B (3:26)

Okay, so first, when she came off stage, you knew it was going to get serious. But the face in which she was making when she hit the knock it off. Right. Had me, like, with PTSD flashbacks of my mom yelling at me and my brother because we were doing something out in public we probably shouldn't have been doing. Just hitting us with the quick knock it off in the face. And we knew it was time to straighten up. Yeah, I mean, dude, command coming off the stage, foot hitting the ground. That CMMC thing, it's happening case point, instant. It's right. Like within the first minute.

A (3:57)

Yeah, I mean, that's, that's that as she's walking down the stairs to do her. Her walk and talk thing, which Katie is famous for. Yeah, that's how she talked about. It was just Mother's Day. Everybody loves their mom. Moms are great. Katie even talked about her mom later on during the presentation. Let's hear what, what, What Grandma. What grandma had to say.

C (4:23)

Fine. Right? My mom lived by three principles. They were real simple. Right. You only put down your fear if you're putting it down. Ask yourself, why. If you're putting down the cmmc, why are you putting it down? It's only an audit measure for you to do what you were contractually required by law to do since 2014, which is implement the NIST 7171.

A (4:51)

Mom's always right. Mom's always right. We love our moms around here. We're big mama's boys. And Katie's mom knocked it out of the park. What have we always been telling people? CMMC is not the set of requirements. CMMC is not a new set of requirements. CMMC is not constantly subject to change, and it's always adjusting and this and that, and we can't predict what's going on every time. Over the years, people have said, oh, it's new or, oh, it keeps changing when under the surface. DFAR 7012 and NIST SP 800171 have been unchanged for almost a decade, if not longer, depending on when you start counting, then you are inadvertently exposing yourself as not knowing what's going on. At best if you're saying that it's constantly changing. So, as Katie said in a different version of what we always say, CMMC is not the thing that's making you do the requirements. It's making sure you did the requirements. It is a verification program for existing cyber security requirements that you were subject to via other contract clauses. We just are in the middle of a series on the DFARS cyber series of contract clauses. We're about halfway through. Check out the links below if you need a refresher on what DFARS7012 is. But you know, just like Katie's mom said, if you're putting it down it, it's because you got to ask yourself why? So everybody that's like, oh, CMMC this, CMC that. Why? What's the problem? It's just proving you're doing the thing you said you were doing.

B (6:28)

Yeah, exactly. So if mom's always right, Grandma is definitely 100% of the time always right. And if grandma's saying it, and I just want to touch back on that, you only put down what you fear. And we've noticed that people are putting it down because they're scared of it. Because normally in human nature, people are scared of things that they don't know about or they are unaware of. Right. Or that simply they just can't do. They're fearful of doing right. And one of the things that you said was that, you know, and we've said it all along, is that CMMC is not what's making you do the requirements. It's just making sure that you did the requirements right. Just, just in case. But in a lot of cases, what we're finding out is CMMC is letting people know they should have been doing the requirements and they haven't.

A (7:13)

Well, funny that you say that. Funny that you say that. We've got great rapport on this show. It's funny that you say that Katie had something to say about CMMC being the thing that is causing people to realize that they have requirements to do. During the Q A session at the end of her presentation, let's hear what Katie had to say.

C (7:33)

Am I going to hire it out? But right now, if you want to be in the defense industrial base, few things on the CMMC Number one, if you didn't build it into your rate because you weren't doing it, shame on you. I can't tell you how to run your business, but shame on you. You missed out. Why do you think that there are so many false claims acts happening right now? How many do we see? I know we just saw three in the past week, but when the government said to you to be compliant, you must do the NIST 171 and so many of you checked the box and then you wrote a poem and you said, I'd get to it. I can't tell you how to build your rates. You should have built your rates based on the requirements the government gave to you. And if you had a poem, you should have resourced in your rates how to get to that poem. So talking to me about how hard it is after the law went into effect in 2014, do you all realize that the NIST 171 was law since 2014 and we are still complaining it's too hard in 2025 while we were losing on average $250 million a day in the defense industrial base.

B (8:56)

I'm not laughing, but it's like I'm taking in breaths of fresh air.

