BeansTalk
BeansTalk: Where Expertise Meets Opportunity, Mauldin & Jenkins' podcast, where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience.
BeansTalk
The CMMC Roundtable: Scoping, Social Engineering, and Success Stories
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
This episode provides an objective look into the shifting CMMC landscape as the defense industrial base transitions to rigorous, third-party assessments. Jameson Miller, M&J Partner, and Chris Silvers, owner of CG Silvers Consulting, dissect real-world success stories and critical assessment failures, highlighting major pitfalls like scoping disasters, social engineering gaps, and external service provider blindness. Listeners will walk away with key insights into the technical and cultural realities of compliance, from asset management to employee preparedness.
About Our Guest
Jameson Miller, CPA, CISA, CISSP, CCP, CCA, is a Partner in the Chattanooga, TN, office. He performs information systems regulatory compliance and framework reviews, System and Organization Controls (SOC 1, 2 and 3) Examinations, and cybersecurity assessments for information systems.
About Our Guest
Chris Silvers, CISSP, MBA, is the Founder and Principal Consultant at CG Silvers Consulting, a boutique information security firm based in Atlanta, GA.
About Our Host
Brandon Smith, CPA, is a Partner based in the Atlanta office and the Advisory Practice Leader.
Click here to learn more about our technology services: https://www.mjcpa.com/services/consulting-advisory-services/technology-services/
Welcome to Beast Talk, M&J's podcast where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience. Recently I was joined by Jameson Miller, the leader of our technology services practice, to discuss the Cybersecurity Maturity Model Certification, or CMMC. This is a space that continues to evolve. So I have asked Jameson to come back and join me on the microphone to discuss where we're at now with CMMC and what's around the corner for us. And additionally, we're joined by a guest, an expert in the CMMC space, Chris Silvers, to help with our conversation. So thank you for tuning in. And Jameson, thank you for joining us. Chris, thank you for joining us.
Speaker 03Great to be here.
Speaker 01Will you both do me a favor, uh, starting with you, Jameson, and just give our audience a little brief background of kind of who you are, what your role is, and your your kind of touch points with CMMC.
Speaker 02Sure. So as you already mentioned, my name is Jameson Miller, and I uh am the IT leader of our practice leader here at Mauldin & Jenkins. I've been with our firm about 20 years now. Um spent the first half of my career as a as a CPA working on financial statement audits, and then I've spent the last half of my career uh working in the information security space. So that's all things. Uh Graham Leech Bliley Act to SOC 2 compliance and SOC 1 reporting. Um and so it was just kind of a natural fit for us to pursue this other assessment area uh that the Department of Defense has created. And so joining me today is Chris, who I've been partnering with on some CMMC assessments.
Speaker 01And and Jameson, last time we were together, you kind of gave some background on just kind of how the CPA profession is tackling information security and kind of the playbook of just public trust and third-party, you know, independent assessments and kind of how that's being directed, you know, at the world of cybersecurity and and the like. So, you know, fantastic conversation. I look forward to continuing it here. And and Chris, will you do our audience a favor and just kind of tell a little bit about your background and your roles?
Speaker 03Yeah, absolutely. So uh I've been in the cybersecurity industry since uh the late 90s, back in 98. Started here in Atlanta at the Federal Reserve Bank of Atlanta. Um, that's kind of where I say I cut my teeth, if you will, in cybersecurity. Um, bounced around a little bit and got into consulting back in 2008. And um, and then 2014 started my own company, kind of branched out and uh uh created CG Silver's consulting, doing penetration testing, doing a little PCI uh assessment, some Sarbanes Oxley, that kind of stuff, uh a little bit of compliance. And then early 2020, uh, I found out about this new thing called CMMC. And uh back then it was version 1.02, and uh started doing a little consulting and a little bit of uh mock assessments for some clients, and then uh was fortunate enough to start teaching uh CMMC certification courses back in October of 2021. Uh and so uh that's been really a great opportunity. I'm honored to say that I've I've taught over 2,000 students now. I stay in touch. Uh Jameson was one of my star students, obviously. And uh and yeah, it's it's been a great, great, great ecosystem.
