CMMC Compliance Guide

How to Prove CMMC Compliance to Prime Contractors (Before You Lose Contracts)

• CMMC Compliance Guide • Episode 35

Submit any questions you would like answered on the podcast!

🎯 Get your Free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
Our experts will review your SPRS score, documentation, and setup to help you hit 110 with a clear action plan at no cost.

Prime contractors like Lockheed Martin, Raytheon, and Parker Hannifin are demanding proof of compliance before awarding new work — and subcontractors who can’t prove it risk losing contracts.

In this episode, Brooke and Austin from Justice IT Consulting explain exactly what primes are asking for, what documentation they expect (SPRS, SSP, POA&M), and the most common mistakes subcontractors make when trying to prove compliance.

You’ll learn:

  •  Why primes are suddenly enforcing subcontractor compliance
  •  What documents and proof you need ready (SPRS, SSP, POA&M)
  •  The biggest mistakes that lead to False Claims Act risk
  •  What happens when you inflate your SPRS score
  •  How to show compliance even before your Level 2 certification
  •  What steps to take now to get audit-ready and stay competitive


Whether you’re still working toward compliance or just need a second set of eyes, this episode breaks down how to prove your CMMC compliance with confidence — before your primes stop sending work your way.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap

Speaker 00:

Hey there, and welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're tackling a big issue for subcontractors. Prime contractors like Lockheed, Raytheon, and Parker Hannifin are all watching, and more and more often these days they want proof of your compliance before they'll start handing you work. So, what exactly are primes looking for? And how can you stand out as a trusted partner? All right, Brooke, let's start at the top. Why do prime contractors care so much about subcontractor compliance?

Speaker 01:

Well, they have legal obligations to make sure that their subcontractors meet the same compliance that they do for each of those individual contracts. The DoD has specified that there's a flow-down. It's always been in there, but they have specified that there is a flow-down and that you have to make sure that any of your subcontractors that deal with CUI on that contract have to be at the same level you are. So all of that's always been there, but there's a legal risk for them. And there's also risk management, of course. If a subcontractor drops the ball, or any other number of problems, that's on the prime contractor; it affects the prime contractor as well. And they want to make sure all of their contracts are well secured and not in jeopardy.

Speaker 00:

Now that we've got that covered, what is it exactly that prime contractors are asking their subcontractors to show or prove?

Speaker 01:

Sure. So what we know, what we hear from our clients, what we see and help them with, is the primes are asking for SPRS scores. What's your SPRS score? When was the latest one you updated? How long ago was it? All that kind of fun stuff. And then some want to see your SSP. I can tell you that some of the compliance departments are very picky on those SSPs, and they want them to match the format and the numbering exactly. If it doesn't match, then they're like, well, I don't understand. And you say, well, see, the numbers here match.

Speaker 00:

If you look at it anyway. But the point is, there are a lot of things that aren't particularly required by CMMC, but nonetheless, to play ball, you have to do it a certain way.

Speaker 01:

Without going into a specific example, sometimes those compliance departments don't know the whole story. They don't necessarily understand the whole trajectory of CMMC or anything like that, so they just know what's put in front of them. They want to see your SSP, and they want to see that everything matches the numbers on the controls and everything else. So that's what they want to see a lot of times. They'll also ask if you have a POA&M. If your score is less than a certain amount, definitely less than 110, but some of them will set it at a different level, and if you're less than that, they want to know if you have a POA&M in place, a plan of action and milestones. It's a to-do list to get to 110. So they'll want to know if you have a POA&M in place and when you plan on having it cleared up. So if they ask again in another year and you say, yes, I do have a POA&M in place, and last year it said 10/1/25 on it, and now it says 10/1/26, I don't know why. It's out another year, and yet you have the same score. So they may want to know about those POA&Ms to help prove your case.

Speaker 00:

What are the common mistakes that you see our customers, subcontractors, make when trying to prove compliance?

Speaker 01:

Inflating their scores. So, you know, saying you have 110 when you might be more like a minus 56 or something like that, or a 70, or something like that. No, I've never seen that. So that's the biggest one, really, is inflating your scores, or just kind of guessing at it. To get that SPRS score, you really do have to go through a mini assessment, go through each of those, score it properly, and make sure you understand. A lot of that has to do with documentation, and people kind of skip over the documentation and say, yeah, yeah, yeah. But you can't skip over it. You've got to have all the documentation it talks about, and that impacts the score. So if you don't have your authorized list of users, then you have to count points off for that, for instance.

Speaker 00:

So, yeah, you can have done something technically, but if it's not documented, it's like you didn't have any. Exactly. 100%.

