CMMC Compliance Guide

What You Missed at CEIC West 2025: CMMC Culture, AI Labeling, and Subcontractor Risks

CMMC Compliance Guide Episode 20


Missed CEIC West 2025 in Las Vegas? We’ve got your insider recap. In this episode of the CMMC Compliance Guide, Austin and Brooke break down the most critical insights defense contractors need to know—from Katie Arrington’s keynote to real-world flowdown risks, mock assessment walkthroughs, and what AI means for your CUI documentation.

If you’re a small or mid-sized DoD contractor trying to stay compliant with CMMC, NIST 800-171, and DFARS, this episode gives you the takeaways that actually matter.


📞 Have questions? Text, call, or email us. We’ll answer them for free on the podcast.

🔗 Visit www.cmmccomplianceguide.com for free resources

SPEAKER_02:

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to do it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is for those of you who could not make it to CEIC West 2025 out in Las Vegas. It's a premier CMMC conference for defense contractors, aerospace manufacturers, and all of those in the CMMC defense supply chain. Brooke and I made the trip. We sat through the sessions and we came back with a stack of takeaways. So we're going to focus on what really matters for you, what stood out, what's actually useful for small and mid-sized businesses, and how to cut through the confusion, even if you don't eat, sleep, and breathe compliance. All right, Brooke. So you sat through Katie Arrington's keynote. And for those of you who don't know who Katie Arrington is, do you mind giving us a breakdown of her real quick? Katie Arrington, they

SPEAKER_00:

call her the mother of CMMC. And she really is. She has shepherded this thing through. So she's top level. In fact, she wasn't able to make the– what we call CEIC West, which is CMMC Ecosystem and Implementers Conference. And they call it SEEK for short. So SEEK West. She wasn't able to make that, but she was on the calendar. She wanted to be there, much like she wanted to be at a couple of these things anyway. But she was at NATO in Brussels. And so she joined us by video. And Katie always has some really great things to say. I mean, she's really good. She's personable. She understands. She's not what a lot of us think is a typical government type, you know. She says what? No harm, no ill feelings towards government types. She says what's on her mind. She does say what's on her mind. Absolutely, 100% she does.

We talk to some people that want to implement CMMC, and it's "I just want you to come implement it for us. Just put it in place, and then that's it." We always let them know, hey, this is not a check-the-box, implement-it-and-you're-done kind of thing. It's ongoing. It's management. It's monitoring. It's all these things. And it's written that way. And so she said it's a culture. And it's a culture from top down. So yes, it is a management thing. But all your people have to understand it. You can't do CMMC properly without your people knowing what CUI means and what is CUI. Which piece of information do I have that is CUI? They have to know about it. They have to understand it. It's a culture is what she said.

One of the other things that she said was this is by far the best way– this is the best deterrence– this is the best non-kinetic deterrence for a kinetic war, basically. And what she's talking about is we're trying to secure our supply chain. And she talked about before 2017, leading up to this, and even after 2017. But leading up to this, we're bleeding, bleeding information to the CHICOMs, to China and other people, but especially China.

We've said this before, and she brought it up. Just take a look at their plane, their platform that looks exactly like our Joint Strike Fighter. And that's not the only thing. There are tons of other things. Humvees, there's ships, missile systems, laser systems, you know, they've gotten information about. There's tons and tons of stuff. We're just bleeding information. And one of the best things about the United States of America is that we have really top talent. We have really good talent. We have really good technology. That talent develops technology. We stay on the cutting edge. We develop all sorts of things. And so that's what helps us stay ahead in this race. And if we're bleeding that information and just handing it over to China or whoever, that really hurts our edge in the world. Yeah. And you may or may not agree with us being in different parts of the world or whatever, but we've got to have a strong military, and this is for the warfighter. It really is. This is to protect them. This is to help them, give them an advantage. We've got to protect this information, and it's information from each little widget on down to the whole assembly of the platform, whatever it is, a ship, a plane, ammunition, a gun, whatever it is. It's that data, and every little piece that goes into it is what we're trying to secure and what keeps our warfighters safe.

SPEAKER_02:

In other words, a reinforcement from the existing administration that this is not something to get rid of. That's what I took from her talk. It seemed really like a plea for patriot owner-operators, like, you know... Well, she said something about we don't want to lose contractors, but you've got to step up to the plate cybersecurity-wise because they view it as a core tenet of lethality. And that is very important to the Trump administration and DOGE, she said. And specifically, she said, DOGE and Elon and crew, is that they see the money leaving or the losses.

