CMMC Compliance Guide

How to Make Real CMMC Progress: Even if Compliance Isn’t Your Full-Time Job

• CMMC Compliance Guide • Episode 27

Submit any questions you would like answered on the podcast!

Schedule your free SPRS Roadmap Session and get a step-by-step plan to close gaps and stay defensible:
👉 https://cmmccomplianceguide.com/free-sprs-roadmap

Is CMMC just one of many hats you wear at your company? You’re not alone and you’re not out of luck.

In this episode of the CMMC Compliance Guide, we break down how overworked and under-resourced compliance leads can still make meaningful progress toward CMMC and NIST 800-171. Whether you're a part-time compliance officer, the IT guy, or the quality manager who just got handed CMMC, we’ll walk you through a phased, practical approach you can tackle in just a few hours a week.

From identifying CUI and building your data flow diagrams to implementing MFA, FIPS, and policy templates the right way—this is your guide to making CMMC doable without the burnout.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap

SPEAKER_02:

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin.

SPEAKER_00:

And I'm Brooke.

SPEAKER_02:

From Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is for the overworked, under-resourced, and part-time compliance lead. You know who you are. If CMMC is just one of the many hats you're wearing, we're going to walk you through how to make real progress anyway. So Brooke, let's start with the obvious. What makes CMMC so tough for small businesses? I know that's a loaded question.

SPEAKER_00:

Well, it is a loaded question. And you hit on the biggest thing just a minute ago when you said many hats, because in a small business, you know, everybody wears multiple hats. You know, we're a small business and I don't just get to do one position. You know, I do multiple positions just like you do. I think... No, I don't. I don't know what you're talking about. I do a lot of things. Let me step back. The IT guy, because in a small business, you don't have an IT manager. You might call that person an IT manager, but it's the overall many hats IT guy. And you give them another hat to wear, and that's compliance. And then it might be the quality guy, or it might be– could be the CEO or CFO, or it could be somebody else. But it's somebody like that that already has a full plate that's– trying to understand and then implement CMMC. So it's a lot of work to do for one person. And generally, if it's not the CEO that takes it under their own wing, they say, here, we need to be compliant because we've got this contract and I need you to get us compliant. And so you've got to understand and learn what all the CMMC stuff is. You've got to know all the NIST 800-171 controls and all the assessment objectives, how they layer CMMC in on top of that, and the whole nine yards. You've got to know all that, and then you've got to go implement it and figure out how to fit your environment in. So it is complicated, and the stakes are kind of high because if you get it wrong, it could mean a longer assessment, not ready for an assessment... All right. So next

SPEAKER_02:

question for you is where should someone start if they only have a few hours a week for this?

SPEAKER_00:

First of all, you need to start at reading through the whole thing and understanding it, which is no small feat, especially if you're starting from ground zero. But even if you think you know this stuff, going through and actually understanding, actually reading some of the documents that it's based on. You know, that's a lot to take in. So you've got to understand it first. Then you start with a gaps assessment. You know, where are you at right now and where do you need to be? Then you figure out where all your CUI is. Where is it in your system? Could be where you want to– make it be if you want to make an enclave or something like that. But you've got to figure out what CUI you have and where it is right now. Then you've got to figure out where it comes from and where it goes. That's a CUI data flow diagram. So we download it out of this portal. We get it through email. I hope not. But anyway, we get it through email over here or whatever it may be. This is how it comes into us. These are the systems of ours that it goes into and it flows through. And then if we send it out, it goes out this way. So you need to have your CUI data flow diagram understood. You need to understand the way it is and then it's very likely it probably needs to change a little bit or a lot. So you can absolutely change that, but you need to understand that. And then from there, it's starting with the controls and doing the most obvious easy stuff first, locking down user accounts, locking down ACLs for access to information, making sure that not everybody operates as an admin, stuff like that. Easy stuff that you can do and tackle.
Um, and you can do this in short sprints and, uh, you know, as long as you plan, you know, a couple hours a week, uh, now it'll take a long time at a couple hours a week, but if you, as long as you plan a couple hours a week or more, but set aside time when you're not wearing one of your other hats to wear this hat, you know, you can, you can make progress on that. by doing these short sprints of a couple hours or so each.

SPEAKER_02:

Yeah, you said something a minute ago about actually starting with reading. Yes. Did you say the 800-171, the NIST 800-171?

