
CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC Day 2025 Recap: Key Takeaways, Real-World Mistakes & What SMBs Must Fix Now
Get the latest insider takeaways from CMMC Day 2025 straight from Washington D.C. In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down the most critical updates small and midsized businesses (SMBs) in the defense supply chain need to know now.
We cover:
✅ Why CMMC is NOT going away (despite what skeptics think)
✅ Critical mistakes businesses still make with SSPs, scoping, and access control
✅ Real-world assessment horror stories you need to avoid
✅ Why subcontractors can't hide in the supply chain anymore
✅ Tools, technology, and zero trust lessons from the show floor
Whether you're a manufacturer, IT lead, or compliance manager, this episode delivers actionable insights to help you stay off the DoD's naughty list and win more contracts in 2025.
🎯 Need help? Get your free SPRS Score Roadmap → https://cmmccomplianceguide.com/free-sprs-roadmap
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free, so if you want to tackle it yourself, you can do so. Let's dive into today's episode and keep your business on track. This episode is for those that couldn't attend CMMC Day 2025. Brooke, you were there this past Monday.
SPEAKER_00:I was. Beautiful Washington, D.C.
SPEAKER_02:Absolutely. You got to sit in on all the sessions and supposedly came out with a ton of insights.
SPEAKER_00:Yeah, CMMC Day was great. There was a lot of really good information.
SPEAKER_02:Well, today I'm going to grill him on what stood out, what matters most for small businesses, and how to make sense of it all, even if compliance isn't your day job. What were the biggest themes this year at CMMC Day 2025?
SPEAKER_00:As far as the overall themes, one of them was clarity. They continue to provide clarity on what's happening, what's going on, and that nothing is changing. There's a bill before Congress to basically do away with CMMC, and it would be very, very surprising if that happened, put it that way. But there's continued clarity that there is a schedule, they're holding to it, and this is moving forward. That light you see in the tunnel is the CMMC train coming towards you. So you need to get ready. Another thing is phased rollouts. We're waiting on the 48 CFR, right? 48 CFR is what puts CMMC in place on contracts. The 32 CFR rule that just went final at the end of last year, in December, is what clarified CMMC and defined CMMC. Now, the 48 CFR is what will put it in place on contracts. That has been pulled back just for review. They still expect it to come on through. They've asked for an exception to a rule, and I don't remember the specifics, but they've asked for an exception on this because it has been in the works for years and years. We're at the finish line. Can we go ahead and move this rule forward as is instead of going back through and reproposing it, or reworking the whole thing? So they're trying to do that. We'll see where that goes. But this 48 CFR will come through at some point. We don't know exactly when. There is a very good likelihood that they'll grant that exception, because it does deal with defense, right? And that's a huge deal. In fact, there was a good session from one of the country's largest privately owned defense contractors. You all might know who that is. Anyway, there were some very good stories about the theft of intellectual property and everything from us by the Chinese that's been happening over the years. And, you know, you hear about all this, and we've got all this floating around in our heads, and we know it.
But, you know, hearing these stories put together and talked about as a whole is very, I don't know, humbling, enlightening. It was enlightening, but we already know the information, you know, but it was very insightful. Yes, thank you. You know, the other theme they talked about was that you're not going to be able to hide further down in the supply chain anymore. A lot of people are subcontractors of subcontractors, or even subs of subs of subs or whatever. And so they talked a lot about that. There's more and more pressure from primes to say, hey, are you on the certification schedule yet? Have you contacted a C3PAO to get certified for Level 2? So there's more and more pressure because, after all, they're a contractor to the federal government. Nothing is assured, so if they don't have all their subs in line and can't say, yes, we're ready and all of our subs are in line, they're going to lose out on contracts, and they don't want to do that. So they need to make sure their subs are ready to go. With the flow-down rule, the subs also need to make sure that their subs are ready to go, and all that kind of fun stuff. So you're not going to be able to hide as easily down the supply chain anymore.
SPEAKER_02:Well, I sure know a couple people that are really betting on that bill to pass.
SPEAKER_00:Yeah, yeah. There are people out there that are really, for whatever reason, they just know that CMMC is not going to happen. And CMMC doesn't have a good track record, so I understand that. But it's coming. So one way or another, it's coming.
SPEAKER_02:Let's talk about some real-world assessment lessons you had mentioned. What are people still getting wrong?
SPEAKER_00:What are people still getting wrong? One of the things is your SSP. Some people make it eight miles long and some people make it just as short as possible. You know, porridge too hot.
SPEAKER_02:We will protect CUI, done. Yeah.
SPEAKER_00:Porridge too hot, porridge too cold, right? But it's got to be just right. Really, the SSP has to have some very specific, very detailed information in it, but you don't need to make it eight miles long, right? So the SSP is one of those things that people are still getting wrong, and that causes them more work or possibly even to fail an assessment.
