Video: Inside Our CMMC Level 2 Assessment: What to Expect According to an OSC and C3PAO Assessor | Duration: 3884s | Summary: Inside Our CMMC Level 2 Assessment: What to Expect According to an OSC and C3PAO Assessor | Chapters: Introduction and Background (4.74s), Introducing Rob Teague (115.2s), CMMC Assessment Overview (204.16s), CMMC Implementation Timeline (335.29s), CMMC Assessment Preparation (539.24s), Assessment Phase Two (733.54s), Assessment Process Details (1073.325s), Documentation and Consistency (1803.675s), Assessment Best Practices (1981.03s), CMMC Assessment Challenges (2153.17s), CMMC Assessment Preparation (2264.795s), Defining CMMC Scope (2556.905s), C3PAO Consultation Process (2962.83s), C3PAO Experience Matters (3206.01s), Choosing Assessment Partners (3329.595s), Audit Preparation Tips (3442.085s), Assessment Appeals Process (3543.34s), Concluding Q&A Discussion (3643.525s)
Transcript for "Inside Our CMMC Level 2 Assessment: What to Expect According to an OSC and C3PAO Assessor":

...a minute or two to join, and then we'll kick things off. Just our face. Sharing the slide deck might help. Otherwise, everyone will just be looking at us talking to them.

Alright. Yeah. So, hi, everyone. Thanks again for joining. We'll kind of kick things off now. My name is Mark Urbanaccio. I work with a company called Secureframe. My role here is everything CMMC. Myself and our colleagues were the ones who prepared for our own CMMC Level 2 assessment and got through the process with Rob and the team over at Redspin. So, yeah, it was my and our team's responsibility. So today we'll be talking about exactly how that process went, what are some of the things that we've learned, and what are things we learned that you all could take away from and hopefully not make the same mistakes. We'll be covering a lot of that today. My background is compliance. I was an auditor prior to working at Secureframe, and I help with our product direction for CMMC as well. Secureframe is a GRC platform, specifically helping organizations prepare for CMMC and then, using our modules, actually make the assessment process a bit more efficient too. Rob, if you want to give a quick introduction as well.

Yeah. Sure. Hey, everybody. Thanks for joining today. I'm Rob Teague. I'm the vice president of federal consulting at Redspin, and I'm also a lead CCA, but I mostly function at the C3PAO level as the officiating official signature for the certificates that we issue out. I've got thirty-one years of background in the US military with the United States Army, doing signal communications and then cyber as I was getting towards the end of the career, and then came out. And here I am, leading Redspin and continuing to help the DIB and our warfighters.
So, I'm enjoying the work and meeting all the different organizations and what they do for the DoD. It's been a very enlightening experience these last few years now that CMMC is live, and I definitely enjoyed leading Mark and his team through their assessment, as I performed their assessment as their lead CCA.

Awesome. Yeah. I think a few things we'll cover today are how unique our assessment was and how we had to navigate that, in terms of understanding scope and what the final rule says and how to navigate all of that when it comes to actually going through the assessment. So it should be a lot of good stuff we cover today. These are a few of the things that we're going to cover during the webinar. First, Rob is going to kick us off to talk about the different enforcement dates: basically, how many organizations are currently CMMC Level 2, and then how many are going to need it. Rob will also chat through a Redspin report where they went over a lot of those details related to the current CMMC landscape. We'll also be talking about how Redspin exactly conducts a CMMC assessment, what you need to know, how to prepare, basically what you should expect when it comes to the Level 2 assessments. And then Rob will talk about what things the auditors are looking for and potential hurdles that could slow an assessment down. What are the things you should be doing? What are the things you shouldn't be doing? How to best prepare and effectively get through a CMMC Level 2 assessment. Then I'll jump in and start talking about how Secureframe's CMMC Level 2 assessment went, what we learned during the entire process, during scoping, during our documentation reviews, and all throughout fieldwork. So you'll get a bit of insight in terms of what are some of the things that we ran into initially, how did we overcome those problems and hurdles, and effectively receive our CMMC certification.
And then lastly, we'll talk about how automation can help the entire process: automating evidence collection via integrations within your technology stack, an easy way to prepare a lot of that evidence for the assessment, and then also how automation could help make the audit process even more efficient as well. So jumping into the next slide, Rob, if you want to take over from here, we can kick off regarding the current state of CMMC.

Awesome. Okay. So for those that don't know us, Redspin, we were the first authorized C3PAO to hit the ecosystem back in May '21. Since then, we've been a quiet leader in the space. We're coming up on our one hundredth assessment, by far leading the rest of the ecosystem. That's because we just believe in rolling up our sleeves, getting our hands dirty, and getting to work. And our work is not important. Let's keep that in mind as well. It's the work you guys do as contractors that's important. The services, solutions, everything you provide to the warfighter is what is important. So there is not one C3PAO out here in the ecosystem that is out there to fail an organization. You can take that off the table. We're just here objectively to make sure that you're doing what you said you're doing in your documentation, and it's that simple. So first of all, the CMMC rule is codified in Part 170 of 32 CFR, the Code of Federal Regulations. That was posted to the Federal Register with an effective date of 2024. The big news was that the 48 CFR rule finally was released, and it went effective in April 2025. So that is the effective date of when they're going to start the official phases, and there's four phases they're going to roll out. Phase one started on 10/2025 and will go to 10/2026. That is updating all the verbiage in the contracts for Level 1 for CMMC. So they're going to strip out any DFARS language and put in CMMC verbiage.
