A manufacturer approached Eide Bailly expecting to buy 70 Azure GovCloud licenses for CMMC compliance. Principal Anders Erickson scoped them down to 3 people by mapping actual CUI flow. The company received purchase orders and occasional schematics from DOD, but everything they manufactured went to commercial markets. Commercially available products don't require the same controls as true CUI, a distinction most SMBs miss entirely.
Anders spent 11 years auditing NSA, NRO, and Homeland Security systems before bringing that federal risk-based methodology to Eide Bailly's SMB clients. The assessment advantage comes from partnerships: when Eide Bailly sees RADICL prepared a company, they know documentation exists and risk is managed, cutting both timeline and cost. While competitors sit on 9-month backlogs, Anders told a client this morning, "We can get it done December 1st." The bottleneck isn't assessment capacity; it's C3PAOs trying to execute everything in-house.
Topics discussed: