
Episode 27

CUI Discovery for CMMC Compliance


About This Episode

Podcast Episode 27
May 12, 2026 - 40 mins

Scoping is one of the most misunderstood yet essential parts of the CMMC ecosystem. Before organizations implement controls, buy tools, or prepare for assessments, they must first define what is in scope—their data, people, processes, and systems. When done well, scoping reduces costs, limits liability, and streamlines compliance. When done poorly, it increases the risk of assessment failures, whistleblower issues, and expensive rework.

In this episode, Cole talks with cybersecurity leaders Andy Paul and RJ Williams to clarify what scoping really involves, why organizations often get it wrong, and how an enclave-based approach can simplify compliance. They explore the operational, technical, and contractual details many teams overlook, from CUI discovery and cage code challenges to the real cost drivers of CMMC.

Whether you’re preparing for your first assessment, refining your compliance strategy, or trying to understand how enclaves fit into your environment, this conversation offers practical guidance you can use right away.

We discuss:

  • Why scoping is the most critical step in any CMMC program.
  • How to correctly determine where CUI resides — and why most organizations struggle.
  • The value of minimizing scope to reduce cost, effort and assessment risk.
  • When the enclave model works, why it works and how to implement it effectively.
  • How DIBCAC assessors evaluate scope and why their approach differs from C3PAOs.
  • Why contracts — not IT assets — should drive scoping decisions.
  • How people, processes and technology define an accurate compliance boundary.
  • CAGE code complications and how enterprises can manage multi-entity compliance.
  • How tools like Teramis support technical discovery to uncover hidden CUI and right-size environments.
  • The business case for reducing liability, avoiding whistleblower risk and gaining competitive advantage.
  • How segmentation, information barriers and GCC High configurations support scalable compliance.
  • Why many organizations overspend on licensing and tools due to incorrect scoping.

Episode Transcript

Cole French:

CUI isn’t just buried in IT systems. It runs through contracts, workflows, and day-to-day operations across the defense industrial base. We’ve talked about it before and can’t talk about it enough, but scoping is the most critical and most overlooked part of CMMC.

Today’s conversation will dive deep into smart segmentation strategies and data discovery tools that can dramatically change the compliance equation. In today’s episode, we explore why scoping is the foundation of CMMC readiness. The discussion covers how organizations often misjudge where their CUI actually resides, why contract-driven scoping is essential, and how poorly defined boundaries lead to unnecessary cost, elevated risk, and assessment challenges. We examine real-world operational issues such as limited visibility, unclear processes, and the growing role of tools that map and classify CUI across environments. The conversation also dives into the enterprise versus enclave debate, complexities created by multiple CAGE codes, segmentation inside GCC High, and the rising urgency driven by DFARS enforcement. This episode closes with practical strategies for managing cost, reducing liability, and building a scalable approach to CMMC, whether you start enterprise-wide or focus on a tightly defined enclave. Joining us for this conversation are Andy Paul and RJ Williams. Andy is an engineer, data privacy professional, and CMMC Certified Assessor from Cape Endeavors with more than 15 years of experience helping firms design, implement, and secure everything from globally spanning networks to small, boutique, and highly specified regulated networks. RJ is CEO of Indirect IT, a managed IT and compliance services firm helping defense industrial base contractors achieve and maintain CMMC Level 2 and Level 3 readiness. He provides strategic guidance and audit support to organizations navigating the complex cybersecurity and regulatory demands of federal contracting. We hope you enjoy this episode.

Well, Andy, RJ, I really appreciate you guys taking some time to join us today on the Cyber Compliance & Beyond Podcast. And today we’re really going to get into, I think, one of the most important topics in the entire CMMC ecosystem because really it drives everything. We’ve talked about it many times here on this podcast, but that’s scoping your boundary or scoping your environment, making sure that before you go through an assessment, you’ve properly scoped what it is that’s going to be assessed. So Andy, I’ll kick it over to you, get us started. If you want to talk through what scoping is like from your perspective, what folks should be concerned with, what are some of the most important aspects of scoping and some of the challenges maybe you’ve run into from a scoping perspective?

Andy Paul:

Yeah, absolutely. So when it comes to scoping, it’s this idea of, where’s my CUI? Well, knowing what it is, who the people are, the actual documentation that’s there, and the locations that are holding it. And then the applications that are processing it, and making certain that is the scope. Whenever you are trying to solve your CMMC scope with a solution that’s going to be there, you want that to be as small as possible, because that’s how you make it as cheap as possible, and it also reduces assessment risk. So saying, “Hey, it’s everywhere and I’m wanting to just solve for everything,” is typically not your best answer. There’s normally a better answer for that. It’s getting your scope as small as possible.

