Video: CMMC 2.0: The What, Why and How from a Compliance Expert and Former Auditor | Duration: 3584s | Summary: CMMC 2.0: The What, Why and How from a Compliance Expert and Former Auditor | Chapters: Welcome and Introduction (7.12s), CMMC Data Types (115.439995s), FCI and Levels (288.12s), CMMC Creation Rationale (435.59s), CMMC 2.0 Overview (583.345s), CMMC Misconceptions Addressed (988.17004s), CMMC Compliance Requirements (1752.9249s), CMMC Compliance Scope (2572.68s), CMMC Assessment Details (2719.5798s), CMMC Control Families (2824.145s), CMMC Assessment Scope (2935.995s)
Transcript for "CMMC 2.0: The What, Why and How from a Compliance Expert and Former Auditor":

Hello, everyone. Welcome to Secureframe's CMMC 2.0 webinar. I think we'll get started now since we're at the top of the hour. Good morning, good afternoon, depending on where you are. I know we've got callers calling in from all over. Good evening to our friends over in Europe. Thank you for joining us today. We're excited to have you, and we're honored that you're taking the time to meet with us and listen to this webinar. So I hope you enjoy it. You know, I'll talk through a lot of things regarding CMMC. I will throw a lot of information out. So if it's too much or you need some time to process, you know, Secureframe is always here to discuss. Please feel free to reach out to your CSM or myself, and we're happy to dive into some of the specifics as it relates to your specific business or your specific CMMC needs. You know, I meet with Secureframe customers and prospects all the time to talk about this stuff. So, you know, I wanna make sure that you get that same support as needed.

So with that said, without further ado, my name is Rob Gutierrez, and I'm a senior cybersecurity and compliance manager here at Secureframe. As a compliance manager and former FedRAMP auditor, I've helped many customers through federal compliance. Before Secureframe, I worked at Coalfire, so I was a FedRAMP auditor. Very familiar with federal compliance, NIST. I worked with government agencies doing IT audits before working at, doing FedRAMP audits. So I've been in the space for about ten years, and I'm very familiar with FedRAMP, CMMC, NIST, and all the fun things that come along with federal compliance.

So in this webinar, we'll be talking about CMMC and how to navigate it. CMMC can be a complex framework, especially if you're coming from, like, the SOC 2 world. You know, I don't like to sugarcoat it.
So CMMC is a bigger beast than SOC 2. Doesn't mean it's not possible, especially if you use Secureframe. We make it a lot easier. But here, we're gonna talk through how to get through it, what is CMMC, what do you need, what does the level of effort look like? And what should you do to start preparing? And how do you know if it even applies to you? So the CMMC rule was put into place for gov suppliers that want to work with the DOD, Department of Defense. Whether that's a prime contractor, subcontractor, subcontractor of a subcontractor, CMMC may apply to you. So let's jump into it.

So what is CMMC protecting? Let's start with the basics. There are three main types of data that CMMC helps safeguard. There's CUI, or controlled unclassified information. This is really the main crux of CMMC. This is why CMMC was created. It's why it was built. When people think of CMMC, when you're really getting started going through CMMC audits, you know, you really hear a lot about CUI. A lot of requirements specifically state CUI. It is the meat and potatoes of CMMC and the reason why we're all here originally. CUI is sensitive government information that is not classified but could still harm national security if compromised. Examples of CUI include personally identifiable information, also known as PII, which is tied to defense operations, controlled technical information, and relevant military information. CUI is the most commonly referenced data type when it comes to CMMC, but not all organizations that need CMMC compliance have or touch CUI, and not all systems that will be in scope for a CMMC assessment have CUI. So there are other data types that are relevant for CUI. As you see here, there's security protection data, SPD. SPD is stored or processed by security protection assets.
Essentially, it's any type of data that is security relevant, such as security configurations, log data, vulnerability data, continuous monitoring data, really any type of data that correlates to the implementation and management of the 110 controls that are part of NIST 800-171 and thus CMMC. Then there's also FCI, federal contract information. FCI is the least sensitive of the three relevant data types. FCI is related to federal contracts, like delivery schedules, purchase orders. It's less sensitive, but still protected under CMMC level one.

As the session started, I do not hear anyone speaking. Eric, can you hear me? Sorry. Okay. Thank you. Thank you, everyone. Appreciate it. Awesome. So I'm gonna keep going.

So FCI, as I mentioned, is relevant to level one. So we'll get into this in a little bit, but CMMC has three levels, one, two, and three. Level one is the least stringent. Level three is the most stringent. Level two is the most common. I like to say that around 75 to 80% of organizations that are going for CMMC compliance need to go for CMMC level two. And we'll dive into the levels a bit further, but just wanted to lay that out for context. Things like the contracts that you're a part of or that you might be trying to get or are already on, data flow diagrams, boundary scoping. These are the types of things that really affect what level applies to you. So when customers come to me and ask, you know, what level applies to me, I ask about their contracts. I ask about, you know, where is their data coming in from? What type of data do they have? What systems are in place as part of their boundary and environment? And so there's a lot of variables and nuances to CMMC scoping. I'm talking about some of these things at a high level, but as mentioned, if you want to dive into some of this further as it relates to your organization, I would be happy to do that with any of you.
And that's kind of included as part of what we do at Secureframe. And these are conversations we're having all the time. And as I mentioned, they can be very nuanced. And they're really important to have upfront because they kinda set the tone for the rest of your audit readiness and ultimately your audit and your authorization. You know, no one wants to spend time working on things that they don't need to be working on. Everyone really wants to set a target, set it properly, and move forward accordingly.