Same after that: November '26 starts Level 2. And then if you read the writing on the wall with that, that phase ends on 10/2027. So by that date, there's nothing out there that states you've got to be certified by then, but the reality is, you're going to see in the contracts that CMMC Level 2 certification is required for this particular contract. And if you don't have it, you're not going to be able to bid on it. It's that simple. The main thing is that we're already starting to see a lot of these requirements in contracts. The DoD stated from the get-go that they had certain critical contracts that they were going to tackle right away, and most of those involve aerospace, weapon systems, those kinds of critical things that the military relies on. When we looked in the SAM registration and at some of the postings of those contracts, there was one aerospace contract that stated, hey, you've got to be CMMC Level 2 at the time of winning this contract. There was another contract that stated you had a certain amount of time to be certified in order for the contract to remain in your possession. So it's going to vary. But by October, that's when you're going to see it, and it will state CMMC Level 2. Whether they'll have that time frame in there for you guys to get in there and get an assessment complete so you can finalize and win that actual contract, I don't know. It's going to vary on the different contracts. This year and every year (this is our second year doing this), our marketing team does a phenomenal job of starting way back in the summer to start the survey with a lot of the DIB contractors. And if you guys have not received that survey from our team, please reach out to me at redspin dot com and let us know so that we can add you to next year's survey list, because it's very important. All this information is information for you guys as the DIB contractors.
So you see where your competitors are, everything else. But that report was published, and it talks about the current state of the DIB. Right now, we're seeing a trend across the board where a lot of folks that are ready are moving right in without any hesitation in getting on the schedules. Many of the folks that are unsure are still on that bubble. They're not sure which way they're going to go or the organization's going to go. We're seeing a lot of them still waiting. Many of them are now starting to go out and grab information as they start to prepare. So you can go through that annual report. I highly recommend you do. Some of the numbers have actually improved over last year. For example, 47% have already received flow-down requests from the primes. We knew this was going to happen back in early '24. The primes were already pushing the CMMC requirements, and we had to talk them off the ledge. It's like, you can't enforce this requirement. It's not a law yet. So, you know, I appreciate you guys being early birds, but you've got to wait till the rule is final. So once that became final, then, of course, you're starting to see a lot of the primes push this out. Some of the primes are taking care of their subs. They realize this is a very expensive venture. Talking to different organizations at different conferences, organizations are spending upwards of 200K to get devices and solutions in place that will help them get past this assessment. So let's talk a little bit about some of those struggles. What does the assessment look like? What are some trends we're seeing? What are some things that you guys can start doing now to help you prepare? And I really want to go through these kind of quick because I want to set the stage for Mark, because really, what you guys need to hear is what Mark and the team experienced during their assessment.
That is the key takeaway from this particular webinar for you guys. But the assessment itself flows in four phases. Phase one is what we call the objective evidence review. This is where you have to go through a big song and dance prior to this phase to get all of your documentation ready, and that includes the system security plan, policies and procedures per 14 domains (each domain has to have one of those), and then all the evidence associated to all 320 objectives of the NIST SP 800-171 Revision 2 guidelines. So based off of that, it takes the assessment teams anywhere from one week to two weeks to get through and review all that. Now I can't speak for every C3PAO, but I can tell you here at Redspin, we are not looking for grammatical errors. We don't care if you missed a comma or a period. But what we do care about is the content. You've got to clearly define what you're doing there, or at least enough to where we can walk away with knowledge of how you're tackling a particular objective. More importantly, these documents are for all the users within your organization. So if we're struggling as professional IT folks to read through your documentation, imagine somebody that doesn't have that background trying to read and understand what you've captured. So that is what they're reviewing. They're really looking at your configurations, your settings, how you're doing access control, all those different things. Keep in mind, your documentation needs to go to the objective level. There are 320 objectives. It's those objective questions the assessors ask, and that gives them the overall picture of compliance for that particular requirement. So if your documentation isn't at the objective level, you need to go back and start working on that to add it in. Once phase one completes, if they found any anomalies in your documentation, they're going to capture those in their workbook.
If you can make those changes, the lead CCA will let you know that during the phase two interviews. But once phase one completes, you roll right into phase two, and there's a couple of ways this is being done. So first, it's virtual. If you opt to do a virtual assessment, it's typically a Monday, Tuesday, Wednesday. We get through all the questions. And if there's an on-site component because you have physical CUI, then the assessment team travels on Thursday and then meets you Friday morning on-site for the walkthrough. We do it that way because that keeps the price down for your teams, and the cost of the assessment: a hotel for one night versus a hotel for an entire week, rental cars and all that stuff. So we do our best to keep that as minimal as possible. The other option is you can have the team on-site. Many companies like to have the team sitting at the table with everybody so they can have good conversations. And the best assessments are those that are conversation based rather than me asking a question and getting an answer. The conversations usually go very well. So it's entirely up to you which way you want to do that. Just keep in mind, I'm starting to hear a lot of buzz out there about other C3PAOs being able to do the walkthrough portions via video. That is not allowed by the DoD. So if any C3PAO is telling you that, I'm telling you right now, that is not authorized. So just keep that in mind. The phase two interviews take about a week. There's some key players that we want to see in those interviews. Obviously, the subject matter experts that are managing your security protection assets. Who's managing the firewall for you? Are they doing the SIEM? Who's monitoring the SIEM? Are alerts established? If they are, what are those thresholds? And we go into those kinds of details.
