CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Top CMMC Myths Debunked: Cloud, Vendors, Firewalls, and MFA Mistakes Explained
Today’s episode of the CMMC Compliance Guide Podcast dives into the biggest myths that machine shops, fabricators, CNC shops, and mid-sized defense contractors still believe about CMMC. From cloud misconceptions to vendor promises that fall short, Brooke breaks down why these misunderstandings lead to failed assessments and what contractors should be doing instead.
We walk through common assumptions like “cloud keeps me out of scope,” “my vendor is compliant so I’m compliant,” “MFA on email is enough,” “my firewall makes everything compliant,” and “cyber insurance handles reporting.” Each of these has a grain of truth but none of them meet the actual requirements in NIST 800-171 or CMMC Level 2.
You’ll learn:
- Why cloud environments don’t remove your endpoints from scope
- How caching, downloads, and browser access pull systems back into scope
- What vendor claims really don’t cover
- Why MFA must be implemented everywhere CUI is accessed, not just email
- The truth about firewalls and why they’re not “compliance shields”
- Why VDI is helpful but not a magic solution
- What cyber insurance does (and doesn’t) do during an incident
- Why remote workstations and home offices still introduce scope and risk
This episode is packed with clarity, not fear, so manufacturers, CNC shops, and GovCon SMBs can make informed decisions, avoid costly assumptions, and protect their DoD contracts.
SPEAKER_00: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacy.
SPEAKER_01: And I'm Brooke.
SPEAKER_00: From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns, getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're covering a fun one: the biggest myths every shop believes about CMMC. From cloud to vendors to firewalls, there are a lot of misconceptions floating around, and if you believe them, you could fail your assessment. All right, Brooke. The first one we hear a lot is: if we just keep all CUI in the cloud, we're safe and out of scope. Is that true or false?
SPEAKER_01: Well, it's true. If you can actually keep all your CUI in the cloud and not touch anything else, sure, then it's true. But you really have to think about that. When you're talking about the cloud, a lot of times people are talking about an ERP or MRP or whatever it is that's accessed through a browser. So you access that system through a browser, and more than likely that CUI is going to be cached on your machine somewhere. If you download documents to view them and click on a PDF to view it, I hate to tell you this, but it downloads it as cache. Any time any of that CUI touches your computer, then it's in scope, and you have to worry about that. So it is rare. You can configure it: if you have a VDI instance, for instance, and that's your cloud, then yes, as long as it's configured properly, that could be all in scope right there, just in the cloud. But that's rarely the case.
SPEAKER_00: Another big one we hear is: my software vendor says they're CMMC compliant, so we're covered. Would that be good enough?
SPEAKER_01: Well, that's a good start. That is a good start. That is not a good finish. I can't tell you how many we've run across that said, yeah, we're CMMC compliant, we're good, you can use us, and then when you dig into it, you're like, well, yeah, but we have some problems. Either we're storing CUI or want to store CUI in your environment, but you're not FedRAMP authorized or FedRAMP equivalent, right? Or you're not CMMC Level 2 certified, whatever you need to be. So if they're cloud, it's going to be FedRAMP. Or they say, we've got some statements on our website that show how we are compliant. So you really need to delve into it and understand that this is all about scoping. It all goes back to scoping and documentation. You need to really delve into it, figure out where your CUI and FCI is going to be, and therefore what they would have to meet, and see if they meet it. There are very few, relatively few, software vendors that really are CMMC compliant, which, if you're going to be storing CUI there, would be FedRAMP Moderate authorized or higher, or FedRAMP equivalent. Authorized or equivalent are the keywords there. There are relatively few that actually have that capacity. Otherwise, you're going to want to bring that stuff in-house, or not store CUI in there, or figure something out. And if you're not talking about CUI and you're talking about a security protection asset, say it's a SIEM provider, security event and information monitoring (maybe I got that backwards), but a SIEM that monitors all your logs, if it's cloud-based, it doesn't have to be FedRAMP Moderate authorized or equivalent.
