
Cybersecurity Maturity Model Certification (CMMC), is here. Are you ready?

BSides Tampa · 2025 · 50:03 · 58 views · Published 2025-07
Category: Policy
Style: Talk
About this talk
2025 BSides Tampa: Cybersecurity Maturity Model Certification (CMMC), is here. Are you ready? by Peter Bagley

Description: The presentation is to bring attendees up to date on what is now taking place with the DoD CMMC program. What we will discuss:

1. Where is CMMC Today
2. DFARS 252.204-7012, 7019, 7020, 7021
3. CMMC Framework and Levels
4. CMMC Scoring Methodology
5. CMMC Process – OSA Perspective
6. 32 CFR Part 170: CMMC Final Rule
   a. When will it begin
   b. When will it be in contracts
   c. How much does CMMC Cost
   d. 7 Steps to Compliance
7. Pre-Assessment (RPO)
   a. Gap Analysis
   b. Evidence Review
   c. Policy and Procedure Review
8. C3PAO CMMC Assessment Process (CAP)
   a. Plan and Prepare the Assessment
   b. Conduct the Assessment
   c. Report Assessment Results
   d. Close-Out POA&Ms and Assessment
9. Assessment
10. Questions

Transcript [en]

All right, bring all sit front. No, I'm kidding. All right, so a little bit about me. I'm just an ordinary guy who landed here in Tampa back in '04 after I retired from the Army after 21 years, and I've kind of been here ever since. I got involved with a few different things while I was here. Right now I'm teaching for St. college, I work as a defense contractor, and I kind of manage my own company doing some of the same things we're talking about here. But the biggest thing is, my goal is always just trying to help people understand the big picture. And this subject, as Mike just talked about previously, has a lot of different areas about it, different aspects, and there's a lot of different levels depending on where you sit relating to your company. You can be the owner or the worker on the keyboard, but everybody's kind of playing a role in this. So I'm going to kind of hit it from the angle of some of these things right here: just in general, talk about the big picture of what it's all about and kind of give you an idea of why it's so important we have to do what we're doing right now. And it's actually changing pretty much every day. They're adding more to it. So it's kind of like we say in the military, building a plane in flight. They're still kind of doing that. It's gotten a lot better, but they're still adding more things because they're realizing how many more holes need to be plugged.

This whole program is all about people getting access to defense information who shouldn't have access. And as they've realized over the years, there were many people that said they had certain security capability in place, because the government says, "Okay, you've got to have these things in place." "Oh, yeah. We're good. We got it." Nobody was checking. And then they started realizing maybe they don't really have it, because this attack would happen, that attack would happen. And a lot of the attacks that were happening on the DoD side didn't come through the DoD; they came through a third-party vendor. And that third-party vendor really wasn't saying, or rather doing, what they were saying they were doing, which is "I plugged up all my holes." So this program came about to kind of go and double-check. Like, if they say you've got to have a three-strike rule when you log into a computer, let's see you do it: log in, and let's see if your three-strike rule works. And if it doesn't, now we know where you are, to help you get to where you need to be. So in a nutshell, this whole thing is about all of that. Okay. So, FAR is kind of

what kicked this off for us, which is the Federal Acquisition Regulation. And they started with something called FCI, which is Federal Contract Information. And that was the first phase of this, because CMMC, which we'll talk more about, has three phases. And we'll talk about those three phases. But this was the first phase to kind of get things going, to where again those vendors, those companies, realized that, hey, you have these requirements that you have to meet to cover our information, as in Department of Defense, government as a whole. So that's how we kind of moved into the scheme of using this program and growing the program to make it even more efficient than this. So that's the FAR piece, which starts off at CMMC Level 1. So these are the 15 various controls that FAR kind of requires companies to maintain, for example, like monitor, control, protect organizational communications. Well, there's a whole lot that still goes with those 15 primary areas, the tasks that also go with it. So if they were doing these things, at least they have something. A lot of them weren't even doing this. So that's where it became really difficult. And as we go through this, it also becomes more costly, and that's where some of the problems fall in today, because this is a requirement you have to have depending on the type of information. So right here it doesn't even relate to CUI, which we'll talk about, Controlled Unclassified Information, but it's still government information. So it needs to be maintained and taken care of. Clicker, you clicking? There we go.

