A
All right, folks, it is October and we are just over a month away from the start of the CMMC phased rollout, when CMMC status requirements will begin showing up in Department of Defense solicitations and contracts. Right after the final rule came out, we gave a big webinar that sort of summarized all the changes in the rules, what you need to know, key takeaways. So this week on the podcast, we're going to replay the takeaways as well as our thoughts in the webinar on solutions, enclaves, strategies that people are using to approach the problem. If you want the full webinar with all the details, we spent over an hour going through everything. You can register for that webinar on demand with the link below and we'll see you next week. All right, here we go. Okay, so the key takeaways up front. Starting on November 10th of 2025, DoD Contracting Officers will begin specifying CMMC status requirements in new solicitations and contracts, including task orders and purchase orders. As a condition of award, they will start specifying CMMC status level requirements. Contrary to popular belief, CMMC Level 2 C3PAO status, the results of third-party assessments, can and will be required during the first 12 months of the phased rollout, known as phase one. This is by far the biggest misconception that we're seeing in the ecosystem right now. This is probably the biggest takeaway that you can get out of this webinar. Related to that, do not bet on getting a waiver. We'll explain why. Do not bet on getting a level two self-assessment even in phase one. You have to hedge your bets here and be extremely careful because if you're expecting a self-assessment and then you get the requirement for a certification assessment, you, you will be out of time by the time you see it in the solicitation. We'll explain to you why that is.
And then as we start to talk about some of these strategies, the number one thing, in my opinion, that you can do to get a sense of how much time you have before the other shoe drops is to check your government customers' long-range acquisition forecast for the procurement administrative lead time expected for the work that you're planning to bid on. Work backwards from there to plan your budget, your implementations, your solutions, your assessment timing and everything else. We'll explain what all that means. But those are those main takeaways and.
B
If I could, if I could add one piece is that's for prime contractors. The majority of the people that, that we're talking to that we talk to on a weekly basis are not prime contractors, or at least not solely prime contractors. Talk to your prime.
A
Yep.
C
Yeah.
B
If you're a subcontractor, talk to your prime because they are going to be the ones that set your requirement. It's not the government.
C
Well, I mean, we'll go and say this. Yesterday I posted on LinkedIn, Boeing sent their newsletter out in the section with the CMMC certification. The first two words, act now.
A
Yep. Yeah.
C
It's like they're already given the warning sign, guys.
A
Yeah. Yeah. Basically this entire presentation is building up to show that the phased rollout and people's. What people think the phased rollout is, really has. It's mostly irrelevant for a lot of people. It is not the number one thing that you should be orienting around.
B
Yeah. I mean, enclaves, like you said, Daniel. And you're going to talk more about it here in a second. But, you know, they can, they can shrink it. But, you know, if you're doing full organizational change, the problem isn't, isn't the technical issues.
A
Yeah.
B
It's. It's your policies. It's your integrating the culture, changing the culture of your organization and how you function. And that takes time.
A
It does.
C
And that's the hard part that people don't understand. It's like, we say this a lot. CMMC is not an IT problem. It can go spin up. We can spin up this environment, organizational adoption, that. That's the long pole.
A
How many calls do we sit on where people are like, okay, we want to get all the information for what we need. And we're like, yeah, let's schedule a weekend to get you set up and get you migrated and get you turned over. And we can have you up and running as fast as you want to go. And we don't hear from them for months because approvals, budgets, you know, different authorities, decision makers, this and that. The problem is not the technology.
C
It's not. Yeah, it's not. It is a. Definitely a piece of it for sure. It should be overlooked, but it is not the problem. I, I talk to people all the time. They can't even get a senior official to sign the documents required. The environment's built: SSP, POAM, policies, procedures. Nobody wants to actually sign the piece of paper saying, yes, this is real. This is our SPRS score, because they're so afraid that it's actually wrong. That's a healthy fear. But also it shows how out of sync executives can be with the kind of boots on the ground kind of organizational process.
A
Yeah, absolutely. Any other thoughts here on enclave solution takeaways for folks?
C
Yeah, yeah.
A
Did you?
B
Well, I was just gonna say, you know, even down to, you know, super, what I would call simple decisions that organizations have to make like picking a domain name for, for GCC High. We see customers sit and forever and you know, back and forth and hem and haw just on picking a domain name for literal months.
C
Yeah.
B
Now that's not every customer, not every customer. Not every customer does that. But, but we see that, you know, happen.
A
Yeah.
B
And it's just that is what drives these, these kind of.
A
It would be interesting to see how many times it's taken longer to pick a domain name than it has for the DoD pulp window to close. I've known some time where that's happened. Yeah.
B
I think we have one customer right.
A
Now that I think it was September of last year. Yep.
B
So we were ready to go and.
A
They have been waiting for a year now. Hey, it's a big decision. Naming a boat, naming a domain. These are big decisions here.
C
USS. So the enclave slide, going back to that for just a second. So the enclave slide, there's kind of two versions of an enclave. There's a cloud-based enclave, all VDI driven virtual desktop, Microsoft, GovCloud. Keep all your CUI in there. Let's not let it touch on prem at all. That's not practical for a lot of people. Right. I mean that's a good solution if maybe you're like an SI or a developer, something like that. Most organizations have to end up leaning towards a hybrid enclave, we call it.
B
Right.
C
So bringing some portion of their on prem in scope for processing, storing or transmitting CUI: printers, workstations, mobile devices, things of that nature. Right. So when you're looking at an enclave solution like the ones that we deploy and that we manage, kind of having an understanding of not necessarily what's going to get me certified the fastest. Although that's very important. You have to understand when you actually go and win said contract, all of your processing, storing and transmitting of CUI on behalf of that contract has to fit in this box.
