CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Highlights from CS5 East 2025: Operation Midnight Hammer, CMMC Updates, and AI Insights
Get the inside scoop from CS5 East 2025, the largest cybersecurity and compliance event for the Defense Industrial Base. In this episode, Brooke and Stacey from Justice IT Consulting break down the biggest CMMC updates, Operation Midnight Hammer, and how AI is reshaping compliance.
Learn what the Cyber AB announced, how CMMC Phase 2 is rolling out, and what contractors should expect next. Whether you’re a Compliance Officer, DoD Program Manager, or small-business GovCon, this recap gives you the context and clarity you need to stay ahead.
Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
Stacey: Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're unpacking highlights from the CS5 East 2025 conference, the biggest cybersecurity and compliance event for the Defense Industrial Base. So, Brooke, for the folks who may not know, what exactly is CS5, and how is it different from other CMMC conferences that you've gone to?
Brooke: Well, as you said, it's the largest CMMC conference out there, with lots of great information. I think they said they had a little over eleven hundred people sign up to go. From what I understand, that's the people that signed up to attend, not vendors and staff or anything, so that's 1,100 attendees. That's a good showing. It grew out of a few organizations. It's changed over the years, but it is essentially the same conference it started out as, just on steroids now. It started out as CIC, which was put on by a company called FutureFeed, a great GRC tool if you need one. Mark Berman started FutureFeed and the CIC conference, and they put on a really good conference with lots of really good information. The Cyber AB also had their own conference, but they decided to team up with the folks over at FutureFeed on the CIC conference. They spun up a new company, I guess, to run it, called Forum Makers. So Forum Makers now runs it, but it's the Cyber AB and the CIC combined, and they called it CEIC, which was the CMMC Ecosystem Implementation Conference. There was one on the East Coast and one on the West Coast. The first one I went to, which I think was actually the first CIC conference, was in San Diego, and I really enjoyed it. I had actually never been to San Diego before. Really great conference. So then we had CEIC East and CEIC West. Then they joined forces with the CS2 series of conferences, which was put on by Summit 7, I believe.
CS5 now is the cybersecurity supply chain conference, and the five is from, roughly, however you count them, the five different conferences from before: Cyber AB, CIC, CS2, and CEIC East and CEIC West, which are really kind of the same conference on two different coasts, but who's counting, right? So anyway, they call it CS5. It provides lots of great content, and they've been adapting as they go. They had a bunch of roundtables this last time, which were pretty good. You could sit down at the roundtables and be part of the discussion, so there were smaller audiences. It was really good. But anyway, that's what CS5 is and what it stood for. Next year, CS5 West will be back in San Diego again, in April, I believe. It'll be at a brand new Gaylord they just built, and from what I understand the Gaylord will be less than a year old when they have CS5 out there. So anyway, it's a good conference to go to, with lots of really good information.
Stacey: It seems like CS5 provided a lot of powerful sessions, but there was one in particular where they talked about Operation Midnight Hammer. Can you enlighten us with a little bit of background on that?
Brooke: Absolutely. Operation Midnight Hammer, for those of you who don't know or may have forgotten, or maybe you do remember it anyway, was the strike with the bunker buster bombs that the United States dropped on Iran's nuclear facilities relatively recently. They discussed that, and it really filled in a hole for me. I mean, it filled in part of a hole. It was very interesting to find out, and it's a recent real-world example of the kind of information that we're trying to protect, because we don't want somebody else to do to us what we did to Iran, right? The Pentagon had a briefing and discussed a lot of this too, but they also had some good visuals with it, and it was impactful and very relevant and timely information. Operation Midnight Hammer started way back, I believe, in like 2008. They hired one guy basically to find out everything he could about the Fordow facility, which is one of the nuclear test sites. Then they ended up hiring another guy, and eventually a staff, and their sole job was the Fordow facility, from what I understand from what they reported. I would guess that the same kind of teams were put together for the other sites, but that was their sole thing. They looked at what kind of material was extracted, what kind of dirt and rock and all that kind of fun stuff, and how much was extracted. They looked at what it was made out of, how many ventilation shafts, the electrical stuff. They went over all the stuff that you wouldn't necessarily think would be really that important, information to keep not secret but controlled, right?
