CMMC Compliance Guide

CMMC Scoping 101: The Most Expensive Mistake Contractors Make (And How to Fix It)

CMMC Compliance Guide Episode 50


Scope is the foundation of your CMMC compliance program and getting it wrong is one of the most expensive mistakes a DoD contractor can make.

In this episode, Austin and Brooke break down what “scope” actually means in plain English, why contractors skip scoping early on, and how one small miss, like a downloads folder or a USB handoff, can quietly pull major systems into scope.

We cover:

  • What CMMC scope really is, including processed, stored, and transmitted CUI
  • Why contractors start with tools and policies too early
  • The data flow diagram exercise that reveals hidden scope issues
  • How scope mistakes turn into rework, delays, and major cost increases
  • Why “enclave” is often misunderstood and what it really means
  • What to do if you think you got scope wrong
  • How to self-check readiness using NIST 800-171A and the CMMC Assessment Process (CAP)
  • Why documentation and evidence, not just controls, become the real burden

If you are planning for a Level 2 assessment, scope should be your first move, not your last-minute scramble.

Austin

Hey there, and welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today we're here to give you all the secrets for free, so if you want to tackle it yourself, you are equipped to do so. Let's dive into today's episode and keep your business on track. All right, Brooke. Today we're talking about one of my favorite topics: scope. Scope. That's right. That comes up quite a bit, doesn't it? It does, it does. And it's the foundation of your compliance program, and it's really important. Typically it is the most expensive mistake that companies make when planning for CMMC. This isn't necessarily about technical implementation or misconfigurations or policy today, but about a planning decision that can quietly turn a manageable compliance effort into a six-figure problem. Or worse, you get down the line to your assessment, or a couple of years later, and you have to redo your scope entirely. Right, right. So let's get into it. Absolutely, let's do it. Well, Brooke, when companies come to us, they typically fall into a couple of different categories. Either they've tried to DIY it, they've engaged another company in some form or fashion, either amateur or professional in the compliance area, to start the effort, or they just hadn't started at all. Right. What is the mistake that shows up over and over again from these three buckets?

Brooke

Well, the one that shows up all the time is scoping. And really, scoping can be a problem because you just say, well shoot, we're a small business and everybody's got to touch it, so everything is included. That may be the case, or it may not. You can certainly scope some things out and make it easier on yourself, most of the time. But the other problem is people just don't understand CMMC and they don't understand the controls, and they go start trying to implement everything, and they just assume everything is in scope. And that's still a scoping issue. That scoping issue can stem from different problems, but it all ends up being a scoping issue. You've really got to understand CMMC and have a big picture of all the controls to say what really should be in scope.

Austin

Yeah, and this is where we typically see people putting the cart before the horse, in our opinion. It's really attractive to start with implementation first: buy the tools, install them, get things configured. That get-it-done attitude works on a lot of problem solving, but compliance is one of those things that has so much nuance and interconnectedness that you really need to start on the planning stage, the scoping stage, because it really affects all of the technical implementation and policy decisions. So, for example, in our opinion you don't even start on policies until you've got scope figured out. Right. Because if your scope changes, you have to rewrite all your policies, right? Just as you have to redo all of your technical implementation.

Brooke

It may not be a full rewrite, but if you have to go back and touch every policy, or most policies, because you changed your scope, then that's a lot of work to go through and do.

Austin

Oh yeah, oh yeah. I mean, it's really something that feels like you're not making a ton of effort when you're spending time on it, but you really should spend a decent amount of time on your scope, because it makes everything else fall into place a lot easier.

