
Sum IT Up: CMMC News Roundup

Summit 7 (summit7.us)

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This weekly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.


Episodes

What is DFARS 7020?

Continuing our back-to-basics series of the “DFARS Cyber Series” of provisions and clauses brings us to clause 252.204-7020. This clause applies to defense contractors who are required to comply with DFARS clause 252.204-7012. Through DFARS 7020 the DoD reserves the right to conduct a higher-level assessment of a contractor's cybersecurity compliance. Additionally, defense contractors must give DoD assessors full access to their facilities, systems, and personnel. Pathfinder 101: https://www.sum...

Jul 03, 2025 · 25 min

June Cyber AB TH Recap

The Cyber AB brought the CMMC Ecosystem together once again for the June 2025 installment of their monthly Town Hall series. Join us for this week's show as we discuss all the information distributed during the meeting that you need to know; answers to questions like: Is the Ecosystem growing? How many certifications were awarded this month? Does Microsoft have to be at my assessment? And so much more... Tune in to find out! Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: http...

Jun 26, 2025 · 25 min

System Security Plan Crash Course

System Security Plans are the single most fundamental documents underpinning cybersecurity compliance for defense contractors. But even after nearly 40 years of using SSPs for federal information systems, there are essentially zero examples of what good looks like. Thankfully NIST is revising its SP 800-18 guidance on developing SSPs and wants your comments. This is a crash course on SSPs so you can get caught up before the July 30th comment deadline. Pathfinder 101: https://www.summit7.us/pathfinder...

Jun 19, 2025 · 50 min

Lessons Learned from 25 CMMC Assessments

The CMMC program has been in effect for six months and hundreds of early adopters have achieved CMMC Level 2 status. Today we speak with Fernando Machado, managing principal at Cybersec Investments, an authorized C3PAO. Fernando has completed 25 CMMC Level 2 assessments and he has a ton of valuable takeaways to share. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Fernando (LinkedIn): https://www.linkedin.com/in/fernando-machad...

Jun 12, 2025 · 23 min

What is DFARS 7019?

We're back to basics this week with DFARS provision 252.204-7019. SPRS scores? DIBCAC High assessments? DoD Assessment Methodology? It all started in 2020 with a humble four-paragraph provision that was overshadowed by CMMC 1.0. These days the Department of Justice is settling False Claims Act lawsuits for millions and defense contracts aren't getting renewed, all thanks to the DFARS cyber provision everyone loves to forget.

Jun 05, 2025 · 38 min

May Cyber AB TH Recap

The Cyber AB has once again convened the CMMC ecosystem to deliver the monthly Town Hall covering the latest news and information about the CMMC Program. Join Jason and Joy as they talk about the latest ecosystem happenings for the month of May. There has been another branding change, an event-filled week in Vegas, more conversations around 10-day re-evaluation periods for CMMC assessments, stats on completed assessments and ecosystem growth, ESP and CSP clarification, and so much more... Pathfin...

May 29, 2025 · 34 min

When Will CMMC be in Defense Contracts?

The CMMC program regulation went into effect in December 2024, but the DoD can't insert CMMC requirements in contracts until they finish revising the regulatory contract clause language. The window for the long-awaited contract clause final rule is opening next month. We predict that CMMC will start showing up in defense contracts between June and October 2025. Episode Links: Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7012:...

May 22, 2025 · 11 min

DoD CIO: Stop complaining about CMMC

Katie Arrington is the architect of the CMMC program, currently performing the duties of the DoD CIO, and she is ultra pissed that defense contractors haven't improved their cybersecurity posture while she was gone for 3 short years. This week we dive into Katie's keynote at AFCEA TechNet Cyber 2025 where she didn't mince words about CMMC, the DIB, and the coming storm. Register for CEIC West: https://ceicwest.com/ Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu....

May 15, 2025 · 15 min

You can’t do that with your ESP!

The Cyber AB has once again convened the CMMC ecosystem to deliver the monthly Town Hall covering the latest news and information about the CMMC Program, and Joy has once again joined the show so we can talk about the latest ecosystem happenings for the month of April. A change in CAICO leadership, stats on completed assessments, another audit, an “ESP, not a CSP” MythBusters/Ecosystem ethics fusion, and so much more... Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://you...