And then you have that enclave approach that a lot of people are adopting. And there was a client recently that was going through theirs, and they actually had a DIBCAC assessment come in. It was just the DIBCAC High onsite. And the first thing they did was they challenged the enclave scope. They said, “Hey, we’re assessing where the CUI is, not the thing that you pointed at. So is your CUI actually in that enclave?” So that was a big thing, being certain that you knew where it was so that you could actually define that scope, because if the CUI’s not inside of that scope, do you have the scope that you think you have to go through the assessment? The last thing you want to do is assess one scope but then have a different scope, because now did you actually get the CMMC certification you thought you did? It doesn’t really reduce some of that liability risk that you have.

So that’s why nailing the scope maximizes all the other investments. It makes the best use out of that C3PAO assessment that you got. It reduces your liability from a whistleblower complaint or any of that other sort of stuff that may come up. And it also reduces the amount of effort that you’ve got to do to harden everything by only hardening the things that are in scope.

Cole French:

So RJ, I know from your perspective, from a more MSP perspective, I know Andy obviously understands this from an operational perspective, but you build these environments from a more technical perspective. So RJ, from a more operational perspective, what do you see as some of the challenges with scoping, or what things have you seen and what have folks run into?

RJ Williams:

Generally, we start from a people, process, technology perspective. Obviously, we’re technology support experts. And so as we go through the process of securing technical systems, it’s quickly obvious that most people have limited understanding of their processes, particularly the people that are put in charge of CMMC. Those processes oftentimes lead to limited understanding of what people are involved in. So like Andy was articulating, it can be complex. It doesn’t need to be. We try pretty quickly to get our hands around the processes we own and operate, like access control, user provisioning, vulnerability management. Those types of processes give a lot of light to not just IT support and best practice and compliance mechanisms, but also as you build through RBAC, or in most cases we try to get to ABAC, and you start assigning attributes to individuals and understand the contracts. And as the data processes through the system, it becomes a lot easier and clearer picture to scope.

And so the biggest thing we see often is a lack of visibility, and we use a business x-ray approach to graph and document, draw out a lot of the business processes that they have on these contracts, not just at a corporate level, but on a contract by contract basis, which can oftentimes be different depending on the program manager’s approach and the government deliverables that they’re looking for.

Cole French:

That’s a good point. And we’ve talked about that here in the past, but it isn’t just… I think a lot of people think scoping and they think, “Oh, well, what are my IT assets that are in scope?” But the reality is that it actually starts at a more foundational level, “With what are the contracts that I have and what is the data associated with those contracts?” And that really drives the scope and obviously, and then from there, what assets are going to actually be in scope, depending on whether you try to go with the entire environment, like you guys mentioned, or you try to build out that enclave.

Now, Andy, one question I had, you mentioned that in a DIBCAC assessment, they essentially challenge, is there actually CUI inside that environment? And that’s not something… I know certainly from our assessments, we always tell people, “Hey, we’re here to assess you. This is not an audit.” So really we’re just trying to… We’re essentially going to take what you tell us. We’re going to say, “Okay, this is what you’ve told us as your boundary.” We’re going to evaluate it as your boundary and take things from there. We’re not there to challenge, is this actually your boundary? So I’m just curious, what was the outcome of that? How did the organization that was undergoing the assessment, how did they tackle that particular question?

Andy Paul:

Yeah, and it’s absolutely right. When I hire you as my C3PAO, I’m hiring you to assess the scope that I give you. You’re not there to audit and say, “Hey, did you move all the stuff in there?” You’re not assessing everything else. So if a whistleblower complaint points to something outside of that enclave environment that I hired you to assess, and it’s over there, clearly that’s not what was in the scope of your assessment. I can’t rely on that. That was a DIBCAC assessment, too. So they were able to do some things that C3PAOs can’t do when they’re coming in doing a DFARS assessment. They’re saying, “Hey, I’m here to assess where the CUI is.” They also didn’t do an audit. They didn’t go and look at every file that wasn’t inside of it and make sure there wasn’t any CUI there. But rather, what they did was they just wanted to verify that we had a way.

How did we come to this conclusion that we’d found and moved our CUI into the environment? So we walked through this process of, “Well, we scanned for it, we migrated it, then we deleted it from the other side.” It’s kind of the basic way of what it would look like to move CUI in. And once we enumerated that, hey, we had actually looked for our CUI outside of it, that we had moved all the CUI that we found, we deleted it from the other side so that now it’s only in this one bucket, and that’s the bucket that we want you to look at. They were very happy with that. They really just want to make sure that we’d done something in that regard. And then if we lied about that, or if we left some out and we intentionally didn’t look at it, that’s qui tam, whistleblower-type stuff. That’s also not their purview. That’s somebody else that’s going to have to tell [inaudible 00:07:27], and then the Department of Justice will handle that misrepresentation.