So those subject matter experts from IT and information security are definitely going to play the bulk of the role with this assessment. However, this is not their assessment. This is an organizational assessment. And that's what I loved about Secureframe. Mark and the team understood that. They knew this was not just an IT thing. This was the entire company. So they had buy-in from the CEO down, which is very, very important if you want to be successful in your assessments. It has to be really pushed from the top levels down so that everybody understands the importance of this program for your organization. Other key individuals that are going to play a role here: HR. We're going to ask about how you validate somebody's identification. What kind of IDs do you check? How many of those different types of IDs do you check? What does the background check process look like? What are you looking for? Do you have evidence of a redacted background check so that we can verify that those checks are taking place? Those kinds of things will be asked of HR. The other one is your marketing team, or whoever posts information to public-facing web pages. We're going to ask them about their process. Something gets drafted up. Who reviews what's being drafted for corrections? And then who does that go to for approval? And then once it's approved, who posts it? All of that should be documented in some type of policy or procedure about how you post this information on your organizational web pages. Remember, that includes FCI data and CUI data. So I know that a lot of the C3PAOs out there are only focusing on CUI, but FCI is rolled into phase two for a reason. There's a reason those 15 requirements are put in Level 2, because we have to check those as well. And FCI is really what's being posted on those public pages. Okay? Once the assessment is complete... keep in mind, at any time the assessors can ask for a live screen demonstration.
So the very last person that plays a vital role is somebody with administrative privileges in every session, because they're going to be the ones pulling the live screens, providing screen shares of the firewall configurations, the SIEM dashboard, and all the different things that we have to check. And I will tell you, if it involves a configuration setting of a device, nine times out of ten, the assessor is going to ask for that live so they can see it. So just be ready for that. Even if you've done a screenshot and sent that in as evidence, they still have to validate the configurations. Okay? Once phase two completes, you get an informal outbrief. They will give you your SPRS score. From there, that's when the assessment kind of splits. If you have completed the assessment with no gaps, basically like Secureframe did (they had no findings, no POA&M items, so they really finished with a 110), from there the assessment teams go into report writing. This is where they're actually tying all that evidence you provided to each one of the objectives. So that's why when you name your evidence, name it to the objectives that it's addressing. Okay? That way it makes it easier for those assessors to align all that, because we get upwards of 150 pieces of documents that are evidence. One organization sent us five gigs of evidence, and it took our teams like two weeks to get through it. But, you know, more evidence is always a good thing. So just remember to label your evidence to the objective. And then, once the report writing is done, it goes to a quality assurance lead CCA that does the review and checks to make sure that evidence is tied to this particular objective. They open and look at that evidence to make sure it is a good screenshot, and then they just spot check to make sure all of the questions were addressed properly.
We at Redspin go a little deeper into the report writing simply because we work so much with the DIBCAC teams during joint surveillance, which was the early adopter program for CMMC that kicked off in '22. And so we learned their writing style, and we think that is very important here at Redspin, because at any time they can select you for an audit. If they do, we want them to be able to read those notes like they're used to seeing. So our notes are built for DIBCAC. In case you get selected for an audit, it should be boom, boom, boom, and you're done. Once that report writing is done and the QA review is completed, everything comes to me. I do one final formatting check of all the documents and templates, and then I start loading everything into eMASS. Once I load into eMASS, it doesn't take me long to generate your certificate. And then right after all that's complete, we'll hold a formal outbrief where we present the certificate and the summary report of findings to you. Once that's complete, your SPRS affirming official should go into the PIEE system, find the CMMC tab, click on it, and affirm the assessment. That pulls that assessment into SPRS and locks the scores, and you can validate that the CAGE codes are accurate. And once that's done, that's it. You're pretty much complete. You are now CMMC Level 2 certified, and the only two things we remind you of are: one, that certificate is not CUI, but it should be protected as such. You don't want anybody generating a copy of that certificate and using it with their name on it. Right? So be careful of who you share that certificate with. The last thing we remind everybody is, remember, you've got annual requirements, and you have a recertification in three years. At your recertification, we're going to want to see evidence that you've conducted, for example, a risk assessment each of those three years in between your certifications. So keep that in mind.
The other way this splits is if we do find gaps. Now the POA&M items are very restrictive. Only the one-point items can go into the plan of actions and milestones. The three- and five-point items, if we come across those and any of those are deemed as not met, that's a failed assessment. The good thing about that is that when we load that assessment into eMASS, it tags it with a "report of no finding", is what they call it, or something similar to that, which means it's not going to SPRS. The eMASS system will not forward it. So the contracting agency has no idea that you just failed a CMMC assessment. Only eMASS and the PMO office really know that. So that's the good thing about it, which means you can get back in line and start again. Right? So if we find gaps and those are allowed in the plan of actions and milestones, at the end of phase two we are going to shift you into phase four. Now the team's going to continue with report writing in phase three. Once that's done, I go in and load everything, and I issue you a conditional certificate, which allows you to continue bidding on contracts while you're in this remediation phase. And you'll have up to one hundred and eighty days to remediate those gaps. And then once done, you contact us, and our senior operations manager, Ross, schedules the official outbrief with you. Oh, I'm sorry, he schedules the delta assessment with you. That is a virtual assessment. The assessment team will come back online with you. They'll go back over just those gaps to make sure they were addressed properly, documentation updated, etcetera. Once that's complete, they update their reports, it goes to QA, then back to me. I go in and cancel that conditional cert and then generate your final certificate, and then you're officially done. Okay? So it's a long process. It takes about four to five weeks, and it depends on if there's gaps or if there's not gaps.
