CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
How Prime Contractors Evaluate Supplier Cybersecurity and CMMC Compliance
What are prime contractors actually expecting from suppliers when it comes to CMMC and cybersecurity?
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke sit down with Bo Birdwell from Elbit Systems of America to get the prime contractor perspective on what suppliers need to understand right now. They break down how primes are thinking about CMMC, what they are looking for in small and mid-sized defense suppliers, and why some companies are about to hit a major inflection point if they are still treating CMMC like it is optional.
Bo shares how Elbit evaluates supplier cybersecurity posture, the red flags that stand out immediately, and why companies that wait too long may not miss the bus entirely, but they may lose their place in line. The conversation also covers flowdown realities, the difference between FCI and CUI risk, why COTS matters, what “adequate security” is really about, and why suppliers need to start making serious decisions now if they want to keep or win defense work.
If you are a machine shop, aerospace supplier, manufacturer, subcontractor, or small business in the defense industrial base trying to understand how primes view CMMC readiness, this episode gives you a rare inside look at the other side of the table.
Welcome And Guest Introduction
SPEAKER_01: Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns, getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we've got Bo Birdwell from Elbit Systems of America joining us. Bo brings the prime contractor perspective to the conversation. A lot of our listeners are small and mid-sized companies in the defense supply chain: aerospace manufacturers, machine shops, subcontractors who are trying to understand what companies like Elbit are actually expecting from their suppliers when it comes to cybersecurity and CMMC. So today we're going to talk about how primes are thinking about CMMC, what they're looking for in suppliers, the common mistakes they see across the supply chain, and what small businesses can do right now to demonstrate progress. Bo, thanks for joining us.
SPEAKER_02: Thank you, Austin, for having me here. I do want to let the record show that today is St. Patrick's Day when we recorded this, and I am the only person on this call wearing green. May the record show that.
SPEAKER_01: You know, I thought about that earlier. I was listening to the radio and they said something about that. I messed up on that.
SPEAKER_02: Well, you're the redhead, so if anyone looks Irish on this call, that's you. If Brooke was red, that ship has sailed. But it has, hasn't it? Right, dude. It's good to talk to y'all. And yes, I'm very happy to represent the perspective of a company that's about 1.6, 1.7 billion dollars in annual revenue. Our parent company is somewhere over 10 billion in annual revenue. We're very proud of some of the stuff we do to defend this country. We're a big part of the night vision device capabilities for this country; we're one of the major suppliers for those. We're a big supplier of JHMCS, the Joint Helmet Mounted Cueing System. We do some important things for bombs, and then outside the Department of War, we actually do a lot of stuff for Customs and Border Protection, as far as the wall security. And one thing we're also proud of: the reason that it's called Golden Dome is because our company owns the term Iron Dome. There's a trademark. So we're actually the ones that are the Iron Dome, and we're actually hoping to be part of the Golden Dome initiative. I'm hoping we can address any questions y'all have that might help align some suppliers to better prepare themselves. I know the elephant in the room that I think everybody is aware of by this point is CMMC. And hopefully we can crush any CMMC flat earthers out there, to help them see that it's not a fringe science thing. It's real.
Bo’s Role Inside Elbit
SPEAKER_01: Absolutely. No, I appreciate it, Bo, and appreciate you joining us. I think this will be really valuable for everyone listening. Do you mind starting off by introducing yourself, your role at Elbit, and then how your role involves working with suppliers and how that ties in with cybersecurity, aka NIST and CMMC?