Brooke

Part of scope is defining what CUI you have, right? We always start by saying, hey, what type of CUI do you have? And all right, well, how do you know that you have that type of CUI? Well, I don't know, is generally the answer. Sometimes people do know, and they can say, well, this contract here has these DFARS clauses and this, that, and the other, and we have these documents that are marked CUI. That's great. That's wonderful. That is definitely the rare case. It is not most companies. So you've got to define what in the world CUI is, and then figure out where it is on my systems currently, and then figure out what your scope should be from there. That's all part of the scoping decision, right? But that's the basics. And it's made easier if you have a really good overview and understanding of CUI, or excuse me, of CMMC, beforehand, so you can know what's involved. Somebody says, well, let's just do the whole network. Hold on just a second, because that will affect this, this, and this. So scoping is the biggest thing. It may be caused by different problems or come from different angles, but scope is the biggest problem, and it can cost you a lot of time and effort and a lot of money.

Austin

Yep, absolutely.

Brooke

Or, I should say, incorrect scoping can cost you a lot of extra time and effort and money.

Austin

So, as I always like to say, all roads lead back to scope. Scoping is the foundation of everything. That's all great and good, right? But if you don't understand what scope is, then it's kind of hard to start, right? When people hear the word scoping, it can sometimes feel a little abstract, or sometimes people are like, yeah, yeah, scope, got it. It's a simple word, I understand. So there can be some misunderstanding as to what it is. So what does improper scoping actually look like? And maybe, if you could, tell us briefly what scope is.

Brooke

Sure. So when you're talking about scope and you're figuring out how to scope things properly, you think, all right, now we're going to scope our systems and figure this out. You've got to first figure out, of course, like I said, what CUI you have and where it's currently at. But when you're thinking about that, this whole thing is to protect CUI, Controlled Unclassified Information, right? And so you've got to figure out where it's processed, where it's stored, and where it's transmitted. So: processed, stored, and transmitted CUI. And that's devices; that's systems, like a SQL Server, an ERP solution or MRP solution, email, a network, anything that touches it. People. Your service providers; maybe you have an MSP or MSSP or something that provides some services for you. Those can all be part of that scope. So people, devices, and systems are all part of that, and you have to take those into account. Folks have a tendency to leave out, and not even think about, their service providers or their people. And that's a very important part of it. And do you have meetings where you show CUI online, on a Zoom meeting or something? Those are all things you need to take into account. Figure out what kind of CUI you have and where it is currently, and what systems, people, and devices process, store, and transmit CUI. That really is the crux of the matter right there.

Austin

Yeah, I like to say it's really as simple as getting your legal pad, your scratch pad, out. That's really where scope starts, in my opinion. It comes from, hopefully, your customer's portal, and then it goes to your downloads folder. And then everything it touches, right? Your downloads folder is now in scope, which means the computer's in scope. That's right. And then it may go from your downloads folder to the estimator, right? And the estimator may kick it over to programming. And programming puts it in some G-code and puts it on a USB drive and goes to the shop floor, and the guy that carries it, the machinist, runs the machine and plugs it into the CNC machine. If it's on a USB, then the CNC machine's in scope, right? Right. And you just go on with that whole process, and that is scope. That's where you define scope from, at least where it's at today. Now you can re-engineer that process and change it if you don't like your scope.

Brooke

You can, and a lot of times you do, absolutely.

Austin

And yeah, a lot of times you do, and you obviously want to do that in a way that's not hurting the efficiency of the business. So everything's a trade-off. But I remember I was talking with one of our customers on an intake-type call, where we were doing some consulting, some first conversations, and he's like, well, I really think we've got everything figured out. Everything's in our ERP that has all the controls implemented, and we don't keep anything on the computers, and it comes straight from the customer portal. And I was like, well, that sounds wonderful. It sounds like you've got it really figured out. How do you get it into your ERP? It's a cloud ERP. And he said, well, we download it and upload it. And it's like, well, your computer's in scope. And his big eyes, like, he didn't realize. And I completely get that. It's easy to miss that little step. But that's the point of the scoping discussion. Because if you miss that critical connection point of the downloads folder on your computer to upload into your compliant ERP, you've just ruined your assessment, because the assessor will notice that. And you have an endpoint that is processing, storing, or transmitting CUI that's not being controlled, not being taken care of properly, right?

Brooke

Right. Exactly. I heard two things there. One, I heard you say compliant ERP. That's pretty funny.

