TRANSMISSION ACTIVE

// FREQ: GOVCON EPISODE: 017 STATUS: SECURE

017 The CMMC Briefing Part 1: Everything DoD Contractors Need to Know in 2026

// SIGNAL LOST: SPOTIFY LINK NOT DETECTED

80,000 contractors in the Defense Industrial Base need CMMC Level 2 certification before Phase 2 begins on November 10, 2026. As of March of this year, fewer than 2 percent had completed it. This transmission is Part 1 of a two-part series — the foundational briefing every DoD contractor, subcontractor, and supplier needs before the certification deadline. What CMMC is. Where it came from. Who it applies to. What it requires. And why CMMC is no longer a checkbox — it is the new floor of eligibility to do business with the Department of Defense.

JUMP POINTS //

00:00

The Two-Part CMMC Series Opens — Why This Briefing Exists

80,000 DoD contractors need CMMC Level 2 certification before Phase 2 begins November 10, 2026. As of March of this year, fewer than 2 percent had completed it. This transmission is for the 98 percent — the foundational briefing on what CMMC is, where it came from, who it applies to, and what it actually requires.

00:55

The Origin Story — Why the DoD Built CMMC

The Defense Industrial Base was bleeding intellectual property to nation-state threat actors at a catastrophic rate. F-35 Joint Strike Fighter design, naval submarine specifications, hypersonic weapon research — much of it exfiltrated through Tier 2 and Tier 3 subcontractors operating under self-attested compliance. CMMC is the DoD’s answer: the move from “trust but verify” to “independently verified.”

03:17

The Three CMMC Levels — Foundational, Advanced, Expert

Level 1 (Foundational) for Federal Contract Information — 15 controls, self-assessment permitted permanently. Level 2 (Advanced) for Controlled Unclassified Information — 110 NIST 800-171 controls, 320 assessment objectives, mandatory C3PAO certification starting Phase 2. Level 3 (Expert) for the DoD’s most sensitive programs — Level 2 plus 24 controls from NIST 800-172, assessed by the DoD itself starting Phase 3 in 2027.

07:39

The Assessment Process — What the C3PAO Actually Looks At

The Certified Third-Party Assessor reviews the System Security Plan, the POA&M, the policy documentation for each of the 14 control families, and the technical evidence demonstrating each of the 320 assessment objectives. They interview your people, observe your environment, and sample your logs. Conditional certification carries a 180-day remediation window. Final certification is good for three years.

09:30

The Supply Chain Reality — DFARS Flowdown and Prime Enforcement

DFARS 252.204-7021 — enforceable since November 10, 2025 — requires prime contractors to flow CMMC requirements down to subcontractors handling CUI. Lockheed Martin, Boeing, Northrop Grumman, Raytheon, and General Dynamics are already requiring CMMC compliance documentation in supplier procurement processes. They are not waiting until the November 2026 deadline to enforce.

12:53

CMMC as a Business Investment — Not an Expense

The contractors who certify ahead of the curve gain a structural competitive advantage. Subs who certify early become high-demand suppliers commanding premium pricing as primes scramble to replace non-certified vendors. The window between now and broad certification saturation is the leverage window — for both winning new business and renegotiating existing rates.

15:01

The Three Marching Orders Every Contractor Must Execute This Week

Determine your required level by reviewing current contracts and the 24-month pipeline for CUI exposure. Pull your current SPRS score — every contractor should know it off the top of their head. Identify where CUI actually lives in your environment — if you cannot draw the boundary on a whiteboard in five minutes, the assessment will fail.

// INCOMING SITREP

The operational playbook for building the System Security Plan — the document the C3PAO reads first. The eight-section build guide, the 90-day sprint, and the three failure modes that derail most assessments. Read the SITREP dossier.

