Jacob and Daniel discussed the growing shortage of experienced CMMC personnel as organizations lose key compliance and cybersecurity staff to larger companies offering higher salaries. They also examined the impact of L3Harris Missile Solutions requiring suppliers to provide Level 2 certification evidence by July 30, highlighting how customer-driven deadlines may arrive much sooner than formal Department of War rollout timelines. The episode concluded with audience questions covering supplier strategies, AI usage, VDI environments, joint ventures, certification costs, annual affirmations, and the importance of building compliance programs based on governance and evidence rather than assumptions.
Key Takeaways
- Organizations are increasingly losing internal CMMC expertise to larger contractors. Employees with experience implementing NIST 800-171 and CMMC are becoming highly sought-after across the Defense Industrial Base, creating staffing and sustainment challenges for smaller companies.
- Prime contractors are accelerating compliance expectations across their supply chains. L3Harris Missile Solutions’ July 30 certification requirement demonstrates that customer deadlines can be far more important than broad Department of War rollout timelines.
- Reducing the flow of CUI remains one of the most effective compliance strategies. Organizations should carefully evaluate suppliers, data flows, and business processes to minimize unnecessary CUI exposure throughout the supply chain.
- AI tools are not inherently incompatible with CMMC requirements. The key considerations are data governance, storage location, access controls, export compliance, and understanding how information is processed by the AI platform.
- Certification is not the finish line. Annual affirmations, governance processes, internal audits, and ongoing evidence collection are critical to maintaining compliance and ensuring senior officials can confidently attest to the organization’s cybersecurity posture.
There are no deadlines in the CMMC Phased Roll-out. “When do I need CMMC?” depends entirely on your customer and the data you’ll be handling. NAVFAC SW says November 2026. PCS JTF says Spring 2027. Some SOCOM support contracts say you don’t need to achieve status until six months after award. That’s blatantly against policy, but the DoD isn’t a monolith. It all depends on your specific situation. If you have questions about your specific situation, come hang out with us Fridays at 10am PST when we answer your questions live.
Transcript
0:04 – Jacob Horne:
Alrighty everybody, the most difficult hotline of the year because we all have to stop watching the Masters for a full hour. So, if you are here hanging out with us and not watching the Masters or if you are even sharing screen and tab time with the Masters, thank you very much because I know I’d want to be watching the Masters right now.
0:27 – Jacob Horne:
This is the hotline. We do it every Friday. This is the last time you’re going to see Daniel on the hotline for several weeks because he’s about to be a married man. So, your boy’s getting married.
0:36 – Jacob Horne:
You got questions for Daniel while he’s still a bachelor, ladies, then make sure you get them in on this hotline because that’s right, it won’t be allowed after this broadcast. The clock is ticking.
0:44 – Jacob Horne:
We are streaming on YouTube and on LinkedIn and you can find us at cuihotline.org.
0:55 – Jacob Horne:
You can put your questions in chat. You can send us questions via DM. You can fill out the form. You can call the number. Lots and lots of ways to send questions to us.
1:05 – Jacob Horne:
We got a bunch in the queue that we haven’t had a chance to get to yet. So, we’ll jump right into our thoughts of the week and start going from there. Daniel, you want to talk about internal capacity and CMMC?
1:16 – Daniel Akridge:
I do. So, I was talking to a few organizations this week and this was the most common thread because I always like to look for general threads of what are people actually saying here.
1:38 – Daniel Akridge:
The topic this week was very, very consistent. And that was not only do we have to figure out CMMC, we just realized we’ve lost our internal capacity to solve that problem.
1:46 – Daniel Akridge:
The team that we had, two or three of them left and now we don’t have them anymore.
1:58 – Daniel Akridge:
Well, I wonder why that might be the case. Well, it turns out, at least the conversations that I had this week, people are aggressively getting hired away to go be hired as CMMC program managers, GRC, senior GRC, director-level GRC people for these larger organizations and getting paid exponentially more money because obviously they have deeper pockets.
2:29 – Daniel Akridge:
The current trend that I’m seeing is internal capacity starting to fall off. Not because there’s not competent people out there, but because people can’t afford the competent people that they either had and had to lose because they couldn’t meet the salary or can’t go acquire net new.
