Cybersecurity Maturity Model Certification (CMMC)

Eric Marquette and Paul Netopski, a CMMC expert, break down how to identify CUI, where to look in contract artifacts like CDRLs and DIDs, and why export control, OPSEC, and CPI don’t always mean the same thing. They also cover how to handle unclear or inconsistent contract language, confirm obligations, and avoid costly marking and protection mistakes.

This episode breaks down why CMMC success depends on lifecycle planning, from scoping contracts and data flows to building evidence, remediation, and formal assessment readiness. The hosts also dig into real-world scope traps, crosswalking existing controls, and why steady-state monitoring matters after certification.

This episode breaks down what assessors actually need from your System Security Plan control implementation summary: precise control status, exact evidence references, and the real mechanisms behind each claim. It also explains how to handle scoping, inheritance, and external services without leaving gaps or ambiguity.

Paul and Roz break down the System and Information Integrity controls in CMMC 3.14.1 through 3.14.7, focusing on flaw remediation, malicious code protection, alert monitoring, scanning, and detecting unauthorized use with assessor-ready evidence.They also connect the requirements to NIST guidance and Appendix D, showing how SI-2, SI-3, and SI-4 map to real-world policies, tools, tickets, and logs.

This episode breaks down CMMC System and Communications Protection controls, from defining boundaries and separating public-facing systems to enforcing deny-by-default network rules and stopping split tunneling.It also covers secure design, role separation, shared resource protections, and how to safeguard CUI while it moves across networks.

In this episode, we break down the three core compliance documents that make the CA domain real in practice: the System Security Plan, the Plan of Action and Milestones, and Continuous Monitoring. We’ll explain what each document is, what it should contain, and how assessors and compliance teams use them together to support CMMC and NIST SP 800-171 implementation.

This episode explores the FCC’s U.S. Cyber Trust Mark for consumer IoT devices and asks a bigger question: what can defense contractors learn from a public-facing cybersecurity label?We break down how the voluntary labeling program works, where it mirrors Energy Star, and why familiar cybersecurity signals matter to buyers, regulators, and the broader market. We also examine the practical limits of labels, including consumer misunderstanding, uneven adoption, and the gap between baseline assurances and real-world security outcomes.Finally, we connect the Cyber Trust Mark back to CMMC by showing how both efforts rely on trust signals, documented controls, and evidence-based confidence rather than marketing claims alone.

In this episode of CMMC Unlocked, host Paul Netopski breaks down one of the most misunderstood phrases in the new CMMC rule set and CyberAB guidance: “significant changes.” Many small defense contractors and their advisors worry that any major IT or organizational change will automatically invalidate a hard‑won Level 2 certification. Paul walks through what the 32 CFR Part 170 preamble, the Level 2 Scoping Guide, and the Level 2 Assessment Guide actually say—and what they don’t.We unpack the distinction between:When “significant architectural or boundary changes” require a new certification assessment, andWhen “significant changes” simply require you to update your CMMC Level 2 self‑assessment and affirmation, in line with your ongoing risk management and change‑management processes.Drawing on earlier episodes about risk assessments and continuous monitoring, Paul offers practical guidance for small DIB organizations and consultants on how to:Define what “significant change” means for your environment using NIST SP 800‑37, 800‑53, and 800‑53A concepts.Build change‑management checkpoints that flag potential CMMC impact early.Decide when a change triggers a new self‑assessment and SPRS update versus when it’s covered by your annual affirmation.Keep your System Security Plan, asset inventory, and CMMC Assessment Scope aligned as your environment evolves.If you’re worried that a tech refresh, cloud migration, or acquisition will blow up your CMMC status, this episode will help you separate rumor from requirement and integrate “significant change” into a mature, risk‑based compliance program.

A practical how-to episode on the CMMC 2.0 Level 2 Risk Assessment (RA) domain for defense contractors. Paul Netopski and Roz the Rulemaker walk through the three RA practices from NIST SP 800-171 (3.11.1, 3.11.2, 3.11.3), show how to build and use a Risk Management Policy aligned to NIST and ISO 31000, and connect risk assessment to real-world threats, third-party risks, business risk appetite, and change management. The hosts reference prior episodes on Configuration/Change Management and other domains to help contractors integrate risk into everyday decisions about people, places, and technology in CUI scope.