But a customer responsibility matrix is very, very helpful. Assessors are going to want to see that customer responsibility matrix based on the NIST 800-171 controls, not just some made-up CRM. And I say made up, but they're going to want to see it based on NIST 800-171. If it's based on NIST 800-53, they can probably do the crosswalk pretty easily. They should; if they're assessors, they ought to be able to do that crosswalk pretty easily. If it's based on other standards, you're going to make it a lot tougher on them, and while they might be able to do the crosswalk, just because standards have similar controls doesn't mean you have to meet them the same way. They don't necessarily match up. That's why assessors want to see those customer responsibility matrices based on NIST 800-171 controls, CMMC controls.
SPEAKER_00: Something else we hear pretty often is: if we use two-factor login on our ERP or email, that should be good enough, right?
SPEAKER_01: No, it's not. People don't realize that wherever you have your CUI, wherever you access it remotely or over a network, you have to have MFA enabled. That may mean that you have to have MFA enabled on your computer login, as well as on your cloud provider login if you're storing CUI there. Really, if it's any cloud provider, I'll tell you right now that you might as well go ahead and make sure that your cloud providers, whether they store CUI or not, have MFA available and set up, because there's no cloud service that I can imagine that I would suggest setting up without MFA. Which is very strange, because there are quite a few bank sites that actually don't offer MFA. I'll just set a good password. You know, that's great. But no, you need to really sit down, and that's scoping again: figure out where the CUI is located and where that MFA needs to be implemented.
SPEAKER_00: Something else we hear sometimes is: our firewall makes everything inside it compliant. What do you have to say about that, Brooke?
SPEAKER_01: It'd be nice. It'd be really nice. But it doesn't. It can help, absolutely. That's your edge protection, and that's certainly part of the controls. But you need to have, you know, the SIEM we just talked about a minute ago, the security information and event monitoring. Actually, I take that back. You don't have to have a SIEM. Let me make that clear. You don't have to have a SIEM, but if you read all the controls and everything, it's really written so that you need a SIEM. If you don't have a SIEM helping you look through all those logs, you're sorely missing out, and I would argue you're really not that secure if you don't have a SIEM or something watching the logs helping you, because that is tens of thousands of log entries to pore through, and I can almost guarantee you you're not doing it. So it doesn't require a SIEM, but it kind of requires a SIEM. But to go back to your question about the firewall, it's certainly a very important part of it. You need to configure it and make sure everything's scoped properly, but you also need to make sure your network and all the endpoints behind it are scoped properly and secured: VLAN, subnet, however you need to divide it up. You need to scope your environment, draw out your boundary, and figure that out, and then implement all the controls, like the SIEM, like antivirus, like everything else that's going to be part of that. So yes, the firewall is one part of it.
SPEAKER_00: So what about the idea that if we don't print CUI and only view it on our screens, we avoid scope?
SPEAKER_01: Well, there are a few things there. If you just view it on a computer, that's great, but unless it's a VDI situation where you've secured it properly, that endpoint you're viewing it on is going to be in scope. Also the people viewing it: people are part of your assets, and they're in scope as well, so they'll have to be authorized to be able to view CUI. If you've got a VDI environment set up, maybe that endpoint is not in scope, and that'd be great. Guess what? The people looking at it are in scope. So they have to be authorized. One way or another, they have to be authorized to be able to view that.
SPEAKER_00: Here's another one to throw at you. If everything is in the cloud, there's nothing for attackers to get locally, right?