2:45 – Daniel Akridge:
We’re seeing this really big trend in, “Hey, our team got us there but now our team left because they have something cool on their resume and we don’t have anyone to maintain the compliant environment that we built.”
3:21 – Jacob Horne:
This is similar to the thing that we’ve been seeing where people’s external capacity also dries up because their MSPs called them up and they were like, “Hey, we told you 18 months ago that we were totally going to be good to go. We actually have zero interest in doing this work anymore. So good luck out there.”
4:02 – Jacob Horne:
Ryan Bonner has said this time and time again. If you have an internal resource that can single-handedly walk your company through everything that you need to do to do implementation and compliance with DFARS 7012 and successfully navigate CMMC, you will not be able to keep them as your internal resource for very long.
4:25 – Jacob Horne:
It just won’t happen. I feel like this is Bonner’s law of competency or something like that. It is happening in droves right now.
4:48 – Jacob Horne:
Talk about losing internal capacity, losing external capacity, and then suddenly getting the gauntlet thrown down. You and I both posted about this this week.
4:56 – Jacob Horne:
We’ve seen supplier letters from Lockheed. We’ve seen supplier letters from every major prime out there. At this point, I don’t know of a prime that hasn’t put out some sort of notice to their suppliers that you’re going to have to do this.
5:21 – Jacob Horne:
Some primes that we know, like Mr. Birdwell at Elbit Systems, are out there doing a roadshow. He’s posting every day. He’s going on podcasts. He’s going to conferences.
5:44 – Jacob Horne:
If you’re a supplier to Mr. Birdwell, you’re probably very happy that you’re not a supplier to L3Harris because they put out a letter.
5:52 – Daniel Akridge:
Missile Systems specifically at L3Harris basically says if the prime contract requires Level 2 CMMC and you’re going to handle CUI, you require a Level 2 certification.
6:09 – Daniel Akridge:
In order to prove to us that you have your Level 2, we want a copy of your certification and the Security Assessment Report generated from your Level 2 assessment.
6:16 – Daniel Akridge:
We want that by the end of July or you can get out.
6:33 – Daniel Akridge:
The thing that jumps out to me is how many times they use the word “our.” Our business disruption. Our supply chain.
6:50 – Daniel Akridge:
This is what we’re doing for us and our business. This is what you will be doing in order for us to continue doing business.
7:04 – Daniel Akridge:
There’s no feelings. There’s no flowery language. There’s no nothing.
7:10 – Daniel Akridge:
If this is the first time you’re hearing from your customer and your customer is L3Harris, you have less than 80 working days to meet July 30th.
7:44 – Jacob Horne:
All these primes have been collecting attestations from their suppliers that say we comply with 7012, we’ve implemented 171, we’re planning to get CMMC Level 2.
7:52 – Jacob Horne:
They were like, “Okay cool, now it’s time to prove that you did the things that you’re saying you were doing.”
7:59 – Jacob Horne:
If you don’t do it, we’ll find somebody who did.
8:13 – Daniel Akridge:
I saw another email from a company I’ve worked with in the past that said, “Hey Daniel, we just got a notice that we have to be compliant by July 30th.”
8:45 – Daniel Akridge:
That timeline’s too aggressive for organizations starting net new.
9:02 – Daniel Akridge:
It’s really interesting to start seeing the ripple effect of this already.
9:26 – Jacob Horne:
This is under the Missile Solutions division.
9:34 – Jacob Horne:
If you’re doing parts that affect missiles, you’re probably working with defense categories of CUI that are clearly going to require you to comply with DFARS 7012 and almost certainly require certification.
10:06 – Jacob Horne:
It basically says we get the requirement from our customer, we flow that data to you, therefore you get that requirement from our customer.
10:22 – Jacob Horne:
They’ve been able to downgrade, dissect, and change all these things pursuant to DFARS 7012 for a decade. They ain’t doing it.
10:31 – Jacob Horne:
Get the cert or you can work on somebody else’s missiles.
10:40 – Jacob Horne:
L3Harris acquired Aerojet Rocketdyne.