SPEAKER_02: I started working at Elbit back in October of 2018. I started in engineering, where I stood up what became a cyber engineering directorate. And then in 2020, I moved over to the corporate side to be the deputy chief information security officer to help prepare us for CMMC. We spent five years getting ready for CMMC because we had the time, so we had the luxury of time, right? Because one of the truths in IT, or truths in business, is a truth for a reason: fast, good, and cheap, you can choose two. By doing it over five years, we were able to look at options that aren't quite available to those who are trying to do it in five months. We had the opportunity to learn from our mistakes. From the deputy CISO perspective, I helped with a lot of the documentation. We got a lot of positive feedback from both DoD DIBCAC auditors, and I've been through three of those, two highs and a medium, and two CMMC assessments, not because we failed any of them, but because we have a subsidiary at Azure Network. In all of those cases, they were very positive toward our documentation, because we were able to show not only did we have procedures, not only did we have processes, we'd iterated them. And it kind of points to that maturity: your ink's not wet. Those are some things I was able to do there. Then, because we had a little more time than maybe some companies have right now, not a whole lot, but last summer, when we got our house in order, we really started looking externally at our supply base and realized that from a supply chain perspective we really didn't have a good understanding of the cybersecurity compliance of our suppliers. So the company made a decision to move me over from being the deputy CISO to being a director of supply chain business excellence.
And my initial task, hopefully to end by Christmas of this year, is to normalize CMMC compliance within our supply chain processes. We've made a lot of headway in the last six months, and we're seeing real progress. We're one of the more vocal companies out there. If you look on our website, we've put out three letters in the last four months. There'll be another letter coming out probably in April, maybe later this month, but definitely in the next 45 days. We try to keep our suppliers aware of what we're doing, and we're really proud of the fact that when we ask for people to reach out to us that are level two compliant, we take that seriously. We've gotten good feedback from that. We've had over a dozen companies that are level two compliant today reach out to us that we didn't have a business relationship with, and they're wanting to make sure that they're on our Rolodex. As we're fleshing out our Rolodex, they are absolutely part of it. That's kind of what I'm doing right now. I will evolve to other things in the future, but right now a big portion of what I do is I'm the company's CMMC project officer. Anything CMMC related, I work with the lawyers, I work with supply chain, I work with IT. I don't know all the DFARS clauses; the lawyers do that, but I'm pretty comfortable talking about most of the ones related to cybersecurity requirements from the defense side.
From Air Force To Cyber Risk
SPEAKER_01: Appreciate that, Bo. Yeah, and this is a great segue. My next question is, how did you get into the defense industry and this side of the business? Your background, a little bit.
SPEAKER_02: I retired after 20 years of active duty service in the U.S. Air Force in 2016. I had the opportunity there to work with every airframe in the first half of my career. Then I transitioned more towards cyber in the second half, the last 10 years of my career, where I was able to actually do full spectrum: not only command a squadron that did the whole range of cyber operations, but actually help to orchestrate the cyber operations, not just talking about bad guy stuff, but also defending the networks for the entire Air Force in the last couple of years of my career. Like most people, I have a lot of happy memories in the military. I know the older I get, the better I was, and it's been 10 years, so the stories now are like the fish is really big. But that's what I did for 20 years of my life, and then for the last 10 years I've been at Elbit, and before that I did a couple different things. I'm really excited about securing our data, because again, my background in the military tells me this is a real threat. Not that that's a secret anymore; that's pretty common knowledge now that the nation states are in your networks, and criminal actors are trying to break your network so they can get money. Cyber is real. I've had some great opportunities to really mature risk management and address it from a cyber perspective. That's something we actually get a lot of positive feedback for: we've done a pretty decent job of translating cyber risk into monetary figures. For that it's gotten some credibility with our leadership and with outside parties, including major primes. And I define those as the big six. Absolutely, good.
SPEAKER_01: Thank you. And over your career, you started in the military and you've developed into your role at Elbit. How have you seen the cybersecurity expectations evolve in the defense supply chain over your tenure?
Why CMMC Became Nonnegotiable
SPEAKER_02: I think there was a lot of thrashing in 2017. I'm sure y'all are aware of this: what became CMMC, the DFARS requirement, started in 2012 or 2013, and then went live in December of 2017. At that point, I would say there was real consternation, but people were saying, okay, did anybody get decapitated? No. And they made conscious risk decisions. A significant portion of companies, not necessarily by size, made decisions to defer costs, not realizing that they would be deferring costs for such a long period of time that it became almost overwhelming tech debt by the time people had to make a decision. Unfortunately, because the rulemaking process took a long period of time and it transitioned between administrations, there are some people out there that became CMMC flat earthers. What I mean by that is they really just don't believe the earth is round. They think CMMC is going to go away, they think it's a joke. I don't know how to talk to them, because I have contract requirements that have CMMC in them today. And I'm not talking about just level one self-attestations; I'm talking level two C3PAO. So it's not hypothetical, it's not over the horizon, it's here today, and that is something I think many companies are still struggling with. I'm personally predicting that there is going to be a sea change in many companies' attitudes towards CMMC, because in the next six months people are going to start seeing business opportunities walk away from them. So that's me going out on a limb, looking in my crystal ball, however you want to say it.
