CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC Supplier Questions Answered: Level 1 vs Level 2, Costs, Scope, and Flowdown for DoW Contractors
What do small machine shops, aerospace suppliers, and defense manufacturers really need to know about CMMC right now?
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke answer some of the most common supplier questions they hear from companies trying to prepare for CMMC compliance. They break down how small suppliers can plan when contract requirements are still unclear, what level of compliance may be needed, how far requirements flow down the supply chain, and why scope matters so much when building your compliance strategy.
They also explain common myths around redacted drawings, whether tools alone can make you compliant, what CMMC actually costs, whether small companies can do CMMC themselves, how big the jump is from Level 1 to Level 2, and what happens when CMMC becomes mandatory on contracts. If you are a DoW supplier, subcontractor, aerospace machine shop, or manufacturer trying to understand how CMMC will affect your business, this episode will help you cut through the confusion.
Austin: Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Well, Brooke, today we're going to do something a little different.
Rapid-Fire Supplier Questions
Brooke: Sounds good to me. Let's do it.
Austin: Instead of breaking down a single topic within CMMC, we're going to answer some of the most common questions we've collected, the ones we hear from small machine shops, aerospace suppliers, and the like.
Brooke: So it's going to be three hours long, right?
Austin: Yeah. I've tried to aggregate them all into major questions, but there is a good list of questions here. These are the questions they're asking when they're trying to understand how CMMC will impact their business. Many of these companies are trying to get ahead of compliance, but they're stuck because the requirements don't always seem clear.
Brooke: What? Yeah. That shocks me.
Planning Without Clear Flowdown
Austin: Surprise. So today we're going to walk through the real questions suppliers are asking and the answers they actually need to hear. Whether they like it or not. Exactly. So let's start with one of the biggest questions we hear from small aerospace suppliers, machine shops, and manufacturers when they're trying to prepare for CMMC. They're trying to prepare for CMMC, but don't know what their customers will require yet. They don't know if their contracts will involve FCI or CUI, they don't know if they'll need Level 1 or Level 2, and they don't know how far the requirements will flow down the supply chain. So how can a small supplier realistically plan on cybersecurity before those requirements seem clear to them?
Brooke: That's a very good question. So if I tell you I need to buy a new car, what are you going to tell me? Are you going to tell me what kind of car to buy?
Austin: You know, it depends if I'm selling it, I guess.
Brooke: There you go. Exactly. It depends on your perspective, right? If I'm a truck guy, I might tell you to go buy a Ford F-350 King Ranch. Or if I'm a sports car guy, I might tell you to go buy a Shelby Cobra, or who knows? But really, the answer is it depends. So if you're just getting into this and you're trying to figure out where to go, but you don't have any contracts yet, it depends on your risk tolerance, really. Are you willing to invest a lot of time and a lot of money to get some CMMC Level 2 contracts? Because that's really where it's going to be. The government says, you know, we're not trying to pare down the DIB, the defense industrial base. We want everybody to be compliant, we don't want to hurt that ecosystem. And while they may not want to, I think...
Austin: And they used to say that they had paid for it.
Brooke: They used to, yes. And they will still say that it's accounted for. But there are several factors to that. We could discuss that; that's another rabbit hole. But really, what is going to end up happening is there are going to be fewer CMMC Level 2 certified suppliers to the DoD to service all those contracts. So if you get certified early, or at least not late, I should say, then you have a lot better chance of getting those contracts more easily. The DoD, excuse me, the DoW, Department of War, actually comes out and says that. The primes will tell you that. So they want people certified, they need people certified. I hear from primes all the time, either people we know or through communications that we're looped in on with our clients, through email or phone calls or whatever. We hear about this all the time. And primes are saying, look, if you're this close, if you'll schedule your Level 2 certification and get that, you'll win contracts more easily. So hurry up, come on and do it, right? So the realistic view is that there are going to be fewer suppliers there. And if you're willing to put in the time and the effort and the money, I should say the money because it will cost you, then I think you're going to be in a really good position. So the first thing would be to figure out where you want to be exactly. If you have no clue and you're trying to position yourself, then you'll probably want to be as ready as you can, and that would be a Level 2 certification, and just consider that you'll be handling some sort of dissemination-restricted information. So for instance, like ITAR, the International Traffic in Arms Regulations; there are certain hoops you have to jump through for ITAR.
