CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC Compliance Guide
How to Identify and Fix Your NIST 800-171 Weak Spots
Submit any questions you would like answered on the podcast!
Are you sure you're NIST 800-171 compliant? In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the most overlooked NIST 800-171 requirements that continue to trip up DoD contractors—and what you can do today to avoid those costly mistakes.
From data flow diagrams to documentation pitfalls, supply chain risks, and misunderstood MFA and logging requirements, this episode is packed with practical insights and actionable takeaways. If you’re pursuing CMMC Level 2 or just trying to boost your SPRS score, this is a must-listen.
💡 You’ll Learn:
- Why poor scoping is the #1 mistake in compliance
- How to map your CUI data flow across systems and subcontractors
- What assessors really expect from your MFA, logging, and risk assessment controls
- Why your documentation strategy can make or break your assessment
- What it takes to maintain compliance after you’re “done”
- How to use the NIST 800-171A Assessment Guide to conduct a real gap analysis
- The truth about ongoing compliance vs. one-time audits
- GRC tools, POAMs, and how to build your project roadmap
This episode is your self-assessment gut check. Whether you're just starting or already deep into your compliance journey, don’t miss these expert tips.
🔗 For free resources, visit: https://cmmccomplianceguide.com
📅 Meet us at DibCon, June 3–5, in Oklahoma City!
Hey there! Welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business going. on track. Today's question is simple, but high stakes. Are you really NIST 800-171 compliant? You might think so, but there are a few controls that contractors overlook all the time, and that can put your contracts and reputation at risk. Brooke, from what we've seen from past DibCAC assessments, what's the biggest misunderstanding contractors have about NIST 800-171?
SPEAKER_02:Probably really the biggest one is scoping. And we've kind of talked about this before, but people don't get their scope quite right. They include too much or try to scope it too narrow and then have data leakage or however you want to phrase that. They didn't take everything into consideration. So scoping is the biggest thing. Folks have a tendency to have a problem with that. Hopefully you find that out rather soon and you don't get too far through an assessment or anything before they kick it back and say, this
SPEAKER_03:is not going to work. So if you're sitting at home trying to figure out if you've gone too far, what is a general rule of thumb that they might could go by to see if they've done a little too much or too little on their scoping?
SPEAKER_02:Well, really a general rule of thumb to do your scoping properly. This is whether you're going to design a new system, whether you have something in place, or you have something in place and you're going to try to design a system. However it works out, the first thing you need to know is is what kind of data, what kind of CUI you're trying to protect. That's key in this, right? Because if you don't know, you may get some of the controls a little not quite right. That's a key thing to know. But really for scoping guidance, once you know that, it's best to draw a data flow diagram. I'm pretty visual, so I can draw a diagram or you can put it in, well, I was going to say Visio. That might be old school these days. I don't know, but I use Visio a lot. So Visio or something like that. I think PowerPoint is a... anything but like I said hand drawing I mean I always hand draw all my network diagrams and everything anyway because I normally draw it redraw it, redraw it till I get it right. And then I go put it in Vizio or whatever you want to put it in. But yeah, the program when you want to use is fine, but you know, hand-drawn is great to get the understanding started. Going down that rabbit hole, but it's not necessarily the tool. But when you start doing your data flow diagram, it's easy to take that at a high level and say, oh yeah, we get it from the internet and we download it into our system. You know, that's our data flow diagram. Specifically, how do You go list out all the actual systems you go to, you know, Lockheed's portal. You go to whoever's portal, download it from that portal, or you get it through secure email or whatever it is. Each one of those is a system. Write all those down. Write down all the systems. Draw out all the systems that you have in place, like Microsoft 365, SharePoint, then email, SharePoint. Whatever you have on-premise, you have your file system, your server shares, you have maybe an ERP or an MRP or something like that, or some other kind of database. You have some other applications that use it. So you've got to list all those systems, all those applications out, and then draw out where your data, your CUI flows to. Once you take all that into account and draw it out, it begins to make a little sense. And if you draw it, it looks like one big giant spaghetti, a bowl of spaghetti, which is probably about right.