I think there are people on this call who are going to see a business opportunity dry up or not follow through, because someone is not going to select them because they've made a risk decision. Which is fine, we're all adults, but just realize you made a risk decision. I think that's something you'll see in the next six months, and that's how you'll see it evolve. As companies actually see opportunity costs hit them, they're much more likely to make strong action statements, and you'll actually see people trying to get CMMC compliant in single-digit months versus single-digit years.
SPEAKER_01: That brings up my next question; it's a great segue. So you mentioned the CMMC flat earthers, basically the people that have seen the requirements transition from NIST to the different CMMC versions, and for some of them it still feels like something that isn't real, isn't happening. To me, it feels like they've missed that inflection point. At what point has it started becoming real? From your opinion or perspective, at what point did supply chain cybersecurity really start becoming real? What was that inflection point where this really started to matter?
The Inflection Point Suppliers Miss
SPEAKER_02: We put in one of our open letters that 31 days into phase one, we got our first level two requirement. I think a senior leader in our company put it pretty well: that was quick. We've had senior leader conversations well above me, getting our arms around the health of our supply chain, because no one builds anything without a supply chain. I don't care who you are. I just think people need to be very confident that this is not something where they can play chicken with those above them in the chain, because the company above you, whether it's a prime or a higher tier supplier (maybe in some cases we're not the prime, we're a sub, but we're still higher than our supply base), if there's an option between a company that is certified and a company that's not, I don't think a lot of companies will be struggling with that decision. I think that's going to be happening more often in the next six months than people expect, because they think they have six or seven more months until November. But not everybody on the DoD contracting officer side is holding off on putting those clauses in there. So that inflection point has already passed. I think each company will find that inflection point. I'm saying that was our inflection point. But for the people listening on this call, that inflection point is probably going to happen to you in the next six months, where someone's going to ask you that question, and depending on your answer, you might not get another phone call. I think that's going to happen a lot in the next six months and definitely in the next 12. To use your term, the inflection point, I think most companies are going to have that oh moment.
UNKNOWN: Yeah.
SPEAKER_00: So, a question related to that, Bo. Say a company misses that inflection point, and they know they've got to get on the ball and get things done. And so down the road, later this year, end of the year, whatever it may be, they get their level two certification. Now they're all good to go. What do they do at that point? Have they missed the bus?
SPEAKER_02: I hesitate to ever say someone's missed the bus. I will say you probably missed a PO. But as far as being done, I don't know of anyone that would say that you're done. I think what happens then is it's like standing in line for three hours for a ticket, and then you decide, man, I gotta go to the bathroom or something, whatever. And now no one's going to let you go back in line where you were. You had a great place in line. Maybe you waited 18 hours, I don't know, and you had a strong bladder, but then at some point you decided you have to cut out of line, and Billy's going to keep your place. I put it unlikely that Billy is going to keep the place. So what's going to happen is you might actually fall back a lot further in line. And this is a generic hypothetical: I would say that it's possible you might find that you're now put in the same Rolodex with any other company, as opposed to being, dude, we've had a relationship for 20 years, and I invited you to my Christmas party. You're in the same boat as the other guys that are good now, because the inflection point has passed where you had the opportunity to smoothly move forward. I would just encourage people to take it seriously and be careful that there are wolves out there in sheep's clothing. Make sure you know who helps you.