SPEAKER_02:So how does someone get an SSP right?
SPEAKER_00:Well, for the SSP itself, like I said, it's tough without going into each of the controls, but you have to give an overview with some specifics in it. This is how we document all the users. This is what we do. This is how it's authorized. And it's referenced in this policy, in this plan or procedure or whatever. So you say those kinds of things in the SSP. And that helps out a lot because it gives them a good overview. It shows the assessor that you actually know what you're talking about and you actually have something in place where they can go get the details. They'll probably need to go look at the policy. But that's kind of a high level of how you would create a good SSP.
SPEAKER_02:So it's kind of at the top of the hierarchy of the rest of the policies, and it references and points to the other things. It doesn't necessarily address incident response in its entirety, but it'll point to the incident response policy. And then in that you...
SPEAKER_00:Absolutely correct. That's absolutely correct. But you also can't just say "see incident response policy." You've got to give a high-level overview with some details in there about how it's done. Because those SSPs, people are going to ask to see them. Vendors are going to ask to see them. Not vendors, but your primes and whatnot. Can we see your SSP? That's a whole other discussion, but they may ask to see those. You want to have a little bit of detail in there, but not too much. Assessors, again, want to be able to read your SSP and say, all right, I have a good idea that they've got these things implemented correctly. Of course, the devil is in the details, but the SSP is one of those things. Another thing is poor scoping. People either scope in too much, or they don't scope correctly. If you scope and say, I'm going to have my enclave, and while everything might be in the enclave, you print outside that enclave, or you connect to an unsecured computer outside that enclave, then you've just pierced that enclave, and your scoping isn't correct. And by scoping too large, if you go and put everything in scope, that's going to be right for some people. It really is. But for other people, it's not. If you can scope and make a true enclave, that's a lot better way to handle it, because your CUI scope is what you really have to tighten down on, and the amount of stuff that you have to tighten down on is going to be a lot smaller. So...
SPEAKER_02:It's a problem with going and buying a template or asking ChatGPT to make your SSP, because everything leads back to the scope, if I understand it right. That scope, you really need to define very intentionally. Right. And then comes the SSP, then come the policies, then comes the implementation. So it's all sourced from the scope, and you really have to get that correct. And jumping to an SSP template or ChatGPT is not necessarily going to serve you well.
SPEAKER_00:Data inventory and scoping is where it starts. You've got to know what you have and how to protect it, and then you've got to know where to protect it. Or if you're creating something new, or want to create something new, you want to limit your scope. How do I limit that, and how do I scope this properly where we can do this? So some companies can do that. For some companies, for their workflow or whatever they do, it just doesn't make sense, and it makes more sense to make your scope a lot wider and to maybe scope some things out, like your accounting system or whatever it may be. But scoping is an issue, and understanding your scope and knowing that... anyway, your scoping is everything. The other thing is, the assessor is only going to assess what you tell them is in scope. Whenever they assess you, if they find out, if some employee says, yeah, no, I don't just use my work computer, I use my home computer too. And they're like, well, are you sure you use your home computer? So that may call into question, is their scope proper or not? Did they do this right? Did they secure it right? So in general, the assessor is only going to assess your scope, and you don't have to worry about anything outside of it, unless something in the assessment leads them to believe that you didn't scope it properly or you didn't configure it properly or something, and there's data leaking out. Yeah. Scope is very important. Not only defining it right, but then protecting it correctly.
SPEAKER_02:And here in the near future, we're going to be doing an episode on scoping. That way we're trying to distill it down into core concepts in a podcastable little bite. So look forward to that in the future if that's something you're struggling with.
SPEAKER_00:Absolutely. Another thing is what I just touched on with scoping: the boundary of that scope, and is it a true boundary or not? So if you say I have this enclave here, and only what's in this enclave is in scope, and that's the only place CUI is at, great. But how do they get to that? Is there a computer inside that they have to go use or switch over to? How do they get access to that environment? Is it an RDP session? Is it a virtual desktop infrastructure? And is that VDI session configured properly? Can they copy and paste from it? Can they print from it? If it's a VDI session and you can map drives, copy and paste, or print from it from outside of that, from the computer that's connected to that VDI environment, then suddenly that computer comes into scope. So guess what? Your enclave just expanded to whatever is connecting to it. But they did say, there is some clarification that if you configure those VDI sessions properly... this is VDI sessions specifically, but there are other ways that you can pierce that gap accidentally or through misconfiguration. But in this VDI example, if you do have it configured properly, where there can't be any data taken out of that by any of the means we just talked about, then that is okay. The computer connecting will be out of scope.
SPEAKER_02:Yeah, and to reiterate that, if you're going through an assessment and you've got your scope defined, and then an assessor comes in and asks Susie, hey, how do you access this? And she does something that expands the scope. If you're printing or copying or accessing CUI where you shouldn't, but you kind of have everything defined in that scope, then suddenly once they figure that out, your scope, boom, expands, and it's kind of the end of an assessment. Is that right?
