
Hosted by Summit 7 · EN
It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This weekly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

Register for Secure The DIB: https://summit7.us/event/secure-the-dib-telethon The public comment period for the proposed FAR CUI rule closes on July 23, making this your last opportunity to influence one of the biggest cybersecurity changes coming to federal contracting. Simply supporting or opposing the rule isn't enough. In this episode, we break down the Government's own guidance for writing effective public comments and explain the seven principles that make comments persuasive. You'll learn the common mistakes to avoid, how to build evidence-based arguments, and how to give regulators constructive recommendations they can actually use. Whether you're planning to comment on the FAR CUI rule or want to better understand how federal rulemaking works, this episode will help you make your comment count before the deadline. Register for Summit 7 Live: https://www.summit7.us/s7live FAR CUI Rule: https://www.federalregister.gov/documents/2026/06/23/2026-12559/federal-acquisition-regulation-revolutionary-federal-acquisition-regulation-overhaul-parts-1-2-4-33 GSA Comment Guidance: https://www.regulations.gov/commenting-guidance

Another 279 companies achieved CMMC Level 2 certification in June 2026, bringing the total to 1,717 certified organizations. That's a record month and far ahead of DoD's original projections. But the data also shows something surprising: the industry still isn't using all of its available assessment capacity. In this episode, we break down the latest Cyber AB numbers, explain our assessment capacity methodology, and discuss why contractor readiness, not assessor availability, remains the biggest constraint on CMMC adoption. Topics covered: • June 2026 CMMC Level 2 certification numbers • Available CMMC assessment capacity • Why the assessor shortage narrative doesn't match the data • The connection between CMMC readiness and DFARS 252.204-7012 compliance • What these trends could mean for the rest of the phased rollout Have questions? Contact us: https://summit7.us/ Register for Secure The DIB: https://summit7.us/event/secure-the-dib-telethon Monthly Cyber AB Town Hall: https://cyberab.org/News-Events/Town-Halls/pager/7916/page/2

The DOJ has announced its first cybersecurity False Claims Act settlement of 2026, and the details should get every defense contractor's attention. In this episode, we break down the LOGZONE settlement, the difference between DFARS 252.204-7012 and CMMC, how a perfect SPRS score became a DIBCAC assessment score of -170, and why this case may be a preview of additional enforcement actions still working their way through the system. Topics covered: • LOGZONE FCA settlement details • DFARS 252.204-7012, 7019, and 7020 • SPRS self-assessment scores • DIBCAC medium assessments • Why no whistleblower was required • What this means for defense contractors moving forward Settlement and source documents linked below. Register for Secure The DIB: http://summit7.us/event/secure-the-dib-telethon Register for Summit 7 Live: https://www.summit7.us/s7live DOJ Settlement: https://www.justice.gov/opa/pr/alabama-defense-contractor-agrees-pay-507144-resolve-false-claims-act-liability-relating DoD IG + DOJ (2023): https://youtu.be/_3GLX6ele_E?t=448 FCA pod w/ Alexander Canizares: https://youtu.be/Tga0krfIrEk?si=i6E2FuLY7QLNGmos FCA pod w/ Stephanie Siegmann: https://youtu.be/d1yweDy2wV4?si=drOwbWxBm9GAlh38 FCA w/ Bruce Judge: https://youtu.be/tqT_5yQBlOk?si=xgmqev-87KTKpxUJ

Register for Secure The DIB: https://www.summit7.us/secure-the-dib-telethon Over the last two months, we ran the CMMC Challenge Bracket. Eight matchups, 907 participants, 2,005 votes. The winner? Leadership Buy-In. But the final standings were only part of the story. In this episode, we break down the voting trends, coalition shifts, and comment analysis to understand what the community actually believes is holding organizations back from CMMC success.

