CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC FAQ Update: Timeline, Subcontractor Flowdowns, Enclaves, Cloud Rules, and VDI Scope Explained
The DoW just released updated CMMC FAQs that clarify the rules contractors keep getting wrong. In this episode, Austin and Brooke break down what the new guidance actually says, what it means for your scope, and where vendor and architecture decisions can derail an assessment before it even starts.
We cover the most important FAQ clarifications, including:
- The real CMMC timeline and what Phase 1 vs Phase 2 changes
- Why primes may demand Level 2 earlier than the official dates
- Flowdown requirements for subcontractors (and what “defensible” verification looks like)
- The myth that encrypted CUI is no longer CUI (it is still CUI)
- Whether CMMC assessment results will be public (they will not)
- POAM vs “operational POAM” and why the distinction matters
- Hard copy only CUI: when Level 2 may not apply (and the strict caveats)
- Why encryption does not create logical separation or reduce scope
- Enclaves and enterprise networking components: what pulls systems in scope (and what does not)
- Cloud storage rules: why non-FedRAMP clouds cannot store encrypted CUI
- MSP requirements: do MSPs need CMMC certification (and what a CRM must include)
- VDI scope rules: when endpoints can be out of scope, and when they are automatically in scope
If you are making decisions around scope, vendors, cloud tools, backups, enclaves, or VDI, this episode will help you avoid assumptions that assessors will not accept.
Hey there, and welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is about the CMMC questions that are quietly tripping up DoD contractors right now. We have word from Uncle Sam, the DoD, or Department of War.
Brooke: DoW, yes. You gotta get that right.
Austin: Yes, I'm sorry. I'll buy, and I'm sure I'll get it right here in a couple months.
Brooke: It's been a couple months, so, you know. I'll get it right by the end of 2026, probably.
Austin: I'll say I finally started putting 2026 on things, so DoW is next. But we have word from Uncle Sam. They have just released a whole list of FAQs addressing commonly misunderstood items, items that trip up DoD contractors, and they've come out pretty conclusively and made decisions on each of them and released FAQs about them.
Brooke: Yes. A lot of these they've addressed before, but they keep addressing them because they keep being questions.
Austin: They keep being misconstrued, I guess. Absolutely. So that's what our focus is on today. We're breaking down what the rules actually say, what they've come out and put in writing in these FAQs. So today we're breaking down those FAQs that Uncle Sam came out with: what the rules say, what contractors get wrong, how to avoid scope and vendor mistakes, and ultimately what can derail an assessment, sometimes before it even starts. Okay, so first I want to address timeline. A lot of contractors feel like CMMC is just a problem to address in the future. When does it really become real?
Brooke: I feel like we've addressed this a couple times, but, to be fair, I guess it is something to address "in the future," you know. You really need to address it now. But let's back up a little bit. The 32 CFR rule that was published and went into effect in December of 2024 was what finalized the definition of CMMC: what is CMMC? So 32 CFR went live in December of 2024. The 48 CFR rule is the federal rule that puts CMMC in place on contracts, CMMC as it is with the Level 2 certification assessments and so on. It puts it in effect on contracts. It went into effect November 10th of 2025. So it's in effect right now, but there are four phases. The first one is pretty much what you're doing right now: self-assessments. There's some more teeth in it, basically. There's a definite timeline now. There's no question; you can't say, "I think it's still not coming," because if you still think it's not coming, then you're just not in reality with the rest of us. Each of the phases lasts a year. So November 10th, 2025, phase one starts. That's still the self-assessments. November 10th of 2026, which, at the time we're recording this, is about nine and a half months away, I think I counted. So really November 10th, 2026 is not that far away. That starts phase two. Phase two says that they will be putting the Level 2 certification requirement on new contracts. Not necessarily current contracts that you're working on, but new contracts. So you need to be aware of that. I assume everybody would need some new contracts to survive, to keep business coming in.
