CMMC Compliance Guide

Top 12 CMMC Level 2 Requirements Explained: Gap Assessments, Scope, SSP, and POA&M

CMMC Compliance Guide Episode 38


In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting walk through the top 12 essentials every contractor needs to achieve CMMC Level 2 compliance, especially small and mid-sized defense manufacturers.

You’ll learn how to start compliance the right way with a formal gap assessment, define and shrink your CUI scope, and build a System Security Plan (SSP) that maps to all 110 NIST 800-171 controls. We break down how to write an actionable Plan of Action & Milestones (POA&M), implement MFA correctly, enforce least-privilege access control, and deploy proper device protection across your environment.

We also cover commonly misunderstood requirements around FIPS-validated encryption, centralized logging/SIEM, removable media, CNC/OT assets, data handling, and ongoing vulnerability + risk assessments.

Finally, we answer a listener question on secure data transfer and why customer portals or GCC/GCC High environments are often superior to “secure links” inside commercial Microsoft 365 tenants.

Stacey

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.

Austin

And I'm Austin.

Stacey

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're breaking down what we consider to be the top 12 essentials every contractor needs to be CMMC Level 2 compliant, especially if you're a small or mid-sized business. These are the requirements that most often make or break an audit. All right, Austin, before we get into the documents or tools, where does a company start with all of this?

Austin

Well, from our perspective, the only place to start properly is with a gap assessment. Think of it like going to the doctor's office: the first thing they're going to do is some sort of test, a blood test is a great example, to really dive into the actual data, the tangible information, and show what your status of health is. We consider the place to start for compliance, and CMMC compliance specifically, to be a gap analysis, which is kind of like the blood test for your company for compliance, and it shows exactly where you are on your journey to compliance. So where you are now and where you need to be. Simply stated, just the gaps: what you need to fill to actually be compliant. So that is the best place, and really the only place, to start, in our opinion. You can do one informally, just kind of a gut check. But the only proper way to do it is a formal gap assessment where you go check every single control and see where you're at on it, and actually generate the evidence for it as well. That way you have a 100% solid starting point of where you're at. And then that gap analysis, that gap assessment, shows you what kind of program you need to build. A compliance management program is kind of what I call it, but it's what you need to build for your system security plan. So it's a starting point, and then you can start filling in the holes. And with that baseline, you can create your SSP and your POA&M, your plan of action and milestones, your roadmap to get to compliance.

Stacey

So once the gap assessment's done and you've got your diagnosis, what comes next?

Austin

Well, that's a great question. So the next step would be creating your system security plan, and then defining your scope. And we feel like a lot of people skip this part and they just want to go straight to pulling a template down or drafting their system security plan. And really, I mean, you can start it, but you can't get too far without defining your scope first. Simply stated, that is figuring out where in your business CUI, controlled unclassified information, resides in your company. Typically it's going to be downloaded from a customer portal or emailed to you, unfortunately, sometimes, or some other means. But you want to start with as soon as it gets into your network, your email systems, your computer; as soon as it gets to you, that's where scope starts. And then as it travels through the company, whether it's through quoting or through programming and out to the machine, if you're, for example, a CNC machine shop or something like that, scope will go all the way out to the machines on the floor and into those people's hands, and ultimately to the finished part, and your travelers and other paper items are also CUI as well. So you want to map that journey out. You start with a journey, and then that will tell you everything it touches throughout that journey. It defines the scope. So for example, you might be thinking, well, that kind of sounds like my whole dang network, my whole company, right? Well, not necessarily, because your front office person or your accountant isn't necessarily touching programming files or customer requests for quotes or data coming in or anything like that.
So you really want to carve all those people that aren't touching that stuff out, and that is what's defining scope. You just draw that line, and then you've got your scope, and then you can start writing your system security plan. And your system security plan is basically your playbook on how you're going to tackle compliance and satisfy all 110 controls to be compliant.

Stacey

So as you mentioned, the gap assessment shows what's missing and the SSP shows how you'll meet the controls. So where does the plan of action and milestones fit in?

