The Assessment Support Team shared lessons learned from supporting nearly 100 successful CMMC Level 2 certifications, focusing on assessor variability, readiness preparation, and common implementation challenges. The discussion emphasized that certification success is driven by preparation, documentation quality, and a clear understanding of assessment objectives—not just technical controls. The team also highlighted realistic certification timelines and how organizations can better prepare for increasingly compressed procurement timelines.
Key Takeaways
- Assessor variability is unavoidable, so organizations should understand a C3PAO’s process, expectations, and review methodology before scheduling an assessment.
- Preparation is the biggest factor in assessment success. Thorough readiness reviews, documentation validation, and evidence collection significantly reduce assessment risk.
- Most organizations underestimate the time required for certification. The panel suggested 12–18 months is a realistic planning horizon for companies starting from scratch.
- Controls 3.12.2 and 3.4.7 consistently create challenges due to their complexity, documentation requirements, and interpretation during assessments.
- When disagreements arise during an assessment, success depends on confidently defending your implementation using assessment objectives, program guidance, and supporting evidence.
The Summit 7 Compliance Team has helped more than 90 companies achieve CMMC Level 2 certification. This week on a special edition of the hotline you’ll get a chance to ask them anything.
- Best indicators of success?
- Craziest thing to ever come out of an assessor’s mouth?
- Pineapple on pizza?
See you Friday at 1pm EST.
Transcript
[0:11] — Jacob
Alrighty everybody, it is Friday. It is hotline time. We are live on LinkedIn. We’re live on YouTube. You can get a hold of us at cuihotline.org and leave questions on the form. You can leave voicemails at the number.
Like we talked about last week, CMMC’s most eligible bachelor, Daniel Acreage, is off the market, everybody. He is getting married today. So, instead, we are joined by the secret to Summit 7’s success. We got cloud architect and fellow bald king, Chad Day. The actual center of the reactor behind assessment success for our clients, compliance manager Maxine. She’s the one who knows; that’s where we really go for all the answers, as you’ll find out later today. And then some guy named Caleb who you guys have seen before, director of compliance.
You guys are the team. You guys are the ones for our managed clients, almost a hundred of them that have gone through successful level two certifications. You are the ones that shepherd them through that process.
So, lots of excitement out there on the social medias this week in anticipation of getting to ask you guys questions.
We got a bunch of stuff in the backlog that we will get to, but like always, we’ll get to thoughts of the week or what’s been grinding your gears as we talked about before the show started. Very quickly. We’ll just get through mine.
Check out the podcast from this week. More and more people are asking when NIST SP 800-171 Rev 3 requirements will be required, and it won’t be anytime soon, because the class deviation for DFARS 7012 has to be rescinded. That won’t happen until after CMMC rulemaking revises the 32 CFR regulation. And that process, as everyone knows, is very opaque and we have no updates.
So it ain’t going to be anytime soon. It’s a weird way of all the left hands and right hands not knowing what’s going on, but rest assured that if you are panicked about 171 Rev 3, you don’t need to be.
It’s not going to be anytime soon. You have plenty of time to prepare. So you’re not going to get caught blindsided by 171 Rev 3. Check out the podcast from Thursday and we’ll talk about it some more.
All right, Caleb, you wanted to start off with an easy one. What is a system security plan?
[2:47] — Caleb
Well, the main point here that I want to drive home, and we see this a lot between different C3PAOs, questions going into assessments, previous pre-assessment activities, is that it always comes up that a system security plan is this one document, and assessors are like, everything has to be in here.
I always go back to the discussion piece from the 3.12.4 requirement in NIST SP 800-171.
It talks about what security plans should be and shouldn’t be. The main line that I like to pull out is:
“Security plans need not be single documents. The plans can be a collection of various documents including documents that already exist.”
And:
“Effective security plans make extensive use of references to policies, procedures, and additional documents like design and implementation specifications where more detailed information can be obtained.”
Assessors don’t always like that. Sure it’s a little more work for an assessor, but from the implementation standpoint, why are you creating all these policies, procedures, extra documentation that govern your system and everything that you’re doing?
