The B2B Podcast Index
Trust Issues

The four phases of a CMMC assessment

Trust Issues · 2026-06-16 · 51 min

Substance score

64 / 100

Five dimensions, 20 points each

Insight Density 13 / 20
Originality 12 / 20
Guest Caliber 15 / 20
Specificity & Evidence 13 / 20
Conversational Craft 11 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

13 / 20

The opening ten minutes is a meandering career biography with low value, but the back half is dense with practical, non-obvious compliance insights (the four assessment phases, 'periodically' meaning no less than annual, the SSP being the thing assessed, Active Directory not being a system of record).

What that's asking you to do is periodically, not every day
they define periodically as no less than annual

Originality

12 / 20

Offers genuinely practitioner-shaped framing rather than recycled compliance platitudes - the restaurant inspection analogy, the gym/marriage analogy for documenting controls, and the Active Directory 'system of record' critique are fresh interpretations for this niche.

You've got a restaurant, you're building a restaurant. You don't have food yet
It's almost like you're, you're telling like your wife that you're committed to going to the gym

Guest Caliber

15 / 20

Norris Cardin is a lead certified CMMC assessor and principal consultant with CISSP/CISA and years on both the implementation and auditing sides - a genuine hands-on practitioner directly relevant to the topic, not a thought-leader.

lead certified CMMC assessor and principal consultant for Centaur, working directly with defense contractors
I've been on the consulting side doing the gap assessments

Specificity & Evidence

13 / 20

Strong on named requirements, certifications, numbers and concrete failure scenarios (3.3.3 event review, 110 requirements/320 objectives, $6,000, time source mismatch on a new firewall), though several companies and templates are deliberately anonymized.

pulled up 3.3.3 which is event review. Review and update logged events. 5 words
these 320 objectives. We need to be writing our

Conversational Craft

11 / 20

The hosts ask some genuinely useful clarifying questions and one sharp analogy to SOC Type 1/Type 2 history, but it's largely a collegial peer conversation with affirmations rather than probing pushback or productive disagreement.

if I go to the SOC world... for the CMMC, when you go do the assessment, do you need to have X months prior
What percentage of organizations are doing the mock audit these days?

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Filler words

so (89), like (31), um (22), you know (16), right (10), actually (8), uh (6), kind of (2), obviously (2), anyway (2), I mean (1), sort of (1), literally (1)

Episode notes

The guest is Norris Carden, a lead CMMC assessor who has seen the industry from both the implementation and auditing sides. He explains the fundamental necessity of the system security plan and how it serves as the primary document for any official evaluation. The conversation highlights why many organizations struggle with the technicalities of log management and periodic reviews. Norris also outlines the specific phases of an assessment, providing a roadmap for small businesses looking to secure government contracts. Listeners will learn why access control remains the most frequent point of failure and how to properly prepare for an audit before the first day begins.

Full transcript

51 min

Transcribed and scored by The B2B Podcast Index.

