The team celebrated hitting 100,000 YouTube subscribers before diving into a packed Q&A covering supply chain scoping strategy, CMMC timelines, GCC High technical specifics, and the real-world cost of non-compliance. The recurring theme: misinformation and organizational inertia are bigger obstacles than technology or assessor availability.
Key Takeaways
Supply Chain & Scoping
Primes may be able to descope subs from CMMC via VDI-only enclaves and paper CUI — but DFARS 7012 still applies, and few primes have actually adopted this model. Licensing servers (SolidWorks, MATLAB, etc.) typically land as CRM assets depending on network segmentation.
Timelines & Certification Reality
Starting from zero, Level 2 by July is not realistic — legal overhead alone (MSAs take weeks) kills the timeline before technology is even a factor. Assessment capacity is also not the bottleneck; demand is still well below available capacity.
Misinformation
The two biggest real-world CMMC obstacles per the episode’s bracket: bad guidance and leadership buy-in. False claims still circulating include that phones can’t be in scope, that post-migration webmail-only periods are required, and that tens of thousands of companies are leaving the DIB.
GCC High Technical
Universal Print is GA in GCC High but printer firmware from major vendors doesn’t support GovCloud endpoints yet — a Print Connector is still required. Other notable gaps: no native VoIP, limited Teams app store, no Security Copilot, and Autopilot limitations. Mixing Business Premium and Enterprise licenses in the same GCC High tenant is currently problematic.
CUI Marking
DoD FAQs supersede previous versions but aren’t anchored in the rule itself, leaving assessment gray areas. Overmarked CUI is a real and documented problem. Contractors whose own data gets returned by DoD marked as CUI generally aren’t legally obligated to treat it as such — but most do.
Cost of Non-Compliance
The largest cited example was an $80M company losing an $18M contract for lack of certification. More commonly, primes quietly stop sending solicitations to uncertified subs with no explanation.
Fun fact: we’ve answered 554 questions on the Hotline so far in 2026. It’s easily the most accessible resource for anyone grappling with CMMC, NIST, DFARS cybersecurity requirements, etc. How many questions do you think we’ll get to in 2026?
Transcript
Jacob: All right, everybody. It is Friday. It is hotline time. We are streaming on YouTube. We are streaming on LinkedIn. If you are hanging out with us, you can put your questions in the chat. You can go to cuihotline.org. You call the number and leave a voicemail. You can fill out the form. You can send us DMs on social media. You can find us on our website. Lots and lots of ways to get a hold of us. Lots and lots of ways to ask questions. Huge backlog of questions to get through. Tons of awesome stuff about GCC High specifics. So we’ll get into that. But first, a little bit of a celebration. Everybody, if you didn’t hear the news, if you didn’t see down below, the Summit 7 YouTube channel has officially crossed 100,000 subscribers, which is a mind-boggling number for — well, it’s a mind-boggling number for any YouTube channel because less than 1% of all YouTube channels ever cross 100,000 subscribers. It’s especially mind-boggling for this because, listen, I like talking about this stuff. Daniel likes talking about this stuff. Love it. You guys love hearing about it, but a hundred thousand people like hearing about it? Crazy. I mean — cool. It’s fine with me.
You know, I think — we were talking before we started — less than two years ago, we were throwing a party because one podcast episode got a thousand views in 24 hours. Five years ago, we had less than a thousand subscribers. And now we’re in the freaking stratosphere. It’s awesome. I know I’m always pestering you guys to like and subscribe. But thanks to everybody who shows up, who participates, who subscribes, who tells their friends and families and pets about the channel and the show and the stuff. We hear from all kinds of people who find the content — people who need help, people who are in charge of big programs, all kinds of fun stuff that we sometimes don’t even get to talk about. So thanks to everybody for doing that. 100K, Daniel, what do you think?
Daniel: Yes. Hey guys, thank you so much. Like, Jacob can attest to this — what started off as basically the history of CMMC video that you did, how many years ago, which rolled into a podcast that you did and Jake did, which led into more episodes and shows. And by the way, it is a team effort here. We would not be anywhere without the one and only producer Dustin. So that’s right. Who is always in the background. We keep him in this little room back here. We might let him out now that we’re at 100,000 subscribers.
Jacob: Come on, Dustin. Come on out. It’s okay. It’s time to say hello to the people.
Daniel: Yeah, maybe we’ll do a producer Dustin takeover episode for everybody. So let us know in chat if that sounds interesting. He knows quite a bit about a lot of stuff, so he could have a pretty sweet episode. But anyways, we’re going to do the whole thing. We’re going to get the plaque and the play button and do a whole video and it’ll be awesome. But thanks again to everybody for subscribing over the years and we’re going to keep on trucking.
Jacob: Speaking of keep on trucking, Daniel, what’s on your mind?
Daniel: So I’ve been getting this question a lot actually, because everyone’s like, “Okay, I’m compliant or I’m in process of getting compliant, but I was just told that our supply chain has to get compliant and that maybe I should do something about it.” And this person I’m referring to is somebody in the IT department or a CIO-type role. And so I think the interesting thing is a lot of them are like, well, let’s just spin up an enclave for our supply chain, right? Some of them are thinking that idea, although it’s a lot of overhead — like who supports it, who does the day-to-day operations. But the interesting thing is with the conversation around how paper-on-copy CUI can be exempt from reporting CMMC — basically you still have to protect it to DFARS 7012 physical protections and things like that — there’s kind of this window of, hey, if you don’t have CUI on your information systems, talking about like someone in your supply chain, then your systems aren’t in scope and therefore you don’t have to report anything. And if you look at the logic of paper CUI, you could see how a VDI-driven enclave hosted by the prime could leave their supply chain out of scope for needing CMMC, while still meeting DFARS 7012 in other ways like the paper copy description states in the FAQs.