SPEAKER_00:Yes, unless it's... Different assessors may handle this differently. If it's something where you can say, USBs weren't blocked and they should be blocked, let me block those, and you come back and prove that and say we had this in place, we disabled it for whatever goofy reason, and now it's in place again, then there's a good chance that they'll be okay with that.
SPEAKER_02:A hole that's easy to plug.
SPEAKER_00:Yeah. But you really don't want that black eye when an assessor comes, I can tell you that, because that takes their trust level. If you've got a great SSP, great policies, they've looked at all that, and they're all happy with it, and they come to do the assessment and find something like what you're talking about, that trust level goes from up here... it just dropped a lot. So now they're going to be very suspicious of a lot of other things, and they're going to do a lot more checking. So you want to keep that trust level up here. And I'm not saying lie or anything like that, not at all, but you want to keep that trust level up here so they don't have to spend that time digging around and worrying that there are other things that are misconfigured.
SPEAKER_02:If you've gotten the scope wrong, then they start wondering where the heck else have they messed up, right? Because everything leads back to the scope. Like, I will have to go start checking. Maybe it's not the end of an assessment, but it certainly is the start of an end. Yes, yes. It's not a good thing. So moving on, you had mentioned access control a little bit and the simplification of it. What are people having struggles with? What is tripping people up about access control?
SPEAKER_00:Well, one of the things that's tripping people up is, as an IT guy, you ask me, do you have a list of authorized users? Well, heck yeah. It's in Active Directory, or it's in Azure. Yeah, I have a list of users. Well... that's the identity solution. That's not who you've authorized to access that CUI. It does contain the authorization, and those users, there can be accounting users there, there can be marketing users there. Sorry, but if there are marketing users, they don't need to access CUI. So you can specify who there is authorized to access that, but that's not a list of authorized users. Because probably every company has a cleaning crew, or people outside of that, people who work the machines, people who do whatever else, who may not have access to the system.
SPEAKER_02:People that need to access the facility or the computer system that don't access CUI as part of their job.
SPEAKER_00:Right. This is going to be a list of everybody that works for you who's either employed or contracted, right? And are they authorized to see CUI or not? Right. So that's going to be that. But that's not...
SPEAKER_02:If you're a... Sorry to interrupt, but if you're a manufacturer or someone that's a defense contractor, and you have an IT company, are they supposed to be on that list?
SPEAKER_00:They are. You need to have your IT company. You need to specify whether they're authorized or not and what they're authorized to do. They're not necessarily authorized to interact with the CUI, but they probably do backups of the system, and they're going to need to be able to restore, and that gives them the ability at some point to see it, and that has to be controlled and all that kind of fun stuff. Absolutely. And for most contractors out there, at least most that we run into, there are some where 100% of their business is defense industrial-based. It's for the defense industry. That's an easy call. However, for some of them, it's 60% or 25% or whatever it might be. And so guess what? Of all those people out on the floor, it may only be four or five of them that deal with the DIB portion of the business. And so who out there has the ability to see that information? So you've got to think about all that. And if you only have 25%, but everybody on the floor is authorized, then that's fine. But you have to list them out, even if they don't have an account in Active Directory, right?
SPEAKER_02:Let me throw another one at you. It's common that we see small and medium businesses where the owner, who doesn't perform most daily duties, isn't necessarily making CAD drawings or milling parts, and they're just looking at books and reports and stuff like that. Do they get access to CUI? Because usually they want the keys to the kingdom.
SPEAKER_00:They usually do want the keys of the kingdom. But in smaller companies, a lot of times the owner, general manager, whatever, is going to have a hand in day-to-day business, and they may need to help people with things. So that's understandable. But typically as a company grows, that GM, president, CEO needs less and less access to any of that stuff. Typically, they always want it, but do you really need access to that? So, I mean, a good assumption is that they don't necessarily need the keys of the kingdom. So really, identity versus authorization is what you're looking for. Not an identity list from your Active Directory. Also, is everybody in Active Directory in whatever application you might have? Is there a different set of users? How does that work? So it's not an identity list. It's an authorization list of everybody that's there. Can they access or can they not? Not only people, but think about devices. What all devices are on the network? Not just computers and Active Directory. What about that CNC machine? What about whatever it may be? What about that Echo that somebody plugged into the network? Should that really be on the CUI network? I'll give you a hint: probably not, but it probably is. If you're asking us, don't plug it into a business network. But that brings up a whole other topic. This is a little bit of a tangent, but if you have something like an Echo that listens to you, guess what? If it's in an area where there's CUI, it can hear people talking, and guess what, it's in scope now. So you have to think about that.
SPEAKER_02:Try and get Amazon to give you all the proof that they're certified and compliant.
