Sum IT Up: CMMC News Roundup

Hosted by Summit 7

Technology

Website RSS feed

Episodes

161

Latest episode

Jun 2026

Language

EN-US

About the show

It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This weekly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

Listen to episodes

60 recent

June 11, 202619 min

We Predicted 2026. Here's What We Got Right (and Wrong) About CMMC

Back in January, we made seven predictions about where the CMMC ecosystem would be by the end of 2026. Now that we're halfway through the year, we're checking the scoreboard. In this episode: • Level 2 certification growth • False Claims Act enforcement trends • Funding and compliance assistance programs • The FAR CUI rule • CMMC 3.0 and NIST SP 800-171 Rev. 3 • Early Level 3 activity • What the GAO report actually found Some predictions are looking strong. Others are too close to call. And at least one is trending in the wrong direction. Here's our mid-year reality check on CMMC in 2026. Register for Summit 7 Live: https://www.summit7.us/s7live 2026 Predictions (January): https://youtu.be/WxgGtKpF3_s?si=I9MfjmkBDojCRThv GAO Report podcast: https://youtu.be/U0VhiN3qpdE?si=lD-Pbl3vyfbIMPw7 NCODE for SMBs: https://www.summit7.us/blog/ncode-contract-award Assessment Capacity podcast: https://youtu.be/e_1FztgNCHM?si=PdpkkVk3SSa1V4-2 CIRCIA update: https://youtu.be/bvwnNSpDZgU?si=bS0ARRUfvvzLemmK

June 4, 202622 min

The Cyber Rule Everyone Forgot About Just Came Back

Remember CIRCIA? The proposed rule would create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 critical infrastructure sectors, including the Defense Industrial Base. Now CISA is holding a new round of town halls to gather feedback before issuing a final rule. In this episode, we explain why CIRCIA isn't just another version of DFARS 252.204-7012, the seven biggest differences defense contractors need to understand, and why the upcoming town halls may be the DIB's best opportunity to influence the final rule. Registration links for the CIRCIA Town Halls are included below. Register for Summit 7 Live: https://www.summit7.us/s7live CIRCIA Town Halls: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia CIRCIA Proposed Rule Pod (2024): https://youtu.be/ngYSaO5fg5Y?si=VoVW54QvAzKe6r-r Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements Congressional Research Service Report (PDF): https://www.congress.gov/crs-product/R48025 CIRCIA Hearing: https://homeland.house.gov/hearing/surveying-circia-sector-perspectives-on-the-notice-of-proposed-rulemaking/

May 28, 202625 min

May Cyber AB Town Hall Recap

The Cyber AB brought the ecosystem together to deliver pretty exciting news during the May monthly town hall. Join us for this week's episode as we break down some of the topics a little deeper to see what it actually means for the ecosystem. Things like: • Has production accelerated within the ecosystem? • Who is the new EVP of the Cyber AB? • Who actually attends these meetings? And so much more...Tune in to find out! Cyber AB TH Replay's: https://cyberab.org/News-Events/Town-Hall ISACA Website: https://www.isaca.org/ T3 Inquiries (older than 6 months): https://dowcio.war.gov/CMMC/Contact/ NIST SP 800-145: https://csrc.nist.gov/pubs/sp/800/145/final

May 21, 202618 min

DoD Updated the CMMC FAQs Again

DoD has updated the CMMC FAQs again, and the revision history doesn't tell the full story. In this episode, we break down the most important FAQ 2.3 changes, including significant changes, annual affirmations, CMMC UIDs, joint ventures, hard-copy CUI, and why the Affirming Official is one of the most important CMMC roles inside your company. Register for Summit 7 Live: https://www.summit7.us/s7live 100 Level 2-Certified Clients: https://www.summit7.us/blog/100-cmmc-l2-certified-clients NCODE: https://www.summit7.us/blog/ncode-contract-award CMMC FAQs: https://dodcio.defense.gov/CMMC/ January FAQ Pod: https://youtu.be/8ZxqqH0zws8?si=m5n8WQttWsZV8n24 Paper CUI Pod: https://youtu.be/lcIaxVBjyr0?si=17LdlP92NuCGa_ph