They didn't go over exactly how they found all this out, and they're not going to release that, I'm sure. I'm sure some of it was by satellite, but there was a lot of information there that they showed that had to be gained somehow. The visual was that they had the Fordow site in a picture, and then they had all the different categories of things that they gleaned information from, like the material they pulled out, electrical, ventilation shafts, all that kind of fun stuff. Then they said, basically, all this is the Iranian equivalent of CUI, and they stamped CUI over all of it. That's a really good reminder of why we're doing this and what we're trying to protect. We're trying to protect our warfighters, trying to protect our military advantage, trying to protect our assets here at home. The big thing it helped me with is that we always try to explain to clients why this matters. It's easy to come up with the example of, look at the new generation of Chinese fighter jet, the Humvee, the ships, or I think some laser systems that are brand spanking new. Somehow China has a lot of stuff that looks amazingly like our stuff. So it's easy to point that out, and that's manufacturing. But what about other areas? Why do other areas matter? We have some construction clients, and those construction clients were asking, well, why does it matter if we're bulldozing dirt, or whatever we're doing? And I was like, well, I'm sure they can tell something from that.
Well, now we have an example to use that says, hey, this is an example that the DoW showed and explained of what we used, which would be the equivalent of CUI, what we used to gain information to attack Iran, and very successfully attack Iran, it looks like. So anyway, it helped us out, because construction companies are in even more of a pickle than manufacturers are, as we've discussed, because of several situations. So it's very insightful. The other part I will say, not just about Operation Midnight Hammer but before that with Iran: if you'll remember, way back in the day, Stuxnet was a computer virus that attacked an air-gapped network. It turns out that that was the United States and Israel that did that, because, unbelievably, the United States actually admitted it and said, yeah, that was us. Probably shouldn't do that, but that's neither here nor there, I guess, and everybody knew anyway. But the Stuxnet virus was very specifically engineered to do some very specific things to their centrifuges that enrich uranium. They're very precise; they have to spin at an exact speed to enrich that uranium properly. While it would report the right speed, it would be spinning them either slower or faster, not doing what they needed to do. Eventually they figured it out and figured out that it was us, and I think part of that came after some centrifuges broke because they spun too fast or something. I don't really remember, but they ended up figuring out it was us, and they figured out that, oh crap, we were way behind the times, because not only could we not protect against something simple like that, but we were air-gapped and they got across.
We've got to do something about it. So Iran really ramped up their cybersecurity and their offensive and defensive cyber operations. As a direct result of Stuxnet, they ramped that up and they started attacking us relentlessly. There are lots of examples of the Iranian government being behind all sorts of things. We went over our threat notices today during our tech meeting, and there was one on there about Iran attacking over a hundred governments. So it ramped up in direct correlation to Stuxnet. Now, do you think that as a result of Operation Midnight Hammer something might happen? It's probably a really good bet. Anyway, all that was very insightful, and it made a big impact. At least it made a big impact on me. I would assume it made a big impact on other people too, but anyway, it made a big impact on me, and it's very good information.
Stacey: So let's shift gears over to the CMMC program itself. What were the biggest updates from the Cyber AB on the topic of CMMC?
Brooke: Sure, sure. Some of the updates were about this: not everybody, I should say, but there are still people that cling to, oh, there's going to be some reason that this gets delayed, and oh, now it's the government shutdown, the government shutdown is going to delay it. The government shutdown will not delay it. It will go into effect on November 10th. Now the reality is, it'll go into effect on November 10th, but there may not actually be anybody writing it into contracts on November 10th, right? So that part could be delayed. But the starting date won't be delayed, so that means that November 10th, 2026 is still November 10th, 2026, no matter when they get this off the ground and actually written into contracts. November 10th, 2026 is when phase two starts. So it is progressing and not stopping; the government shutdown won't affect that part of it. In fact, on the Cyber AB town hall last night, it was just last night that I watched the October one, they said the same thing and showed a little graphic of all the things that will and won't be proceeding with the government shutdown. There was only one thing, some administrative program manager kind of thing. Everything else is proceeding as it should be. The background checks, the tier three assessments for CMMC Certified Professionals and Assessors and all that, are proceeding. That's one thing where I figured, it's just a background check, surely those will be delayed. No, that office is working and they're trudging right along.
