CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
What You Missed: June Cyber AB Town Hall CMMC Highlights
Submit any questions you would like answered on the podcast!
48 CFR UPDATE: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-A/part-204/subpart-204.75
Missed the June 2024 Cyber AB Town Hall? We’ve got you covered.
In this episode of the CMMC Compliance Guide, Brooke and Austin break down the biggest takeaways — including how recent leadership changes, service provider requirements, and G-code classification are shaping the path to CMMC compliance.
If you're a DoD contractor or MSP supporting government clients, this is the update you can't afford to miss.
INSIDE THE EPISODE:
- What the new Undersecretary means for CMMC rulemaking
- ESP vs. CSP vs. MSP — and why the difference matters
- Why your IT provider will be assessed with your environment
- How your CAGE code could delay certification
- What assessors say about G-code and CUI
- Upcoming CMMC events you should have on your calendar
UPCOMING CMMC EVENTS MENTIONED:
- Carahsoft CMMC Webinar Series: https://www.carahsoft.com/learn/event/71021-proofpoint-and-microsoft-cmmc-webinar
- National Cyber Summit: https://www.nationalcybersummit.com/
- CS5 East 2025: https://cyberab.org/News-Events/CS5-Conference
Hey there, welcome to the CMMC Compliance Guide podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're breaking down the key takeaways from the June 2024 Cyber AB Town Hall. So if you missed it, no worries. Brooke is going to walk us through the highlights and what they mean for your compliance journey. Let's start with the leadership changes. Who is the new Undersecretary, and how does that impact the Title 48 rulemaking process?
SPEAKER_03:The Honorable Michael P. Duffy was recently confirmed by the Senate as the new Undersecretary of Defense for Acquisition and Sustainment. He brings experience from both the Department of Defense and the Office of Management and Budget, which is especially relevant since he will now be overseeing CMMC Title 48 rulemaking. The Cyber AB mentioned that they're hopeful we'll see the Title 48 rule later this year.
SPEAKER_00:Hey everyone, this is Stacey with Justice IT Consulting jumping in real quick with some breaking news that dropped while we were recording this episode. The 48 CFR structure has officially been released. This went live in the eCFR, and it confirms exactly what you've been preparing for. Starting October 1st, the 48 CFR rule is on track to become a standard requirement in nearly all DoD contracts. So while the 48 CFR rule itself is still under review with OMB, the structure is now officially visible, and the writing is on the wall. CMMC enforcement is coming, and it's coming fast. I'll be linking in the description below where you can view that 48 CFR rule structure. All right, let's get back to the episode where we left off with Brooke.
SPEAKER_03:Fingers crossed, October, but who knows? So we thought it was going to be Q1, then maybe Q2 sometime. And so now, you know, we're looking at October. So he was actually confirmed by the Senate. He's in there. He's been in the mix, and he understands and he knows. And so we've got a champion to push that rule through. It's not just the DoD CIO, acting CIO, Katie Arrington by herself. Of course, I guess it never was. There's a whole team there. But we've got somebody that can actually push that through. So hopefully we'll see that Title 48 rule, the 48 CFR, come through October-ish, maybe. So, cross our fingers. And of course, you know, when that 48 CFR comes through, that's a very important milestone because that'll kick off the process of the CMMC being required on contracts. And then, of course, there's four phases of it. So that's very important. Katie Arrington has talked about how important that is to get that through the goalposts and everything. So I think this is a good sign that this is going to really start moving forward.
SPEAKER_01:There were a lot of questions around how service providers kind of played into the assessment process for CMMC assessments. Can you help us understand the answers to those questions, how that kind of clarified?
SPEAKER_03:Just so you know, there are ESPs, external service providers. We are an external service provider, an ESP, but we're also an MSP, a managed service provider. All the acronyms, to make it more confusing. The CMMC doesn't specifically call out MSPs, but I don't want to get confused there. But ESPs are divided into two very broad categories. One is CSPs. It can be an ESP that's a CSP, and a CSP is a cloud service provider. That's going to be like Microsoft 365, any place that you might store your files in the cloud, Box for Government or PreVeil maybe, or something like that. So those will be CSPs. And then there are ESPs that are not CSPs. I guess that's what they call them. So that means everybody else but CSPs, right? So an ESP that's not a CSP is an external service provider that doesn't provide cloud services directly. You may help clients get those CSPs or something like that, but you're not a CSP yourself. You're not providing cloud email or cloud file storage. You could be, I guess, but then you would be a cloud service provider. Right. But if you're an ESP, not a CSP.
