Introduction
In a recent webinar, Kyle Lai CCA, the President and CISO of KLC Consulting, sat down with Kevin Hancock, the Director of Solutions at Exostar. During this engaging presentation and Q&A, Kyle and Kevin answer burning questions from DoD contractors and subcontractors. This post distills insights from Exostar’s “Lessons Learned on Certification Assessments – Insights from a C3PAO” webinar, highlighting valuable lessons learned from the CMMC Level 2 Certification Assessment Process.
Current CMMC Rulemaking Process
The CMMC program officially launched on December 16, 2024, with the implementation of 32 CFR. This means that organizations can now schedule assessments with a C3PAO. However, 48 CFR, which will include the actual clauses requiring CMMC in DoD contracts, is still pending.
Key Differences in CMMC
CMMC moves away from the self-attestation model, requiring third-party assessments for CMMC Level 2 and Level 3 compliance. It also defines external and cloud service providers. Cloud service providers must meet FedRAMP Moderate or equivalent standards. External service providers are not required to obtain CMMC certification, but their services are assessed as part of the overall CMMC assessment.
CMMC Levels
- Level 1: For organizations handling Federal Contract Information (FCI). Requires annual self-assessment and affirmation.
- Level 2: Requires a third-party assessment of NIST 800-171 controls. Some organizations may be able to self-assess at Level 2 at the discretion of the contracting officer.
- Level 3: Introduces additional controls beyond NIST 800-171. Requires a DIBCAC assessment every three years.
CMMC Implementation Timeline
The DoD expects a phased implementation of CMMC, outlined as follows:
- Phase 1 (1 year): Level 1 and Level 2 self-assessments.
- Phase 2 (2 years): Level 2 certification required.
- Phase 3 (3 years): Level 3 certification required.
- Phase 4: Full implementation of the program.
The DoD reserves the right to implement CMMC requirements at any point along this timeline, depending on the contract.
Current Requirements
Even before CMMC is fully implemented, organizations with DoD contracts must comply with existing DFARS clauses. The first is 252.204-7012, which requires meeting NIST 800-171 requirements if CUI is received. Additionally, the 252.204-7019 clause requires a self-assessment and entry of the resulting score into the Supplier Performance Risk System (SPRS).
Lessons Learned and Best Practices from C3PAO Assessments
Pre-Assessment Phase
Organizations preparing for a CMMC assessment must provide key documents, including the System Security Plan (SSP), network diagram, CMMC scoping diagram, and asset inventory. It is crucial to ensure these documents are comprehensive and thoroughly prepared to facilitate a smooth assessment process.
Scoping
Accurate scoping is essential, requiring detailed information on all hardware and software assets, clearly categorized. All relevant CAGE codes for the assessment must be defined before it commences. Furthermore, organizations must identify any cloud service providers (CSPs) and managed service providers (MSPs) involved. For CSPs that handle Controlled Unclassified Information (CUI), obtaining the FedRAMP body of evidence and the customer responsibility matrix is necessary.
Documentation
Maintaining accurate and consistent documentation is vital. Ensure that dates on all documents align with the authorization date and the version history. If Governance, Risk, and Compliance (GRC) tools are utilized, the underlying artifacts should also be provided as individual files. To guarantee data integrity and non-repudiation, organizations must hash these artifacts.
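The hashing requirement in the paragraph above (and the retention of the files together with their hashes that Kyle describes later in the transcript) is usually handled with a hash manifest over the evidence folder. The following is an added example, not code from KLC Consulting or Exostar: it builds a SHA-256 manifest of every artifact, hashes the manifest itself so one value can be recorded in the assessment record, and re-verifies the folder later, reporting modified, missing and added files. The folder layout, the requirement-ID file naming and the file contents are constructed for the demo and are not real assessment evidence.

```python
"""Artifact hash manifest: build a SHA-256 manifest over an evidence folder and
re-verify it later, the way an OSC would preserve assessment artifacts."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large PDFs/screenshots are not read whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifact_dir: Path) -> dict:
    """Map every file under artifact_dir (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for path in sorted(artifact_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(artifact_dir).as_posix()
            manifest[rel] = {"bytes": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Write the manifest as JSON and return the SHA-256 of the manifest file itself.
    That single digest is the value to record outside the evidence folder (for example
    in the assessment record); manifest and artifacts are then retained together."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")
    return sha256_file(out_path)


def verify_manifest(artifact_dir: Path, manifest: dict) -> dict:
    """Re-hash the folder and report anything modified, missing or added since the manifest."""
    current = build_manifest(artifact_dir)
    modified = sorted(p for p in manifest
                      if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed sample evidence folder: artifacts named by CMMC requirement ID,
    hashed, then one edited and one added to show what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "artifacts"
        (evidence / "AC").mkdir(parents=True)
        (evidence / "IA").mkdir(parents=True)
        # constructed placeholder artifacts, not real assessment evidence
        (evidence / "AC" / "AC.L2-3.1.1_access-control-policy.txt").write_text(
            "Access Control Policy v2.1 (constructed sample)\n")
        (evidence / "AC" / "AC.L2-3.1.1_account-list.csv").write_text(
            "user,role\nalice,admin\nbob,user\n")
        (evidence / "IA" / "IA.L2-3.5.3_mfa-config.txt").write_text("mfa_required=true\n")

        manifest = build_manifest(evidence)
        # the manifest lives outside the folder it covers so it never hashes itself
        manifest_digest = write_manifest(manifest, root / "artifact-manifest.json")
        clean = verify_manifest(evidence, manifest)

        # simulate a later undocumented edit and an unlisted extra file
        (evidence / "IA" / "IA.L2-3.5.3_mfa-config.txt").write_text("mfa_required=false\n")
        (evidence / "AC" / "unlisted-note.txt").write_text("added after the manifest was written\n")
        tampered = verify_manifest(evidence, manifest)

        return {"manifest_digest": manifest_digest, "clean": clean, "after_tamper": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the clean verification followed by the report of the edited and the unlisted file. In practice you would point `build_manifest` at the folder exported from the GRC tool, store the manifest next to it, and keep both for the retention period; re-running `verify_manifest` answers the question of which exact files were reviewed at assessment time.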
Assessment Participation
Successful CMMC assessments require the participation of all team members responsible for managing CMMC security requirements, which may include personnel from HR and facility management. If a Managed Service Provider (MSP) is utilized, it is imperative to ensure their personnel are available during the assessment to address any relevant inquiries.
Mock Assessments
Organizations should consider conducting a mock CMMC assessment to become familiar with the official process and proactively identify any potential gaps in their compliance efforts. It is important to note that C3PAOs are prohibited from providing consulting or remediation recommendations during or after a mock assessment.
Common Mistakes
Several recurring mistakes can hinder a CMMC assessment. These include inadequate preparation for physical security assessments, failure to adhere to documented frequencies for security practices, lacking or outdated FIPS validation for encryption, time synchronization discrepancies across systems, absence of multi-factor authentication for SFTP, insufficient documentation of specialized assets, poorly documented control inheritance from service providers, unavailability of MSP staff during the assessment, and incomplete network diagrams, particularly concerning software development environments.
Cost and Scheduling
The cost of a CMMC assessment depends on the size and complexity of the organization. It is recommended to reserve a time with a C3PAO as soon as possible, as demand is expected to increase.
Start Your CMMC Level 2 Certification Assessment!
The CMMC Level 2 Certification assessment requires a thorough understanding of the process, diligent preparation, and access to reliable information. C3PAOs like KLC Consulting, Inc. are partners in this process, committed to helping organizations protect sensitive information and meet their contractual obligations. Download our free CMMC Level 2 Readiness Checklist to prepare for your assessment. Contact us to schedule your assessment and ensure your organization is prepared for the evolving cybersecurity landscape.
In this video, we address Lessons Learned from CMMC Level 2 Assessments. We offer #C3PAO insider tips to guide your company through preparing for and achieving #CMMCAccreditation.
Transcript for: Lessons Learned from CMMC Level 2 Assessments
Exostar Webinar: Lessons Learned on Certification Assessments – Insights from a C3PAO
KLC Consulting’s President and CISO, Kyle Lai CCA, was interviewed on Exostar’s monthly CMMC webinar this past week. Watch Kyle’s informative presentation, followed by an enlightening Q&A facilitated by Exostar’s own Kevin Hancock. Learn about the wisdom that C3PAOs like KLC Consulting have gained from completing certifications for companies just like yours.
Key takeaways from the video include:
- Early Preparation: While the DoD has a phased implementation timeline, CMMC requirements can appear in contracts at any point, so early preparation is crucial.
- Subcontractors & CUI: Any subcontractors receiving CUI are also obligated to meet NIST 800-171 requirements and potentially pursue CMMC Level 2 Certification.
- Scoping is Critical: Organizations must clearly define all in-scope assets, including hardware, software, and cloud/managed service providers, and ensure all relevant CAGE codes are identified upfront.
- Having Documents in Order: Proper documentation is essential to the certification process, including a well-developed System Security Plan (SSP) with consistent dates, and artifacts that are hashed to ensure integrity.
- RMF Versus CMMC: While a Risk Management Framework (RMF) Authorization to Operate (ATO) is for connecting to DoD networks, CMMC focuses on protecting CUI within a contractor’s own environment.
In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation.
Exostar Webinar: Lessons Learned on Certification Assessments – Insights from a C3PAO
Introduction
Kevin Hancock 00:02
All right everybody. Let’s go ahead and get started. So thanks again for joining me today. My name is Kevin Hancock, Director of Solutions here at Exostar, and thanks for coming to today’s webinar, Lessons Learned on Certification Assessments: Insights from a C3PAO. I’m joined by Kyle Lai of KLC Consulting, one of Exostar’s partners. KLC Consulting is a C3PAO organization, so Kyle will be doing a large portion of today’s presentation. He’s got an intro slide, so I’m going to wait to introduce him formally, if you will, till we get to his section, but just want to let you know that that’s coming up. Before I dive into the formal content, just a few housekeeping details. Today’s session is scheduled to last 45 minutes to an hour; that does include question and answer. You’re going to be muted during today’s presentation. However, a number of folks submitted questions prior to today’s webinar, and those are the ones we’ll be answering at the end of today’s session. One of those questions is almost always “Can I get a copy of the slide deck?” and the answer is yes. As a follow-up to today’s session you will be receiving the slide deck and a link to a recording of the presentation if you’d like to refer back to any particular section. If for some reason we do have an outage today, just wait for a minute and try to reconnect. You can also use that link you receive via email to try to come back in at any time as well. If at any time you’d like to speak with one of our CMMC experts, or if you have any additional questions, you can reach out to us at CMMC-team@exostar.com via email, or you can come to our website, www.exostar.com. There’s a chat feature there on every page and we’d be more than happy to answer any questions you have via that medium as well.
Current Status of CMMC Rulemaking and Implementation
Kevin Hancock 02:02
So this is the agenda we’ll be covering today. Now, where we are in the current CMMC rulemaking process: hopefully, as many of you will know, 32 CFR (CFR stands for the Code of Federal Regulations) went into effect on 12/16/2024. What that meant is that that’s when the CMMC program was officially launched. It meant that you can now start to schedule assessments with a C3PAO organization. But what isn’t yet in place is 48 CFR, and that is when the actual clauses requiring CMMC will start to show up in DoD contracts. So that’s the one thing we’re still kind of waiting for. Now, just a couple of notes about the rule. Hopefully, as all of you know, the main difference with CMMC compared to the existing programs requiring you to safeguard controlled unclassified information is this move away from a self-attestation model to requiring certain groups, and in this case it’s CMMC Level Two and Level Three, to have a third-party assessment done once every 3 years of their compliance with controls. It also puts in place some definitions around external service providers and cloud service providers. The cloud service providers must be FedRAMP Moderate or FedRAMP Moderate equivalent. And external service providers, who many of you may utilize to implement a portion of your controls or to augment some of your IT staff or do some other functions on your behalf, are not required to obtain CMMC Certification, but their services are assessed as part of your overall CMMC assessment. Now, as we all know, in January a new administration took over, and as is typically the case a regulatory freeze was put into place. That’s probably affected 48 CFR and the actual implementation of that. That regulatory freeze has since expired and 48 CFR is still winding its way through the official channels, but we do fully expect the CMMC program to be put into place.
This was actually introduced under the first Trump administration, and the same people who advocated for CMMC during that time are also in this current administration. So we really do expect this to be put into place, and all indicators, if you will, say that that will happen. Just a review of the different levels of CMMC. We’ve got Level One, Level Two and Level Three. Level One is for those organizations that really only deal with federal contract information, right, FCI, and this is like 63% of those organizations. If you’re one of those organizations then you need to be Level One. At Level One there are 15 requirements. It’s an annual self-assessment and then an annual affirmation that you do those things. Level Two is where you start to see the introduction of this third-party assessment, and it’s an assessment of your implementation of the NIST 800-171 controls; it specifically calls out Revision 2 of that regulation. Now, there is a small portion of organizations which will be able to do a self-assessment at Level Two; that will be at the discretion, if you will, of the contracting officer. When contracts are let, they’ll determine whether or not it’s a CMMC Level Two self-assessment or a third-party assessment. Level Three introduces some additional controls on top of the NIST 800-171 controls. It’s a once-every-three-year assessment as well, but that assessment is done by DIBCAC. And at all levels a senior company official must reaffirm that you do the things that you do on a yearly basis.
CMMC Implementation Timeline and Existing DFARS Requirements
Kevin Hancock 07:12
Now, when CMMC starts to appear in contracts, there is also expected to be an implementation phase in place. This graph I’m showing here is taken straight from the DoD website, their About CMMC pages. That initial phase one, the initial implementation of the program, is expected to last a year, and in that year it’s expected that Level One and Level Two will be self-assessments. After that initial year, that’s when you’ll start to see the Level Two Certification be required. Then after two years we’ll start to see the Level Three Certification required. And then in phase four, after three years, that will be full implementation of the program. Now, the key thing to keep in mind is that bottom bar there: if the DoD determines that there are some procurement contracts, some particularly specific programs, etc. that require it, they do reserve the right to put these CMMC requirements in place really anywhere along this timeline. But at the end of the day it’s going to come down to the contract and the contracting vehicle and what those DFARS clauses are going to require you to sign up for when you sign them. Now, there are still requirements that we all have today if we have a contract with the Department of Defense, or if we’re a subcontractor to somebody that has that, because the DFARS clauses in these contracts flow down to all the subcontractors as well. So if you’ve got that 252.204-7012 clause in one of your contracts, or it’s been flowed down to you, if you receive CUI as part of the contract vehicle you’ve agreed, or if you will you’re contractually obligated, to meet NIST 800-171 requirements if you receive CUI and protect it in accordance with that requirement. If you’ve got the 252.204-7019 clause in your contract, you’ve got to do one more step. Well, it’s actually two steps, I guess.
You’ve got to actually do a self-assessment of your organization, score yourself based on NIST 800-171, and then enter that score that you’ve received into the Supplier Performance Risk System. That’s the SPRS system. As you hopefully improve your score over time, you should enter that new number in the SPRS system, because that is something that contracting officers use when determining who’s going to win a bid. Now, the SPRS system has a number of different things that go into your overall score. It’s not just how you are around cybersecurity, but that is one of the factors they take into effect when awarding bids on contracts. So as I said, there are requirements you have to do today around NIST 800-171 if you have CUI. So this shouldn’t be a surprise to anybody; you should already be doing these things if you’ve got those contracts in place today. So with that I’m gonna turn it over to Kyle and I’m going to let Kyle share out and move the slides at his leisure. So Kyle, take it away.
Lessons Learned from CMMC Certification Assessments by a C3PAO
Kyle Lai 11:03
Great, thank you so much everyone. Really glad to be here. So today we’re going to talk about the Certification assessments we recently conducted. We have conducted five so far, and I’ll share some lessons learned and some mistakes that are taken from these assessments, and also some best practices that you may be able to use as you are preparing for the Certification assessment. And again, my name is Kyle Lai, President and CISO of KLC Consulting. We are an authorized C3PAO. I am a lead CMMC certified assessor. In the past I have worked at DISA as an operations manager, as a contractor over there, and that’s how I got into the DoD side, and I’m really glad to be here sharing the lessons learned. Okay. And as you know, we’re in the DoD space; there are a lot of acronyms. So as Kevin mentioned, the slides will be made available to you, so you will be able to take a look at these acronyms. Okay. Just very briefly, let’s go through the assessment schedule.
CMMC Assessment Schedule with a C3PAO
This is a very common question: what does the schedule look like when you’re starting an assessment conducted by a C3PAO? I cannot speak for all the different C3PAOs out there, but I can speak for ourselves.
So as an authorized C3PAO, we will start our assessment after the contract is put in place. We will start our pre-assessment 7 weeks before the actual assessment date, right? During the initial planning call we are going to determine which week you’re going to conduct the assessment, then we are going to fill in these dates. So seven weeks before the actual assessment, that’s when we are in the pre-assessment phase. We’ll start asking you as an OSC to provide us the system security plan, the SSP, your scoping diagram, your network diagram, inventory, so we want to see if you are ready. So we are going to take a look at the documents that you provide to us. We’re not going to get into detail in terms of doing the actual assessment of the controls, but we want to see if your SSP is 20 pages or, you know, more than 100 pages. If you are 20 pages, then we think you are not ready. If we don’t think you’re ready, we’re not going to start the assessment. Okay, if we know that you are ready, then we’re going to start the assessment phase. That’s when we will work with you to finalize the assessment plan. We’re going to conduct the kickoff, the scoping call, that kickoff meeting, to just have you walk us through your scope, your diagram, your SSP, walk through the preambles so we get an understanding of your environment. And in the meantime we will still ask you to provide us with all the artifacts two weeks prior to the assessment start date. That’s the cutoff. We want you to provide all your artifacts, the support documents, policies, procedures, screenshots, configuration items to us two weeks before, so allow us to do enough proper preparation before the actual assessment.
On-site vs. Remote CMMC Assessments and the Assessment Week
Kyle Lai 14:46
The actual assessment usually takes place either on site, depending on if you have the physical environment in place. If you say everything is all in the cloud, we don’t have anything that’s physical, we don’t handle anything physical, no paper, everything is all VDI, virtual desktop, then we will say okay, we’ll conduct everything remotely. But if you do have some, for example manufacturing, if you do have the physical operation, we’ll go out to visit at least one day during that week. And during the assessment week, we will start with day one of the assessment in-brief. We’ll just go through what we’re assessing, the scope, and every day during that week we’re going to have a daily checkpoint to let you know at the end of the day if there is anything that’s trending met or not met. And some of the simple ones you may have an opportunity to correct. After the assessment week, the last day of the assessment week, you will pretty much know if there is anything that’s trending not met. If there is anything trending unmet, you will have 10 business days to provide additional artifacts or just to correct these not-mets, providing that these controls, these requirements, if they are identified as not met, are not impacting other controls; they will allow you to correct those not-met items. Okay. And two weeks after the assessment completion, that’s when we will provide the out-brief. We’ll give you the out-brief, and also we have to start documenting the document that we have to submit to DoD. And within 30 days we’re going to submit these assessment results to the DoD eMASS system, and then we will generate, if you meet all the requirements, the conditional or final status. We’re going to go through what that means in the later slides.
But if you meet the conditional or final status, then we as a C3PAO will issue the certificate, and you will receive it within 30 days of the assessment completion. So that’s just an overview of our process.
Understanding CMMC Level 2 Conditional and Final Status
Kyle Lai 17:28
Okay. And these are the seven different statuses, right? And usually these statuses are defined because in the contract you will see what are the minimum requirements for the status you must achieve. We’re going to focus on number four and number five, because these are the Conditional Level Two C3PAO status or Final Level Two status. If you’re in the Conditional Level Two status, that means you have some plan of action and milestones. You have some deficiencies that are allowed under CMMC, and then you will have 180 days to perform the POA&M closeout assessment, before 180 days. So if you successfully close out these deficiencies, and these deficiencies you can actually change from unmet to met, then we as a C3PAO will give you a new certificate saying that now you have achieved the Final Level Two C3PAO status. Okay. And the minimum status, yeah, will be specified in the DoD contract. So that’s how you know what level is required.
What CMMC Assessors Look For: Utilizing the DoD Playbook
Kyle Lai 18:52
Okay. And a lot of questions about, hey, what are the assessors looking for? What do you assessors look for? So we provide the playbook. This playbook was originally developed by DoD, their audit organization DIBCAC. So we modified it a little bit to make it our own, and you will be able to download it from our website. In this playbook it’s very easy to read; the design is in plain English. So it will be a lot more clear to the OSCs; it helps you to do the preparation, because you will know what we as a C3PAO, as the assessor, are looking for. So feel free to take a look. Okay, and let’s go through some best practices.
CMMC Assessment Best Practices for OSCs
These are things that we learned from our assessments. Okay, so during the pre-assessment phase, if you’re an OSC, you just need to make sure that you have at least the SSP, network diagram, CMMC scoping diagram and the asset inventory provided to us so we can see if you are ready. Like I said before, if you are not ready, if we see these documents are not in good shape or they are just inadequate, they are not sufficient, we are not going to move to the assessment phase.
The Importance of Accurate CMMC Scoping
Kyle Lai 20:37
Okay. And let’s take a look at the scoping. Scoping is very important, right? So when we are looking at your scope diagram, when we’re looking at your asset inventory, we need to understand that you listed out in detail all the hardware and the software, and that with the asset category labeled for each asset. Right, so that means the assets that you have there are falling into five different categories: CUI assets, security protection assets, contractor risk managed assets, specialized assets, and some of them are listed but have to be out of scope. We want to know that too, right, out-of-scope assets. So it has to be clear to us, so we will be able to understand what’s in scope and what needs to be assessed. And also, this is also very important: if you have multiple CAGE codes that want to be assessed within one certificate, you must have all the CAGE codes defined before the assessment starts. Right, and once the assessment starts, we already start assessing and these are the scope. It’s all locked in. It will be hard to change the CAGE codes after the assessment starts. So just make sure that you have the CAGE codes defined before you start the assessment. And also the reason is that we have to submit the pre-assessment form, the information, to DoD eMASS. So once we submit it we don’t want to change it. Okay. And also the CAGE code.
Let’s dig in a little bit about the CAGE codes. All the CAGE codes that are going to be under the one certificate, you need to make sure, on the OSC side, that the CAGE codes have the same highest level owner, HLO, right? And that is because the SPRS system does not recognize CAGE codes that are not under the same highest level owner hierarchy. Okay. And also just need to make sure that you identify the cloud service providers and the managed service providers, right; they’re within your scope, you need to identify them. For cloud service providers, CSPs that store, process or transmit CUI, they’re considered CUI assets. For cloud service providers that handle CUI assets, you, the OSC, will need to obtain the FedRAMP body of evidence and customer responsibility matrix, and the reason is that you most likely will inherit some of these controls, and we will need to verify that the controls that you are inheriting actually meet these security requirements. Okay. And also the documentation. This actually is pretty often a little bit minor, but this happened quite frequently: the documentation is authorized, but the dates on the documentation don’t match the authorization date, and the date in the history, for example version history, doesn’t match. Right, so it’s minor, but this is something that when you are preparing your documents, just make sure that dates all match up. Okay. And the OSCs, if you use GRC tools, there are several GRC tools out there that you will be able to use to keep track of, to document your SSP controls, security requirements, your policies, procedures, artifacts. We still want to have these artifacts saved in files, right, and the reason is that we need to have the artifacts in individual files so we will be able to confirm what version of the file, what information, what files we actually observed during the assessment. And also
there is a requirement under the CMMC program rule, 32 CFR Part 170, that OSCs must hash the artifacts. Hash means to take a signature of your artifacts that you provide. You need to take a hash to preserve the integrity and the non-repudiation of the file, and then you have to save the file and the hash for six years. So if there are any questions, there is not going to be any doubt in terms of what files, what information, we actually reviewed at the time of the assessment. So it’s important, when you are using the GRC, to also output the files and provide that as artifacts to the assessors.
CMMC Assessment Process: Artifact Management, Participation, and Mock Assessments
Kyle Lai 26:20
Okay. And also this is more for assessors. As an assessor, we like to make sure that it’s easy to find the artifacts, the support documents, that associate with each security requirement. Right, so if you provide support artifacts to us during the assessment, make sure that you label each document that you provide with the CMMC requirement number. Make it easy for the assessor, because if you make the assessment a little bit easier for the assessor, make the files easier to find for the assessors, the assessment will go a lot more smoothly and maybe a little bit faster. Okay. And also, the assessment: who should participate? Team members that manage the CMMC security requirements should participate, and that means that if you are preparing for CMMC, it’s not just IT, right; there could be your HR for the personnel security, there might be your facility people for physical security, so you need to coordinate. If you use an MSP, managed service provider, you want to make sure that MSP personnel will be available during the assessment, because sometimes we do see that we need some information but the MSP staff are not there; they are not available during the assessment week. So it makes it a little bit difficult, and there might be some delay on the assessment results. I also want to cover a little bit about the mock assessment.
Mock assessment is something that’s offered. It’s pretty common and also allowed under the CMMC assessment process by the Cyber AB. Why does the OSC choose to do a mock assessment? Because it is kind of like a practice assessment, a practice test, right, and it’s conducted by a C3PAO, by the certified assessors, the lead assessors. So everything is all pretty much the same, except we don’t submit the results to the eMASS system at the end. But the mock assessment is a practice test, right, so it will allow the assessors, if there are initial gaps, deficiencies, they will be identified during the mock assessment. So what are the benefits? The benefits are that you, the OSC, become familiar with what the official process looks like, because we do follow the official process, right, and also you will have the opportunity, if there are any deficiencies, to correct them before the final assessment. The only thing that we cannot do as a C3PAO is that we are not allowed to provide consulting or remediation recommendations during the mock assessment or at the end of the mock assessment. We cannot provide any consulting, and that is because we as a C3PAO, if we want to conduct the official Certification assessment, will come back as an impartial assessor to conduct the Certification assessment. So just want to cover that. And companies that have gone through the mock assessment before the official certification assessment actually have better results.
Common Mistakes in CMMC Assessments: Preparation and Compliance
Kyle Lai 30:30
Okay. I want to cover some common mistakes that we have seen during our assessments. So, inadequate preparation. This especially happened during the on-site physical security assessment. I think there usually is a sense of “we don’t know exactly what you’re going to see,” so they are not really well prepared; some of them are not well prepared. But again, I mentioned the playbook for the assessors; that playbook that we made available to the OSCs will have a list of 18 controls, 18 assessment objectives, that we are going to conduct during the physical walkthrough. So it will list very clearly what we’re looking for. The second one is the failure to follow documented frequency. So if your policies or procedures or SSP say we are going to do this monthly, make sure you do it monthly, because if you say you are doing it monthly but you’re coming up with something a little bit different: you can do it more frequently, but if you say monthly and we only do this quarterly, then there will be a gap, and that may make that control not effective. Right, so just want to make sure that you follow the frequency that you defined.
CMMC Compliance: Encryption, Synchronization, and Authentication
Kyle Lai 30:30
Missing or expired FIPS validation: that is still pretty famous, right? For the certification, you know you need to use a validated encryption mechanism, that's FIPS 140-2 or 140-3 validated. Some of these tools, if they just don't have any FIPS validation, then you cannot use them, or it will be identified as a deficiency. If you have a firewall that actually has a FIPS 140-2 validation, but it expired because they had a version upgrade, in that case the very latest version of the CMMC assessment guide already provides, and also 32 CFR, the CMMC program rule, states that if you have a firewall, let's just say equipment, that already has the FIPS 140-2 validation but now the vendor is working towards getting a new validation for the next version, you can put this deficiency as an operational plan of action, which is different from the plan of action and milestones. So it's no longer a deficiency; this is something that you are working to resolve, but this is the operational plan of action. This is the CMMC-specific term, but you want to look into that. So if you have anything that is expired, the FIPS 140-2 validation is expired, you can still use the operational plan of action, and if you have the operational plan of action in place then this control can still be determined as met. Okay? But you just need to make sure that you are using equipment that, if it requires the encryption, has a FIPS validation at least once. Okay. Time synchronization. There's NTP; you just need to make sure the systems, servers, laptops, firewalls all synchronize to the NTP time source. But once in a while we'll actually see that different systems are using different time sources, and at the end you have to prove that you are using the same time source, and the logs actually will document the same time. When they're looking at the audit trail, when there is any incident, you can actually see what your logs, the audit trail, have to show: the logs and the entries with the actual time, and you will be able to synchronize the time. So the time source is going to be important and you need to make sure they are synchronized. SFTP, secure FTP, is kind of popular out there as a tool for collaborating with your customers, with the OSC's customers, for the larger files. However, a few times we already saw that the multifactor authentication is not enforced. So you need to make sure they do have the capabilities; for some of the SFTPs you just need to make sure that those are enabled.
CMMC Documentation: Assets, Inheritance, and MSP Staff
Kyle Lai 36:31
Okay. Specialized assets, contractor risk managed assets, or specialized assets: if you are a manufacturer you will see this quite often. You just need to make sure they are documented, how you protect these assets, contractor risk managed assets and specialized assets like OT, IoT. How you protect them, document that in the SSP. We're not going to test it; assessors are not going to test it if you go for Level Two, but it still has to be documented. Okay. Inheritance: if you use a cloud service provider or managed service provider, if you are inheriting some of these controls, you have to really document them, you know, at the control level: is this control inherited or not? You have to document it, so make it easy for the assessor to understand if the specific requirements are inherited, and if they are fully inherited, partially inherited, or not inherited. Right? Make it clear. And if there is an inheritance, then make sure you have the evidence to be able to provide to the assessor, like we talked about: the FedRAMP body of evidence and the customer responsibility matrix. Okay. And this is what we just talked about, the MSP staff: just make sure they are available, because sometimes we were not able to talk to the people. We can reschedule, I mean we are flexible to be able to reschedule for the MSP, but just make sure that the MSP staff are available to answer questions during the assessment week. Okay.
CMMC Network Diagrams: Software Environments
Kyle Lai 36:31
And also, this one we have actually already seen a few times: companies' IT network diagrams are beautiful, right? But now, when we ask, do you custom develop some software that could be handling CUI, a couple of them say yes, we have. But where is that on the network diagram? It's not there. So we really have to make sure that if you're a software development organization, if you are developing some software that is used to handle CUI, then you must include the software environment in the network diagram. And I understand that the software environment sometimes is not handled by IT, and that's why the IT group has to work with the software development group or software security group to get that information into the network diagram, because otherwise it's not complete. Okay. And when we are talking about the software environment, we could be talking about the web application firewall, load balancer, your key vault, or some of these, or like a web server. So we want to make sure that, maybe not the software development environment, but the software production or the software support architecture is also included in the network diagram.
CMMC Assessment Costs and Quote Tool
Kyle Lai 40:07
Okay. And several OSCs are asking what the cost for the assessment is. So the cost really depends on the size, complexity, how many sites we have to go out to visit. So it all depends, so what we have done is make this instant quote available. You can just fill in the information about the size, that's the number of sites and the number of people in the organization, and that information will give you a quote; you'll be able to see what the cost is. And that's the end. We'll leave some time for Q&A.
Webinar Feedback and Exostar Solutions
Kevin Hancock 40:55
Great, thanks Kyle. And just to remind everybody, you're going to get the slide deck, so you'll get Kyle's sheets and web addresses, etc. So feel free to use the barcodes and look at the stuff and get that idea of what it's going to cost your organization. Let me share out here. All right. So as we wrap it up today, we're going to push out a poll to everybody. We would appreciate your feedback. We use this poll for a couple of different things: A, just to find out how we did today, but then we also ask if there are additional topics, particular areas, etc. you'd like to focus on, which allows us to tune these webinars for your needs. This is a monthly series that we do just to educate the overall DIB on CMMC topics. So that's what we use this poll for, so we appreciate your feedback on that. So we're going to dive into some Q&A now, but before I dive into the first questions, just to let everyone know, Exostar has a number of solutions around CMMC. We have solutions that help you manage that overall CMMC program and get ready for that assessment.
Our Policy Pro application has policy templates that allow you to customize those for your organization. It then has an AI algorithm that will grade those and give you feedback on those. If you've got policies and procedures in place that you've used for other certification programs, for example if you're using ISO 27001 or something like that, you've already got some controls in place for certain things; you can use that AI editor to read those through and determine what you might need to tune those for CMMC. Certification Assistant is a GRC tool that's particularly tuned to CMMC. It allows you to manage an overall CMMC program. So it goes through and allows you to do a self-assessment on each of the 110 controls. If you don't have a control in place, it allows you to create a POA&M and develop a plan to address that particular control. It allows you to set tasks against those, recurring programs, etc. It provides you that SPRS score on a running basis as part of the dashboard to see how you're doing. If you're looking for a solution to store, process and transmit CUI, Exostar's Managed Microsoft 365 is a solution up in Microsoft's GCC High built on top of the Teams environment, which provides that enclave to store, process and transmit that CUI. And then we have a number of third parties and partners like KLC who can do everything you need around those different services that are around CMMC as well.
C3PAO Selection Criteria
Kevin Hancock 44:09
So with that, let's dive into the questions. So Kyle, I'm going to ask you the first one here. So what should a company look for when they're looking for a C3PAO?
Kyle Lai 44:24
Yeah. So first of all, not all C3PAOs are created equal, because it all depends on the experience of the lead assessor and also the industries they focus on. So for example, we just talked about the software industry: if you are a software developer creating software for DoD, you might want to look for a C3PAO with a lead assessor that has experience assessing, understanding software development and understanding how to assess software. If you are a manufacturer, you want to find a C3PAO that's familiar with your industry. If you are a manufacturer, you don't want to have an assessor go in and say, so what is the CNC machine? Right, because that would be pretty bad; they don't understand your industry at all, and it will be a problem. So yeah, I think that's the good thing. And you also want to just compare a few C3PAOs and make sure you find one that suits your business.
CMMC Assessment Scheduling Lead Times
Kevin Hancock 45:39
Absolutely. Okay, so for number two, and since you've got the tool on the website as well, and you're currently scheduling these and running them out: what's the current lead time for scheduling the readiness assessment for C3PAOs?
Kyle Lai 45:54
So I think right now what we're seeing is that there are about 64 C3PAOs, so there is availability. For KLC, we're about 60% full in terms of this year's capacity. I think we're going to hire more lead assessors in the second half, but right now I think we still have the availability. However, as you mentioned, Kevin, there are some contracts that we saw, for example Army MAPS, where there is already a requirement that either you have the CMMC Level Two certification or you show proof that you have scheduled a CMMC Level Two assessment with a C3PAO. So when the 48 CFR rule is finalized and the Army MAPS or the other RFPs drop with the requirements, I think we'll see a flood of OSCs requiring scheduling for the assessment. So you probably want to at least reserve a time with the C3PAO, because we definitely expect there is going to be a floodgate open when 48 CFR and the different RFPs are coming.
Determining if Received Information is CUI
Kevin Hancock 47:28
Absolutely. And just a reminder to everyone of Kyle's presentation: on one of his first slides, where he gave you kind of the timeline for the CMMC assessment, there is a lead time for that. There's an exchange of information, there are various scheduling calls, etc. So it's not one of those things where you can arrange for somebody to come out next week to do your assessment. There is lead time also once you've scheduled the assessment to get involved. So just take that into consideration as well.
Kevin Hancock 47:58
Yep, yep. For us it is seven weeks prior to the actual assessment start date. Yep. Okay, so for number three: as a subcontractor to a major DoD prime contractor, how do we know if any information we receive is CUI? Yep. So this is a very common question. Yes. So if you are a subcontractor, you really have to get the information from your prime contractor. So it depends on the information that you receive from the prime. You have to discuss, have that discussion with your prime contractor. If you feel that, hey, they are forcing me to get the CMMC Level Two but we only receive FCI, have that conversation; maybe you just need to have Level One. But yeah, if you are receiving CUI, you need to get the CMMC Level Two certification.
Kevin Hancock 48:58
Yeah, and I just want to reemphasize what Kyle said there: if you're unsure, please ask the contracting officer that you're dealing with, and if you have any questions about it, please bring it up to them and work that out.
CMMC and FedRAMP Requirements for Cloud Service Providers
Kyle Lai 49:13
Yes, absolutely.
Kevin Hancock 49:16
So number four: can you please elaborate on the status of FedRAMP requirements handling? Yeah.
Kyle Lai 49:24
So FedRAMP requirements are only for cloud service providers that either store, transmit, or process CUI information. So if you have the CUI, the cloud service provider must have the FedRAMP Moderate or FedRAMP High certification to operate.
Kevin Hancock 49:53
Great. Because we actually had a few of those kinds of questions come in, so just know the difference between what's actually processing and storing CUI and what is one of the security protection assets, because there are cloud services that are doing those things as well. So just understand where that cloud service you're utilizing falls into that overall assessment.
Kyle Lai 50:17
Correct. And if you are interested in figuring out, hey, am I actually using a cloud service provider or a managed service provider, there's a clear definition that you can take a look at from the CMMC program rule or NIST 140, sorry, NIST 800-145; that's where it defines the cloud services.
48 CFR Status and CMMC Compliance Statement Details
Kevin Hancock 50:42
Yep. Okay, so number five: how and where can we check for the status and approval date for 48 CFR? Now, I will caveat this to say I get most of my information from LinkedIn, but I'll let you answer, Kyle, as well.
Kyle Lai 51:00
Yeah, there is a lot of speculation right now because it's not really defined right now. We are in the proposed rule. So I think the word on the street, or from the Cyber AB, is somewhere in the summer, maybe July, August. That's our best guess right now, but obviously we don't know the exact date.
Kevin Hancock 51:43
Yep. All right, so before we answer the last few questions, I just want to again provide some additional information. So again, you'll get the slide deck; you'll be able to refer to this stuff and get some additional information as you need it. So as we continue on with the questions: how detailed do my compliance statements need to be?
Kyle Lai 51:47
Yeah, we cannot really tell you how detailed it needs to be. We will say, as an assessor, when we are going to look at the system security plan, I want to be able to see, when you are describing your controls, that it's meeting every single assessment objective; it satisfies every single assessment objective. I have to be able to check off every assessment objective that you have met; then the entire control, the security requirement, is met. So that is the minimum requirement. So as long as you cover the individual assessment objectives, you're good.
Kevin Hancock 52:36
So it doesn't have to be too long; just make sure you cover all the assessment objectives. Right, and it's those assessment objectives, I think, that are the key. There are 110 controls, but within each of those controls there are assessment objectives that are, if you will, the detailed things that you need to do to meet that requirement. And I think there are 320 of those if you go through and count all of those across the 110.
Kyle Lai 53:00
Yeah, usually they go from A, B, C, D. Those are the assessment objectives.
C3PAO Auditor Availability and Company Compliance Dates
Kevin Hancock 53:05
Yeah. Okay. So I've heard there aren't enough auditors to handle all the companies that require it. How does that affect the company's compliance date?
Kyle Lai 53:14
Again, I think right now, if there are not enough auditors to handle it, then you will be put on the backlog. So just make sure that you reserve a date with a C3PAO if you are close to being ready. I mean, we are taking some reservations until February 2026 right now. So yeah, some companies are reserving their time because they know there's going to be a flood of OSCs coming.
Kevin Hancock 53:45
Right, and keep in mind, DoD knows this. It's why they have that phased implementation plan in place already. So when it does take effect, it's going to be implemented over phases. But it will, I'm sorry, it will depend on the contract itself.
Kyle Lai 54:06
Correct, and also I think other agencies are also mentioning, hey, you need to meet NIST 800-171, or if you have a CMMC you're good as well; NASA actually has those kinds of statements put out.
Kevin Hancock 54:26
Right. NASA, DHS recently did something around CUI and NIST 800-171, so DoD has similar. So this is becoming more prevalent across the government space.
CMMC Certification Costs, Timelines, and Encryption Requirements
Kyle Lai 54:36
Absolutely. Yeah.
Kevin Hancock 54:39
So back to the question we always get: how much does a C3PAO charge and how long does a CMMC certification take on average?
Kyle Lai 54:47
Yep. So I think we already went through these: the schedule is about seven weeks, and I provided the quote tool, so you'll be able to check it out.
Kevin Hancock 54:49
Great, thanks. So if we keep CUI within the protected environment, do we still need to have FIPS validated encryption?
Kyle Lai 55:06
Yeah. So if we are talking strictly, looking at the CMMC assessment guide, if you have a system that requires encryption, and they are within your physical environment, within your boundary basically, then it's protected, and then you do not need to have the FIPS validated encryption. It needs to be encrypted, but it doesn't have to be FIPS validated. So we just need to look at the CMMC assessment guide.
RMF ATO vs. CMMC and Determining CMMC Level
Kevin Hancock 55:45
Okay, so number 10: I have a Risk Management Framework ATO. Do I still need to get CMMC?
Kyle Lai 55:52
Yes, because an RMF ATO is to make sure that your system, when you plug in to the DoD network, has the authorization to operate, to be put into the DoD network. That's the DoD network we're talking about. CMMC is to certify that you are meeting NIST 800-171, which means that you are handling CUI within the contractor's, your own, network. So there's the difference.
Kevin Hancock 56:23
Right. Everyone, please understand what NIST 800-171 is. It's guidelines to store and process controlled unclassified information outside government systems. That, if you will, is the formal title of NIST 800-171: non-government systems. So that's why it's about your environment.
Kyle Lai 56:45
Yep. Absolutely.
Kevin Hancock 56:48
So how do I know what CMMC level I need to be?
Kyle Lai 56:53
Yeah, I think we already covered this a little bit, but this will be specified within the contract, RFP or RFI solicitation, which will be very specific on what CMMC level you need to be. And also, if they allow the conditional or final status, it will specify in terms of what certificate or what level you need to be to bid on the contract, or what you need to have before the actual contract award date.
Conclusion
Kevin Hancock 57:25
Absolutely. Great. Well, I think we timed this beautifully; we're right at the top of the hour. Kyle, I want to thank you so much for joining us today. Everyone, thanks for your attendance, and as I said, this is a monthly occurrence. Please feel free to join us next month for the next topic. We have a number of these throughout the month as well, about Exostar products as well as other CMMC topics. So thanks again for joining us, Kyle. Again, thank you so much for being here.
Kyle Lai 57:56
Great. Thank you, everyone. Thank you.
Kevin Hancock 57:59
Take care, all.