May 08, 2025 · 33 min

CS2 Reston Preview

It's that time of year again, and this time CS2 is coming to Reston, VA. This week we walk through the agenda and talk about the sessions we're most excited for. Whistleblower attorneys? C3PAO lessons learned? Real-world defense contractors who have completed CMMC Level 2? Prime contractor perspectives on upcoming requirements? CS2 has it all. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplx...

May 01, 2025 · 27 min

DoD’s Parameters for SP 800-171r3

DoD has officially released their parameters for NIST SP 800-171 revision 3 requirements. Defense contractors now have a clear picture of their future compliance requirements and what assessors will ask for under “CMMC 3.0”. But if SP 800-171r3 won't be required for some time, why did the DoD publish their organizationally defined values? In this episode we dive into the basics of “ODPs”, why they matter, and how contractors can leverage them now to future-proof their systems against regulatory ...

Apr 24, 2025 · 29 min

What is DFARS 7012?

Most people mistakenly believe that their cybersecurity requirements stem from the Cybersecurity Maturity Model Certification Program (CMMC). CMMC is simply a verification program that proves whether you have implemented the requirements imposed by DFARS clause 252.204-7012. Ultimately, DFARS clause 252.204-7012 is the center of gravity for all the cybersecurity stuff that comes with being a defense contractor. This week is an important primer on DFARS 7012 because even though it's only 13 paragraphs l...

Apr 17, 2025 · 39 min

What is DFARS 252.204-7008?

After 100 episodes diving into every possible rabbit hole to help illuminate the bigger picture around CMMC, we're starting over at square zero: the “DFARS Cyber Series” of contract clauses. First up: the solicitation provision 252.204-7008. Although 7008 doesn't have the notoriety of its big brother DFARS 252.204-7012, it is the first domino that triggers the cascade of cybersecurity compliance obligations that ultimately culminate in a CMMC assessment. Register for CS2 Reston: https://cs2.cloud/...

Apr 10, 2025 · 36 min

DOJ vs Small Defense Contractors

The Department of Justice finally did it: they went after a small defense contractor for failure to comply with its contractually obligated cybersecurity requirements. This case has it all, from fake SPRS scores to whistleblowers getting paid hundreds of thousands of dollars to contractors paying millions in fines. All thanks to the same set of contract clauses in every DoD contract and the same errors committed by the vast majority of defense contractors. Register for CS2 Reston: https://cs2.c...

Apr 03, 2025 · 23 min

March AB Townhall Recap

The Cyber AB is back with their monthly Town Hall meeting, which can only mean one thing: Joy is here to co-host the show, and we are gonna break down the information distributed during the meeting. The ecosystem is growing, CMMC is going international, and so much more! Tune in to see what we have to say! Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Sum IT Up ‘Canada's CMMC': ...

Mar 27, 2025 · 23 min

Canada’s CMMC

The Canadian Program for Cyber Security Certification (CPCSC) requires defense contractors to undergo assessment against NIST SP 800-171 revision 3. That's a big problem for contractors who also do work for the U.S. Department of Defense because CMMC currently evaluates NIST SP 800-171 revision 2 and will for quite some time. In this episode we dive into what we know about Canada's version of CMMC and how close (or far) we are from reciprocity between the programs and what might be done to close...

Mar 20, 2025 · 40 min

C3PAO Authorization Audit Pt. 4 of 4

At long last we've come to the fourth and final episode covering every finding and allegation in the DoD Inspector General report on the CMMC process for authorizing third-party assessment organizations. So far none of the 10 findings come anywhere close to spelling doom for the CMMC program. Perhaps the juiciest scandals were saved for last? Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvka...

Mar 13, 2025 · 22 min

C3PAO Authorization Audit Part 3 of 4

We're almost done with our exploration of the DoD Inspector General audit of the CMMC C3PAO authorization process. The last two recommendations might be the most perplexing of all. Maybe the Inspector General saved the best for last? Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DoD IG report: https://www.dodig.mil/reports.html/Article/4028189/audit-of-the-dods-process-for-authoriz...

Mar 06, 2025 · 31 min

February Cyber AB TH Recap

The Cyber AB is back with their monthly Town Hall meeting. This week we dive into “what's new” with the CMMC Program for the month of February covering things like: What do the ecosystem numbers look like right now? What's up with T3 suitability? Can people announce if they're certified yet? And so much more! Register for CS2 Reston: https://cs2.cloud/reston Register for S7 Live: https://www.summit7.us/s7live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiD...