You can have the most perfect implementation of the technical side and fail within 15 minutes of your assessment because you don't have the processes to prove that you are controlling access. Access control is the biggest one. Everyone starts on access control because access control is the foundation that everything else is built on. Welcome to Trust Issues by BMO, the podcast where we go beyond checkbox compliance and get real about security. In every episode, we break down what's happening in the world of CMMC, cybersecurity, and GRC. Straight from the people building, auditing, and living it. Real conversation about real security. Welcome to Trust Issues. On today's episode, we're joined by Norris Cardin, lead certified CMMC assessor and principal consultant for Centaur, working directly with defense contractors preparing for certification. Norris has a really awesome perspective that he's going to be bringing today, having been on both the implementation side of NIST 800-171 for years and now going to the C3PAO or auditing side of the business, evaluating organizations seeking certification. Cool. The first thing I would love to ask is just how did you go from TV to CMMC? I feel like a lot of people I'm talking to, either they like started in the military or working for the government. TV's a new one. Yeah, well, there's you an interesting one. I was a television news guy, uh, carried a camera, even carried a camera in the Army when I shot You Were Supposed to Live. Um, became the computer guy in the newsroom. Actually was cra— I crashed in a helicopter, which I've got 5 fused vertebrae, so couldn't carry the camera anymore. Became a newscast producer, a newsroom manager, was the operations manager of the TV station in Louisiana and then became the computer guy and became the computer guy that worked with the newsroom software company. 
Then when I ended up working for the newsroom software company, it got bought and spun off and by a big corporation and ended up going out just pure IT. Um, I'd been doing computers. I bought a Mac in 1985, so, um, been doing computer stuff on the side. I had a, a, uh, 4-line dial-up bulletin board in the early '90s in my house. So, um, the tech stuff was there, and I actually had studied a little circuits and stuff, and was a ham radio operator. So the technical knowledge and, and was, was around. So from the newsroom Windows Server type of thing to with Windows for Workgroups and desktops, working with that and the dial-ups and my own things that migrated to the internet, my first domain I didn't have to pay for. So Bruno remembers those years. My, my Internic handle, if you know what that is, was NC54. So the numbers— the first people just got their initials, then they started adding numbers. So rolled off into a pure IT role working for the company that invented computer-controlled lighting, managing their global network. Got really involved in— had already been doing email and internet stuff on my own, but got involved in firewalls and other things. There became focusing on Cisco, um, realized that the job market— the, the Microsoft knowledge and experience was becoming a commodity, the Cisco knowledge and experience was becoming a commodity, early 2000s. So I started focusing in on— looked around and said, what's not going to go away? Um, security. I've been doing security as far back as that dial-up bulletin board because people were paying me money to have access to stuff. So it was, okay, what do you have access to? When does your subscription expire? Does your account exist? And can I share folders with you that I don't share with other people? And can I have private folders for myself and my buddy? So security was just a natural progression. Earned the CISSP in 2005. 
I had been working a couple years, one, maybe two classes at a time on a master's degree through one of those online universities. Just ended up with a couple of different insurance companies. I was living in Madison, Wisconsin at the time. Look it up. You can probably figure out which ones, three different ones. And became experienced there. Got the CISA, the Information Systems Auditor certification, rolled back to playing photographer for a little bit. I was telling you earlier that the job that moved me back to my hometown in Tennessee was to build the internet piece of a fiber-to-the-home project. So TV, internet, television. Or telephone. Um, so internet brought me back. We— I ended up at, uh, doing the first IS internal audit job at a large credit union. Buddy of mine in Wisconsin started an MSP. He said, hey, come work for me, do my networks and firewall stuff. I've been a Fortinet reseller myself, an engineer since 2008. Also have experience with Check Point, Cisco, and other stuff. Um, so picked up a job at, uh, with one of the major auto manufacturers in the US. I don't know if I can say Nissan or not, but, um, in their information security group. So my background writing I'd been editing people's content, their, their text, their, their scripts. My ability to write and edit— Nissan picked me and said, hey, we need somebody to help us with vendor contract negotiations. So assessments, kind of already been doing some, you know, assisting companies with PCI prep and ISO prep and and other things, never, never really been an auditor. But so we were doing vendor assessments. So third-party vendors come in, try to sell you something, and the, the buyers and the business side and the legal side are saying, okay, great, now tell us which of these vendors is better equipped to protect our data. So we used NIST CSF, the Cybersecurity Framework, to do assessments, just simple assessments of vendor A, vendor B, and, and then did the contract negotiation. 
