
A
All right, folks, it is January of 2026 and if you don't know, Elbit Systems of America is the billion dollar subsidiary of global defense tech giant Elbit Systems. Elbit America, as it's known, has over 3,300 employees. They operate in 16 locations across 12 states and they partner with more than 70 different research labs and they maintain a massive supply chain chock full of controlled unclassified information related to every kick ass war fighter and weapon system that you can possibly imagine. When they speak, people listen. And on January 9th of 2026, they released a second open letter to their suppliers regarding CMMC. And they don't mince words. According to the letter, CMMC is no longer an impending requirement. It is actively being enforced and flowed down. And according to Elbit, our buyers will not issue purchase orders to suppliers who fail to meet contractual CMMC flowdown requirements. Today we're joined by Elbit America's supply chain director, former deputy CISO and lead CCA, the great and powerful Bo Birdwell to walk us through what's happening. Everybody give it up for Bo. Yeah, what's up?
B
Hey Jacob, thank you for this. Thank you for having me on. And Jason, thank you as well. I've been really excited. I've been listening to your podcast since it started. Back when it was three hours.
A
Yeah, you remember the three hour days?
C
Amazing.
A
Amazing. Yeah, it's awesome. All right, well, let's just jump into it, Bo. Maybe tell us about yourself, your role at Elbit and what's going on with these open letters. You are not your average supply chain director by any stretch of the imagination. I mean, like I said, you've been around this space for a long time. You walk the walk, you talk the talk. Tell us about yourself.
B
I will. And I hope. One of the things I. This ain't my first rodeo. And I'm hoping you all see that I'm not all hat, no cattle, that I actually, you know, I have been there, done that and I do have the T-shirts to show it. Right. I've been through three DIBCAC assessments and two CMMC assessments because of a subsidiary. So we've actually been there, done that and I'm really hoping we can help people. First, I have three big points I'm going to be circling around all day long. That's first, that I'm not here to sell anything. I'm here so I can buy stuff. And I really hope people listening to this podcast do believe that I am reaching out to you today to help build my Rolodex, and I'm that old that I actually know what a Rolodex is. But, you know, for those that don't know, it's basically that ability so I can actually know who I can work with. And that's message number one, which I'll elaborate on. Message number two is a rising tide lifts all ships. I believe that we have the ability to share our experiences such that, as a friend of mine at Boeing says, we're all competitive friends, right? That we all want to make sure we protect government data. Many of us are veterans. I know I'm not the only veteran on this podcast right now, that there's people that really take this personally and we want to protect our technical advantage, so that there are a lot of industries, a lot of companies that are willing to basically share the lessons we've learned. And that's one of the things I think I'd be glad to expand on. That's a huge point. And the last one, I really hope people realize that we all owe a big thanks to the Department of War because they have been giving us as much transparency, as much warning, as much time that now that the mountains are coming into focus and we can actually start feeling the inclines, it's not like this is out of the blue.
And what I see right now, and I'll be glad to elaborate on this again as my third major point, is that because they've been so good to us. And just as a quick aside, thank you, Katie Arrington. I wish her the best as she transitions back to the civilian sector. I'm sure you all saw that she just now announced that. But as they've given us time, we, as most of the big primes or, you know, companies that I've seen, are doing pretty well internally. We took years to solve this. And so we actually were able to, instead of having to do massive increases in budgeting, we could do low double digits each year so that over three to four years we were able to address the requirements, where when you compress that into 12 months or less, then the numbers become much harder to swallow. But we want to thank them because they did everything possible from the DoW side to not surprise us. And also now you're seeing, as my last point on the big things, that what I see talking to my peers at the larger contractor level is we're now all addressing the mountain of getting our supply chain in line. And it's a giant mountain to do that. And we're not all climbing the same face, but some things are universal and some things are company specific because if you're a fifty billion dollar company, some things make more sense than they would to a 2 billion dollar company or even our parent which is, you know, in the 10, 12 billion dollar range. So that's where I would like to, you know, have our conversation. But those are the, you know, bottom line things I hope everybody takes from it, those three points I'll be glad to expand on during our conversation.
A
No, it's awesome. Yeah, absolutely. I think, you know, getting to the open letters, your supplier website and the cybersecurity page on the supplier website is probably one of the most concise I've seen from the major primes. So props to you guys for putting that information out there. My big takeaway from the letters and from, you know, our conversation before the show and things like that. Your big message to everybody is CMMC is real. I mean the second letter that just came out here in January opens by saying that Elbit America got a requirement for CMMC Level 2 certification just 32 days into the phased rollout. Like this is not a theoretical issue anymore. How are suppliers reacting to these letters? I know you said you've talked with like a thousand different companies going on. What's the reaction before the letter, during, to the letter, after the letter, what's the vibe out there?