So anyway, November 10th is coming, that's when it's going to go into effect, and it's not going to be delayed. Maybe getting it written into contracts will be delayed a little bit, but other than that, it's coming. Another couple of things: at the time of CS5, they said 384 assessments had been completed, and that number is now over 400 as of the Cyber AB Town Hall last night. So they're marching right along on those. I don't remember how many are in progress; it's already changed, but as of CS5 there were 74 in progress and 83 authorized C3PAOs. I think that has changed to 84, but there are several in the wings waiting. The number of CMMC Certified Assessors keeps growing every month, so that's really good. That's really the key to this whole thing, the CMMC Certified Assessors. If we don't have enough, it doesn't matter how many C3PAOs we have, because a lot of C3PAOs are one- and two-person companies, or maybe a little larger, but even larger ones depend on CCAs that are 1099 employees, right? There may be CCAs that are 1099 employees for several different C3PAOs. That does not increase the number of CCAs; it just means that they're working their rear ends off. So that number of CCAs really needs to go up a lot. What does concern me a little bit, and I guess it kind of concerns me and it kind of doesn't, is that it's not skyrocketing. If it were skyrocketing, you'd already have to worry about the experience level of some of the CCAs. I don't mean that as a slight or as anything about the general CCA community; most of the ones I've met are very, very good.
There are some new ones who don't have much experience, though they're trying very hard to make sure that doesn't happen, with the requirements for CCAs. But if that number were skyrocketing, I guess you'd probably have to worry about that as well. So it's good for those CCA numbers to increase. We need a lot more of them. I don't know if we're going to get a lot more quickly, but we do need a lot more CCAs to cover all this demand for certification assessments.
Stacey: So it seems like there was some chatter about the Cyber AB taking on some new roles at CS5. Could you enlighten us with what that may be?
Brooke: Sure, sure. The Cyber AB is also working on a security controls framework. They mentioned that a few months back in one of the town halls, and I believe it was more than one of the town halls. In fact, they mentioned it last night as well. They're working on that, and that is something that I believe Texas has adopted in one of their new bills, which is, I believe, kind of a safe harbor bill. If you adopt the security controls framework and run your business by that framework, then you're basically in a safe harbor for cybersecurity claims against you. I don't know all the details about that, but that's the overall thing. The security controls framework is a little more comprehensive than NIST 800-171. NIST 800-171 really is more about confidentiality than anything else. But anyway, that security controls framework seems like something really good that they're building out, and they're pretty excited about it. They also talked about plans to update the licensing program and overhaul the practitioner path, which is what really needs to be done. It's pretty easy to get the RP, the Registered Practitioner, right now, so it does need to be overhauled. I don't know about the RP Advanced, the RPA; I haven't really looked at that one much, so I don't know how much more difficult it is than the RP. But I do know most people consider the CCP the starting place, as far as learning goes and a certification or some stamp of approval. The CCP is really where it starts to show that you've taken some good training and you know what you're talking about.
They also talked about relaunching the C3PAO accreditation process.
Stacey: So let's pivot a bit and talk about service providers. There's been a lot of confusion around MSPs, CSPs, and ESPs. Did that come up often?