ACCESS THE BRIEF »

TRANSMISSION LOG //

The Compliance Program That Will Decide Who Bids on Defense Contracts for the Next Decade

There are 80,000 contractors in the Defense Industrial Base who will need CMMC Level 2 certification before Phase 2 takes effect on November 10, 2026. As of March of this year, fewer than 2 percent of them had completed certification. The math from here is the entire story of the next six months.

This episode is Part 1 of a two-part briefing on the Cybersecurity Maturity Model Certification — the single most consequential compliance program in the Defense Industrial Base. Part 2, next week, will cover the Phase 2 deadline reckoning. Today’s transmission is the foundation: what CMMC is, where it came from, who it applies to, and what it actually requires.

Why the DoD Built CMMC in the First Place

The DoD did not create CMMC because they needed another framework. The NIST publications and ISO standards already existed. CMMC exists because the Defense Industrial Base was bleeding intellectual property at a catastrophic rate.

Nation-state threat actors have systematically targeted the most sensitive programs in the U.S. defense ecosystem. F-35 Joint Strike Fighter design data. Naval submarine specifications. Hypersonic weapon research. Much of that intellectual property has been exfiltrated — not through breaches of the prime contractors, but through breaches of the Tier 2 and Tier 3 subcontractors operating under self-attested NIST 800-171 compliance that was never independently verified.

For years, the DoD ran on the honor system. Contractors self-attested that they had implemented the required security controls. The enforcement mechanism was after-the-fact audit. The problem with that model — as the CISO put it on this transmission — is that by the time the breach is discovered, the intellectual property is already in Beijing or Moscow.

CMMC is the structural answer. It moves the entire Defense Industrial Base from self-attestation to third-party verification. From “we promise we did the work” to “an independent C3PAO confirmed we did the work, and the certification is on file with the government.” That change is the entire program. And that change is the difference between eligible to bid and ineligible to bid for the next decade of defense contracts.

The Three CMMC Levels — And Why Level 2 Is the One That Matters

CMMC has three certification levels, each tied to a specific category of information the contractor handles.

Level 1 (Foundational)

Applies to contractors handling Federal Contract Information — information the government provides or generates in the course of a contract that is not intended for public release. Level 1 requires 15 basic security practices from NIST SP 800-171 Rev. 2. Self-assessment is permitted permanently for Level 1, with annual affirmation required.

Level 2 (Advanced)

Is the level that matters for the majority of the Defense Industrial Base. It applies to contractors handling Controlled Unclassified Information — CUI. Level 2 requires implementation of all 110 controls in NIST SP 800-171 Rev. 2, with 320 assessment objectives. Phase 1 allowed self-assessment for most Level 2 contracts. Phase 2, beginning November 10, 2026, requires C3PAO certification for the majority of Level 2 contracts. This is the change every contractor in the DIB is preparing for.

Level 3 (Expert)

Applies to contractors working on the DoD’s most sensitive programs — classified or near-classified work. Level 3 requires Level 2 plus 24 additional controls from NIST SP 800-172. Assessment is conducted by the DoD itself, not a third party. Phase 3 begins November 10, 2027.

The underlying framework is NIST SP 800-171 Rev. 2 — 110 controls organized into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. The control families are the architecture. The 110 controls are the bricks. The 320 assessment objectives are the inspection points.

FCI vs. CUI — The Distinction Most Contractors Get Wrong

Most contractors think they only handle Federal Contract Information. Most contractors are wrong.

CUI includes technical drawings, system specifications, contract performance data, financial information related to federal contracts, export-controlled technical data, and any information marked as CUI by a federal agency. If you have ever opened a Statement of Work for a DoD contract and it mentioned export controls, ITAR, EAR, or technical data — you are handling CUI. Level 2 applies.

The CISO’s working recommendation on this transmission was direct: if you are working with the DoD in any capacity, default to assuming Level 2. The cost of building Level 2 controls when only Level 1 is required is meaningfully lower than the cost of being unprepared when CUI shows up in your next contract.

