Video: CMMC Without the Theater: What Actually Moves You Toward Certification | Duration: 3720s | Summary: CMMC Without the Theater: What Actually Moves You Toward Certification | Chapters: Introduction and Agenda (6.4s), CMMC Final Rule (291.89s), Understanding CMMC Scoping (813.56s), External Service Provider Challenges (1003.57s), Assessment Preparation Strategies (1197.38s), Assessment Preparation Strategies (1477.505s), Evidence Collection Importance (1666.145s), CMMC Assessment Preparation (1821.77s), Institutionalizing CMMC Controls (2219.13s), Ecosystem Roles Explained (2391.035s), Supply Chain Compliance (2666.08s), Certification Preparation Steps (2882.01s), CMMC Self-Assessment Process (3604.65s), Conclusion and Thanks (3674.725s)
Transcript for "CMMC Without the Theater: What Actually Moves You Toward Certification":
Alright. We'll go ahead and get started. First off, thanks for everybody taking the time to be here today. We know there's more and more content out there on CMMC than there's ever been, webinars, vendors, opinions, a lot of noise in the echo chamber. So the fact that you chose to spend your time with us today is something we don't take lightly. At the end of the day, your time and trust are the two most valuable things you can give. So our goal is to make this worth your time. As usual, we're bringing the perspective of a registered practitioner, CyberSheath, in the space, acting as what would be an ESP, external service provider, and the perspective of a C3PAO in the space, and I'll introduce Travis here in a minute. But our focus today is pretty simple. No theater, no fear tactics, no recycled talking points, just what actually moves an organization towards certification based on what we're seeing in the field every day. So with that said, let's jump in, and we'll start with the agenda. So the agenda for the presentation: we'll give an update on the CMMC final rule and what that means now. There's still some confusion in the space about what it means to be in 2026 as it relates to the rule, your expectations as a defense contractor, legacy understanding of what's colloquially called a SPRS score but is really DoD assessment methodology scoring and what that means in terms of CMMC now, what we're seeing across the DIB and how things are being interpreted, what actually matters when it comes to moving the needle towards your compliance state and participating in DIB contracting work, why the ecosystem still feels pretty confusing and demystifying some things as it relates to CMMC, the right way to engage within the ecosystem, which is why we like to bring multiple perspectives to these conversations.
And then we'll tail off with an open forum on questions as well that you might have, that you can submit through this medium, when it comes to all things CMMC. So starting off with introductions, I'll pass it to Travis first from CoalFire. Travis, tell me your background, and then I'll jump into mine at CyberSheath. Yeah. Absolutely. Yeah. Thanks for having me on today. Hello, everyone. Travis Goldbach. I'm a cybersecurity and compliance leader with over twenty years of experience in this space. I got started with CMMC, I would say, during the birth, where I was a CMMC program leader for a managed security service provider, helping serve aerospace and defense customers build out resilient security programs. From there, I went to AWS, where I led go-to-market efforts helping organizations implement secure cloud architectures, as well as contributed to AWS's internal certification. Now here at CoalFire, I lead strategic initiatives to help defense contractors really understand the emerging cybersecurity requirements to drive practical and scalable approaches. And CoalFire Federal is one of the first organizations that was an authorized third party assessment organization, and we bring over twenty years of experience in this space doing assessments for both the Department of War, the defense industrial base, and highly regulated commercial enterprises. Terrific. Thanks, Travis. So Travis obviously brings the C3PAO perspective and a tremendous amount of industry experience when it comes to regulated environments, a lot of bona fides when it comes to the CMMC space. Myself, Casey Lang, I run the compliance services function here at CyberSheath. CyberSheath was founded back in 2012.
I helped pivot the company from what was boutique professional services, assessment services, professional services in this space, towards performing managed services in long term engagements with our customers, really serving and operating on behalf of those customers to deliver compliant outcomes. I've been within this space as long as the foundations of CyberSheath began to come together, involved in the 2008 provisional, voluntary requirements when CMMC didn't even have a name. So, a long history when it comes to my involvement in this space, implementing programs against those pilot provisional requirements, but ultimately that led to the tinder that became CyberSheath serving on behalf of our customers to deliver compliant outcomes. So, Travis, appreciate you being with me on the call, bringing your perspective to the table, and I think we'll have some good content for our listeners. Next slide, please. So the CMMC final rule and what it means today and where the confusion exists. So I think a lot of people know that the CMMC final rule has been established. It is a four phased rollout, year by year. And as of November 2025, phase one began. And what that means is phase one permits self attestation of full CMMC compliance, where in the past you were expected to self assess, have a score to indicate where you were on your journey to compliance, and ultimately attest to a timeline to get there. Whatever your longest POAM was, you were allowed to have a less than perfect score. But as of November, to be awarded work, just like to be awarded work in the past where you needed to have an SPRS score, good or bad, now this year you have to at least attest to full compliance, and there is some discretion around some programs that can actually require third party certification. But for all intents and purposes, phase one allows for self attestation of the CMMC requirements.