10:49 – Jacob Horne:
Aerojet Rocketdyne was the case that established cybersecurity compliance as being material to defense contracts.
10:56 – Jacob Horne:
Brian Marcus was basically told, “Tell the government that we’re complying with these requirements.”
11:04 – Jacob Horne:
He blew the whistle and said they were not compliant and the government was paying them anyway.
11:12 – Jacob Horne:
That case established the precedent that if you are not compliant with DFARS 7012 and NIST 800-171, that’s a material violation of the terms of the contract.
11:45 – Jacob Horne:
They are anticipating future contract awards to have this requirement.
11:53 – Jacob Horne:
They’re accelerating their supply chain because they want to win the work.
12:26 – Jacob Horne:
They’re not going to jack around with supplier variances and requests. That’s why they’re saying July.
12:41 – Jacob Horne:
You don’t have that information. So this is all you have to go off of.
12:46 – Jacob Horne:
Get right or get left.
12:51 – Orion (Question):
Can a large contractor that has hundreds of small subs provide those subs with access to a VDI? Does the contractor then become a cloud service provider? Does the sub have any additional requirements beyond that?
13:12 – Daniel Akridge:
I had a conversation with somebody making the case that if the prime is hosting the environment and they’re certified, and subcontractors are simply users in that environment, then it becomes a very interesting discussion.
13:51 – Daniel Akridge:
If the prime is hosting a single environment that all subs are in, you could maybe avoid some CSP considerations.
14:10 – Daniel Akridge:
The language I heard was that because the prime is hosting it and certified, the subcontractors’ assets are out of scope and contractual obligations would define authorized personnel.
14:28 – Daniel Akridge:
The argument is that CMMC wouldn’t necessarily need to flow down because none of the subcontractor systems are processing, storing, or transmitting CUI.
15:01 – Daniel Akridge:
I haven’t seen anyone do this because I don’t know any legal team at any prime that wants a sub tying their compliance to the prime’s infrastructure.
15:22 – Daniel Akridge:
I don’t see anyone doing this at scale.
15:46 – Jacob Horne:
John says he saw a similar letter from Northrop.
16:05 – Jacob Horne:
If you guys ever see or hear of anything and you’re like, “What the heck is this?” send it over. We’re all learning together.
16:31 – Jacob Horne:
Purple Girl says, “I have a question. What would be a good solution for vendors that can’t get compliant but are necessary to meet contractual requirements?”
16:48 – Jacob Horne:
This might be related to what Orion was asking. Are primes going to be extending their environments out to suppliers?
16:55 – Jacob Horne:
I’ve heard this on some calls where people are saying, “We’ve got all these suppliers and they’re telling us they can’t do it, so what are we going to do about it?”
17:08 – Daniel Akridge:
I think the problem lies back to Orion’s point earlier.
17:15 – Daniel Akridge:
Let’s say the prime has an environment that allows a bypass of the CMMC flowdown for Level 2 because none of the subcontractor systems process, store, or transmit CUI.
17:31 – Daniel Akridge:
Technically they’re deeming authorized users through other contractual means.
17:42 – Daniel Akridge:
The reason I don’t think that’s really going to get very far is that contracting officers and large prime organizations don’t know how their employees are sending data to subcontractors.
18:00 – Daniel Akridge:
Even if the prime built an enclave, a lot of them don’t have enough organizational trust to believe all of that data is genuinely going to stay there.
18:14 – Daniel Akridge:
That’s where it becomes a really big problem.
18:22 – Daniel Akridge:
It opens them up for significant risk.
18:31 – Daniel Akridge:
We didn’t flow down the contractual obligation, but we did flow down CUI through some other means outside the approved process.
18:47 – Daniel Akridge:
It’s probably easier to have a smaller, more concise supply chain and supplement a handful of critical suppliers financially to get them to CMMC than it is to host an enclave and absorb all of that risk.
19:19 – Jacob Horne:
With those things considered, somebody asked: Is it realistic to get compliant by Halloween for a 150-person company currently in Microsoft Commercial?
19:49 – Daniel Akridge:
I’m going to throw out multiple options here.
19:57 – Daniel Akridge:
Cloud enclave, VDI, no data migration.