So that's— that was— some of it was easy, but some of those were huge companies and working with all sorts of levels of lawyers and, and business people and making sure that the, the specific language to the contracts met the desired requirements. So not quite DoD-ish, but sort of. And then got picked up after COVID killed that contract, got picked up with a company, Mad Security, out of Huntsville, close enough to drive to, actually almost the exact same distance for me to Nashville and me to Huntsville. So worked with them as a CMMC gap assessor and consultant. For 4 years. We would bring in a client, a client would come to us with zero, usually zero, ready for CMMC. Like, what is this CMMC thing? Why do I have to do it? I need to do it. So this was CMMC 1.0. This is 2020, and where you had to have not only it written and doing, but you had to have a policy for it. So CMMC 1.0 was initially going to be different point levels for are you doing it? Do you have it written down as a policy? And second, do you have— or the final— do you have a policy procedure to do it? Which fortunately they took that away because we would never be getting hardly anyone. It's hard enough right now. Unfortunately, it's hard enough right now to get the organizations seeking assessment to be ready to be assessed. So that was the beginnings of— and then, you know, a year or two later, learning, going through as a consultant all of the errors that people make in learning about CMMC. Somebody else paid me to do that. So, so I'm now with Centaur as a lead CMMC assessor and I'm still learning. We had a huge discussion this morning among our team on inheritance. A couple of years ago, 3, 4 years ago, after being with MAD for a little while, oh yeah, the assessment guide has these, all these objectives, not just the 110 requirements, these 320 objectives. We need to be writing our— yeah, we need to write our SSPs to this. 
So a year ago, I was hired as an independent contractor by a company who had been told in January by their C3PAO, you're not ready. And it took less than 5 minutes when they showed me their stuff to say— actually, it probably took about 1 minute— you're not ready because you have an implementation statement that does not address ABCD. So I've been on the consulting side doing the gap assessments, and I learned a whole lot. Yeah, my first gap assessments were not very good. We started, we, we learned, hey, we're, we're interpreting this one wrong. We're interpreting, you know, it's, it's also— you can still do a lot of interpretation. Yeah, it's, uh, I can put 2 or 3 assessors in the same room and on some would be, oh, this Oh yeah. Oh yeah. Oh, we'll get— maybe get to one stupid little thing that an assessor and I had an argument over. So, but going from being the consultant, learning that one of the— and as I was, I self-funded because MAD Security did not pay for me to get the CCP or the CCA, so I self-funded $6,000 to get the CCP training, the CCP certification, the CCA training, the CCA certification, the lead CCA. During the year that I was going through that, it was almost exactly a year between the first time I talked to— because I knew, I knew the Centaur people because we— they were in Huntsville. But the first time I talked to their recruiter to when they sent me the, hey, come talk to us again, and I knew a couple of people. The CISO who runs this, started up this C3PAO section, he and I talked over the years at ISSA events, you know, hey, what do you think of this? What about this FIPS thing? You know, the firewalls are going to get patched. And so all of that stuff, all of those questions that the organizations that haven't been doing this for years start not really knowing it, not really thinking about it, or maybe it pops into their head, hey, it says FIPS validated, but this is not the version that's FIPS validated, so what do I do? 
So a lot of those things, yeah, I've had the opportunity to work through in my own head and learn from others and learn from doing. And you kind of touched on the different interpretations of, of something. In talking with, you know, as I was getting my assessment certificates and I was sending out updates to C3PAOs and saying, hey, this is my status, I'm going to be available if you want to get me now as a professional, you can. Anyway, in, in interviews, multiple C3PAOs, when they interviewed me, pulled up 3.3.3 which is event review. Bruno's nodding his head. Review and update logged events. 5 words. And it's so misunderstood by people, and I misunderstood it for years. What that's asking you to do is periodically, not every day, this isn't, hey, go look at what's logged. Goat, this isn't the review what is in your logs. This isn't the go and make sure that— at least make sure you have a log. It's trying to— you have the logs. It's to make sure you have the logs and the logs are logging what you need them to log and that the ones that are supposed to be logging are there. I've heard of a client. They upgraded their firewall, put a new firewall in, had a DPCAC high. This was before the CMMC stuff. Knew that they were, everything was good. They upgraded a firewall. They missed two things when they replaced the old firewall with the new firewall. They didn't have all of the logs going that they expected to have going. They had some, I can't remember what it was that wasn't logging that they weren't getting, but, but doing their continuous monitoring. And the other one was they didn't set the time source to be the time source that their, that their SSP, their system security plan. One of the, one of the requirements is specify your time source. New firewall. 