You should be able to do references to those.
We’ve seen a lot of assessors over the last couple of months even that are just coming in and saying, “Well it’s not in this document that you titled system security plan and so it doesn’t count.”
But we think NIST disagrees with that. I certainly disagree with that.
I guess there’s maybe something to be said around the idea that it is a single tome makes it easier for the assessor, but there isn’t a hard and fast rule out there that says that it needs to be that.
So there’s maybe some trade-offs there.
[4:53] — Jacob
Yeah, absolutely. And it comes in with the POA&M, too, right? We have a POA&M requirement. You have to have a POA&M. And that even says it can be included in the system security plan or as a separate document.
Definitely encourage everyone to make use of references and I encourage assessors to relax and reference the references.
Yeah.
All right.
Okay. Maxine, who is Will and what shall he do?
[5:24] — Maxine
Yeah. So, this is one that actually came up earlier this week.
We have some clients who put the verbiage “[client name] will” or “must” and then list authorized users, let’s say we’re talking about 3.1.1.
Recently some of the C3PAOs or assessors, they don’t like that and they will mark that as trending not met and will make you change it in the SSP.
However, this is a fairly new thing and before they have kind of marked it as met.
So just something that we have been seeing that’s a big trend is will, shall and must statements are now being marked as not met by some assessors.
But let’s just say assessors. It really just depends on the assessor.
[6:28] — Jacob
So let me see if I get this right.
Let’s say you’ve got 3.1.1 and then in the SSP it’ll say “company XYZ will” and then the contents of the requirement.
[6:41] — Maxine
Yeah.
[6:41] — Jacob
And they’ll look at that entry and they’ll say nope because it uses the word will instead of the word shall or what are they saying?
Are they looking at the evidence? Are they just saying I don’t like the way that this is phrased?
[7:01] — Maxine
Well, they’re saying that an assessment is a point in time.
So “will” meaning they haven’t done it yet. That’s kind of what I’ve been hearing.
It’s usually for the assessment objectives that are just defined or identified.
So they’re kind of taking that as, “Oh well you haven’t done it yet because you’re saying you will do it.”
[7:19] — Jacob
So, what is the evidence for?
That’s the question.
Isn’t that what the evidence is for?
Evidence is to—
You will look at the evidence, Mr. or Mrs. Assessor.
You shall look at the evidence. How about that?
How about every one of my SSP items is you will look over here at Caleb’s endless references to see if I’ve actually done this thing or not.
So they’re just saying that—what are they saying they would rather have it look like?
Are they saying it needs to say will or shall or it needs to be something completely different?
[7:51] — Maxine
It just needs to be worded as they are doing it.
So like “[client name] utilizes Entra ID or a CMMC asset inventory to list their users” instead of “[client name] will use Entra ID and an asset inventory.”
[8:06] — Jacob
Okay.
I feel like I’m back in Spanish class and they’re like, “Well actually the present participle says that you’re not currently doing this.”
So maybe we should have the grammar of SSP entries podcast episode and go into some more detail based off what you’re saying.
I mean listen, I love splitting hairs when it comes down to the linguistics of security controls and requirements but we got to hammer out what’s working.
I think hearing you say this, we figure it out even if it has to be a case-by-case basis.
You guys have done almost a hundred of these.
So if we got to change it, then we just change it to what they want.
[8:48] — Maxine
Exactly.
That does come up though on another point if I may.
Documentation changes.
If the assessors are the ones that take issue with how the documentation is written and then they say, “We are under guidance to limit the number of documentation changes that are allowed.”
Pick one or the other.
Either don’t take issue with the way the documentation is written, go look at the evidence and see if the thing has been done that you said you will do, or don’t require the documentation to be changed.
[9:29] — Jacob
Gotcha.
Interesting.
I feel like there’s a lot more we can get into there.
Maybe we’ll do a standalone podcast just on that.
It’s pretty interesting.
All righty, Chad.
I say this all the time.
C3PAOs, I love you guys. I love the assessors. Very important job, critical role in the ecosystem.