On the technology side, as far as CMMC goes, it means no foreign citizens can have access to any of that data.
Austin: Which is harder than it seems.
Brooke: It is harder than it seems, absolutely. For instance, if you've got a Microsoft 365 tenant, you already can't use Commercial, so you have to go to at least Microsoft 365 GCC. But if you're subject to any of those dissemination restrictions, specifically ITAR, NOFORN, stuff like that, that pushes you up into GCC High. Depending on what licenses you look at, that's somewhere around three or four times more expensive than Commercial. So it can be significant, right? And that's just an example of one of the things you need to look for. You don't have to have Microsoft 365 GCC High. You can do it without, as long as you scope and design right. But the point is, you need to think about all that ahead of time. And if you want to be ready and you want to get those contracts, then position yourself for handling CUI with dissemination restrictions, CMMC Level 2 certified. Other than that, if you already have some of those contracts and you're trying to figure out where in the world you need to be because nobody's clear, then you need to figure out what kind of data you have. Do you have any CUI? If you truly, truly don't have any CUI, then you might just have FCI, which is CMMC Level 1, right? So you need to figure out what kind of data you have, or what kind of data you will have or may have or want to be capable of having. So maybe you just have FCI data right now, but you want to get some of those Level 2 contracts, so you might want to go ahead and shoot for some of those Level 2 NOFORN, ITAR-type contracts, right? So you've got to figure that out first: what kind of data you do have, or what kind of data you want to be able to handle. Once you do that, it makes the path a lot clearer. What I can also say about that is two things.
One, there's hardly anything marked right now. They are getting a little bit better at it, but a little. And if you're listening and you can't see, I've got my fingers very close together, almost pinched together, saying very little. But yeah, there's very little that's coming out that's actually marked. We talk to some people at Lockheed and some of the other... well, I shouldn't even say Lockheed. Sorry, pretend like I didn't say anybody's name. It's the same across all of the primes. You talk to certain people on the inside, and they're like, yeah, we mark everything. And not that we are a subcontractor of a prime, but we talk to them all day long every day, and they're telling us we don't see anything that's marked, or we see very, very little that's marked. So there's a disconnect there. But the government realizes that. They're trying to get better. We'll see. So the next thing is, if it's not marked, do you think you have CUI, and why do you think that? Well, it's because of the DFARS clauses on my contracts. That's why I think that. That's very valid. If your prime is telling you you have to be Level 2, that's a good reason. It's also okay to ask what is CUI. Is this document you sent really CUI? Or, I think this is CUI; why is it not marked as CUI? They can help you out. I know you don't want to bite the hand that feeds you, but it's okay to ask. Just be respectful about it. But it all boils down to what kind of data do you have, or do you want to be able to support.
Austin: Yeah, I was thinking while you were talking, it'd be really funny to bleep out Lockheed. Every time we say Lockheed, we just bleep it out.
Brooke: I know. I think in our area, they're the 800-pound gorilla, I guess. Maybe that's not a good phrase either, but they're a big contractor around here, so they show up a whole lot, so they come to mind very quickly.
Austin: Maybe we'll do that in editing.
Brooke: And I think they're only 20 minutes away from here. Of course, I think there are a bunch of other contractors, primes, that are not very far away from here, too.
Upcoming Guests From Primes
Austin: So we are in a hub, that's for sure. Yes. Speaking of primes, and sorry, I'm the marketing guy, I can't help myself, but we are working on getting one of the big boys, or representatives working there is probably a more accurate way to say it. We are working on getting some primes on the podcast so that we can get their perspective and what they might say to the small and mid-size supply chain out there. So hopefully we get that. Stay tuned. That is in the works. And we're also working on another assessor, a C3PAO organization, coming in as well to get that perspective. So just a little teaser for future episodes.
