Video: CMMC Certification Through the Eyes of a Certified CMMC Assessor: Avoiding Common Pitfalls in Your First Assessment | Duration: 2672s | Summary: CMMC Certification Through the Eyes of a Certified CMMC Assessor: Avoiding Common Pitfalls in Your First Assessment | Chapters: CMMC Webinar Introduction (13.36s), Introducing CMMC Experts (112.855s), Selecting Your C3PAO (334.135s), Documentation and Preparation (632.275s), Live Assessment Phase (1012.12s), Evidence and Interviews (1122.17s), Interview Process Details (1248.62s), Assessment Sampling Process (1382.18s), Assessment Final Stages (1616.93s), Prescient's Assessment Approach (1722.29s), Audit Management Process (1799.565s), Q&A and Wrap-up (1879.47s)
Transcript for "CMMC Certification Through the Eyes of a Certified CMMC Assessor: Avoiding Common Pitfalls in Your First Assessment":
Alright. Hi, everybody. Thank you for joining the CMMC part three series. We're gonna give it one more minute just to allow more people to join, and then we'll officially kick things off. Alright. Great. That should be enough time. Welcome, everybody, and thank you for joining part three in our CMMC webinar series: Certification Through the Eyes of a Certified CMMC Assessor. If this is your first time joining us, my name is Marc Rubbinaccio, and I'm the head of cybersecurity and compliance at Secureframe. I was responsible for our CMMC Level 2 assessment, which did receive a perfect score of 110 out of 110. I also lead our product direction for supporting our CMMC customers. Joining me today are our close partners, Prescient Security, who will be leading the webinar, taking you through what they have seen in the many CMMC assessments they have been a part of and, ultimately, how to be as prepared as possible. Please welcome Sammy and Matt. I'm glad you both are able to join us today. If you can give us a quick introduction on your end, Sammy, if you wanna kick things off. Sure. Sure. Thank you, Marc, for inviting us and including us on this journey as you go around and educate the community on how to prepare for CMMC and what's ahead of us. Sammy Chaudhary, cofounder and chief compliance officer. I support our audit practices here at Prescient. We cover SOC 2, ISO, PCI, HITRUST, FedRAMP, and CMMC among other cybersecurity, privacy, and AI related standards. We support over 5,000 small businesses around the world on their compliance journey. Our mission is to simplify security and compliance for all. With me I have Matt. He leads our federal practice. Matt, over to you. Yeah. Good morning. Good afternoon, everybody. My name is Matt Graham. I'm the vice president of the US Federal Practice over here.
I'm a senior FedRAMP and GovRAMP assessor and a candidate lead assessor on the CMMC side. My team is made up of a number of fully qualified and candidate lead CCAs, CCAs, and CCPs, and we specialize in all NIST frameworks. So we're really excited to talk to you guys today. Thanks, Sammy and Matt. Really appreciate having both of you here in the webinar with us. Alright. To kinda kick things off, I'll quickly skim what Sammy and Matt are gonna be going over today. First is how to tackle actually finding a C3PAO that would be a good fit for your organization. Next, how to ensure you will get through that first phase of the assessment. Then what to expect during phase two. And finally, how remediation of findings and follow-up requests are actually handled for CMMC. We'll touch on recertification requirements, and then we'll preview part four, which is gonna be the last part of our webinar series. I'll quickly go over some of what we covered during part one and part two of the webinar series. In part one, we covered the timelines, scoping, levels, and data categorizations. We also covered segmentation and enclaves, and whether or not this is something your organization should pursue. CMMC Level 1 is when an organization is handling FCI only, which results in a self-assessment. CMMC Level 2 is what we are generally going to be covering today, and that revolves around the protection of CUI. We're likely gonna see most organizations need a third-party assessment for Level 2. And finally, Level 3 is an assessment specifically through DIBCAC, which is a unit of the Department of Defense. In part two, we covered how to prioritize implementing controls for CMMC and how to prepare your evidence for the assessment. We also covered different strategies and ways an organization can perform a gap assessment. So, if you haven't seen part one or part two, I would highly recommend you go watch those after this webinar.