But your job is to put the fries in the bag.
You are not there to tell a company or a service provider the way you would have implemented this requirement.
Your job is to verify that it was implemented.
And I think this is what you’ve seen a little bit out there, right?
[10:06] — Chad
Yeah.
So going into assessments, typically I’d say at least one out of every three, I’m going to get an assessor that’s decided they need to see a control set a certain way. They’ve defined it inside their head that it needs to be done that way, and there’s no other way they’re going to accept it other than a technical control being done the way they’ve seen it before.
So when we go out and decide that we’re handling ports, protocols, and procedures through our firewall, which is a very common thing, they’ve turned around and said, “Well, that doesn’t apply to a laptop.”
Well, Defender has a built-in firewall.
And then they’ll go down the thing of, “Well, you’re not showing me that the ports are actually blocked there and that a user can’t do this.”
So then you run down through step by step and then they come back to the thing of, “Well, you still haven’t shown me and I want to see it this exact way.”
And it’s like, wait.
You’re not the configuration.
You’re the assessor seeing if I’ve done the control.
Not telling me how it should be done or what you’ve seen done in the past.
And it continues to happen.
[11:23] — Jacob
Well and this kind of gets down to what we were talking about, the linguistic differences of what’s going on.
It feels like splitting hairs when you say these are assessments. They’re not audits.
And it does actually matter because an audit implies that there is a single correct answer to the questions that I’m going to be asking you.
And that’s not what’s going on here.
These are very open-ended outcome-oriented performance statements essentially.
These are outcomes that you need to achieve.
There’s no strict guidance saying that this is the way or this is how these things will be done.
Therefore there is no single correct answer.
It’s not an audit.
It’s this is how we met this requirement.
We engineered a solution to meet this performance requirement.
If you would’ve engineered a different solution, that’s great for you.
That’s not your job here.
Your job here is to verify that it was done.
[12:37] — Chad
Yep.
Yeah.
[12:42] — Jacob
I guess that gets into one of the common questions that we hear a lot, whether we’re at events or during assessment prep.
We’ll probably just go around the horn here.
What kind of variation have you seen between assessors?
You guys have already talked about linguistically in terms of verbiage in SSPs, whether or not they’ll even look at references, whether they think certain implementations need to be done.
Are there any other big ones that come to mind?
[13:12] — Chad
Well, there’s actually quite a few.
Dealing with the different C3PAOs out there, even with the CAP itself, they differ in how they’re doing it.
Some will turn around and say, “You know what, we have a hard set timeframe. We’re going to do this control during this timeframe. If we finish early, then we’re just going to break and expend time.”
You have other ones that will push through all the way through and just rapid fire and go through them in succession.
Some take our SRM; some don’t take our SRM and we have to explain word for word.
Some take our level two assessment and say, “Yes, it’s perfectly fine. We’ve been assessed and everything’s great.”
Others turn around and say, “No, you’re going to prove everything out to me.”
It really depends on the assessor and it goes from one side of the scale to the other side.
[14:13] — Jacob
It’s like golfing with your buddies, and then one of them, when you leave a putt six inches short, is like, “I have to see you hit it.”
[14:19] — Jacob
Well, Max, are there any others that you can think of that you’ve seen?
[14:26] — Maxine
Yeah.
One specifically that I’ve noticed is some assessors will sample more.
Let’s just use 3.1.1 again for an example.
They will look at your asset inventory. They will pull up five random users and tell the client, “Okay, show me in Entra ID that this is set up how it is in your asset inventory.”
Some will just say, “Yeah, show me one user.”
And it’s up to the client.
We have seen a difference in sampling and the way things are being audited and assessed and it really just depends on the assessor.
But keep in mind that the client can show whatever they want in order to prove that they are meeting that.
[15:13] — Caleb
Yeah, Chad mentioned the CAP. In the CAP, we have the pre-assessment process.
That’s where I see a lot of variance. We’ve talked about this with false starts and things of that nature.
There are certain things that a C3PAO needs to see at certain times.
