CMMC 2.0 Scenarios & Strategies for OSCs

Every Organization Seeking Certification (OSC) finds itself in unique, but common, scenarios as they prepare for the Cybersecurity Maturity Model Certification (CMMC).

Kyle Lai of KLC Consulting and Carter Schoenberg of SoundWay Consulting, join Cuick Trac’s Derek White to discuss the following:

  • Changes from CMMC 1.02 to CMMC 2.0
  • Challenges facing OSCs
  • Common scenarios and what OSCs can do to find success under CMMC.

Derek White (Cuick Trac) (00:00:03):

Hello everybody. And thank you for joining us today for what will be a great conversation regarding common scenarios organizations seeking certification, find themselves in as they look to implement and prepare for CMMC.

The goal of today’s discussion is to help provide tangible information and takeaways from some of the top subject matter experts who have very impressive backgrounds in helping OSCs ready themselves for success under CMMC OSCs do come in all shapes and sizes. And though some scenarios across the DIB are very common.

No organization is the same. So what we thought, what better way to provide OSCs with some solving of problems and some other common scenarios that they’re going through than to have two people who are highly qualified and have a great experience and different perspectives on recommendations and how to get OSCs, where they need to be before CMMC is here officially, and people are looking for solutions. With that said, let’s talk a little bit about who these individuals are.

Derek White (Cuick Trac) (00:01:12):

So first off we have Kyle Lie with KLC consulting. So now I will say, Kyle I did print off both of your bios here because it is very impressive and I want to make sure that I represent these correctly.

And so Kyle is the President and Chief Information Security Officer of KLC consulting, a CMMC C3PAO candidate company. He’s also a CMMC registered practitioner pending provisional assessor and provisional instructor as well. Kyle continuously assesses an architect’s NIST 801-171, and CMMC compliance solutions for the defense industrial base, especially in the aerospace and manufacturing industries.

Kyle has over 20 years of cybersecurity experience serving as a security advisor to fortune 500 companies, and the United States Department of Defense. Kyle was a former CISO at Pactera and Brandis University, Heller school. He was also an Operations Manager for DISA cybersecurity portal, which is the predecessor of and a consultant to a number of defense industrial-based suppliers.

Derek White (Cuick Trac) (00:02:19):

Kyle has consulted for ExxonMobil, zoom, DISA, Boeing, and the list is pretty long and impressive. As cybersecurity experience spans security strategy policies, program management, vulnerability management, penetration testing, incident response, business continuity, regulatory compliance, application security, and third-party risk management.

Kyle is the creator of smack Mac address changer software, which over 3 million users have downloaded globally to test and address security and privacy issues. Kyle holds the top security and privacy certifications, which include CISSP, CSSLP, CISA, CDPSE, CIPPUS, CIPPG, ISO 2701 lead auditor. So again, very impressive background there, Kyle.

So if you want to just share for a couple of minutes on who KLC is real briefly and how you guys are helping the industry and people in this industry, then we can move on from there.

Kyle Lai (KLC Consulting) (00:03:21):

Thank you very much. At KLC, we focus on helping small and medium-sized companies the organization seeking certification from the CMMC. So we have focused on this area for the last couple of years.

That’s all we do. We really want to help the small companies, because they have a lot of challenges when it comes to NIST 800-171 and CMMC. So really glad to be here. Thank you.

Derek White (Cuick Trac) (00:03:51):

Awesome. Thanks for being here, Kyle. All right, next up, we have Carter Schoenberg, who is the Vice President of Cybersecurity at SoundWay Consulting, which is a registered provider organization or RPO and certified third-party assessment organization, or C3PAO candidate Carter is a certified information system security professional, and registered practitioner with the CMMC recently completing training for certified CMMC professional, which is CCP as he awaits his exam in 2022.

Carter has over 28 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, cyber risk management, and cyber law. His past work includes comprehensive assessments of US Government contractors to align with what are now formal requirements set forth by the Department of Defense, including NIST 800-171. And now the Cyber Security Maturity Model Certification.

Carter has performed over 25 independent conformance assessments of small and medium sized businesses pertaining to CMMC 2.0 and NIST 800-171. He has also been involved with over 30 authorizations to operate, or ATOs, on behalf of the United States department of Homeland security. His experience was featured at Mieters quarterly cybersecurity supply chain risk forum at the request of DOD and DHS.

So again, very impressive background. Thank you, Carter for being here as well. Take a few minutes, let us know a little bit about SoundWay and what you guys do.

Carter Schoenberg (SoundWay) (00:05:26):

Absolutely. First off Derek, thank you very much for letting me be able to attend the session with you and Kyle. Soundsway Consulting is technology and management consulting firm. We’ve been around for a little bit over a decade.

Our core business has been in support of the US Intelligence communities with mission support it and cybersecurity for the past year and a half. We’ve had a core focus on the B2B service sector where we’ve been helping small, and medium size government contractors become ready for CMMC 2.0.

We provide a limited range of professional and managed services, and we’re very fortunate to be able to be here today to address some of these challenges that we’ll be covering in today’s session.

Derek White (Cuick Trac) (00:06:09):

Thank you, Carter.

Derek White (Cuick Trac) (00:06:12):

Moving on, we’re going to cover the agenda for today and why we’re here. So we’re going to cover some, some very high-level changes to CMMC 2.0 that aren’t so much the changes that originally came out when it went from version 1.02 to 2.0, but maybe some more recent changes and maybe even some things that have been said that seem to be changes.

That will be things that we can prepare for and be ready for in the very near future. And we’re also going to get into some of the challenges that are facing OSCs.

There are many challenges in different areas, as we mentioned at the beginning of this discussion, but we’re going to highlight a few that are very common as we’ll, then be able to then transition into some of the scenarios that some of you might find yourselves in as an organization looking to have success under CMMC and talk about some of those common scenarios and what to do.

Derek White (Cuick Trac) (00:07:06):

Having somebody like Kyle and Carter just having an open discussion on some of those scenarios is just that just trying to help the DIB and help the OSCs come to some confidence.

And that’s a big thing that we all talk about is giving the confidence back to the DIB and OSCs in order to make the right decisions to go down the right path and be successful under CMMC.

So some of the changes from CMMC 1.02 to CMMC 2.0, and one of the first ones, and I’ll kick this one over to you is that the DODs doubling down and have said more things on dates and timelines. Do you want to touch on that for a couple minutes?

Kyle Lai (KLC Consulting) (00:07:47):

Yeah, absolutely. So CMMC, they were released in November, 2021. And that’s when, you know, people are really guessing, like when it’s actually going to be released, because they’re actually going through the rule making process right now. For the latest information we got from the Director of CMMC, Stacy Bostjanick, has indicated that the date is going to be around March or may because that, I mean, I will say, you know, May, 2023 followed by 60 days of public comment, timeframe.

But as you can see, you know, in the past they usually release the new version or guidelines in the November timeline. I am expecting that they will kind of doing the same thing because the new the new fiscal year starts in October 1st.