Feel free to email me for the links, or you can find them directly through Secureframe's LinkedIn. Now it's my privilege to pass this webinar over to my co-presenters, Sammy and Matt. Please feel free to take it away. Great. Yeah. Thanks so much. So let's start at the very beginning of your CMMC journey. Right? And one of those key parts is picking your C3PAO, your certified third party assessment organization. This is one of the most important decisions that you're gonna make as an OSC, because that C3PAO then becomes your partner throughout your entire assessment life cycle. So when we touch on this, one of the first things we talk about is timing and scheduling. Right now, government's just reopening. Timing is critical. November 10 was CMMC day. So you're gonna start seeing all those contractual requirements flow down. So there's demand building in CMMC Level 2 assessments during this ramp-up period. So lead times for some of your C3PAOs can stretch several months. If you're targeting specific quarters for award cycles, you need to start engaging with those C3PAOs very early. Same thing with your RPOs. If you need assistance in getting set up, RPOs are ready and waiting, just like us. So don't wait until your documentation is perfect before you start working on your C3PAO relationship. A good C3PAO is gonna help align your readiness milestones with their schedule, and that will help you develop your shortlist. So some folks are booking eight months out. Some folks are ready to go next week. Make sure that is an important determination in who you're picking for a C3PAO. And then your next step is gonna be performing your due diligence. Right? So, if you're going to choose a C3PAO, you're gonna vet them like any other major partner. You wanna talk to your C3PAO about how they assess organizations like yours, environments like yours.
Whether it's cloud systems, manufacturing environments, hybrid architectures, these are all very important things to discuss with your C3PAO to make sure that their assessment methodology is aligned with your specific environment. You wanna discuss how they handle evidence collection, how they do remote interviews, on-site interviews, and multisite coordination if that's applicable to you. But at the end of the day, your C3PAO should be very transparent about their methodology and their experience in assessing a system similar to yours. The next thing you wanna make sure of when you're discussing things with your C3PAO is what the cost expectations are. It's always a factor, but it's not really one size fits all. There are various ranges out there in the marketplace from $35,000 to $75,000, depending on complexity and the number of objectives in play. So it's perfectly reasonable during your initial discussions to ask for a range once the C3PAO has an idea of what your system boundary looks like. But it's also important to understand what's included in your assessment. Does it include a readiness review? Is field work included? Travel, reporting, remediation support if necessary, and then understanding those expectations and managing those throughout your C3PAO selection process. The next thing you wanna make sure you understand is what the methodology really is. Not every C3PAO runs by the same playbook. We all have the CAP, but each individual C3PAO may have variations of how they run that. It could be a phased approach where they do readiness, field work, and reporting, or they could do integrated review processes. So understanding what the assessment methodology looks like will help you set out your timelines and pick the C3PAO that's right for you.
So make sure that you understand how they evaluate evidence, how they handle interviews, what the findings documentation process is, and then make sure that everything along the way has clarity, consistency, and alignment with the CAP. So in short, treat your C3PAO like any other strategic partnership. Making sure of the right fit helps you stay organized, manage expectations, and ultimately make the certification experience a lot less painful. Yep. I would just add one more point here for the audience: keep efficiency in mind. Automation plays a critical role in reducing your cost and time through this process. So it's important to pick an assessor who is tech forward and can understand not just your implementation, but also can drive efficiency through implementation of various automated means of collecting evidence and maintaining evidence. As assessors, you will find different types of assessors in the marketplace. Some would give you a lot of pain and maybe a very expensive and very long journey with you. Others would offer a more flexible, more frictionless experience that is yet high quality. So it's important to choose your assessor over those factors, and automation plays a key role. That's why we're partnering with Secureframe, because we believe in efficiency. Yep. Go ahead. Cool. Yeah. Absolutely. Automation is the future. There are so many innovative approaches out there, and there are also lots of spreadsheets. So finding the right fit for you and your team, especially to make it less painful, is absolutely something that we recommend. But this kind of goes into phase one. Right? So now you found your perfect C3PAO. They understand your environment. This is what I would describe as your foundation phase. What do you need to do to get ready for your C3PAO assessment?