From there, we have a phased rollout towards full adoption of the CMMC framework. So phase two, starting in November next year and largely next year, you'll be expected, by rule, to hold third party certification against the CMMC Level 2 requirements. And what that means is the requirements that have existed as far back as 2017 and sometimes farther, those have to be fully compliant, meaning a score of 110 and certified by a third party, which is where Travis comes in with his perspective from CoalFire on the activities that lead to certification and the tidal wave of activity on defense contractors becoming certified ahead of that date so that they're well prepared for holding that third party certificate. Travis, if you wanna just give me your perspective, the overview, and what you're seeing in the field around this phased rollout before I get into phases three and four. Yeah. Absolutely. So I would say across the ecosystem, we're gonna see scheduling pressures for organizations that are actually waiting until 2026, late 2026, to approach a third party assessment organization. There's gonna be longer scheduling queues, higher costs, limited assessor availability. And oftentimes, we're seeing prime contractors really driving that enforcement before the Department of Defense. So primes are already asking for SPRS scores. They're asking where you're at on your journey and requiring flow down. One thing I just wanted to reiterate was the Department of War may implement CMMC Level 2 third party assessments and those requirements in phase one. Also, in phase two, there might be Level 3 requirements, which may limit competitors as well as drive cost. So still think about that. Think about approaching a third party assessment organization, not waiting until November 2026, to ensure that you are in a position to get an assessment done. Yeah.
And just to underline the drivers behind the need to be compliant and the need to be certified. So as Travis mentioned, in phase one, there can be program efforts that require third party certification. We see it across our client base, where we're seeing it unfold faster than what we have as the phased approach here. But the gateway right now, previously, a contracting official of the DoD needed to confirm that you had an SPRS score in place. And if you didn't, they couldn't award the work. Phase one really means that you have to fully attest to that 110 score to be awarded the work. A less than 110 score is not acceptable. We hear it in the ecosystem quite a bit, like, well, if I have an 88 score, that's good enough to continue doing work in the DoD. But even the structure and function of the Supplier Performance Risk System, the SPRS system, to do your CMMC Level 2 self attestation, you can't submit anything other than a perfect score. So just ensure that if you are on the path to compliance, implementing controls and capabilities, what you're up against now is, if you are about to be awarded work or win new work, that is the stop gap. That is the gateway right now. Contracting officials need to confirm your full compliance before awarding that work. Ensure that your timelines are taking that into account. The business development team, whoever's engaging with the DoD to win the work and land the contracts, your condensed timelines should take that into account for getting to compliance so you can truthfully declare your CMMC Level 2 or Level 1 compliance. Caleb, I saw a question from you around whether CMMC Level 1 will just disappear. No. It depends on the nature of the work that you're doing. If you're going to have a contract that has the FAR clause specific to Level 1 but does not involve the exchange of CUI, you still need to do a CMMC Level 1 attestation.
In theory, they wouldn't be awarding you work for FCI transfer if you didn't have your CMMC Level 1 attestation in first. And we do see a lot of primes and the DoD itself ensuring that you have a CMMC Level 1 attestation in SPRS as well. But that all said, phases three and four. Phase three will be the official implementation and rollout of CMMC Level 3. That is the enhanced set of requirements, NIST 800-171, NIST 800-172. The criteria for when that becomes applicable is not all that clear yet, but I would expect that some defense contractors and some programs will get particular attention around those enhanced requirements. And then phase four, you can expect CMMC Level 1, 2, 3 determinations for all engagement with the DoD. That's really the full rollout in that fourth phase. How do you see that unfolding? I know, Travis, the C3PAO role is very specific, related to third party certification of Level 2. But talk to me about Level 2 versus Level 3 from the C3PAO standpoint. Yeah. So from Level 2 to Level 3, of course, it's implementing the NIST 800-171 Revision 2 requirements. Those are 110 requirements. But then going to Level 3, you're gonna need to add in the additional 24 requirements for Level 3. It doesn't mean you can just skip right to Level 3. You need to go through and ensure that you are meeting the Level 2 requirements as well. So that's how we're seeing it. We do see it going to the DCMA DIBCAC to do that third party assessment for Level 3, and all organizations that need a Level 2 certification will come to a third party assessor like CoalFire. Yeah. And just emphasis on the difference.
So CMMC Level 2, the intention of the ecosystem is that the certified third party assessors, the C3PAOs, can certify the broader defense industrial base against those NIST 800-171 Rev 2 requirements; that's CMMC Level 2. But when you graduate to CMMC Level 3, it is DCMA in their DIBCAC auditing capacity that will certify against those enhanced requirements. The Department of War decided that DCMA is gonna carry that mission forward when it comes to certifying against enhanced requirements, above and beyond the C3PAOs performing Level 2 assessments. Yeah. And then I think the one thing that we haven't mentioned is there needs to be an annual affirmation at all levels. So at Level 1, Level 2, and Level 3, and that can be from a senior official, just affirming that you are actually meeting the requirements that you're saying you're meeting at Level 1, Level 2, and Level 3. Yeah. Great point. So in this phase one even, that self attestation and the CMMC attestation functionality of SPRS, that is the same function that an authorizing official needs to perform their duties to attest to full compliance on an annual basis, not just during phase one. But even when you're in a certification cycle, a three year certification cycle, you're still expected to attest to compliance on an annual basis from an authorizing official within your organization. Alright. Next slide, please. Alright. So what we're seeing in the DIB, most organizations fall into these four traps: overspending on tools before understanding the scope. We see it quite a bit on the CyberSheath side. Hey. I bought GCC High. Isn't that good enough? Am I done? Or I have a SIEM. Like, doesn't that mean I'm compliant? But not always the case. I assume on the C3PAO side, you guys are qualifying, like, who's ready to go through a certification attempt and who's not.