Feb 27, 2025 · 38 min

So Much for CMMC Level 2 Self-Assessments

The DoD has released guidance to the contracting workforce that implements the 32 CFR CMMC final rule. This week we discuss the two big takeaways for defense contractors. 1) Level 2 self-assessments are unlikely for 99% of companies. 2) CMMC waivers will be even more rare. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_...

Feb 20, 2025 · 22 min

DoD Inspector General vs CMMC

This week we continue our exploration of the DoD Inspector General audit of the CMMC C3PAO authorization process. The majority of the recommendations pertain to the Cyber AB, but are all of the recommendations even actionable? We think you'll be surprised at the disparity between the headlines and what the report actually says. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Part 1: ...

Feb 13, 2025 · 31 min

CMMC’s smoking gun? (DoD IG Audit)

The DoD Inspector General's report on the C3PAO authorization process is out and people haven't been shy with their takes on the findings. This week we dive into the first set of recommendations to see if there really is a smoking gun. We think you'll be surprised at the disparity between the headlines and what the report actually says. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaR...

Feb 06, 2025 · 35 min

What’s New with the Cyber AB?

The Cyber AB is back with their monthly Town Hall meeting. This week we dive into the current status of the CMMC Program, the last checklist item before official L2 certification announcements, and more. Register for CS2 Reston: https://cs2.cloud/reston - Use code SUMITUPRESTON for listener discount Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/february-town-hal...

Jan 30, 2025 · 17 min

Is CMMC on Ice? (Freeze Memo?)

Regulatory “freeze memos” have been common practice for new presidential administrations since 2001. Some people believe the most recent freeze memo spells the end of CMMC. Those people are incorrect for an assortment of reasons that we dive into this week. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo The “freeze memo” (2025): https://www.whitehouse.gov/presidential-actions/20...

Jan 23, 2025 · 18 min

What is the FAR CUI Rule?

Cybersecurity requirements for protecting controlled unclassified information (CUI) aren't just for defense contractors anymore. The FAR CUI rule will affect all federal contractors handling CUI (and even those who don't). This episode introduces the main elements of the rule at a 30,000-foot level. Register for CS2 Reston: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: https://www....

Jan 16, 2025 · 48 min

CMMC Predictions for 2025

It's that time of year again, when we stake our reputations on predicting the future of the CMMC regulatory landscape. What does our crystal ball say the future holds for rulemaking, FedRAMP, and the CMMC ecosystem in general? Register for CS2 Reston: https://cs2.cloud Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule 2024 Predictions: https://youtu.b...

Jan 09, 2025 · 25 min

Revisiting Our 2024 CMMC Predictions

A year ago we made seven predictions for the CMMC landscape. We got some right, we got a few mostly right, and we got a few “wrong”. Register for CS2 Reston with code SUMITUPRESTON: https://cs2.cloud/reston Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule 2024 Predictions: https://youtu.be/YzFkJGzny20?si=H7UurOVBgKPxpH7Q...

Jan 02, 2025 · 20 min

CMMC False Starts Revisited

The Cyber AB has officially released the CMMC Assessment Process Guide. Now that the “CAP” is official, CMMC “false starts” are officially something that defense contractors need to be aware of. Register for CS2 | Reston with code SUMITUPRESTON for 15% off here: https://cs2.cloud/reston CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf False starts 1.0 (June ‘24): https://youtu.be/zwU4u86L_5A NFO Controls: https://youtu.be/YEQd--RIUkU ...

Dec 26, 2024 · 34 min

7 Takeaways: CoPC & CAP 2.0 Edition

The CMMC Program has reached its “birth” date, and part of the celebration was the release of the newly revised, effective, and in-force versions of the CMMC Assessment Process (CAP) and the CMMC Code of Professional Conduct (CoPC). Jason and Joy have been picking apart these documents since their release, and on this week's show they offer their 7 “high level” takeaways from CAP 2.0 & CoPC 2.0. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?s...

Dec 19, 2024 · 37 min

What to Know From a C3PAO

This week we're joined by Fernando Machado of Cybersec Investments, an authorized CMMC C3PAO. Fernando has been around the CMMC space for years and has helped a ton of companies successfully pass their Joint Surveillance Assessments. Fernando shares what he's learned ahead of the effective date of the 32 CFR CMMC final rule and the rest of the phased roll-out. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR CMMC Webinar: h...

Dec 12, 2024 · 24 min