But I’m kind of curious — because we’ve had this conversation off and on for years — quite honestly, a lot of primes don’t want to have their subs in this environment because they’re afraid the subs will put non-prime data in it, right? Because it’s a CMMC environment for them. So we haven’t seen any primes really take hold of this and build an enclave for their supply chain, at least to my knowledge. If you are aware of that, please let us know. But I’m curious if we’re about to see this wave of primes maybe using an enclave internally, spinning up a secondary enclave for their supply chain and doing VDI only and paper copies only and not having to flow down the full CMMC requirements. So it’ll be really interesting to see what happens here, but I think there’s a viable solution here, quite honestly, in the sense of descoping your supply chain from CMMC, just applying DFARS 7012 and the appropriate controls there and calling it a day. So we’ll see how much of the cost the prime’s willing to eat of that, how much they’re going to require a chargeback — almost like an enclave subscription cost to their supply chain to cover some of that. Anyways, just some interesting thoughts and dialogues happening, even more so as we get closer to the deadline of November 10th, which as you know, Jacob, is the deadline the DoD is requiring CMMC Level 2 on everything. So I don’t know if you know that or not, but November 10th is the actual — everyone needs — all 80,000 companies need their Level 2 by November.
Jacob: Yeah, that absolutely sounds like what the plan would be, even for the department, right? There was just a thread this morning about the certification cliff and they were like, in November everybody needs a cert. And the top comment was like, all new contracts — all new contracts may include the Level 2, just like all new contracts right now for the last six months may have included the Level 2. So it’s going to affect a lot of companies but it doesn’t affect all companies at the same time.
Which — we didn’t have it as the thought of the week — but currently, as of the numbers from the May AB town hall, there are enough, if we assume that of the set of possible assessment teams we could have with a number of certified assessors — if we assume that only half of those teams are available and working, because the other half are working in companies not doing assessments — just cut the assessor pool in half. And then assume that those assessment teams are only doing two assessments per month. So half of the available teams are working, they’re only working for half the month — at that rate, still 4,700-something assessments per year capacity right now, which is way more than the current level of demand. Like a significantly larger amount of assessment capacity than what the current demand is. So yeah, the assessment cliff — not really what people are making it out to be. The assessor shortage also not really what people are making it out to be.
All right. Perfect example of why the assessment capacity constraint is not the biggest problem that people are facing. “Just started a new job. Boss says we need CMMC Level 2 by July. We haven’t started yet. Is this possible?”
No. And I hate giving such direct answers. Like, in reality, no. This person probably has no real experience, the business probably hasn’t budgeted for it in this fiscal year. I mean, there are so many other factors. Even if you had a bench of people, if you had a consultant that’s able to start today and do all of the things — including scoping and boundary determination to start, okay, now that we’ve done that, now let’s figure out what assets have to be in scope. Okay, now let’s classify those assets. Let’s bring them into scope by applying the controls and practices. Like, when you just look at the motion it takes organizationally — not even just IT — to do something like this, doing it in 60 days is genuinely impossible unless you’re like, “I’m doing an enclave and this enclave is this one computer in a closet and that’s it. No email, no nothing.” Basically no business, right? No way to really ingest information. And it’s like, well, then you’re just kind of in paper copy territory.
Daniel: Well, and you’re probably going to end up having to do all the work twice, which is going to be more expensive in time. But let’s assume that it is — like you said — 60 days, they need it by the end of July. That’s only eight weekends to cut over if you have to do a migration. There’s just not a lot of time even if it’s feasible. We were on a call the other day — I wrote this down because I loved the way that you said it — because the company, you know, they were nice people, existing defense contractors, and one of their first questions was, “What is FedRAMP?” And these are people who have been putting CUI in the cloud for a long time with no idea what FedRAMP is. But when they got down to asking about timelines and they said, “How long does this take?” — your answer was, “How long does it take your company to negotiate a master services agreement?” You want to talk about that? Because I feel like that is the best way of capturing why this takes so long.
Jacob: Yep. It’s like, so we’ll go into it, IT team vets, thumbs up, Summit 7’s the one to pick, great solution, great. And they’re like, “Let’s start today.” I was like, “Okay, perfect. We just need a signed copy of these things that say what we’re going to do for you, right?” It’s not a crazy thought. And those are associated with a master services agreement, right? What happens if things go sideways, right? Caveats for both sides. And so then that one document — that master services agreement — will have to go through legal and contracts and typically IT to interpret the services that we’re buying. I’ve seen on the short end MSAs take, well, at minimum two weeks — usually at least a month, somewhere in that spectrum — because you have both parties going back and forth redlining, finally getting on a call. Okay, is legal there? Both sides have to have legal present because that’s apparently the code of lawyers. And so subsidiaries end up in weird positions. Like there seems to be a lot of times — you know, especially early on — I used to think that this was only a problem for larger organizations just because the larger organizations have more bureaucracy in them. But it doesn’t take long for a medium-sized organization to be large enough that if there are multiple decision makers, then it just grinds to a halt. Which is why we tell people it takes months of time to do something that on the technology side doesn’t take months of time. The technology is not the constraint — much like the assessment is not the constraint. It’s your organizational debt that just burns tons of time.
Daniel: Exactly. And that’s the problem that people don’t realize. It’s like if it was up to them, they would sign the contract that day and get started, right? But it’s not just them. Just like in CMMC, it’s not just them having to be involved. So yeah, you’ve got to get your parents to sign the permission slip. Otherwise you don’t go to the zoo.
Jacob: It’s true. I love the zoo. Alrighty. “Are the DoD FAQs cumulative or does the newest version supersede previous versions?”
So, policy — as far as I understand it — is that the newest version of the FAQs supersedes all previous versions. They only have one official version posted at a time. So if you have copies of the old versions, that’s cool and it’s great for reference and trivia and tormenting the DoD for things that they’ve said. But I don’t think that the DoD would say that it is cumulative policy. I need to go back and look and see how much of a difference there really is between one version and the next. But as far as anybody is concerned in the real world, the most current FAQ is the FAQ and all previous versions would not be considered to be authoritative at all. That’s somewhat different than what NIST has said. You know, they keep a long-running version. You can find all previous drafts, all previous revisions of basically everything they’ve put out. And you know, when we talked to Ron Ross, he was like, “Yeah, new revisions don’t necessarily invalidate previous copies and rationale. It’s all helpful and great.” Which is why I tell people it’s very helpful to go back and read old versions because just because they got rid of something or rephrased something doesn’t mean that everything in the other one is worthless. But the new FAQ should be superseding previous ones.
