CMMC Compliance Guide

When ‘Not Applicable’ Can Cost You Contracts

CMMC Compliance Guide Episode 28

Submit any questions you would like answered on the podcast!

Marking a CMMC control as “Not Applicable” might feel like an easy shortcut, but get it wrong and you could fail your assessment, lose contracts, or even face legal trouble.

In this episode of The CMMC Compliance Guide, Brooke and Stacey from Justice IT Consulting break down the real risks of misusing N/A, share common mistakes companies make, and explain how to properly justify a not applicable control so you stay compliant and avoid False Claims Act issues.

We cover everything from Wi-Fi misconceptions to remote access oversights, mobile device scoping, assessor validation methods, and the legal risks nobody talks about. Whether you’re a one-person shop or managing a complex network, these insights could save you from major headaches come assessment day.

CyberAB Marketplace

Stacey:

Hey there, welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Brooke:

And I'm Brooke.

Stacey:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're tackling something a lot of companies get dangerously wrong: marking requirements as not applicable. We're going to walk through why this can be a serious trap and how to avoid getting tripped up during an assessment. So, Brooke, why is not applicable such a dangerous designation to throw around in a CMMC assessment?

Brooke:

Not applicable is kind of a dangerous thing, because you have to be very careful and make sure it truly is not applicable. Because if it's not, then you can mark it down, but you need to explain it and tell why. And if the assessor looks at it and says, "I think you're off your rocker," then at that point there's a whole host of things that could happen, depending on when they see that. You've got to be very careful and make sure that a control is truly not applicable.

Stacey:

Can you go into what are some of the most common ways companies incorrectly mark something as not applicable?

Brooke:

You know, some of the ways that people get this wrong, for instance, is Wi-Fi. I don't know why, but people seem to have a misconception about Wi-Fi sometimes. Maybe all they have is guest Wi-Fi, and they say it's guest Wi-Fi, so it's not applicable here. So really, truly, that would be out of scope, but you have to make sure that it truly is, because a lot of these companies you see that have a guest Wi-Fi network actually have it on their regular LAN, their regular corporate network. So there may be some protections added, but you've got to be very, very careful with things like that. Another thing is remote access. There's a whole host of ways to access your network remotely, and people have a tendency of forgetting: "Oh, you mean Splashtop is part of that?" Yes, if you have Splashtop installed and you can access it remotely, which is what Splashtop is for, or LogMeIn or any of those kinds of remote access programs, those are in scope and would not be not applicable if they connect to your network where there's CUI and you haven't scoped out what they connect to. Public access systems: you can't just say it's not applicable for public access systems. For instance, if you have a website... If you don't have a website and you don't have anything else, absolutely, maybe it is not applicable, but most people have websites these days, and you'd have to make sure that that is in scope. That's a public access system, and you have to make sure that there's no CUI posted to it. You have to have some procedure around that so it's not applicable... I guess that makes it applicable. And then mobile devices. People are always wanting to say their mobile devices are not in scope, or they're not applicable, for some of the controls that address mobile devices.

Then you find out you get your email on those, and you say that you can send secure emails out. Are you sure you can reach your OneDrive files that are in the GovCloud? Are you sure that phone's not in scope now? Are you sure it's not applicable? Because most likely that's going to be applicable. That's a big sticking point as well.

Stacey:

We actually did a scoping episode together where we tackled mobile devices. So if you're still a little confused about it, definitely check that out; we go a little bit deeper on all of those great scoping tips. Moving onward, how do assessors validate whether a not applicable claim is valid or not?

Brooke:

Well, they look at your CUI data flow diagrams. Hopefully you have that. They look at your system security plan. They look at your network diagrams, what you've classified as in scope, what you've classified as out of scope, and whether it all makes sense and everything aligns properly. For instance, if you fill out a data flow diagram and you say it comes into your server, but on your server there are no ACLs or anything that separates, for instance, CUI from anything else, then that's going to be a problem. So they look at your SSPs. They talk to your staff. Part of this whole thing is interview questions, so they'll want to talk to some of your staff. They'll say, "Stacey, can you access any of the client data? As a marketing person, can you access any of the client data?" "No, I can't." "Well, can you show me?" "Yeah, sure. Right here is the IT folder. Oh, I just got into it." And so then the assessor (excuse me, not auditor, the assessor) would say, "Oh, well, that may be an issue." So they interview staff. They look at all your proof, your network diagrams, like I said, all that kind of fun stuff, to go through it and understand how everything is built out and make sure it all jibes and works together. So if they discover something that you've defined as not applicable... and I realize the example I used is probably not the best example, but the point is still valid. They can still interview staff, and if they discover that something you marked as not applicable is applicable, then they can say, "Hey, look, this is actually applicable here," and now this control is going to be scored as not met instead of not applicable.

Stacey:

Now that we've covered all the do-nots for marking as not applicable, when is it okay to mark a control as not applicable?