So now let's discuss why CMMC was created to protect all these different types of data. So to understand why CMMC exists, you need to understand the problem that it was created to solve. The DOD, Department of Defense, works with over 300,000 contractors, subcontractors, and service providers, which are collectively referred to as the Defense Industrial Base, also known as the DIB. For years, these companies have handled sensitive information or non-sensitive but relevant information, but didn't have many consistent security practices. While the DOD released security requirements under DFARS 7012 a few years back, they didn't have a framework in place to verify that companies were actually protecting sensitive data. This left the DOD, and thus American national security, exposed to cybersecurity risks and gaps which adversaries could exploit to siphon off sensitive military data and ultimately harm the warfighter's mission and goals. So starting in 2020, the DOD began to move on from voluntary compliance under DFARS to a framework that requires proof through assessments, certifications, and scores. That framework is CMMC. So in a nutshell, CMMC was created to protect the DOD supply chain and the supply chain of its supply chain.
And we'll get into this, but, you know, just because you're not a prime contractor or directly on a DOD contract doesn't mean that CMMC doesn't apply to you. There are a lot of what we like to call flow-down requirements where if you work with a prime or you work with a subcontractor of a prime, CMMC can and likely does apply to you. So it's important to really, you know, make sure that you are part of the solution of securing that CMMC supply chain, or sorry, DOD supply chain.

So just a quick little history lesson for a little context. CMMC wasn't built overnight. It's the result of years of bipartisan policy evolution to reduce risk across the DIB and protect government data from falling into the wrong hands. So CMMC has gone through three different administrations going back to 2016. Doesn't matter who's in office. CMMC has been and will be here to stay. So in 2016, the DOD released DFARS 7012, as I mentioned, which required contractors to implement NIST 800-171 security controls to protect CUI. If anyone's not familiar with NIST 800-171, NIST 800-171 is a derivative of NIST 800-53. So it's kind of a subset. All 110 controls that are part of NIST 800-171 and thus CMMC are also part of NIST 800-53. So if you're already compliant with NIST 800-53, you're likely in a good place to be compliant with NIST 800-171 and CMMC. There's a lot of overlap and, you know, we'll get into this later, but that's one of the benefits of Secureframe: we have over 40 frameworks in our platform, including all of the federal frameworks that I've already mentioned and many others. So you can really track that overlap across the board.
In 2020, the DOD performed a review of the DIB that uncovered widespread noncompliance with NIST 800-171, including many contractors with plans of action and milestones, also known as POA&Ms, if you're familiar, that wouldn't have brought them into full compliance until 2099, which as far as national security goes is frankly unacceptable. So that year in 2020, the DOD introduced the first version of CMMC, CMMC 1.0. It had five levels and mandatory third-party assessments. But the framework proved too rigid and overly complex and became a nuisance. The intent was there, but it wasn't actually functional or effective for really improving security across the DIB. So that brought us to CMMC 2.0, which was announced in late 2021. It simplified the model, reducing five levels to three and offering more flexibility for meeting security and assessment requirements. And then in December 2024, this past year, the final rule was published, making CMMC 2.0 official policy. With CMMC 2.0 requirements expected to start phasing into DOD contracts later in 2025, it's critical to understand this latest version of the framework.

So what changed? CMMC introduced several important changes that affect how organizations prepare for and achieve certification. As mentioned, reduced from five levels to three, levels one, two, and three. Level one requires basic cyber hygiene for protecting FCI and is based on 15 practices or 15 requirements. So it's pretty lightweight. To put it into context or perspective, I would say CMMC level one is easier than a SOC 2. It's fewer requirements, more lightweight, does not require an SSP like level two. Whereas level two is for handling CUI and SPD and does require implementation of all 110 NIST 800-171 controls, a lot harder than SOC 2.
And level three is reserved for the most sensitive DOD programs and includes 24 additional controls from NIST 800-172, which is different than 800-171, and is on top of the 110. So level three is 24 controls. Level two is 110. So if you need to be compliant with level three, you really need to be compliant with 134 controls. Right? 110 plus 24. Self-attestation is allowed for level one and two, depending on contract requirements. So depending on those requirements, level two could either require an independent third-party attestation or an audit from a C3PAO, which is a certified third-party assessment organization that is allowed to do CMMC authorizations per the Cyber AB. The Cyber AB is the governing body of CMMC. Think like your AICPA for SOC 2, similar idea. However, any companies handling CUI or SPD do need to go through independent third-party attestations. There's more flexibility with POA&Ms in CMMC 2.0. Within CMMC 2.0, companies are allowed to make 180-day POA&Ms, plans of action and milestones. So, essentially, for certain requirements within CMMC, you are allowed to POA&M them with remediation of no more than 180 days or six months. You can get conditionally authorized, with the assumption that those POA&Ms will be remediated within 180 days. And once they are remediated, your C3PAO will attest that those have in fact been remediated. CMMC 2.0 removed NFO controls, which were non-federal organizational controls, from the requirements, which was good because these were controls that essentially the DOD assumed that everyone would already have in place as part of CMMC, and the assumptions were really just throwing people off, and people didn't understand or didn't even know that they were in fact in scope for CMMC.
So by removing those NFOs, it really made it clear what needed to be in scope and what was in play for CMMC. And then CMMC 2.0 also clarified asset categorization and scoping guidance. So if you're not familiar with the scoping guidance, or the assessment plan, or the asset categorization, these came out in September 2024 as part of CMMC 2.0. I would definitely recommend looking these documents up. You can Google them, you know, level two scoping guidance, DOD CIO. To be honest, I refer to these almost daily. Or at least I used to. Now I'm so familiar with them, I don't have to look as much, but they're really helpful guidance as you go into scoping. And as you start to prepare for your CMMC audit, you know, they help you understand what the auditor's ultimately gonna be looking for. And the auditors that you work with, they are using these on their end as well. So everyone's reading from the same script, and it makes it a lot easier to understand what is in scope or what isn't in scope for CMMC. And then finally, the DOD has planned to phase CMMC 2.0 into contracts over time instead of flipping a switch overnight, which makes it easy for organizations to prepare accordingly based on some of the different requirements needed.

