Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Understanding the CMMC Updates
Quick Take
On this week’s edition of Compliance Unfiltered Adam and Todd tackle the tough topic of the recently announced CMMC updates.
Given the number of changes recently set in place by the CMMC advisory board, we’ve brought in some reinforcements: special guest and Total Compliance Tracking’s Head of Product Development, Jon Dotson!
Jon covers everything from the CMMC 2.0 changes to the long-term impacts across the space. He helps us unpack the updates to CMMC and separate the truth from some misinformation that’s out there.
This week’s episode of Compliance Unfiltered is chock full of critical information in the CMMC arena:
- What exactly are the 2.0 changes that are coming, and when?
- What will Assessor rollout progress look like?
- Impacts of CMMC to your long term compliance
- What you need to be prepared for
- Snake oil salespeople to watch out for!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one, the only, compliance guru himself. The dancing machine, if you give him the right amount of liquid courage, Adam Goslin, how the heck are you? I don’t have nearly enough liquid courage for that right now, but I’m doing fine. That will be a special podcast.
Today, Adam, we are fortunate to have a guest on the line. So today we are joined by the Head of Product here at TCT, Jon Dotson. Jon, how are you today? Doing well. Doing really well. Now, Jon, you’ve been in IT project management for about a decade. You’ve been the Head of Product here at TCT for about three and a half years. But this is your first podcast appearance, is that right? First podcast appearance, yep. I like it. We are blessed and thankful to have you join us for this special topic today. Adam, this is something that we’ve covered before, but hey, when things change in the compliance world, so does our approach.
And so we’re back at it again, CMMC 2.0. What’s happening lately? Well, the reality is that I’m going to cover a lot of the topics here. We’ll get into some depth on each of these as we go. Some of them I’ll cover, some Jon will cover. CMMC 2.0 was announced, and there’s a good amount of misinformation out there. So we’re hoping to give people some education about things that we know, and share some knowledge and whatnot. We’ll also talk a little bit about some of the 2.0 changes that are coming when they release this new version, some of the new things that are in there. We’ll give the crew an update on traction on the auditor or assessor rollout progress. We’ll also talk about impacts of CMMC for long-term compliance. Things that organizations are going to need to be prepared for. And then finally, and probably my most favorite of these topics is the snake oil sales in the CMMC space. Whenever you’ve got a big opportunity and lots of movement by a lot of people, then all of the fairy tales start coming out of the woodwork. So we’ll get into a little bit of that as well. I like it.
That’s exciting news. Jon, do you want to just kind of prep yourself for this wild ride on the CMMC train for today? Because it’s going to be something special. Adam, let’s get started on the announcement itself. Just going over where the hits, and the very obvious misses, are when it comes to what’s new with CMMC 2.0. Yeah, it was actually, it was funny. Back on November 4th of this year, 2021, somebody accidentally released something publicly on the website about 2.0. And I honestly believe somebody messed up and it wasn’t intentional. But because the cat got out of the bag, hours later on the same day, then all of a sudden, there’s this public release of new information around 2.0. So that was entertaining. Around the middle of November, the proposed rule was issued out publicly, so that people could start kind of getting their arms around it and seeing what it’s about. But the interesting part is, like everything that’s in the government sector, the wheels of progress move slowly. So they’re not anticipating CMMC 2.0 to be effective for something akin to 9 to 24 months from now. There’s some procedural things that they’ve got to go through, and it’s effectively a rulemaking process that they need to invoke for Title 32 and Title 48 under the Code of Federal Regulations, or CFR. So that process of unrolling that rulemaking process is really what everybody’s taking this dart throw stab at: when do we think this is really going to come fully into effect, and be fully effective.
I’m looking more at changes. And I know that Jon is Head of Product for TCT. I know that you’re faced with the auspicious task of fielding questions from potential clients about the changes within CMMC despite you, well, having nothing to do with them. So tell me, what is it specifically that you’ve seen change landscape-wise with CMMC 2.0? Yeah, I mean CMMC as a whole, when it was first brought out, essentially level one of CMMC, they really just took NIST 800-171 and pretty much said, okay, now this is CMMC. You know, all the same controls and capabilities of NIST 800-171 pretty much carried over. They didn’t really change much from that, going into CMMC 2.0. They’re still keeping true to that NIST 800-171 control listing. The main difference here is that at the time of their original release, they had different versions or different levels of CMMC. You had your level one, they technically had a level two, but there really weren’t any controls that were specified primarily in that level. There was a level three, then you have your level four, and your level five. It seemed like in general, most people had to go up against level three, that was the industry standard expectation of what clients would need to do in order to maintain CMMC compliance.