Brooke: Absolutely. And I'm looking forward to both of those. The gentleman from the prime, at least one of them that I know you're looking at, we've worked with, we know him, and he'd be a great one to have on the podcast. So keep an eye out for that one.
Redaction Myths And G-Code Risk
Austin: The question we just went over was essentially about how you plan for compliance without knowing. And I think in my simplistic brain, the government is basically just raising the barrier to entry for their suppliers, right? Their supply chain. There's the increasing level of... CMMC is going to start being required on new contracts before you can even compete for them. So that's just an unfortunate new reality that we're going into. So naturally people look for very creative ways to make that burden or barrier of entry as low as they can, and as they should, right? And the reason I'm bringing this up and making that connection is that a question we hear a lot from people is that if they have drawings or CAD files or documents or whatever else, there are some people out there saying that if you just remove the customer name or program information or some pertinent details like that from the drawing or the document, then once it's redacted, it stops being CUI. Is that true?
Brooke: No, I'd be really careful with that one. If you can redact enough information off that for what you have to be considered a commercial off-the-shelf product, then you might have an argument. But if you're just deleting the customer name, maybe the original part number, or you're mixing and matching part numbers, I wouldn't play that game, because if something happens, it's relatively easy to figure that out, right? What we're trying to do, at a simplistic view, is keep China, Russia, all of them, from being able to copy all of our military tools, right? All of our stuff. So the F-35 and the J-35 and Humvees, laser systems, all that kind of fun stuff. We're losing billions of dollars a year, and probably trillions of dollars over a few years, of all this stuff to China, for instance, and they always bring up China because China's really good at stealing stuff. That's what they're trying to prevent with all this. So if somebody can hack in and get some drawings and go, well gosh, there's no company name on this, I guess it's no use... No, they figure out that you do work for one of the big primes, and they've got these drawings here, and oh my gosh, they look like they might be a part to an F-35. Look at here. So they can figure those things out, right? All that to say, just redacting a couple of things off that spec or drawing or whatever it might be, I'd be very careful about saying that's not CUI then. Another way I might point this out is G-code. All G-code is is instructions. Go here, do this, go here, do that, for a CNC machine, for instance, right? That's all it is.
Are those considered CUI? Because it's not what the government sent you. You took that and you made it. Yeah, but you made it in accordance with that contract, for that contract, and it can be related to what you're making. So it's just instructions for a machine, but when somebody puts those instructions together, they can still figure that out, right? So that G-code... and this will be a big argument too for lots of folks out there, because it's been an argument for quite a long time.
Austin: But also one of our upcoming episodes. Great.
Brooke: So go look up Jim Goepel; he's been around CMMC for a long time. He's been counsel for FutureFeed and some other places, and he's written some books on it, and basically he says that G-code is CUI, right? Not that his word counts, but he says that. Lots of other assessors say that. The Cyber AB has had him on before to talk specifically about that. Not that the Cyber AB can make that determination, but I'm trying to lay out that he has some authority on the subject. So if he says that about G-code, simply deleting a couple of things off a drawing, a couple of bits of information, is not going to make it not CUI. Right?
Austin: Yeah, when you step back from the nuance and the arguments and everything else, and you just look at what's the intention of CMMC and what are we trying to achieve here, if you come at it from that lens, then a lot of these workarounds, or people might call them loopholes or whatever else, if you judge them against that lens, then you can make an assumption as to how the Department of Defense or Department of War might see it, right? And so sometimes, or at least from our perspective, it's better not to pick certain fights, and it's easier just to go with the intention of what is trying to be accomplished rather than work around the little details or nuances, because at the end of the day you're going to be more successful with it, we think, and really just implementing it as it's intended is going to get you a lot farther in the long term.
Brooke: Absolutely.
Austin: So it's safe to say that redacting information from drawings and whatnot is, we would say, probably not the go-to move for making stuff not CUI.
Brooke: Correct. Not that that won't work 100% of the time. I'm sure there are some instances where you can make it work, but I would not depend on that. I would not at all depend on it. Yep.
