BeansTalk

Accounting for CMMC: Controls, Costs & Compliance

Mauldin & Jenkins Season 1 Episode 9

In this episode, we break down the Cybersecurity Maturity Model Certification (CMMC) and its growing impact on government contractors and suppliers. Join us as we explore what the CMMC framework means for your organization, how to interpret its controls, estimate compliance costs, and integrate it into your financial and risk management strategy. Whether you're preparing for an assessment or just starting your compliance journey, this conversation is packed with practical insights and expert guidance.

About Our Guest
Jameson Miller, CPA, CISA, CISSP, CCP, CCA, is a Partner in the Chattanooga, TN, office. He performs information systems regulatory compliance and framework reviews, System and Organization Controls (SOC 1, 2 and 3) Examinations, and cybersecurity assessments for information systems.

About Our Host
Brandon Smith, CPA, is a Partner based in the Atlanta office and the Advisory Practice Leader.

Speaker 00:

Welcome to Beans Talk, MJ's podcast where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience. Cybersecurity is important to all of us. But it's especially important for our country's defense ecosystem. And our professionals and our technology services division work with partners in the defense ecosystem to help them navigate cybersecurity considerations and regulations. And so I'm very excited today to be rejoined by our practice leader over technology services to dive into CMMC to go over what is it and how is it impacting our clients. Hey Jameson.

Speaker 01:

Hey Brandon, how are you today?

Speaker 00:

Jameson, I'm doing wonderful. And again, I know you're a returning guest. I really appreciate you coming back to the microphone with me, especially for this. I always like talking technology and cybersecurity, and this topic especially I find very fascinating. So I'm excited, very excited to dive in with you. But before we get too deep, will you just remind our listeners a little bit about you, your background, and your role at Mauldin & Jenkins?

Speaker 01:

Sure. Thanks. So my name is Jameson Miller, and as you alluded, I'm a partner here at Mauldin & Jenkins. I've been with the firm now for approximately 19 years. It's hard to believe, I know. But I started the first part of my career as a traditional CPA, financial statement auditor, so to speak. I obtained my CPA license, and I've always just been kind of a computer nerd at heart. So after spending about 10 years of my career doing that, I was given an opportunity to transition over to technology services. That's anything from consulting and penetration testing to doing SOC 1 and SOC 2 type assessments. And now what we're here to talk about today: Cybersecurity Maturity Model Certification assessments.

Speaker 00:

Well, and that's something that's been a big trend in the accounting profession: to really apply the CPA playbook, in terms of looking at internal controls, whatever the subject matter is, just to ensure different objectives are being met. So it makes perfect sense that when it comes to having that background and that blueprint of how to assess an organization's controls, it's just realigning the subject matter. Instead of financial reporting controls, it's technology security controls.

Speaker 01:

Yeah, absolutely. It's just like how the public puts faith in audited financial statements. It's important that those audited financial statements are prepared, or not prepared, but audited by an organization that's independent from the auditee, correct?

Speaker 00:

Right.

Speaker 01:

And so why is that? Well, it's because if you're able to self-assess that your financials are good, of course you're gonna say everything you put together is golden. But you really need that third-party verification to come in and say, yes, what they have there in their financial statements is correct. So to take that and apply it to information security and internal controls, it's the same kind of playbook, as you said. But yes, the subject matter is geared more towards technology and the controls around the protection of it.

Speaker 00:

Applying that public trust in CPAs to security. I love that. And that really pulls us into the discussion of today, which is CMMC and the movement from self-attestation to third-party assurance and confidence. And so with that, before we get too deep, will you just give me some background and maybe the overview and definition of what CMMC is?

Speaker 01:

Yeah, so CMMC, simply put, the best way to think about it is to consider this the Department of Defense's new verification system that the defense industrial base can protect the sensitive information that it is giving to them through the procurement process with the United States federal government, so that we're ensuring that our nation's privacy and security and other special interests are protected.