So then we moved into the CUI, which is basically where we are today. Now, what CUI data is: it's not Top Secret. It's not Secret. It's one of those types of information that is not necessarily deemed to be out in the public, but if it did get out, it won't bring a country down. But there's still information that shouldn't get out. It should be maintained properly. So as you can see right here, it's laws, regulations, government-wide policies that kind of make us control these things. So when you hear CUI, CI, CI, it's all about this type of information, that whoever the organization is, it can be a small vendor, mom and pop, it could be a General Dynamics, the rules are the same across the board for everybody. So this really helped us create a standard, because there really wasn't a standard in place, and there was no way of verifying that that standard was being maintained properly. So that's how we got into CUI.

Now the DFARS came from the FAR, and the DFARS is really the Department of Defense's breakoff of, okay, here's FAR, you say I need to do this, well, I'll create my piece of it for all the people that come up under me, and that's where the DFARS came from. So 7012 was kind of the first one to introduce NIST 800-171 and, again, safeguarding and incident reporting. So that basically means, well, okay, I'm Company X, I have an incident, a hacker may have gotten into something, it happens, okay, but I don't report that, I just kind of keep it in house, shove it up under the rug, nobody ever knows. But this kind of changed that, to basically say, okay, hey, if you're going to do this, maintain our stuff, we need to know within 72 hours if there was something that took place. That doesn't mean you may fix it in 72 hours. At least we know. So if we need to cut off something temporarily so you can take care of that, we'll be able to do that. Won't be a problem. But if they don't tell us, that's when it becomes a big problem, because it can also, as you know, people pivot and move in different directions from the negative side, and that's how they get into the big companies. So the DIB that you hear here is the defense information base, and what that is, that makes up pretty much most of, well, it's all of the vendors that DoD as a whole works with. That could be from a small company to a big company that makes screws for a tank. It doesn't really matter. But that's the stuff that needs to be protected, because in the wrong hands that could be an issue for

our country as a whole. So then we moved into the next piece, and that's why you see again this is where handling CUI comes in from subcontractors. So if I'm a prime like Lockheed Martin or one of the other big ones here in the area, I will sub out certain things, because most companies as a whole, as you just heard, even when we were talking about, through the news you hear about Ford and, you know, tariffs and all these great things, but nothing's made, everything, in one place. Half is here, half is there. And these are all these subcontractors that are contributing to the whole. So just like I said before, when you get a vehicle, you've got pieces from all over the world. And those little companies play a big role in making it work. So that's why we had to kind of control that. So you see here in 7019 the DFARS assessment requirements. So they came up with these requirements that say, "Okay, now that we know it's not being done, and now that we know we need to kind of set up some way to make sure it's being done, we have to lay out what we want done," and that's where these requirements come from. So SP 800-171 is what they put in place, rather, to break down these various requirements, and there are 110 of them. We'll talk about them.

And then there's something right here called SPRS, which is the supply performance risk system. That's where you, as in Company A, subcontractor, have to report to show that you meet these requirements for the 110 controls. And any DoD company who wants to use a vendor in the supply chain can go in and look in that SPRS and say, "Okay, I want to hire Joe's Airplane." Great. Is Joe meeting the requirements of 800-171? And if he does, great. We can work with him. If he doesn't, not so much. He needs to get up to speed so we can work with him. So that's what all that's about. And then, as you see right here at the bottom, it says assessment scores must be current, not more than three years old. Well, yes. So that means triennially you have to get reassessed, which is fair, because as we all know, technology changes every day. So nine times out of ten, every year you're left behind somewhere, and there may be new things, AI, new things that are coming out that you're now using, incorporating in your company, which is not a bad thing, but it hasn't been assessed. So if you do your own internal assessment at least every year, then every three years we can get an authorized agency to come in and do a full assessment for you. Then we update your SPRS again, and everybody's good, and we just keep moving on. That's the game plan.