Some will say, “Three months ahead of time, we want all of your evidence and artifacts ready to go.”
Others are more flexible and only require everything a week before assessment kickoff, along with the SSP and scoping information.
That varies quite a bit.
[16:02] — Jacob
The three-month lead time sounds like DIBCAC.
Does it actually make assessments faster when they ask for everything that early?
[16:17] — Caleb
If you’re ready.
What actually makes assessments faster is assessors doing their review beforehand.
Too often we get into assessments and hear, “Give me a minute, I haven’t read your documentation yet. I haven’t reviewed your SSP.”
Then everyone waits while they’re trying to catch up.
The assessment may still go fine, but I don’t think that’s the best assessment experience.
[16:55] — Jacob
It sounds like there’s a lot of variability depending on the assessor or C3PAO.
If someone is shopping for a C3PAO, is there any way to predict what their process will be?
[17:19] — Caleb
Ask them.
Ask:
- How far in advance do you need artifacts?
- When will you review our environment?
- How much pre-assessment work do you perform?
Make sure they’re going to do their due diligence before assessment day.
Another interesting aspect is staffing.
Some C3PAOs use all W-2 employees and operate consistently.
Others rely heavily on 1099 Lead CCAs and CCAs.
Some organizations have excellent processes to ensure consistency among those assessors.
Others allow individual assessors to run engagements differently.
That creates variability even within the same C3PAO.
[19:03] — Jacob
It almost sounds like planning around different referee crews in sports.
Some call games one way. Others call them differently.
That makes me think about automation.
Some people assume we’re opposed to automating assessments.
We’re not assessors. We don’t benefit from keeping things manual.
Human assessments introduce variability.
In theory, automation could make things:
- faster
- cheaper
- more consistent
Would it?
[20:10] — Chad
It depends on what you’re automating.
Technical controls can be implemented dozens of different ways.
You’d have to teach the automation every acceptable implementation path.
Documentation review is easier to automate.
Technical validation is much harder because there are so many compliant ways to achieve the same outcome.
You risk forcing everyone into a small number of approved implementations.
[21:00] — Jacob
What do you think, Maxine?
Do you want a bunch of automated assessors running around?
[21:14] — Maxine
I think automation could help with readiness reviews.
But there still needs to be human validation.
Anything automated still needs quality assurance and oversight.
[21:31] — Jacob
John says they had to steer assessors back to the assessment because they were getting distracted.
Have you had to do that?
[21:57] — Caleb
Absolutely.
Sometimes assessors go so deep into a particular assessment objective that they leave the objective entirely.
Take 3.1.1.
The objective is straightforward:
Authorized users are identified.
You need to demonstrate that.
Sometimes discussions drift into areas that aren’t actually part of that assessment objective.
At that point, we help bring everyone back to the requirement being evaluated.
[22:39] — Jacob
It’s always bad when Maxine has to start gently parenting assessors.
Then you’ve definitely wandered too far.
Let’s talk requirements.
Are there controls that always take a long time regardless of preparation?
[23:10] — Chad
3.12.2.
[23:16] — Maxine
3.4.7.
[23:21] — Jacob
For people who don’t have control numbers memorized, what are those?
[23:29] — Chad
3.12.2 deals with reviewing information before it’s posted publicly.
The challenge is that it applies to the entire organization.
A lot of companies focus only on their CUI environment and say:
“Our normal business systems don’t have access to CUI.”
That’s fine.
But you still need documented processes proving how information is reviewed before public release.
In larger organizations, gathering all that documentation from multiple departments can be time consuming.
[24:26] — Jacob
Aren’t those departments out of scope?
[24:32] — Chad
No.
Not for that requirement.
The entire organization is relevant.
[24:37] — Jacob
Maxine, what about 3.4.7?
[24:43] — Maxine
3.4.7 is ports, protocols, services, programs, and functions.
It has the largest number of assessment objectives in 800-171.
You have to make sure:
- It’s clearly documented.
- The evidence supports it.
- Assessors can easily find what they’re looking for.
Sometimes everything is there, but it’s labeled differently than the assessor expects.