But also the other caveat, the giant caveat to that, is that there are a lot of primes, especially in our neck of the woods. There's Lockheed, Bell, Raytheon, GD-OTS; there are all sorts of primes. And they will be, and are, starting to push their suppliers to get their Level 2 certification. And at some point I'm sure that they will require that ahead of time, ahead of November 10th, 2026, to get new contracts, because they have to show that they're ready. They can't wait. Those primes have so many subcontractors that they can't wait till November 10th of 2026, because they'll be behind the eight ball at that point. And when we're talking about hundreds of millions or billions of dollars, you probably don't want to wait. So they don't want to wait. So if you do work for a prime, which in the Dallas-Fort Worth area there are a ton of, and a ton of subcontractors that do work for primes, you will likely be asked to get your Level 2 certification before November 10th, or at least show that you have it scheduled before then, or something like that. So it's coming. There's no question; that's the timeline. One of the FAQs was "what's the timeline?" and that's what the timeline is. It's fairly obvious from the federal rule that came out, but that was one of the FAQs that was answered.
Austin: Yeah, to jump on what you're saying there, I don't think it is apparent, but the primes don't care to manage things by the details, exactly who has the contracts and whatnot. As you kind of mentioned, they want to just get everyone on board so that they're in a good position, and they're just going to ask everyone that is doing work for them, whether you have an immediate contract need for it or not, to get it. We have seen instances of that, yes. Seen many instances of that.
Brooke: We've told them, you know, politely push back and politely see what you can do, and make sure that they're responding to you and not just a form email. And some of them have been told, "Yep, sorry, we want you to be Level 2," when they know they're really not supposed to be Level 2 for what they have right now. But again, they want to be able to show the numbers: "We have 75 percent or whatever of our subcontractors at Level 2." Great. I don't know that it'll be Level 2 or 75 percent by November; that's a tall order. But you get my point. They want to be able to say, "Hey, we're better than the other prime over there because we have X number of subcontractors, X percent of subcontractors ready to go."
Austin: Yeah. And to be clear, we always recommend pushing back gently, nicely. Yes. Checking your contract.
Brooke: You don't want to bite the hand that feeds you. I understand that. Absolutely.
Austin: They are a customer, you know. Auditing your contracts, making sure that the proper language is in there. So don't just go spending money that you don't need to, and doing things that aren't necessary. But just as a general rule, we're seeing that happen, right?
Brooke: Absolutely we are.
Austin: So one of the reliably confusing or frustrating, or just problem-prone, areas is the flowdown rule. It has its issues across industries for different things. Absolutely it does. And it's also highly misunderstood. So do CMMC requirements really apply to subcontractors? From the perspective of, if you're at home being a subcontractor and you also have subcontractors that may be working on this work with you or on your behalf?
Brooke: Yeah, there have been flowdown rules in it from the get-go, but they've been made more clear, more than once, and now there's another FAQ about it that says, "Hey, the flowdown we talked about, we're serious." So they are serious. You have to make some level of effort to make sure that your subcontractors, the ones that are helping you with your CUI, or that maybe aren't helping you with your CUI but get CUI in the process of doing business for you, are at the same level of CMMC as you are. So if it's Level 2 C3PAO-assessed, or L2 certified, then they need to be L2 certified too, as long as that's CUI you're handing down to them. Off the top of my head I can't think of a reason for this, but if you're just sending them FCI and there's no CUI with it (FCI is federal contract information), then no, they don't have to be Level 2. They do have to be Level 1. So it depends on what information you send them. But if you do send them that CUI that you have so they can do whatever work it is for you, finishing, deburring (that might be a dumb one), painting, whatever they may be doing for you, if they get that CUI, then they need to be the same level as you. And you have to have some process to say, "Yes, here's our process. We checked, we've verified that they are CMMC Level 2 certified." You can't go look up their Level 2 certification, but they can show it to you. Or they can, Scout's Honor, however that is. It's the peace sign. I know I just did the peace sign. Sorry. Oh, three fingers? Yeah, there you go. Okay. So I keep getting it wrong. I don't remember. But anyway.
You can't just say, "I promise we did it." You have to be able to prove it, show what process you have, and show proof that you actually did it, right? So there has to be some level of effort to verify your subcontractors' level. So whether they're Level 1, Level 2 self-assessed, or Level 2 certified, there has to be proof. You have to have a process and proof that you did it.
Austin: Yeah. So it has to be defensible. Yes. Right.
Brooke:Yeah.
Austin:This is one of my favorite ones.
Brooke: Me too. It's been around for a long time. I don't know why the question is still around, but go ahead.
Austin: I mean, I guess I get why someone might arrive at that conclusion, although I don't agree. So the question, to clue in the audience, because they haven't seen our cards, is: if CUI is encrypted, is it still considered CUI?