So I do see some questions in the chat, so I am gonna kinda run through those real quick. So, Lockheed Martin has already put it so they put out all subdiscussed picture. Yep. Yeah. Lockheed Martin announced that all their vendors need to be CMMC compliant, and that was big. Obviously, Lockheed Martin is one of the main five prime contractors. So if you work with Lockheed Martin, you certainly need to be CMMC compliant, and we can help you get there.

As a former auditor, what's the most common misconception organizations have about CMMC 2.0 compliance, and how can they avoid costly surprises during audits? Great question. What's the most common misconception?
You know, I think the most common misconception is, one, that you need CUI to be CMMC compliant, because you don't. So for example, Secureframe just went through a CMMC audit, and we do not hold CUI ourselves. However, we do have customers that are CMMC compliant or authorized, and we're helping them with that. And so Secureframe ourselves is an SPA, one of those security protection assets I mentioned. We don't have CUI in our platform, but we do need to be CMMC compliant. Another common misconception is that, I think, like I said, I don't like to sugarcoat it. Like, CMMC is not, you know, I come from the FedRAMP world. FedRAMP is, I think, the hardest framework there is outside of PCI. CMMC 2.0 isn't that far off. SOC 2, ISO, they can be pains, but it's all relative. Right? And it's all relative to what you're used to. If you've never gone through any compliance, you probably think SOC 2 is a pain. But if you've been through FedRAMP, you might think it's not so bad. So it's all relative, but I will say it's not easy. Even if you're already compliant with another framework, unless that framework happens to be FedRAMP.

What contracts have you seen CMMC requirements in? Any DOD contracts and/or contracts of organizations that are working with the DOD. So now we're starting to see organizations that aren't the DOD, but they do work with the DOD, having CMMC requirements in their contracts because, essentially, they're trying to cover themselves. Right? They wanna make sure they're not that weak link or vulnerability in the DOD supply chain. So, you know, it's not just DOD contracts. CMMC compliance is really becoming a barrier to entry or essentially a baseline for companies that wanna be part of the DIB or be adjacent to the DIB.

Can you provide links to those reference documents? Yes. I could.
I am in the middle of the webinar, but afterward I could just send those over. But, yeah, if you just Google DOD CIO scoping guidance and level, or DOD CIO assessment guidance and level one, two, three, it shows up really quickly. Make sure you click on the DOD CIO links.

What's the biggest delta you see when mapping NIST 800-171 to CMMC 2.0 controls, and how should IT leaders prioritize closing those gaps? Good question. So to be honest, NIST 800-171 revision two, so quick step back. NIST 800-171 recently went through an update last year in about May 2024, where they updated from revision two to revision three. CMMC 2.0 is based off of revision two. So there's really not many deltas between CMMC 2.0 and revision two. I would say the biggest delta there is kinda just like the scoping guidance and the fact that you're ultimately probably gonna have to go through an independent assessment. Right? Where with 800-171, you can self-attest. Or you can get an attestation letter from an auditor, but that auditor does not need to follow the CMMC CAP, which is the CMMC assessment plan that all C3PAO auditors follow. Whereas if, let's say, maybe you're working towards NIST 800-171 revision three, revision three was updated to align more with NIST 800-53 and kind of the traditional control family and organization-defined parameters that you see in many of the federal frameworks now. So there are more deltas. The best way that I would address those deltas is I would use Secureframe, because Secureframe has everything cross-mapped between every single framework in our platform. So it's really easy to see what the deltas are within the app.

Do you provide any real-time monitoring and dashboards to keep our team informed when controls fail or evidence falls out of date? Yes. We do. That's Secureframe's bread and butter.
How much is it to become CMMC certified? So it depends. It depends on your level. It depends on your tech stack. I will say, if you use a platform like Secureframe, we are part of that cost, but I would say we are the least part of that cost. The biggest part of your CMMC cost is really gonna be your audit. Audits go between, if you get a nice auditor who really likes you, maybe they'll say 35, 40k, and I've seen quotes all the way up to 80k. So that's obviously a big chunk of change. And then additionally, you know, it takes a lot of time and resources to get through a lot of CMMC things. If you're building an SSP with no SSP generator, you're probably looking at four or five months of your team's time to build an SSP. So that's a lot of resources and, you know, human capital, and that I know can be very costly. So I would say you're looking at 5 to 6 figures for CMMC. It's not like SOC 2 where you can pay, you know, much less and get an audit through a platform.

