From a real DM I recently received:
“Our prime customer’s head of purchasing gave a presentation regarding Level 2 certification by November. Their stance: No cert? No work. They read the names of six suppliers with the required status. There were 45 companies in the audience. We were one of the six and we’re very excited to take work from the 34 who have fallen behind. Thanks for all the content. It’s very helpful.”
See y’all Friday at 10am PST.
Transcript
0:08 — Jacob
[music] Oh, hey everybody. We got the band back together.
Everybody’s favorite. Oh my god, our names aren’t on the screen. We’ll fix it in post. But you know this guy. Everybody remembers this guy, right? It’s Daniel Acreage.
He’s married. Everybody’s off the market. So, you know, that’s probably why our unsubscribed numbers have been going up recently is because they found out the bad news for them. Good news for you.
Back from world traveling, jet setting honeymoon. There they are. There’s the names. It’s a live show. It happens.
But we’re back. We got the band back together. Daniel, we missed you. We hope that you had a good time. Tell us about that real quick before we do the normal spiel.
0:51 — Daniel
It was incredible. We made our way through Spain and London and came back here stateside and, man, it was absolutely incredible.
Now it’s the fun part of being married, which is integrating two lives and schedules together. So, man, we’re having a good time.
And hey, a lot of CMMC things happened while I was gone. I guess they just build up all of their things. We got MSPs collapsing. We’ve got FAQs coming out. We’ve got 172 Rev 3 popping out. Like I mean—
1:26 — Jacob
That’s right. Well, before we get to all that, even more breaking news. Priceless Pancake has a new avatar, and I believe it’s a tall stack of pancakes with a gun and a cowboy hat.
That’s amazing, and I love everything about that.
We’re always doing this every Friday. We stream on YouTube and on LinkedIn. Feel free to drop questions in chat. You can go to cuihotline.org. You can leave a voicemail. I think we got one of those to get to.
You can fill out the form and send us questions through there as well. You can find all kinds of other content at summit7.us. Find us there. Send us DMs. Send a raven. Whatever you want to do.
Let’s see here. Okay. Well, we normally do week in review. The formatting on this did not work out. You’ve been gone for a while, Daniel. You came back. The more things change, the more they stay the same. What are your thoughts here?
2:20 — Daniel
All right, I’m going to go a little rapid fire on this one.
So, supply chain. Talking to a lot of companies right now that have made it through their CMMC journey as a prime, but they’re actually looking down to their supply chain. They just don’t know what to do with them, right?
Paper copy got a little bit of an update with the DoD FAQs that came out saying, hey, you can do that, but you do have to apply 7012 protections to it.
Do primes host enclave environments for their subs? How much of their environment is in scope if that’s the case? Do they want to have their subcontractors tied to their infrastructure if they’re also working with competitors of that prime?
There’s just so many nuances, but honestly, the most important thing to realize is please look at your supply chain.
If you’re trying to solve this CMMC problem for you, that’s great. You need to bring it up as a huge corporate risk if you’re not looking downstream at your supply chain of who can handle CUI outside of you that are required to perform on the contract.
So that’s the first big one.
Significant change language, man. Some interesting stuff happening on that side too.
Again, DoD FAQs popped out. Interesting stuff around when you would trigger a reassessment.
If you had a control that was met because it was not applicable. They use the example of wireless. And now you’re implementing wireless. Guess what? Boom. Boom. Boom. Triggering a reassessment.
Think about this in the world of how many VDI-only enclaves exist out there and how many will end up needing to grow to extend their boundary to on-prem.
Well, you immediately need to budget for significant change based on the new DoD FAQs, right?
So that’s a whole other thing that’s a really interesting topic.
Lessons learned from disappearing MSPs.
As most of you know—I mean, I feel like I can say the name because they’re no longer in existence as far as I know. You can check the CMMC subreddit. NeoSystems is no longer around. They dissolved completely and left their clients in quite a bit of a lurch.
I know there have been some good and faithful people trying to get those clients back up and running and get them access.
One of the things that we’ve been made aware of is a lot of people didn’t have admin access to their own environment.
There was no break-glass emergency account. No spare set of keys under the doormat. Nothing.
The problem that we’re seeing right now is basically their old clients having to do a hostile takeover with Microsoft to break into their own environment.
Here’s the thing. There is nothing contractually or in the MSA that could have foreseen a company just disappearing off the face of the earth.
It’s so hard to understand how to mitigate that risk.
But the one thing I will tell everybody on here: if you don’t have the ability to gain administrative access to your own tenant, that is a huge risk that I definitely recommend you looking into and remediating ASAP.
5:42 — Jacob
We’ll add it to our list of things to vet your MSP for.
Because that’s the way that we operate. But I remember when I heard that, I was like, why were they doing that?
It was not something that I would have thought to add to the list of how to vet an MSP because it just seems like that’s the way things ought to happen.
But apparently not.
6:07 — Daniel
Please make sure and do your due diligence as you’re interviewing partners.