Speaker 01Well, Chris, we were very appreciative of you joining us for this episode. So thank you for making that the trip to join us. And that background is is just it's awesome to hear about. And and one thing I love about both of you too is that not only are you experts in this field, but also you're business leaders and business owners. So a lot of these concepts, they mean something to you too. You've been navigating these for yourselves and also, you know, know the playbook to help other organizations kind of follow best practices. Now, Chris, you mentioned that you know you first learned about the CBMC concept in 2020. You know, it does feel like from somebody who's kind of on the outskirts of it, that this is a relatively recent evolution, kind of kind of a newer thing that all of us are navigating. But the truth really seems to be this has been around for a while. So will you kind of help me start out by describing a little bit more of kind of briefly the history of CMMC, kind of where are we now? How has the history led to where we are now? And then also we'll kind of expand that into what's kind of coming around the corner. But just some background around the kind of the current environment.
Speaker 03Oh goodness. Um, all right, buckle up, kids. Uh I'll try to just hit the just the highlights uh because believe it or not, the history of CMMC goes back to controlling or protecting controlled unclassified information. All right, it's also called CUI. And believe it or not, the what prompted the need for uh protecting CUI was 9/11. All right, so we go back to 2001. Uh based on the 9/11 tragedy, there was a report that came out, I believe it was 2004, the 9/11 Commission, and they found that if different federal agencies had shared information that was not even classified information, it was unclassified information, if they had shared that information between themselves, they could potentially have avoided the attack. Now that was really impacting, right? Um so Obama signed uh uh an executive order 13556, right? Jameson can probably quote that number as well, uh, because we cover that in our training, uh, in 2010 to create the CUI program. And so uh shortly after that, shortly, in government time, I guess, uh 2016-2017, uh a standard was uh was created called NIST Special Publication 800 171. And that is the that is the bedrock upon which CMMC is created, right? That that standard, uh that standard list of safeguards is what CMMC uh kind of audits and and makes sure that that companies are adhering to. So uh so yeah, when you say it's been a long time coming, yeah, it's been quite a while.
Speaker 01Well, and that makes sense because, like you said, that that CUI concept, you know, as soon as we kind of opened our eyes to the importance of unclassified information that does need to have a certain level of confidentiality to it, like clearly we needed to be mindful of it and protect it in some regard. So it is interesting kind of what that journey looked like in terms of just you know the implications that could tragically occur if we're not being you know mindful of that. Um and then kind of as we've developed practices and built you know through the NIST, that 800-171 publication, um, and then now kind of expanding that further to this assessment concept through CMMC. So, Jameson, talk me a little bit more about where we're at today. What is CMMC today? And what kind of, I guess, phase would you say we're in with respect to CMMC?
Speaker 02Yeah. So according to the Department of Defense, uh they would say that we're in phase one right now of the CMMC. So that essentially means that the CMMC is in full rollout. Organizations that are seeking assess uh certifications or assessments are uh partnering with C 3 PAOs or certified third-party assessor or C 3 PAO to start either mock assessments or full assessments uh with the intention to be ready by the rollout of phase two, which is coming this November 2026, where at that point that's when uh organizations that are signing defense contracts will be required to have a level two certification in order to uh uh to be in compliance with that contract. Uh now technically though, when we start talking about this, this is not anything new that these companies should have been doing. As Chris mentioned, NIST 800-171 has been around for quite some time. And actually under the DFARS, the defense federal acquisition regulations, they are required to have been implementing NIST 800-171 all along. Um but this is a new, you know, third-party assessment that verifies, you know, organizations can no longer self-assess themselves and say, yeah, we're meeting all these requirements.
Speaker 01So, Chris, you know, looking ahead, kind of what Jameson is describing, I guess, what does that environment look like in terms of who is this really going to apply and you know, kind of what do people need to prepare for?
Speaker 03Yeah. So uh the DOD estimates that there are uh around 80,000 companies, 80,000 contractors, and realize that this the reason that number is so large is because it's not just prime contractors. All right. There's a there's a misunderstanding out in the marketplace, I think, that that suppliers who are subcontractors don't think that they're covered under this compliancy, um, when in fact they are. There's a there's a thing called the flow down rule, and it's just that's just a kind of colloquialism, but it's but it's actually written into these laws, these defense uh federal acquisition regulation supplements to force prime contractors to flow down these requirements to all their subcontractors. And when they flow down the requirements, they're also flowing down the flow down so that a subcontractor has to flow down those requirements to their supplier. So it goes all the way down through the defense industrial base. So you've got 80,000 companies out there, some of them mom and pop shops, like right, like my own company, just a small family business, right? And uh so uh so we've got those 80,000 companies out there. And to date, uh the last number I saw was less than 800 of these companies have actually gotten certified, have gone through the certification assessment process and everything. So uh, you know, that's that's one percent of the 80,000 have actually been assessed.