The C3PAO Assessment — What Actually Happens

A Certified Third-Party Assessor Organization — a C3PAO — is an outside firm authorized by the Cyber AB to conduct CMMC Level 2 certification assessments. There are currently fewer than 80 authorized C3PAOs in the country and only about 800 Certified CMMC Assessors. The DoD estimates the Defense Industrial Base needs 2,000 to 3,000 assessors to clear the certification backlog. That gap is the entire reason the November 2026 deadline is going to hit so hard — and Part 2 of this series will unpack that math in operational detail.

When the C3PAO arrives, they review the System Security Plan, the Plan of Action and Milestones, the policy documentation for each of the 14 control families, and the technical evidence demonstrating each of the 320 assessment objectives. They interview your people. They observe your environment. They sample your logs. They do everything a real audit does, because that is what they are.

If a contractor passes the assessment with minor gaps, the C3PAO can issue a Conditional Level 2 certification with an accepted POA&M and a 180-day remediation window. If the gaps are not closed within 180 days, the conditional certification expires and the contractor is back to ineligible. Final certification is good for three years.

The Supply Chain Reality — Why “We Just Sub to a Prime” Is Not a Safe Position

DFARS 252.204-7021, which became enforceable on November 10, 2025, requires prime contractors to flow CMMC requirements down to subcontractors that handle CUI in the course of contract performance. If the prime needs Level 2, the subs touching CUI need Level 2 — as a condition of receiving work, not at some future date.

Lockheed Martin, Boeing, Northrop Grumman, Raytheon, General Dynamics — the major primes have already issued supplier directives demanding CMMC compliance documentation. They are not waiting until the November deadline to enforce. They are already filtering supplier selection on CMMC certification status. Subs without certification are being deprioritized in procurement rationalizations happening right now.

The DoD estimates that approximately 65 percent of the Defense Industrial Base is affected by Phase 1. Approximately 80,000 contractors will need Level 2 certification before Phase 2 takes effect. The DoD’s own modeling assumes a meaningful number of contractors will simply exit the DIB rather than complete certification.

The strategic implication runs both directions. For a sub, getting certified early creates leverage — there will be high demand for certified suppliers as primes scramble to fill compliance gaps in their supply chains. For a prime, identifying which subs are on track to certification is now a procurement decision that affects program delivery. The certified sub commands premium pricing. The non-certified sub commands a polite exit from the supplier list.

CMMC as Business Investment — Not Business Expense

The most important reframe from this transmission was the business framing. CMMC certification, right now, is not a cost. It is an investment. Specifically, an investment in winning more deal flow during the window before market saturation.

The pattern mirrors what happens in every regulated B2B sector. SOC 2 used to be a competitive differentiator for SaaS companies — now it is the cost of doing enterprise business. HIPAA used to be a healthcare-tech advantage — now it is table stakes. CMMC is currently in the differentiator window. Contractors who certify before broad saturation gain a structural competitive advantage that materially affects revenue for the next 12 to 24 months.

The contractors who wait until certification is universal will be playing catch-up against competitors who used the window to lock in new contracts at premium positioning.

The Three Marching Orders Every GovCon Executive Must Execute This Week

The CISO closed with three concrete actions to execute starting tomorrow morning.

1. Determine your required level.

Pull every active DoD contract, every active subcontract under a DoD prime, and every contract pipeline opportunity for the next 24 months. For each one, determine whether the work involves FCI only or CUI. If any contract or pipeline opportunity involves CUI, your organization needs Level 2. Document the determination in writing.

2. Pull your current SPRS score.

Every DoD contractor is required to have a current Basic Assessment score in the Supplier Performance Risk System. The score is public-facing to primes. If you do not know your SPRS score off the top of your head, that is the first finding any prime contractor reviewing your supplier file will identify.