Speaker 01:

Yeah. Again, most of it is documentation and making sure that you have those technical controls in place, and that they're ongoing and monitored and all that kind of fun stuff. Another thing that rolls right into that is bad documentation. Again, it comes up. Yeah, again it comes up. I have a shirt that says documentation, documentation, documentation, because I say that a lot. But yeah, you've got to have your documentation in place. There is an absolute ton of it, and you've got to have that in place. So that's another big deal that we see. I brought it up a minute ago: another problem is your POA&M, kind of ignoring it and saying, here's my POA&M, and just setting it off to the side and going, we're good, let's roll, and then forgetting that the POA&M is a plan of action and milestones, meaning you have to do something about it. So if you don't do anything about it, then that plan of action and milestones is a plan of inaction and milestones. I guess that would be a POA&M or PO-whatever. Anyway, nevertheless, whatever it is. We don't need more acronyms. We don't need any more. Yes, that is a plan of action and milestones, so you have to get things done on that list. Cloud services: a lot of people have a tendency to not take into account their cloud services, Microsoft 365. You know, maybe they get, and shouldn't, but maybe they get CUI through email, or maybe they send it through email, maybe they send it through encrypted email, but it's commercial Microsoft 365, so that won't work. So they've got to address things like that. Another big one that people typically don't have is incident response. What is your incident response plan? How detailed does it need to be? It needs to be detailed enough to cover your assets.
So, really, you need to have some sort of incident response policy and plan and procedure, and then you need to make sure you have all your bases covered. One big one is having a medium assurance certificate installed on your computer so you can report incidents within 72 hours. Uh-huh. If you don't have that certificate installed on your computer and you have an incident, I can guarantee you that you won't be able to report that incident within the required 72 hours, because you will not get that certificate and get it installed within 72 hours. If you do, it'll be a miracle. I wouldn't bet on it, especially if you're in the middle of an incident. Now you've got to go focus on getting those wheels to turn to get that medium assurance certificate in place.

Speaker 00:

So one I'm going to add in that I see less often, although scope is, I think, always a problem. Yes. When we have someone that comes to us that is actually reasonably prepped and ready, and they're like, hey, we just need you to help shore up this documentation piece, we're just going to hire you to do that, we typically find, and we always do a gap analysis anyway, and this is the reason for it, that they'll have a big hole in their scope. Yes. So we'll have someone that is otherwise buttoned up, but they'll say their CUI comes in from a customer portal, and then it goes right into a vendor. And it's like, well, hold on one second. How does it go from the customer portal to the vendor? And they say, oh, I just download it and upload it to the vendor. And you're like, okay, well, now your computer's in scope, and you have it as not in scope. And they're like, oh crap. Yeah, yeah. So it is very good practice to offload the burden of security and compliance to other vendors, but at the end of the day, there are not a ton of scenarios, especially if you're a manufacturer and you've got real tangible products or something, where your own computers are not going to be in scope, especially if you're dealing with CUI yourself. So typically people will not have computers in scope that should be. And then the other one is just some big glaring misses that you don't always think of. The other day, one that we didn't even think about until we were going through the SSP process and creation of their SSPs: we identified that they would send some CUI to print to a print vendor, and then we're like, oh, well, we might have to start doing printing in-house because we can't find a print vendor that's compliant, right?
And so, unfortunately, in that scenario, I think we're going to have to change their actual business, maybe not model, but process and workflow, to bring it fully in-house. But those are things that an assessor will likely catch on to, and if you miss them, then it's going to mess up your assessment and cost you some money, because you're going to have to go back, fix it, and then get assessed again. Right, absolutely.

Speaker 01:

Yeah, and you're talking about scope, and one of those things that causes people not to think about their computer being in scope is the fact that it's not just storing CUI. It's not just where the CUI is stored; it is, but it's also processing and transmitting. So processing, storing, and transmitting CUI. If whatever piece of that puzzle does any of those three things, processes it, stores it, or transmits it, then that puts that endpoint, or whatever it is, in scope.

Speaker 00:

Absolutely. Okay, we've kind of addressed the mistakes that we see a lot of subcontractors make when it comes to compliance and trying to prove it. The natural follow-up to that is, what are the consequences? If someone decides to wait, or even just makes a mistake, or doesn't take compliance seriously? Sure.

Speaker 01:

So, things we've seen is that the prime or main contractor can say, hey, we can't send you any more CUI until we know that you're compliant or your score is right. So they can pause a contract if there's something wrong, or it can cause you to lose a contract if you find out there's an issue and you're not actually compliant when you thought you were. If you inflate your score, like we were talking about a minute ago, then you're at risk of having a False Claims Act case filed against you. And one thing I might say is that of these False Claims Act cases that have been filed against companies, a lot of them are whistleblowers. It's not, you know, the government. There are some where there was an incident, and they research that incident and figure out the subcontractor or contractor, whoever, wasn't compliant, and then they fine them and say, hey, False Claims Act, because you had said you had these things in place and you just absolutely didn't, right? Not necessarily a mistake, but you just absolutely didn't. Most of the time they're not nailing people up against the wall, that I could tell at least, for making a mistake. It's people who are flagrantly violating and actually falsely claiming that they're compliant when they're not. So you could get a False Claims Act case filed against you. That would be a bad thing, a very bad thing. Yeah. There are a lot of results of that. Most of them are going to be big fines, but it could result in jail time too, depending on what happened.