Back in January, we made seven predictions about where the CMMC ecosystem would be by the end of 2026. Now that we're halfway through the year, we're checking the scoreboard. In this episode: • Level 2 certification growth • False Claims Act enforcement trends • Funding and compliance assistance programs • The FAR CUI rule • CMMC 3.0 and NIST SP 800-171 Rev. 3 • Early Level 3 activity • What the GAO report actually found Some predictions are looking strong. Others are too close to call. And at least one is trending in the wrong direction. Here's our mid-year reality check on CMMC in 2026. Register for Summit 7 Live: https://www.summit7.us/s7live 2026 Predictions (January): https://youtu.be/WxgGtKpF3_s?si=I9MfjmkBDojCRThv GAO Report podcast: https://youtu.be/U0VhiN3qpdE?si=lD-Pbl3vyfbIMPw7 NCODE for SMBs: https://www.summit7.us/blog/ncode-contract-award Assessment Capacity podcast: https://youtu.be/e_1FztgNCHM?si=PdpkkVk3SSa1V4-2 CIRCIA update: https://youtu.be/bvwnNSpDZgU?si=bS0ARRUfvvzLemmK

Remember CIRCIA? The proposed rule would create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 critical infrastructure sectors, including the Defense Industrial Base. Now CISA is holding a new round of town halls to gather feedback before issuing a final rule. In this episode, we explain why CIRCIA isn't just another version of DFARS 252.204-7012, the seven biggest differences defense contractors need to understand, and why the upcoming town halls may be the DIB's best opportunity to influence the final rule. Registration links for the CIRCIA Town Halls are included below. Register for Summit 7 Live: https://www.summit7.us/s7live CIRCIA Town Halls: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia CIRCIA Proposed Rule Pod (2024): https://youtu.be/ngYSaO5fg5Y?si=VoVW54QvAzKe6r-r Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements Congressional Research Service Report (PDF): https://www.congress.gov/crs-product/R48025 CIRCIA Hearing: https://homeland.house.gov/hearing/surveying-circia-sector-perspectives-on-the-notice-of-proposed-rulemaking/

The Cyber AB brought the ecosystem together to deliver pretty exciting news during the May monthly town hall. Join us for this week's episode as we break down some of the topics a little deeper to see what it actually means for the ecosystem. Things like: • Has production accelerated within the ecosystem? • Who is the new EVP of the Cyber AB? • Who actually attends these meetings? And so much more...Tune in to find out! Cyber AB TH Replay's: https://cyberab.org/News-Events/Town-Hall ISACA Website: https://www.isaca.org/ T3 Inquiries (older than 6 months): https://dowcio.war.gov/CMMC/Contact/ NIST SP 800-145: https://csrc.nist.gov/pubs/sp/800/145/final

DoD has updated the CMMC FAQs again, and the revision history doesn't tell the full story. In this episode, we break down the most important FAQ 2.3 changes, including significant changes, annual affirmations, CMMC UIDs, joint ventures, hard-copy CUI, and why the Affirming Official is one of the most important CMMC roles inside your company. Register for Summit 7 Live: https://www.summit7.us/s7live 100 Level 2-Certified Clients: https://www.summit7.us/blog/100-cmmc-l2-certified-clients NCODE: https://www.summit7.us/blog/ncode-contract-award CMMC FAQs: https://dodcio.defense.gov/CMMC/ January FAQ Pod: https://youtu.be/8ZxqqH0zws8?si=m5n8WQttWsZV8n24 Paper CUI Pod: https://youtu.be/lcIaxVBjyr0?si=17LdlP92NuCGa_ph

It's milestone season in the CMMC world. Just six months into the Phased Rollout and there are 2.5x more Level 2 certifications than DoD expected. Meanwhile, a significant portion of those certs are Summit 7 clients. We now work with more than 100 Level 2 certified companies. Last but not least, Summit 7 was awarded the Army's NCODE contract to help bring secure and compliant enclaves to micro-sized defense contractors. Exciting times. Register for Summit 7 Live: https://www.summit7.us/s7live 100 Level 2-Certified Clients: https://www.summit7.us/blog/100-cmmc-l2-certified-clients NCODE: https://www.summit7.us/blog/ncode-contract-award

Everyone keeps saying there aren't enough CMMC assessors. The data tells a very different story. In this episode we break down actual assessment capacity using the current number of certified assessors, DoD's rollout estimates, and capacity growth rates across the ecosystem. How quickly is the ecosystem scaling toward future demand targets of 16,000 and even 25,000 assessments per year? Turns out the real bottleneck isn't assessor capacity at all. ... Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679