20:07 – Daniel Akridge:
A lot of people don’t realize you don’t actually have to have CUI in the environment to be assessed.
20:21 – Daniel Akridge:
There’s almost a pre-CMMC and post-CMMC way of thinking.
20:30 – Daniel Akridge:
In a post-CMMC world, CUI must be stored in a boundary meeting the requirements with either a self-assessment or certification, depending on what’s required.
20:46 – Daniel Akridge:
If you’re doing an enclave, you can get really close to meeting August or September timeframes assuming there’s no on-prem complexity.
21:03 – Daniel Akridge:
You still have to do organizational adoption, training, technical deployment, managed services enrollment, shared responsibility matrices, and all of those things.
21:18 – Daniel Akridge:
If you’re actually migrating an entire organization, you’re probably looking closer to nine months.
21:24 – Daniel Akridge:
That’s not because the technology takes that long.
21:33 – Daniel Akridge:
Microsoft throttles tenant-to-tenant migration throughput.
21:41 – Daniel Akridge:
You have to cut over users, devices, single sign-on applications, SMTP relays, third-party applications.
21:56 – Daniel Akridge:
You also have to determine whether your infrastructure is compliant.
22:04 – Daniel Akridge:
Are your networks FIPS validated?
22:08 – Daniel Akridge:
Are your third-party applications FedRAMP?
22:22 – Daniel Akridge:
We typically see enterprise-level transformations take at least 12 months, even for smaller companies.
22:31 – Daniel Akridge:
Enclave implementations can typically get there in about six months.
22:42 – Jacob Horne:
This question has been coming up everywhere. Can we use AI tools and still be CMMC compliant?
22:58 – Jacob Horne:
There is nothing about the CMMC program that is at odds with the idea of using AI tools.
23:13 – Jacob Horne:
There’s nothing in 171, 172, CMMC Level 2, Level 3, or the FAR basic controls that outright says you can’t use AI.
23:28 – Jacob Horne:
It all depends on how you’re managing those tools and where the data is going.
23:43 – Daniel Akridge:
One hundred percent.
23:50 – Daniel Akridge:
When you’re looking at AI, you have two real options.
23:57 – Daniel Akridge:
You can self-host your model or use a SaaS-based service.
24:06 – Daniel Akridge:
If it’s a cloud provider, the same requirements apply.
24:14 – Daniel Akridge:
You need to understand what happens to your data, how the model learns, and how data is shared.
24:37 – Daniel Akridge:
If you self-host or use a controlled environment, you’re generally in a better position.
24:45 – Daniel Akridge:
For example, we use Copilot in GCC High.
24:54 – Daniel Akridge:
The learning model and the data remain within the protected environment.
25:09 – Daniel Akridge:
You can absolutely use AI tools.
25:17 – Daniel Akridge:
A lot of what people feed AI doesn’t actually require feeding it CUI.
25:31 – Daniel Akridge:
Your IT team needs to be hyper-aware of what type of AI you’re using.
25:39 – Daniel Akridge:
You need governance and you need to run it through the DFARS 7012 and CMMC filter.
25:49 – Jacob Horne:
This is becoming similar to the question, “Can we use the cloud and still be compliant?”
26:06 – Jacob Horne:
There’s nothing inherently wrong with using the cloud.
26:15 – Jacob Horne:
You just can’t send controlled data wherever you want.
26:28 – Jacob Horne:
The same thing applies to AI.
26:47 – Daniel Akridge:
Even if an organization is FedRAMP Moderate, that doesn’t mean it satisfies export control requirements.
26:58 – Daniel Akridge:
FedRAMP has nothing to do with citizenship requirements.
27:09 – Daniel Akridge:
You need to understand who can access your data and what happens to it.
27:24 – Audience Question:
We have C3PAO certification for several cage codes using an Azure GCC High enclave. We want to bring another location with a separate cage code into the enclave. Do we need another assessment?
28:04 – Daniel Akridge:
Yes.
28:08 – Daniel Akridge:
There’s only one organization that can add cage codes to eMASS for a certified commercial environment, and that’s a C3PAO.
28:22 – Daniel Akridge:
What we’ve been hearing more conversations around is what people are calling delta assessments.