Cole French:

So in terms of… Hold on, think of how I want to ask this question. So you mentioned moving essentially what you just described, right? So it sounds like this organization, or did this organization at the beginning have more of an enterprise focus and approach, and then through conversations and evaluating what their actual scope was, they decided to go with an enclave. How did they come at this scoping problem from the beginning?

Andy Paul:

Yeah, that’s exactly right. They were going to start their CMMC journey and they were like, “Hey, my business is a lot bigger than my CUI problem, and 800-171 is not the most appropriate framework for everything that I have going on.” So instead of trying to force a bad framework onto my organization, I want to take the government CUI and put it where I can harden it to the way the government wants it to work. That way I can harden that data as my compliance requires while still grabbing the most appropriate framework that was not 800-171 for the rest of my organization from a cybersecurity perspective.

They recognized that there were some impossibilities for them in the 800-171 nature of that, because that’s really, really locked down for specific pieces of data and not all of their environment is conducive to processing CUI in. So they took that splitting it out, putting that data into the enclave, harden the enclave approach. And then as part of that, once they made that decision, it was just a case of go find my CUI and move my CUI into that enclave.

Cole French:

I think another thing to highlight, and is worth mentioning, this maybe goes back to what RJ was talking about with the more foundational contractual-type stuff, and this goes to what you just said, Andy, but an issue that we’ve been having a lot within CMMC as we’ve been doing assessments, particularly enterprise-level assessments that involve multiple CAGE codes, which for those that may not be familiar, CAGE codes are essentially codes that get assigned to business entities, and then the certifications that companies achieve are assigned to those particular CAGE codes or CAGE code. It could just be one. But it’s sort of unearthed this major problem, and it’s a scoping problem at the end of the day, especially for an enterprise organization. Okay, I have, I don’t know, 10, 15 CAGE codes. I’m going to do an enterprise assessment to cover all my CAGE codes.

All right, that’s good. But again, it’s an enterprise approach. So if I go acquire another company or I stand up another entity and I decide they’re going to get a CAGE code, or they have a CAGE code already, now I have a problem essentially with how the existing framework works, in that I can’t add that new CAGE code. So I’m just curious, is that something organizations are considering when they’re having these scoping conversations? And I think this is another thing that goes towards an enclave approach: I can build something that’s associated with one CAGE code or two CAGE codes. And then if I do bring on anything else from a CUI perspective, I just bring them into that enclave that’s already covered. I don’t have this sort of issue hanging out there. Anything you guys have seen on the whole CAGE code challenge within CMMC certifications?

RJ Williams:

Yeah. So we look at enclaves and segmentation options as a lot of different applications potentially coming out of that. We oftentimes use an enclave as a lifecycle approach. They need a way to start to bid contracts that are coming. They know they have data out there in the ether. There are really strong products we’re going to talk about on this podcast at some point to help discover that data. But as that process is being undertaken, maybe they’re a drone manufacturer. They just got hit with the NXTL drone dominance contract that came out, and they’ve got to be certified by November 10th next year, but they’ve got to self-attest to Level 2 now to get the documentation to bid on that solicitation. Those are opportunities to use the enclave approach in a lot of different ways. We’ve used information barriers and admin units inside of Microsoft GCC High to enclave inside of an existing GCC High tenant to get moving.

We’ve done entire separate enclaves for organizations that were approaching it currently as enterprise, knowing they couldn’t get the culture buy-in and win the war that quickly to be able to get to the solicitation returns they needed. And then in some cases, it’s just a simple buy-a-tiny-enclave-and-throw-the-CUI-in-there kind of thing. But there’s a lot of different ways to do it. Segmentation oftentimes gets involved. And I sort of use that as a gap between the enterprise and the enclave approach, where you start to segment off programs, particularly export control programs, hands-on development, software, RF radio development, physical manufacturing development. Those types of things are good for segmentation, but they oftentimes can be simplified by starting as an enclave. And it really helps people wrap their heads around getting a program in place and getting somewhere to start to do the business development activities that they need to continue to fund the activities that we’re trying to provide them.

Cole French:

Andy, did you have anything to add to that?

Andy Paul:

No, I mean, it’s spot on. I mean, everybody’s having to grow to this. Yes, the idea of DFARS 7012 has been around for a long time now, but with CMMC, the enforcement’s coming up, companies are having to get into it, and not everybody’s going to be able to do a hard cutover. That kind of crawl, walk, run approach to stuff. Let’s get something going. Let’s get them where they can actually go out, procure, get the contracts before you continue to move it out. Those are great uses of that enclave approach as well. I really like that.

