CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Are You Really Ready for a CMMC Assessment?
Think you’re ready for your CMMC assessment?
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the difference between being “paper ready” and truly “assessment ready.” From documentation gaps to overlooked technical controls, they share insider tips to help you pass with confidence.
We’ll walk you through the common blind spots that can derail an assessment, how to stress test your compliance program, and what assessors really look for when they walk in the door.
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. In today's episode... We're talking to those of you who have already put in the work for CMMC. Maybe you've written your policies, completed your SPRS self-assessment, and upgraded your IT stack. You've checked a lot of boxes, but there's still a nagging question in your mind. Will all of this actually hold up under an assessment when it actually matters? If you've ever looked at your compliance program and wondered how ready you really are, you'll want to stick around because we're breaking down exactly how to tell whether you're paper ready or truly assessment ready. So today I want to start with something we both see all the time. Companies think they're ready, but most aren't. Why is that?
SPEAKER_01:Well, mostly, you know, a lot of companies, they implement regulations. CMMC, and it's going to be based on what they think and how they view the controls and maybe, if they're lucky, how they view the assessment objectives. A lot of them don't pay attention to much of the assessment objectives, but it's also what they see on Reddit and some of the other things, Substack and whatever else there may be. They pay attention to that, but they haven't had somebody come in and really challenge their assumptions and look at it and say, that looks great, but that's not exactly what that control is talking about. You've got to look at the assessment objectives. So a lot of times it's not– it's their view of it, which can be fine as long as you can argue your view on some things and say this is why we're doing this. For instance, we talked about– people asked some questions about a sole– not just a sole proprietor, but a one-man shop. They have some contracts. What do they do about the... Screening. Screening. Thank you very much. What do they do about the screening? And there are some assessors that say, well, it doesn't really apply because they're the owner and all that. But a lot of assessors, we've heard this more often than not, will say they still have to do it. It's a control and they still have to do it. It doesn't say what screening is. You don't have to go do a background, a full criminal background check and do a drug test and everything else. You get to say what it is. You just have to argue it to the assessor. Which is fine. There's a number of things you can do. Austin actually asked the question on LinkedIn. And so go to Austin's or is it CMMC? No, it's my LinkedIn. Go to Austin's LinkedIn page. Look at the question he posted and look at the answers. It's very interesting. And some of the solutions they say you can do as a one-man band. But those kinds of things you could argue and say, look, this is just me and this is the way I do it.
And it's documented. It's in policy. I can prove that I did this. Which brings me to the other thing that people get wrong a lot is that they don't fully document everything. And you have to have a policy. Many things you have to have a procedure and/or plan in place on how to do these things. So you don't fully document it. The other thing is you have to have evidence. And the more evidence you have for an assessor, the better. So they don't have evidence that they've done these things or documented. So it's good to show an assessor, hey, here's my evidence from X date whenever I went through this, and now here's evidence from now when you're coming to assess me. It's good to have that evidence so they can look at it and it gives them warm fuzzies inside. I guess that's a gap between being paper ready and truly ready, but you could also phrase it as being a gap between technically ready, with some technical controls in place, and not being truly ready, or being paper ready, with the documentation, but not being truly ready for it.
SPEAKER_00:Yeah, I think it's hard to say. My first gut reaction is that we typically see that most people are far better on the technical controls than they are in documentation, and their documentation is typically lackluster. But oftentimes, it's the reverse as well. You know, their documentation saying one thing, but the controls are just not in place or it's only in place on a subsection of things. Like you may have MFA on your email, but not on local network access for CUI or something like that. So, you know, that's another thing: you may not have thought holistically about the control and the objectives that you're trying to meet. And guess what? The assessor's going to.
SPEAKER_01:And how do you figure that out with what's in scope? With a CUI data flow diagram. I mean, it's the very beginning. You make that diagram out, you design it, and you list out everywhere you get it from. I mean, literally everywhere. You don't just say, oh, I'll get it from the cloud. Yeah, but where in the cloud? Where do you get it from? Does it come through? Does it come through email? Does it come through Lockheed portal, Bell portal? Where does it come from? Where does it come from? Which systems of yours does it touch? And that includes physical systems like your computers and servers. It includes software like your ERP or MRP. So, yeah, you've got to do that CUI data flow diagram. I've harped on that and harped on that. I know you probably get tired of it if you listen to these episodes. But that is a very good thing to draw out and to make sure you take in everything holistically.