Daniel: So I’ve got a follow-up question to that, Jacob. So FAQs and DoD stance and clarification — that language isn’t in any of the CMMC rules, right? And so if I’m an organization and let’s say I’ve just looked at the CMMC Level 2 scoping and assessment guides and the CAP — all of these are referenceable documents — and gone through or about to go through my assessment, and an assessor fails me because I treated encrypted CUI and did not have logical separation on a network, right? Even though the data was encrypted. Is there a stance or a point of debate where anyone could say, “Hey, you can’t assess me based on DoD FAQs that came out post-rule because they’re not anchored anywhere in the rule as an authoritative document?”
Jacob: Well, Daniel, the problem with your question is the premise that the FAQs are not completely helpful in their entirety. The idea is that there might be some confusion or some unhelpful bits in the clarification. So I guess it depends on your situation. If the data and the explanations in the FAQ are helpful to you, then people are probably going to try to use them. If you don’t like what the FAQs are going to say, you can probably make the case to dismiss them. Probably very important to be on the same page with the people who are assessing your environment and see what their position is. Important to be on the same page with your service provider as well, but they are not part of the regulation. They’ve been updated many times since the regulation went into effect, which is cool because normally the only way we would get any clarifications like that is through updates to official documentation and regulation, which takes forever. So it’s a gray area — at best.
Daniel: At best. So there you go.
Jacob: All righty. This was an interesting one that we heard on a call. True or false? You can’t have mobile phones and achieve CMMC status.
Daniel: Jacob, I forgot about this call. These were incredibly lovely people, great people. They had a lawyer on the call, they had two people from IT. And they were talking about how there’s so much misinformation in the ecosystem, because one consultant said you can’t have phones and get CMMC certified. Phones just can’t even be in scope at all. Like — what do you mean phones can’t be in scope at all?
Jacob: I had never heard that before.
Daniel: I had never heard that before either. And I was like, yeah, like it can process, store, or transmit CUI. You can apply controls to the device. You could use a virtualized version of Android like through Hypori or something like that and meet it like a VDI carveout would, right? And so the good news is you can have mobile phones and achieve CMMC status. But it’s just so funny that — there’s just this much misinformation in the ecosystem. Which, honestly, I know you’re doing your brackets and I’m not sure where misinformation falls into play here, but as of about 20 minutes ago, bad guidance and snake oil not only beat CUI — what is CUI — in the semifinal. Bad guidance and snake oil is going to the finals against leadership buy-in.
Jacob: Wow. I thought the finals was going to be cost, scoping, CUI confusion — one of those three. And it turned out to be bad info and leadership buy-in. So now this will be the finals bracket, everybody. So it’ll be after we do the third-fourth place bracket. But the finals bracket will be — which is the bigger problem? Let us know: what is the bigger problem? Is it leadership buy-in or is it sifting through bad information? I mean, those are both horrible. But people — I think a lot of the paralysis by analysis that people have around CMMC is like, “Oh, it’s not going to happen because no one actually knows what’s true or not.” Like, no one. And there’s this grasping of, “I could hire three different assessors and three different assessors can interpret things three different ways.” And so it’s like, I think a lot of this misinformation has just fed people to believe, “How could CMMC even be real if no one really knows what’s going on?” So it’s crazy. I mean, just this morning — or actually last night, drifting off to sleep, scrolling through the glorious soothing blue glow of my LinkedIn app on my phone — somebody had posted and they were like, “33,000 companies are going to leave the DIB as a result of CMMC.” And they just kept talking in their post. And I’m like, “Stop what you’re doing. Where did you get this number from? Like, where did that come from?” And I was like, “What? Do you have a source or a citation?” Like, I see this version of the misinformation all the time where people are like, “Assessment cliff in November. 50,000 companies are going to leave the DIB.” And I’m like, uh, there have been studies about how many companies are leaving the DIB and it ain’t 30,000 a year. It’s not even close.
Daniel: So yeah, I was talking to a construction company this week. It was actually really encouraging and they were like, “Our primes are doing it.” But what’s crazy is — and they’re mid-tier — their subs have told them that they’ve already done it and are voluntarily reporting that they’re doing it. And it’s like, they’re sitting in this middle space where it’s like, my prime’s doing it, I am working on doing it, but my subs have already been reporting to me voluntarily that they’re doing it. And they’re the micros — these are like 50-person shops. This is not a significant-size organization in their supply chain. Anyways, very, very interesting.
Jacob: Yeah, absolutely. “Nope says leadership buying into snake oil and/or ChatGPT instead of what their team says.” Man, we have talked to some people — I feel so bad for them. They are just at their wits’ end when it comes to what’s going on. I think we had this a couple episodes ago where — or it was the Reddit thread where people were talking about their boss going off what ChatGPT says. So like, subscribe and share our content and help seed all that stuff into ChatGPT because it just sifts what’s out there on the internet. So when you’ve got bad takes, that’s what you end up with. All the models, all day long. So yeah, absolutely.
All right. “If paper-only CUI is still subject to DFARS 7012, it is — should the DFARS 7012 clause be flowed down to subcontractors?”
Yes. I am so happy you asked. Let’s consult the CMMC FAQ document, ladies and gentlemen. So this is on the DoD’s website. And right down here — when DFARS 7012 is included in a contract and flowed down to applicable subcontracts, all organizations that process or transmit CUI, including in hard copy form, remain obligated to safeguard the information in accordance with the applicable security requirements of NIST SP 800-171. And so basically what it’s saying is you can’t get away from DFARS 7012 even if you’re just doing paper copy CUI. Now up here, what it’s saying is they’re not required to complete a third-party assessment. However, the organization may elect — if they’re choosing to conduct a self-assessment or a third-party assessment on the environment — for a higher degree of assurance. So again, what they’re saying is DFARS 7012 — you can’t run from CMMC. They’re kind of leaving it at the subs — really the prime’s discretion — because the prime is the one that’s going to ask, “Hey, are you CMMC or not?” And the sub would have to come back and say, “No, I thought we just agreed on paper copies,” right? Or, “Yes, I’m self-attested,” or fill in the blank. Now, what this is very clearly not saying — it doesn’t allow them — if the prime is certified for CUI because the contract states it, it’s not saying the sub has the ability to only self-attest. So just be aware of that. Paper copies — they don’t have to attest at all, because the way this is worded they can elect to. But if this is CUI certification you’re flowing, anything else — non-paper, digital copies of things — certification has to follow.
