Video: A-LIGN & Abacode | Duration: 4032s | Summary: A-LIGN & Abacode | Chapters: Webinar Introduction (10.16s), CMMC Compliance Essentials (305.705s), CMMC Environment Scoping (599.07s), SSP Documentation Challenges (1420.9701s), Policies and Procedures (1837.7549s), CMMC Misconceptions (2137.43s), CMMC Compliance Challenges (2425.65s), Level Two Certification (3397.405s), Remote Work Scope (3506.385s), Enterprise Controls (3565.385s), Closing Remarks (3638.8s), CMMC Compliance Journey (3654.785s), Webinar Conclusion (3703.1602s)
Transcript for "A-LIGN & Abacode": Alright. Hello, and welcome, everybody. Welcome to the webinar presented by A-LIGN with our friends at Abacode. We're gonna give it a few seconds for everybody to get in before we go ahead and get started. Alright. I think we are at critical capacity for folks. So let's go ahead and get started. So welcome, everybody. We're very excited to have you all at this webinar, kind of a CMMC master class series here. What we're looking to talk about today: key strategic decisions to achieve and maintain CMMC compliance. Obviously, a very hot topic right now. So we're looking to dive into that. I will mostly be hosting it, and then our friends from Abacode, who I'll introduce here in a second, will be talking a lot about some of these strategic decisions that you need to make throughout the process towards compliance. And then at the end, I'll be touching a little bit more on the C3PAO and some when-and-how advice on engaging a C3PAO, what factors to consider. But we also want to leave some time at the end for Q&A. So if you guys have any questions now or throughout the entire time, please feel free to throw those in the chat. There's a Q&A section specifically as well. If we don't have enough time to answer them or answer all of them, I do wanna make a note that we will make sure to follow up as well. We will make sure to follow up via email and answer any and all questions that may come up today. So without further ado, let's get started. So I will go counter here. So I'll introduce myself first. So, Matt Ruggman. I'm a federal lead here at A-LIGN. A-LIGN is a C3PAO. So, really, I help work with a lot of our clients on really mapping out their journey and talking a lot about what we're talking about here today. Like, what all is involved in this compliance journey? What do I need to consider? And what are my options? But we have our friends from Abacode because we are a C3PAO.
We really stay on the assessment side. Abacode kinda specializes in more of the upfront work. So we've got Rolando Torres, who's the chief security operations officer at Abacode, joining us, as well as Jeannie Alford, the senior data loss prevention and compliance consultant from Abacode. So I will go ahead and kick things over to their team, and we're gonna start off with just a quick overview, high-level introduction into CMMC.

Great. Thank you. Good afternoon, everybody. And, once again, thank you, and welcome to today's webinar on CMMC and the key strategic decisions for compliance with this specific framework. Once again, thank you, Matt, for the kind introduction, and I'm very excited to be here today as we explore this critical framework that's designed to enhance cybersecurity across the defense industrial base. So as many of you know, cybersecurity threats continue to evolve, and protecting sensitive government data is more important than ever today. So whether you're a prime contractor or a small to medium-sized business supporting those DoD contracts, understanding and then implementing CMMC is gonna be essential to maintaining compliance and then securing overall our national defense supply chain. So today we're going to break down the fundamentals of CMMC and then discuss the impact on your organization and then provide you with practical steps to prepare for certification. Next slide, please. Thank you. Let's just take a step back and then consider why CMMC is so important. The DoD has made it very clear that cybersecurity is a national security priority. We have adversaries that are continuously targeting the defense industrial base. It's no longer enough to assume that the basic security measures that we've been continuously using to protect controlled unclassified information and federal contract information are working.
So CMMC is designed to ensure that all contractors and subcontractors follow standardized cybersecurity best practices before handling sensitive data. Excuse me. So compliance is no longer optional. It's a prerequisite before doing business with the DoD. So again, whether you're a small business or a large defense contractor, understanding your CMMC obligations is gonna be key to maintaining contracts and staying competitive in the industry. So with this overall foundation that we have in place, I'm just gonna pass it back to Matt to start the discussion on the core principles of CMMC compliance.

Perfect. Thank you, Jeannie. So this is kind of an overview as to the main topics that we're gonna be touching on here today. So again, we've denoted these as some of the key strategic decisions that you'll need to make along the way towards compliance. Now that Jeannie gave an overview on, you know, what CMMC is, why it's so important, and when you might need to get it pre-award, let's talk through what are those strategic decisions that you'll need along the way. So some of those, just to highlight them here: contractual requirements, in terms of, you know, what contractual requirements will I have, when will I have them, all that fun stuff. The CMMC environment scoping, very critical. Have to understand the scope. Where is the scope for CMMC? And this next one kind of speaks to that. Where does my CUI, my controlled unclassified information data, actually flow, and how does that inform my scope? Also touching on some of the key important pieces of documentation that you guys will need to make sure that you are preparing for along the way: the system security plan, the SSP, and all the policies and procedure documentation that will feed into your compliance and your ability to prove compliance, in order to get, especially, a level two certification if that is what you end up needing.
So I'm gonna hand it back over to the Abacode team to talk through some of these topics in more detail.