Speaker 00:

Not to mention, I don't know about everyone else out there, but I know how much a lawyer charges. So even before jail time and all the other consequences, you're going to have some costs. Yes, absolutely. Just at the start of it.

Speaker 01:

Even if everything turns out okay. Yeah. There'll be some cost there. So, yeah, the False Claims Act is a big deal, you can lose your contracts, and then there's reputational damage. If some incident happens and it turns out that you aren't covering something that you were supposed to, that's a black eye on you. And as that contractor or subcontractor, they may want to go find somebody who they're more comfortable with, or they're okay with you. So having a black eye is not necessarily a good thing.

Speaker 00:

Yeah, I think two of the biggest motivating factors when I'm working with customers, or when they come to us, are, one, just being able to answer the questionnaires and go back to their customers with a very good level of good faith that they're actually doing what their obligations are. And then two is the obvious one of not wanting to lose the revenue, right? So I think those are the two biggest motivating factors we see as far as consequences go. Yeah. Okay, so let's say that you're working towards compliance, or maybe even you're already there. If that's the case, either at the end of your journey, whenever you've got everything compliant, or if you are compliant today, how does a subcontractor prove compliance to their primes in a way that the primes can trust?

Speaker 01:

Well, eventually it's going to be having that Level 2 certification and having that official stamp of approval, right? But until then, you have to make sure that your SPRS score is accurate. Even if you go back through and do an assessment like you should, and it ends up, instead of at 110 where you thought it was, at a 70 or something like that, or even a minus 56, or who knows, I would put an accurate SPRS score in, and definitely make sure that you have your POA&M generated and that you're actually working on it and working through it. The primes are going to be appreciative of that. Your SSP should tell your story. We've talked about this before, but your SSP should tell your story. An assessor ought to be able to look at your SSP and understand basically how your system's put in place and how you're addressing the controls. In the SSP, you don't have to go into detail necessarily, but they have to understand how you're doing these things. So use the SSP to do that. Develop a good, strong SSP. It should inspire confidence. It should inspire confidence, absolutely, it should. The other thing is, again, that POA&M: make sure that you're working through that POA&M, addressing all the things that need to be addressed. Most of the time you take that POA&M and you list out all these controls, and then you group those controls together into projects, and usually a project will knock out several controls at a time, and you can address it like that. That's typical. Make sure that you have technical proof, so you can show it if you ever need it. You'll definitely need that technical proof whenever you get to a Level 2 certification, but make sure you have that technical proof. And then make sure that it's organized well and all together in one spot. Typically we tell you a GRC tool, because it's the easiest way to keep track of that.
But however you want to do it, make sure it's organized well, it's all in one spot, easy to find, easy to get hold of a key document or two, or a screenshot, and give it to your prime contractor so they're comfortable with it. Those are the things that you need to be doing now. The biggest things are, again, having a good, strong SSP telling your whole story, making sure your SPRS score is right, and working on that POA&M. Get it closed out.

Speaker 00:

Absolutely. Okay. I know there have been some recent updates in the CMMC sphere or ecosystem that might have some primes more urgently knocking at your door or sending you letters, much like our listeners may have already noticed, and so they might be wondering why that's the case. So what updates, if any, have happened recently that are making those contractors and primes knock at the door?

Speaker 01:

Sure. So there are a couple of updates, a 32 CFR and a 48 CFR, that went into effect that really put this in motion and put a finite timeline on it. 32 CFR is the one that went into effect in December of 2024, and it's what clarified and defined CMMC itself, right? The CMMC program. The 48 CFR just went into effect, or excuse me, was just published on September 10th of 2025, and it goes into effect November 10th of 2025. That 48 CFR is the one that puts the 32 CFR in place on contracts. Again, there are four phases to that, but the first phase is going to be kicking off here pretty soon. So your prime contractors, even before the 48 CFR was released, have already been starting to be a little pushy, saying, hey, when do you have your Level 2 certification scheduled for? Can you show me that you have it scheduled? So they've been asking those questions, prompting, pushing, kindly, and all this kind of fun stuff. That's going to start being less kind and more pushy, I'm sure, along the way. But once November gets here, and then as time goes on after that, prime contractors are definitely going to want to see that you have a Level 2 certification, or at least that you have one planned to take place. They're going to want to know that because they need to have their huge contractor and subcontractor base squared away and in good shape before they can move forward on some contracts. They're a business just like everybody else; they just happen to be a lot bigger. So they want to get those contracts, and they know that they have to be compliant, but they need their subs to be compliant as well. The appropriate subs, I should say. Anyway, compliant as well.