28:38 – Daniel Akridge:
If a C3PAO already assessed you and you’re adding a cage code with minimal changes, they may charge less.
28:54 – Daniel Akridge:
Ultimately, it’s their name on the line.
29:03 – Daniel Akridge:
They determine the risk and what level of reassessment is required.
29:10 – Daniel Akridge:
One of the other interesting things that came up is the joint venture situation.
29:26 – Daniel Akridge:
One of the first places we’ve seen this addressed was in the MAPS contract language.
29:44 – Daniel Akridge:
Each member of the joint venture that processes, stores, or transmits CUI must hold its own CMMC certification.
30:00 – Daniel Akridge:
A JV can rely on a managing or mentoring partner’s certification if the JV uses the managing partner’s IT systems and enclave.
30:17 – Daniel Akridge:
If they’re leveraging your environment and not processing, storing, or transmitting CUI on their own systems, there may be ways to structure it differently.
30:48 – Daniel Akridge:
Level 1 requirements might still apply because of FCI.
31:04 – Daniel Akridge:
There may be some flexibility depending on how the organization is structured.
31:23 – Jacob Horne:
The joint venture language in that MAPS contract was very interesting.
31:32 – Jacob Horne:
Is there guidance on how contractors can get CMMC costs reimbursed under contracts?
31:42 – Jacob Horne:
No.
31:52 – Jacob Horne:
The cost of compliance with DFARS 7012 and cybersecurity requirements is considered an overhead cost.
32:00 – Jacob Horne:
These costs are reflected in overhead pools and rates.
32:15 – Jacob Horne:
If you’re a subcontractor and your prime is squeezing you, there isn’t a mechanism for individual reimbursement.
32:25 – Jacob Horne:
There is no special cost recovery mechanism for cybersecurity clauses.
32:38 – Jacob Horne:
Some state grants exist through manufacturing extension programs.
33:05 – Jacob Horne:
Those programs are entirely dependent on whether grant funding exists.
33:19 – Jacob Horne:
As far as direct reimbursement on contracts, that mechanism doesn’t exist.
33:28 – Audience Question:
How should companies think about ITAR data versus CUI when planning for CMMC?
33:40 – Jacob Horne:
People tend to mash all of these concepts together.
33:46 – Jacob Horne:
ITAR is not CUI.
33:49 – Jacob Horne:
CUI is not ITAR.
33:53 – Jacob Horne:
There is overlap between the two.
34:00 – Jacob Horne:
There is ITAR-controlled information that is also CUI.
34:06 – Jacob Horne:
There is CUI that has nothing to do with ITAR.
34:14 – Jacob Horne:
You have to understand which regulatory framework applies to the information you’re handling.
34:25 – Jacob Horne:
The mistake people make is assuming one framework automatically satisfies the other.
34:36 – Jacob Horne:
It doesn’t work that way.
34:45 – Daniel Akridge:
The easiest way to think about it is that CMMC doesn’t replace export controls.
34:53 – Daniel Akridge:
You can be perfectly compliant from a CMMC perspective and still violate export control regulations.
35:02 – Daniel Akridge:
Those are different obligations.
35:08 – Daniel Akridge:
You have to satisfy both when both apply.
35:22 – Audience Question:
Do you think we’ll see protests based on CMMC eligibility?
35:35 – Jacob Horne:
Absolutely.
35:39 – Jacob Horne:
Once certification becomes a condition of contract eligibility, people are going to pay attention.
35:50 – Jacob Horne:
Companies protest all sorts of things today.
35:57 – Jacob Horne:
If certification status affects award eligibility, it becomes something competitors will scrutinize.
36:10 – Daniel Akridge:
This is one of those areas where documentation matters.
36:16 – Daniel Akridge:
If you’re claiming compliance, you need to be able to substantiate it.
36:25 – Daniel Akridge:
The closer we get to certification requirements becoming commonplace, the more important that becomes.
36:43 – Audience Question:
Should contractors move to IL5 just to be safe?
36:53 – Daniel Akridge:
No.
36:56 – Daniel Akridge:
Requirements should drive architecture decisions.
37:03 – Daniel Akridge:
Fear should not drive architecture decisions.
