
A
All right folks, it is March of 2026, and did you know that most of what is written in the CMMC Assessment Guide isn't actually requirements? A lot of defense contractors open the CMMC Level 2 Assessment Guide and assume that every paragraph is something they have to implement. But that assumption creates a lot of unnecessary work. When you break down the structure of the document, you'll notice something very interesting. About 75% of the guide is just explanatory text. Only about 20 to 25% of the document is actual assessment criteria and actual requirements that you have to implement. Misunderstanding that distinction leads to one of the most common and expensive mistakes that we see in CMMC preparation, and that is what we're going to talk about today. Jason, we hear about this misconception in two big ways, in my opinion. First, contractors assume that everything written in the assessment guide is a requirement. And worst of all, actual assessors sometimes assume the same thing. Shame on you, assessors. You should know better. But that's what this podcast is for. We're all friends here, we're all learning together. Both of these interpretations are incorrect. What do you think?
B
Well, I think as somebody that's been around you long enough, I know how much you love marrying things together, like peanut butter and jelly, or like assessment guides and the actual framework itself. And if I remember correctly, with my long gray hair and years of CMMC knowledge, I think... Right. Like, the intent when the CMMC program was developed by the developers was to include this kind of guidance in there for the organizations that were going to be subjected to it, for them to better understand everything. So it was intended to help them. But as we're seeing, sometimes it creates a little bit more confusion. But it is all good.
A
Yeah, yeah, no, it definitely helps. I mean, to the CMMC program's credit, they take the explanatory text that NIST already included and then more than double the amount of explanation given, when they technically don't have to. The only things the document has to say are: what's the requirement, and how do you check to make sure that the requirement is implemented? And they could just stop there. So it's a little bit of a double-edged sword, because if you over-read the document and treat that explanatory text as if it were all mandatory requirements, that can lead to unnecessary implementation. It can lead to excessive documentation, which is one of the things that people hate the most, and it can cause your overall compliance program to be more complicated than it needs to be. And so we're going to talk about where the assessment guide contents come from and why it's structured the way it's structured, to maybe help people understand why this misunderstanding happens.
B
While I totally agree with the structure, I think that we both, and I hope that you're on my side with this, could agree that maybe a review for brevity could help. Right? Sometimes there is a lot of redundancy, and sometimes those redundancies create confusion...
A
As a habitual yapper, I understand the value. People in the audience have told me many times to wrap it up; they need a wrap-it-up button. It could definitely be shorter. Let's talk about the structure of this document. Maybe people will start to see where this misunderstanding comes from. So let's talk about the structure of the practices themselves. Every security requirement in the CMMC Assessment Guide is called a practice. Every practice follows the same structure. There's a practice statement, followed by assessment objectives, then there are potential assessment methods and objects, then there's a discussion section, and then there's a further discussion section. Only those first two parts actually determine whether an organization passes or fails their assessment. So these practice statements, this is the statement of the actual requirement itself. These come directly from NIST Special Publication 800-171. This is the actual security requirement that an organization has to implement. That's followed by what are known as assessment objectives, and these define what the assessor has to actually verify. These come directly from NIST Special Publication 800-171A, A as in Alpha, the companion assessment procedures to the requirements in NIST SP 800-171. And taken together, that practice statement and the assessment objectives form what we would call the normative portion of the Assessment Guide. This is the part that you actually have to meet and verify. This isn't guidance, this isn't a suggestion, this isn't an example. That's actually the requirement and how you prove that you have met the requirement. These are the parts that determine compliance because they determine if the practice has been fully implemented.
B
Yeah. And so if I were just somebody reading it, and the CMMC Level 2 guide only contained those two portions, the next questions I would ask are: what are they going to look at to prove that, and how are they going to look at it? Right. And so this is the beauty of these extra additional sections, is that now they're like, oh, you have questions? Funny enough, there's answers right here at the bottom of the page. It's just, when you give them the answers, you're like, oh, yeah, the...
A
The "glad you asked that question" section. We...
B
...thought you'd ask this.