Sometimes that's engaging with an RPO like us, where we can help you build your documentation, leveraging a lot of tools and automation out there to help build these things. If it makes sense for your organization, absolutely leverage what you can. But, really, this is where organizations set themselves apart. They set themselves up for success, or they create additional challenges that they have to unwind later. So think of phase one as your preparation, documentation, and clarification phase. When you walk into this, your idea is to make sure that you are prepared for that C3PAO and assessment. So, first piece, know what's in scope and how it connects. You wanna make sure that you have a very clearly defined system boundary, so you know where CUI sits and how it flows throughout the environment. That should be supported by clear documentation and architecture diagrams. You also wanna make sure that you have pretty clean executive summaries that explain how your environment works in plain English. Obviously, you wanna start with the high-impact controls, so access control, incident response, configuration management, and then work your way down through the NIST 800-171 control objectives. As you do this, you wanna make sure that you're gathering evidence either in a GRC platform or in some home-brewed structured repository. You don't wanna wait until your assessment begins to start that organization process, and also make sure that information is categorized so that from the very beginning it's organized. It saves a lot of cleanup later. One of the next major tasks that you're gonna do as you're preparing is build a detailed system security plan. The system security plan is the plan. It should describe how each of your controls is implemented and who's responsible for them, and your team should know where the evidence to support that implementation exists.
Within your SSP, you should include all supporting documents like architecture diagrams, asset inventories, your vendor list, external service providers, and any associated system documentation. At the end of the day, a strong SSP will tie every control to the exact policies and procedures that support it, and it should read like a road map. Your assessor should be able to trace from the objective to the evidence without guessing or going on a scavenger hunt. During this phase, you're also drafting your policies and procedures. So, again, every control maps back to a policy and procedure. This is the time where you validate that documentation, and you're making sure that all of your employees are reviewing and acknowledging their policies, and making sure that all of this is in a mature state so that your assessors can go in and say, yes, they signed the policy, they execute the policy by following the procedure, and it all maps back to the plan. If you've got a GRC tool or platform that supports this mapping, or linking policies directly to those control objectives, it's a huge advantage from an assessor standpoint going into field work. Another one of the things as you're preparing: you wanna make sure that the SMEs on your team know where the evidence is located and how to find it. CMMC assessments are heavily dependent on documentation, but the main priority is validation. Your assessors are going to expect to speak directly with the people responsible for implementing those controls, making sure that they can confirm that the policies and procedures in the SSP are actually being followed. So we recommend holding internal walk-throughs and mock interviews with your SMEs, making sure that they can confidently explain what their area of responsibility is, what tool they use, how they ensure compliance in practice, and that they can show somebody if asked.
This one step alone makes a huge difference in how smoothly these assessments go. One of the major pitfalls I see in phase one is just poor or incomplete documentation. Your data flow diagrams are missing or overly complex. Policies are spread across too many sources. SSPs don't match. All these things can make assessments much more difficult than they need to be. So focus on phase one, getting your documentation in order, getting ready for responding to questions. Before you do any technical deep dives or tool audits, make sure your documentation is really dialed in. Anything to add there, Sammy? Cool. Hey, Matt. Have you seen organizations not be able to get past phase one due to documentation? Or what are some of the pitfalls there? Is it gonna be a timing issue, a cost issue, if they're not able to make it through phase one? Yeah. So phase one can stretch. It could be a very quick "we do all this stuff, but we don't have somebody to write it down." So if you don't have a bunch of tech writers, there are tools, there are partners that we know out there that can help you get that documentation in order. But, really, it is a labor-intensive task. When we built our system documentation, it took us three, four months to write everything down, because we were doing it. We built the system. We built the enclave, but it's really, do you have the time to write it down? Do you have the time to educate the people or even gather the information that you need? That's really where the hard part comes in. We see it in FedRAMP, we see it in GovRAMP. It's a lot of stuff to write down. There are a lot of tools out there that can really support that, which I kinda wish we would have leveraged at some point, but we did it the hard way. I don't recommend the hard way. Cool. So now, let's talk about phase two. Right? So we've done our documentation. We have our C3PAO in place.