SPEAKER_00:But
SPEAKER_02:once you draw all that out, then you can say, you know what, we need to simplify this. This is the way it looks currently. This is what I want it to look like, and you can then design that. But you've got to draw that data diagram, data flow diagram first, and take everything into consideration. All your portals, all the applications, all the systems you have, take all that into consideration. Also take into consideration, do you send it to some of your subcontractors? You've got to pay attention to flow down, right? So if you send it to some contractors, how do you get it to them? So you've got to make sure you keep your controls in place when it leaves your batteries as well. And then, not that this is part of the data flow diagram, but there's flow down and so contractors are going to have to meet that as well. So it's good to know that your subcontractors are client as well.
SPEAKER_03:So when I think about operationalizing this a little bit, I think of there's three main buckets. Where does it come from? It's a source, right? So if you could map that out, um, you know, is it customers, what customer portals, um, is email, et cetera. And then second is where does it reside while it's here with us, whether it's on a machine or a computer or the file server or the ERP system, wherever that may be on your systems and, um, in software. And then three, where does it travel to? Where does it, right? And what modes or pieces of software or communication channels there? So it's kind of three main buckets. And from there, you might need to bring everyone, programmer, CNC operator, the general manager, the sales person, you know, whoever, you might need to bring them all around a table and put those three buckets on a whiteboard. And then you can map it out. You don't probably just want the quality guy or the owner or the GM just assuming and putting us together. You probably need everyone contributing to that. That is a very good point
SPEAKER_02:because I know that as an IT guy and working with some GMs and owners and whatnot, some CEOs or CFOs or whoever, what we think is happening isn't always what's actually happening. So yes, you need to get some of the people that actually do the work and actually know what's going on, actually have done it and can tell you this is the way we do it. And a lot of times you end up going, yeah, we didn't realize they were doing it that way. So it certainly helps to know all that, yes. So you say a simple thing, just draw a data flow diagram, and it really can get pretty entailed, but simply you need to have a data flow diagram. and know where that data goes that you're trying to protect. It can be a little complicated trying to figure it all out. That's a very needed first step. I guess that would actually be the second step right after knowing what kind of data it is that you're trying to protect.
SPEAKER_03:So let's get into specifics. What are some of the top NIST 800-171 requirements that contractors miss or get wrong? So for multi-factor
SPEAKER_02:authentication, MFA, what we see a lot that people do is they make sure it's in place for remote connections like VPN or something like that and also for admin sessions which is absolutely needed for those it's also needed for network connections to CUI which means if it's going over your your local network if you're connecting to your server over a network which you likely are unless you're working specifically on your desktop or laptop on that hard drive. If you're going across the network to access that data, it's across the network and you have to have MFA in place to protect that. MFA, multi-factor authentication. So that's one of those things that is misunderstood. Next would be risk assessments. Risk assessments need to be done on a periodic schedule, annually for instance. And you need to follow up a risk management framework and methodology, and you need to document everything you do for that risk assessment. So that's another thing that people get wrong or don't follow through with is those risk assessments. Another thing would be logging. A lot of people make sure things are logged. A lot of people think you absolutely have to have a SIM. necessarily have to have a SIM, but you need to protect. The way the controls are written is that it really makes it a lot easier if you use a SIM. A SIM will help you very easily fit all those controls. But it doesn't require SIM for logging, but You have to make sure that you specify what is supposed to be logged. And then you have to make sure that's logged. Make sure the logs are protected. That'll hold nine yards. If you use a cloud sim, that's a whole other ballgame. A sim is a... A sim, there's a... It's not a TLA. I guess that would be a... FLF, four-letter acronym. SIEM is a security information and event management tool. So it gathers all your logs from all the different sources you could gather them from, so your servers, your firewall, workstations, Microsoft 365, GCC High, you know, and whatever other tools that you can integrate into it. is really what you
SPEAKER_03:need to put in. And it more or less conveniently checks all the boxes for the logging. It
SPEAKER_02:does conveniently
SPEAKER_03:check those boxes,
SPEAKER_02:yes. You know, it helps in management. It helps in alerting. It helps secure those logs, the whole nine yards, I guess. But the key to that is you need to make sure you're logging the things that need to be logged, make sure that's defined. A lot of people don't realize if it's defined, you need to write it out and say, this is what we're logging. This is what the logs are supposed to have in them. And then you have to verify and make sure that that's what's actually in the logs. So making sure you do that is, again, that's a part of documentation. So a lot of people know, of course we log things.