Speaker 00:

Well, and that seems pretty important. Absolutely. Who needs to comply with this?

Speaker 01:

So this applies to anybody that's gonna be working in the defense industrial base. So even if you're a prime contractor, like a Lockheed Martin, well, Lockheed I know works with a lot of different subcontractors, and they share some of this information that the government considers what they call controlled unclassified information, or CUI. We can talk more about that in a minute. But with the advent of the CMMC, it's gonna be a flow-down approach. So if a prime contractor is sharing certain aspects of controlled unclassified information with you, or perhaps even federal contract information, which we can get into the nuances of the differences between those in a minute, then yes, it's gonna apply to you. And this will trickle down, because what we have found is, and we're all aware of this, that third-party breaches are a significant impact, especially in our defense supply chain. You go back historically and look at what's happened. I won't name names, but you can go back and do Google research and find out that a lot of times when our defense industrial base or the DOD is compromised, it happens through a third party or through one of their vendors. And so it's just important that we take a top-down approach, all the way from the prime contractors to the mom and pop machine shops that are making widgets that go on submarines or aircraft or whatever.

Speaker 00:

So the full supply chain, all the way down. Everyone who touches that CUI, which we'll dive into, the whole supply chain, this becomes applicable to everybody. Well, I guess the question is: so this is new then? They've never had to do anything in this regard previously, or is it just changing?

Speaker 01:

Yeah, it's a great question, actually. It seems like it's new to everybody, but the reality is this is not actually new. So the CMMC is based heavily off of the National Institute of Standards and Technology, or NIST. They have a special publication called 800-171, which is currently in revision two. And essentially this is a set of controls for protecting controlled unclassified information in non-federal systems. There are 110 controls, or practices, within this framework that organizations are now gonna be required to comply with. However, the requirement to implement NIST 800-171 has existed in contracts previously. So this is not necessarily new. It's just the assessment part that's new, but the requirement to implement these controls and to protect CUI and FCI, federal contract information, those have always been there, at least within the last 10 years for sure.

Speaker 00:

So that mom and pop machine shop, creating the widgets going in that carrier, as the example. So that mom and pop shop, they've always had to be maintaining security practices. It's just that this is elevating the level of taking a peek and kicking the tires on what they're doing.

Speaker 01:

Yes, it's elevating what they're doing, but it's also bringing forth, I think, a lot of information, such as bringing it to light. So before, these things were kind of buried in contracts and language, and people would just sign them not realizing everything they're agreeing to. And so, fast forward to today with this assessment process, well, you can't just self-assess that you're gonna do this and sign a document and move on. Like the proof is in the pudding. You're gonna have to pass an assessment. Somebody's gonna have to come in as a third-party assessor, assess your environment, and say, yes, you are meeting all the 110 practices that are included in NIST 800-171.

Speaker 00:

And it makes sense that it's really highlighting that, bringing it to light as you described, especially with our evolving business environment where we are working more and more with contractors, whether it's for services or for systems. We all move into more SaaS-based systems and cloud-based systems, or just for different functions of our environment, finding specialist partners to work with. In today's economy, it makes sense to have a comprehensive supply chain and not try to go it alone and do it myself. But with that, I'm thinking about this environment of having our prime contractors and then all of their subcontractors. Are they all held to the exact same standard? Are there different levels to CMMC? Or are we all following the exact same playbook and held to the exact same standard?