C
And then just kind of like amplifying that. Like you commended the DoW for their transparency with you guys and giving you that grace period. Did that affect the tone in your letters and the way that you went at that?
B
Right. Yes. I want to thank my, our leadership is very much. It's not, I'm not talking generally, people have to put that caveat that I'm not speaking on behalf of my organization. I'm actually speaking on behalf of my organization, that my company sees this as a business imperative. And I'm not speaking out of turn. This is our Elbit Systems of America position: this is a regulatory requirement. This is the same thing as any other requirement we have from the government. And it's not like you get to choose which ones you're going to apply. That's not how it works. That's not how any of this works. But to answer your question, what I saw over the course of two weeks, I spent almost two weeks just going back and forth in one on one communications with over 600 suppliers, many of whom are dealing with the consequences, are addressing the consequences of deferment, now that those deferment decisions are accelerating reality. Also I'm seeing a very capitalistic perspective of, if you want us to get there you should help us. And I'm trying. That is a business decision that every higher stream contractor has to address. When your key suppliers are not certified you have two choices. You either help them or you got to requalify someone else. And anyone that's in this business knows that requalifying a supplier is not free, and it has a time cost. So that is something I think most of the primes are dealing with right now: how do you mature your supply base to give you resiliency? One of the great news stories that I'm comfortable about is that most of the big companies are already looking at Level 3. So even though I know you guys like to talk about how R3 is going to come, R3 is going to come, the supply chain requirements in Level 3 will force maturity on the big primes that will flow down over time sooner than R3 is going to come out.
So I see that as something that we're all going through, supply chain management. And most of the big companies I talk to don't consider Level 3 to be aspirational. Most are going toward Level 3 in the next 12 to 18 months. Just because we can read the tea leaves.
A
Yeah, and that's an interesting point when you say that, you know, your suppliers in a lot of instances, whether it's intentional or not, are kind of giving you an ultimatum. Either assist directly or requalify somebody else. Both of those situations, like you said, cost you money. So does that, you know, by looking at that situation, does that mean that a company that is ready is very valuable to you guys because they are not costing you money?
C
Oh.
B
This is. The short answer is yes. But the more nuanced answer is it's not that simple. This is not Lego pieces. I can't just take this company from name your place in the US and replace it with. I mean even if I really know I have to get rid of it because it's a foreign company that's never going to get CMMC. It's not like I can just do a find and replace, or, you know, control F, control R. It is a multi-month process to requalify a supplier. And you don't just do that over one or two phone calls.
A
Right.
B
So that is something that I can't speak for other primes on, but I've talked to a lot of them. This is the side of the mountain we all have to climb. Now how we climb it, we have different things. Some of them, you know, might actually focus on acquisition of those most important ones because that might be the best solution. Right. An alternative might be to spend your own money and, you know, get them someone that's competent to help them get there. But that's not something anyone's doing lightly. And you're playing chicken as the supplier. If you know that, you're going to see who blinks first. Right, right. And the harder you make it for us, the more likely the risk calculus changes from the prime's perspective or the higher tier supplier. And I would offer to those companies that, you know, because since we've been putting those letters out, we've gotten at least a half dozen companies pointed out to us. And unfortunately we had another three or four that said that they were Level 2 and they sent us their SPRS score saying that they were basic. I'm like, okay, yeah, thank you for helping. But that's not what we're talking about. Right. But it's a journey. And that's one thing I'm working on with these people that want to work with us, and I have a list of companies that want to work with us. But we can't just guarantee. I mean, we're also in business too. We can't guarantee work for a company when we haven't won the contract either. So there is something of a chicken and egg dilemma here: you can't win the contract unless you have the supply chain, but you can't guarantee the supply chain the work until you win the contract.
A
Right.
B
So this is not something that, you know, it's a couple more letters and we're there. This is going to be like, what I'm willing to say publicly because I think it's something that we should all be doing: we're going to start requiring Level 1 later this year of all of our suppliers that aren't COTS. Because the process, the major muscle movements are the same. If you're going through the process to make sure they're Level 1 now, the actions required by the supplier are orders of magnitude different to, you know, go into SPRS and put yourself as Level 1 than they would be if you have to be CMMC certified by a third party assessment organization. But from our supplier side, we're going through most of the same muscle movements. Our contract language would be very similar. We're going through those kind of decisions, and it's a way that we can kind of do externally what we did internally, which is implement the process incrementally, versus some companies are having to make the decision to implement everything at once. And then you get into the. You start breaking stuff. Yeah, it's like we actually had one control that took us over 12 months to implement because we didn't want to break stuff. Well, you're going one. That's an example that everybody talks about is FIPS. You know, either you take time and get new applications or fix applications over time, or you break a lot of stuff when you actually start turning FIPS on.