Speaker 00:

Yeah, I think a key piece of the strategy in terms of the enforcement, to make sure people actually do all this stuff, is that a lot of their defense spending is put in the buckets of the primes, right? The larger primes, I should say. And so the flow-down is a keystone piece of that enforcement mechanism to really push them to make everyone else comply. So they're kind of using the primes as a piece of their enforcement wing.

Speaker 01:

So, you know, the other thing, you just said enforcement. We are starting to see more enforcement in the way of False Claims Act cases being filed against companies for saying they were compliant and not being compliant. If you say you're at 110, you'd better be at 110. So we see some of those ramping up.

Speaker 00:

So let's say that you are in the majority out there, where you're not a big couple-billion-dollar prime and you're one of the smallest shops out there serving the primes. What practical steps could those subcontractors that are listening take today to actually get off YouTube or Spotify or Apple or wherever you're listening and go implement? What could they do? Sure.

Speaker 01:

So, maybe in the first 30 days or so, you take a good hard look, and first understand what kind of CUI you have. Is it controlled technical information? Is it something else? Are there any dissemination restrictions? So, no foreign, or is it ITAR data? What dissemination restrictions are there? That's typically the hardest thing to do, figuring out what CUI you have, what kind of CUI, and the restrictions on it, because it's generally kind of nebulous, and contractors will say, yeah, sure, everything under this contract is CUI. So you need to ask and find that out and figure out what kind of CUI you have and whether it's actually the truth or not, right? Is this just what I think I have to have, or think I have? So figure out that CUI. Draw yourself a data flow diagram. Figure out where the CUI comes from, all the systems and all the places that CUI comes from, where it goes, where it's transmitted to, where it's stored, where it's processed. Figure out where it goes in all your different systems. That may be cloud vendors like Microsoft 365, it may be an on-premise server, it might be a cloud file share and sync tool, could be your MRP, could be whatever. So make sure you draw out that data flow diagram, put all your arrows in, get that good spaghetti diagram going, and figure out where everything goes, and then figure out where it goes outside of your system. Do you have subs it goes to? Put that in there as well. That gives you a good idea of what your scope should be, or gives you an idea of what your scope is. And then if you want to tighten your scope down, you can certainly look at that and go, oh wow, that's a lot. Maybe we need to fix that.
But that really helps get you on a good foot moving forward, making sure that you understand those data flows and what type of CUI you have. Then, after you do that, do a full self-assessment. There is a NIST 800-171 Alpha, NIST 800-171A, that is the assessment guide. So go through that. Yes, it's long, it's a pain in the rear, but go through that, figure out where you're at on each of those controls, and then you'll have your self-assessment; you'll have your gap analysis, basically, from that. So that's a good place to start. In the next 30 days, maybe you could draft your SSP, which again tells your story, right? How you're protecting that CUI, how you're covering each one of those controls. So draft your SSP, get it written out, get it all figured out there, and then you can come up with your POA&M after that, control by control, and have your POA&M all spelled out, come up with some projects to do, and then, in the next however long, maybe nine months to a year or whatever, or maybe two months if you're really a go-getter, go through that POA&M and implement everything you need to get implemented. Once you have everything implemented, then you can figure out if you want a mock assessment or some consulting, somebody to come in and say, looks good, or you need to do this stuff, and then after that, you can schedule your Level 2 certification. So that's a good timeline. But first things first: know what kind of CUI you have and why, draw your data flow diagram, and that'll help you scope everything out properly. Even if you've already got everything scoped out, if you haven't done those first two things, it's a really good thing to do.

Speaker 00:

Okay. And maybe if all that sounds a little bit overwhelming, or say you're somewhere further down that path and you're just wanting a closer look, a second set of eyes to look at it, wondering whether your SPRS score, documentation, or overall setup is good enough for a prime, then that's exactly why we offer our free SPRS Roadmap Session. Yeah, so just a reminder for everyone out there: we're still offering and doing that for people. Even if you've already done the heavy lifting, we can review your self-assessment, go through your policy list, look at your current setup, and help you validate where you're solid and where you might need some help. So, again, it's a good chance to get a second set of eyes on things. It's totally free. This isn't a sales pitch, and you'll walk away with a clear plan on how to get your SPRS score to 110 and, hopefully, stay there. Anyway, we've got that link in the description below. You're welcome to take advantage of it, or if you're good, no worries at all. So I think that's it for today, guys. Really appreciate it. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure you subscribe.