CMMC Compliance Guide

6 Critical CMMC Questions Every Small DoD Contractor Should Know

CMMC Compliance Guide Episode 25

Submit any questions you would like answered on the podcast!

Are you trying to navigate CMMC and NIST 800-171 with a small team and limited resources?


You're not alone. In this episode of the CMMC Compliance Guide, we’re breaking down six of the most common and confusing questions small DoD contractors ask—and giving you clear, practical answers you can act on immediately.

Join Brooke & Stacey from Justice IT Consulting as they unpack risks of misinterpreting controls, mobile device scope, admin account misuse, CUI data flow diagrams, remote access, and more. Whether you’re prepping for a CMMC Level 2 assessment or just trying to stay ahead, this episode is packed with actionable advice.

SPEAKER_00:

Hey there, welcome to the CMMC Compliance Guide podcast. I'm Stacy. And

SPEAKER_01:

I'm Brooke.

SPEAKER_00:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. If you've ever thought, are we doing this right? you're not alone. Most small teams are trying to interpret vague guidance, juggle multiple roles, and still pass a CMMC assessment. In this episode, we're going to break down six common questions we hear and giving you clear practical answers so you can act on it right away. All right, Brooke, what are the risks of misinterpreting a CMMC or NIST 800-171 requirement and how strict are assessors during reviews?

SPEAKER_01:

You really need to focus on the assessment objectives, because you meet those and you'll meet the control. If you read just the control, you may misunderstand some of those assessment objectives. So if you read those and go through and understand them, then that will help you avoid some misinterpretation. But if there are some things that are misinterpreted, there are several things it could lead to. It could lead, number one, to just a longer assessment. It could lead to just kind of a failed start. So you go, you contact your C3PAO, say, hey, we're ready. And you pay them a little bit for the pre-assessment part. And they go through and say, okay, here's a list. Do you have all these things? And you go through and you say, we have all this. Oh, we don't have this, this, and this. And they say, well, you're not ready. So then you have to go back and figure it out and get those things fixed. Another risk is going through the assessment, depending on what it is that's misinterpreted. There could be something that causes you just to have to write a POA&M and take anywhere from a week to six months to get it done. So that could be a delay in the assessment and the certification. Could be that it's something you can't POA&M, and that could lead to failing the assessment, and then you have to start all over, spend all that money all over again, and that wouldn't be a good feeling. If you just happen to make it through the assessment and misinterpreted something, and for whatever strange reason the C3PAO did not catch it, then it's possible you might have to worry about a False Claims Act issue, and that would be absolutely no fun to deal with. So those are the risks of misinterpretation. So you've got to make sure you understand each control, but you've also got to make sure you know all the assessment objectives. 3.1.1, that's got six assessment objectives associated with it. So if you don't understand one of those or you get a little bit wrong, then that may be an issue for you.

SPEAKER_00:

How should administrative and standard user roles be

SPEAKER_01:

Sure. So, you know, this is something that is just basic IT, something you should do all the time, and something that's a best practice: not using an admin account for your everyday activities. And admins have a tendency to, you know, say, well, none of the users can have that access, but it's a pain in the rear for me to have to jump back and forth between accounts, so I'm going to use an admin account. Well, it's still not smart. So you really do need to separate out your admin account from a daily use account. For instance, that's what we do. We need admin access to stuff, but our daily account, what we use all the time to log in with, is a regular user account. And so we have to use an admin account separately to do something for credential data or for admin-type access. What that does is it really minimizes the risk of being compromised. If you're a regular user account and you happen to click on a link or visit some site that you shouldn't, it's a lot less likely you'll be compromised than if you're an admin account. Or, if you're an admin account, another way to phrase it is it just makes it a lot easier to be compromised and for that to spread.

SPEAKER_00:

So for the business owners out there, will they need a written or visual CUI data flow diagram? And what is the best way to scope and document that?

