Video: The Three Teams Every Defense Contractor Needs for CMMC Compliance | Duration: 3588s | Summary: The Three Teams Every Defense Contractor Needs for CMMC Compliance | Chapters: Introducing CMMC Compliance (12.815s), CyberSheath CMMC Expertise (264.495s), Essential Compliance Teams (573.68s), Configuration Management Challenges (1157.445s), Outsourcing vs In-House (1343.28s), Managed Compliance Services (1990.545s), Compliant Managed Technology (2572.005s), Team Approach for Compliance (2782.54s), Client Success Story (3051.53s), Concluding Cybersecurity Insights (3227.115s)
Transcript for "The Three Teams Every Defense Contractor Needs for CMMC Compliance":

Alright. Good afternoon or good morning, depending on where you are listening in from today. Wanted to welcome you to our webinar covering the three teams defense contractors need to meet CMMC compliance. If you're not familiar with me, I am Michael Bailey, vice president of solution engineering here at CyberSheath. And over the next hour, we're gonna be breaking down really the practical truth about CMMC and the fact that compliance isn't just an IT project. It truly is a team sport. You know, when organizations struggle, it's not usually because they aren't working hard towards it. It's oftentimes because the right teams aren't aligned on ownership and execution. And through our discussion today, our hope really is to give you insight into what we see as the pieces of the puzzle that need to come together cohesively in order to get defense contractors to that perfect 110 score and then maintain that through their certification cycle.

Background on myself, if you're not familiar with me: I'm Michael Bailey. I've been with CyberSheath originally starting about ten years ago now. I am on my second tenure with the organization. In my return in 2022, I was vice president of operations overseeing IT, security, and customer success. I've seen the majority of our clients from their onboarding through successful compliance journeys, and many of them to successful C3PAO audits to date. So it's great to have you with us.

A few quick notes before we begin. This will be recorded. We're obviously gonna share this recording and the slides afterwards. You'll see in the documents section off to the right of your screen, we do have some items for you to be able to download that I'm gonna be referencing today, including those slides. Please be sure to drop any questions in the Q&A section as we go.
I will do my best to address them as I'm talking through this, but I certainly will do my best to keep time at the end to answer some of those questions. And if there's anything I'm not able to get to, I'll do my best to follow up after the session with you.

With our agenda here, we're gonna talk a little bit about CyberSheath. I think many of you know who we are, but we'll cover a quick slide on that. We're gonna talk about what we see as the compliance puzzle and the pieces coming together, again, to help organizations achieve that perfect 110 and maintain it. We're gonna talk to you about building your team. We're gonna address each piece of the puzzle. We're gonna address the teams and the capabilities that are required and then give you insight into, if you're attempting to build this yourself, what you should be doing, looking out for, and kinda the pitfalls you should avoid. Or if you're looking to outside vendors to do so, we wanna give you the proper guidance in selecting the right team. We see a lot of organizations that come to us who have been through several different service providers who weren't able to get them to full compliance, or who weren't compliant themselves and therefore couldn't get the organization certified. And we wanna give you guidance on selecting those right providers and the services that you should be looking out for with them.

Also, we're gonna give you a little look under the hood at the CyberSheath approach. The way we implement services, the way we perform the day to day to keep ourselves certified, we wanna give you insight into what that looks like and kind of that special sauce that we put together to get our client organizations through audit so that, if you want to, you can kinda mirror that on your side.
And then lastly, we're gonna cover a sample organization of ours, a client organization, Campi Corporation, who has gone through this compliance journey, you know, starting off with a DCMA DIBCAC audit and then moving through working with CyberSheath to get them to that perfect 110 through certification, and kind of their process. So really excited to connect with all of you today, and we'll kinda hit the ground running here.

So a little background on CyberSheath. We are DFARS and CMMC experts. We've been in this space for quite a long time, established in 2012 by Eric Noonan, US veteran, Marine. With that, we are 100% US citizen staffed, US based; this is all we do. We don't work in any other frameworks. We're not, you know, dabbling in PCI, HIPAA, HITRUST. We're completely focused on CMMC. And with that, we've performed thousands of NIST 800-171 assessments to date for our clients, and have awareness that from an auditor validation perspective, we've gone through countless DCMA DIBCAC audits. We were part of the joint surveillance program. We've got a press release on that with the organization that we did that with. And now that we're in the land of C3PAO CMMC Level 2 audits, we've gone through close to 30 to date. All of those have been perfect 110 scores. We haven't had any deficiencies in any of the audits we've done.

And, you know, as we talk about looking at providers or considering this internally yourself, understand that you really should be looking for somebody with that proven track record. You don't necessarily want to risk your full organization and your government contracts and those employees that work for you, you know, in the wrong hands there. So, you know, we're gonna talk about the three pieces of the puzzle. Have awareness here at CyberSheath, you know, the basis of our solution is solving the whole problem.
It's all of those three pieces put together, full accountability, zero finger pointing, just ensuring that we're gonna get your organization certified.