So most likely they’ll release, sometime in October, November, 2023, that’s my guess. But official date that was given is July, 2023, that’s when the rule making should be done.

Derek White (Cuick Trac) (00:09:00):

Right. And that’s, that’s a very, very good way to recap that. And, and we all know that one of the challenges, and we’re not going to talk about this one today, is that a lot of people have, have waited to see how this is going to play out.

And we all know that you could, we could talk about that all day and why that’s not a great path, but it is getting closer and we already are here in the, in the spring/summer of 2022.

So definitely something worth noting of change. Second change is some of the expectations that I think we’ve been hearing about, some of us in the industry have anticipated, and are starting to get a little clearer on. And that is a revision to NIST 800-171 to revision three Carter.

Do you want to talk a little bit about what that might look like and some of the things that seem to be kind of aligning from that standpoint?

Carter Schoenberg (SoundWay) (00:09:46):

Yeah, certainly. So and again, just kind of recapping some of the differences between 1.0 and 2.0 for CMMC while both had incorporated this NIST 800-171 protecting control and classified information and non-federal systems and organizations.

The challenge, and the biggest difference between 1.0 and 2.0 was the redaction of other framework requirements such as Carnegie Mellon’s resilience, maturity model. However, having said that there has been some I’ll say spirited debates in our own ecosystem about what does that really mean?

Because even though you’ve redacted the requirements for certain RMM, there are inherently some similar requirements, not in the base controls, but in the appendix section of NIST 800-171 current, which is revision 2.

At SoundWay, what we anticipated is going to happen is that through some lessons learned over the course of the past couple of years, and probably in no short measure by a recent report that was released by the GAO (Government Accountability Office), as it stands right now in the current revision NIST 800-171, the government has made some assumptions in terms of what corporate Americana or any corporate enterprise actually does, which includes the presumption of having existing policies and procedures.

Carter Schoenberg (SoundWay) (00:11:20):

So while it’s a presumption, it is not necessarily a specific line item that is being called out to be reviewed against other than high-level guidance. From the assessor’s guide. Where we believe is going to evolve, is similar to what we’ve seen previously NIST 800-53, between Rev. 4 and Rev. 5.

In NIST 800-53 Rev. 4, you had an appendix section that had a whole slew of privacy controls. And then in Rev. 5 Privacy controls went from an appendix section into an actual formal control in the body of that document. We feel very strongly that this is going to be a strong probability in Rev. 3, Where these particular controls that are highlighted in the appendix section will actually be formalized, or ratified, in the core body of controls that will be required to be assessed by an independent assessor.

Derek White (Cuick Trac) (00:12:20):

Perfect. Yeah, I mean, that’s, and there’s, there’s timing too, that goes into that right on when we expect to see those revisions based on some of the rule making, and some of that in place too.

Thank you for covering that for the third change. Carter, I’ll go back to you on this one. We talked about this in the past, and we talked about this at length the expectation around the RFIs when, when those come out and, and the timing on when that would happen and how that’s going to be a big change and how that will even be a concern in some places.

Talk about that a little bit from the validation side from a C3PAO.

Carter Schoenberg (SoundWay) (00:12:56):

Certainly and I will go ahead and speak from firsthand experiences with us even undergoing an assessment internally. So a couple of years ago when CMMC was being launched and its infancy, what was being socialized was a timetable of six months.

That timetable of six months was basically presumption, again, by the government, albeit incorrectly that 180 days is approximately what it would take an organization starting from scratch to build a program that is adequately prepared to undergo a third-party assessment.

I think it’s important for the viewers of today’s session to understand, as you may reference to previously supporting ATO efforts for Homeland security.

Systems that were already ATO when they’re coming up for renewal, they’re given a six month window for preparation and that’s for a system that is already ATO. So the notion of a six month window starting from scratch to finish was a little bit of aggressive of timeline in my professional opinion.

Carter Schoenberg (SoundWay) (00:14:02):

And I do believe that when new RFIs are coming out where CMMC is going to be specified as a, as a line item requirement, when the RFP or RFQ is actually dropped. And again, with an anticipation of about a year from now, it’s important for the government to understand two things.

One, what is based on historical track averages from real-world scenarios, how long is it taking the majority of organizations to become (1) adequately prepared to be able to meet these requirements for CMMC, whether it’s level one, level two, but more specifically (2) for level two, because you inherently have a dependency on a moving part that you as an OSC have no control over.

And that is the schedule availability of the C3PAO. So even if you are ready to go right now, that doesn’t necessarily mean that you’re going to be able to be independently evaluated by a C3PAO for weeks, potentially months, just because of the supply and demand at this point.

While the number of C C3PAO has increased there is going to be a challenge with the number of assessors, again, just supply and demand issue.

Carter Schoenberg (SoundWay) (00:15:20):

The accreditation body is working towards ramping that level up. So individuals like Kyle and myself will have the blessing to be actual assessors. And that should hopefully free up a little bit more of an opportunity in the marketplace.

But when you look at historical averages of when a solicitation is released to the time of actual award, it’s usually somewhere between four and six months. So again, as, as you made reference to Derek at the onset, we’re already pushing in June and these timetables are going to become more and more compressed as organizations seeking certification kick the can month after month after month.

Derek White (Cuick Trac) (00:16:01):

And that’s a great, and that’s a great transition into some of the challenges that we’ll get into, but it, you know, DOD has been pretty, I would say, straight-laced since the beginning of this, that they have expectations that they’re putting on the suppliers, right?

The expectation is that you wait, you don’t wait forever and they have the right within long within regulations to say, the expectation is that you were further along and all that, but yes, that is an absolute great transition into the next topic, which is some of the challenges.

So some of the challenges facing OSCs today. We could make a longer list here if we wanted to, we could spend a lot of time on this topic, but we really wanted to highlight some of the more common ones as we sat down and talked about, what do we want to cover in this discussion?

Derek White (Cuick Trac) (00:16:49):

Some of the more common challenges that came up also kind of play into some of the scenarios that we’re going to get into here shortly.

One of the big challenges that I think that is not a surprise to most people is the CUI marking, or lack thereof, as it says on the screen, what that means, and how that’s a challenge. So each one of these topics, we’re going to talk about a little bit here with both of your perspectives on this.

So I’ll start with you, Kyle, on, on the CUI marking side and why that’s a challenge and what you’re seeing there from your perspective.

Kyle Lai (KLC Consulting) (00:17:23):

Yep, absolutely. So CUI marking it is a challenge because when there is a contract, or when you receive the information from DOD, from your prime contractor, prime customers, one of the problem is that you don’t know if you’re receiving CUI.

Obviously you have to go into the CUI registry to do the research, but even that is a little bit confusing, right? So it’s the best way is to see, you know, the contract itself have defined what is CUI, right?

And the CUI they sent from your customers DOD or prime actually marked, but they are usually not marked. A lot of them are not marked, especially the older documents. The new documents might be a little bit better, but it’s really based on the agency’s policy.

There are some of the agencies they’re just slowly adopting to marking, but it’s still a lot of the agencies don’t.

Kyle Lai (KLC Consulting) (00:18:22):

And when you actually get that documents, you don’t looks like it’s CUI, but you don’t know is in that gray area.

You go talk to the contract officers, and the contract officers sometimes are not too helpful because they just don’t know. They have a partly other other more urgent matters to deal with, so they kind of kick this back and sometimes they’re not being helpful.

That is actually one of the major challenges. And a lot of times you cannot really get into the CUI scoping until you understand what kind of CUI you have.

I would suggest for companies that really have this type of problem, they may want to just create take the lead and say, we think these type of data are CUI.

Kyle Lai (KLC Consulting) (00:19:16):

Then draft the email and then send it to your contractors or your customers and say these these type of information are what we think is CUI, do you agree?

If you take that initiative, it’s they just have to say agree or not might, you might get a little bit further in terms of determining what type ofCUI you have. If you don’t take the initiative, just waiting for the customers, contract officers, I don’t think we’re getting anywhere.

That’s one of the major challenges.

Derek White (Cuick Trac) (00:19:53):

Got it. Carter, anything to share on CUI markings from your perspective?

Carter Schoenberg (SoundWay) (00:19:57):

To piggyback on Kyle’s comments, which I agree with 100% is (1) the registry that the department of defense is using while closely resembles, which comes from NARA (National Archives and Records Administration) is actually not a one-for-one parody.

So if you are actually a organization seeking certification at this time, I would say it would be prudent to look at only the categories that DOD is defining as CUI.

Your better bet is to look at what is NARA defining as CUI, because you might very well have existing contract with Homeland Security or Department of Energy or another entity that may not necessarily have a CMMC specified requirement, but there still is an obligation, a duty to mark properly based on that contract, based as it’s defined by by NARA. And (2) secondarily is also keeping in mind, if you take Kyle’s approach on focus, what is that data that you’re talking about in the first place?

Carter Schoenberg (SoundWay) (00:21:02):

If you’re able to start with the data, even if it’s not marked right now, it puts you in a much better position to understand where that data going to reside in my organization and who is going to have access to it that better defines your scope for not only personnel, but the computing assets they’re associated with each personnel.

And it’s also very important for, I think the audience that’s attending today’s session to understand you could very easily have a piece of information that is not marked as CUI. It is a proprietary, confidential document, belonging to the Acme company. It is then in term provided to a government that exact same artifact, not one alpha, not one numeric character has changed on that artifact.

And they can stamp that CUI if they return that to you as CUI, then it becomes a question of, okay, now how far back do you have toe your existing documentation now that the government has defined your sensitive or proprietary information ASI.

Kyle Lai (KLC Consulting) (00:22:14):

I just want to add that it is also important to make sure that your staff and your contractor or the employees, they are trained to through the DODs mandatory CUI training to make sure they understand the marking. If you actually receive a document that actually with a CUI marking, you understand how to handle that properly.

Derek White (Cuick Trac) (00:22:42):

That’s a great point. I think that’s probably an area, in my personal opinion, is that some of that training aspect area requirements over time are going to have to improve too.

Where it’s it how you handle it at your organization for versus how you handle there’s ways that the DOD wants you to handle information like CUI, but your people should know at your org. That’s what this is all about, right? How, how you as an organization are going to handle this to then meet the requirements. So that’s a great, that’s a great, great recap on that, on that challenge.

Thank you. Next up, what about those that I outsource too? Those that I use, those that I inherit their own service offering or solution. So, providers and other security companies that are not able to demonstrate their own compliance.

Let’s talk about how that’s a challenge right now facing the OSCs.

And we’ll start with we’ll start with you Kyle on that one.

Kyle Lai (KLC Consulting) (00:23:43):

I think for companies that are providing the services, the security managed service providers or companies that are just providing the it or the security services, they will have to understand these requirements for compliance, because if they don’t understand some of the fundamental requirements for meeting NIST 801-171, for example, and if you have an incident, you really have to turn it around within 72 hours.

If you don’t know these type of requirements, then it’ll be very difficult. Then, suddenly ,you are making the organizations seeking certification OACs non-compliant.

So, and this is also on the OACs, they, when they’re interviewing and getting the managed service providers or any service provider, they’re helping them on the it side. They have to make sure that they choose the company they’re familiar with these requirements.

Derek White (Cuick Trac) (00:24:43):

Carter, what are your thoughts on, on some of that and the challenges that come with it. I’ll refer back to the confidence, right?

Like if I’m going to go out, and we can speak from the heart on this too, at Cuick Trac, we’ve, we’ve been doing this since 2018. So to see the industry shift like this, and a lot more people jumping into the world, because it says certification behind something now makes everybody experts, if you will.

Some of those challenges Kyle was just talking about, is understanding these requirements.

What are you seeing and what are your thoughts on what an OSC should be looking at for clarification on that expertise in eating their own dog food as you will.

Carter Schoenberg (SoundWay) (00:25:21):

It’s great topic. One that’s very near and dear to me starting my career, actually working with an MSSP, cutting over from government side to the commercial sector and having firsthand experiences on how they operate.

So a couple things come to mind. One is most organizations seeking certification when they’re exploring the option for outsourcing security technical requirements. It’s the old adage.

They don’t know what they don’t know. They’re going to be provided a service level agreement and ancillary terms and conditions that make no mistake are designed to favor the service provider, not the person receiving the services.

So as a result of that if the terms and conditions and service level agreements are not modified in a way that clearly defines one what does the requirements traceability matrix look like for the controls that they are being tasked with?

Carter Schoenberg (SoundWay) (00:26:28):

Secondarily, what are the statutory obligations that are going to be imposed upon the MSP or MSSP?

Also with respect to potential cause causation of harm. It’s not probable to think that as more MSPs focus on supporting the government contracting arena, that by default, they inherently become a bigger target of the us’ adversaries keeping in mind that it was not that long ago China was able to take advantage of nine different MSPs and that allow them direct access into their client’s networks.

Because of escalated privilege commands. So I think it’s very important for any organization seeking certification to at least consult with either experts, such as Kyle or myself that have backgrounds and experience of looking at these kinds of documents, or finding legal representation, legal experts that really understand this.

And I will say this, putting my professional name and reputation on the line.

Carter Schoenberg (SoundWay) (00:27:32):

There are not that many attorneys that are out there right now that fully understand these nuances. There are a lot of, I will say law firms that specialize in this, but when I say that there’s not a lot, you think there’s probably, you know, a couple hundred thousand attorneys in the United States.

At best you may have 100 or 200 in the entire country that are really going to be able to understand these nuances and how to better protect their clients, addressing these particular types of issues.

At what point does the liability stop with the OSC and its formally transfer it over to, to the MSSP.