Thanks, Matt. Welcome back, everybody. So now that we've covered the fundamentals of what we are going over today, let's shift our focus back to one of the most critical aspects of this framework. That is going to be your contractual requirements and why compliance is just non-negotiable for organizations working with the DoD. We'll go to the next slide. Thank you. Again, CMMC compliance is not optional. It's a mandatory requirement for any organization looking to do business with the DoD. So contracts are gonna now include specific CMMC certification levels, meaning that if you don't meet these necessary requirements, you won't be able to, or eligible, excuse me, to bid or renew your existing contracts. So this applies not only to just prime contractors, but to their subcontractors as well. So you have your flow-down requirements, and that ensures that every level on the supply chain handling FCI or CUI makes cybersecurity and cybersecurity hygiene a shared responsibility. So this means that compliance isn't just an overall business risk; it also comes with serious legal and financial consequences. So we have something called the False Claims Act, or FCA, and that holds contractors accountable for falsely claiming compliance. This can lead to potential fines, lawsuits, and even debarment from being able to work with the defense industrial base. So, again, failing to meet CMMC requirements could eventually lead to contract termination, obviously, reputational damage, and the loss of future opportunities to work with the DoD. So these DoD contract reviews will scrutinize compliance, making it critical for your organizations to integrate cybersecurity into their operations and be more proactive. And then beyond targeting your contractual obligations, the true purpose of CMMC is to protect sensitive defense information and strengthen national security.
So all of us are most likely gonna be working with the DIB or are already in the DIB, and that is gonna remain a high-value target for nation-state actors and cybercriminals. So single vulnerabilities that we're finding in our supply chain have far-reaching consequences. So CMMC has established this standardized approach to cybersecurity, ensuring that every contractor, regardless of size, follows the best practices to reduce risk and improve resilience for their organization. So ultimately, compliance here isn't just gonna be about checking the box. It's gonna be more about securing your organization, protecting your sensitive data, and maintaining your ability to support the DoD. We wanna take proactive steps towards CMMC readiness, not just as a requirement, but as a competitive advantage and increasing security consciousness for the defense landscape. And here we've got key points. So in order to achieve this for your contractual requirements, the first thing you wanna do is at least review them, define your obligations for handling CUI that should be listed within your DD254 or your procurements, and then understand your flow-down requirements as well. With that being said, I'm gonna pass it to our chief security officer, Rolando.

Hey. Good afternoon, everyone, and thank you very much for the opportunity to be talking to you here. And thanks, Jeannie. So we're gonna talk about CMMC environment scoping specifically, which is an area where, you know, it's almost like where the CMMC solutioning happens. Right? And I think it is very important to realize that, you know, in many cases, you're gonna be part of this webinar because your organization has made a decision that you are responsible for meeting the CMMC requirements. But it is very important to realize that this is not an IT issue. It is a business issue. Right? So it is an enterprise-level issue.
And as such, it is important that, you know, there is buy-in from leadership and that there is constant communication on the decision making along the lines of what are your CUI boundaries and what is a CUI environment. So from that perspective, you know, being a little bit more like a minimalist helps, from the standpoint of being able to reduce the effort to comply. But then on the business side, there are specific workflows that you need to take into consideration. Right? You know, we used to go in on the commercial side from order to cash or from contract to billing. You have to understand, you know, who are the folks that actually get access to CUI today as part of their business functions and determine how those workflows are gonna change. Not only that, you know, communicate to those business owners and make sure that you get sign-off on those, you know, requirement changes. So the keyword here is change. Right? So anytime you're gonna change your workflow, you're gonna change the way people do work, the way they perform their functions in the business, it's gonna have a major impact. Right? Change is not easy. I think that's very common, and it's something that you cannot prescribe in a vacuum. So you're gonna need to have a team environment, and it's gonna be a team effort to decide, you know, how those workflows will change, if they need to change, in order to meet the CMMC compliance requirements. Again, you know, going with a segmentation type of approach where you have a smaller environment that is in scope of CMMC will save you some time and effort on the front end. But, of course, you know, you have to be in a position where you can support the business, and the business is able to continue to function, and you're not disrupting the business from that perspective.
I think it goes back to what Jeannie mentioned before, you know, in terms of why we are doing this and, you know, also why CMMC compliance is so important. You know, we want to protect the CUI. So if we set up an environment and the boundary to protect CUI, you know, we need to religiously follow those controls that we put in place to keep the CUI in that environment, and that has to be, you know, highly guarded and protected. You know, every time you assess the workflows, you're gonna realize that your boundary continues to expand. And keeping control over that boundary and the systems that are in scope is gonna be critical. You know, you have to define what are your CUI assets, the ones that actually are gonna be holding the DoD or government-issued CUI, you know, and those have to comply with the requirements, right, that are set in the CMMC NIST 800-171 standard. And then what are the solutions and systems that, you know, complement the CUI asset. Right? I mean, there's a list of those, you know. Are you gonna need a SIEM solution to aggregate security events? Yes. Are you gonna do EDR to monitor endpoints? Yes. Are your mobile devices in scope, to a certain extent, in the CUI boundary? Yes, if you're using MFA that requires your mobile device. You know, and then the list goes on and on. The more you expand your environment, the more systems will come in scope. Do you have a need to print CUI for some of the workflows that we mentioned at the beginning? If you do, well, the network in which those printers reside will be in scope, as well as the printers themselves. So, yes, it will be a lot easier to limit the scope to cloud systems, and, you know, in some cases that also is possible, but you have to understand, you know, where the CUI resides. Everything, you know, I say, at the business level, there has to be a commitment to, you know, meeting the standard going forward.
CMMC is not a point-in-time, you know, effort. It's a continuous effort, and there's a lot of, you know, processes that will continue to operate throughout the, you know, period, even after there is a, you know, audit and certification. You know, just going through the points here real quick, you know, the remote work environments, if there's a need for that, will also become part of the scope. So we have to be able to elaborate, you know, where exactly CUI is being accessed from, what are the devices that are involved in accessing CUI, in addition to where the CUI is hosted. If you're receiving CUI from government agencies through email, then your email system is in scope, unless you're able to change that practice from the DoD or the, you know, the prime that is sending you that documentation. So the DoD is not prescribing what you need to define in your boundary and your system, but it's prescribing what are the controls that need to, you know, govern that environment. So there's a lot of decision making that needs to happen. And I think this is where, you know, the typical, you know, sub, you know, DIB company serving under a prime contract, or even if you have a prime contract but it's not of, you know, your size, I mean, you're probably gonna need some help from a consultant firm, you know, like Abacode, you know, that will be able to help you with, you know, assessing some of these areas of concern, and be able to define that CUI environment where it's not only compliant, but it's also aligned with your business goals. Right. Jeannie, back to you.