You have to be confident enough to explain that what they’re looking at is, in fact, the required information.
[25:30] — Chad
Ports, protocols, and services are fairly straightforward.
Programs and functions are where things get interesting.
Different assessors define functions differently.
Different implementers define functions differently.
Those interpretations can vary quite a bit.
[26:23] — Jacob
That’s the challenge with outcome-based requirements.
People don’t want overly prescriptive compliance requirements.
Then everyone gets broad requirements and spends time debating what they mean.
There’s a tradeoff there.
[27:02] — Jacob
Question from The Big Ham:
“Are there CMMC families that are better to start with? Are there any you’d regret saving until the end?”
I love this question because Access Control is first largely because it’s first alphabetically.
NIST has repeatedly said the order of the control families doesn’t imply implementation priority.
What do you think?
[28:02] — Chad
I like grouping families together.
AC and AU naturally connect.
Access Control is usually where I start because it establishes:
- who has access
- what systems exist
- what programs are allowed
From there I move into related controls that build on that foundation.
After that I focus heavily on architecture and engineering-related work.
I usually leave much of the security monitoring work until later because I want all of the technical implementation completed first.
[29:49] — Jacob
That’s interesting.
It sounds like you divide controls into engineering-focused families and security-focused families.
Maybe talk about that a little more.
You’re a cloud architect.
Most people hear “security” and think it’s all one thing.
You clearly don’t.
[30:26] — Chad
There’s different things inside each domain that have a security element, but not all of them do.
Take the 3.1 family. A lot of that is related to security because you need policies, procedures, MFA, and things like that.
But when you’re talking about logs or evidence, you’re really focused on making sure you’re controlling and monitoring admin accounts and their usage.
That’s the security monitoring aspect.
If you break out the controls that require monitoring, things you’d actually show in Defender or a SIEM console, those naturally group together.
I even pull some controls out of their families mentally. I’ll go through all of AC, but I’ll leave something like 3.1.15 until later when I’m reviewing audit logs and monitoring evidence because it fits better with those activities.
[31:40] — Jacob
That’s interesting.
Maxine, what do you think? Do you go straight down the list from AC to SI? Do you group them together?
[31:57] — Maxine
I’ve tried all the different ways doing gap assessments and mock assessments.
Personally, I like going down the list.
By the time I get to SC and SI, I already have all the evidence I need. Then I’m mostly focused on evaluating implementation statements.
So for me, going straight down the list works best.
[32:18] — Jacob
Caleb, you were at DIBCAC for a while.
They had preferred control groupings they assessed in sequence. Can you talk about that?
[32:36] — Caleb
Absolutely.
From an assessment standpoint, DIBCAC operated a little differently than many C3PAOs today, although some have adopted similar approaches.
They grouped controls by topic.
For example:
- AC, IA, and AU together.
- What we called 3.2, 3.9, 3.10, 3.11, and 3.12 together.
Those are more programmatic topics:
- physical security
- risk assessments
- SSPs
- training
Different assessors would specialize in different groups.
A more technical assessor might focus on SC controls.
Someone with a more programmatic mindset might focus on those governance-heavy families.
From an implementation standpoint, I think differently.
I start by understanding CUI flow and scope.
What touches CUI?
Then I move into a gap assessment.
Then I build the SSP.
Going back to RMF, the SSP wasn’t intended to simply capture final results.
You build the SSP based on initial assessments:
- Where are we now?
- What’s missing?
- What do we need to do?
It’s a plan.
So I want to understand scope, evaluate where we stand, and then build the roadmap.
[35:10] — Jacob
That’s interesting because at a very high level the RMF approach was:
You create a security plan.
Then you implement.
Then you assess.
Then you generate a Security Assessment Report.
Then somebody compares what you planned to do against what you actually did and makes a risk decision.
Maybe they want to see you again in six months.
Maybe they don’t need to see you for three years.
We’ve kind of lost that original concept over time.
When I first joined Summit 7, one of the reasons I joined was because Summit 7 was leaning heavily into Shared Responsibility Matrices and breaking things down by assessment objective.