But all of these things probably come into play when you have conversations with prospects and customers on your side at CoalFire. Right, Travis? Yeah. Absolutely. And what we're seeing is companies buy, like, a full security stack, as you said, before they're ever defining their CUI boundary or what it actually looks like. They'll deploy those tools enterprise wide when only a subset really needs to be in scope. So to be truthful, CMMC doesn't require the best in class tools. It requires meeting the control objectives within the defined boundary. Oftentimes, this goes wrong with organizations because they're misaligning configurations that don't support CUI requirements. There's gaps in basic controls despite heavy investment, and there's no clear boundary, so the assessor can't really determine what's being evaluated. What works, I would say, is start defining a CUI data flow mapping to find the asset boundary and then align those tools and controls, not the other way around. Yeah. Excellent point. And emphasis on the scoping thing being critically important. Scoping should take into full account your expected CUI data flows. This 800-171, CMMC Level 2, it's a data centric framework. So you need to follow where the data goes, the platforms where the data is touching, both from a transfer and a storage standpoint. Cloud services come into play. So understanding how you engage with data broadly, whether it applies to CUI, certainly matters. So if you imagine you're a defense contractor in this space, understand not just from the IT perspective, because sometimes these requirements fall too much on IT, but the people who engage with the data the most are the ones that can tell you what the flows are when you're understanding your own scope and boundaries. So that could be business development people receiving CUI specifications for an RFP.
That could be contracts people. That could be post contract or post award. You have engineers, project team people, project managers, all involved in touching CUI, and understanding how it's received, where it lands, the tools that are involved in its processing, and then where does it go from there? So do you guys transfer it outbound? Do you flow it down to subcontractors? Am I meeting my obligations to flow down the clause in those situations? That's the type of flow that needs to be understood. Where it goes leads to the in scope assets for its processing. And then, ultimately, the SSP is really the North Star narrative when it comes to telling your story on the controls, the data flows, where it applies. Talk to me about what you guys on the C3PAO side like to see in an SSP. What does readiness look like in a system security planning document? Yeah. I would say the biggest challenge that we've seen for organizations is when they have an external service provider, understanding what their capabilities are and putting that information back into their system security plan. So, you know, if you're working with a cloud service provider, let's say, if you're in their environment and it's a FedRAMP authorized environment, you're gonna be most likely inheriting maintenance, media protection, physical protection, some access control. But you need to showcase specifically, is it a full inheritance? Is it a shared responsibility, or is it a customer responsibility? So when you are working with these external service providers or interviewing ones to help support you, I would say that's your number one question you need to ask: how they're ultimately providing that information to you. You hear about customer responsibility matrices or shared responsibility matrices.
And I think by having that level of understanding of who you're working with and how they're within your environment, you're able to put that into your system security plan and be more successful. So having that understanding. Yeah. Great point. And I know the rule making settled on external service providers not necessarily needing to be CMMC certified themselves, but it certainly helps. But it's the nature of the interfacing that matters largely when it comes to interconnectivity and the roles that are introduced to the OSCs, the defense contractor environments. The challenge with that and the external service providers and the shared responsibility is, does the service provider fall into your scope, depending on how they're accessing your environment? So if you have external service provider staff within your environment with access within your CUI boundary, if they are not certified themselves, they're gonna get a lot of attention during an assessment, because auditors know that they need to pull those strings. I have an external party. How do they access the environment? Are they fairly open with their access in the environment? And do the personnel, do the assets that are used by the external service provider personnel, do those all come into play when it comes to managing environments? So think, like, yes, my own people are trained and they've gone through security training and background screening, but has your external service provider considered those things? A certified one starts to alleviate the burden a little bit, versus one that's not, where they could easily come into scope, I would imagine, Travis. Yeah. And we've seen some assessment challenges where that system security plan is either incomplete or contains contradictions. There's some where their policies and procedures are generic or not tailored or don't match what the organization is actually doing.
And sometimes there's procedures that exist that aren't institutionalized, so they're not followed in practice. That's where it can really be a challenge for us as a C3PAO, because we can't validate those controls without the documented evidence. Yeah. Absolutely. And then the one other thing that we see quite a bit with preparing our customers for certification and having them walk in the door with system security plans that aren't ready. NIST 800-171A, it is the assessment guide for NIST 800-171. It is more granular. So there's 110 requirements in NIST 800-171, and there's 320 assessment objectives in NIST 800-171A. Travis, talk to me about the difference and talk to me about how the C3PAO leverages NIST 800-171A in their assessment and why defense contractors should care. Yeah. I would say it's ultimately part of the way that we're gonna be looking at your environment, testing, interviewing. But, also, organizations should ultimately start looking at the CMMC Assessment Process as well. So I would say NIST 800-171A and the CMMC Assessment Process, so you can understand how we conduct a pre assessment, how we look at and assess conformity, and then the report out, as well as issue a certification. So I would say those two documents alone are gonna be the strongest documents that you can utilize. When I worked for a company and we were actually going through the DIBCAC assessment, it was similar, as the NIST 800-162 handbook, similar to what NIST 800-171A looks like, and it goes through exactly how you're gonna be looked at. So very important to review those documents and be sure that you're in line with what the assessor's gonna come in and actually do. Yeah.
And this NIST 800-171A, it's public. It's a gift to those who are preparing for CMMC certification, because it is the questions that the auditors and the C3PAO assessors are gonna ask. So if you wanna be as prepared as possible, writing to 320 things instead of 110 sounds like a lot of work, but it does give you the opportunity to lead the witness a bit in your certification attempt or your DCMA DIBCAC audits, because they're asking the questions. And, ultimately, what happens is I have my question in NIST 800-171A. I have a response in my SSP at that level of granularity, and it becomes: ask the question, here is the definition, demonstrate what you have documented. And it certainly makes the process a lot easier if your SSPs are at that level of granularity; it keeps everybody on track for successful outcomes. Yeah. And it's gonna go into, you know, what are those assessment objectives, as well as what we're gonna examine, who we're gonna interview, and what we're gonna test. So it is very valuable as a resource to utilize. Absolutely. And final point here, waiting too long and compressing timelines. If you're not on a path to compliance, really, your engagement with the C3PAO should be informed by some disciplined internal processes around assessing yourself, either doing it solo or with a partner to do assessments for you. That ultimately leads to the development of a plan of actions and milestones. The POAM, at least from an operational sense, when you're on the compliance journey yourself, should have dates, timelines, commitments to get to a state of compliance. So there is gonna be one long date in there, where it's, like, we're finally over the finish line. You engaging with a C3PAO and getting that on the calendar should be informed by a POAM and reasonable timelines.