SPEAKER_00: Well, appreciate that. The reason I ask that question is because we get asked those kinds of things, and I like your standing in line for tickets comparison. That's a good one. It makes sense that if they've had that relationship these past 20 years, with that ongoing relationship and POs and contracts coming your way, then if you're not ready when the time comes, you've got to get back at the end of the line and get back in. So I appreciate that perspective.
SPEAKER_01: You might be stealing that one, I'm gonna be honest.
SPEAKER_00: Well, I think we are stealing that, yeah, so thank you.
SPEAKER_01: Yeah, it's a really good analogy. I think a lot of the companies we work for and a lot of the audience on our channel are small and mid-sized companies in the defense supply chain. They're not direct to the government by any means. So they're just hearing all of this through the grapevine; a lot of it's from the ecosystem, right?
What CMMC Is Really For
SPEAKER_02: A lot of it's coming from the ecosystem, and they feel that those are people that have less than the best intentions at heart, right? That's why I try to do these podcasts, because, dude, I'm not trying to sell anything, I'm trying to buy stuff. And if you don't believe me, I don't know what I can tell you. I work in supply chain for a defense industrial base company, and I'm trying to build out our supply chain. So when I come on these podcasts, it's specifically to say I'm not coming here with an agenda. I'm not saying I have a seven-step process to make you good. I sure as hell ain't saying that I can get you through an assessment in 11 minutes. But what I am saying is they're not joking. When you look at those 800 companies that are level two today, little fun fact: the Cyber AB doesn't know who they are. The DoD hasn't told any of us who they are; they just give the Cyber AB a number. I've talked to several of those companies, and most of them are people that are primes to some extent, because prime doesn't mean that you're a hundred billion dollar company. Prime just means you have a prime contract with the government. Most people that have a prime relationship with the government customer know this is coming. So that is, I think, part of the issue. What I've seen is many primes are hesitant to get ahead of the government. So most of us are just echoing what's already in the literature. When we put in our open letter that we cannot issue you a PO unless you're compliant with the requirement, that's not something I wrote, or Copilot wrote, or Grok or whoever. That's literally straight out of the DFARS clause. It explicitly says we cannot do that.
So I think maybe it's because we've read the clauses. I'm not trying to say people don't read clauses, but I do know a lot of people maybe don't think their government's serious. I would just warn them that I wouldn't play chicken with this game.
SPEAKER_01: Yeah, that's a great point. That brings up the next thing I was going to ask you about. Because they're so far down the supply chain, or removed from the main customer, the government, the intention of CMMC can get a little lost along the way, and the goal of primes, or of their customers like you, gets a little lost as well. So if you could, for a minute, just go over: what is the purpose of CMMC? Why is it important? And what risks are companies like you, primes and so on, trying to manage when they're pushing cybersecurity down to their supply chain?
SPEAKER_02: That's a great question. I think where a lot of people struggle, especially from the prime perspective, is how far down your supply base does controlled unclassified information flow? The answer is federal contract information flows really far. But every prime I've talked to tries to limit the flow of controlled unclassified information, because the prime is responsible for as far down as it goes down the supply chain, not just to their first tier suppliers. One of the terms that my lawyer friends taught me is privity of contract. The government has said that is a prime problem, because the DoD has said we don't have privity of contract, which just means we don't have a contractual relationship with your suppliers. And as much as I would like to say, well, pot, kettle, we don't have a relationship with our suppliers' suppliers either; hello, we have the same problem. By accepting the contract from the government, we are obligated to figure out how to do that. There are several ways we can do that. We partnered with Exostar, and that is one way. That's not the only way. Some of the other primes I know have built their own databases. Generally those are companies a lot bigger than us, because anybody that thinks it's easy to manage your own database, it's a lot of work. So a lot of us just outsource, as you would know, since you are a managed service provider. But the question about what we care about is: where is the data? The government absolutely wants to make sure that we know where that data is and that it's meeting adequate protection, right? Anyone that's been following this knows, to go back to one of your earlier questions, that verbiage is from 7012. That rule's been around for a long time. Adequate security is not a CMMC thing.