So here is 7020. This came later, and basically what this says, it gives DoD the right to assess contractor facilities and systems for assessments. So now this has kind of become more of like the law type of thing: hey, we said here's what needs to be done. We said you can kind of do your own self-assessment and we'll kind of work with that first, but now we need to make sure. So this is what gives us the ability to say, hey, we need to make sure you're being assessed, and that's where the SPRS comes in at, and that's telling you about the scores. And basically what happens is, once that assessment is done, like I said, you meet the score, you're good, we can work with you. And then we came out recently with the 7021 rule, CMMC requirements. And again, you're looking at the Cybersecurity Maturity Model Certification. So now you have the ability, because prior to all that there really wasn't a certification. You were just being assessed by yourself first, if you're doing a self-assessment, and then you were being assessed by an organization that DoD has approved to come out, take a look at you, and say, "Yeah, they're good," and update your scores. 7021 came out, and now it's official that we have agencies, C3PAOs, we'll talk about those guys in a sec, and they can come

out representing DoD and say, yes, I've done a full assessment on this company, they met all the requirements, and I can give them a certificate. Well, that's saying that you are now CMMC certified as Company A. So, right off the bat, carrying that acceptance of being certified, they already know, okay, if you're certified, you're good. We can work with you. If you're not, you've got to figure out, how do I get there? And that's where the rub comes in. Because getting there may not be as easy as you think. Some companies may already have infrastructure in place, people; some may not. And that's where the problem is, because this isn't cheap. And I'll just tell you right off the bat, it's not cheap. It's more costly if you don't have anything. And even if you have a third-party vendor like an MSP, then that's great. They're handling all of your SharePoint, your email, and everything. But guess what? If they're using CUI in that stream of data flowing up and down, they also have to be certified, at least for FedRAMP. So there again, there's another cost, because, I hate to break it down, but as you guys all know, everything's about money when it comes to getting to a certain standard. And either you have it now or you don't. But there are also some parts in there you have to realize: if you don't have it, fine. You now have to figure out how you're going to get it, but it may not be to the full degree you think you need it. As in, I may not need an entire enterprise of 500 machines or 2,500 machines all doing CUI, because they're not. I may only have like 10 people actually doing something like that, working contracts with the government or doing something like that. So why am I paying for all these other people having that access? That's pretty costly. And oh, by the way, now all of that needs to be assessed, not that one enclave, which would be a lot easier to work with and less costly. So I can still do business.

So these are some of the pieces of really what makes up 171. Rev 2 is what we're using right now. Rev 3 is already out, but we're not using it, but we will be shortly, soon. Probably another six months. But there are 110 requirements, and those are the 110 controls that come with 171. 171A breaks down those 110 controls. But under each control are tasks, or call them objectives, and there are actually 320 objectives. So it means one task can have like five objectives tied to it. You have to meet all five objectives to meet that one control. There again goes back to the problem. How are we going to do that? It's only me and the guy who plays with the server, right? And it happens. So they have to figure out, okay, do we outsource this? Do we get a managed service provider? Maybe. But maybe we can't. Now, keep in mind, not every DoD contract has CUI. First of all, not everyone does. Going back to whoever the KO is, your contracting officer that you do the contract with, they can tell you you will be managing or using CUI data. And if you're not, you're okay. I mean, yeah, you still have to secure your environment, but you don't have to worry, for that particular contract, about having CUI to have to worry about. But they break it down in these areas. So, here's how we get into the frameworks

because it's considered as a framework. Like it says right here, the CMMC framework consists of security requirements from 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. That means they're not tied to the Department of Defense. So because DoD's taking care of their own piece, this is the people working with DoD as a subcontractor. NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, is also out, and we're going to talk about the levels, Level 1, Level 2, Level 3, and how they all kind of play a role in there. And like I say, the framework is originally organized, rather, into domains, and we'll talk about those domains, which map directly to the regulation, Levels 1, 2 and 3.