Austin

Compliant cloud ERP, yes. It wasn't, but I was trying to give him the... he thought it was. They do have all the controls implemented, but it's not compliant.

Brooke

So there's that. There are a lot of ERPs; you have to be very careful when you look at ERP systems, because a lot of them say, we are CMMC compliant, but you have to look into what CMMC compliance really means to them and whether you can actually store CUI in there or not. The second thing is, what I realized I left out a while ago, that you just described in detail, was the data flow diagram. With a data flow diagram, you start writing it out, drawing it out; you can sketch it out. This is what I always do, because I'm quicker at drawing with a pen or a pencil than I am doing a Visio or something. So I just dated myself. I don't think any young whippersnappers these days like to use Visio.

Austin

They all use something else. But is Visio a shorthand for a rock and chisel? I'm not sure what that would be. I think so. I think that's what it is.

Brooke

But you start out sketching: where does the CUI come from? Well, it comes from our customer portals. Well, where does it go? Well, we download it; our estimator or whoever, the contracting officer, downloads it, and then they save it on a shared drive, a shared folder, and then the estimator gets it and he does this with it, and then it goes into this system, and then it gets turned into drawings or specs, however it may go. But that data flow diagram is a very important part of understanding the flow of CUI: where it goes, what systems are involved, and all that kind of fun stuff.

Austin

Yeah, and those details are very important. They're also very important because once you put them on paper, you realize, well crap, we don't have to do this one thing, and it costs a lot of money to get it in scope, say email or something. Let's just exit off that. Yeah. We will no longer do that, or we'll no longer put it on this folder or something. Once you have it on paper, you can go, what here can we reduce or remove? And then you can create a smaller scope that way, and hopefully save yourself some money, or at least reduce the number of things the assessor is looking at.

Brooke

Right. Absolutely.

Austin

So I think we might have covered this one, but I'm going to ask it anyway. Why do you think that small and mid-sized contractors skip the step of scoping, or fall into the trap of improperly scoping?

Brooke

Well, there's a lot of reasons, but for small and mid-sized contractors, I think it really boils down to this: they know it's going to be expensive and they want to do it in-house, and so they try to do it in-house, and they don't really understand CMMC. That's where it all stems from. And then they say, hey, Johnny, Mr. Estimator, Mr. Quality Guy, I need you to implement CMMC for us. It is your job to implement CMMC. The poor quality guy. Yeah, the poor quality guy, or the one IT guy that they have that's underpaid. It's your job to implement this. And, by the way, you have no authority to do anything, but you have to implement CMMC. So that is generally where it starts and why that happens. What they really need to do is not say, I need you to implement this. Say, hey, I need you to tell me what we need to do to be able to implement this. And then that person, or somebody, needs to step back and look and say, this is a big beast. You either need to invest in a whole lot of training and more people, or you need to invest in bringing somebody in to help us, something like that. So it always starts with them trying to do it as inexpensively as possible. And while that is totally, a thousand percent, understandable (that should be the goal), sometimes you can be pennywise and pound foolish, or whatever that phrase is. You can save cents and then cost yourself dollars later on, right? In a lot of other business aspects you may realize, hey, it's going to cost us more to try to do this on our own, and we need to hire an expert to guide us. Well, this is the same thing with CMMC. You need to have an expert, because it is a big beast.
So you either need to make one of your internal people, or preferably more than one of your internal people, CMMC experts and have them guide the process, and then either give them the authority or a direct line to the decision makers to get things done, or you need to hire somebody in. And I will tell you that the learning process is not quick. It's not that you go to a class and learn it and you're good. It is a lot of reading, a lot of understanding; go become an RP, become a CCP.

Austin

We've been doing this since 2017, and I think we're still learning.