Austin

Yeah, so plan of action and milestones, if we're going with the doctor analogy here and the blood test, would be essentially your prescription, right? So you've got this problem on your blood test, for example, and so you get these pills. Well, moving that analogy towards compliance, this would be defining things like: I have to implement multi-factor authentication on this computer or this network or this cloud application, or we have CUI in this cloud application, so it needs to be FedRAMP or something like that. So it's simply a prescriptive list of things that you need to do to satisfy all the controls listed out in CMMC and NIST 800-171, how you're going to satisfy them. So essentially the POA&M, plan of action and milestones, is the treatment plan, it's the prescription of all the things that you have to do that you're not doing now to satisfy compliance, so that you can then get compliance. And to add on to that, on that POA&M you're going to have to list out your deficiencies, and then what you're doing and who is responsible for fixing them, and then what your target dates are. And Brooke, our resident compliance expert, is not here today, so I won't speak to the particulars about that. We're going to keep it broad today, within my wheelhouse. But there is a limit to the dates that you can put on POA&Ms now. So you can't just simply say we're going to fix this in three years. You pretty much need to get compliant ASAP these days. So you can't just perpetually have things on the POA&M sitting around saying, yeah, I'll get around to it. That doesn't work anymore. It never really did, but it was used that way by some people a lot of the time. So just something to watch out for there.

Stacey

So Austin, at what point do written policies come into play?

Austin

Yeah, yeah. So usually how your policies, procedures, and your SSP are written is: you're going to have your system security plan, which is your overarching framework stating how you're going to be compliant, basically, to your assessor. You want to write it mapped out to the controls themselves, and then essentially tell the assessor how you're satisfying that control. And then all of your policies basically support that. So you don't necessarily want to have, for example, your entire incident response plan written inside of your SSP. Now, some people do that. There's nothing saying that you have to do it this way or that way. But we really like to stick with best practices, things that we know assessors are looking for. We're basically shooting for the tried and true path that we know, and have been told, gets you to a compliant situation. And if we're looking at that as the goal, which is typically what we counsel our customers to shoot for, it's having the SSP as the overarching framework and then all of your supporting policies, like your patching policy, your incident response plan, your awareness training, all that stuff, as supporting policies to the system security plan. So that's where it comes into play. They're all going to be different documents that you package together and that support each other, and that's how we do it. And another real important note here, while we're talking about documentation and policies and the SSP and all of that, is that these policies and the SSP have to say what you're actually doing. So you can't just have some template that you've downloaded and put your name on and changed a few things on.
You need to say what tools you're using, how they're satisfying the controls, and how you're doing things in those tool sets. Keeping it way too general is not good. Also, being way too specific is not good. So you want to stay in the middle, a happy medium there. But the major point I'm trying to put across here is that you really need to have custom-drafted documentation based on exactly what you're doing, not something off the shelf that maybe you got from a vendor that's giving you one of the tools you're using for compliance, because if you're using that, it's a good place to start, but you'd need a custom draft on top of it, because it's not going to address all the other things in your environment. And you have to do that and add it to whatever template or documentation you currently have. So the only point I'm trying to get across there is that you really need to make sure it says exactly what you're doing and it's specific to you.

Stacey

So pivoting a little bit onto multi-factor authentication, why is this one such a big deal?