SPEAKER_00:

Yes. Revision two, not three. Right. It's not the current one. Yes,

SPEAKER_02:

for now. For now, yeah. So I went on a meeting the other day with a prospective customer, and it was– it's always– quality manager and typically the GM or owner, especially at these aerospace machine shops and whatnot. Anyway, and the reason I'm bringing it up is because it was the first quality manager I'd met that was rather learned, if you will, up to speed on compliance. And he had mentioned that he had spent probably the better part of the past five years getting learned up on it. Um, and, uh, anyway, so I'll bring that up to, to say that it can be done. Um, but, uh, if, if this is a task that's in your lap, I wouldn't wait to start reading, um, that, um, enthralling document that is, uh, uh, NIST 800-171 revision two. Um, cause it can be done. You can get educated on it. You can do it yourself, but, um, it does take some time. Maybe not... It doesn't have to take five years, but it takes some time to digest it and then start applying it.

SPEAKER_00:

It does take some time to digest it. And there will be, if you're an IT guy or a quality manager and you haven't been doing compliance all these years, right, then it's going to be something that you have to figure out and understand. Surprise, surprise, not everything is just laid out 100% clearly in terms that everybody understands. You have to read through it. You have to read some of the documents it's based on and all that kind of fun stuff. So it's helpful to get other people's input, but you've got to be careful. Looking on Reddit, you definitely have to be careful asking AI because AI will lie to you.

SPEAKER_02:

It'll be

SPEAKER_00:

very confident about it too. It'll be very confident and it'll seem very convincing but AI will lie to you. AI is good to use. I'm not saying it's not. AI is very useful but you have to check it. It's only as smart as everybody that has posted knowledge about it. It can grab bad knowledge. But be very careful about AI, about all these different social media sites that you can go to and where there's CMMC groups. They're a great way to get some information and kind of muddle through some stuff. But really, if you can ask some C3PAOs or some assessors, some certified CMMC assessors or certified CMMC professionals questions, that's where you can really start trusting your answer. So it takes a lot of reading, a lot of discovery, and a lot of figuring these things out. And don't just take somebody else's word for it is what I'm saying, especially AI.

SPEAKER_02:

Yeah, basically what you're saying is there's no substitute for just at the end of the day– looking at the documents and then the documents that it is referring to, you know, for definitions or what else to get your answer. Um, you know, it's, uh, there's no replacement for that. You have to do that at the end of the day, whether you're talking to an assessor or something, you know, someone like us or Reddit or something like that, you know. And so a quick little hack, um, that helps AI be better, but certainly not, um, you know, uh, something that you trust a hundred percent, um, is if you upload the document into the AI and make it its reference manual. So that way it's not pulling from a large model that it's cobbled together. Like you just, you give it essentially the model, the document, and then you ask it questions about the document. You'll get more reliable answers, but still that's not a substitute for, you know, figuring out yourself or hiring a professional to give you guidance because it'll still make stuff up. But it's a good way to kind of cut your teeth and then use that understanding to then dive in and then reference the document yourself to verify, okay, what is this actually saying? So a good hack, but not a solution.

SPEAKER_00:

Absolutely. Absolutely. And don't forget that this is not just NIST 800-171R2. Yeah. It's also all the stuff for other, the DFARS rules, the CMMC stuff that they've layered on top of it, things that they've clarified in those rules, all that kind of fun stuff. So you have to read those, you have to understand those as well. See how ESPs are addressed, for instance, you know, stuff like that.

SPEAKER_02:

Absolutely. There's a whole host of information outside of just the 171 that will get you tripped up if you don't look at it as well.

SPEAKER_00:

Yeah, I'm an IT guy. I say, give me the controls, let me look at them, and I can implement them. Give me this 800-171-R2, and I can do it. But then, oh, well, you've got to reference this, or you've got to reference that. Oh, there's CMMC stuff over here, too. So it gets very complicated very quickly. So, you know, we were talking about this and how complicated it is, and it is. But the question was, you know, where does somebody start? Mm-hmm. That's really with... knowing what CUI you have, knowing where it is and where it comes from, doing a gaps assessment, and this can all be part of the gaps assessment, but doing a gaps assessment, drawing out a network diagram, a CUI data flow diagram, and understanding your systems, where your CUI lives, and keep in mind FCI as well. And then after that, the next point after that is implementation, and you just get the low-hanging fruit so you can feel some good wins, you know. Remove everybody from the admins group, the local admin or domain admins group, if you have them there. Lock down your ACLs on your server, for instance, and stuff like that. But do the low-hanging fruit on the implementation. So that's really it, is how you get started.