We run into issues all the time where folks misjudge what the SSP should look like. And then, of course, we take a pause in phase one, because we have an onus as the C3PAOs. If we feel you're not ready, we have to let you know, and then you have to make the decision on whether you want to proceed or not. We did that with Mark's team, and nothing was egregious by them. It was just that they had a lot of stuff that did not apply to them, because Secureframe does not leverage CUI. Nor do they store it, nor do they want it. You guys can keep that. So it was a little challenging for them to do the traditional documentation for CMMC, because it's all about CUI. Right? So, the way they had their SSP built, we kind of stopped things and said, hey, guys, you've got to really go in and address this. Remember, this is focusing on your internal network. And then make sure that you've got a process in case the CUI comes in. What happens if it does make it to you? Right? So the team went back, and Martin and Rob and those guys crushed it. I mean, they worked late hours to get that done because they were so dedicated to getting the CMMC assessment complete. They did not want to kick the can down the road by four or five months to do documentation adjustments. They did it in like two weeks, and we met back with the team and continued on with the assessment. So that is a normal process that typically happens. And, of course, they were 110 after that, but we'll get into some of those nuances. But really, the entire phase, if there's no gaps identified during your assessment, you're done in about three to four weeks. If there are gaps, you're about three weeks plus that one hundred and eighty days. And I'll tell you that most of those findings are very minimal, and they're mostly documentational because of some kind of configuration issue.
And most organizations are taking about two to three weeks to get through that remediation phase. So we'll talk about some of the trends that we're seeing, but I really do want to get out to Mark. So let's jump to the next slide, and let's get into what we're looking for as assessors. First of all, the main thing that we really check to make sure that you are ready to go is that system security plan. About four to six weeks out from the start of your phase one, that's when we hold what we call the scoping call. In the scoping call, we're going to ask for a screen share of your SAM registration so we can validate the CAGE code hierarchy in there. And that depends on the organization. Like, Secureframe only has one CAGE code, so there was no need for us to have them pull up SAM to take a look at that. But we have organizations that have upwards of 90 CAGE codes. So if one of those is not in the right place within the hierarchy, it throws the entire system off. When I load everything into eMASS, you will not be able to see it in the SPRS system. And then we've got to disconnect, and we've got to go back and do administrative adjustments to try and fix it, and it's just a pain. So we check to make sure the hierarchy for CAGE codes is accurate. We ask you to give a brief presentation to the assessment team on what you do. So Mark and the team gave a beautiful briefing on the Secureframe platform, how you guys as their users are leveraging that platform, its purpose for the DIB community and the CMMC program itself, and how it can assist. And I'll tell you, our team really loved that platform. It looked really nice. It was very professional. It was easy to use. Absolutely loved it. So we check the SSP to make sure it goes to the objective level.
If there are discrepancies within there, we'll catch them during phase two and make adjustments there, but we really want to make sure you're getting to the objective level. The other thing we're looking for is the evidence. Now many C3PAOs out there will tell you they will not proceed with the assessment unless you give them every piece of evidence that they need. I will tell you that's not how we are at Redspin, because this is already a stressful process. A lot is riding on these assessments. I mean, your organization and all the funds you make and the revenue you generate is driving your business. And if you can't pass this assessment, and all you do is DIB work, you're pretty much out of business. So it's a lot of stress on the organizations that are preparing, specifically the folks that get tagged with the button to say, hey, you take charge of this and get us certified. So we try to keep the stress levels down. If you don't have all the evidence with us, we'll just do live screens during the phase two interviews and then ask you to take a screenshot there. The other thing we're looking for: we don't need college words in these documents, folks. Nothing fancy. Just keep it simple. Right? KISS is what I call it. Keep it simple, stupid. So if it asks you how you identify your users, the keyword there is define. How do you define your users? Typically, what we see is: our users are defined in Active Directory, we've got them in a role-based, an RBAC matrix spreadsheet where we track them, and yada yada. That's not a definition of a user, folks. That is how you're managing the users. The definition of a user is somebody that does not require elevated privileges, that functions in the network with only the requirements they need to perform their daily tasks and support business operations. That's the definition of a user.
So when you see define, keep in mind they're asking you for that definition. If you see identify (has the organization identified the primary functions, ports, protocols, and all that, the critical or essential ones), when it says identified, we need to see a list of those. Do we need it to be all-encompassing? No. But it should hit the big ones, especially the open ports. Right? So if you're running in a cloud environment, very similar to what Secureframe is, what ports are open? There should only be a couple of ports if it's a cloud environment, but a lot of times there's other things that happen inside your business where other ports have to be open for the other business to operate. Well, you have to account for every port that's open. Right? So keep that in mind. We look to make sure that's documented properly. Remember, when you see periodically in any of the NIST documents, in the DoD's definition, periodically means annually at minimum. Okay? So if you have periodically anywhere in your documentation, you need to strip that out and get granular right to the level. And we had to do this with the Secureframe team. It's like, no, no, no. How often are you doing the vulnerability scans? Oh, we're doing this this amount of time. Okay. So strike out that periodically and put in that you're scanning every week, two weeks, or whatever the case may be. Okay? We're looking for consistency in the interviews. Your personnel that we're talking to should know these policies and procedures, because it's the policies and procedures that really tell them how to do things properly and not properly. Right? So you want to make sure that your users understand that. And as we're talking with them during the interviews, they need to be able to regurgitate to us what's in the documentation. So, caveat note here: no C3PAO should ever come in and tell you your configurations are wrong.