SPEAKER_00:Well,
SPEAKER_02:what's in those logs? stuff. But you've got to know what's in those logs and you've got to make sure that you define all that. Just make sure that, again, it's documented. Make sure that you've defined what's supposed to be in the logs and that you actually are logging the things that you say you're logging. I think you'd mentioned supply chain oversight as well. You're always supposed to verify that your suppliers, that anybody that you handed off that CUI to or any part of that CUI, that they are compliant as well. You've always supposedly, you're always supposed to do that. It wasn't done very much. So they specifically called it out and said, yes, you are supposed to, it is your job to make sure that your suppliers, your vendors, anybody you subcontract to that touches that CUI, they have to be the same level as you. Now, it may be that they only, if there's documents that are portion marked, and I don't know about level one and level two, I guess level one really would be a FCI, but it could possibly be that you're not passing down a CUI and it's on the FCI. You're level two, They need to be level two if you're level three. Likely they need to be level three. Really, if you're level three, but you have some information that's level two, that you know is level two, then they need to be at level two, is what I understand. For instance, Lockheed, they're going to be level three. So actually, anyway. But they, not all of their suppliers for the F-35, have to be level three. Some level three, I'm sure. Most of them level two, and then I'm sure there are some people that do some off-the-shelf stuff. Now that we've made that clear as mud, basically. But the rule is flow down. If you send them CUI, they need to be the same level as you are.
SPEAKER_03:How does documentation play in to compliance misunderstandings?
SPEAKER_02:I don't know. Have we ever talked about documentation before? No, never. So, you know, there's a small portion of these controls and the objectives that are technical, and most of this is process and documentation, right? But there's a ton of documentation. If it says... list you've got to have a list of folks you know if it says define you've got to have uh something written out a policy written out you have to have policies anyway but you have to have policies you have to have your plans uh procedures written out there's just a ton an absolute ton of documentation that needs to be written out not just your ssp not just your policies for each of the families that uh you know access control and awareness and training and all that but every everything you have to have all your policies and then you have to have You know, your procedures, this is how we do these things, you know. Beyond that, to be able to pass an assessment, you have to have all your proof, right? And so, yes, we've done this, and here is proof. Here's my documentation that shows how, you know, our SEM is set up or how Active Directory is– this GPO is set, stuff like that. You have to have all that proof in there as well. So there is an absolute
SPEAKER_03:ton of documentation. You might have to write your SSP, your POAM, and then write the policies and document form of how you're going to set up your network. And then you might have to, once you show them that, actually show them the network that's set up that would match the documentation, how it's set up, the network being set up, You know, maybe some technical people watching, like security groups, an active directory or something. That's not good enough. It needs to be in a document, preferably in a GRC tool or something, right? But not required. GRC tool makes it a lot easier. I can tell you that. A lot easier. The reason I bring that up is because not every assessor that we... come across, but it seems like a lot of them might prefer for you to have a GRC tool. So if you're looking at quick wins, laying fruit on making the job easy for the assessor, which would probably make the assessment easier, which might lend to you passing an assessment better, you might want to look at getting one. Absolutely.
SPEAKER_02:GRC tool makes it a lot easier. It'll make an assessor's life easier. Assessors love to see a GRC tool in place, especially if it's all fleshed out, you have everything in there that you already need, then they have access. You can either export everything and get it to them or you can give them access Depends on the assessor, I think, probably. You know, we use Future Feed, and they just came out with Assessor Role, I should say. Anyway, so you can... assign an assessor, create their account, and assign them the assessor role, and it'll give them read-only access to everything in there because they had specifically asked the Future Feed guys to put that in place because they didn't want to be accused of getting in and changing anything. Anyway, so they've created that. The point is, though, that a GRC tool makes life a whole lot easier for you and the assessor. But the assessor will appreciate that. And it's certainly not going to hurt your chances, I would think. No, unless you have it set up very poorly. But if you have that set up very poorly, then it's probably likely there's a lot of other stuff that's done poorly. So it's either going to take you... 150 years to get through the assessment, or you won't pass it. But a GRC tool,
SPEAKER_03:completely flesh it out, will help you with that assessment. And the reason I bring that up is because we're big on, I guess we can't say proven best practices, because there's a minority of people who have gone through assessments and been certified. But at this point, we can have accepted best practices or what everyone's saying, assessors mainly, they would wanna see. And so we're big on taking a playbook that is the least path of resistance to get you to certification. So whether it's with us or someone else like GRC tool is part of that. We're going out on the Oregon Trail. You can certainly make your own path Or you could buy a map from the guy at the trading post of the routes that people died less on.