Austin

Well, this one's such a big deal because it's commonly misunderstood, and it's typically under-implemented. What I mean by that is, a lot of times people will be like, oh, well, I have it turned on on my email, so I'm set. And it's like, well, yeah, you have it set for your email, but what about anywhere else that you have CUI and that you're accessing it remotely? An important note to keep in the back of your head is that remotely, in terms of CMMC Level 2, even means across your local network. What I mean by that is, if I'm sitting in my office here and I'm connecting to a computer just 10 feet over, and I'm not sitting in front of it, for example a server or a QuickBooks computer or something like that, that has to have multi-factor authentication. So if you're not accessing the data directly on the computer that's sitting in front of you, it has to have multi-factor authentication. And that's one that people get tripped up on a lot, because it's one that's kind of specific to CMMC compliance; not a lot of other people require it that way. It's not commonly adopted that way, I should say. So it's misunderstood, and then it's typically not set up on all the tool sets. Anywhere that you have CUI, in your scope, you need to have two-factor authentication turned on. So, first, you shouldn't be using commercial; you should be using GCC or GCC High for Microsoft 365 or email. That needs to be turned on. And then if you have your backups hosted somewhere, that needs to have multi-factor authentication, right?
If you have a cloud app, well, the cloud app most likely needs to be FedRAMP compliant in most scenarios, or otherwise compliant, and that needs to have multi-factor authentication turned on. And the list goes on. So typically it's a big deal because it's misunderstood where it needs to be implemented; I just gave a couple of examples about that. And then it's also under-implemented, and people don't truly understand the number of things they have to turn it on for. That's why we really counsel people to start with scope first, because if you really do map out that data you get from the customer, and who it touches and what programs it's touching as it travels through your business, and you actually talk to the people doing it, you don't just report on what you know, because you may not necessarily know, for example, all the programs your programmer is using all the time. You want to go ask them and interview them: okay, whenever you get this, what do you do with it? What programs do you use? Where does it go? And then you just sketch that out in Visio or on a whiteboard or in PowerPoint or wherever you want to put it, and then you've got more or less a starting point for a list of applications and computers and servers that you need to turn multi-factor authentication on for. And then of course you need to have all of the evidence that you have it turned on when it's time for assessment, but that's a whole other deal.

Stacey

So what about access control? What are assessors looking for there?

Austin

Yeah, so access control can sound real complicated, but basically what is trying to be accomplished is people, and programs and software, by the way, or service accounts as well, like administrator accounts or your scanner printer and stuff like that, also need to be thought about. But the easy examples are people, right? And so the goal is to control the access that people or your resources have in a manner that is appropriate to the job function that they are executing, and in a way that gives them just what they need to get their job done, but nothing more. The concept for that is called least privilege. So if you've got Betty Sue, the bookkeeper, she has no need to access drawing files. So you do not give her that privilege. Now, is she going to do anything nefarious with them? It's not HR files, it's not profit and loss statements. Well, I guess she's the bookkeeper, she's seen that anyway, but it's not information that typically you would be concerned about protecting in the sense of HR data or very sensitive information. Typically businesses view it as, well, that's our main deliverable, everyone sees how the sausage is made, right? But really, from a compliance perspective, you want to restrict that person's access to whatever duty they have. And then you also need to be able to restrict and control accounts as people come and go. Another piece of that is you need to review, as you hire and fire people, that those accounts get either enabled or disabled or what have you. And then you also need to have some sort of cadence of checking to make sure that nothing was missed as well, like a catch-all.
And so the goal of access control is to contain the scope of what people can touch in the business, making sure that it's only related to the job function. And secondarily, that there's nothing hanging out there that could be used by nefarious actors, some unused account that hadn't been logged into in three years that a hacker could then use to get in with an old password, then jump on another one of your systems because that was open. So again, we're trying to keep things pretty broad here, not get too specific today, but that's an example of what access control is.

Stacey

Let's pivot over to device protection. What is to be expected there?

Austin

Yeah, so the highlights for device control typically are going to be endpoint protection, patch management, things like that. So you really need to have a modern antivirus or endpoint detection system, patch management processes and procedures, and to be looking for things like zero-days and vulnerability risks and everything else that can be out there. The main goal is, of course, making sure you have the evidence that you've been doing this right. So you always need to generate that. And then you need to make sure that all those tools are updated within a very reasonable time frame. Things can't be out of date for two months; it needs to be within a week or two or something like that. Same thing for patch management. And if there's a computer update that you're not applying right now because there are a lot of issues with it for Windows drivers or something, then there needs to be a reason for it, and that needs to be weighed against whatever risk it's patching. So if it's a big security vulnerability that it's patching but it'll break something, then that needs to be taken into account, right? And so the main things for device protection that you'll see need to be addressed are going to be endpoint detection, antivirus, patch management, things like that.

Stacey

All right, Austin. So what about incident response? How detailed does that need to be?