How can we continuously monitor our compliance posture? Can we do real-time collection, search monitoring, analysis of data compliance in a centralized solution? Yes. That's exactly what Secureframe does. Would love to show you a demo, Neboja. Yeah. So appreciate some of the comments in here answering some of the questions. I just wanna make sure I don't miss anything.

With AI and automation rising, do you expect future CMMC updates to shift from static control checks to more continuous compliance monitoring models? Great question. You know, we're seeing a lot of that right now with FedRAMP. You know, if you're not familiar with the FedRAMP 20x program, we definitely encourage people to look into that. You know, FedRAMP is moving into the future.
They see that, you know, everyone's in the cloud, and we have compliance automation platforms now that can do a lot of this continuous monitoring. And, you know, technology's changed over the last fifteen years. So I do, and there's already rumblings about CMMC 3.0. So what that will look like, I'm not sure, but, you know, I do know that a lot of people in the government are trying to make things more modern and use more technology. And so, if I had to bet, if I was a betting man, I would say in CMMC 3.0 and in the future of the program, I'm sure there will be more continuous compliance monitoring models.

With CMMC 2.0, how can we customize and then publish CMMC-required policies and manage required documentation? You can do that all within Secureframe. In theory, you could also do it in your own Google Drive, but we have templates and policies and a whole policy management module. Secureframe also has an SSP module, which can help you generate and maintain your system security plan over time. There's not many platforms, or really any, that have that capability outside of ours, along with all of our GRC capabilities. So we're really at a unique place in terms of our federal offering and capabilities. Just wanna make sure.

Is there a clear definition of when level two is self-attest versus third-party audit? Yeah. Good question. So as mentioned, if you have CUI or SPD, you likely need that third-party attestation. If you do not have either of those and you might just have to be level two compliant as part of a flow-down requirement, but you really don't have any sensitive data and maybe just your customer or your contractor is requiring level two, you likely can self-attest. And Secureframe can help with that. You know, we have gap assessment and SPRS scoring within our platform that would help you self-attest. Just wanna make sure I'm not missing anything. Okay. Yeah.
Neboja, I see you sent a lot of good questions. We do pretty much everything you're asking in there. I would definitely encourage you to get a demo of the platform. You can reach out to me, rob@secureframe.com, or sales@secureframe.com. You know, we're happy to show you our platform. It really does a lot of good stuff. Alright. I'm gonna keep it moving here through the slide deck. But I appreciate all the questions and the interaction. This is fantastic. Please keep them coming. I'll keep an eye on the chat and, you know, wanna be a resource and help you guys out through your questions and your different CMMC needs.

So, talking about the CMMC rollout timeline. So as mentioned before, CMMC is being introduced in phases to give the defense industrial base time to understand and implement these requirements and to give the CMMC ecosystem time to meet the demand for assessments and their services. The DOD understands that no one is gonna be CMMC compliant overnight. So there are four phases. And these four phases start now, and they go until 2028. So phase one, beginning this year, will require self-assessments for level one and level two certifications to be included in new solicitations. So any new contracts that are being made, that the DOD is putting out for an RFP, will start including CMMC in them. So the DFARS final rule was published, passed by Congress. So it is officially a law that DOD contracts need to include CMMC going forward. So for those level one and level two self-attestations, those are gonna start appearing this year. Phase two, starting approximately one year after phase one. This will be third-party assessments becoming mandatory for level two certification in new contracts. Phase three, one more year after phase two, which will likely be 2027.
CMMC level two certification requirements will be enforced as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. And level three assessments will begin for certain programs. So as you can see, there's a lot of different conditionals for this rollout, and it's gonna apply to many different members and/or companies that are part of the DIB. The DOD expects that there's over 800,000 companies that are part of the DIB or that CMMC will apply to, whether, again, as a prime contractor, subcontractor, subcontractor of a subcontractor. You know, the DOD is really trying to lock down their supply chain. And then that phase four is expected to begin in 2028. This final phase will require full CMMC compliance across all applicable DOD contracts. And while these phases may seem far off, the time to start getting ready is now. If you start too late, it's gonna take you months, if not years, unless you use Secureframe, to get ready, and that could push you past the deadline when you actually need to be compliant. And you could potentially even miss out on some of these contracts. You know, if it's you and another vendor or supplier that the DOD or another contractor, prime or sub, is looking at, and one is CMMC compliant and one isn't, the CMMC compliant organization is likely going to get that award because they're in compliance, and no organization wants to be out of compliance with the DOD. You know, that's how you lose business. That's how you get fines. Essentially, how you break the law, and, you know, you don't wanna break the law.