Austin: So another question that we get a lot, and it's one that we mention a lot, is that people typically like to skip to implementation.
Brooke: Just get it done, right? Just jump in there and get it done.
Austin: Get it done. Yes. So basically the question is, can tools make you compliant, right? Typically they'll mention some of the more notable tools in the space, or other ones that accomplish the same thing. Some that come up a lot are PreVeil, ThreatLocker, stuff like that. Can I just buy these and they make me compliant?
Brooke: Well, you named one of my favorite ones, ThreatLocker. That's a really good tool. But the short answer is no, they can't make you compliant. PreVeil is great. Some of these other solutions are great, but you have to realize that they don't fit every scenario perfectly. In fact, they hardly fit any scenario perfectly. And so each of those tools can absolutely be part of your solution, but most likely it's not going to be all of your solution. And I'm talking about things like CMMC-in-a-box type solutions. You might call PreVeil one of those, and I don't mean to dump on PreVeil. I like PreVeil, it's a great solution.
Austin: We counsel a lot of our customers to use PreVeil. Yeah.
Brooke: So it's a good solution. You've just got to know all these solutions, how they fit into your environment, how they can fit in. Microsoft 365 GCC High, that's great. Does it fit in your environment and will it completely work for you? You've got to figure all that out, and figure out where it fits in, where it doesn't, what solutions might be better than the others, because you can't just say, take this one solution and it works for everybody, right? Or it works for 75% of everybody. There's hardly any solution that'll fit into any environment and be the solution for CMMC. We deal a lot with manufacturers, and when you're really talking about all this, this is the defense industrial base, so you're talking about manufacturers and construction. There are a lot of companies out there that don't necessarily do the construction or do the manufacturing. Maybe they just handle the data, and there are a lot of CMMC-in-a-box solutions that will fit them, absolutely. A thousand percent. But when you start getting into the majority of the DIB, they won't fit neatly into one of those solutions. So you really have to plan it out and figure out what all you need out of a solution.
Austin: Yeah, so buying a tool to be compliant is like buying eggs to make a cake. Right? Yeah. You need eggs, certainly, but eggs alone don't make a cake. Right. It takes a whole recipe, right? So eggs are a required ingredient, but you have to preheat the oven, you have to mix it a certain way. If you don't mix it well, it's going to be clumpy. There are all of these steps in the process to make a good cake, and your compliance is just like that. If you miss a certain spot, it's going to be runny or taste like crap or be dry, and so all those eggs matter. Certainly a requirement, but it is a small piece of that puzzle.
Brooke: Absolutely. And there can be easy cakes to make and there can be complex cakes to make. There can be big cakes and little cakes. So your cake example works pretty well, actually.
What CMMC Really Costs
Austin: I get a good one every once in a while. I think this is your favorite question, this next one. I probably should have made this the first question, to be frank, because it is probably the most common. I don't know. Yeah. We always say this is one of the most common, and I think we say that about all the questions, but this is probably the most common when you start keeping tallies. And that question is, how much does CMMC actually cost? It's one of the biggest unknowns, and companies hear wildly different numbers. The DoD or DoW has their numbers, and then you go source quotes and you hear a big range from a bunch of different people, and then you just hear everything. And there are solutions, ten different ways to solve your compliance concerns. How much does CMMC realistically cost? You can't even say that with a straight face.
Brooke: So I was going to say that's a $64,000 question, but it's likely a lot more than that.
Austin: That's just the assessment.
Brooke: Yeah. So when you consider your assessment is going to start off, we generally tell people, small manufacturers, to think about sixty thousand dollars as a beginning point for those assessments, right? They can be less than that, and they very well may be less than that, but I'm not going to tell people to budget less than that, because until you get in and you figure everything out and you know who you're hiring, and you know if prices have gone up by the time they get there because of surge pricing or whatever it may be... It may be sixty thousand, it may be less, maybe a little more. It depends on your environment too. But a small manufacturer, I would intend on spending at the very least sixty thousand dollars for an assessment. Could be thirty-five, I doubt it. Could be sixty-five or seventy. If it's more complicated, it can get more than that, if there are multiple sites. But we're talking a small single-site manufacturer, I'd plan on sixty thousand dollars. And this is just for the certification. That's every three years, right. Once every three years. So just for the certification. Then I would suggest, since this is a first go at it for everybody, I would suggest a mock assessment. And a mock assessment is the same thing as a certification assessment, except they don't do the certification part. They do everything just the same, they just don't upload it to the government. They come back and they say, okay, here's how you did, here are the controls that are met and not met, here's why. We can't tell you how to fix it, but we can tell you why it's not met, right?