Austin

So pretty detailed. And I say pretty detailed because most everyone, whenever we're talking to them, says, yeah, we've got that. And then you ask them, well, is it documented? And most of them say no. And if it is, it's lacking, we'll just say. So even if you have something that's conceptual, or everyone knows it, it's just general knowledge, it still needs to be written down, because an assessor doesn't care. And like we say all the time, that's where the buck stops, that's who we're shooting to please. So all this other stuff doesn't matter. We're just trying to make the assessors happy to get you your certification, right? So that's the goal. It needs to be documented, it needs to be written out, what you're doing, how you're doing it, and it needs to address the most common scenarios. Obvious ones are like you've had a breach, and then you also need to put in there reporting time frames, where you're going to report to, who's going to report it. And one thing that we always ask and counsel, when we ask about the incident response plan or help someone draft theirs, is that the documentation's great, but you also need to make sure that you go get registered and get set up to report to the government. Because if you don't have that set up ahead of time, you could breach your reporting time frame, because it takes a while to get the proper certificates and mechanism to report those incidents when they happen. And that's just a completely unnecessary situation to be in. It just takes a little bit of preparation, setting it up, a little bit of a headache working on their sites to get it set up, so make sure you go do that. I think it's DC3 is what they've named it now; they just changed systems. So go get that set up if you haven't, and then draft your incident response plan is typically what we counsel. But it should have clear roles, communications and timelines, and what you're going to do, how you're going to do it, and what time frame you're going to do it in.

Stacey

So there may be some misconceptions that training would be the easy part of this. Why do so many people fail around this portion?

Austin

Mm-hmm. Yeah, this is typically going to be evidence, right? So a lot of the time there will be training done, or people will go use the DoD-provided training, but it's not documented, and then there's no policy around it, so there's no way to prove to the assessor that you have a system or that you've been completing it. So you really need a couple of core pieces for awareness and training, and that is a policy saying what training you do, how you do it, and basically who's doing it; and then you need to do those things; and then you need to document all the completions of the training. So this can be as simple as having everyone come in for a training day, and you have people sign off on paper and you scan it in and you have an archive file of everyone attesting that they did the training and you all watched a video together or whatever. Or you could use some cybersecurity awareness tools and training, which, for the price point they are, is what we typically recommend. Honestly, a lot of our customers will opt to use KnowBe4, and it's nice because it's got a lot of other features, as well as some learning modules that you can put your training in, and then they do quizzes, and then there's all the documentation evidence of completion dates, what their scores were, and so you can just simply have the results of that for the assessor, and then you don't have a system you have to manage.
All you have to do is follow up with the people that don't do the training and say, get it done. But you have to write it up, and typically it's not written up, and then most of the time the evidence is completely non-existent. So you can't just, we'll pick on Bobby Sue again, pull her into the office and say, tell the assessor you did your training last year. It doesn't work. You need to have it documented before they get there.

Stacey

So moving on to data handling, what are the requirements here?

Austin

Yeah, so the big piece of this is going to be your asset list, or your asset inventory, and it needs to be pretty exhaustive. Typically people have the computers and the servers listed that hold CUI. Processes, stores, transmits, PST, is the rule of thumb we like to tell everyone: if it processes, stores, or transmits CUI, it needs to be on that asset inventory list. So even if it's not holding your CUI data all the time, if it traverses it in any way, it needs to be on that asset list, because that is then in scope. And people typically leave out a lot. Like I said, the laptops, the workstations, the servers, those are easy; people are like, yeah, they're there. But then people forget the USB drives, they forget the operational technology, things like CNC machines, etc., and all the other things. So it needs to be a completely exhaustive list, because if the assessor spots some technology or assets that CUI somehow traverses or is stored on and it's not on that list, then it's a big black eye in the assessment.
So that's probably the biggest thing about data handling that we see people get tripped up on. The other is removable drives, things like USB drives, hard drives, stuff like that. Those need to be inventoried, they need to be tracked, they need to be typically serialized, FIPS encrypted. And the easiest thing, especially in a manufacturing environment, especially if you're dealing with operational technology like CNC machines, because it's not always as easy to just plug it into a computer and type in a password, they have a fit sometimes working with things, so we like to suggest the thumb drives that have the actual punch-button codes on the outside, because when you punch that code in, it basically decrypts it instead of your computer having to do it, so whatever you're plugging it into, it just seems like a regular USB drive at that point. And so it works a lot better in scenarios where you're not dealing with just the latest and greatest computers that have all the features and are able to read things correctly. Anyway, people typically don't serialize those correctly, they don't label them correctly; those all have to be inventoried, labeled, and tracked as well. So that's another common piece. And then disposal as well. So whenever one of those USB drives dies, or a computer that was in scope, a programmer's, for example, that had CUI data on it, there needs to be a process by which that data is destroyed and that computer is disposed of. Because otherwise, if you don't, and you've just, say, put that computer out to recycling or sold it on eBay or something, then you've just null and voided your entire compliance program, because you just sent CUI to eBay or something like that.
So the disposal and sanitization of computers and media and thumb drives is really important as well; people don't typically think about it. But it takes some management, some systems, but at the end of the day it's a pretty easy one to solve.