There's a little bit of, like, hey, if you're at a score of an 88, you can engage with a C3PAO. I'd imagine on your side, Travis, a score of an 88 doesn't mean start to engage with a C3PAO. You should really have confidence that you're gonna be at a 110 score before you get started. Yeah. I would say, ultimately, start engaging with a C3PAO now to understand what their timelines are for an assessment, understand what their capabilities are. Finding the right third party assessment organization is gonna be key to your success. But, of course, yeah, an 88, you know, I feel like that's more, you're doing a good job. You still have to look at those POAMs and close those out before you're gonna go through the actual assessment. But engaging with one early, you're able to work backwards and understand where you're at now, where you need to get to, the timeline in between, and, ultimately, what a successful engagement would actually look like with the C3PAO. Yeah. It's a little bit of a balancing act. Right? Like, the POAM says I'm gonna be compliant at a certain time. The C3PAOs have a bit of a backlog and timeline before they can engage. So, certainly, start the conversation early. Like, select your C3PAO, but getting it on the calendar should be informed with when do I actually think I'm gonna be compliant in my own POAM, because that's the right date. You wanna find that sweet spot between C3PAO availability and your own intentions to get to a compliant state. You shouldn't schedule a C3PAO audit when you get to an 88. You should schedule it when you fully think you're gonna have a closed out POAM. Yeah. And then you're communicating. I would just say start communicating that across your organization, when your expected assessment should happen. It can be very challenging if you have team members that are either going on vacation or actually leaving the organization.
Make sure that you have enough team members to support that engagement. By having these timelines up front, you'd be able to socialize that organizationally. Yeah. Absolutely. And emphasis on the score of an 88 as a thing. C3PAOs have a different kind of perspective when it comes to the use of POAMs versus operationally using a POAM within your organization. So when I say start with a C3PAO when you have a 110 score, 88 isn't your starting point. That 88 score means something in C3PAO terms. Right, Travis? It's, you start an engagement, you hope to be compliant, the C3PAO finds some issues, and they can issue you a conditional certification as long as your score is an 80 or above and not triggering some key requirements, which is different than just using a POAM operationally. Let's step into that a little bit. Yeah. Exactly. I mean, that's gonna give you the conditional CMMC status, but you need to get through those POAMs within 180 days. Basically, what an 88 tells me is, you know, you've made progress. But from a C3PAO perspective, certification isn't just based on that score. It's based on whether you have every control fully implemented. And at Level 2, it's required for the controls that are met, and you don't pass regardless of that score. Yep. So kicking off with the C3PAO, it's, yep, I think I'm compliant. The C3PAO thinks otherwise, and they can issue you a time bound conditional certification with 180 days to resolve. But, ideally, you wanna be entering the situation with full confidence that you're ready. I think we can move on to the next slide. Yeah. I would just say the last thing there is we've seen a lot of organizations doing mock assessments prior to their real assessment. I think that's a great way to understand if you're gonna meet the requirements or not.
Ultimately, you don't wanna go into an assessment and then get caught in a position where you're not actually meeting the requirements. So doing those mock assessments is very valuable, and to understand what the assessment process really looks like. Yep. Yeah. Absolutely. So the final reality check in this section: you will be assessed. You should be assessing yourself. There's a requirement to do it, 3.12.1. So have your self assessment processes and do them with some level of diligence. Evidence is gonna matter critically, both for self assessments, for audit preparation, for staging a C3PAO attempt, for the potential of an audit by DCMA in their DIBCAC capacity. But audits, evidence from your side, Travis, like, I always recommend if you're on the path to compliance, collect the evidence to give confidence in your own assessment results. But for a C3PAO CMMC Level 2 certification attempt, there is some evidence required, and there are some things you need to do with it. Yeah. You know, evidence, it really matters during the assessment process. Every control must be supported by objective evidence. So evidence must be current, traceable, and repeatable. And what we're seeing with organizations that are doing the right things but failing is because the evidence is scattered around. There are screenshots that are outdated or no audit trail exists. So what an assessor will actually look for is logs, tickets, configurations, training records, access reviews, and proof that those controls actually operate consistently over time. So I would say, if you can't prove it from an assessment perspective, it didn't happen. Yeah. And evidence, if you institutionalize evidence collection as part of your internal practices, you have much higher confidence in the results and your readiness. So it's good to adopt it as a practice.