So I say that even though I think this collective group here on the live stream understands what that FAQ is saying, explicit to paper. But some people read that and say, “Oh, my sub gets to decide what level and if they self-certify or not.” It’s like, no — very narrow use case here, people. And it’s really the prime that’s going to dictate to the subs what they want from them.
Daniel: Gotcha.
Jacob: Quick break real quick before we get to the next question. I have a special request that I’m forwarding from somebody who reached out to me yesterday. Does anybody here on the live stream have any good examples of overmarked information — of CUI, of information that is not CUI that is marked as CUI? So the only actual official DoD position here is from the IG reports, and they only focus on data that is CUI that’s not marked. They don’t focus on data that isn’t CUI that is marked as CUI. Now, anecdotally, I hear about this all the time. You can’t go 30 seconds without hearing about emails with CUI headers on barbecue invites and screenshots and things like that. But does anybody here have any good examples of non-CUI data marked as CUI? The more recent the better. Let us know in chat. Send it to us. You can DM me on LinkedIn if it’s one of those situations. But I’m very curious to know — do you have any recent, clear examples of overmarked data?
Daniel: Yes. I received an email this week with that exact thing. I don’t know if you were setting me up and you knew that or not. Will Hanley here on our team forwarded it over to me. I’m going to share my screen really quick. So this was an attachment to a sole-source workstation — basically additional workstations. I think it was for the Air Force specifically — equipment like furniture for workstations. And this was in the attachments for sole-source justification. And if you look at our pretty friend at the top — marked CUI — this is on SAM.gov, publicly available to all people on this solicitation. And so it’s just really interesting because they redacted some things, right? So I’m sure maybe at one point this might have been CUI to them and maybe when filled out also CUI, but they were using this as just an example. Does this have a header? This just has a header and footer. It doesn’t have a designation block on it at all.
Jacob: Nope. Just a header and footer.
Daniel: Yeah. So that’s just kind of interesting. I mean, it’s out there. This is public information. SAM.gov.
Jacob: Yeah, absolutely. “John said — also, shout out to John, thanks for hanging out on that CMMC show — one of the people who’s helped contribute to getting to 100,000 subscribers.” So everybody give it up for John here. John says, “Not just all new contracts” — speaking about the November deadline — “but also all contract extensions and IDIQ work has CMMC Level 2 requirements. Seven out of seven contract extensions or renewals we received in the past 30 days require proof of CMMC Level 2 self or C3PAO certification.” So there you go. That’s how it’s rolling out. I mean, John knows this. John’s good to go. But you would imagine that with this volume of rollout occurring — and even though it’s not necessarily completely accurate, November and July looming for people — the C3PAOs would be completely booked up and they’re still not completely booked up. You know, if we really were staring down the barrel of this massive cliff and this massive exodus, then you would think there’d be a line out the door at all the C3PAOs. And they’re still out there trying to drum up work. So something ain’t adding up in terms of what’s going on, because clearly — like John is saying on the ground — people are seeing that this is the case.
Daniel: I think it’s obvious people are busy trying to catch up on their implementation and they haven’t scheduled their assessments yet. And that’s what’s sort of extending that C3PAO availability, which is a good thing because that means you can still go get an assessment scheduled when you need it.
Jacob: I think a lot of people — this is another interesting conversation we had this week — they’re having the realization of, “If I submit a proposal and I’m certified and no one else submits a proposal, the DoD is probably going to take mine, right?” And so people are realizing like, oh my god, I know five companies in my space that are certified that would likely go after this work because I saw it on their LinkedIn. It’s like, I know I don’t have a shot. The DoD is not going to pull that back if they have two submissions. I mean, every former contracting officer that we’ve talked to said the same thing. They were like, “As soon as they meet the minimum number of bids that they need to award the work, every additional bid beyond that is just extra work for them that they don’t want to deal with.” Like, they don’t care if there are 800 suppliers that could do the work. If they need eight bids, then they care about getting eight bids. If they get 800 — I mean, that’s nice — but they have to now review 800 bids. There isn’t anything in their job that says once you get the minimum number of bids, you really should go get more. And so you don’t have to have every possible supplier get a CMMC status. You only have to have a critical mass of suppliers for each individual award. And so if you’re outside of that minimum viable group of potential awardees, then you have to hope for exceptions, extensions, special treatment, waivers — and those are over time increasingly unlikely to happen. And so you’re making a massive gamble because you’re playing poker. You don’t know what the other people have in their hand. And so it’s a very risky bet to make.
“Brian — this is very interesting, we’ve talked about this before — Brian says, ‘We constantly send company proprietary information and DoD sends it back to us marked as CUI and we can’t uncontrol it after that.’” So this is something that you and Ryan have talked about quite a bit. I send my data to the government, they mark it CUI and send it back, and now all of a sudden I have to do a bunch of stuff with CUI. Is that true?
