Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: Securing the Supply Chain with Elbit America
Release Date: January 15, 2026
Host: Summit 7
Guest: Bo Birdwell, Supply Chain Director & former Deputy CISO, Elbit Systems of America
Episode Overview
This episode dives into the rapidly evolving landscape around CMMC (Cybersecurity Maturity Model Certification) enforcement, particularly focusing on supply chain security requirements as seen by Elbit America—a major U.S. defense contractor. The discussion centers on the practical realities of CMMC compliance, the company’s communications to suppliers, and current supply chain risk management strategies, with plenty of hard-won advice from guest Bo Birdwell.
Key Discussion Points & Insights
1. The Reality of CMMC Enforcement
- CMMC is now "actively being enforced and flowed down" from primes, not just a looming requirement.
- Elbit America’s open letters to suppliers make it clear: “Our buyers will not issue purchase orders to suppliers who fail to meet contractual CMMC flowdown requirements.” (00:48, Host)
- A CMMC Level 2 requirement hit Elbit America just "32 days into the phased rollout"—proving the urgency and reality for supplier compliance. (05:47, Host)
2. Bo Birdwell’s Three Core Messages
- Network Building:
  - “I’m not here to sell anything. I’m here so I can buy stuff.” (02:13, Bo Birdwell)
  - Emphasizes the importance of building relationships with compliant suppliers.
- Community Lifts All:
  - “A rising tide lifts all ships… we’re all competitive friends.” (02:36, Bo Birdwell)
  - Advocates for sharing experiences to protect collectively.
- Thanks to DoD Transparency:
  - Major contractors have benefited from early and clear DoD signals, allowing gradual spending and adaptation.
  - “Thank you, Katie Arrington… as they’ve given us time, we as most of the big primes… were able to address the requirements over three to four years.” (03:10, Bo Birdwell)
3. Supplier Reactions & the New Business Imperative
- Suppliers are reacting in varied ways—some accept the urgency; many remain hesitant until it directly impacts their bottom line.
- “A lot of them straight up told you they’re willing to wait until they see a decrease in business before they get started acting.” (13:38, Host)
- Primes are increasingly open to seeking new partners if current suppliers delay compliance:
- “If we can’t get there, we are going to have to make some hard decisions. And we’re building a bench…” (14:31, Bo Birdwell)
- There’s an emerging "ultimatum" dynamic: comply or risk being replaced, even though replacing suppliers is costly and complex.
4. The Cost and Tactical Challenges of Compliance
- Bo underscores the benefit of planned, staged investments over several years (“low double-digit” annual increases) vs. rushed, expensive spend.
- “If you spread it over years, you can go with low double digit increases… If you have to accelerate… those start accelerating on the high double digits.” (19:33, Bo Birdwell)
- Transition pain is felt most acutely among smaller suppliers with little prior investment, facing steeper, faster expense curves.
- SaaS providers are reluctant to pursue FedRAMP, posing a big supply chain headache.
- For manufacturing/enterprise, pre-packaged or “CMMC in a box” solutions are not realistic. Integration with ERP, MES, and business applications adds significant complexity.
5. The Flowdown and Chicken-and-Egg Dilemma
- There’s a stalemate: suppliers want a contract promise before investing, but contractors can’t award work until compliance is proven.
- “You can’t win the contract unless you have the supply chain, but you can’t guarantee the supply chain the work until you win the contract.” (11:49, Bo Birdwell)
6. Documentation vs. Implementation: Lessons Learned
- Key Takeaway: “Documentation is as important as implementation.” (25:40, Bo Birdwell)
- Many audit failures stem from canned, unreviewed documentation; successful orgs deeply integrate policy and practice.
- Elbit’s approach: Security plans are written to be shareable but exclude sensitive details, referencing over 100 supporting docs and procedures.
- Regular self-assessments (>100 pages) per DFARS with annotated determination statements are invaluable in audits.
7. Demand for Level 3 on the Horizon
- Major primes are not viewing CMMC Level 3 as aspirational—most are already investing with a 12–18 month timeline.
- On Level 3 Flowdown: “No one wants to flow down Level 3 unless they absolutely have to. It’s an onerous bill.” (35:25, Bo Birdwell)
- Discussion of government (and customer) ambiguity and learning curve, with some contracting offices issuing inconsistent requirements.
8. Advice for Suppliers & Practical Steps
- Start Now: If you haven’t started, start—because compliance always takes longer than you think.
- Internal Champions: Invest in internal knowledge—get someone CMMC CCP trained.
- Thoroughly Vet MSPs/RPOs: Only work with certified, experienced CMMC professionals.
- Prioritize by Risk: Focus efforts first on sole-source and high-dollar suppliers; build a “bench” of alternative options.
- Communicate Proactively: Suppliers who share readiness, plans, and honest timelines build better relationships with primes.
Notable Quotes & Memorable Moments
- “CMMC is no longer an impending requirement. It is actively being enforced and flowed down… Our buyers will not issue purchase orders to suppliers who fail to meet contractual CMMC Flowdown requirements.”
  — Host (00:48)
- “This ain’t my first rodeo… I’m not all hat, no cattle.”
  — Bo Birdwell (02:10)
- “I would offer that what we are doing is opening up the floodgates to saying, hey, we want to talk to other companies. Because as much as we like our existing suppliers, if we can't get there, we are going to have to make some hard decisions.”
  — Bo Birdwell (14:31)
- “A lot of [suppliers] straight up told you… they're willing to wait until they see a decrease in business before they get started acting.”
  — Host (13:38)
- “No one is going to flow controlled, unclassified information to someone they don’t have to. When CMMC clause is in effect… If companies are saying, well, they’re saying that we have to be Level 2, there’s probably a reason.”
  — Bo Birdwell (33:18)
- “If you haven’t started, start. Because the longest journey… if it takes you 12 months and you don’t start, you still need 12 months of work. So please start.”
  — Bo Birdwell (46:49)
Timestamps for Key Segments
- Introduction to Elbit & CMMC Letters: 00:02–02:08
- Bo’s Core Principles & Industry Perspective: 02:08–05:47
- Supplier Reaction to Letters & Flowdown: 05:47–10:31
- Supply Chain Risk & Replacement Dilemma: 10:31–14:31
- Communication with Government/Customers: 16:43–18:59
- Cost & SaaS/FedRAMP Challenges: 19:33–23:48
- Documentation, Best Practices & Assessments: 25:20–31:53
- Minimizing CUI Flow Discussion: 32:31–39:26
- Practical Supplier Guidance & Prioritization: 41:37–45:29
- Closing Thoughts & Start Now: 46:49–47:05
Practical Guidance from Bo Birdwell
- Get Educated: “Invest someone in your company to get a go through the CCP training.” (41:37)
- Vet Partners: “If you are a small company using an MSP, determine their knowledge of this situation because not all MSPs are equal.” (41:37)
- Roadmap & Communication: “Start putting together a roadmap and start talking to the leadership about the things that leadership cares about… dollars, time, resources.” (41:37)
- Realistic Planning: “I haven’t, I’m … going to require a much more in-depth conversation than someone just telling me we’re six to nine months out… I’ve already been through that.” (44:08)
Closing Words
Bo Birdwell’s message for defense contractors and their suppliers is clear: “If you haven’t started, start.” CMMC is now a live, enforced, and consequential reality in the defense sector supply chain. Transparent communication, strategic investment, and building true internal knowledge are critical to staying competitive and viable in a fast-accelerating compliance landscape.
Links mentioned:
- Elbit America supplier info page
- MSPs for critical infrastructure directory
(Contact and event info provided during the episode. Skip to closing minutes for direct outreach instructions.)