Brooke: If a tree falls in the forest. So yes, it is CUI. Just because it's encrypted does not mean it's not CUI anymore. There are probably a few reasons behind that. One off the top of my head that I can think of is quantum computing. At some point there's going to be quantum computing that can break a lot of the encryption, or maybe all the encryption, that we currently have. So if people steal that stuff, if China or Russia steals that information and they hang on to it, later on they can decrypt it. So the point is not to just protect that with encryption, but to protect that information with all the other controls that are in there for CMMC. So yes, if it is encrypted, it is still considered CUI and it needs to be protected as such.
Austin: Yeah. So my question here would be: if you mine gold and you've got it put in a safe, and a thief comes in your house and steals the safe and walks away with it, is the gold still in there? The answer is yes.
Brooke: Can they get to it? Who knows? Right. After a while they probably will be able to, with enough effort. The gold is still there. Is that safe heavy? Probably so. But if you put a bunch of gold in your safe, you might want to figure out a good place to put it in your house, a secure place in your house. You don't want to just stick it outside in your driveway, right?
Austin: Yeah, exactly. You wouldn't be like, "Well, it's in a safe, so it's not gold anymore, so I'm going to just keep it on my front porch."
Brooke: "Oh my gosh, my safe is gone. What happened? I can't believe it."
Austin: Right. So that's more or less the concept, simplified, for why they consider it still to be CUI: because the data is still there and it's still CUI. It's just protected better. So the important piece of clarity here is that this is an argument that, when you're going to an assessor, you just cannot make, because it's come out in the FAQs and the DoD has addressed it very specifically. It's not a winning argument when you go to an assessor. So if you're trying to figure out what hills to fight on, that's probably not going to be one of them, if that's part of your CMMC strategy and scope and everything else.
Brooke: To dive into that just a tad more, or give some examples, it's also not enough to say, "My CUI is encrypted on this little drive and we're just not going to lock it up because it's encrypted and it's safe." No. You still have to follow all the other controls. That little thumb drive still has to be locked up; you still have to inventory it and all that kind of fun stuff. So it's not just a matter of CUI being out on some unprotected or lightly protected system. It's also that you can't just say, in your environment, "I have this encrypted drive and it's okay, we don't have to do anything else with it." It's still CUI. It still falls under the other controls.
Austin: Yep. All 110 controls should be applied if at all possible; well, it is the rule, not just typically the rule. It's not fun, but it's what we're supposed to do. And that'll keep you from failing an assessment or having problems later, if you just build the right system in.
Brooke:Exactly.
Austin: So the next question for you is: are CMMC assessment results public information?
Brooke: They are not, and they won't be. You can share them with a customer, and your primes will likely ask for them, but they're not public. At this point, the way I understand it, a searchable database is not under consideration, because I know a few people in the DIB, the defense industrial base, that say, "Hey, Cyber AB, we want a place where we can search for all these Level 2 certified companies so we can choose the vendors we want to work with, so we don't have to guess and it's not so much work." And the DoD has said, "Nope, not doing it," because they don't want to make it that easy for our adversaries to go, "Oh, here are all the Level 2 certified businesses so far. They're going to get contracts, so let's go after them." Because when you're specifically targeted by a nation state, it is a lot harder to defend against than just being a general target. So you don't want that target on your back, if at all possible. They've got cyber ninjas just like we do, although hopefully ours are better. But anyway, they're not going to make a public database, or at least from what we've been told so far, they're not going to make any kind of public database to look up Level 2 certifications.
Austin: So, operational POAMs and just regular old POAMs. That's right. There's a lot of talk about that. They addressed it in one of the FAQs. So why does that distinction matter?
Brooke: Sorry, I can't get this out of my mind, but the POAMs are plan of action and milestones, which they call a POAM, but the operational plan of action and milestones is not an OPOAM, it's an OPA. So I don't know why they call this one an OPA and the other one a POAM, but it's neither here nor there. It just bugs me.
Austin: So isn't Opa like a grandpa or something?