All CMMC does, and I know I'm not the first person to say this, is provide external validation that you're providing adequate security. Water's wet, sky is blue. That's what CMMC is about: trust but verify. That's all CMMC is. The government's big concern is validating adequate security. Unfortunately, there have been plenty of public record comments and so on that show that maybe not everybody takes adequate security to mean the same thing, or their understanding of how 7012 applied to them. Katie Arrington on multiple occasions has talked about the companies that put POA&Ms that would end sometime in 2099, because that's what they were allowed to do. So they would put, for 110 controls, a POA&M of December 31st, 2099, and they actually told that to the DoD. So we did this to ourselves, right? Because the DoD's initial plan was to just litmus test occasionally. How do I say this? Had things gone differently when they did DIBCAC medium assessments in 2019 or 2020, if things hadn't gone the way they did with the report, maybe we wouldn't have CMMC today. But you get what you pay for, so that's where we're at.
SPEAKER_01: I appreciate that. You mentioned you're in the supply chain, you're just trying to buy stuff, right? And find suppliers. So from your vantage point, how prepared do you see or think the supply chain is today? Are most suppliers still early in their journey?
How Ready The Supply Chain Is
SPEAKER_02: I will say the answer is it's hard to define the supply base, right? Because no one knows how big the DIB is, the defense industrial base. Because of that whole privity of contract, no one really knows how big things get. But in general, I would say the closer you are to the government customer, the more likely you are to be further along the journey. The further you are from the government customer, the more likely you are to be further away. I've had, I won't say heated conversations, but I have had strong conversations about how long it takes to go from zero to 60 to get compliant. I personally think unless you're breaking a lot of stuff and basically shutting down production servers during normal working hours, you're looking at a nine to 18 month process, because holidays don't happen that often. If you're going to actually do some of this stuff, generally you try to do it on a holiday, because some places work weekends. Very few places have budgeted to shut down all their servers to get them upgraded to put them FIPS compliant. I was able to do it over years because I had years to do it. Now, I think doing that in five months means you're going to be impacting production, and you might not be able to meet your contractual obligations, because you have to produce so many widgets every month, and it's going to be hard to do that when IT is having to make major changes. So I would offer the closer you are to the government, the more likely it is that you're further along in the journey. But even those that are further along in the journey are still early in the journey with their supply chains. Because I think most people up to this point have done it serially, and now we're losing that ability. Companies can no longer handle it serially, because when it comes up in a contract, you've now got to figure out in parallel who you are sharing that information with and how it goes downhill.
It'll be interesting to see how this works out over the next 18 months if the government starts pulling the thread on, show me all the places where federal contract information is. If you're telling me there are only two companies in your supply chain, how far do they actually pull that? Because federal contract information is almost everywhere. Technically you should have a lot of companies getting federal contract information, because unless it's completely a COTS communication, or it's something that's straight out of what was put out on sam.gov when they announced it, or whatever, it's federal contract information. So that's going to be, I think, a friction point as we go forward: how far down the rabbit hole do those Excel spreadsheets actually go, where you're supposed to be listing out the UIDs, the unique identifiers, for each of your suppliers that gets either federal contract information or controlled unclassified information. Absolutely.
SPEAKER_01: So I want to take this from another angle for a minute. What I was wanting to ask you is, when a supplier wants to work with a company like Elbit, what does a good cybersecurity posture look like? What do you look for in a supplier? What signals tell you a supplier is taking this seriously?
Supplier Signals And Red Flags
SPEAKER_02: I will tell you there's nothing anyone can tell me, because I've been lied to by so many people. I've had conversations with vendors whose product is FedRAMP, and then when I pull the thread, it's no, it's built in Government Azure. That's not FedRAMP, brother. I have that conversation at least once a month with a vendor. With the suppliers: oh yeah, we're level two. And then, can I see your paperwork? Oh, you know. So our Exostar forms that we push out, we only push them to companies that show they're at least level one. If they're not level one today, there's not a whole lot of communication happening. We see a demand signal that everyone should be level one by now. And if you're building something to print, building something to form, you really need to be getting pretty close to level two, because if you're building something to spec, it's very likely that that's going to be controlled unclassified information. Now, if you own the intellectual property and it's your stuff, those are different conversations. But if you are building something for a higher tier supplier that is not something you sell at Walmart, or you can't go buy it at Sam's, Lowe's, whoever, there's a risk that it's going to require level two. If all you're doing is building something to a MIL-STD, a military standard or something, that's where the lawyers get involved: is that really tailored? Those are conversations that I think are going to be interesting for the next six to twelve months as we normalize. But I guarantee, if you're building something that's not a standard product, there's going to be controlled unclassified information in your future.