Brooke: All sorts of TLAs, three-letter acronyms, come up, yes. I keep saying everybody, and it's not everybody, but there are still people that are confused about the difference between ESPs and CSPs and MSSPs and MSPs and all that kind of fun stuff. The overarching category is ESP, which is external service provider. Under that you have CSPs, which is a cloud service provider like Microsoft or Amazon or something like that. Then other than that, the category is ESP that is not a CSP, and that's what it's called. In that category is the MSP, a managed service provider, or MSSP, a managed security services provider. A managed services provider is what we are; we're an outsourced IT company, basically, and that's what an MSP is. Managed security services, I suppose, focus specifically on security services, like SOC and SIEM and stuff like that. But there are people that are confused about what makes one or the other. There's a good definition of CSP in the Federal Register. Go read that; it makes it very clear what a CSP is. Everything else is going to be an ESP. If you're providing some services to an organization seeking certification, so somebody that wants to get certified, then you're going to be an ESP, not a CSP. Very clear, right? They also talked about what MSPs and RPs and all that kind of fun stuff can do. RP is a registered practitioner; it's an individual, and RPO is a registered practitioner organization, so that's the company that employs the RP. There are limits to what an ESP can do for you, right? They can't do everything for you.
Even we tell our clients, hey, we'll help you out, we'll help you get ready for that certification quicker than otherwise. Easy button or rocket assist or whatever you want to call it; there's different marketing language all around it. But the fact of the matter is that no matter who it is, the ESP cannot do it for you. They can do a lot of it for you and with you, but there's a lot you have to do, and there's a lot that you have to be part of. Not only that, when it comes time for the certification assessment, the company getting assessed, the one seeking the certification, has to know and understand what the heck their SSP says. They can't just go, yeah, I don't know, ask him. They have to have some knowledge about it. They don't have to have deep knowledge, but after all, everybody, no matter how big the company is, outsources some stuff, right? That's because they want to focus on this and they want somebody else to do the rest. An ESP or MSP can do a lot of that work for you and help guide you through it, but they can't do it for you. People need to understand that. Companies that are looking to be certified need to understand that. And then there are different levels of companies that do it for you and with you. We have a tendency to do as much as we can, to hold our clients' hands and walk them through it, and explain everything, how everything works and what your options are. Some providers say, here's our solution right here, you put that in place and you're good. We have a tendency to think that that's not the way to do it, because not everybody fits in this little cookie-cutter box.
And then when you realize that you don't necessarily fit in that cookie-cutter box, you've got to figure out how to address the pieces that don't fit. That's where we help our clients: trying to figure out what to do with those things that don't necessarily fit in a nice, neat little box. But that's a big thing with MSPs, ESPs, CSPs, and all that.
Stacey: So it seems like there was some conversation about what CMMC doesn't do. Can you touch on that a little bit?
Brooke: Sure. I think you're talking along the lines of legal immunity. CMMC, if you've put everything in place, does not provide legal immunity from anything. However, if you've put CMMC in place as you should, have all the documentation, and you're doing the things you say that you're doing, then, because no solution is a hundred percent bulletproof, if there's some breach or something that happens as a result, you can say, look, here's all our documentation, here's what all we had in place. You can use the old Apple excuse that it was a very sophisticated attack, and I guess more than just Apple says that. But if you have everything put in place, you have all your documentation, and you can prove that you were doing what you said you were doing, then you don't have legal immunity, but you've got something to fall back on and something that will help you out a lot. So while it's not legal immunity, it certainly does help that you can prove all this. It's a lot better than not having all the documentation in place and not having all the items, or even maybe having all the technical controls in place but not having the documentation to back it up. You're not nearly in as good a place with just the technical controls in place as you would be if you had documented everything, because that way, when something happens, you can say I was doing everything I was supposed to. In fact, I was doing more than I was supposed to, and it still happened. So you have some help on that, just like the Texas safe harbor law we were talking about a minute ago. Well, the Texas safe harbor law is a law, so I guess that does provide some sort of immunity of sorts. CMMC does not provide immunity, but it does provide a lot of help.
Stacey: I know we kind of talked about the complexities of the construction industry with CMMC. It seems like there was some discussion at CS5 about CUI in construction. Could you go into that a little bit deeper?