But for a C3PAO engagement, you are expected to have a package of evidence associated with your certification attempt. So it's why there is a hashing function at the end of the certification. You gather the evidence that's been associated with that particular level, with that particular effort, package it up, hash it. It's referenceable. This way, you have proof that you went through the process with a C3PAO. You've collected a set of evidence that positions yourself as compliant and is referenceable in the future. Yeah. And we're gonna confirm in phase one of that assessment process to understand if that evidence is even available or not. If not, then, you know, we're not gonna be moving forward. Yep. Absolutely. Alright. Next slide. So some decisions that drive things, five activities that actually move the needle. We alluded to this earlier, but scoping correctly before the spending and following the CUI. Those are two things that are very interrelated: boundaries and data flows with regards to the CUI, and then subsequently establishing what the assets are that are involved in those boundaries and data flows. But talk to me about how you guys at least validate an accurate boundary, or what are you guys doing in the early phases of a certification attempt to make sure that, you know, you've got a client that's at least preliminarily ready. Yeah. I would say that the first thing that we're gonna do is review the SSP. We're gonna validate that assessment scope. We're also going to confirm availability of the evidence and determine readiness for the assessment. We'll also compose an assessment team and a pre assessment form throughout this to ensure that we are approaching it correctly. And a lot of this will come through from the CMMC Assessment Process.
It's what we go off of to ensure that we conduct our assessments as seamlessly as possible, where organizations know how we're actually gonna be assessing. Yeah. And I think just on that scoping activity, what you should end up with in a system security plan is the assets that are in scope. So understand cloud services, endpoints, servers, wherever that CUI lands, and whatever utilities are used to transfer it or access it, all need to be accounted for. But that should be accounted for in both visual illustrations, so that it's clear to an assessor what that flow looks like and what the boundaries are. So get out your crayons and make sure you have great diagrams that follow what is true. And then, ultimately, an asset list that categorizes. I have CUI assets. I have non CUI CRMA assets. And then further complications around, I have specialized assets, manufacturing equipment that can't meet the requirements, but you have to, in preparation, at least identify what those are and have compensating controls in place. But talk about the distinction between CUI assets and specialized assets for me, Travis. Yeah. So CUI assets are assets that store, process, or transmit CUI. So you're gonna have to document those assets in the asset inventory. You're gonna have to document those assets and treat them in a system security plan. You're gonna have to document that in the network diagram of the CMMC assessment scope and be prepared to be assessed against those Level 2 security requirements. And then a specialized asset is an asset that can process and store CUI but is unable to be fully secured, including Internet of Things or industrial Internet of Things as well. In those devices, those still need to be documented in the asset inventory. The documented asset needs to be treated in the SSP and show that these assets are managed using the contractor's risk based security policies, procedures, and practices.
There's also one other one for a specialized asset, and that's around operational technology. These need to be documented in the network diagram of the CMMC assessment scope. Yeah. And the key thing when it comes to those specialized assets: the CMMC scoping guide is a gift. Right? It didn't exist in the past, prior to CMMC. It does allow some thoughtful consideration of assets that maybe can't be configured to a compliant state. Think of, like, you know, on shop floors. Sometimes you have, like, a shaker table or a vacuum chamber or some equipment that has a PC or an asset attached to it, but it has to be Windows Vista because they haven't updated that in several years. There's no way to functionally update it, put AV tools on it, not use a shared account. So the key distinction there is it can't be configured to be in a compliant state. If it's an asset that can be configured, then it should be configured to a compliant state. So as you're looking at that, the gift that is the CMMC scoping guide and what feels like a get-out-of-jail-free card being a specialized asset, just make sure that you're thoughtfully considering the language of that scoping guideline, because you can't just say, I think this thing is hard to configure, so I won't configure it and move on and put it in the corner. You do actually need to defensively position yourself on why it is a specialized asset, why it cannot be configured to be in a compliant state, and position yourself in a way that's defensible, with defensible compensating controls. Like, we've taken certain steps to limit the risk related to these particular assets. On the POAM topics, rethinking what POAMs are, we talked about this a little bit already, but there are kind of the POAMs that you use on a day-to-day basis when it comes to deficiencies identified in your environment. Defense contractors tend to experience a lot of chaos when it comes to change.
That should lead to actual use of your POAM. So even when you get certified or think you're compliant, you know, if your environment changes, your boundary changes, you have an acquisition, a divestiture, you handle CUI or touch CUI differently, which is a new data flow, those things need to be considered. The impact of those things needs to be considered, and you should use your POAM if you uncover deficiencies, and then put a date on it and drive to resolution. It is a process. You should be using it that way to keep yourself in a compliant state when you're kind of in the midst, or the fog of war, of change within the defense industrial base and in your business. Yeah. And now I'd just say you need to understand that not everything can be POAMed. There are specific controls that can be POAMed, typically the one-point controls that we're gonna be going off of. So I would say take a look at the controls that might not be POAMable. Yep. Yeah. Certainly a valid distinction to consider, because a lot of things that are not POAMable could trigger a recertification. So you do need to be aware that, well, criteria will eventually be released around what is a security-relevant change and what triggers recertification. So major boundary shifts, like, if you're in an enclave today and you decide, wow, this happened, so I need to be in a full enterprise configuration tomorrow. Like, that's a big one. That would be an obvious configuration change. Even on your CMMC level two certificate, it says environment type: enclave or enterprise. If you're shifting between those two things, you're gonna call Travis and his team back and say, hey, we have a major change planned and we need to go through a recertification attempt. But the details of what triggers recertification, I know I've heard rumors, Travis, but I imagine that criteria will be established and set in stone at some point. Absolutely. Yeah.