Brooke: Yeah, it's like a grandfather or grandmother or something, I think from Germany, something like that. I'm not sure. Maybe you can tell us, because we're obviously not looking it up right now. But nevertheless, a plan of action and milestones is the formal plan of action and milestones, or POAM, for your CMMC assessment. You have to have all of those closed, complete, done, finished, for you to be able to get your Level 2 certification. The OPA, the operational plan of action and milestones, is a plan you put together for things that you may have had covered. For instance, and I go back to this one all the time because it's kind of easy to use: if you have a firewall, you've got it in FIPS mode, you've covered all the other controls, it's all good. But the latest firmware comes out for it, and of course the firmware generally has security patches in it, so you need to load that firmware update on it for those security patches, but that's going to take it out of FIPS compliance. So what do you do? Well, they would much rather you have the latest security updates than FIPS-validated cryptography. It doesn't mean things won't be encrypted; it just means they won't be encrypted with FIPS-validated cryptography. So they would rather you put that on an operational POAM and have a process to fix it when the fix comes out, whatever it may be. They would rather you do that than keep it unpatched, because at that point you fall out of compliance anyway, and that's the more important need: staying current with security patches. So that's what an operational POAM is: those things that may need to come out of compliance, but there's a very valid reason for it. And you put those on an operational POAM.
They specifically mention FIPS-validated encryption because that's such a common one. For instance, there are no supported versions of Windows 11 right now that have FIPS-validated modules in them. So you're just kind of out of luck there. On servers, as far as Windows Server goes, you do have Windows Server 2016 and 2019, and I know there are some modules for 2022. 2025, you're out of luck. So I would suggest not deploying any 2025. On 2025, if you have a license, you can downgrade to 2022 or 2019, or even 2016, because they're still in support. Actually, I have to look up 2016. I don't know how long 2016 is in support for, so that may not be one you want to downgrade to. But in any case, generally you can downgrade on those Windows servers to a supported version. And I would highly suggest that rather than just putting 2025 in and saying, "Sorry," because you have to show that you've at least tried to be compliant. So that's what that is, an operational POAM, or OPA. Anyway, I need a beer in my hand. So, you know, opa! We need to look that up and see what that really is, make sure we're not saying something we're not supposed to be saying. But the operational...
Austin:Jokes on you, we've already been banned.
Brooke: We've already been banned, I know. So the operational plan of action, the OPA, is for those items that were in compliance but you've had to pull them back out of compliance for some reason, like the FIPS-validated encryption I told you about. The actual formal POAM, plan of action and milestones, is the main one for your CMMC assessment. And all those items on that main official POAM have to be cleared before you can get a Level 2 certification, or before you can do your Level 2 self-assessment, or say that you've got 110. They all have to be cleared.
Austin: So, dream scenario, I think, for all the defense contractors out there. I guess it applies to some people, but certainly not the majority. The question is: what if a company only handles hard-copy-only CUI? Hard copy being, you know, paper.
Brooke: Yeah. So if it's only hard copy, truly, truly only hard copy. So maybe you think about a construction company where they give a contractor a paper copy of the plans, and they just keep them on paper, and they open them up, they roll them up, they stick them in a little tube, all that kind of fun stuff. Actually, I have no idea if they still do that. I assume they do, because it protects it.
Austin: But this includes no Xerox copying, no electronic anything.
Brooke: It's just paper CUI, right? So if it's just paper CUI and they're just handling that paper CUI, then no, they don't have to have a Level 2 certification. That flowdown does not apply the same way. So all the construction people are out there going, "Yay," but you've got to make sure you follow it right. They can't take it and, not necessarily scan in big blueprints, but you can't take a piece of paper and go scan it in somewhere and say it's just a hard copy. Once you scan it in, it is no longer just a hard copy. So if it hits any sort of information system at all, CUI applies. But the caveat to that is that if you handle hard-copy CUI, paper CUI, you still have to protect it as per DoDI 5200.48. I believe that's what it is; I believe I got that right. Anyway, you still have to protect that paper CUI, that hard-copy CUI. The first time I heard of it was an Army statement. I talked to one of my clients about it and said, "Don't get too excited. I wouldn't trust just the Army. It's got to come from the DoD, not just the Army." And so now we've seen in an FAQ from the DoD that, yes, that's right. If it's just paper, it's not CUI; they still have to protect it, but not under the same controls, because it's not an information system.
Austin: And I know we already said it, but I'm very familiar with the questions that typically come up out of this. So that means if you're emailed something and then you print it out, that's not hard copy only, right?
Brooke: No, that's not hard copy only. It's in an information system.
Austin: So it came to you over email.