Speaker 01So I want to sit on those numbers for a minute. So 80,000 is the estimate for who's gonna need to have this process applied to them. That they're going to need to be compliant with this process and therefore show some kind of you know different levels of compliant.
Speaker 03And actually, let me let me let me clarify that. 80,000 are going to need to be certified by a third-party assessment organization. So that's not even self-self-assessment. There's another uh estimated 120,000 that would that would need to do self-assessment.
Speaker 01So 80,000 is those who need to be assessed. And what was the count estimated of who has currently gone through this process?
Speaker 03It's less than 800. I think it was 773, is what the number that's sticking in my mind. Yeah.
Speaker 01So I so I guess question to both of you what's leading to that gap in terms of well, well, I guess, you know, it's not required yet. It's just coming around the corner. Is that right?
Speaker 03Well, it's the the way that the DOD is rolling this out is that it shows up in a contract, right? Um when you receive a contract from the government or when you are when you receive a solicitation for a bid, right? They uh the government will uh give you a list of requirements for the bid. You know, we need a coffee cup made, and it needs to be three inches in diameter, and you know, the all the specifications. But in addition to that, they specify what regulations you have to meet. And it's and it's usually a list of like two or three hundred regulations. There, you have the federal acquisition regulations that all government agencies have to uh comply to, and then you have these defense federal acquisition regulations supplements that supplement those those acquisition regulations. And there can be hundreds of those. So the way that the DOD implemented CMMC is that they're including a new supplement, and it's it's actually 252.204-7021 or 7021 as we we commonly refer to it. So that will show up in the contract. And so essentially, if you are bidding on that contract, you have to adhere to that that those requirements by the time the DOD awards the contract. Okay? So you'll get basically about a 60 to 90 day heads up that this contract requires CMMC certification. And and then you'll have 90 days to be compliant. If you're not, then the DOD cannot award you that contract. So they'll go to the next bidder who you know maybe had the next, you know, uh more expensive price or whatever reason and say, okay, are you compliant? You're compliant, congratulations, you win the bid.
Speaker 01And and Jameson, you mentioned that we're in like a phase one right now. So I guess phase two is that one that's around the corner. So tell me a little bit more about kind of what that transition to phase two looks like.
Speaker 02Yeah, so like I said, in phase two, that's when the uh DOD is going to then start writing those into the contracts. And so uh, you know, if you have an existing contract that's playing out, you might not have to immediately comply. But the next time that contract re-ups, you better believe it, it's gonna be in there because they want everybody doing this. And uh this is just gonna be a business requirement moving forward. It's not an option, it's not voluntary. Um, if you want to play in this space, this is what you have to do.
Speaker 01And and I imagine that the expertise you all have to be assessors, and Jameson, we covered this a little bit in our previous episode, but just the the efforts it takes to get certified and the lift you have to navigate in order to be an assessor firm for the uh the rest of the 80,000 who are going to need this, who are not of the around 800 who've already had it done, they're going to be having to navigate this. Like you said, it's going to be in their contracts. So I guess do you have any advice for the business leaders in terms of like they need to probably get started on this, right?
Speaker 02And and again, you know, they need to be starting right away because the assessment process is not uh something to be taken lightly. It's very rigorous. Um the documentation requirements are are very onerous. And if you think that you're gonna be able to close that gap in 60 days when you're notified of a contract, you're you're not gonna have the time that it's gonna take uh to get your environment ready and assessed uh within that 60-day time frame. And and as you mentioned, just the sheer numbers, uh I'd be interested, Chris, in that you know, 773 uh organizations. How many of those were organizations that are C 3 PAOs getting their level two assessment?
Speaker 03Because No, that's that's OSCs. That's that that's organizations seeking compliance. It's it's not counting the the what uh 97 uh C 3 PAOs who who are certified or actually uh I shouldn't say certified, um authorized is the term.
Speaker 01So our process as an example is a firm to get up to speed to be able to help with a service would not count toward that number.
Speaker 02Correct. Um but you know, also I think it should be you should be aware that these organizations that are becoming a third-party assessor, they have to practice what they're preaching uh essentially. So we have to be level two certified before we're able to certify other companies as a certified third party assessor. And so again, that is I think another reason why you probably see some of these lower numbers uh because there are you know several organizations that are ramping up to become a third-party assessor, but it is difficult. It's not easy. There's a lot of training I've had to go through to become a lead CCA, and you need at least three of those on your team to make uh a C3PAO function independently on its own.