It also makes it… CMMC can be really, really expensive and it can be a huge burden, or it can be a way for you to limit your liability, to go out and get that work, be a market differentiator, and not have to be super costly. Using some of these other strategies to help you manage that cost down and turn it into something that’s reducing liability and actually driving a little bit of a return for your company, your business, while not putting you at all this whistleblower-type risk and these kinds of existential things that can come.

RJ Williams:

Circling back a little more on that, Cole, if you don’t mind. You asked about CAGE specifically. CAGE codes are interesting, right? Your Commercial and Government Entity codes. A lot of people don’t know that non-US companies have those if they’re registered with the federal government. That’s the base requirement to get your cert and get in there. And there’s a lot of complexities around CAGEs and US versus non-US parts of the business. But the thing that we’re seeing the most right now is people… This space has been private equity-driven acquisition for the last, I don’t know, decade, at least. And as these companies get acquired, it’s really been interesting how little people understand the CAGE system. And the fact that as you do that integration process of contracts, that’s where it starts to get to be a different conversation depending on how the entity is structured.

Sometimes there’s a primary holding entity that’s going to do the acquisition. Sometimes the subsidiary’s going to be directly acquired under a platform company. Those things are very specific. And when you start to dive into what it means to have a CAGE and have your assessments match the CAGE and locations, really it comes down to understanding your business contract initiatives and goals as well as your business structure. And that’s why we end up on the call with the COO and the CFO, maybe a contracts person if they have one, a lot more than we do with IT.

And I think that’s something that we see in this space that most people don’t do. Most people are trying to sell a solution. They want to sell a stack or a standard that they’re good at implementing, which we totally support. I mean, we have a lot of things that we do. We have a couple of packages we’re incredibly efficient at and we can be competitive, but it’s not necessarily the right thing to do. So when you start to get the complexity of understanding entity structures and the way that you structure capital investment and the mission and initiatives of the business, I think that’s really what answers your question. It’s sort of answering your question by saying it’s really hard to define, but those are things that people need to make sure that they’re accounting for, not just going down the Level 2 scoping guide and finding a bucket and dropping people in it, because that’s not going to be the right solution.

Cole French:

And I think to what Andy mentioned about risk and whistleblower and things like that. So to what you’re saying, RJ, yeah, I think these are complex issues. I mean, it depends on the organization. Some organizations, it’s simple and straightforward, but others, there’s varying degrees of complexity. But like we say a lot here, talk to an expert or talk to somebody who has a solid and deep understanding of how these things work and what the ramifications are. And I think perfection is rarely achieved in anything, but I think to Andy’s point about the whistleblower, risks and things like that, the more due diligence you can do to try to get this right from the beginning, address some of those complexities. And maybe there’s things you have to change later on or whatever the case may be, but I think being able to show that due diligence is huge.

So don’t… I think the CAGE code issue is something that kind of caught the ecosystem off guard a little bit, I think. At least speaking for myself, I’m surprised at how many organizations we’ve worked with that we’ve assessed, that have been certified, and come back very shortly after their assessments with, “Hey, we’re going to acquire an organization,” or, “We’ve already done this.” And so something we’ve started telling people is, “Hey, if you get your certification and you think there’s going to be changes or anything like that, come talk to us before you do anything. Because if you end up doing stuff without talking to us, you could end up in a situation where there’s ramifications that you’re maybe not aware of, or things you could have done differently.”

So pivoting off of that, RJ, you mentioned technology and Andy, you’ve alluded to identifying CUI within the environment. So do you guys want to talk a little bit about some technology tools, things out there that organizations can help make these decisions about, how much CUI do I actually have? Should I build an enclave or use segmentation to essentially build an enclave inside my existing environment? Where is all the CUI? Who has access to it? All that kind of stuff. So what are some tools, technologies that organizations can use to help identify some of that stuff and make some of those decisions?

Andy Paul:

Yeah, absolutely. So the company I’m with, Teramis, we set out to try to solve that problem. Originally, we were in the space and you always had to start this from this kind of interview like, “Hey, who has CUI? Can you show me your CUI?” We would try to do a day in the life of CUI, seeing it come in from the sales team and how it makes its way through the organization, try to find all that stuff. And there’s varying levels of success on that. If you’ve got all the right people and they gave you all the correct information, you could get there, but it’s also got a high risk of a garbage in, garbage out kind of approach where if you don’t talk to the right person, you never knew about that application, you never pulled that thing in. It really wasn’t working very well.