Daniel: So the short answer is usually no. This is the conundrum and it’s not really clear, quite honestly. Like, we’ve seen people send their rate cards, for example, and the DoD comes back and says CUI and sends it right back to you. It’s like, wait — this is the data that I just gave you. Like, this is my data. What are you doing to me? And there’s this conundrum where it’s like, do I have to protect my own data that’s not CUI to me, but is CUI to the government because they don’t want to share that with other competitors or with other people? So they want to keep it sensitive, right? And so they’re marking it because they have CUI guidelines, law, regulations, and government-wide policies to abide by. But those same regulations don’t apply to you as a contractor, right? A good example of this — if you look in the CUI categories, this is my favorite one to look at — if you look at budget, I’ve had people come to my door and say, “Oh my god, Daniel, my budget’s in scope as being CUI.” I’m like, “No, no, no. Read where it applies. It applies to federal agencies — when that information is CUI, their budgets are submitted to OMB.” And so when you start looking at this logic, not all CUI is applicable to private commercial organizations, right? And so for people that just think that all CUI applies to them — it’s like no, CUI has to apply to you. And so looking at the CUI registry — and talking to NARA — we’ve never really gotten a lot of clarity out of NARA or the DoD in the sense of, if it’s my information, I send it to you, you mark it — which is the thing you’re supposed to do in some of these cases — you send it back to me. Do I have to treat it as CUI? Most people have just taken the stance of yes — just put it in the enclave, right, treat it as such — to not have any potential repercussions.
Jacob: So yeah. All righty. Let’s see here. This was an interesting question on a call I hadn’t heard before. “Are licensing servers in the cloud considered to be CUI assets or otherwise considered to be in scope?” So licensing servers for applications like SolidWorks, Autodesk, MATLAB, Bentley — I mean, there are thousands of applications that still use what they call pooled licensing servers. And so when you look at this from a scoping perspective, if there’s like a line of sight — so like a VPN connection — and you’re connecting to that pooled licensing server, it’s likely going to be a CRM, right? Because it’s part of your scope. You have a system that’s around CUI, but due to policies or technical controls like segmentation of the data and segmentation of the network traffic and things like that, it isn’t going to have CUI on it. So in a lot of cases it ends up being a CRM. Sometimes if it’s web-based authentication, you could potentially just look at it as an external connection. So I think it kind of depends on where the licensing server is sitting. Usually not CUI, but at a minimum usually a CRM asset — it depends on where the licensing server lives.
Daniel: Gotcha.
Jacob: “Does Microsoft Universal Print work in GCC High? The Microsoft knowledge base only lists GCC. We’ve gotten Universal Print working in GCC High via Microsoft Universal Print Connector, but we would love to send print jobs directly to the printer.”
Daniel: I have great news and terrible news all in the same breath. So GCC High is GA for Universal Print. However, on actual printers that can natively connect to Universal Print — Lexmark, Canon, fill in the blank, Ricoh — they have not built their firmware to support the endpoints to connect into the GovCloud. So that native almost Intune-like join, if you will, just doesn’t exist because we haven’t found any hardware on the printing side that supports it, outside of commercial. Because there are commercial Universal Print printers out there all over the place. So that’s the conundrum — every time we’ve gone to deploy this, we’ve gone back and said, we’ve got to use a Print Connector every time. It’s like, well, that’s just a print server basically at that point. It’s like I’m trying to get away from having extra infrastructure or a workstation or a VM having to run this. So good news, bad news — it is there. Call your friendly neighborhood printer vendor and tell them, “Hey, we’d love you to build printers that can connect into GCC High.” Hey, it’s summer break, Ricoh. Get some interns. Give them some Cursor tokens and vibe code up an interface so that we can get it done.
Jacob: I thought, you know, the dream of AI has been alive for a couple years now. What’s the hold up?
Daniel: [laughter] Xerox, can everybody just get on and get some interns going.
Jacob: Yeah. [laughter] All right. “We have six GCC High users. My main account is the M365 admin account. Needs to change. Okay.” Good, they’re changing it. “The new admin user account didn’t assign licenses to it and now it does not have access to P2 Defender. Do I need another expensive GCC High license for this admin account?”
Daniel: So typically not. I mean, the main license we look for for administrative accounts — at minimum — is usually an Entra ID P2 license, so that we can do privileged access to the tenant, right? Just-in-time access, break glass — or not break glass, but just-in-time access, escalation of privilege, things like that. And so we want to keep that tracking and that accountability around that administrative account and not just have perpetual global admin all the time on that account. So ideally it’s an Entra ID P2 is what we look for. Not necessarily the full suite of things unless you’re using that admin account for other things, right? So if you’re looking at Defender for Cloud Apps, if you’re looking at Defender for Endpoint, if you’re looking to manage some of those platforms, likely you’ll want a G5 or at least some security stack tooling. But minimum, you’re looking at Entra ID P2 is what we would recommend.
Jacob: Nice. Let’s see. John to the rescue again. He said there are some Xerox printers that work with Universal Print and are FIPS 140-3. So John, post some links in chat. You’re about to be a hero.
Daniel: There you go. Savior of the printing — the, as you say Daniel, the Achilles heel of this whole thing — because people are like, “We want to go enclave, cloud only,” this and that. Great. And the first question you always ask is, “Do you ever have to print anything?” Because — and they’re like, “Well, yeah, actually.” Matter of fact, it’s like printers and phone systems. When I was in IT for 17 years, there are two things I never wanted to see again when I left IT. That was printers and that was phone systems. And look, here we are. You join the CMMC train and — [laughter] — printers. And phone systems have a weird VoIP control kind of thing now with Rev 2, but that goes away in Rev 3. But you know, printers, man — still the bane of existence, quite honestly.
Jacob: Absolutely. Breaking boundaries left and right. There you go.
All right. True or false — another fun misinformation thing we heard on a call. “True or false? After migrating to GCC High, we will be limited to webmail only for several days.”
Daniel: Only if you have a bad consultant. [laughter] That’s so — that’s the reason. That’s what I gave them. It’s like, no. I mean, the short answer is no. But when the records are cut over, it is going to take some steps to basically resync your Outlook profile, resync OneDrive, right? Do these things. Rejoin the device if they’re Intune-joined. So all these little things have to be done, and the pace at which you can do them is the pace at which you can have email on your regular device. So some people say, “Yeah, I’m going to have to use webmail because I’m one IT guy and I have to service 200 people in my company, so it’s going to take me some time to do that.” And it’s like, okay, that’s why you will likely have to use webmail. But no, there’s not a limitation of GCC High that you cut over to the GovCloud and all of a sudden there’s a five-day probationary period of webmail only, just to make sure you wanted GCC High, with the ability to switch back. That doesn’t exist. Just pick a good migration partner.