I would say POAMs, you know, don't save a weak environment. They really just validate a strong one. Yep. Yeah. Exactly. And then institutionalizing controls, I'll kind of dovetail this one into the documentation side of the house. Documentation can just sit in the corner, but documentation on SOPs, processes, inputs, outputs, this all ties to operational capability, something that's being executed on the regular. So don't let your compliance program be stale. You shouldn't just be executing some things to get through an audit. Think of the verbs within the assessment objectives that exist today around monitoring or performing activities. That means perpetually. So change management is a great example. You can't do change management to have an audit and then stop doing change management. It needs to be an operational capability. So just keep in mind, institutionalizing your controls, making it through operational outcomes and activities that are defensible, leaving a paper trail, showing that you're in a compliant state. As Travis mentioned, you have to attest annually that you're remaining compliant, and then every three years, you have to go back to your C3PAO and recertify all over again, and you should have some valid record keeping to show that you are keeping true to your commitments. Yeah. What we're seeing, you know, from a C3PAO perspective, is controls implemented once that then slowly degrade. There's security tied to individuals instead of processes. And CMMC is about repeatability and sustainability. So we need to look at the controls, how they're operating over time, not just how they are recently. And this matters because of evidence, recurring activities, consistent execution, ownership across the organization. So where companies actually get this right is the controls are embedded into their daily operations, into their tooling, into their team's responsibilities.
So if a control depends on one person remembering it, then it's not institutionalized. Yep. Absolutely. All right. Let's move on. So, talking about the ecosystem, why it feels so confusing, the distinctions between registered practitioner organization and C3PAO. Talked about this lightly in the beginning of the conversation, but just to kinda recap on the distinction and where you should be getting support depending on where you are in your compliance journey. Registered practitioner organizations are those that can give advisory support. They can write, like Adam mentioned, Travis mentioned, a mock assessment. A mock assessment is truly like a C3PAO engagement, the same output for the most part. But a gap assessment, on the other hand, might be more verbose, might provide some advice and some recommendations to get to a compliant state. So understand, depending on where you're at and your needs, an RPO has the ability to advise. A C3PAO is actually restricted by the governance of the Cyber AB ecosystem to not give advice. It's really just pass/fail. But talk to me about the boundaries that you guys have on your side when it comes to a C3PAO. Yeah. You know, we have to stay independent. We can only assess what exists, and we can't really help you fix gaps as a C3PAO. You know, as an RPO, we can advise. We can implement. We can help you get ready, but we can't do both from a C3PAO perspective. So the same company can't prepare you and certify you at the same time. Yep. But we're more looking at it from a C3PAO perspective and have to stay independent. Yeah. Essentially, what the ecosystem is designed to do is to prevent one firm from certifying their own work. So if CyberSheath was a C3PAO and we did all the work to get you ready and then we audited our own work, there would be bias in that situation, which is why they have the distinction between the two roles.
So the one risk to keep an eye out for is qualifying on both sides. So if you need advisory-type support, find an advisory partner that is well versed, experienced, and proven within the ecosystem. The RPO and the registered practitioner credential really only train on the glossary that is CMMC, where the C3PAOs, the CCP credentials, the CCA credentials, they're more in tune and in-depth trained on the actual requirements themselves. So finding an RPO that has CCP, CCA credentials might be part of the criteria for selecting advisory service support. But just be aware that that same firm cannot certify the work that they've done, and, ultimately, that separation has to be maintained to effectively prevent certifying your own work when it comes to the firm supporting your organization. Yeah. And that's been a big challenge across the ecosystem, is having those right partners. CoalFire Federal has, I would say, over 20 different partners that are trusted partners that can help deliver end-to-end capabilities, CyberSheath being one of those. So if you do have questions, you can always reach out to us at CoalFire, and we could direct you to some of the real partners that can help you get things done and make sure that you are in a position to work with the correct partner. Because a lot of times, organizations are out there, and they can get their RPO status, but maybe they're not doing everything appropriately. Yeah. And the great thing about C3PAOs in the ecosystem, or what you should watch out for when selecting a C3PAO, is long industry experience in regulated frameworks, but also the processes to ensure that staff are appropriately trained and right-sized to the frameworks that they're supporting.
So having those CCA, lead CCA credentials that are practically interpreting the requirements, having the right quality assurance processes in place to make sure that if there are discrepancies between the CCA and the OSC, we have kind of escalation paths to flush out discrepancies. All of those things are critically important. So longer term, just other things to consider when selecting a C3PAO: be aware that some C3PAOs out there have less experience in the DIB or your particular use case. So there are manufacturing environments. There are pro services. There's staff augmentation. So you wanna find the C3PAO that can support you in your particular circumstances and has familiarity with how you operate. Alright. Next slide, please. So just final thoughts on supply chain risk management, the flow-down of the requirements and how things are unfolding. Supply chain risk management, for a long time, has been: the DFARS 7012 clause requires you to flow down the DFARS 7012 clause. But there is a certain onus on prime contractors to ensure the compliance of the suppliers that they bring to the table, understand how they exchange their own data, potentially CUI, with suppliers, holding their suppliers accountable or at least monitoring the state of their compliance in some way, which a lot of smaller defense contractors are probably subject to: questionnaires, where are you on your path to compliance, notifications. Hey, if you're within our supply chain, we want you to be CMMC level two compliant. If you wanna perform work with us as a prime contractor, get to compliance, be on the right path, let us know when you're there. All these things are happening in the ecosystem. Right, Travis? You're probably seeing it as much, if not more, than we are. Yeah. Yeah.
I would say every prime contractor that I speak with, their number one risk is their supply chain, and that risk is concentrated more at the lower tiers of their supply chain. One noncompliant subcontractor can really jeopardize contract eligibility, and they have limited authority over what the supplier's decisions are. You know, primes aren't authorized to mandate a specific partner or one partner. They can't direct suppliers to one MSSP or consultant. They need to avoid that organizational conflict of interest. So, really, that's, you know, a challenge that they're having right now. I've seen prime contractors, you know, reaching out to their subs, and their subs aren't even answering them. And then there are some prime contractors that say, if you don't get CMMC level two assessed by a third-party assessor, you're not gonna be a part of our supply chain anymore. So it is really important to maintain a relationship, be outspoken about where you're at within your journey. Those prime contractors wanna understand. They wanna be able to support you. They wanna be able to provide you with ways that you can be successful, because no one wants to lose a supply chain member over requirements that can really be done across an organization. Yeah. And I think most top-tier or prime defense contractors are in this position where they need to have confidence that their suppliers are taking this as seriously as they are. This will get easier over time as the sub-tier defense contractors start to get certified. It's either you're certified or you're not. But for a long time now, it's been questionnaires, begging for responses, where are you at in your compliance journey, how confident am I in the responses I'm getting, sometimes some audits or some spot checking to confirm, like, is what I'm collecting true. But, ultimately, it is the responsibility of the prime to have some oversight of the compliance of their supply chain.
And if you're part of that supply chain, you should be on that journey if you wanna continue to participate and work with those prime contractors or the DOD itself. So just keep in mind that this is as critically important as being a prime. Subs still have the same requirements. They have the requirement to flow down those requirements to you, and you have the obligation to protect CUI in accordance with those requirements. So that's where supply chain risk management is headed. I know we have about thirteen minutes left. Wanted to drill into... oh, yeah. Sorry. Just forgot a couple slides. So practical steps to getting ready and certified. So step one, get in line. We talked about this earlier. Schedule a C3PAO, but do so thoughtfully. So engaging, starting the relationship, finding the CoalFires or the right-sized C3PAO to help you get there is important. Understand their timelines and their schedule and how it lines up with your timelines, your corrective action, where you are, and when you think you're gonna get to compliance. That's all gonna be key when it comes to readiness and starting the relationship and, ultimately, preparing for a certification attempt. Travis, I imagine on your side, you see a lot of, hey, I think I need a C3PAO. You ask a few qualifying questions and find out they're not ready. Is that pretty common on your side? Yeah. Yeah. Absolutely. A lot of times, we're getting organizations reaching out to us, and they aren't ready at all, or, you know, they're partially through their journey. They're actually requesting, you know, what partners can we partner with to support us on our journey from where we're at now. We talk about our processes, how we go off the CMMC assessment process when we do these certifications. They also wanna understand what our time frame is now to ultimately getting assessed.
And we're about eight weeks out, but it's good to start that conversation now with the C3PAO and work backwards from where you need to get to. Yeah. Absolutely. And then step two, as I alluded to earlier, assessing yourself. So there is a requirement that you assess yourself. So 3.12.1 says perform self-assessments, essentially. But first, assess yourself. That could be with a partner. That could be with an RPO that gives you a verbose output. If you're far along in your journey and you have high confidence in where you're at because you have self-assessment processes, you might wanna consider a mock assessment with a C3PAO just to understand, hey, we wanna dry run the process. We wanna understand it well before we jump into it and get that look and feel and engage the people internally so that everybody's on board with an actual certification attempt. So I would say self-assess, self-assess with a partner that's an RPO advisory, then a mock assessment if you feel like you need to do a dry run, and then ultimately, it's gonna be your certification attempt. On the remediation front, this is all kinda tied to your POAM. You've assessed yourself. In theory, you know where your problems are. That could be you've self-assessed. You've self-assessed with a partner. That could even be a mock assessment. Something flagged red, and we have something to track down and solve for an actual certification attempt. But those things should land on your POAM and lead to implementation of controls that are in a deficient state. And that's where I imagine, Travis, on your side, after a few qualifying questions, like, do you have a system security plan? And if the answer is no, they're probably not ready. That's one point of remediation, but there seems to be a fair amount of non-readiness in the ecosystem. So... Yeah. There is, and we're able to understand that pretty quickly upfront with one conversation.
We have a great team that understands, you know, what the requirements are and what a customer needs, and we'll be able to determine if they're ready or not or direct them to a different partner. I would say some of the funniest ones that I've heard in the past are, well, you know, I'm built in the cloud, and it's FedRAMP Moderate or FedRAMP High, so I'm good. I don't have to implement any of these NIST 800-171 controls. And that's just an incorrect statement. You need to still implement the controls even if you are within a FedRAMP authorized environment. Yeah. I mean, going in the cloud can certainly be a shortcut in some ways, but being in the cloud doesn't mean that the cloud service provider is doing your background screens. They're not putting locks on your doors. They're not putting cameras on your doors. They're not handling your data for you. So all of those things, people... Yep. Training your people. So the whole picture needs to be considered. There are things that will be covered by your compliant cloud service provider, but it's important to assess yourself, understand the applicability of the controls in your environment, understand the split responsibility between yourself, the cloud service provider, and external service providers like MSPs and MSSPs, and then make sure that you're tailoring your controls to your particular circumstances. So steps four and five, we alluded to a little bit, but operating, staying compliant. You don't wanna have a stagnant program. You want your program, your processes, when they're being executed, to leave a paper trail so you have all the record keeping to demonstrate continuous compliance. But, ultimately, your goal is to get compliant and stay compliant, in preparation for a successful certification attempt, but also in preparation for your annual attestations and your recertification attempts as you continue to work in the defense space.