And then when we tried to use some of the existing products in the market, the idea of, let me go out and actually just try to find my CUI, there weren’t tools that were actually meant to say, “Hey, can I go identify the CUI inside of my environment?” So we set out to try to help address this, and we built a product called Teramis, which does exactly this. So it’s going to scan. You point it at a target inside of your environment: SharePoint, Exchange, network file stores, doesn’t matter, you’re going to point it at it. And it’s going to basically go through and look at every document inside of that and say, “Is it CUI?”

And we look at it from two questions, because every organization has two questions that they’re looking at. One is, where’s my CUI? By CUI, I mean properly marked, stamped stuff that I’m handling correctly as CUI. But then there’s a second question: “Well, have I marked all of my CUI correctly? Is all this stuff actually marked as CUI that was supposed to be marked as CUI?” So there are two different questions. And we always advise customers to try to do that in two different passes. Your main whistleblower liability complaints, that stuff is properly marked. The government gave it to you, it was marked CUI, and you just put it over there in your Microsoft commercial accounts that aren’t allowed to have it. That’s a large risk for you. Stuff that maybe you were supposed to have marked as CUI, but you haven’t… That’s a failure somewhere else, but it’s not quite as large a liability risk. You’re not being grossly negligent with that one. You’re still trying to figure out how to adopt it or what was supposed to be marked as CUI.

So we do two different passes. And so what the tool actually will do is it says, “Hey, here’s all the files that we found that have a high likelihood that this is CUI. These things appear to be properly marked.” And then here’s a pass that says, “Hey, these things look like they should have been.” There’s some indications on there, but it’s not properly marked CUI. So it helps you take two different passes. One is, move, find my actual CUI, this stuff that’s clearly marked. And then another one, find the stuff that I need to go look at that maybe was supposed to be marked, but we never did because we just didn’t have the instructions yet or we just didn’t know yet, kind of going through the environment.

Once you have that in place, once you know those documents, you can derive a bunch of information that can enable all the rest of the stuff. You can find the users that were touching those documents, find where they are inside of your network. You can help identify them by the file types, what applications they were probably using. If there’s no DWG files inside of all that, well, you probably don’t need to bring your AutoCAD solution. It helps you make a lot of determinations when you have this list of all of your files that are out there, whereas otherwise you’re kind of guessing or you’re not really as confident in your answers as you are when you have a, “Boom, here are the actual files, here are the actual things that are inside of my environment. Now I can right-size and properly scope.” And that’s where RJ would come in and say, “Hey, here’s how we’re going to go about doing this. This is your best approach. Here’s how I can right-size that for you.” That proper search, and good search on that, really enables a lot of other things.

Cole French:

Yeah. So then RJ, you essentially take the outputs from those particular scans and then you’re able to help folks essentially design or right-size the environment that they’re going to build to support CUI within their organization.

RJ Williams:

Yeah. Yeah. And just to point out from my perspective as a solutions provider, obviously I was senior leadership at BigBear.ai, which was a large government contractor, before that, being responsible for over 50 DoD and three-letter agency programs myself. These are the types of things that keep you up at night. And so when we’re dealing with stakeholders today, it keeps me up at night because I’ve got to make sure I know where the data is. But it’s easy to look at Teramis as a solution that does technical discovery, because that’s what it does really well. However, you would hear people say, “Well, you can keep it in the Microsoft ecosystem and you could use a DLP, you can use Azure Information Protection, you can use Purview to do data classification.” Teramis is designed to find the data, map the people and the systems that it’s touching, and give you that data back.

The empowering function of Teramis for us is that once we have that data catalog, the life forms attached to it, the locations of the files and types of files and data types that are there, it enables our DLP implementation program exponentially. We don’t have to sit down with the client and say, “Well, what do you have? Do you have export control data? You got OFAC, you got ITAR? What sensitivity labels do we need to build? What policies do we need to touch? Do we need to block internal sending across programs because this is an export program and this is not?” Those are the types of things that come out when you do a good, solid technical discovery out of the gate, which to me at this point, when I look at the way that we function as a business, I’m not sure how we did it without it, if I’m being transparent.

It’s really a lot harder to whack-a-mole CUI, and it makes things pretty complicated. Using a good, solid technical discovery approach, having the conversations around process, mapping visually for the client what the outputs are of that discovery, and then using that to inform our data loss prevention implementation, it’s exponentially increased the efficiency of our implementations, I would say probably by 90%. And it’s not 90% work, it’s 90% time, because trying to get the information out of the client and expecting them to know things, a single person or two people in the meeting, to know all the things that we can find with a true deep-dive technical discovery with a tool that’s designed to do that, like I said, it’s really improved our capabilities. And it very clearly defines who’s touching it, who’s doing what with it, who needs to be trained, what their capabilities are, what the maturity of the organization is, what kind of segmentation or enclave or enterprise approach.