So high level, the compliance puzzle that I keep referring to, on our side we see that as IT services, security services, and compliance, advisory, or regulatory services. Those three pieces coming together, working together, is really what we see as the requirement. Each one of those pieces holds a large percentage of the necessary controls within NIST 800-171 and the responsibilities. Transparently, as we go through these, you will clearly see that it is not appropriate to consider, you know, that a single individual would be able to perform this within an organization. You know, as we have here, CMMC compliance takes a village. It is a team sport. It is certainly more than technical controls. It is certainly more than security monitoring. It's all of the day to day activities that need to be performed, from configurations and day to day management, to get organizations to that 110 by achieving compliance with all the 320 assessment objectives in NIST 800-171A and then maintaining that through the certification cycle. It is not a one time milestone. This is continuous compliance and attestation to the government that you're doing the things that you said you're supposed to be doing.

You'll see in the bottom of the slide here, you know, there is a lot of fear, uncertainty, and doubt. There's a lot of misinformation within the DIB right now that we're seeing, whether it be, you know, on LinkedIn, Facebook, Discord, etcetera. With all of that, we wanted to kinda dispel a lot of those myths. And with that, we performed our own private research survey. We've done this for a few years in a row now utilizing a company called Merrill Research. We have attached in the document section of this webinar the 2025 State of the DIB.
What we've done is surveyed organizations trying to understand their application of the controls, their understanding of their requirements, and how they're doing with implementation. What we found was that more than 50% of respondents, more than 50% of the defense industrial base organizations, those defense contractors, found DFARS activities highly challenging. You know, with that, I think there's a change of focus now that the 48 CFR has gone into effect, now that there is truly an audit mechanism, where organizations in the past had thought, we're probably doing enough, you know, as we self certify. We're attesting to how we have the controls in place, but nobody's really gonna come in and look at this. But with that, now that there's an audit mechanism, they're second guessing that. They're thinking, wait. How prepared really are we? Are we doing the right things? Have we interpreted these controls correctly? And now that the audits are, you know, being enforced, a lot of organizations are taking a second look at that and reconsidering how they're implementing the necessary controls, services, etcetera, in order to achieve and maintain compliance.

So I'm gonna break down for you what we see as those three essential teams. We're gonna start off with compliance advisory capabilities. For us, this is the foundation. This is the governance capability within a compliance function to assist the organization with defining what needs to be done, but also reviewing what's in place to validate either meeting the controls or not. Foundationally is the gap assessment. That is an assessment against NIST 800-171. Many times organizations look at that gap assessment as the 110 control requirements. You know, I give you the guidance to actually dive a little deeper than that.
The assessment framework that an auditor is going to use in your C3PAO audit, or if you get tapped on the shoulder for a DIBCAC audit by DCMA, is the NIST 800-171A assessment objectives guide. And what that is, we're breaking down those 110 controls into sub requirements with things such as, you know, define, implement, audit, etcetera. And with that, organizations need to ensure that they're not just trying to meet the high level 110 controls, but all of those assessment objectives, because that is truly what's needed to pass an audit. So, you know, performing that gap assessment annually or periodically as NIST 800-171 outlines, coming out of that assessment, identifying any of the gaps in the environment. You know, we see organizations, when they perform these internally, they don't do so with kind of the same rigor that a third party organization might. Third party organizations in this instance often look at things from a readiness perspective, anticipating the questions of a C3PAO, as opposed to looking at something and saying, yeah, we think we kinda have that covered. We'll be okay.

So with that, the plan of actions and milestones: that's gonna be a listing of any of the gaps. It's a document that's gonna highlight your gaps, the owner, and the timeline for completion. With compliance and that advisory team, generally they are the owner of that document, but it is them working with other teams to drive the change in the organization for implementing controls, implementing policies, processes, and doing the necessary monitoring documentation in order to close those gaps and add to your SPRS scoring. Also on the compliance team is the system security plan. That document generally resides within that function.
And the system security plan is an overarching document highlighting the full architecture of your environment, your CUI processing space, CUI data flow, system stakeholders, external system interconnects, but also breaking down all of those 110 controls and their assessment objectives and having a detailed description of how you're implementing those controls in your environment and meeting that requirement. That's a document that a C3PAO is going to look for as table stakes coming into your environment. Those audits are essentially show me exercises where they're reading that system security plan and validating that what you say you're doing is actually what you're doing, and they're looking for artifact evidence of that. So that, for many organizations, could be, you know, some serious heavy lifting. Oftentimes you need to have all the necessary controls in place in the organization first, and this is really the long pole in the tent finalizing kind of your compliance journey, in documentation of what you are doing and the good work that you've implemented. So, again, that is another kinda living, breathing document that the compliance team would manage.

