it than just that. CCAs also have some other high bars they've got to meet. But I can tell you that most CCAs are probably not going to be doing your implementation. They may be helping out an RP that needs some help or something, but they're not going to be actually doing and helping out with your implementation. They've got enough assessments. They're going to be working on those. But look for an organization that has RPs, RPAs, CCPs. Those are really the keys. CCAs are a nice-to-have, but I really think most of those are going to be working on assessments.

Austin:

What about businesses that have already started a DIY business but they're struggling and realized, okay, maybe I want to bring in a consultant midstream.

Brooke:

I don't think we've run into any of those, have we? I think they're all of them. Really, that's just fine. If you've struggled, that is a lot of people, to tell you the truth, because nobody wants to go out and just spend a ton of money to get this done. But at some point, most people realize, unless you have a team, like we said earlier, that you can get certified, send to all these trainings, send to conferences, all that kind of fun stuff, and really that becomes their life. Unless you have a team you can do that with, then it makes sense to move on from DIY to having a consultant come in and help you to some degree through the whole process or whatever. So most people will start out DIY and then say, you know, this is a lot, and I need somebody to help. And yes, hire a consultant, come in, see what you have. They can do kind of a gaps assessment and figure out where you're at and what you need and move on from there.

Austin:

Yeah, that's typically what we'll do is someone will come in and say, we've been trying to do this. And then they're like, we need some help. And they always want to figure out where they're at first. You know, see how far they've gotten along themselves.

Brooke:

Yeah. And what I will say is most people that DIY, they get into it and they say, we need some help. And so you'll come in and you'll say, okay, well, you know, what kind of CUI do you have? And they'll say, well, I don't know. So the very basic stuff is, hey, figure out what kind of CUI you have and figure out where your data comes in and goes to, your data flow diagram. Those are key to understanding everything else. But that's mostly what we hear when people ask: what kind of CUI do you have? I don't know. Do you have any idea where it comes from, where it goes? Well, not really.

Austin:

Well, since we're on the topic, we'll kind of go ahead and jump into it. What can companies do if they want to be proactive to best approach CMMC compliance?

Brooke:

Start with a gaps analysis, right? And figure out where you're at, figure out where you need to be, and that would be the gap, right? Right. So start out with your gaps analysis. Invest in strong documentation. Strong documentation doesn't necessarily just mean the documentation itself. It means managing that documentation. And what are you going to do with that? Well, that probably really means investing in a GRC tool, right? Having a good GRC tool you can use to keep track of everything, keep it updated and understand what you have there, assign it to certain people. You can certainly just have it on the F drive or whatever, you know, but it's hard to assign things to people out of the F drive, right? So a good GRC tool helps with that documentation, good strong documentation and documentation management. Don't wait on it. I feel like a broken record here too. Don't wait. So you've got to get started now. This is way more in depth. If you're trying to DIY it, you know, you need to start, because you need to really understand it. You need to really jump in and really understand, learn, and figure out what this whole CMMC thing is all about. So don't wait. Start now. There's a lot more to this, and things take a lot more to implement than you realize. Really consider hiring an expert to come help you. And we talked about what certifications an expert might have, you know, looking and making sure that this is the type of work they actually do, and that they really understand it. But getting an expert to come help will shortcut that. Yes, you'll have to spend money on an expert, but that'll save time. It very well could save you some money in the long run too. So those things would be very

Austin:

helpful. And we should, on one of these episodes here soon, have a guide of sorts that is coming out that will help you navigate that process of who to hire, what to look for, et cetera. So look out for that. Let's sum it up. I think we're getting towards the end of the episode. If you're a DOD contractor, what's the key takeaway

Brooke:

here? The key takeaway really is that CMMC is not really just an IT issue. It is really a business issue. It involves the whole business. Really, only a small part of it is IT directly, right? There's a lot of IT folks that are involved in this because of the nature of it. But it's not just an IT issue. It is a business issue. If you don't have in-house expertise or the ability to get your in-house folks up to speed very quickly, then that can cost you more down the road, and maybe lost contracts, lengthier implementation times, or having to rework things. That can cost you a lot more down the road. Consider bringing in an expert to help you out to shortcut that. A lot of times you'll be spending less in the long run, believe it or not, but that can really help.

Austin:

If you have questions about what we covered, please reach out. We're here to help fast track your compliance journey and send us your questions. We'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay

Brooke:

tuned for our next episode. Until then, stay compliant and stay secure.