Brooke: Hopefully it did not come to you over email. But however it came to you, email or whatever, if it comes to you that way and then you print it out, it's still in an information system. It was still on your computer.
Austin: Even if you delete it afterwards? Even if you delete it afterwards, yes. So you physically have to receive the physical copy, whether by going there or having it mailed or dropped off to you.
Brooke: I'm sure it could be by carrier pigeon. That's not electronic. So if you want to send a carrier pigeon with CUI, or excuse me, hard-copy CUI... I'm just kidding. I wouldn't try that.
Austin: Who knows what'll happen with that pigeon. But so yes, you have to receive it physically, it has to leave you physically, and you have to store it physically. So think of the 40s and 50s, before any photocopying existed. That is the system you would have to have, right? Yes.
Brooke:Okay.
Austin:Yeah. Cool. Thank you.
Brooke: Absolutely. That was actually kind of a surprise, but they did say that. So it helps out construction companies a lot, and I'm sure it helps out manufacturers in some instances, but that really is an area of concern for a lot of people, especially in construction.
Austin: So the next question for you is: can encryption alone create logical separation in a network?
Brooke: Good question. Actually, I didn't even really think that was a question. But no, it cannot provide logical separation. Encryption provides confidentiality. In other words, it encrypts that data so the wrong people can't read it; people who don't have that decryption key can't read it. That's great. That's confidentiality. It does not prevent that file from being moved around. So you need to have some logical separation in there, like through networks, a subnet or a VLAN, through ACLs, access control lists, stuff like that. You need to divide up that access and restrict access to it. Because again, we go back to the whole "is encrypted CUI still CUI?" Right. And yes, it is. And yes, it still has to be protected with all 110 controls. So no, encryption does not provide any sort of logical separation on a server or anything else. It simply provides confidentiality of the data.
Austin:So this is why we say all roads lead back to scope.
Brooke: Because I thought you were going to say something else, but go right ahead.
Austin: Well, I'm sure it would apply. No, all roads lead back to scope. They do. And so if you had properly scoped, this wouldn't be a question to begin with. That's why we always start with scope. You have to map that journey of CUI, how it flows through your business, and every system it touches needs to be within scope and then segmented from the rest of your network, basically. So encrypting or password-protecting a file doesn't do that job for you, because you've never addressed scope. So that's why that is a problem, or why it doesn't create logical separation. Yeah, exactly. This is another technical, in-the-weeds question, but it's one that's asked a lot nonetheless: what about enclaves that rely on enterprise networking components?
Brooke: Yeah, it does not pull the rest of your enterprise network into scope. So if you can show that you're separating it out through the use of secure VLANs, stuff like that, or untrusted subnets, or no trust between your enclave and whatever else is out there (it may not be just two), you need to be able to show how you're separating it and all the logical separations, through secure VLANs, firewall rules, all that kind of fun stuff, whatever it may be. If you can show that and prove it and it makes sense. That's pretty common, so I don't see what would be controversial about some setup. I'm sure somebody could dream up a setup that they think is secure but really isn't, so you really need to have a reality check with yourself. But as long as you're creating a secure enclave, a secure subnet or VLAN, and you have the proper logical separation and proper ACLs in place, you should be good and it should not pull the rest of your enterprise network into it.
Austin:Yeah. So in other words, if you've properly scoped things.
Brooke: You know, I think you said all roads lead back to scope, so yes, that would be if you properly scope things.
Austin: And I'm going to say something really controversial here, so get ready.
Brooke:If we're not banned already, here it comes. Yeah.
Austin: But "enclave" is a buzzword. In my personal opinion. It is a buzzword. Yes. And so it's like the cloud.
Brooke:Yeah, it's like the cloud. It's in the cloud. Okay, well, what do you mean it's in the cloud?
Austin:Right, exactly. All enclave means, in my personal opinion, a controversial one at that, is that you've properly scoped things and CUI stays in there. And scope means you map that journey out, and all those computers and come uh and servers that that uh process, store, or transmit CUI are properly protected and follow all 110 controls. That's all it means. Right. Yeah. And so if you're trying to just get an enclave and keep everything in the enclave, that's great. That's what you should be doing. That is the whole purpose of scoping things and and uh and and following uh the rules set forth and uh you know by the CMMC whole regime of you know regulation and everything else. So um, you know, and you can you can put everything in an enclave box and and buy enclave off the shelf or as a service or something. Um and that certainly uh works as well if it works, um, but it's still the same exact thing that we had just talked about. It's just a network that you're only keeping your COI in that follows all Hunterton controls, and you can do the same thing at your local office um to solve all the same problems. So I'm sorry, my my soapbox there, um uh, but it's uh it's a it's a buzzword at the end of the day, and it causes a lot of confusion for people um because uh they hear Enclave and then uh it it has this feeling like it means something more than it is, just like cloud. Um, but in the day, cloud is just utilizing someone else's server somewhere else. Yeah. Exactly. Um and so it's just important, you know. I don't have a a problem with Enclave. It's just important to know what it means.
