Sum IT Up: CMMC News Roundup

This week we sit down with Supply Chain Director Bo Birdwell to discuss Elbit America's latest open letter to suppliers regarding CMMC. Elbit's letter doesn't mince words: CMMC is here and the time to act is now. Bo not only walks us through the perspective of a major prime contractor on cost, timelines, outsourced services, CMMC Level 3, and more – he also drops a ton of helpful tips for current and prospective suppliers. Elbit Supplier Page: https://www.elbitamerica.com/suppliers#cyber MSP Collective: https://www.mspcollective.org/ Bo Birdwell: https://www.linkedin.com/in/bobirdwell/

The defense department has updated the CMMC FAQs for the second time in 3 months. In lieu of rulemaking updates the CMMC FAQs are the best place for updated guidance. This week we're exploring DoD's answers regarding everything from encryption to enclaves to VDI endpoints. CMMC FAQs: https://dodcio.defense.gov/CMMC/

Another year another set of eerily accurate predictions about defense cybersecurity requirements and the CMMC program. Like usual we got most of our 2025 predictions correct. For 2026 we're getting specific with False Claims settlements, CMMC 3.0, FAR CUI, and more! FCA episode: https://youtu.be/tPA-ALjW1Hk?si=KgPUAo4VqqmX3mNF DoD IG report: https://www.youtube.com/watch?v=RNafaUlgBGo Golden Dome: https://youtu.be/y88JqZdJsj0?si=eGpIm1jqKRYpW4n3

Defense Logistics Agency suppliers got a special Christmas gift: detailed estimates of CMMC requirements by DLA supply class! The Defense Department buys a lot of different products and services and the estimates make it clear that different types of contractors will experience CMMC requirements in very different ways. If only we could get every agency and mega prime to put out info like this. Episode Links: DLA SMB Website: https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/ What DLA Buys: https://www.dla.mil/Small-Business/Getting-Started/What-DLA-Buys/ Supply Classes: https://www.dau.edu/acquipedia-article/supply-classes

Another defense contractor is paying six figure fines after settling with the Department of Justice for allegedly failing to comply with DFARS clause 252.204-7012. The kicker: their own employee blew the noncompliance whistle and got a cut of penalty money. This is the fifth such settlement in 2025 and the DOJ is crystal clear that the don't discriminate just because a company is small. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Memo: https://dodcio.defense.gov/cmmc/Resources-Documentation/ Swiss Automation: https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act MORSECORP: https://www.youtube.com/watch?v=ZnePk6jaezA Raytheon: https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating Aero Turbine: https://www.youtube.com/watch?v=hFEEVGXv_00 GTRC: https://www.justice.gov/opa/pr/georgia-tech-research-corporation-agrees-pay-875000-resolve-civil-cyber-fraud-litigation DFARS 7012: https://youtu.be/cy4e28YAkXU?si=MqGKGNAHTPyvj-DI

A recent webinar from the US Army Corps of Engineers told suppliers that if they only handle paper CUI, then CMMC requirements don't apply to them. That's a significant concession to industry on par with COTS exemption and POAMs. But is this USACE flexing their discretion or are they setting up a conflict by setting policy around CMMC applicability? Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

Register for CMMC Industry Week: https://www.summit7.us/industry-week Since the 48 CFR CMMC final rule was published in September 2025 we've seen supplier notices from Lockheed, RTX, BAE, HII, and many others. Most recently, Northrop Grumman recently published a supplier announcement titled “CMMC 2.0 is Final – Are You Ready?”. The big takeaway: don't expect CMMC waivers from your prime customers because they can't grant them to you. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=KvezY7Vu7zXf9qYZ 32 CFR Final rule: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program 48 CFR Final rule: https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of January Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf

While everyone has been focused on the start of CMMC phase 1, many contractors are discovering that DFARS clause 252.204-7020 has been lurking in their contracts since 2020. DoD reserves the right to show up at any time and audit compliance with DFARS clause 252.204-7012. This week we're diving into everything that DIBCAC will be asking for when they show up on your doorstep. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DIBCAC intake forms: https://www.dcma.mil/DIBCAC/ DFARS 252.204-7012: https://youtu.be/cy4e28YAkXU?si=x4tmDKcCc44dLnJE DFARS 252.204-7020: https://youtu.be/D4JLkfvB-Ws?si=6_yyMYrU7DVoxoBt

The final Cyber AB TH of 2025 took place this week which means it's time for the team to unpack all the important information you need to know. On this week's show, Jason and Joy sit down for one one last time in 2025 as we discuss things like: •The final ecosystem update of 2025 •The biggest highlights of 2025 •DO I have to affirm my C3PAO assessment score? •What the AB expects for 2026 Tune in as we close out this year of Cyber AB Town Halls with a little fun! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

As of November 10th, 2025, CMMC is now a condition of award for new defense contracts. “Phase 1” of the CMMC rollout will last until November 10th, 2026. This week we discuss seven predictions we have for the new normal. Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR 170.3(e): https://www.ecfr.gov/current/title-32/part-170#p-170.3(e) DFARS 7012: https://youtu.be/cy4e28YAkXU?si=yC_wKI42JNxIHKME Phase 1 Blog: https://www.summit7.us/blog/cmmc-begins-today

After four years of rulemaking here we are at the last podcast before the official start of CMMC phase 1. What better way to usher in the new normal of CMMC than a quick refresher on how and why CMMC became a thing in the first place? Nothing helps contextualize the CMMC program like remembering how resistant the DoD has been to third party verification until they were left with no other choice.