SPEAKER_00:

That's one of the things I was going to go over. Absolutely.

SPEAKER_02:

Not actually. Sorry, I don't mean to get to it too soon, but it's not something they're cutting because they see it as a protection mechanism to the money they're already losing. So it's not on the table for the Trump administration, and she's part of it. And so that's– because there's a lot of questions out there. Well, is this going to– because we always get that. Is it going to stand the test of time? Is it going to stay through this administration that's cutting a lot? It's staying. And so if you're hoping that it's not, then the odds just got very low for you that it's not sticking around.

SPEAKER_00:

Absolutely, absolutely. So she did say that. She did talk about DOGE being keenly aware of the money that we're losing, and she said that we're probably losing, and this is her words, or this is a paraphrase of her words. This is a Brooke Justice paraphrase. But the Department of Defense is losing about half of what it spends on defense every year to China. That is striking. Which is,

SPEAKER_02:

we spend a lot on defense.

SPEAKER_00:

We spend a lot on defense, and then just turn around and give our R&D and our efforts and everything, just hand it over to China, is horrible. And that is what we're trying to stop. China is welcome to develop things on their own and do all that, but they are stealing this. They are taking it from us.

SPEAKER_02:

And who wouldn't? We probably are doing the same to them. I mean, that's modern-day war. If someone already made the nuclear bomb, you try and steal their secrets before you try and make it yourself.

SPEAKER_00:

So just a few other notes real quick and then we'll move on. I know– It was the keynote. We have other things to talk about. It was the keynote. It was the keynote. And like I said, Katie Arrington always has some really good stuff to say, and it was a very important part of the conference.

SPEAKER_02:

Well, and it set the tone around compliance and the way things are headed and around everything else. I think it is important to– whether you agree with what we're saying or not, it is what was said, and it is where– Strangely

SPEAKER_00:

enough, all the stuff she talked about just happened to be– who knows if they planned it this way. I don't think it was. She's pretty off the cuff. But all the stuff she talked about seemed to be themes throughout all the different sessions. Yeah. Sometimes not, you know, just kind of touching on it a little bit, but they were things throughout all the sessions. One of the things she touched on that I made a note about was NIST 800-171 Revision 3. So CMMC, as we've talked about before, is hard-coded to Revision 2 right now. That will change eventually, and it'll change so CMMC will grow with the changes in NIST. We haven't even got off the ground, which is the reason they stopped and said, hey, R2. We're sticking with R2. We're not changing in the middle of the game like this. So once they get it off the ground, expect the rule to be changed to include current revisions of NIST 800-171. And I would expect that maybe in, you know, a couple of years or something. And probably when it gets implemented, it's likely, this is the crystal ball, but I believe she said it's likely that it'll take the form of, you know, whenever you're due for a new assessment, if R3 has come out during that time, then at that next assessment, you'll need to be R3 compliant.

SPEAKER_02:

Yeah, I think they said that at CEIC Southwest as well. If you can hurry up and get certified under R2, you're pretty much set until they move to R3, which would be probably your anniversary date for certification three years later. Is that what you're talking about?

SPEAKER_00:

That's exactly what I'm talking about. And of course, they haven't even written any of that yet, so it has yet to be seen. But that's the thinking of what it's going to be like. One of the things also that Katie said was that along with CMMC as a cultural thing, this whole thing wraps in cybersecurity. Of course, zero trust and all those kinds of things get wrapped into this as a cultural thing, as just part of what you do. One of the other things she talked about, which was one of the sessions and one of the things I've been talking about, is ethics for everybody involved in the CMMC ecosystem as far as assessing and implementation and management of it. And we have some ethics statements that we have to hold to. And she said ethics is very, very important because this is hard for the DIB to implement and expensive for the DIB to implement. And we don't need a bunch of questions around ethical issues around this thing. We need to know that everybody's trustworthy and the whole nine yards. So there's ethical codes of conduct that we have to hold to, and they're very serious about those.

SPEAKER_02:

In fact, the opening remarks after, or I guess prior to the keynote, but the opening remarks of the conference, I think probably 60% or more of it was over the ethics of the CMMC ecosystem. They focused pretty... They did. They focused very heavily on it.