So here we are, these are your levels, and each level brings something different. So when we're talking about the FCI in the FAR right here, that's a small amount of controls, 15, actually it's about 17 really, but just basic, and an annual assessment, meaning I can take my company, and if I'm just using that type of information, I can do a self-assessment, go through all of those controls, the checklist, and put that into SPRS, and I'm good. But if I want to do Level 2, which is where 800-171 comes in at, I've got to do more: 110. So that's where those 110 controls come from. And notice it says triennially by a C3PAO. That is a certified organization that has been given the right. They've gotten the certification themselves as a company to go out and certify you or your company, and they're the only ones authorized to do it. They kind of crown them as "you're good, and now you can go and check and make sure other people are good as well." So then you have Level 3, which we're not there yet, but we're getting there real soon, and that has even more requirements derived from 172, and we'll break down how many different controls are there too. That's also triennial. So that means every year I have to do a self-assessment or have a third party come in and do an assessment. You may have someone just do a gap analysis of all of your controls, see where you stand and see where your gaps are, because you may have 70% done. But then those other 30%, you've got to figure out how you want to fill those gaps. When you start getting into Level 3, this is where we're looking at the bigger stuff, like tanks and airplanes and all those big, heavy, enterprise-type things. That's why it's a little bit more. We're not there yet, but it's coming.

So, here's the basic levels. Level 1, of course, they call it basic, like it says: security requirements for protecting the FCI data, 17 basic requirements from 171, and at this level, contractors with minimal exposure to CUI. So that means very, very little, or maybe none at all, and that's okay. Level 2, you move into the CUI. They call that the intermediate, because now you're starting to work with more of the data that needs to be protected. So you've got to meet those controls. And like I say, this level requires third-party audits focusing on protecting that sensitive information. And that's where those C3PAOs I was telling you about come in. And then you have the last one at the bottom, Level 3. And this one again says this level covers the enhanced security requirements, and it's based on 131 requirements from 171 and 172, plus 35 additional. So there's a lot more, and that's because, like I said, it may be heavy-duty information, like diagrams or blueprints for some major facility or something that they're working with. So you've got to have a little more intense scrutiny from a control side. Nice song. All right.

So here's another look at it, as far as the 171 and 172, as far as how they differ. So as you can see, 171 is protecting controlled unclassified information. 172 is the enhancement for that. On the applicability: non-federal systems and organizations; on 172, organizations dealing with US and Department of Defense. And again, these are other variables that kind of tie into those. Just kind of showing you

a little bit of the difference between the two. And you guys will get all these slides and everything at the end of the conference. That's from all the talks. So if you don't get the pictures, no big deal. These are the control families that make up 171. And as you can see, there are several different ones here. You've got access control. Anyone give me an idea of what an access control can be, anywhere? Active Directory. How's Active Directory access control? Okay. Yeah, you're correct. Anybody else? Any other ideas? Yeah, that's a physical access, right? So access control is not just the machines, it's the physical, because as you know, in IT, or more cyber, we have three things we already focus on. It's going to be either a technical control, a physical control or an administrative control, and administrative will be policies, procedures, those types of things. So all of that plays a role in all of these, which is why some things, if you go to, let's say I'm going to go to GCC High with Microsoft and they're going to protect a lot of my stuff for me, that's great, but they can't protect the physical stuff. So we still need to get eyes on that to make sure you're doing it right, and then we can say, yep, you're good, box checked. So we can inherit some things from Microsoft because they've already gotten certified, gone through the FedRAMP process, but the rest we have to kind of figure out and make sure we cover it ourselves.

So these are the families, and this kind of moves into the 32 and 48 CFR, and these are basically rules that came down, and again, they are federal regulations. So 32 CFR sets the rule for the program itself. It's setting the tone for the program, defining specific requirements for compliance as well as policies for assessments. The policy also designates the Cyber AB. Now, that organization I was telling you about that kind of authorizes the C3PAO folks to come and do that certification, they fall under the Cyber AB. DoD says, "Hey, we're not going to run this. We'll tag this company or organization, Cyber AB, and you run that aspect, and then you certify the right companies, and once they get certified, they go certify other people." So that's where that comes in. Then 48 CFR enforces these requirements within the procurement process, and that's when again we're going to get stuff from the supply chain. So for CMMC, the rules mandate that the contractor must be CMMC certified to accept the award of new defense contracts. So if they're going to do business, they've got to get certified. And we're at that point right now, because first 32 CFR came out. 48 CFR is like knocking right on the door right now. It'll be out soon, to say I can put that in my contract and you have to follow it. And if you can't meet that requirement, we can't do business. And that's okay. But at least you know, as a vendor, supplier, where you stand. And now you know what you need to do to hopefully get to where you can. Now, unfortunately, a lot of people are going to lose a lot of money, because they've had contracts previously with DoD and they weren't really putting a hammer down. So they're kind of, you know, just doing business as it goes. But now they are. And if they stipulate that into your contract, you have to meet that requirement. Meaning those SPRS scores we talked about, and we'll look at that in a little bit more in depth, that has to be 110. And if it's not, you have a certain amount of time to make sure it is once that assessor does the assessment. And if it isn't, then we go back, start all over again, try to figure out how we can get it there, and then have someone come back out and take another look at us. Why is this costly? Like I told you in the very beginning, it's expensive to either get it or maintain it. But once you get it, all you have to do is continuous monitoring, and monitor it and make sure what you think is right is still right. That's a little less costly. So it's one of those, unfortunately, I hate to