Outside of these three high level items, also know there's requirements for an incident response plan, incident response tabletop testing exercises, policy and practice documentation, and security awareness training. So, again, you know, compliance certainly has their hands full for that function as it relates to meeting the needs in NIST 800-171 and achieving CMMC Level 2.

Moving over into security operations. So for the security operations team, really the core for that function is going to be the central event logging and monitoring from the dissimilar sources within your environment. What that means is ensuring that you have, you know, analysts looking at any, you know, anomalous or malicious behavior and acting on that from an incident response standpoint.
While there are, you know, full families of NIST 800-171, you know, for this particular function, also have awareness, taking a step back into the DFARS clause, of the 7012 requirements. There is, you know, incident response, reporting capabilities that need to be implemented in an organization. So not only is there logging and monitoring and ensuring all of those log sources are feeding in appropriately, having eyes on those logs and acting on them, there's also the reporting function that you need to make sure you're able to support. Many organizations find that trying to implement this capability in house is cumbersome and expensive, knowing that meeting a twenty four seven, three sixty five monitoring capability requires several internal resources through the night, weekends, covering, you know, vacations, sick time, etcetera, where oftentimes this is probably one of the first functions that they are outsourcing. You know, as we'll talk in a couple minutes here about considerations for outsourcing, as you look at a security operations team, many of our clients have US sovereignty requirements. So ensure, number one, that that team knows and is aware of CMMC, potentially has certified themselves, and is able to provide the necessary configurations and artifacts to support your compliance goals. And also ensure that, in many cases, since we have clients with US sovereignty requirements, those folks are gonna be US based too.

We also cover vulnerability management within the security families of NIST 800-171 for security operations. Vulnerability management is something that most organizations really struggle to achieve a comprehensive solution for. You know, vulnerability management on the security side is really the scanning to find out if there are any vulnerabilities or any patches necessary in an environment.
We see this really as a checks and balances against IT operations capabilities of performing patching and maintenance on the system. So, again, we see organizations, number one, struggle to perform patching and to scan for vulnerabilities. There is a requirement that when you do scan for vulnerabilities and identify them, you need to have a policy and a process to define how quickly those are going to get addressed in your organization. And, again, that's a pitfall that we see organizations have: they define these policies, they define these processes, and their staff oftentimes aren't able to keep those up throughout the timeline up to audit and then past that. So when it comes to audit, you know, those organizations go back looking for those artifacts and find that some of those things have fallen by the wayside and therefore jeopardized their compliance and their certification.

With information technology, you know, I often kind of joke with some of our new clients coming in, talking about these requirements and what needs to get done, that, you know, we look at NIST 800-171 as more so a compliance and a security framework. 67 of the 110 NIST 800-171 requirements strictly fall within information technology and what we'd see as responsibilities of either an internal IT team or kind of an external service provider. With that, it is covering all of the configuration management and asset management. It is implementing all of the necessary secure configurations to meet the NIST 800-171 controls. It is having all of the baseline secure documentation for those configurations that you're gonna implement and then ensuring that those configurations are kept through your certification and into the future.
There's a lot of documentation within this side, in addition to, you know, the compliance side of the house, for baselines of what gets done. Now, essentially, here at CyberSheath, any piece of technology that we touch has an SOP for baseline configuration. We're making sure we meet those and configure devices to those and then scan against those configurations for any changes. So it is a continuous activity with configuration management. Also, we see a lot of organizations, when it comes to configuration management, struggle with change management requirements. So there are requirements in NIST 800-171 to implement change management policy and process, having both IT and security review and approval on changes in the environment. Oftentimes we see organizations trying to achieve this internally. Again, they develop the policy, they develop the process. They might start on the process, but it is something that, when, you know, life gets busy and other things get in the way, might not continue to get followed. And then when it does come time to audit and you're looking for those artifacts, they're nowhere to be found, putting your organization at risk.

So as you look at some of these items, again, think to yourself a little bit of, hey, you know, can my internal team handle this? If I was to pull in resources for this, could they achieve this now, and can they maintain that moving forward? But also, if you are looking externally at service providers, ensure that they have the track record, they have the expertise, and this is essentially kinda just the normal day to day activities for them.

When it comes to identity and access management and information technology, that is ensuring that all of those activities are, you know, auditable and approved.
So it's implementing processes for new user onboarding, for role and permissions changes, for offboarding users and systems, for monitoring inactive users and inactive systems, privileged users, etcetera. It's having all the necessary policies, processes, and configurations in place to meet the needs of NIST 800-171 and having all of those items as auditable evidence when necessary for either a C3PAO or a DCMA audit.