A (9:00)

Jacob, people forgotten you forgot. Listen, I know it says Summit seven on the polo. I know we sell things, but you could go find this information for yourself. We put the information out for free. We're not charging for this information. A lot of people forgot right when they announced CMMC 2.0 in November of 2021. From that time all the way up Until July of 2023, you could not go anywhere without the DOD talking about CMMC, even after Katie left. So even if you didn't like Katie, disagreed with her, the politics, whatever, right? Other appointees inside the DoD from a different administration were still constantly talking about the critical importance of this program because the program was solving a problem that wasn't made up, right? Not only is it a statutory requirement, you still have a problem with the fact that the department has zero assurance over the protection of its data that it's paying people to implement and it knows that it's not being done. So then we go into this long period of like 14 and a half months after the 32 CFR CMMC rule was published, where the DoD is not allowed to to comment on the program because they're in the middle of rulemaking. And everybody said, well, I haven't heard anything. These crazy guys on this podcast keep talking about it, but I haven't heard Anything from anybody like Katie. So I guess it's not happening. Boom, the rule is done. It goes into effect. There's a hundred companies that have CMMC level 2 certifications. Katie gets put back in charge of the program that she started, and this is what she has to say about it. So I'm not here to tell you that I told you so. What I'm here to tell you is that if you don't believe it when we say it, how about when the DoD CIO says it? How about that?

B (10:56)

And then. So some people may comment on maybe the. The attitude. I don't want to say attitude, but basically the man or the way that she. She delivered. Yeah, People absolutely hate.

A (11:09)

People hate the tone.

B (11:10)

Think about this. Think about. For 11 years, you've been telling people that you need to do this.

A (11:16)

And.

B (11:16)

And for 11 years, they're signing a paper saying, yeah, we're doing that. Give us more money. And then when it comes time for you to be like, okay, those things that you said you've been doing for 11 years, or.

A (11:28)

Or the fact that the government knows that you're not implementing the requirements. The government knows that.

B (11:34)

It's still giving these nice, like, friendly nudges.

A (11:37)

Like, well, they know. They know that you haven't implemented the requirements. They know that they've experienced direct harms on capabilities inside the joint force of. Across various weapon systems. Right. They know that people are continuing to shirk their responsibilities on contract. And then as soon as the government comes up with a program that says, we'd like you to prove that you're implementing these things, please, everybody goes, you're being ridiculous. You're the one that's being insane. You're the one that's crazy. And you're like, are you nuts? Like, it's amazing that they're as restrained as they are. I certainly would be. I couldn't do that job. I'd be on stage freaking out. So people, listen. It comes down to this. People don't like Katie's attitude. They don't like the way that she communicates. But the only time anybody pays attention to this stuff is when she gets in their faces.

B (12:25)

Yeah. Nobody wants to pay the light bill for an entire decade, but everybody wants to turn on the power switch.

A (12:30)

There you go. So don't take it from us. Take it from Ms. Arrington herself. She's easy to get a hold of. She'll talk to you on LinkedIn. If you message her enough, she'll respond to posts. She's out here communicating, just like she was back in the day. We'll add a link to a bunch of her interviews and a bunch of statements that she made in various articles back in April. But it just isn't getting the traction that it got in 2019 and 2020. And I'm here to tell you, we're here to tell you you need to be paying attention to what's going on because if you told yourself you got a bunch of time or it's not happening, you were wrong. You were 100% wrong, and Katie will tell it right to your face.

B (13:06)

So in that down period between Arrington ERA one and Arrington ERA two, right. We'll name it that, see if it catches on. In that downtime, we would be lucky to maybe get, you know, a Stacy coming out or somebody else coming out and speaking about the program, but never as Stacy was pretty blunt as well. But not as bluntly as this.

A (13:27)

Right.

B (13:28)

But you would usually get it on rare occasions, maybe once a quarter or something like that. I, I don't think this is Katie's only appearance. Right. Like this is not Katie's only time. Within the past two weeks talking about.

A (13:40)

Yeah, she got a point. She got put into this position in March. She was given a bunch of statements in April, which we'll link below, gave this keynote just last week. So, you know, pick, pick what your flavor of how you'd like to get this information. But she's extremely consistent in what's going on and this isn't any different than what she said in 2019 and 2020. So, you know, we'll have a update episode coming up on when we think the rule and stuff is happening. But it's still very confident that that's happening sometime summer, fall of this year, if not faster. But this is why we said that it would go faster than average because you got people like Katie back in the building running the system. So there you go. We'll put the links below. Don't shoot the messenger. You can ask, you can ask the boss lady herself and we'll see you next week.