They forgot to double-check and make sure, hey, new firewall, let's make sure our time source is right, but their continuous monitoring, which is not your annual, hey, let's annually look at everything. But your continuous monitoring plan that you need to have of, hey, in one of the best ones I've seen is in January, we're gonna go over these 10 controls, we're going to look at these 5, 3, 2, 3, whatever policies that are related to these controls. We're going to check those out. February, we're going to do another batch. March, we're going to do another batch. I've also seen it to where every week we're going to do, we're going to make sure these are the same points. I believe like you, I believe like the way me, I do it is monthly, same thing. So monthly you divide and every month you go over. So you don't have to do one full week to review all at once. Yeah. Well, the other way I've seen it is, okay, these are things we're going to be checking anyway every week. Like, who— did anyone try to log in from Istanbul? Um, on those weekly things, we're going to check these things that are relevant to that type of a check. On a monthly, maybe quarterly, we're going to confirm that the list of users in Active Directory match the list of users that I have as a consultant. So, for me, it's interesting what you are saying, because for me, the way I see it, I take at BMO as a client, we have two teams, the security team and the compliance team. Oh yeah, but this is smaller organizations. The security team is supposed to be reviewing, this is their job to look at compliance. Yeah, who's doing compliance? So, yeah, there's two ways to do that. I've— one of the SSPs I saw that did it that second way had every single objective in the SSP stated this would be reviewed weekly, monthly, quarterly, every 6 months, every— and then in the back of the SSP, in an addendum, was that list of every month we will do the ABCD or 3.1.4. Whatever. Every quarter we do these. 
So it was really well laid out. But personally, my preference is probably that January we check these, February we check these. Now one thing that people don't understand is the word periodically. DOD in one of their FAQs, CIO, Department CIO FAQs, go find those, read them. They're valuable information. It's not in the regulation, but it's stuff. They define, or maybe it was one of the memos, but they define periodically as no less than annual. And a lot of companies, and this was a template SSP provided by a FedRAMP-approved, FedRAMP-ready company, provided a template to their clients that had the requirement for periodically reviewing everything as monthly, not once a year. And the, the statement in the NIST 800-171 is periodically. So I can pretty much guarantee you anyone that's using that template probably didn't do that, isn't doing that. And if their assessors are on the, on the ball and know what they're doing, they're going to fail. Because they say in one of the things that companies need to understand is it's the SSP that's getting assessed. The system security plan is what's getting assessed. If you're doing it, that's awesome. But you got to show me, you got to demonstrate in words how. It's almost like you're, you're telling like your wife that you're committed to going to the gym. Every day. You're like, well, you don't, you don't have to go every day. Like, no, I'm going to go every day. Like, okay, well, I'm going to hold you to it now. And if you don't, you're going to fail. But start off with once a week, once a month. Yeah. And, and, and the other thing is if you go to the gym but you didn't tell your wife, yeah, she's going to wonder where the heck you were from 6 to 7 AM every day. So you gotta, you gotta write it down. Yeah, I like that. I'm gonna, I'm gonna use that somewhere. You know, you don't gotta go to the gym every day. 
Yeah, one of the other things we run into, and my boss came up with this one, um, the little companies that say, okay, why do I need to be CMMC assessed? Why do I need to get that certificate? I don't have any CUI. I've never had CUI, and anyone that's worked with the DOD knows that DOD has been negligent in the past about labeling stuff as CUI. So they say, I don't have CUI, why do I need this certificate? Well, one, the DOD says if you want to get a contract, you got to have it. But what they need to understand, and my boss describes it this way. You've got a restaurant, you're building a restaurant. You don't have food yet. You don't have customers yet. You have to be inspected before you can open. You have to be able to show the inspector, this is where I'm going to store my food. This is where I'm going to prep my food. This is how I'm going to prep my food. This is where I'm going to clean up. This is how I'm going to clean up. This is how I'm going to keep the restaurant clean and neat. And we've got all the things to keep rodents out and whatever, you're preparing the restaurant to open. You're preparing your business to do business with the Department of Defense when they require a CMMC certification. I just today saw something that the Navy released about their, uh, one of those things that they do for smaller businesses, or we're trying to try new things, to give them the chance to, to bring something to the Navy that the Navy would want to buy. Um, but it specifically said that to bid, you had to have done a CMMC self-assessment. And we're in the year right now until November where the DOD is— has said with the phased-in approach that self-assessments are acceptable. But this proposal thing that they, they have out that I saw on it, I could share the link or whatever later, specifically said that they may require an actual certificate before you can be awarded a contract. 