Austin: It's an expensive pass/fail. But a low-stakes way to proceed.
Brooke: Yeah, and we've gone over why you should do a mock assessment before. We can go over it again, but we highly suggest a mock assessment as well. Generally C3PAOs do those different ways. But generally, if you schedule a mock assessment and an assessment with a C3PAO, the mock is generally 50 percent. So maybe $30,000 for a mock assessment. Again, small manufacturer, single site, right? Then if you happen to have an MSP or something that's helping you, you've got to consider their time. And their time is going to be some sort of a fee, a project fee, to go through that, because there is a lot to get together.
Austin: An MSP or your consultant, or the same person. So it could be two people you're paying, or one.
Brooke: Right. So I would figure somewhere around another thirty to sixty thousand dollars for that. And this is just for the assessment.
Austin: And the reason for that is the sheer amount of evidence that has to be prepared, and then they have to sit through the assessment with you, with you, not for you. So there's a lot of labor there that you should account for, as we're saying.
Brooke: So just for that assessment, once every three years, or the first time at least, you're talking $120,000 or so, right? Just for the certification assessment. Which is about on par with what the government said. But then you've got to figure in... it really depends highly on your environment and what you're going to do to get there. But there's going to be a big time investment, either on your part, or on your part and with somebody else, a third party, an ESP, to come in and help you get there. So you could probably overall figure another... it really depends, but you could probably figure another hundred thousand there. Getting servers in place, getting your network split up and VLAN'd off, getting an enclave in place, whatever it may be, getting all that stuff in place. You're probably going to need some more cybersecurity-type tools, different ones than you have right now. You may find that you need Microsoft 365 GCC High. You may want to do your whole tenant, or you may want to do a separate secure tenant for that. Again, that's all part of scoping and you can figure that out. But we're talking $120,000 or more, possibly less, but I wouldn't necessarily budget on less for the assessment. And then maybe, and there's a wide range here, maybe a hundred thousand to get ready. But it depends on how you're doing that. If you have an MSP helping you, there are going to be monthly services, and what all there's going to be. It's a huge range that there could be, but it is an investment. And it's an investment in time and tools. That time can be yours or it could be somebody else's.
And if it's yours, if you already have CMMC Level 2 experts, then maybe your time is not going to be as expensive as hiring somebody in. But if you don't already have experts and they have to go through and become that CMMC expert, then you'd better get ready to start sending them to conferences, sending them to training, all that kind of fun stuff. And the time you pay them for is going to grow. It's not just implementing it, it is learning CMMC. So you pay for that expertise one way or the other. And the amount of buffer time you have for that, you need to consider. So all that's a wild... or I keep saying wild, but all that is a wide range of costs and time input. And you're either paying your employees for time or you're paying a third party for time. If you're paying a third party, you're generally shortcutting that experience timeline, because it will take quite a while for internal employees to become CMMC experts. Anyway, there's a large investment there.
Austin: So you're always going to have your preparation costs, right? Whether you do it internally or externally with a consultant. So that'd be general planning, documentation, policies, stuff like that. Then you probably have to swap or replace some of your cybersecurity tools, maybe some vendors that you have. So those are probably going to be considered ongoing costs. And then you may have some implementation costs, like a Windows 7 machine that's sitting on the line or an old server version in the server room that needs to be replaced or something. That's kind of the X factor, right? It could be small, could be really big. And then you have to have some period of time in which you are doing everything perfectly to a T, right, for evidence. And then you have to collect all that evidence, put it up into an evidence package, and then go through an assessment, right? And so every step of the way you're going to have vendors or internal people to pay to do that, right?