37:10 – Daniel Akridge:
We see organizations all the time trying to buy the highest level of everything because they’re worried about future requirements.
37:24 – Daniel Akridge:
That can become extremely expensive.
37:32 – Daniel Akridge:
You should understand the requirements that actually apply to your environment and design around those requirements.
37:48 – Jacob Horne:
People spend a lot of money solving hypothetical future problems.
37:55 – Jacob Horne:
You still have to solve today’s problems.
38:09 – Audience Question:
What is the actual cost of certification?
38:18 – Daniel Akridge:
This is probably the most common question we get.
38:24 – Daniel Akridge:
And the answer people hate is: “It depends.”
38:34 – Daniel Akridge:
The cost of the assessment itself is only part of the equation.
38:42 – Daniel Akridge:
The bigger question is the cost of becoming compliant.
38:49 – Daniel Akridge:
If you’re already mature from a cybersecurity perspective, your costs look very different than someone starting from scratch.
39:02 – Daniel Akridge:
The assessment isn’t what drives most of the expense.
39:08 – Daniel Akridge:
Building and maintaining secure systems is where most organizations spend money.
39:24 – Jacob Horne:
I compare it to a building permit.
39:29 – Jacob Horne:
The permit didn’t make the building expensive.
39:35 – Jacob Horne:
The building made the building expensive.
39:41 – Jacob Horne:
The permit simply verifies that it meets the requirements.
40:00 – Audience Question:
Can you explain annual affirmations?
40:10 – Daniel Akridge:
One of the biggest misconceptions is that certification is the finish line.
40:20 – Daniel Akridge:
It isn’t.
40:24 – Daniel Akridge:
Certification demonstrates that you met the requirements at the time of assessment.
40:34 – Daniel Akridge:
Annual affirmations are part of maintaining that status.
40:43 – Daniel Akridge:
Organizations are expected to continue operating in accordance with the controls they were assessed against.
40:57 – Daniel Akridge:
If your environment changes dramatically or your controls degrade, certification doesn’t somehow shield you from that reality.
41:20 – Jacob Horne:
People want certification to be a finish line.
41:26 – Jacob Horne:
It’s really the beginning of the maintenance phase.
41:38 – Audience Question:
What should a company do first if they’re just getting started?
41:49 – Daniel Akridge:
Understand the information you’re trying to protect.
41:57 – Daniel Akridge:
Before you buy technology.
42:00 – Daniel Akridge:
Before you redesign your network.
42:04 – Daniel Akridge:
Before you hire consultants.
42:08 – Daniel Akridge:
Understand your data.
42:15 – Daniel Akridge:
Where does it come from?
42:18 – Daniel Akridge:
Who uses it?
42:22 – Daniel Akridge:
Where does it go?
42:26 – Daniel Akridge:
Why does it exist?
42:32 – Daniel Akridge:
Those questions drive almost every decision that comes later.
42:50 – Jacob Horne:
People try to solve fourteen problems simultaneously.
42:56 – Jacob Horne:
Instead of solving the first problem first.
43:12 – Audience Question:
Will AI make compliance easier?
43:22 – Daniel Akridge:
AI will make certain tasks easier.
43:28 – Daniel Akridge:
Documentation.
43:31 – Daniel Akridge:
Research.
43:34 – Daniel Akridge:
Analysis.
43:38 – Daniel Akridge:
Workflow automation.
43:45 – Daniel Akridge:
Those are all opportunities.
43:51 – Daniel Akridge:
What AI doesn’t eliminate is governance.
43:58 – Daniel Akridge:
It doesn’t eliminate accountability.
44:03 – Daniel Akridge:
It doesn’t eliminate human judgment.
44:19 – Jacob Horne:
Every technology wave promises to eliminate complexity.
44:27 – Jacob Horne:
Usually complexity just moves somewhere else.
44:38 – Daniel Akridge:
Organizations with good processes will probably benefit the most.
44:46 – Daniel Akridge:
AI tends to amplify existing capabilities.
45:03 – Jacob Horne:
Which means if your processes are terrible, AI may simply help you make mistakes faster.
45:10 – Daniel Akridge:
That’s also true.