SPEAKER_02:

Let's say that you've run a gap assessment. Now you know where your CUI lives. You've got kind of a network diagram to define the scope and the boundaries. And you've done those low-hanging fruit items. What would you do next?

SPEAKER_00:

You know, one of the easy things to do is wherever you touch CUI, you have to have multi-factor authentication. So the short answer is implement MFA for wherever you touch CUI. So wherever you touch CUI, that has to be implemented, whether it's a privileged account or remote access or network access. So really, if it's not privileged access and it's not network and you only access CUI only on one machine and it's kept on that hard drive, I guess technically you don't necessarily have to have MFA. But that's almost never going to be the case. So wherever you touch CUI, implement MFA. That's really a good one to start on. You can knock that out. Make sure, you know, it's good to have MFA anyway. And, you know, we just had this talk at one of our tech meetings the other day is that, you know, having the token, the MFA tokens, you know, on your phone, you know, that's great. That's great. Less phishable, I guess, than an SMS password or an email code or something like that. But even that's getting more and more phishable with token theft and all that kind of fun stuff. And I know I'm kind of going down a rabbit hole here, but if you look at doing something like YubiKeys or passkeys or something like that. Windows Hello for Business has to be implemented properly for any... But anyway, that one you have to make sure you implement properly for CMMC. Those are stronger MFA methods and less phishable, I should say. And there's even attacks on those to downgrade and all sorts of other stuff. If you go ahead and implement one of those less phishable MFA methods, it is a little more intensive, I guess, if you've not done it before. But I would go ahead and start there so you don't have to go back and change things later on. But as far as CMMC goes, MFA, however you get it implemented, and do MFA. So that would be a really big one, reasonably easy to get started on after you get the low-hanging fruit, I should say. Another one is FIPS-validated cryptography for CUI.
FIPS-validated cryptography for CUI is required for any CUI that's at rest, in transit, or processed. So processed, stored, or transmitted CUI. We shorten that to PST, right? Anyway, so any of the PST methods for CUI, then you have to have FIPS cryptography. So in other words, if you have a Windows server, you have CUI on it, you have to turn on FIPS mode and... Red alert here, you know, only Server 2019 and 2016 have a FIPS-validated cryptography ready to go. None of the other newer models do. They're in the process, but they're not ready. Windows 10 and 11, there are no currently supported versions that have a full FIPS-validated cryptography stack that you can use to implement for Windows 10 or 11, so... Good luck. They do make some exceptions for that. But implement FIPS-validated cryptography everywhere you can. Servers, your firewall, if you VPN in. Now, the CUI needs to be protected once with FIPS-validated cryptography. So if it's already encrypted... you don't have to worry about encrypting it again. Or you don't have to worry about FIPS-validated encryption again. So if you VPN in, but you're only communicating over SMB, for instance, then as long as it's turned on, you're good. But if you're doing anything that might be less than FIPS-validated cryptography through that VPN tunnel, turn on FIPS mode for that firewall. Or at least for the VPN, but most firewalls you'd... Well, I don't know about that. But a lot of firewalls, you turn on FIPS mode, and you either turn it on, and it turns off all the stuff that's not FIPS, or you have to go meet all the requirements, and then you can turn it on. I know SonicWall just changed from one method to the other. But you have to turn that on. And really, to tell you the truth, it's just safer just to go ahead and turn on FIPS mode on the firewall. It's easy. There's not that much impact. There is some, but it's all good stuff. So turn on that FIPS mode for the firewall is a good thing too.
Any cloud services for CUI should be FedRAMP authorized or equivalent. And if they are, then they'll have FIPS mode. But if they're equivalent, you need to make sure that you've looked at all the documentation and it actually is in FIPS mode, that they use FIPS-validated cryptography. So FIPS cryptography is another thing. Set up your audit logs for monitoring. You define the monitoring. You define the categories, but you need to be able to research and find issues. So... But your audit logs for wherever you touch CUI and wherever it travels. It's going to be your firewalls. It's going to be possibly your APs and network equipment, possibly your servers, stuff like that. So turn on all those audit logs. The next thing is all those logs have to be reviewed. So you can go review those logs. And that's– Fine-ish, but really to do it properly, you should have at least a SIEM, if not a SOC helping you, but at least a SIEM gathering all those in one place because those logs have to be protected.