Can A Small Shop DIY
Brooke: Right. And the other caveat I might add is that the certification assessment is once every three years, like you said. But you won't necessarily have to pay for that mock assessment every three years. Now, if you have some substantial changes, it might be smart, but the second go-around through this, if everything's relatively the same, maybe just more growth or something, but your environment is the same other than that, then for your next certification assessment you ought to be in a lot better position. There'll still be a lot of getting ready for it, but you ought to know at that point what flies and what doesn't. And so the mock may not be necessary in subsequent certifications.
Austin: So that naturally leads us into the next question, which is, can small companies do CMMC themselves?
Brooke: Well, yes, they can do it themselves. But it goes to one of the things I was saying just a minute ago: do you have that internal CMMC expert resource? Or do you want to help somebody become a CMMC expert? And if you're gonna do that, that's fine, but you gotta realize it's gonna be a big time investment. You can't just send them to a class and go, you're good to go. It's a lot more than that. Going to class teaches you the controls and how assessors look at those controls and how they assess them, but it doesn't teach you how to implement those controls in a manufacturing company where fifty percent of their contracts are DIB and fifty percent are commercial, and they run everything on the same lines, and, oh by the way, they have what you mentioned: a Windows 7 computer that controls a $300,000 cutting machine, and no, they're not gonna buy a new $300,000 machine. So you have to figure out what you're gonna do with that. It doesn't fit all that, and you have to figure all that out. You have to figure out what's okay and what's not, and one class does not teach you that. So CMMC conferences, and the time investment of listening to and understanding the Cyber AB town halls, are a good thing. Training: CCP training, or you can do the RP training, the Registered Practitioner. I would say that is very, very basic, a beginning that does not an expert make, believe me. It helps kind of get your feet wet, but that's about it. The RPA, the Registered Practitioner Advanced, is the next level above the RP. I don't exactly know what all the RPA entails.
I've not taken that one. I've not talked to anybody that has. Supposedly it's more in-depth and a better example of what needs to be done for CMMC. However, when you start getting into the CMMC Certified Professional, the CCP, that's when you start getting into really understanding how an assessor looks at these things. If you can do that and maybe do a CCA, a CMMC Certified Assessor, whether you actually become an assessor, that's a different story. But if you're just trying to learn everything you can to make sure you really understand, at least taking that CMMC Certified Assessor training would be a good thing. So as you can see, with all this training and going to some of these conferences, chatting and yucking it up with a bunch of CMMC geeks, as fun and exciting as that may be, you learn a lot doing that. There's an investment in time, an investment in training, for somebody internally.
Austin: And a cocktail budget, you're saying.
Brooke: Yes, and a cocktail budget. Absolutely. Yeah. So if you're gonna come talk to me at a conference, it sure does help for you to bring me a cocktail. It loosens things up. A gallon, there you go. A gallon of Balvenie, maybe. Or you can just bring me a free drink from the show floor. Just kidding.
Austin: But I do say, down here in Texas, the best beer is cold beer. The best beer is cold beer.
The Recurring Work And Evidence
Brooke: That's right. Exactly. So if you're gonna do it internally and do it yourself, you really have to invest in some training to do that. And a lot of reading, a lot of understanding, a lot of really delving into processes and how your business does all this. And if you take your estimator or your quality guy and say, hey, go learn CMMC and implement it, it's probably not gonna work unless you invest a whole lot of time and say, you know what, the quality job or the estimator job that you were doing is now secondary and we're gonna hire somebody else to do that; your primary is CMMC. Then it might start to begin to work. But not even there. And then you have to figure out what tools are acceptable and what are not, what handles SPD, what handles CUI, what doesn't. You have to figure all that out. So there's a lot to it. And then the other part of that is, once you really understand all that, now you've got to write some policies. You gotta write some procedures and some plans, and you gotta gather all your lists. And what do your lists need to look like? What does your policy need to look like? So are you gonna draft all that from scratch? Are you gonna use somebody's policy templates? And I would say be very careful using somebody's policy templates.
