CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC Level 1 Self-Attestation Explained: Requirements, Evidence, and Risk
A lot of contractors assume CMMC Level 1 is just a simple checkbox. It is not.
In this episode, Austin and Brooke break down what CMMC Level 1 actually requires, what a self-assessment really looks like, and why self-attestation without documentation can create serious risk.
They cover the difference between Level 1 and Level 2, what Federal Contract Information (FCI) actually is, how Level 1 maps to the formal assessment process, and why organizations need policies, evidence, and artifacts before signing an attestation.
This episode also explains:
- What CMMC Level 1 covers and what it does not
- Why Level 1 is always self-assessed, not C3PAO certified
- The difference between self-assessment and self-attestation
- What documentation and evidence should exist before attesting
- Why authorized users, devices, processes, visitor logs, and physical access controls matter
- What the CFR says about evidence retention
- When a Level 1 claim may actually be scrutinized
- How whistleblowers, breaches, or customer requests can trigger verification
- The False Claims Act risk of saying you are compliant when you are not
If you are planning to self-attest to CMMC Level 1, this episode will help you understand what the government expects before you sign your name to anything.
Is There A Formal Level 1 Assessment
Austin: Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking about something that trips up a lot of Department of Defense, or Department of War, contractors when they first start learning about CMMC. Specifically, I think this comes from an audience question as well, a comment. Yes, it does. A lot of people assume that for CMMC Level 1 there must be some kind of formal process or formal assessment that happens, where someone comes in and audits your environment step by step. So today we're reviewing what CMMC Level 1 actually is and how to approach it. That's right. When people first start learning about CMMC Level 1, one of the most common questions we hear is what a Level 1 assessment actually looks like. So, Brooke, is that the right way to think about Level 1? How does an assessment fit in? Can you help explain that?
Why People Misunderstand CMMC Level 1
Brooke: Absolutely. So for a Level 1 assessment, a third party is not required, whereas for a Level 2 certification a third party, a C3PAO, is required to come and do your certification assessment. But Level 1 is always self-attestation or self-assessment. It is still a formal process, though. You do have to go through it and do it, and there are several pieces to it. A lot of people just phone it in and say, yeah, we do that, check, but that's not the right way to do it, and you don't want to get caught with your pants down, so to speak. So you want to actually go through the formal process. Before you tell the government, before you self-attest that you are CMMC Level 1 compliant, you want to actually make sure you are, and go through that process formally, so that when you say it, you are actually compliant with Level 1.
Austin: So before we dive a little deeper into what goes into attesting and what you should do before attesting, can you explain what CMMC Level 1 actually covers? Sure.
What CMMC Level 1 Actually Covers
Brooke: Yeah. CMMC Level 1 basically covers FCI, Federal Contract Information. It does not cover CUI. If you have CUI, or will have CUI as part of a contract, then you're not Level 1, you're Level 2. At that point you're either going to be Level 2 self-assessed or Level 2 C3PAO certification, one of the two, most likely the C3PAO certification. But Level 1 is only FCI. It's what you need to do to protect that FCI. Specifically, it is FAR 52.204-21. That FAR rule actually just changed to 52.240-93. There were some FAR and DFARS rule changes to help align things, and that's one of the things that changed. It's easier for me to remember the old one that's been in place for a long time, the 52.204-21, but it has changed. But it is really just about FCI and protecting FCI, and there are 15, or however you look at them, 15 or 17 controls.
Austin: Yeah, I know we've talked about it in previous episodes, but since we're talking about it again, it might be good to go over what, generally speaking, FCI is, a general rule of thumb that people out there can use to identify whether they might be touching it. Sure.
Brooke: So FCI is Federal Contract Information: anything on that contract that is not public. In other words, if you have to go to a portal and log in to see the information, then it's non-public. Whatever information you can see without logging into a portal, you know, maybe somebody's email address or the name of the company, something like that, is public. But if it's non-public information about that contract, then that's going to be Federal Contract Information, or FCI.
What FCI Means in Plain English
Austin: So if you're downstream, either directly with the government or a couple of customers and subcontractors down from a federal contract, it doesn't have to be directly with the federal government, then that's the kind of information you're talking about, right?
Brooke: Yes. It doesn't matter if it's directly with the federal government or if it's with a prime or just a subcontractor or someone else. If it's federal contract information, information that has to do with the federal contract, any of that information that is non-public, that's FCI, no matter where you're at in that supply chain.
