CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
The Role of NIST 800-171 in Your CMMC Assessment
Submit any questions you would like answered on the podcast!
Confused about where NIST 800-171 fits into your CMMC 2.0 assessment? You’re not alone.
In this episode of the CMMC Compliance Guide, Brooke and Stacey from Justice IT Consulting break it all down in plain English.
We cover the foundation of NIST 800-171, how it maps into the CMMC levels, what assessors actually look for during an audit, and the most common mistakes contractors make. We'll also touch on the latest updates, including NIST 800-171 Rev 3 and the DoD's enforcement timelines, and finish by answering real listener questions on VoIP, Microsoft 365, and more.
Whether you’re a small defense contractor or managing compliance for a larger team, this episode gives you the practical steps you need to stay compliant, stay secure, and stay ready for your assessment.
Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's topic is a big one that confuses a lot of contractors: what's the actual role of NIST 800-171 in your CMMC assessment? We'll break down how it all fits together, where companies usually slip up, and what assessors really want to see. And make sure to tune in for the end of the episode where we cover this week's listener question. All right, Brooke, let's start at the beginning. What exactly is NIST 800-171?
SPEAKER_01:Well, NIST 800-171 is the foundation of CMMC and the controls that you have to meet for CMMC. It's 110 controls across 14 families. They're really a good set of cybersecurity controls to follow, not just for CMMC, but anything else. CMMC just kind of builds on top of that in a few areas with DFARS rules and whatnot. But NIST 800-171 is the foundation for all the controls.
SPEAKER_00:With that being said, how does NIST 800-171 map into the CMMC levels?
SPEAKER_01:Well, there's three levels, at least now there's three levels. So there's Level 1, Level 2, Level 3. Level 1 is 15 or 17 controls, whichever direction you look at it from. But 15 controls for the NIST 800-171 really comes from the FAR 52.204-21. And that's really to protect FCI, Federal Contract Information. So, for instance, if you have an enclave that we've talked about quite a few times before, if you have a CUI enclave, which is going to be Level 2, you don't necessarily have to keep all your FCI there; it can stay outside of your Level 2 network as long as the rest of the network is protected at Level 1. So Level 2, it's all of your 110 controls across 14 families. It's also 320 assessment objectives in those controls. And that's the basis for probably the largest part of CMMC and what the whole thing is about. Most everybody, from what they say, most everybody is going to have to meet Level 2 and have a Level 2 certification assessment. There's going to be some people who don't necessarily have to have a certification assessment for Level 2 but can still do self-attestation. That has yet to be seen, who all is going to do what, but at this point, if you're Level 2, I would assume at some point you've got to get everything in place. So I would assume at some point you'll have to be Level 2 certified. If it comes out and you realize that you don't have to be Level 2 certified, great. You just saved some money. You don't have to pay for the certification. But you still have to do all the same things. All those controls have to be implemented. All the assessment objectives have to be met. But that's Level 2. Level 3, it's going to include everything Level 2 does, plus 24 or so additional controls. There's going to be a small subset of contractors that have to be Level 3. Most everybody we run into, we've seen it on contracts or they've been notified they need to be Level 2.
I don't know who's going to be level three, but there will be a few.
SPEAKER_00:So Brooke, when it comes to an assessment, how do auditors actually check compliance with NIST 800-171?