Speaker 01:

Yeah, so there are three different levels of the CMMC. What we do know currently right now is they're really only rolling out level one and level two. So level one applies to those organizations that are just getting federal contract information. Once you step up to level two, what triggers that is, okay, you're in level two because you are either processing, storing, or transmitting controlled unclassified information. So once you've crossed into that territory, then you are now required to do a level two assessment. A level one assessment can still be done as a self-assessment. But again, that's because those organizations aren't touching controlled unclassified information, they're not processing it, they're not looking at it, they have nothing to do with it. So as long as that's the case, level one's good for them. There are 15 practices they have to meet, very basic things every organization should be doing, honestly. The next level, level two, then like I said, it jumps up to 110 practices, and that's where if you are processing, storing, or controlling controlled unclassified information, now this applies to you. Level three, that'll be rolled out in the future, over the next several years. But what I do know about level three is they're reserving that for areas of the defense industrial base that have access to controlled unclassified information that might be more sensitive than perhaps other controlled unclassified information. They haven't really defined the nuance of what the difference is yet. But if you fall into the level three bucket, you have to meet all the requirements of level two, and then you have to have a level three assessment, and that one's done by the federal government.

Speaker 00:

So for me as a business leader, the size and complexity and maturity of my enterprise doesn't necessarily derive which level I need to accommodate. It's the information that's routing through me. Yes, absolutely. And so with that, we keep mentioning CUI, and that's clearly an important concept that impacts all of these considerations. So can you help me drill into CUI a little bit?

Speaker 01:

Yeah, so CUI, or controlled unclassified information, is any information that the US government creates or possesses that requires specific controls to protect the security of that information and the sensitivity of it. It's not classified information. So this is not stuff that is top secret or secret, but it's sensitive enough that it warrants protection. So think of it in simplistic terms: it might be a recipe, it's not the final cake.

Speaker 00:

Right, right. I like that analogy. And so for me then, realizing that I do have part of the recipe, even though it's not the final product, I am a key part of this whole picture. I'm just doing my little piece of it, but it does lead to a bigger picture. Therefore, my piece needs to make sure it's meeting this bar. And this might be kind of new to me, based off of the changes, when all of a sudden I need to no longer just self-attest, but need to have somebody come in and get that assurance around it. What are considerations I should have in mind financially? I'm thinking in terms of, okay, I need to start budgeting for this. What are things for me to keep in mind?

Speaker 01:

First is you need to understand where the CUI in your environment is, or if you even have CUI. That's the most important thing, because honestly, if you don't have CUI in your environment, you're not processing it, storing it, or transmitting it, then level two is not gonna apply to you. It's very important to figure that out from the onset. Then the next thing I would say is, for most organizations, if you're going from zero to full compliance, it's gonna take time. And that's one of the major resources in this beyond just the people to help you do it. So you're gonna have to have the budget for time. And it typically takes organizations anywhere from nine to 12 months to go from zero to full compliance with all 110 practices. So that's one concern that you want to start budgeting for. The next thing you want to start thinking about is we're gonna have some capital expenditures possibly associated with this. So think about new hardware that you might have to acquire. So things like firewalls or SIEMs or other things that you need in your network architecture that you might not have now, or potential upgrades that you might need to make. Okay, so case in point: on my way to the podcast, I was actually listening to another podcast about CMMC. And one of the things that podcast mentioned was there were some small mom and pop shops that didn't want to invest in new Wi-Fi infrastructure. And so every time they were adding on additional warehouse space, they would just go and buy an off-the-shelf wireless router, plug it into their network, and now this new section of the warehouse has Wi-Fi. Well, one day they continued to follow that process and they plugged in the Wi-Fi router, and all of a sudden some bells and whistles started going off in their SIEM, and they were trying to figure out what in the heck is communicating back to China from our network. And it happened to be this router that was purchased off the shelf. And so it just goes to show you that there could be things like that in your environment. You're not thinking about wireless, and then, we're gonna have to revamp how we do wireless around our infrastructure. That could be a significant cost that you're gonna have to incur, but it's necessary for the security.

Speaker 00:

Right, exactly. So definitely when it comes to planning for potential hardware upgrades, hardware replacements, and even just an evaluation of what we have in our environment right now, to really go through and see where we are. But I like that you called out time too. This isn't gonna happen overnight.

unknown:

Right.

Speaker 00:

You know, we need to make sure that we're giving ourselves the time to assess what information we have our hands on, whether it meets the status of CUI, what the implications are for us, and then giving our people the time to go through and do the analysis they need to do, and probably have some service providers help us navigate this as well.