Austin: So you may not even be touching, you know, critical flight parts or weapon systems or anything, and still this would fall on your shoulders. Yep, absolutely. So when we're looking at CMMC Level 1, how does that compare to Level 2 in terms of requirements?
How Level 1 Compares to Level 2
Brooke: So Level 1, there are 15 controls and something like 59 assessment objectives. Level 2 is much more in depth: there are 110 controls and 320 assessment objectives. So it goes really in depth. Not nearly as in depth as NIST 800-53, but NIST 800-171, which is what CMMC is based on anyway, is 110 controls for Level 2. It's 110 controls and 320 assessment objectives. Level 1 is a fraction of that, which is why a lot of people normally just kind of phone it in and check the box. You still have to do your due diligence. But Level 1 being a fraction of what Level 2 is, it's 15 controls and, I'd have to go look, somewhere around 59 assessment objectives. So you still need to do your due diligence; it's still very important. You know, you have to have all your authorized users, for instance. You have to have those listed out. A lot of people don't even bother doing any of that for Level 1. They just say, oh yeah, we're good. But Level 1 does require those controls and those assessment objectives to be covered.
Austin: So not near as stringent as CMMC Level 2. Correct. But still fifty-nine things that you're telling the government you're doing. Absolutely. So 59 chances for them to come back knocking and say, hey, can you prove that you're doing this? Right, exactly. So where does the idea, or maybe I should say misconception, of the need for an assessment come into play if someone is self-attesting to Level 1?
Brooke: Well, the assessment comes in because you've got to implement all the controls and all the assessment objectives, right? So you have to assess your environment, see what you need to do, put those in, and then, once you're finished, assess it to make sure it's there, make sure everything's good.
Austin: So there is a need for a self-assessment, but not a third party assessing.
Brooke: Correct. There's a self-assessment that is necessary, but not necessarily a third party. You can have a third party come and help you do it, make sure you get everything covered and everything right, but however it is, it's extra credit. Anyway, that's the assessment portion, right? The self-attestation, you're attesting to the government: yes, I've gone through all this and I do meet CMMC Level 1 controls.
Austin: Yeah. And I think also, probably from the fact that CMMC Level 2 focuses on a third-party assessment so much, maybe people just make the natural conclusion that you have to do that for Level 1 too.
Why People Assume Level 1 Needs a Third-Party Assessment
Brooke: I'm sure they do, and I'm sure that's why they think that. I think the other part of that is that it's kind of confusing as to what's needed, right? What exactly am I supposed to do for Level 1? It really lays it out in the Level 1 assessment guide. You go read that and you'll figure it out pretty quick. But of course you have to know some key things to look for, and we'll go over those here in just a minute.
Austin: For our video watchers, we usually keep things pretty uncluttered here, but we have a prop today, which we don't normally have. So we're answering the question I guess they have, which is what the heck is on the table. I thought this was a good natural spot to bring this up. This is a printout of the eCFR, the electronic version of the CFR, specifically the 32 CFR section.
Brooke: Would that be eCFR if you've printed it out? I'm just wondering, because it's not electronic anymore.
Walking Through the CFR and Level 1 Requirements
Austin: So now it's the, yeah, I'm sure there's a paper CUI joke in there somewhere. I have no doubt. But this is 170.15 in 32 CFR. In the eCFR, if you just Google that, you can find it pretty easily, and then you can search pretty decently in there. So if you search for 32 CFR 170.15, this is where it defines what an assessment and what the affirmation requirements are for whenever you basically attest to CMMC Level 1. Right. I thought it would be helpful to print this out and show the viewers or listeners here. Sorry if you're listening; just memorize all this, I guess, because you can't see it. In here there is specifically the Level 1 self-assessment, under the procedures heading, that specifically calls out how to do a self-assessment, and you do it in accordance with the scoring methodology described in 170.24. The government is really good at referring to 15,000 other documents, you know, or places.
Brooke: Go look here, go look there. Yeah. Get you jumping around and make it very confusing. They are good at that, yes.
Austin: Yes, yes. But the breadcrumbs are there. You just have to commit yourself to paying enough attention and not getting lost in the block of text that they give you.
Brooke: So everybody that wants to look at the CFR and click through it and find all the little breadcrumbs and everything, you probably need to be good at puzzles. Yeah.