SPEAKER_01:So when an assessor comes to visit you, you're of course going to work with them ahead of time to make sure that you're ready, or at least as much as you can beforehand to make sure that you're ready. Once you and the C3PAO, the assessor, determine that everybody thinks you're ready to go through it, you go through it. And when they go to check the controls, they examine, they interview, and they test. Examine will be reviewing documentation, policies, network diagrams, proof that you have, all that kind of fun stuff. Interview is asking Sally Jo, you know, "Hey, show me how you log in to whatever system it is," you know, that they're looking at. Show me how you log in. And so she'll go and log in and she'll enter her username, she'll enter her password, and then she'll get prompted for MFA, hopefully. And she'll log in and she'll use her MFA to get logged in. And let's say, oh, okay, good. That worked. They'll interview, they'll ask questions. How do you do this? How do you do that? But they'll also test. And part of that testing is asking, say, "Hey, Sally Jo, can you log in and show me?" And so it's examine, interview, and test. And so when Sally Jo logs in, it shows that she used username, password, and MFA to get logged in. Then that's the test for that control or that assessment objective, whatever you're looking at at that point. But that's how they do that. You need to make sure you use MFA to log in anywhere you access CUI, whether it's to initially log into your computer, to log into the VDI solution maybe that you're using, or whatever it might be to access that CUI. That you're using MFA, multi-factor authentication, in case anybody doesn't know.
On logging, you're going to want to make sure that you're logging all of your sources that are key to the CUI enclave or within the CUI boundaries: your servers, your firewall, maybe Microsoft 365 GCC High, whatever it may be, that you're gathering all those logs, reviewing them, and all that kind of fun stuff. You'll have to prove that. Incident response is another one. How are you doing incident response, and are you testing it? The test doesn't have to be a full-blown bring-the-company-down test; it can be a tabletop exercise. You know, walk through it, make sure that the systems are in place. For instance, when you get to something like, "I've got to go submit a fake report," you go to the website on the computer where you're supposed to submit that report from. If you can't get to that site, well, now your tabletop exercise just exposed a hole, right? Because you can't get to the site to report that incident. So if you can't, then you need to look into why. Why is that medium assurance certificate not working? Or are you using the right computer, and all that kind of fun stuff? So make sure that's tested. But your system security plan, your SSP, should tell your overall story about how you're fulfilling those controls and protecting CUI. An assessor ought to be able to read that and get a good idea, and then they should be able to delve into your policies and get the detail about how you're fulfilling that control. Plans and procedures are how you're actually doing something, right? You can put all your detail, I guess, in the SSP, but typically your SSP is kind of high level, describes how you do everything, and your policies will contain a lot more detail.
SPEAKER_00:What are the most common mistakes you see contractors make with NIST 800-171?
SPEAKER_01:Inadequate scoping. So if you've not scoped your environment properly, if you scoped it too wide or you scoped it, we wouldn't call it too narrow, but you leave something out that you didn't realize was being used for CUI. That's one reason we tell you, when you're scoping, you draw that initial data flow diagram and you include people that actually do the work. So when you as an IT person and the general manager get together, you all draw out this wonderful data flow diagram, and you think, yeah, that covers everything. Well, when you actually involve people that actually do the work, they say, well, yeah, but we also do this and this with it. And it goes into this system and that system. And you're wholly surprised that you didn't get everything in. But you can't know everything. You've got to understand exactly what people are doing with things. Maybe it's a business process that needs to change, or maybe your data flow diagram needs to reflect that process. But inadequate scoping, and scoping is built upon that data flow diagram, so that's the number one thing that you might call a mistake, or just an omission, a sin of omission, I guess. So that's the number one thing. The other thing we see a lot of is missing or weak documentation. So your policies. I just described how your SSP and your policies, and then your plans and procedures, what they should look like at a high level. I know I didn't go into detail on each one, but the SSP, again, it's a high level: this is how we're implementing these controls. Policies get into the details, thou shalt nots, and how you're actually fulfilling that, the systems that are involved, and all that kind of fun stuff. So a lot of times, there are a lot of other compliance regimes, SOC, I'll reference that one, that you may not necessarily have to have really strict detail about. Well, this one, you do have to have that detail.
