Ep. 489 Ensuring CMMC Compliance with Hoop 5 Networks

Rancho Mesa’s Surety Relationship Executive Anne Wright sits down with Mandy Irvine and Russell Emig from Hoop 5 Networks to discuss the origins and importance of the Cybersecurity Maturity Model Certification (CMMC). They provide guidance on compliance and explain the risks of non-compliance for businesses in the defense industry.

Show Notes: Subscribe to Rancho Mesa's Newsletter.

Hoop 5 Networks - IT and Cybersecurity Solutions

Director/Host: Anne Wright

Guest: Mandy Irvine, Russell Emig

Editor/Producer: Megan Lockhart

Music: "Home" by JHS Pedals, “Breaking News Intro” by nem0production

© Copyright 2025. Rancho Mesa Insurance Services, Inc. All rights reserved.

Transcript

Anne Wright: Good morning. Welcome to Studio One. This is Anne Wright, Surety Executive with Rancho Mesa. And I'm happy today to be joined by a couple of professionals with Hoop 5 IT. Mandy Irvine is the owner, and I've known Mandy for some 25 years. We go back from some associations and service providers and a lot of relationships over the years. And I’m also joined by Russ Emig, who is the…

Russell Emig: I am the Chief Information Security Officer at Hoop 5, good morning.

AW: Thank you, because I cannot get those acronyms and mouthfuls down. We are going to talk today about a new, well, it's not a new federal requirement. Russ will get into this in great detail. But the Cybersecurity Maturity Model Certification requirement relates to what contractors need to do to protect themselves, basically confirming that they are in compliance with certain things that the government is looking for relating to minimizing the cybersecurity threat, simple as that.

There are various levels of compliance and Russ will explain what those are, and for those who are intimidated by that, again, we'll give you some contact information at the end so you can contact them directly, but for the majority of our local contractors doing federal work, please stay tuned because there's a way to be compliant that doesn't involve just throwing everything up in the air and saying “Help, I'm not sure I can do this.”

So we will explain the processes. And Russ, I thank you for all of your knowledge and information that you're going to share with our audience.

RE: You're very welcome, I'm happy to be here and I'm always happy to talk about this topic even if it seems intimidating.

AW: Okay, thank you. So Russ, you want to start with a little bit of history of how this came about?

RE: Sure, this is building, has been building for well over a decade. The existing security framework, NIST 800-171, is on Revision Two. Revision Three was published, but everything's still using Revision Two. It's been out for a long time. A lot of the same contractors in this space had a requirement to continually comply with that framework around November of 2020, if I'm not mistaken, I think it was around the 20th. And they had a three-year window because NIST and the score reporting requirements provide a three-year improvement cycle. And they had that window. Some of them updated that, some of them haven't. Many companies working in this space since 2016 have been aware of NIST 800-171, and CMMC layers right over the top of NIST as an enforcement mechanism. It is the same controls by-and-large with a few small changes and updates. And the goal was, in the past this was self-reported, somewhat of the honor system. It was/is a metric for verifying companies’ self-reports and increasing their competence scores, what the DoD refers to it as.

So they would say if it's a self-reported score in the Supplier Performance Risk System—there's going to be a lot of acronyms because the government loves acronyms. If it's self-reported it was low, third-party might be medium or moderate, and a federal employee verifying security controls would be considered high. And this is building on what those refer to as the DIBCAC assessments, the Defense Industrial Base Cybersecurity blah, blah, blah, blah, blah. Point being there was a third party either with or within the government verifying that status. Now this builds a whole ecosystem with third-party certified assessors to come in and verify at a high confidence level that you are achieving all of the compliance requirements.

AW: And is Hoop 5 one of those third parties?

RE: We are not going to do the assessments directly. I am a certified CMMC professional. As part of that, I have gotten a tier three background check completed by our government, verifying that I can work with our contractors, with that information that is sensitive, non-public data, or the whole thing is built around protecting CUI—Controlled Unclassified Information.

AW: But you all have the template that these contractors need to follow to be in compliance with this important requirement to basically minimize the risk of cyber threats.

RE: Yes, and to break down how this is coming into play, there are two major Code of Federal Regulations updates. One was 32 CFR that published the framework. These are the requirements you have to meet. There is a CAP, or really just an assessment sheet, that your assessor is going to use to review your business. What everybody in the industry is waiting for is 48 CFR that allows contracting officers to place these requirements into their contracts.

Most folks look at this now: 252.204-7019 is the contract clause most frequently seen that requires NIST compliance. For CMMC it's going to be 252.204-7021.

AW: And it is coming.

RE: It is coming. The fact is that in January, the 15th or 17th of this year, there were Code of Federal Regulations updates that implied contracting officers can, with DoD approval, include that clause in contracts going to bid with specific approvals, and otherwise none will be placed until 48 CFR is published. With a deadline potentially of October is how some of the language reads, depending on who you talk to; there are a few interpretations. Coming into this year a lot of the folks in this space expected this to be published prior to this summer. Now we're kind of seeing that pushed back. When our current president came into office there was a freeze on federal regulation changes.