That is not our job. Alright? You as the organization determine your configuration settings. So, for example, timeout settings for inactivity. Some organizations are set at ten minutes. Others are at, like, four hours. In industry best practice, would I say four hours is optimal? Probably not, but I'm not going to tell you that in the CMMC assessment, because that's your decision to set that configuration. All we're doing is validating that what you said in the documentation for that configuration time is actually what's in the configuration, so we're making sure it matches. Okay? So that's the consistency we look for. I will tell you I love it when we ask for a live screen demonstration of the firewall settings and you see the admins click, click, click, click, click, and boom, it pops up. That was the entire Secureframe team during this assessment. Any time we ask for a live screen demonstration, usually the organizations will wait and get the screen up and then do a screen share with what they've got, but not this team. I mean, these guys were pretty much bragging to us. It was pretty cool. They would literally pop the screen up, and you could see the mouse. Just click, click, click, click, and boom. There it was. And then, not even hesitating, went right into a description of what we were seeing on the screen, yada yada yada, etcetera. That lets us know that you are living that on a daily basis, which is exactly what Secureframe demonstrated to us. So keep that in mind when you're going through your assessments. And I know we've got some questions out there, so we'll get to those in a second. So what are some things you should not do? Right? Real quick. You cannot make any configuration adjustments during the assessment. This is a point-in-time assessment. Right? Say we find, looking at your inactivity settings, that your document says at ten minutes of inactivity the screen locks.
But when we look at the configuration, it's set at fifteen minutes. More than likely, we're gonna tell you to change that document to match the configuration because you cannot make a configuration adjustment. Right? So the way we get around that is adjust the SSP to match the configuration, and now you're matched. What we recommend is, once the assessment's complete, run that through your change management board to determine if you need to set that back to what you originally wanted. Other things you should not do is have your evidence just in a folder everywhere. It needs to be organized. If it's not organized, you're gonna have two lead assessors, a lead assessor and a CCA assessor, going through and digging into places you don't want them digging, right, and finding things you don't want them to find. So control where they go. Label all that evidence per objective and keep them on task so that they can go in, find what they're looking for, and move on to the next one. Alright? So, again, those are some things that you should not do. If you run into a, you know, an objective where you don't agree with the assessors, have the conversation. Our teams, I don't wanna say pause the assessment, but we have a conversation with you, right, because we want you to understand why we are seeing it as a not met. And then we need to hear your stance because, typically, that's when a compensating control will fly out that was not previously mentioned, and that makes a difference in the assessment of an item being not met and met. Okay? Other than that, it's an assessment like any other. It is very demanding. These assessors do read every document you give them. I will tell you, Microsoft Federal told us that was their first assessment where the assessors actually regurgitated their documentation back to them. So it is a very intense assessment. But by the time it's done, one, you're gonna realize that, hey.
We're sitting pretty dang good, and, two, you're gonna understand CMMC completely by the time you're done with that assessment. Okay? So, my last slide here. Let's talk about some lessons learned from Secureframe's assessment. And this is the part that I wanted to get to because this is where it matters for all of you that are out there listening. Because what Mark and his team experienced is, nine times out of ten, the experience everybody is having as the contractors. So, Mark, I'll shut this pie hole and pass it back to you. Rob, thanks a lot. You covered a lot of points that, you know, I was planning on covering as well and I think are, like, really critical for any organization that's going through this for the first time. Right? You know, we went into CMMC pretty cocky. You know, I have a background in compliance. I used to be an auditor. You know, Secureframe has been SOC 2 and ISO 27001 compliant for years. So we thought a lot of the policies that we already had were good enough. We thought a lot of the configurations that we had set overlapped pretty heavily. And we learned the hard way how diligent and how thorough a CMMC assessment really is. So, Rob, when you're talking about, you know, how buttoned up our documentation was and how on point we were during the fieldwork, that was the final stage. We went through two phase twos before that and a couple of documentation reviews before we had everything buttoned up. So, yeah. If you were our first C3PAO going through the audit the first time, you would have seen, you know, what our documentation looked like initially. Right? And that's the point that I wanna drive across to everybody that's kinda listening today. I mean, Rob, like, how often would you say an organization going through CMMC for the first time, you know, their SSP is buttoned up, their evidence is prepared?
Like, is it more frequent that you see these folks, like, make it through to phase two, or are they going back and having to reevaluate sometimes? No. This is the norm. We're seeing a lot of organizations missing the mark on the documentation. The ones that are doing well, Mark, are those that bring on an RPO or another C3PAO to help prep them to make sure that everything is straight. And then they'll sign with the C3PAO for a mock assessment and then the actual certification assessment. That gives them peace of mind that none of the items will fail. But, yes, that is normal with the SSPs. Yeah. I mean, Rob, you bring up a good point. Like, that's a way that you can guarantee you aren't going to fail a real assessment is, you know, you go through that mock assessment with the C3PAO. You bring on an RPO to take a look at all of your documentation and your evidence and your configurations because they're the ones who are gonna be able to provide you guidance in relation to remediation. So, Mhmm, the, you know, your guys' job is to validate that the processes are meeting the configuration, that the policies are meeting the implementation. Right? It's not your job to provide recommendations and remediation guidance. Like, if anything, there's a conflict there. Right? So if this is your first foray into CMMC, I highly recommend reaching out to RPOs, having discussions with them, and seeing if bringing in a consultant is an option. Because, you know, Secureframe, we went into this as compliance experts reading through the CMMC assessment guide, reading through NIST 800-171, reading through the assessment objectives, and then, like, trying to figure out on the fly if the configurations that we have in place are sufficient for those requirements. Right?