SPEAKER_00:

Then I didn't catch quite the rest of it. I think she was talking about we should see RFPs that include the 48 CFR. In other words, these proposals and requests for proposal include CMMC and your certification assessment on there. She also said, about the False Claims Act and responsibility, she said that these losses to the DOD have been coming from somewhere, right? Right. And this information isn't all lost by the DOD, but the DOD's been paying for all of it, which means the taxpayer, you and me, have been paying for all this, right? And so she said the False Claims Act will be used, and if you're truly not doing what you say you're doing, it's not just a mistake. If you're blatantly not doing what you're supposed to be doing, the False Claims Act canon will come into play. And she said that someone has to pay for the losses for the DOD, and it needs to stop being the taxpayer. That's just a paraphrase, but that's what Katie said, is it needs to stop being the taxpayer that pays for it. I think she said

SPEAKER_02:

it's not going to be us anymore.

SPEAKER_00:

So make sure that you also have your insurance– And that was

SPEAKER_02:

a question as to whether or not, you know, insurance will even pay for it. But, you know, she's pretty clear that it's not going to be them anymore. I would say a lot of people are in the boat of, well, are we going to commit to spending money to keep pursuing this business, or lose it and find replacements of revenue? I hear that a lot from people that don't have most of their revenue share in the defense bucket. It's probably time to decide that, because they can't go after China, Russia, North Korea. Their only enforcement mechanism is you. And so at some point, someone's going to be made an example of, and that's already happened with universities, and they're going to start at some point. And I wouldn't want to be the person that they get started with.

SPEAKER_00:

Not at all. The last thing I'll kind of touch on, I thought this was very interesting. You know, at these conferences we see vendors and whatnot that use AI, and I'm like, well, you know, people can't label CUI correctly, and what makes you think that AI can do any better if we don't even know how to train it, you know? Well, Katie said within 18 months or so, AI is going to be helping with CUI labeling and tagging, and we will see more CUI documents come through. So she knows that proper CUI labeling and marking is a problem. It is a giant problem. It's either not being done or way overdone. One of the two. It's mostly just not done, at least as far as our clients see. It's just not done, right? There's some that is starting to come through a little better, but for the most part, there's just a clause on the contract or the PO or whatever it may be. Anyway, there's just a default clause on there, and that tells you, hey, there may be CUI here, so you have to treat everything like CUI through there. If you think it's CUI, you have to treat it like CUI. We've talked about that.

SPEAKER_02:

It seemed to me the way she painted the picture, I feel like, is that it's going to start with the human making the contracts or whatever, and then it's going to be forced to go through an AI tagging filter for CUI or whatever, and it's going to get tagged by the AI, and that will be– like kind of the gold standard or the determination of how it's handled will be the AI filter. And then from that, you're going to see a higher volume of things being tagged, you know, CUI or whatever that needs to be secure. So this is going to be an increased burden on you because whatever this filter, AI filter thing is they're going to use is going to be more aggressive, I guess.

SPEAKER_00:

You know, they're going to be using AI, which is smart, to try to do something like that. But that also kind of leads you to think more about some of the vendors that are using AI. That AI, of course, if it's going to deal with CUI, there are certain standards and certifications and everything that they have to meet. It can't just be Grok or ChatGPT. You can't use those with CUI. Please don't use those with CUI. It's probably going to be

SPEAKER_02:

more expensive than a $20-a-month ChatGPT

SPEAKER_00:

subscription, isn't it? Yeah, it'll be a little more expensive than that. But the point is that it can go through and help you find and label your CUI for you. So there's always going to have to be some human interaction with that to make sure it's accurate and all that kind of fun stuff. But there are companies that do that. We've not checked any out at this point yet, but especially given what Katie said... I think that's probably one of those things that is definitely coming down the pike and can be used.

SPEAKER_02:

Well, and we've been having several conversations with companies. Be careful what I say here. But there are AI companies that do it for the government. So that technology is already out there. They're already buying it. They're already investing in it. So it's probably going to be one of those companies or a collection of them. It's not like this is a flying car situation where we're promised to have it in however many years. They've already been buying it. They already have the technology. It's just a matter of repurposing it for this purpose.

SPEAKER_00:

There's good things and bad things about artificial intelligence, AI, but when you get really down to it, we already use it in our business quite a bit in a lot of different areas. You're not going to call in and talk to AI. You're not going to have a chatbot with... Now, some companies do, but you're not necessarily going to have a chatbot and have an AI fix stuff for you. And there's all sorts of things available. But we do use AI in a lot of different phases of our business. So it's out there, and it's being used, and it's very helpful. You still have to know how to use it, and you still need to understand that you've got to check it. Because, you know, I mean, there's talk about AI hallucinations and all sorts of fun stuff. So it's just like having somebody do some work for you and checking it. Same thing.