If you’ve got a heat map and everything lights up, well, you’re an aerospace contractor, you’ve got an enterprise approach. There’s no way around it. If you’ve got two file repositories in SharePoint that light up and one guy that’s been there for 30 years with a OneDrive, you know what to do. And so those are the types of things that are increasing the capability and decreasing the pricing for end users and the DIB, to be able to make this something they can implement and be competitive in the supply chain.

Cole French:

Yeah, we always say that technology is only as good as the implementation behind it. And implementation is more than just, oh, I deployed it in the right place. It’s also, like you mentioned with DLP solutions, you got to tune them. They’re not automatically… I think a lot of people are like, “Hey, man, I put this thing here and I’m good to go now,” because it knows everything, it’s going to take care of everything. But the reality is that it’s pre-programmed to do a lot of things, but it’s best used when it’s tuned. So if you can, like you’re describing, you couple it with something that actually gives you the knowledge of how that particular environment, how the data is in that particular environment, then yeah, you can use those two things in tandem. It’s not a replacement one for the other. It’s a way to use one tool to inform the other.

And in our experience as well, in our work as advisors to certain customers, I would say we’ve had the same exact experience. The first thing we do when we’re advising a customer, especially if we’re helping them build out or identify what their boundary is or what their boundary should be, is, yeah, we have these working sessions where we go through, “Well, what kind of CUI do you have? Where is it?” All that kind of stuff. And inevitably… We haven’t had a tool or technology like Teramis to scan for these types of things yet. We haven’t seen what that looks like. But doing it in a manual fashion, to what you just said, RJ, I mean, inevitably we always find stuff later on that nobody knew about.

Because like you said, we’re talking to contracts folks, we’re talking to high level IT people and they’re telling us one thing, but then when we get in these actual working sessions with more day-to-day type people, they’re like, “Oh, well, we have this project over here. We have this thing over here.” And you end up with finding out that there’s way more than you thought and you haven’t even used technology or anything like that that automates some of this. So talk a little bit more about Teramis, some of the capabilities, maybe more get into more use cases of what you guys have seen and how this has really benefited organizations.

RJ Williams:

Yeah. Andy, real quick, I want to add, Cole, if you don’t mind, there’s a really serious lack of understanding around Microsoft licensing in particular. And we do Google too, right? I’m just focusing on Microsoft because that’s a large portion of the ecosystem. Something that most people do not understand is your license dictates your features and every implementation guide you’ll find, the most recent one I know of is from 2022 for Microsoft, tells you all the things you can do, assuming you have a G5. Most people don’t buy G5 licenses. They buy G3 or they buy G3 plus EMS, or now everybody’s buying Business Premium plus Defender for Business Premium, Purview for Business Premium. Unless you have G5, you can’t do DLP protection on the endpoint. It’s not a feature. You will have an admin or a security engineer banging on that machine, implementing the policy, thinking they’ve done the right thing, and it cannot be implemented unless you have the right level of licensing.

And so those intricacies and the gaps and baselines because of the licensing across the ecosystem for Microsoft is another major reason why using a dedicated CUI protection tool informs you on what licenses you need. If Defender for Cloud and Purview for Cloud, DLP works because everything you have from a CUI perspective sits in SharePoint and you could share secure links and you can back up the data to the cloud, then you’re in good shape. If you need endpoint protection or you need more auto labeling, that doesn’t come from G3. Those things have to be implemented and paid for. And so if everybody’s buying G5 licenses. G5 last I checked is about $1,200 a year per user upfront. Your business premium stack’s going to be closer to $500 a year per user. The gap in cost is real for a 300, 400, 500 person, even a 50 user company.

And understanding what you need to implement to protect the CUI in your environment as advised by a scanning tool like a Teramis enables you to either save that money or understand that it is a major no-brainer risk mitigation investment that you have to make to protect your systems.

Andy Paul:

Yeah, that’s a great point, RJ. I personally have never really given enough credence to just how much immediate savings that you can get there by right sizing that license spend and not going out and buying something that’s not going to get you there. It doesn’t have enough capability. Those are two huge risks. And if you’re guessing at it, if you don’t have all the information, you could end up wasting a lot of time and money running down a path that just won’t get you there or was twice the amount of money you need to spend to begin with. Whereas you could have easily got around that with a rather cheap technical scan if you didn’t put that in place.