And, like, without the actual deep understanding of CMMC, having gone through these assessments, having shadowed CMMC assessments before, you know, our interpretation of the rule wasn't 100% accurate. So by the time we went into building our documentation and implementing our controls, the first time we had a C3PAO kind of review a lot of our configurations and our implementation of assessment objectives and our documentation, there was a lot of pushback. So we could have avoided a lot of that, which is time, you know, spent on preparing this documentation and configurations in regards to the way that we thought they should be implemented. Cost. There was a situation, initially, during our first C3PAO assessment where we got feedback that some of our vendors needed to be FedRAMP Moderate. Right? So what we did was we took their word for it in relation to, you know, our environment because we're not the experts. We needed somebody to be the experts and provide us that guidance. Right? And what happened was we ended up looking at some of our key vendors and having to swap them to FedRAMP Moderate authorized vendors. Was that something we actually needed to do? After, you know, getting a second and third and fourth opinion? Turns out that wasn't exactly what we needed to do. And what we learned during that, and I'll deep dive it a little bit because I have a bit of a script in terms of, like, how our assessment went. But what we learned overall throughout the process is, you know, the CMMC, this final rule is very new. And although it's written in black and white, a lot of these definitions and scoping guidance and all this stuff can be interpreted in different ways. If you ask one C3PAO how they interpret, like, SPA compliance and, like, your relationship with these SPAs even though you don't handle CUI. And, like, oh, there's all these nuances. Right?
Like, you could get two different answers if you talk to two different C3PAOs. So what we learned during the process was don't be afraid to make friends with, you know, a lot of folks in the community. And, like, feel free to ask multiple opinions if you're running into a situation where you're kind of hitting a wall. Or maybe you just feel that, you know, you don't have the right expertise to make an executive decision on something. Or you're running into a situation where the cost is gonna be elevated. You have to swap out vendors. You need to change the way that you're handling the data that you're receiving. Those are significant changes where I would recommend reaching out to multiple partners, even if you already are contracted with a specific C3PAO or something, and getting that second and third and fourth opinion. Well, I'll dive deep into it a little bit more, you know, how Rob and I kinda collaborated on some things that happened during our assessment, and how, you know, maybe the collaboration with our previous C3PAO didn't go nearly as well, and what you all can kinda learn from that process. So the first major challenge that Secureframe faced was understanding how we actually fit within the definition of CMMC. We knew that we wanted to achieve CMMC because we're entering that space as a, you know, as a software GRC platform. We know in order to talk the talk and walk the walk, we needed to go through CMMC ourselves. And how we went about that, we weren't exactly sure right off the bat. Right? So the first conversations that we're having internally is, like, what's the data that we are gonna handle? We understand that, like, CUI is the data that needs to be protected for level two, and SPAs, you know, transmit SPD, security protection data. There's a few categories of data that are in scope for CMMC. Right?
So the first thing we were determining is, like, do we want to handle CUI? Is that a benefit for the customers and the users? If we handle CUI, what can we help provide these customers and clients? Right? Well, in order for us to handle CUI, we're a SaaS cloud-based platform. We learned that we would need to be FedRAMP Moderate authorized or FedRAMP Moderate equivalent. And we looked into this. FedRAMP Moderate authorization today requires, like, getting agency sponsorship, to a certain extent. And that is, you know, maybe not feasible for a lot of organizations, including ourselves. And then we looked into FedRAMP Moderate Equivalency. And FedRAMP Moderate Equivalency, after talking to some 3PAOs, seems to be nearly impossible to achieve because you need 100% completion of every single NIST 800-53 requirement. Right? And we actually spoke to one of the biggest 3PAO firms, and they told us that they have never gotten an organization through to FedRAMP Moderate equivalent. So, like, after receiving this feedback, it's like, okay. We definitely should not nor could not handle CUI. So understanding the scope of, like, what is the data that you are handling and how you're handling that data, what you're looking to accomplish as part of your service offering, is, like, the first questions that you need to understand. And, like, our situation being really unique, being like a SaaS platform specifically for GRC, it kinda put us in this bucket that didn't really exist where, like, ideally, we would wanna be FedRAMP Moderate, but we couldn't. So, like, what's the next best thing? CMMC Level 2. So, we're considered basically an SPA where, if you're a customer of Secureframe, we're connecting in technology integrations. We're pulling in configuration data, and now we have your SPD. Right?
So we knew that that was the scope that we wanted to protect: the people that had access to it, the infrastructure, the software, the applications that had access to it. And that's kinda where we got started. So understanding your scope and talking to experts in the industry to really define your scope and make sure you're handling that properly is super important. Because if you start documenting, you start writing up your SSPs, you start implementing tools and technology based on a scope that might be incorrect, you're gonna have to do a lot of backtracking when the audit comes around and it turns out, like, the scope is not as accurate as you had assumed. So as we go into documentation, when we first started working on the SSP, we reviewed, like, the FedRAMP template for the SSP. And we mapped some of our existing, like, SOC 2 and ISO 27001 policies to the SSP. So what we ended up with was, like, a very short SSP with implementation statements and owners for the high-level CMMC requirements, so not the assessment objectives. When we sent this over to our first C3PAO, they reviewed the SSP and immediately turned it back to us explaining, like, we needed a way more detailed executive summary, which included describing our service, assets, owners, and details, as well as deep diving all the requirements, explaining the related policies, processes, procedures, and implementation description. So, like Rob was saying before, start off your SSP at the assessment objective level, where each assessment objective is specifically talking about a nuanced configuration or control in relation to the high-level requirement. What we did was we mapped an owner to that assessment objective. We mapped a policy procedure document to that assessment objective, and then we described exactly how that assessment objective is being met in relation to all of the assets that are considered in scope. So there was no stone unturned.