Derek White (Cuick Trac) (00:28:14):

You know, you gotta think back if we gotten the time machine a little bit too, on when people before CMMC, if you were working in the NIST 800-1781/DOD space you knew eventually we’re going to have to get some sort of a validation certification model because it just wasn’t getting done.

And if you go back to when that first got announced, and it was getting closer, there was a rush to the front of the line to be an auditor or an assessor or an organization who was full consultants.

And there wasn’t a lot of conversation around and there still really isn’t much, we’re getting closer to, you know, what about those that have tools, even if it’s just a piece of the pie or those that have pieces of the pie put together MSPs that are more traditional, those that are more cloud, all these other things.

What are they supposed to do, and what are they supposed to demonstrate now that we’re closer to that?

Derek White (Cuick Trac) (00:29:05):

You’re absolutely right. There needs to be a higher standard than the MSP who has two customers in the DIB is a little bit different from an adversary target standpoint than somebody who has a thousand.

So where is that layout? We don’t know. It’s a challenge, but at the same time, it goes back to that confidence thing, broken record here. But if someone just got into this game and they’re telling you it’s this and that, and they can’t back that up, then that’s a pretty big red flag. And you’re not expected to have everything done tomorrow.

We know that, but it is going to come faster. And I think you’re right with the service level agreements. And who’s going to be there for you on judgment day is very, very important that goes for consultants and security companies and you know external resources of all different shapes and sizes, as far as my opinion goes on that.

Carter Schoenberg (SoundWay) (00:29:52):

And Derek, before we move on, when I’m referencing to MSPs and MSSPs I’m not referring necessarily to even small, medium size MSPs and MSSPs. I’ve communicated directly with some of the larger MSSPs globally, and they’re quite silent on this issue.

Whereas I would look at this to be an opportunity for them to take an advantage of this capability or nuances in the language and use that from a competitive advantage standpoint, to be able to say, here’s exactly how we’re addressing CMMC on your behalf.

But so far, unfortunately, I have not seen much movement in the MSSP arena in that capacity.

Derek White (Cuick Trac) (00:30:43):

Yeah. And that’s a good teaser for one of our scenarios later on this isn’t just a license game anymore. It’s different than that. And we’ve already talked about how important the data is, and we’ll get to that as well. So the next challenge that we want to highlight here real quick is, and we already touched on a little bit by you Carter early on, is the lack of, of assessors and not so much to C3PAOs themselves. It’s the individuals that are going to be doing these assessments and giving that golden ticket, if you will, is starting to drive a little bit difference of a cost model for that certification than originally planned by the DOD and the CMMC-AB. So maybe Carter, you want to start with that one and, and give us your thoughts on that?

Carter Schoenberg (SoundWay) (00:31:26):

Sure. I would say that there’s actually two challenges here. I’ll start yeah, the commercial side government contractors, and then you have the government side, the government’s acquisition workforce.

So back when the, the interim rule came out, that Kyle made reference to earlier in the session, there was actually updates that showed the government’s initial, what they call ice independent cost estimation for what the government would define as allowable charges back to the government for a certification.

They were kind of debating. Is it going to be a one time ODC at the defined costs, or I think ultimately what has been decided is the government is willing to accept the cost, but you, as the OSC have to bake it into your soft targets.

Like your your fringe and your overhead rates and things like that. It’s important to understand just for a reflection point if memory serves, and this is again under the caveat of the CMMC 1.0 doctrine that a level three, which would be similar to what we would define out as a CMMC 2.0 level two assessment would cost somewhere around, let’s say $51,000 to $55,000 by all accounts, from what I have seen, and I’ll keep the floor open for Kyle’s comments to keep me honest here, but from all accounts, from what we’ve been seeing so far, the indications are companies are being pitched fees of around $150,000 to $170,000.

Carter Schoenberg (SoundWay) (00:33:03):

So, that’s a problem because of the expectation of what the government had, which quite frankly was skewed. It was based on a very limited number of subject matter experts that came out without calculus.

Secondarily, their ice was also probably based upon a traditional government rate versus an open market rate. And we live in an open market. The accreditation body made it very clear that it’s designed to be an open market. So right now you do not have that many C3PAOs.

I think at last count with like a 10, but the important thing to keep in mind is that there’s even, there’s disproportionate number of actual people that are authorized to actually act as assessors on behalf of C3PAOs.

And, in almost every case, they’re acting as a 1099. Without having an assessor on board as a W-2 where you, as the C3PAO can better control what those cost models are going to look like, the C3PAO is basically going to be beholden to the assessor. I’m not faulting the assessors if they can charge that amount, because that’s what the market dictates, then that’s what they’re going to get.

Carter Schoenberg (SoundWay) (00:34:24):

And there’s a big difference between having somebody on board where you’re compensating them, let’s say, in fairness, probably a $200,000 salary, which is going to probably be a fully loaded rate of, let’s say $157 an hour.

Rough estimate versus assessors that right now are charging between $350 and $425 an hour.

Carter Schoenberg (SoundWay) (00:34:52):

There’s unique challenges that hopefully as more and more assessors are coming out, that starts to help that valuation proposition on what a fair or reasonable hourly rate is.

And I think it’s also very important for the audience to understand that there is nowhere near enough data to support going to a firm fixed price model yet, and it probably won’t be available until you have a year and a half to two years of a consistent track record by C3PAOs, understanding this size of organization, this many man hours, this cost.

Derek White (Cuick Trac) (00:35:34):

That’s true. Kyle, what are some of your thoughts on what you’re seeing and what you’re feeling on this challenge and on OSCs, when it comes to trying to financially, time-wise, and resource-wise get this ready to go for when that day does come.

Kyle Lai (KLC Consulting) (00:35:52):

I agree with Carter. There are not enough assessors out there be able to actually cope with all the numbers of companies and OSCs that want to go through the assessment.

The director of CMMC, Stacy Bostjanick, mentioned that initially based on her number, 80,000 companies that require OSCs that require CMMC 2.0 Level 2. So the numbers doesn’t add up. Right now we only have 10 or 11 C3PAOs that are authorized. And by the end of the year we probably will be lucky if we get 30.

So I think there are going to be the number doesn’t end up. So she has mentioned that initially they, she, there are going to be like faceted approach.

They’re probably going to initially require some self-assessment, but I don’t know how exactly that will work because we already know self-assessment doesn’t really work well.

Kyle Lai (KLC Consulting) (00:36:57):

Right. So I think it’s going to be interesting to see, but I do see that yeah. Until we have enough assessors out there and they have CMMC-AB, they have to go through the training, get CCPs and CCAs, you know, CMMC certified assessors, you know, out the doors and there is another problem I’m actually pending cert the pending provisional assessor right now.

And I have to go through the DOD suitability background check and that’s kind of equivalent to the secret level background check. So that will take a while. So with the number of assessors, there are just not enough and also the requirements for getting the the suitability clearance.

I think it’s going to just add up even more challenges.