So my client last year that I worked with for 5 months, they really only see CUI in the bid proposals. Most of their workers actually work on military bases using government-furnished equipment. So they're out of scope and they get to access all sorts of CUI and, and in doing their work there. But this company only sees it during the bid process. If I'm DOD and I'm saying, I want you to protect my CUI, and by the way, you're only going to get CUI when you're bidding. If you want to bid, you'd better have a certificate. There's so much in the— and I touched on this earlier, and Bruno and you guys have probably talked about this also. There's so many companies that just aren't ready. They come— we talked— what happens? Like, I would imagine that most of the people are more likely not ready. So what happens, um, let's say Centaur is working on, I don't know, 100 CMMC assessments right now. Well, our first step is the sales process tries to weed out as well as they can. Okay. The, you're not ready. We're not going to sign you up unless our sales guys, which is the thing. Oh, because for, I guess for them, it's like the person has to be ready. Like on our case, we prep the company. We do their level. So when we say from a BMO, you are ready, then we engage with C3PAO. Sure. And C3PAO knows. So you'll turn people away and say like, I'm sorry, I'm not here to do an engagement with you because you're going to take up too much of our time because you're literally not ready. There's 4 phases in a CMMC assessment. Hopefully most companies will never get to phase 4 because phase 4 is the, you have a POAM and you need to fix some things that we found wrong. Phase 1 is the— we're looking at, are you ready? Are you prepared? So we have a kickoff call, then we have a scoping call, and scoping call's actually required. I don't know if they called it that, but we call it that. There is a call required by the regulation, or a meeting. We have to agree on the scope. 
They have to show us evidence that there is enough information there for us to do an assessment. We're not assessing anything. Now, we may choose to look at a couple of 5-pointers, the biggies, and say, you know, you haven't written in this right. Or like the example I gave of my client last year who didn't even put out stuff by ABCD, didn't even address each objective. If we get to the scoping call and you provide us with your SSP, can be a draft, doesn't have to be your final one, your network diagram, your data flow diagram. And if you look at us and say, what's a data flow diagram? What's a network diagram? We're not going to be ready. If we get that and we can't agree on the scope. Well, one of the things that's required is we do agree on the scope. We have to agree. They have to present: yes, this, this is— these are our CUI assets, these are our CRMA assets, these are our security protection assets, etc. This is out of scope. I guess network doesn't have anything. It's out of scope. It exists or whatever. And in the scoping call, we make a determination. Are we good to proceed? So, and this is stuff that a year ago I didn't know. Because when I was working with that company that got told, no, you're not ready. It was okay. And I was just then, I had just been training for the CCP certification. The problem, tell me if I'm correct, you cannot really tell, you can just say you're not ready, but you cannot really give detailed information, correct? Because you are the assessor. I can't assess. I can't, I can't advise. I can't consult. I can't tell them how to do something. I can say you're not ready. I don't see enough information here. I don't see that— I could, I could say you haven't broken it down by objective. You have not given me the information I need to assess every objective. Your network diagram doesn't, to what you've explained to me, actually demonstrate the environment. There's things I can say. 
I can potentially say, I would expect to see a connection between your Office network and Microsoft if you're using Office 365. So that's to tell if things are going bad, if you're saying, I would expect to see. Well, the pro— yeah, the problem there is we've already signed a contract. Yeah. So what we were hinting at is our salespeople try to narrow down because they don't want to have to— okay, think about this from the perspective of the business owner, the C3PAO's business owner. I've got a limited number of assessors. It requires us to have 3 assessors to do an assessment. Now you can have 2 teams running, have 2 assessors on 2 different assessments, and one of those can be the QA for the other team. So you minimum 3, 2 teams, 4, et cetera, on up. I've got next week 2 assessments scheduled. I've got 4 assessors. Let me go a little bit further out. Next month, tomorrow I'm doing a scoping call with, with somebody. Next month they are scheduled already. They are on the schedule for a specific week for the assessment. If they come to the scoping call, they're not ready, and I as a lead assessor say, you're not ready, we're going to have to reschedule you. I now have the— my boss now has 2 assessors, minimum, possibly 3, not doing billable work that week. 6 months ago when I was trying to find a job, 6, 8 months ago, I was looking at 1099, the, you know, the contract as needed stuff, which— there's some awesome numbers out there being thrown around for lead CCA to do those. But I mean, you're responsible for your own insurance. You've got to have your own liability insurance. You've got to take care of everything yourself, pay the taxes, et cetera. And what if you're a 1099 assessor? You were planning on being able to take your family to Disney World because you had something scheduled, now you've got a week where you were planning on income and you don't have it. So to the individual contractor, it's a little bit different than me as a W-2. 