say, it's pay me now or pay me later. But there is going to be somebody paying somebody along the way, because you lose business if you don't meet the requirements. But keep in mind, not everything in DoD has CUI data. So there are still contracts out there for it. Like whoever's going to fund the contract for the toilet paper in the gym. I really doubt that's CUI. That's a government contract, right? Those types of things still exist. But again, if you want some of the larger ones, you're going to have to do the work.

Okay, these are the folks that kind of put everything together. The CMMC ecosystem is what they call it, and Cyber AB, we just talked about. They were tagged; roles depend on them to kind of put the program together to make this successful. So throughout the program you had a couple of different levels. Over here you have RPOs, which are Registered Practitioner Organizations, and they kind of help with that piece, and these people right here, the RPs, practitioners, help support them. They are the front end, meaning you can have an RP come in and do a gap analysis, do a pre-assessment for you, as in like the actual assessors coming through to take a look at you. So now you've got an idea of how do I look? Some people call it a mock assessment. They can do all that for you. Then if everything's good, you can have one of these people right here that work for the C3PAO, who's been authorized to do the work, to come out. See, C3PAOs down here, these instructors rather, I'm sorry. And they can come out and do the assessment for you. They work for these guys, the C3PAO, which is a CMMC Third-Party Assessment Organization. Right now, we're close to about a hundred C3PAOs, give or take, globally. You got it right. So, what does that mean? That means, oh, if I want to get on the list to get looked at, I need to do that like now, because they may not even see me until December, because you've got a little bit supporting a whole lot. Now, don't get me wrong, it's growing by the day. There are more assessors coming on by the day, because the program is actually picking up more speed. This isn't going away, though. That's where one of those things, you have to get it there. Once you get it there, you have to maintain it. But at the same time, if you have it, you're open to any business you want to do, which is good.

So you've got a couple of different groups. You've got these people over here, who are the people who create, print the training materials. Then you have over here the instructors, and they're now merging into, where there was a provisional instructor, it's all merging now into just one instructor set. Then over here you have the licensed partners. So that would be like a company that you go to that's been authorized by these folks to teach, and then the instructors will do the teaching for you. And then you have the provisional assessors, which kind of isn't the same anymore; instead of just an assessor, now you have a lead assessor, which is one that's going to be in charge of the team that's going to come out and do your actual assessment for you. Now, here's the kicker. When they come out, these folks right here, the C3PAO, they're coming one time. You've got one shot. As in, they're not going to be there to tell you, you know, you've got a couple of policies missing. They just tell you, "Okay, your policy on log management, okay, all right, you don't have a policy." They can't tell you what goes in there or how to do it, because they're not there to teach. They're there to assess, which is why it behooves most companies that want to finally get to the certified level through a C3PAO to have a pre-assessment done by another company, because this company, whoever the C3PAO is that has been authorized, they cannot do an assessment, as in the pre-assessment side of it. You can't do both. You can't do the pre-assessment and then come back and do the assessment, because that's illegal, because you can't check your own work. Does that make

sense? So that's why you have a lot of companies that do pre-assessments, and then another company will come in and do the assessment, and that's how the program works. This is just a scale of how you get through the various levels of certification in the program. And again, you can move at any rate you want, but this is kind of designed, again by Cyber AB, of the steps you take to get to the assessor side. Now, here's the C3PAO, the folks we were talking about. These guys right here are huge in the picture of certifying companies. They've all been certified. They've gone through the whole process. They had to go through what's called DIBCAC, which is more or less the government itself inspecting them and assessing them. And once they got the green light, now they can go and do the same thing for all these other companies. And like I say, the primary mission of Cyber AB, who's the umbrella organization, is to authorize and accredit that C3PAO. So that's what they do. And the government says, yes, you are the company, or I'm sorry, organization, to manage the program to do all these things. And like I said, this DIB, defense information base, everything's all about that, protecting the supply chain that's inside the DIB.