I think they realized that, like, no one’s ever really going to be assessing at a level two, there wasn’t even an assessment practice built in to actually go in and assess someone at a level two. It was either level one, level three or level five. So they probably, I guess during that process realized, hey, why do we have two additional levels that we shouldn’t have. So they’ve updated those levels now. So now essentially they’ve broken it down to just three levels. You’ve got your level one, which is basically your foundational items. It really just consists of 17 total practice items. And the really cool part about the level one is, before you couldn’t self-assess at all with CMMC, just doing the baseline level controls still required some aspect of an assessment. They have allowed the ability to self-assess on level one now. So as companies are going in, and they’re doing these 17 practices, they can self-assess. Level two is now what was level three basically. This is now where a majority of companies are most likely going to reside. That’s really the 110 specific practices that are brought in directly from NIST 800-171. And what’s neat about this is on level two, it’s a tri-annual audit process, and can be done by accredited third-party assessors, so that’s how that process works. But they even allow some companies, depending on the type of situations they’re in, and if they haven’t really dove down into this quite yet, but they even say that some of them can actually self-assess on an annual basis as they need to. And the last level, that level three expert level, they haven’t actually published any of the information on what’s supposed to be in this level three yet. They’ve just said, hey, this is going to be based off of NIST 800-172. So we’re still waiting on what controls are going to be involved in that process. And that’s also a tri-annual assessment. But this one, because it’s an expert level, this actually has to be done by government-led assessors.
So it can’t be through like a third-party company. It actually has to be through the government directly when it comes to being assessed on level three.
Well, I mean, going back to the auditor side of thing, talk to me about what type of traction you’re seeing on the auditor rollout.
I mean, this isn’t just going to drop in our laps right now, right? Yeah, I mean, obviously all these companies that wanna go through and be auditors for CMMC have to go through the proper accreditation. And essentially they become what is known as a C3PAO, which is basically that qualified assessor for CMMC. And there’s a lot, like once CMMC came out, it felt like there was this race to go out and become a C3PAO. But it is definitely still a slow moving process. I mean, we looked it up recently and there are only about five approved C3PAO companies out there. With that being said, there’s about 197 organizations that are literally pending right now, and in the process of becoming accredited. So when that comes about, there’s going to be tons of organizations out there that you can leverage and use when going through CMMC, specifically with that level two process.
So just a little bit of stats around that, which is crazy. When we look it up, there’s about 220,000 companies inside the defense industrial base. Basically like the contractor listing? Yeah, the contractor listing, exactly. So there’s about 220,000 companies listed within that. So even if all of the organizations that are currently pending get approved, we’re still talking at about 350 companies per C3PAO organization a year, even if they’re all tri-annual assessments. So there’s still a lot of business to go around for those assessing organizations. Well, it sounds that way, Jon. And it also sounds like this is not a short-term thing.
So Adam, talk to me a little bit more about the impacts on long-term compliance that this change-up is going to have. Well, really there’s a couple of phases to this, right? There’s those folks that know they’re going to be facing this, and know they have to get down this path. Certainly for any of the organizations which are new to compliance, AKA, don’t have a well-seasoned compliance management program. My best advice is, do not wait, because there’s going to be a lot of things that we’ve gotta go dig into. Make sure that we have in place policies and procedures, getting the internal personnel used to this rigor. So if your compliance program is relatively new, get going on this as soon as you can. Even in advance of going out there and engaging a C3PAO. That requirement isn’t going to be literally on the doorstep, but I certainly would not be waiting around to go find an assessor, and start heading down this path. At that point in the game, it’s going to be, I don’t wanna say it’s going to be too late, but you’re really going to be under the gun to go get through this stuff. For the organizations that are well-seasoned with compliance, that are certainly leveraging some type of a strong underlying standard before CMMC became a thing. If they were using some type of a really strong and prescriptive standard, honestly, it’s not going to be that bad. There’s a lot of crossover between CMMC and other industry standard certifications. So the things that are in there make sense.