45:23 – Audience Question:
What if we’re getting different answers from different customers?
45:35 – Daniel Akridge:
Separate contractual requirements from opinions.
45:43 – Daniel Akridge:
Sometimes customers are communicating requirements.
45:49 – Daniel Akridge:
Sometimes they’re communicating preferences.
45:55 – Daniel Akridge:
Those aren’t the same thing.
46:04 – Daniel Akridge:
Organizations need to understand what is contractually required versus what someone simply prefers.
46:28 – Jacob Horne:
People hear ten opinions and assume all ten carry equal weight.
46:36 – Jacob Horne:
They don’t.
46:50 – Audience Question:
What advice would you give companies that feel like they’re already behind?
47:00 – Daniel Akridge:
Start.
47:04 – Daniel Akridge:
That’s honestly the answer.
47:09 – Daniel Akridge:
People spend so much time worrying about whether they’re behind that they never begin.
47:20 – Daniel Akridge:
The organizations that succeed aren’t necessarily the organizations that started first.
47:28 – Daniel Akridge:
They’re the organizations that started moving and kept moving.
47:50 – Jacob Horne:
At some point you have to stop planning and start doing.
48:03 – Daniel Akridge:
Exactly.
48:10 – Daniel Akridge:
You can only gather information for so long before action becomes necessary.
48:28 – Audience Question:
What gives you optimism right now?
48:40 – Daniel Akridge:
The number of organizations taking this seriously compared to even a year ago.
48:50 – Daniel Akridge:
The conversations have changed dramatically.
49:00 – Daniel Akridge:
People aren’t asking whether cybersecurity matters anymore.
49:24 – Daniel Akridge:
They’re asking how to implement it effectively.
49:32 – Daniel Akridge:
That’s a very different conversation than the one we were having a few years ago.
49:46 – Daniel Akridge:
I’m also encouraged by how much knowledge is spreading throughout the Defense Industrial Base.
49:56 – Daniel Akridge:
Organizations are sharing lessons learned.
50:01 – Daniel Akridge:
They’re helping each other avoid mistakes.
50:08 – Daniel Akridge:
They’re talking openly about challenges.
50:15 – Daniel Akridge:
That’s healthy for the ecosystem.
50:28 – Jacob Horne:
I agree.
50:31 – Jacob Horne:
The questions are getting better.
50:35 – Jacob Horne:
The conversations are getting better.
50:41 – Jacob Horne:
We’re much farther along than people sometimes realize.
50:58 – Daniel Akridge:
There’s still a long road ahead.
51:04 – Daniel Akridge:
But we’re moving in the right direction.
51:18 – Audience Question:
Who is actually responsible for signing annual affirmations?
51:30 – Jacob Horne:
The rule identifies a senior official from the organization.
51:40 – Jacob Horne:
People sometimes assume this can be delegated infinitely down the chain.
51:47 – Jacob Horne:
That’s not really the intent.
52:01 – Daniel Akridge:
The person signing the affirmation is making a representation on behalf of the company.
52:11 – Daniel Akridge:
That should be somebody with appropriate authority and visibility into the organization.
52:28 – Jacob Horne:
One of the things people don’t appreciate is that affirmations create accountability.
52:38 – Jacob Horne:
They’re not intended to be a meaningless administrative exercise.
52:54 – Audience Question:
How much personal liability is associated with those affirmations?
53:06 – Jacob Horne:
This is where people start getting nervous.
53:12 – Jacob Horne:
Because they should.
53:18 – Jacob Horne:
You’re making a representation to the government.
53:32 – Jacob Horne:
The issue isn’t that somebody accidentally forgot something.
53:40 – Jacob Horne:
The issue is knowingly making false representations.
53:56 – Daniel Akridge:
That’s why organizations need governance processes.
54:05 – Daniel Akridge:
You shouldn’t be relying on a single person guessing.
54:13 – Daniel Akridge:
You should have evidence.
54:18 – Daniel Akridge:
You should have documentation.
54:24 – Daniel Akridge:
You should have internal review processes.
54:42 – Jacob Horne:
We’ve talked about this before.
54:46 – Jacob Horne:
Good compliance programs create confidence.