AW: Right.

RE: We sort of expect that to last up to 60 days, and everything that we have from CMMC, 48 CFR for that, it was done. It was in final adjudication of the public comment period and whether they were going to make any changes or just respond to those comments and then publish it.

AW: So that helps and hinders certain contractors, right, because you've got the contractors that are kind of dialed in and they know what to look for and what to watch for and who to talk to to make sure they are going to be compliant, and then you've got contractors that are so busy or smaller and they don't necessarily stay on top of issues like they should. So I imagine it's going to impact people in different ways once there's a green light on this thing, and you all are going to get very busy.

RE: Speaking frankly, a lot of businesses, small, medium, they look at this as a necessary evil. It's getting in the way of them doing business. And for years, it's been up to them to hold themselves accountable. So of the estimated 200,000 businesses that need to come in line on this that are potentially small businesses, they may have been aware of compliance requirements peripherally and whipped that checklist, submitted their NIST score with a system security plan template to SPRS, the Spurs website, and they said, okay, we're compliant for 7019 and the old NIST requirements and all that other stuff, you know, that'll come in whenever. And maybe they've updated it. Maybe they didn't. Maybe their documentation is correct. Maybe it's not. The truth is it's been like 60/40 in terms of companies I've personally encountered kind of in that space where they've done it once and then ignored it for years.

And now the thing that's driving a lot of awareness of this right now: Primes and other GCs are notifying all their subs, and this can be your tagline if you'd like. They sent notices to all these subs: No compliance. No contract.

AW: Yeah. Yeah, gets your attention. So how far down does it go? Does it stop at subcontractors, or are there vendors that also have to comply?

RE: It's a very key point. CMMC, in addition to actually holding everyone involved in the food chain accountable and creating this ecosystem with third-party verification, holds external service providers, cloud service providers, subcontractors to your subcontractors, all associated businesses in that food chain are implicated. And subcontractors and GCs or Primes along that food chain may have different levels of compliance requirements.

CMMC is broken into sort of a low, moderate, high; a level one, level two, level three. And the difficulty scales exponentially in terms of what is required to be compliant. That is to say, if you're a small business, and you depend on managed service providers for IT or document disposal or even facilities management, those companies must be compliant as well, unless you are only getting a commercial off-the-shelf product through them. And that's not just for the services that may be implicated by these controls, that is any service that provides or controls what they are terming security protection data. So that can be details regarding your network, details regarding your laptops, just to keep it IT-centric here. Anything that comes into the periphery of how you configure your security information, how it is stored, where the project data is retained, just even the information about how you are addressing these must be protected. So if you're a subcontractor and your Prime says, "Hey, send me a copy of your system security plan. I want to make sure you're compliant," the answer should always be, “No. We will attest to you to your compliance platform. We can provide proof we've done our due diligence. We will not give you our own keys to the kingdom about all of our business and how we protect our own data.”

AW: That's a great point.

RE: And to your neck of the woods, this implicates insurance providers with that customer information. If they have details that are exposed to you on your process of maintaining that customer is doing their due diligence to maybe get a lower insurance premium, that they have those security measures in place. They can't publicly disclose that. They can't tell the world how they are protecting their business. And this podcast, I can't come on a podcast and discuss either for us or our customers any controlled information that's not approved for public dissemination.

There is a specific control in there for businesses that have social media presence. You don't want somebody visiting a project site, taking pictures of a secure location and then posting on social media, “Look at the great work we do.”

AW: Right. Yeah. I know I've done a few job sites with my clients and I always have to run the pictures by the owner to make sure that there's nothing sensitive in the background. So, yeah, it's all, so it's all this, this encompasses so many more things than just how do you back up your information.

RE: Some folks will look at this and say those are ticky-tack details. No, this is not. This is a pass/fail. Either you were doing this or you were not.

Mandy Irvine: We're also seeing a lot of smaller subcontractors and even vendors reevaluate if they want to continue to do federal work. Is this really worth it?

RE: It's an ROI conversation. How much federal work are you doing and what is this going to cost you?

AW: Sure, I can understand that.

RE: Very recently the government has implemented a new federal acquisition regulation update for CUI and that is basically the first steps of CMMC for everything that's not defense. So if you're doing contracts that are not defense-focused, this is coming. That speaks to if you were doing contracts with state and local government, this is coming because when those regulations get written they're not going to reinvent the wheel, they copy and paste what’s already out there.

AW: So if one of those contractors, subcontractors, vendors contacts you all, you walk them through a checklist, you help them understand what they need to do so they can make that business decision.

MI: Yeah, Russ is great with that. So, sometimes it’s starting with creating a sam.gov account and submitting a score, all the way through a full assessment, on-site visits, whatever's needed for the contractor, but yeah, we hold their hand through the whole process.