SPEAKER_02:

I put a transcript through AI just yesterday, actually, and I was asking you. And I said, well, where did this come from in the transcript? And it made up a timestamp and everything. And I looked at the timestamp. It made up a timestamp. Yeah. And even the content it was talking about, it didn't even exist. And I was like, oh.

SPEAKER_00:

Hopefully you got something out of that Katie Arrington session we just talked about. It was very beneficial being there and listening to her as always, as it always is, you know, Katie Arrington speaking. But Austin, you actually attended the mock assessment session. So can you give us a peek behind the curtain on what really happens when a CMMC assessor comes into the room?

SPEAKER_02:

Yeah. Yeah. I found this rather enlightening. I know at previous conferences, CEIC East and CEIC Southwest, they've pretty much done a session like this at every one of the CMMC conferences. And it's usually at the end of the conference. It's usually the very last session. Yeah. Half the people are gone, and, you know, but I sat through it this time, and it's actually very enlightening. And I found it enlightening because I have never sat through it before, and I don't have as many conversations with the assessors as you do. It was pretty enlightening on how they do, and this is theoretical, but how they do an assessment. It is very logical and very straightforward. It's a matter of show me your SSP, basically, and then show me your policy for this control. How are you handling it? Now show me the evidence for it, which typically they suggested take the form of a screenshot. So basically, for every control and objective, if I'm getting this right, they recommended you have at least a piece, at least one piece of evidence prepared. So if you have, like, a multi-factor authentication requirement and then you have your policy on how you're handling it, you need to present the policy and that, and then show them through at least a screenshot how you have it working. And then they have the option, which you probably need to assume that they'll take, which is to then go log into that system and verify that it's actually working, currently done. And then it'd probably be good to timestamp that screenshot so that they know it's within a certain amount of previous time, that it was recent, that you're not just showing when we first set it up and, you know, it's a year and a half old. And then it repeats. It goes to the next requirement, and then you show them your policy and the evidence, and then they'll go verify, you know, if they need to. It's an option, right, to verify. They don't have to

SPEAKER_00:

verify it. If you did a good job of creating a good SSP, you have all your policies, you have your procedures, you have your proof, and you did a good thorough job of it, and a good thorough but concise job of it, right? So you don't want to make your– there's argument about this part of it, but most people I've talked to said keep your SSP as concise as possible, which may be 70 pages, but still. Yeah. Anyway, you don't necessarily want to have a 300-page SSP and hand this book over to them and say, here's my SSP, and I'll get ready for the policies. But in any case, if you do a good job on your SSP, your policies, your procedures, and the proof and everything, maybe even have a good GRC tool that you're using to be able to hand all this over to them, they will do some checking. They will verify a lot of this stuff. But then if everything's coming up good– it's probably going to be a lot easier on you. Whether you'll save money or not is– I'm not going to say you'll save money, but you will save money in the form of time, and time for them to get through and say, yep, you're good, and we're going to certify you at 110. It's a good thing to have all that documentation ready to go, have your proof ready to go, and be able to show them that you're ready, because that starts off on a really good foot with the assessors. If you show them half the stuff that they need, and then they have to ask for some of the others, and it's not really what they need and all that kind of fun stuff, it's not going to start off on as good a foot, and you can pretty well bet it'll be a lot more of an exam for them trying to figure out, make sure all the controls are met and everything.

SPEAKER_02:

Much more intimate affair. Yes, absolutely. Not that CMMC is not expensive and time-consuming and everything else, but the assessment process, you know, it can, especially for the, you know, organization seeking certification, can seem like a very scary, mysterious thing. But if you sit through one of those mock assessment sessions, you realize they come in, they look at your requirement, and then they look at your policy, and they look for the evidence, and you just expect for that to be repeated for every single requirement there is. And if you prepare the body of evidence for it, then you're good. Assuming that you did everything. It's a big starting place. I understand that, you know, but it's rather straightforward. And then the other thing to note, and this is especially for, you know, those aerospace manufacturers and small businesses out there that are outsourcing their compliance and cybersecurity and IT to an MSP or somebody like us, is that you really need to go through a coaching session with your ESP, you know, your IT provider, because the way I understand it is when the assessors are sitting across the table, yeah, you want your IT guy there, but your IT guy cannot answer the questions. Like, they're asking you the questions, and you need to have an answer for it. And if you don't have a sufficient answer for it, you're leaning more on the fail side than you are on the pass side. You can't just look over to the IT guy every time and have him answer it. Because I understand that you're offloading this burden from yourself, but you said something earlier. You can outsource the burden or the responsibility, but not the... What did you say?