We did a webinar on this, on how to make an RFP with a lot of good questions.
NDIA, in coordination with Allison and her machine shop down in Florida, put together an MSP shopping list for CMMC.
But please do more due diligence and make sure you have the ability to gain admin access in case something were to happen because ultimately it is your infrastructure.
If you’re the one paying for the licensing from Microsoft and it’s not a SaaS VDI solution, meaning you’re just leasing the space, but you actually own the tenant, you need to have the ability to get into it.
Hard stop.
So that is my rapid-fire post-wedding honeymoon catch-up of all the fun CMMC bits that have been sprinkling in while I’ve been out.
7:02 — Jacob
There’s a clear prenup content opportunity here for when you get married to a new MSP.
When you read your marriage contract more closely than your MSP contract for your business, maybe you should go back and double-check your paperwork. Make sure you’ve got a spare set of keys in case they disappear overnight.
Talking about supply chain, there was a very interesting Reddit thread.
Somebody with the username Help Desk Guy said, “My experience with subcontractors lately.”
He said there are two things.
One, no idea that CMMC is a thing, which leads me to having to go into my speech and presentation about it every time.
Two, struggling to achieve CMMC status because they’ve hired a consultant or MSP who has never achieved CMMC status themselves. So it’s the blind leading the blind.
What’s funny though is in the comments they said, “When Lockheed, Boeing, and other primes were issuing CMMC statements, I wanted to do the same for our subcontractors, but our executive team said no.”
And I asked him, “Why did they do that?”
He said, “Their executive team said, ‘We don’t want to scare anyone.’”
And I said, “What did they expect to happen? Did they just expect them to get ready by magic?”
And they said, “Yeah, it reports to the CFO and that is a recipe for it to never work.”
The CFO said he didn’t want to scare anyone, meaning he didn’t want to give anyone any costs.
This is one of the many reasons why CMMC became a thing because of crap like that.
Just boneheaded executive decisions being like, “We don’t want to ruffle feathers with our supply chain,” even though you’re flowing controlled information into the supply chain.
It’s just insane.
Some real gems in there this week.
I will say this. I got a LinkedIn message and this is the first time I’ve ever seen this.
A 50-person company sent me a copy of their notice to suppliers.
It was incredibly well written. It was very articulate.
I’ve never seen a small business ever issue something like that.
So there are some SMBs out there still doing it really well and taking it seriously. But to your point, a lot of people have not for such a long time, which is why we ended up where we are.
9:47 — Daniel
Yeah. Yeah.
9:53 — Jacob
John says, “Way to go.”
I know, John. Everything falls apart. I’m back. We’re holding it together.
I almost wanted to text you about some of the events that went down while you were gone, but I thought it would be more fun if you just got everything when you got back.
Somebody says, “If you have access to admin creds of your tenant, the MSP is not solely responsible for anything. Everything is shared. That’s probably why they did it that way.”
Yeah, sharing responsibility for requirements is hard.
It’s complicated because it isn’t a black-and-white binary.
You’re doing all of this. We’re giving you money. Thanks for taking care of everything.
This is a third-party risk that would count for outsourcing anything to a third party.
If you outsource everything to a third party, you better make sure that you know in detail what’s going on with those third parties.
Otherwise, you might get totally screwed and left holding the bag, cybersecurity or otherwise.
All right.
Big news, everybody.
800-172 Revision 3 has officially been published.
NIST took about a year and a half to go from initial concept draft to final publication.
They have once again done the thing that no one else in the government seems to be able to do.
They revise and revamp large, complicated projects and publications consistently and well, and they don’t really take all that long to do it considering the amount of work that they have and the number of bodies they have to actually do that work.
We now have 800-171 Rev 3 and 800-172 Rev 3.
And boy oh boy is this going to cause a lot of regulatory issues, which are our specialty around here.
First things first, I briefly posted a summary. We’re going to have a lot more content coming out about 172 Rev 3.
172 Rev 3 is much bigger than the original version.
There are 115 requirements in 800-172 Rev 3. Eighty new requirements, essentially.
However, 800-172 Rev 3 is not a minimum baseline. It is an overlay that you can select from.
Much like the existing 800-172, the DoD only selected 24 of the requirements in the current version.
So they don’t have to select all 115. They’re not going to select all 115. But there are more options for them to select from.
So we could see future CMMC Level 3 requirements go up.
However, what’s very interesting is that even if they only stick with the same 24 requirements and select no additional requirements on top, there are changes to all 24 of those requirements to some degree.
Sometimes those changes are as small as one new organizationally defined parameter.
Sometimes, for nine of the requirements, they were withdrawn entirely and are now addressed by other 800-172 Rev 3 requirements or 800-171 Rev 3 requirements.
So now we have this spaghetti bowl of things to track.
Because if you’re on 171 Rev 2 and the original 800-172 and you need to go to 172 Rev 3 in the future, then you’re going to have to track changes to the 171 baseline and the 172 baseline versus what the DoD selects and so on and so forth.
Lots of fun in store with what’s going on there.
The only second thought that I have here is rulemaking implications.
After the final rule came out and the phased rollout began, the DoD immediately started working on CMMC 3.0, if you will, revising CMMC to point to 800-171 Rev 3 because 800-172 Rev 3 had not yet been published.
That rule that no one has seen outside of the DoD would have pointed to 171 Rev 3 and the current version of 800-172.
Well, DoD CIO changes, stuff gets put on pause, and there seems to be no interest in aggressively pushing that rule anymore.
Now that 800-172 Rev 3 is officially out, will they have to update that draft rule for Revision 3 of both 800-171 and 800-172?
That’s good news for Level 2 suppliers because you probably have many more months before 171 Rev 3 would ever become an issue.
But if the baseline for Level 3 shifts dramatically, then companies going to 172 Rev 3 will have a much bigger jump.
We don’t know because that rulemaking process is completely opaque.
15:53 — Jacob
172 Rev 3 is officially out and there’s a lot to dig in there.
For now, with the way that CMMC is set up, CMMC Level 3 will be done against 800-172. We’ll just have to see what happens after that.
Alrighty, so this is a fun one.
We just did the podcast last week. Everyone should go watch that podcast.
It is not true that there is not enough assessment capacity in the ecosystem.
It’s not even close to being true.
It’s not even close to being true under the most conservative way of looking at the available number of assessors and assessment teams in the ecosystem.
If you take the maximum theoretical number of assessors at the end of April, divide it by three, which is a bigger division than you need to do, cut that in half, and then cut it in half again, we have more assessment capacity per month than we are currently seeing at Level 2 for successful Level 2 assessments.
We have more assessment capacity if 75% of the assessors just aren’t working.
Even if everyone who gets a false start was actually ready to go through an assessment, if we have more than 25% of the current number of assessors available—which we of course do—we’re sitting on somewhere between five and ten times the amount of monthly assessments than people are actually qualifying for and going through.
We currently, as of April, have enough assessment capacity at maximum for 12,000 Level 2 assessments in a year.
We had as many Level 2 assessments in the first month of the phased rollout that the DoD thought they were going to get in the first year of the phased rollout.
Assessment capacity is not the constraint in the ecosystem.
Period.
It is not true.
However, you still often see people ask questions like this: How are there more CMMC assessments in progress than the total number of C3PAOs?
C3PAOs can have multiple assessment teams.
The number of C3PAOs is not the constraint on total assessment capacity.
Currently the primary constraint is the number of CCAs.
There are more CCAs in the ecosystem than there are Lead CCAs.
The current constraint is CCAs rather than the other way around.
The number of C3PAOs is not the constraint.
There are 103 as of April.
We’re not limited to 103 assessments per month.
The maximum theoretical capacity would be the total number of possible assessment teams times four, which would be one per week.
When you do that, it’s like 12,000 a year.
Fun fact: in full implementation, from Phase 4 and beyond, the DoD estimated that we would need 16,610 assessments per year.
We’re, as of five months into the phased rollout, theoretically capable of doing 12,000.
Cut that in half and you’re at six thousand. That’s still way more than we’re going to end up with at the end of Phase 1.
If you extrapolate forward the rate of assessment teams that we’re adding per month versus the rate that people are asking for Level 2 assessments, there is no foreseeable point anytime in the near- or medium-term future where assessment demand outpaces assessment capacity.
Period.
End of story.
We got six months of data that proves it.
It’s not a theoretical extrapolation.
It is not true.
Tell your friends, tell your neighbors, tell your relatives, tell your pets.
Stop saying that there isn’t enough assessment capacity.
It’s just straight-up not true.
All right, I got a couple questions for you.
One statement, one question.
I was seeing somebody on LinkedIn who used to rail on basically the lack of assessors as the bottleneck.
19:45 — Daniel
Yes.
19:45 — Jacob
Come back around and changed his mind and said—
19:51 — Daniel
Hey, we say hallelujah, everybody. It’s a Christmas miracle in May.
19:57 — Jacob
It is a miracle.
I have been doing the LinkedIn thing for a long time.
I have mild PTSD from the early days of doing CMMC LinkedIn content from the mean things that people used to say to me.
I lost my hair sitting on social media all day talking about CMMC.
This is one of the first times I have ever seen a devout critic of the program, an LLM AI slop-fueled critic of CMMC, watch our content and then turn around and say, “Props to you guys. I was wrong. Actually, we have way more assessment capacity than we actually need.”
So shout out to that person.
Great job.
People are allowed to change their minds.
We might make fun of you for a few seconds, but people are allowed to change their minds.
That’s why we’re putting the content out there.
GAO wrote an entire report where one of their takeaways was essentially, “What if there aren’t enough assessors?”
Meanwhile, it would take literally some bozo with a podcast 30 seconds to look at the monthly chart and say there’s enough assessors.
Why did you write that?
Anyways.
21:15 — Daniel
The other thing I was thinking about is obviously we have a question mark when it comes to false starts.
We don’t know how many are actively out there.
I’m curious why the numbers are so low on certifications even though in the DoD’s estimate we’ve blown past that.
I wonder if primes are still not communicating clear enough expectations to be certified to their subcontractors.
I am still talking to some subs.
I talked to one yesterday.
They were like, “Yeah, we don’t have to be compliant until the end of 2027.”
And I was like, if you look at the rollout of CMMC, you have some validity there.
Because the CMMC rule is not saying hard dates you have to be certified by.
It’s the rolling in of CMMC requirements to contracts.
But it’s interesting because it feels like primes, although we’ve seen some letters, are still not doing a good enough job.
Or they’ve identified who their critical supply chain is and just stopped communicating to everybody else.
22:26 — Jacob
Yeah.
Or they have enough people for what they think they need moving forward.
The deadlines are different from supply chain to supply chain, from type of work to type of work.
It’s very fluid.
It’s hard to predict.
My whole thing is people for a long time said—and they continue to say—the DoD’s estimates are wrong.
We’re going to need way more assessments than they think.
There will not be enough assessors.
The backlog will be humongous and therefore the program will not work.
There is no C3PAO, even the biggest, busiest C3PAO, that is booked up even until the end of this year.
Even if you aggressively cut the theoretical assessment capacity by 75%, we’re still outpacing the number of monthly Level 2 assessments that are successfully going through.
Even if you were to grant all the false starts a full assessment.
By the end of this month we’re going to be close to 1,300–1,400 Level 2 assessments.
We’re adding 40 to 50 a week.
We’re flying through adding plenty of assessments.
But if the DoD were wrong, where is everybody?
It’s got to be a mixture of a lot of things.
A lot of it is people didn’t implement the stuff that they needed.
Which is why our backlog is longer than a lot of C3PAO backlogs because people never implemented the requirements to be ready for the assessment.
Some people might have variable deadlines.
Some people might have self-assessment the first time around.
There’s a lot of reasons why it could be.
But ultimately it’s just not true that there isn’t enough assessment capacity.
As far as the data shows for now, based off even trying to steelman the argument as best as I could, I don’t see there being an assessment constraint anytime soon, if ever at this point.
Especially now that iSooC has taken over assessor training.
24:02 — Daniel
Oh yeah.
24:07 — Jacob
Speaking of cool things that happened though, not only did we hit 100 Level 2 certified clients at this point, but we also were awarded the Army’s Endure contract.
Daniel, I can’t remember if it was somebody in the Hotline chat or somebody on LinkedIn.
They were a longtime viewer.
You and I were a little critical of this program when it first came out because we didn’t know conceptually how this thing was going to work.
That was like two years ago.
But they worked through that process.
There were a bunch of different presentations, RFIs, slide decks, all kinds of stuff.
The rough number that they’re talking about is they want to help around 6,000 of these micro and small DIB contractors with what’s going on.
This person said, “We haven’t seen any detailed info.”
There’s a lot of details that are missing, even for the people that are going to be helping with this program.
What I can tell you is that we’re actively looking for people who want to go through the pilot of this program for the first six months.
You might be finding out some of the details with us.
If you’re interested in that, get in touch.
If you’re the right size, there’s now funding available for people to participate in the pilot and it might be exactly what you’re looking for.
The details are probably going to be slow to come out, but everybody who’s in the pilot will be up and running by the time those details actually happen.
So let us know if you’re interested.
It’s great to see yet another thing.
Pop quiz, chat.
Do you think the Army would have spent $49 million on facilitating secure enclaves for their suppliers if CMMC had never been a thing?
Do you think they would have ever bothered to allocate that money?
Nope.
Not at all.
There wouldn’t have been a single dime for that kind of work.
So yet again, another thing you can thank CMMC for.
Even though it’s got its warts and we all have our issues with the program, it’s a means to an end for helping people with security.
Therefore, it’s a net win in my book.
26:12 — Jacob
Alrighty, we just heard this one this morning.
Daniel, our PE firm wants us all-in on AI.
We probably need to go to GCC High.
Can we do both of those things?
26:26 — Daniel
The answer to that is yes.
The question always comes around your asset scoping.
If you’re using a SaaS version of an AI instance, guess what it has to do?
It’s got to meet FedRAMP.
If you have export-controlled data, it’s got to meet that as well if that data is going to reside in there.
This particular conversation was talking about empowering the lowest person on the totem pole to use whatever LLM model they saw fit to do the job they were trying to do.
It sounded a little Wild West.
I came back with the conversation of, you can’t just do that.
You’re in a very regulated industry now where you have to have enough controls in place to know where this data is going.
They came back and said, “What if none of these LLMs are going to have CUI in them?”
I said, okay, then they’re not going to be a CUI asset.