Phase two beginning January '26? I would say later in 2026, Jacob. So they're saying it's gonna be one year after phase one starts. Phase one is expected to be implemented, they say, in 2025, but my guess would be in the next few months to be official. So probably the latter part of 2026.
Is CMMC compliance like PCI DSS compliance that is done annually? Good question. No. So CMMC compliance is a triennial assessment. So if, let's say, you need a third-party attestation, you do that every three years. And then on an annual basis, you can self-attest in between those three-year phases. Whereas PCI compliance is annual, similar to a SOC 2 or FedRAMP. So, CMMC, it is continuous compliance. It's not like a one-and-done type thing, because you do need to self-attest that SPRS score every year. But the official third-party assessment, that will be done every three years.

Which contracts are likely targeted for CMMC requirements? Any specific codes? They're saying it's gonna be all DOD contracts. So whether you're Air Force, Navy, Army, or just a general contractor. Even if you're cleaning supplies for the DOD, you know, you could fall into that place. If you're manufacturing some random part, you know, we do see a lot of manufacturing organizations that need CMMC compliance. That's a very common thing. If you're a service provider of any sort for the DOD or the DOD supply chain, you're likely gonna need to be CMMC compliant.

In our experience, the vast majority of contracting officers and small business teams, such as NAVFAC and Air Force bases, have no knowledge of CMMC and its upcoming requirements. How do you think this will actually roll out in practice in the construction space? So, you know, I think what's gonna happen is that in the construction space and many other industries, some organizations are gonna try to get ahead of it. You know, they're gonna work with companies like Secureframe, some of our vCISO and MSP partners, to help get ready, and they'll be prepared.
And there's gonna be organizations that say, you know, I don't need this, and they're gonna learn the hard way when they lose a deal or when they realize they need to be CMMC compliant yesterday or next week. You know? And that is really hard. You know? Here at Secureframe, as I mentioned, we just went through a CMMC audit. We have our platform. We think we're experts. It doesn't mean we do this overnight. You know? It's still a hard process. There's a lot of documentation that goes into it. There's a lot of controls you have to get through. Auditors do a thorough assessment of your platform. You know, it's not snapping your fingers. So, you know, the sooner you can get started and start working on this stuff, the better for sure.

That is a faint line with MSPs and MSSPs. Yeah. A lot of the MSPs that we work with need to be CMMC compliant because they are either security protection assets for their customers or they are responsible for controls for their customers. And if you're responsible for a control that needs to be met as part of CMMC, one of those 110 NIST 800-171 requirements, you need to be CMMC compliant. And if you're not CMMC compliant, then you will be in scope of your customer's audits. And that means you'll be invited to interviews, you need to provide evidence, and the auditors can ask you pretty much anything. So being CMMC compliant really lowers the burden on your organization to support your customers.

Would an MSSP need CMMC level two or does level one suffice? It depends on your customers and who you're supporting. So if the customers you're supporting are level two, then you probably need level two. Same idea for level one.

What are the fines for noncompliance? It depends, kind of, what that compliance looks like, the level of sensitivity of data.
Also, sometimes you might not get a fine, but you might just lose out on the business. You know? Again, if they're picking between a CMMC authorized vendor and a non-CMMC authorized vendor, the fine is essentially the opportunity cost, or the loss of opportunity there. So, yeah, lost contracts.

Yeah. And VMs are great. You know, if you're familiar with CMMC, you might have heard about enclave solutions, which can be used to lessen the scope of your CMMC audit, but really help you establish, like, an isolated boundary or environment that sometimes can make it easier to get CMMC authorized. And Secureframe is actually coming out with an enclave solution soon where you can create an enclave in your Azure instance environment out of CMMC and ensure compliance with that. So, VMs can be a good resource for CMMC. So I appreciate you calling that out, Michael. Oh, questions keep coming. You guys are crushing it.