What Self-Assessment and Self-Attestation Really Mean
Austin: Absolutely. But I've kind of tried to put the puzzle together for you here. So this is 32 CFR 170.15. This tells you how to do an assessment against yourself and basically what your affirmation requirements are, what you're attesting to. Then it refers to 170.24, which is here, and it basically tells you that you need to rate yourself met, not met, or not applicable. And then it says a bunch of different stuff that basically says the things you have to rate yourself against are the NIST 800-171A, and then refers back to 170.15, this mapping table here, which converts the CMMC Level 1 requirements to the 800-171A requirements. So basically what this is saying is the left column of the mapping table, those are all the things that you have to hold yourself against, or assess yourself against. Right. So that is why I bring this up, because it is there and it is spelled out. And CMMC Level 1 is the easier version to do this yourself, because it's kind of all within these few documents that tell you what you need to do. So basically what it's saying is, for the things on this mapping table, you've got to have evidence and documentation for what you're assessing to. Yep, absolutely. So I'll pause there, because I think the next section is evidence, but I wanted to lay that out, and then we can talk about your cheat sheet as well. I've got a cheat sheet here. We never do this, but we both have one today.
So we'll use that as a segue to the next question I have for you, which is: before the senior official of the business signs the attestation, or tells the government that they are indeed CMMC Level 1 and those things are met (or, very sparingly used, not applicable), what evidence should the organization actually have ready or documented?
What Evidence Should Exist Before Signing
Access Control Examples and Authorized Users, Devices, and Processes
Brooke: Yeah, so kind of talking through this, I'm using my cheat sheet because we don't do Level 1 very much; we do Level 2 a whole lot more. So I need to make sure I don't get the wrong ones in here. There are a few families. One is Access Control; you have to worry about Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Those are the families you need to worry about. The first one in Access Control, for instance, is authorized access control for FCI data. They don't care about your personal data or your company data, really. They just care about their FCI data. And for Level 2, again, they don't care about your data, they just care about CUI. You probably want to protect yours too, but all the government cares about is FCI or CUI. That's what this is all about. So you have to have authorized access control for that. That doesn't mean, as a lot of people say, oh, of course we've got authorized access control, we use Active Directory, check. Well, no, not really. I'm going to use another one of my cheat sheets; I may not need it. For authorized access control, these numbers are different; I'm used to the Level 2 ones, but it's AC.L1-b.1.i. So it's authorized access control: limit information system access to authorized users, processes (I'll cut that one short), users, processes, and devices accessing that information. And processes means processes acting on behalf of users. In the IT world we generally call those service accounts, something like that. So not a person: a script, a service, something like that, but we generally call those service accounts.
The assessment objectives, there are six of those; same thing for Level 2. Are authorized users, processes, and devices identified? That's three different assessment objectives. Anytime you say identified, do you have a list of those users, and does it say these are authorized? And have you actually authorized those? Has somebody read them, reviewed them? Yes, sign your name. Has somebody reviewed those? So you have to identify those and review those. Then it says system access is limited to those authorized users, processes, and devices. There are the other three assessment objectives. So are they identified, and is system access limited to those identified? Just using that one as an example, you've got to have a list of your authorized users, processes, and devices. So all your computers, all of your access points, printers, anything else on that network that has access to that FCI data, it has to be authorized in some manner if it touches it. Let's use another one, for example; we'll just use the next one, AC.L1-b.1.ii. For this one, transaction and function control: limit information system access to the types of transactions and functions that authorized users are permitted to execute. There are two assessment objectives there. One is that the types of transactions and functions that authorized users are permitted to execute are defined. Do you define those anywhere? How do you define those? Is it in the list? Do you have a policy? How are those transactions and functions that they're authorized to execute identified? You have to identify them somehow, right? Well, you can go into Active Directory and look and see what access they have.
Yeah, but just because they're in Active Directory doesn't mean you authorized them, right? So they've got to be authorized, and generally that's going to be a policy. You could probably write one policy that covers all this, and then there are some different lists you might need to have. But the point is, when it says identified, you've got to have a list, or a policy that speaks to what they're wanting here. The second one is that system access is limited to those defined types of functions. So not only do you have to identify it, but you have to tell them what you're doing, just like Level 2, and then you have to actually do what you tell them you're doing. Show and tell. Show and tell, that's right. So you might say, well, it's just self-assessment, self-attestation; they're never going to come and look for all this stuff. Sure, we meet it. Yeah, but that's not what you're supposed to do. And if, for any reason, and we'll probably discuss this later in the podcast, you ever get caught and have to show, yes, this is why I say I'm Level 1 compliant, you need to have all that documentation there to back you up. Sure, and then examples of how you implemented it, to show that you actually did that, right?