Brooke: Yeah. As we talked about a minute ago, there are a lot of nuances in the ways that construction companies work that are hard to cover and not addressed well with CMMC. One of those things, from what I understand, and we've got some construction clients and I didn't even realize this, is that on some federal DoD construction projects they issue a different CAGE code or something for different projects. That's an issue when you've been certified and you have all your CAGE codes listed, and then another CAGE code comes into question that's not in your certified list and can't be added after a certain amount of time. What I understand is that if you've got a C3PAO that understands and knows what's going on, they can help out there. That's the gist I got. But that's just one of those things that the government didn't think about, right? Once you lock in these CAGE codes, they're in concrete and you can't change them, supposedly, and yet here on construction projects, they're going to issue temporary CAGE codes. I don't know all the particulars about that, but that's how it was explained to us in that session. The other thing is that construction companies have to think about their construction trailers and job sites and how CUI is accessed there. If you are on an actual base, it's a little bit different. There may be other projects that have CUI that aren't necessarily on a base, I would think, but if you're on a base, that helps you out some as far as CUI goes.
Another thing with construction companies: a lot of them will send off their drawings to some print company to get them printed out. Well, guess what? If those drawings are CUI, you've got a big problem there. So maybe you have to buy yourself a large-format printer and haul it around from job site to job site. I don't really know; that's a tough one to cover. But there are different ways it can be covered. You can go all digital, you can issue laptops, you can issue tablets, you can buy your own large-format printer, whatever it may be. There are several different ways to address it depending on how you do your business, your workflow, and what might be open for change. The other thing is that they said forty-five percent of federal agencies still don't have a formal CUI program. The CUI rule that was recently published as a proposed rule for the rest of the federal government, I would think that would change that. Of course, it's just proposed, so it hasn't even kicked off yet, but I would think that would change that. But forty-five percent of the federal government doesn't have a formal CUI program, and they're expecting mom-and-pop shops to put this in place. Another thing about construction companies, really about manufacturing companies, I should say, that they talked about during this, because this was a session about CUI in manufacturing and construction, and construction took a lot of the discussion because of the complexities there: in manufacturing, we tell our clients that what the CMMC program office says is that the parts, the actual physical parts themselves, are not CUI. Well, there is some debate about that.
DCSA does say that physical parts, or physical components, physical objects, however you want to phrase it, are CUI. So there is a bit of a disagreement there, and if they are, then technically that poses some more compliance issues. The only other thing I was going to say along these lines is related, but not specifically about construction and manufacturing, though definitely about CUI: there have been some intelligence agencies that have complained, agencies that are used to secret, classified information, not unclassified, but the whole secret classification, right? Some intelligence agencies have complained that CMMC is too complex, too hard to manage. I guess that was just an anecdote about how difficult it is. I don't know the particulars about that, but it was very interesting.
Stacey: So it seems like there was some conversation about AI. Could you delve into what they were saying about using AI for compliance?
Brooke:Sure. So uh you know I think uh AI is here and it's probably here to stay, maybe, you know. Uh so uh and it's in uh really it's in so many parts of your life that you you think you realize it and you probably don't really realize how many parts of your life that AI is in. So we use it in our business. Uh you know, um we have services that use AI along with algorithms to go through uh log uh events, you know, stuff like that. Um we use it a lot for you know for other things, but with with anything AI, uh you know, my wife even uh she teaches some college classes and and uh when uh students write speeches, it's obvious when they have one that's written by AI. I mean it's so obvious that uh AI wrote one and not the student. And so you have to know how to use AI. You know, for those college students, you know, I tell my wife, you know, let tell them they can use AI, but they gotta learn how to use it right. Which means that they have to know the subject and they have to know the rules, and so they have to be able to tell AI how to write that, and they have to tell AI how to correct that, right? And so they have to know it. It still leads to the same outcome. It's just that they didn't have to do all the work to get there, you know. Um, which is fine. You know, calculators when they came out, you know, I was uh I couldn't believe that uh, you know, we you were able to use graphing calculators when I was in school, uh but uh for some stuff. But you know, my kids went to school and they could just use calculators. And I thought, well, you know, how is that teaching them anything if they can if they can use calculators? So AI, same thing, you know, they have to understand you have to understand everything. So uh the same thing applies here to the IT world, uh to the tech all the rest of the technical world, and to CMMC, right? 