3. Identify where CUI lives in your environment.

Your System Security Plan. Your file shares. Your email systems. Your endpoints. Your cloud environments. If you cannot draw the boundary around CUI on a whiteboard in five minutes, the assessment will fail before the assessor finishes their first day.

The Operational Playbook for the System Security Plan Is Here

Marching Order 3 — identifying where CUI lives and building the System Security Plan that documents it — is the single highest-leverage piece of preparation any contractor can complete this quarter. The SSP is the first document the C3PAO opens. It is the document that bounds the assessment. It is the document that gives the contractor control over the narrative or hands that control to the assessor.

The operational build guide — the eight sections every CMMC SSP must contain, the 90-day build sprint, and the three failure modes that derail most assessments — is laid out in this week’s Sitrep companion: The CMMC System Security Plan: A Step-by-Step Build Guide for DoD Contractors.

CMMC is not a checkbox. It is the new floor of eligibility to do business with the Department of Defense. The floor goes up on November 10, 2026. Part 2 of this series next week unpacks exactly what happens on that day — and the 30/60/90 day sprint every contractor must execute between now and then.Execute the standard.

// DECODED TRANSCRIPT

Access the full text logs of this transmission for compliance and review purposes.

Actual (00:00)
Welcome to Status Secure. Today’s transmission is part one of a two-part series on the single most important compliance program in the defense industrial base, the Cybersecurity Maturity Model Certification, otherwise known as CMMC. If you sell to the DoD, if you sub to a prime that sells to the DOD, if you’ve ever touched data on a federal contract, this briefing is for you. There are 80,000 contractors who will need CMMC Level 2 certification before phase two begins.

The CISO (00:00)
Yeah, so

Actual (00:27)
On november tenth, twenty twenty six. As of March of this year, fewer than two percent of them had completed that certification. We are going to spend two episodes making sure you are not in the other ninety-eight percent. Today, part one, what CMMC is, where it came from, who it applies to, and what it actually requires. And then next week on part two, ⁓ the deadline for phase two, and we’ll discuss that and what it means for you. So CISO, set the table for us.

Why does CMMC exist?

The CISO (00:55)
Okay, so the origin story. The DoD did not invent CMMC because they wanted more paperwork, because there’s already a lot of you know, frameworks and standards out there, as we know. there’s all the NIST standards, right? There’s the ISO standards, that’s all that. the DOD ⁓ created CMMC because the defense industrial base was bleeding in textual intellectual property.

Because nation state threat actors were actually obtaining their sensitive data. For instance, the F-35 joint strike fighter design, naval submarine specifications, hypersonic weapon research, all of it has been targeted, much of it has been exfiltrated, mostly through tier two and tier three subcontractors who were never seriously hardened. It’s because of this rate of exfiltration. They decided they needed something stronger.

So the, you know, for years, DOD contracts required contracts to self-attest. I mean that they had implemented NIST 800-171 security controls. And in security, trust but, you know, trust but verify, right? That was it that’s a foundation. And it wasn’t even being ⁓ implemented. So the fact that, you know, the subcontractor could just say trust.

Trust us. You know, we’ve implemented these controls. That’s part of the reason why, you know, there were so many problems. And there was no enforcement. So by the time something breaks, right, and the breach is discovered, the intellectual property is already in Beijing or Moscow. So the reality is the CMMC is the DoD’s answer to this problem, right? The trespit verify failure.

It moves the defense industrial base from self-addestation to third-party verification. From we promised we did the work to an independent assessor confirmed we did the work. That somebody else who’s independent looked at your can your design and your controls and they said, yes, they are performing effectively. And that change that makes a difference between eligible to bid and ineligible to bid for the next decade of defense contract.

Actual (03:00)
Got it. So let’s break it down. When someone says ⁓ we need to be CMMC compliant, what does that actually mean? Walk us through the levels of that structure and I and actually before that, just quickly answer who needs CMMC and then break that down for us.