A
Let me ask you this. Sorry, Jason, let me ask you this real quick, Bo. You're talking about, you know, suppliers giving you this ultimatum or this gamble. One of the things that you mentioned in this group of suppliers that you talked to was a lot of them straight up told you that they're willing to wait until they see a decrease in business before they start acting. I mean, how do you work with a situation like that where it's like it's a contractual imperative for you, it's a risk for you, it's a liability for you. And then you communicate out to your suppliers ahead of time, you're very clear with what's going on. And they basically say, until it costs us something, we won't do it. How do you navigate that?
C
Yeah, that has to amplify your risk. When you're evaluating whether or not you want to keep them around, whether you want to invest in them or anything like that, they're not even willing to invest in the cause to help you support your mission. Right.
B
I would offer that what we are doing is opening up the floodgates to saying, hey, we want to talk to other companies. Because as much as we like our existing suppliers, if we can't get there, we are going to have to make some hard decisions. And we're building a bench. That's all you can do. Where I think we need to focus on all the good things the department did. But one thing that would have made every company's life easier is if they would have let us query SPRS. That would have made our lives so much easier. And this whole thing like, well, we don't want the adversaries to get into SPRS, because if we can let you query it, it wouldn't take them five minutes to then query it. But okay, so we're going to be building our own databases, and I'm sure they're going to be attacking those as well. But what we're trying to do is get the word out, talk to companies. Like I'm meeting with them. We're starting to. I don't want to use the word onboard, and we can't. We're not ready to promise any work. But we're starting to build a bench so that we can then have intelligent conversations about, okay, this is a, you know, not to make light of a situation, but, you know, is divorce the only answer here? Yeah, you know, like, because we got to think about the kids. So, you know, like, those are the things we have to work through because, I mean, most companies are comfortable with their supply base. I mean, there is a lot of work when you're changing out your supply base. And I know that several companies are asking the same questions we are. And that's why I'm hoping that I'll meet people at CUI-CON, that I'll meet people at CS5 in San Diego. I know I'll see you there, Jacob. I'll work with them there, and not so much with the RPO community, but more working with the companies that need help, because we want to lift them up, we want them to succeed, we want our supply base to succeed.
And I don't want to say they're giving ultimatums, but I really think there is a perception in the community that the DoD is going to. The Department of War is going to blink. And I think, unfortunately, and people are going, like we said, they're. They're going to bite their nose despite their face.
A
Yeah.
B
And that's where most of us are taking adult moves now of actually looking for alternatives.
A
This is a question I had for you, speaking of that. And it's a perspective we don't get to hear a lot out in the ecosystem and the supply chain. I know. I saw it when I was at the major primes. I know I hear about it when I talk to people from the major primes. It's your relationship as a big prime to your government customer, rather than the relationship of your suppliers to you. What are those conversations like regarding the situation? From what I've heard, it's very cut and dry. This is the new requirement. This is what's going on. I mean, you know, is there any insight you can provide there on sort of what they're saying to you guys that would drive these letters and, you know, these timelines and this risk mitigation?
B
I will. This was not a planted question. I don't want people to think that. I just have a funny story on this. At least to my sense of humor, it's really funny. I want to say it was literally in November, like right when it went live, we had a contracting officer reach out to us and say, I don't know what this CMMC thing is, but I need you to have it. And that was a government contracting officer. And he said, I need that now because they're telling me that you need to have that. And so I would offer to you that, just like the whole ecosystem, because they're part of the ecosystem, there's some immaturity there. And I think we have to be careful not to homogenize the Department of War as one entity.
A
Yeah.
B
But the contracting officers are at different levels of maturity, and the government, and I just, like y'all have been pointing out and others have been pointing out how DLA has been pushing out stuff. There's some contracting officers that get this at a very high level. Others, back in October and September, were sending out proposals and renewals that had the old CMMC clause in it, which the DoD had already in August said, stop doing that.
A
Right.
B
So I would say there's just some lack of homogenization. They all know it's coming, and some are more engaged than others on how to actually implement that. But I thought that was the funniest one. They're like, I don't know what this is, but you need it. Can you show me you have it?
A
Right.
C
Right. So I know that you said that you're going to be at CS5 and you're going to be at different events, and I know that people are going to ask you questions based on your experience and what you've been through. And so one of the heaviest questions that comes up is associated with cost. What needs to be invested, not just the time, but money wise. Right. And I wanted to ask you if you had the insight as to, like, how investments have changed in the CMMC grand scheme of things, and then whether you anticipate any costs associated as a result of CMMC as you're doing business moving forward.