Speaker 01So as a business leader who you know is is overseeing a company that has CUI and that has contracts, you know, with the defense industrial base. So I need to start thinking about the schedule of how am I going to be navigating the process of getting ready to be certification ready almost and actually getting the certification done. And it sounds like I probably need to be doing that planning sooner sooner rather than later, because there's gonna be a a lot of my peers will be seeking that out, Stan.
Speaker 03Well, to be to be honest, the what I what I tell clients the first step really needs to be is you need to make a decision, a business decision on whether you want to continue in the defense industrial base or not. That's the that's decision one. And uh we we've had several clients that uh we performed mock assessments on in 2020, right? Because there when word got out, there was there was kind of a rush in early 2020 to, you know, what is this? I need GAP assessment, I need to figure out, you know, what I need to do to get compliant. And I had several clients come back to me after doing the GAP assessment and told me, we've decided we're not doing any more business with the DOD. And that's a valid, that's a valid business decision, right? For them, it represented like 5% of their business, and the cost to become compliant was more than what they were benefiting from those government contracts. So I I feel like that's that's really the first thing that needs to happen. And then the next thing is figure out how are you going to uh how are you going to get compliant. And uh because compliance itself, like getting compliant is actually more expensive and takes more time than getting assessed. You know, we talk about you know lead times for getting assessed, and the the process itself takes, you know, two months. And leading up to that, we like to reserve two months to make sure that the company is ready, right? We we go through, we're going through that right now of making sure that they're ready to be assessed. But before all that happens, you've got to get compliant. And that can take 12 to 18 months. So, you know, you it it is a it's a big deal. So there are to me, uh a lot of small companies, the better play for them may be to seek acquisition by a company who is on this path already.
Speaker 01And and Jameson, that this my my mind goes to, you know, system and organization control audits, SOC audits, SOC 1, SOC 2, you know, talking about this having to meet control objectives and having an independent assessor come in and give some type of an opinion or conclusion or authorization, whatever the case might be. So will you just kind of talk me through what are some of the similarities and what are some of the differences between a SOC audit and this CMMC assessment?
Speaker 02Sure. So uh I I think when you want to talk about SOC SOC audits and SOC examinations, the one that that mirrors most closely to the CMMC is gonna be the SOC two versus the SOC 1. But the the there are differences where a SOC 2 is gonna be more focused on the security of the organization, how they're maintaining confidentiality or privacy. Uh it's not about protecting controlled unclassified information. That's what the CMMC assessment is about. The other part that kind of sets the two uh assessments uh apart from another. Uh in a SOC 2, if you have a qualified opinion, meaning you had so many exceptions in your report that one or more control objectives couldn't couldn't be met, then you get a section five in your report and you get to talk about, well, here's why this uh exception happened and here's what we are gonna do about it in the future, so on and so forth, and you issue that report. A third party that's using your services looks at that report, they assess how that impacts their environment, and you don't necessarily lose your contract with that user. The CMMC doesn't work that way. If if you're going through an assessment and you fail certain aspects, I know we won't get in the weeds with you know the nuances, but if you fail so many of the requirements, then you fail the assessment. If you fail the assessment, you don't get the contract. So that's the biggest difference that I see between the two assessments. Um they're both very rigorous examinations.
Speaker 01Yeah, that that makes sense because it you know, a a a stop two are like you're saying that you know that section five, that talk through what the findings were and the management has an opportunity to respond to them. You know, we're not quite sure how a customer might respond to that. You know, it might not put your contract at risk. Whereas this case, like our customer per se is the DOD, and they're going to have an opinion on those failures to a certain degree, like you're describing. Interesting. Well, I guess tell me a little bit about like what does write look like from a CMMC perspective. You know, what what what does a company's operations or posture look like to help them have, you know, navigate a successful assessment process?
Speaker 02Well, I think the the biggest point kind of goes back to uh one of Chris's earlier earlier points, which is they need the the at the top management or the owners or the board, whoever it is that's charged with governance of that organization has to make a business decision. Are we going to continue to stay in this space? And if that is the case, then right looks like um making sure that you are ready to meet this assessment process. That goes with getting started right away with mock assessments if you don't think you're ready. Um starting to get with those registered practitioner organizations or RPOs, those are people that have been qualified under the Cyber A B, which is a the um accreditation. Accreditation accreditating body for the for the for the CMMC. So those organizations have been uh have gone through some uh rigorous training uh to to consult in this space and help get organizations ready for those assessments. Uh but those RPOs are not certified third-party assessors necessarily. Some are, some aren't. Um but you you then would have to have the third-party assessment completed by the the C3PAO.