A
Right, right. So, quick note: below those assessment objectives, there's something called Assessment Methods and Objects, a section sometimes called Potential Assessment Methods and Objects. We're not going to really dive into that today; we're not going to spend too much time on it. Just understand that this section describes how assessors will verify those assessment objectives. Are they going to examine documentation? Are they going to interview personnel? Are they testing technologies? Are they testing mechanisms? Basically, they're gathering evidence, but they're not required to gather all of the evidence. They're outlining how they might examine the evidence or interview people. But you don't have to examine everything and interview everybody and test everything. They're just suggestions, so people can get wrapped around the axle when it comes to that.
B
Anyways, yeah, that is one of the huge things. One of the huge questions that we get from this is like, wait, I have to have all this? This doesn't even apply to me. No, you have to have all that applies, and these are some examples of it, right?
A
Yeah, exactly. Lots of flexibility in who you interview, what you examine, what you test: if you test, if you examine, if you interview. No flexibility in the fact that you have to answer all the assessment objectives in order to meet the actual practice, the security requirement itself. Okay, so discussion and further discussion. The remainder of what can be a page or more for a single practice is discussion and further discussion. These sections exist strictly to explain the intent of the control and to provide examples. These are the conceptual background, like, what are they talking about? Where did this come from? They give explanatory guidance. They give example approaches that you might take but are not required to take. These were never intended to create additional requirements. Their purpose is simply to help readers understand what the control is trying to accomplish. These sections are informative; they are not prescriptive. And when you step back and look at what would be an entire page or page and a half for a single practice in the Assessment Guide, the majority of the text is explanation. It's not requirements. Like we talked about earlier, more than 75% of the Level 2 Assessment Guide is just explanatory material. The actual normative content, the part that determines whether you've achieved compliance, is just the practice statement and the corresponding assessment objectives.
B
Yeah. And this may be very revealing, but from the way I look at it, the discussion portion...
A
Right.
B
...is essentially the outcome of the control, broken down into a more digestible format.
A
Right?
B
Like a TL;DR, but it's actually longer than the assessment objectives themselves, right?
A
Yeah.
B
And then when you get into other things, like the further discussion, everybody's like, why do you need further discussion? Further discussion, to be more specific. Again, examples may call out things, still never prescriptive.
A
Yeah. And sometimes the further discussion is quite long and very helpful. And it's something that the CMMC program did not have to add. So kudos to them for actually trying to add some more context, because as we all know, NIST is not the best sometimes at communicating in human speak. And so it's nice that they tried to add some additional examples. So, speaking of examples, let's look at a quick example. Non-technical example, everybody. Okay, so requirement 3.10.1, limit physical access. Right. The actual practice statement is: limit physical access to organizational information systems, equipment, and their respective operating environments to authorized individuals. That's it? That's all you get? How do you determine if that's actually been achieved? What do I have to look at? Who do I have to interview? What might I test? Can you give me some examples? Could you give me some further examples? You can see how this single sentence is going to expand to a page or more with all that extra information. But if we drop down to the discussion section: the discussion section, taken from 171, says authorized individuals have credentials that include badges, identification cards, and smart cards. That doesn't mean that you need those specific solutions, and it also doesn't mean that you need all of them. They're just examples. So those are common ways that you can meet this requirement, probably the most common ways. But it doesn't mean that you have to use those or that you have to use all of those. The same goes for the mention of fax machines in the discussion section. You don't have to have fax machines in order to meet this requirement.
B
It's just an example. What you do see happening is, a lot of times, people will automatically assume that they're controlling physical access, and they say, yeah, we do that. We have authorized individuals that have credentials, and to get here, get there, blah, blah, blah. Right? And then the policy statement that is taken is just the extraction of both of them. That's also not the way to go. Just to throw that out there. That's a deep...
A
You take the discussion section and you put that in your SSP. The assessor is going to go, where's that fax machine at? You'd be like, what fax machine? They'd be like, well, I think we're done here.
B
And it's just a standoff. Yeah. Adding elements that are not there just because...
A
Exactly. Yeah, exactly.
B
...you have to have it.