Brooke

Oh, it's safe to say everybody is. And things change. The CMMC program today is not the same as it was at the end of 2017, for instance. People are not implementing things the same way; the policies don't look the same. So yeah, you really need an expert to do that. And if you want to do it internally, you absolutely, a thousand percent, have to invest in training your people, sending them to conferences, meeting with people, all that kind of fun stuff. It's not going to be one three-thousand-dollar course to become a CCP and, hey, magically they're good. There needs to be a lot of input and a lot of understanding there. That CCP class is huge and very important. RP is a good beginning. Registered Practitioner is what that is, through the Cyber AB. CCP is a CMMC Certified Professional. So there you go. I try not to throw all the TLAs, three-letter acronyms, around without describing them. But that's really important. If you're going to do it in-house, you really have to train your people up. And if you don't want to take the time and the effort to do that, because you'll still have to spend a lot of money, and a lot of effort and time, after that to implement this; if you want to shortcut that process, get it done quicker, and sometimes maybe even cheaper, bring a professional on, somebody that already is in that arena, to help you out.

Austin

It's pennywise, pound foolish, yes. And I think the whole point of that phrase is that it's not really about what something costs; it's about what your dollar buys, right? It's the effectiveness of that spend. Exactly. And so that's kind of a great segue into my next question. The goal should not, as I said earlier, be to make everything as cheap as possible. It should be about making everything as cost-efficient as possible, so that your dollar goes the furthest. So even if you're spending a good chunk of change, that chunk of change is buying something even bigger back, right? So the next question, which I think is a good segue, is: what happens after a company gets scope wrong early on?

Brooke

Oh. Yeah. So you may have invested thousands of dollars in an enclave solution to keep all your systems out of scope and all that kind of fun stuff, and then you realize later on, oh crap, that enclave solution isn't going to work like I thought it was. And now there's a lot more of our system that is in scope. So now you have to bring all that up to standards, right? If you get scope wrong in the beginning, you may spend a whole lot more than you need to securing everything. And again, I'll say that bringing everything into scope is definitely a way to go, and can be the best way to go, depending on your business, depending on how much of your business the DoW is, depending on how big your business is, depending on a lot of things. All your systems might be in scope, or all but two or three of your computers may be in scope, for instance, something like that. But getting it wrong early on will cost you. It's just a matter of how much that costs you, how much re-engineering you have to do, and all that kind of fun stuff.

Austin

Yeah. So you may have spent a little amount of money, saving money early on, but the fact that you have to redo it later made that spend completely ineffective. Absolutely. You'd have been better off spending more money later, buying more, and getting more back, right? Right. You know, I saw you, whenever you said "enclave solution," you did this little thing. I'm afraid you might have hurt some people's feelings out there.

Brooke

I probably shouldn't have used air quotes on "enclave solution." Enclave is a buzzword, much like cloud. It's in the cloud. Really, all the cloud is, is somebody else's computers that you're using. That's really all it is. Now, when you talk CSP and ESP and all that kind of fun stuff, CSP has a specific meaning, and they're a cloud provider, from the Department of War. They've made a determination and a very good definition of what it is and how it fits. But the cloud really is just somebody else's computers. An enclave is just your scope. Just your scope. What you've narrowed it down to. Your enclave can be a lot of different things. It can truly be an enclave where you've got a locked room and all your systems are in there, and you've got an internet connection coming into your enclave and your firewall and everything else is in there. That would be a true enclave. When you start expanding out of that, people still call it an enclave. Here's your cloud enclave, here's your this, that, or the other enclave. And that's great, but it just sets the wrong expectation. It does set the wrong expectation, because people think, oh, it's all contained, great. That is rarely the case. Especially... I mean, this affects what base? The defense industrial base, which does what, mostly? They manufacture things. Build, make. They're taking hunks of metal, or whatever, and turning them into a little widget for a plane or a ship or a submarine or something like that. Or wiring systems, or this or that, or whatever. But it's manufacturing, and manufacturing is a messy business when it comes to systems, right?
And computers, and everything else. A lot of manufacturers have tried to get their machines online and more efficient and stuff like that, but security, ha ha ha, that's pretty funny. So you've got all sorts of things you have to address there, and with an enclave solution, you're going to pierce that enclave to try to get CUI out to your machines to build the product.