Speaker 03Right. And and if I can tack on to that, um you bring up a great point, Jameson. There's and and this is something that has borne out over the last year of doing assessments. I think we've done now 11, 12 assessments. And you can tell the difference between companies who are who have been focusing on compliance and the ones who have not only focused on compliance, but focused on becoming ready for an assessment. So it's two different things, right? It it's, you know, everybody needs to be compliant. They need to, you know, implement the practices and in such a way that that controls are consistent and reliable and all those things. But uh but they also need to be ready for an assessor to come in and ask questions. They need to have uh you know their evidence organized in such a way that it's easy to present to an assessor so that it presents their security program in the best light, right? They need to prep the individuals who are going to be interviewed, right? How many times have you been on an interview when you ask someone what time it is and they tell you how to build a watch? Right? Yeah. And you know, people get themselves in trouble that way. You know, the the more you talk, the more the assessor is hearing, well, wait a minute, I don't think this control works the way your documentation says based on what you just told me, even though I didn't ask you that particular question.
Speaker 01So so obviously we need to have the controls that help us meet our objectives, but we also need to be able to demonstrate we have the controls and they are functioning properly.
Speaker 02And it needs to be documented in a manner in which it makes it easy for an assessor to close those gaps and you know look at the proper artifacts for each requirement.
Speaker 01Well, do y'all have any advice for that? Like I'm thinking, you know, maybe like continuous processes that can help some. I guess just baking into our SOPs, you know, creating artifacts and the like. Like, do you have any just practical advice for our listeners in terms of how they can help with the demonstration and prepare themselves for an assessor?
Speaker 03Absolutely. Number one, engage with a consultant who uh is knowledgeable, who has the requisite certifications, uh, especially, you know, the more the better. If you if you're working with a consultant who is also a C3 PAO as a business, that's great. Uh the individuals that you're working with, if they if they are uh CMMC certified assessors and CMMC certified professionals, um, you know, the more the merrier. Um and then and then practice, right? Um do practice runs of assessments. And while you're doing, you know, when the assessor says, can you show me this setting within you know this configuration setting, uh go through the process of creating, you know, doing that demonstration and at the end take a screenshot. And then as long as the same person who created the screenshot is the one who's gonna get interviewed in the assessment, uh, they've already done it once. So that when it comes time, when it comes show time, they're not nervous. They, you know, they know what requirement assessment objective was was demanded that screenshot and they remember what they did. So when the assessor says, Can you show me that setting? they just do it once again. And from an assessor standpoint, it really, you know, even if we know that they were coached, subconsciously, it makes us feel confident. It makes us feel like they know what they're doing and they have implemented the practice. Right? It's very important. Got to remember assessors are people too, right?
Speaker 01That's exactly right. And Jameson, same question to you. Any considerations in terms of advice to folks to help posture themselves for a successful assessment?
Speaker 02You know, but from my perspective, I think the the more documentation you can provide in your system security plan, that's always super helpful for an assessor. Um, and then also including your own internal security control assessment is part of your artifacts. That can also help uh because a lot of times we we like to look at that to see what kind of artifacts that you were looking at to determine your compliance, and then make sure, okay, well, is that same evidence going to be uh adequate and sufficient to meet this requirement, you know, for our needs on our side. So I definitely think the more you do there, uh, the better. I think the more, you know, depending on your environment too. So this, you know, also is heavily contingent on what kind of environment. Are you a manufacturing facility? You know, you might have more challenges than somebody that's operating just a secure enclave with a few people in it. And so um, you know, if you're in that secure enclave environment, the more configuration um information that you can give me with how certain assets within the environment are set up, uh the easier it is for me to go through and determine, yes, they they are practicing what they're preaching, they're doing what they're saying they're doing in their system security plan, uh, the quicker I can get through the assessment, the fewer demonstrations we have to go through. Um so it just saves everybody time by being that organized. Um and then it just keeps us from asking, kind of like Chris said, keeps us from asking more questions and then getting somebody into that, you know, rambling on and on and on, and then just well, well, actually, so and so uses this jump drive to take this uh controlled unclassified information over. It's like, whoa, what did you just say? Like that's that just blew this whole assessment up, you know. So uh making sure that people aren't gonna blunder something, you know, quite like that. But at the same time, we're not asking for people to be coached on misleading the assessors. Um, that's not what we're encouraging. We're just encouraging people to be coached up on how to get to those artifacts. Because again, I don't know, like we sit in a lot of these walkthroughs and demonstrations. There's nothing kind of more frustrating than sitting on a demonstration for 15 minutes watching somebody fumble through, you know, their Microsoft Azure environment trying to find certain settings.