Now, as an employee, my boss now has to come up with something for me to do. So I, I see many— I see many— see, yeah, we'll make you pay a fee if you have to delay, which I find fail. Yes. I don't know what they exactly came up with. If you're outside of 30 or 45 days or something and you need to reschedule, I don't think we're charging a fee. If you're a week or two away, yeah. Is, is that— probably charge a week. Like, I'm, I'm curious as to, um, well, we pushed out the scoping calls to instead of being like 2 weeks in advance, 2 weeks ahead, we've tried to push them out to 6 to 8 weeks ahead. So that, so that will give us a chance to do a second scoping call maybe and say, hey, we didn't see something here. And it elongates the entire process also. But it's, but it's already elongated because we're booked. Now, what— there's a little bitty secret there is that Company Charlie just got pushed because they weren't ready. Their week's— their week just opened up. So Bruno, if you've got a client that's ready, and, and I'm— this isn't a solid number, um, in 2, 3 weeks, 4 weeks, whatever, we could have an opening. Wink wink. I'm kidding. So if somebody is absolutely ready, and Bruno says, hey, go check with and say they might have an opening faster. One of my clients that I've got, that I'm lead on, I just did a mock assessment and we highly recommend companies. Oh, really? Assessment? Yes, a mock assessment. And I'll get back to where I was going with that because it's the same client and I should be able to keep the train of thought going. The mock assessment is treated just like a real assessment. We cannot, we don't have a quality assurance assessor. Sometimes they're only done with one assessor, but usually it's still two. So there's a little bit less overhead in doing it because we don't have the QA. And it's possible our sales guys might charge a little bit less for the mock if we're doing the formal also, but it's the exact same thing. 
We run through it as if we were assessing. We can't consult, we can't say— we could say, you know, I would expect to see that all of your devices are using the same time source, and you're going to get a report that says not met. And that will give an organization the chance to have time to go back and fix it. It also gives you a chance to— because we're trying really hard to not have someone be a lead assessor in two successive weeks, back-to-back weeks. It's a whole lot easier to be the second assessor. Lead assessor has more responsibilities, um, has to keep things going, has stuff to do outside of the time that you're interviewing. Of course, the second assessor is also going to preview stuff the week before or a few days before and get an idea of what's going on and what's there. They'll have been on this scoping call, probably. What percentage of organizations are doing the mock audit these days? A third. A third? I would've expected a little higher because for me, I've only been with Centaur since December. Yeah, yeah. But I, I would feel like for me as a, yeah, I, I, we tell our client, you should do the mock again from a perspective of it's better for you to have a second chance. Higher likelihood. Likelihood of achieving certification, right? Yeah. Yes. Third, I'd say a third to half. Okay. I'd have to go back and look at the number of that I've got. But for the people who aren't doing the mock, I find that really interesting. For the people who, the organizations that don't decide to do the mock, there's higher risk that you fail. Yeah. Oh yeah. Does that ever happen? Of course. Oh yeah. Oh, okay. Yes. Now there's, there's an interesting thing that was, if you are a follower of the Cyber AB organization that keeps the— everybody up to date— ecosystem. They have their monthly town halls. Highly recommend we attend them. Attend those or look back at them. 
Um, a couple of months ago, it was brought up there that it's possible to convert an assessment that's ongoing that you've started into a mock. If you failed, that failure gets reported to SPRS and DOD will see that you failed. If you have the plan and DOD looks at your and says, okay, you've done a self-assessment and you have a plan, but then you fail. Self-assessment and a plan with a fail as a whole is not going to get you something. We had a discussion internally. We really don't want to do that. We want to, we'd rather be harder, and harder is not quite the right word, more firm in looking at the details for the scoping call during the scoping to say, yes, you're ready, no, you're not. I'm not going to get in, I'm not going to take the time for a scoping call to go into every single requirement and notice, and there's no way I'm going to know upfront that your time sync on your firewall and your Active Directory server are different sources. There's no way I'm going to know that until the actual assessment. Now, the good news is that one's programmable. So I have a quick— there's a question for you that I always wonder, so maybe you can— you know, if I go to the SOC world, and, you know, as part of a SOC is you were doing Type 1, and you had 3 months, you need to have data for 3 months before you could go to— so, to Type 2, for the CMMC, when you go do the assessment, do you need to have X months prior of running it, or do you consider the assessment can be your month number 1? And which means you don't have much history of you going through the— let's go back to the restaurant. You're building a restaurant that you intend to serve food in. If you've got— where I'm understanding is you're saying, okay, I've got a new— exactly, the restaurant, or we just created a new enclave, or yeah, we were going to do the whole enterprise and it's just too darn much, so we've built an enclave. 