SPEAKER_00:Right. You need it for that. Yeah. So to go on about access control and authorization and identity, things that people don't think about are service accounts and application accounts. You have an account that runs your SQL database. Good form is to create a separate account that these applications run in, and not just run them under SYSTEM or domain admin, right? You really shouldn't do that. So most people will create an application account or some kind of service account. Those need to be listed out. Do they have access to CUI or not? Anything that runs anything automated, scheduled tasks or anything else, you need to look at those and list those out and say yes or no, these are authorized to access CUI. So...
SPEAKER_02:My printer scanner needs to be an authorized user?
SPEAKER_00:Well, it needs to be on the authorized list, yes. So your printer scanner, absolutely. It's a device and it needs to be listed.
SPEAKER_02:I know we keep mentioning scope. Diving into that a little bit more, because it was a topic of some of the talks there, we just want to dive into where CUI lives and how a business might figure out where their CUI is really going and traversing.
SPEAKER_00:You know, there are a couple of keys to this. The first key is to figure out what you have. Do you have CUI? What kind of CUI is it? And if you're a manufacturer, hint, hint, it's probably controlled technical information, but not necessarily, I guess. So it could be something else. I think somebody at one of the conferences pegged it at 75% of this information we're talking about, because it's the defense industrial base, is going to be controlled technical information as far as CUI goes. Because the CUI registry is huge. There's a lot to the CUI registry: nuclear, PII, PHI, all sorts of fun stuff. You need to figure out what kind of data you have and whether it's specified or not, and what kind of dissemination controls are on it. Is it ITAR data? Does it have NOFORN on it, which is no foreign citizens, right? Only U.S. citizens. Similar to ITAR. With ITAR, for us, that's the biggest. Only U.S. citizens can see or access that data, right? So at which point, for instance, if we're talking about Microsoft 365 GCC or GCC High, that's what makes the difference, right? There are some other things there with GCC and GCC High and why everybody recommends GCC High and not GCC, but that's another whole discussion in and of itself. But anyway, the key is to figure out what kind of information you have. And then you do basically a data flow map, right? You have to figure out where that goes and think about your whole process, not just "I get it from outside and it comes inside my system." Think about how it comes into you. Through email? Do you download it from a portal? What machine are you on when you get it in email, or hopefully not email, but if you get it through email or through a portal, what machine are you on? How do you do that? And then where do you put that information?
Does it go directly into an application of yours (ProShop, JobBoss, whatever it may be), or does it go into a file system? And where does it flow after that? Does it go somewhere else into a separate application? Where all does it go in your system? Does it get printed out? Is it hard copy? Does it go on a USB stick? What happens to that? So you need to figure out your data flow, all parts of your data flow, and draw it out, because for most people it's a lot easier to track it that way. Most people are a lot more visual with this kind of stuff: a little flow diagram with all your systems. And then if you need to get it out to somebody else outside of your scope, we'll just say organization, but your scope, wherever you scoped, if you need to get it to somebody outside of that, how do you get it to them? Again, hopefully not through email, or if it's through email, you take the appropriate precautions. But how do you get it to them? Is it a portal? Is it a vetted file-sharing program? What is it? So you've got to figure out that data flow, where everything goes, what devices it touches. Is it over wireless or not? And all that fun stuff. So once you have that figured out, then you can move forward with things. Another thing people talk about is something I just mentioned, printing it out. People forget about hard copy. Or does it come to you in hard copy? Do people FedEx you a package? And if they FedEx it, what happens to that hard copy? Do you scan it all in? Do you copy it? What happens with it? That hard copy of that CUI is CUI. And that brings in alternate work sites. For construction companies, for instance, this hard copy is going to go to that job site, to that trailer on the job site. Well, guess what? That's an alternate work location. And that hard copy you have, that's CUI.
It has to be protected on that job site. And you now have an environment at the job site that is part of your scope because it's an alternate work site. So those are the kinds of things to think about. The other thing is, during CMMC Day there were some people that suggested sending out a CUI survey to staff. There's a presumption there that they know what CUI is, that your staff understands how to spell CUI at least, you know. So you would need to start by making sure of that; that's where good training comes in. Here is your DoD mandatory CUI training. Go through it. And here are the vendors that we have, or the customers we have, where we do this work. Do you think you have CUI? Do you think you touch CUI? What happens to it? So a good idea is to send a survey out to some of your users, maybe key users, maybe not everybody, and say, where does this CUI live? Because what the general manager thinks is happening may not be actually what's happening. And so, like for us in an IT company, it's easy for me to say, here, here's this environment. Here's this enclave for you. Just keep it all in there. It works great. What about this machine I need to get it to? How do I do that? You've got to keep it all in the enclave. Anyway, so it's easy for us to say something
SPEAKER_02:like, how do I get it to the customer? I just emailed it to them.
SPEAKER_00:Yeah, yeah. So it's easy for somebody that's not doing the job to say, just do it this way. And so you've got to include those people and figure out where your CUI is living and what happens with it.
