Podcast Summary: T-Minus Space Daily
Episode: The Cybersecurity Maturity Model Certification Program
Date: November 8, 2025
Host: Maria Varmazis (N2K Networks)
Guest: Jacob Horne, Chief Cybersecurity Evangelist at Summit 7
Main Theme
This episode explores the origins, requirements, and implications of the Cybersecurity Maturity Model Certification (CMMC) Program for space industry contractors working with the U.S. Department of Defense (DoD). With CMMC’s contractual effective date imminent (November 10, 2025), host Maria Varmazis and cybersecurity expert Jacob Horne break down what the new rules mean, debunk common misconceptions, discuss DOJ enforcement risk under the False Claims Act, and offer actionable advice for companies navigating compliance.
Key Discussion Points & Insights
1. What is CMMC and Why Does It Matter?
[00:55–05:24]
- Background: DoD contractors, including space companies, have long had cybersecurity obligations written into their contracts.
- The Problem: There’s been no mechanism to verify compliance; breaches occurred because requirements weren’t enforced.
- CMMC Solution:
- The Cybersecurity Maturity Model Certification (CMMC) mandates third-party verification to prove contractors are meeting these cybersecurity requirements.
- Goes into effect November 10, 2025.
- Practical Impact:
- After this date, companies must prove compliance before contract award—there’s no grace period post-award.
- “This is the red light going off to tell everybody to start thinking about it now, not when it shows up in the solicitation.” – Jacob Horne [07:05]
2. CMMC’s Regulatory Structure
[09:02–12:25]
- Two Regulations:
- Title 32 CFR (Part 170): Governs program policy, roles and responsibilities, the three levels, and assessment procedures (in effect since December 2024).
- Title 48 CFR (DFARS contract clauses): Brings the CMMC requirement into actual government contracts (effective November 10, 2025).
- Levels: Three levels depending on the sensitivity of the information handled. Level 1 covers Federal Contract Information (FCI) with an annual self-assessment; Level 2 covers Controlled Unclassified Information (CUI) against the 110 NIST SP 800-171 requirements, verified by self-assessment or by a certified third-party assessor (C3PAO) depending on the contract; Level 3 adds selected NIST SP 800-172 requirements and is assessed by the government (DIBCAC).
- Early Adopters: ~400 companies voluntarily attained Level 2 certification before the contract clause requirement took effect.
3. The Nature of Compliance: Not Just Another Box-checking Exercise
[12:25–17:23]
- CMMC is Verification, Not New Requirements:
- DoD contractors have carried contractual cybersecurity obligations since the 2013 DFARS safeguarding rule, and the NIST SP 800-171 control set has been the benchmark since 2015; CMMC adds verification, not new controls.
- What’s Being Verified?
- 110 security requirements (NIST SP 800-171) → 320 assessment objectives (NIST SP 800-171A), each of which must be shown as MET during an assessment.
- Audits are Standardized:
- “The good news is it’s standardized. The bad news is it’s standardized.” – Jacob Horne [17:23]
- It’s not subjective like some audits, but you can’t improvise or cut corners.
- Self-Assessment Pitfalls:
- DoD found large discrepancies between self-reported and actual compliance, leading to Senate and DoD intervention.
- “That’s fraud.” – Jacob Horne [15:30], regarding contractors attesting to compliance they hadn’t achieved.
4. Unique Factors for the Space Industry
[20:18–23:21]
- Scope in Manufacturing:
- Shop floor/manufacturing environments have special scoping nuances; knowing exactly which systems, people, and facilities are in scope takes work.
- Quality Management Synergy:
- Companies with a strong QMS (Quality Management System) are better positioned to adapt, because they already maintain documented, auditable processes.
- Common Space Industry Pitfalls:
- Placing export-controlled (ITAR/EAR) data in commercial cloud services not authorized for it, or relying on managed service providers staffed by foreign nationals, runs afoul of export-control rules and undermines CMMC compliance.
Quote:
“If you are in the space industry, definitely be aware of that. There are rumors that the Golden Dome program … will be elevated to CMMC Level 3 requirements. That is a big jump over CMMC Level 2.” – Jacob Horne [22:47]
5. Enforcement and Legal Risks: The False Claims Act
[25:10–27:57]
- DOJ’s Civil Cyber-Fraud Initiative:
- DOJ actively pursues False Claims Act penalties for misrepresented cybersecurity compliance.
- Whistleblowers (including your own IT staff) can collect up to 30% of government recoveries under the FCA’s qui tam provisions.
- Materiality:
- Cyber requirements ARE material to payment; failing to comply, or attesting falsely, exposes companies to legal and financial risk.
Quote:
“Your biggest insider threat is your IT guy picking up the phone and calling the Department of Justice. … Many of these whistleblowers make out with millions of dollars for a thing that would have cost you like a hundred grand if you had just done it.” – Jacob Horne [26:35]
6. No Loopholes or Waivers—Act Now
[28:01–28:59]
- No Individual Exemptions:
- Waivers are for entire contracts, not individual contractors.
- Prime/Subcontractor Dynamics:
- Primes can dictate CMMC status to subs; don’t assume the rules or deadlines are the same.
- Action Steps:
- Don’t wait for a solicitation. Call your customers, talk to your primes, study the requirements, take compliance seriously.
Notable Quotes & Memorable Moments
- “CMMC is just making sure you did the requirements.” – Jacob Horne [12:45]
- “If you could flip a button, we would sell you the button to flip… and I wouldn’t even have to make all these podcasts.” – Jacob Horne [16:10]
- “If you are planning on bidding … you are going to see these requirements in your contracts and the requirement to prove that you have implemented them … before you bid.” – Jacob Horne [06:24]
- “Don’t kick off your IT guy. That’s lesson number one.” – Maria Varmazis [26:31]
- “There are no waivers. … If you see it in the solicitation, there is no mechanism to remove the requirement.” – Jacob Horne [28:01]
Key Timestamps
| Timestamp | Topic / Quote |
|-----------|---------------|
| 00:55 | Introduction of CMMC and its necessity |
| 02:16 | Jacob Horne introduces himself |
| 07:05 | The November 10, 2025, effective date clarified |
| 09:02 | Regulation structure: Title 32, Contract Clauses |
| 12:45 | “CMMC is just making sure you did the requirements.” |
| 15:30 | DoD audits reveal wide gaps in self-vs-real compliance |
| 20:18 | Special notes for space and manufacturing sectors |
| 22:47 | Golden Dome contractors may be subject to Level 3 |
| 25:10 | False Claims Act and whistleblower enforcement |
| 26:35 | Insider threat: whistleblower risk |
| 28:01 | No waivers; prime/sub responsibilities |
Final Takeaways
- CMMC compliance is real, imminent, and enforceable for defense contractors, including space industry firms.
- Preparation must begin now; you won’t have time after solicitation to catch up.
- Don’t assume your past practices meet the standard; verify each of the 320 assessment objectives using NIST SP 800-171A and the CMMC assessment guides, and document the evidence.
- The risks for non-compliance include contract loss, legal exposure, and whistleblower-triggered penalties.
- The best first steps: read your contracts, familiarize yourself with the NIST standards, and open communication with both clients and primes about CMMC readiness.
Resource Links
- NIST SP 800-171 and SP 800-171A
- CMMC Assessment Guides (Levels 1–3)
- CMMC official website
- DOJ Cyber-Fraud press releases (for recent enforcement examples)
Questions or further info?
Contact Jacob Horne (Summit 7) via LinkedIn.