SPEAKER_02:

Not required, but if you're a small team, it's a heck of a lot easier to go buy a product that does a lot of the

SPEAKER_00:

things for you. It doesn't tell you you have to have a SIEM, but the things it tells you you have to do with the logs– A SIEM does all that and makes it easy for you. The next thing is your incident response plan. And you have to build out a good incident response plan. I saw this question come up just the other day. How many of you IT guys have incident response plans? What do we know to do in this case or that case? That's not an incident response plan. Not everybody will do the same thing. But you have to have that response plan. It has to be built out. The first time you build that out, it's going to be a booger. It's going to be tough to go through and build out that thing. But you're supposed to also test it. So if you test it, for instance, annually, you go through and test it, I guarantee you, you're going to find things you have to change. But that's the point of testing it, you know, is to find these problems in it. And things are going to change from time to time, so you're going to need to update your incident response plan. But once you get it built out, adding on to it, updating it, all that stuff is not nearly as hard as building it out the first time. It may be involved, but not nearly as much. So those are some of the high-priority things that make a big difference. And I would say those are probably good things to do next.

SPEAKER_02:

How do you handle all the documentation? Because you can't go too far in the implementation without starting on the paperwork.

SPEAKER_00:

Well, there's a lot of the controls and assessment objectives are documentation related. Mm-hmm. You know, it's less than 50% technical. Using templates is a good thing. So if you find some templates, you can use those. It's always better to... With scripts, I always tell people, you know, I never write a script myself. I always find one that does mostly what I want and then I bastardize it and make it my own. Or it's like a recipe. You know, you take somebody else's recipe and you say, I don't like this and this. I'm going to change this up. And so now it's mine. Right. And so then you can take credit for that recipe, too. So really, documentation is hugely important in this. For procedures you're supposed to follow, policies you're supposed to follow, but also for proving that you're doing things. It's good to start off with a template if you can get one, either find one and download it. The ones that you can download for free are so-so; there are good ones that you can buy. But either way you go, you're going to have to customize that template, that policy, for instance. You're going to have to customize that quite a bit. I've been saying this a lot, but look at the assessment objectives, fulfill those assessment objectives and you won't have, and that takes care of the control, right? Um, so once you take care of all those objectives, uh, makes it much easier. Some of them, uh, you know, like, um, 3.1.1, it has six different things, and they do this for processes, do this for people, do this for devices. Well, if your policy addresses people, devices, and processes and says what you have to do with those, that you have to have authorized and you have to configure them right and everything. So if you have– you can– put all those together in one policy and make it sound a lot better than dividing them all up. This is what we do for processes. This is what we do for people. So you can combine those or some parts of those.
Point, though, is that you do have to customize those for how you do things. The SSP... you can use an SSP template pretty easily and then put in what you do. The SSP, your system security plan, is going to be kind of at a high level what you do to fulfill those controls and assessment objectives. The policies are going to get down to the nitty gritty. So the SSP, you can take that template and you can just stick in high level what you do on these things, get that taken care of, and then you can refer to your policies. Your policies, you write out in depth: this is how we take care of this. And you can certainly start with a template. We start with a template, but they're heavily modified for that particular client. This is how we do it. In this instance, not everybody's the same, believe it or not. I know there's a lot of vendors out there who say, buy this solution here, put it in place, and you have your enclave, and you're good. Here's some documentation, and you're good to go. That box doesn't perfectly fit a lot of people. So once you break that box a little bit, guess what? You've just brought more things into scope. The

SPEAKER_02:

truth really comes out in the wash, and the wash is the assessment. Because then the assessor starts asking questions, and you realize it's a perfect little– silver bullet solution you bought is suddenly not a silver bullet solution anymore.

SPEAKER_00:

Right. Absolutely. And you know, uh, most of the DIB is, is made up of, uh, manufacturers. And so they have machines on the floor that have computers that control them and CNC machines and, and whatnot. And, uh, you know, so how do you get that CUI from your environment to that machine? Uh, it can be a host of different ways, but you have to fulfill those controls and assessment objectives and do it properly. So my point is that templates and box solutions are great. But most likely you're going to have to customize those. You will have to customize the policies. And most likely, unless your business just happens to fit in a box, then you're going to have to customize that solution some too or make that solution fit a portion of your business, for instance. Yeah. I guess I'm saying kind of the same thing in a different way. But– Yes, you can absolutely start with templates, but they will be heavily modified. If you don't heavily modify them, then they're just not going to fit and not going to be defined enough for an assessor.