SPEAKER_02:Yeah, and that's one of the biggest struggles that we find when we're first engaging with somebody to get them from noncompliance to compliance. Further down that path, we typically get a moment of panic, because what's happened is, in all your years of business, you found the path of least resistance to get data around the office, around the shop floor, and what you're doing may be working for you now, and you may be able to get it into a situation where it is compliant, but oftentimes it needs to be adjusted. And so...
SPEAKER_00:Oh my God, we've got to change everything. It's going to change our whole flow. Everybody's going to be upended.
SPEAKER_02:Yeah. And there may be some processes that your employees are doing, or your coworkers are doing, that you don't necessarily know are happening to get their job done on a daily basis. And because it's the path of least resistance, it very well may not be compliant.
SPEAKER_00:You said that's one of the most common things that happen. Another common thing that happens when you initially start conversations with a new client is, well, I don't know what CUI is. Can you tell me what CUI is? So a lot of people are starting at that level and don't really understand. That's why we say you've got to start with the basics and figure this out from the beginning. Because if you don't start there, you're starting off on some possibly, very likely, bad assumptions.
SPEAKER_02:Yeah, another thing we face is, okay, I get it, I get it, I get it. We're not compliant. Just get me there. Let's just implement. It's like, well, okay, sounds great. But we still have to go back to the fundamentals, because otherwise we're going to skip through a lot of stuff and you're still going to end up not being compliant. We still have to do a gap assessment or some form of understanding where you are and where you need to be, what's happening in the business, what's going on. Even as the business owner that's working in it every day, or the GM or the quality manager, you might think you know, but you really don't. Right. So you still have to do that process, even though it seems like an unnecessary roadblock. Another popular thing, especially among the technical crowd, or if you're working at a company trying to get compliant, is that it's real easy to go down the path of "I'm going to buy a tool and I'm going to get compliant." So let's talk about tools, technology, some zero trust stuff that you had mentioned from the show. We can get into some of the technical points and also address what some non-technical people should know about tools.
SPEAKER_00:You know, one of the things we talk about is Microsoft 365 GCC and GCC High, because pretty much everybody understands the Microsoft commercial environment is not going to work for CUI. When you go look at the basic NIST 800-171 tenets, you're tempted to say, oh, this is FedRAMP and we can configure it like we need it. And that's in large part true, except that it leaves out some core things with CMMC, like DFARS 7012, 252.204-7012, the incident response kind of stuff in there, which pushes you over into Microsoft 365 GCC or GCC High and says you need to go use one of those solutions. And Microsoft has a good diagram of which environment will fit what kind of information for all the different compliance regimes, CJIS, everything, right? And they've got commercial, GCC, GCC High, DoD, and Secret, I think, is what they have, if I'm not mistaken. Anyway, we generally just look up through GCC High. Technically, you can go with GCC if your information is not specified and doesn't have a dissemination control that prevents that information from leaving the country or leaving U.S. citizen control, right? Either way, you'll have to get the shared responsibility matrix. You'll have to get, as I understand it for assessors, a body of evidence to be able to prove that this is... because it's not FedRAMP authorized in the same way.
SPEAKER_02:You also don't want to design a system that precludes you from getting another contract.
SPEAKER_00:Exactly, and that's the other thing. Just to fit what works today. If you've got controlled technical information that there's no dissemination statement on, we'd have to see that. Potentially, I guess it could go into GCC. But really, you don't want to put yourself in that kind of position and then have to move over to GCC High, because if there is any sort of dissemination control on it, you've got to use GCC High. GCC High is also federally authorized, and so you could use it. So really, it's a lot safer just to go ahead. This is what everybody says, and it's frustrating trying to figure out why in the world you can't go GCC and need to go GCC High, but it is a lot safer just to move into GCC High, whether it's a subset of accounts or however you do it. Anyway, it's a lot safer just to move over and use GCC High.
SPEAKER_02:Yeah, it's frustrating because it's four times the cost of commercial. Microsoft. And
SPEAKER_00:it's an upfront payment for the year for annual year. And, you know, here's your $20,000 bill. Salt in the
SPEAKER_02:wound, you know, all for $20,000
SPEAKER_00:is kind of a small bill too, by the way.
SPEAKER_02:But for email, you know, if you've been paying for it, you know, previous and just kind of a frustrating expense. It is. Yes. And so, but just, you know, we have not seen really a good argument for, you... There's only been good arguments for going GCC High in terms of the holistic picture, making sure that you can get contracts, making sure that, you know, you've buttoned everything up because we're big believers in let's go with a very defensible position. That's accepted practice that people, you know, believe in that assessors are like, yeah, we would go that way instead of trying to fight and prove every corner. You know, when the assessor comes up and is trying to assess whether you're compliant or not, it's easy in that sense to take the path of least resistance from a compliance perspective and just bite the bullet and do what the assessors want and the government is wanting and just bite the bullet.