Now, this piece right here is just kind of showing you what happens. So, as you can see here at the very bottom, the first year, if I'm a Level 2, I can do a self-assessment. Okay, great. So I've gone through and done a gap analysis, had another company come in and do a pre-assessment for me, and I can count that as my self-assessment. Now, I have to have, of course, my system security plan and all these other documents we'll talk about later that are kind of required to go into that SPRS that I was saying you've got to upload that 110 score to. You've got to have supporting documentation. So, all that's been done, and that's what they're talking about here. So, you did it. Everything's good. Did a gap analysis, completed the project, and ultimately you're good for doing a self-assessment for one year. Now, that does not get you CUI contracts, though, because you still have to go through the official C3PAO certification for the CUI contract. But if you were just granted the certification, that you have your C3PAO certification, this is you right here. You got checked out. You're Level 2. Everything's good. You got approved. You got tagged as "I am now certified." You can run that banner on your web page for your company, which is great, because now people know that you can be worked with for DoD. And you're good for three years. Now, after that three years, you renew that, every three years. But every year you've got to do this, a self-assessment. Why is that important? Like I said earlier, it's because things change. Your company changes, people change. So you need to make sure you're current, that everything you're saying is still right. Because every year you have to put that back into your SPRS score. Whether you're a certified company or not, that certification is good for three years. But if your score isn't maintained as you do your annual self-assessment, you could fall out of being certified. Going back to, once you get there, continuous monitoring, continuous improvement helps keep you there. So far so good? Awesome. Okay.

All right. So, this is the SPRS stuff I keep talking about. Supply performance risk system. And this is a system that we said back in our DFARS realm that we have to have to record the 110 score, by whatever organization decides it wants to do business. And this is a bad picture of it; it's kind of a picture of how you put data in. You put in some other information, like your organization ID and some other things that go into there. And this is what someone in DoD can go into and look at and say, "Oh, okay. Yeah, they're good. I see 110. They got certified. We're great. We can work with those guys." Then right below it, they see somebody's 85. Not there quite yet. So, next slide. I mean, what can you do, right?

All right. So like I said, the spur score is essentially a numerical grade that gets entered into that DoD system and that's what's used to be monitored to verify the company and like I say spurs score will fall somewhere in between a minus 203 ultimate score is 110. So what does that mean? It means that when you first do your your checklist of 8171 alpha, go through all those controls, all those tasks, after you do all that, you ultimately should get to 110. You start at minus 203. And there's a category from five to three to one scoring of the various objectives that dictate how you get to 110. So that's how you get to that point. You

have to be able to answer all those objectives and the subtasks or various objects rather that go with it. And if you do, you're good. And if you're not there, again, you're aware of what's going on and what's wrong because you may not have the money to get there in the next six months. You just did your annual budget. You got to budget for next year or find some extra money somewhere, which is kind of hard to do nowadays, right? This is under the mattress somewhere, right? So that's where it falls. And again, there 110 controls, maximum spur score is 110 out of 14 families. Five steps to CMC readiness. And this is the readiness aspect of I need to get

going. I need to get it started. I need to get looked at and I need to get my score. So you start preparing like it says here, um, regular standard. And you want to find out, it's kind of like my buddy Mike just talked about earlier. You got to figure out how to scope what you are actually working with. That could vary. You may, like I said earlier, you may think your entire enterprise of 500 2500 people need CU access. They may not. They just may need a small slice of that which is much easier to get assessed and certified the entire network. Does that make sense? And that's one of the biggest piece right now a lot of people are struggling