SPEAKER_02:I don't know that I've had the CMMC assessment process compared to the Oregon Trail before, but that's pretty good.
SPEAKER_03:Yeah, I mean, I was just thinking about it. I remember playing that game as a kid. I think everyone did, and it's kind of like that. It's fraught with adversity and danger. There sure is a heck of a way to make it easier. And that is to build on those that have gone before you or listen to the people that you're going to be beholden to and make your job a little easier. Just to tack on to that,
SPEAKER_02:you know, that's one of the things that you want to look for when knowing who to trust is folks that are, you know, provide registered practitioner in a registered practitioner organization, an RP and RPO. They get registered through the Cyber AB. That's very minimum, and to tell you the truth, the bar is pretty low for that. The next really good step is a CMMC-certified professional. And there's a lot of folks, including us, who have gone through that training, because it basically teaches you how to do an assessment. And so that is, it's been eye-opening for for us, for some of our folks who have gone through it. So that's great. CCAs can help out a lot, although there's going to be a lot of them that are very, very busy right now. But yeah, look for those kinds of things. And people have been doing this for a while and understand it have been and working
SPEAKER_03:through this process. I didn't intentionally do this, but it seems like a good setup for our next topic that we wanted to get into, which is some contractors say that the guidance is vague. Why does this create
SPEAKER_02:issues? Some of these NIST controls, they leave some flexibility, and they're pretty prescriptive, but there's a little bit of flexibility there to... to adapt these to your own system and cover these controls how you see fit. So that flexibility, even though it's pretty prescriptive, there is a good bit of flexibility there. So that flexibility, leads to some misinterpretation. Really, where you need to start is looking at the NIST 800-171A, which is the assessment template. It says when you're going to assess someone, this is how you do it.
SPEAKER_00:You
SPEAKER_02:do this, you do this, and you interview, you test, all this kind of fun stuff. So it goes through the whole thing, and so you need to go through that and look at that. If things are still unclear... You can see where these controls come from. And, you know, for instance, some of them reference NIST 800-53, which is a government document. And that government document is what governments have to follow. Instead of NIST 800-171, they follow NIST 800-53. But a lot of the controls reference back to that and to some other areas. So once you read that document, that documentation is based on, that'll usually clear it up pretty good. You know, there is still room for some flexibility and some misinterpretation or some seeing things a little differently. And that's okay. But you know, if your assessor sees something differently than you do, you can make your case. You really need to make sure you're on solid footing. And really, if you're on solid footing, the assessor is probably going to understand and go, I see what you're doing and I see that it does meet these controls and these objectives. But if you don't read the assessment guide and you don't look at any of the supporting documentation, then yes, some of these can be misinterpreted. So
SPEAKER_03:another thing I wanted to bring up, a mindset issue a lot of people have around compliance and the fact that it's not a one-time event. You see this a lot. Typically, people think that they can just get some things done, do some paperwork, and be done with it. And additionally, what that leads to is, okay, well, why does this cost money? a lot of money. I might pay for my ISO audit or something and it's just done and we revisit later. Why does this have such a high carrying cost in terms of whether it's software tools, security licenses, GCC and Microsoft license upgrades? Why is it like this? You have a a lot of frustrations and confusion around that being the case. And that it's not a one and done project. Can you speak to that?
SPEAKER_02:People
SPEAKER_03:getting these ITAR
SPEAKER_02:or ISO audits, you know, and that leads to a lot of misunderstanding too, because they think, oh, well, this is just another one like those, you know, it ought to cost two, three, four, five, six, seven, eight,$10,000, whatever, and we're done,
SPEAKER_01:you know.