Sure. Thank you, Rolando. So we can just go to the next slide. Here we're going to talk about CUI data flow, and it really touches on a lot of the things that Rolando was just talking about, and this is scoping your environment. You want to start on strategic mapping of controlled unclassified information.
This is gonna be essential for achieving and maintaining CMMC compliance. So OSCs, or organizations seeking certification, need to start by first identifying where their CUI resides within their systems and how it flows across their network, and then the persons and systems who have access to that CUI. Without having an effective understanding of this, it's nearly impossible to apply the right security controls effectively. So it goes back to what Rolando was saying. This is gonna affect your business operations, because if you don't effectively identify where CUI is flowing across your organization, this becomes an enterprise-wide certification, and all of the security controls within NIST 800-171 Rev 2 will need to be applied across the entire enterprise. So mapping CUI ensures organizations can segment and protect this sensitive information, reducing the risk of unauthorized access or data breaches. So the proper mapping also streamlines, excuse me, the compliance efforts by aligning your security investments without actually adding risk exposure as well. So rather than applying blanket security measures, organizations can then focus resources on just protecting their most critical assets. This targeted approach improves the efficiency and ensures compliance with the CMMC requirements without adding unnecessary complexities. So in addition, it also helps organizations demonstrate their due diligence during their audits and assessments. It also reduces the likelihood of compliance failures and penalties because, in this way, it's proving to the assessor that you understand where your CUI resides and you also have proper access control restrictions in place to protect that very sensitive data. And then back to the contractual requirements when we were talking about them earlier: from a contractual and operational standpoint, strategic CUI mapping also supports your business continuity and risk management processes.
So by understanding where and how CUI is stored, transmitted, and processed, excuse me, organizations can then build stronger incident response plans as well and ensure rapid containment in the event of a breach, meeting DFARS 7012 regulations as well. This also helps strengthen relationships with prime contractors, which will always ask for this requirement, as well as documented CUI strategies, and demonstrating a commitment to your overall approach to cybersecurity and compliance. So, again, ultimately, CUI mapping is just more than a compliance exercise. Right? So, again, back to what Rolando was saying earlier, it's not a one-and-done approach. It's a continuous program. It's proactive security. It's measures that protect sensitive defense information. It's gonna enhance your operational resilience and enhance your eligibility for your ability to work with the DoD and bid on DoD contracts as well. So organizations that continue to take their strategic approaches to CUI management by using a CUI data flow management program will be better positioned overall to navigate the evolving CMMC process while maintaining a strong competitive edge in the defense industrial base overall. So for the key points for this, we have, again, you wanna identify CUI, where it flows throughout your organization. So again, where you process, store, or transmit it. Do you have any access from third-party cloud services, any authorized external connections to your controlled unclassified information? And then you want to document that in a data flow diagram for your compliance program and then for your assessors and your audit as well. That being said, pass it back to you, Rolando. Rolando, if you're there, I believe you might be muted.