Stacey

Moving on to encryption, which is a topic that seems to trip people up a lot. What's the rule of thumb there?

Austin

Yeah, yeah, encryption does trip people up quite a bit, and there are some gotchas there as well. One that we like to see a lot, or excuse me, we don't like to see it a lot, we just happen to see it a lot because we work with a lot of small and mid-sized manufacturers, and a lot of those manufacturers use QuickBooks even if they have a nice fancy ERP system that they're running their shop through. Oftentimes, especially if you're outsourcing some of your accounting or whatnot, it's easier to run some of the books just through QuickBooks, and most of the ERPs have a QuickBooks connection baked in even if they have an accounting system built in. And typically the easiest thing to do is put that QuickBooks computer or server on the same network as where your CUI is. So you'd asked about what trips people up for FIPS, or excuse me, for encryption: it's because the compliance requires a specific type of encryption, it's called FIPS-validated encryption. It's a special government version, and just like everything that's a special government version, most things don't work on it correctly. So it really limits the number of things that you can put in scope. For example, QuickBooks, you can't put it in scope; it needs to be on its own, on what we typically tell people is the Level 1 network. Segment the network, put it off over here on one of the other computers where it can't talk to the programmers and the CNC machines, and that typically will solve it. But you can't just have it all in the same environment as everything else, because FIPS encryption breaks things when you implement it. So the most common scenario is that people have encryption turned on but it's not FIPS-validated encryption, so that obviously won't work because it's not the right kind.
And then when they do turn it on, things start breaking, or the tools that you're using to satisfy some of the other controls stop working as well. Backups are a very common one, where there aren't a lot of backup solutions out there that are kind of all-in-one backup solutions that have the ability to use FIPS-validated encryption, and then if they have that, then they're not FedRAMP, and so you can't use them. So the rule of thumb is making sure you have FIPS-validated encryption turned on on everything that's in scope, and then if you're using a tool that you don't want to stop using, put it somewhere else if it breaks with FIPS encryption.

Stacey

So Austin how deep do contractors need to go with logging?

Austin

Yeah, so logging is one of those that, again, we're sticking with high-level broad strokes today, so I'm gonna miss a lot of important things here, but pretty deep is the answer. So everything needs to be logged, for the most part. For example, if you're using Office 365, Microsoft 365, whatever you want to call it, they keep changing the names, you need to have a license that allows you to be able to look at the logs for it. So we typically recommend implementing a SIEM, a "sim," a "seam," whatever you call it, people call it different things. SOC as a service is another product you can buy that includes a SIEM a lot of the times, but it is by far the easiest way to implement this control. The control does not require one, but as Brooke likes to say, it describes one, right? So yeah, we generally recommend go get you a SIEM, implement it, and then make sure that it is capable of looking at all proper data sources. Common ones are gonna be your firewall. It needs to be able to connect to your firewall, your firewall needs to log things correctly, and then it needs to pull it over into its own system and protect those logs. So it needs to have its own repository. And then, you know, if you have CUI in your email or Microsoft 365, that needs to be able to be logged. Your computers, your servers, those need to be logged. Those are all common areas to log. Beyond that, you also have to make sure that all your time clocks sync well, which is not one that people often think about. They're like, "Okay, I got a SIEM or similar and I'm all good." But whenever you have, say, you get breached and you need to make a timeline of the breach, you need to make sure that all your times are matching up correctly. Otherwise your timeline's not gonna make sense or you're gonna miss things.
So if server one says it's 5 p.m. but your email system says it's 5:05 and you get breached at 4:59, you're gonna be real confused when you look through all the logs if all the times aren't syncing up correctly. So a part that people generally miss is making sure that their time clocks are syncing up correctly, and then you want to use a trusted source. It always benefits you to use a government time clock. And so if you're out there, you're a manufacturer, you're a quality guy or something like that, and you have no idea what I'm talking about, that's fine, you shouldn't. Your IT guy probably knows what I'm talking about. So you need to make sure that there's an authoritative source for your times for all your servers and your systems, and that they're using that and that it lines up, because otherwise, even if you had the control implemented but your times don't match up, again, black eye.