SPEAKER_01: That goes back to the first question we talked about, but that is untrue. It is not accurate. If everything's in the cloud, that's great. But when you access it, unless it's a VDI solution that's configured properly, where clipboard access is disabled, mapped drives are disabled, and all that kind of fun stuff, your endpoint's likely going to be in scope. If the VDI is configured properly, that's correct: the endpoint is not in scope. Anything else other than that, your endpoint's likely going to be in scope, because when you touch those CUI files, your computer, for one, caches those files. And all the controls that discuss CUI are about processing, storing, and transmitting CUI. So if you click on that document (again, we're not talking about a VDI environment; VDI, I've said this about a hundred times in this podcast, is virtual desktop infrastructure, and if you don't know what that is, look it up; it's a protected way that you could set up that environment, and a remote way to get to that environment as well, but it's a whole thing), aside from VDI, if you click on a piece of CUI, that computer is going to process it so it can read it and open it up, and it's going to store a cached portion of that on the local computer. So that computer is in scope. Storing it all in the cloud doesn't mean no risk. It helps out with the risk, no doubt, if your cloud environment is properly configured, but it does not reduce all the risk.
SPEAKER_00: So here's a fun one. Cyber insurance will handle incident detection and reporting for us, true or false?
SPEAKER_01: They will not handle the... I guess they may help with the reporting and tell you where you need to report it, maybe. Generally, cyber insurance is going to require you to have your incident response plan, and they're going to require certain things to be in your incident response plan. They're also usually going to require (I don't know about usually, I don't know the percentage, but a lot of the time they're going to require) you to use their forensics companies or partners to help investigate that incident, right? So they help with those incidents, and that forensics company is going to help manage that incident. But with CMMC, at least as far as CMMC goes, we're not talking about any state reporting, or other countries, or other industries other than DoD. As far as CMMC goes, you already know where you need to report that, and that's DC3. And you have to have your medium assurance certificate already installed on at least one computer, hopefully two or three computers, just in case one of those is in the line of fire. You know that you'll need to report the incident there within 72 hours. So you already know that, but those cyber insurance companies, with their forensics teams that help them investigate these things, are probably going to help guide you through that process. You just may need to make sure that you've documented it properly and included what they want you to do in your incident response plan. They're going to guide every part of it, from reporting to talking to legal counsel to when to restore, how to restore, all that kind of fun stuff, depending on what kind of incident it is, of course.
SPEAKER_00: So, last myth of the episode. If I log in from home, that doesn't matter as long as it's secure.
SPEAKER_01: Well, that could be true. Again, we're going to refer back to the VDI instance, right? If you secured that properly, then that could be true. But you also have to make sure that your remote workplaces, your alternate work sites, meet all the proper controls. So you have to be aware of that. You have to know that it can be home, but you need to make sure that you've taken all the proper precautions. Using a VDI instance makes that a lot easier, but it does not absolve you of all risk, and it does not make it okay to do anything anywhere. So again, it matters where and how you view that CUI. Hopefully, from your VDI setup, you've not allowed printing to anywhere, because that would be a big no-no. But yes, home computers do count, and generally what you're going to want to do is not let home computers touch your environment. You're still going to want to access that VDI from something that you can control; that way you know it's not just wide open to anything. Now, what you control doesn't necessarily have to be in scope if it's a VDI instance, but you don't want to allow just anything to connect to it.
SPEAKER_00: So, just wrapping everything up for our listeners, it seems like the biggest takeaway here, with all of these myths that you've demystified for us, is that cloud, vendors, firewalls, and insurance aren't silver bullets for CMMC compliance. You'll still need local controls, our favorite, proper documentation, and FedRAMP-ready platforms to pass an assessment.
SPEAKER_01: Yes, that is correct. Most of that you do need, but you don't necessarily need a FedRAMP provider, only if you have CUI in the cloud somewhere. But yes, you need to scope your environment properly and then build it out properly. None of those are silver bullets. Be careful of what we call CMMC in a box. There are CMMC-in-a-box solutions that you can customize to your situation, which is just fine. But be careful of those situations where a vendor says, all you need is this little product here, and you're fine. You've got to go into that with your eyes wide open and realize that it's not just that little box; it's going to be other things. Everything that touches that little box, basically. So yeah, there's quite a bit to that.
SPEAKER_00: Well, thank you, Brooke. I appreciate that. Absolutely. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.