with: what am I using right now? Who is touching my CUI? So if I am using an MSP, do they store that for me in AWS in an S3 bucket somewhere? Maybe. Do they see it? Maybe. Do they do backups? So that means they also have to be approved. If they're not, and here's the downside, and unfortunately it's happened to a lot of people: if your company's working with an MSP right now and they're not certified, you won't get certified. Their not having it affects your having it. So that means you've got to go find another MSP that's already certified to start working with. Because if you inherit controls from them, they have to

meet the same requirements that you have to meet. Yeah, like I was saying earlier, they may be able to come down when you do your assessment, because they have to be there for it. "Oh, yeah. Here's how we do our, you know, our patching. We run our patches. We run vulnerability scans every Thursday. We patch every Monday." "Okay. How long do you keep your logs?" "I'm not sure." The book tells you how long to keep the logs. So, if they're not keeping your logs, then you just fail, because you don't know how long to keep your logs. You never did a service level agreement with them from the very beginning. We've got that contract SLA

specifying, "Here's what I need to be able to do as your customer, MSP, and if you can't meet that requirement for me, I can't work with you, because when I get assessed or inspected, they're going to ask me these questions." I need to say, "Yeah, oh, I can go in and look at the logs myself from my Amazon-supporting MSP, and I can show you exactly how often they've done it," or they can pull your report out and show them what they did. This is more or less "don't tell, show," because when an assessor comes through, they're going to ask you for supporting documentation and artifacts to answer the mail on all these things I'm talking about. And if that MSP cannot

do it, then that's the wrong MSP. And don't get me wrong, there have been some strong relationships over the years that people have built with their MSP, because you're a small company and you don't have the manpower to handle all that stuff, which is fine. But if you're going to do CUI, they're not the ones. So keep it in mind: it's strictly business, nothing personal, right? Because you want to keep doing business. All right. Preparing for the CMMC audit. Some of the things I was talking about: figure out if you're going to do Level 1 or Level 2, and again, most companies are probably going to do Level 2. And if you're not, it's always good to still strive to get to

Level 2, because you want to have as many options as you can as a business owner, because you now have a diverse capability to be able to pull in more income. So as you go through all that, then you submit your CMMC assessment. So you can put your assessment in there, if you've got your gap analysis or pre-assessment, into your SPRS. You have your SSP, system security plan. Now, that system security plan breaks down the 110 controls, and it says in there how you're going to answer each one of those controls. Now, yes, you can stubby-pencil it and it'll work, but there are templates out there for it. But most people now have some type of governance and risk management

system that they use, automated. They can go in and put in information, and this fills out their SSP form, which makes it also easier to go in and tweak it every 90 days, every six months. And you may just grab, I don't know, 10 controls and go back and look at them and say, "Okay, are we still good on these? Is it still good?" Update it and you'll be prepared. So by the time you get your annual for your self-assessment, you've already done it. Which means by the time you get to your triennial, every three years, you've already done it. And that's the best recommendation to take care of it. Because the problem is, as we all know,

in life we get busy, business starts growing, people start leaving, and now you're stuck because the same people you had to get you there aren't there anymore. So that's your responsibility as a business owner. Make sure you take care of that. And then, like it says, okay, you put it into the portal. If you don't have the ability to handle a certain control, for example, let's say you have a Unix system, or you're running Red Hat, and it's a system as a whole. You don't have a patch because they haven't put it out yet. Not your fault. You recognize it and realize it. So, you put it on this thing called a Plan of Action and Milestones, a POA&M.

That POA&M says, "Hey, stakeholder, risk owner, here's something we've got a problem with. Are you okay with that?" "Sure. How long is it going to take you to fix it?" "Uh, the company says they'll have something out in the next six months." "Great. I'll put six months on the POA&M." That's my window. If an assessor comes back and says, "Hey, you had a POA&M here for six months," and it really probably won't be that long, "but did you close it?" "I don't know. We just did it when we did the assessment."