SPEAKER_01:And the distinction there probably could be defined by: a cloud service provider is something that you could go source yourself, like go interact with a web page and spin up, for example, a Microsoft 365 tenant or some environment. That's kind of more in the CSP category, and your ESP category would be more like your consultant, like us, or IT guy who may leverage those services but is not directly providing them.
SPEAKER_03:Correct. And if it's a service like Microsoft 365 that can expand and contract with your service or whatever (not that Microsoft will let you reduce licenses, by the way, but that's beside the point). Theoretically. Theoretically. Those are cloud services. Anything you get directly from a provider like us that's not hosted in the cloud, then that's going to be an ESP, not a CSP. So those ESPs not a CSP are going to be assessed along with the organization seeking certification, the OSC. They will be assessed along with that OSC's environment for whatever security controls fall in line. So mostly it's going to be SPD, of course, security protection data. And the security protection data is those security services that are protecting CUI assets. The ESP not a CSP's environment will be assessed along with that OSC's environment. Every single time. If an MSP like us, a managed service provider, has 25 CMMC clients, we're going to have to go through that assessment. We're going to go through that 25 times. You have to make sure that you have all your documentation in line. You have to make sure the ESP, not a CSP, has to make sure...
SPEAKER_01:You have to make sure your IT provider has their documentation.
SPEAKER_03:If you're an OSC, you have to make sure your IT provider has their documentation in line, has a shared responsibility matrix, or what they're calling it now is a customer responsibility matrix. So a CRM. Make sure you have that in place, that tells you, control by control, whose responsibility each control is. If you have it broken down by assessment objective, even better. And you don't want to get too detailed in those and write whole books for each assessment objective, but some sort of explanation that tells what each party does, the OSC and the ESP not a CSP, so that the assessor can understand what's going on, right? They have to be able to look at it and go, okay, yeah, that makes sense, I get it. They can't look at it and go, what does this mean? You can't write it so vaguely that it doesn't make sense. If your ESP, your IT provider, is able to get a CMMC Level 2 certification, there is nowhere that says it will make it any easier. However, a lot of C3PAOs and assessors have said, yes, that'll make things easier because we have that Level 2 certification, and we still want to see those documents, but it'll make the process a lot easier. So there's that as well. There's not very many that have it. Just be aware that there's a backlog of people that are trying to get through and get those certifications. Okay, so in short, really, what they said was ESPs that are not a CSP are going to be assessed in the OSC scope of their environment as they fit in there. And the short story about certification for the ESP: if you have one, if your IT provider has one, it's likely that that will make things easier. But they're not going to say it's going to make things easier, just so you know. They're not saying, yes, I promise it'll make things easier. But likely it'll make things easier.
SPEAKER_01:There are a lot of implications, no promises. Right. Kind of put in layman's terms there, if you have an IT provider, they're going to be assessed as part of your company. Absolutely. And then, if they have any tools that they use to fulfill their obligations to you, the organization that's trying to get certified, the organization seeking certification, then their tools will also be assessed as part of your assessment. For example, if they had antivirus that they installed on your computers, not only you as the, say, manufacturer, aerospace manufacturer, get assessed, but your IT provider, as well as the tools they use, like antivirus, get assessed all at the same time.
SPEAKER_03:Yeah, the IT provider has to list all their tools out, what they use, and have the CRMs from each one of those. Those CRMs then flow down to that ESP, the IT provider, and then that of course flows down to the company getting the certification, the OSC.
SPEAKER_01:And the fun part about that, from what I understand, correct me if I'm wrong, but once that's all done, if you change anything, like say your antivirus, or your IT provider changes it, you're no longer in compliance. You have to get essentially recertified.
SPEAKER_03:Yeah, it's a major change. So I don't know that changing your antivirus necessarily is going to be a major change. You're going to have to assess what a major change is. If you buy a company and add it onto your network, or merge them into your network, of course that's going to be a major change. Yes, you have to kind of assess what a major change is going to be, because they give some examples, but they don't spell it out. So be careful. And I can tell you that it's tough to get those CRMs that are good and legitimate from your vendors. And so changing those tool sets out willy-nilly is probably not going to be part of the process. And you're not going to want to just up and change out a bunch of things, or even one or two things, really.
SPEAKER_01:Yeah. So if you have an IT provider and you're, at some point in the future, going to get assessed, you probably need to call them today and say, hey, for all this stuff you've got installed on my computer, do you have a CRM for it? Have you gotten a CRM from them? And if they're like, not sure, or what's a CRM, then you might want to investigate it. I think it might be okay if your assessment is out in the future and they say, no, we don't have it yet, but they're developing it or legal's working on it or something; that might be an acceptable answer. But it needs to be on the roadmap soon, if not already. It should be already done.