Another big thing that we’re talking about, so we go through and do this discovery, we try to find our CUI and then move that in. We’re doing that in a manual spot. That can only really be done once. You’re not going to continually do that, going back and re-interviewing everybody, trying to manually refine all of our CUI in the future. And so that’s another big thing that having a technical tool in that’s looking for that gives you. So if you create, it doesn’t matter if you have enterprise or if you go enclave, if you’re saying that, “Hey, this one area, this segment, this tools, these are the only places that CUI is allowed to be inside of my environment.” And then CUI moves somewhere else. That government customer emails your wrong email address, a CUI file. You technically have spillage there. And if you don’t have a way to manage that, if you’re not addressing that upfront, that’s technically a reportable breach. You lost CUI out of the place where it’s supposed to be, it’s in a place where it’s not supposed to be, and now you’ve got a breach that you’re supposed to report.

That’s clearly not the intention. That’s not an actual breach. It’s not a breach [inaudible 00:32:46], but by the letter of the law, it is. And when you start getting into whistleblower, so the letter of law is what’s going to matter. So one of the other big benefits is this ability to continue to re-scan. Once you’ve scanned it once, you go back and re-scan it again. And then if you see data that you moved and then it starts showing back up where it’s not supposed to be, when you’re re-scanning for it, now you can classify it more as a vulnerability. So I say, “Hey, that’s not actually a breach. It’s a vulnerability. I’m giving myself 30 days to bring it back in. I’m going to use my RA family controls to bring that in, so I’m not only left with incident response for how I’m going to handle this.”

And then now that kind of lowers that risk of not having to report breaches that weren’t breaches or even to follow the letter of the law with that. It also gives you some things like from that, I’m big on reducing that risk that your environment has. When you create, especially an enclave, and I always like to pick on construction companies here because you’ll have that superintendent out in the field just like, “I’m not using that tool you make me use.” They’re just going to push back on all these technical implementations. Well, if you start seeing repeat offenders, the same person that’s continually owning CUI that’s not in the right spot over and over again, that’s going to identify this risk. Those are people that need either additional training or maybe you need to do something else with them because they’re creating liability for your company.

If somebody in there is spilling CUI into your environment and you’re not doing anything about it, that’s a whistleblower complaint that’s coming your way. So that’s another big use case for this whenever you go back and say we do the initial scoping scan, we migrate all of our initial data in, we can then do another scan, “Hey, look, I’m clean.” And then go scan again a couple months later and there’s [inaudible 00:34:31] starting to show back up. Why did that happen? Do I need to train somebody else? Do I have a loose control somewhere? Hey, how do I tighten this up? Because just turning a blind eye to it and trying to stick your head in the ground. Yeah, there’s CUI over there, but I’m not worrying about it. That is what this whole whistleblower, DOJ, the NDAA act, all that stuff that’s coming out right now is set out to address.

Cole French:

I like you bringing up the, or really you kind of hit on to me, and RJ, you were talking about it too, licensing and users. And I think that’s a feature that you mentioned earlier with Teramis is not only does it identify where the CUI is in your environment, but it also identifies the users. And I know Andy, you and I have talked about this in the past, and this goes into the licensing thing, RJ, you were talking about. It’s like an organization thinks they need a particular environment or a particular size environment for a particular number of users only to find out that the reality is there’s not nearly as many users that actually access CUI and are actually working with CUI. So not only does it allow you to right size your environment and get CUI in the right place, but it also helps you identify, “Hey, actually I thought a hundred users needed this in my environment, but the reality is it’s only 20 to 25,” which reduces the license cost again.

Like we talked about earlier, also reduces the risk. But like you were mentioning, Andy, having that data about users or at a user level allows you to have those conversations with potentially users who are repeat offenders or you can figure out what is it that this user’s doing? How do we change this behavior, whether that’s training, like I mentioned, or some type of technical implementation to prevent them from storing CUI in a particular location. So yeah, I think it sounds like there’s a lot of great capabilities around really figuring out who it is that is and is not by definition, I guess, or by exclusion, accessing and working with CUI.

Andy Paul:

Absolutely.

Cole French:

So just pause for a second here. So ESP collective stuff, I know we’re coming up on top of the hour, so I can kind of pivot to that to close us out if you guys want to talk about the ESP collective.

RJ Williams:

It’s up to you guys. I mean, we have a meeting tomorrow that sort of drives some things and I’ll know a lot more, so I don’t know if maybe you want to have a conversation, a shorter conversation down the road or Brandon and I, or if you want to… I can give a high level right now, but I think we’re going to have it signed tomorrow, and so that’ll really give me the actual charter to speak from, if that makes sense.

Cole French:

It does. Yeah, let’s hold on it then. And I know Brandon wanted to join today, but he was traveling. So yeah, let’s just do a follow-up and we could just talk about… I mean, ESP stuff’s a major issue in and of itself, so we could just do an episode on ESP stuff and talk about the collective and all that, if that works for you guys.