Those assessors, when they come to assess you, they want to be able to understand and they want to be able to read what you have. And I tell people all the time that they've got to be able to read your SSP and understand, as an outsider, what it means and what it's saying, and then they have to be able to read your policies and understand really what you're doing. If it's just some overall, you know, "we protect CUI, we don't let it, you know, it's supposed to be in all the correct systems," and, you know, that kind of stuff, they're like, well, what does this mean? You know, so all your assessors are going to be technical people, but they may have been out of it for a year, two years, 10 years, 20 years, doing assessment-type things. But they are technical people. They understand the technical details. They're an outsider. They're not necessarily in IT or in your business because, again, not all of this is about IT. In fact, most of it's not. But it needs to be written where an outsider can understand it and glean details out of that. MFA is another one of those things that people kind of miss. MFA, it was clarified. MFA does need to be implemented anywhere that you access MFA across a network or remotely, or any kind of privileged functions, admin-type functions. So basically you have to implement MFA everywhere. So MFA is one of those that people miss consistently. Risk assessments is another one. You've got to assess your risk. You need to assess it, say, annually. It's not just a checkbox that you can go over once and you're done. You've got to assess your risk all the time. You also have to assess your security controls to make sure that your security controls are still applicable. We do each of those annually, for us or clients. We do each of those annually. Change management is a big one. Change management is easy to not follow.
You know, when you get in the business of doing business every day, if there's a problem, you just need to fix that problem. So change management is a big thing. You know, if you have some changes coming up, they need to be documented. They need to be approved. You need to at least look back on it, if nothing else. You do need to follow your change management policy and procedures.
SPEAKER_00:So there's been a lot of news lately surrounding NIST 800-171. Are there any updates people should know about?
SPEAKER_01:Yeah, so there is NIST 800-171 Revision 3 out there. The last, the CMMC 32 CFR rule that came out that defined CMMC locked it down to NIST 800-171 Revision 2. So we're hard-coded to Revision 2 until they change that. And they'll have to specifically change it. Everybody kind of expects them to change to Revision 3. And everybody, really, most people I talk to expect the change to be to keep pace with the current revision of NIST 800-171. Right now, that's Revision 3. I haven't kept up. I don't know if Revision 4 is out there or not, or if they're considering anything. But the idea is to keep pace at some point. But right now, while they're trying to get CMMC implemented, they've hard-coded it to Revision 2. So probably we'll look for that to change in a couple of years, maybe, something like that. They want to get this under the belt and going. And the thought is that Revision 3 may come into play. They may change the rule and say it comes into play when your certification comes up for renewal. You wouldn't necessarily have to do that in the middle and change it. Oh, you know, I just got certified six months ago. Now there's Revision 3 and they said we have to be, you know, certified on that. So they expect not to change it in the middle and most likely just to be on your next certification assessment. Whenever that comes out, it's not come out yet. Like I said, we're still hard-coded on Revision 2 for NIST 800-171 right now. For the foreseeable future, we will be. The big news right now is that as of this podcast recording, the 48 CFR has passed review and been handed back to the DoD. It's come out of OIRA, and so they've blessed it and said, you know, you're good, and so it could be published tomorrow. Well, no, today is a Friday, so... It won't be published tomorrow. Not that you know that, because you're watching this on a different day. But it could be released very, very shortly. But who knows?
Clock is ticking. It's coming out. I would expect it, if nothing else, to be right around the 1st of October if they haven't already released it by then. But that 48 CFR is what puts CMMC in place on contracts. And that's a big one. When it comes out, you have a definite timeline when you have to start getting your Level 2 certification. There's no more waiting and playing the game to see if you're going to have to do it or not. The clock is ticking then, a definite clock. It's been ticking. It's just nobody knew towards what date. So now you'll have a definite date once that gets released. And there's four phases to it. The first phase is pretty much exactly like what you're doing right now, except you have a, you know, definitive date. The second phase, they're all a year each, so the second phase, a year from whenever it comes out, is going to be when those Level 2 certifications are implemented on contracts. And that's on new contracts, that's not existing contracts. So really, technically, I guess, you know, if you don't want to win any new contracts for a while, we'll just say October 2026, then you can probably wait a little while, but new contracts will start to have that on there. Absolutely. The other thing is, and I wish I could remember who it was, but there's an entity that has fallen victim to the False Claims Act. They said they were implementing these controls, and it turns out they weren't. And not just that they had tried and didn't do it right, but they just weren't. So that's a False Claims Act case. I believe there was some sort of breach, but they self-reported that they didn't have these things covered, and they were given a little bit of leniency, but they still got like a $1.7 million fine. So if that's leniency, I guess the leniency would be that the fine wasn't bigger and they didn't get sued or anything. But the False Claims Act is a big deal, and they are using that, and the DOJ is going after people on that.