SPEAKER_03:What I can tell you is we waited and waited and waited for some of our vendors to have those CRMs or something to hand down to us to fulfill our requirements. And they're just not moving fast enough, so we said adios, and we're going to go a different direction. We had to do that. We had to make the switch so we could get those compliance pieces in.
SPEAKER_01:Which is a very painful switch for your IT provider. So to be quite honest, if it's not in the works right now, it's not something that you can just have them change a couple weeks before assessment, or even a month before. It takes a lot of planning in their business to do that, because they're likely using the same vendors for all of their customers, kind of like how Southwest used to fly one plane. They're trying to get some efficiencies there, which is part of the business model. So it really needs to be on their roadmap and their vendors' roadmaps.
SPEAKER_03:It does. It needs to be on that roadmap. If it's not already in process and doesn't have a date (you know, yes, this vendor is going to have it by Q4), then they really need to, because it's not easy to research and figure out what to use necessarily. So that definitely does need to be in process and at the forefront of their mind of what they're going to do.
SPEAKER_01:Okay, so tell us. We talked about service providers, but another thing that's a frequent question, or a frequent gotcha, is kind of the CAGE code situation and how that plays into the assessment process. Can you help us figure out what the clarity was around that?
SPEAKER_03:So you have to specify your CAGE code whenever you get assessed, and for your system that is in scope, you have to specify your CAGE code or CAGE codes. They have to be listed because that's how the government knows you: through your CAGE codes. That is basically what identifies you to the government. But you have to have that because, when everything's said and done, they have to be able to tie your score and tie your certification back to your company, back through all of their systems. They upload it to a system called eMASS. It's got to match in their SPRS system. It's all got to match, and they've got to be able to match it up somehow. That CAGE code is very important. That can derail or hold off an assessment. So you need to be sure that your CAGE code is right, that you've got your company name right, your address right, you know, all that kind of fun stuff. And when you're assessed, that you built your system on that CAGE code and the assessment is on that CAGE code, not a different CAGE code. There were examples of people that either used the wrong CAGE code, an old CAGE code, or a CAGE code with information that didn't match, like an address and stuff like that, and that held them up. And so they couldn't finish their assessment.
SPEAKER_01:And it often presents an issue you see a lot when businesses are growing or there's private equity coming in. The typical playbook is to aggregate many books of business into one entity and get some cost efficiencies across, more or less, what we call SG&A lines in our business, but just kind of your general and admin expenses. So IT is generally considered that, accounting, yada, yada. It just makes it a little more complex for CMMC because essentially your IT system needs to be separate for each different entity, each different CAGE. It's not the whole truth, but basically you're going to need to have an assessment for each of those different entities. So you're not going to be able to share it in the exact same way as you could other things, because essentially what they're worried about is the data that you hold as part of your obligation of fulfilling the contract. That's what they want to control, and it unfortunately traverses the entire IT system, and that's what they want.
SPEAKER_03:Yes, it absolutely is. And that also brings up another point that I left out a second ago: you get your contracts based on your CAGE code. If you're doing business getting your CAGE code as company A, and then company Z comes in, buys this company up, aggregates it all in with companies B, C, D, and E, that's great and that's fine. But are you still doing business under that original CAGE code, or are you doing business under a new CAGE code? Or are you going to do business under a new entity, and how are you being assessed? What are you looking for? So that CAGE code has to match. If you're doing business under that CAGE code with that one company A, that's what you have to put in for your business systems. That's what you have to be assessed on. It all has to match up. If a PE company comes and buys up a bunch of DoD manufacturers, that's fine. And you can even share some systems as long as you do it properly. It's got to be done properly. But you can share some systems, as long as it's done right, that's fine, but that CAGE code has to match.
SPEAKER_01:Right. And you're not going to get a cost efficiency on the assessor because they're going to charge you separately each time.
SPEAKER_03:They will. That's what we've been told. So there may be assessors that are willing to give you a break if you say they're cookie cutter, but I wouldn't promise that.
SPEAKER_01:There's a lot of talk around G-code or similar file formats, basically a file or program that tells some piece of manufacturing equipment how to machine out, cut out, whatever, make a part, and the part being CUI. Some people believe that the G-code, this file that is telling the machine what to do, is not CUI. Some people believe that it is CUI. We have our own beliefs on that front. According to the town hall, what is the stance, and what did they say about it?
