CMMC Compliance Guide

What CMMC Assessors Notice First: Early Red Flags That Fail Level 2 Assessments

CMMC Compliance Guide Episode 44


What do CMMC Level 2 assessors notice first, sometimes within the first day, before they ever dig into your firewall configs or deep technical testing?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the early red flags that can derail your assessment fast. We cover what assessors ask for right out of the gate (and how quickly you need to respond), why generic SSPs create problems, how scoping mistakes happen in the real world (downloads folders, copiers, shop floor machines), and what it means when your policies do not match what employees actually do.

If you want to pass your CMMC Level 2 assessment, this episode will help you tighten your documentation, evidence, and scope before the assessor ever starts technical validation.

Austin

Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is probably one of the most practical episodes we've done, because we're walking through what assessors notice first in a CMMC Level 2 assessment. Not the deep technical testing, not diving into firewall configurations, but what are the early red flags that an assessor will see, sometimes within the first day, that tell them whether or not a company is actually ready for assessment? So, Brooke, before assessors even deep dive into your systems, your screenshots, your configurations, your firewalls, all your logs, all that fun stuff, what are they looking at first, before that even happens?

Brooke

It is about all the technical configurations, but the CMMC is also about managing those, improving those. That's really where it's at. And so they want to know about your documentation. You know, they'll ask for a list of all your documentation. Do you have this, do you have that? And, you know, they'll ask for all that. I can tell you, if it takes you more than a day to respond to that, that's an immediate red flag to those assessors, because they're going, well, if it takes them more than a day to respond to these simple questions, the stuff they should already have and know by heart, then there may be an issue here. So that could be a red flag: an incomplete SSP or an overly generic SSP. If you just have your policies, no plans and procedures, if you don't have your data flow diagram along with your network diagram, or your user list and stuff like that, then those are red flags for the assessor. So before you even get started, and that's part of phase one, though at first, before you get to phase one, they want you to scope it out, you know, so they can price appropriately, of course, but they can also kind of figure out at that point, at a high level, might this person be ready or not? So they get to that part: I think you might be ready. So phase one starts and they say, okay, I need to see a list of this documentation, tell me whether you have these or not, show me this. And so if you can provide that, they can figure out from that point if you're ready to move forward or not. If you're not ready to move forward, if they deem that you're just not ready or you're just not there yet, most of them will just tap the brakes and say, you know what, I don't think you're quite there yet. This is why I think that. You need to fix that and come back to me.
And so most of them will do that. But documentation is the very first thing that they look at. Not the details of the documentation, they don't look at those at all, but they want to know that you have, you know, your access control policy, your SSP, stuff like that.

Austin

So of all those things you just mentioned, what do you think is probably the biggest red flag that assessors most often see right out of the gate?

Brooke

One of the biggest things that they see, and I'm sure there are different assessors that can tell you different things, or maybe a lot of them will agree on some other stuff, but one of the things I've heard is generic system security plans, SSPs. You know, if you're basically just going through and saying, yes, we have a list of processes, we have a list of users, we have a list, you know, if you're just going through and regurgitating what the controls say, which might be tempting, especially for an IT guy. You know, "define and have a list of all your processes, users, and devices with authorized access to CUI." And so you're like, yeah, I have that list, you know. But you kind of need to go a little further and define, yes, we have that list, here's where it is, this is what's on that list, and all that kind of fun stuff. You need to explain that in the SSP, not just say, yes, covered, which is my tempting answer, because you know I'm a short and sweet kind of guy. Yep, we got that list. But you have to expand on that just a little bit for them to be happy with that. So the overly generic SSP that doesn't list out any of that, your SSP should tell the story of how you're covering those controls, right? So as long as it tells a story and the assessor gets a really good idea of how you're securing your system between that SSP and your data flow diagram, your network diagram, stuff like that, as long as they get that really good mental picture of how you're doing it, that SSP has done its job. So that's what it needs to be. It can't be just an overly generic regurgitation of the controls.

Austin

Now I think you had kind of alluded to this earlier, but we hear a lot about and we see a lot of scoping issues. What do assessors see most often when it comes to scoping issues?