If you've— no, you're not going to be able to show me that you've got a year's worth of audit records because your SSP says you're going to retain everything for a year. You've been in it for probably a couple of months. You may not have had a chance to do a tabletop exercise and test it. Do you have it on the calendar? Do you have a plan that shows me that you will meet this requirement that you say you're going to meet? You haven't been around for a year, so you haven't done a periodic full assessment. So yes, it is possible. We'd like to see some evidence that you followed change control. You've added a user, you followed the change control process, you did a background check, you did— maybe it's a new enclave and everyone's already employed, but you have to authorize. I see something different between, so I need to prove background check, I would expect you to background check independent of compliance, you should be doing it, versus I'm going to show you that I have kept 5 years of the log, or whatever, I'm putting a number. Yeah. I just consulted with a company that's built, that is building an enclave, helped them write their SSP and everything. All of their employees, they're only going to have 5 people in, in the enclave. But these 5 people, when they were hired over the past 4 or 5, 10 years, had background checks performed. They don't have to have a background check again to be authorized to be in the enclave, but they have to be authorized. And there you have to have written a process for how you're going to authorize. You got to follow that process. And one of the things, and I'll throw this out as a pet peeve of mine, it'll pass. Probably. An organization says to me, Active Directory is my list of authorized users. How did they get there? Who added them? Did a hacker get into your system last week and add a new user?
And you're telling me that your system of record, your authority for who is authorized as a user of this environment is the fact that they have an account in Active Directory. And what happened if you fired someone? Did you remove the account? Yeah. Did you remove it? So is Sue who left a year ago, is she still authorized? Jim Bob has a buddy named Kyle who says, hey, I'd love to see some of this stuff you're working on. So Jim Bob creates an account for Kyle outside of the normal process, and Kyle then gets in. Oh, that's really cool stuff. Thanks. Jim Bob created an account for Kyle. It's in Active Directory, and if Active Directory is your system of record, the account exists. So obviously, because you say that Active Directory is your system of record, that he's authorized, right? So systems, users, there's, there's all sorts of little— everything interconnects. There are, there are requirements at the beginning of 800-171 that relate to requirements halfway through, two-thirds of the way through. They roll back and forth. I would love to have an AI that can look at, help me look at the SSP and policy and say this sentence in this policy will, is related to these 3 requirements. So, that's going to come. We will never see an AI able to do the determination of is adequate or is it sufficient. And that's, that's another thing that OSCs, the organizations out there don't know, is the difference we're assessing. One of my coworkers calls it, we're calling balls and strikes. I've pushed it a little bit further and said, I'm not going to criticize you on your pitch selection. Or the fact that you put your third baseman over between first and second base. Did you throw the ball down the middle and is it a strike? If so, great. Where you have a requirement, that's an objective. We have to go here, objective by objective. If you have an objective that says define or identify, you'd better have defined or identified that. That time sync source is one of those.
It specifically says define it. So like, these are lots of like tips and tricks, but like if, if you're like an, if you're like an OSC and you're doing this for the first time, how are you supposed to know all these tricks that you already know? Hire somebody that knows what they're doing. Yeah, that's, that's it. The company that hired me last year had an internal IT manager who said, yeah, I've read, I've read NIST 800-171, I can do this, I can, I can get us ready and obviously didn't. There are a lot of companies out there who are— the marketplace, the CMMC marketplace is a good place to start. But I will tell you that there are— that the RPO side, the registered practitioners, the registered practitioner organizations, it's a pay-to-play. I plop down $500. In 2020, when I still didn't even know that you needed every objective in your SSP, I was an RPO or an RP, sorry. RPO is the organization. I was an RP. My training provider didn't teach me. I remember taking even the first test, I think, and it was easy to get and you were like, I don't feel like I know that much. Oh yeah. Yeah. And then it didn't go over 800-171. It went over the ecosystem. It told— it was like, what is the Cyber AB? What is an RP? What is an RPO? What is a training organization? What is an assessor? It was that type of thing. So I highly recommend get somebody there. Go to the marketplace and look. What was— what is it now, about 800 certified assessors? I can't remember the number. Um, 400 or 500 of those are leads. Um, there's 1,100, 1,200 professionals. Um, I should have looked at those, but those numbers are probably out of date. Not every single one of those is working for a C3PAO. Not every assessor, not every lead assessor is working for C3PAO. There are calm RPOs, there are consulting organizations that have CCPs and CCAs on staff. There are businesses that are hiring CCPs and CCAs to work for them, to help them, only them.