Brooke: It is, and really it's just a a logical separate logical secure separation uh that follows the boundary you've defined, right? So um that's really what it is. Uh so if you can set up your enclave within your network with logical separations properly in place, uh properly defined, and you can prove it uh and and it actually works, uh then you're good to go. Yep.
Austin: Absolutely. Absolutely. And I'll uh I could talk about that one for a while, but I'll uh save our listeners and we'll move on to the next question.
Brooke: That's right.
Austin: Um so the next question is do program managers have to require CMMC Level 2 C3PAO assessments right away?
Brooke: Uh they do not. So that is uh part of one of our earlier questions, maybe our second question or so, uh that um this is phase one, and phase one uh is uh self-assessments. Uh phase one will be uh over, and phase two will start November 10th of uh 2026, so this year. So a little less than uh somewhere around nine and a half months away. You know, just seems like just yesterday we said it's you know a little more than a year away, but now you know the holidays just speed by. So now it's uh less than nine and a half months away, or somewhere around nine and a half months.
Austin: So can a cloud? Speaking of cloud, we just talked about cloud. We did, absolutely. Again, cloud just being someone else's servers that you're utilizing, right? Um so can a non-FedRAMP cloud uh store encrypted CUI?
Brooke: No. Uh short answer is no. The longer answer is that uh uh CUI uh to be in the cloud to for to utilize a CSP, a cloud service provider.
Austin: So not on your servers in your office or your computers in your office.
Brooke: Uh and not to muddy the waters too much. I think we might have this question coming up in a second, but that does not include your uh your MSP that may be hosting your backups or something like that. So uh that's a different story, uh but they don't have to be um they don't have to be FedRAMP unless unless they're providing a true uh CSP service, a cloud service provider type service like Microsoft 365, Commvault, you know, stuff like that.
Austin: So what if they have a vendor for backup that they uh that hosts the data for them on their behalf?
Brooke: That is that that does muddy the water a little bit. So that uh that vendor, if it's if if a uh CSP is in the picture somewhere, that CSP that that uh handles CUI does have to be FedRAMP Moderate or higher, um authorized or equivalent. And equivalency uh has a very specific meaning in the DoD uh and they have to they defined it and they have to go through a uh a whole equivalency equivalency uh assessment with um with a C3PAO um uh C3PO or maybe 3PAO anyway, they have to go through a whole uh equivalency uh assessment and uh they have to uh be declared and and approved by the DoD that they are in fact uh equivalent. So for instance, PreVeil uh is one of those, they were in fact the first one. And to tell you the truth, I don't know who else is actually uh you know has achieved that, but I do know PreVeil kind of early on uh achieved that FedRAMP equivalency. They're not FedRAMP uh authorized, but they are FedRAMP equivalent. So um so it you have to so if there's a cloud service that you put CUI in, it either has to be FedRAMP Moderate or higher uh authorized or FedRAMP Moderate or higher equivalent. Okay.
Austin: So if you have CUI in your office, you're good. Yep. If you have CUI backed up to your IT provider's office and it only goes to their office and on their own servers, you're good. With some caveats.
Brooke: I think we have that question in a minute, but yes. Yeah.
Austin: And then but if you're using a backup provider that stores it somewhere else that's not your IT provider, or if they are and they're just reselling it to you, it needs to be a FedRAMP.
Brooke: If a CSP comes in the picture anywhere, doesn't matter where, then yes, it has to be FedRAMP. Yep. Authorized or equivalent. And you're we'll get to it in a minute, I think, but your uh MSP isn't necessarily uh a uh a CSP.
Austin: So uh let's go ahead and get to that. So do MSPs need their own CMMC certification?