Brooke

Well, there's a couple of different problems, but one is scoping everything in, and that just creates headaches for you to try to put everything in scope and secure it appropriately and all that kind of fun stuff, and it also raises the cost. But when people say, you know, no, these systems, they're out of scope. Okay, that's fine. Tell us why they're out of scope, and show us that you've done something to keep them out of scope. They can't just be out of scope on the same subnet, on the same LAN, you know. There has to be something showing what you're doing to keep them out of scope. So, you know, your computers that just deal with financials, just QuickBooks, or whatever your accounting package of choice is, whether it's in your ERP or something else, those computers just handle that. They're out of scope. Great. Put them on a different VLAN. Put them on a VLAN that can't touch the CUI, or whatever it needs to be; make sure that you can show that you've done something or some things to keep those computers out of scope. And another thing is security protection assets. They are in scope, although they may not process, transmit, or store CUI. A security protection asset, an SPA, is in scope if it provides security for a CUI asset. You know, if it's a SIEM, security information and event log monitoring, if it's an antivirus solution, your firewall, you can go on and on. But if it's any of those things, anything that provides security for a CUI asset, for CUI, then it is in scope and it gets assessed for the security that it's providing. So those are in scope. You can't just scope out your firewall, you can't just scope out your antivirus solution or your SIEM.
Your SIEM specifically, it's been stated that it's an SPA and that it's in scope. So those things are in scope, although they're in scope for the controls that they're covering, protecting that CUI.

Austin

Now I'm not an assessor, so I will say that. But one of the things that I see most commonly when people come to us, and there are varying degrees of maturity when it comes to where they're at on their compliance journey. Some people actually come rather prepared, but still kind of come to us to help, you know, button up the documentation or something. Typically the part they don't want to do, right? And no one wants to do that part. But anyway, I don't know that I've talked to somebody that has been completely inclusive of everything that is in scope. And what I mean by that is, for example, the downloads folder, right? You have to get the data from your customer's portal to maybe your ERP or something, and they've scoped in, obviously, the ERP or something like that, and they forget that it traverses the computer in the downloads folder to get there. So your computer has to be in scope then. Or sometimes they've left out machines on the shop floor, for one reason or another. But if you're making the parts on the shop floor, those are in scope, you know. And even the printer itself is in scope, right? You have to know whether it prints over Ethernet or wireless and how it does so. If it's wireless, it has to be encrypted. And then the copier, for example, has a hard drive on it, and if you're copying diagrams that are CUI, that is in scope. And, you know, people have a tendency to think, well, that's just minutiae, it's not important, but it is actually, and those are the things that are gonna really screw you up when it comes to your assessment. If, and probably when, it pops up that you're talking about your workflow and you haven't thought of it.
And so the tendency is to think that you've got everything pretty well locked down. And usually if people are further down the maturity path and do have things well figured out, they have a good handle on things, but they typically leave out the minutiae like that. The downloads folder, the copier, all the time. And so you really have to get into the details and think about the actual flow of that data as it downloads from the portal to your computer in the downloads folder, where it goes to the clipboard, from there into the ERP. Like, you need to map it out to that granular of a process.

Brooke

So you addressed that pretty well, but I'll add some more to it. Yeah.

Austin

Nothing like kicking a dead horse.