Austin: Verbatim.
Brooke: Yeah. Well, not even verbatim. A lot of them don't really address all of the controls, and a lot of them mix procedure or plan into policy. And it depends on how you want to write them too, I guess. But anyway, you've got to write all those policies and plans and procedures and all that kind of fun stuff. So there is a lot to it. And if you're a technical person... I'm generally, if you don't hear me on this podcast, I say as few words as possible to get a point across, and I write as few words as possible. All my documentation that I write is gonna be bullet-pointed, short, sweet, to the point, just get the point across and be done with it. That's not necessarily how policies should be. So if you start writing policies and you're like me and you use very few words, you're gonna have to figure out how to expand on things and really get the point across. So sometimes in those cases, policy templates do help. It helps get that thought process started, but do not depend on those policy templates to address everything. You're gonna be highly customizing them. I can almost certainly guarantee you that.
Austin: So that's a good segue into the next question I've got for you, which is, what does the day-to-day workload look like for someone that's DIYing their compliance?
Brooke: Well, it depends on how you implement. But there's all sorts of things. Audit logs need to be reviewed for all your systems. Your visitor log needs to be reviewed, on some sort of scheduled basis, maybe not daily, but there's a lot of things that need to be done quarterly or annually that you need to make sure you get done and get documented. Your SSP needs to be reviewed, your logging needs to be reviewed. There's all sorts of stuff that needs to be reviewed. So some of that's on a daily basis, some of that's on a quarterly basis, and some of that is annually, but it needs to be reviewed. You need to show proof that you actually do these things and that you actually are managing the environment. Because that's what this is all about: ongoing management of the environment. Not that you put some stuff in place and completely forget about it and dust the binders off whenever the auditor comes in. That's not how this works. And if you do that, you'll probably fail the assessment. So there are all sorts of things that need to be done on a schedule: daily, quarterly, annually. When people are onboarded, when you have a new user, do you have an onboarding procedure? Do you have a checklist? Do you have proof that you went through and gave them the access they're supposed to have? Do you have authorization for that? There are all sorts of things you need to have documentation for that are just part of the daily workflow. As a new user comes on, you need to remember: oh hey, HR is requesting a new user be set up. I've got to go through my handy-dandy little checklist here and make sure that I get everything done.
So anyway, there's a lot of stuff that needs to be done on a recurring basis.
Austin: So another common assumption that we hear, or question as well, is that companies should start with CMMC Level 1 and then work their way up to CMMC Level 2 at a later date. Is that the right approach?
Brooke: That's another "it depends" one. Right. So it can be. If you don't have any contracts that you know of that have Level 2 compliance, any DFARS rules that say you need to be Level 2, then that may be a way to go. But if you do, then you need to do a gap assessment. I would say getting Level 1 first and then going to Level 2 is not necessarily the direction you want to go. You really want to do a gap assessment, see where you're at, see where you need to be. Part of that gap assessment is gonna be: what kind of protected information do I handle? Is it FCI? Is it CUI? Are there dissemination controls on it, like NOFORN or ITAR or something like that? EAR data? What kind of data do I have that needs to be protected? Once you figure that out, you do your gap assessment, figure out where you're at, then you can start putting a plan together of where you need to be. Or, well, you know where you need to be at that point, but putting a plan together of how to get there. So that could include going to Level 1 first, but it may not. A better plan may be just to do that gap assessment, come up with a plan, and start implementing the different things to become Level 2 compliant. And in the process, if you want to cover all the Level 1 controls first, that's certainly a way you can do that. Absolutely.
Austin: Not gonna hurt you.
Brooke: No, it's not gonna hurt you. Could draw things out a little longer, but it may or may not be the right way to go. It kind of depends.
Unknown: Yeah.
Austin: So how big is the jump from Level 1 to Level 2? Quite large.