The one thing that organizations need to realize is that, I could describe it to the people that I’m talking with about heading down this path of compliance, right? It’s that first shot at trying to run the gauntlet of getting through compliance. And at the end of that rainbow, I call it the compliance party, because quite frankly, the internal personnel have been through 18 dimensions of hell and back. And so just getting to the point where you’re gaining the wave of the scepter, and now you too are compliant. Yeah, it’s a party, let’s go celebrate, have a good time, all that fun stuff. And that’s where dancing machine Adam comes out. Yeah, under those circumstances, hell yeah. But no, one day we’re going to recount my very first compliance party, but that is not a story for small children, or for this podcast. But the reality is that once they get through that initial compliance party, and they’ve moved on to their maintenance. They need to understand that as tough as it was to get to that point, what you’ve done by passing that audit, is you’ve now signed up for we’re going to need to maintain this structure ongoing. While it may be that, okay, your next audit isn’t for three years, you’ve got to be maintaining this stuff, right? I mean, the assessor’s going to go back and be taking samples. If they’re three years down the road, they’re going to be going back two years, or nine months saying, okay, show me your evidence that you were doing these things at that point in the game. They’re not going to give you a free pass. So it’s really on these organizations to make sure they’re mentally prepared for that transition from, pushing to try to achieve the objective, to adoption of a proactive stance so they can make sure they don’t have those issues on their next compliance engagement.
A little bit of a story, I said back in the day that when I was originally conceiving the TCT Portal, with the experience that I had been going through, with the compliance consulting engagements of companies I was working with. One of the biggest problems was the fact that everybody was in this mindset of annual audit, right? So we’d go in, we’d show up to the annual audit, and as sure as we’re sitting here, the assessor says, okay, well, show me that you’ve done fill in the blank. And of course, everybody is nervously looking at each other. Okay, we’re going to go look for that, we’ll be back in a minute. And they go off into another room. And everybody’s like, what are we going to do? We don’t have what they’re looking for type of thing. And it was really stressful. It was unreasonably stressful.
One of the things that we integrated into the TCT Portal is something called operational mode. And basically what that does is, it takes an existing track and turns it on to pulse checks, periodic pulse checks, making sure that you’ve got the stuff under control. That you have the evidence you’re supposed to have, when you’re supposed to have it. And TCT proper, we use operational mode within the TCT Portal to manage our own compliance these days. And a lot of organizations that have gone on and used the TCT Portal, it’s been fantastic. They’re able to have a measure of internal self-assurance that they’re doing what they need to do, when they need to do it, as well as reducing that risk of showing up to your audit three years down the road, only to find out that something isn’t getting done. So the questions I’ll typically get are, what types of things should I do throughout this time period? And these are items that are line items on CMMC. For example, change control, making sure that each quarter we’re gathering up evidence that we’re following our change control procedures and processes, that we have the requisite evidence on hand to be able to support the audit, performing security training at hire, ongoing checks each quarter to make sure anybody that should have had their annual training is getting scheduled for it in that upcoming quarter. Things like log reviews, make sure that those are being done in accordance with policy requirements, and pulse check that each quarter. Terminations, making sure you’re processing those right away, and validating every quarter that we do it. Making sure we have all the paperwork that we need, and do things when we need to. And there’s other examples, like keeping your inventory up to date.
So, I’ve just passed my audit, I’m going in, I’m heading down the path of moving into this operational mode. I’m in the early stages of this three-year cycle before I go back and get another audit. A lot of stuff can go wrong. And then, you don’t want to be answering questions with the assessor. So being prepared, going through those line items, and making sure they are done is very important. I mean the objective, I think, of every organization that’s signed up to be in this space is that you want to make sure you have your act together. You don’t want any bumps when you get to the audit. You don’t want to do the worst thing that you can do. I know the auditors and assessors listening to this, I know they’re chuckling, because the last thing on earth that you want to do as a company going through compliance is give the assessor any reason under the sun to ask more questions than they need to. So if you don’t have things in place, the evidence isn’t buttoned up, or it doesn’t seem like the client’s organized, those are trigger points for these assessors. They’re going to put on their assessor hat, and they’re going to start digging and start scratching. They’re going to start going deeper, and start asking more questions. It’s like, man, you want to have it buttoned up, bows on it, here, see, this is perfect. And just deliver it to them. The assessor’s happy, and the client’s happy.