Brooke

So the control is not just where CUI is stored. It's where CUI is processed, transmitted, and stored, right? So the downloads folder, you know, you have a computer that you use to download, or maybe you open it and view it and then save it and transfer it over to your CRM. When you download it, that's transmitted. When you transfer it over to your ERP or wherever it's going, the in-scope file server or whatever it may be, your enclave, then that's transmission of CUI. Whenever you open it to view it, just to make sure you got the right thing, right? You know, I hate to tell you, but it has to be stored somewhere for you to be able to view it. And generally, if you're gonna transmit it somewhere on your network, it is stored, temporarily at least, if not longer, in the downloads folder or the temp folder. That's stored on your computer, so it's processed, stored, and transmitted from that computer and to that computer. So yes, the other thing we see is, you know, hey, I've got an enclave. I've got an enclave provided by XYZ software company, and everything in there is, you know, FIPS validated encryption. It's stored and transmitted in that environment and all that kind of fun stuff. And, you know, well, what about these machines that don't have that software on them? How do they get to it? Well, they get it off the file server. Well, how does it get to the file server? Well, we put the enclave solution on the file server and then share that out. Once that gets onto that file server, even if it's from that solution, then yes, that file server is now in scope, the whole thing, and anything that touches that is now in scope, because they're touching CUI outside of your enclave.
Basically, you can still consider it part of your enclave if you want, but you just expanded your enclave. Right? However you want to phrase that. I was talking to an assessor the other day, and they said, you know, if you have an enclave, but you access it from your computer, then you don't have an enclave. I can't remember exactly how they phrased it, but I was thoroughly confused and I didn't know, what do you mean it's not an enclave? And so, well, your computer is now in scope. I was like, oh well, yeah, of course. If that computer touches that enclave, that's part of that enclave and it's in scope, right? So define enclave however you want. There's some pretty loose definitions of enclave these days, but your CUI storage solution, anything that touches it is in scope. So anything that transmits it, anything that processes CUI, is in scope. So you have to think about those things and the secondary things that you do to get that information to the places it needs to go. So, you know, maybe your CNC machines, maybe they're on their own private network and they can't touch anything else, and you've done lots of great things to lock down that network. But if you open them up and let them grab information from your enclave, then you've just opened a can of worms for yourself. So you really need to think about all that and figure it all out. The other thing is, and this is not necessarily CUI scope, but the other thing is access to where your CUI is stored, or to your environment. You know, how do you keep track of those keys? How do you keep track of those key cards? What do you do, and can you prove it? So those kinds of things you need to think about.
So just like you're talking about, all of you new shoes, you know, you need to understand how all those environments work, where the CUI really goes. Think about it. Yeah, I download it from the portal and put it on my enclave file server. Okay, well, how do you get it out of the cloud and how do you get it to your enclave file server? Well, I download it on my machine and then I poke a little hole and go in and put it in the enclave, then we turn that off. Well, I hate to tell you, but you just messed up your network diagram, because your network diagram doesn't have that capability there. Your data flow does not show that capability there. So you need to keep all that in mind. You need to be truthful and honest about it, because an assessor is gonna ask, well, how do you get that in here? I see you don't have access to the internet, or whatever it may be. You just need to make sure you think all those through and design your system appropriately and document it appropriately. And I guess the short of this is that there's no silver bullet and it takes a lot of time and effort to figure out and get right.

Austin

Let's move on. So what happens when policies, SSP scope, and interviews with your employees and staff just aren't lining up?

Brooke

Yeah, so I mean, if you write a policy that says, you know, we have these special key cards, here's a list of employees that has access. They get into the enclave and they download their CUI only from approved portals and only from websites that are allowed through, some DoD website or Lockheed website or wherever it may be. Download that data, we get it right in there. Your documentation explains all that. And when they go to ask Sally, she says, well, you know, it's really hard to get to all the sites I need to get to, so sometimes I just download it on this USB and then I walk in there, and I use my key card, but I walk in there and then I plug in the USB and copy it over from there, so it's in a secure environment. Well, she just said she did several things wrong there. So hopefully somebody's not that blatantly wrong about something, but the point is that what an employee may do to complete their job, as an IT guy, as a CMMC expert, or as a CEO, you may not know exactly how your employees are doing their jobs. So a lot of those things people just don't think about. The CEO and the IT guy say, I didn't know you couldn't get to those websites. And you're like, oh no, I couldn't get to them. And so when you scope all this, when you write your policies, you really need to have some of the people that do the actual work in the room with you, so they can say, that's not how we do this. Or if you tell them, this is the way we need to go about doing this, and they say, well, we can't do it because of X, Y, or Z, then you can figure out a workaround and how to fix that.
But a lot of times the people making the policies, it may be the IT guy and the quality guy, along with a CCA, a CMMC Certified Assessor, that's making the policies, and they go, these policies are awesome. They define everything in detail. They're each 30 pages long and everything's covered. And then the first employee you go to, you ask some questions, and you're like, oh crap, I didn't think about that. So those out-of-scope things that you don't think about, or not out-of-scope, but those out-of-normal-process things, you've gotta make sure that everything is covered.

Austin

Yeah, it's one of the reasons that whenever we do an engagement with somebody, typically we start with the scoping and documentation first. But even before that, we do a gaps assessment. And the reason we do that is because I think maybe once we went in and found nothing different than we were expecting for the gaps assessment. So what I'm trying to say is, normally, whenever we've done our interviews and spent a lot of time with the customer and we go to validate it with a gaps assessment, typically it has not lined up with what they said, right? 98% of the time that is the case. And that's just the gaps assessment from a technical perspective, and then us going and interviewing some employees in the process and going and viewing the physical security. It's not completely inclusive, a full-on assessor-type assessment. But anyway, we always find massive inconsistencies with what has been reported to us. So we always do it, with the exception of maybe one time that we went and it mostly lined up. So yeah, that's why we always insist on doing that and making that part of our engagements. Right. Absolutely.