Lastly, with patching and maintenance, I did speak to this; it is more so a checks and balances against the vulnerability scanning that's oftentimes found within a security function. I mentioned that this is something that many organizations and, transparently, many external vendors struggle with. You know, with patching and maintenance, it is a continuous operation. It's not, you know, you achieve it this week, and it's gone forever. It's you achieve it this week, and next week or next month there are more updates to implement, and it, you know, just never goes away. So ensuring that systems are kept patched, ensuring that vulnerabilities and risk are reduced, and also, again, as I spoke of, NIST 800-171 requirements with vulnerability management, having a process and a policy in place to ensure that when vulnerabilities are identified, based on their risk, they are remediated in a defined time period, is instrumental to the success of meeting compliance within this team.

So I tried to really highlight kind of the services that we see are required and kind of the capabilities and the teams and how they map back to those requirements and where some of those items lie. With that, we always are giving organizations guidance on, you know, is this the right choice to utilize in house resources or hire additional resources in house, or does it make sense to outsource those services?
And with that, I wanna just really cover some very high level pros and cons of those. And, you know, many of these might be kind of very apparent, and I'll try to dive into some that aren't even listed here to really just give you high level things we're seeing out in the wild. But, obviously, internal team pros of that: familiarity with the people, the nuances of your organization, line of business applications, and, you know, having a personal stake in ensuring that things are running extremely well. You know, obviously, if you're utilizing existing resources, many times you're not incurring additional budget. It is just another requirement added onto those resources' day to day activities.

You know, with that, we find many times that, number one, those resources truly don't actually have the extra cycles to get this work done. Many times when they're looking and kinda assessing the internal organization for gaps against NIST 800-171, they're doing so through rose colored glasses. That being said, you know, I see many organizations, we ask them about things like, you know, do you have multifactor authentication in place? And they'll answer, oh, of course, yes. And we'll find that they're taking credit for having MFA in place maybe in their cloud collaboration suite of Office 365, but they haven't taken the opportunity to implement it on their VPN connections or maybe their local endpoint. So you don't always get a comprehensive view from a kind of auditor readiness perspective to make sure you are able to pass that audit. Oftentimes you are getting kind of a false sense of security, where that resource often is just responding based on making themselves look good for the work that they've done internally. So there's oftentimes blind spots there, where they either, you know, responded incorrectly, or potentially had an incorrect understanding of the actual requirement.
Again, I'll highlight the fact that we find a lot of internal resources leveraging just NIST 800-171 for internal assessments, as opposed to NIST 800-171A, which an auditor is going to utilize. When it comes to DFARS and NIST 800-171, we know it's a steep learning curve. That's why we put on these webinars. That's why we want to kinda share the knowledge in the vertical. And we know for internal resources, they're kind of trying to grasp at that information. It's not really organized in a very clear, concise, easy to understand manner. So without having gone through audits before or been part of organizations who have achieved this, they're making many assumptions on what they think needs to be in place rather than, you know, having the experience of knowing, and kinda no fault of their own. They just haven't been there yet.

And, transparently, that's one of the things we'll see with a lot of external service providers and vendors: many of them haven't gone through audits to date. And if you are looking at outsourcing, we encourage you, ask those difficult questions. Have you yourselves gotten certified? Have awareness, knowing that if you're gonna get certified, you need your external service providers to be certified too, you know, ask difficult questions. How many organizations have they gotten through successful audits? You'll oftentimes hear people say, oh, we've done, you know, 30 or 40 readiness assessments. That is not the same as an audit, and don't let kind of the play on words fool you there. So ensure that, if you are looking at outsourcing, you are teaming up with somebody who has that proven track record, reducing your organizational risk and ensuring your success moving forward with your government contracts.
You know, pros of an external service provider: you know, the expectation is, if you are selecting somebody to assist you with this, they should be bolt on, instant DFARS and NIST expertise. And, again, inquire about past performance. The expectation is that they should be experts in this field and not, you know, trying to figure this out on your dime, as we found many organizations are doing in this space. You know, you obviously get dedicated resources, you know, so using the external service provider can help get you compliant faster. I talked to somebody earlier this morning who had said they've been working internally for the past three years to achieve this, and it's gotten to the point that they're like, listen, we've put three years of work into this. We're done. We're putting our hands up, and we're looking for an external service provider to give us that confidence in the areas of uncertainty that we've been working on and we just don't know. So that's truly a benefit there, is having that, you know, auditor validation and that confidence knowing that the people, processes, and technologies that you are looking to implement have been approved by a third party.