Speaker 01Great advice from both of you. I think all of us business leaders can kind of take those and put them into action in terms of how we're developing our policies. We're gonna actually practice what we preach, do what we say, you know, live by it, like you were saying, Jameson, in terms of our policies are actually representative of our procedures. And then additionally, importantly, preparing our people, making sure that we can navigate like you were describing, Chris, in terms of just, you know, being coached in the ways that make sense to coach our folks, just so that we can successfully and accurately demonstrate what we are doing as a business and what our controls are and how we are documenting satisfaction of those controls. So great, great advice from both of you, but I'm also curious about maybe some misses, you know, maybe something from y'all's experience of navigating either side of the coin in terms of whether you've been consulting with companies to help them prepare and be assessment ready, or whether you've actually been navigating an assessment, you know, uh with a company. Just what are some things you've seen where maybe something's gone a little sideways? So Chris, you first.
Speaker 03Okay. Well, uh from an assessment perspective, I think, well, actually, I I do have a good consulting one. Um I was doing a mock assessment back in 2020, right? So it's been quite a while, uh, where they had great policies and they had a policy that administrators, uh, when they log into the system, they have to use multi-factor authentication. Okay. This is a this is one of those requirements that it's it's so easy to say it, and it's so easy to understand it, and of course, a bit difficult to implement, right? But uh nobody really questions the need for multi-factor authentication in today's world and and all that. So uh I'm with the client, we're sitting in a conference room, and he's showing me up on the screen uh the authentication mechanism. And I say, okay, great. So show me the administrators. And you know, his policy said, you know, sure enough, all administrators have to use MFA. So uh I said, okay, show me the administrators now. Uh show me, you know, where it says that they have to use MFA. And he's showing me a list of about six or seven administrators. I noticed that two of them, it says no MFA required. I'm like, uh, are you sure we're at the right place? I mean, what you know, I'm just trying to throw him a bone, right? And he just kind of looks at me and he says, I'll be back in five minutes. So, you know, very important. Uh again, goes back to that coaching. Make sure that uh whatever you have implemented is still implemented when the assessor shows up, right? It's very embarrassing. Apparently, there were a couple administrators who were troubleshooting something and they had turned that off. Well, you know, during the assessment's not a good time to turn off uh security controls, right? Maybe never a good time to turn off security controls. Never is a good time, but but still, uh yeah, it it all comes down to you know, make sure you're doing what you say you're doing.
Speaker 01Yeah, exactly. No, that's a great example because I agree, Jameson. It's probably never a good time to turn off security controls. But but yeah, Chris, and I feel like that's something where this process, you know, is really valuable just to kind of keep all this top of mind for us, too, that you know, we created that MFA policy for a reason, you know, and we first enabled it for a reason. And it's probably good for us to go through even just internally and check that it's there, especially if we know an assessor is going to be coming in soon.
Speaker 03Yeah, absolutely. And I and I wanted to mention one other thing about uh interviews as well. Uh most of the time when we are performing interviews and and we're having demonstrations done, we need to take uh a little bit of time to document what we're seeing, right? Because we we don't just sit down at night and replay the day and do all our documentation. I mean, that there's no way to do that. There's just too many questions that you've asked. So it's very common that there's going to be a good 15 to 30 seconds of silence. Learn to get comfortable with the silence. Embrace the silence. Because as a person who is being interviewed and uh and assessed, and I've been in that seat, I've been in that hot seat, it is so hard to just sit and let the silence linger while the assessor is typing up his notes, right? It's it is difficult, but you need to learn to do it.
Speaker 01Right. Not just as this assessor is digesting what my response was and updating their notes related to my response. I don't need to just fill that silence by telling the assessor even more way beyond exactly relevant to the scope of what they're navigating. That's fantastic advice. Uh Jameson, same question to you. And any anything you've now encountered where things went a little bit sideways.