Brooke

Yeah, I can't tell you the number of times, well, you hit the nail on the head. Really, once or twice, maybe, it's happened that everything actually is covered like they tell us it is. Most of the time they say, yeah, this is how we handle this, this is what we do. We go do the gaps analysis, and we're like, well, what about this data here in this folder on this server? That seems to be the same data as in your enclave solution, your CUI storage solution. Well, it is, you know, or whatever it may be; things come to light. Well, yeah, but we're just doing this. Well, thank you very much, but that puts that in scope. So we always find stuff when we go on site and do a gaps assessment. And I say always, but like I said, once or twice we've gone on site and done that, and most everything has been correct. There may be a couple of things where they say, well, sometimes we open up a port so we can get this done real quick and then we close it. We're like, well, you've got to take that into account and figure out a different way to do that, or document it. You can't just open a port and then close it, because that is piercing your enclave solution, whether it's temporary or not. So your policies, your SSP, procedures, and plans need to be accurate in how they define things.

Austin

Well, beyond those things, what are some other items that immediately raise concerns when assessors come in?

Brooke

Well, one of the things, it depends on when you get your environment spooled up. You know, how long you've been handling CUI, the whole night, how long you say that you've been compliant and all that kind of fun stuff. But if everything is brand new, you have brand new evidence, brand new policies that just went into effect last week, everything was just signed last week, all that kind of fun stuff, then they look at it and they're like, well, haven't you been at this for like two years? So a way to help out with that, and if maybe you've built out a new enclave or something and you're honest with them about all that up front, it's all good. But what they like to see, if you've been operating, is history. So maybe they see you have some screenshots from a year ago, six months ago, and then some screenshots from right before the assessment started, with you preparing for it, or other evidence, you know, uploads of your logs or whatever it may be. That's all good, but they want to see some history that you actually have been doing this, because that really is what this is all about. Again, I said it a while ago, but this is all about ongoing monitoring and management of this. You can't set and forget IT. A lot of people like to try. It doesn't work. Anything IT related, you've gotta manage it. Shoot, you've even got to manage your house that you live in. You've gotta have your AC checked out. My roof is 10 years old, is it in good shape? I've got a few holes in my fence, we need to fix that.
So you monitor and manage those things as you go along. Same thing with your car, everything else. Those don't take nearly as much, necessarily, but the CMMC is built for care and feeding of your cybersecurity program, right? And proof of your cybersecurity program. So they want to see that ongoing proof. That's the biggest thing. That'll include all your logs, history of everything, all that kind of fun stuff. And screenshots, the artifacts that you upload, they want to see that you've got more than one in there, or whatever it may be. Maybe another thing that's on here that I forgot about just a second ago is policies that don't have any version history, or policies that aren't signed or approved in some way. Those are things you need to be aware of. GRC platforms generally will have a way for them to be approved. They'll generally have a way to see the version history. It may not be right on the document itself; you might have to go click and look at it, but it'll have the version history and show you what's gone on over time. So all that stuff helps to prove your case that you're operating CMMC the way CMMC was meant to be operated.

Austin

So we deal with a lot of manufacturers, a lot of the people that are actually making the real things, producing and building the things that go into our defense mechanism, the fighter jets and everything else, right? All the widgets. All the widgets, yeah, all the widgets. So the question I have for you is, for those builders and makers out there, let's make it real, tangible for them. What do we see them struggle with the most?