Uh so you have to realize what information you're feeding in, um where that uh data is stored at, uh if it goes uh out of your environment, uh you know, what you don't want is uh to draft all of your policies and all your uh stuff that may contain uh Security Protection Data, SPD, um at the minimum, CUI also, but uh you know have all your uh configuration and all your technical information in it, you don't want to draft that on ChatGPT because then it has all that information and can use it to learn on uh use it in its learning model. You don't want that. So uh and if it's CUI, then that CUI is now out, you know, uh uh in the wild world, right? Uh the Wild West. And so uh you have to make sure that uh you use AI uh that is um in a closed environment in uh you know an enclave, for instance. Uh you have to put some parameters around it to make sure that it's used properly, that it's a cloud service, so if it's gonna do anything with CUI, guess what? It has to be FedRAMP, uh FedRAMP Moderate, uh authorized, or higher, or or equivalent, I guess. Uh there are also some um some tools, CMMC tools in the CMMC ecosystem that use AI. And um I haven't really necessarily looked into them in depth, uh, but from what I understand, they have their own environment. Um the information does not get out of that environment. Uh so you have to think about those things. You know, I have down here that define AI boundaries using zero trust principles. Uh zero trust is a is a really it's just a really good principle to start with and operate by, right? Um host or configure uh language models, large language models in uh an enclave or in uh a controlled infrastructure, uh closed infrastructure, right? Closed environment. Um use AI to draft documentation or summarize the logs, but again, this is where you gotta know how to use AI. You know, use it to, you know.
Yesterday I was using it to um this is kind of goofy and dumb, but uh yesterday I was using it to um write some formulas to dig through some giant Excel spreadsheets and get some data for me. And uh, you know, you have it write a formula, you look at it, and you're like, well, okay, that looks right. You use it, and then you're like, well, that data doesn't look right, and so you look at it. Oh, here's the problem. All right, now rewrite it and do this, you know. So you have to understand what it's doing and you have to understand how to use it. So it applies in my wife's college classes, and it applies in CMMC. Same thing, right? Uh and you can run AI-driven uh regulatory gap analyses. Um it'll help you find things that you've missed, but also just remember that AI can hallucinate. It doesn't mean that it does all the time, but you know, it can catch some of the things that you might have missed, you know. Um so you can use it to check you, you can use it to help out. Again, however you use it, you've got to know how to use it and you've got to use it appropriately.
Stacey: All right, Brooke, rounding out all of the CS5 conference information, what's your biggest takeaway from the whole event?
Brooke: Uh well the biggest takeaway is really the takeaway that I have a lot is that it's about national security. You know. Uh one of the last conferences, uh Katie Arrington talked about um, you know, the China threat and how much we're losing to China. Uh, you know, this time they talked about the whole uh Iran thing with the Midnight Hammer and CUI, you know, we talked about. So it's uh it's about uh national security. All aspects of national security, it really is. Um yes, it's a big pain in the butt, you know, and any security is gonna be a pain uh uh because not having security is much easier. You can just run willy-nilly and do whatever you want, you know. Uh but you know, you have a little security and it's inconvenient. The key is keeping that balance, right? Keeping everything secure while still being as productive as possible. You know, the other thing is uh I heard this multiple times uh uh in some of the sessions and also speaking with assessors and C3PAOs, you know, their goal is not to fail you, their goal is not to stick it to you, you know, or say this is the only way this rule can be implemented, you know. Um their goal is to make sure that you're uh covering those um uh controls and assessment objectives uh and what you're doing is working. And what you're doing is covering those uh objectives properly. So they're assessing, right? It's not an audit necessarily, but they're assessing whether what you're doing meets those controls or not. Um and so there is uh there's some leeway to figure out, you know, whether this, you know, this works this way or that way or whatever. So it's a you know, they're there to just make sure that you're covering those controls, not to be a hard ass, basically, right?