The CISO (03:17)
Okay, so anybody who wants to contract with the DoD, right? And any subcontractors that are working on DoD contracts. Mm-hmm. so let’s talk about the levels. There are three levels to CMMC. The first is foundational, the second is advanced, and the third is expert. So the foundational applies to contractors handling any kind of federal contract information. Right. ⁓ this

⁓ you know this provide that provides or generates in the course of a contract ⁓ that’s not intended for public release. Okay. So level one requires 15 basic security practices from NIST SP 800-171. Revision two, ⁓ self-assessment is permitted permanently for this level. And then you have to do that ⁓ you know a self-assessment annually. Level two is advanced.

This applies to contractors handling controlled un level two is advanced. This applies to contractors handling ⁓ CUI, controlled unclassified information. This is the level that matters for the majority of the defense industrial base for contractors working with the DOD. Level two requires implementation of all 110 controls in the NIST 800-171.

with 320 assessment objectives. Phase one allowed ⁓ self-assessment on most level two contracts, but beginning November 10 of this year. So in 2026, November 10, right? It’s gonna require a C3 PAO certification for the majority of level two contracts. And this is the change ⁓ that you know everyone is preparing for. Level three is expert.

This applies to contractors working on the DOD’s most sensitive programs, classified or neoclassified. Level three requires level two plus 24 additional controls from you know, NIST 800-172. Assessment is conducted by the DOD itself. So not even a C3PAO certified body. Right? The DOD is going to come and assess you. This phase three begins on November 10th of next year, so 2027.

November 10th. Right. So the you know, the underlying framework is NIST you know, special publication 800 171, revision two. There are 110 controls organized into 14 control families. If if you ⁓ if you’ve been doing 853, right, this should be really familiar to you, right? But remember, it needs to be 800-171. Okay.

So you’ve got your access control family, your awareness and training, your audit and accountability, configuration management, identification and authentication, incident response. I mean, this should not be new to you. You should have been doing this all along. So the control families are the architecture, the 110 controls are the bricks, the 320 assessment objectives are the inspection points. Okay. So just remember, like when you’re building out your program, identify your risk.

create the control, map that control to one of the 110, right? ⁓ that’s required.

And so what’s FS I’m sorry, what’s FCI versus CUI? Like what does that mean? Okay. So most contractors think they only handle FCI, which is the federally, you know, confidential information, right? ⁓ CUI includes so that includes technical drawings, system specifications, contract performance data, financial information.

related to federal contracts, export controls. You can see, I mean, to be safe, just assume that you’re handling C UI if you’re working for the DOD. Okay. and then if you have opened a statement of work for a DOD contract and it mentioned export controls, you know IT ITAR ear so if you you know I T A R E A R or technical data, you’re handling C UI.

And then level two applies. Again, to be safe, just assume you’re you’re you’re level two. Even if you’re level one, just build your build your program around that because it doesn’t take long for you to be, you know, level two if you start working on that, you know, C UI data data.

Actual (07:25)
Yeah, let’s run with that. Let’s say, you know, we’re working with the DOD. We’re just gonna make the floor level two, right? That’s the default standard. So what does this assessment look like? Mm, who shows up? What are they looking at? How does that how does that all work?

The CISO (07:39)
Okay, so the C3PAO, right, which is a certified third-party assessor organization, ⁓ it’s an outside firm authorized by the Cyber AB to conduct CMMC level two certification assessments. There are currently fewer than 80 authorized ⁓ C3 PAOs in the country and only about 800 certified CMMC assessors. So the DOD estimates the ⁓ you know, there’s gonna be a need of about two to three thousand assessors.

To clear the certification backlog. That gap is the entire reason the November 2026 deadline is going to hit so hard. And ⁓ what does the assessor look ⁓ you know, what do they look at? The assessor reviews the system security plan, your SSP, right? That your poems, your plan of action and milestones, the policy documentation for each of the 14 control families, and the technical evidence demonstrating each of the 320 assessment objectives. The interview they interview your people.