So just be aware of that.
SPEAKER_00:So, Brooke, for the small defense contractors just trying to get ready, what are the practical steps to bridge that gap with NIST 800-171?
SPEAKER_01:If you're a small contractor and trying to get ready, it depends on where you're at, but I would say... Stop where you're at. Look back. Have you drawn that data flow diagram we keep talking about? First of all, just do an overall data flow diagram that includes CUI and non-CUI so you can figure it all out. But the data flow diagram that an assessor is going to want to see has to do with CUI. So have you done that CUI data flow diagram as a basis for trying to determine where your system boundaries are, what is in scope for CUI, and what's in scope for FCI, really? But your CUI boundary is really what you need to be aware of and need to scope properly. So start there. If you're already 50% down the road, I guess, maybe, however you gauge that, stop and make sure that you've done that and that you've included all the systems that need to be included, that you've really put thought into that, because you may realize that, oh, we didn't include some of these systems that we're using. Do we need to change our business process or do we need to amend our scope? You know, what do we need to do? So that's a big thing. I'll talk about it again. Your SSP, build a good, strong SSP that tells your story about how you're protecting CUI, tells your story about how you are fulfilling those controls and those assessment objectives. If you go to the assessment objective level, the auditor, excuse me, not the auditors, they will bristle if you call them an auditor, but the assessors will really, really do like to see this brought down to the assessment objective level. Because some of the controls are a little broad, but when you read the assessment objectives, it makes them a little more clear. So a good, strong SSP is a good thing to make sure you build. It's your first document that gives a good overview. Prioritize those high-risk controls and low-hanging fruit also that you can get covered pretty easily.
MFA is one of those. Gathering and protecting your audit logs. We always recommend a SIEM. The controls are written, really, where you don't have to have a SIEM. A SIEM is a security information and event monitoring system. So you don't really have to have a SIEM, but the way the controls are written, you really need a SIEM to cover all that, because what a SIEM does for you is it helps you go through all those logs, tens of thousands of log entries, or hundreds of thousands, depending on how many systems there are, how big the systems are, how many people there are. Anyway, but there's a lot of log entries. And for a person to actually sit down and review those log entries, really it's impossible to do properly. You can say you're doing it, and an assessor might be okay with that, but they're going to want to see proof. They're going to examine, interview, and test to determine if you're actually doing that. And there has to be proof that you're doing it. You can't just say, oh, yeah, yeah, sure, we're doing that. So a SIEM really helps bridge that gap to where you don't have to dedicate a person to reading logs. So a SIEM helps bridge that gap. Usually it's a pretty easy thing to put in place, so that's a really important one. The other thing is, once you've gone past that, just make sure all your documentation is in order. Make sure that your SSP and your policies and any plans and procedures are all signed off on, authorized, and make sure that you're gathering your proof. Make sure that all the stuff you say you're doing, you're actually doing. So those are the things that a small contractor can look at, from going back and reviewing the beginning to going through, catching some low-hanging fruit and stuff like that.
SPEAKER_00:All right, Brooke, we are going to tackle this week's listener questions. Bobby left us some lovely questions that we can address here. So the first question is, how are VoIP systems handled in CMMC 2.0?