Austin

So piercing the enclave means expanding it. It does. Piercing it means expanding it.

Brooke

You just brought something else into scope.

Austin

Somehow, however you do it. Right. So we're not haters of enclaves necessarily, but it just sets the wrong expectation. Because, at the end of the day, like you said, we're working mostly with manufacturers, builders, dealing with the real world. The real world penetrates a cloud enclave that people like to go buy off the shelf and want to be just good and done after that. The problem is it just doesn't work that way. Because, like you said, as soon as you introduce a manufacturing environment, it gets pierced and that all gets brought into the enclave, into scope.

Brooke

Right. And it can still be an enclave; those machines can still be part of an enclave, but you've got to define it right and figure out what your enclave is. The only problem with an enclave is what people think: oh, everything's contained in it, it's all in there, and I don't have to worry about anything else. Great. Well, except you do have to worry about other things, and that's fine. So I probably shouldn't use air quotes, because we do build enclave solutions, right? We do that too, but we take a holistic approach and figure out what's going on, what needs to be in scope, what needs to be out of scope, what needs to have alternative physical controls, or whatever it is, right?

Austin

I just didn't want to open the hate mail from that one. So I think we've spent a fair amount of time examining the pitfalls and the traps that you can fall into around scope, and how we see manufacturers, OSCs, and the Department of War industrial base in general fall into them whenever they're going through their compliance journey and looking at scope. So if you're at home right now and you're in one of these buckets, and you think, maybe they have a good point, I think I may have a chink in my armor, where would they start on remedying that? If you were to advise them on what to do right now at home, what should they do?

Brooke

I would say just stop and hold on. You don't necessarily have to pause everything, but depending on what you're doing and who you've engaged and all that kind of fun stuff, you may want to just pause for a minute and start with the basics. What kind of CUI do we have? How do we know that? And if you don't know, if you just think you have CUI or you're pretty sure you do, then you might look at your contracts. You might talk to your contracting officers. You need to figure out what kind of CUI you have and if you have any of it marked at all. Then start with figuring out the flow of CUI, the data flow diagram, and figuring out where it goes: the processing, the storage, and the transmitting of CUI. And that's people, devices, and systems. A system could be anything: it could be your ERP, could be file shares, could be email (hopefully not), could be SharePoint, could be a million things. Whatever a system is, and there's those air quotes again. Whatever a system is, it could be anything from server shares to cloud systems. But you figure out that flow of CUI, figure out where all it is processed, stored, and transmitted, and then you step back. And the other thing I would recommend people do, if they haven't done this yet, if they don't have a CMMC expert driving this, is take a minute and look at two things. Look at NIST 800-171A, the assessment guide, and just read through it. Have fun. Or read through part of it; you'll get through part of it and you'll get my point, right? Look at it; that's what the assessors are looking for, and say, have we done some of these things? And most people will go, I don't even know what the heck that means.
So if you don't know what it means, there may be an issue. There may be a chink in your armor, right? The next thing I would say is look at the CMMC Assessment Process, the CAP. That's what C3PAOs and assessors have to follow to do an assessment. Look through that process and figure out if you really are on the path to being ready to go through that process. If you've tried to do it internally and not made sure that you've gotten somebody trained up and talking to all sorts of people, going to conferences, stuff like that, I'll bet that you're probably not on a really good path to being ready. So having that CMMC expert, whether it's internal or external, and understanding that you'll need to pull in resources to help you out (I mean, we're talking about small and medium businesses), that is a very important part. You've got to understand CMMC before you even start to try to implement anything, before you even talk to anybody about an enclave solution. You don't go talk to a vendor and say, hey, I need to figure out how to handle my CMMC stuff. How do I do that? I hear you have an enclave solution. Yep, we do. And you buy that enclave solution, but you fail to get it implemented properly because you don't understand CMMC and what's in scope. It all boils down to pausing, taking a minute, and understanding that this CMMC stuff is a big beast to understand. Did you start at the very beginning with understanding the CUI that you have, the data flow diagram, and scoping? Did you do any of that? The answer is probably no for a lot of people, especially people that haven't meaningfully started this process yet, or have somebody internal. So have you done that yet?
And if you haven't, you need to go back and do that before you go any further. Hopefully, if you have a CMMC expert on staff, they've led you to that. If they haven't, then you need to go back and do that first part. But again, the next part is understanding that it is a beast and you need to have an expert, whether it's on staff or you hire in somebody to help out.