A
So the further discussion section. This is the part that the CMMC program adds in the CMMC Assessment Guide, below what NIST has for their discussion section. They say specific environments are limited to authorized employees and access is controlled with badges, electronic locks, physical key locks, etc. That doesn't mean that you need badges; it doesn't mean that you need electronic locks. They're just examples, hence the term "etc." Right. So these are not additional requirements. You don't have to do everything that's listed in these sections. It's just there for your information. It's just there for explanation.
B
So now, as we often say, sometimes the misunderstanding of things is because people aren't fully aware of what they represent, what they are, what they're supposed to do. Providing this explanation is there. But sometimes, if you don't understand the words that are being said, the intent that's trying to come from the discussion...
A
Right.
B
...the further discussion realistically reflects policy statements or standard statements that an organization would make as to their position on things.
A
Things.
B
Right.
A
Yeah, I think, to your point, this highlights some tension that we hear a lot, because in theory, a lot of people say that they want: just give me the outcome. Just give me what you want me to do. Just tell me what you want. Get out of my way. We don't want these overly burdensome checklists. Get out of my way. Right. And then you end up with what NIST did: they gave you a single sentence. And then what is the first thing that people say? What does that mean? Just tell me how to meet it. Could you give me, I don't know, a checklist of stuff that you want me to do? And so when you approach it with that actual realistic mindset, because people are busy, they've got other stuff going on, they read through this and their first thought is like, do I have to do all this? Just tell me what I need to do. I need locks, I need badges, I need this, I need fax machines. And they get all pissed off and they're like, this is ridiculous. And they're just... for example, 75% of that assessment guide is just there for informational purposes.
B
Yeah, I've seen individual situations where each individual assessment objective has things that have been implemented, and then you go into the discussions and those things are laid out, and it is full-on pages of this is how we do this, this is how we do that. That's a quick way to creep out the resources, right? To wear out everything that you have to do.
A
Yeah, absolutely. So let's maybe dive a little bit deeper here, talk about where these requirements come from, and we can really clarify and close the book on the fact that these are just for informational purposes only. So let's talk about the major misconception here. CMMC is not the requirements. CMMC is a verification program for the NIST requirements imposed on defense contractors by other, 10-year-old contract clauses. They've been around for a long time. It's just the verification program. Similarly, the assessment guide is not the requirements. It's literally copying the requirements and verification procedures from 171 and 171A. So the requirements, as of this conversation, come from NIST SP 800-171, Revision 2. That document defines 110 security requirements for the companies that are handling controlled unclassified information. And right at the beginning of that document, if you read more than just the requirements, if you actually read the beginning of the document, highly recommended that you do that, they say: a discussion section follows each CUI security requirement, providing additional information to facilitate the implementation and assessment of requirements. This information is derived from the security control discussions in SP 800-53, which I also recommend that you read. It is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls to protect CUI. Key quote here: the discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. In other words, the discussion section exists to explain the control, not to expand the control.
B
Yeah. So is that the difference between saying you'd like to play basketball like Michael Jordan or you like to play basketball. Right. Kind of like Michael Jordan.
A
Yeah. I think a good example here would be like, hey, you've got to have a good baseline of physical fitness. And you're like, some of the ways that you could do that are push-ups and cardio and pull-ups and burpees.
B
Sure.
A
Do you have to do push-ups and burpees and pull-ups and bicep curls and calf raises and side bends and this? No, you don't have to do all that. Those are examples of the things that you should do. Are they common ways that you could achieve baseline physical fitness? Sure. But they're just examples. They're not exhaustive lists of all the crazy things that you could possibly do to get in shape.
B
So you need good access control fitness, and these are certain exercises which you can do in order to achieve access control fitness. Okay.
A
Yeah, absolutely. Fun note, everybody at home: you don't have to do your bicep curls in the squat rack. All right? If you do, we're gonna judge you. I'm just saying, we're gonna judge.
B
How do you do that?