SPEAKER_01:

You don't have to have a CUI data flow diagram. However, it's very useful and the assessors really like to see it. It tells them that you've taken time to design everything properly and discover where everything flows, how your CUI flows through your system, and that you really do understand it, right? They like to see that. It also helps you tell your story. We were talking to Chris Silvers, a C3PAO, and he said, you know, your SSP is your story, and you tell your story to the assessor of how you do things. The better you write that, the better you tell your story, and the better the assessor can understand that, the better your assessment is going to go. You know, if you write something that seems like you're not telling the truth or not telling the whole thing, then they're going to want to ask more questions. They're going to want to see more things, right? Not that they won't ask questions or see things, but if everything you're showing seems upfront and agrees with your SSP and what you're telling them, then they're more likely to say, I'm good with what you showed me here. We don't need to delve into that anymore. So your CUI data flow diagram is the same thing. It's part of that story. You can say, here is how our CUI flows into, through, and out of our systems. And that is the first part of what you should do. Then your SSP tells the rest of the story of how you deal with it, right? So the CUI data flow diagrams are very important. We make sure we do those with everybody. It's nothing that we can do for a client, for instance, as an MSP or an implementer or RPO or RP. Anyway, it's nothing that we can do specifically for the client, because we don't know their business. We might know their business really well, but we don't know how they do their job daily.

So it's something we need to loop them in on. A lot of our clients don't know the full scope of, or don't understand the full scope of, CMMC assessments, all the controls and assessment objectives. So a lot of them lean on us to say, hey, this is what we need. We can help you draw out a diagram, but we need to collaborate on this, and so they know how they do things, how they can do things, or how things might be able to be changed if it needs to be. So that's a good collaborative effort. For a small team, you're going to want to involve people that actually do the jobs. You as an IT person, or a small team who's kind of overseeing this, don't just think, oh, well, we download it, and it goes here, and this is what we do. Then you involve somebody that actually does it, and they say, oh, no, here's these three other things we do with the CUI data. And so you're like, oh, I didn't know that. So it's good to involve all those team members, but that CUI data flow diagram is very important. It helps tell your story.

SPEAKER_00:

Another question that we hear a lot from businesses is: do they need to identify the specific type of CUI that they're going to handle so that they can implement proper security controls?

SPEAKER_01:

Yes, you do need to know what type of CUI you'll be handling or you are handling to implement these controls, right? To figure out where it can flow in your CUI data flow diagram, right? What kind of services you can have. You know, it might mean the difference between GCC and GCC High, Microsoft 365 Government Community Cloud or Government Community Cloud High. Anyway, it might mean the difference between those two. It might make the difference in a lot of things, right? I know it's a challenge, because most of our clients still are not getting documents that are marked with CUI on them. They're starting to. More and more they're seeing documents that are marked with CUI markings, but generally what their contracting officers will tell them is, oh, everything for this contract is CUI. You know, and that's not accurate. It's not right. At that point, they have to treat it like CUI, right? So, but knowing what kind of CUI you have would help out a lot. You can always talk to your contracting officer, even if they're not going to mark things like they should, and say, what type of CUI is this? And what are the dissemination restrictions? You know, you need to know all that so you can design your system appropriately.

SPEAKER_00:

Pivoting over to remote access and systems and scope. How could businesses configure remote access and VPNs to keep systems out of scope and data protected?