SPEAKER_02:Come in for a couple of weeks and, They're done, right? They write up some things that we need to do and everything's good. Well, this is not like that. So, and we've had people say, you know, I just want you to put it in place, you know, and we'll take care of it, you know. Well, which is fine. And we can do that. But what needs to be understood is that this whole nest, excuse me, Sorry to say 1-800. It's not a phone number. So this whole NIST 800-171 thing and CMMC is not a one and done. It's written for management, ongoing management, ongoing compliance, ongoing monitoring. It's written for that. I mean, it's all throughout it. So if you bother to read it, you can see that, right? So we just let people know that, hey, look, this is... what I just said, it's made for ongoing management, monitoring, and maintenance. There's no putting something in place and being done with it. It's like a, and really, to tell you the truth, any IT, this is not necessarily, this is not strictly IT, of course, but there is a technical component, but in IT, people just want stuff put in. They don't want to have to manage it, they don't want anything, and that's that is really doing a disservice because there's no updates being done, there's no monitoring being done. I can't tell you how many times that we've been called in to somebody new to help out with something, and we go to look at their backups, and we're like, you know, your latest backup you have is eight months old. It's been backing up, and they set it up to backup. Yeah, but it failed here. And it's been failing ever since. Did you check it? Well, no, we didn't check it. So that's what this is written for. It's for ongoing maintenance, monitoring, ongoing care and feeding. And so that's what this whole thing is about. And so you've got to understand that. It can't just be one and done. Now, somebody like us can come and put everything in place for you, but then you have to go manage it and that's fine as long as you take care of it and all that kind of fun stuff. But somebody has to manage that, whether it's you, whether it's Fred down the street, That might not work, but anyway, no matter who it
SPEAKER_03:is, somebody has got to take care of it. And that would take form of approved patches written down, confirmed that it took place, that it was installed. That would take form in the fact that there is record of a log being reviewed and a result, whether it's remediation or otherwise, happening. That would take place in someone looking at the antivirus system that you have and doing necessary steps there looking at potential false positives that would look like someone going on all the computers performing maintenance and then logging and recording it right so those those are actions that have to happen you would have to use someone existing on your staff and give them those new additional duties hire someone internally to fill that that those new shoes or hire it out to a contractor to complete them for you but regardless they have to happen
SPEAKER_02:absolutely uh and you know to step back from technical a little bit you know what about your uh authorized user device and process list you know the work exactly yeah isn't that an active directory no it's not it's That could be part of it, but that's your identification, not your authorization list. So who reviews that? How often do you do it? Is it documented? What about... your sign-in sheet for people visiting your facility. Do you have those? Do you keep them? Where do you document them? What happens with those? That's ongoing. What about vulnerabilities? Is there somebody that watches for vulnerabilities to come out? Is there any kind of documentation? There's all sorts of stuff that has to happen on a scheduled basis or a routine basis. It's scheduled also, but on a routine basis. the whole ongoing therapy.
SPEAKER_03:Right. And there's a lot of low-hanging fruit. Things like Susie at the front desk can now be in charge of the sign-in sheet and she records it a certain way and that's an easy offload to an existing role. And she's in charge of if somebody doesn't sign in, she goes and tackles them. Right. But then there's a whole slew of new traditional duties that are not easily assigned to existing seats. Correct. And that's mandated by the compliance itself. So we bring all that up, not necessarily to scare you, although it may, but really to get at the point of how this episode started out, whether or not you're actually an S-800-171 compliant. And those are... some gut checks that you can do to yourself to determine whether or not you might be compliant so um really what we're trying to do is generate a little self-assessment for yourself so that way you are empowered to know whether what camp you might be in there right and so if uh you checked Yes to all those boxes. All that all sounds like stuff I'm doing. Fantastic. You are doing phenomenal. If anything like that sounded like maybe not, I want to make sure we provide some actionable takeaways that those people can go forth with and do to maybe get themselves from not compliant today to a little bit further down that path. So what are some actionable takeaways that a listener at home might do to... to get more compliant.