SPEAKER_00:Absolutely. And the other thing you need to think about is this is all to say there are also other tools that will fit that arena there for email and file sharing and stuff like that. There's PreVeil and I think Exostar has their own version and stuff like that. You just got to consider the pros and the cons of each. You know, and we won't go into those here, but there are other solutions. It's just more typical to talk about Microsoft 365, GCC, and GCC High. But there are absolutely other tools. You just need to look at them and figure out what fits your company best cost-wise, workflow and everything else. So one of the benefits I will say is if you choose a Microsoft solution, 365 GCC High, is that you have, it's not just email and it's not just file sharing, external file sharing. There's Intune you can use and manage your systems. There's all sorts of stuff, benefits you get from that, from being able to do that. But it depends on how you scope everything and what you want to happen, right, with how you want your CUI to be scoped or your system to be scoped for your CUI. So that all matters. So that's a little bit deeper of a discussion. But everybody wants to know about tools. And so this is basically the warning that, just like you hear everywhere else probably, is that Microsoft 365 GCC High is the way to go rather than GCC. One of the other things... two tools that everybody always wonders about is antivirus. And one thing you have to think about is, you know, that antivirus or that endpoint protection, it's not just antivirus any longer. But anyway, that endpoint protection, how is it managed? You know, if it's managed in the cloud anywhere, the information it has access to and the information that comes out of that is likely going to contain security protection data. And that whatever it is, Microsoft, wherever there's Defender, SentinelOne, or whatever it may be, that's a security protection asset.
So that service now falls into scope for security protection data. So you've got to keep that in mind, right? And whatever service you're using to manage that, if it's all on premise, all in your systems, great. If it's not, there's a cloud involved, then you need to consider that. But one of the tools that people are using that's especially, if you go, this is one of the benefits of going 365 GCC High is Windows Defender. All right. You know, another thing that somebody, they talked about, they kind of joked that zero trust is a lifestyle choice. And I guess that might be a lifestyle choice, but zero trust is one of those things that was not really necessarily envisioned well, as far as a product goes. It was
SPEAKER_02:first coming out around 2017 when they were first really pushing the first version, like NIST.
SPEAKER_00:But now there's a lot of zero-trust choices around. And so really, if you think about it, zero-trust is the way you should configure your networks, and it fits very well with CMMC because you– It's least privilege because you start with zero, zero trust. So you start with zero trust and you say, you know, this is trusted, that's trusted. You know, it's a very simplified view of it.
SPEAKER_02:Zero trust for the non-technical people is if you're going to a bar or a club and there's a guest list, you have to be on the guest list first before you get– allowed in the club, right? And so that's zero trust, but a lot more expansive and complicated for computers because you can do that all the way down to applications that run, how they access network resources, how they traverse specific applications, accessing specific files and different pieces of storage. There's a whole lot to it. And it's one of the... It can be an absolute disaster if it's implemented incorrectly or poorly. And if it's implemented well or good, it is a biggest bang for your buck as far as trying to forget compliance, just keep things or people out of the club that you don't want. So it works pretty well. It's just a bit of an administrative burden. And if it's not done right, it can be a disaster. But I'll let you take it from there.
SPEAKER_00:No, it's a very good explanation. And again, zero trust is what it says. You start with no trust at all. Whatever it is, we don't trust it. We assume that bad stuff is happening and it's got to be authorized. So whatever it is, network access, it's whatever it may be, file access. But that's zero trust, deny by default. That's a firewall rule too. You deny by default and approve specifically whatever you want. But anyway, zero trust is a thing. It's a good thing to implement. But you also, you can't just grab any solution. You need to understand whether it's going to have access to CUI and whether it's going to have security protection data, SPD. Hint, hint. Yes, it is. So you've got to think about those things and whatever solution you look at.
SPEAKER_02:Moving on to the less formal aspect of it. Always when you go to a conference, there's the keynotes, there's the breakouts. And then there's the cocktail discussions. There's the at-lunch discussions. There's basically the networking that goes on and the general sense of what people are talking about and what kind of the hubbub and buzz is. What do you feel like for people that didn't go and didn't get to experience? What do you think the hubbub and the buzz was?