A
Yep.
C
That is so buying an enclave and getting a checkbox and then a month later realizing I want a contract but I can't work on any of the data in that system because I didn't bring those assets in scope and I can't fulfill the contract. That's a problem.
A
Hey, not only are we going to make decisions in 45 days that we've never made that quickly before, we're also going to digitally and cloud transform our entire company in 45 days. And it's gonna work.
C
It just doesn't. It doesn't work.
B
One of the things I gotta, I gotta figure out how primes are going to deal with this is how do they tie the UIDs of their subs to the scope of the processing of the environment that is supposed to be being used to process that information. Because, you know, we saw this, you know, with some C3PAOs back in the early days. It's been taken care of for the most part now. But back in the early days, there were C3, there were some, you know, you know, people that wanted to become C3PAOs that were standing up enclave environments standalone, getting them certified by DIBCAC, but then literally never processing, never doing any systems at all. Yeah, and. And there's got to be some kind of check on that, right?
A
Yeah, yeah. I mean, we're definitely getting the, you know, the, the program off the ground at that point. So I'm sure that once we do the second phase of rulemaking to pick up the wrinkles, the gaps and lessons learned from there, that we'll be able to close those things. It will be interesting to see how those different things manifest over the. Over the phase rollout, for sure. Whatever the phase rollout is worth. Any thoughts here, Daniel, as we start to wrap up?
C
Yeah, so just kind of be aware, not all enclaves are created equal. Right. So there's the. Owned by vendor, managed by vendor. This is going to be a FedRAMP moderate equivalent cloud and. Or authorized cloud. I don't think there are any authorized that I'm aware of. But. And then there's the. You own it and we manage it. Right. So the method that we use is we provision a Microsoft subscription under your company's name and, and we deploy and support that environment. The reason that's a lot more flexible is because we're using the full Microsoft stack.
A
Right.
C
We can connect things, we can scale things up, scale things down. We can expand your boundary a lot easier. Right. We can do so many more things than if you're buying like a $200 a month seat for a hosted virtual desktop that somebody else owns. And the big reason that this is important, going back to the previous slide for a second, just conversationally, is that if you need to extend your boundary, how easy is it to do if you're locked into a VDI subscription with somebody else? Right. And if you have to pull out of that environment at any time, going back to our significant change, if you're pulling out of the place that you're storing all your CUI and putting it in a brand new place, storing all your CUI. Significant architectural change. Right. Triggering of a recertification. Just kind of be aware when you're vetting enclave solutions, pros and cons on both sides.
A
Yeah, absolutely.
Podcast Host: Summit 7
Episode Air Date: October 9, 2025
This episode distills urgent updates following the release of the final CMMC (Cybersecurity Maturity Model Certification) rule, as Summit 7 recaps main points from their recent in-depth webinar. The hosts focus on actionable advice for defense contractors—especially as the November 10, 2025 phased rollout draws near. They aim to dispel common myths, highlight critical takeaways, and provide practical guidance regarding compliance strategies, the reality of enclave solutions, and the organizational challenges ahead.
> “Starting on November 10th of 2025, DoD Contracting Officers will begin specifying CMMC status requirements in new solicitations and contracts...as a condition of award…”
> —Speaker A [00:18]
> “Contrary to popular belief, CMMC Level 2 C3PAO status...can and will be required during the first 12 months of the phased rollout...This is probably the biggest takeaway…”
> —Speaker A [00:55]
> “The number one thing...is to check your government customers’ long-range acquisition forecast...”
> —Speaker A [01:37]
> “If you’re a subcontractor, talk to your prime...they are going to be the ones that set your requirement. It’s not the government.”
> —Speaker B [02:39]
> “There’s kind of two versions of an enclave...a cloud-based enclave...That’s not practical for a lot of people...most organizations have to end up leaning towards a hybrid enclave...”
> —Speaker C [05:32]
> “If you need to extend your boundary, how easy is it to do if you’re locked into a VDI subscription with somebody else?...Significant architectural change...triggering of a recertification.”
> —Speaker C [08:25]
> “The problem isn’t the technology...it’s your policies...changing the culture of your organization and how you function...That takes time.”
> —Speaker B [03:23]
> “CMMC is not an IT problem...organizational adoption, that’s the long pole.”
> —Speaker C [03:32]
> “We can have you up and running as fast as you want to go. And we don’t hear from them for months because approvals, budgets, decision makers...the problem is not the technology.”
> —Speaker A [03:44]
> “I gotta figure out how primes are going to deal with this—how do they tie the UIDs of their subs to the scope of the processing...?”
> —Speaker B [06:55]
Biggest Misconception:
“This is probably the biggest takeaway that you can get out of this webinar.”
—Speaker A [00:59]
On Executive Buy-In:
“I talk to people all the time—they can’t even get a senior official to sign the documents required...That’s a healthy fear, but also it shows how out of sync executives can be...”
—Speaker C [04:03]
Cultural Roadblocks:
“It would be interesting to see how many times it’s taken longer to pick a domain name than it has for the DoD pulp window to close...”
—Speaker A [05:10]
On Enclave Flexibility:
“We can expand your boundary a lot easier...than if you’re buying like a $200 a month seat for a hosted virtual desktop that somebody else owns.”
—Speaker C [08:25]
To dive deeper or access all the finer points, listeners are encouraged to view the full webinar as referenced by Summit 7.