Stacey

Last but not least, ongoing assessments. Can you enlighten us there?

Austin

"Things change" is the easiest way to describe the need for ongoing assessments, right? And so your assessor's gonna come in and they're gonna make sure that you're following the rules for everything, but they want to really make sure that you're doing this stuff on a day-to-day, minute-by-minute, you know, hour-by-hour basis. And so part of that is doing regular assessments of yourself and your own network and systems so that way you catch things before they do. And really the more important thing that they're trying to shoot for is that you catch it before a hacker does, or another nation state, or, you know, before you get caught in a vulnerable position and someone gets to exploit it. So the easiest way to think about it, you know, I like my analogies, we moved away from the doctor's office now; we're moving to going to bed at night.
I don't know about everyone else, but whenever I go to bed I go check, make sure my garage is shut, make sure my doors are locked, make sure my security system's turned on, and that is essentially the same thing that you're doing for risk assessments, vulnerability assessments, whenever you do them internally. You have to do them on a certain cadence, you have to do them frequently so you catch those things. You know, software changes, updates have vulnerabilities, people make changes on computers. Much like if you've got people coming in and out of your house all day, you don't know who went to the door last, if they locked it. Same thing for your computers. If someone changed the configuration or a piece of software got updated, you need to go then double check those things occasionally and make sure that all your T's have been crossed, your I's have been dotted, the door's been locked, the window's been shut, and all your patches were installed and all that. So that's the goal. It's just a double check, and you have to show that you've done it, have the evidence for it, and of course actually do it.

Stacey

So before we round out today's episode, we have a listener question on episode 35. Caesar Nay King asked, since we talked about on that episode, we said secure links via email are not really adequate because of commercial Microsoft 365. So their question is: are we suggesting that because of potential Microsoft Outlook vulnerabilities as a potential point of risk, or are we also suggesting that the customer portal via a web browser is a superior method to digital transfer of CUI?

Austin

Yeah, great question. Caesar, is that right? Yes, Caesar Nay King, awesome. Appreciate it, thank you, keep them coming. So yeah, the core issue that we're talking about there is CUI and how it has to be treated, not necessarily problems with Office or vulnerabilities, but compliance says you have to protect CUI in certain ways, and the commercial version of Microsoft is not sufficient because it doesn't meet the requirements. So that's why you see people wanting to use GCC, GCC High. So that is simply the reason why a secure link through commercial is not sufficient. It's because commercial doesn't meet the necessary controls to protect CUI. Secure links should be used to transmit CUI. And yes, I always do... typically most of our customers, their customers are gonna be larger primes or the government itself, and they're gonna have their own portal that they want you to transmit data in and out of to communicate with them, and we certainly recommend doing that, because that's their systems, they're your customer, and it doesn't abdicate your responsibility necessarily, but it's something you don't have to take care of, right? Because as soon as you interact with that portal, usually in the means of downloading it, then as soon as it touches, and you download into your downloads folder, your downloads folder's in scope, your computer's in scope then. So the point of that, I'm just trying to say, is that the best thing to do is use their approved portals, because they're supposed to be compliant, to transmit data to them. Best way to do it, because then you don't have to, one, provide your own secure means, so you could save some money. Chances are not all your customers are gonna, you know, have a completely great way to share data, so you might have to invest in a secure way to share CUI anyway, and GCC, GCC High is a good way to do it. We like PreVeil a lot of times, seems to fit the bill for a lot of people. There's other things, but I think that ultimately answers the question. I think maybe a little bit more than Caesar bargained for, but you know, here we go.

Stacey

Nonetheless, it was great, thank you. All right, if you have any questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact info at cmcomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.