I think it’ll be interesting challenge for DOD and CMMC-AB to resolve.

Derek White (Cuick Trac) (00:37:57):

Yeah, for sure.

Carter Schoenberg (SoundWay) (00:37:58):

Just to pull that thread a little bit more, Derek. So to the point with what we’re talking about before the changes, and we, especially when we were talking about the RFIs, this again is unfortunately another example of the more time that goes by for an OSC to at least explore.

Even if they’re thinking that the numbers are high right now, in terms of cost of ownership, at least they will be one of the very, very few that will actually be vetted and authorized to bid on the work when it’s coming out.

Even if they only have 10 solicitations next year, coming out, if you have 10 solicitations coming out, I think by the math that they were previously suggesting is you’re going to be looking at anywhere between a hundred to 500 companies that are going to be in play to have to bid on that. Well, I mean, just do the math.

If you’re waiting until the RFI to come out and it’s a supply and demand scenario, that’s fine. We definitely want your business, but congratulations, take a number, get in line. We’ll get you when we get to you. And at that point, mathematically it’s too late.

Derek White (Cuick Trac) (00:39:12):

We’re already seeing this with in a different sense, but same, same challenges that a lot of the primes are, are doing reviews and temperature checks and going down their supply chain way further down than I think people would argue they were before, because they want to know, right.

They want to know now, are you going to be a problem, or you’re not going to be a problem if this organization who we really like and really need is going to be a massive problem to us, we gotta think of replacement plans and it is going to be a supply and demand situation that I think every OSC that likes their work with the DOD wants to be a part of.

So totally with you on that.

Transitioning to the last challenge we have listed here and it kind of ties into the last one a little bit is this is a potential cost of assessment and/or certification.

Derek White (Cuick Trac) (00:40:03):

However you want to put it, improper and proper scoping for a CMMC assessment. So if the scope is off and and assessor comes in and that’s wrong, we’re going to see some discrepancies.

We’re going to see some things at which I still don’t know that we have a very good, clear idea on how that’s going to go. They have ideas, but let’s talk about improper CMMC scope a little bit. And Kyle, we’ll start with you on this one and how that’s a challenge.

Before we get into the scenarios that, we’ll talk about where that comes into play, that scoping conversation, what are you seeing from there?

Where do you guys spend your time and how does that challenge end up becoming less of a challenge with clients?

Kyle Lai (KLC Consulting) (00:40:44):

Yeah. So what we have seen is that a lot of clients that we actually came across already have done the SPRS submission to the DOD SPRS system. They already gone through creating the SSP, POAM so when we asked them, so what is your scope?

It’s like, what scope it’s like, “I think everything in our company is the scope, right?” And it is like how about your financial accounting system? Those are, you know, you probably don’t have the CUI information there. Why do you need to make them in scope?

So I think there’s a lot of confusion in terms of what should be in scope and you know, DODs that release the CMMC scoping guide. I think that helps, but it still creates some confusion there.

When it comes to, you know CUI when you actually talk to the customers, you know, in terms of like, what is your scope?

Kyle Lai (KLC Consulting) (00:41:42):

A lot of time, they don’t really have a clear understanding or they priority have gone through and created something. For example, we only store CUI in one file server in one folder. So our scope is that one server it’s like, how about your firewall, VPN and your, active directories. Those are not in scope because they don’t have CUI it’s like, yeah, you probably have to go back and revisit, right. What should be in scope for the base on the CMMC requirements. So that is one of the challenge. A lot of the companies there’s a miscommunication and misinformation out there. And now there’s a scoping guide, but people don’t know to actually read it. If they read it, they still don’t understand. So it’s better to have a consultant that understands.

Kyle Lai (KLC Consulting) (00:42:37):

And in terms of the CUI, the most fundamental understanding is what is your scope for your CUI. I think that’s even more fundamental, but we usually just go through understanding how your CUI flows through your company. I think that is going to be the most important thing. And how does your CUI life cycle, what’s the life cycle look like? So we usually go through and say, what is your, how does your CUI get into your environment? That means the input. How do you actually download that CUI into your environment? Or how do you create your CUI creation or the download input of your CUI into your environment, right. Then how do you store that information, right? The storage of the files, where, or where do you actually store this information is either server database, application, cloud, on-prem, you know, USBs, let’s make a list, right.

Kyle Lai (KLC Consulting) (00:43:38):

Then what actually have the, what can you actually access that information? Where, what system devices, applications actually, or people, right? What business unit, what roles have accessed the usage of the CUI. So now, because when you are defining the scope, you have to define the technology, your processes, your people facilities, right?

So those are going to be important. Then you get into the sharing who do you share, right. So those are going to be when you share, how do you share it?

Who do you share with, so you understand, you know, as you slow down, who do you actually slow down these requirements, then there’s the archiving, what are the systems that you back up to OnPrem cloud, right?

Who is actually in charge, right. And maybe the MSPs, are they actually involved in helping you with the archiving?

So those have to be taken into consideration.

Kyle Lai (KLC Consulting) (00:44:37):

And also the last step of the lifecycle is the disposal, right. Of the data of your CUI how do you actually dispose? So as you go through this lifecycle, you’ll have a pretty good understanding in terms of what is your CUI scope.

And on top of that, you will get into what they call security protection assets. That’s the security actions or devices systems. Your firewall VPNs, SIM, etc. The type endpoint protection, for example. Another type of scope is the contractor risk managed assets.

So these are, the assets could be storing CUI information, but you have the policies and procedures to say, yeah, we actually maintain and control it this way.

Kyle Lai (KLC Consulting) (00:45:40):

And then there are specialized assets. These are maybe the you know, the OT machines, your government furnish equipments, or test equipments.

They may have that information or CNC machines, for example, for manufacturers aerospace, etc. You use the CNC machines to create, so you might have the G code, those type of special code that consider CUI. You want to manage it.

And obviously at the end you have the assets that are considered out of scope assets. So as you go through this, you identify these type of assets.

I’m pretty sure you have a clear, better understanding of your scope. There are going to be some, sometimes are going to be a little bit confusing, but yeah. Reach out to consultant like Carter myself, we can definitely help

Derek White (Cuick Trac) (00:46:32):

For sure. Yeah. You know, Carter from the scoping side, you know, we’ve talked about this at length multiple times. So, some of your thoughts on the challenges there around scoping for CMMC versus scoping for other things that people might be telling you to do.

Carter Schoenberg (SoundWay) (00:46:47):

I don’t have any issues with what Kyle said. He said it very eloquently. I would say that what we’ve seen is actually the opposite end of the spectrum, whereas, well, we don’t have CUI. How do you know? Well, guess we’ve never had anything marked it.

Well, that’s where you have a little bit of a disparity and understanding between say the Chief Executive Officer, and maybe the person that’s responsible for your system altogether.

We recently had a client who was responsible for providing a certain kind of technology that’s really heavily used throughout the government contracted community and from the CEO’s perspective, not because he was trying to obfuscate the answer with any degree of impropriety.