SPEAKER_00:

Accountability. Accountability,

SPEAKER_02:

yeah. So they're expecting you to be educated enough on your own policies and et cetera to be able to answer the questions. And if you need to refer to the IT person at some point, then... then that's fine, but you have to answer all the questions first, which is probably a big ask for a lot of owners or managers out there.

SPEAKER_00:

It is a big ask, and really what that boils down to is read your SSP, have a good SSP, and then read your SSP, whether you created it or somebody created it for you, and you should know that anyway. Most of the clients we work with, we sit through so many sessions going over all the policies, going over the SSP. Here's your SSP. Here's what it looks like. And the point is you need to know all this stuff. And maybe not all the details, remember it exactly, but you need to, yes, whenever we log into a computer, we have to put in a code. What's that thing called? Yeah, so that kind of stuff is fine. And then you can say, hey, Austin, what was that called? It's multi-factor authentication. Oh, yeah, yeah, multi-factor authentication. So that's okay, but you've got to show that you know what's going on and you know what's implemented and that you're using it and that it's a culture. So you can have a good cybersecurity culture and not know all the details of the exact tools that your MSP puts in place. You know, yeah, we have some sort of thing that blocks programs whenever they run. You know, that's application whitelisting. You know, stuff like that.

SPEAKER_02:

And that's why you can't just go on the internet and buy a template and you'd be good, you know, that's your SSP, because of that reason, right? Because you have to, you really have to be very familiar with it. And that's kind of telling you how the sausage is made. That's how we go about our SSP on the outset of when it's created. It's completely in there. What we're there to do is advise and help them develop what will work or what is defensible or not in front of an assessor. Whenever we create your SSP, ultimately it's in their hands. Like, this is how our process works, and they talk amongst themselves, and then we develop an SSP out of that. And so that's why we take that boot camp, you know, very labor-intensive effort, because if you're just implementing an off-the-shelf SSP template and you're not, you know, modifying it heavily, then it's not going to be sufficient. All right, Brooke, let's shift gears a little bit from the big picture and audits to day-to-day. What stood out in the Creatures of Habit session, and what are smart teams actually doing to stay ready for compliance and certification?

SPEAKER_00:

Well, this is a great session. It addressed a lot of the realities, a lot of things for small, mid-sized teams, right? And it really goes back to what Katie Arrington said. You know, it's culture. You've got to build this in. It's got to be culture. It's got to be something you do all the time. It could be things like every Friday of every week, you go through and you do log review. Every month, you've got a reminder that pops up for you to do the visitor log review. Quarterly, you go through your SSP and POAM, if you have a POAM. And that should probably be more often than quarterly if you're trying to wrap it up. But especially a lot of the GRC tools, I would recommend highly using. I would say this every single time, I think, almost as much as documentation, documentation, documentation. Oh, we got it in. But, and it's all about documentation, but if you use a GRC tool, and you should, most, not most, but a lot of those GRC tools, you can assign responsibility, you can assign reminders, and it'll shoot out a reminder and say, hey, you need to follow up on this control. It's time to review your security controls. It's time to do your risk assessment. You can have those kind of things pop up and remind you that that needs to be done. So a GRC tool is something to help you remember to do this on an ongoing basis.

On Monday mornings, I come in and I have a list of business things that I've got to do every Monday morning. And I've got to block out that time so I can get it done. But I have a reminder pop-up that says do this, this, this. Otherwise, I get strung out doing 99 other things. If you have those reminders, have something to help you make this a culture, make it something that is just part of your everyday life, that's the biggest thing: make it a culture, make it part of your everyday life, at least at work. And have a tool to help you out, whether it's a GRC tool or SANA or something like that. Something like that will help make it a culture for you.

SPEAKER_02:

Yeah, just imagine, you know, we're all probably used to paying our bills mostly on automatic withdrawal, right? But, you know, go back 15 years before that was widespread, you had reminders, you know, and it might have just been getting the bill in the mail. But so there's a trigger point, even outside of the compliance thing, you know, like, we have scheduled tickets and stuff to remind us to get our backup checks done, right? I mean, so if you build, if you operationalize it, that's the whole point. Operationalize it, put it in a system, and then implement it. Then you're good. It just gets done. And then you have the body of evidence. And that's why we like, you know, mention FutureFeed so much, is because it's built so well. All those things are built in, and all the evidence for you doing those tasks is already in the system. And so whenever the time for assessment comes, then it's just there, right? Absolutely. And so, you know, not trying to ask you to buy it from us, go get it, you know, it costs the same regardless, but it's a good tool. You should check it out because it has those things. Okay. Let's talk about what I think is the redheaded stepchild of CMMC compliance, which I can say because I'm redheaded. And it's one of those areas that, you know, even the primes get tripped up with, with all their money and funding. What came out of the CEIC West session on flowdowns?