Any final thoughts, Travis, on kind of the staying compliant side of the house? Yeah. I would just say that you have to have recurring activities around access reviews, log monitoring, patch management, and have clear ownership of the controls. Yeah. Absolutely. And that's where, you know, these things can happen in house. If you're a smaller shop, sometimes it makes sense to get some outside support. You think, like, change management is, I gotta do record keeping. I gotta thoughtfully consider applying changes in my environment because I'm doing IT. But those formalities of I have to do that. I have to do patch management defensively. I have to do vulnerability assessment, enumeration, but I also need to do vulnerability remediation, the other side of the equation, and how to tailor those things in a way that is operationally effective and continuously executing is really the key to get and stay compliant. So I think our final slide is questions. I think we've got a few minutes left, so I'm just gonna jump into this at the top of the list. We are an SMB DOD contractor with an SPRS recorded 110 self-assessment. Is it realistic to be audited by the November 2026 deadline? I'll say it depends. If you've self-assessed at the assessment objective level, if you have the discipline to go and collect artifacts that are in tune with a diligent scoping activity, then, yes, probably realistic. But it really depends on how confident you are in your own self-assessment methodologies. Any thoughts on that from your side, Travis? Yeah. I would say that if you've gone through the one zero one or a 110 self-assessment, I would say start leaning into getting a third-party assessment. Be one of the first contractors to do so. Beat your competitors out. I think that'll only produce a clear vision for your prime contractor to wanna bring you into more of these contracts as they come out. Yeah. And the one gotcha. Right?
When I hear, yep, I've self-attested 110, I think of a small defense contractor that looked at the 110 requirements and said, yeah, yeah, I think I'm doing that. But if you haven't looked at the assessment objectives in NIST 800-171A, it will be eye opening. I think of things as simple as password complexity. Like, pretty easy to enable password complexity in, say, a Windows environment, pretty easy to implement it in a way that's centrally controllable and demonstrable, but the requirement says implement password complexity. The assessment objectives say define what password complexity is, which means write it down, and implement some control that enforces password complexity. If you don't do both of those things, then you're not complying with the requirement, and it's actually a score deduction. So if your documentation doesn't match what's in place and you're not addressing the words define, identify, and specify as they exist at the assessment objective level... Writing things down matters just as much as the implementation, so just be very cognizant of the fact that there are 320 assessment objectives that you need to apply, and some percentage of them is very specifically documentation in nature. The assessor's gonna say, where do you define it, and where do you implement it and demonstrate it? So just keep an eye on that when you're assessing how ready you actually are. Meredith asked, what's the NIST assessment, the NIST number, assessment A? Recommended we do a dry run, discussed around the twenty-minute mark. This is NIST 800-171A. The A is for assessment. It is the assessment counterpart to the 110 requirements in NIST 800-171 without the A. So this is where the assessment objectives are enumerated. It is the guide for anyone assessing NIST 800-171 on the questions to ask.
And this is where the example I just gave you around password complexity, the assessment objective will say, is it written down, and is it implemented? You wanna get to that level of granularity to support your preparedness. I'll kick this one over to you, Travis. Are OSCs required to obtain an RPO, I guess, designation? What are your thoughts on that? No. Ultimately, what they're doing is looking to get certification. The registered provider organizations are gonna be the ones that help you either implement or assess, not from a certification perspective, but get you ready to go through your CMMC journey. So if you're just an organization seeking certification, then you don't need to be a registered provider organization. Yep. But the flip to that: if you are an RPO, like, CyberSheath is a service provider. We're a registered practitioner organization, but we support our clients in an ESP, managed services capacity. We chose to get certified. So we became an OSC because we wanted to meet the same level of requirements as our clients do. So an RPO can become an OSC, but the RPO designation is really representing yourself within the CMMC ecosystem as an organization that does advisory support related to CMMC. Alright. The MSP can provide evidence too, right? From Marco. MSPs, depending on the nature of the work that they're performing on your behalf and your engagement with them, really should be providing evidence for you. So if you think of an IT service provider, and maybe you don't have an in-house IT function, your MSP should be supporting the collection of evidence for anything that might be technical or anything that exists in their lane from a shared responsibility standpoint.
I would say if you have an MSP in your environment, a managed service provider, a managed IT provider, they are, in terms of CMMC, considered an external service provider, and you should be either getting from them a shared responsibility matrix or collaborating with them to document the shared responsibility, so you know what's in their lane and what's yours. But, ultimately, anything that's in their lane, they should be supporting by evidence collection, demonstrating on your behalf during a certification attempt. Any thoughts on that, Travis? Additional thoughts? Oh, did I lose you? I lost that audio, Travis. Alright. Final question. Are self-assessments uploaded in SPRS or somewhere else? The Supplier Performance Risk System for CMMC level one and level two self-attestations, they are within that platform. There is legacy SPRS scoring functionality that existed prior to November. And going forward, there are actual questions aligned with the requirements that you have to submit and attest to in the Supplier Performance Risk System. That's where your contracting officials are effectively going to be referencing whether you have submitted your CMMC level one self-assessment or CMMC level two assessment within that platform. I know we're at the top of the hour. Travis, wanted to thank you so much for participating in the conversation. Final thoughts from your side before we wrap up our discussion here. Yeah. I would just say, you know, from a C3PAO perspective, CMMC is really a life cycle. And the companies that understand that will move faster, they'll spend less, and they'll pass with far fewer surprises. Yep. Absolutely. Yeah. Completely agree. I know we're at 2:01, a minute past, Central time. Appreciate everybody taking the time to walk through this with us. Hopefully, it was valuable information for the OSCs and the people participating in the webinar.
Happy to engage further if you guys have questions. You can engage through kind of formal channels, CyberSheath or CoalFire, or social media. LinkedIn is always a good way to get me. I'm sure it's the same for Travis if you're interested in speaking on any of these topics further. Thanks, everybody, for your time today. Thanks for joining. Thanks, Casey. Thanks, Travis.