Phase two is where the live assessment actually begins. This is where your assessors are gonna come in. They're gonna verify that what's written in the SSP is actually happening in practice. That's done through interviews, demonstrations, and observations. So examine, interview, test. CMMC allows us, with an assessor determination, to figure out that this is actually in place and operating as intended. So we talk about interviews and observations. This is usually about a week, three to five days depending on the system complexity. The assessors will meet directly with your control owners, your subject matter experts. What's critical here is making sure that those key resources that you've prepared in phase one are available to speak to the controls they are responsible for. It goes a little bit beyond general process. Your assessors are going to talk about actual implementations: how something works, how often it's done, what tools you use, how it's validated. In many cases, the assessors aren't gonna rely just on verbal answers. They may ask your SMEs to log into a system and demonstrate a configuration, like showing MFA settings, audit log retention, endpoint configurations. It's important that those answers align with your documented controls within your SSP and your policies, but your SME should be able to bring that story to the front, bring it to life for your assessors to review, and consistency is key here. A lot of systems are building CMMC-specific environments that might be different than the normal corporate environment. So understanding the scope, making sure the SMEs know to speak only to that scope, is very critical during the interviews and observations phase.
So what we typically recommend is holding mock interviews ahead of time, walking through each control area with the people that are responsible so that they know what the SSP says, what the policy says, what the procedure says, and what they actually do day to day, and making sure that your assessor hears a consistent message throughout, and, ultimately, the confidence in those responses. So it's not a canned answer, it's not a compliance guy sitting on the side, it is a true practitioner saying this is what we do and how we do it and I can show it to you here. So the interviews and demonstrations, those are all great. The other half is evidence. Right? So the organization has to gain some sort of efficiency in collecting this evidence and make sure that they're prepared in advance. Phase two evidence is required to align specifically to each one of the assessment objectives, not just a control as a whole. So organize artifacts in accordance with the assessment guide structure, objective by objective, with clear mappings. We always recommend automation where possible. Automated evidence here is your friend: log exports, screenshots generated at scale, configuration baselines, vulnerability scan outputs, endpoint management reports. You wanna make sure that all of your evidence covers every in-scope asset and system, not just a small subset, and your assessors will check for consistency. And you wanna make sure that it's all organized and traceable. So label your artifacts clearly, group them logically, store them somewhere, in a tool or in an organized repository, so it's easy to export and you can keep it maintained and updated. That creates a seamless walk-through and reduces a lot of back-and-forth searching during the assessment process. The biggest challenge I see here is unstructured evidence.
So you've got a whole bunch of screenshots dumped in a folder, no context, outdated documentation, not tied to any assessment objectives. The more organized and intuitive your evidence is, the more confident your assessor will be in your implementation. Alright. Anything to add there, Sammy or Marc? We're good? No. I think there was a question in the chat regarding how many people are we looking to interview in smaller environments where the IT team is responsible for admin and security. I would say that a DevOps person who knows all the systems and the security controls could answer all the questions, and we should be happy with that. It's really where the knowledge sits within your organization, whether it's one person or a whole team. Yeah. That's really it. We don't really have a specific minimum number of people that we need to interview. It's just whoever is responsible, the control owner, and knowledgeable about the set of controls. Thanks, Jacob, for the question. Yeah. Go ahead. Yeah. When we went through ours, I think it was two of us, sometimes a third. We built the environment, we wrote all the documentation, we could speak to all of it and show it all. So if it's two people, if it's 10 people, we work with small organizations, large organizations. Whoever does the actual implementation, that's who your assessor wants to speak to. Don't just go put a compliance guy in front of them, because you're probably gonna get some annoyed assessors out there. But if it's one guy and you can show it all, that's totally fine. And then in shared responsibility situations where you use an outside provider for MSP, MSSP, enclave solutions, then you may not have all the answers to all the controls.