SPEAKER_02:

Yeah. It's real hard to buy compliance off the shelf. You can certainly throw a lot of money at the problem and it makes it a lot easier, but you can't just buy it off the shelf. It doesn't work that way.

SPEAKER_00:

Right. And I will say just what I said just a minute ago, you can buy it off the shelf, but you'll have to customize it. I don't know about all of them. Some of the ones I've seen that have been purchased have been a pretty good set of policies and plans and procedures, and it's not just SSP and policies. You're going to have some policies. You're going to have your SSP, and you're going to have some policies. You're going to have some plans and procedures. You're also going to have lists. There's a lot. But the good sets include all that stuff to where you can customize it for yourself. They help you– a list will help you. Oh, I've got to include all these columns. That makes sense. Where otherwise, if you're creating your own list, you might accidentally leave something out that is key to understanding. And this whole thing is also about the assessor understanding what you're doing and feeling comfortable with what you're doing. Because if it's not clear, they're going to ask a lot of questions. They're going to do a lot of testing. All that kind of fun stuff. And which is fine, but that leads to a lot more work. It also leads to discovering something. Ooh, I left this out. That's good if they discover that, but you should have already discovered it. And hopefully you'll discover that when you're trying to flesh out your documentation.

SPEAKER_02:

Let's talk about time savers. What helps most when you're not full time on this?

SPEAKER_00:

So there are some tools or some things that can help out that are time savers. So an automated collection, evidence collection tool, you know, an easy one to think of is your SIEM. It gathers your logs. There are also other tools out there that vendors sell that will help you gather that information from different systems. Then you also have your continuous monitoring that you have to do. Continuous monitoring may be from an RMM or something like that or monitoring and management tool or something else or related, and so that also gathers evidence automatically for you. So those kind of things are a time saver for you where you don't have to go fill things out manually, go search for things, go run reports and export stuff. If you can have that stuff ready to go, and I guess maybe you might have to export it from whatever tool and put it into a GRC that you have, for instance, or wherever your documentation archive is at. Speaking of that, another thing would be centralized documentation. So it's perfectly fine to have a bunch of Word docs and spreadsheets in one place where you keep everything located at and maybe have version numbers or whatever you want to do on that. It's perfectly fine to do that. But that is a bit of a bear to manage when you're trying to manage, you know, 20, 30, 40, 50 documents. And did somebody take one and update it and forget to put it back or whatever? So if you're the only one doing it and you're managing all that, then I guess maybe it's not that hard. But it's still a lot of documents to keep track of. If you have a GRC tool to store everything in, that is your centralized documentation platform. That is most of those GRC tools. A lot of them that have CMMC in mind, not just a... an afterthought, but, you know, are built for CMMC. A lot of those will help you calculate your SPRS score. They can output a SSP for you. You can put your policies right in there.
They can live as live documents and change them and automatically have version numbers, histories, and all that kind of fun stuff. What's changed? You can assign responsibilities. So a centralized document storage platform, which is I'll just say a GRC tool, Governance, Risk and Compliance tool. So a GRC tool. The one that we use, and I talk about this all the time, but it's because I really like them, is FutureFeed. We love FutureFeed for CMMC. They've done a wonderful job with it. They've built it out very well. They continue to build it out. It's a very good platform. So go talk to Mark Berman, Chase Berman. They're good folks over there. But if you don't use FutureFeed, use some sort of GRC tool. It really does help a lot. I know it helps us stay in sync with our clients. We're both looking at the same documentation and the same spot. It really helps out a bunch.

UNKNOWN:

Mm-hmm.

SPEAKER_00:

Monthly review meetings help out, especially when you have a team or clients or whatever. Monthly review meetings or more often while you're implementing things. But these are– scheduled meetings are very important while you're ongoing and implementing this. But they're also important for some of your documentation as well because you have to have certain– meetings and updates every so often, and these meetings help fulfill that. But have scheduled meetings to help you go through things, make sure things are updated, make sure you're reviewing risk, reviewing security, all that fun stuff. Those really help out a lot. If you have a little bit larger team, or if you have any team, but you can assign responsibilities to HR is in charge of training, and IT is in charge of implementing technical controls, and whatever compliance team or whoever that may be is in charge of the documentation. But if you can split out those roles and assign people– which you can do with the GRC platform, by the way, or most of the good ones you can. So that's a really good thing to do. And the other thing is don't forget that you can outsource specific pieces or the whole thing or anywhere in between. to help you out and help you get this done.

SPEAKER_02:

All right, let's land the plane here. If you only have a few hours a week to work on CMMC, what are some practical tips that can get you some steady progress, kind of wrapping up?

SPEAKER_00:

Sure, sure. And if you only have a very few hours a week, then God bless you. Good luck. But it can be done. But it won't be done overnight. Even if you have all the people in the world, it still will not be done overnight, just so you know. If you block... Block a couple hours a week at the very least. Set that, just like we were talking about earlier, set that aside. Make that scheduled time that you take all your other hats off. You put them off to the side. You put them out of view. You don't want your other hats to be in view. You take off all your other hats, and you wear only your CMMC hat. And you step through the phases of stuff that we talked about earlier, which we'll probably hit on here in a second.

SPEAKER_02:

So work from home or lock the door so

SPEAKER_00:

no one comes in your office. Work from home or lock the door. Ignore the phone. Unplug the phone. I don't know. But block off at least a couple hours a week, if not more, to work on just this to get it done. So that's one of the first things you do. You need to set time aside to do just this, to where you focus on just this. It's very hard to get this stuff done if you're doing other things and you have to get your mind wrapped back up and, you know, I've got to go unlock a user account and now I can come back and where was I with the CMMC stuff? So it's hard to get pulled away to do other things. So set aside some time, just like you're in a client meeting or whatever, whatever it may be, you can't be bothered while you do this stuff. It's very important to stay focused and get this stuff done, especially if you don't have much time available to do it. Breaking your work into phases and writing those phases out and understanding what goes in each phase and not getting everything all jumbled together. So you need to figure out what type of CUI you have. You need to figure out where it lives and where it goes. So processed, transmitted, and stored. So you need to figure out where it goes. I would draw that out so you understand it. And you see that visually. And then do a gaps assessment and figure out where you're at, where you need to be. And then after that, the other phases are things that we talked about a while ago, is to do all your low– the next phase would be your implementation. So break your implementation down into sub-phases as well. They're going to be knock out all your low-hanging fruit. Take people out of the admins group, my God, please. Yeah. Lock down your ACLs on your server. Make use of groups so that it's easier to do. All the low-hanging fruit that you can get done that you should probably be doing anyway, get those done. Then go for your big-ticket items that make a lot of difference. Implement MFA, implement FIPS.
stuff like that, make sure that you have that going. And then make sure that you have your documentation spelled out. You can start off with your SSP and say, this is how we do things at a high level. And you can go back and change that anytime you need to. As you go through some of this stuff and figure out how you're going to implement this, you'll have a POAM, a plan of action and milestones from your assessment. You can break that down into, and this is something I didn't mention a while ago, but you can take that POAM and say, here's all these assessment objectives, all these controls that need to be addressed that are not done. And that's what your POAM is. And you can take those, group them together, and say, I can do these 10 items with this project. I can do these 20 items with this project. I can do these two things by doing this small project. Whatever it is, break it down into projects. Then you can also, from there, figure out what projects are just going to be just your labor and buckling it down and getting it done in that two hours a week you have. Or how much it's going to cost. Am I going to need a... a new server? Am I going to need a new enclave for a new server for an enclave? Maybe, uh, are we going to need to buy this product or that product? Are we going to, you know, what do we need to do to fulfill these? And you can, uh, figure out the effort involved and the cost involved with your, with your POAM and making projects out of that. Um, so that's a very important part. And that helps you with your implementation, uh, breaking your implementation down into phases as well. Uh, so, um, it's very important, that POAM, uh, is very important to use to make projects out of. And I'll go back to GRC platforms. The good GRC platforms will help you with the POAM. You'll have your POAM, your items that you need to address.