But it comes back to one core problem.
How are you going to implement appropriate governance to make sure CUI and export-controlled data aren’t going to end up in those LLMs?
How are you going to ensure there aren’t things uploaded to some SaaS LLM that’s ultimately going to disclose controlled information or worse, export-controlled items?
Short answer is nobody has a really strong answer to that except for hosting their own LLM in a private cloud like OpenAI deployments in Azure Gov or Copilot inside GCC High where there’s a semblance of more governance.
AI serves a purpose.
28:23 — Jacob
You’re doing it wrong, buddy.
You got to turn your brain off.
AI.
AI.
It’s just AI.
Have you seen the Jensen Huang mashup videos where they clip every time he says AI for five minutes straight?
Just AI.
AI.
AI.
Just throw controlled data into this AI thing.
You have no idea what it’s doing or where it’s going.
No problem.
It’s fine.
Trust in the coming robot singularity to take care of everything.
Don’t look up.
Don’t look up.
Corporate risk?
Who needs it?
Oh my God, we have a voicemail.
29:04 — Voicemail Question
Question for you guys.
I’ve got a client who has a machine product that they customize for the government.
Even though this product is commercially available, the customization piece is specific to the government entity they’re working with.
However, even though all rational thought tells me that this should be CUI and should be CTI, their program manager is consistently saying that there is no CUI involved here.
How would you recommend advising this client who doesn’t really want to get prepared for a Level 2 CMMC audit or self-assessment?
Thanks.
31:30 — Daniel
Oh, this is a fun one.
Commercial off-the-shelf products are not CUI.
That’s one of the things that gets people confused.
The question becomes: what information is being used to perform the customization?
If I’m taking a commercial product and modifying it using information that is publicly available, that’s a very different conversation than taking a commercial product and modifying it based on non-public government requirements.
The first thing I would do is get the determination in writing from somebody with authority.
If the government is telling you there is no CUI involved, get that documented.
The second thing I would think about is how quickly could that answer change?
Because a lot of organizations are making decisions based on today’s answer without thinking about tomorrow’s answer.
If next month the answer changes and suddenly there is CUI involved, what does that do to your timeline?
If it takes six months to get compliant and losing that work would materially impact your business, I would probably continue preparing.
At least enough that I wasn’t starting from zero if the determination changes later.
33:01 — Jacob
That’s one of the things people constantly underestimate.
They focus on whether something is CUI today.
The more important question is often whether it could become CUI tomorrow.
Because if the answer changes and you’re not ready, now you’re dealing with a business continuity problem.
We’ve seen that happen plenty of times.
33:31 — Daniel
Exactly.
It’s really a risk management decision at that point.
33:40 — Jacob
Speaking of risk management decisions, let’s go back to paper records for a second because people got very excited about the FAQ.
Then they read the rest of the FAQ and got less excited.
33:55 — Daniel
Yeah.
The FAQ didn’t create some magical loophole.
It said paper can exist.
It didn’t say the protection requirements disappear.
You still have to safeguard the information.
You still have physical security considerations.
You still have handling requirements.
The format of the information doesn’t magically remove your responsibilities.
34:28 — Jacob
People always want the one weird trick.
Government hates this one weird trick.
And then they discover there is no one weird trick.
The objective remains the same.
Protect the information.
34:48 — Daniel
Exactly.
34:54 — Jacob
Here’s another question.
Are enclaves still the dominant strategy?
35:01 — Daniel
For a lot of organizations, yes.
Especially when you’re talking about companies where a relatively small number of users need access to CUI.
The economics can be very attractive.
Instead of transforming the entire enterprise, you reduce scope.
Scope reduction is still one of the most powerful things organizations can do.
35:31 — Jacob
It’s one of the biggest mindset changes we’ve seen.
People assume everyone has to move.
Everybody doesn’t have to move.
You have to move the people and assets that need to be in scope.
35:46 — Daniel
Exactly.
And once organizations understand that, they tend to make much better decisions.
36:00 — Jacob
What are you seeing from primes regarding supply chain readiness?
36:06 — Daniel
A lot of uncertainty.
Some organizations are aggressively evaluating suppliers.
Some are communicating.
Some are issuing notices.
Others seem to be waiting.
The challenge is that waiting doesn’t make the problem easier.
It compresses the timeline.
If your supplier needs six months and you wait until the last minute to tell them, you’ve created your own problem.
36:43 — Jacob
We’ve seen this movie before.
Everybody waits.
Then suddenly everybody needs the same thing at the same time.
And then everybody acts surprised.
36:57 — Daniel
Exactly.
37:04 — Jacob
How should people think about MSPs after everything that’s happened recently?
37:11 — Daniel
The first question I’d ask is whether you retain control of your environment.
Can you gain administrative access?
Do you understand your shared responsibility model?
What happens if something unexpected occurs?
A lot of people never considered that last question until recently.
37:40 — Jacob
Because nobody expects a provider to disappear overnight.