In those cases, you might have to consult with your outside provider and invite them in for a conversation with us. In our own assessment, because we also passed with a perfect score as Marc did, at 110 out of 110, DIBCAC came in and audited us, the Department of Defense assessors. We had to invite our enclave partners to be part of that conversation because we didn't really know how they operated those controls behind the scenes that were abstracted from us. So yeah. It really depends on the assessors and what answers would satisfy them. Yep. Yeah. So MSSPs, your managed security service providers, might have to come in and speak to how they do a process. CSPs that you're leveraging that are gonna be FedRAMP authorized or FedRAMP Moderate equivalent, there are certain controls and adherence that you get there, but if it's a process managed by an individual, not a tool, somebody should be able to speak to what it does, how it's done, how it's secured, specifically around your CUI environment. So, yeah, we had to go through that fun roundabout, but all's well that ends well. So we talked about interviews, observations, how we prepare evidence. Two more key components of phase two are how we handle sampling and follow-up evidence. Right? This is how assessors are validating what's actually happening in the environment. Sampling is a major part of our assessment process, just like our FedRAMP and GovRAMP process. We rely on structured, unbiased sampling to confirm that all controls are consistently implemented across the entire environment if we have to do manual validation.
This is the part where automation and getting full exports of system configurations makes it easier versus a screen share where we will randomly sample X out of your inventory and say, show us these configurations, capture screenshots. This process provides an unbiased, repeatable way to validate that controls are working across all of your assets, all of your users, all the time frames. So during the assessment, your assessor may randomly sample selected systems. You can give them a full configuration baseline of workstations, servers, applications, databases. It saves you interview time. And it also makes sure that what's written in your policy is actually implemented everywhere, not just on the demo machine that you planned to show them. User and role sampling: we sample users and roles across privileged, standard, admin, and service accounts to validate access management and whether they enforce minimum roles and role-based permissions. We do time-based sampling. So if there is a required historical view for, say, logging, incident response, vulnerability scanning, assessors will review that across multiple time periods to make sure that those controls are functioning consistently, not just this week, which is another reason that we wanna make sure, as you're preparing, your SMEs are up to date. They know where things are happening, the frequency. They know where they can find the configurations for a sampled system, not just the one that they're interacting with day to day, but they can find anything in the system that needs to be shown. So, with any great preparation, there are gonna be some gaps. It's normal for an assessor to ask for additional clarity. That's where some of the follow-up evidence comes in. Your assessor might request additional documentation like screenshots during the field work. All of these things need to be provided before the assessment window closes.
There's a ten-day evidence resubmission window based on the latest rules. So for any objectives marked as not met, your OSC would have ten days after field work to submit additional evidence. That's an important window. This is not a time for remediation. It is a time for providing clearer or more complete evidence. So you can't change anything, but if you couldn't find a setting or that person wasn't available, you can provide that within ten days of the close of the field work. For anything that is not truly implemented at the end of your assessment, you have a POA&M remediation timeline of 180 days. If a requirement or objective is able to be POA&M'd, you would have 180 days to submit additional evidence to show that you remediated that. So phase two is very interactive: sampling, demos, evidence exchange, and your SMEs are very crucial here in making sure that you can get it to your assessor within the timeline. Anything? I see some stuff going on in the chat. Anything we wanna address here? So I think we have a question. So you wanna go quick on the few slides, and we can answer the questions. Yep. Yep. So what happens after your assessment? Right? So field work's done. All your evidence is submitted. Your CMMC assessment moves into its final stage. There are a couple of status options. There's a final status where you have met all assessment objectives. That's a 110 score in SPRS. That's your ideal outcome. You get a three-year certification window after that. Conditional status means you've passed overall, but there are some objectives that have a POA&M. You may need to submit that evidence within 180 days. The other status is no CMMC status, where an objective cannot be placed in a POA&M status. So there is no certification at that point. All of that has to be remediated before a reassessment could occur.