B
One thing that I have seen is that you're looking at load. If you spread it over years, you can go with low double digit increases in your spend. Right. If you have to accelerate that, those low double digits start accelerating into the high double digits.
A
Right.
B
And where I see friction is that most SaaS solution providers are not FedRAMP. I'm optimistic that if they can follow the road where they're actually going to get rid of the requirement for sponsorship, that that will get rid of a lot of problems, because most vendors are going that way. But I also can see their point that it's very cost repetitive to go through a 3PAO assessment every 12 months for FedRAMP equivalency, where you don't have to do that for asking for it.
A
Right.
B
Yeah. So that is a friction point that I think the entire community is going to be dealing with. Because so many organizations have SaaS solutions and we share, good, bad or indifferent, we share CUI in a lot of places. So a lot of organizations are going to be dealing with the fact that we've been dealing with for years. Like our part of those increases in costs were switching to GCC High, paying for the FedRAMP version of CrowdStrike or whatever tool you're using. Because one thing that people sometimes forget is that some SPAs actually have the ability, like for example if it was CrowdStrike, to actually, with some of their capabilities like real time response, you could actually pull CUI. So you need to be careful. They're not all SPAs, security protection assets. Some of them are really CUI assets. But for the community in general, that is going to be the big cost, because there is going to be people, process and those kind of issues. But at the end of the day it's kind of binary. If you're putting stuff in the cloud, you have to be either FedRAMP or FedRAMP equivalent. That's kind of a. You gotta be there.
A
Yeah, it's table stakes. Right. Well, so let me ask you this. So you know, you're saying you guys were able to, you know, amortize these costs into the low double digits over the course of years. There are a lot of suppliers out there that aren't even sniffing double digit spend to begin with. So you know, when they're on this compressed timeline, what's the realistic impact here? I think some people out there maybe think that they're going to get this done for a couple grand. It's going to take them a couple weeks. They hear a lot of claims out there about what's going on. I mean, is that a realistic scenario for what you're seeing out there?
B
I would say for a small entity, a number of organizations, that's possible. I know that there is an organization out there that almost does sell CMMC in a box because they just sell a VDI solution. Yeah, that is a different problem set than most manufacturing companies are going to be dealing with. I think the issue you're looking at is that yes, there's going to be engineering companies, you know, consultants, all those kind of organizations that can probably get away with that. But when you have to integrate it with your ERP, you have to integrate it with your MES, you have to integrate it with, I don't know, name your tool, SolidWorks.
A
Whatever.
B
I mean whatever the tool is your company uses, you're looking at going enterprise wide. And I think that's. I don't want to overstate this, but I think that's one of the reasons why you see so much pushback against where, as you would love to point out, CMMC is just the attestation or the confirmation. It's not the controls, but it's something people can yell at. And I sometimes think sure is. So I think there is real concern that the risk calculus is changing and they're going to have to work through, because there is no easy way. So I think they're going to be looking at getting assistance, and I'll throw a plug in for: if you're getting assistance and the RPO is not a certified CMMC professional, don't talk to them. If they're not, I would talk. Most C3PAOs also have the ability to advise you. Obviously you can't use them for both. That goes against the CoPC.
C
The.
B
Was it the code of professional ethics?
A
Yeah.
B
Not saying that, but I'm saying those are the organizations that know what they're talking about. Just like I personally, when I recommend MSPs, I only recommend MSPs that are CMMC certified.
A
Yeah.
B
Because I don't. I think if you haven't walked a mile in their shoes, I find it very hard to believe you're going to help them get through it.
A
Yeah. Especially with the degree to which people are dependent on their MSP. Right. It's kind of tough to.
B
And everybody thinks the shared responsibility matrix is going to save them. I'm telling you that almost everything is shared. That's why it's called a shared responsibility matrix. So you need to be careful that you're not going to just be able to punt the problem to name your MSP. Especially, you're going to be in a good place if they are certified. I'm a big fan of the MSPs for Justice or whatever the name of that nonprofit is that you guys are involved in. Yeah, I do recommend that one. Look, that's where I point people to when they're like, which MSP should we use? I point them there because as someone who takes this pretty seriously, I think that's a good starting point. And if you want to know the cost, talk to someone that can give you a realistic quote. Right. So that's where my advice to everyone is to go to that website, which I. Yeah, we'll put you guys over back.
A
Yeah, we'll put the link down below for MSPs for the Protection of Critical Infrastructure and you guys can check it out from there if you're interested.
B
Because I consider it the Justice League for CMMC. I mean, so I'm really thankful for those companies.
C
So Bo, I gotta ask you, you've been through there. Like you said, you've been there, you've done that. You've got the T-shirt five times over, assessment wise. Right. There's gotta be some takeaways that you have, like some things, some key factors that you could pass along. Right. I want to bestow my wisdom upon the audience to make sure that they succeed as well as we have.