SPEAKER_00:Maybe that's the next T-shirt we need. You've got documentation, documentation, documentation. Maybe we need something like... about the data flow diagram or all roads lead back to scoping.
SPEAKER_01:So I went on so much about documentation and would say documentation, documentation, documentation. And so they gave me a hard time and they ended up making some shirts. So you may see us at a conference or two wearing these shirts.
SPEAKER_00:Hey, they're loved. You know who they're loved by? The assessors love them. This is true. So talking about the assessors and them loving that shirt, which may be the shirt you want to wear whenever your assessor comes in, when they come to assess you. But only if you have your documentation sorted out.
SPEAKER_01:That's right. If you don't have your documentation sorted out, don't wear a shirt like this.
SPEAKER_00:Don't imply that you do. So let's get clear. Yeah. When an assessor walks in the door, what exactly are they looking for outside of your shirt?
SPEAKER_01:Outside of my shirt? Well, if they're looking for my shirt, let me know because that would be awesome. Aside from that, the first thing they'll want is your documentation. And your documentation is going to include your system security plan, your SSP. It's going to include, hopefully not a POAM. Hopefully by the time the assessor gets there, your POAM is clear. But it's going to include your policies also. It's going to include any plans or procedures you might have. It's going to include lists of authorized lists of users, devices, processes, stuff like that. It's going to include evidence. Evidence is documented, so that's documentation. They're going to want to see all that. And what I can tell you is the more you have that and the more it tells your story and it all works together and fits together and is not incongruent, it makes sense. it makes that assessment go a lot quicker and a lot easier. So if they can see that you've done everything, they go and they perform a few tests or interviews or whatever it may be, and they see that it works with your documentation, they feel really good about it, as they should. I mean, if you've got it all defined really well and then they go see that things are in place, you know, there's a lot less questions and it goes a lot quicker. Mm-hmm. And they want to see the things that are documented. They want to see– I've just talked about really the testing and the interviews with employees. But they want to see that those controls are implemented. They want to see that when you log on to a system that there truly is MFA. There's the MFA prompt. Yeah. Or how will you implement MFA? So yes, they want to see those things. They want to see the documentation. And then when they test, they want to see that that matches the documentation.
SPEAKER_00:All right, Brooke. So we go in all the time into companies and we get to see what kind of position they're in when they bring us in for CMMC compliance. And typically, they're somewhere on the spectrum of not compliant at all, hasn't done anything, all the way to, you know, we think we're ready for an assessor. I don't know if I would say all the time, but most of the times we typically identify some common blind spots or some traps that they've fallen into that they haven't thought about yet. So can you just go over what are the common blind spots or traps that companies have fallen into that think that they're almost ready or are ready for assessment?
SPEAKER_01:Sure, sure. So if you have some... monitoring tools that are defined in your policies, for instance, you may monitor whether your SIEM is working or not and whether the SIEM service is running or something like that. And if it doesn't generate an actionable alert that it's failed or something, then that's an issue. So you have to have actionable alerts from any monitoring you do. SIEM is another thing. You know, you may say, yes, I'm monitoring all my logs. Generally, the way you do that is going to be a SIEM. You don't have to use a SIEM, but really, you know, to be secure, you really need to use a SIEM. And it fulfills that control a lot easier than trying to say that you review those manually, right?
SPEAKER_00:It's also a lot cheaper than hiring somebody.
SPEAKER_01:It's a lot cheaper than hiring somebody. It's a lot cheaper than spending your time reviewing those logs. But if you implement a SIEM, you know, yes, I've got a SIEM. It's implemented. I'm monitoring all of my Active Directory logs. Great. What about your workstations? What about your firewall? What about Microsoft 365 GCC or GCC High? Or what about these other systems you may have? Are you monitoring those logs? Oh, well. Maybe not. So that's a very common one. You think about, and again, it goes to scoping. You got to think, or the data flow diagram I was talking about, and keeping in mind all the systems that are in scope. So you got to think about that and make sure you include all those systems when you're designing out your technical controls, right? User accounts not aligned to their roles. Say there's a, there's a... I think we've seen that at one every time. I think I can safely say that. Absolutely. People have a tendency to give people more access than they need because it's easier to do, or maybe they can't figure out how to get something done quickly and easily. So they have a tendency to give people more access than they need. You know, maybe an accounting person doesn't need access to actual CUI, but it was easier because people put this particular thing over on the CUI folder that they need. Do they really need access to that? Or can you carve that out and do it a different way, change the workflow just a tad, and make it to where they don't have CUI access? And generally, people will say, these people have CUI access. The accounting folks, no, the accounting folks don't need it. It turns out a lot of them haven't, so they have some access to CUI.