Austin: It says it here in 32 CFR 170.15, all the way at the bottom where I've highlighted, right here: artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA, that's you, for six years from the CMMC status date. So that right there tells you, by law, that you have to do all this, have it on file, and retain it for six years.
Brooke: I wonder why they want you to retain that for six years. Maybe in case some breach ever happens, or something goes on five years and eleven months down the road, they can go back and say, hey, Acme Company, we had this breach and it looks like it came from your direction. You said you're Level 1 compliant. Can you prove that? And you're like, no, we just said we were Level 1 compliant. Or if you say, yeah, we can prove it, but we threw those documents out after our next assessment came out, or whatever it may be. You do have to hang on to those artifacts, all the documentation, which points to the fact that you've got to have some documentation to archive and hang on to. So you've got to at least have a policy and an authorized list of users, devices, and processes.
Austin: So whenever people use the term "they threw the book at them," this is typically what they mean by throwing the book at you. It's all written down there. It tells you what you're supposed to do. And then, if you didn't do it, they can use that against you later. Absolutely. So whether you did it or not, it doesn't matter; it's whether you had this. That's the book.
Brooke: A typical thing also, for a lot of folks, is to do a CMMC Level 2 enclave and then get the rest of the network to Level 1, which is what we're talking about today. Right. Which is great; that's a great plan. There's nothing wrong with that. But the point is, when you do all the really hard work to get that Level 2 environment in place, that's wonderful. What about your Level 1 network? Where is that documented? Is that documentation also in with your Level 2? Is it separate? How did you do that? How did you document it? Because if the rest of your corporate network is set at Level 1, so you can handle all the contracts on that side, not necessarily CUI, then you've got to have some evidence that you've done that.
Austin: Yeah, you don't want to have gone through the entire process of getting CMMC Level 2 certified and then have Level 1 get you.
Physical Protection Examples Like Visitor Logs and Keys
Brooke: Right, exactly. Just to go through a couple more of these, there are different things in here that you're going to have to address, like Physical Protection. It says manage visitors and physical access. For Physical Protection, PE.L1-b.1.ix, manage visitors and physical access. The assessment objectives for that, again, there are several of them here, six of them: visitors are escorted, visitor activity is monitored, audit logs of physical access are maintained. There you go, there's a piece of physical evidence that you need to maintain. Physical access devices are identified. What's a physical access device? Do you know? That's going to be a key, a key card, anything like that. Those physical access devices need to be identified. And if you hand out the same key to everybody, there's an issue, right? So they need to be serialized. The proximity cards, or whatever you call them, those are generally serialized, no problem.
Austin: This is when customers usually look at us and go, are you serious? Yeah. And we say yes. Because it says right there, you know.
Brooke: The single key you give out to the front door that everybody's got. What I can tell you is, I know people hand out those keys and they're not always really good about giving them back. And if you think businesses are bad, churches are even worse. There end up being like 200 people that have keys to the place and you don't really know who's got them. But we're not really talking about churches. So, physical access devices are controlled. How do you control those devices? How do you control those keys? How do you know who has what keys? And physical access devices are managed. So physical access devices are identified, controlled, and managed. Those keys and key cards are identified, controlled, and managed. Identified means you've got to have a list somewhere. Visitors are escorted, visitor activity is monitored, and audit logs of physical access are maintained. That's audit logs of physical access; that's not visitor activity. So how do you watch that? If it's a proximity card and they swipe it, there's a log, or there should be, in a computer somewhere that hopefully you can get to, that says who came in, or at least what badge number came in. If you assign that badge number to somebody, then you know who it is. Physical keys, they can just unlock the door and walk in. Sometimes if there's a key code on the door, there may be some kind of log that can go along with that. But if it's just keys and that's all you have, you probably need a camera watching that front door so that your physical access can be monitored. That way, anybody that comes in and out, you can tell who it is. So that's how you would cover that if you don't have some other electronic way of capturing who comes in and out.
That's just another example of the kind of documentation you're going to need with this. It's not simply, yeah, we've got all this covered, we're good, just check the box. There's documentation that needs to go with it. It's not a ton; you can get away with a pretty small amount of documentation for it, but it's got to be there. Yeah. And it's got to be accurate and reviewed.
Why Evidence Retention Matters for Six Years
Austin: So it has to exist. And it can look as simple as what you mentioned: a clipboard at the door for visitors, a camera on the door, your employee visitor log, a metal stamping kit for your keys if they don't come serialized. I think we mentioned a couple of other things I've forgotten now, but these aren't things that you have to spend a fortune on. You don't need some $20,000 iPad visitor system and a $3,000 door access control system. You can do these things on a budget and implement it; you just have to do the work. Absolutely.