B
Right.
C
And what are those things?
B
Well, first off, what is hard for most organizations, and this is not unique to CMMC because everybody thinks CMMC is different. It isn't. Most audits, regardless of who's doing it, documentation is as important as implementation. Because people try to say, oh, it's 40% implementation, 60% documentation, whatever. No, for most points, you can't get the point, because of the way that the 320 determination statements are set up, there's almost always a documentation and an implementation piece for almost every control. And I think it surprises people, or people get frustrated, like, well, my documentation wasn't good enough. Well, that's every audit. That's not a CMMC thing. That's true in ISO. That's true. And I've been through SOX. Yeah, I mean, your documentation matters. One of the first things I would encourage people to do is don't outsource your documentation and insource your implementation, because the people are on different pages. The auditor is going to figure it out. In fact, one of the lessons learned I got from talking to DIBCAC guys who've done lots and lots of these is that you really have a Goldilocks dilemma. There's some companies that obviously paid a lot of money to get some documentation and didn't read it.
A
Yep, that's.
B
That is a. That's how. Those are the companies that usually get the negative scores. Now, there are some companies that actually, you know, have the best implementation in the world, but their strength is not documentation, because there's just personality types. And generally people that are doing certain IT scenarios are not exactly the ones that then want to write a book telling you how they did it. Yeah. And that's just auditing. So then you have the opposite on the Goldilocks, and then the sweet spot, where sometimes you end up writing books. Like, we actually gave the government over 10,000 pages of documentation. And we were told that unlike some other companies, it wasn't just trying to drown them in data. Because the way we did ours, there's a couple of things I would share. One, we wrote our security plans to be shareable with our competitor friends. What that means is in our security plan, we say how we meet the control, but we don't tell you what the name of our EDR is. We don't tell you what our tools are, because we don't see that that needs to be shared. So we just put references to all of our policies, procedures, instructions, guides. And we have over 100 procedures, instructions, guides, plans that we reference. So it was over 10,000 pages. And we do a monthly Vulnerability Management report. Because we don't have eMASS. And I'm not trying to defend eMASS as a good system, but because we can't put all of our artifacts in the database and give it to them, which is what eMASS does, we actually reference in the security plan, here's where all the references are. And it works really well. And it's not that you're trying to drown them in data, but you're actually showing them. We actually got asked the question, like, okay, I see you did an incident response exercise last year. Can you show me what you learned from it? And we were able to show, like, oh, we had these. We call them OFIs.
OFIs. Right. Because they weren't POA&Ms. We don't use that word. You know, once you're CMMC certified, you don't use that word anymore. We looked at items that we were still improving on, areas for improvement, you know, to use an ISO term, opportunities for improvement, OFIs. And we'd look at those and show, like, yeah. And we closed them out over six months and they're like, okay, now we'll give you credit. So they really want to see that it's not documentation just to drown them in data, but to actually show you're meeting the intent of the control. And I kind of respect that. I have a lot of respect for people that are trying to make sure you're implementing the control as opposed to just trying to check a box.
A
Yeah. And I think, you know, you mentioned when we were talking beforehand about how, on that same thread, the assessors, I mean you are a lead CCA, the sort of logic chain that they follow when they're looking through the determination statements. And then you were also mentioning, it's like if you claim that you're going to be doing something, just be ready to demonstrate it, you know, because I think you've probably seen that in practice too.
B
Right? Well, what got us a lot of kudos, and I argue this isn't a best practice, I believe we're just reading the document, reading what the DFARS requires. You have to do a self assessment every time you update your score in SPRS, the Supplier Performance Risk System. That's not me, that's actually in the DFARS clauses. You guys even, I think, talk about it in one of your calls when you're talking about maybe 7019, you have to do a self assessment. Well, we turned that into a report that's literally over 100 pages long, has all 320 of the determination statements, and we have screen captures and we have references to where the documentation is. So when we actually, you know, annually we do our. Because of CMMC, you have to do an annual one. So we do an annual update where we revise the whole document. It goes from, for us it's 004, becomes a dash 01 to 02. And then during the course of the year, like when we were dealing with POA&Ms, that'd be a rev A to rev B, and we would actually show, like in 2023 we made these changes to SPRS and here's where they show up in our report. And the government was really like, that's what we asked you to do. So that's fantastic. And I will tell you that auditors, one, are not out to get you. They're trying to make sure the requirements are being met. So if you can talk through what you're doing and you have a reasonable answer, they're not trying to trick you. And two, we have to remember everyone's human and give them grace. And sometimes it really helps if you can show the auditor that what you did was straight out of the assessment guide, because maybe they don't have that memorized either. But if they're like, well, I don't know if that meets the requirement, you're like, well, this is the example that the assessment guide gave me. And I had that a couple of times. They said, well, that's pretty reasonable.