RJ Williams:

That’d be great. Yep.

Cole French:

Okay.

Andy Paul:

And Brandon’s also definitely much more the ESP collective guy than myself, that’s him and RJ and I just get the updates myself. I’m not as involved with that one, but [inaudible 00:37:55].

RJ Williams:

[inaudible 00:37:55] off the hook.

Andy Paul:

Yeah.

Cole French:

Okay, no worries. Okay. So then I guess, okay, so we talked through users. Any other things you guys want to hit, we can close out with? Just mention them and then I can tee them up or did we pretty much cover?

Andy Paul:

The only other thing that I would think that we may want to do is when you’re deploying… I’m trying to think of the best way to phrase this question. When you’re deploying an enclave or something like that, how do you assess the health? The person that bought that thing, that’s bought the CMMC solution, how do they ensure, one, that they’re getting their value out of it, some sort of reporting that goes back up, the ability to show, here’s how much CUI I had outside of before, here’s how much I have afterwards. RJ’s used the phrase like a scorecard before around this, just to try to help show that value that, hey, you went and bought this extremely nice safe. Whether you went enterprise or enclave approach, you went and created a very nice place to put the governance data in. Now you can show where you actually cleaned up the data, you put it over there, that’s where it still is and it’s not at other places.

That really helps hammer it home that, hey, we’re monitoring this and we’re driving it for the executives that don’t necessarily understand if you can make it a little more visible for them and understandable that, hey, we moved five million files over into this thing over here. At least 30 people are actually working on inside of it.

Cole French:

Okay. Yeah, I mean, why don’t I… So I’ll just do that then I’ll transition us to close and hand it to you guys to just talk about, we’ve talked a lot about it this, but at the end of the day, it really is what’s the value and then you guys can hit on what you think, how customers can get measurable value. Does that work for you guys?

RJ Williams:

Mm-hmm.

Cole French:

Okay. Well, RJ, Andy, again, thanks. I really appreciate you guys coming on this afternoon. As we wrap things up, I think one of the biggest things and one of the most important things in this conversation is, and I know for me, something as a more data-driven kind of person is, this thing looks and sounds great, but how do I actually determine if I’m getting value out of this? Not just today, but from a long-term perspective.

So if you guys want to each of you just hit on what you think, how does an organization determine the value that they’re getting out of scoping in general, but Teramis in particular?

Andy Paul:

Yeah, so this is a difficult thing, especially for that executive that’s not an IT person. All they know is that this was a requirement that came down and they’re spending thousands of dollars a month and all this extra costs that went in there. That ability to show and graphically show from the heat map perspective that there was all this problem that was out there and now it’s gone. Now we’re monitoring to make certain it’s going in there, the kind of reporting capability that you get out of that to make it a little more tacit and able to understand for the executives, I feel like that’s a really big piece of this, whatever that looks like, but you’re going to spend a lot of money. It’s not just in your technical scanning, it’s all of your CMMC solution. There’s a lot of investment in this.

What you don’t want to do is just not have reduced your liability while spending all that money. That’s a worst case scenario is if you’re not actually fully doing the implementation. Again, why it’s really important to work with providers, work with an RJ, somebody like that, that’s going to be able to do a full deployment of this and then help drive that through.

Cole French:

RJ, you want to from a value perspective?

RJ Williams:

Yeah. And so I totally agree with what Andy said. I would add this, anybody that’s in this industry right now is aware of the compliance eligibility problem, the cyber risk that we’ve already articulated, the financial risk to the business. Anytime you combine risk in revenue in a conversation, you got attention. What I would say is profitability is something that we should talk about as it applies to cost. There’s a massive return on investment for CMMC if done right, and here’s why. It’s built on least privilege. The core tenet of any good AI implementation is understanding who needs access to what data when. And if you’re not already implementing AI automation and process implementation, the leverage of models into your business and enabling your proposals team like everyone should be, your chat with your data and understanding where you’re at, you’re behind. And in order to get out and in front using a mechanism that is required by you doing this right, understanding your data situation, your processes and your people directly leads into a great, efficient, effective AI implementation.

Every AI implementation that we have seen, every single one, 100%, fail if you don’t understand those things first. And so in this industry right now, we’re seeing a lot of push to get compliant. Visionary leaders shouldn’t lose focus on the value you gain from the clarity that you get in this process.

Cole French:

Guys, really great perspective. I appreciate you guys, again, coming on this afternoon. Always enjoy talking to you guys and the perspective that you guys bring. So again, just thank you guys for coming on and sharing your perspective on these important topics.

RJ Williams:

Thanks, Cole.

Andy Paul:

Thank you, Cole.