And, you know, when it comes to cons, you know, with external service providers, know that there are a lot of kind of magic wands out there right now that have popped up. There's a lot of different tools that are coming up saying they're gonna get you compliant. As we, again, go through the different teams of what we see it takes to put this together, whether it be internally or externally, there's no magic bullet, no magic wand. You know, it's real work that has to get done to get you there and then to maintain that moving forward. No special tool is gonna take that off your plate. And if you are looking at different tools, know, you know, are all these gonna work together?
You know, I spent a bit of time at a few different trade shows recently, and there's a lot of providers out there who tell a story that they have a tool that is gonna do 90% of the work for you. And I would certainly dig in with those providers to understand, you know, and use kind of the things we shared today to understand all the different pieces of the puzzle, and ask them how they're going to achieve those on your behalf, or, you know, just have a clear understanding of what you are gonna need to do to supplement those on your side to get you there.

You know, when we talk about cons with external service providers, many times you'll have, you know, vendors who come in. They're not familiar with your people, process, technologies, and it's really a friction point. You know, as you talk to firms, understand their service delivery methodology. I'll cover in a little bit here, you know, kind of our service approach that I implemented for CyberSheath a few years back, of a team based approach to drive customer intimacy. So that might not always be a con with external service providers, but we wanted to note it here just so you can look for those providers and have a talking point to ask them that. Ask them how they deliver services. What do their teams look like? You know, if you call up, are you gonna get a different help desk technician or compliance analyst each time you call? So, hopefully, these items here can help you make the proper determination and understanding if this is something that you're gonna try to achieve internally or you're going to look at an external service provider.

Last item on this slide that I just wanted to add is, you know, I spent a lot of time on the new logo sales side of the house here at CyberSheath, helping organizations understand the proper solutions for them and how they can kinda see a vision of a trajectory towards compliance. With that, we oftentimes get questions asked, you know, hey.
I was really looking to probably pull in a single IT resource for this. Like, we have this level two help desk analyst. He's great. He knows his stuff. He's a fast learner, or she's a fast learner. And we plan on just giving them this responsibility, and they're gonna knock it out of the park for us. You know, my response to that is, you know, based on my background and being here for as long as I have and knowing all the pieces and the configurations and the technology of what it takes to get there, I give the analogy that I don't feel personally that if I was hired, if I wasn't here at CyberSheath, if I worked at, say, a small defense contractor, you know, manufacturing facility or something, I don't think I would have success in getting that organization compliant single handedly. Again, it really comes back to all of these items coming together. The three pieces of the puzzle are more than a single person's job, even if you have the expertise. It is a team sport, and all of those items coming together are what's required, again, to get you there. But you need to keep that there and maintain all of those activities into the future on your three year certification.

Alright. Wanted to cover, again, as I mentioned, a little look under the hood at how we approach these items. We're a fairly, you know, if you talk to us, we're a fairly transparent company. We truly wanna help others in achieving their compliance goals, whether or not we're the right provider for you. But as we break these down, understand, if you're kinda in the mindset of, hey, how am I gonna do this internally, or should I be doing this internally?
Or if I look at other service providers, hopefully, as we go through this, you can get a little insight into understanding what CyberSheath would do for its clients in performing these services, to see if that's something you wanna try to mimic internally, or, if you're looking at other service providers, have something that you can engage them with, having a little bit more of a background of knowing what it takes to get there.

