September has come to a close and despite all the moving parts, name changes, and other potential roadblocks, the CMMC program is humming along. Assessments are being conducted at a blazing pace, the AB staff is growing, and people are still not sure if they should identify as an ESP or CSP. On this week's show, we dig into the September Cyber AB Town Hall and break down all the important details you need to know! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall
DFARS clause 252.204-7021 goes into effect on November 10th, 2025, but there's more under the hood than just the text of the contract clause. Contracting officers have an entire set of procedures they must follow that dictate when and if the 7021 clause should be included in a defense contract at all. In this episode we're looking at the other side of the coin to the infamous CMMC DFARS clause. Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of DFARS 7008: https://youtu.be/vgrRGIWboKc?si=chKYMNRUea9eqpn- DFARS 7012: https://youtu.be/cy4e28YAkXU?si=OO3IEXYvfGqZQ3op DFARS 7019: https://youtu.be/7gW_82Cus7Y?si=IT2ORlBlZELxxbdu DFARS 7020: https://youtu.be/D4JLkfvB-Ws?si=-hMhIq6dJLxu1NU4 DFARS 7025: https://youtu.be/LtJK-CHuyp8?si=A6WoUGBEEgVxp5Jx DFARS 7009: https://youtu.be/kfecRRrd41w?si=PNXrbcvRLHc5GoUg 32 CFR 170 Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule?_gl=1*1qpc6eg*_up*MQ..*_gs*MQ..
Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 The regulation that finalizes CMMC guidance for DoD contracting officers and program managers officially goes into effect on November 10th, 2025. The highlight of the regulation is the final text of DFARS clause 252.204-7021 which tells contractors which CMMC level they need to achieve in order to take award of a contract. But the regulation also created DFARS provision 252.204-7025 which officially notifies offerors of the requirements contained in the 7021 clause and it's only three paragraphs long! Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
Register for the upcoming webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here It's official: CMMC Phase 1 begins on November 10th, 2025 when the 48 CFR CMMC final rule goes into effect. After that point all new Department of Defense/War contracts will contain some level of CMMC requirement. But just when things seem certain, people are wondering about the recent class deviation regarding DFARS clause 252.204-7021. Is the use of the CMMC clause actually suspended? Spoiler: no, not even close. Final Rule Webinar: https://www.summit7.us/webinars/cmmc-phase-1-the-final-rule-is-here?hsCtaAttrib=195767465874 Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 2025 CMMC Final Rule (48 CFR): https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of Aug Class Deviation: https://www.acq.osd.mil/dpap/policy/policyvault/USA001756-25-DPCAP.pdf
A lot of defense contractors are betting that the DoD will only require CMMC Level 2 self-assessments during the first 12 months of CMMC (“Phase 1”). Since December 2024 there have been three official policies outlining what can be required in Phase 1 and none of them prohibit Level 2 certification assessments. Instead, every policy we can find reinforces the idea that many companies will be required to achieve CMMC Level 2 certification in Phase 1. In this episode we walk through all 3 policies so you can decide for yourself if that's a risk you want to take with your business. Summit 7 Live: https://www.summit7.us/S7Live Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo 32 CFR 170.3(e): https://www.ecfr.gov/current/title-32/part-170#p-170.3(e) The January Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf The July Memo (PDF): https://dodprocurementtoolbox.com/uploads/PTDO_Do_D_CIO_Memo_Resources_for_CMMC_Implemtation_dtd_20250728_25_T_2704_cleared_20250807_e53aa02e78.pdf
The Summer is all but over, but that's ok because the CMMC program is just getting started! On this week's episode, we cover the Cyber AB's Monthly Townhall for August and break down all the things you need to know. Things like: • Did assessment progress slow down? • Are there any reported failures? • Are people finally interpreting the 10-day post assessment rule correctly? • Will the DoD be represented at CS5? • What is the C3PAO Advisory Council? And so much more... Tune in to find out! Summit 7 Live: https://www.summit7.us/S7Live Women of CMMC Dinner: https://cs5global.org/women-of-cmmc-dinner/ Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall
Register for Secure The DIB: https://www.summit7.us/secure-the-dib-2025 Golden Dome promises to be one of the largest and most complex defense initiatives in American history. Countless contractors, subcontractors, and suppliers will be called on to help build the ultimate system of systems. But those suppliers are the targets of cyber espionage, disruption, and IP theft – regardless of their size. So it's no surprise that as the Golden Dome program lifts off, the DoD is out in front with some pretty intense cybersecurity requirements. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=KvezY7Vu7zXf9qYZ