Based on your experience, what are the most common issues first time emergencies fail on, and how can we avoid them? Scoping. Like I said, you know, if you don't know the scope or you're improperly scoped, it can lead to, you know, focusing on the wrong things or not preparing enough. And then again, like I said, sometimes people, I think, underestimate CMMC. You know, they think they're SOC 2 compliant, it should just be a few extra controls, but it's more than that. You know, even if you have a platform, it's a lot. And it's very nuanced. It's very black and white, very prescriptive. You know, it's not as flexible. SOC 2 can be very flexible, very malleable, if you will, in terms of which controls you decide to implement. CMMC is not like that. CMMC has 110 requirements, 320 assessment objectives, and you need to be compliant with all of it. And they're very clear.
And there's assessment guidance in terms of how all of it needs to be done. So there still are multiple ways to skin that proverbial cat, but the ways to do that are much more confined to those 110 requirements and 320 assessment objectives. What if we use Secureframe to help a client get CMMC readiness, or provide compliance as a service offering? Would we be in scope? Potentially. So if you're an MSP or a vCISO, you could be in scope. There's some nuance there, so that might be something to discuss further, Brian. But it is very possible, for sure. Yeah. Many organizations struggle to justify the cost of advanced resilience tools. How can IT leaders build a strong business case for resilience investments? A good business case often comes back to money and dollar signs, and government contracts are big. I'm sure you hear on the news about DoD budgets and federal budgets. These contracts are not $5,000. They're big, big contracts. So the juice can be, and is, worth the squeeze many times. You might be spending $50, 60, 70,000 on CMMC, but you might be looking at a $100,000 contract, or 200,000, or 500,000. Some of these DoD contracts are up in the millions. It depends who you are, but I've seen a big range of CMMC contracts. What are the low-risk level two requirements from the 14 families which comprise the 110 security controls, or are the low-risk ones dependent on the environment? It's a good question. I guess low risk depends on the environment. What I would say is I don't like to call them low risk, but I will say CMMC does include a lot of common controls. So things that you're used to seeing in many frameworks: access controls, incident response, training, network security. These common controls that you're familiar with from SOC 2, ISO, PCI, FedRAMP, they're all part of CMMC. 
So you do see overlap there. I don't know if that necessarily makes them low risk, but I will say it makes them more familiar. I think sometimes when there is overlap, it makes it a bit easier, lower-hanging fruit to achieve them or know you're already on the right track. But I guess low risk really depends on the environment. Also, if you're CMMC level one, likely low risk. What metrics should organizations track to measure the effectiveness of their uptime resilience strategies? RTO, RPO. That question is pretty specific to contingency planning, which, believe it or not, is actually not part of CMMC. The CP control family, which you might be familiar with from NIST 800-53 and FedRAMP, is surprisingly not part of CMMC, but that doesn't mean it's not an important part of a good cybersecurity program. In ransomware attacks, resilience often fails at the recovery stage. What best practices do you recommend to ensure fast, clean recovery? Obviously, having a good business continuity and disaster recovery plan, and doing tabletop exercises, is critical. That's always good to help prepare the whole team. Doing training, right? Whether it's incident or information spillage training, or ransomware training, or basic security awareness training. Those are really key. And then if you're in the cloud, having high availability, having multiple availability zones, having backups set up. These are things that are critical to a clean, easy recovery and high availability. With organizations that depend on cloud providers, how can IT leaders ensure true resilience without being locked into a single vendor? 
We see organizations that sometimes decide to have different database providers; maybe they're in AWS, but they also want to have MongoDB or a Snowflake set up. We really recommend having multiple zones. What if you're set up in AWS and, god forbid, US East or West goes down? It's unlikely that another zone goes down as well. And now, obviously, AWS is FedRAMP Moderate, and they take really good care of their controls and their compliance, and their customers' controls and security. But the inherent nature of the cloud definitely helps a lot of that stuff, which is nice. The power of technology, living in 2025. How do you see AI-driven automation changing resilience strategies in the next few years, especially in minimizing downtime? I'm sure that AI will make it easier for organizations to determine what their recovery times are. You can probably ask ChatGPT, tell it your context, and it'll give you a suggested RPO and RTO. Before ChatGPT, you might need to hire a consultant for that, or do a lot of research. So, not saying ChatGPT can just do your BCDR for you, but I am saying that there's definitely value in AI, in all fields as it relates to compliance. And Secureframe has a lot of different AI capabilities for CMMC and honestly for all our frameworks and GRC modules, which we're really excited about, and they save our customers lots and lots of time. Yes, I definitely recommend resilience drills, fire drills, tabletop exercises, red team exercises, pen tests, vulnerability scans. I definitely recommend doing those at least annually. So yeah, lots of ways to do that. Can we move on to the next slide? Yes, we can. Thanks, Michael. Sorry, we got so many good questions. 
You guys are doing great. Hopefully, I'm doing great as well. Alrighty. So who needs CMMC compliance? Now that I've explained the urgency and timeline behind CMMC, let's talk about who's going to need to be compliant. We mentioned prime contractors and subcontractors as the most obvious candidates, but the scope of who needs CMMC is broader than many expect. People forget that subcontractors are in scope as well, as I mentioned. So for primes and subs, if you handle FCI, CUI, or SPD, you'll likely need to meet level one or two requirements. If you handle really sensitive data and you're a prime or sub, potentially level three. For manufacturers and other DoD suppliers: if you don't have a large cloud or tech footprint but supply tangible goods and services, think manufacturers or some of those DoD service providers that I mentioned, whether it's cleaning services or certain parts or, you know, we recently spoke with a company that provides office furniture to DoD offices. CMMC compliance does apply to you. As weird as that sounds, it doesn't matter. You're part of the DIB. That's really the idea here, right, to protect the entirety of the supply chain. The US, for better and worse, has adversaries all over the world, and we need to protect national security, protect the warfighter from these adversaries. So it is critical to many different manufacturers and suppliers and service providers. And then, as mentioned earlier, service providers including MSPs, security operations centers (SOCs), cloud service providers, and security protection assets like Secureframe: you may fall into scope. If you're a tech company that provides a secure service of some sort, whether it's mobile device management or vulnerability scanning or pen testing. 