Brooke: Quite large. Level 1's nothing to sneeze at, but people typically do sneeze at it for Level 1. We just finished recording another episode on Level 1 not too long ago. But Level 1, people typically phone in. They say, check, we got that, right? We're done. Well, do you have a policy? Do you have your authorized list? No, I don't... yeah, I've got my authorized list, it's Active Directory. No, no, no, it's not. That could be part of it, that can be where your list starts, but you gotta show where you've categorized people, where you have something saying these people are authorized. So in Level 1, there are some things that are required that you actually have to do. You actually have to document, you actually have to prove that you have logs, for instance. So there are things to implement on Level 1, but there's fifteen or seventeen, however you look at it, controls for Level 1, and somewhere around fifty-nine or so assessment objectives for Level 1 that you've got to do. So that's not that difficult. But then for Level 2, there's 110 controls and 320 assessment objectives. And at first glance, looking at some of them, you're like, oh, that's easy. And then you start looking into it, really figuring out how you're really gonna do that through all your systems, and what's in scope, what's out of scope, and all that kind of fun stuff, it starts getting a little complicated. So again, that's part of scoping. But Level 2, there's a lot more to it, so there is a big jump.
Austin: So I think we already answered this one earlier, but I'm gonna ask it anyway because it is again one of the common questions, and that's what we're going over today.
Policy Templates With Caution
Brooke: I kind of jumped the gun on this one, I think, but go ahead.
Austin: It's all right. It's all right. So the question is: are there not just policy templates that I can use to get this done?
Brooke: Absolutely, there are policy templates that you can use to get this done. But there are some that are better than others. I've seen some that people have paid good money for, and they're pretty good templates. I've seen some that people paid pretty good money for where you're like, there's a lot of words on there, but what the heck does it mean? Anyway, they're all over the place. But what's common across all of them is that you'll want to look into it, then match it up with the controls and the assessment objectives, and ask: does the policy cover all that? Between the policy and your SSP, are you going to be able to cover all those assessment objectives? Really, the assessment objectives are what you need to worry about, not necessarily the controls themselves, because if you take care of the assessment objectives, that takes care of the control, right? So really that's what you want to pay attention to. You want to make sure your policy covers all those assessment objectives. Generally you do them by family. A lot of people will split out Access Control into several policies because it's kind of a beast. But the point is you'll want to go through each of those policies and make sure that they do address all the controls and all of the assessment objectives properly, and that it fits your environment, right? Because they write them with the whole DIB in mind, not you. And generally when you get policy templates like that, they're written by someone who doesn't work in the space, somebody that doesn't necessarily do cybersecurity and IT for a medium-sized DIB manufacturer, or, especially, construction.
Talk about the redheaded stepchild: construction is one of those. You think the manufacturers are in a bad spot in some of this stuff; the construction contractors are in a tough spot with a lot of these things. So in any case, it almost certainly does not fit your environment perfectly, and you need to go through those.
Austin: What happens when CMMC becomes mandatory, and is it already mandatory?
Brooke: It is mandatory. There's four phases to it. So we're in the first phase. It started on November 10th of 2025. And this first phase ends, I guess it would be, November 9th of 2026, and phase two would begin on November 10th of 2026. So phase one is essentially what everybody's doing right now: self-attestation, self-assessment, and reporting your scores. Where there wasn't before, there's now a definite, 100%, thousand percent, million percent deadline to this. You know it's coming, you know how far away that light is at the end of the tunnel, and it's coming, right? So when phase two gets here, Level 2 certifications will start being required on contracts before you can be awarded a contract. So at that point, the rubber is really gonna hit the road. And if you're not ready before then, and you decide towards the end of this year that, hey, I think it's time to get Level 2 certified, let's do that before November, you're gonna be sorely disappointed; it's gonna be very tough to make it before November 10th. So if you haven't already started, good luck. It's gonna be tough. But November 10th of 2026 is coming. That's when it's required on contracts. So yes, it's required now, but phase one is what's required. Phase two is when it's required on contracts. And if you do work for a prime or some other contractor, if you're a sub of somebody, they might require it of you sooner than that.
Austin: So I think that's all the questions we have for you today, Brooke. And thank you for joining us today, everyone out there. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.