Register for Secure The DIB: https://securethedib.us/ Voluntarily disclose your DFARS cybersecurity noncompliance? That'll be $1.75M, please. This week we're looking at the details of a recent False Claims Act settlement involving a small defense contractor. Turns out that mistaking export controls for cyber controls and relying on the wrong external service providers can cost you a lot of money. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DOJ Settlement: https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims DFARS 7012: https://youtu.be/cy4e28YAkXU?si=KvezY7Vu7zXf9qYZ
Register for Secure The DIB: https://www.summit7.us/secure-the-dib-2025 We can't remember a 30-day stretch in the history of CMMC that had more milestones and memos than July 2025. The ecosystem is closing in on 300 Level 2 certified companies, mega primes have put everyone on notice, the phased roll-out is weeks away, the secretary of defense, the Army Corps of Engineers, you name it – everybody is gearing up for the big day. This week we're talking about 5 things you might have missed while on summer vacation. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Secure the DIB: https://www.summit7.us/secure-the-dib-2025 Lockheed Memo: https://youtu.be/gMHWhXhe_Uo?si=FtkziMSqBWfzWAWp SECDEF Memo: https://media.defense.gov/2025/Jul/22/2003759081/-1/-1/1/ENHANCING-SECURITY-PROTOCOLS-FOR-THE-DEPARTMENT-OF-DEFENSE.PDF 48 CFR Progress: https://youtu.be/Q2qeJhA4oIs?si=b1bRqxcR0MbTOWIj USACE Notice: https://sam.gov/workspace/contract/opp/0b14a472d53b454ea6bca0893b2647d0/view
Register for Secure The DIB: https://www.summit7.us/secure-the-dib-2025 The Cyber AB brought the CMMC Ecosystem together once again for the July 2025 installment of their monthly Town Hall series. Join us for this week's show as we discuss all the information distributed during the meeting that you need to know; answers to questions like: After your assessment, you get 10 days to do what? How many CMMC assessments took place in July? Does anyone fail their assessment, and do they keep track of them? And so much more... Tune in to find out! Secure the DIB: https://www.summit7.us/secure-the-dib-2025 CMMC Just Crossed A *Huge* Rulemaking Milestone: https://youtu.be/Q2qeJhA4oIs?si=IQ1bYI6jH3VGuxAa Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall
Register for Secure The DIB: https://www.summit7.us/secure-the-dib-2025 The final rule that allows DoD to include CMMC requirements in defense contracts and solicitations has officially moved into regulatory review. This is the last milestone before official publication and the start of the CMMC “phased roll-out”. Because this final rule simply implements CMMC policy that went into effect in December 2024, we believe CMMC will start showing up in contracts as early as late October. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Secure the DIB: https://www.summit7.us/secure-the-dib-2025 Self-Assessments/Waivers: https://youtu.be/LTgmrsFGr9s?si=jm7U4s4vQpgvj4J- PALT: https://youtu.be/NZs4f5voyrg?si=mjzethgW61SLad7t
Register for Secure The DIB 2025: https://www.summit7.us/secure-the-dib-2025 When it comes to cyber incident reporting requirements people are always concerned with how well the government will protect a company's breach information. When the DoD overhauled contractor cyber requirements in 2016 to focus on incident reporting they included a clause that specifically addresses those concerns: DFARS 252.204-7009. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo OPM Data Breach: https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach DFARS 7008: https://youtu.be/vgrRGIWboKc?si=g4vc5bKG6Y6G-DDo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=ImBm-iI6mh3Xs1sF DFARS 7019: https://youtu.be/7gW_82Cus7Y?si=LxB__5jeSuJMoL5C DFARS 7020: https://youtu.be/D4JLkfvB-Ws?si=YG6CRn2w7rRv2Ofo
An industry event for DoD Contractors & Higher Education Institutions: https://www.summit7.us/secure-the-dib-2025 Lockheed Martin wants their suppliers to know two things. First, suppliers should be fully and confidently compliant with existing DFARS cybersecurity requirements. Second, suppliers should be fully transitioned to the “Cybersecurity Compliance and Risk Assessment” tool. All of this before CMMC ever shows up in contracts. This shouldn't come as a surprise to anyone because this is the 6th CMMC memo from Lockheed in the last 18 months. This week we take a look at each one to see where things are headed (hint: they all say the same thing). Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Blog: https://www.summit7.us/blog/lockheed-martin-pushes-suppliers-toward-urgent-cybersecurity-compliance Lockheed Memo: https://www.lockheedmartin.com/en-us/suppliers/news/features/2025/cybersecurity-program-rule.html Memo Recap: https://youtu.be/IKpH2F259J8?si=qmCyo4Mi57UvMx0g DFARS 7012: https://youtu.be/cy4e28YAkXU?si=RJwhoS6NrZJgo9Xj DFARS 7012 Class Deviation: https://youtu.be/voziZRAMvv4?si=Pm3mtgR338PE3B7b DFARS 7020: https://youtu.be/D4JLkfvB-Ws?si=aa45Tr3_UhtbtH4t