Brooke

Sure. So where we see the struggle or misunderstanding or just ignorance, and by ignorance I mean true ignorance, just not knowing. You know, those CNC machines that are network connected. It's an old Windows XP machine. That machine costs a quarter million dollars to upgrade, and they don't feel like spending a quarter million dollars to upgrade that thing. Or maybe they have 10 of them, and they don't want to spend 2.5 million to upgrade, whatever it may be. But they have some of those CNC machines that are on the network. You need to take all that into consideration and figure out what you need to do: if they really need access to the network, how to segment it properly, how to get that data over there. Or USBs, you know. Yeah, we have some USBs, but are those USBs encrypted? Do they have FIPS validated encryption on them? Are they controlled and managed? Do you know who all's got one? Are they serialized? Do you have a number on them, right? We're missing USB 001. Where is it? Well, Sam had it, but anyway. So those are the kind of things that you need to think about. For construction, you need to think about your construction trailers. How do you deal with CUI in the construction trailers? Typically at a construction site, you're gonna have your construction trailer. Anybody can walk in and out of those construction trailers, and they have a hotspot in there, and that hotspot provides Wi-Fi and they connect to Wi-Fi. And I'll bet you a million dollars that Wi-Fi does not use FIPS validated encryption. So how are you accessing your CUI? Where does your printed CUI go?
You know, for those construction companies, who's authorized, how are they authorized to see that CUI? If it is just printed CUI and they just look at it, great, they need to be authorized to see it. But other than that, there's nothing necessarily that's in scope. The drawings are in scope, of course, but if they go back where they're supposed to go, fine. There has been some discussion about those drawings not necessarily being CUI, but that hasn't come from the DoD, it's come from some department-specific sources. I wouldn't necessarily trust that. Then again, I guess that could be one of your questions for an assessor when you interview assessors. But anyway, those are the things you have to think about and consider. You know, people just completely don't even think about the scope of the construction trailers. So those are the kind of things you need to think about. One of the things that manufacturers do quite a bit that actually is a good thing is the physical travelers. They have their drawing specs, whatever it may be, in a physical traveler. It's a folder; they open it and they use it when it's open, and then they close it and the CUI is covered up. All good. Of course, it needs to be put up, stored, and locked whenever you're not using it. That's the other part of it. But the travelers are a good thing. Those are in use all over, I think probably because of ISO 9001. But those are a lot of things that specifically manufacturers and construction folks need to think about.

Austin

Okay, so a large part of the defense industrial base, the supply chain, the people that are unfortunately having to deal with this issue, unfortunately, especially if you're asking them, right? They're gonna be smaller, mid-size, and usually they're gonna be either augmented by or completely outsourced to an IT provider, an MSP, an IT guy, someone that's outside the company, or a vendor that's outside of the company, at least in part. So the question is, how do these MSPs, these IT providers, these service companies come into play in the assessment process, and more so I'm talking about kind of early in the assessment process?

Brooke

It'll depend a whole lot on what all your MSP or MSSP does for you. But the long and short of it is, they're in scope with you. So they'll have to be there and available for whatever they're doing for you. If, for instance, all they do is provide antivirus for you (I seriously doubt that), but if all they're doing is providing antivirus for you, they'll have to be there and answer those antivirus management questions, because that is a security protection asset. The antivirus is, and the MSP will be, because they're providing that. That's a security protection asset providing security for CUI. And so they'll be in scope and they'll be asked how they fulfill the controls that are related, right? So the easy thing to ask is: my MSP or MSSP, do they have a Level 2 certification? That's great. That'll get them a good long way down the road. But there's not very many that are right now. And that's just a good to have, a really good to have. What they really need is a shared responsibility matrix or a customer responsibility matrix. Thank you, DOD, for changing that acronym. No, it's not DOD, by the way. Yeah, they changed that acronym too. So not DOD, but DOW. The DOD did change it. Right. The DOD did change it, but now the DOD is the DOW, so the DOW that used to be the DOD changed the SRM to the CRM. So rewind that again if you need to. SRM is a shared responsibility matrix, which made complete sense to everybody. But now they've changed it to a CRM, which is a customer responsibility matrix, but it's also a customer relationship manager. Yeah, that's what it's called, a CRM. CRM is something you manage your marketing and customer relationships with, you know. So for us, it's like, well, which CRM are you talking about?
But in any case, with CMMC, the responsibility matrix is the customer responsibility matrix, the CRM. Your provider should have that matrix for you, and should have listed out all the controls: which ones are your responsibility, which ones are their responsibility, and likely there's a column for each. There's probably not very much that the provider is 100% responsible for. I'm sure there's some, but there is some responsibility for both. Well, there's at least some, if not all, responsibility for the customer, for you seeking certification, and then the provider may share some of that responsibility. In some instances they may be 100% responsible for some things. But that shared responsibility matrix or customer responsibility matrix will define all that. And if you have that, that is one of those things that the assessors are going to want to see. All right, you use an MSP, let's see their CRM. What are they doing for you? And now let's make sure that they're doing those things. You want that also, even though really you should split that out into assessment objectives, and if you do, it's 320 items long. So if you do that, great. It's nice to have; it shows you exactly what they do for you, but it is also quite long. It's a list that you'll be searching through all the time trying to figure out what they're doing, really. But the other thing in our world is that, on our invoices, we try for our invoices not to be 320 pages long. So we try to put things nice and short on the invoice so it's understandable for the client, and that's what they see most. They're not going to always go back and look at their SRM.
But I digress. That SRM or CRM is where it's at; it's what you should have in place for your MSP, your SSP, excuse me, your MSP, your MSSP, any other ESP, which is an external service provider. You should have that in place. Not only should you have that in place, but it should also line up with the CMMC controls, the NIST 800-171 controls and/or assessment objectives. It can't be just some generic thing. An assessor needs to be able to see it and map it to a control and say, all right, this is what they do for you. So it does need to be CMMC specific.