SPEAKER_01:

The key thing you need to remember is that if your system, and we're talking about remote access here, okay, so if the system that you're using to connect remotely to your internal business systems where you house that CUI can process, store, or transmit CUI, it's in scope. So if it touches that CUI, it's in scope. So if you connect by VPN, and you just connect by VPN, and there are no other configurations or no other solutions in place, and I'll get to that in just a minute, but if it's just a VPN that you're connecting with to get to that, then the machine you're connecting to the VPN with is in scope. There's no ifs, ands, or buts. It's in scope. However, if you do some sort of VDI solution, a virtual desktop infrastructure solution, and that's not just plain remote desktop, but if you do a VDI solution and you make sure that you configure it properly, then the machine you're connecting from to that VDI system can be out of scope. So for instance, what you need to know is that there can be no copy and paste, no printing, no drives mapped, anything like that, no screenshots. All that has to be disabled. If all that's disabled and there can be no data sharing between the remote system you're connecting from and that VDI system, then that remote system is truly out of scope. And they've clarified that, and it's good. Now, does that necessarily keep you from taking a picture with a cell phone? Not really, but it does prevent most of the problems there might be with remote access.

SPEAKER_00:

How should mobile devices, like phones and tablets, be handled under CMMC if users access email or CUI remotely?

SPEAKER_01:

Scope them out. Don't use them. It's the easiest solution. If you're going to be accessing any kind of CUI from your mobile device, again, process, store, or transmit. If you do one of those with any device, whether it's a cell phone, and this just really gets people. They're like, well, we're going GCC High, or GCC, but I want to be able to put it on my cell phone and be able to send and receive CUI. Well, great. You can do that. And that cell phone is now in scope. It has to be managed. It has to be encrypted. It has to follow all standards, all 110 controls and 320 assessment objectives. So you have to be aware of that. And for cell phones and tablets, there are management systems for those, and they're an additional cost. I was going to say they're not inexpensive, but they're not really that expensive. If you've got just two or three devices, it's more expensive for you than if you had 100 devices. It's more expensive per device, I should say, than if you have 20 or 50 or 100 devices or 1,000 or 10,000. Anyway, those devices are in scope if you access CUI from them. If you don't send CUI through email, you have different ways to send it, and you scope email out, then yeah, sure, you can access your email with your phone. But if there's any chance of CUI being accessed from that phone, it's going to be in scope. So that's why I say scope them out. Don't use cell phones where you can connect with CUI. It's much easier.

SPEAKER_00:

For the small teams listening right now, what should they go check or do this week?

SPEAKER_01:

Check for misinterpretations. So really go through all of the assessment objectives, and go through each one of those. Make sure you understand what they're talking about. You know, there's plenty of videos online that explain each one of these controls and the assessment objectives, what they really mean. There's a lot of different ways to achieve each one of these, to cover each of these assessment objectives. Go through and make sure you really understand all those assessment objectives. Use separate admin and user accounts. So your normal everyday account that you log on your computer with and use, it's got to be a normal user account. It cannot be an elevated privilege account. It's got to be a user account. Your admin accounts should be used for system admin access only. So separate those accounts. Don't use system admin accounts to do any kind of normal everyday work. Another thing is the CUI data flow diagram we were talking about. Although it's not required at all, you don't have to do that, it is a very good document to have, a very good process to go through. It really does help you understand where everything goes. It lays it out in a nice picture format. I guess you can do a data flow diagram in text, but most people are visual with that kind of stuff. But if you have your CUI data flow diagram, it lays it out really well, shows you've gone through that process. You actually did go through the process, and so it helps you understand where everything is at, and it helps with your assessment. Knowing your CUI type. It's just really important to know what kind you have. It's a big challenge, but you've got to know that your contracting officer can help out. I know sometimes it's a pain and they don't necessarily give you exactly what you want, but you can get the information you really have to have from them. Secure remote access.

Go with a VDI solution with the correct configuration if you want to scope out endpoints that are connecting to that VDI solution. That's the best way to go. Lock down, or I would say scope out, mobile devices if you can. If you can't, then they're in scope and you have to manage them, encrypt them, all that kind of fun stuff. So inventory them. Everything, all those controls and assessment objectives, applies there. So if you can, scope them out. If you can't, then you've got to manage them. And I believe that is all of the items we talked about, and that hits those at a high level.

SPEAKER_00:

If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. You can text, email, or call us, and we'll answer your questions for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.