The other point to make, specifically in this space, is whenever you’re dealing with the government, you don’t exactly get a second shot at this. So if you make a mistake, miss your time frame, or your window, it’s something that you’re desperately going to pay for. But that leads into another potential pitfall, that we’ve been seeing pop up in this space. And that is just the befuddling amount of folks that are trying to cash in on the opportunity to work in the CMMC space. Well, I mean, Jon, that was a great point earlier, talking about the fact that there’s two hundred and twenty thousand contractors on the DOD contractor list. And, if you go and spread those out over even the people that have applied to be an assessor, seriously, three hundred and fifty. Now granted, some of these are going to be going through self-assessment, so this is a worst-case scenario. But let’s pretend everybody needs to go through an audit. That’s a freaking lot of organizations every year. So, how much of that is going to fall into self-assessment, versus not? I mean honestly, even if it’s a hundred or two hundred organizations in a year, that’s a pretty good clip for many of the assessor organizations that are out there. So you’re right Todd, there’s a lot of opportunity that is surrounding this arena. Certainly, tons of people are popping out of the woodwork.
I’m seeing a lot of chatter around CMMC, all sorts of people that are throwing their hat in the ring to try to take advantage of the CMMC space. So whenever this is happening, whenever you’ve got a big opportunity for a lot of folks and organizations that can be spread around, yeah, there’s organizations that are really going to just throw their hat in a ring. Should they throw their hat in a ring? Are they qualified to throw their hat in a ring? Are they doing things appropriately while they have their hat in a ring? There’s all sorts of challenges. Granted, these assessors are going to go through an assessor validation style program for getting themselves certified. But that said, there’s certainly something to be said for an organization that has experience in the security and compliance arena. I’ve been around the security and compliance space, neck deep in it for over a decade. You see companies come and go, it’s just part of the nature of the beast, right? And I mean, some people are going to try to go take their shot, but it’s really on the organization as they’re going through this process, to do your homework, do your validation, do your vetting, look into the background of the folks that you’re working with. It’s that relationship that you have between you and your assessor, you’re in it you know, as much as they want the business. If you think about it, they’re a vendor to your organization, so they should go through the same background vetting process as you would with any other vendor in the space.
The other thing that I’m seeing more whiffs of in different ways, shapes and forms, is the atypical, and this happens every time we’ve got some new standard or some big opportunity, is folks are out there saying, oh, all you need to do is fill in the blank, and you too are going to be CMMC compliant. The bottom line is, I’ve been to this rodeo eight or 40 times. The reality is that you’re always going to hear all sorts of BS about, well, if you just use this system, or you just put your stuff here, or if you just follow our happy 18-step process, then poof, you too are going to be CMMC compliant. And it’s like, I don’t know what to tell people, but there isn’t a silver bullet for this stuff. You actually have to have your act together. All these silver bullet stories, they make for good stories, but invariably fall short on their promises.
And that’s part of the reason why I’ve come full circle too. Going with organizations that have been in this space, that know what they’re doing, they’ve got their sea legs, they’re really going to put it together for you. You should not be hearing from somebody that all you have to do is fill in the blank and poof, you’re going to be compliant. Because the minute I hear that, honestly, I shut off.
I got it, I’m sorry, I get it. The salespeople of the world, more power to them, but there’s a fine line between good sales and unadulterated BS.
I wanna take this opportunity to remind everyone out there. If you have additional questions regarding CMMC or the things that we discussed today, please feel free to take a look at our website at gettct.com. Additionally, the CMMC website, the AB’s website itself at cmmcab.org. I want to take this opportunity to also thank our guest today, Jon Dotson. Jon, thanks so much. I hope you had a blast. Always fun. I hope that your first experience podcasting was painless. It was not bad at all. Excellent. Well, that means we can rope Jon into more of these. This is going to be even more entertaining. Maybe we’ll have to have like another one where you drag Jon in.
Because he’s a mouth of knowledge on a lot of things in the compliance space, and certainly about things that TCT does, including the platform and all of the certifications. We’re definitely going to find some more topics to drag Jon in on. We just had to ease him in slowly, so we didn’t scare him off. Yeah, and somehow we didn’t. We appreciate the time.
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.