He just honestly didn’t understand the data sets that were coming in and being ingested.

Carter Schoenberg (SoundWay) (00:47:46):

And as a result of having a discussion, is how do you know how to find the right people to help you. Having that checklist is important to understand, but how you’re going to actually conduct your interviews? I would argue is probably 10 times more important.

And that is ultimately going to come back to whether it’s a facial expression or a pause and an answer where you’re going to have that 1-on-1 kind of understanding of, okay, maybe I need to scratch the surface a little bit more to get a little bit better fidelity of what the answer actually is as applies to CMMC scoping.

I would say also things that will keep in mind with regards to IOT and OT type of devices. And you would think there’s no way that government contractors would use them.

Carter Schoenberg (SoundWay) (00:48:39):

Although data supports the opposite. Devices where there’s an Alexa or an Echo Dot or something along those lines a scenario that was brought to my attention recently, and then admittedly, I didn’t even think of, but it was pretty much spot on probably be for larger organizations.

Do you have vending machines in your company?

And if you do more likely than not, if they’re newer, they take credit card payments. How are they connecting to the backend server to know that the credit card is good? Are they leveraging a segment of your network to get the app out communication? The answer is obviously yes.

Then becomes a question, is that in the same network segment that CUI could be maintained, stored or transmitted on? And is there enough of a bifurcation between them from a separation standpoint to either say yeah, it is, but we have some compensating control some place and therefore, no, it’s not able to do it even if it was compromise, or even taking you to the next level.

Do you even understand who’s providing you those particular vending machines? What due diligence have you done on them?

And I know it seems kind of silly, but given the fact that it’s a computing asset and it’s now touching your network, it really shouldn’t be evaluated any differently than how and where you’re buying a laptop today.

Derek White (Cuick Trac) (00:50:09):

You know, we joke about this all the time. Today, the vending machine story might be weird, but in five years from now, if things like NIST-171 and CMMC are successful and people have their stuff in place, the whole reason for a cybersecurity model, or cybersecurity requirement like this, is that the world’s going to evolve.

And if we’re not thinking about the vending machine today in five years from now, that could be a great attack vector. We don’t know. We’ve heard the fish tanks, we’ve heard all these crazy stories.

So you’re absolutely right. Then that’s where scope does matter. And if you have your implementation set up correctly, and like you said, things are segmented properly and escalating of privileges and all these different things that NIST 801-171 is really about the confidentiality of information when in place is a good has a lot of those controls that are intended to do that.

Derek White (Cuick Trac) (00:51:02):

Thank you for sharing that. And that’s a great transition into some of the scenarios we’re going to get into.

We’re not going to go quite that deep in the vending machine side of the scenario, but we will call out some of the more common ones here in the next section.

So scenario one. Hopefully from the previous slides, we don’t have too many people watching this, starting to get the cold sweats and the clammy hands, because it sounds familiar to them.

That is part of the reason that we want to talk about challenges is that, should it hit some people where it counts? Hitting their minds, hitting their heart, getting their heart rate up a little bit.

But now we want to talk about scenarios that we are seeing at all of our companies.

Derek White (Cuick Trac) (00:51:42):

We collaborate together for a reason. You guys have great experience. Customers out there are looking OSCs are looking for separation of not just duties obviously, but separation of expertise.

So that’s really, really important. So some of the scenarios that we’ve come up with here, the first one is the OSC legitimately doesn’t have CUI, but believes they’ll be required for CMMC level two.

How should they score themselves? And we’re going to start with Carter on this one, and then Kyle will go to you, but Carter, in your experience, and with SoundWay, how do you handle that scenario for that OSC?

Carter Schoenberg (SoundWay) (00:52:23):

It’s unfortunately a little bit more problematic than we would hope for. So when you take into consideration, what do we mean by scoring? First off, there is a scoring metric that is basically a spreadsheet with logic built into it.

You start with the highest score of 110, and then you reduce the number of points for each thing that you’re not doing, whether it’s entirety or a fraction thereof. And you can even technically have a negative score. What we’ve seen so far is companies that again, they legitimately are saying, look, we don’t have CUI. Would you not agree that we don’t have CUI?

And even we concurs, you don’t have CUI, if you take the approach to saying, well, we don’t have CUI, you’re agreeing we don’t have CUI. So therefore, why would we reduce points in these particular areas by the default?

Carter Schoenberg (SoundWay) (00:53:17):

Because we would say that they’re not applicable. In all fairness, I think that they have a case, but that does not change the fact that if you’re going to demonstrate that you are having to adopt and conform of CMMC level two, it becomes irrelevant.

So actually what we will show them is if you operate under the assumption that they’re not applicable, your score is X. And I’ll use a recent scenario for something that we came up with their score was 64.

And then once you took it into consideration those specific 19 control items that we did not deduct points from originally, but if we then deducted points from them, they were actually at -3.

We want to make sure that they had the understanding of, you know, here’s two different options that you’re going to be looking at, but you need to understand that if you’re saying that you’re going to have to conform with level two, then you have to conform with level two and your score is, technically, -2.

Carter Schoenberg (SoundWay) (00:54:17):

The smaller organizations, those smaller business owners are usually getting a little woo. That makes us look really, really bad. Short answer is yes, it does.

Another short answer, the government expects that the government has made it very clear for a couple of years now. They would much rather see an organization seeking certification, put in scores where let’s say it’s a 5 and then five months from there, it becomes a 42 and then three months from there, it becomes a 94 and so on and so forth.

Versus just saying, “Oh no, we’re awesome.” 110 boom, right up the gate.

Because, make no mistake, that is going to do nothing but put a bullseye on your company for having an independent audit by Tip Tech.

Derek White (Cuick Trac) (00:54:59):

For sure. We expected that, right. That’s a great way to say it is that the DOD had expectations and they’re not dumb.

The game changed significantly when that rule came out and it was you’re going to enter a score into a government system is a little bit different than checking a box on a questionnaire that says that you have things in place.

Carter Schoenberg (SoundWay) (00:55:24):

I apologize, one other question. One other aspect to add to that, where we’ve had multiple opportunities of prospecting a client and they’re asking, well, how much does a pre-audit assessment cost us?

To be fair to them, rather than just giving a blanket fee, let’s go ahead and sign a non-disclosure agreement. You said you already put in your Spur score. Let’s take a look at your System Security Plan (SSP), because depending on how well developed that is, that might dramatically reduce your cost of ownership.

And in almost every case I’ll sign the NDA, but I don’t have an SSP to give to you. By default, that is already showing you what the maturity level of that organization is, because the government’s expectation is you should not be submitting a score if you don’t have a System Security Plan in the first place.

Derek White (Cuick Trac) (00:56:11):

It says a pretty clears day in there as well. So that great point. Great call out on that. Kyle, from your perspective on this scenario with an OSC who is saying that they’re confident, and maybe you agree or disagree with them, but still they say they don’t have CUI.