Oh, yes. Sorry about that. Sorry about that.
So, yeah, I think, I mean, I was just starting to mention that as we talk about the CUI boundary, right, as part of a documentation component of your security plan. It basically identifies what are the systems that are in scope of the, you know, CMMC environment. And then we also talk about the, you know, CUI data flow, which, you know, is also part of the documentation that goes into the system security plan. So it is very important that these two fundamental aspects of the security plan are accurate, purposely built to reflect the reality of the field, and that, you know, we take into consideration each and every, you know, scenario. As I mentioned before, you know, if you print CUI documents, I mean, you should not ignore the fact that you are printing those documents. Right? That's something that should be in scope of your CUI boundary, and it should be included in your CUI data flow. If you have concerns that, you know, because of that, you won't be able to be CMMC compliant, then perhaps you should have a conversation about stopping that practice. Right? Same thing with, you know, for example, USB devices. If there is a workflow in which CUI gets copied to a USB drive or, you know, USB device and then loaded over to another system, that has to be documented in the data flow as well. So we cannot assume that, you know, yes, I can do that. You know, my CUI is secure within the CUI environment in the boundary, but I have some exceptions where I can extract CUI and use it in other places. So that's, you know, that would be almost, you know, like an illegal practice at that point. So it's very important to recognize that because, you know, it's very easy to work on a by-exception type of environment when you define your CUI data flow and your CUI, you know, environment and boundary.
But we definitely wanna be very strict and conform with the requirements of, you know, CMMC at all times. Right? So that's part of the requirement. So I think, you know, if you're here, you probably were assigned the task of, you know, for your company to become CMMC compliant, or maybe perhaps you have some additional changes coming to your already compliant program that you're not sure how to tackle. And at the center of the compliance package is your system security plan. It's a document that, you know, basically goes through each and every one of the control families and documents what are the, you know, security controls that are in place to meet the requirements of each control family's controls. Right? So this is a very in-depth document. Can you document it using a Word, you know, document? Perhaps. It is very, you know, lengthy, you know, sometimes in the hundreds of pages. Just managing it in a Word document with a, you know, standard laptop is a difficult task. So in many cases, what makes the most sense is to look at some level of platform, you know, that will allow you to document the, you know, different control information and requirements information into a SaaS-level type of solution, like a GRC portal that allows you to have better management of the data that is going in, the change management of information that gets documented in the SSP. You know, the SSP has to be, you know, well balanced, and, you know, it has to meet the expectations of the CMMC standard as well as, you know, the operational requirements. You don't wanna document something in the SSP that cannot be proven in practice once you go into the audit. Right? We see those situations where, you know, the SSP is like a perfect document that doesn't really match the realities of the field.
So it has to be a, you know, reflection of the controls that have been put in place to meet the requirements. Another thing that we see, you know, this is something that, you know, some of you might have experienced, is you might start on the path of documenting the SSP. You might start, you know, making assumptions of how things are gonna be in the future once you get the time to make the configuration changes or make the migrations, change the workflows, and adapt your business to the CMMC requirements. But then along the way, you know, new changes come in, modifications and technologies are adopted, configuration changes are, you know, implemented for other reasons, and then you end up with an SSP that, you know, doesn't reflect what the real configuration is on the CMMC environment. And the very unfortunate reality of that is, you have to rework the SSP. And reworking the SSP takes a lot of time. Right? So you have to review and re-review, you know, revise, update, peer review, you know, get approval from management, and, you know, start all over again. So it is critical, and this is where we, you know, took the time to put this almost like in chronological order. It is critical that you have your environment scope done properly and that everyone agrees on that and it is set in stone, almost, before you move down the path of building your SSP. Otherwise, you're gonna be reworking the SSP quite a bit. You know, the SSP is indeed a living document to a certain extent. I mean, you wanna lock it down right before the audits, and you wanna make sure that it reflects everything that is, you know, really being configured and done. The auditors are gonna be using the SSP as a guideline for some of the audit activity, along with some of the other documentation. But, you know, you'll be in trouble very quickly if your SSP is not aligned.
If you're, for example, mentioning technologies that you're not using, you're, you know, mentioning policies that are not in place or, you know, procedures that are no longer being followed, you'll be in trouble very quickly if that's the case. So the SSP has to be properly reviewed, and it has to match what you have in terms of the environment. For those that are, you know, looking to reassess and redo their SSP, it's a lot of work. Right? I mean, you end up with a couple-hundred-page document. It has to be very specific. One of the, you know, comments that we have heard in the industry is, can I get a sample SSP? Right? I mean, well, these are highly confidential documents, and it really is not to be shared with, you know, somebody else, and that's, you know, by design. So it is highly confidential and part of your security package. You know, you shouldn't be asking for a copy of an SSP or an SSP template, and, you know, they're all gonna vary because each solution is different. And the other thing is, you know, specifically to the SSP content. Right? As I mentioned before, it's really gonna reflect the environment and the uniqueness of the environment. So it will be very hard to have a template that matches, or is even close to, what you need to accomplish in terms of the SSP. So, you know, as you move towards, you know, documenting your SSP and you're in a good position to do so, some key points: you know, make sure that you have the proper technology to support you in this journey, because it's a big task to accomplish. You know, it requires a lot of time. You know, I think the estimates of the DoD, which I think are a little bit conservative, talk about hundreds of hours spent on the SSP and policies and procedures. So you have to be very, you know, cognizant that this is gonna impact.
If this is not your day job, this is gonna impact, you know, your day-to-day job dramatically. I think the other option is, you know, obviously, getting help. Right? Getting somebody else to work with you on this to help you, you know, draft the SSP and help you through the process of becoming, you know, CMMC compliant. Alright. With that in mind, we can move to the next topic here. So the other big component of the, you know, documentation kit that is required to be ready and set to go for the audit and certification, as well as if you're doing, you know, a self-attestation, is the policies and procedures. Right? So the policies set what are the things that the organization is doing, you know, the controls that have been put in place to meet the requirements of the, you know, CMMC program. But your procedures also are gonna be part of the scope of the audit. And, you know, they basically define how those policies have been implemented. And it is important. Right? Because in policy, you want to make sure that you document, as a foundational part of your program, not only in the SSP but in policy documents, what are the things that you're doing to meet the requirements of each control family. Those policies are binding. So, you know, from that perspective, you, you know, shouldn't be making decisions on your own, you know, unless, you know, you have the authority to do so, to implement these policies and, you know, deploy these policies at the company-wide level, enterprise level. They should, you know, go through proper review on the legal side as well as on the leadership side of the organization and be signed off and approved by them, you know, as part of the program.
This is gonna allow you to, you know, make sure that you're not, you know, setting policies and procedures that are, you know, going against, you know, the business goals and the procedures that are in place. And it also allows you to have more credibility with regards to the CMMC program. Like we mentioned at the beginning, you know, this is a business issue. It's an enterprise issue. It's not an IT issue. So, it requires, you know, the involvement of the legal team, the leadership team, and everyone has to be in agreement. Whatever decision is made in terms of CMMC compliance is the one that, like, the whole company and the enterprise is going to adopt and support. So those are key components right on the policies and procedures. You know, when it comes to procedures documentation, there's a rigor in the level of details. I think that, you know, the procedures documentation is very unique to how the technicians and the engineers and the folks that actually have the access to the environment, from the administrative standpoint, perform some of those tasks, right, especially for technical, you know, controls. And the ability to, you know, showcase that those, you know, controls are in place and are being met, through, you know, taking a screenshot or providing a configuration file or being able to show an auditor that those configurations are in place and operating. So it is very important that the procedures are aligned with the technology, you know, for sure, and then with the level of configuration that has been, you know, implemented in the environment. And it is important to be audit-ready. Right? So the procedure should allow for, you know, the organization to present the proper level of evidence that the procedure is operational and that it is being followed, you know, based on the set policy.
So, for example, if a procedure on the access control policy says that, you know, access control will be reviewed every quarter, then that procedure should indicate, you know, how are you reviewing those access control logs or, you know, the access control and the users that have access to the systems. How are you, you know, documenting the evidence that you're performing those, you know, procedures? Right? Who's responsible for performing those? I mean, what cadence? Is it quarterly? You know, how are you gonna be able to do that? So it very quickly becomes highly complex. This is where, you know, GRC tools, that, you know, not only allow you to document the SSP and help you with the policies and some of the procedures, but also help you with the tasks. Because these procedures, as we said at the beginning, you know, CMMC is not a point-in-time certification or process. This is an ongoing, you know, process. So some of these tasks are gonna help you, you know, aggregate the evidence, being able to go back and, you know, look into what are the controls that need to be revised, you know, how often do you need to review your policies, and make sure that you're not missing the point, or you're not missing the deadlines on, you know, how to, you know, make sure that those controls remain operational according to the policies and the set controls in the SSP. Then we can move along.