Jacob: There you go. All righty. About as fun as printers — international considerations. “Nicholas said, ‘How common is it for primes to require JCP registration?’” This is the Joint Certification Program, which is the US-Canadian defense contractors — like you’ve got locations in both. I believe that’s the line there. I always thought that if you were in the ITAR CUI world, being part of the JCP was de facto required. The only place I’ve seen it written as needed is in NAVSEA NN 801 for NNPI. Have you heard this, Daniel, about JCP registrations coming up or any issues with them?
Daniel: Somebody in chat said that they know Northrop is requiring it. And it’s not that hard to get from DLA, but I don’t have an answer for Nicholas’s question. Yeah, I haven’t seen it mandated a lot of places. I will occasionally see it pop up — funny enough, a lot more in higher ed recently, which is kind of interesting. They’re basically saying that you even have to hold the certification to be admitted into conferences. Like some of the conferences have had a JCP requirement. Same thing with Critical Military Technology, DD Form — I can’t remember the nomenclature off the top of my head. But what is interesting is that they actually have a CMMC section in JCP, where it talks about CMMC. And this has actually confused a lot of people. Post-2028, contractors seeking renewed JCP certification must obtain a CMMC Level 2 certification. So JCP is starting to link — or will start linking — your ability to be eligible for JCP if and only if you have a CMMC certification as a prereq, which I thought was interesting. Not self-attest — this is a full-on certification of Level 2 — and then you’ll be able to renew with JCP. So anyways, just kind of interesting, but I have not heard of it as a mandated requirement from all primes or anything like that.
Jacob: All righty. Let’s see. “Can non-CUI users in a GCC High tenant be out of scope? Does being in the tenant automatically make non-CUI users in scope? We want to save money instead of making a separate commercial tenant.”
So a lot of people, when they do CMMC scoping exercises, they just look at technology. However, asset classifications can apply to things outside of technology — buildings, people, things like that. So if you have a person around CUI but who isn’t supposed to have CUI, you likely will have them classified as some CRM resources, right? Contractor Risk-Managed asset. And so it doesn’t explicitly call out people as CRM, at least that I recall. But the short answer is, can you have people in there? Sure. Do you want to take the risk of having people in there and having to defend your stance that they’re not being treated as CUI users even though they’re around CUI? Like, do you have strong enough technical policies to isolate things? Strong enough security groups? Can they email each other or not email each other? Do you have information barriers? How nuclear do you want to go on that? So I would say, from both a technical and compliance stance, you could decide to make a case to do that. No problem. The question is, would you want to?
Daniel: I don’t know anyone deciding that users in GCC High are not CUI users. I don’t know anyone splitting the tenant and saying, “CUI here, non-CUI users here.” I see that with export control — so you’ll have non-US person SharePoint sites and things like that. I haven’t seen it to the nature of CUI because it’s just complicated and people don’t want to have to overly defend a stance when they could just say everyone’s treated the same.
Jacob: Right. Theoretically possible, but maybe not worth the hassle.
Daniel: Yeah.
Jacob: All righty. Let’s see here. “150 employees, 15 CUI users. Currently M365 Business Premium plus Preveil. They need a compliant path for CUI screen sharing. GCC High cannot be merged into existing M365. Is that true? Should we go with Zoom or WebEx for Government instead?”
Daniel: Good question. So that is correct — GCC High and Commercial cannot be merged together. Now, there are Business Premium licenses in GCC High — just a little FYI. So Zoom and WebEx have Gov versions of their product. They’re FedRAMP. However, you also need to make sure that where the data is being stored — if it’s export-control in nature — FedRAMP does not cover the sins of US support only. That’s usually a separate contract that you have to have with these vendors. So FedRAMP Moderate and FedRAMP High don’t mean you can have ITAR in them. They’re just a certification boundary of the data center and application. So when you’re looking at this, just be aware that yeah, you can use Zoom and WebEx for Gov for that. And if that is your only use case of screen sharing, that’s great. However, with the whole “encrypted CUI is CUI” thing, I would take a minute and even challenge potentially your Preveil implementation as well, or any type of file-sharing collaboration tool, because once it crosses the boundary of the FedRAMP Moderate equivalent cloud onto your system — even though it’s in an encrypted wrapper — you’re going to have probably significant scope creep. Which is why we end up recommending M365 GCC or GCC High to fully manage that device as part of that equation, and the email traffic and all of those pieces as well. So I hope that helps whoever asked the question.
Jacob: Nice. All right, John to the rescue again. He said — John, we’ve just got to get John on the show. “Contractors in the US and Canada must be JCP certified to bid or work on contracts requiring access to controlled technical data.” John, I hate to make you work for free, buddy. Do you have a — I am behind on my JCP reading and definitely behind the curve on that, so I need to catch up. Shame on me. Do you have a link? Is it on the JCP website that says that it’s required? I believe Nicholas’s question was, “Are the primes requiring it?” So is it — do we have a link between what the JCP program policy is and what the primes are saying? Does that show up only in their terms? Is that listed on any of their supplier websites? I’m not sure if that would answer Nicholas’s question or not. But yeah, I definitely need to get smart on JCP again because I’m missing some pieces here.
Let’s see here. Yeah, because it’s saying you can’t even apply if you don’t have a CAGE code or you’re not in SAM.gov, or I mean, there are limitations of who can even apply. And I know subs — that even now, it sounds crazy — are not even in SAM.gov. Like they just do private contracts. And it’s like, okay.
Daniel: Yeah.
Jacob: All right. “Ninja says — question for the audience — is anyone running into Microsoft licensing issues for users in GCC High? I think they’re called G5 licenses.” Do you have a specific issue or a specific problem that you’re seeing out there? Ninja, let us know. I have not heard of any licensing issues.