eMASS: once your assessment is complete, your C3PAO uploads the results, the assessment data, assessment results, and documentation into the eMASS system. eMASS is DoD's repository. From there, DoD reviews the package and verifies it for correctness and completeness. Once that status date is determined, you get three years for final, 180 days for conditional. There's a process in the background that pushes all that information to SPRS, which is where contracting officers look to confirm your certification status. But at the end of the day, know that you have 180 days to remediate those. The ten-day resubmission window is part of the assessment process where you don't fix anything, you just provide extra evidence. And then, yeah, I think one of the main things we wanted to kinda... no, not many things, but give you a little bit about our process internally. Why would you choose Prescient? Right? So we are NIST experts. CMMC might be new, but NIST 800-171 and NIST 800-53 are not. We've been collectively assessing as a team these controls for decades. So we understand how NIST works, how FedRAMP, GovRAMP, even CMMC, how all these controls are put together. We can guide you through that assessment preparation. And once our C3PAO is finalized, we'll typically do your assessment as well. We're very hands-on. We don't do cookie-cutter assessments. We understand every environment is different, especially for small and medium-sized businesses. So our assessment team tailors your assessment to your architecture, your tools, and your existing compliance frameworks. We also have an extensive partner network. We're partnering with GRC platforms, automated evidence tools, cloud security consultants, if we need to stay on one side of the fence or the other.
We truly focus on small and medium-sized businesses with unique environments to make sure that this process is not as painful as it can be. We probably know that you're already doing it, but how do we get you there and validate it for these federal frameworks? Marc, you wanna wrap up your slides? And then we can get to questions. Yeah. That sounds good. So, yeah, not only can Secureframe help with preparation and readiness, but also during the assessment as well. The way we do that is Secureframe has a built-in audit module where you can manage the actual auditors and assessors and your evidence, granting access only to the evidence that's ready for review. And then within the Secureframe platform, the auditor can review the evidence, determine if it's accepted as is, or provide a comment where clarification or additional evidence is needed. That way you can easily see your progress through the entire assessment. You can manage all of your evidence collection and all of the evidence review all in one place within the Secureframe application. That's where automation really comes into play, where you're preparing for the assessment all through Secureframe. You're gathering evidence throughout the year, throughout the months. And then when it's time for the assessment, granting auditors access and having that full review within the platform. So, the next part is gonna be scheduled for November 20. There, we're gonna be talking about continuous monitoring and the management of your CMMC certification. So once you're compliant, what you need to do on an ongoing basis in order to maintain your certification. So, yeah, why don't we jump into some of the questions in the chat? And I know we're over, so thanks for hanging out with us. We can kick things off with a couple of questions here. Brian asked a question: How deep do they look at your MDM solution?
Well, I mean, obviously, with your MDM solution, it depends on what you're using it for. Right? So if it's controlling workstations, so laptops, things of that nature, we're really looking to make sure that that workstation is locked down so that there's no CUI transmitted to that device. In the case where you allow downloads or printing from a local device, that brings that kind of endpoint into scope, but if you have an MDM solution that prohibits all of that, then it takes your endpoints out of scope. If you're using a cloud-based service, again, it has to be FedRAMP authorized or FedRAMP Moderate equivalent. Most of your large providers have some sort of FedRAMP solution. But at the end of the day, in my opinion, MDM should be used to isolate endpoints as much as possible, and it's really just controlling the flow of that CUI to an endpoint. Phones and laptops are typically not considered endpoints for these purposes. Another question from Jessica: How do you get the information you need for an SSP when your ESP is very unresponsive and only provides you with their SSP and some policies? Well, that happens. So an external service provider is only providing you with their SSP and their policies, but they're not giving you a CRM or a CIS, a control implementation summary or a customer responsibility matrix. In that instance, if your team doesn't have the expertise to peel through their documentation and truly delineate what's your responsibility versus theirs, at that point I would hire an RPO or somebody that can really peel through that documentation and work with your team to say, hey, these are settings that we can set, this is how we securely configure it, and this is what the ESP does on their side. But if the CRM was provided, and other information is not, then what do you do?
Again, if the CRM is provided, the CRM should have what you need to satisfy or configure on your side or your system. I'm trying to think of an instance where this would be possible, but if it's an external service provider that is doing all these things and providing these controls for inheritance, that should be documented through the FedRAMP or FedRAMP Moderate equivalency and their body of evidence to show what's truly in their responsibility. So you're only required to show your responsibility for the secure configuration of that ESP. I think it's a very unique situation. I would think that if somebody's going into this scenario, they should have done that. I would say a good RPO can help you navigate that.