37:46 — Daniel
Correct.
But risk management requires thinking about unlikely scenarios.
You don’t build contingency plans for things that are guaranteed.
You build contingency plans for things that would hurt if they happened.
38:11 — Jacob
Do you expect the Department of War to move quickly on 171 Revision 3?
38:18 — Daniel
I don’t know.
And I think anyone claiming certainty there is probably guessing.
There’s still a rulemaking process.
There are still lots of moving pieces.
Most organizations have plenty of work to do under the current requirements.
38:46 — Jacob
That’s one of the reasons I’m not telling people to panic.
The people who haven’t finished Rev 2 aren’t exactly sitting around waiting for Rev 3.
They’ve got plenty to keep them busy.
39:04 — Daniel
Exactly.
39:10 — Jacob
What are you seeing from organizations that are actually succeeding?
39:17 — Daniel
Momentum.
That’s the common denominator.
The organizations that are succeeding started moving.
They made decisions.
They committed resources.
They stayed engaged.
They kept making progress.
The organizations struggling are often stuck waiting for perfect information.
Perfect information doesn’t exist.
39:54 — Jacob
The people who started three years ago didn’t have perfect information either.
They just started.
40:05 — Daniel
Exactly.
40:11 — Jacob
What’s the biggest misconception you’re still hearing?
40:17 — Daniel
That CMMC is going away.
I still hear it.
I still hear people say they’re waiting because maybe the program disappears.
At this point I don’t know how someone can look at contract requirements, certifications, supplier notices, and customer expectations and conclude that the program is going away.
40:52 — Jacob
The conversation has changed.
We’re no longer debating whether it exists.
We’re debating implementation details.
That’s a completely different discussion.
41:08 — Daniel
Exactly.
41:14 — Jacob
What should organizations focus on over the next six months?
41:20 — Daniel
Understanding their data.
Understanding their supply chain.
Understanding their architecture.
And making decisions.
The organizations that continue making decisions continue making progress.
The organizations that delay decisions generally delay outcomes.
41:55 — Jacob
Analysis paralysis remains undefeated.
42:00 — Daniel
Unfortunately.
42:07 — Jacob
Do you think we’re going to continue seeing supplier notices?
42:13 — Daniel
Absolutely.
I’d be shocked if we didn’t.
The trend line is very clear.
Customers want certainty.
Certification provides certainty.
As more suppliers get certified, expectations rise for everyone else.
42:42 — Jacob
That’s how compliance ecosystems mature.
What feels unusual today becomes normal tomorrow.
42:50 — Daniel
Exactly.
43:00 — Jacob
One thing that’s been interesting is how many organizations are now evaluating cybersecurity as part of supplier risk.
Five years ago we weren’t having that conversation nearly as often.
43:15 — Daniel
No.
And that’s one of the major shifts.
Cybersecurity is increasingly being treated as a business requirement instead of a technical preference.
That’s a huge change.
43:37 — Jacob
And frankly one of the reasons we’re seeing so much activity around certification.
43:44 — Daniel
Absolutely.
43:52 — Jacob
We’ve still got a few questions left.
Let’s keep moving.
44:02 — Daniel
Let’s do it.
44:10 — Jacob
Somebody asked whether there will be enough qualified people to support implementation as demand continues increasing.
44:22 — Daniel
That’s actually a bigger concern for me than assessment capacity.
Finding people with real-world implementation experience is difficult.
We’ve seen organizations lose key personnel because larger companies are paying premiums for people who have successfully navigated CMMC.
44:52 — Daniel
Assessment capacity gets all the attention.
Implementation capacity is where I think many organizations are going to struggle.
45:10 — Jacob
That’s a really good point.
45:16 — Daniel
You can schedule an assessment.
You can’t instantly create experienced implementation personnel.
45:31 — Jacob
And that’s one of the reasons organizations should start earlier rather than later.
45:40 — Daniel
Exactly.
46:00 — Daniel
Are screenshots part of basic VDI protocol?
No.
Transmitting video only, video, keyboard, and mouse if the VDI is properly configured to prevent copying, including screenshots. You see how they call that out?
Saving or printing CUI on the endpoint except within a NIST 800-171 compliant system, meaning that, with the physical assets in scope and multifactor implemented for access to the VDI server, the endpoint would be considered out of scope.
So you can have all of the incredible things configured, right, and you still have screenshots out there.
And according to the DoD FAQs, that is still not enough. You got to be able to disable screenshots.
46:46 — Jacob
And with that, that’s it. We’ll keep going.
Said, can you briefly share your opinion on CIO IT Security 2110.2 Revision 1? That is the GSA’s updated standard for CUI in vendor systems.
Daniel and I did a podcast not too long ago on that very topic.
Long story short, it’s a damn mess because instead of using a third-party outsourced certification program for the 800-171 baseline, GSA is going to use an RMF-style approach in which even though everybody has the same exact minimum baseline for the same exact type of data, regardless of the details of that data, they would rather on a case-by-case basis go through and review the security assessment results after hiring a FedRAMP 3PAO to conduct the assessment.