Daniel: I’ve got one licensing issue that we have just kind of unearthed. So in Microsoft Commercial, you can mix Business Premium — because there’s a cap of 300 seats there — with Enterprise licenses. Like, you can have both in the same tenant. GCC High, they’re pushing back on being able to do that. So if you’re Business Premium and then let’s say you hit a 300 cap and you were like, “Okay, well, I’ll just start buying Enterprise licenses” — there are conversations right now to fix that, but right now you’re going to have an issue having mixed licenses. So just be aware of that.
Jacob: Gotcha. Yeah. “Has there been any movement in harmonizing the GSA CUI enforcement process and CMMC?”
No, there has not. As far as we know, they’re not talking to each other. So we did a podcast a little while ago — you guys probably heard the news. GSA updated their approach to verifying when contractors and vendors are handling CUI. They want them to do NIST SP 800-171 Rev 3. They want them to hire a FedRAMP 3PAO to do an assessment and then they want that assessment report sent back to GSA so that GSA can make a case-by-case consideration on whether to accept the risk based on the status of that assessment report — which is basically the RMF process by another name. It’s clunky. We don’t know how they’re going to do it. We’ve heard no updates about it. And as far as we know, even though they say in their document that they’re willing to accept other mechanisms of verification, they never mention CMMC by name. And we know of no coordination between the GSA and the CMMC program office.
Daniel: Not that I have heard. Also, I got asked this question again this week about Canadian reciprocity with the CMMC program. I have not heard of any other country’s reciprocity with CMMC in general — even outside of that. So even if you put down the GSA CUI for a second, look back at the CMMC program. Like, they’re all kind of operating as independent programs. Maybe FAR CUI is the ultimate unifier, at least here in the states. But it’ll be interesting.
Jacob: Yeah, yeah, absolutely.
All righty, let’s see here. “Cyber, when talking about licensing issues, said the issue is availability of the licenses. We’re being told from our vendor — maybe it’s just our vendor.”
Daniel: Yeah, I would definitely say so. The only constraint outside of Business Premium is around Azure. So you have to submit requests for large GPU clusters and things like that to Azure Gov data centers. I have never heard about Microsoft not selling a G5 license. I can tell you Microsoft definitely wants your money. They’re very interested in your money. So I think maybe something’s getting lost in translation. You should go back to them and double check because that — something sounds not right here.
Jacob: [laughter] All righty, Daniel — everybody out here knows we only talk to the bigs. We only talk to the biggest of the big. If you’re not 50,000 employees, get lost, we don’t want to talk to you. What is the typical Summit 7 customer profile? Is it just big companies?
Daniel: It is not. So we actually did the math not too long ago. We have about 1,400 clients in total and a third of those are enterprise. And what we consider enterprise is over 500 seats. Everyone else — two-thirds — are small and medium businesses. Sub-500, the majority of those sub-150-200. So we’ve got a bunch of micro businesses — five, six, seven, eight users. We’ve got mid-size — 50 to 100, all the way up to like 200, 250 — and then they start obviously getting bigger and bigger. It’s interesting, right? Because budget’s a big thing for small businesses. They can be agile but don’t have money. So they’ll typically buy licenses. Some of them will go full managed services with this because they have maybe some PE or VC funding that they’re kind of bootstrapping this thing to get going. And then some go all the way to a fully managed relationship because they’re large enough and they realize, “I’m not agile enough to transform my whole enterprise. So I just need a separate environment to do this.” So it’s interesting. Small businesses have the agility but don’t have the money. Large businesses have the money, don’t have the agility. And so everyone’s trying to get to CMMC through different hurdles, which is kind of interesting.
Jacob: Yeah, we definitely work with everybody of all sizes. Also heard through the grapevine today that there are some people out there telling folks that our 100 Level 2 certified clients — that we didn’t have any real role in those 100 Level 2 certifications, that they were licensing-only clients and they did all the implementation. That is not true. And we know who you are. So that is not true. [laughter] We have lots of fully managed clients that go through the process, which is always hilarious how stuff works through the grapevine here.
Let’s see here. Okay, great — John’s got a link in there for JCP. So we’ll dig into that. Some exciting weekend reading. Now that finals are done, everybody, we can read up on JCP.
All right, let’s see here. “What should we consider when migrating from GCC to GCC High? Are there different considerations than going from Commercial to GCC High?”
Daniel: No, I mean, luckily GCC is built on the same infrastructure as Commercial. So you have some of the same heartburn, I guess. So GCC High doesn’t have native VoIP calling plans at all, right? You have to bring in like a SIP provider and SBCs and things like that. There’s limitations in the Teams app store. A lot of third-party integrations — like the Universal Print thing we just talked about — just don’t work because developers don’t code for the government endpoints, the GCC High endpoints. What are some other really common ones here? Feature parity around like — Security Copilot isn’t in GCC High, right? Copilot is just regular — Copilot for Microsoft 365 is what I’m looking for. So it’s really the same as the commercial jump. I mean, at least if you’re in GCC, you likely moved from Commercial once, so you understand that pain and torment that you went through. Now you’re kind of about to do another migration to GCC High. And Microsoft doesn’t post feature limitations really on any of their websites between the platforms — or if they do, it’s one tiny product-line-specific thing. Like, this specific Defender service — Autopilot, for instance — isn’t there. So the ability to zero-touch enroll and deploy devices in GCC High. So if you need that kind of overall sounding board about what’s there and what’s not, feel free to shoot me a message and we can walk through based on the services you’re using today. External Microsoft Forms — it just keeps coming to my head from all the conversations we’ve had throughout the years. So there you go.
Jacob: “Does Department of Defense versus Department of War change anything about CMMC?”
No. No, it does not. Pick your flavor and go with it. But the name change or non-name change process does not affect CMMC in any way.
All right. “Everyone asks about the cost of CMMC. What is the cost of not pursuing CMMC?” We’ve heard stories like this. These don’t get the headlines. Happens all the time. Car crashes happen all the time — they never make it on the news. We’ve heard about this happening, Daniel — of people whose primes were like, “We’re not working with you.” They lost awards. They did the math and they stand to lose money. What have you heard out there in terms of people who didn’t pursue it in time and the cost of that decision?