On this week's spine-tingling episode of the show, Jason and Joy sit down unwrap the October Cyber AB Town Hall like a bag of pillowcase full of candy. With less than two weeks until the November 10th launch, this marks the final town hall before the CMMC becomes a fully operational reality. Tune in as we mix up a cauldron of all the important information you need to know to assure no tricks as you pursue your CMMC bag of treats… no costumes required! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

CMMC officially goes into effect on November 10th, 2025, at which point all new DoD solicitations and contracts will include at least CMMC Level 1 status requirements. While the government shutdown might affect the pace of new contract awards, it doesn't change anything about the effective date of CMMC specifically. This week we're looking at the trickle of contract notices that are letting people know CMMC is very real and will absolutely be required (including level 2). Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo NAVSEA (Level 2): https://sam.gov/workspace/contract/opp/0a92f866231546828b3fd11cf1146a8a/view USSOCOM (Level 1): https://sam.gov/workspace/contract/opp/eb3d38dd00e845579212f724b6dedd37/view USACE (Level 2): https://sam.gov/workspace/contract/opp/e0a817b5b7c74c319ebaa2df9cd3d637/view

The Senate has passed their version of the FY26 NDAA and they want annual contractor performance measurements to focus exclusively on “negative performance events”. Per the Senate Armed Services Committee that includes failing to meet cyber requirements, failing to flow down requirements to subcontractors, and submission of false claims (cyber). Add this one to the growing pile of evidence that the government really, really wants contractors to take cybersecurity seriously. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Memo: https://dodcio.defense.gov/cmmc/Resources-Documentation/ Senate NDAA: https://www.congress.gov/bill/119th-congress/senate-bill/2296/text

Watch full webinar here: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here The start of CMMC phase 1 is just around the corner. Starting on November 10th, 2025, DoD contracting officers will begin inserting CMMC status requirements in new solicitations and contracts. We recently held a webinar on the CMMC final rule to get people up to speed so this week we're bringing you our key takeaways. If you want all the details, the webinar is available on demand (registration link is in the show notes). Find out where you are on your CMMC journey here: https://www.summit7.us/pathfinder

September has come to a close and despite all the moving parts, name changes, and other potential roadblocks, the CMMC program is humming along. Assessments are being conducted at a blazing pace, the AB staff is growing, and people are still not sure if they should identify as an ESP or CSP.On this week's show, we dig into the September Cyber AB Town Hall and break down all the important details you need to know! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

DFARS clause 252.204-7021 goes into effect on November 10th, 2025, but there's more under the hood than just the text of the contract clause. Contracting officers have an entire set of procedures they must follow that dictate when and if the 7021 clause should be included in a defense contract at all. In this episode we're looking at the other side of the coin to the infamous CMMC DFARS clause. Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of DFARS 7008: https://youtu.be/vgrRGIWboKc?si=chKYMNRUea9eqpn- DFARS 7012: https://youtu.be/cy4e28YAkXU?si=OO3IEXYvfGqZQ3op DFARS 7019: https://youtu.be/7gW_82Cus7Y?si=IT2ORlBlZELxxbdu DFARS 7020: https://youtu.be/D4JLkfvB-Ws?si=-hMhIq6dJLxu1NU4 DFARS 7025: https://youtu.be/LtJK-CHuyp8?si=A6WoUGBEEgVxp5Jx DFARS 7009: https://youtu.be/kfecRRrd41w?si=PNXrbcvRLHc5GoUg 32 CFR 170 Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule?_gl=1*1qpc6eg*_up*MQ..*_gs*MQ..

Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 The regulation that finalizes CMMC guidance for DoD contracting officers and program managers officially goes into effect on November 10th, 2025. The highlight of the regulation is the final text of DFARS clause 252.204-7021 which tells contractors which CMMC level they need to achieve in order to take award of a contract. But the regulation also created DFARS provision 252.204-7025 which officially notifies offerors of the requirements contained in the 7021 clause and it's only three paragraphs long! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

Register for the upcoming webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here It's official: CMMC Phase 1 begins on November 10th, 2025 when the 48 CFR CMMC final rule goes into effect. After that point all new Department of Defense/War contracts will contain some level of CMMC requirement. But just when things seem certain, people are wondering about the recent class deviation regarding DFARS clause 252.204-7021. Is the use of the CMMC clause actually suspended? Spoiler: no, not even close. Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of Aug Class Deviation: https://www.acq.osd.mil/dpap/policy/policyvault/USA001756-25-DPCAP.pdf

A lot of defense contractors are betting that the DoD will only require CMMC Level 2 self-assessments during the first 12 months of CMMC (“Phase 1”). Since December 2024 there have been three official policies outlining what can be required in Phase 1 and none of them prohibit Level 2 certification assessments. Instead, every policy we can find reinforces the idea that many companies will be required to achieve CMMC Level 2 certification in Phase 1. In this episode we walk through all 3 policies so you can decide for yourself if that's a risk you want to take with your business. Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR 170.3(e): https://www.ecfr.gov/current/title-32/part-170#p-170.3(e) The January Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf The July Memo (PDF): https://dodprocurementtoolbox.com/uploads/PTDO_Do_D_CIO_Memo_Resources_for_CMMC_Implemtation_dtd_20250728_25_T_2704_cleared_20250807_e53aa02e78.pdf