Any of these types of services can and will be in scope for CMMC compliance, especially if CUI is in play or you are part of those flow-down requirements. So here's a good example. If you're a SOC that provides incident response for either a cloud service provider or an MSP, you'll likely be part of a contractor's assessment boundary, and you will need to show that you are compliant with CMMC and the 110 controls that we keep talking about, and provide evidence showing that those controls that they maintain are in place. So going back to the SOC example: if you are responsible for your customer's incident response controls, then you will be in scope for the incident response portion of their assessment. So you will need to attest on behalf of that customer for how they're meeting IR, I believe it's 3.6.1, 3.6.2, 3.6.3. Right? Those are the three IR requirements that are part of CMMC. So it's really critical that, depending on what type of services you provide, you are ensuring compliance. And the same goes for any organizations that don't currently, but might one day want to, work with DoD or prime contractors. With federal contracts totaling $775 billion in fiscal year 2024, proactively getting CMMC certification can help you break into this lucrative market. What about configuration management tools that don't hold CUI but manage configuration for the computer that holds CUI? Definitely in scope. You would be responsible for the configuration management controls that are part of CMMC, and you'd probably be categorized as an SPA, most likely. For example, Secureframe, as mentioned, does continuous monitoring for a lot of our customers. Continuous monitoring is part of the CMMC scope. So we are in play, or in scope, even though we don't have CUI ourselves. Alright. Moving on to the next slide here. 
So just understanding the three levels. As mentioned, level one: 15 requirements, pretty basic, handling FCI, self-assessment only. Level two: 110 NIST 800-171 controls, 320 assessment objectives. Just to be clear, all 320 assessment objectives must be met. This is a common misconception too that I didn't mention earlier: a lot of times people think they just need to meet the 110 controls. Yes, but they need to meet every single assessment objective that underlies that. When the auditor does their assessment, they're assessing you at that assessment objective level. So they're going 1a, 1b, 1c. They're not just looking at number one. They're looking really line by line. And when you get your artifact list from your auditor, or you build your SSP, it needs to be done at that granular level, which, honestly, I know it sounds like more work. It is more work, but that is the nature of the beast. Right? You do need to do that to be CMMC compliant, which I think is part of what makes it hard. It's what makes it a beast. And then, as mentioned, level three is going to be those 24 additional controls on top of that 110. Secureframe has all three of these built out on our platform. They are three separate frameworks. If you needed to get compliant with any of these with Secureframe, you can kind of pick and choose or just add one as needed. We'll have customers that start with level one, then they're ready for level two, they move on to level two, and then they go to level three once ready. Or they go straight to level two, or they just need level one. So we can really support you any which way. And I would add to that, Secureframe is FedRAMP authorized now as of a couple weeks ago. You can see us on the FedRAMP marketplace. 
So if that is a concern about using FedRAMP authorized vendors as part of your scope, Secureframe is FedRAMP authorized. Alright. I'm going to keep it moving here because I do want to keep an eye on time, and I appreciate all the questions. So as mentioned, CMMC spans 14 control families, or categories, if you will. Hopefully these look familiar to you if you're familiar with NIST or FedRAMP, but these are the control families that make up CMMC. And as mentioned, there's a lot of overlap here, as you can see. So access control; security training; logging and monitoring; configuration and change management; identification and authentication; incident response; physical security; personnel security, which is background checks; risk assessments; security assessment, which is continuous monitoring, POA&Ms, SSPs; network security; system integrity monitoring. So a lot of overlap here with a lot of common frameworks, with a lot of other federal frameworks, and this is what makes up CMMC. And then, what's in scope for a CMMC assessment? There are five different asset types: CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets. I will say the first two are generally the most important and most common. CUI assets: anything that has CUI. Security protection assets: anything that provides a security function. So configuration management, change management, continuous monitoring like Secureframe, vulnerability management. Those are generally security protection assets. Contractor risk managed assets are assets that could possibly transmit, store, or process CUI but do not. And you likely need to show an auditor how these assets are segmented from the CUI workflows and any documentation that supports that. 
And then specialized assets are assets that can but will not process, store, or transmit CUI and are difficult to secure using standard methods due to their nature. Examples include operational technology systems, Internet of Things devices, stuff like that. And then out-of-scope assets are stuff that's really out of scope, like Zoom, or if you use Zendesk for your ticketing, or you use Notion for internal documentation but there's nothing important or sensitive in there. Those are the types of things that are out of scope. And honestly, it's really important to figure out what's out of scope, because if you have something that should be out of scope but make it in scope, you're just creating more work for yourself. Auditors don't want you to include out-of-scope things that don't need to be in scope, because it's more work for them and, frankly, it's an inaccurate scope. So it is really important to be able to narrow that scope as much as possible. And as I mentioned, having an incorrect scope can lead to scope creep, wasted time, gaps in coverage, and really just wasted resources as well. So you want to ensure that you're aiming for the right goalpost and it's not moving. So now, how to prepare for an assessment? First, you want to make sure you understand your CMMC scope, as mentioned, and the requirements. You're going to want to implement those requirements. Make sure you're meeting all 110 controls and 320 assessment objectives. You need to build a complete system security plan, documenting how you're meeting all 110 controls and 320 objectives. The SSP, I would not underestimate that. Right? Without Secureframe's SSP generator, it will take you at least three to four months, if not longer. 