Brooke: They do not. So uh the the minimum that an MSP needs to provide uh for uh for their client, for you, the OSC, the organization seeking certification, um the minimum they need to uh supply is a uh responsibility matrix. It's called, the DoD in their infinite wisdom decided to change the term from shared responsibility matrix to customer responsibility matrix. So it's a CRM, which confuses with another very common uh uh term we use in the in the whole IT world, but uh but that it's okay. You know, federal government can do that. Uh so this uh you have to provide the IT provider, the MSP, has to provide a CRM uh to you that explains what their responsibility is and they do for you uh as it's laid out by controls, uh preferably assessment objectives, but controls, uh and uh and what your responsibility is. So uh that's called a you know, like I said, customer or shared responsibility matrix. And that's what it defines is who takes care of what as it applies to uh CMMC. Uh so as long as you have that CRM in place, it's clear to clearly defined, um that's great. Uh you'll know what flows down, what does not uh to you. Um the if they are, if if your MSP does get a Level 2 certification, uh that does it's not promised, but it does it should lighten the load some uh for your assessments. It will certainly lighten the load uh for the um MSP's uh assessments if they have multiple clients. If an MSP has multiple clients, then uh they really just have to go through a uh I can't think of a polite term to call it uh uh but an assessment. They only have to go through an assessment, uh uh a full assessment once. They will spot check and verify, uh, but they go through that full assessment once. They say, here's our certification, uh, here's our CRM, and uh the assessors should be pretty good with that. They'll like I said, they'll spot check some of it, but they won't go through the full assessment on each one of those controls that they provide you.
Austin: If your MSP has a CMMC Level 2 certification, it uh lowers the risk um that they carry to you during your assessment because uh you're likely just they're just likely gonna be spot checked more or less uh by your C3PAO. But if they're not, then it's gonna be a much more intimate exam.
Brooke: Intimate exam. That's what I was looking for. Gotcha. Uh the word intimate couldn't come to me, but I was thinking of something else. But yes, the uh it will be a much more intimate exam for that MSP. Uh and the um you know I don't know how this would translate for future uh for future assessments, you know, maybe it'll matter a little bit more, um, but right now the the cost is a cost, and it does they don't they don't take any of that cost off if your MSP has a has a certification. So uh could be that they do that later, but the burden certainly is a little bit lighter on the assessment and on you, the OSC, uh uh the risk to you, uh your uh burden that you shoulder, the weight you feel on your shoulders, you know, that that's lighter. Um so yes, so Level 2 certification will help a lot, um but it's not a it is not a panacea, you know.
Austin: Let's hedge your bets. Yes. Yeah. What if your IT support and your security tools are not handled by the same company, but instead different vendors?
Brooke: Sure. This would be like if you had an MSP to take care of the normal support, the care and feeding of your system, but you also outsource some MSSP services. Uh MSP is managed services provider and MSSP is managed security services provider. So for instance, a lot of people will uh outsource their SIEM or or MDR to a different company. Um firewall, stuff like that. Yeah, something like that. So uh so it can it's okay if they are you know provided by different companies, no big deal, but they will be assessed uh for whatever controls that they uh uh cover for you. So for instance, if I mean well whatever they uh whatever services they may provide uh to protect CUI, uh they're gonna cover antivirus uh you know uh firewalls, uh anyway, they're they're gonna be assessed for those controls. Not all of them. Not all the controls, not all 110, just the controls that they provide you uh service for.
Austin: Well, fortunately we were uh uh provided uh an easy question this last time, but this next one also will be a pain. So uh are endpoints in scope when using VDI?
Brooke: So VDI is virtual desktop infrastructure, and uh it has a pretty specific meaning. Um and the uh Department of Defen- Department of War has uh uh defined it, defined what they're talking about. So um a VDI system can be out of uh the endpoint connecting to VDI can be out of scope as long as you meet certain parameters. Those certain parameters are gonna be, for instance, uh no USB passed through, no uh mapped drives passed through, no uh or local drive, no no drives passed through, uh no copy and paste ability, um uh screenshots, uh no screenshots. Uh as long as you cover all those controls, uh and I'm off the top of my head I can't think if that's all of them or not, but uh anyway, if you configure it properly and make sure that you know those things can't be done, uh then your endpoint connecting to VDI is is out of scope. But if you can't do all those items, so you can do everything, you know. I can cover all those controls except for uh disabling screenshots. I can't disable screenshots, you know, um, but we tell people not to. Sorry, doesn't work. Uh that that means your endpoint is in scope. You know, are you actually yes you can do that, uh absolutely, but that puts that endpoint that's connecting in scope. So um uh they have defined that very uh very well, and everybody knows if you read uh the clarification on that, you know how you have to configure it, and you know that you have to put some sort of VDI infrastructure in place, you know. Whatever it may be. Parallels is a is a good one to go with if you if you want to look. So short answer is as long as it's configured properly, that endpoint is out of scope. If it's not configured properly, uh like the DoD defines, DoW defines, I'm s- it's gonna take me a whole year to get used to that. Uh you know, if it's not uh configured properly, then yes, your endpoint that you connect with is gonna be in scope.