They observe your environment, they sample your logs, they do everything a real audit does because that is what they are. They’re gonna go in and they’re gonna audit. and then conditional certification versus final certification. If a contractor passes the assessment with minor gaps, the C3PAO can issue a conditional level two certification with an accept ⁓ accepted poem and a hundred and eighty-day remediation window.

If the gaps are not closed within 180 days, the conditional certification expires and the contract is back to ineligible. Final certification is good for three years.

Actual (09:07)
Got it. So a lot of small, mid sized contractors might be listening right now thinking, Well, my company’s small, we don’t have mm, maybe direct DOD contracts we sub to a prime. Walk us through why that’s maybe not the safest position or maybe maybe it’s not a safe thing, but like help help that person understand maybe like how this applies to them and and kind of what they need to do.

The CISO (09:30)
⁓ so in DFAR’s two two fifty-two dot two four-seven zero two one. There’s a lot of regulations here. that actually was November 10th of 2025 when when that ⁓ became enforceable. Right. And what it does is it requires prime contractors to flow the CMMC requirement down to subcontractors.

That handle CUI in the course of contract performance. So if the prime needs level two, the sub touching the CUI also needs to have level two, not some time, but you know, before they can work on that contract. and so and that’s a condition of being able to get that work. So if the prime wins the contract and this sub is not CMMC certified.

they can’t not use that sub and that might cause a problem for them to be able to deliver. Okay. So what, you know, so like Lockheed Martin, Boeing, Northrop, Gurman, I mean the big Rathyan, you know, the the big primes, they’ve already issued supplier directives demanding CMC compliance documentation. Right. So ⁓ you know, if you’ve ever bid on a contract if you ever bid, you know that they’re gonna put in the

the requirements, some re you know, some certifications. So these big primes have already put it into their requirement. If you don’t have a CMMC certification, you cannot, you know, you can’t be put on as their sub. And so they’re not going to ⁓ add you onto the contract, onto the contract bid. They’re not waiting and they’re not waiting until the November deadline to enforce this. They’re already, they’re already putting it into their ⁓

procurement ⁓ supply chain processes. Right? So the DoD estimates that approximately 65% of the defense industry base is affected by phase one. Approximately 80,000 contractors will need level two certification before phase two takes effect. And the DOD’s own modeling assumes a meaningful number of contractors will simply exit the ⁓ the bidding process rather than complete certification. So what does you know so what does this mean? It means that

There’s a lot of contractors who’s not gonna be able to bid by November of this year, right? So it’s cause it’s not enough to certify your own organization. You know, under DeForest Flowdown, the Prime is now responsible for ensuring its subs are also certified. So if you’re if you’re a sub and you get certified, you’re going to have a you’re gonna have leverage, you’re gonna have ⁓ you know, be in high demand. and your specialty, ⁓ your software

vendor, you know, your IT support firm. you know, if they touch CUI and they’re not certified, you can’t use them. And now that becomes the Prime’s problem. That’s your problem, right? and it’s a big deal because it’s going to create it’s going to create high demand which can you know raise the prices raise the price. it’s going to create

where subs who are certified are going to be, you know, trying to figure out which contracts they can be part of because they have too much work. and then, you know, and then the subcontractors who don’t get them, they’re gonna be blocked from being part of any bids. So as a sub, you know, where do you want to be? And as a prime, you have to be worried about this because now these subs that are certified, they can charge you more.

I they can ask for a more percentage because you’re having a problem finding subs who are qualified.