If you read that implementation statement for each assessment objective, you would know exactly how we're meeting that. And that went from a high-level description to something incredibly detailed, something that the C3PAO would then be able to read and completely understand. The executive summary, even more detail. Every single asset, all the asset categories they exist in, why they're used, what are the services they provide. We included as much detail as possible in the executive summary. If you knew nothing about Secureframe and you read through this, you would know exactly how our service is lined up, how we're scoped out related to CMMC, and why we're doing this in the first place. And we learned a lot about that through the failed first phase one that we went through. Having those discussions with the C3PAO about what we're missing, what they need to understand. Having a conversation with them and then trying to just describe our service back to us, and us realizing they had no idea what we really did, was, like, a light bulb moment where we were like, okay. We need to make this a lot clearer in our documentation. Once we did that, our SSP was nearly, like, 120 pages. They reviewed all of it and determined at that point we were ready to get into phase two. And that's where we went through two different CMMC audits. The first audit with our original C3PAO, we hit a roadblock where they interpreted the final rule to be much more strict related to the compliance requirements of our third-party vendors. So what we started doing was migrating some of those vendor SaaS services to be hosted on our infrastructure instead of using the cloud implementation because they weren't FedRAMP Moderate. Right? And then we also started reviewing FedRAMP Moderate vendors to replace some of our core security services. But it was at that point that we were considering, like, you know, we're not handling CUI.
These security vendors, they're not providing a security service that directly meets CMMC requirements for us. Right? Like, we're not relying on these vendors to meet these requirements. So we got a second, a third, a fourth opinion on how we should be handling these vendors. And it turns out, like, the C3PAO was just being a bit strict in terms of, it makes sense that, like, core critical SaaS vendors being FedRAMP Moderate authorized, that is ideal. Right? Like, then the C3PAO knows they've gone through that sort of assessment to back that that vendor's meeting proper security controls. But the thing is, it wasn't exactly required for the way that these third-party services were meshed with our solution. Right? So, that's when we started talking to Redspin. We gave them a call. We were like, hey. This is our situation. Do you agree that we can move forward with these vendors in a certain path? And, like, after having these calls and discussions, understanding our environment, Redspin was able to state that, like, yeah. Absolutely. We can move forward in this situation. So even before, and, again, Mark, this is very nuanced because you guys were a, you know, nontraditional kind of organization that gets assessed. So many of you are not gonna run into some of the issues Mark is talking about, but what you need to focus on, what Mark is talking about, is talking to the C3PAOs. Right? That was the biggest thing. They wasted some time with another C3PAO before they finally connected with us. So I think that's the key there. Right? Like, maybe you won't have these exact nuances that we ran into, but I can guarantee you that there's gonna be some questions about scope. There's gonna be some questions that dive really deep into CMMC rules and definitions and things that maybe you aren't an expert on.
And these are the kind of conversations that are important to have with the C3PAO before you sign a contract. Like, if you're able to have those discussions with the C3PAO where they're talking through scope, you wanna make sure that these folks either have experience with the environment that you have and they've assessed other organizations with a similar structure, or they're willing to have a conversation to learn what your environment is like, how you're handling that data, and if, you know, you can kinda move forward with your current implementation. Rob, I'm sure you have conversations with prospects all the time to make sure, like, you know, if they have questions about how their environment's set up, are they ready for CMMC, these high-level discussions that kinda dive deeper into the final rule? I'm sure you're happy to have those conversations. Right? Absolutely. Yes. Absolutely. And the other thing is, you know, I'll just take Jacob's question live here. He asked, you know, how can one C3PAO say one thing and another says the other? It's all experience. You know? The good thing about the C3PAOs is that we have to pass the same assessment you're going through. But just because I can pass the CMMC assessment doesn't mean I know how to do assessments. Right? So the experience of the C3PAO is what matters. We ourselves at Redspin spent a lot of time with DIBCAC in the joint surveillance early adopter program. I mean, we completed almost 40 to 45 assessments. By far, we led the ecosystem in those assessments, but we gained a lot of knowledge from DIBCAC while doing that. So by the time the rule went live, Redspin and their assessors were already experienced with at least 20 assessments under each of their belts. So, compare that to a new C3PAO that comes into the market space now. Right?
They just got, you know, certified, and now they're getting ready to start business, but they have never done a CMMC assessment. And the training is really, it's missing that part of continuity, and there's no real way you can address that in the training. And the DoD, the Cyber AB, the CAICO, they all know that. But the fix to this, and I'll shorten it up. The Cyber AB has established advisory councils, and they are going to take a look at this. So one of those things they're going to be doing is talking with each of the C3PAOs and each CCA in the ecosystem to make sure they know what they're doing. And, hopefully, that will minimize this. Yeah. And that's where choosing the right partner is, like, the most important. Right? Like, you could be speaking to a C3PAO that's done 20 assessments before, but they're all, you know, maybe for MSPs. And, like, they're providing security services, and they're not actually handling CUI. But you are handling CUI. Right? So, like, that's where you have discussions with these different C3PAOs, and you see what experience they have in terms of the assessments that they've completed. You know, our situation was really unique. No C3PAO has gone through an audit, not a lot of C3PAOs, I'm sure, have gone through an audit where they're working with a software platform that handles security protection data, doesn't touch CUI, nor has a way to handle CUI. So, you know, that's where working with Redspin really worked out because any sort of time there was questions about, like, you know, oh, should we have a way to handle CUI? You know, we're going for CMMC, and that's, like, the core aspect of this. Right? Like, we would have these open conversations. We'd reach out to the Cyber AB directly, you know, talk to the folks that we needed to, to make sure that we're doing the right thing as we went through this assessment. And that's where I really respect Rob and the team.