SPEAKER_00:The hubbub and the buzz really was the thing. But, you know, as far as interesting chats and everything, interesting things that went on that weren't necessarily sessions and specifically CMMC controls and rules and stuff like that. One of the things was talk to another service provider like us. And there are a lot of people out there who don't understand why it's going to cost so much and don't understand what is CUI, you know, and how do I design it. And so, you know, at that point, you know, it becomes a discussion with someone about, or I guess really at that point, it becomes a discussion, do you want to hire somebody in-house? Because I guarantee you, if you just say, hey, Mr. Quality Manager, Mr. IT person, whatever it may be, you're in charge of our CMMC compliance. Congratulations. I know you have a full-time job, but you can do this too. You know, that really is not going to work. It may work for them to kind of manage the project and be escorted along, but they're going to need a lot of help. So you either hire that help internally, and there really needs to be somebody that... this is their focus, you know, this is what they do, or multiple somebodies depending on the size of your organization. So this needs to be their focus. They need to do this. They need to work on compliance. They need to work on security, and they need to work on business process and documentation, everything involved, right? So somebody needs to be hired to do that, or you need to find someone to contract with to help you with it, to help you decide how to do that. And it's not just hiring somebody and saying– either a contractor or an internal hire. It's not just hiring somebody and saying, hey, help us with this. It's do you already have experience here? Can you come up to speed? Because if you hire somebody internally, if they hadn't already been doing this, they're going to have to come up to speed with CMMC. I guarantee you, you'll want to send them.
It's expensive, but you'll want to send them to conferences. You'll want to give them training. They'll need to do the RP, RPO, or excuse me, not RPO, RP, RPA. Those are really basic. So you'll want to do a CCP, maybe even a CCA. Those are Registered Practitioners, an RP. Registered Practitioner Advanced is an RPA. Those are both obtained through the Cyber AB. A CCP is a CMMC Certified Professional, and that is through a licensed training provider. And it's a week-long class, very detailed, intense week-long class and detailed, intense test. Okay. Not so intense it's impossible to pass, but you need to know what you're doing to pass that. And then a CCA is for an assessor. It's a CMMC Certified Assessor, which is good because with a CCP you'll understand how assessors are going to assess things. And CCA goes really into depth in that. So if you send somebody to take some CCA training, become a CCA, there's some hurdles there to actually become a CMMC Certified Assessor. So whether you want them to actually become certified or not, it would be up to you. But the training and the test is very, very beneficial. So those are all things. If I was to hire an internal person to do this, I would send them through all that. And send them to multiple conferences. It's not an inexpensive endeavor. Otherwise, you look for a company to hire to help you with that, to contract to help you with that. And you need to make sure that they have RPs, CCPs, maybe even CCAs on staff. But you need to look for those companies that have that as well, and part of their life is CMMC. So you don't want to just hire any old Joe off the street that doesn't have any credentials or any way to say, I have this experience, right? But that's one of the things that came up is that there are lots of people out there, lots of companies who still are struggling to implement this. And so that's one of the things that came up.
Another interesting thing that came up I referenced a while ago is the reason all this is in play. You just look towards China and look at their military equipment. You know, their plane that looks like– I don't have the model numbers here in front of me. I can't remember. But their plane looks like a Joint Strike Fighter. Their Humvee look-alike. You know, they've got ships. They've got missiles. There's all sorts of things that they have that– They look amazingly like ours for some strange reason. And the reason is not so strange. We know what's happening. There's a huge intellectual property theft problem going on, and it's still going on to this day. They're masters at it. They started way back a long time ago. And, you know, our business and our politicians and everybody else, everybody really was just, you know, very interested in helping China along, come into the global economy. You know, we'll send people over to your country to help you out. We'll teach you how to do, how to implement these cell networks, you know, and all that kind of fun stuff. Well, meanwhile, China's stealing all that intellectual property. And one of the sessions outlined two companies, I called it Company A and Company B. Company A was a $300 billion company in the early 2000s. They had a global presence. Their network equipment was everywhere. Here I am thinking, my gosh, that's Cisco. There was another company, too, that was everywhere. I remember buying their equipment. That's great equipment. Let's buy this. Anyway, but their equipment was everywhere, and the Chinese hacked them, and they had been in their network forever. For decades, actually, but over a decade, they had been in their network stealing stuff. And they found out about it. And you know what they did initially about it? Zero, zilch, nothing. It's not that big of a deal. We're smart people. We have... We're constantly innovating. Guess what? They're stealing that innovation.
And so what happened to Nortel Networks? Does anybody out there buy any Nortel Networks equipment these days? Not anymore. Not anymore. They went bankrupt. And, you know, they stole all their stuff. And they started selling it cheaper under Chinese names, you know. Same thing with Company B, who was, I don't remember, under $100 billion. Somewhere just under $100 billion or something company. They have telecommunications gear everywhere. Telecommunications, I'll say endpoints at the outset anyway, everywhere. Yeah. And anyway, they sold globally. They were a big company. And then they started working with China. China said, hey, we need help with our stuff. Can you help us out? Oh, yeah, we'll help you out. And, well, when they did, they stole a bunch of stuff, and then they started replicating it. And that company was helping set it up in their country. So they're learning how to do this. And so that company is Motorola. And so Motorola is a shadow of its former self now, and they're not in the business segments they were. They've sold all that off, and now they're in other segments. And so one of the companies that came as a result of all this is Huawei, and they– They're 30% of the global telecommunications network now. They have an amazing ability to spy into other countries now. And it's all because of how we kind of dismissed it and just let it go. And it's great business. It'll be great business for us. It's great business for them. It's all wonderful until it's not. So start there and then fast forward, and they're still stealing all of our stuff. And all these years we've been going, it's okay, we want the business. It's okay, we want the business. And now we're starting to lose our– we can see– I'm not going to say we're starting to lose, but– I know military people will say that's not right. But we're getting to the point where we could see where we will lose our advantage because a lot of our advantage is technological.