Speaker 01:

Absolutely. And so, luckily, the DOD and the ecosystem has created an accrediting body called the Cyber AB. And so you can visit their website, cyberab.org. And there they maintain a marketplace of what they call registered practitioners and registered practitioner organizations. And you can go to that marketplace and look up people that have gone through the certification process and become a registered practitioner. And you can find the organizations that house these registered professionals, the RPOs. Mauldin & Jenkins is one of those, of course. And these are people and organizations that have gone through the proper training, they've passed the certification tests that were required, and they have been authorized to then consult in the industry. So the RPOs can do the consulting; they can't do the level two assessments. They've reserved that for another group.

Speaker 00:

I get the picture that the standards everybody in this defense ecosystem needs to abide by are a pretty high bar to have to meet. So I suspect the standards that practitioners like you had to meet to help those organizations was a pretty high bar too.

Speaker 01:

Yeah, it's not fun having to take certifications. You know, I really thought when I took the CPA exam, I was like, I'm never gonna do this again. And I don't intend to ever take the CPA exam again. But I've had to go get additional certifications. And these are proctored examinations that are just like the CPA exam, where they're recording you and making sure you're not chewing gum and all those things that are part of it. But it is an onerous process. It's a lot of training, it's a lot of cost to even get in the space and be able to do the assessments.

Speaker 00:

Well, I know that the people in this ecosystem need the help, so it's awesome. You did the lift for them and now you're able to help them. But we've been talking about costs, both in terms of time, but also money from the perspective of services, hardware, analysis, all of that. But as a business leader, I also want to think about return, because I see that cost as an investment. You're trying to increase my enterprise value. Do you see an opportunity for me as a business leader to look at this as a potential avenue for ROI?

Speaker 01:

Absolutely. So, first of all, with this requirement, it's mandatory. So if you want to be receiving the revenue from your defense contract, you're gonna want to comply with this. Otherwise, you're putting that at risk. And we can talk about the False Claims Act and what that means and how that applies to the CMMC in a minute. But that's number one in terms of ROI: zero revenue unless you comply with this.

Speaker 00:

These are like the new table stakes, like you're not even sitting at the table unless you meet this prerequisite.

Speaker 01:

Right. And so when you sign that contract that says, this is the contract we're gonna execute between us and the Department of Defense, you are saying that you have met the 110 requirements of NIST 800-171 when you sign that contract. And the way that's gonna be enforced moving forward through this regulation is that executives of your organization, owners, the C-suite, will be held professionally and privately liable for these kinds of egregious acts. Like if you say that you're meeting something and you're not.

Speaker 00:

All right. We're gonna circle back to that because you piqued my interest on it. But real quick, it sounds like when I'm bidding on work, I need to make sure I'm factoring this in.

Speaker 01:

Absolutely. If you're bidding on the work, you need to at least already be going down the road, so that when the time comes to sign this contract, we can demonstrate that we're meeting the 110 requirements.

Speaker 00:

Right. All right, let's go back to that. So that would be like the cost of non-compliance that for me, in the C-suite, I want to make sure I'm mindful of. So drill into that a little bit for me.

Speaker 01:

Well, I do want to talk about some of the other ROIs just real quick before we get into that. So one thing I wanted to mention is that I think a lot of smaller organizations are gonna look at some of these requirements and say, this is too onerous for us. We're not gonna do it. And so they're gonna get out of doing some things with the defense industrial base. So if you do this now and you implement it early, it could give you a competitive advantage, a leg up on your competition, where you've already complied. And so now you can go get more defense contracting work than you previously had. So that's one way.

Speaker 00:

Yeah. Well, and we might see some consolidations then, in terms of an organization that has maintained compliance going and helping tuck in some of the organizations that see it as too onerous now, or just an opportunity to bid on some new work that otherwise you didn't have, because the folks who previously did it are now saying we're checking out.