SPEAKER_01: I think you might have already mentioned this, but I'm going to ask it just in case. What are some red flags you see when evaluating suppliers?
SPEAKER_02: Sometimes I'll just ask them, if they're using Office, to show me their Office, and it's like, hey, that's the commercial version of Microsoft. You guys are at least six months out, if not more, because it is not an easy lift to switch from a commercial tenant to GCC High. So that's one thing I'll ask. I'll ask what cloud services do you use. I'll ask, you know, don't tell me about FIPS. Yeah, yeah. One thing I haven't mentioned up to this point is I'm actually a certified Lead CCA, a Lead Certified CMMC Assessor; I think that's what Lead CCA stands for. I'm actually a Lead CCA because I went through enough audits for CMMC, for DIBCAC, for ISO 27001, and I had their certifications. I was one of the first Lead CCAs. There's me and a couple other primes where the lead person is a Lead CCA. I think they're all guys. That's good, and that's a big thing too. I get a lot of people wanting to hire me to be a CCA, and I'm like, no, I'm good. I'm doing the implementation, I'm good. Got your plate full. I literally do.
SPEAKER_01: What are some of the most common misconceptions you see from your suppliers about CMMC?
SPEAKER_02: I think some people think that they have more levers than they do. They're like, oh, this isn't real, it's not gonna happen, and I've got plenty of time. That's a common misperception. Because we have production requirements, right? One thing that I think is also an odd thing that's going on right now: some stuff's showing up much later in the process than you expect. Not everything's showing up at the beginning of the RFP. It's gonna come in 30 days before you know it's done, or it might even show up in an award, which, yes, you can pick your battles and say, hey, that wasn't in there and it wasn't in scope. Maybe we'll argue, but maybe you won't, because it's much more complicated than just one factor. Very few things in life are black and white. There's always, you know, five or six factors you have to consider. And I think organizations think they have more runway than they do, and they think they have more leverage in a relationship than they do, and that goes for primes too with the government. You got to be real careful going to the DoD customer saying, yeah, you need me. I think there's a real risk there where they might be saying, maybe not. So you have to be real careful, because it's real money and it's people's jobs.
SPEAKER_01: Yeah, I think, you know, oftentimes people get caught up a little much in the trees and not the forest. So they'll, you know, look very detailed and narrow at the requirements or the problems facing them today. And they won't necessarily see the changing tide, you know, in the bigger picture. And I think, you know, just my personal perspective as you're talking, I see that a lot in our customers and our prospects and the people we talk to, that they're just not seeing the bigger picture here. And I think some people may be missing the boat, if you will.
SPEAKER_02: So I think I've also said a lot of life is self-critiquing. So I mean, I think we're within six months of people getting some pretty clear feedback. If not, more power to them. I mean, we'll see what happens, but I feel pretty confident that in the next six months there's gonna be more emphasis on this. I'm willing to publicly state I don't think CMMC is gonna get turned off in November. Do I think some contracts are gonna go to the... there is a safety valve. In the clause, it specifically says in phase two and phase three they can push the CMMC requirements to the option period. I think that's gonna be used judiciously, because the DoD is not going to shoot themselves in the foot. If it's something that they absolutely need to have, they probably will play that card. But if it's a new capability or something where there's options available and it's not, okay, this is the only one you can use... I think that more often than not, you're gonna see judicious and minimal use of the safety valve for CMMC in 2027.