SPEAKER_00:Also, for larger companies that do have IT departments, A lot of times we'll see that they have taken care of everyone else and made sure that they have role-appropriate access controls. But the cobbler's children have no shoes, and they have, for the IT department, not done the appropriate task of doing the same for themselves. Oftentimes because it– it is a pain in the rear as an IT person to have to switch counts and stuff, but that's what you have to do, and that will fail you in an assessment.
SPEAKER_01:It'll fail you in an assessment, and it's... It really is. We've done that a long time ago like a lot of other folks have done. Our daily use account, the one that we log into the computers with and whatnot, is not an admin account. We don't have access to the admin tools. We have to log into something else with MFA to get access with a different account. So that's what you need to do. That's just really it's– Cybersecurity 101, and it's a good thing to do. What I can tell you if there's some IT folks out there listening to this is that once you get used to doing it that way, it's just a no-brainer, and it just works, and you just get used to it. It's like ripping a Band-Aid off. It is. It's like ripping a Band-Aid off, and cybersecurity is inconvenient, but you've got to do it. Yeah. Just recently, we know a person in a company that, I guess, got caught with their pants down, if you might use that phrase. But they were logging in with admin as their daily account, and they got compromised. We'll just leave it there. No more details. But it does happen, even with the smartest people, even with– other things in place, it does happen. So that's one of those things you've got to not do is log in with a privileged account. You go do that only when you have to, separately from your account.
SPEAKER_00:I was going to use an analogy that's topical. Doing that is a bit like getting caught at a Coldplay concert with your HR officer.
SPEAKER_01:Yeah, that's very accurate, yes. So another one I have written down to remember is that you've got all your policies, you've got all your plans, you've got your procedures. They're all written. They're all documented. They're all there for everybody to use and look at. But they actually don't go look at them or anything, right? And so when an assessor needs to be able to pick out an employee, how about Sally Jo? We need to go talk to Sally Jo. And so they go talk to Sally Jo, and they say, you know, I don't know what question they might ask her, but they're looking at particular controls and they might say, where do you have access to CUI? Well, what's CUI? There's problem number one right there. And that will stand out to the assessor. But yes, everybody has to be aware of CMMC, CUI, how to protect it. They need to know their role. That's specifically called out in the awareness and training. And not only that, if you have a third party helping you and working with you on this, that's great. They can help you get it implemented a lot quicker. You still have to know and understand it. You can't just... blindly follow what they do, what they say to do, and just say, go implement it all for me, and I don't want to know. You've got to be involved. You've got to understand. You've got to be able to answer some questions from the assessors. So you and your employees need to understand, and you need to understand per your role how you're supposed to deal with CUI.
SPEAKER_00:Yeah, that's a lot of times– working with customers and prospective customers. Like, I just want to hire you to do it for me. And it's like, well, if I could sell it to you legally and for an assessment to get past, I would, but the CMMC doesn't work that way. The furthest you can get is done with you, you know? Because at the end of the day, the assessor is going to be... you, your RPO, the person that you're hiring, your compliance consultant can be in the room and there to help, but they're looking at you on assessment day. And like you said, you need to be ready for them to also ask your employees that have access to that as well. So you can kind of treat it like a random drug screening, you know, like you'd be able to pick any one of them out of it at any point in time and ask them a random question. They pass, you know. Right. So that's kind of the level you need to be at, which is not impossible. You know, these do not need to be people that are super technically proficient. They simply need to know that what they're dealing with is controlled and how they're handling it. And if you can just kind of drill them on that and train them up, it is not the easiest, but it's also not the hardest thing to accomplish.