SPEAKER_01:That is a good question. So from what I understand from assessors, if you have a VoIP system on premise, it doesn't necessarily come in scope because it's in your boundary. If you discuss CUI over a phone, then anything outside that is carrier grade, however the connections may be to the carrier. So that's okay. Hosted VoIP systems, that's where the sticky part comes in. From what a lot of assessors have said, they're going to look to see that those are secured and that they... If it's a cloud-hosted system, it's got to follow all the same controls, right? So that's a really tough one. If you have a traditional phone system, that is similar, I guess, in scope to an on-premise VoIP system, but if you have an on-premise phone system, same thing. You don't have to... It's not... It doesn't have to meet the same requirements because it's on-premise and within scope. But the hosted VoIP is a sticky issue. A lot of times you can, if you've got Zoom, Federal Zoom, whatever they call that, I think it's Zoom Federal. Anyway, Zoom Federal, or if you've got Microsoft 365 GCC High and you use Teams, that can be used. So some of those systems can be used because, of course, they're federal. So you can cover it that way. And that's a good way to cover that.
SPEAKER_00:Bobby's second question is, if Bobby moves to Teams, would that be an issue?
SPEAKER_01:Well, the good old answer of "it depends." And I think there's another question here that this will touch on as well. Teams will be an issue if you discuss CUI over Teams, or if you have, I mean, Teams, you can store files in there and all sorts of fun stuff, right? So if you're using commercial 365, yes, Teams is an issue. If you're using GCC, there's a limited fit for Microsoft 365 GCC. If you're using GCC High, then, like, as long as everything's configured properly and all that kind of fun stuff, then yes, that should be fine.
SPEAKER_00:Next question from Bobby. What about a company like Dialpad.com?
SPEAKER_01:So Dialpad.com, if I understand properly, uses some AI and helps you with meetings and selling and stuff like that. I would definitely try to scope that out of your CUI environment and try to really scope it out of your FCI environment. You can still use it to talk to potential clients and stuff like that, I guess, but you've got to be careful what goes in there, right? So that's one of those things that's just unfortunate, but because of all the new cool stuff coming out that can help, it can also be a problem. So that's one of those things that you've got to watch. I would personally just scope it out and make sure that everybody knows that you can't discuss any CUI over that.
SPEAKER_00:Bobby also wanted to know, how will M365, so Microsoft 365, be evaluated in the audit?
SPEAKER_01:Well, it depends on whether it's scoped in or scoped out. It depends on how you're using it. But assuming it is in scope, then they're going to evaluate however you're using it. So if you tell them that, yes, we send and receive CUI through email, and yes, we store CUI on the platform, then it's going to be evaluated for all the controls that matter. The thing that I'll tell you is that if it's in scope for CUI, Microsoft 365 Commercial will not work. Microsoft 365 GCC, which is Government Community Cloud, can work in some narrow instances. If you want to be safe, Microsoft 365 GCC High will work. So again, everything has to be configured properly, but that's how they'll, if it's in scope, they're going to evaluate it against all 110 controls. Again, commercial won't work, GCC in a narrow scope, and GCC High will work, will definitely work for you.
SPEAKER_00:On that same note, Bobby was curious if they need to use Business Premium or will they have to move to Microsoft 365 E5?
SPEAKER_01:Well, you can't use Business Premium or E5 or E anything, because those are on the commercial platform. And this is assuming that it's in scope for CUI. So if it's in scope for CUI, you have to move to a GCC or GCC High version, and those plans are going to start, well, not all the plans, but anyway, there'll be Microsoft 365 GCC G3 or G5 or something like that. And everything will have either G3, G5, or federal government or something like that in the title. But it has to be on that platform. Premium is not on the GCC or GCC High platform. And neither are the E5 and E3. E5 and E3, I believe, roughly equate to the same G series that's on those platforms.
SPEAKER_00:Thank you, Brooke, for answering those listener questions. If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.