Alright. Thank you, Rolando. Okay. So we're gonna go over some common misconceptions here. So there are several misconceptions about CMMC that can lead organizations to underestimate the effort that's required for compliance. Rolando mentioned that there are estimates out there by the DoD that it takes about eighteen months from start to finish for the full implementation of the compliance program under CMMC. And that's probably a rough estimate there.
And one of the biggest myths is that CMMC, again, is a one-time commitment. In reality, compliance is an ongoing process. As cyber threats evolve, so do many of the regulatory requirements, so we have to continuously address it and improve the security posture to maintain the certification. A set-it-and-forget-it approach will not meet the DoD expectations, and it's not a fear-mongering tactic. It's just a reminder that if you're working with DoD and you have DD254s out there as a prime contractor, they will likely send you some cybersecurity assessments outside of your regulatory framework. When you meet certification every three years, they may send it to you every year or every six months to verify your compliance, and then you will have to do a self-attestation annually regardless. So, again, it's not meet the certification and then it's done. It's a continuous compliance program. Another misconception is that CMMC is too complex to implement. While it does sound scary and it does introduce some new requirements, it is designed to align with existing cybersecurity best practices, such as NIST 800-171, which has been in existence since 2017. So organizations can take a phased approach, starting with gap assessments, implementing the necessary controls, and then maintaining the documentation, a lot of the stuff that we covered in our previous slides and discussions. Many organizations may mistakenly believe that they can become compliant when needed, and then they end up waiting until the last minute, and it becomes very, very costly and time consuming, as Rolando alluded to. So achieving CMMC certification does take time, and without the proper planning, organizations do risk losing contract opportunities if they are not certified when these requirements are enforced.
Some also assume that because they have a high SPRS score right now, it means that they are fully prepared for CMMC. While a strong SPRS score is a good indicator of a strong security posture, it does not guarantee compliance. CMMC requires a third-party assessment to validate these security controls. So like Matt said earlier, A-LIGN is a C3PAO. They're on the audit and assessment side of things. Abacode Cybersecurity and Compliance is on the consultant side of things. It helps you prepare for that third-party assessor to come in and verify your compliance program. Similarly, small businesses often think that CMMC doesn't apply to them, but compliance is required for any contractor handling CUI, regardless of size. In fact, small businesses are also frequent targets of cybersecurity attacks. If you remember the Exchange attack back in 2024, I believe, it was actually across mostly small and medium-sized businesses in the defense industrial base. So that's why CMMC is so important. And then finally, there's the false belief that organizations will be certified immediately after their assessment. In reality, certification involves a very thorough review, and if gaps are identified, remediation may be necessary. In the current CMMC 2.0 regulation, you have an authorized 180 days to implement any identified plan of action and milestones, and if organizations assume that they may pass on their first attempt without proper preparation, they may face delays and even end up having some risk to their contracts right now. So overall, the key takeaway is that CMMC is not a checkbox exercise. It's a long-term commitment to cybersecurity and regulatory compliance that requires strategic planning, continuous monitoring, and proactive security investments. Back to you, Rolando.