Speaker 01:

That's right. That's right. So that's definitely one of the biggest advantages I think I see right now. Yes, absolutely, in terms of return on investment. The rest of the return really comes from risk reduction. And perhaps, once you've implemented these controls and you can demonstrate it, no guarantees on this, of course, but in theory, hopefully you could potentially get a reduction on things like insurance costs.

Speaker 00:

Right.

Speaker 01:

Yeah, absolutely.

Speaker 00:

Well, I appreciate you keeping us on ROI, because that's always the really important thing we need to stay hyper-focused on: how do we use this to increase our return and our enterprise value. But I just get my blinders on, like, oh no, I'm at risk. Tell me more. So okay, cost of non-compliance.

Speaker 01:

Yeah, cost of non-compliance. So the penalty is gonna be financial, absolutely monetary. It could be as much as jail time, even. So you could be held criminally liable. And sure, it probably depends on the sensitivity of what you allowed to get leaked or disclosed or whatever, or whether you were just negligent. But interestingly enough, there have already been some prosecutions, some settlements out of the False Claims Act already. So you can go Google this, listeners out there that are interested. But there was a recent company that was just fined $1.75 million for failing to implement all 110 practices. And they actually self-reported themselves. So that's kind of eye-opening, I think, as to how serious they are. And then one thing that I would like to say is that the owners of this company, they were backed by some private equity, and the private equity group was fined as well. So yeah, you can read about that out there on the internet if you want to.

Speaker 00:

Well, that definitely shows me why I need to get some support to make sure I'm doing this right. And so from that, I guess, if I could steal some of your thoughts, just first steps. If I were to get you to sit with me and help me think through how to really go in the direction I need to go and really prepare for this, and both make sure I'm managing the costs appropriately, also keeping an eye on the ball for ROI, and then avoiding that situation where I'm financially or potentially even criminally liable. Which makes sense, because the stakes are high on this. This is critical stuff for advocating.

Speaker 01:

It's very, yes, and it's very important. And I think our government wants to make it absolutely clear that this is not something that's a checklist that you can just say, yeah, we've done, and disregard. This is important for the protection of our country and its citizens. And if we don't protect this stuff, then it does. It absolutely gets out to our adversaries, who then use it directly on the battlefield to impact our warfighters that are out there.

Speaker 00:

Yep.

Speaker 01:

And, you know, this is how those of us here at home can play a part in helping prevent that kind of stuff from happening.

Speaker 00:

Exactly. Yeah. Sort of my first steps. Okay, so first steps.

Speaker 01:

How do I move forward? So you've moved forward and you've determined, okay, we have CUI in our environment. So the big thing is understanding your business processes around how that information moves through the environment, how it's processed, how it's being stored, how it's being transmitted, who has access to it. Is it a limited number of people within the organization, or is it everybody in the organization? That can have an impact on your first step. So essentially, I would say that identifying where it is and how it's moving around, and who has access to it. And then the second thing is scoping the assets around that environment. Scope is very important when it comes to CUI. So the more contained and, I guess, protected, but centralized and limited on who can access it, the easier it is to implement some of these standards and protect it. The more you have it out, and you have different departments and they're communicating, and we have lots of different people touching lots of different things, that can complicate things. So those are important things to understand, first steps. And then I think the next step is you want to identify some people within your organization that can be project sponsors. This is not a specific requirement. This is just me saying it helps to have somebody internal to your organization that's pushing this kind of compliance.

Speaker 00:

It's like any big change management project, where you kind of need a project manager.

Speaker 01:

Yes, you know, absolutely the case with the major. Right.

Speaker 00:

It's too important not to have somebody constantly think about this and pushing us all forward.