There’s a reason why the DoD never did that because it doesn’t work at scale. They don’t have enough people to do it. I don’t think GSA has enough people to do it.
GSA has said nothing about it. There are no press releases. There are no interviews. There are no posts. There is no information anywhere about it at all.
They also point to 171 Rev. 3 while DoD points to 171 Rev. 2. As far as I’ve heard, no one at GSA or the DoD has talked to each other about this, even though they all sit on the FAR Council together, but that’s probably because they’re too busy working on the FAR CUI rule. Am I right, folks? Because we’ve only been waiting on that for ten years.
There are some interesting gems in there though around their showstopper requirements, some examples they have of SSP language, things like that. So there are some interesting things that defense contractors can probably lift out of the GSA guidance. Don’t treat it as gospel, obviously, but it can be helpful context or examples.
As of right now, two ships in the night between GSA’s approach and DoD’s approach, unfortunately. Wild times.
48:49 — Daniel
Yep. Yep.
Fun times. Fun times.
48:57 — Jacob
I remember when people said, “Oh, there’s not going to be anything to talk about after the rules are done.”
Alrighty.
Oh, I left this one in here from last week because I wanted you to see it.
If Phase 1 requires self-assessment with an 80% passing score, why would the Cyber AB allow prime contractors to increase or accelerate Phase 1 requirements?
49:20 — Daniel
The fact that they think the Cyber AB has control over how primes decide to roll out CMMC to their supply chain is surprising by itself.
49:25 — Jacob
Cue up Lockheed as Bane putting his hand on the guy’s shoulder being like, “You think you have power here?”
The AB is not in charge of anything. The AB is in charge of the town hall. They’re not even in charge of their own logo.
They put the fries in the bag, essentially, for DoD’s program. That’s a very important job, but they don’t tell primes what to do. Very few people in the world tell the primes what to do.
The Cyber AB is not in charge of allowing or disallowing the primes from increasing or accelerating requirements.
In fact, even the DoD themselves are not in charge of what the primes do between the primes and the subs because they do not have privity of contract.
The subcontract between the prime and their subs is between the prime and the subs.
The contract between the DoD and the prime, they have privity for because they are a relevant party to that contract. But those primes can do whatever they want to.
So if the primes know that in the future they’re going to need Level 2 certified subs, they can go tell their subs right now, “You need to go get Level 2 certified.”
It doesn’t matter when they have the requirement to go get Level 2 certified.
Which is why we predicted a long time ago that you would see an acceleration the further away from the prime-DoD contract you are because the prime can’t wait until they take award of a contract, or they’re three months away from award, to then go tell a bunch of suppliers to start a project that is typically taking them 12 to 18 months to finish if they finish at all.
They need to know ahead of time who they’re going to be able to work with.
Which is why you’re seeing July, November, Spring 2027. There is no one deadline for any one of these companies.
Some companies have already had deadlines. Some companies have won work. Some companies have lost work.
It’s a big world out there with a lot of different agreements and contracts and opportunities.
The AB’s not in charge of it. The DoD’s not in charge of it.
Lockheed can do whatever Lockheed wants to do.
They can say, “Hey, you want this contract? You do a standing backflip.” And if you can’t do it, feel free to negotiate, but that’s between you and Lockheed.
51:30 — Daniel
Well, you think Level 2 has an accelerated timeline?
We’re hearing people coming out with Level 3 requirements for their supply chain by January of next year.
51:43 — Jacob
Yeah.
And listen, if there’s anyone from DIBCAC listening, please call us back.
Everyone’s trying to get in touch with DIBCAC about what Level 3 assessments will look like.
I’ve heard maybe that they’ve started the conversation about Level 3 assessments, but after November 10th, contracting officers are ready to go.
We’re ready to go.
I heard through the grapevine that there were some Pathfinder pilot Level 3 assessments with the big, big, bigs of the world and didn’t go so great for the big, big, bigs of the world.
But we’re ready for our Level 3.
Hit us up, DIBCAC. We’ll show you how to get it done. No big deal.
I know you guys watch the content. I know you guys are big fans.
Help us help you.
We’ll show you how to get through Level 3.
No problem at all because Level 3 is closer to 800-53 and I brush my teeth to 800-53.
52:35 — Daniel
Yes, you do.
52:40 — Jacob
Help us help you.
All right. A few comments in chat real quick.
52:46 — Daniel
Listen, okay.
Impossible to prevent screenshots if you’re not in a SCIF.
You’re absolutely right. Anybody can pull out a phone and take a picture.
What the DoD is really saying is what technical controls can you implement to prevent it.
You should have policy saying Joe shouldn’t take out his phone and take a picture.
There’s only so much you can do, but you have to do as much as possible, which is really what the DoD is asking.
Scott says if a device is not managed then screenshots can’t be disabled in GCC High as far as he knows.