SPEAKER_01:And that can all be part of your awareness and training program. Right. That's a really easy thing to do. The next thing I have is vulnerability management. You have to manage your vulnerabilities in your environment. You have to show that you're doing something, right? And you have to show that you're aware of what vulnerabilities are out there, that you've tested for them, and addressed them in some manner. It doesn't mean that you have to absolutely 100% clear every single vulnerability. You have to assess it, figure out the risk, figure out the importance and the criticality, and go through it and address it how you see fit. But you have to actually manage those vulnerabilities. You can't just say, yes, we scan for them and so on, and then we don't do anything, or maybe we scan for a subset or something like that. You have to understand all the vulnerabilities in your system. If you've got an ESP, not a CSP, or even if you've got a CSP, that's an ESP.
SPEAKER_00:Which could be misconstrued as an MSP.
SPEAKER_01:So, too many acronyms. If you're, you know, if you're not sure, an ESP is an external service provider. A common external service provider is going to be a cloud service provider, which is like Microsoft 365, Amazon Web Services, stuff like that. Maybe you have a cloud backup. That would be a CSP. A cloud service provider is a CSP. And the Department of Defense, in all their infinite wisdom, has said that there are ESPs, and some of those ESPs are CSPs, but then the other ones are called ESPs, not a CSP. Yes. Love that one. So, and, you know, I guess I understand why they did that because there's a plethora of TLAs. Which is what? Three-letter acronyms. There's a plethora of TLAs that define all the rest of the ESPs. And we are one of those. And we're called an MSP, a managed service provider. There's also a managed security services provider. And you can go on and on. And I guess that would be a four-letter acronym, not a three one. But if you're relying on a CSP or an ESP, not a CSP, and that could be an MSP like us that's helping you implement these controls, whether just technically or whether, you know, the whole nine yards, how they're helping you. You've got to make sure that they're ready also because their services have to be compliant. Your controls will flow down to them. Right. So the ones related to the services that they're providing you. So if they're just providing you antivirus, for instance, the controls related to that will flow down to them. The rest of them won't. But they do have to show that they meet those controls.
SPEAKER_00:And news alert, if you're using an MSP and they're only providing one or two services, say antivirus, and not the whole enchilada, as we like to say– They typically, the way MSPs work, IT providers work, is they've also installed other software to help facilitate and support, like say your antivirus that you don't know about, which will fall under the scope of assessment, even if they haven't told you about it. So typically it's a remote monitoring agent that helps them manage the antivirus and whatnot, and also gives them remote access into your network. And by proxy, or not by proxy, but directly to your CUI, which is now in scope.
SPEAKER_01:Generally, they're not going to be installing software you don't know about necessarily, but it'll be part of your agreement with them. If they're just providing just antivirus, I don't really see anybody doing that these days, but if they are, they're probably also providing support, whether it's hourly support or whatever it is. If they provide you support, then they've installed something on your machine to be able to remote in and help you out. So those tools are going to be in scope as well for what they do and the services they provide you. So I guess really what we should say is if they're providing antivirus and remote support, something like that. Right. But the point is, they will be in scope and they will be assessed against the controls for the services that they provide you.
SPEAKER_00:Okay. So someone's at home right now listening and they think they're ready, but they don't want to pay a big bill or down payment or deposit to an assessor. And they want to do some stress testing and figure out, am I actually ready to pay this person and spend this money? How can they stress test their CMMC program?
SPEAKER_01:When you're going through the implementation, you get all caught up in the weeds of how you do this and how you do that and all that kind of fun stuff. It's good to step back once you're done for the stress test, for instance. So step back once you're done and then go through every control and go also through every assessment objective because every control is made up of one or more assessment objectives. So go through all those assessment objectives and make sure that you can prove it's implemented somehow, somewhere. A lot of, hint, hint, a lot of it is about documentation, documentation, documentation. So, you know, do you have your authorized list of users, processes, and devices, you know? Do you have that? Is it actually, it's not just a list of devices. It is a list of authorized devices. Who authorized those, you know? And does that match your policies? So you go through and make sure that it's provably implemented, that it is. Read the words and make sure it's implemented fully. You go through and do that. Once you go through that, that helps out a ton. Another thing that you can remember is you'll have to have documentation of your evidence. So screenshots, logs, stuff like that, that show that you're doing something. what you say you're doing. It'd be really good to have those screenshots in there from sometime before the assessor comes and then to have those again to show them, yes, they were implemented back 18 months ago and now you're here and they're still implemented. You can see that here. Talk to your users and say, hey, Ask them some questions you think an assessor might. My favorite lady, Sally Jo. So Sally Jo, would you log into your computer and show me the MFA, okay? Can you show me how you access CUI? You know, if she asks you what CUI is, then you say, well, I can tell you haven't taken your training or you did not retain it. So you might want to address something like that. So just... You know, quiz your users. 