Explore the critical personnel security requirements within NIST SP800-171 and CMMC 2.0 Level 2 standards. Learn practical processes for screening, onboarding, and access approvals, and uncover the nuances between standard employment screening and federal background investigations to safeguard Controlled Unclassified Information.

Dive into essential physical security controls within CMMC 2.0, from access management to safeguarding support infrastructure. Learn real-world lessons from defense contractors who strengthened facility security and avoided common pitfalls.

Explore key strategies for protecting Controlled Unclassified Information across physical and digital media. Learn practical approaches to handling, marking, encryption, and auditing that ensure compliance and safeguard your organization.

This episode guides listeners through key aspects of Covered Defense Information (CDI), from core definitions and marking requirements to contract data rights and procurement compliance. Hosts Eric, Paul, and Roz break down regulations, risks, and real-world examples to help users, product owners, and procurement staff safeguard sensitive information effectively.

Join Eric, Paul, and Roz as they break down the CMMC Level 2 Maintenance (MA) family: what each control requires, implementation strategies, and special considerations when working with Managed Service Providers. Discover how MA controls intersect with other CMMC families, and how third-party maintenance impacts your compliance journey.

Dive deep into the False Claims Act, the Civil Cyber-Fraud Initiative, and how lapses in cybersecurity compliance with DFARS and NIST SP 800-171 can lead to hefty fines. Our hosts unpack how qui tam whistleblowers bring these cases to light by exploring high-profile settlements, revealing the potential for severe financial and reputational fallout across the defense contracting world. None of these cases have involved our clients, but the lessons are critical for everyone navigating cybersecurity compliance.

Incident Response for NIST CSF 2.0, NIST SP800-171r2 and CMMC 2.13

Explore how awareness and training align with NIST SP800-171 security controls. We break down each control, connect them to specific CDSE course catalog options, and discuss assessment objectives crucial for defense contractors and cybersecurity teams.

Explore the Audit and Accountability (AU) domain of NIST SP 800-171 with actionable strategies for compliance in defense contracting. Dive into the essentials of system audit logs, open-source accountability tools, and best practices for working with MSSPs. Learn how to create a robust monitoring program to detect and respond to unauthorized activity while meeting regulatory demands.

Eric, Paul, and Roz break down one of the most debated aspects of CMMC 2.0 compliance: when exactly multifactor authentication must be enforced for users and administrators. The team references NIST SP800-171, SP800-53, and practical deployment scenarios—exploring the nuanced requirements around MFA, Kerberos, and different types of system access. Real-world examples and lessons learned bring much-needed clarity to a common challenge in identification and authentication.

Dive deep into the fundamentals of configuration management for NIST SP800-171 compliance. This episode covers why a Configuration Management Plan matters, explores policy requirements, and examines baseline examples for applications, firmware, hardware, and operating systems.

Explore how an Acceptable Use Policy (AUP) underpins compliance for CMMC Level 2. We'll break down key NIST SP800-171 requirements that users need to understand, and discuss how communicating policy expectations empowers organizations to enforce controls and drive accountability.

This episode unpacks the elimination of the basic and derived security requirement distinction in NIST SP 800-171 revision 3, the assessment methodologies surrounding them, and the practical effects on DoD contractors, especially primes managing supplier risk. Our hosts dive into how the structure of NIST SP 800-171 assessments has evolved, the rationale for the new approach, and what subcontractors and primes alike can expect under the updated rules.

Explore the essentials of the NIST SP800-171 System Security Plan (SSP), the key requirements from NIST SP800-53r5, and recommended sections to create a plan that's truly fit for your organization. We'll break down what must be included, what can be added for clarity, and how to make your SSP a practical tool for security and compliance.

This episode dives into the essentials of incident response plans required by NIST standards, explores best practices and testing, and highlights how to leverage providers like Vertek and your MSSP for superior readiness. Our hosts break down actionable steps, useful examples, and real-world MSSP integration strategies, making your compliance journey clear and manageable.

Explore how Bridgewater State University's Cyber Range revolutionizes cybersecurity training, making incident response testing more immersive than traditional tabletop exercises. Hear insights on simulating real attacks, following NIST guidance, and how organizations can use this environment for CMMC and real-world readiness.

This episode unpacks how the DoD's cloud security requirements come together across SRGs, STIGs, and CMMC, clarifying regulatory foundations, Impact Levels, and the real-world implications for cloud service providers and mission owners. The hosts decode recent changes, practical responsibilities, and the intersection of CMMC with FedRAMP, NIST, and DFARS. Whether you’re a DoD contractor, a cloud service provider, or a compliance leader, get the plain-English guidance you need to understand the nuances of today’s cloud compliance landscape.