That’s true except for Azure Virtual Desktop. You can inherit that connection profile that disables it in the Microsoft Remote Desktop client that’s streaming that image.
The one thing we’re really hoping for some clarity on in the near future is things like zero-trust browsers to try and be almost like a VDI-equivalent type solution.
But we need some assessors to look over that and probably the Cyber AB or the DoD CMMC PMO office to rule on whether that’s going to be acceptable as a VDI-ish solution.
54:14 — Jacob
All right, let’s see here.
Through DMs: “Big fan of the content. Helped me a ton over the past 18 months.”
They actually did write that. I’m not making that up.
Are you aware, if two CAGE codes enter into a joint venture where the joint venture itself has no separate information systems, only the systems of the CAGE codes that are already certified, does the JV require its own independent C3PAO assessment?
54:49 — Daniel
So you’ve got one CAGE code at Level 2, another CAGE code at Level 2.
When two CAGE codes with Level 2s love each other very much, they enter into a joint venture.
But this is actually new as of last week and the DoD update here.
Basically what they’re saying is if an organization is certified to Level 2 and you’re using those certified assets as part of the joint venture, you’re okay.
But if you’re introducing other assets outside of the boundary, you need to get certified to bring those assets into scope.
Whether that’s the other organization doing it or whether that’s you.
So if you both come to the table certified and you’re both using the assets as they’re intended with CUI and not introducing anything new that would require maybe a significant change, then you’re likely going to be okay.
56:02 — Jacob
What is the current backlog for C3PAOs?
56:09 — Daniel
There is no one dashboard or status tracker for backlogs.
Best thing to do is call many of them.
There’s a marketplace on the Cyber AB website where you can reach out.
Currently it ranges from no backlog to days to weeks to months depending on which one you go with.
Definitely vet who you’re going with and make sure their experience lines up with your environment, your technology, and your service provider.
Ideally you’re working with people who know what they’re doing and already have a track record of getting people through this process.
There is no existing backlog tracker.
56:42 — Jacob
What we do know is that there is no lack of openings across the marketplace for C3PAOs.
Some C3PAOs are out there posting open availability windows.
I saw one this week that said, “We could start you on Monday.”
They’re going to be outside on the corner flipping a big arrow saying, “Who needs an assessment?”
And everybody’s still going to be on their phone at the red light saying there aren’t enough assessors.
57:16 — Jacob
After we achieve CMMC Level 2, are there any maintenance fees beyond annual self-affirmation?
57:22 — Daniel
Yes.
You’ve got to care and feed for the environment.
Whether you’re doing that internally with FTEs you’ve already staffed or you’re using outsourced support, there will be costs associated with it.
You can’t just set it, certify it, and walk away.
CMMC is not a one-and-done thing.
57:53 — Jacob
Licensing, personnel costs, upgrades, refreshes, operating the environment, change control.
These are all ongoing costs.
58:17 — Daniel
One of the most interesting things we’ve talked about with false claims attorneys is significant change.
I think the next wave of whistleblowers is not going to be people who were never compliant.
It’s going to be people who became compliant but failed to disclose significant changes and get reassessed when required.
59:05 — Jacob
How many pages should a System Security Plan be?
59:11 — Daniel
There is no standard.
There’s no minimum. There’s no maximum.
The NIST template is widely considered completely insufficient.
The general rule of thumb is that your SSP should address every assessment objective in 800-171A or 800-172A depending on what level you’re pursuing.
One of the most common reasons companies get false starts is they either don’t have an SSP at all, or their SSP is only a couple pages long.
1:00:20 — Daniel
I’ve heard 250 to 300 pages is a decent number to shoot around, give or take.
Obviously it depends on the number of assets, the configuration, and how you’re organizing documentation.
There are a lot of ways to build an SSP.
1:00:45 — Jacob
Well everybody, it’s been an hour.
We’re tantalizingly close to 100,000 subscribers on our YouTube channel.
Five years ago this month we put out the History of CMMC video, which changed the trajectory of my career.
We were just yelling into the wind and then we started putting those rants on YouTube.
Now we’re almost at 100,000 subscribers.
If you’re not subscribed, please do that.
If you are subscribed, thank you very much.
If you’ve ever gotten anything valuable out of the content or think someone else might, share it with them.
The subscriptions definitely help.
We’re going to throw a big party when we get those play buttons.
We don’t talk about subscriber numbers much, but 100,000 is a big milestone.
1:01:49 — Jacob
Daniel’s back. I’m gone next week.
You’ll get more Daniel all the time and then we’ll be back together eventually.
We’ve got some questions in the chat that we’ll add to the backlog.
If you find this afterwards on YouTube or LinkedIn, add your questions there and we’ll add them to the backlog as well.
Find us at cuihotline.org.
Like always, shoot us a DM.
1:02:07 — Jacob
We’ll see you next week.
1:02:13 — Daniel
See y’all.