It doesn't have to be a big formal thing necessarily, but just check on them and make sure they understand and are actually going through the training. But if you have an MSP, for instance, make sure that what you really need from them, if they provide you any services that are protecting CUI or have access to CUI, then they need to provide you a CRM. So a CRM is a Customer Responsibility Matrix. And so it just lists out, hopefully by assessment objective, what they do, what they're responsible for, and what you're responsible for. And it's clearly defined and understood, right? It doesn't have to be lengthy necessarily, but it needs to be understood who does what. And so you should have that. If you don't have that, ask them for it. They very well may be just implementing these. If they don't have a standard or if you've got some custom services, they might have to make one special for you. But they should be able to give you a CRM. And the CRM is based on the CMMC and NIST 800-171 controls. If they don't have a clue how to begin writing a CRM for you, that's probably a red flag about, you know, maybe we need to rethink this.
SPEAKER_00:Yeah, and you really want to tread lightly there because once you get certified using a provider, if they're not fully bought into you– you know having this compliance as a customer then you're married to them more or less until your next assessment comes up because you can't majorly change things and if they're providing a major service and you feel like you might be a bit of an afterthought to them because you're you're compliant in a way that a lot of their other customers aren't, just keep that in the back of your head. Maybe they're fully on board with helping you out, but you need to make sure that they're going to be there for the term of your assessment, and they're going to stick around providing that, and it's not on rocky footing.
SPEAKER_01:You know, the only other thing is, and it's kind of a hard one to gauge, but would you be comfortable if an assessor showed up tomorrow walking them through this, explaining everything, and them understanding and being good with what you've done. And that's a roll of the dice, but you've got to think about that. If I have a third party come in and check this out, Can I explain it well? Are they going to be on board? Or are they going to question me? Did I really bend over backwards and twist around too much to say this control is fulfilled? And if you did bend backwards and twist around and everything else to say why this control is fully implemented, then maybe you ought to rethink it. Maybe you ought to figure out another way to fulfill that. It may be okay, but what I can tell you is people come up with some really wacky reasons why a control is fulfilled. And you just need to fulfill it, and you just need to take care of it with no question. Some of them are complicated anyway, but... But you just need to try just as straightforward as possible to fulfill these controls.
SPEAKER_00:Yeah, avoid exceptions.
SPEAKER_01:Yes, avoid exceptions. And the one thing I see a lot is– and it's less and less now, thank goodness, because they actually did– DOD did come out and clarify this. But there was one going around that encrypted CUI is no longer CUI.
UNKNOWN:Mm-hmm.
SPEAKER_01:Yes, it's CUI. Encrypted CUI is CUI. It's just encrypted. Which is what you're supposed to do with CUI. Yes, yes. Yeah, you've got to be able to explain these things to an assessor and... Basically, you've got to be able to explain it and feel good about it.
SPEAKER_00:Comfortable with them showing up?
SPEAKER_01:Comfortable-ish because I don't know about you, but that always gives me the heebie-jeebies anyway. Somebody official coming in to say, yes, we're going to approve you or not to keep your million dollars worth of contracts.
SPEAKER_00:Right, yeah. Thank you, Brooke. Appreciate it as always.
SPEAKER_01:Absolutely. I hope people like our new sign.
SPEAKER_00:We did not mention it.
SPEAKER_01:No, we didn't. The whole thing, and I just turned around and realized that we haven't mentioned that. We like it. So hopefully you like that sign.
SPEAKER_00:Drop some comments or hit us up if you like it. Or if you don't, don't hurt my feelings. It's okay to hurt his feelings. No, I'm kidding. Hopefully it improves the audio and visual nature of the podcast. I think most people are listening anyway, so I think this might just be for... That's true.
SPEAKER_01:If you're listening, you can't see it anyway. So we'll just tell you. It looks really cool.
SPEAKER_00:Yeah. Yeah, go check us out on YouTube and see what we're talking about. So, all right. Again, thanks, Brooke. Guys listening, if you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Please text, email, or call in your questions. We'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.