Okay. Yep. Perfect.
So, some common challenges. CMMC applies to everyone that has a contract with the DoD or with a DoD prime. So budget and resource constraints is pretty much number one. Misconceptions about how much it costs. Some people might say, oh, it's just going to be a relatively simple thing to do. But the reality is that it's complex. It requires time, effort, and expertise. And in many cases, that expertise is not available in house. So that's a big challenge for almost everyone, including large organizations. The other big challenge is, for many years, we have been hearing about CMMC compliance, NIST 800-171. And there's been a sense that, yep, we have some good cybersecurity hygiene, and I think we meet the controls. And when I say "I think," we have a tendency to be very positive about meeting them. And then we say, it's an SPRS score of 110. But then once you start getting engaged with a company like Abacode and the gap assessment is done, that SPRS score goes down very quickly, because in reality there's a lack of rigor around the controls that were set or thought to be in place. So there's a requirement to adapt quickly to that reality, which is: we thought we were compliant, but we're not. So what do we do now? Then, in addition to that, there were a lot of assumptions of what the final rule would be or would not be. And the final rule just got approved. And there are a lot of additional requirements, things that were thought would perhaps not become requirements, that are requirements now.
Like, for example, the requirement that if you have CUI in the cloud, it has to be a FedRAMP-approved system, one that is in the marketplace, a FedRAMP Moderate approved system. So in the past, maybe there were assumptions that it could have been less than that, but that's the reality of the field right now. So there's a rush to make sure that those requirements are met if you're using a cloud strategy. And then managing the subcontractor flow-down. Everyone wants to make sure that the subcontractors that they're using also meet the requirements, and that's a big challenge. I think as the contract obligations flow down, you're running into smaller and smaller vendors, and for them it's a little bit harder to meet those requirements. Again, you're in this webinar perhaps trying to figure this out, but you also have another job, and it's probably a very demanding one, and this is almost like a full-time job in itself, to become CMMC compliant. So I'd say there are a lot of constraints on resources to be able to meet the demands of the CMMC compliance effort, especially the initial push, and then keep the CMMC compliance going throughout the years. So how can a cybersecurity and compliance service provider like Abacode help? The first one is providing the proper guidance. We have seen in the past investments being made by mistake. We have seen assumptions being made by mistake. And then the reality of the CMMC program really settling in, where some of those mistakes could probably be avoided with the proper level of guidance.
As I mentioned before, the DoD doesn't tell you how you have to be compliant. You are free to select the systems and the components that are part of your environment, but they do prescribe very strictly what the controls are that need to be implemented for those systems. So it is important to have that guidance and the proper planning ahead of any investment. And I think that's where a consulting firm will come in and help you with that initial gap assessment: looking at what your CUI is, where it resides, and then how the initial setup of a program could be accomplished. The gap assessment is critical. It's taking the temperature of the patient, understanding where you are in your journey, and then putting together a roadmap. What is it that we need to do? I know your SPRS score was whatever it was. But now the reality is, we get you ready so that when A-LIGN comes in to do your audit, you're in a good position to be certified. And then from that plan, there are going to be a few things. One of them is the configuration changes, the systems that need to be set up, and the engineering aspects of the compliant configuration management. And then the documentation that supplements those processes, such as the SSP with the boundary documentation and the data flow, as well as all the policies and procedures. That's a lot. Drafting all the documentation and making sure that the configuration, the setup of the environment, and the documentation all match is a big task.
And I think that's where we accelerate that process very quickly as a service provider. Cost effective: a lot of organizations try to post a job req for a GRC person, a compliance person, and that just takes time. So we're able to come in, onboard quickly, ready to impact. Our consultants are seeing this in and out with companies like yours. They have gone through audits already, not only on the CMMC side but also from DIBCAC. We have seen what the auditors are looking for. We're also looking into how the environment can be reduced, and also how the business is unimpacted. So there are a lot of synergies just by the fact that the consultants are doing this. This is their main job. This is what they do every day, and this is what they do with multiple clients. That's a big component. Jeanne, let me pass it back to you.

Yep. Thank you so much. Alright. So wrapping it up here, what should you do next if you're a contractor or subcontractor in the defense industrial base? Going back to what Rolando just said, perform a gap analysis against NIST 800-171 Rev 2. That is what the assessors are going to be looking at, all of the assessment objectives as well. There are 320 assessment objectives and 110 controls, equaling 430 in total that you will have to take a look at. Add all of that to your gap analysis. This way you're not missing any of the assessment objectives when you go into an assessment. Document all of that control health in your SSP. Maintain that as well, develop your policies and procedures to go along with it, and maintain a robust incident response plan.
This way you can be in adherence with DFARS 7012 reporting requirements as well. Update any of your contracts with your subcontractors to include any of the mandatory CUI flow-down provisions. So take a look at your contracts that we talked about earlier. If you have flow-down requirements and you're a contractor or subcontractor, make sure that your flow-down requirements are going down to your subcontractors too. And then train your employees on CUI protection as well. Stay informed about the finalized ruling for the FAR CUI rule. That will be published by approximately March 15. And then engage during the comment period. The public comment period is still open right now for the official CUI ruling. Oh, I'm sorry, March 17. And again, bottom line here, achieving FAR CUI compliance is not optional. So prepare now to secure your federal contracts and build trust in the supply chain. And I'll pass it back to you, Matt.