Flowdown, COTS, And Data Sharing
SPEAKER_00: Good point. Good point. Do you have a question? You've talked a lot about flowdown and, you know, making sure your suppliers are ready. So for smaller companies that are trying to do that, what should they be doing to try to make sure that they're... how do they build that database? What do they do, they just ask a question? They say, do you promise, you know?
SPEAKER_02: Well, no, one thing you can do, if what you're producing is commercial off-the-shelf technology, is a determination statement that it's commercial off-the-shelf technology. That is your gold card, right? That's your gold ticket. So that's in the control of the supplier. The supplier is the one that provides that to the customer. And I think you know that. So that's the best thing to do. If you really think you're a COTS product, the DoD has a definition of what COTS is. There's a process you go through. Make sure that you can prove what you are producing is COTS. That's your best defense. And then one of the things I think we'll work through in the next 12 months is there's actually a thing called military off-the-shelf technology. I never heard of MOTS, but now that I'm in supply chain, I've now heard of MOTS. I just don't think there's, I mean, you go to a Sam's and get grenades. I don't know, but it's like military off the shelf, right? It's such a thing, and we're gonna find out what does that mean? Is that FCI? Is that CUI? Is it a form of COTS? I think that's gonna be something that'll normalize over the next 12 months. I think the best thing you can do is understand where you are in the food chain. If you're COTS, you're really protected. If you're just building someone else's stuff at their specifications, I would say you're at higher risk than someone who all they do is build special widgets that they own the intellectual property for that is critical for X products. They might... I would highly encourage them to be level one, but maybe they can play roulette and hope that things don't go too south for them, right? Even Russian roulette is supposed to be five out of six odds as long as you don't just keep pulling the trigger. So it depends on the game and what the rules are, but you're playing with fire.
SPEAKER_00: So for these clients that are level two, or these subs that are level two or are going to be level two soon, they're asking, you know, how do they verify the same for their suppliers that maybe, you know, finish a product?
SPEAKER_02: Always, it's data flow. Yeah, absolutely. It goes to data flow. What are you sharing with whom? And I think the one that everybody's gonna be struggling with is just the level one, because there's still a paperwork requirement. You still have to validate for level one. And I think that's the one that's maybe slipping through the cracks. It's not gonna be a big crusher, because I think people can get there, but it's gonna be an impediment, it's gonna be a hill you have to climb over, because that information is gonna be really hard to stop. Where there are things you can do to limit controlled unclassified information, there's not a whole lot you can do about federal contract information. I mean, I won't say it's everywhere, but it's pretty heavily influenced to be a big portion of the contract information.
SPEAKER_01: Gotcha. Well, last question I had for you today, Bo, is if you could give advice to a supplier who says, I know I need to do something, but I have no idea where to start, what advice would you give them?
SPEAKER_02: That's great. Great question. For our suppliers, I actually have some stuff I share with them that gives them a roadmap or a flight plan, depending on how you want to look at it. First thing I tell them to do is look at the US DoD / Department of War websites, like the CMMC page under the CIO, the CMMC page under DCSA, the Cyber AB. These are places where no one's trying to sell you anything. This is just hard data. Next thing I tell them to do is to seriously consider investing under $2,000 to put someone through a CCP class, because someone in your company needs to be able to speak the language, even if you're gonna outsource a lot. I'm a big believer that you need someone that can speak truth to leadership in your company and actually understand what is in the realm of the possible and also what's in the realm of the required versus nice to do. So I always recommend that. And the last thing I recommend is go to conferences. I know y'all are going to a conference tomorrow, so it'll be done before this thing goes live, but there is a big conference in San Diego next month in April. It's the CS5 West. I think October will be CS5 East, and then there's a thing called CUI Con, they call it CUICon, but it's CUI. And that's in February every year. So there's a couple of options out there for people to go to. Those are low cost, and there's plenty of people at those conferences that want to help you. You can just go walk the floor, and those are, I'd say, four or five things to start off with. I try to recommend that to any supplier, because I do get asked a lot, how do I get from zero to 60?
SPEAKER_01: Well, Bo, really appreciate your time and information today. It's been really helpful. I think it's gonna be really helpful to our listeners who catch it whenever it airs. So thank you. If you have questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.