54:52 – Jacob Horne:
Bad compliance programs create anxiety.
55:11 – Audience Question:
How should organizations think about internal audits?
55:24 – Daniel Akridge:
Internal audits are one of the best ways to identify issues before somebody else identifies them for you.
55:38 – Daniel Akridge:
Nobody enjoys discovering problems.
55:43 – Daniel Akridge:
But it’s much better when you discover them yourself.
56:01 – Jacob Horne:
Especially before an assessor discovers them.
56:12 – Daniel Akridge:
Exactly.
56:16 – Daniel Akridge:
Internal audits give organizations an opportunity to validate assumptions.
56:25 – Daniel Akridge:
A lot of compliance failures happen because people assume something is working.
56:48 – Audience Question:
Do you expect enforcement activity to increase?
57:02 – Jacob Horne:
Yes.
57:06 – Jacob Horne:
As requirements become more common, scrutiny naturally increases.
57:15 – Jacob Horne:
That’s true for almost every compliance framework.
57:31 – Daniel Akridge:
The organizations that document what they’re doing and maintain evidence tend to be in much better positions.
57:52 – Jacob Horne:
That’s one reason we constantly tell people to focus on operationalizing compliance.
58:02 – Jacob Horne:
Not just documenting compliance.
58:18 – Audience Question:
Any final advice for organizations trying to prepare?
58:32 – Daniel Akridge:
Don’t wait for certainty.
58:38 – Daniel Akridge:
Start with what you know.
58:43 – Daniel Akridge:
Learn as you go.
58:48 – Daniel Akridge:
Build momentum.
59:02 – Daniel Akridge:
Most organizations don’t fail because they lacked perfect information.
59:10 – Daniel Akridge:
They fail because they never started.
59:28 – Jacob Horne:
That’s probably the most important point of the day.
59:42 – Jacob Horne:
We’ve got time for one last topic.
59:55 – Jacob Horne:
When people ask me about annual affirmations, I often think about the WorldCom case and Betty Vinson.
1:00:11 – Jacob Horne:
For those who aren’t familiar, Betty Vinson became famous because she participated in accounting fraud at WorldCom.
1:00:26 – Jacob Horne:
She knew something wasn’t right.
1:00:31 – Jacob Horne:
But she kept signing things anyway.
1:00:45 – Jacob Horne:
When people ask why affirmations matter, that’s why.
1:00:53 – Jacob Horne:
The government wants someone willing to stand behind the representation.
1:01:10 – Daniel Akridge:
That’s why governance matters so much.
1:01:17 – Daniel Akridge:
You don’t want somebody blindly signing documents.
1:01:31 – Daniel Akridge:
You want a process that provides confidence in the statement being made.
1:01:50 – Jacob Horne:
Exactly.
1:02:02 – Jacob Horne:
People sometimes hear these discussions and think we’re trying to scare them.
1:02:10 – Jacob Horne:
We’re not.
1:02:14 – Jacob Horne:
We’re trying to explain why building a real compliance program matters.
1:02:32 – Daniel Akridge:
A mature compliance program protects the company and the people making those representations.
1:02:48 – Jacob Horne:
That’s ultimately the lesson from Betty Vinson.
1:02:56 – Jacob Horne:
You want evidence.
1:03:00 – Jacob Horne:
You want governance.
1:03:04 – Jacob Horne:
You want confidence.
1:03:18 – Jacob Horne:
All right everybody.
1:03:22 – Jacob Horne:
That’s going to do it for this week’s Hotline.
1:03:31 – Jacob Horne:
Thank you for joining us.
1:03:35 – Jacob Horne:
Thank you for all the questions.
1:03:43 – Jacob Horne:
Keep sending questions through the website, LinkedIn, YouTube, voicemail, carrier pigeon, whatever works.
1:03:58 – Jacob Horne:
And next time you see Daniel, he’ll be a married man.
1:04:06 – Daniel Akridge:
I appreciate all the congratulations.
1:04:11 – Daniel Akridge:
Thank you everybody.
1:04:18 – Jacob Horne:
Good luck, buddy.
1:04:22 – Daniel Akridge:
Thanks.
1:04:24 – Jacob Horne:
We’ll see everybody next week.