How should they approach this? How should they be doing what their customers are asking them to do? If, if in fact they don’t have CUI or think they don’t.

Kyle Lai (KLC Consulting) (00:56:42):

I think it’s better to communicate that with with the prime contractors. I agree with what Carter was saying, but it’s better to just communicate and try to get understanding, say, “Hey, based on the contract, this is what we’re getting.

Tell us if there’s anything other than what we’re getting right now, we don’t believe these are CUI.”

Unless you can prove otherwise, I don’t think we need to actually go for CMMC level two. We go for CMMC level one, and this is how we are going to approach it. Are you okay with it or tell us if there are anything that is CUI.

That’s how I would approach it because if you don’t need CUI, why spend so much money going to going through this exercise.

Derek White (Cuick Trac) (00:57:34):

All right. For scenario number two, we have OSCs leadership wants to be CMMC compliant and likely task one person with this objective and initiative.

Tell me how much it costs.

We get that call a lot I know you guys too. Kyle, let’s start with you, you know, you take that phone call, where does that go with KLC and what is your experience on that and your expertise on what they should do?

Kyle Lai (KLC Consulting) (00:57:59):

There’s just so many vectors that you have to take into consideration, right? How mature you are in terms of cyber security, how complex is your environment? How many cage codes, right? How many facilities? Do you have the information in the US or other outside of the US as well?

So I think there is a lot of complexity, and we have to understand the complexity before we can start getting to understand how much is going to cost.

And if you are more mature, and you have a lot of the security tools in place already it’s going to take a little bit less time and effort. Budget is probably not going to be as significant as if you don’t have anything.

Some of the manufacturers that we come across, there are pretty good size manufacturers, but they have not really upgraded their IT for the last 20 years.

Kyle Lai (KLC Consulting) (00:58:58):

It’s like, we produce, you know, this stuff for our customers. We don’t really get into the security stuff. It’s pretty secure, we have never been hacked.

But you only know what you know. And so for that type of scenario, there will be a very significant upgrade to put in the active directory, upgrade your windows environment.

Just something even very, very basic is going to cost quite a bit to actually just schedule up to par before you can start putting some security product tools into the environment.

I think, really, that that’s how we approach it. Really looking into the fundamentals. What do you have right now? And based on that, we’ll give them a budget and sometimes they’ll get a sticker shot, but that’s usually going to be the case if they don’t have, or have not kept up with their cyber security in the past few years.

Derek White (Cuick Trac) (00:59:56):

Excellent. Carter, your thoughts on this scenario

Carter Schoenberg (SoundWay) (01:00:01):

Loved everything. Kyle said, spot on. I would usually say when we get to that tail end and we’ve been able to go through all those nuances and the specificity, then we get advice on what the cost will be. 9 times out of 10, we’re also getting “that seems high.”

Okay. Based on what? What did you think it was going to take for you to accomplish this goal and objective? Because what we’re also hearing is, “Why would I want to go with you or somebody like you when I’m hearing, I could become CMMC compliant in three days with this particular solution?”

There is a lot of snake oil being pitched out there and right wrong or different. There are also a number of business owners that are going with the lowest price option that ultimately one is not going to provide the artifacts necessary to successfully pass an independent assessment.

Carter Schoenberg (SoundWay) (01:01:01):

And secondarily, once you are paying and accounting for those additional costs to come in and retrofit or correct course, correct what was it originally done. Your costs of ownerships are probably going to be two or three to one.

Had you not just decided to go with somebody that’s competent in guiding you on this journey, which is just that, it’s a journey. It’s not a one and done, it’s going to be something that’s going to take a number of weeks, if not a number of months to get a company from here to there.

Derek White (Cuick Trac) (01:01:33):

If you want to talk about a topic we’ve already hit on, it’s the scope matters. There’s so many times you have the first conversation when Kyle already talked about how does the information get in, and where does it go?

It doesn’t matter if it’s 10 people or 10,000 people, it’s going to cost more from both an assessment and a security requirement, implementation standpoint, to put everybody in scope, just because that’s what it is.

Some people will quote that out and they’ll price you on that. But if you’re not able to shrink your scope, going back to where that can save costs and time and resources based on who has to handle that information or not s a big thing. And you’re right. Some people want to say, you can do it quick, because we can boilerplate all this stuff.

Other people will say, you didn’t even tell me who handles the information within your organization. How can I tell you how much it’s going to cost you? And if anybody’s telling you how much it costs and you don’t have a System Security Plan, then you might not want to answer the phone again for that conversation.

Let’s move on to the next scenario.

Derek White (Cuick Trac) (01:02:39):

We’ve got an OSC has been doing a really good job implementing the technical requirements of NIST 800-171 in-house, but now they’ve kind of hit their plateau and need help with the more security and administrative requirements side.

We’ve seen a lot of this over the years for those that really jumped into the NIST 800-171 and DFARS 7012 initiatives, and rightfully so and thankfully.

Very much in the minority. And now they’re, they’re seeing the CMMC stuff they have been for a couple years where, where does SoundWay and where does Carter’s experience come in on that scenario and what that OSC should be looking to do to have a successful journey to their CMMC initiatives?

Carter Schoenberg (SoundWay) (01:03:23):

Yeah, so we actually see similar scenarios from the clients that we’ve supported. A lot of people when they’re taking into consideration the cost of ownership with CMMC, they’re usually looking at the line items, what they actually have to purchase, and what they rarely account for is the internal labor costs that are associated with being able to handle the ongoing operations and management of the new technologies and capabilities that they brought on board to be in conformance with CMMC.

The it person is now going to be forced to wear multiple hats, whereas actually within CMMC, that’s not allowed. And you have that separation of individuals to reduce the risk of malevolent activity.

We actually have a solution that we call a separation of duties capability, where that’s basically a number of items that are being described in 800-171 are actually outsourced to a firm like SoundWay. It’s very valuable and beneficial to our clients because they don’t want to deal with the TDM of the cyber.

Carter Schoenberg (SoundWay) (01:04:33):

If the IT person is responsible for the system, they want to make sure it’s running. They want to make sure that they’re not getting, you know phone calls from angry people that the system isn’t running.

You start to throw on the skill set and backgrounds and expertise necessary to then be the cyber expert. On top of that, one is technically, it’s a violation because you don’t have separation of duties. And two, it’s still one person.

One person can only do so much with any one point in time. And we’re also seeing scenarios where people are saying, oh, well, you know what I’m going to just have everything posted in Microsoft GCC high or something similar to that effect.

That’s great.

But that doesn’t change the fact that by doing that, you inherently have transferred all of your responsibilities over to this third-party.

Carter Schoenberg (SoundWay) (01:05:21):

Even if you have a fully fed ramp package, roughly about 38% of all the controls are still the responsibility of the system owner, which would be you, the government contracting firm that the organization’s taking certification.