Starting at the top, managed compliance. Managed compliance for us, I mentioned, is foundational, you know, with the services that we are providing. It includes an annual gap assessment. Those gap assessments, again, are against NIST 800-171A, ensuring that we are well prepared for a C3PAO audit. Coming out of those are plan of actions and milestones. We're gonna develop that for our clients on their behalf, and then we're gonna manage that. I'll talk here briefly on the next slide about kind of our team approach and our pod approach. But with that, know that anytime we produce a plan of actions and milestones, it's all three of the pieces of the puzzle on our side coming together, building out a project plan for remediation, and then putting it back in front of the client for approval for us to then go ahead and get to work in getting those items closed out. We also assist organizations developing their system security plans. As I mentioned, that really is the all encompassing guide that an auditor is gonna look for, defining every compliant configuration in your environment and how you're achieving that. That's the checks and the balances that they're gonna use during the audit to validate that you're doing the things you said you were doing. For us, in most organizations, this really is the long pole in the tent that's getting finalized at the completion of all the other controls and after they're implemented.
We assist organizations with their incident response testing and incident response plans. So for any documentation that CyberSheath does, we are doing all the heavy lifting on behalf of client organizations. We find that kind of throwing templates over the fence, or even organizations who just sign up for compliance templates and stick their name on them, are not as successful in achieving full compliance as those who are tailoring those documents to their organization. With the CyberSheath approach, we are doing all the heavy lifting for our client organizations. It's an iterative process where we learn their process and their operations, and we draft their policy and practice documentation, incident response plans, all to their needs, mapped back to the necessary documents that are needed from an artifact perspective. With the incident response plan, we're drafting that plan for you. We're also performing that annual tabletop simulation exercise. It's a virtual roundtable event where we're picking a mock scenario and running through the plan with your team, doing so in a time of quiet. With incident response testing, we perform that tabletop. We perform an after-action debrief, reviewing any areas for maturity. We're documenting those. We're adding those back into the plan for next time to incorporate those updates. All of those items that we do are required by NIST 800-171, and we're documenting those and recording those as auditable evidence for the future. As I spoke about before, it is kinda continuous compliance. So as we perform many of these cadence actions, we need to make sure.
And if you're performing these services internally or you have a third-party service provider doing so, make sure that they are doing all the things that they need to be doing in the interim, so that when it does come up to audit time, number one, you're not scrambling, identifying that things are out of compliance, and number two, you're not trying to kinda come up with artifact evidence that doesn't exist. When it comes to security awareness and training, we include a capability with our services. We use KnowBe4. I don't think that's a secret on our side. If you're looking at solutions, that's certainly a viable one. With security awareness training, it's another one of those that organizations tend to set and forget. And when it comes to audit time, they're realizing that their staff have not performed the necessary actions that they needed to. So if you're doing this internally or you're using a service provider, ensure that, again, these items are kept up to date and monitored on a regular basis. With CyberSheath services, this is something that we're doing monthly and quarterly for our clients to ensure that when it does come to audit time, there are no surprises. With audit and certification support, this is more so a function that you would need internally if you were doing this internally, and if you're using a third-party service provider, inquire if this is something that comes with their services. I know for us, our audit and certification support is us sitting on your side of the table, directly facing off against the auditor. We're providing the answers to their questions and the necessary artifacts and evidence to get you to that 110. We come with our compliance analyst, IT, and security to make sure that there are no questions asked.
And realistically, on our side, we're hoping to answer those questions before they're asked, driving confidence with the auditors that we have all our i's dotted and our t's crossed. We include with our services, and this is kind of where I was giving you insight with the compliance capability earlier, that you want to ensure that whoever's providing this function for you is giving you insight into what's coming down the road, what's happening with CMMC. Were you blindsided by the 48 CFR being published? Did you understand the landscape of the phased rollout for the requirements? Are you looking down the road to understand what your requirement's gonna be when NIST 800-171 revision three is adopted by CMMC? Those are capabilities we provide our clients on a daily basis, whether it be in our day-to-day interactions, our monthly meetings, or business reviews. We always wanna make sure that we're giving organizations insight into what's coming. Also with this, on our side, we have the ability to give organizations guidance on what others are doing and how other organizations just like them are approaching and implementing controls within their environment to achieve compliance. So with somebody internal, that is truly where you need somebody who's had this expertise and kinda been there, done that before. But if you're looking at an external service provider, just have awareness that that is something instrumental you should be looking for in their capabilities: that trusted partner. With the managed security function, with CyberSheath, we are 24/7/365. All of our staff are US-based. All of our staff are US citizens, including our full security and SOC team.
You'll hear a lot of our clients refer to our SOC as more of a boutique-type service as compared to some of our competitors, as they get to know our analysts, our analysts get to know them, and it really is a great partnership. Within that team, the instrumental requirements are central event logging, security monitoring, and the incident response that we talked about earlier. Ensuring that you're doing that consistently and that you're able to act on those alerts is paramount in keeping your organization secure, whether or not you're a defense contractor. So with that monitoring on our side, it's 24/7/365. We work internally if we identify any concerns within a client's environment, malicious or anomalous behavior; we're working hand in hand with our managed technology team to get those items remediated. So just know that while you do need monitoring and logging and incident response capability, there needs to be a remediation function in that capability too. And that's really where the cohesiveness of having those teams either altogether in-house, or going to a vendor who is going to provide all the services or work very well integrated into your organization, is imperative. We talked about vulnerability and configuration assessments a little bit earlier. Now on our side, when we provide that service, we're utilizing a third-party tool. We utilize Rapid7 at the current time, and we're performing those regular scans of client environments, endpoints, network, servers, etcetera, identifying vulnerabilities and configuration deviations. For our clients, we're sending them reporting on any of the work that we had done to remediate those and any of those findings. That is audit evidence that's defensible in the future.