SPEAKER_00:

Well, flowdowns is a big thing, and it's one of those things that we know the primes are doing, because they're requiring their subcontractors to be compliant, but their subcontractors are not necessarily requiring their subcontractors or vendors or outsourced people, however you want to phrase it. They're not requiring those people to be the same kind of compliant they are. And the short of it is that if you take any part of that CUI and hand it off to somebody else to make a small part of whatever widget you make, then that vendor, that person, that company that is making that small part for that widget also has to be compliant. And it's up to you, since you're subcontracting, to make sure that they are. It doesn't mean you need to go assess them. But it does mean that you, at the very least, need to have a questionnaire where they sign their life away and sign in blood or whatever it may be, that they are CMMC Level 2 compliant, right? If you have to be Level 2 compliant. Level 1, same thing. When it comes time for you to get your CMMC Level 2 certification, and you have that certification, and you have to have that to do business, and you flow down, you know, same thing: somebody's making a part for you, and you have to give them some of that CUI data to do that with, then they also have to have the same compliance you do. If you have to have a Level 2 certification, they have to have a Level 2 certification. That simple. And, you know, people really want to say, you know, well, you know, it's not really CUI, it's just a little piece. And, you know, if it's not COTS, if it's not off-the-shelf stuff, you know, like just a regular roll of 12-gauge copper wire. If it's not something that's off the shelf and they don't know what it's for, you're just ordering off-the-shelf stuff. If it's not that, and it's something special made in accordance with this contract for the government, then it has to be– they have to have the same level of compliance you do.

SPEAKER_02:

It gets tricky because typically– you know, you may not be– the subcontractor may not be supplying, you know, like you said, it might be an off-the-shelf part. But they're probably getting some other tangential information that's connected to that, that now makes them have to be certified, you know, and compliant, is what I was looking for. Because we've got distributors that don't manufacture anything that are, you know, have to be. So if they have to be, you know, if you've got anyone that's making parts there, you know, I'm just saying, it's probably an area that you're going to want to look at, because if even people with off-the-shelf parts are having to be compliant, you know, it's probably more people than you're expecting of your subcontractors that you need, that you're responsible for. And you probably need to look at it because, like we talked about the False Claims Act earlier, if you're familiar with the government at all, when they go to enforce something, they like a take-the-book-and-throw-it-at-you approach and see what sticks. They've decided they want to pursue you. They're going to start with the False Claims Act, but they're also going to look at all these other pieces like, well, did you do the flowdown correctly? Did you do this? Did you do that? So it's going to be one of those other pieces where they're going to try and get you, not to make the government sound like a boogeyman, but it's just how it operates. You see in law enforcement investigations and stuff all the time how it operates. So you want to make sure all your pieces are buttoned up so that way it's not a liability for you.

SPEAKER_00:

This is all part of the process of being compliant. And what I would also say is that if you're not currently doing anything to verify your subcontractors right now, start. They don't want to be surprised with this any more than you want to be surprised by, you know, hey, guess what? You have to be Level 2 certified tomorrow or else we're going to kill this contract. You know, you don't want that. And they don't either. So start now with them. Say, you know, you're making this part in accordance with this contract that we're performing for the federal government, or for Lockheed that's performing for the federal government. We have to be compliant. Now you have to be compliant. And you may be able to offer some help for them to be compliant, or offer a referral to say, hey, go talk to these people. They can help. They helped us, or whatever it may be.

SPEAKER_02:

It really benefits you to do this, because giving them the longest head start you can protects you. Imagine now you're on a deadline, and now you have to replace a subcontractor that has a specific part or deliverable for you. And now you have to find someone that is certified and is going to supply it at least at a similar cost. And what if the cost is now higher, and now that messes up your margins on the contract, and now you have to perform an unprofitable contract because, you know, you had to scramble last minute to find a supplier that can check these boxes for you. So it's as much your problem as it is theirs, and