RE: It's important to note that CMMC has a code of professional conduct and ethics they take very seriously. There are some companies that have already been contacted for violating that policy. It is important to note that we do our best to provide accurate guidance based on what is available and what is published and what we know is coming. And we just encourage our customers, "Hey, you're working for our national interests. Let's do the right thing together."

AW: And then those clients that you work with, that you take on, you'll continue to notify them as those things change. So they don't have to spend, they don't have to have a dedicated person that's reading all these FAR regulations and whatever else is coming out that tells them, “Oops, now you got to do this or you got to fix that.”

RE: Just so. I mean, it's a lot to keep track of already, and the regulations, they read like a stereo instruction manual from the 70s. They can be technical; they can be dry. There are a lot of resources that are available that break down some of that information. We try to advocate and act for our customers and partners as a resource. If you have questions, please reach out to us; we're happy just to have a conversation. If you need help organizing your technical data, we can assist with that. We can conduct a mock assessment and walk you through what your assessor is going to ask for.

AW: And I guess it's pretty obvious then, you know, the last question I was going to ask is what are the consequences if you don't comply, well, there go your federal contracts, right? Are there any other penalties that the government can assess if you don't comply?

RE: So the big change with CMMC, when I said it held people accountable when it involved third-party assessments and not just whipping a checklist, it implicates the False Claims Act, which was already, to some extent, implicated by previous contract clauses. But now, very specifically, we're seeing companies be prosecuted under the False Claims Act. The financial penalties written into that are typically $12,000 to $25,000 per incident plus treble damages. Any losses the government suffers times three, per incident. And the implication there is that this control list is 110 items with 300-plus-odd individual actionable details, and if you fail those or if you, more specifically, willingly mislead the federal government that you are compliant and it is discovered later, that's typically going to scale exponentially depending on how much later it was discovered and how much damage was done.

It's also important to note that even at the lowest levels, CMMC level one, which is still, I will note, a self-attestation that you are doing these 17 items for your own business. One of your company executives, or ideally a person in senior leadership who has core knowledge, needs to personally attest that your business is doing that and declare themselves personally liable if you are not.

AW: Nice.

RE: Yeah. Right. It's an enforcement mechanism that scares some people up.

AW: Well, it gets people's attention, right? I mean, if there's no skin in the game, then people will slide, and we see that all the time, so. Well, I mean, it sounds intimidating to say the least, overwhelming to say the most, but you guys have been doing this a long time, and I know you have a lot of clients, we have some mutual clients that use your services. There's a way through it, right? It's just one more thing that you have to take seriously and understand the importance of, right.

RE: I'm a terrible salesman for the process. It sounds horrifying. It's not the end of the world, it's documentation. It's reviewing a lot of key processes that most businesses should be following nowadays because of the growing risks. It can be pitched as efficiency. It can be pitched as risk reduction. Management can buy into it from the perspective of how much downtime did we have the last three years because of a security incident? How many people's emails were compromised because we didn't take appropriate steps to protect their credentials?

AW: So this is all avoidance techniques.

MI: And a lot of the items for level one compliance follow most cyber insurance policies anyway. So getting those core securities in place, it's becoming a standard everywhere. So level one isn't impossible.

RE: CMMC level one is generally referred to as basic cyber hygiene. There are guidelines that were published this year and given to contracting officers; that's why we know this is coming real soon. Here's the language that determines for those contracting officers how they are to apply these security requirements to their bids. One inflexible piece of that is that if a contract implicates controlled unclassified information with a defense category, because there are a bunch of categories of CUI, there are five defense categories, primarily things like nuclear data, propulsion data. That's primarily nuclear submarines, things like that. It will require CMMC level two with a third-party assessment.

For a lot of companies, they are hoping that either their small business subs or their general drywallers, plumbers, painters will probably be level one. They're hoping for those contracts or they can work with a general contractor who has level two, who can then flow down some of that work at level one. The tiered sort of work between primes and subs can go up and down. You could potentially, there is a circumstance where you may have a general contractor at level one who's only receiving the federal contract information, but maybe all of the sensitive work and sensitive data is going directly from the government to a subcontractor who has a higher CMMC level, level two or level three.

AW: So it sounds like a lot of our local contractors that are on the, you know, smaller to medium JOC contracts, MAC contracts, maybe some of it's doing up to, I don't know, pick a number, you know, doing $5 million jobs, $50 million a year. Most of their requirements would be that level one.

RE: But do you want to risk it? If you go for level one, if you self-attest to it, awesome. That will allow you to continue in this space. If you don't do it, full stop, you don't have that option. If you decide to pursue level two, at a significant time and money investment for your business, that opens doors for you in doing that work. Bottom line.

AW: Okay, understood. All right. Well, thank you guys so much for joining us here in StudioOne™. And if they have any questions, what's the contact information they should use?

RE: You can visit our website, hoop5.net. You can reach out to me directly by email, remig@hoop5.net. Thank you.

MI: Thank you for having us.

AW: All right. And I can be reached at awright@ranchomesa.com, 619-486-6570. If you want a personal introduction to Mandy and Russ, let me know. Thanks again.