Brooke:

So it's only when the technology, the process, all the assessment objectives for that control are completely absent that you can mark it as not applicable. You can't mark it as not applicable because it's too expensive or too hard. So you've got to be very careful when you do that. And even if you do mark it as not applicable, you really have to define that and prove it to the assessor: "This is not applicable, and this is why it's not applicable. You can see this in my data flow diagram. You can see this in our network diagrams. And this is why it's not applicable." And not only explain it, but make sure you include evidence, if there's any evidence you can include for a not applicable. That's not necessarily the same as proving a negative, but if there's any evidence that you can show to say this is not applicable, include that evidence, anything to make sure that you can convince that assessor that it truly is not applicable. I guess what I'm trying to say is that should be a very high standard. So to say "this is not applicable, it just doesn't apply to me" is not good enough. The other thing you can do, and admittedly this is a lot harder, is if you want to classify a control as not applicable, you can get an exception from the DOD CIO. So I guess you could contact Katie Arrington's office and say, "Hey, this doesn't apply to us, and this is why, but I want a formal exception from you so I can have that and show the assessor," if you want to be very comfortable with it. I'm sure there have probably been people that have asked for that, but I don't know of any particularly. And that would be a very tall bar, a very high bar to cross, for me to say, "Yeah, let's go to Katie Arrington and ask her office if we can be excepted from this." But you can. That is allowed for in CMMC and NIST 800-171.

And I've got a note here just to remind me to remind you that cost and difficulty are not an excuse to classify something as not applicable. "That's going to cost twenty thousand dollars to fix that one." It doesn't matter. The way the DOD sees it is that you should have already had all this figured out by now, and the only cost you should necessarily be worrying about is the cost of the assessment. The cost of meeting all the controls should already be done and already be water under the bridge. Everybody already knows that and what they should be doing. I guess the only reason you might not know that is if you didn't have any contracts yet. But that's just the way the DOD sees it: that they already should have been done and met by now, and those costs to be compliant are sure to be sunk costs.

Stacey:

Let's talk about the big scary risk with not applicable: the legal risks that nobody's talking about. So what are those bigger risks, beyond just failing your assessment?

Brooke:

Well, there's failing your assessment, but there's also... the False Claims Act always comes in with something like this, if you knowingly said something was not applicable and you were just hoping to slide it under the radar or something like that. The False Claims Act always comes in, and then it turns into a legal risk. There are all sorts of things that could happen. You could lose your contract, and that's bad enough. You could be fined. I know there's a couple of universities, and somebody else, another company anyway, that have been fined millions of dollars because they just said, "Hey, all these don't apply to us." And it wasn't true. It was a blatantly false statement. Now, if it's just a screw-up and a disagreement with an assessor, I would think, and this is not legal advice, that that's a lot less likely to end up with the False Claims Act. But if it's something you just blatantly said doesn't apply, and you made up some false information, or some information that maybe wasn't completely accurate, or maybe you left out some things... There is a sin of omission, a crime of omission, however you want to put it. So if you leave out some things that, if you would have put them in, would make it applicable, when you leave those out, that is a sin of omission, and that can lead you to a False Claims Act. So the False Claims Act is a thing to stay way away from. Steer way clear of that. So just be very careful. And the other thing to go along with the False Claims Act is that there are whistleblower protections. So if you're not doing things properly and you're just trying to skirt by and see if you can get everything done properly, or done improperly, I guess, but anyway, you're trying to get everything done, there are whistleblower protections.

And if one of your employees decides, "Hey, I want no part of this because it's not right," they can go and turn you in. So it is a thing to be very careful of. And again, steer way clear of that. But there are whistleblower protections, so it's not like you can skirt through and keep a short leash on all your employees to make sure they don't spill the beans.

Stacey:

Seems like the intention is very important when you're checking that off.

Brooke:

Yes. The intention is important. Where it would fall is anybody's guess, because it really will depend on the situation. I can't tell you that if it was completely unintentional it wouldn't end up there, but the likelihood is a lot less; if it's unintentional and purely a mistake, it probably won't end up with the False Claims Act.

Stacey:

Now that we've covered all the big, scary legal risks, let's jump into how we can avoid all of those when we mark something off as not applicable. So could you delve into some tips and tricks and to-dos that our listeners can use to make sure they don't fall into that trap?

Brooke:

Sure. So the biggest thing is: just assume all the controls apply to you. For instance, even if you don't have remote access: "We don't have remote access, but here's our policy in case we decide to turn this on. This is what we'll do." "I'm just a one-man shop, and I don't have any other employees, but this is what I would do if I hire somebody else." That's an easy thing to do. So I'd be very, very judicious with the not applicable. For instance, if you're a one-man shop, there's a lot of this stuff where you can go, "I'm going to throw this out the door, because most of that doesn't apply to me." It does, and just because you're a one-man shop doesn't mean you don't need any cybersecurity training, even if you're a smart guy or a smart woman. So you need to really think about whether those controls don't apply to you. And so use N/A very, very sparingly. Be very judicious with it. Make sure if you do use a not applicable that it truly is, and make sure you've explained why it's not applicable. Make sure that you have evidence. Make sure that you have all your I's dotted and your T's crossed. So make sure that your eyes are not crossing and your T's dotted, I guess. And if you're unsure, then ask for help. Look for an RPO, look for a CCP or CCA or something like that, somebody that does implementation, and ask them for some help and some guidance. And if you're looking for a place to go when you say, "I have no clue, I don't know anybody that's an implementer, I don't know any IT folks, I don't know anything like that," where you would go is the CyberAB marketplace. So you'd go to cyberab.org. That's cyber, alpha, bravo, dot org. And you go there; I think the CMMC marketplace is over on the right-hand side. You click on that, and you can filter for RPOs. You can filter for CCAs and CCPs. And then you can also filter, I think, for the area of the United States it's in.

I don't remember off the top of my head. I think it's by state. But there's all sorts of stuff you can filter on and search for RPOs there.

Stacey:

If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.