Join Eric, Ruby, Paul, and Roz as they break down the NIST IR 8286 series and SP 800-30 guidance for cybersecurity risk assessment. This episode explores how to set enterprise risk appetite, create and score risk scenarios (including threats and vulnerabilities), use business impact analysis for prioritization, and aggregate, monitor, and report risks for executive risk decisions. The team uses relatable examples and practical case studies to show how to turn risk analysis into real-world, risk-based decisions.

This episode explores the essential supporting documents and general procedures needed for the Access Control Family under CMMC. Learn which records are vital, how to structure compliant procedures, and practical tips for streamlined documentation. Hear real-world insights and specific examples from seasoned practitioners and compliance experts.

This episode breaks down how the NIST AI Risk Management Framework (AI RMF 1.0) supports a robust, continual approach to AI risk assessment, with a special focus on how to meet NIST SP 800-171 rev 2 control 3.11.1 for assessing risk to CUI. We connect specific core functions of the AI RMF—Govern, Map, Measure, and Manage—to compliance requirements and practical periodic risk reviews in organizations running or deploying AI systems.

Explore how incident response requirements from DFARS 252.204-7012 and NIST SP800-171 complement and amplify each other. Our experts dissect what each demands, how they mesh in practice, and what that means for defense contractors. This episode highlights actionable steps and noticeable pitfalls, with real-life examples from industry and government.

What does the final year before full CMMC implementation look like? In this episode, we explore the definitive schedule, key requirements, and what defense contractors should expect as the November 10, 2025 effective date for DFARS 204.75 approaches.

This episode unpacks the complete journey to CMMC/NIST SP 800-171 compliance, breaking down the phases, expected timelines, and real-world costs using authoritative federal guidance and hands-on field experience. Drawing from key federal regulations and the Critical Prism Defense whitepaper, we deliver facts and planning models for organizations at any starting point.

The team unpacks the next phases now that 48 CFR Subpart 204.75 has cleared OIRA review, mapping out what’s ahead for activation and enforcement—including the practical timeline to a live, enforceable CMMC rule. Special focus is given to rulemaking milestones, contract impacts, and how the DoD’s phase-in policy shapes when CMMC compliance becomes required for defense contractors.

This episode breaks down the Department of Defense’s recent decision on when contractors can self-assess for CMMC Level 2, and when a third-party assessment is required. The hosts clarify how the NARA and DoD CUI registries impact assessment requirements, and explain why ACAT categories are no longer the dividing line.

Eric, Ruby, Paul, and Roz explore the unique CMMC compliance complexities that arise when a Managed Security Service Provider (MSSP) delivers a Security Operations Center (SOC), SIEM, and SOAR—especially when CUI and privileged access are in play. Using real examples and asset categories from the latest CMMC scoping guides, the hosts dig into scoping, asset classification, and responsibilities.

Review of CMMC Scoping guides. In this episode we dive into the CMMC L2 Scoping guide and provide a summary of the categories and details within.

Dive into how risk assessments underpin NIST SP 800-171 compliance, with a focus on control 3.11.1. Our expert hosts break down what assessors look for, walk through real-world approaches, and share lessons learned from the field.

Dive into the federal rulemaking process and how it shapes cybersecurity requirements for defense contractors. This episode explores how the 32 CFR 170 rule went from concept to implementation, and previews how the forthcoming 48 CFR 204 changes may follow that path. Hear practical insights relevant for anyone in federal compliance, cybersecurity, and defense acquisition.

Explore how continuous CMMC monitoring transforms cybersecurity for defense contractors and compliance teams. Discover essential strategies, real-time tools, and practical steps for maintaining readiness in a dynamic threat landscape.

Explore the phased rollout of CMMC 2.0, how the new rules impact defense contractors, and what it takes to maintain compliance. Our hosts break down the assessment process, key requirements, and real-world implications—plus, share surprising insights and practical examples from the field.

This episode uncovers how organizations in the defense sector can identify, handle, and protect Controlled Unclassified Information (CUI), Covered Defense Information (CDI), and Controlled Technical Information (CTI). We examine contract requirements, marking guidance, and the latest resources to help contractors navigate CMMC compliance and data rights management.