Great. Thank you, Jeanne. So we've got about ten minutes left here. So I'm going to talk a little bit about this. We really mapped out, hey, what is CMMC? What all do you need to consider in terms of getting compliant? Once you're compliant, we didn't talk about the levels much, but I did see a question we're going to touch on about levels one, two, and three. If you are Level 2, you do need a CMMC certification. You need a C3PAO, that's a CMMC third-party assessment organization like A-LIGN, to come in and assess you and issue that certification. We are the actual certification body. So when and how do I select a C3PAO? What do I need to be thinking about with those? We're going to talk a little bit about that here, and then I'm going to try to move relatively quickly through this so that we can answer some of the questions that I see in the chat.
One thing I want to highlight: selecting a C3PAO is a very vital step in the CMMC compliance and assessment process. It's obviously going to impact your experience, your final report, but also timing can be and is very critical. I've got a lot that I can and probably will say on that. I've broken this into four main categories that I'd like to touch on. The first being expertise. When you're considering a C3PAO, you want to consider what their expertise is in this space. One thing I wanted to highlight here: while CMMC certifications are new, the frameworks, NIST 800-171 specifically, that they pull from for the controls are not new. So ask around if you're talking to different C3PAOs. Some questions to ask would be: what's your experience with these NIST frameworks prior to CMMC? Because the assessments only began in January of this year, so a little over a month, about five to six weeks of assessments have been happening. What is your experience prior to that with NIST-based frameworks, whether that's NIST 800-171, FedRAMP, FISMA audits, 800-53 baselines, whatever it may be? Obviously, you want to make sure that they have experience with that. You're not learning with them in terms of how they need to assess these different frameworks. So that's expertise. The next one, experience. What I meant by this is: think about what experience you want as the organization seeking certification as you go through the assessment process. Nobody likes getting audited. They're inherently not fun. We're checking you. We're seeing if you're meeting certain controls or not, through review of documentation, policies and procedures, interviewing personnel. What experience are you going to get, and what are you looking for there in terms of the quality, the efficiency?
Also, and this will play into the timing a little bit, how long does each of those phases take? Have they mapped out for me what this is going to look like in some initial discussions? What is their process in terms of coordination and time to get back to me if and whenever I have questions? All these sorts of things are, I think, really important and often underestimated. So think about what would be important to you in terms of questions you would want to ask a C3PAO: what would I want this actual audit experience to look like? Timing. There's a lot we could touch on here. One thing I noted: when are you looking to achieve your CMMC Level 2 certification? A lot of organizations are coming to me and asking me that question. When do I need my Level 2 CMMC certification? A lot of them don't know, but some of them do. There's nuance to that answer, and it depends a little bit on your specific situation, what requirements you might already have, what you foresee, where you're at in the supply chain. For instance, a lot of subcontractors that we talk to now, I'm hearing them say, hey, my prime contractor is already coming to me and telling me I need to get CMMC certified by X date, or I need to show proof that I'm on a C3PAO schedule by Y date, whatever that might be. It might be a little bit organization specific, because the actual DoD contract requirement for CMMC as a program to require Level 2 certifications pre-award is not here today. That's coming in the future. So what everybody's doing right now is saying, well, let's get certified now so that pre-award, once that does show up on my contract requirements, it's not too late. One thing I want to highlight is that if you wait until this shows up in your contract requirements, it will be too late to meet that contract.
You need the time that Jeanne and Rolando talked about for implementation and getting ready. You also need the time to get on a C3PAO schedule and actually get assessed and certified. The other thing I want to talk about with timing, really quickly, is there are a ton of organizations that are going to need, and that do need, Level 2 certifications. There is a ton of interest that these C3PAOs are hearing about. There are not a ton of C3PAOs, that is, organizations that can issue these certifications today. So there is a backlog that I would say continues to build. So if this is something that you want to prioritize and say, I don't want to run any risk of potentially getting left behind on these contract requirements, I would highly recommend engaging and talking to a C3PAO earlier in the process than you might be thinking you would right now. Because as long as you can talk about and scope this out, and if you need help figuring any of that out, I'm happy to hop on a call and talk through that. As long as we could scope it out, I would highly recommend getting on their calendar, getting under contract with whoever you want to work with there as early in the process as possible, because the backlogs are just going to continue to build. The last thing you'd want to do is say, hey, I'll talk to a C3PAO once I'm compliant. And then summer, fall, winter of this year comes around, you reach out to them, and C3PAOs are saying, oh, we're looking nine months out, a year out, whatever it might look like at that point. And I'm already hearing from other C3PAOs that there is a backlog in the realm of six to nine months. Our backlog is a little bit more favorable. We could talk through that in more detail, but that is something important to consider. Last thing I want to touch on, obviously, budget, very important topic. Everybody loves budget.
So is this assessment budgeted for currently? I'm talking to a ton of organizations that had not budgeted for this previously. It is a new certification. Maybe you're just now finding out about it. Maybe you're just now figuring out what it might cost. We can help with any of those estimates if and when that's important. But one thing that I do want to highlight is there's obviously a trade-off between budget and the other factors that are important to you. You want to make sure you're considering all the factors. You certainly don't want to go with the lowest budget and then miss out on all of those other factors that are important, and then it takes longer, it's a cumbersome process, maybe it didn't go how you wanted, whatever that might be. But then the inverse is true as well. You don't necessarily want to pay the most and then maybe feel like you didn't get some of those other factors that are important to you. So it's all about balancing and finding what that right mix is for you and the trade-off that you might get. Okay. I want to leave a few minutes here. I wanted to work through that really quickly. I see we just have about four minutes left. I don't want to eat up anybody's time beyond that, but I do see we have some fantastic questions. I'll see how many we can get to here. So Jeanne, Rolando, I'll throw some over to you. Let's see if we can answer these as succinctly as possible to hit on as many as we can. The first one, I think, should be relatively straightforward. I'm just going to go in sequential order here. We didn't talk a lot about the levels. CMMC as a program is Level 1, Level 2, and Level 3. This question comes in and says: how do I know if my organization qualifies for a Level 1 self-assessment versus a requirement to have a Level 2 external assessment? Rolando or Jeanne, do you want to take that really quickly?