You've got to make sure you stay on top of this. And that's the biggest issue, because it will run away from you if you don't, because you're going to get assessed again whether you like it or not, if you decide that's the route you want to go. Not a bad thing. And you just have to stay on top of it. All right. What do I need to do to be compliant? These things right here kind of fall into play. We already talked about it: 800-171, 800-171A, meeting those 14 control families and the objectives. How much does it cost? That's not an easy question to answer, because one person's cost may not be the

same as another person's. Example: you have a company here in Tampa, a small company. They have an MSP that supports them, they do average business, and they don't have a really large footprint. They would probably be a little less, depending on what they have in their infrastructure, than a company that has three different organizations set up in three different places, because now you've got to secure all three. Or, if it's the enterprise that the domain is managing, you secure the domain, and hopefully you'll secure those boxes, but the physical aspect of it still needs to be looked at at each one of those sites. So that's where the cost comes in, because the assessors are going to charge you by the hour or

per contract, however you set it up, for however big you may be. And like I said, it could vary; it just depends. So that goes back to the point: if you can reduce the footprint of the area that you need to use CUI in, that reduces your cost in most cases. All right. So what are the steps? These are the steps here. We talked about them already. And in the end, you'll get certified. These are just some of the resources. There are more. And if you have any questions, I'll be glad to help you. And my company also does free assessments and helps out with gap analysis as well. But the biggest piece... Yes, sir.

Yeah. There. Yeah, no problem. And these are just general questions. There are always more questions, but I tried to hit the hot topics that most people are concerned about. How much does it cost? How long can I be certified? All those types of things. Yes, sir. So again, every organization is different, because there are some automated capabilities to track your program, and it's kind of like a notification on your phone on a calendar: "Hey, this event's coming up," somewhat like that. But others may not have that capability. So you may have to kind of manage it manually, and you may only have like four or five items on the POA&M, but someone has to

maintain that. And then someone has to go back and say, "Hey, when was that closed out?" So, and there's a process when you go through the actual certification. They give you a little bit of time to do it, but it's not a lot. A small amount of time, because if you don't get it done, you've got to come back, go to the back of the line, and start all over again. Yes, sir.

Yes, it does. Yeah, it does. Yeah, a lot of them. So, you've got to look at it from a governance, risk, and compliance perspective. All of them are pretty much doing the same thing. They label them with different numbers, but you know, a lock is a lock. You know, bollards are bollards. Everybody know what bollards are? I'm sorry if you don't. Those little flower pots in front of Target that you'll hit before the store. Those are bollards. So, yeah, most of them are, but most have a mapping. They can help you out. I don't have a mapping source on this one, but I can get you one. Yeah. Yeah, they do. Yeah, they're really good

to use. Yes. Correct. Yeah, ComplianceForge is a really good site to go to, and the stuff's free. No, it's free. Yeah. Yeah. It's like a heat map. They've already done that and given it out to everybody. Yeah. Yes, sir.

If it affects the scope of the work that you're doing CUI in. If that enclave, let's say you have an enclave for CUI, if it doesn't alter it, you're still good. You can add additional services on the back side, but if it affects the way the data flows with CUI, you're going to have to get reassessed. Another piece too, and this is where managed service providers really like this: if you change MSPs, you have to get reassessed. That means everything you went through for that first one, you've got to go through all that again for this new one in the third year. Pray, right? But yeah, that's the reality. So that's why I said whoever

is going to be involved with this program, you really need someone in your organization who is keeping up with it and the changes, and monitoring, you know, how often these things are being looked at as far as these various controls, because it can run away from you real quick, and before you know it, you're at renewal time and now you have a big piece of money you have to put out because you haven't sustained what you started with. Anybody else have any questions? Yes, sir. Right. It's coming.

Right.

Correct.

Yeah. Well, so that's what the book says, but the noise on the street is it may be sooner because of the way the infrastructure is changing in Washington. And now that Katie Arrington's back in the lead of it, there are going to be a lot of changes. Now, that may not be all bad, but you still have to kind of look at it from the aspect of: if it does come in the next eight to ten months, how do I look? They probably will do a slow roll, but it may depend on the contractor as well, because the contractor does not have to put that in there today, but I can promise you by August they will.

And then that becomes part of the issue. Go ahead, Mike.

Yes. Yes.

Yeah.

Correct.

So, it's kind of like a dark hole you can fall into.

All right.

And that's a best guess, you know, because it's hard to say from where we sit right now, but it is coming. You've just got to be ready. It's the best you've got right now. Any other questions? All right, folks. Thank you so much. I appreciate you taking the time to hang out with me.