Speaker 02Well, it didn't really go sideways. Uh I guess the closest thing that I've come across in an assessment, we we kind of had a near-miss, but this was uh it wasn't a that major uh or that big of a deal. Uh so essentially uh one of the organizations I was working with, uh the Department of Defense, by the way, is they're very um uh they place a high priority on logging. So if something happens, they want to make sure that adequate amount of information has been retained for an appropriate time period to investigate what occurred. So on this particular assessment, um a lot of this organization's network traffic was running through a particular network device. And they said in their system security plan that that network device was was maintaining logs for 90 days. And when we came to doing the demonstration, uh it was one of those situations where I don't think they were actually prepared for me to ask, well, show me where it's keeping maintaining logs for 90 days. Um and so they kind of fumbled around for a bit, uh, had to actually go back and say, well, we'll have to we'll reshow you this demonstration because we think that actually the logs are being sent to this other system, this other seam, and that's where they're maintained. I'm like, well, that's not what your SSP says. And so uh, you know, the other thing is when you're doing the assessment, you're not really allowed to do any kind of consulting. And so when you point things out like this, you kind of have to be careful how you phrase things because you can't just be like, well, just update your SSP. To, you know, you have to you have to make them kind of, oh yeah, we need to update our SSP. We'll be we'll be right back, you know, and and we'll give you an updated version. And so uh that's the kind of the closest thing that that I've run across uh in terms of uh uh and that that would have been poammable though, even if they would have failed it.
Speaker 01Um so that that is a good point in terms of you know we we have a really good written policy and then we have a really good procedure, but they're different. Yeah, they just don't match. They just don't match. So we need to ensure that we have alignment because there's a degree where that's relevant to the assessment of the assessment be like, that is a good practice, but that's not what you say you do, and that's a problem. Now, what's that word you just threw out? Po.
Speaker 02POAM? Poeammable, yeah. So poammable. What's poamable? So essentially it's a made-up word. Yeah, it's it it is a made-up word, uh, I guess used in the uh industry, but uh it stands for POAM or uh plan of action and milestone. So essentially if you have uh an exception or you're not meeting a requirement, it goes on your schedule, your plan of action and milestone schedule POAM. Uh you have uh a certain period of time to correct those. Uh now when you're going through an assessment, this is kind of getting down in the weeds. But if you get if you have too many of those, or there's certain requirements that are just you can't POAM. Um so if you fail one of those, that's an automatic failure of the assessment. There is no fixing it.
Speaker 01So there are some some comparisons to like a cap, a corrective corrective action plan.
Speaker 02Absolutely. That's essentially the same kind of thing. So like if you're familiar with high trust, uh where they have this corrective action plans, and you have to have an external assessor come back out six months later and reassess those those uh corrective action plans. POAM works the same way. An OSC would have to have a uh if they did achieve the certification on the front end, they would have six months to correct those POAMs and have uh a C3PAO come in and reassess those requirements. Doesn't have to be the same C3PAO that they worked with originally. It could be a different one. Um it could be the same one though, presumably.
Speaker 01So well, this conversation has been so helpful. I recognize now just the the magnitude of what we're navigating in terms of how many different companies in the supply chain of the defense ecosystem this is gonna start applying to. And so some real critical business decisions they need to make in terms of does this strategically make sense for them to continue to operate within this world? And if yes, they need to start acting now, if they haven't already, in terms of preparing for an assessment, recognizing the next contract and where they get is gonna have some additional language in it, identifying their gaps, and then when it comes time for an actual assessment, you know, making sure that they have in place the processes, procedures, and training to come out on the other side with the successful assessment. Um and also we discussed some pitfalls that you know we we've seen in the real world in terms of kind of what we can avoid for ourselves. Um, I guess I'm gonna ask one last question to both of you, Jameson. I'll start with you and then end with you, Chris, in terms of kind of just your final takeaway for our listeners. Just kind of that one final piece of advice that you had for them, just as they're preparing for or navigating this CMMC environment. So, Jameson, what's your what's your last takeaway for our listeners?
Speaker 02Sure. So uh maybe a couple of things, but uh the first, starting with uh whoever is gonna be in your organization leading the charge for the certification, in my opinion, this is not a requirement, but just this is my opinion. I think it would be helpful for them to go through the CCP and maybe even the CCA course. Uh that way they are familiar with what the assessors are gonna be looking at, what the assessors are gonna be doing, and that will give them a better understanding of the requirements also. Um they don't necessarily need to go take the examinations, but I do think it would help for them to go through that training. There's one-week courses, um, so that would that would help educate somebody internally, uh, and they're not too expensive. So we're not talking about, you know, tens of thousands of dollars of training here. Uh the second thing I would close with is just scoping is so important in your environment. So if you can't figure out or get your head, your hands or your head wrapped around everywhere you have controlled unclassified information in your environment and you don't understand all the scope of the assets you have in your environment, then you can't protect them all. And you can't under- So if you're having difficulties navigating that, then you need to find a partner that can help you navigate that and organize this stuff in a manner uh to get you over that hump quicker. Um so that would be my biggest takeaways.
Speaker 01Well, I've heard you say before, Jameson, you can't protect what you don't know you have.
