PODCAST · business
CMMC News by Jun Cyber
by Wilson Bautista Jr.
This podcast is dedicated to those who want to stay up to date with Cybersecurity Maturity Model Certification news. It uses NotebookLM to synthesize news articles from Jun Cyber's blog as well as other official CMMC documentation and produces a podcast.

Podcast Description Disclaimer: The content presented in CMMC News is generated by AI and is intended for informational and educational purposes only. It should not be taken as official guidance for Cybersecurity Maturity Model Certification (CMMC) compliance. For accurate and tailored advice, we recommend consulting a qualified CMMC consultant or reaching out to Jun Cyber directly. Always rely on certified experts for guidance specific to your organization's needs.
-
43
CMMC and the Future of DoD Contracts
CMMC isn’t just another compliance box to check anymore—it’s quickly becoming the line between companies that win contracts and those that don’t. 🚧

In this update, we dive into how CMMC is acting as a true market filter across the defense space. Organizations that can prove their cybersecurity practices are working—consistently and under pressure—are pulling ahead, while others are starting to feel the impact of being unprepared. 📉📈

This isn’t about having policies sitting on a shelf. It’s about real-world execution, accountability, and being ready when it counts. 🔍

We break down what this shift means for your business, why so many companies are underestimating the level of verification required, and what you should be doing now to stay competitive. 💼

If you’re in the defense industrial base, the message is clear: adapt early, or risk being filtered out. ⚠️
-
42
CMMC = Business Survival
CMMC isn’t just another requirement—it’s becoming a matter of survival for defense contractors. ⚙️

Right now, companies across the defense industrial base are realizing that compliance isn’t optional anymore. If you can’t meet CMMC expectations, you’re not just at risk… you’re out of the running entirely. 🚫

This update breaks down what that actually looks like in today’s environment. It’s not about having policies written down—it’s about proving your systems work, every day, under real scrutiny. 🔍

We talk about the shift from “getting compliant” to staying continuously ready, and why so many organizations are underestimating what it takes to pass. 📊

The bottom line is simple: the companies that adapt early will survive—and the ones that don’t will be filtered out. ⚠️
-
41
The Fraud Risk Behind CMMC Reporting
CMMC compliance isn’t just a technical requirement — it carries serious federal fraud risk.

As contractors submit assessments, affirmations, and SPRS scores, any misrepresentation—intentional or not—can trigger scrutiny under federal fraud statutes. The stakes go far beyond cybersecurity, reaching into legal, financial, and reputational consequences.

In this episode, we break down where these risks come from and how contractors can avoid crossing the line.

🎙️ Key Topics Covered:
How CMMC compliance ties into federal fraud enforcement
The risks of inaccurate reporting and overstatements
Where contractors commonly make compliance mistakes
Why documentation and validation are critical
Steps to reduce exposure and stay aligned with DoD expectations

In today’s environment, compliance isn’t just about passing—it’s about proving your claims are accurate and defensible.

#CMMC #CMMC2 #CyberCompliance #FederalFraud #DefenseContractors #DoD #DFARS #CUI #LegalRisk #GovCon
-
40
CMMC Compliance & the False Claims Act
CMMC compliance isn’t just about cybersecurity — it’s about legal accountability.

As enforcement strengthens, inaccurate reporting, false attestations, or overstated compliance could expose contractors to False Claims Act (FCA) liability. That means compliance failures aren’t just operational risks — they can become serious legal and financial consequences.

In this episode, we break down how CMMC and the False Claims Act intersect, and what contractors must do to protect themselves.

🎙️ Key Topics Covered:
How FCA liability applies to CMMC compliance
The risks of inaccurate SPRS scores and affirmations
What “truthful representation” means under DoD expectations
Real consequences of misreporting compliance status
How to reduce legal exposure through proper documentation and controls

CMMC isn’t just about passing an assessment — it’s about standing behind your claims.

#CMMC #CMMC2 #FalseClaimsAct #CyberCompliance #DefenseContractors #DoD #DFARS #CUI #LegalRisk #GovCon
-
39
CMMC: If You Can’t Prove It, You Don’t Have It.
CMMC isn’t about paperwork. It’s about proving you can protect Controlled Unclassified Information when it actually matters.

This soundbite breaks down a hard truth about CMMC 2.0 that many contractors are still missing—and why treating compliance as a documentation exercise is a strategic mistake.

🎙️ What’s Inside:
✅ The biggest misconception about CMMC Level 2
✅ Why evidence—not intent—determines your outcome
✅ How assessors evaluate control effectiveness
✅ The operational gap between policy and execution
✅ What defense contractors must fix before assessment

If you’re operating in the Defense Industrial Base, this is not theoretical. The difference between “we have a policy” and “we can prove it works” will determine whether you pass or fail.

Listen carefully. Then evaluate your program honestly.

#CMMC #CMMCLevel2 #NIST800171 #DFARS #DefenseContractors #CyberCompliance #GRC #DIB
-
38
CMMC Level 2 and the Supply Chain Impact
CMMC Level 2 is more than a compliance requirement — it’s a supply chain stress test for the Defense Industrial Base.

As enforcement tightens, many small and mid-sized suppliers are struggling to meet Level 2 requirements. The result? Gaps, delays, and fractures across defense supply chains that primes can’t ignore.

In this episode, we break down how CMMC Level 2 is reshaping supplier relationships and why compliance readiness now directly affects operational continuity.

🎙️ Key Topics Covered:
Why Level 2 creates pressure on smaller suppliers
How primes are reassessing subcontractor risk
Where supply chain fractures are already appearing
The long-term implications for defense contracting
What organizations can do to stabilize compliance and continuity

CMMC Level 2 isn’t just a cybersecurity issue — it’s a business and supply chain reality.

#CMMC #CMMC2 #DefenseSupplyChain #CyberCompliance #DefenseContractors #DoD #CUI #DFARS #RiskManagement #GovCon
-
37
The Coming CMMC Audit Crunch
As CMMC enforcement accelerates, a new challenge is emerging — audit capacity. By 2026, the Defense Industrial Base is expected to face a significant CMMC audit bottleneck, with far more contractors needing assessments than the system can quickly support.

In this episode, we break down why this bottleneck is coming, what it means for contract timelines, and how contractors can avoid getting stuck in line.

🎙️ Key Topics Covered:
Why CMMC audit demand will peak in 2026
The limits of assessor and C3PAO capacity
How delays could impact contract eligibility
Why readiness before enforcement matters more than ever
Strategies to stay ahead of the audit crunch

CMMC compliance isn’t just about meeting requirements — it’s about timing. Those who wait may find there’s no room left in the schedule.

#CMMC #CMMC2 #DefenseContractors #DoD #CyberCompliance #DFARS #CUI #AuditReadiness #GovCon #RiskManagement
-
36
AI’s Role in Scaling CMMC Assessments
CMMC compliance isn’t just a security challenge — it’s a scale problem. With thousands of contractors needing assessments and limited assessor capacity, the system is under strain.

In this episode, we explore how AI can help solve the CMMC assessment bottleneck by accelerating readiness, improving evidence mapping, and reducing friction before formal evaluations even begin.

🎙️ What’s Covered:
Why the current assessment model doesn’t scale on its own
How AI supports control mapping and evidence preparation
Where automation helps (and where humans still matter)
How contractors can use AI to get assessment-ready faster

CMMC isn’t slowing down — and neither can the assessment process. AI may be the key to keeping pace.

#CMMC #CMMC2 #AI #CyberCompliance #DefenseContractors #DoD #CyberSecurity #AssessmentReadiness #GovCon #RiskManagement
-
35
The CMMC Waiting Game Is Over
For years, contractors have waited—on timelines, enforcement, and clarity. That waiting game is over.

CMMC enforcement is real, expectations are defined, and the DoD is moving forward. In this episode, we explain why delay is now the biggest risk and what defense contractors must do to move from planning to execution.

🎙️ Key Takeaways:
✅ Why CMMC delays are no longer a viable strategy
✅ What’s changed under the Final Rule
✅ How enforcement reshapes contract eligibility
✅ The immediate actions contractors should prioritize

CMMC is no longer something to prepare for “eventually.” It’s here—and action is required now.

#CMMC #CMMC2 #DoD #DefenseContractors #CyberCompliance #DFARS #CUI #CyberSecurity #GovCon
-
34
CMMC Compliance: The Competitive Reality
CMMC compliance is no longer just about checking a box—it’s about staying competitive.

As enforcement advances, contractors who are compliant aren’t just meeting requirements—they’re positioning themselves ahead of the pack. In this episode, we break down how CMMC has shifted from a regulatory hurdle to a market differentiator within the Defense Industrial Base.

🎙️ What’s Covered:
✅ Why CMMC readiness now influences contract awards
✅ How primes are evaluating subs through a compliance lens
✅ The real business consequences of delaying action
✅ What “competitive compliance” looks like moving forward

In today’s environment, cybersecurity maturity isn’t optional—it’s part of how winners are chosen.

#CMMC #CMMC2 #CyberCompliance #DefenseContractors #DoD #CUI #CyberSecurity #DFARS #RiskManagement #DefenseIndustry
-
33
CMMC Deadline: What Contractors Must Do Now
-
32
CMMC Facts Every Contractor Needs
There’s a lot of noise around CMMC — shifting dates, mixed messages, and assumptions that can put contractors at risk. This clip cuts through the confusion and lays out what’s actually true about CMMC compliance versus what the industry keeps getting wrong.

🎯 You’ll Learn:
✅ The real requirements contractors must meet
✅ Common myths that lead to dangerous delays
✅ What the Final Rule actually enforces
✅ Why relying on rumors can cost contract eligibility

Clear facts, no guessing — exactly what contractors need to stay aligned with DoD expectations.

#CMMC #CMMC2 #Cybersecurity #DFARS #GovCon #DoD #DefenseContractors #Compliance #CUI #CyberReadiness
-
31
CMMC Timelines Explained
CMMC timelines are shifting fast — and the confusion between forecasted dates and actual, enforceable deadlines is creating major risks for defense contractors.

In this clip, we break down the real facts behind CMMC rollout dates, the truth about UIDs, and what organizations must track to stay ahead of compliance requirements.

🎯 Key Points Covered:
✅ The difference between official timelines and industry forecasts
✅ What UIDs really mean for contractors moving forward
✅ Why relying on guesses can put eligibility at risk
✅ How to align your planning with the Final Rule

If you’re preparing for CMMC 2.0, understanding the facts—not the rumors—is essential.

#CMMC #CMMC2 #DoD #DefenseContractors #Cybersecurity #Compliance #DFARS #CUI #CyberReadiness #GovCon
-
30
CMMC Final Rule Is Live - Your Mandatory Compliance Checklist
-
29
CMMC 2.0: The Actions You Must Take Now
-
28
Your Mandatory Guide to CMMC’s Final Rule
CMMC 2.0’s Final Rule isn’t just about meeting security controls—it’s about mandatory documentation and validation. 📋⚙️

In this essential episode, we break down how SPRS affirmations, UID tracking, and DFARS updates come together under the new rule—and what every contractor needs to file to stay eligible for DoD contracts.

🎙️ Here’s what you’ll learn:
✅ How to properly submit and maintain your SPRS score
✅ Why UID numbers are now central to compliance tracking
✅ What “affirmation of accuracy” really means under CMMC 2.0
✅ Documentation mistakes that can cost you contract eligibility
✅ The compliance workflow your team should implement now

CMMC compliance is no longer optional—it’s auditable, trackable, and enforceable.

#CMMC #DFARS #SPRS #CyberCompliance #DefenseContractors #CUI #CyberSecurity #CMMC2 #DoD #RiskManagement
-
27
CMMC Paradox: Why Contractors Can’t Wait
Even with a government shutdown, the CMMC compliance clock keeps ticking. ⏰🔐

In this episode, we uncover the paradox facing defense contractors: while agencies pause, cybersecurity deadlines don’t. The DoD’s timelines, affirmations, and enforcement plans continue to move forward—leaving unprepared firms at risk when operations resume.

🎙️ Here’s what you’ll learn:
✅ How the shutdown impacts CMMC implementation (and how it doesn’t)
✅ Why contractors should use this time to accelerate readiness
✅ What happens to assessments, SPRS, and DFARS reporting
✅ The cost of waiting until after the shutdown to act
✅ How proactive firms are gaining an edge right now

Government may be on pause—but CMMC is not.

#CMMC #CMMC2 #DoD #CyberCompliance #GovernmentShutdown #DefenseContractors #CUI #CyberSecurity #RiskManagement #DFARS
-
26
Ready or Not: CMMC 2.0 Final Rule is Here
In this episode, we break down the Department of Defense’s final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to integrate the Cybersecurity Maturity Model Certification (CMMC). We’ll cover what these new contractual obligations mean for contractors, including self-assessment reporting in SPRS, continuous compliance affirmations, and the phased rollout of CMMC requirements. Join us as we unpack key definitions, address industry concerns, and highlight how these changes impact the defense industrial base.
-
25
CMMC 2.0 Unpacked: What Defense Contractors Must Know
🚨 CMMC 2.0 Is Rolling Out: Is Your Business Ready?

The latest version of the Cybersecurity Maturity Model Certification (CMMC) is reshaping how contractors handle security across the Defense Industrial Base. From new assessment levels to increased scrutiny, the changes are significant—and noncompliance could cost you contracts.

Understand what’s changed 🧩
Learn how implementation will impact your operations 🛡️
Get expert insights to stay compliant and competitive

👉 Tune in now to hear the full breakdown in our latest episode.

#CMMC #CyberSecurity #DFARS #DefenseContracting #Compliance #CMMC2 #CMMCImplementation #JunCyber
-
24
Manufacturers & CMMC: What to Know
🚨 New Podcast Episode Alert! 🚨

We’re breaking down CMMC Certification Readiness for manufacturers navigating defense contracts 🛡️🏭

If you’re part of the DoD supply chain, this episode is your essential guide to prepping for CMMC success.

🎙️ What’s Inside:
✅ What manufacturers need to know about CMMC 2.0
✅ Common pitfalls and how to avoid them
✅ Steps to get audit-ready without overwhelm
✅ Insights from industry experts and assessors
✅ Aligning NIST 800-171 controls with your business

Don’t get caught off guard—tune in to learn how to protect your contracts, safeguard data, and stay compliant in today’s cybersecurity-first landscape.

#CMMC #Cybersecurity #DIB #DefenseContracting #NIST800171 #AuditReady #Compliance #GovCon #RiskManagement
-
23
Standardizing Security: A Deep Dive into DoD CUI Rules
In this episode of CMMC News, we break down DoD Instruction 5200.48—the Department of Defense’s rulebook for handling Controlled Unclassified Information (CUI). Hosts take you through what CUI really means, why the DoD created a standardized approach, and what it takes to handle, mark, and share sensitive information properly. Learn why it’s critical for both DoD staff and contractors, what the marking and safeguarding requirements look like in real life, and how agencies and industry partners share the responsibility for CUI protection. With insights into NIST 800-171, legacy document handling, day-to-day challenges, and the penalties for missteps, this deep dive gives listeners a practical take on why understanding CUI is essential to compliance and security across the defense ecosystem.
-
22
CMMC 2.0: What Is a C3PAO and What Does It Cost?
If you're a Department of Defense (DoD) contractor, navigating the world of CMMC 2.0 is essential—and it starts with understanding the role of a C3PAO. In this episode, we break down what a CMMC Third-Party Assessment Organization (C3PAO) is, why it matters, and what to expect during a third-party CMMC assessment.

You’ll learn:
What a C3PAO does and how they’re approved
Why passing a C3PAO assessment is non-negotiable for many contracts
What the assessment process looks like from start to finish
How much a CMMC assessment might cost
Tips for finding a trusted C3PAO and preparing effectively

We also share a behind-the-scenes look at Jün Cyber’s own journey toward becoming an authorized C3PAO. Whether you're starting your compliance journey or getting ready for your official assessment, this episode gives you the clarity and confidence to take the next step.

🛡️ Subscribe for more insights on CMMC, compliance tips, and updates from the defense cybersecurity world. Learn more at juncyber.com.
-
21
Navigating New DOD ODP Mandates in NIST SP 800-171 Revision 3
🚨 Working with the Department of Defense or handling Controlled Unclassified Information (CUI)? Here’s what you need to know about the DOD’s new approach to NIST SP 800-171 Revision 3 ODP values.

Just listened to the latest episode of CMMC News, where the hosts did a deep dive into the recent DOD memo standardizing “Organization Defined Parameters” (ODPs) for protecting CUI. If you’re a defense contractor—or work in the DIB—these aren’t just guidelines, they are your new minimums.

🔑 3 Key Takeaways:

No More Guesswork: The DOD has filled in the “blanks” of NIST 800-171 R3 by setting specific ODP values. These are now the baseline for all contractors—think max inactivity timeouts, access control reviews, and patching deadlines.

Timelines Are Tight: Some key numbers to know:
Account inactivity? Disable within 90 days.
Privileged session logoff? Required at end of work period.
High-risk vulnerability patching? 30 days max.
Quarterly updates for password “bad lists” and system inventories.

Documentation & Continuous Vigilance: Annual (or more frequent) reviews for policies, logs, training, and agreements are now required. Plus, always justify and document any deviations or risk-based modifications—the DOD wants your decisions traceable.

The big picture: The DOD is taking out ambiguity. If you handle CUI, you must implement these specific controls—or document strong justification for any flexibility allowed. And these requirements will change as threats evolve, so keep your risk assessments and compliance efforts agile.

Want the full detail? Highly recommend listening to the episode and reviewing both the NIST SP 800-171 R3 standard and the new DOD ODP memo. Stay compliant, stay secure! 💪

See the original PDF here: https://drive.google.com/file/d/1rtgUmlaCiUKst-mHR7Fsz5O95g46hCra/view

#cybersecurity #DoD #NIST #CUI #compliance #riskmanagement #defenseindustry
-
20
Navigating DFARS Clause and Cybersecurity Assessments for DOD Contracts
🔍 Want to stay ahead in the world of government contracts and cybersecurity? Dive into our latest CMMC News episode where we explore the NIST SP 800-171 DoD Assessment Requirements. It's all about breaking through the wall of acronyms and jargon to ensure you know exactly what the Department of Defense expects when it comes to protecting sensitive information.

Here are 3 key takeaways:

Understand Assessment Levels: We break down the three types of cybersecurity assessments — Basic, Medium, and High — and what each level of confidence means for your contract requirements with the DoD.

Supplier Performance Risk System (SPRS): Learn how all assessment scores are recorded in SPRS, the centralized database that helps the DoD gauge the cybersecurity health of its contractors.

Subcontractor Compliance: Discover how these requirements flow down to subcontractors and what obligations primes have to ensure their partners are compliant.

Stay informed, secure those contracts, and fortify your cybersecurity posture! 🎧🔒

#Cybersecurity #DoD #NISTSP800171 #GovernmentContracts #CMMCNews
-
19
SPRS and You: Managing DOD Cybersecurity Expectations
We just dived deep into the Department of Defense's NIST SP 800-171 assessment requirements. This is crucial for any contractor involved with DoD contracts, especially when it comes to cybersecurity. Here are three key takeaways:

Assessment Frequency: If you're implementing NIST SP 800-171, make sure you have a recent assessment conducted within the last three years for every covered information system tied to DoD contracts.

Assessment Levels: There are three types of DoD assessments - Basic, Medium, and High. Understanding which level applies to you and how to proceed can make or break your eligibility for DoD contracts. The details for each can be found in another key document, the NIST SP 800-171 DoD Assessment Methodology.

Reporting Requirements: Once your assessment is complete, post your summary level scores in the Supplier Performance Risk System (SPRS). This is a mandatory step to demonstrate your commitment to cybersecurity, and remember, time is of the essence – scores need to be posted within 30 days of assessment completion.

🔗 If you’re involved in defense contracting, keeping up with these requirements is non-negotiable! Tune into our latest episode for the full breakdown and stay ahead in the ever-evolving landscape of cybersecurity standards.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#DefenseContracting #Cybersecurity #NISTSP800171 #DOD #CMMCNews #PodcastHighlights
-
18
The Essentials of Cyber Incident Reporting for Defense Contractors
Hello LinkedIn community! 🌐 As we delve deeper into the cybersecurity requirements for Department of Defense (DOD) contracts, understanding DFARS Clause 252.204-7012 is crucial. It outlines the safeguarding of covered defense information (CDI) and the protocols for cyber incident reporting. Here are three key takeaways for businesses and contractors engaging with the DOD:

Understanding CDI: It’s essential to recognize what constitutes covered defense information. CDI includes sensitive technical data, like military blueprints and designs, and any information listed in the controlled unclassified information (CUI) registry. Whether provided by the DOD or generated during contract work, this data requires strict protection.

Timely Reporting: In the event of a cyber incident, the clock is ticking. Incidents must be reported to the DOD within 72 hours of discovery. This rapid reporting helps mitigate potential damages and underscores the importance of having efficient processes in place to identify and report any compromises.

Subcontractor Responsibilities: Prime contractors must ensure that subcontractors comply with the same cybersecurity requirements. This includes using the standardized controls outlined in NIST SP 800-171 and ensuring that all reporting protocols are followed. If deviations are necessary, these must be formally requested and approved.

In a world where cybersecurity is critical, adopting such stringent measures not only protects sensitive information but also reinforces the security of the defense industrial base. Let's leverage these practices to enhance data security across various sectors.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CyberSecurity #DOD #DefenseContracts #DataProtection #Compliance #DFARS #CyberIncidentResponse
-
17
Understanding How ESPs Fit into Your CMMC Assessment Puzzle
🌟 Just listened to another insightful episode of the CMMC News podcast, where the hosts take a deep dive into the complexities of CMMC, focusing on ESPs, SPAs, and VDIs. Here's what stood out to me:

🔍 Key Takeaways:

Scoping ESPs in CMMC: The involvement of External Service Providers in the CMMC assessment depends largely on their interaction with Controlled Unclassified Information (CUI) and whether they are a Cloud Service Provider. Non-cloud ESPs processing CUI make the whole service part of your CMMC scope.

VDI Configurations Simplifying Scope: A properly configured Virtual Desktop Infrastructure can simplify CMMC scope by ensuring that local endpoint devices remain out of scope. This requires strict configurations to prevent local processing or storage of CUI.

CRMAs vs. Specialized Assets: Understanding the difference between Contractor Risk Managed Assets (CRMAs) and specialized assets is crucial. While CRMAs can share networks with CUI processing assets without handling CUI, specialized assets often can't meet all security requirements due to their nature.

🎧 If you're navigating the CMMC landscape, definitely give this episode a listen for more practical insights!

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #CyberSecurity #DevSecLead #VDI #ESPs #Compliance
-
16
Secure Your Defense Contracts: Navigating CMMC Levels with NIST Publications
🚀 Exciting Insights from Our Latest Deep Dive on the CMMC News Podcast! 🎧

In our newest episode, we unpack the intricacies of the Cybersecurity Maturity Model Certification (CMMC) and its alignment with NIST standards, essential for those engaged with Department of Defense contracts. Dive into the details with us as we explore practical implications and strategic alignments.

🔹 Key Takeaways:

CMMC Levels Explained: Understand how the different levels of CMMC build upon each other, starting from the foundational Level 1 to the more advanced Level 3, which adds selected NIST SP 800-172 requirements on top of NIST SP 800-171.

Scoring System Nuances: Learn about the scoring methodology for NIST SP 800-171 Rev 2 (the 110-point SPRS score built from 1-, 3- and 5-point requirements), including the partial-credit cases for multifactor authentication and FIPS-validated cryptography.

Preparing for the Transition: The shift to NIST SP 800-171 Rev 3 is on the horizon. Organizations need to stay compliant with Rev 2 while preparing for Rev 3, focusing on gap analysis and updating system security plans.

Tune into the episode for a detailed exploration and ensure your security protocols are robust and compliant. Stay ahead in the defense industrial base with actionable insights and strategies! 🎙️🔍

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #Cybersecurity #NISTStandards #DODContracts #DevSecLeadPodcast
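The scoring nuances mentioned above are easy to get wrong by hand, so here is an added worked example (written for this page; it is not Jun Cyber's code or a DoD tool) that computes a NIST SP 800-171 Rev 2 DoD Assessment score the way the methodology describes: start at 110, subtract each unimplemented requirement's 1-, 3- or 5-point weight, and apply the two partial-credit cases (3.5.3 MFA deployed only for remote and privileged users, 3.13.11 encryption in place but not FIPS-validated), which deduct 3 points instead of 5. The WEIGHTS table is an assumed illustrative subset, and the sample statuses are constructed; take the authoritative per-requirement values from Annex A of the methodology before using this for a real SPRS submission.

```python
"""Compute a NIST SP 800-171 Rev 2 DoD Assessment (SPRS) score from per-requirement status.

Illustrative example added for this page; not code from Jun Cyber or the DoD.
Mechanics per the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract
each unimplemented requirement's weight (1, 3 or 5), with two partial-credit cases
(3.5.3 MFA and 3.13.11 FIPS-validated cryptography) that deduct 3 instead of 5.
WEIGHTS is an assumed subset for illustration; the full table is Annex A of the methodology.
"""
from enum import Enum

MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"  # without a system security plan the assessment cannot be completed


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    # Partial-credit conditions named in the methodology:
    MFA_REMOTE_AND_PRIVILEGED_ONLY = "mfa_partial"   # valid for 3.5.3 only
    ENCRYPTION_NOT_FIPS_VALIDATED = "fips_partial"   # valid for 3.13.11 only


# Assumed subset of requirement weights for illustration (authoritative values: Annex A).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.6": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5,
}

# requirement -> (status that earns partial credit, points deducted in that case)
PARTIAL_CREDIT = {
    "3.5.3": (Status.MFA_REMOTE_AND_PRIVILEGED_ONLY, 3),
    "3.13.11": (Status.ENCRYPTION_NOT_FIPS_VALIDATED, 3),
}


def deduction(req: str, status: Status, weights=WEIGHTS) -> int:
    """Points deducted for one requirement given its implementation status."""
    if req not in weights:
        raise KeyError(f"unknown requirement {req}")
    if status is Status.IMPLEMENTED:
        return 0
    partial = PARTIAL_CREDIT.get(req)
    if partial is not None and status is partial[0]:
        return partial[1]
    if status is not Status.NOT_IMPLEMENTED:
        # A partial-credit status recorded against the wrong requirement is a data error,
        # not a 3-point deduction; refuse rather than silently over-credit the score.
        raise ValueError(f"status {status.value} is not valid for {req}")
    return weights[req]


def sprs_score(statuses: dict, weights=WEIGHTS) -> int:
    """Score = 110 minus deductions for every requirement not fully implemented."""
    if statuses.get(SSP_REQUIREMENT) is Status.NOT_IMPLEMENTED:
        raise ValueError("no system security plan: assessment cannot be completed")
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for {missing}")
    return MAX_SCORE - sum(deduction(r, statuses[r], weights) for r in weights)


def findings(statuses: dict, weights=WEIGHTS) -> dict:
    """Per-requirement deductions greater than zero, i.e. what belongs on the POA&M."""
    return {r: d for r in weights if (d := deduction(r, statuses[r], weights)) > 0}


# Constructed sample: MFA only for remote/privileged users, encryption present but
# not FIPS-validated, and 3.1.22 still open; everything else implemented.
EXAMPLE_STATUSES = {r: Status.IMPLEMENTED for r in WEIGHTS}
EXAMPLE_STATUSES.update({
    SSP_REQUIREMENT: Status.IMPLEMENTED,
    "3.5.3": Status.MFA_REMOTE_AND_PRIVILEGED_ONLY,
    "3.13.11": Status.ENCRYPTION_NOT_FIPS_VALIDATED,
    "3.1.22": Status.NOT_IMPLEMENTED,
})

if __name__ == "__main__":
    print("score:", sprs_score(EXAMPLE_STATUSES))      # 103 for the sample above
    print("findings:", findings(EXAMPLE_STATUSES))
```

For the constructed sample the two partial-credit items cost 3 points each and the open 3.1.22 costs 1, giving 103 rather than the 99 a naive "five points per unimplemented control" tally would produce; the `findings` output is the list that has to be reconciled against the POA&M before the score is affirmed in SPRS.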
-
15
Breaking Down CMMC ESPs and Inherited Controls: What DOD Contractors Need to Know
🚀 New Episode Alert: Navigating CMMC Compliance with ESPs and Inherited Controls 🚀

In our latest episode of CMMC News, we dive deep into the complexities of CMMC compliance and how to effectively manage the relationship with your External Service Providers (ESPs). This episode is packed with insights that are crucial for any DOD contractor aiming to unravel the intricacies of inheriting security controls while maintaining full compliance responsibility. Here's a sneak peek at three key takeaways:

🔹 Own Your Responsibility: Just because your ESP is CMMC certified doesn’t mean you’re off the hook. You're accountable for validating, documenting, and proving those inherited controls work in your environment.

🔹 Clear Role Divisions: Understand the spectrum of responsibilities—fully inherited, partially inherited, and those non-delegable controls that are 100% on you, like user authorization and data classification.

🔹 Audit Readiness is Key: Meticulous documentation is your best friend. Make sure your controls are thoroughly documented in your SSP, supported by concrete evidence to ace that CMMC assessment.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#CMMC #Cybersecurity #DODCompliance #ESPs #SecurityControls #AuditReady
-
14
Choosing a CMMC Consultant: Certification, Experience, and Fit
In this episode of CMMC News, host Wilson Bautista Jr. breaks down the crucial factors to consider when choosing a CMMC consultant. He outlines five essential criteria: ensuring proper CMMC certification, verifying real audit experience, evaluating communication skills, determining consultation needs (assessment vs. implementation), and assessing cultural fit with your organization. Whether you're starting your CMMC journey or preparing for an audit, this episode provides valuable insights to help you avoid costly mistakes and find the right consultant to guide your compliance efforts. Learn how to identify red flags, verify credentials, and make an informed decision that will support your organization's path to CMMC compliance.
-
13
Navigating CMMC Compliance: Selecting the Best C3PAO
Welcome to another episode of CMMC News! Today, we're simplifying the complexities of cybersecurity compliance, specifically diving into how to choose the right CMMC Third-Party Assessment Organization (C3PAO) to guide your organization to CMMC compliance. I'm your host, Wilson Bautista Jr., and in this episode, we'll break down the key considerations to make the right choice. From examining a C3PAO's experience with federal compliance frameworks like NIST SP 800-171 and FedRAMP to assessing their industry expertise, reputation, and communication skills, we'll cover it all. Plus, we'll discuss the importance of verifying accreditation and balancing cost versus value. Tune in as we navigate the steps to ensure you're not just compliant but well-prepared for long-term security. Let's get started!
-
12
Audit of the DoD’s Process for Authorizing Third Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments (Report No. DODIG-2025-056)
A Department of Defense Inspector General audit (DODIG-2025-056) found that the Department of Defense (DoD) inadequately implemented its process for authorizing third-party organizations to conduct Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments. The audit found that the DoD failed to ensure all required steps were completed before authorizing these organizations, increasing the risk of awarding contracts to companies lacking sufficient cybersecurity controls. Two hotline allegations were substantiated. Ten recommendations were issued to improve the authorization process, focusing on implementing quality assurance measures to ensure compliance. The DoD OIG will continue monitoring the DoD's implementation of these recommendations.

Ref: https://www.dodig.mil/In-the-Spotlight/Article/4028197/press-release-audit-of-the-dods-process-for-authorizing-third-party-organizatio/
-
11
FedRAMP Moderate Equivalency for Cloud Service Providers
This memorandum from the Department of Defense outlines requirements for cloud service providers (CSPs) seeking FedRAMP Moderate equivalency. It details the necessary assessments and documentation, including security plans and testing procedures, that CSPs must meet. The memorandum emphasizes the importance of compliance with the specified Defense Federal Acquisition Regulation Supplement (DFARS) clauses. Finally, it clarifies the roles and responsibilities of the contractor, the CSP, and the assessing organizations. The document aims to ensure the security of covered defense information processed by these cloud services.

Ref: https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf
-
10
Congressional Review Act Targets CMMC Rollback
Representative Gary Palmer introduced a resolution to overturn a Pentagon rule establishing the Cybersecurity Maturity Model Certification (CMMC) program. This Congressional Review Act resolution aims to allow Congress a vote on significant regulatory actions. The Department of Defense completed the necessary steps to implement the CMMC rule, which adds third-party assessments to existing cybersecurity standards for contractors. While some stakeholders support CMMC for improving cybersecurity and enabling more efficient compliance, the resolution's success is uncertain due to limited legislative support. The resolution's goal is to ensure Congressional oversight of major rules impacting the public, not necessarily to oppose CMMC itself. Opponents warn that halting CMMC could jeopardize the defense industrial base's efforts toward cybersecurity compliance.
Ref: https://insidedefense.com/insider/lawmaker-introduces-resolution-roll-back-cmmc-program-final-rule
-
9
Defining the Scope: A Guide to Level 3 CMMC Assessments
In this episode of CMMC News, we dive into the guidance for defining the scope of a Level 3 Cybersecurity Maturity Model Certification (CMMC) assessment. We discuss the asset categories (CUI Assets, Security Protection Assets, Specialized Assets, and Out-of-Scope Assets) and their specific requirements. Learn how to categorize and document assets in an inventory and network diagram, and understand the role of External Service Providers (ESPs) and Cloud Service Providers (CSPs) in the assessment scope. We also highlight the critical prerequisite of completing a Level 2 assessment, with all POA&M items resolved, before undertaking Level 3 certification.
Preparing for a Level 3 CMMC assessment? Jun Cyber offers expert support to ensure you meet every requirement with confidence. Contact us today and let us help you succeed!
Ref: CMMC Level 3 Scoping Guidance
Website: www.juncyber.com
Email: [email protected]
-
8
CMMC Level 2 Assessment Guide: Comprehensive Compliance Insights
In this episode of CMMC News, we explore the Cybersecurity Maturity Model Certification (CMMC) Assessment Guide for Level 2, Version 2.13. This comprehensive guide provides instructions for conducting both self-assessments and certification assessments, detailing security requirements across key domains like access control, awareness and training, audit and accountability, and configuration management. We break down the assessment criteria, methodologies, and compliance objectives, offering practical examples for achieving alignment with CMMC standards. Additionally, we discuss how to use the included appendix of acronyms and abbreviations to navigate the document effectively.
Need expert guidance on your Level 2 CMMC assessment? Jun Cyber's team is ready to help you achieve compliance with confidence. Contact us today to get started!
Ref: CMMC Level 2 Assessment Guide
Website: www.juncyber.com
Email: [email protected]
-
7
Level 1 CMMC Assessment Guide: A Step-by-Step Overview
In this episode of CMMC News, we unpack the Level 1 Cybersecurity Maturity Model Certification (CMMC) Assessment Guide, designed to help organizations self-assess their compliance with 15 basic cybersecurity requirements for protecting Federal Contract Information (FCI). We cover key aspects of the guide, including how to define the scope, clarify custom terms, apply assessment criteria and methodologies like examining, interviewing, and testing, and document findings as MET, NOT MET, or NOT APPLICABLE. Detailed guidance for each requirement is discussed, along with tips on using the appendix of acronyms and abbreviations effectively. Whether you're an organization or a professional supporting CMMC efforts, this episode has valuable insights for you.
Need assistance with your CMMC self-assessment? Jun Cyber is here to help you navigate the process and ensure compliance with confidence. Contact us today to get started!
Ref: CMMC Level 1 Self-Assessment Guide
Website: www.juncyber.com
Email: [email protected]
-
6
Overview of the CMMC: A Framework for Cybersecurity Excellence
In this episode of CMMC News, we provide an in-depth overview of the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense's framework for enhancing the cybersecurity posture of contractors and subcontractors. We explore the three maturity levels and their requirements, which are derived from FAR 52.204-21, NIST SP 800-171 Rev 2, and NIST SP 800-172. Listen as we break down the 14 security domains and the specific mandates for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). We'll also touch on additional resources available to guide you through CMMC compliance.
Ready to strengthen your cybersecurity and meet CMMC requirements? Jun Cyber offers expert services to help you navigate compliance with confidence. Contact us today to get started!
Ref: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
Website: www.juncyber.com
Email: [email protected]
-
5
Level 1 CMMC Scoping Guidance: A Practical Guide to Compliance
In this episode of CMMC News, we explore the key guidance for conducting a Level 1 Cybersecurity Maturity Model Certification (CMMC) self-assessment. We discuss how to define the scope, including which assets (such as those processing, storing, or transmitting Federal Contract Information (FCI)) are included, and which, like IoT devices and Government Furnished Equipment, are excluded. Learn why no formal documentation is required for Level 1 and how to evaluate people, technology, and facilities involved in handling FCI. We also clarify the conditions for reassessments and the role of annual affirmations in maintaining compliance.
Need help with your CMMC self-assessment? Jun Cyber is here to guide you every step of the way. Contact us today for expert support in achieving and maintaining compliance with confidence!
Ref: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf
Website: www.juncyber.com
Email: [email protected]
-
4
Defining the Scope: A Guide to Level 2 CMMC Assessment
In this episode of CMMC News, we break down the essential guidance on defining the scope of a Level 2 Cybersecurity Maturity Model Certification (CMMC) assessment. We explore the key asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets) and provide insights into categorizing and documenting them effectively. Learn about the assessment requirements for each category, the critical role of System Security Plans (SSPs) and network diagrams, and what you need to know about working with External Service Providers (ESPs). We also touch on handling classified and unclassified information to ensure compliance.
Need help navigating the complexities of your CMMC assessment? Contact Jun Cyber today for expert guidance and support tailored to your organization. Don't leave compliance to chance; let us help you succeed!
Email: [email protected]
Website: www.juncyber.com
Ref: CMMC Level 2 Scoping Guidance
-
3
CMMC Tax Credit for Small Defense Contractors
In this episode of CMMC News, we explore the proposed CMMC Tax Credit and its potential to provide financial relief for small defense contractors navigating the complexities of Cybersecurity Maturity Model Certification (CMMC) compliance. Discover how this tax credit could offset costs like technology upgrades, staff training, and third-party assessments, helping small businesses stay competitive in the defense supply chain. Tune in to learn why this proposal could be a game-changer for contractors working to protect sensitive information and secure DoD contracts.
Website: www.juncyber.com
Email: [email protected]
Ref: https://www.juncyber.com/cmmc-tax-credit-a-lifeline-for-small-defense-contractors/
-
2
Final CMMC Program Rule Unveiled by DOD
🎙️ Episode Title: Demystifying the CMMC Final Rule: What It Means for Defense Contractors
In this episode of CMMC News, we delve into the recently unveiled CMMC Final Rule by the Department of Defense. Join our AI hosts as they unpack the critical updates, explain what's new in the compliance landscape, and provide actionable insights for defense contractors navigating these changes.
Whether you're a small business in the defense supply chain or a compliance professional looking to stay ahead, this episode offers practical advice, expert commentary, and strategies to align your organization with the latest cybersecurity standards.
💡 What you'll learn:
- Key changes in the 2024 CMMC Final Rule
- How these updates impact contractors of all sizes
- Steps you can take today to prepare for certification
Don't miss this engaging conversation that cuts through the jargon and delivers clarity on what the CMMC means for you.
Website: www.juncyber.com
Email: [email protected]
Ref: https://www.juncyber.com/final-cmmc-program-rule-unveiled-by-dod/