Secure Talk Podcast

Inside CMMC Implementation: What November 10th Means for Defense Contractors | Secure Talk with Bob Kolasky

Update: 2025-11-04

Description

Bob Kolasky walked the halls where CMMC was built. As founding director of CISA's National Risk Management Center, he watched the policy evolve from concept to pilot program to a final federal rule, surviving three presidential administrations because the underlying need never changed.


On November 10, 2025, that policy becomes mandatory reality for every defense contractor pursuing new DoD solicitations. Self-certification ends. Independent verification begins. And the defense industrial base faces its most significant security transformation in a generation.

In this conversation with Justin Beals, Bob explains what contractors need to understand about the deadline—and what recent enforcement actions reveal about gaps that have existed all along.


From Honor System to Accountability:

For years, defense contractors self-certified compliance with NIST 800-171 cybersecurity requirements. The system worked on trust. Contractors checked boxes, DoD accepted attestations, and controlled unclassified information flowed through supply chains with security gaps nobody was measuring.


Then came the settlements. Raytheon paid $8.4 million for failing basic security controls—no antivirus software on systems handling defense information, no system security plans, missing access controls. Penn State settled $1.25 million across 15 contracts. Georgia Tech paid $875,000 in the first DOJ intervention in a cybersecurity False Claims Act case.

These weren't breaches. These were preventable failures that contractors had certified didn't exist.

Katie Arrington's warning to the industry has been consistent: "If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014." Translation: adversaries are watching, and contractors broadcasting difficulties are revealing exactly where vulnerabilities exist.


The November 10th Framework:

After this deadline, every new contract solicitation includes CMMC requirements matched to data sensitivity:

Level 1 covers federal contract information (FCI) and is met through an annual self-assessment, with the result posted to SPRS. Level 2 covers controlled unclassified information (CUI) and, for most contracts, requires a certification assessment by an independent C3PAO, which Bob estimates affects roughly 35% of DoD's contractor base. Level 3 applies to breakthrough technology and high-value CUI aggregations and is assessed directly by the government (DIBCAC), on top of a Level 2 certification.

The quantitative approach represents a shift. Rather than a single pass/fail checkbox, contractors receive a score out of 110 that reflects how many NIST SP 800-171 requirements are actually met. A score of at least 88 out of 110 qualifies for Level 2 conditional status with a plan of action and milestones (POA&M), provided the open items are closed and reassessed within 180 days. These numbers measure real capabilities across incident response, access control, and continuous monitoring.


The Supply Chain Ripple Effect:


Prime contractors bear new responsibility for subcontractor compliance. Before contract award, they must verify—not just accept—that subs meet requirements. Security questionnaires aren't sufficient anymore. Primes need evidence, validation, and continuous visibility.

An affirming official, typically a senior executive, personally affirms to the government in SPRS that the organization meets and continues to meet its CMMC requirements, including flowing the right level down to subcontractors. Because a false affirmation is a False Claims Act exposure, this accountability changes relationships throughout the defense industrial base.


Practical Considerations:

Bob addresses the questions contractors are asking: How do you define system boundaries when CUI flows through your infrastructure? Why does each information system need a unique CMMC identifier? What does "current CMMC status" mean for maintaining certification? How do you schedule C3PAO assessments when capacity is limited and 35% of contractors need certification?


He also explains why technology becomes essential—automating compliance evidence collection makes continuous monitoring feasible without massive security staff increases. And he's candid about what the next two years bring: with Kirsten Davies nominated as new CIO and Katie Arrington driving implementation, expect aggressive rollout through 2026.


Why This Policy Survived:

Bob's experience spans Obama, Trump, and Biden administrations. The CMMC framework persisted through every transition because supply chain security isn't a partisan issue—it's a national defense imperative. Now at Exiger advising defense contractors, Bob bridges the gap between policy intent and practical implementation.


This conversation provides clarity on November 10th's real meaning: not just a compliance deadline, but a fundamental shift in how the defense industrial base secures the supply chain supporting national security.


Guest: Bob Kolasky, SVP Critical Infrastructure at Exiger | Former Founding Director, CISA National Risk Management Center | 15 years shaping federal cybersecurity policy

#CMMC #November10th #DefenseContracting #Cybersecurity #DFARS #CISA #SupplyChainSecurity #DIB #ComplianceDeadline #NationalSecurity


Justin Beals