A
Then, you know, Bill Belichick won six Super Bowls by knowing the rulebook better than anybody else. Right.
B
But I would just offer those are things that... why you can't outsource it all to someone else. No one's going to care as much about your company as you do. So the best thing that people can do is actually make sure they have someone inside their organization who can help, be their quarterback. Absolutely, you can use MSPs, MSSPs. Not arguing against that, but you really need to understand it from your own company's side, because no SRM is going to say something that's not in the contract anyway. So it's not like people are going to start signing up for more work that you're not being paid to do.
C
Yeah. It's that level of ownership and accountability. Because at the end of the day, the person that has to answer the questions if things don't go right is you. So.
A
Well, here's a question that we hear a lot, and I don't know, you know, your thoughts and feelings on it, Bo, but a lot of people, when they say, okay, there's big budget increases, there's time, there's tech debt, there's all this stuff that we've got to deal with. There's all these mountains to climb. The source of the problem is whether or not the CUI flows down to begin with. Have you guys looked at minimizing the flow of CUI? Is that a realistic situation? You know, a lot of times when I've seen this is people go, well, you know, my entire business is based off of receiving and handling and processing CUI. If they just stop sending me the data, I wouldn't have CMMC problems. I'm like, but you also wouldn't have a business because you're dependent on the data. How do you feel about that as a course of action?
B
I'm really glad, Jacob, you brought that up, because one of the things I need our supply base to know, and I think I speak on behalf of most suppliers, or most higher-level, higher-tier contractors: no one is going to flow controlled unclassified information to someone they don't have to when the CMMC clause is in effect. If we're saying that we have to flow CUI to you, it's not because we're just Control-F, you know, "CUI", Control-A, Control-C and just throwing it into a new document saying here, here's everything, you figure it out. It is really important that companies understand that no one wants to shoot themselves in the foot, because I've had a couple of people, you know, do the "Oh my, the primes are just throwing down Level 2 to everyone." No one's doing that haphazardly, because you risk a lot. Because it's pretty explicit, as you pointed out: we cannot issue a PO unless we have validated, and as you know, there's certain ways you can do that. The DoD said one good way was to have a screen capture from SPRS from that supplier. There's a couple of other things, and we have to provide the unique identifier number to up-channel to either the prime or to the government customer that we are going to do everything humanly possible to protect our supply chain, because it makes our life easier. It's completely enlightened self-interest. So if companies are saying, well, they're saying that we have to be Level 2, there's probably a reason, and they're not going to be able to work with them otherwise. So it is a yes, that is just the reality.
A
Yeah, absolutely.
C
You had mentioned earlier, you know, controlling the cost, and Jacob mentioned, you know, the flow of CUI to, you know, prevent costs associated with that. But you had mentioned earlier that you fully anticipate CMMC Level 3 to be a thing for you. Right. Do you fully anticipate flowing that down to the suppliers, or just where necessary, or making it mandatory to keep it secure?
B
I think I speak for a larger audience saying that no one wants to flow down Level 3 unless they absolutely have to, because it is an onerous bill. I think there is not consensus among the community on the best way to address Level 3. Some companies are climbing the mountain through an enterprise approach. Some are climbing by actually going from an enclave approach in their own environment. And as we go through that, as companies go on the journey to Level 3, which to the best of my knowledge no one is Level 3 yet. I'm aware of like a half dozen dry runs. None of those companies have actually gotten the certification. That is going to become a very compelling conversation for 2027, because that's when, you know, if you do the N minus one or the one-year-early pull, that's when we expect Level 3 could come in there. I was surprised, or maybe not surprised, but it seemed like the DoD, or Department of War, was actually telegraphing that with the Golden Dome memo that leaked, because that was an internal memo. But we've seen with other programs of interest to this company that there's a high likelihood that our customers, because you've got to realize it's not one person making that call, that's a program decision made regarding a specific program. We've seen there's some programs where the government customer feels like they want the highest level of protection, and we're doing everything we can to make sure the information that has to flow down is only requiring Level 2, because as you guys know, that's the minimum if it doesn't give you enough information to actually do a solid determination. That's straight out of the rule. Unless they give you a security classification guide, which generally you get those for classified programs. There aren't a whole lot of purely unclassified programs that have actually given security classification guides just to address the CUI monster.
A
Well, so you know, Bo, in DFARS 7012, at the very bottom, at the end of paragraph N, it says that the contractor gets to determine whether the data retains its identity as CUI. That sounds like you guys could just make the declaration that this data isn't CUI and then free your supply chain from all these obligations. All you would have to do is accept liability for the decision and everything that would happen cascading through your supply chain. Why not just accept the liability for everybody in your supply chain?