May 14, 202626 min

Lessons Learned from 100 Level 2 Client Certifications

It's milestone season in the CMMC world. Just six months into the Phased Rollout and there are 2.5x more Level 2 certifications than DoD expected. Meanwhile, a significant portion of those certs are Summit 7 clients. We now work with more than 100 Level 2 certified companies. Last but not least, Summit 7 was awarded the Army's NCODE contract to help bring secure and compliant enclaves to micro-sized defense contractors. Exciting times. Register for Summit 7 Live: https://www.summit7.us/s7live 100 Level 2-Certified Clients: https://www.summit7.us/blog/100-cmmc-l2-certified-clients NCODE: https://www.summit7.us/blog/ncode-contract-award

May 7, 202628 min

The Numbers Behind CMMC Assessment Capacity

Everyone keeps saying there aren't enough CMMC assessors. The data tells a very different story. In this episode we break down actual assessment capacity using the current number of certified assessors, DoD's rollout estimates, and capacity growth rates across the ecosystem. How quickly is the ecosystem scaling toward future demand targets of 16,000 and even 25,000 assessments per year? Turns out the real bottleneck isn't assessor capacity at all. ... Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679

April 30, 202628 min

April Cyber AB Town Hall Recap

We are back at it again with another rundown of the Cyber AB's monthly town hall and there sure was a lot of valuable information distributed during the meeting. Join us for this episode of we discuss some of the key information dished out this month and weigh on any impact it may have on the CMMC Program. Things like: • Changes in ecosystem engagement? • Do we have enough steps are in the T3 process? • Has certification output increased? And so much more...Tune in to find out! Cyber AB TH Replay's: https://cyberab.org/News-Events/Town-Hall ISACA Website: https://www.isaca.org/ T3 Inquiries (older than 6 months): https://dowcio.war.gov/CMMC/Contact/

April 23, 202620 min

L3Harris Won a Big Contract, Now You Need CMMC By July

L3Harris Missile Solutions recently sent a letter informing their suppliers that they will need to achieve CMMC Level 2 (C3PAO) Status by July, 30th 2026. Two weeks later, L3Harris announced that they had been awarded a new contract for the Army Tactical Missile System. Coincidence? We think not. Not only do subcontractors need to provide their Level 2 certification, they also need to provide their Level 2 assessment report. This week we talk about whether this is an anomaly or a sign of things to come. Register for Summit 7 Live: https://www.summit7.us/s7live L3Harris Letter: https://www.summit7.us/blog/l3harris-supply-chain-notice Primes can't waive CMMC: https://youtu.be/haVzS8j7Qz4?si=F2RICMKbCNRu-1uh CMMC CAP (PDF): https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf

April 16, 202621 min

NIST 800-171 rev. 3 is Coming ... But Not How You Think

NIST SP 800-171 Revision 3 has been out for two years. DFARS 252.204-7012 says to use the most current version. So why are defense contractors still using Revision 2? Because they're supposed to. In this episode, we break down the temporary rule that overrides the DFARS clause and keeps the entire ecosystem aligned on Revision 2. We cover: • What a class deviation actually is and why it matters • Why DoD had to pause the shift to Revision 3 • How CMMC rulemaking controls the transition • And when Revision 3 will realistically start showing up in contracts Bottom line: contractors aren't behind. The rules haven't changed yet. ....... Register for Summit 7 Live: https://www.summit7.us/s7live 171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final DFARS 7012 deviation (PDF): https://www.acq.osd.mil/dpap/policy/policyvault/USA001074-24-DPC.pdf 32 CFR 170: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170 Class deviation podcast: https://youtu.be/voziZRAMvv4?si=3xHm7I_gIeQTQxLf Class deviation press release: https://www.war.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/

April 9, 202632 min

CMMC Level 2 Assessment: What to Expect (Insights from 100 assessments)

This week we sit down with a C3PAO who has completed over 100 CMMC Level 2 assessments. We chat cost, timeframe, assessor backlogs and the most common issues facing defense contractors. Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679