SPEAKER_03:Well, first of all, that is a topic of debate quite a lot. People say, it's just points. You go to this point and do this, this point and do that. It's not actually CUI. Well, the long and short of it is, it is CUI. But just yesterday I saw people debating this on Reddit, you know: oh, you've got to consider it CUI. No, definitely it's not CUI. There's no way that's CUI. Well, what I can tell you is that there are plenty of assessors that I've talked to. Some of them have questioned, well, I'm not really sure, but most of the assessors have said yes, if that G-code comes from something that you're doing to fulfill a government contract (and if you're a subcontractor, you're still fulfilling that government contract, because it's a contract with the prime that they have with the federal government). So if it's something that you're making to fulfill that contract, unless you can 100% prove that there's no CUI in it and that it's just off-the-shelf stuff, it's going to be CUI. And to point this out, this is what I've heard from many assessors, many C3PAOs. I've sat and talked to Jim Goepel about it. Great guy. He's written a bunch of books about CUI and about CMMC and, I believe, still works with FutureFeed. The Cyber AB actually had Jim Goepel on to explain this. So if the Cyber AB has Jim Goepel on to explain why G-code is still CUI, I would think that they're saying that G-code is CUI. I don't think that's too far of a step. It's not a leap. They're linking it right there. So anyway, he basically said, or he did say, that G-code is CUI if it's created in relation to that contract being fulfilled for the government.
SPEAKER_01:And if you take the stance that we do, which is essentially let's take the path of least resistance to certification, and that is we don't want to be arguing with the assessor too much on assessor day, then you're better off residing in the camp of G-code as CUI. And you can have your philosophical debates, but whenever it comes to real-world implementation, we think it's better to just move forward with the concept that it is. And so we just don't worry about it after that. It's protected.
SPEAKER_03:What I might say is that if you don't think it's CUI, then by all means, when you interview your C3PAOs, say, do you believe that G-code is CUI? And you may have your answer there. That's not really part of our questionnaire, because we go ahead and say yes, from everything we know and understand, G-code is CUI. So it's not part of our questionnaire. But if you don't believe it's CUI, then by all means, ask that question in your C3PAO interview process. Because you should be, unless you know some C3PAOs, you should be doing some sort of interview process before you just pull the trigger and hire one.
SPEAKER_01:Yep. Yeah, and truth be told, the real implication of whether you think G-code is CUI or not is really just impacting scope, right? So at least for our manufacturers that are more small, medium business, typically what we do is we just set them up with punch code USB drives. And that more or less settles the concern, I mean, with a lot of other details there, but more or less settles the concern around G-code being CUI and just kind of solves that scoping problem, right? So now if you've got more intricate systems, or you have machine monitoring systems and some other things going on, maybe that's more of a concern for you. But for a lot of shops that is the easy answer and the easy solution to G-code being CUI from a scoping perspective.
SPEAKER_03:Assets on the floor, the CNC machines for instance, would be specialized assets because they're operational technology, and you just have to make sure that everything's documented, that you follow all the documentation rules. And then, as you said, one of the punch code things: it's a FIPS-validated encryption USB stick, and you put in a code on the stick itself and it decrypts it. And that's good because a lot of these machines are older and they're going to have a hard time reading some sort of encrypted drive or whatever. So being able to plug in that USB, put in the code, and have it look just like any normal USB is a time saver and something where you just don't have to worry about the encrypted drive being read.
SPEAKER_01:Okay, so if folks want to stay up to date and get more involved in the CMMC community, what upcoming events can they keep on their radar or put on their calendar?
SPEAKER_03:Well, first thing is the Cyber AB town halls really are good. You can come here and listen to us, and we'll give you the lowdown on the town halls, absolutely 100%. But you can also attend those town halls. They're an hour. They're once a month. They're usually at 5 o'clock, 5 p.m. Central time, I should say. So anyway, they're at 5 p.m. Central time, last an hour. They have really good information, you know, like having Jim Goepel on. They have some guests from time to time to explain some things. And so you can pretty well guess that the guests that they have on are going to be very knowledgeable. And while the Cyber AB is not going to put their stamp of approval directly on them, they're not going to have them on their town hall unless they approve of what they're saying.
SPEAKER_01:It's a real good way to understand which way the wind's blowing.