But know that we're kinda in that checks-and-balances role, performing those remediations for the clients through our managed technology team, ensuring we're meeting the policy and process that they defined, stating that when vulnerabilities are identified, they are closed out by risk within a certain time period. When it comes to compliant managed technology, on our side, everything our team is doing, since we're so focused on CMMC and NIST 800-171, is done through the lens of CMMC compliance. We don't have any distractors of clients with PCI, HIPAA, HITRUST, or other framework requirements. So with everything we're doing, we're able to give clients guidance, ensuring every action we perform is done in a CMMC-compliant manner, but also advising clients, if they are asking for configuration changes or have questions on systems, that we're doing so, giving compliant advice on that. So our technology team handles everything from support desk requests, password unlocks, account resets, new computers, and decommissions, all done compliantly in an auditable fashion. We also are performing the patching and maintenance as the checks and balances to security. As I mentioned before, all of our configurations, all the technology, any piece of technology we touch has a secure configuration baseline. We are ensuring our client organizations are configured to those baselines, and then we're utilizing those in the future for audit evidence. We have very strict change management processes on our side. Any changes that impact more than five users or 20% of an organization go through both IT and security approval, notification to client stakeholders, and notification to potentially impacted users, just to make sure, number one, we're meeting the needs in NIST 800-171, but also that we are operationally focused, ensuring your end users are able to get their day jobs done. To me, this compliance should be transparent to your users.
The configurations that are put in place and the policies that are put in place are not meant to be overarching. They are basic information security, and our hope is that, whether you're doing this yourself, have a third-party service provider, or are using CyberSheath, your day to day is not impacted from the way that you're normally operating. Lastly, on our side, just have awareness. We've got a great depth of expertise within our tech bench, technicians and engineers from small business all the way through to large enterprise. And we've worked with organizations on many of the technology projects that they might have. We find that within the defense industrial base, there are lots of rapid acquisitions, divestitures, changes in scope based on new contracts, new line-of-business applications, SaaS platforms, joint ventures, etcetera, and we have the capabilities and the expertise to support our clients through them. When it comes to acquisitions and divestitures, we have a playbook to assist organizations from due diligence through successful outcomes on tPA. So just know that we have that expertise, and if you're looking externally for providers, inquire about some of those items to make sure, if you're ever expecting those activities in your organization, that you're going to have a provider who has the ability to support you in the future. When it comes to the team approach, this is something that is near and dear to me here at CyberSheath. I put this into place for us in the past when I came back to run operations, and what this was meant to do is truly drive customer intimacy. We wanna make sure that the resources on our side that you're interfacing with are very familiar with you and your organization, and that you know our resources very well and that you're very comfortable with them from a partnership perspective.
What that team looks like to us is a customer success manager that's a dedicated single point of contact assigned to your account. That's the one shoulder to tap for anything you need related to CyberSheath. That person will be your project manager. That person will see you through from onboarding, through remediation, through day-to-day activities, and into your CMMC compliance audit. With that, we're also gonna have dedicated IT and security engineers assigned to your account. Again, making sure that during that migration, during that onboarding, during any of those remediation projects, they understand your staff. They understand your configurations and potentially any nuances in your environment, and we're taking those into consideration in any of the implementations we're doing to get you compliant and to maintain that compliance. Compliance analysts on our side are dedicated to accounts; that is going to be the person who is gonna walk you through your gap assessment, work with you on all your compliance documentation through that iterative process that I talked about, and set you up for success for your C3PAO audit. They're as instrumental in the team as the rest of these resources. And then lastly, we have dedicated help desk specialists per team. Again, level one and level two help desk techs who are there to assist you with your day-to-day support. We wanna make sure, again, that there's customer intimacy. It makes everything much more efficient when we know your environment and you know the people who are helping support it. So that's what we see as that dedicated team approach. You'll see again, we've got compliance, IT, and security, with that customer success manager leading the charge. And with that, that's how we've been so successful in everything we've done for our client organizations and in helping them with their compliance goals.
And overall, full compliance is a shared responsibility. It is not a single department. It's not a single resource. It is a team-based approach, and it truly takes a village. So just have that. If you're taking anything away from this today, please know that that is probably the most important thing you could be walking away with: knowing that it takes more than just a single individual to get this done, and hopefully we're providing the insight into all the different requirements across those different business units for you to kinda have a vision of what full compliance might look like for your organization in a mature fashion. We touched on this several times: there is no point-in-time compliance. Obviously, you need to get yourself up to that 110 and maintain it. You're gonna go through a C3PAO audit, and you need to maintain that compliance moving forward for three years. It is continuous validation that you have the necessary pieces in place on your side, so that when it does come to audit, or if DCMA does step in to do a DIBCAC audit, you're not scrambling, identifying that you are missing many of the pieces that you thought were in place, and that you don't have full auditability on those items. And then lastly, it is truly the people, the processes, and the technology that all come together to make this work. There's no magic tool, no magic program, no special one person who could do this for you. It is an integration and a partnership of all those items coming together to ensure that you're gonna get there and you're gonna be able to maintain that moving forward. And again, as I talked about earlier, I wanted to highlight one of our client success stories. Campy Components is a parts distributor based in Pennsylvania. Campy's background is that they obviously had contracts with the DFARS clause in them.