Effective communication with your partners is very important. Making sure you contractually obligate them to be available to share information when you're going through a process like this would be another way to get more attention, or switch them out.

Yeah. I mean, if possible, that ESP should be a true partner here in telling you, like, hey, our tool does what it's supposed to do. It's easy to operate. You can securely configure it. This is how you do it. If your assessor needs additional information, they can go see this body of evidence, or that ESP should offer to join in some of those assessor interviews to explain what their system does and how it's kind of outside of the boundary of your CMMC system.

Another question. How do you deal with separation of duty with smaller teams when you're interviewing folks?

Yeah. So it depends on what the true separation of duty is there. It could be that one account does this and one account does that, so you can manage it. It's the same person doing both, but they're using separate accounts for that.
There's a sufficient auditing mechanism to track which account was doing what, so you're only using your admin account for admin purposes. But when it comes to approvals and things of that nature, you usually want at least two layers of approval. We haven't assessed anybody that's just a one man show. There's usually at least two people, and they can trade approvals off, or use Jira tickets that say, hey, I'm doing this. Yes, please approve this. I mean, we manage our environment with two people right now. So one will submit a ticket when we need to make a change. The other will approve it, and all that's audited, and we're using very specific accounts for each.

Yep. There was, obviously, a question around the cost range to complete a successful CMMC assessment. So, the cost of assessment.