Yeah. Go ahead, Jeanne.

Yeah. I can take that. So it would be stipulated in your contract.
If it's not stipulated in your contract, I would suggest you reach out to your Cognizant Security Agency. If you don't have a contract and you're going to bid on a contract, take a look at the type of sensitive data you have within your environment. You can go to the CUI archives, and it will give you a listing in the NARA registry of all sensitive types of data that qualify as controlled unclassified information. You can start there. If you have any sensitive type of data that is considered controlled unclassified information, then yes, you would need a Level 2 external assessment like Matt referenced earlier. One caveat I wanted to mention, Matt, to add on to what you said earlier: there are two different ways that you can get a Level 2 certification. You can still do a Level 2 self-assessment, and then there will be a requirement for the C3PAO for Level 2. That will be listed in your contract as well. But again, it's like what Matt said earlier, it's coming in contracts. It's not codified yet. But according to the DoD CIO website, there is that stipulation that it's either going to be a self-assessment or the need for the C3PAO.

Thank you, Jeanne. Yeah. One thing, I do get a lot of questions around, hey, how do I know if it'll be a self-assessment or not? Again, that will be coming. But if you look at the DoD estimates, it is a vast minority. So a majority of the organizations that will fall into Level 2, again based on the DoD numbers and estimates that they've put out, will fall into a requirement to have a C3PAO come in and do an external assessment. Okay. Another question here. I believe it was Rolando who mentioned something about remote scope early on, so I'll throw this question to you. There's a question from Ken: can you clarify what you mean by remote? Do we need to address employees that work 100% remote? I'll tee it up.
I know that it's going to be the consultant answer of "it depends." Can you touch a little bit on what that depends on?

Yeah. So I think there's a technical answer to that, which will be challenged by the solution that you decide to use. But if CUI is processed by the CPU or in the memory or storage of the endpoint, the device, the laptop that the remote person is using, that device will be in scope.

And we can send over some further information clarifying that. And Ken, if you want to hop on a call, I'm sure either team would be happy to talk through that more. I might just take one more question here. I know that we can go over by a minute, but I want to be respectful of everybody's time. I'll take one more question, and then we'll make sure that we answer all the other ones via email. So last question here: what's more common, generally speaking, setting up an enclave versus relying on enterprise-wide controls slash compliance?

I think it really depends. The numbers might skew, and the scenario is specific for each company. But I would say enterprise-wide is hard, especially if you have legacy systems, systems that don't support the level of encryption that is required by the DoD. So even if it's a subset of the enterprise-wide systems, you're going to gain a lot of acceleration on the process if you exclude certain systems. But I would say in general, what we see is most companies are trying to, not necessarily build an enclave, maybe that's part of it, but at least reduce the scope as much as they can within the business workflows that they have to support.

Okay. Fantastic. Alright. Well, I want to wrap up here. We're a minute over. I want to be respectful of everybody's time. First of all, thank you all so much for joining us.
Rolando, do you want to give a quick overview on Abacode, just really quickly, to close this out and what you guys do?

Yeah. Absolutely. So we are a cybersecurity and compliance firm. We're an MSSP, a managed security service provider, that differentiated itself by providing compliance services. And we're able to take organizations like yours from the uncertainty of whether or not they're CMMC compliant, or what they need to do to be CMMC compliant, all the way to being ready for the audit, provide audit liaison services to support you through the audit process, which in itself could be disruptive, and then keep and maintain the compliance throughout the years as you continue in your journey. That's what we do. That's the only thing that we do. We look forward to having conversations with some of you with regards to our ability to help you with your CMMC journey.

Perfect. Thank you so much. And on our end, I touched on this a little bit, but just a quick overview of A-LIGN and how we might be able to assist here. We're a leading provider of high-quality cybersecurity compliance and assessments. Again, with CMMC, we are a C3PAO. We want to be that independent third-party audit body that would issue your Level 2 certification. We're a top player in the federal space. So if you want to learn more, reach out. You can visit align.com. You can reach out to us directly. We'll send some information. And I just want to, again, thank you all so much for joining us on this webinar today. We hope it was helpful. We'll follow up with any questions that we didn't get to answer, and hopefully we talk to you all again soon. Thank you all so much. Thank you.