Daniel: The biggest dollar value I’ve heard is losing an $18 million contract because they could not show proof that they were CMMC certified. And that was a small business — I think under 100 employees, around 80-something. And that was General Atomics — General Dynamics, something — that was the prime. But anyways, yeah, millions of dollars, and that’s just one example that we’re seeing. The more examples that we keep hearing about are almost the equivalent of like the quiet quitting kind of stuff, where the primes just stop reaching out because the information you put in their cybersecurity questionnaire wasn’t sufficient. So they just took that information, didn’t reach back out, put you in this little section over here saying “do not talk to anymore,” and then basically people are like, “We were getting solicitations and then we stopped, and then we called and asked, ‘Hey, what the heck is going on?’ and they’re like, ‘Oh, we’re so sorry, you don’t have a high enough CMMC rating score’” — they use different language — but like, your assessment isn’t correct, you’re not certified, fill in the blank. So what’s interesting is we are seeing people lose money and they become very aware of that, but the more common thing is people are just not hearing about solicitations anymore or opportunities. And that’s what’s really interesting.
Jacob: Yeah. It’s not like there’s some big day that goes off in November where they just flip a switch and then they kick down your door and take all your stuff. Like, the phone just stops ringing and the work just slows down.
Daniel: Exactly.
Jacob: There you go. All righty. “We don’t handle CUI. Customer says we need Level 2. What do we do?”
You get Level 2. I — again, this is the cringy part about the CMMC world, because primes aren’t doing things correctly and they’re not only flowing down just the data that you need, and they’re not being — they’re not doing great jobs of scoping or marking appropriately, or just sending FCI as FCI, or just proprietary data when CUI is not needed. Anyways, all of those things in your situation — whoever this is — it just becomes a pay-to-play game, right? And again, I hate to say it. You can go to bat and say, “Here are the 10 years we’ve worked with you. Not one time have you sent us marked CUI.” You can show examples. You can try and defend your position, which I welcome you to do. But if your customer — who writes the checks, ideally in a private contract with you — mandates this requirement and you can’t make that case or don’t want to rock the boat even more, you’re going to have to pursue Level 2. Again, I hate to say it that way, but in those situations, it becomes a — if you want the business, you’ve got to do what they say.
Daniel: Yep. Yep. Absolutely.
Jacob: All righty. “Somebody said, ‘Are you aware of any meeting programs like Read.ai that would be compliant?’”
Read.ai — I’ve never even heard of Read. These would be like meeting notes, right? So like live transcription, AI summaries of meetings and things like that. Are there any tools that you could use — if you’re just talking about stuff at work, engineering meetings, collaboration — and the materials that you’re using are CUI and you’re using an AI service to transcribe those meetings and then it just gets stored in some commercial cloud somewhere?
Daniel: I mean, Teams in the Gov cloud does it. We use that here. I think Zoom Gov probably has transcription capabilities where they’re storing that information. The question is does it meet CUI requirements — and potentially export — again, depending on what you’re talking about or recording, right, if it’s video recordings as well. I’m not aware of any Read.ai-type solutions that meet the FedRAMP requirement. Because if they are an actual provider — Otter.ai is a pretty common one, right? Like, people use Otter.ai for transcriptions and things like that. I mean, very convenient. But you know, where does that data go?
Jacob: Right. Yeah.
All righty. “How to handle application whitelisting and blacklisting for engineering workstations? We use Intune but I don’t have the manpower to package every utility on the workstation.”
Daniel: So there are a few different tools out there. The most common one that I’ve seen people adopt is ThreatLocker. I think Palo Alto has a solution out there as well. Microsoft kind of redid their AppLocker to App Control for Business — I think that’s the name now. And so it makes it a little bit easier because AppLocker was a disaster. It just took so much manpower to do. They’re making it a little bit easier that way. But usually third-party options — non-Microsoft, and I hate to say this — are usually better solutions. The question comes down to, do they have to be FedRAMP or not? Well, security protection data doesn’t have to be FedRAMP because it just doesn’t exist in this CMMC world, at least as of today. So you could use non-FedRAMP tools if this is the only thing it’s doing, right? Because I can’t imagine it processing, storing, and transmitting CUI with application installation and deployment, or allowing elevated access for users to approve installations themselves if it’s on the approved list. So yeah, there you go.
Jacob: There you go. All righty. Probably last one here. “A contracting officer told us that a new task order would require CMMC Level 2 because of prior access to facility schematics under a previous effort, not because the task order actually involves CUI. Does this seem right to you?”
It doesn’t seem right, but I’ve heard crazier things. So NAVFAC actually sent out a notice on SAM.gov saying, “Hey, all IDIQs in the AECOM — A-E-C — space, architectural, engineering, construction — are going to be CMMC Level 2 certification required,” right? And it’s like, they just blanket-stated this thing. Well, the problem is they don’t necessarily know — I don’t think — that everything’s going to be CUI on behalf of that contract, right? And so it’s so hard because people again are taking the CYA approach. It’s like, “I’m going to set the highest possible watermark for this contract, and if it’s lower, great. But I’m only taking people that can meet the highest requirement. Hard stop. Because I don’t trust the Navy or the Air Force or whoever is on that side of the house to actually only send non-CUI data.”
So it doesn’t sound right because it isn’t right the way it’s supposed to happen. The problem is it’s not happening the way it’s supposed to happen. They’re just CYA-ing themselves — is really what it comes down to.
Daniel: Yeah, absolutely.
Jacob: All righty, everybody. That’s an hour — flies by every week. If we didn’t get to your questions in chat, we’ll add them to the backlog. John, I know you got a good one in there so we’ll make sure to add that for next week. If you find this afterwards, you can leave your questions, comments, and compliments in the chat below and we’ll add it to the queue, print it out, we’ll put it on our refrigerators. You can find us at cuihotline.org. You can always leave a message up there if you call the number. You can fill out the form. You can find us at summit7.us. You can find us on social media. Our DMs are open. Thanks for 100,000 subscribers. Thanks for hanging out on a Friday. And thanks for all the awesome questions like always. We’ll see you guys next week.