So and uh one of the uh one of the panelists said that uh RPOs, uh I can't remember who it was that said it, but uh RPOs are uh becoming uh cyber therapists. So uh, you know, I thought, well, that's really not that far from uh from uh right. You know, I mean that's true really. Uh you know, RPOs really are trying to shepherd, you know, companies through this thing and help them out and help them get through it, and listen to their moaning and groaning and complaining, you know, and everything else. And uh again, uh an RPO is not there to you know beat you into shape, but here to say, you know, here's the control and here's some ways you can address it. This is what we recommend, you know, and so uh at least that's how we address it. And I'm sure that's the way uh other people address it too. But you know, RPOs being a uh uh a uh cyber therapist was a very interesting way to put it.
Stacey: I know you met a lot of great people at CS5. I think you had a special shout out that we wanted to mention.
Brooke: Uh yeah, that's right. So uh uh you know we've had people contact us and usually it's by phone or email, you know. Uh they watch the podcast and uh so they contact us to ask questions, ask us to you know do an assessment or whatever it might be, you know. Um uh but uh while I was at CS5, I actually ran into somebody that recognized me, so they weren't just a listener, but I guess they actually watched too. So I ran into uh a gentleman named uh Mark Murphy. I wanted to give him a shout out. So hey, thanks for uh thanks for watching and thanks for listening. We really appreciate it. Uh so it's always nice to run into people that have uh listened to or watched our podcasts.
Stacey: Before we wrap up today's episode, we're gonna answer a listener question from @Maskem Adventures on episode 24. They asked, so if you had a CUI drawing and created yourself a Mastercam G-code file, is that G-code still CUI?
Brooke: Well the short answer is yes. The much longer answer is uh we actually had uh this is still a debate, right? Um I would say yes to make sure that you're covered. Or uh when you're doing C3PAO uh interviews, you know, uh specifically ask them what they think, you know, and uh you can go from there. But um uh there's uh Jim Goepel uh wrote some books about CUI, uh really smart guy, and he says, you know, those parts are CUI. Or those excuse me, that G-code is CUI, you know, uh because it's that information that's derived from uh drawings or something on that contract. And so uh it's gonna be derived CUI, right? So there is a possibility that that G-code may be a COTS product, uh a common off-the-shelf product, you know. Um so if it's just an off-the-shelf product, a piece that you sell, you know, to um Boeing for commercial planes and also for uh DoD planes, you know, maybe that would be off-the-shelf stuff and that wouldn't be CUI. Uh but generally uh that G-code is gonna be CUI. Uh I would go ahead, I counsel all of our clients to just consider it CUI, protect it. There are ways to do that. Uh there are ways around, you know, uh hard stuff that make it really hard to figure out how to keep it encrypted properly and all that kind of fun stuff. Um but you can still do all that uh and that be considered CUI. So uh but um we were in a conversation about that. Uh somebody really smart that I know and respect uh said, you know, no, it doesn't have to be CUI. You know, you can call it instead of uh, you know, uh whatever the actual part name is, you know, you can just call it you know lettuce or or you know, or uh table leg or you know, something like that, something that's not right. And I said, well, you know, that's fine, that's all good. But you've got to have some sort of matrix to uh, you know, to map those parts somewhere. They said, yeah, and you just keep it safe.
And so now you're having to keep uh, you know, a uh a matrix of names safe somewhere that maps all those parts, you know, uh which is fine, you know. Uh but it seems like uh that very well may fit some people, it may work for some people, you know. Um and if it does, great. If not, there's easy ways, uh easy-ish ways uh to say, yeah, it is CUI, and this is how we're gonna protect it, you know. Uh so uh I would just say yes, G-code is CUI and protect it accordingly.
Stacey: If you have any questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure, and make sure to subscribe.