Unknown: Yeah.
Austin: So I think we've kind of already answered this, but I wanted to ask it again, because it is a question we've been asked before. If a company wanted to conduct a mock review before making an attestation for CMMC Level 1, what would that actually look like?
Why Level 1 Still Matters If You Have a Level 2 Enclave
Brooke: So, just to be clear, there's not technically a mock assessment for Level 1, but with a self-assessment you need to assess your environment. One thing would be to do a pre-assessment and figure out where you are and where you need to be, or a gap analysis, however you want to phrase that. When you download that CMMC Level 1 assessment guide, it's going to walk you through it. Part of this is the same as a Level 2 assessment, whether it's self-assessment or a Level 2 certification: the three things you're going to do, or have a choice to do, are examine, interview, and test. So you examine the evidence; you may interview someone to make sure, and of course if you're the one that implemented it and you're the one assessing it, that's a little different, but preferably somebody with a third-party view, or not necessarily a third party, it could be within the company, somebody different than the person who implemented it, so you can get a clear view on these things. So an examine, an interview, and then a test. You go look for that visitor log, or you go look to make sure the antivirus is up to date, or whatever it might be. So you just follow that Level 1 assessment guide and walk through it. It's not a 30-minute thing; it'll take a little bit longer than that to really go through it and verify it. But that's what you need to do to assess yourself before that senior official goes to attest that you're CMMC Level 1 compliant.
Austin: So, as we've said, CMMC Level 1 is a self-assessment and a self-attestment, right?
Brooke: Yeah, I think, for how you want to say that, you attest.
Austin: So you're assessing yourself and you're attesting. Right. So what I'm trying to say here is it's the honor system, right? Right. Yeah. But we keep saying "when the government comes knocking," or if they do. What are the situations someone might actually find themselves in where a claim to Level 1 needs to be verified?
What a Mock Review for Level 1 Should Look Like
When Level 1 Claims May Actually Be Verified
Brooke: Well, I've seen it on Level 2, and there may be some Level 1 instances, I'm not real sure, but the reported ones I see are always Level 2. Most of the time, the lion's share of the time for Level 2, it's a whistleblower. So somebody on the inside, or not even on the inside necessarily, but somebody that knows about it, may go to the government and say, hey, this company over here, Acme Brick Company, which I probably shouldn't use because I think there is an Acme Brick Company; I was thinking Wile E. Coyote and Acme. Anyway, Company A over here, they say they're Level 1 and they're not even close. They don't have anything documented and they're kind of willy-nilly over there; you need to go check. So that's a whistleblower. The other possibility would be some sort of breach. And it may not be your choice whether it's reported as a breach or not. So for instance, if one of your employees has an email breach, a token theft, which is a really hard thing to guard against, it may not be your fault necessarily. There are always things you can do to improve security, so I'm not saying you can't avoid token theft, but it's not complete negligence. Token theft is one of those things, and we can go into depth on what that is, but it's one of those things that is harder to protect against. So if there's token theft and your employee, in other words, has a username, password, and MFA enabled on these accounts and they still get breached, some hacker gets in and sends out a whole bunch of fake invoices, for instance, which is a really common thing to happen, and 500 different people get them.
Maybe the IT department gets notified, the alert pops up, and they get in and do their due diligence and kick that sucker out within five minutes, but they've still gotten in and done a little bit of damage by sending out fake invoices to people. Then if one of those happens to go to, say, a prime, and they say, "Hey, you've had an email breach and we've got to turn this in." So there, even if you don't have any of that information in that system, you've got a whole different system for it, even if you don't have that, it may get turned in as a breach, as a cyber incident anyway, which it was, but whether it involves government data is a different story. Anyway, one of those may get turned in and they may come knocking and say, "Hey, we need to review. You say you're Level 1 compliant, let's review that." So that was a really long-winded story, an example of a breach, but I'm just trying to give you an idea of what kind of breach that may not even be complete negligence on your part may kick off some sort of review of Level 1 compliance. So if they do come looking for that Level 1 compliance, they're gonna say, "All right, you said you're Level 1 compliant, show us your documentation," and you go, "Documentation? You mean I have to have documentation for that?" They're gonna say, "Well, there's strike one right there." So you do need to make sure you don't phone that in and you actually do what you're supposed to do. Because there's a couple of instances right there, a breach or a whistleblower, that may bring the government in to review those things.