A
Anyway, long story. Okay, let's talk about where the verification procedures come from. We talked about where the requirements come from, 171. Let's talk about where the verification procedures come from: 171A. So for every requirement in SP 800-171 there are corresponding verification procedures in 800-171A, A as in Alpha. These procedures describe how an assessor, or you, if you're doing a self-assessment, determine whether a requirement has been implemented or not. Think of them as questions that need to be answered in order to have assurance that a requirement is fully implemented. Be aware, we've talked about this a million times, but just so you're aware: 171 Revision 2 has 110 requirements. 171A has 320 verification procedures. There are multiple questions that need to be answered in order to prove that you are meeting any given requirement. These procedures, which are technically called determination statements, show up in the assessment guide as what we call assessment objectives. Things get lost in translation from NIST to CMMC sometimes. I know, I know. I've griped about it before. Anyways, unlike 171, 171A has no discussion sections. It's just focused on verification. It's just the procedures and the potential methods and objects that we talked about earlier. So, another common misconception here. People sometimes interpret each assessment objective as if it's its own requirement. That's not how this thing works. The assessment objectives are the observable conditions that demonstrate whether a requirement has been implemented. They don't create new controls. They don't expand the original control. They are the questions that are decomposed from that original practice statement, from the original security requirement. They are the multiple ways the assessor confirms that same overarching requirement, right? They are underneath it in the hierarchy, if you will.
B
I think I remember somebody one time saying that the way that this works is kind of like the Transformers. Optimus Prime is the control statement, right? Optimus Prime is this representation of all of them, right? That's when all of them... Or is that Mega Optimus Prime or whatever? Help me out here, folks. But it's when all of the Transformers come together and they formulate the super powerful Transformer.
A
Right?
B
That's Optimus Prime.
A
Yeah.
B
Yeah.
A
Well, let's do this for the '90s kids. Let's think about Power Rangers, right? The Power Rangers all come together to form Megazord, right? So you've got a Megazord requirement. Each individual Power Ranger is an assessment objective.
B
And without all the assessment objectives tied together, there's no Megazord. It's just clunky, right?
A
You don't have a leg. You don't have an arm.
B
Right?
A
You don't have your sword. And then Rita...
B
I still like the Transformers better, but...
A
Yeah. Rita Repulsa. You know, never mind. I'm not going to bore you with my deep knowledge of OG Power Rangers lore. We'll save that for a bonus episode. Okay, so let's talk about how the CMMC Assessment Guide... I'm restraining myself here. Let's talk about how the CMMC Assessment Guide helps overall. Something that they don't get enough credit for. So historically, 800-171 and 800-171A are separate documents. And I hate it. And it's dumb, and it's a bad idea, and it needs to be fixed. And I've begged NIST to do it for years. And they won't do it.
B
Never heard you say that before.
A
Because they don't like me personally. Right? So that separation of those two documents has caused crazy amounts of confusion over the years. One of the most useful things that CMMC has done is that the Level 2 Assessment Guide combines those two documents into a single referenceable document. This is wonderful. They pair the requirements with the verification procedures in the same place. What a concept, right? But remember, the Assessment Guide is primarily an evaluation document for the assessments. It's not, in its entirety, a set of requirements. The further discussion sections are unique to the CMMC Assessment Guide, but they are informational only. And the CMMC Assessment Guide even explains this at the top. If you read the beginning of the document, highly recommended, instead of just flipping to the requirements, it says that the further discussion section, direct quote here, expands upon the NIST content to provide more information on the practice's intent. It contains examples illustrating how the staff of contractors might apply the practices. These examples provide insight, but are not intended to be prescriptive of how the practice must be implemented, nor comprehensive of all assessment objectives necessary to achieve the practice. It's just for guidance. It's just for example.
B
Yeah. Again, as I said in the beginning, this was by structure. It was intentionally put in here to help people better understand it. The issue is that people read into it, they absorb it all as gospel, and they start taking it and, I've got to do this now, I've got to do this now, and not using applicability where necessary. Right. And I think that leads to a lot of problems, and that's why it's important for you to know this; it can save you a lot of money.