Austin

I mean, I think, to your point, most everyone out there, if they just go through that data flow diagram, that scoping, the scratch pad, legal pad exercise, they can probably find the chink in their armor by themselves without having to engage someone immediately. If you're really honest with yourself and you just do that exercise, you can find out what issue you have and kind of where to go: do you need to reach out to someone, or whatever? So if you've done that, or you're not sure, we always offer a compliance roadmap. It's basically twelve questions that I developed that are usually guaranteed to find, within those twelve questions, the chinks in the armor, kind of like I spoke about earlier and how we found the issue with the downloads folder between the ERP and all that stuff. So if you're interested, if you just want a second look, then feel free to just email us or text us "compliance roadmap" or whatever, and we can set up a call on those real quick, just for a second look. But like I said, you can go through that exercise yourself with the legal pad and you can probably find it.

Brooke

So part of that, though, is also being honest with yourself, and that's why I suggested looking at the NIST 800-171A, the assessment guide, and the CAP, the CMMC Assessment Process, to see what the assessors are going to look at, what the process is, what questions they're asking, and what kind of evidence they're going to look for. When you do that and see that, even if you go through part of access control, and that's, you know, part of one family of 14, and you look and you go, oh crap, they're looking for some detail, you know. So we probably ought to be pretty detailed about this data flow diagram, not just, yeah, we download it from a portal and it goes into our ERP. Okay, let's be a little more detailed about it than that. What systems does it go to? So you really have to think that through, and you really do have to list, that's why I said list the people, list the systems, and list the devices that the CUI flows through.

Austin

Yeah, we always say documentation is the biggest burden, which is true. And to clarify that a little more, you know, once you get the actual documentation, like the paperwork, out of the way, the biggest burden is actually the evidence. Yeah. So if you go look at, to your point, that stuff, and then you see what evidence you have to generate to show them, that'll make you wiggle in your seat a little bit, because you realize, oh crap, you know. It will. And frankly, even if you go look at the CMMC Level 1, I forget the URL, and spots and people too, but if you go look at the requirements for a CMMC Level 1 self-attestation for evidence, that'll make you wiggle in your seat. It will. Most people are phoning that in and they are not keeping their evidence for it.

Brooke

They don't keep evidence for it. I can almost guarantee it, because, you know, most people say, look, the rest of our network can be, and we do this too. I mean, we say, look, the rest of our network can be Level 1, and we'll have an enclave. There's those air quotes again, sorry. I know we can have an enclave where CUI is processed, you know, and everything else will be outside that scope and be Level 1. And people just phone that in, like you said, and really it requires some evidence. So if anything ever happens and they come and look and say you're supposed to be Level 1, and, you know, where's your policies? Where's this, where's that? You know, you'll say, what? Yeah, I was supposed to have policies. I gotta have, you know, I gotta show something. Uh, yes, you do. And so, it's probably less likely that you'll get caught with your pants down on Level 1, but I wouldn't want to get caught with my pants down. So you gotta get that right too.

Austin

Yeah, you know, I view those as just a real easy cover-your-butt situation, you know, and you sleep a lot better at night knowing that's stored away, and that if you ever do get, you know, the government comes knocking, or your primes come knocking, then you just, you know, show them the money, show them the evidence, and you're covered.

Brooke

You know, just to be clear, you don't want to show, you know, the government official money, because you might get in more trouble.

Austin

So now we've offended everyone with the enclave air quotes, and now you're trying to send people to jail. Yeah, no, yeah. So I've got accusations of bribe and property. Well, on that note, I think maybe we should end the episode. Right. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.