So we try to help our clients continue to develop and improve their System Security Plans, help them with their plans of actions and milestones and really help them drive that forward progress and being able to convey in a way which is actionable and it’s measurable.

And oddly enough, it’s also legally defensible. I think it’s also important to understand that while OSCs are trying to get into continue doing work with the federal government, they still have a lawful obligation to be what’s called the “standard of care.”

And depending on how many records they maintain in which particular states that they operate in, they may have unforeseen exposure to liability of harm stemming from a cyber incident. That goes well beyond what CMMC was ever designed to cover in the first place.

Derek White (Cuick Trac) (01:06:28):

And that’s that is the challenge here, it’s great to hear it. Like we already mentioned. It’s great to see them go ahead first and put their head down.

And now that it gets into some of these, these, we want to do it in-house and we’re building it out. It is a strategic plan at that point who is going to be the responsible party in-house or do you have to go externally for that? And that’s what the DOD wants to see.

It’s great that you’re at score X now and you plan to be a 110 by this time. We just want to see how you’re going to get there.

And that’s why, again, we partner with with SoundWay and KLC and people like you guys, because that an expertise level type of responsibility that you don’t just want to say, here’s read a bunch of stuff and go do this and pray that you’re pray that you’re right.

You gotta know this stuff now as it is.

Carter Schoenberg (SoundWay) (01:07:20):

Exactly. And also before we jump off of this topic, one thing I will like to say is we reference to your earlier with regards to the estimations of costs, the independent cost estimations that the government Richard came up with with the interim role.

They had line items in there for junior level skillsets, which again, the effort and intent was good, but in practicality woefully off of the mark. So I would highly doubt that a junior level cyber practitioner would understand the depth and magnitude of the topics that we’re covering in this particular scenario.

Derek White (Cuick Trac) (01:08:02):

Right. We saw that with the rush to the front of the line with C3PAOs registrations, right. Where some of them had their time to shine on how they were going to do and they, they didn’t, they didn’t succeed themselves. So that’s, that’s absolutely worth noting.

So thank you.

So, to wrap up, we’re going to have a little recap discussion here and talk about some of the takeaways that hopefully those OSCs that joined and were able to watch through this and maybe see themselves in the scenarios that we highlighted have some takeaway and some tangible outcome stuff here where they can move forward, and start asking the right questions, start planning the right way, or, even if they’re stuck and they just need to get down that path that is going to lead to a better outcome than some of the paths people want to lead them on.

Derek White (Cuick Trac) (01:08:50):

Some of the things that we want to make sure that we talk about before we wrap is understanding your data. Is it CUI or not? We have people like Carter and his company Sound Wave Kyle at KLC and his team, utilize resources that’s my takeaway is you need to understand your data.

It’s yours, it’s, you’re working with the, the DOD and the government here understand that Carter, something to share there and kind of to recap on that. What are some of the things that you want to make some recommendations on as we close out here?

Carter Schoenberg (SoundWay) (01:09:25):

I think it’s very important to understand anytime an OSC is going to reach out to a third party to help them from a consultative standpoint.

One, what are the background experiences of the individuals?

Two, are you actually going to be guaranteed that those are the individuals that are going to be actually helping you. You don’t want to be put into a position where you have a bait switch type of approach where the big guns are coming in to actually help close the deal with you, make you feel warm and comfortable, but then you have much lower, level junior personnel that maybe exacerbating potential issue with spending more time than is necessary to get to the actual questions that are going to yield the information to drive forward progress for the completion of your initial assessment.

Derek White (Cuick Trac) (01:10:18):

That’s a great transition to the second highlight, is you do have to understand that it’s your organization and this can’t go and be said, loud enough in our opinion. You’re not the same as everybody else.

There are things that can be done and repeated and streamlined in areas of the requirements for sure. But your organization is yours. And the DODs expectation is that you understand that you, as an OSC, know it’s not a prescribed set of requirements. We know that. Do what’s best for you, but meet the requirements.

And so some people out in the marketplace as providers and consultants and vendors do want to take advantage of that sometimes and try to sell you and move on. So be very aware of that and it goes on to the last take away. Find the right help.

Derek White (Cuick Trac) (01:11:11):

You can see the information at the bottom on KLC on SoundWay, our team here at Cuick Trac visit the websites, hit pause.

If you have to visit the websites and see what we do and reach out to Carter, reach out to Kyle, reach out to myself, and find the right help find the right people, because this is not a go it alone situation. Most of the time, if you have the internal resources, that is great.

But again, there’s responsibility there, a growth expectation here. A lot of people want to grow their DOD business, which is another scenario we didn’t get to.

So go through that, make sure that you’re paying attention to this stuff. Hopefully you’ve got something out of this. Carter, any, any final words that you want to talk about before we end this?

Carter Schoenberg (SoundWay) (01:11:55):

I guess last point would be with regards to whichever organization that you’re interested in selecting make sure that you have a degree of comfort vetting them no different than you would vet any other company to provide you goods or services. Do they have qualified references?

What’s the nature and the duration of tenure of the company that you are going to potentially engage with? What types of limitations or liability warranty do they have?

They have first and third-party cyber liability insurance, if for whatever the reason they introduce unforeseen harm to your company in the course of that assessment, which is one of the things that it SoundWay we pride ourselves upon because we actually provide a warranty on our work products.

Derek White (Cuick Trac) (01:12:40):

That’s great. And that’s that’s the confidence, right? That’s what we’ve been talking about. So, thank you.

Again, hopefully for those of you that were able to watch this, that you’ve learnt something, you have resources available to you from Carter and Kyle. So thank you both for joining and looking forward to the next time where we can draft up some other scenarios and help the OSCs find their way to the promise land.

Carter Schoenberg (SoundWay) (01:13:05):

Great. Thank you again for having me on board.

Derek White (Cuick Trac) (01:13:07):

Thanks Carter.

Carter Schoenberg (SoundWay) (01:13:09):

Take care, everybody.

To connect with Kyle, Carter or Derek, visit the following websites to learn more:

Learn more about CMMC 2.0


CMMC for Small Businesses – A Perspective on Compliance

CMMC for small businesses starts with a focus on good cybersecurity hygiene when struggling to be compliant to NIST 800-171.

Protecting CUI in 10 Steps

Identifying and protecting CUI is of utmost importance for safeguarding our national security. Learn how in 10 steps.

What is ITAR and How Does it Impact CMMC Regulations? 

What is ITAR? ITAR is a cornerstone regulation governing the export and import of defense-related articles, services, and technical data.

Part of the most relevant industry groups and committees

department of defense badge
ndia partnership badge
cmmc certification badge
defense alliance badge
infragard partnership badge

Get a 30-minute demo from a Cuick Trac product expert

You've made it this far, now let us show you why Cuick Trac will be the smartest decision you'll make this year.

Schedule a quick product tour

See how we can secure your CUI in less time, with less effort, and more features than any other DFARS compliance products in the market.