A
Yeah, I mean, it could be a UI design issue too, because the formatting doesn't exactly call out, like, this is mandatory, this is a suggestion. Right. So I mean, there's a lot of room for improvement: brevity, the formatting, clear signals. You know, I do, I do...
B
...think words do matter. And I think that in some cases it is more suggestive in the way that it is written.
A
That's right. Words hurt. Okay. Why this matters. So we're gonna talk about why this matters. When the explanatory text, which is the majority of the assessment guide, when all of that explanatory text, 75% of this document, gets mistaken for hard-line requirements, this causes organizations to implement unnecessary technical controls, buy unnecessary stuff, create unnecessary documentation, and over-engineer their control environment and the compliance programs to go along with it. That will increase cost, it will increase complexity, and it won't necessarily improve your assessment outcome, because you're just adding in things that can get asked about. Right. They can get evaluated, they can get brought up during your assessment. Ultimately, the assessors are there to verify the assessment objectives. They are not there to verify the explanatory information. So you want to stick to those assessment objectives. Those 320 questions are the questions that the assessors are going to be focused on, or should be focused on, assessors out there. And so you want to stick to those as closely as possible.
B
Jake, what do you think the ROI is on a solution that you've implemented just because the further discussion said that you should, or you thought the further discussion told you that you should, but you used it... negative.
A
Yeah. Probably cost you more than it's worth. Yeah.
B
And it's just, look, they're helpful, but again, people take every single word as gospel, absorb it all in, and that can be very, very costly for organizations.
A
You know, you've heard me in the past say that we should just copy and paste.
B
Yeah, but you said... Yeah, I've also heard you in the past say that we should combine documents like this. So in the first example we have, where we have combined it and put it into the field test, we're explaining the things that we've come up...
A
Yeah, really, it was just a big-brain scheme in order to be able to generate podcast episodes explaining the overly long document. It's all a scam. Anyways, let's wrap this up. So, a helpful question to ask yourself whenever you're reading the assessment guide: is this something that an assessor has to verify, or is this just an explanation in the discussion and further discussion sections? Understanding that distinction is going to make CMMC compliance a lot simpler. It's going to make it a lot cheaper, it's going to make it way less intimidating. Really, we're talking about a document that could be 20% of the length of the entire thing, which should make things easier to get through, even though it's still a complex thing that you've got to solve for. So just don't find yourself in the position that a lot of people find themselves in, and expect that the helpful guidance is now suddenly this giant heavy burden where you have to implement every single word of the document.
B
Yeah. If it's something the assessor must verify, right, that's a key word. If it's something that the assessor must verify, the answer to that question is: if it's applicable to you, they have to verify it. And knowing that, and the awareness of what applies to you, is very, very important.
A
Yeah, absolutely. Alrighty folks, let us know if you thought this was helpful. I mean, this is one of those ones that, if you've been in the ecosystem for a while, can seem self-evident, but we hear this all the time. So we decided to do a whole discussion about it. Do you want us to dive into assessment methods and objects in more detail in the future? Let us know in chat, shoot us a message, we're easy to get a hold of, and we'll see you next week.
B
See you next week.
Host: Summit 7
Date: March 12, 2026
This episode addresses a widespread misconception among defense contractors and even some assessors: that everything in the CMMC Level 2 Assessment Guide is a requirement. The hosts break down the structure of the Assessment Guide, clarify what counts as an actual requirement versus explanatory guidance, and explain the practical implications for organizations trying to comply with CMMC. Their key message: 75% of the Assessment Guide is explanatory, not prescriptive. Misunderstanding this can lead to expensive, unnecessary, and time-wasting efforts in compliance.
On redundant guidance:
“Sometimes there is a lot of redundancies and sometimes those redundancies create confusion…” – Host B [03:08]
On how assessment objectives relate to the requirement:
“Assessment objectives are the observable conditions that demonstrate whether a requirement has been implemented. They don't create new controls.” – Host A [18:03]
For further detail or document references, reread the beginning of the NIST and CMMC Assessment Guide documents—don’t just jump to the controls.
Let the hosts know if you want a future episode diving deeper into assessment methods and evidence collection!