Austin

Okay, so we've talked about all these issues and common pitfalls. How can companies avoid these issues?

Brooke

So the first is to perform a documentation check. Make sure that you've got all your documentation in line. It really is an absolute ton of documentation. So make sure that you have all that documentation ready, not only that you have all the specific pieces of documentation, but that it defines everything very well. You know, it's not generic. The second thing is make sure you have all your evidence. However you may organize it, it needs to be organized and easily accessible and easily relatable to the different controls for an assessor. An assessor can't just look at a screenshot from your Active Directory and go, oh yeah, I know that maps to this one, this one, this one. And they might be able to do that, but the point is they shouldn't have to do that. And you should make it, again, this is all about giving the assessors warm fuzzies, making things easy for them. So if you have a GRC tool, typically in a GRC tool you can take that piece of evidence and then you can link it to different controls or assessment objectives, and then when they're going through that, they can see that evidence right there. So that's a really good thing to do. Make sure you avoid any major change, any changes really, other than the normal process of a new user here, disabling a user, just normal stuff like that. You don't want to make any big changes: putting new servers in, expanding your scope, or changing your scope or anything like that. You want to keep everything the same. As far as an actual major change goes, a major change would be completely changing your enclave to a different solution, or implementing an enclave where you didn't have one before, or taking an enclave out. Don't know why you'd do that, but taking an enclave out where you had one. Those are major changes.
Those invalidate your assessment. But they also make it more complicated if you do that right before the assessment, unless you're building something out, right? So you're trying to get ready from scratch. So those are some big things. And the fourth thing to do to get ready really is just to review your business workflow to make sure reality matches your documentation, or documentation matches reality, like we were talking about a while ago. You say these ten people are in scope, and one of them is Sally Joe, and they interview Sally Joe, and she says, "Yeah, I bring this USB from home and I use this cute little USB with a teddy bear on it to transfer CUI." And well, she just invalidated the controls that you wrote. Likely, unless you wrote that teddy bear USB in. I don't really know. So you need to make sure that documentation matches reality and reality matches documentation.

Austin

Yeah, you know, this might be the best bang for your buck if you're hiring a professional, like CMMC professional sorts. Like we like to say, all roads lead back to scope. So if you're going to pay someone, your best bang for your buck probably would be to have them come in and try to poke holes in your scope.

Brooke

How are things flowing through? And what does Sally say, like you said? And that would be just being an assessor and coming in and asking those questions and reviewing that evidence. Yeah, exactly, absolutely. Because if you don't have that figured out, you likely have downstream issues. So if you're going to spend time and money, you probably want to start there. Well, I think it's about time we wrap up, Brooke.

Austin

If you could kind of bring it home for us and distill what are some of the biggest takeaways for our listeners today.

Brooke

Sure. Most folks don't fail a CMMC assessment for a technical control necessarily; they fail it for documentation or evidence. If your documentation doesn't follow reality, if your documentation is overly broad, or whatever it may be, your documentation could be a problem. If you don't have enough documentation, that could be a problem, although they ought to figure that out in Phase One, hopefully. So whenever your documentation defines your real world, what you do in the real world, and all your technical controls, whenever it defines that well, and when all your evidence matches that, then you'll do well. The other thing that sometimes catches people is that maybe they didn't have, for the assessment, they forgot a remote access policy, and they didn't really cover it in the access control policy, for instance, or something like that. And so they go write one real quick. That doesn't really fly. But if you had your remote access policy and you just forgot to give it in the first place, or you lost it, and you give it to them, then that'll work. But it won't work if you create something completely new and give it to them. So those are the kind of things that'll catch you as well. But hopefully those kinds of things are caught in Phase One, or maybe even a mock assessment. A mock assessment is a really good thing to do. So maybe those things are caught in a mock assessment or Phase One: hey, we're not quite ready, we don't have this, or if you have this, we can proceed. So then maybe you create it real quick, maybe you create that remote access policy you forgot. But those are the kind of things that'll catch you. And if you cover all that, make sure all that's there, make sure the technical controls are covered, then reality matches documentation and all that, you should be good.

Austin

Awesome. Well, thank you, Brooke. If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions; we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.