B
Obviously, one, yeah, I mean, one, the obvious answer is because of the probability. Back in the Air Force days they talk about the probability of kill is one if you hit the ground. Yes, the enemy might kill you, but if you run into the ground trying to avoid the enemy, that did kill you.
A
Right.
B
I don't think any company feels like that is in their financial best interest, to accept that risk, because of the mathematical certainty that someone in your supply chain is going to get hacked. That is, I mean, that's why we're doing CMMC and why we're doing all this stuff, and you've done many podcasts talking about that. The need is urgent. And I don't think there's a serious person in this space that doesn't at least know of someone that's been hacked. And it's not because anyone's bad or anyone's not good. It's just, it's like in pro football, they get paid too, right? Those players get paid. They're trying to get into your network. I don't see that as a viable one. But I'll also say there's some companies that, even though the DoD and the Army Corps of Engineers have said, you know, that if it's only hard copy, you don't have to flow down CMMC, I know there's companies out there that are still going to flow down the CMMC requirements just because. And I don't... I'm not trying to...
A
You read my mind. You read my mind. I was going to ask you. I was like, I don't know if you've heard the news, but all you've got to do is just send them the paper and then we don't have to worry about this anymore.
B
I've talked to enough lawyers, and I'm actually very proud of my... I have a really good relationship with our legal counsel and our legal team here. There's some things that, you know, maybe that dog doesn't hunt for every company. Like, we talked about it. There's things that every company's looking at. At least most of the companies are looking at this through a filter of risk. Like, what are we going to do? Because we are...
C
There's a.
B
The probability is high that most companies are going to get a CMMC Level 2 requirement before their supply chain is fully mature. That is a high probability that we're all dealing with. There are things you hope. You hope that a VDI is all you need, right? So you can share the information through a virtual desktop environment or interface, but you're looking at different options available. I can't speak for all companies, but we're not looking at that as one of the options, to actually just mail them the CUI. We're not looking at that as a viable one to get us out of jail. And I'm not belittling any civil engineering company that maybe that works for them. But for manufacturing companies, it's kind of hard to see a scenario where you wouldn't be needing that information in some kind of system.
A
Yeah, well, I mean, this has been super insightful. I guess maybe we can just summarize some of the points you made and then talk about some of the practical guidance that you have for people. So like you said, this is the real deal that you guys are seeing. The requirement. You're anticipating the requirement. You guys have spent the time and the money. You're in sync with your legal counsel. You're even working with your other competitors. At the level that you guys are...
C
...at, you're going to communicate into your supply chain, like, yeah, I mean this...
A
...is, this is, you know, the real deal. And you know, you fully expect that your suppliers are going to have increased costs, and you guys are not going to accept liability on their behalf. You know, what kind of practical guidance do you have for those people who are going to wrestle with this, in terms of should they... Is there training they should go for? Is there, you know, where should they focus first? What would you recommend?
B
Well, first, if they are on the journey and they aren't already Level 2. Because if they already are Level 2, please reach out to us, suppliers@elbasystems us.com. We want to know about them, because we are absolutely looking for those people. But if they aren't, I would encourage your organization, before they go ask for help, they can reach out to me. Send an email to supplierslbasystemsus.com, it's on the open letter, and I will recommend classes. Not all instructors are equal, and there's some instructors out there that I will not name on this call, but I'll tell them if they're like, whose class should we go to? Having been through several classes myself, I know that there's people that will take care of you, and their prices. I'll be very transparent, like here's what the prices are that they ask. You can make what decisions you want. I would start there just to get a basic understanding in your own organization. So then you can start talking to others and not come from an area where you're completely unaware. So the first thing I would do is I would invest in someone in your company to go through the CCP training. Second thing I would do is, if you are a small company using an MSP, I would determine what is their knowledge of this situation, because not all MSPs are equal. That's the second step I would take. And then the third step I would take is I would absolutely start putting together a roadmap and start talking to the leadership about the things that leadership cares about. Basically, the balance of this is true: everything you want, good, fast, or quick, I mean good, fast, or cheap. You're going to have to start having those kinds of conversations, because, I mean, people talk about, oh, you need to use business terms. Business terms are dollars. Business terms are time. Business terms are resources. That's what they want to hear. They don't want to hear, like, hey, we have to do 300 of the 320 determination...
They want to know, like, dude, we have to buy this type of tool. We need to outsource this. We need to do that, mainly to answer how much is it going to cost? How long is it going to take? Can I, you know, how much of that is capital versus opex?
A
Right.
B
Because capital, you can actually do it over years, where opex, you know, generally opex is over the same year when you depreciate.