At the time of engagement with CyberSheath, they had several different managed service providers in play in the organization. With that, none of those service providers were compliant. We were managing a small piece of the puzzle for them. And then DCMA stepped in and performed a DIBCAC audit within the Campy space. At that point, Campy had not been migrated over to a FedRAMP-authorized collaboration space. And with some of the findings from DCMA, CyberSheath was able to step in and help Penny and Katie over there, their internal IT resources, in giving them a vision of what compliance could look like, reviewing their existing service providers to see who could successfully remain in the environment, if any, from a compliance standpoint, and where they needed to supplement with additional services. With that, we worked together to get them into GCC High, perform a gap assessment, produce a POA&M, and then get to work in remediating all of the findings that we had within their environment. Subsequent to that, Campy was engaged with a C3PAO this past year, went through a successful level two CMMC audit, and is now maintaining their compliance for the next three years. So it's very common, and we wanted to highlight this success story, where we are seeing so many organizations out there who have been working with existing MSPs and MSSPs towards their compliance, not realizing that they're not gonna be able to get there without compliant vendor organizations. So have that as a takeaway: know that you're gonna need compliant organizations to help you on this journey. Ask those questions if you're potentially engaging those firms. Look at track record. Make sure that they are certified. Make sure that this is what they focus on. It's not a side project. It's not something they just spun up when they saw the 48 CFR published last year.
Make sure this is what they truly do all day every day, because it is going to be your best chance for success in reducing your organization's risk and ensuring you're gonna pass that audit and maintain your government contracts. I do see a couple questions in the side here, so I want to touch on those real quick. We had one: besides the typical scare tactics to the C-suite about what happens if we fail this audit, what are some of the arguments for justifying the exorbitant cost of cybersecurity? I look at this in a very simple way. Maybe my analogy isn't well received by others, but I know when I started working in the United States and I had a job, I was gonna have to pay taxes, and I was signing up for that by working. And I look at these exorbitant costs in NIST 800-171, or how folks are addressing these exorbitant costs, and I kind of take a step back: defense contractor organizations have had the DFARS 70 clause many times in their contracts since 2016, since 2017, and have just kinda turned a blind eye to them. So if I look at the NIST 800-171 framework, and even take it a step back outside of defense, truly, I think it's a remarkable framework. There are a couple items in there that might not apply to a commercial organization, but, transparently, it is overall good security. And I think it's security that most commercial organizations should have in place. That being said, I look at defense contractors who have agreed to implement these controls and haven't done so to date, and I don't necessarily see those as exorbitant costs. Many times, as we talk to smaller organizations and organizations that come to us, they are saying, hey, we might consider hiring, again, that level two IT resource or somebody like that.
And from a cost comparison perspective, oftentimes, when you look at the monthly services charges of a vendor such as CyberSheath or others for providing those three pieces of the puzzle versus what it would cost to hire an internal resource fully loaded with vacation, benefits, etcetera, it's a wash. And you're getting the full expertise and depth of a team and somebody who's done this before, as opposed to just another internal resource. So I don't necessarily see this as exorbitant. I'm sure there are other providers out there who are charging outrageous numbers for this. I don't think we are here at CyberSheath, nor are many of our closest competitors. But I would say that the scare tactic is not a scare tactic if you fail the audit. To me, it is a risk-based approach to spend the necessary money to better protect your government contracts and ensure that you're gonna keep those moving into the future. And with that, you are ensuring all of the employees in your organization and their families and their livelihoods moving forward, based on something that they probably expect you're doing natively by taking on those contracts. So I'm happy to dive into that deeper and give you any additional insight or references if you want any bill on that. And then I also had another one asking about an inconsistency of auditors in gathering defensible, irrefutable evidence for the controls. I don't exactly understand your question, Eric. I'm not expecting the auditors themselves to be performing the evidence gathering process. But what I would say is that we have come across several different auditors who might not align with our application of the controls, and really that's up to us to share our viewpoint and push why we feel that what we're doing meets the NIST 800-171A assessment objectives.
So that might be what you're touching on. But, transparently, we've found the majority of auditors we've worked with have had a very realistic understanding of the implementation of the controls, and there have been just a couple of, I think, fringe cases where there have been differences in opinion. As I've mentioned, ourselves here at CyberSheath, we've never had anything but a perfect 110 score. So it's truly believing in your stance and the configurations that you have, and being able to express those opinions and change the auditor's mind in those cases. So, again, we've gone through countless audits on our side, whether it be DCMA or C3PAO. And with that, we've gotten a lot of feedback from different auditors and their opinions. And that's where some of that expertise I talked about comes in: gathering all that together to cover all your bases when you're going into the next audit. So that's probably the best answer I can give you there. Alright. Well, that is gonna wrap us up for today. I really appreciate everyone's time. If there's anything I wasn't able to answer from a question perspective, or if you have anything else that you wanna bounce off of us, please do not hesitate to reach out. We're super transparent on what we're doing in helping support the DIB. And if you're trying to evaluate doing this internally versus hiring an external service provider, or you just even have a question on our interpretation of some of the controls, please don't hesitate to reach out. We're all working on this together. So I really appreciate everyone's time, thank you again, and have a great day.