SPEAKER_02:Technically, first things first is what I mentioned earlier, is to identify your type of CUI you're trying to protect in the data flow diagram, right? But really, the next step is to do a full gaps analysis. Make sure that you know where you're at right now. And truly where you're at, not just, oh, yeah, yeah, sure, we do that. But you've got to go through every single one of the 320 objectives and and say, do I meet this or do I not meet it? How do I meet it? What is lacking if I don't meet it? Go through every single one of those. And by the way, if there's five, for instance, if there's five assessment objectives underneath one control, then if you meet four of those and you don't meet one, it's not complete yet, that control is not met. So, I mean, it's that simple. You've got to meet all those assessment objectives underneath the control for that control to be met.
SPEAKER_03:But, yes. Sorry to hop on that train of thought is, I believe, and you're going to have to correct me, but the Existar website has an SPR self-assessment website. tool or PDF or Excel sheet I think that's available that you could use for free to assess yourself and I think There's something available from NIST maybe as well, like how to conduct a self-assessment and GAPS assessment. Isn't there a couple of resources out there that they could go just download for free without putting their information in? Yeah, absolutely. I mean,
SPEAKER_02:there's all sorts of spreadsheets out there that you can download. And the best thing to do really, if you're starting out trying to figure out where you're at, is to download that NIST 800-171-A. That's the assessment guide. And so do that. The level two assessment guide is level one and level two for CMMC. But you download that assessment guide and go through it and fill out, you know, do I meet this objective? Do I meet that objective? And go through every single one. And then from that assessment, from that gaps analysis, Then you can say, these are all the ones I don't meet. And then you start grouping them together and you list them out. Here's my POAM. I got to finish all these, right? And so that's your POAM, your plan of action and milestones. And so it's your plan to get everything done, right? So you list out all that. You try to group those together into projects. And from there, you can start guesstimating outcomes. Estimating, estimating your amount of time and effort involved in each one of these, the cost involved. Estimating is just a confident estimate, by the way. Yes, yes. So you can divide it out then. Once you have your POAM divided up into projects and you know your time involved, the effort amount involved, the complexity, the cost, and the priority on each one of these, And maybe you look at these and you add up the number of points it's going to add for each one of these projects you complete. And so you know where your SPRS score goes each time that you complete something. So that may be something important for you to do. But once you get that project list created, then you can start cranking out those projects. Get some quotes, get prices to it, and start doing that. But really, it starts with a good gaps analysis. Everything can be built out from there. And do it by assessment objective, not just by control. You can do it by control, but you're still going to have to take each of the objectives into account anyway. Save your brains and processing power and go by objective. Yeah, just go through each one of those. But yeah, that's what I would suggest is that that gaps analysis is going to be key. Another thing that you really need to do, say what can they do today to get started, aside from the Data inventory, basically, like I said, and the data flow diagram. You do your gaps analysis. Very important to do that by objective, assessment objective. It's also important to make sure that you have decision makers involved in this. It can't just be your IT guy. It can't just be a quality guy saying, hey, here's all this stuff, and here's all this stuff we've got to spend money on, because the C-level guys are going to be going, we need to spend all that money. Surely we don't, you know? So you really need to have some decision makers involved so these projects have legs and so you can get it done. Because that's very important.
SPEAKER_03:Otherwise it just becomes a justification like... sort of situation. Why do we have to spend this much? But if you put someone that's a decision maker to go in, then it's like, okay, we have to because... If they're involved in
SPEAKER_02:that project, involved in drawing all that out, then it's pretty much assumed that you've got to go through this, you've got to get it done. If you want to become compliant, there's always the
SPEAKER_03:option not to,
SPEAKER_02:right? Right, right. And the other thing along with that to keep in mind, again, is what we just talked about, is that it This is ongoing. You'll do this if there's any changes. You're going to have another poem. This is an ongoing process. There's several things that have to be completed periodically and managed ongoing.
SPEAKER_03:Well, Brooke, do you have anything else for us? I think that pretty well covers it for this episode. Okay. Awesome. We'll be at DivCon June 2nd or 3rd, I think. Google it.
SPEAKER_02:It's June 3rd through 5th. DivCon in... Oklahoma,
SPEAKER_03:the beautiful big city bright lights of Oklahoma City. If you want a shirt, Documentation, documentation, documentation shirt. I promised Brooke that we wouldn't put his face on there, so sorry. We couldn't give him away if you did that. But we'll have the shirts, so stop and see us there. We'd love to meet you. Otherwise, if you have questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions. We'll answer them for free. He You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.
.jpg)