Speaker 02That's right. Yeah. So if you don't know you have it, or you don't know that, you know, the example I gave earlier of, you know, somebody takes a jump drive and moves it from a machine uh in this network to over here in the warehouse, you know, if you don't understand that those things are happening, uh then you can't have adequate controls in place to protect everything and pass this assessment.
Speaker 01Chris, same question to you. Kind of a final takeaway for our listeners.
Speaker 03Wow. Well, Jameson kind of covered really the big hitters that I probably would throw out there. And especially you brought up scoping. Um, yeah, I would I would echo that 10 times. Scoping, scoping, scoping, right? Uh we we have we've seen uh a false start. Uh the the one kind of false start that we've had um was because of scoping, because we started asking the question, the simple question, how do you receive CUI? And the the contractor, the OSC started describing all the ways they receive it. And I'm sitting here looking at a network diagram, and they didn't have on the diagram a couple of ways that they receive CUI. So I'm like, we can't go forward. There's you know, without without a solid documented scope, we cannot go forward. So it is, it's it's it's vitally important. Um, the only other thing I would, I guess, uh reiterate is assessors are human. Uh in my case, in my particular case, uh my wife works with me. She's been working with me for five, six years now, and she is an assessor. She's a a CCA. And when we show up on site, uh, we're not mean. We're not there to trick you. We're not, you know, we're not we don't hold a grudge against anything in the world. We're we're literally just wanting to provide the OSC an opportunity to provide evidence that they are compliant. So um, you know, we're we uh my wife's also name is Chris, so we're Chris and Chris. And uh one one of the consultants, yeah, one of the consultants started calling us Chris Pleural.
Speaker 02So Chris Squared.
Speaker 03Yes, Chris Squared. We I think we've heard them all. Uh Chris Pleural was a new one, though. I hadn't heard that before. But uh but yeah, I assessors are human. And um keep that in mind, right? I I I wouldn't suggest doing anything untoured or or deceitful or anything, but assessors are human and we can't escape that. It is what it is.
Speaker 01Uh also fantastic advice. I love your comment about scoping because I know that's oftentimes whenever we're trying to secure some type of environment, we have to know what are the boundaries of that environment. What is our system? What are we kind of ties into that concept if you can't protect what you don't know, you have, but what what is relevant to it? Like you're saying, kind of how CUI is coming into our environment, making sure our network diagram is appropriately capturing that. And I also love the con the comment too, Chris, about just assessors being human. You know, we're all playing our part, right? And we and we all want this to be a smooth process, a successful process. You know, we're we're all in this together. At the end of the day, the way I see it too is this has real implications. I mean, we're not just doing this just to check off some boxes, right?
Speaker 03Yeah, absolutely. I mean, uh, you know, we didn't we didn't really talk about like the real world impact of of not protecting CUI, but you know, there's stories about the the Chinese bomber that that looks a lot like our stealth bomber, the the space shuttle that looks a lot like our space shuttle. Well, there's a reason for that, right? Plans and designs and sensitive information is getting stolen and used by our adversaries.
Speaker 01Yeah, you're right. Like there are actual real world implications to all of this. And Chris, will you also just do uh do uh me a favor and tell listeners a little bit more about your business and how they can get in contact with you?
Speaker 03Yeah, absolutely. So, in addition to CMMC, uh we do other compliance frameworks like PCI, HIPAA, those type things. We also do penetration tests. And uh uh I as you might imagine, I love education. So uh we have a whole education department in our business where we can do uh user awareness training and and that type of stuff. It's a little different. It's not a platform, it's not just a five-minute video, it's literally me coming on site and doing kind of a roadshow. So uh yeah, as you can probably imagine, I'm pretty passionate about security and about helping companies uh become more secure, right? There is no hundred percent out there and uh just trying to approach it. So uh so basically in the late 90s, early 2000s, um I I essentially bought uh everything that says CG Silvers that I could find. So what I tell people is the way to get in touch with me is just go out on the internet and yell CG Silvers, and you'll probably come up with me. That's literally LinkedIn.com slash IN slash CG Silvers, right? And of course our website, CGSilvers.com.
Speaker 01Well, again, thank you so much to both of you for joining me. And and first off, just thank you for the work that you do because it really is impactful. But I just also really appreciate you joining me today and get on the microphone to talk through these considerations. And to our listeners, also thank you for tuning in. If you have any thought questions about the items we discussed today or any other business challenges you're navigating, please don't hesitate to contact us at www.mjxcpa.com and also go to the internet and just yell CG Silvers.