SPEAKER_00:

probably more so your problem. Katie Arrington also addressed this in her keynote. She said that they're having to ask for some more money in their budget. You wonder why, you know, the defense budget is so big and this, that, and the other. Well, look at all this compliance and look at all the complicated things they have to do, or that they require contractors and subcontractors to do. But where a lot of things are being cut, Katie Arrington says, look, you want us to do something about this because you have to meet all these controls now. And you've had to meet them since 2017. But what they are doing is saying, look, we need some more money in our budget because we know that the price is going to increase on a lot of these things, because people are now actually having to go through this and actually having to do a certification and spend the money on this. So the cost of these goods is going to go up. And so they realize that. They recognize that. How much that'll actually mean to you, I don't really know. They're at least recognizing the fact that they know it costs money and they know that compliance makes things more expensive, but it also makes the supply chain safer. All right, so Austin, this session had one of the most interesting titles of the whole conference, "False Starts." So what's the story there?

SPEAKER_02:

It really all goes back to accountability, and like templates, in terms of compliance, right? So accountability lies with the organization, not your contractors. And it's going to be the company and the person signing all these papers and the contracts. Right. And so that was basically the core message. This kind of goes back to what we were saying earlier with the templates thing and why just going and buying a template off the Internet is not good enough. Right. Or just listening to a podcast like this is not good enough. Wait a minute. Listening to our podcast is not enough? Hopefully it's helpful. And we try our best, you know, and what we're trying to do is demystify, put compliance in plain English. We try to do that as much as we can so that we can give you a head start or a foundation to go do it yourself, right? Right. The problem is you still have to do it yourself, you know? Yes. And I think that's kind of the point. So you can rely on third parties like us or everything else, but at the end of the day, the accountability stays with you. And that's kind of what the message was, which is true. And we just said it earlier too: whenever you're going to be getting assessed, you're the one answering the questions. You can't just lean on your IT person, right? Which is kind of unfortunate, because you wish you could just pay someone to do it and take care of it for you. But that's not how the government set it up. They can do most of it for you, but you're still where the buck stops. Right. And so you really need to make sure that your SSPs are tied back to the controls themselves. You can go read the paperwork, or if you have an ESP or MSP or IT guy like us, sit them down, or on a Zoom call or whatever, and walk through your SSP and make sure that these things are actually done. I can't tell you how many times we'll go in somewhere and do an engagement where... Yeah.
because it uses TLS or something. Well, that's not what that means. You have to send emails encrypted. Just the fact that it uses encryption to communicate to the email server, and sorry for the technical stuff here, doesn't mean it's encrypted, right? So anyway, there's a lot. It matters who you pick as well, in terms of who you're contracting these things out to, right? So it just ultimately dials back to your due diligence on the parties that you're using to outsource some of these compliance responsibilities, or you might call them burdens too. And then realizing the fact that the accountability ultimately sits with you, and you need to have some sort of day-to-day driver, or, you know, a stakeholder in it, so that you have some familiarity with your compliance before the assessment comes around. So, Brooke, you sat in on a couple of sessions that collectively talked about the SRM/CRM, which most of us know as a shared responsibility matrix. Yes. And then I won't get into explaining it. I'll let you do that. And then the CRM is the government's newly coined term for it. So it's the same thing. SRM/CRM.

SPEAKER_00:

Might as well change the acronym and make it really confusing. Right.

UNKNOWN:

Yeah. So another big takeaway you had mentioned was the FedRAMP equivalency and some guidelines or developments on that. Can you share that with us? Sure.

SPEAKER_00:

And this is something we brought up before. If you use a cloud service, well, for file storage, something like that, we'll just say file storage. If you use a cloud service for that and you put CUI in there, then it has to be FedRAMP authorized or equivalent. So it's got to be FedRAMP authorized and be able to meet some requirements in DFARS, or it has to be FedRAMP equivalent.

SPEAKER_02:

For the authorized, that means they go through some sort of third-party process where they get something that says that they're authorized, and the equivalence means that they're going to be assessed the same time you are?

SPEAKER_00:

No. No? That's not actually it. So you'll have a third party come in either way and assess you. But if you're FedRAMP authorized, you'll show up on the FedRAMP Marketplace. Okay. And it's a longer process, but from what I've heard, the equivalency is ostensibly a more difficult process, a more involved process. That's just what I've heard. But the equivalency can happen faster. So that's why a lot of companies are choosing to do equivalency and not necessarily authorized. Or maybe equivalency, get it done right now, and then work on their authorization. And also, for authorization, you have to have a federal entity that's willing to sponsor you. So maybe they don't have that yet, or maybe they're working on doing that. But for equivalency, you can get a 3PAO to come assess you and say you're good. And what you'll need: once somebody can say they're FedRAMP equivalent, that's great, but what do you have to prove it? So it means something very specific with the federal government, and they've outlined that. So you will get a SAR, security assessment report, I believe is what that is. But you'll get a SAR. The CSP who got their FedRAMP equivalency will have that SAR, and they'll have a body of evidence also. And then they'll, of course, have the CRM, which is the new acronym for SRM. CRM is Customer Responsibility Matrix. SRM is Shared Responsibility Matrix. That one makes more sense to me, but what do I know? So it's a CRM. So you really need all three of those for the assessment to say, here's the service that we use that's FedRAMP equivalent, and here's my documentation for it. The problem with equivalency is that the assessor will have to go through that stuff and actually review it. So it takes a little bit more time than it does for a FedRAMP authorized provider. In reality, they'll probably review the SAR and probably not so much the body of evidence, because it's a whole jumble of stuff that's hard to go through.
But those are the things you need if you use a FedRAMP equivalent service, and you need to remember that. You can't just use it and assume you'll be able to get that off the cuff really quick. So you need to prepare and make sure you have that ready.

SPEAKER_02:

So when you're interviewing, say, a file share, file storage provider, then you need to ask them, can you provide a SAR, a CRM or SRM, and a body of evidence? And then that will tell you whether or not you can use them for that. Yes.

SPEAKER_00:

Absolutely. One of the other things that was in one of the sessions that I was in, really it was about building out a CRM slash SRM. It was about building one of those out. But their point was something we've brought up several times. You can flow down the responsibility line from, you know, say we perform a service for you, you can flow down that responsibility to the OSC or OSA, whichever, but anyway, that responsibility can flow down to them, but not the accountability. Whoever it is that is going to be assessed is still accountable. It's not the service provider that's accountable. They may be responsible for a control, or an assessment objective, really. They may have some responsibility for that, but they're not accountable. That OSC is the organization seeking certification. So that OSC. It's

SPEAKER_02:

most likely

SPEAKER_00:

you. Yes. Yes. That OSC is the one that is accountable. And if one of those items is not inherited, or they think one is inherited and it's not, and then they're not covered for it, then in the end, it's not the service provider who gets in trouble for that or faces backlash from the assessor. They may face backlash from you. But they don't face backlash from the assessor. They don't have anything to do with it. The C3PAO doesn't care whose fault it is. They're holding the OSC accountable.

SPEAKER_02:

Yeah. In terms of certification, it's all on you. What happens after that is what happens after that. Yes, absolutely. It sounds to me, in terms of just kind of distilling this down into some action items for the listeners, that you really need to revisit your SSP and your POAM or any other documents and policies you have. And don't just rely on your preconception or memory of it. You need to go visit those actual documents and try and map them to the controls and see whether they reflect your current environment. And if they don't, if an assessor walked in tomorrow, what would happen? That's what you should ask yourself.

SPEAKER_00:

And I would say really, not just the controls, but you need to map it to the assessment objective level.

SPEAKER_02:

Right. Second, I would say that you need to start with at least a quarterly review for compliance and then kind of add on from there, and invite more people than yourself, you know, all your stakeholders that are going to be touching compliance, at least one decision maker, because it's going to be on them. And start getting some things on the calendar so you can start reviewing this on a regular basis. Absolutely. Third, like you said, you really need to go reanalyze your subcontractor relationships. Dig into the information you send them and what kind of relationship you have with them, who touches CUI, who is subject to the flowdown rule.

SPEAKER_00:

Analyze that. Anything else you've got? No, just remember who's accountable. I guess that would be, yes, remember who's accountable. It is the OSC. It is not the service provider, if you have somebody helping you. Now, you would hold that service provider accountable for what they say they're doing. Right. But there should be a CRM or SRM that makes that pretty clear. It should be spelled out really well. You know, a CRM or SRM that's color-coded is great for kind of a quick view at it. But really, it should probably be fleshed out a little more than just being color-coded, because a lot of that color coding is my responsibility, your responsibility, or shared. That's as far as it goes. For color coding, you've got three colors, basically. And that doesn't tell you a whole lot. But if it's fleshed out a little more than that, you can tell who has to define this and who has to implement this and what the shared may mean, for

SPEAKER_02:

instance. Yeah. So if your subcontractors or providers or technology team can't confidently answer some of the questions that we've posed here today, then you might want to take a closer look.

SPEAKER_00:

Yeah. Yes.

SPEAKER_02:

All right. Thank you guys for joining us. If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions. We'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, or share.