Then you can also make projects out of those within your GRC software and assign projects, you know, criticality, effort involved, cost involved. You know, you can assign all that. You can assign people to do them, the whole nine yards. So the GRC platform can help with a lot of this stuff. But that POAM is very important during implementation because it is for implementation. But you can use that, as I said, to make projects out of it. For your policies and everything, you can, like we said, use a template approach. Be very careful with free ones. Always make sure they're up to date with the latest controls and assessment objectives and CMMC, all the stuff that CMMC requires. But you can use templates. Just make sure they're good templates. And I will tell you that the ones you can go purchase from some of the good C3PAOs and other vendors, most of those templates are going to be better than the free ones you can find. But you can find decent free ones, I'm sure. So we don't use templates; we use ones that we developed over time and changed a lot over time. We started in this back in 2017. So I could tell you that our policies that we developed back in 2017 are not this. Well, I guess they're the same policies that we had back in 2017, but they don't look the same at all. So they were simpler back then, however you view it. And now they're a lot more detailed. But that's the point with buying good documentation versus something free you can find on the Internet. So a template approach is just fine. Just make sure you customize it for your use. Because even if another widget manufacturer that makes– aerospace manufacturer that makes the same sort of widgets you do with the same sort of machines– they're going to have a different workflow, most likely, than you do. Maybe a lot the same, but it's not going to be exactly the same. And so their policies are going to look a little different than yours, for instance.
So the point is you have to customize those policies. If you have more than one person working on it, and hopefully you do, then you can assign responsibilities. Even if you don't have more than one person working on it and you have an HR person, for instance, you can say, hey, our training platform that we have, you make everybody take this little five-minute cybersecurity training. I need to add these things on it to cover CMMC. And most training platforms will have that, or you can upload or create some custom content for those training platforms to use, or you can develop your own training program too. That's always okay. But any of those you can assign to somebody else. That's always a good thing to do. Again, tracking your progress visually, whether– and I'll go back to– GRC platform. A GRC platform will do this as well. But if you have one document, or maybe even more than one, but if you have one document where you can track your progress in a spreadsheet on all these different controls, and there are lots of templates that will help you do this for spreadsheets, but track your progress visually, all in one where it's easy to see, that will help you go through this and not be overwhelmed. There's lots of them that will help you track your progress, but they're complicated to use, and those just help to blow your mind up. One of the other things is, even if you are the only one doing this and you wear four or five other hats and now you're in charge of compliance, then, you know, a good thing to do is outsource. Outsource key pieces that you need, you know, your SSP and policy and documentation creation, whatever it is, outsource something to help you out. And that not only will help you get it done faster, but it helps you with good advice. You know, you get some good advice. Now, preferably, you want somebody with at least an RPO, preferably maybe a CCP or CCA on staff.
CCAs I know can help out with this. I would imagine most of them are going to be– there's going to be a good deal that are tied up in assessments and won't have time for a small– a small engagement. So, but, folks that have those, companies that have those folks on staff and do implementation, then that's a good way to get good advice, is to engage some of those implementers to help you out. And then the only other thing to remember while you're trying to get this done is that this isn't a one-and-done thing. And if you look at NIST 800-171 and CMMC, it's not, you know, they don't say implement this and then you're good. They say implement this and manage it. So it's ongoing management. It's ongoing monitoring. Be updating your documentation. I can tell you your incident response plan is going to be one of those things that every time you test that incident response plan, you're going to go, eh, we didn't think about this. You should not test the exact same scenario every single time because... Or maybe you did so poorly on the first one that you do want to test it again. But you should test different scenarios. And you should find things in your IRP that you need to address. In that policy or the plan or procedures that you need to address, you need to shore up and make better. So it is an ongoing thing. Don't forget that. So once you get it done, you're in management, monitoring, and maintenance mode.

SPEAKER_02:

And if this all seems too complicated or you don't want to do it yourself, we are offering a free roadmap to an SPRS 110 score. So SPRS is your self-assessment of basically the 110 controls, right? And so what this session is, is just kind of sitting down with us for 90 minutes, myself and Brooke, and then we'll just kind of walk through where you're at for compliance right now, where you need to be, what the gaps are, more or less, and then kind of jotting out a personalized roadmap for you to see how you could get to 110, and that's all free. So that hour-and-a-half session is what we offer just kind of as a get-to-know-us offer there. So you'll understand where you currently stand, what gaps you have that could cost you contracts, and then get that personalized roadmap. Absolutely. That should be in the description down below if you want to take advantage of that. If not, keep coming back and we'll keep giving away the secrets for free here on the show. Thank you everyone for joining us today. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions. Also, you can comment questions as well. We'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. And make sure to subscribe.