One way we grouped things was by who we needed to talk to.
If I can answer most assessment objectives by talking to the same people, maybe that’s the best grouping strategy.
There are lots of ways to organize the work.
[37:06] — Jacob
Someone mentioned the presentation yesterday at CS5.
Maxine is still there if you’re attending.
Yesterday I was talking about Procurement Administrative Lead Time.
PALT is the period between solicitation release and contract award.
CMMC status is a condition of award.
The problem is that many organizations wait until they see the requirement in the solicitation before starting.
Then they try to fit all of their implementation and certification work into the PALT window.
The problem is those windows are getting shorter.
So my question is:
If median PALT is 45–90 days, could the average company starting from zero complete implementation, assessment prep, assessment, and certification within 90 days?
[38:42] — Chad
No. Not even close.
We’ve actually analyzed this internally.
Even using pre-designed architectures, pre-packaged builds, and repeatable processes, we’re still looking at four to five months minimum.
And that’s after doing this 60 or 70 times.
[39:17] — Jacob
Okay, but that’s with Summit 7 helping.
What if I’ve got a part-time IT person at my manufacturing company?
Can I do it in 120 days?
[39:49] — Maxine
It depends.
I don’t tell clients to schedule assessments until they’ve completed their gap assessment and understand what they need to fix.
The POA&M work takes time.
The migration and technical work takes time.
Honestly, 120 days is still pretty short.
[40:17] — Caleb
No way.
Even before I joined Summit 7, the message was always:
Expect a 12–18 month process if you’re starting from scratch.
That should be the expectation.
Could somebody help accelerate it? Sure.
But every organization is different.
That’s why this team exists.
This is all we do.
Assessment support, implementation discussions, readiness preparation.
Things get missed.
That’s just reality.
We ask for a 90-day runway before assessments, and that’s assuming most of the work is already complete.
Most organizations aren’t truly ready even at that point.
[42:24] — Jacob
In ideal situations, what’s the fastest process you’ve seen?
[42:43] — Chad
Five months.
That’s the fastest we’ve taken someone from zero to done.
[42:49] — Jacob
What about the assessment itself? How long does that take?
[42:55] — Chad
That varies dramatically.
I’ve been in assessments that lasted a week.
I’ve been in assessments that lasted four hours.
It varies that much.
[43:13] — Jacob
A lot depends on assessor preparation.
If they’ve reviewed your SSP, references, and evidence beforehand, the assessment becomes a verification exercise and can move very quickly.
If they show up Monday morning and start reading documents for the first time, it takes much longer.
Even DIBCAC, which had a very structured process, usually finished around Thursday morning.
Assessor preparedness makes a huge difference.
[44:05] — Maxine
I’ve seen four-hour assessments too.
I’ve had a client come through a gap assessment, documentation development, assessment support, readiness review, and then a C3PAO assessment.
From the time they engaged us until certification, it was about three months.
[44:33] — Jacob
Wow.
But they weren’t starting from zero when they came to you, right?
[44:38] — Maxine
Right.
They already had about two months of work completed.
[44:44] — Jacob
Gotcha.
[44:44] — Maxine
They still needed uplifts and remediation work.
It was probably one of the hardest projects we’ve done because the environment was complex.
[45:05] — Jacob
Let me ask you this.
We’ve talked about assessor variability. We’ve talked about client variability. Even the assessment timeframe itself can vary significantly.
Not every client that has achieved Level 2 certification has shown up perfectly prepared, fully automated, with complete agreement on every implementation detail.
Yet we’re approaching 100 successful Level 2 certifications with no conditional statuses, no POA&Ms, and no failed assessments.
What do you think has contributed to that level of success?
[46:22] — Chad
First, it’s not going into an assessment thinking you know everything.
It’s being humble and doing your due diligence beforehand.
Go through the environment thoroughly.
Remove old test accounts.
Verify every configuration.
Review every document.
For every control, make sure the documentation says what you think it says and that the technical implementation matches the documentation.
That’s what we do.