Austin: Yeah, this is one that causes a lot of confusion because uh you know it a lot of the off-the-shelf um VDI solutions, what uh is nice and fortunate about them is that most of those are already solved for you. Right. Um and so uh I remember at maybe it was last year um in Vegas at CS whatever East, uh I don't know, the names changed and I think CS5. CS5, but no, it was before it was CS5. Um Seek East, I think. Yeah, Seek West and Seg Western. Yeah, whatever, one of those things. Um there was a lot of confusion about it. Um and uh uh anyway, uh it it seemed like at the time the prevailing thought was you couldn't provide your own VDI solution to yourself. Um uh you could only really source it, you know, from a VDI vendor. Um, but that's not necessarily true. You can do it if you have everything configured correctly.
Brooke: Correct, yeah.
Austin: Right. So but some of those things are hard to configure. Um and uh to do it, you might as well just make some things in scope. Um uh because the cost to get the proper solutions to do it easily and properly is um, you know, you know, if you're if you're a smaller company, um, you know, uh it's just not always worth it. So but if you're a larger company making your own VDI solution for yourself, um very much um could be worth the the money spent to get a specific solution to to solve some of the things like the screenshots and and other things that are um uh are to do just you know with uh your off-the-shelf remote desktop and terminal services from Microsoft or whatever.
Brooke: So absolutely. Yeah, it's you know it depends on the the scenario. You have to do a cost-benefit analysis and see. Uh, but you're right, the uh VDI solutions that cover all the bases here, uh they're they're not inexpensive, you know. So there may be some open source uh VDI that you can use, uh, but you know, there's always a trade-off, you know. Uh there's uh the open source and commercial arguments all the time. Uh so typically, you know, commercial, you pay for you know somebody else figuring everything out for the support. And uh uh for open source, you know, it's the time invested uh to figure it out. Uh search through all the newsgroups and whatever else for uh you know for support. Uh so there's there's an investment either way. It depends on how you want to invest. Either one uh is not gonna be inexpensive, however you want to look at that. Um so for smaller companies, depending on your environment, manufacturers, it's hard to make a uh VDI solution be the end-all be-all for them. So same thing for construction companies, uh, although there's some things that fit in a little bit better for construction companies. But in any case, uh it can work for you. You just gotta do the benefit cost-benefit analysis and see uh because they are not inexpensive solutions to put in.
Austin: So I think that about rounds out all of the uh FAQs, the facts. Um so what would you say the biggest takeaway uh from all of this today is, Brooke?
Brooke: Uh well the biggest take really the biggest takeaway from all from these FAQs, uh there were only a couple of them that were um that were truly new, uh at least new to me, you know. Uh uh but the rest of them, they were uh stuff that they've just reiterated and reiterated and reiterated. So if you're if you're in the ecosystem, you're paying attention to it, um you know, they're not necessarily uh some of them are very technical, like we just talked about, the VDI and uh, you know encryption and stuff like that. But uh the gist of most of them are not highly technical, uh and it's just revolves around, for instance, you know, is uh encrypted CUI still CUI? You know, that's not technical, that's just uh I was gonna say philosophy, but that's not even philosophy, but that's just an argument some people try to make to to uh ease their burden of uh scoping things out properly, I guess. But uh anyway, most of them are not highly technical. Most of them uh have to do with understanding the controls and understanding everything properly, um, you know, what they're asking for, the processes and stuff like that. So really it's you know about understanding all the controls and making sure you have the proper documentation in place, making sure everything's scoped properly, you know, all that kind of fun stuff.
Austin: I think that's it for us today. Uh, if you have questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.