A
Yeah, I mean, do you guys feel like, you know, if somebody's reaching out to you, they're communicating the roadmap, their intent, their plans, they're going to trainings, does that do a lot to develop that relationship with you and the potential supplier relationship?
B
I would say what I've seen, and this is firsthand knowledge for myself, everyone says it takes six to nine months, and I just don't... It's going to require a much more in-depth conversation than someone just telling me we're six to nine months out or we'll have it by the end of the year, because people set dates without having done the homework, and then they're just, no, it's not as important. Now, having said that, if they're a critical supplier or someone that we really want to work with, we would go through the trouble of actually working with them and working through the process to make sure that that's actually going to happen. But that's not something I... I don't want to get deluged with a thousand companies saying, hey, we're six to nine months out. Because I've already been through that.
A
Not every supplier is a critical supplier, I think, is maybe what you're saying.
B
I know we define critical as, like, where they're sole source. Those are the big things, like if we can't get it from somewhere else. And then below them are the ones that have to be requalified. So, I mean, that is a good way that I've seen multiple big companies try to eat the elephant. Look at your sole-source ones, look at the ones that are the high dollar. Then, you know, after you've gotten through those, then start looking at the ones that are going to require significant investment, because you're going to have to requalify them to actually get them to sell it to the customer.
A
Yeah. Jason, any closing thoughts here?
C
I have to say, and I said this when your second letter came out, it's refreshing. And every time that these notifications come out, it's very refreshing. But yours was even more so refreshing because it was blunt and to the point. This is what we expect, this is what we're doing, and this is how things are going to go. It level-sets expectations, and I'm a huge fan of that. I think that that is exactly what's necessary. I think we're in the tough-love phase of the CMMC program, where you're getting your supply chain together. And look, it's either, you know, pee or get off the pot, right?
A
Yeah. All right, Bo. Well, I really appreciate you coming on the show. You know, we've spent years telling people that it was going to come and not to be lulled by rulemaking. Now rulemaking is over, we're in the phased rollout, and things are happening very quickly. You know, you're an easy man to get a hold of. You're very open and transparent with what's going on. Props to Elbit for putting out the letters and the info. You're going to be on the events circuit at West Coast, East Coast, all the various events that are going to be out there. We'll be sure to link to your supplier page down below. We'll have your contact information for people to reach out as well. Since you're interested in talking with everybody out there, any other parting words for the ecosystem out there?
B
My request is, if you haven't started, start. That is my last part. If you haven't started, start. Because the longest journey... If it takes you 12 months and you don't start, you still need 12 months of work. So please start.
A
There you go. Couldn't have said it better myself. All right, everybody. Bo, thanks again. Thanks for tuning in. Make sure you like and subscribe and we'll see you next week.
C
See you next week, Sam.
Release Date: January 15, 2026
Host: Summit 7
Guest: Bo Birdwell, Supply Chain Director & former Deputy CISO, Elbit Systems of America
This episode dives into the rapidly evolving landscape around CMMC (Cybersecurity Maturity Model Certification) enforcement, particularly focusing on supply chain security requirements as seen by Elbit America, a major U.S. defense contractor. The discussion centers on the practical realities of CMMC compliance, the company's communications to suppliers, and current supply chain risk management strategies, with plenty of hard-won advice from guest Bo Birdwell.
“CMMC is no longer an impending requirement. It is actively being enforced and flowed down… Our buyers will not issue purchase orders to suppliers who fail to meet contractual CMMC Flowdown requirements.”
— Host (00:48)
“This ain’t my first rodeo… I’m not all hat, no cattle.”
— Bo Birdwell (02:10)
“I would offer that what we are doing is opening up the floodgates to saying, hey, we want to talk to other companies. Because as much as we like our existing suppliers, if we can't get there, we are going to have to make some hard decisions.”
— Bo Birdwell (14:31)
“A lot of [suppliers] straight up told you… they're willing to wait until they see a decrease in business before they get started acting.”
— Host (13:38)
“No one is going to flow controlled, unclassified information to someone they don’t have to. When CMMC clause is in effect… If companies are saying, well, they’re saying that we have to be Level 2, there’s probably a reason.”
— Bo Birdwell (33:18)
“If you haven’t started, start. Because the longest journey… if it takes you 12 months and you don’t start, you still need 12 months of work. So please start.”
— Bo Birdwell (46:49)
Bo Birdwell’s message for defense contractors and their suppliers is clear: “If you haven’t started, start.” CMMC is now a live, enforced, and consequential reality in the defense sector supply chain. Transparent communication, strategic investment, and building true internal knowledge are critical to staying competitive and viable in a fast-accelerating compliance landscape.
Links mentioned:
(Contact and event info provided during the episode. Skip to closing minutes for direct outreach instructions.)