Speaker 01:

That's right. And so, once you've identified that individual or individuals, you'll want to probably, I would argue, put them through some kind of NIST training so they can get more familiar with it. But then at that point, I think that's where you want to reach out to a third party, like a registered practitioner organization, and meet with them and see which one's gonna be a good fit for you. Because there's a lot out there on the marketplace that you can evaluate geographically. You can search by location and find one near you. But that, I'd say, is a critical step, because they can help you with that scoping. They can give you ideas on, well, if you change this business process just slightly here, then we can narrow the scope of where the CUI is going even further. And so, within our organization, we have only a handful of professionals that are working in this space, but we have over 500 employees, right? And so what we have created is what we call a secure enclave, where only the people that are working with CUI have access to that system. And that system is scoped out and it meets all 110 requirements of NIST 800-171. All CUI gets transmitted into that enclave, it stays in that enclave, it gets processed or evaluated or whatever in that enclave. And so that's how it works for us.

Speaker 00:

Yeah, that sounds... so can I take a peek at that?

Speaker 01:

No. Maybe one day if you have a need to know, but yeah, that's right, that's right.

Speaker 00:

And then should I have a whole compliance team around this, when it comes to making sure that I'm doing what I need to do?

Speaker 01:

Well, absolutely. So I think, even in our scenario, what we've learned in creating our secure enclave, it takes a minimum of at least three people to create all the necessary segregation of duties within the environment to keep everything functioning. And so we have to have one person that's in charge of patch management and keeping up with everything on a monthly routine basis. And then we have a different person that's in charge of making sure that people that are getting provisioned to the system are meeting all the training requirements that we've set up, and they're going through the proper approval process to get access to that system. So, to go back to your previous question, if you do go through and get your CCP and your CCA, then absolutely we would add you to the system.

Speaker 00:

Then you'll provision me some access to take.

Speaker 01:

I need to have access. So we'll because we'll we can use your own assessments.

Speaker 00:

I don't know. I think I'm done with certifications, but that does sound intriguing. I don't blame you.

Speaker 01:

It is a very onerous process. So each one of these certifications has required at least one week of training with a licensed training provider. And then again, the proctored examination, which is no cakewalk. I mean, it's a four-hour test, closed stream, all that good stuff. So yeah.

Speaker 00:

Well, I'm definitely curious about it, but I'll just have to maintain that curiosity. Well, and just thinking about this too, talking about the different steps I'm gonna take, my first steps, and then developing my compliance team and helping me think through everything I need to be doing, including reviewing policies, adjusting standard operating procedures. This makes me think of a common consideration where we're evaluating controls that help us meet a certain objective. Our objective is maintaining compliance with CMMC; the controls we have in place are those outlined by NIST and CMMC, et cetera. So this gets me to the standard playbook in terms of a gap analysis. Is that something we should be walking through here? Some type of gap analysis of where are we, where do we need to be, and what are the gaps?

Speaker 01:

Oh, absolutely. So once you've scoped out your assets, your environment, and you understand where everything is, that's where you want to do the gap analysis and determine where we stand today against the 320-plus control requirements that are within NIST 800-171. So I said there are 110 practices. Each of those practices has multiple layers of, we'll say, control considerations or control objectives to meet that practice.

Speaker 00:

And that's something as a certified practitioner, you could either help with that gap analysis or come on the back end to validate satisfaction of the controls.

Speaker 01:

Yeah. So as the registered practitioner organization, you could come in, you could do the gap assessment, um, provide a roadmap, so to speak, of hey, here's where you're at, this is the gap, this is what we would recommend to close the gap. Um, or here are some ideas of what other organizations that we work with have done to close this gap. Right. Um, and then that, you know, gives them the opportunity to go figure out what they want to do.

Speaker 00:

And I imagine too, you know, the front end of this conversation we were talking about just, you know, the whole defense ecosystem and how this is impacting the supply chain, everything from the prime down to subcontractors and everything in between. I imagine for me, as a member of this, my supply chain's impactful too. You know, not only are they being subject to this on both sides, but also I need to be evaluating them. Is that the case, or can I just trust that they're doing what they need to do, they're satisfying CMMC, therefore I'm okay to work with them? Or do I need to kind of keep a handle on my supply chain?