SPEAKER_02:We used to– quite a lead, they say, on China and other countries from a technological perspective. But now it's like only a few years.
SPEAKER_00:Yeah. Head start. It is. It is. It really is. Yeah. You look at all sorts of stuff. AI requires big data centers. You can argue about where the United States and China is and the AI race. Those are good arguments to have, but the point is they're still stealing a lot of that stuff. And they don't care about environmental policies. They'll go build as many data centers and run them off of coal or whatever they need to run them off of to get those data centers up and going. And we constrain ourselves a lot, but the point is that there really is a threat of from China, but also other countries, you know, there really is a threat to us and we need to keep our advantage, intellectual property and the military and the, we need to keep our edge there and not just, we've been given it away. Frankly, we've been given it away and we need to stop giving it away.
SPEAKER_02:So you're, that's kind of some of the conversation amongst the people at the, at the show is maybe more than just the business aspect. There is, yes. To all this. Kind of just wrapping it up bringing it home. We've talked about scope. We've talked about what people are doing wrong or still getting tripped up. We've talked about some access control. We've talked about the hubbub, and we've talked about the themes from CMMC Day 2025. What are some good, actionable steps that people can take based on the information that was available that you kind of learned at CMMC Day 2025? One
SPEAKER_00:of those things, to boil it all down, is trying to figure out how to get started. You start at the beginning, right? You know, start in the middle. You figure out where the beginning is, and we've told you where the beginning is. The beginning is figuring out what data you have or will have or potentially have, however, wherever you are in the process. What data is it and where does it go? Scope everything properly. That is the very beginning. You have to figure out what you have, where all it goes, where it comes from, where it goes in your systems, all that kind of fun stuff. Map that out properly and come up with a scope. And if it's all over the place, you probably want to narrow your scope so you don't have to scope. You can change your scope and change where CUI goes. That's a change of business practices and business processes, I should say. The idea is to start at the beginning. What data do you have? Where's it coming from? Where's it going? So another thing that kind of goes in with that is there's a lot of people who have already started this process. And however far down the process you might think, you know, we thought we were done. But when, you know, step back, come out. Review where you're at. Go back to the beginning and figure out what kind of data you have and if it's scoped correctly. And then look at your documentation. Your SSP is important. Look at that SSP. Is it concise, and does it contain enough details? Are your policies correct? Are they overly broad? Those kind of things. Your documentation, you want to take a really good look at. Once you start at the beginning, you need to look at your documentation and see that your documentation is appropriate. And there will be a lot of documentation. I say keep your SSP concise. And by concise, I mean not, again, not eight miles long. So enough details to explain what you're doing, but not your whole policy inside your SSP.
It can reference your policy, but then again, it can't just reference your policy. You need to have some details in it. So those are the things I would say that people should do next is start at the beginning. Even if you're all the way through, almost to the finish line, go back, start at the beginning, did you start out properly? And if you started this several years ago, the likelihood is that you didn't start it properly and just go back and review.
SPEAKER_02:We always recommend whether someone is DIYing or not to work with some certified professionals just to get help and help with the guidance. If you want help with that, you're welcome to reach out to us. We'll drop a link down below. We're offering a free roadmap to an SPRS 110. So basically look at where you are now, look at your policies, spend a Lars with you to figure out what steps you could take to get it in a better position. So not a sales pitch or anything. It's just we're really educationally focused here, hence the podcast. And so we just want to help offer that as a resource for our listeners. Well, do you have anything else to add for CMMC Day 2025? I
SPEAKER_00:think that pretty well covered it. It's a really good conference. So if you missed it this year, you know, watch this podcast. So I guess if you're at this point, you're watching this podcast, but then the other thing is sign up for next year. Like I said, it's a good one. It's a one day, or there was a couple other days of that conference, but they deal with other related things. But other things, I'd say CMMC Day is really good, to the point. It's a good thing to go do.
SPEAKER_02:Awesome. And we're going to be at Sequest in Las Vegas in a couple of weeks.
SPEAKER_00:We will, we'll be at Sequest. Absolutely.
SPEAKER_02:We will not be exhibiting. But if you want to stop by, have lunch with us or chat with us, you know, in the commons, then we will be there. So just look for a smiling face. If you have questions about what we covered, please reach out to us. We're happy to help fast track you through your compliance journey. Text, email, or call in your questions. We're here to answer them for free on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and like, subscribe, and share.