CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Ceasefire’s Here, But Your Shop’s Still a Target: What the DoD CIO Just Told Defense Contractors
🆓 Need help getting your SPRS score to 110?
Schedule your free SPRS Roadmap Session and get a step-by-step plan to close gaps and stay defensible:
👉 https://cmmccomplianceguide.com/free-sprs-roadmap
The Department of Defense just issued a critical cybersecurity memo—and it's not just for the Lockheeds and Raytheons. In this episode, we break down what small and mid-sized DoD contractors must do now to respond to rising cyber threats—even amid headlines of ceasefire. From multi-factor authentication and patching systems to cloud security guidance and SPRS score readiness, we walk you through the exact steps your organization needs to take.
Resources Mentioned:
Memo: https://media.licdn.com/dms/document/media/v2/D561FAQFbAPookqu2zw/feedshare-document-pdf-analyzed/B56ZefAj13HoAY-/0/1750719415748?e=1751500800&v=beta&t=O6aY3UDi5ijLTGOa6RP4xAWABMPZh-ZKRkXRikiCywg
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services
https://www.cisa.gov/cyber-hygiene-services
https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/
https://www.dc3.mil/Missions/DIB-Cybersecurity/DCISE-Resources/
Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
SPEAKER_00:Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey.
SPEAKER_01:And I'm Austin.
SPEAKER_00:From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is one of the most important ones we've done thus far, because even though the headlines say ceasefire between Israel and Iran, the cyber war is still live. Right after the ceasefire was announced, Katie Arrington shared an urgent memo from the DOD CIO.
SPEAKER_01:It basically said this: every defense contractor, regardless of your size (and it specifically said that in the memo, that this is for small contractors and mid-sized contractors as well, not just the Lockheeds, Raytheons, and Boeings of the world), needs to raise its cyber defenses and needs to do it now.
SPEAKER_00:So let's kind of dive into what's really going on. Why did the DOD feel the need to make this public statement right now?
SPEAKER_01:It's a good question. I mean, you know, we just saw a ceasefire announced and it seems to be holding currently, at least when we're recording this. Who knows what happens by the time this gets released. But, you know, it's because geopolitics don't stop at a ceasefire. A cyber war is often conducted without the scrutiny of the press. So that's the one benefit these nation states have and see in cyberspace: you don't have a bunch of reporters running around reporting on things, or people with their smartphones recording it and posting reports on X or Twitter. Those don't happen. So it can be conducted without scrutiny and without people directly being aware of it or it being reported on. And the US, especially in this memo, has taken a clear stance that its adversaries and their cyber proxies (a lot of times the cyber wars are conducted through other groups or entities, not by the nations directly) are already targeting the defense industrial base. You know, this happens on a normal basis, but especially in times of conflict, especially one as large as this, it really ramps up, even after the ceasefires. So, yeah. You know, it's not just the primes, not just the big guys. Like I said earlier, this memo is focused on the Department of Defense wanting everyone on high alert. They specifically mentioned and called out, and you can go read it, we'll include the link to it in the video description and in the podcast description so you can read it for yourself, but they specifically call out the smaller entities as well, not just the primes. So if your shop, your manufacturer, makes parts for weapon systems, aircraft, you know, a wire harness or assembly harness or something, and it ends up with Lockheed, Raytheon, or Boeing, chances are you're a target. And that's why the DOD CIO laid it out in black and white in that memo.
But NIST SP (Special Publication) 800-171 is the minimum requirement. If you handle CUI, you need to be compliant now. Not next year. Not when CMMC becomes a contract clause. Don't get mad at me. This is the Department of Defense saying it.
SPEAKER_00:Getting into the meat and potatoes of all this, what are the actual steps the DOD is telling us to take?
SPEAKER_01:Yeah, so the memo actually breaks it out pretty simply into about four buckets. The first is reducing the risk of getting hacked. That's the first kind of directive to the defense industrial base. And they specifically call out: make sure you've turned on multi-factor authentication. And news alert, if you didn't know, that was part of the controls already. So you're already supposed to have turned that on. Multi-factor authentication, especially as far as the Defense Department is concerned, they want to make sure that you've turned it on for remote access, access across the network, and then for admin and privileged logins as well. They also called out making sure that you patch your systems. So that means anything from your computers to your firewalls, your switches, stuff like that. And it specifically called out that you need to focus on the Known Exploited Vulnerabilities list from CISA. Again, that's another URL that we'll include in the description here, so you can go actually do that. Another part of that first bucket of reducing the risk of getting hacked is shutting down unused ports and services. We're not a big fan of opening ports or services at all. It's hard to make them secure. So we recommend not doing that as much as possible. And if you have to do it, you have to do it in a very secure way. So if you've got, you know, I think a lot of people out there are probably guilty of having a remote access port or something open, you need to shut that bad boy, especially in times of high alert, but you really should design a secure solution around it long term. But they call that out specifically: shutting down those unused ports and services. The other is following CISA's cloud security guidance. It's going to be in the description as well. Basically, if you're using Microsoft 365, Azure Web Services, really any cloud service provider like that, you need to follow that guidance to basically harden it, lock it down.