So wherever you can get somebody that has experience, get an organization that has helped other organizations pass, right, their certificate, get their certification. So, so you wouldn't recommend just like a director of IT going in it all by themselves? Do they understand NIST 800-171? Do they understand— if they have experience with 800-53, with RMF, with the world of management. For me, my learning on my side is also, you may understand the IT side, but do you understand paperwork, the process, the expectation? I think it's this, you know. Yeah. Yeah, yeah. The company that hired me last year, that I spent 5 months in there full-time, just about, um, technically they were very, very sound. Multi-factor authentication was in there, the DMZ, they had everything else going. There were some segmentation things we had to come up with, and, and we had to come up with other stuff, but they had one policy that I kept, one policy I kept, their disaster recovery. It was very well written. They were, they were, they were an ISO company. They knew how to do procedure. They knew how to do policy. They didn't know how to do CMMC. We started and I took, I took a template. I had them buy a template from another company that happens to be a C3PAO. And this is even where I say you need to understand it, know it. It took me 3 months to rewrite everything working full time. So that template had errors in it. In the world of— in CMMC 1.0 in 2020, when I started, there were some of the requirements in the CMMC rewriting of NIST 800-171 where it said this requirement is for FCI contract information. 800-171 actually says CUI. And when they went to 800— went to CMMC 2.0, before— still before the regulation, they renumbered. So 3.1.1.1 was not 3.1.1. Maybe it was, but there were, there were numbers and they were grouped in different families. So if you had a previous template, you went and said, this is the one dealing with the time sync. It used to be 3.whatever.
We're going to change it to be 3.now the new number, but we're not going to do the reconciliation to make sure that the wording there is identical. Their— that template from this C3PAO that is a highly respected C3PAO. I highly respect them. They were huge in the early days of CMMC, and I'm not going to name them. Their template, when I looked at it again in August of last year, still, even after I told them you have errors, the template that a customer can download still had those same errors. And it's why for me, if I, you know, for the listeners, you know, again, I don't doubt their IT, most of them will be very good from an IT perspective, but it's everything else. You can have the most perfect implementation of the technical side and fail within 15 minutes of your assessment starting because you don't have the processes to prove that you are controlling access. Access control is the biggest one. It's the one that I'm, I'm betting everyone starts on access control because access control is the foundation that everything else is built on. So if, if you don't identify who your users are, one of, one of my clients that I consulted with not too long ago, I don't need to have a separate account for an admin. And because this guy is only an administrator. And I said, no, the account you log into is your user account, or you, you have identified somewhere else in your system security plan because of 800-171, you have identified what a standard user can do. Standard user can read and edit and save Word files, Excel files, browse the internet, generally browse the internet, maybe. Um, if it's, if it's one of those, we're wide open. What you've, you've defined that your administrator account that you're trying to tell me is the only account you need. Can it do all those things? Because there's also another requirement that says that what the standard user can do, has to be different than what the privileged user can do.
So now it doesn't, doesn't mean that the privileged user can't do some of the things that this ordinary user can do, but they certainly are going to be able to do other things. And you don't want— if, if the account that you log into, if that is compromised, you've just allowed— and this doesn't get into why, but you've just allowed somebody access to privileged access. So elevated access. There's, there are so many little things. And but if, but if you aren't documenting it, if you don't have the list of users, if you don't have the list of devices, if you're not managing controlling access and you can't demonstrate it. Now, your SSP— before CMMC certifications came in, DIBCAC, the DOD organization that can come in and audit— and by the way, they still have the opportunity to do this— could call you as a defense contractor and say, Send us your SSP and all supporting documents. We're going to assess that. Bruno, what was it called? A DIBCAC moderate or medium? I can't remember. DIBCAC medium. DIBCAC is going to come on site and do everything and observe and say, show me. DIBCAC moderate was send me all of your documentation, your SSP and every, all the supporting documents. That gets assessed. Yeah, that gets assessed. And if you can't show them with that, here's my list of users, here's my list of devices, here's my— and they're authorized in this manner. And this is, this is how we confirm that they're authorized. And it's just not going to be good. Yeah. So you can be technically sound. Bruno's got to go, unfortunately. Yeah. No, but I think so. Yeah. That is another episode of Trust Issues. If this conversation helped you think differently about compliance, security, or trust, share it to help someone who is still stuck in a checkbox mode. Each week we will keep bringing you more episodes, resources, and real-world insights from the BeMo team.
Wherever you are listening from, don't forget to rate the podcast and follow us to stay up to date on the latest developments in the GRC space. Remember, compliance gets you certified, but real security, that earns trust. Thank you for listening.