Continuing our back-to-basics series of the “DFARS Cyber Series” of provisions and clauses brings us to clause 252.204-7020. This clause applies to defense contractors who are required to comply with DFARS clause 252.204-7012. Through DFARS 7020 the DoD reserves the right to conduct a higher-level assessment of a contractor's cybersecurity compliance. Additionally, defense contractors must give DoD assessors full access to their facilities, systems, and personnel. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7008: https://youtu.be/vgrRGIWboKc?si=g4vc5bKG6Y6G-DDo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=ImBm-iI6mh3Xs1sF DFARS 7019: https://youtu.be/7gW_82Cus7Y?si=LxB__5jeSuJMoL5C
The Cyber AB brought the CMMC Ecosystem together once again for the June 2025 installment of their monthly Town Hall series. Join us for this week's show as we discuss all the information distributed during the meeting that you need to know; answers to questions like: Is the Ecosystem growing? How many certifications were awarded this month? Does Microsoft have to be at my assessment? And so much more... Tune in to find out! Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall
System Security Plans are the single most fundamental documents underpinning cybersecurity compliance for defense contractors. But even after nearly 40 years of using SSPs for federal information systems there are essentially zero examples of what good looks like. Thankfully NIST is revising SP 800-18 guidance on developing SSPs and wants your comments. This is a crash course on SSPs so you can get caught up before the July 30th comment deadline. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7008: https://youtu.be/vgrRGIWboKc?si=g4vc5bKG6Y6G-DDo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=ImBm-iI6mh3Xs1sF DFARS 7019: https://youtu.be/7gW_82Cus7Y?si=LxB__5jeSuJMoL5C NIST SP 800-18r2: https://csrc.nist.gov/pubs/sp/800/18/r2/ipd#:~:text=NIST%20Special%20Publication%20800%2D18r2,and%20mission%2Fbusiness%20process%20requirements. NIST SP 800-18r1: https://csrc.nist.gov/pubs/sp/800/18/r1/final The History of CMMC: https://youtu.be/jbY2irZ1ePg?si=_Ay66UqRUU9ShhJV
The CMMC program has been in effect for six months and hundreds of early adopters have achieved CMMC Level 2 status. Today we speak with Fernando Machado, managing principal at Cybersec Investments, an authorized C3PAO. Fernando has completed 25 CMMC Level 2 assessments and he has a ton of valuable takeaways to share. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Fernando (LinkedIn): https://www.linkedin.com/in/fernando-machado-cissp-cism-cca-ccp-5b5581124/ Fernando pod (Dec 2024): https://youtu.be/KKJtW4G44WA?si=qzAnzp7_VrCl2Rdu
We're back to basics this week with DFARS provision 252.204-7019. SPRS scores? DIBCAC High assessments? DoD Assessment Methodology? It all started in 2020 with a humble four paragraph provision that was overshadowed by CMMC 1.0. These days the Department of Justice is settling False Claims Act lawsuits for millions and defense contracts aren't getting renewed all thanks to the DFARS cyber provision everyone loves to forget.
The Cyber AB has once again convened the CMMC ecosystem to deliver the monthly Town Hall covering the latest news and information about the CMMC Program. Join Jason and Joy as they talk about the latest ecosystem happenings for the month of May. There has been another branding change, an event-filled week in Vegas, more conversations around 10-day re-evaluation periods for CMMC assessments, stats on completed assessments and ecosystem growth, ESP and CSP clarification, and so much more... Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall
The CMMC program regulation went into effect in December 2024, but the DoD can't insert CMMC requirements in contracts until they finish revising regulatory contract clause language. The window for the long-awaited contract clause final rule is opening next month. We predict that CMMC will start showing up in defense contracts between June and October 2025. Episode Links: Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=enUg-mPyZgl3FlYK PALT: https://youtu.be/NZs4f5voyrg?si=KOEiREzXFe5LNAXZ Katie's Keynote: https://youtu.be/OrPsD24j2Es?si=NSyhli9NW7Y1HJSH Contractor noncompliance: https://youtu.be/lsiR1KSQKUo?si=hSGzUzJFj1x8PT48