I'll actually read out the actual verbiage, which is "a production or operational tenant as a cloud service provider environment used by the government to conduct official government business, whether operated by the government or a contractor." So that last piece, "or a contractor," means that you are conducting official government business in their eyes. So if you're using Microsoft 365, Azure Web Services, any cloud service provider, and you're basically, you know, the way to think about it would be if you're using it for CUI or any contract information, that cloud service that you have then needs to be hardened according to that CISA cloud security guidance. So you need to go do that too. They also mentioned in the memo to check out the free resources from CISA Cyber Hygiene. Again, another link we'll have below. NSA's Cybersecurity Collaboration Center, another link we'll have below. And then DC3's DCISE portal as well. Another link we'll have below. But basically, those are three free resources that the Department of Defense provides to their government agencies and their contractors in the defense industrial base to help secure their networks and whatnot. So you can also go find someone commercially to do those things for you, you know, if you're not a fan of using their resources, but they do provide some free resources, and at least some don't cost a dime, just, you know, some initiative and some labor hours there. That's all the first bucket. So the second bucket would be work on detecting threats early. That would first and foremost mean turn on monitoring of system logs. Now, a lot of people probably won't like that I'm going to say this, but basically the way we see it here at CMMC Compliance Guide is that the compliance standards basically mandate you have a security SIEM, in our opinion, without actually mandating it. It says all the things that a SIEM basically does.
And it's easier just, in our opinion, to buy that off the shelf and then assume that it's compliant and fits all the compliance boxes. But go purchase a SIEM and implement it. That way, you can properly go through all those logs, protect them, and review them as needed, because otherwise you have to go into all the different locations and review them at their source, which is not easy to do if you're familiar with IT logs and security logs. A SIEM collects it all for you. And then it also satisfies some of the other controls, like protecting it. The logs, you're supposed to keep them from being deleted and whatnot. So we recommend a SIEM. The memo doesn't say that. We recommend it, but the memo says that you need to turn on and monitor your system logs. So if anything were to happen, you can go look at those and figure out what happened, or they might be able to give you advance notice of something happening on your network and you'd be able to shut it down before it gets too far gone. The second part of detecting threats early would be to use antivirus and, importantly, update the antivirus with the signatures of the new viruses coming out. So they specifically say, make sure that you're doing that. So I hope that everyone's doing that. Most people have known you need an antivirus for a long time. So I really hope that everyone out there listening is doing it, has one, but, you know, it sounds like simple fundamental stuff, but if you have antivirus and you think that the patches and updates are being applied just automatically and you haven't checked it, you're probably wrong. And I don't say that to be controversial, other than the fact that whenever we go into new networks that we manage and stuff, typically the backups they think are being completed aren't being completed, the antivirus updates that they think are being done aren't being done, or half the workstations are out of date. And it goes on.
So it's not good enough just having it installed. You need to make sure that the updates are actually applying and working and nothing's broken there. Another piece of detecting the threats early, the memo says, is to review access controls for any third-party vendors or partners, basically. And the idea there being that you don't want to be exploited through their access means, right? So check those. And if your vendor is doing anything on your behalf or on your network or whatever it may be, don't just assume that they're doing things securely. For example, I know that whenever I walk into a doctor's office I can spot 10 HIPAA violations whenever I go in there for my appointment. You know, just because they're a doctor's office, don't assume that they're following the HIPAA guidelines, right? Same for your vendors. You know, just because you've hired them and they do a good job, you know, you may love your doctor, but it doesn't mean that they're actually, you know, securing your data or your network the way that they should be. So you need to ask those hard questions. It doesn't mean, you know, maybe that you need to fire them, but ask the questions. That way they can do it and protect yourself. Right. The third bucket is be ready for an incident. So, you know, that may sound rather easy, or like, oh yeah, sure, we're ready. If something hits the fan, then I'll call my IT guy or something. But it's actually a lot harder than that. And if you've ever been on the receiving side of a breach or remediating a breach, you realize how important an incident response plan is whenever you need it. So for example, if someone gets ransomwared, you know, whether the IT guy or your company is there and answering the phone or not, you know, is one thing. But what the actual pre-planned directives are, you know, sitting in what roles, you know, so do you need to contact your lawyer?
What communication needs to go out to customers or your employees? What's the decision process for leadership? Do you need to work with your cyber insurance provider? You know, on that specifically, a lot of times they require a lot of things from you. And if you veer off of what their required track is, you don't get coverage. That's just an example, but you really need to think through all these things before it happens, because chances are you're going to miss it in the storm of everything. And it's specifically mentioned in the memo that you need to have an incident response plan pre-planned, and then it'd be a good idea if you tested it as well, to make sure that things go right. And again, news alert to anyone that doesn't know, but all the controls already require you to have a plan in place for that. So bucket number four would be recovering from an attack, or rather, making sure you're able to recover from an attack. First, it mentions to test your backups. Again, I mentioned earlier, just because you have the backups turned on doesn't mean they're working. Most of the time when we come into a new environment and that hasn't been checked on a regular basis, they're not working, or some portion of them aren't, or they're corrupted. So you really need to test them, because things happen, especially with technology. And then second to that is make sure that they're isolated. The reason for that is that if your company gets hacked and the backups are on the same network that's hacked, then hackers know, and even just the malware and viruses that are coded know, to go look for backups. So it doesn't even require a person doing it. A lot of times they go look for backups and they'll go delete them, or they'll extract them and pull them elsewhere. But they know to look for that because, you know, the ability to recover from a backup really undermines the person that's attacking you, right?