Many companies will pay MSPs or vCISOs to do this for them, and it'll still take them some time, and it'll probably cost you anywhere between $50,000 and $100,000 to hire someone to do it for you. So I would definitely encourage you to look into Secureframe's federal package that has our SSP generator. I wish I had that when we were building our SSP. It really would have saved us a lot of time. It's an awesome tool. I haven't really seen anything else like it on the market, and it's a really neat tool. Does it spit out the SSP in a good format? Yeah, it looks like the SSP that you're used to seeing. The way it works is it collects a lot of different data pieces that are critical, as well as your control implementation statements, and then spits it out. So it's more of a data collection and input tool, and then it spits it out into a good SSP format. And I should note, most SSPs are around 150 pages at least, if not more. If your SSP is 75 or 80 pages, which is still a lot, that's not enough. I've seen organizations learn that the hard way. The auditors are expecting to see really comprehensive and robust documentation within that SSP that really documents the who, what, when, how, and why of each and every single control and objective. Are we able to get these slides? Yeah, we'll share these slides afterwards. And we do have a good POA&M tool as well. That is part of our federal package. It's really nice. It's a clean table where you can create POA&Ms either straight from the SSP or from your controls and track them against that 180-day requirement that I mentioned. And, yeah, it's really neat. The new federal package is something we're really excited about here at Secureframe. Yeah, Michael, it just came out in the last couple months, so it's very new for us, still in its infancy. Awesome. 
Alright. And then inventory vendors, assets, and data flows; you're going to need to document all of that. Network diagrams are a critical part of that SSP. You need to document where your CUI or SPD is going and coming from, where it's stored, how it's transmitted, and those things need to be really comprehensive. For SOC 2, I've seen people draw data diagrams on the back of a napkin. For CMMC, they need to be very comprehensive and robust. Conduct a thorough gap assessment. You can do that on our platform or you can do that separately, but I would definitely recommend it to ensure readiness. Right? You want to know what your SPRS score will likely be beforehand. It's nice with Secureframe; we have an SPRS score now where you can track that. That's another new feature we just came out with in the last couple months that we're really excited about. But that's critical. You want to know where your gaps are so that you're not shooting yourselves in the foot going into your audit. I'm going to keep it moving here for the sake of time. But as mentioned, how Secureframe can help: we integrate with your tech stack, pull out the evidence, and then automatically map it to different requirements, controls, tests, and assessment objectives. You can build your SSP and manage it over time. The UX is really nice because, like I said, you can manage it over time. Once you build your SSP, you need to make sure it stays accurate. When you put in new technologies, you need to update that SSP. As new control owners come into play or new processes come into play, you need to document all that stuff. POA&M management: track your POA&Ms against certain assessment objectives or controls. SPRS scoring. These are capabilities that, I would say, a lot of our competitors who do have CMMC capabilities don't have; they don't have these federal offerings that we do in terms of SSP, POA&Ms, SPRS. 
Some are using templates. And if they do have some of that stuff, they probably don't have a lot of the other GRC stuff that we have in terms of vendors and risks and all that. So we really think that we're uniquely positioned there. We're really excited about it. We've gotten really good feedback from our customers thus far. We've had CMMC customers get authorized, and there's more coming on the federal side with our enclave offering and as our FedRAMP offering grows. We're really excited about it. As mentioned, asset, vendor, and risk management are requirements for CMMC, and requirements for a lot of other frameworks as well. Policy templates and control mapping across all frameworks. That mapping makes things a lot easier. Right? You can do something once, apply it many times. You shouldn't need to upload anything multiple times. And then we have an auditor module now where auditors can do their whole audit within Secureframe. They can create new requests, they can make follow-ups, they get their own kind of portal, essentially, which makes it really easy. And we have a lot of audit partners that are using Secureframe for our customers' audits. And we work with a lot of really good C3PAOs that have done a lot of these. They have a lot of experience. We work with brand-name firms like Coalfire and Align. We work with some of the most experienced CMMC auditors, like Redspin. We have more price-conscious auditors that are kind of on that lower end I mentioned earlier. So whatever kind of auditor you're looking for, we can set you up. And we've been through this ourselves, most importantly. I just took Secureframe through a CMMC audit. So I can tell you all our trials and tribulations, the good, the bad, and the ugly, because we want to help you. That experience has been really critical. 
And same with FedRAMP 20x, if you need to get FedRAMP authorized as part of your DoD or federal compliance. That's something we did. Check us out on the FedRAMP marketplace. We're happy to help, and we're really feeling like a leader here in the federal space. As mentioned, I've been in this space for ten years now. I haven't seen any tool like ours. We have competitors that do a lot of similar things, but I don't think anyone has that unique all-in-one offering that we have. You can get bits and pieces from a lot of different places, but what we have is pretty unique. So, yeah, if you want to book a demo, please reach out to rob at secureframesales@secureframe.com. We'd be happy to chat. If you don't want a demo and just want to talk through some of your nuanced questions, I'm happy to do that as well. As mentioned, I understand this stuff is complex. It really is. If we need to have multiple chats, we're willing to do that. We're here to help. And I know I also said a lot in this webinar, and we will be sharing the slides and the recording. But if you take some time to digest and want to come back and talk about it or ask questions, please send them in. Also feel free to connect with me on LinkedIn, Rob Gutierrez. Happy to chat about really anything. I'm just going to look through the questions real quick here. Yeah, we have all the policies and templates. Also, if you go to cmmc.com, you can get all of our templates for free. So cmmc.com, you can get all of Secureframe's templates for free. What's a rough price for Secureframe on 10 end-user devices? I am not a sales guy, so I'm not sure, even though I think sometimes I sound like one. But yeah, connect with me on LinkedIn. Awesome. Cool. Well, thanks everyone for joining. Really hope you enjoyed it. We enjoyed having you. We enjoyed doing this. 
We enjoy helping our customers through CMMC. So hopefully we chat soon. Otherwise, I hope this was great for everyone, and I hope you all have a great day. Take care.