It's like, instead of making executive decisions about how things should be done or, you know, having an ego about being the expert and knowing exactly what should be done and shouldn't be done, when we ran into a situation that was fairly unique, we reached out to, you know, the councils themselves. Right? So, it's important to have a partner that's willing to work with you, and even if they don't understand your environment fully, is willing to bring on the experts to help, you know, make sure that you all are moving in the right direction. Cool. Yeah. We're running out of time. I've talked about a lot. I have a bit of a script for the rest of this, but we're just gonna completely skip that. I think, like, I'll just generally give you guys my thoughts. But, basically, like, having the documentation on point is the most important thing, like, right off the bat, as well as gathering a lot of the evidence beforehand was really helpful when it came to our audit. You know, using Secureframe, we had all the evidence kind of organized and prepared for the fieldwork. That way Rob and the team were able to kind of review a lot of that evidence beforehand. And our conversations were more like, oh, you know, we saw the screenshot. Maybe we need to see, like, something else, or we just had questions about how that, you know, configuration was implemented. And we were talking about the evidence itself instead of fieldwork being like, oh, we need this evidence. And if you don't have the evidence prepared, that Monday, Tuesday, Wednesday could be just chasing evidence. And then before you know it, you know, the team still needs to review a lot of it. So our recommendation is, you know, be as prepared as possible. Get the documentation prepared. Get the evidence prepared. Going through a mock assessment is a surefire way to make sure that you're actually ready for the audit.
And then, Rob, I know a question came in about, and you might have actually answered it in the chat, but let's say, like, you're in the middle of phase two and you have a misconfiguration for a three or a five. Right? What does it look like at that point? Like, yeah. So, and, unfortunately, we have run into this. So if we find a three- or five-point item that is deemed as not met, it is an automatic fail. They will more than likely go through the rest of the assessment process with you because at this point, it's really going to be information for you to go in and clean things up to prep, because you're gonna have to get back in line and do it all over again. But if you do not agree with the finding the assessment team has made, you can do an appeal. It'll start with the C3PAO. If nothing gets overturned there, you can appeal it to the Cyber AB. The Cyber AB will have the final decision. But, yeah, unfortunately, the three- and five-point items, it kills that assessment, which is why, you know, as you mentioned earlier, Mark, if you have never done this assessment before, definitely, definitely, definitely sign up for a full mock assessment in conjunction with your certification assessment. That will point out those three- and five-point items so you can address them with confidence going into the cert. If you're knowledgeable, like the Secureframe team, for example, these guys are very good at security. So for them, I would have recommended that we do a technical mock, which is just take a look at their documentation and evidence, because I don't need to interview Mark. Right? Mark knows how to answer these questions. But that's what the full mock gives you. It gives you an opportunity to answer those questions and get a feel of what that assessment's gonna be like. So, but, yeah, a failed assessment is a failed assessment. You start over. Yeah. I think we have a lot of really good questions in the chat.
I would recommend, Rob, you do a live Q&A pretty frequently. Right? Yeah. We have what we call the CMMC Connect. Our very fantastic Lauren Frickel, who is also active in the chat sessions, she is our marketing director, came up with this idea, and it's really, I gather up all our CCAs that are available. We put them on this panel. There's no agenda. Come to the webinar. We're gonna tell you what the latest buzz is we're hearing in the DoD, the latest changes in the rules or whatever the case may be, and then we dive right into your questions just like we're doing here in the chat session. Bring your question. The team answers it. Get you moving. And it was mainly because we were attending all these conferences, Mark, and you know because you guys attend them. By the time you're done speaking, you got, like, a minute to answer people's questions, and that is not enough time. So we were like, you know what? Let's just have a thing where they bring their questions and that's all we talk about. So, makes sense. I mean, we extended this webinar to be an hour, and we still weren't able to cover everything we wanted to. Right. Right. So, yeah, I'll be on that CMMC Connect, the next one. We can pick up where we left off. If you do have questions for me or about Secureframe, you could reach out to me at mark@secureframe.com. Yeah. It's not on that slide. We'll also be sending out the deck. So there's some good information in the slide deck. But, if you do have any questions, feel free to reach out directly to me. I'd be more than happy to have a conversation with everybody on the call today. Yeah. Also, if you want us to continue this conversation, because as Mark mentioned, we didn't even get into a lot of the stuff we wanted to share with all of you. So if you want us to continue another one, let us know.
I mean, we can either pick it up with, you know, Mark's team, or we can bring Mark's team on our webinar so that we can continue this talk. Because this, to me, is the important part of CMMC. It's not these conferences. It's this, where Mark comes on and shares: this is what we struggled with. This is what the assessment was like. And at the end of it, we're like, thank gosh. We're done. You know? So, but he's sharing all of those things that you guys are currently struggling with and running into right now, and that is the valuable knowledge. So appreciate you doing that, Mark, for all the listeners here and your clients. So. I know we only covered the surface of it. I hope a lot of what we talked about today kind of related to the struggles that you're dealing with now. And, yeah, I'd be more than happy to jump on another, you know, one of these and answer more questions and talk about our process in a little bit more detail. We went through a lot of mistakes during our preparation so that you all don't have to, and I'm more than happy to talk through those. So, thanks, everybody. You make it sound, Mark, like you guys are all a mess. You are not. It was just a miss in the documentation. The security stance, the configurations were all there. The knowledge was all there. It was just the documentation, which is very, very, very difficult to tackle. So, but, yeah, appreciate you bringing me on, Mark. Thank you guys for attending. I appreciate it. Yeah. Thanks for joining, Robert. Always appreciate you joining us. And, everybody else, thanks for joining as well. We'll be in communication. Everyone have a great day. Alright. Take care. Have a great day. Thanks, Mark.