SPEAKER_03:Yes, it is. Absolutely is. There's also Carahsoft. Carahsoft is a company that sells a lot of government and CMMC type solutions, software solutions. So there's a lot of FedRAMP type software, FedRAMP authorized software, that you can get through them. They're a great resource for that kind of fun stuff. But they have a webinar series that runs, a virtual webinar series that runs from June 29th to the 31st. And they say they'll feature speakers from across the ecosystem. I have no doubt that that'll be a good one, because we use Carahsoft for some things and they're a good group of folks. Then there's the National Cyber Summit happening September 23rd through the 25th in Huntsville, Alabama. That's great for in-person networking. And then there's a conference called CS5. I'd say it's a brand new conference, but it's really not. These conferences started off as CIC, CMMC Implementation Conferences. Those folks partnered with Cyber AB. They became CEIC, C-E-I-C. And now they've teamed up with the Cybersecurity CS2, I think, conference folks. So now there's those three organizations together. They've pooled their resources, and now it's going to be the CS5 conference. So instead of CEIC East and CEIC West, this is going to be the CS5. It may be the CS5 East, maybe. I don't know if they're going to call it CS5 East. I'd have to go look and see, but I would imagine they would because they'll have a West Coast conference. But the CS5 is scheduled for October 16th and 17th. That's going to be in D.C. at National Harbor again. That's a great one to go to if you're trying to figure out the whole CMMC thing, get a lot of information. They have tons and tons of good information. It's a really good one to go to. So those are the main ones coming up that I would suggest. And like I said, Cyber AB town halls are monthly. So they happen every month. Go on their website, look for the town hall link, and you'll see where you can sign up for those. Or if you just want a shorter, quick and dirty update from the town halls, come to us and listen to us talk about it.
SPEAKER_01:Absolutely. All right. Based on everything shared in the town hall and what we talked about today, what is your advice for businesses trying to stay ahead of CMMC requirements? What is the takeaway for today's episode?
SPEAKER_03:So really, the biggest advice is that October is just really around the corner. I mean, it's already July. It seems like just a couple of days ago it was January, right? But October's coming up quick. And if the 48 CFR, or the Title 48, however you want to reference it, is actually going to come out in October, that really is just around the corner, and you really need to get ready for it. Again, double-check your CAGE code. Make sure that how you're doing business is how you're assessed, basically. How you're doing business and getting those contracts. What is your CAGE code? Is it right? Is all the correct information there? Make sure that your IT providers, your other servers, any other CSPs, make sure that you have all the documentation you need. If they're FedRAMP, if you need to have that documentation for CSPs; if they're your IT provider or an ESP that's not a CSP, then you may need to make sure you have your CRMs.
SPEAKER_01:And if you're wondering, you know, if you talk to your IT guy or if you're needing to look for someone to help you on this, we're trying to put together a little checklist of sorts so that way people know the right questions to ask. It's not done yet. It's not available. But if you watch this episode and you want it, just email us and we'll send you the draft, as long as you're kind to us about the draft. Right.
SPEAKER_03:Absolutely. You know, and again, make sure you have your G-code spelled out and you know how you're treating your G-code. I'd say treat it as CUI, because that's the lion's share of what everybody says. You have to take some leaps of descriptions, I guess anyway, to not call it CUI. And have a good, strong SSP. Make sure it tells your story. We've talked about this before. Your SSP needs to tell your story.
SPEAKER_01:We did have a question. I believe the question was from our scoping episode. And the question was, can an SSP double as a policy?
SPEAKER_03:So that's a very good question. I would suggest that it not double as a policy, that you use your SSP to tell your story and how you're doing things, and keep it... even if you keep it pretty succinct, it's still going to be probably kind of long. But if you start putting everything into your SSP, all the little minute details of how everything is done, your SSP is going to get very, very long, very complicated to read. So what we suggest is having your SSP and then having it refer to the details; it describes an overview of how things are done. So your assessor gets a good idea, right? I mean, they just need to read through that and go, yeah, okay, I get it. This is how things are laid out, and this is how they do all of them. Now, what are the nitty-gritty details of how access control is implemented, right? That should be in your policies. Can it be in your SSP? Yeah, it can be in your SSP. And I know I've been at some conferences where people said, yeah, we just put it in our SSP and our SSP is 350 pages long. I don't necessarily think that's the best way to do it. The majority of assessors that I've talked to say the SSP needs to tell your story and refer to policies that give the nitty-gritty detail. And if you have a policy for each family, you can group those very easily into those families. It works out very well that way. So short answer is, yes, it could double as your policy, or you could put your policies all in your SSP. I would suggest not doing that, though, and having a more concise SSP that tells your story with the policies. Awesome. I think I've said that like five times.
SPEAKER_01:So hopefully we answered that question for you. If you see it and we didn't, and you want more info on it, hit us up again, and we're happy to dive in more on it. Just hit us with your follow-up questions. Well, if you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call your questions. We'll answer them for free here on the podcast like we just did. And you can find our contact information at cmmccomplianceguide.com or simply leave a comment. Stay tuned for our next episode. Until then, stay compliant, stay secure, and please subscribe.