Before an assessment, engineers and compliance personnel perform readiness reviews. We validate that the environment, documentation, and technical implementations all align.
Once you’ve done that preparation, assessments become much easier.
You’ll still get curveballs, but you’re ready for them.
[47:44] — Jacob
I was hoping the answer was something like drinking bone broth tea before every assessment.
But yes, staying ready means you don’t have to get ready.
Maxine, what do you think?
A hundred successful certifications is a pretty remarkable streak.
[48:15] — Maxine
I give a lot of credit to Summit 7 as a whole.
Things like:
- the Shared Responsibility Matrix,
- maintaining our own Level 2 certification,
- staying current on requirements,
- collaboration across departments.
Success requires coordination across engineering, compliance, and every supporting team.
The assessment support team is also extremely thorough.
We have engineers, CCAs, and CCPs reviewing everything.
A lot of our job is telling clients hard truths.
Sometimes we have to tell them their implementation isn’t ready and needs work before assessment.
Being direct and honest helps clients succeed.
[49:19] — Jacob
Caleb?
[49:25] — Caleb
Everything they said.
A year ago this team didn’t even exist in its current form.
Back then we might have had:
- a compliance person helping,
- an engineer helping,
- someone from the SOC helping,
but it wasn’t a dedicated function.
Now we’ve refined the process.
We’ve been through enough assessments to know what works.
We’ve developed a much better understanding of what’s required during certification.
Another important factor is being willing to tell clients they aren’t ready.
That’s not always a fun conversation.
But sometimes the correct answer is:
“No, you’re not ready for assessment yet.”
The rest of this year and next year will be interesting because of program rollout timelines and increasing demand, but that principle doesn’t change.
[50:49] — Jacob
Orion asks how many DIBCAC High assessments we’ve seen.
[51:01] — Chad
Four or five.
[51:01] — Jacob
We’ve definitely seen some.
DIBCAC High assessments seem to come in waves.
We’ve also worked with a number of organizations after DIBCAC engagements to help them move forward.
All right.
Let’s get into the backlog.
[51:28] — Jacob
Question:
“NIST SP 800-171A Section 2.1 says organizations can determine the assurance and confidence required, yet C3PAOs seem to exercise their own discretion. How is that resolved when there’s a difference of opinion?”
[51:49] — Caleb
I’ll take it.
If we’re talking about 800-171A, that’s an assessment guide written for assessors.
If you’re conducting an internal assessment, then yes, you’re determining the level of assurance and confidence required.
But once you’re dealing with a C3PAO under the CMMC program, there are additional sources of guidance involved, including:
- the CMMC Assessment Guide,
- the Scoping Guide,
- program requirements.
At that point, assessors are responsible for determining whether sufficient evidence exists.
That goes back to my DIBCAC days.
A lot of organizations would say:
“This is what we’ve implemented. You decide whether it’s enough.”
I always encourage assessors to ask additional questions when needed.
Not to create new requirements.
Not to go outside the scope.
But to understand what was actually implemented.
[53:17] — Jacob
I was hoping the answer was just to bully them until they give up.
Maxine?
[53:31] — Maxine
I think confidence matters.
You need to be able to explain:
- why you implemented something the way you did,
- how it satisfies the requirement,
- where it aligns with the assessment guide.
Point back to the assessment guide.
Point back to the program rule.
Point back to your evidence.
You’re defending your implementation.
The stronger your understanding, the easier that discussion becomes.
[54:20] — Jacob
Chad?
[54:25] — Chad
I agree with Maxine.
You need to be able to defend your implementation.
You need to explain:
- why it was configured that way,
- how it meets the requirement,
- how it satisfies the intent.
If you can clearly articulate that, most disagreements become productive discussions instead of arguments.
[55:01] — Jacob
That’s a good point.
A lot of people think assessment success comes down to having the right technology.
But a lot of it comes down to being able to explain what you’ve done and why you’ve done it.
All right, next question.
Let’s use a practical example.
Suppose somebody has a Microsoft Teams Room system.
How do you evaluate something like that when you’re trying to determine whether it’s in scope and how requirements apply?