So that is specifically looked for during a breach. The other part of recovering from an attack is that if you're on operational technology, and most of you guys are, unless you're just a full-on digital firm where everything's digital. Manufacturers are all running operational tech. So think your CNC machines, all your PLC cards, all of that stuff is operational technology. And so the memo calls out in there to conduct a test of manual controls to ensure that the critical functions remain operational if your organization's network is unavailable, hacked, ransomwared, down, or otherwise, you know, untrusted. So if you have to disconnect the operational tech from the network, you need a plan to be able to still run your shop floor, right? So even if your network goes down, you still need to ship parts. That's part of the resilience that the Defense Department is trying to build in their supply chain.
SPEAKER_00:So let's tie all of that together. Austin, can you explain why this is more than just a heads-up?
SPEAKER_01:You know, it's because the Department of Defense is not just sending out memos to look busy and stuff like that. So they're signaling, you know, what's coming next. So there is actually a concern at the Department of Defense, a heightened concern, for cyber threats. So that's the reason they're doing it. They wouldn't be doing it otherwise. I mean, they've already been saying very often how important CMMC is and how much you need to comply. I mean, it's been going on for years. The fact that this memo is coming out on top of the ceasefire and kind of everything that's going on in terms of the geopolitical stuff in the world right now, it's very intentional, because it's something they're actively concerned about. This basically means that even with the ceasefire, you should assume that, since they put this memo out, the cyber attacks are increasing. The war in cyberspace is always on, and the digital attacks that happen in cyberspace support the kinetic ones, like the bombs dropping in the real world. And when the ceasefire is happening, the cyberspace war is supplemental to it.
SPEAKER_00:So to tie everything together, Austin, what should a listener do this week in accordance with all of this news, the memos, and what's happening in the news right now?
SPEAKER_01:If we're thinking about the average small to mid-sized contractor, aerospace or defense manufacturer out there, really it all comes back to the controls that your contracts say you have to comply with, right? So the cybersecurity controls specifically are what we're talking about. And all the memo is saying, although very importantly and very urgently, is that you really need to make sure that you're doing those things. So we like to use your SPRS score as basically a starting point to determine where you are on the path for controls, right? Because that's what it's there for, right? So if you're a contractor out there and you don't really know where to start, go look at what your SPRS score says, what you said your SPRS score is, and then ask yourself whether or not that's actually true, right? So start there. And if it's not 110, which is a perfect score, or close to it, like actually 110 and not one that you're just kind of hope-and-prayer putting in there, then you need to get that score up, right? And do all those things the controls are saying. Second would be to go review your multi-factor authentication. Again, that's remote access, that's access across the network, and then your MFA for privileged accounts or administrative accounts. Then go check your backups. Make sure that they're actually completing. Maybe check that you actually have backups first, and then that they're actually completing correctly, and then test them. Make sure that you can restore from a backup, open a file or something like that. Make sure it actually works. Then check your patches. Basically, are your firewalls up to date with the latest firmware? Are your computers up to date with the latest Windows or Adobe updates? Are your switches up to date? Anything that runs software on your network needs to be up to date with the latest, at least security, patches.
And if you're not up to snuff on your SPRS score yet, there are quick wins that help protect yourself. So, you know, you can cover your butt a little bit from getting hacked and being forced to let the Department of Defense know that you're not doing what you're supposed to be doing. Now, we don't condone that, but we know people out there are in that boat. So if you're looking to really mitigate risk here, that's the first place to start. And then it would be going and implementing all the controls and doing what you're supposed to be doing. Another thing to do would be to use CISA's cyber hygiene tools. They're free out there. The Department of Defense provides them for you for the purpose of securing the supply chain. Or you could use commercial platforms that are important or compliant that can do the same thing. Another thing to do would be to schedule a response drill. So make sure that your incident response plan actually works and makes sense, through a mock disaster or hack or breach, and that your backups actually work. And if this is all over your head and seems very overwhelming, call somebody, get help.
SPEAKER_00:Of note, if you're having trouble figuring all of this out, we're actually offering a free SPRS roadmap session. So you can check that out in the description below. It can give you clarity on where you stand and what to fix first. In that session, we'll walk you through your current SPRS standing, a plain-English summary of your gaps, and also a clear roadmap to hit 110 so you can stay defensible. Most importantly, in the description below as well, we will link to the memo. So if you really want to go back and read that for yourself, you can do so. And we'll also put in the description those resources that Austin mentioned previously as well. So you'll have access to all of that great stuff. If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.