Speaker 01:

So you do have to keep a handle on your supply chain, because you have to understand and make sure that if you are working with a vendor and that CUI is crossing over into their environment, then yes, they become subject to that. And you need to make sure that that's okay. So for instance, our secure enclave, um, there are certain security requirements and how that is set up, um, within the infrastructure itself, like AWS or Microsoft Azure or whatever environment you're using, um, you have to meet certain requirements around those things. And if you're using a third party like Microsoft or Amazon Web Services, you have to make sure that they are doing what they say they do. So for instance, uh, if you're going to be building a secure enclave in Azure, then you're gonna be in their GCC High, you know, cloud environment that has been approved by the government to store CUI, um, and process and translation.

Speaker 00:

So this seems to be something that I'm just keeping top of mind as I'm working with partners, as I'm engaging vendors.

Speaker 01:

Absolutely. So you wanna stay, uh, focused on how are they interacting with the data in your environment, um, or are they coming into your environment even and being exposed to controlled and classified information? So if you have an MSP that comes on site and then performs, you know, work on your security protection assets that are part of your, uh, scoped-in CUI, then yes, that MSP might then get pulled into the scope of your environment.

Speaker 00:

And if I just happen across a secure enclave because I want to take a peek, I'm pulled into it.

Speaker 01:

Potentially, yes. Yeah, yeah. No, absolutely you would be.

Speaker 00:

Yeah.

Speaker 01:

Um, and then there's a scoring system. Um, that the...

Speaker 00:

All right, I'll stay out of it, Jameson.

Speaker 01:

Yeah, yeah, yeah, no, no. You do have to stay out of it. But there is a, uh, government database. It's called the SPRS, or the, uh, Supplier Performance Risk System. And, uh, that system is where you go in and you actually say, yes, we've met the 110 requirements, and you submit that. And so then other organizations can, um, go in and, I think, check that. All right. And then once you go through the level two assessment, they give you a, uh, certificate essentially saying that you've passed the level two assessment. You're not allowed to publicly post that on your website. Um, however, you're allowed to then say we're level two certified. So they haven't really been clear, uh, yet on, you know, whether or not you have to provide the proof, like here's our level two certification certificate. But what we'll say is they have been very specific: do not post that stuff, the certificate, publicly.

Speaker 00:

So that makes sense. That makes sense. Well, Jameson, this has been incredibly enlightening. You've talked about just the basics of what's in CMMC, who this applies to, financial considerations as we work in this journey, and then also some operational considerations to really be successful in this and look at this as an opportunity for our ROI, not just cost.

Speaker 00:

Anything else on your mind that we can share with our listeners before we...

Speaker 01:

No, I just really hope that, uh, this has helped some business leaders really, uh, understand these requirements that have been rolled out. And, um, with the rollout of 48 CFR, um, these are gonna start appearing in contracts really soon. So it's coming whether you're ready for it or not. So let's go ahead and realize that this is a risk to be managed moving forward. This is not an IT cost, this is not an IT problem, this is a full business problem if you're working in the defense industrial base. And, uh, if you need help navigating that, we'd love to help you with that. Uh, we are a registered practitioner organization. Uh, we are working on becoming, uh, a certified third-party assessor organization, or a C3PAO. Um, so, you know, stay tuned for that information when that gets released. But, uh, in the meantime, if we could help you with any of your, uh, scoping or, uh, answering questions related to the CMMC or controls or NIST or any other kind of cybersecurity questions, please just reach out to us here at Mauldin and Jenkins, we'd be glad to help.

Speaker 00:

I love how you frame that. This is not just an IT problem, this is an organization problem. Something all of us business leaders should keep in mind. So thank you so much, Jameson, and thank you to our listeners for tuning in. If you have any follow-up questions about this discussion or any other business challenges you're navigating, don't hesitate to reach out to us at www.mjcpa.com.