Austin: Yeah. One that we actually do see a fair amount for CMMC Level 1 in terms of verification is from primes or customers. We've seen them specifically ask for evidence and further documentation that things are actually in place. So that we have seen. So if you've got a customer that is doing their homework, you may find yourself in a situation where they're actually asking for evidence. That actually happens more in the near term; it's less of a risk of happening and more of a "probably will happen at some point."
Brooke: Absolutely. Yeah, and some of that is in the case of, you know, before you get awarded a contract, and some of it is kind of after the fact, a prime coming back and saying, "You know what, we need to firm all this stuff up and make sure our subs are good," and they may come back through asking for that stuff.
Austin: We've talked about when someone might find themselves in a situation where they're getting their CMMC Level 1 status verified. What is the risk of attesting and not actually being Level 1 when you said you were? If someone did come knocking, one of those scenarios we talked about happened, what could come out of that?
Breaches, Whistleblowers, and Customer Verification Requests
Brooke: Well, if you attested that you were Level 1 compliant and you don't have any of the documentation or any of the proof to back that up, that brings about the False Claims Act, which is no joke. They don't mess around with that. They said they were gonna make some examples of some companies. Whether the companies deserved it, the kind of example or not, I don't really know. Sounds like they probably did, but they have made some examples of some companies. Now this is mainly Level 2, but the ones they've made examples of, they've gotten fines in the millions, fines in the hundreds of thousands, depending on the size of the company, size of contract. So you can get fined, you could lose your contract, or if it's a minor violation, they might slap your hand and say, "Get things in order and prove to us that you did." But for just completely phoning it in and checking the box without doing any of your homework, that's a False Claims Act violation, and that's a serious violation. Something I would not want to do. Yeah, right. Level 1 or Level 2.
Austin: So if someone is listening today, preparing for Level 1 compliance, what's the main takeaway?
Brooke: So the main takeaway is really what we've been talking about this whole episode. Level 1 is not just about saying, "Hey, Level 1's easy. We've got it covered, we've got the basics covered." It is not about that. Well, it is about that, but it's also about being able to prove it: writing down what you do and doing what you say you do, right? And being able to prove it. So that's what it's about. It does take documentation; it also takes some actual technical controls, implementing those, but it does take some of that documentation. You have to do your due diligence and do the documentation, and save that documentation, save the artifacts, save the logs, stuff like that, and make sure that you're covered there. Again, it's not just a "check the box, we're good" kind of thing. It is an actual assessment, and proof is what you need.
False Claims Act Risk for Bad Self-Attestation
Final Takeaway
Austin: Awesome. Well, thank you, Brooke. Another thing I'm gonna bring up, my last prop that I have for today, is that this keeps coming up: Level 1 does in various different scenarios. And in preparing for today's podcast and everything, I guess I saw the need for some more education around this, because you get a lot of CMMC Level 2 stuff. People talk about it, there's other guides and stuff. CMMC Level 1 is just kind of the redheaded stepchild, if you will. So we've got kind of a draft here of just an all-in-one comprehensive guide on CMMC Level 1. It says simply, "Read this before you self-attest to CMMC Level 1." And that would be good. Yeah. So it just goes a little more in-depth and puts in written form everything that we talked about today. It tells you the problem, what self-attesting actually means, explains the False Claims Act information, explains the need for evidence, everything that we talked about in the CFR, the 32 CFR requirements. And then we have broken out in longer form what you just did earlier live, referencing it with your phone: each of the control IDs, the requirements, and then listed-out example evidence, so you can a little more easily find your way to what you actually need to do for each of the requirements. So we're working on this right now. It's not a super big priority because we've got a bunch of other stuff on our plate. But if you're interested in it, you're welcome to email us, give us a shout, and we'll put you on the list whenever it's done. We'll send it out. And if it happens to be done by the time this episode comes out, we'll provide a download for it as well.
But anyway, I just wanted to say that, so if this is something that you're facing, and we do hear from a lot of people as it keeps coming up, then we're working on a resource for it. And it's all comprehensive for you to DIY yourself. So there's that. Brooke, do you have anything else before we end this bad boy?
Brooke: I think I'll go back to documentation, documentation, documentation. Favorite three words, our favorite phrase there. That's what it all boils down to.
Austin: Need to bust that shirt out again.
Brooke: I do, I do. I need to remember to wear that shirt.
Austin: All right, well, cool. Well, thank you guys for your time today. If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.