[55:33] — Caleb
That’s where understanding the technology becomes important.
You have to understand:
- what the device is,
- what it does,
- how it interacts with CUI,
- whether it stores, processes, or transmits information.
Then you apply the scoping guidance.
A lot of these discussions become technology-specific.
The answer isn’t always obvious at first glance.
[56:12] — Jacob
That’s one of the recurring themes here.
People want universal answers.
But a lot of compliance questions start with:
“It depends.”
[56:22] — Caleb
Exactly.
Because context matters.
How it’s implemented matters.
How it’s being used matters.
[56:41] — Jacob
Just to be clear, we will fight.
It’s more of a “have a fun podcast and carry a big stick” situation.
We don’t want to do that, but for clients who hire us to do it, we absolutely will.
All right, let’s see here.
Neil says:
“Longtime listener, first-time caller. What are your thoughts on passwordless solutions? Met? Not met? Are these grounds for enduring exceptions?”
[57:12] — Chad
It depends.
Put a dollar in the jar, Caleb.
It’s going to depend on the solution.
If you’re dealing with an RSA token tied to a badge and badge access, so you’re swiping a badge instead of entering a password, it gets tricky.
From a security perspective, it may be very good.
But does it meet the letter of the CMMC requirements?
Not really.
That’s where things become difficult.
Honestly, I’d defer to Caleb on this one because it may be better security, but compliance isn’t always the same thing as security.
[58:07] — Jacob
Sure.
I love questions like this because people ask whether a technology is compliant or non-compliant.
The first question should be:
“Against what requirement?”
What specific requirement are we evaluating?
Are there other ways to satisfy that requirement?
[58:26] — Caleb
When we get into enduring exceptions—which is a topic I love—there are very thin lines that have to be walked between something being a specialized asset and something qualifying as an enduring exception.
Anybody who knows me knows I hate everything about the CMMC Scoping Guide, but we have to work with it.
Specialized assets are devices where you can’t apply all of the security requirements.
Enduring exceptions are different.
With an enduring exception, you can secure the device or technology fully, but doing so would inhibit its intended function.
That becomes particularly important when the technology is being used directly in support of contract performance.
In situations like the one described, there’s probably more room to discuss specialized assets than enduring exceptions.
Ultimately, you always have to bring it back to:
- the requirement,
- the assessment objectives,
- what you’re actually trying to satisfy.
Then ask whether there are additional controls or safeguards you can apply to meet the requirement.
[59:39] — Jacob
Gotcha.
Well, I told you guys before we started that the hour flies by, and we barely made a dent in the backlog of questions.
I think we’ll probably do this again at future milestones.
Maybe every 25 Level 2 certifications or something like that.
We get some really interesting and highly detailed scoping questions that we could send to you ahead of time.
Let us know in the chat:
- Was this helpful?
- Did you like their answers?
- Did you hate their answers?
A lot of times Daniel and I are talking about regulations and questions coming in from the community.
This is a different perspective, especially now that we’re approaching 100 assessments.
We’re live every week, so we’ll have plenty of opportunities to cover more of this content in the future.
[1:00:33] — Jacob
If you’re watching after the live stream, you can always submit questions or comments.
Go to cuihotline.org and fill out the form.
You can also call the hotline and leave a voicemail.
We actually had one we didn’t get to this week, so we’ll save it for next time.
If you’re one of our clients, you’re already familiar with the compliance team.
If you’re not feeling confident about your preparation, this is the team that helps clients get through the process.
[1:01:05] — Jacob
Any parting thoughts?
It’s not so bad doing content, right?
[1:01:11] — Chad
No.
[1:01:11] — Maxine
[1:01:13] — Jacob
There you go.
I didn’t make them say that.
[1:01:18] — Caleb
Just work an extra hour on a Friday night.
[1:01:19] — Jacob
Of course.
We’ll do it on a Friday. No big deal.
They were totally here voluntarily, everybody.
We did not make them show up.
[1:01:23] — Jacob
All right.
Thanks everybody for tuning in, and we’ll see you next week.