Yeah. So we've seen a lot of varying ranges. Right? With our process, we believe we can assess the system within a week, depending on whether it's a standard, mostly cloud based system, technologically. We can get it done in about a week. A lot of estimates say three to six weeks, or six to eight weeks. There's a lot of information out there. From what we know about the CMMC controls and from personal experience, the interview process does not take that long if there's sufficient evidence provided upfront. Your active interview session shouldn't be more than a week. Preparation should be two weeks before that, and we can probably spit out a report within a week or two after that ten day window closes. So five weeks start to finish. We're targeting around $25,000 for a relatively simple system, but we've seen estimates go into 35 to 75, and anywhere from six weeks to eight weeks. But we're targeting a lot quicker, especially if there's a system that's highly integrated with a GRC tool or with a great automated evidence collection platform.
We can reduce that time. If your SMEs are properly trained and you don't have crazy disorganized artifacts, you can really bring down the time. But it's all about how much you prepare and how hard it is to do the assessment. And at the end of the day, if there's a lot of physical sites, that extends your timeline. So "it depends" is the worst answer, but we're targeting right around 25,000 for a pretty standard system.

So I think I will take one more question here. There are cloud providers who are CMMC compliant, not necessarily certified. Would that prevent us from getting certified if we use those cloud providers?

If there is a cloud provider that is CMMC compliant, we would wanna understand what that level of CMMC compliance is. Have they gone through a similar CMMC level two certification, similar to your team? Are they able to participate? Do they sit within your boundary? Or is the CSP FedRAMP, or GovRAMP, or some equivalency to a modern cloud service provider under the FedRAMP framework? So, it depends. Again, there's a lot of terminology that goes into it: is this a CSP? Is this an ESP? Is this an MSSP? There's a lot of nuance that goes into that. But really, where is the CUI? Does it go into that CSP? Is it just a tool? Is it a SaaS solution? Understanding what that component is in your environment would help us determine where it sits and if it's acceptable for use.

So is the authorization or certification required for those partners, or is compliance status okay?

It depends. Right? So if it is a compliance status of FedRAMP or FedRAMP Moderate equivalent, you might be able to inherit controls from them. If not, you might have to attest to those controls or at least validate them as part of your assessment. Again, it's one of those, where does it sit?
Does the system truly handle CUI, or is it just, like, 365 Word that sits in your environment? So it's very dependent on: does it handle CUI, does it handle FCI, what does it do, how is it supported, how is it secured, is it isolated? We really need to understand that from a boundary review.

Alright. Matt and Sammy, how could everyone reach out to you if they do have additional questions or want to ask about your CMMC services?

They can email us at fedramp@prescientsecurity.com. We haven't spun up one for CMMC yet, but, yeah, fedramp@prescientsecurity.com would be a good email. You can also connect with us on LinkedIn and ask additional questions.

I think there is one that just popped up. Are all independent contractors considered ESPs and require individual assessments, or can they be incorporated as users within organizations?

Yeah. So if you have contractors within your organization, those contractors fall within your boundaries. So they're going through the same background checks. They're meeting the same personnel screening requirements if they're handling CUI. That does bring in issues of citizenship and clearances, potentially, for your organization. But, again, it depends on how much access they have to CUI. If they're just developers handling a nonproduction environment, they have no access to CUI. They just follow your normal procedures as contractors, not so much as individuals with access to CUI. If they have access to CUI, you follow that procedure. But, yes, contractors are absolutely allowed. Just make sure you know what they have access to, what they can touch, what they can influence.

Yes. I have seen there's a question in the group that says they encountered a group that calls their policies "standards" to avoid conflicts and corporate policy confusion. That's absolutely okay. Right?
Whatever you call it, ideally you would map it to your assessor's evidence request list. So if they're gonna ask you, like, where do you store personnel screening requirements, that's in standard 001 or PS 001. So you can map it to wherever. It doesn't have to be called a policy. There's not a lot of templates out there for CMMC. You can make your SSP look however you want, but it has to be very clear cut and very descriptive, all your policies. Ideally, you wanna map it by control, but if you don't, that's okay. Just make sure that you have a mapping that shows exactly where it is. If you guys haven't figured this out, you can also connect with me on LinkedIn. I love talking about this stuff. So, you can email us over at the FedRAMP address, but, yeah, shoot me a message anytime. This is really cool stuff. I think we've got a great program. We're excited to partner with Secureframe over here and get some cost savings and boost this CMMC environment for everybody.

Yeah. Matt, Sammy, I really appreciate you both joining. I think these sessions are really valuable. You could see a lot of folks have questions about CMMC. So the more that we can share with the community, I think, the better. And like Matt mentioned, feel free to reach out to us if you do have any questions. We'd be happy to talk to you individually about your environment and the specific questions that you do have. A lot of questions came through regarding data and scoping. You can find a lot of that in part one of the series that we presented. So please review part one and part two, and then join us November 20 for part four as well. Thanks, everybody, for joining. Really appreciate your time.

Thanks for hanging in there for such a dry topic, but we appreciate you guys.

Absolutely. Thanks, everyone.