Actual (12:53)
Yeah, and this is a great angle to look at it from. think of it from like a business perspective. getting your CMMC certification, this isn’t a business expense, not right now. Right now, this is an investment. It’s an investment that’s going to put you at the top of the stack to securing more deal flow in your pipeline. So if you look at it from that perspective, you’re in this window where you can have this certification that that

kind of opens the doors for you to secure more contracts and and secure more deals and bring in more business, then maybe next year, the year after, the year after, as more people kind of as this becomes common where everybody has it and then where it does basically become that business expense to just play in this field, which it is, but because not everybody has it, it’s a great opportunity to get ahead of the curve, right? And to get on more contracts, right? And to build your business. So,

That’s that’s kind that’s where we’re at. So if you’re in that that kind of category where you’re going, hm, I don’t know. ⁓ you know, we we also work with in in other industries. So if you think like tech startups that want to work in like the healthcare space, it it probably behooves them to, you know, be HIPAA compliant, right? I if they’re if they’re a platform where they’re people being who are using it, whether they’re hospitals or or some kind of

organization in that field, they will require you to have HIPAA. Otherwise you can’t do business with them. Same thing with maybe SOC 2, right? Other startups that want to do business with that that world, ⁓ they’re gonna need SOC 2 as a way to get deal flow. It’s the same here. So if you want to play in the government space, this is a great time to get CMMC and use that as a business strategy, right, to get more business. if you don’t want to play in the DOD space, maybe you don’t want to throw out that expense and maybe you just kind of stop serving that community.

so depends on where you’re at. And so for you, CISO in this conversation, what are our marching orders for people this week? So they’re listening to it, they’re like, Okay, I play in the space, I probably should do something about this if I’m not already certified. what what what what are some three things that they can do this week to help them kind of move the needle forward and also to prepare them for, you know, phase two, which is coming up in November.

The CISO (15:01)
Mm-hmm. So three things. The first is determine what your required level is. Take a look at your contracts that you’ve already completed, ⁓ that you’ve won. Look at, you know, your contract pipeline, opportunities involving C UI, the things that you’re gonna be wanting to be part of or bid on, you know, in the next 24 months. ⁓ take a look at that.

Because first you need to identify which level you want to play in, right? Which level you’re gonna be part of. Second is pull your current, you know, your supplier performance with system ⁓ score. You know, you should know that off the top of your head. if you don’t, you know, that’s one of the first things that your assessor is going to identify is you don’t know what your, you know, your SPRS score is. You need to know that. Mm-hmm.

⁓ third is identify like if you if you’re going to be doing work that has that has CUI, identify ahead of time where that CUI is gonna live in your environment. Like know know that. Know your your SSP, your system security plan, you know, where you know the file shares are the the you know the place where CUI often lives, like identify those. ⁓

You know, really understand like, okay, is it in your email? Are you gonna be you know, is it in your email system? What about your endpoints? What about your cloud? I ⁓ if you can’t draw the boundary around CUI on a whiteboard in five minutes, you know, your assessment’s gonna fail. Right? You have to know what you’re protecting. So those are the three things that you need to do right away.

Actual (16:39)
Got it. So as we discussed, CMMC is not a checkbox. It’s not a certificate on the wall. It’s the new floor of eligibility to do business with the DOD and for good reason, right? We don’t just want to say we’re secure, we want to be secure. And that floor goes up on November tenth. So today we’ve kind of set the foundation, kind of everything you need to know about CMMC. and then next week on part two, we’re gonna specifically talk about what phase two is, what the deadlines are.

The CISO (16:39)
Right. ⁓

Actual (17:06)
All the things about that so that you’re prepared. So mission success starts with an understanding of the system that you’re operating inside of. So let’s execute the standard and we’ll see you next week for part two.

JOIN "THE WATCH" //

Receive critical SITREPs, Industry Alerts, and Threat Indicators sent directly to your inbox.

By submitting this form, you agree to our Terms & Conditions and Privacy Policy.

SILENCE THE NOISE. AMPLIFY THE SIGNAL.

INTELLIGENCE IS USELESS IF YOU AREN'T LISTENING.

Join The Watch to receive New Episode Alerts, Strategic Breakdowns, and Guest Intel delivered to your inbox.