Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we tackle one of the most misunderstood topics in CMMC compliance.

Many contractors assume that if information is not marked as controlled unclassified information, then it is not CUI. But that assumption can lead to serious compliance risks.

We break down how manufacturers and machine shops can actually create CUI while performing contract work, even if the original data was not clearly marked.

We also cover how ERP systems factor into CMMC scope, when systems are considered in or out of scope, and how improper scoping decisions can create major compliance gaps.

You will learn what derived CUI is, how it applies to things like CNC G code, and why simply removing identifying details from documents does not make them safe.

We also explain who determines what qualifies as CUI, how scope can expand across your network, and what realistic cost and infrastructure decisions look like for small and mid sized contractors.

If you are part of the defense supply chain, this episode will help you avoid one of the most common and costly misunderstandings in CMMC.

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down one of the biggest misconceptions in CMMC compliance.

Most contractors think CMMC is just a cybersecurity upgrade. Install a few tools, write some policies, and you are ready for an assessment. But that is not how CMMC actually works.

The real challenge is the operational workload behind compliance.

We walk through what that workload actually looks like, including documentation, system security plans, asset management, workforce training, evidence collection, and continuous monitoring. These are the areas that consume the most time and are often underestimated by small and mid sized defense contractors.

We also cover how CMMC impacts your supply chain, including subcontractor flowdown requirements and what you are responsible for as a prime or subcontractor.

If you are preparing for CMMC Level 1 or Level 2, this episode will help you understand the true scope of work so you can avoid delays, failed assessments, and costly surprises.

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down one of the most overlooked risks in CMMC compliance. What actually happens when your environment changes after an assessment?

Many contractors assume that once they pass a CMMC assessment or complete a self assessment, they are set for the next year or even three years. But recent guidance from the Cyber AB town hall reveals that certain changes can trigger a brand new assessment.

We walk through what qualifies as a significant change, what does not, and how decisions are made when things fall into the gray area. We also cover real examples like mergers, switching MSPs, expanding networks, and upgrading tools.

If you are planning changes to your environment or trying to future proof your compliance strategy, this episode will help you avoid costly mistakes and unnecessary reassessments.

We also answer a listener question about how to identify FCI and how it should be handled under CMMC Level 1 requirements.

If you are a small or mid sized defense contractor, aerospace supplier, or manufacturer, this is critical guidance you do not want to miss.

Submit any questions you would like answered on the podcast!

What are prime contractors actually expecting from suppliers when it comes to CMMC and cybersecurity?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke sit down with Bo Birdwell from Elbit Systems of America to get the prime contractor perspective on what suppliers need to understand right now. They break down how primes are thinking about CMMC, what they are looking for in small and mid-sized defense suppliers, and why some companies are about to hit a major inflection point if they are still treating CMMC like it is optional.

Bo shares how Elbit evaluates supplier cybersecurity posture, the red flags that stand out immediately, and why companies that wait too long may not lose the bus forever, but they may lose their place in line. The conversation also covers flowdown realities, the difference between FCI and CUI risk, why COTS matters, what “adequate security” is really about, and why suppliers need to start making serious decisions now if they want to keep or win defense work.

If you are a machine shop, aerospace supplier, manufacturer, subcontractor, or small business in the defense industrial base trying to understand how primes view CMMC readiness, this episode gives you a rare inside look at the other side of the table.

Submit any questions you would like answered on the podcast!

What do small machine shops, aerospace suppliers, and defense manufacturers really need to know about CMMC right now?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke answer some of the most common supplier questions they hear from companies trying to prepare for CMMC compliance. They break down how small suppliers can plan when contract requirements are still unclear, what level of compliance may be needed, how far requirements flow down the supply chain, and why scope matters so much when building your compliance strategy.

They also explain common myths around redacted drawings, whether tools alone can make you compliant, what CMMC actually costs, whether small companies can do CMMC themselves, how big the jump is from Level 1 to Level 2, and what happens when CMMC becomes mandatory on contracts. If you are a DoW supplier, subcontractor, aerospace machine shop, or manufacturer trying to understand how CMMC will affect your business, this episode will help you cut through the confusion

Submit any questions you would like answered on the podcast!

 lot of contractors assume CMMC Level 1 is just a simple checkbox. It is not.

In this episode, Austin and Brooke break down what CMMC Level 1 actually requires, what a self-assessment really looks like, and why self-attestation without documentation can create serious risk.

They cover the difference between Level 1 and Level 2, what Federal Contract Information (FCI) actually is, how Level 1 maps to the formal assessment process, and why organizations need policies, evidence, and artifacts before signing an attestation.

This episode also explains:

• What CMMC Level 1 covers and what it does not
• Why Level 1 is always self-assessed, not C3PAO certified
• The difference between self-assessment and self-attestation
• What documentation and evidence should exist before attesting
• Why authorized users, devices, processes, visitor logs, and physical access controls matter
• What the CFR says about evidence retention
• When a Level 1 claim may actually be scrutinized
• How whistleblowers, breaches, or customer requests can trigger verification
• The False Claims Act risk of saying you are compliant when you are not

If you are planning to self-attest to CMMC Level 1, this episode will help you understand what the government expects before you sign your name to anything.

Submit any questions you would like answered on the podcast!

Scope is the foundation of your CMMC compliance program and getting it wrong is one of the most expensive mistakes a DoD contractor can make.

In this episode, Austin and Brooke break down what “scope” actually means in plain English, why contractors skip scoping early on, and how one small miss, like a downloads folder or a USB handoff, can quietly pull major systems into scope.

We cover:

• What CMMC scope really is, including processed, stored, and transmitted CUI
• Why contractors start with tools and policies too early
• The data flow diagram exercise that reveals hidden scope issues
• How scope mistakes turn into rework, delays, and major cost increases
• Why “enclave” is often misunderstood and what it really means
• What to do if you think you got scope wrong
• How to self-check readiness using NIST 800-171A and the CMMC Assessment Process (CAP)
• Why documentation and evidence, not just controls, become the real burden

If you are planning for a Level 2 assessment, scope should be your first move, not your last-minute scramble.

Submit any questions you would like answered on the podcast!

The January 2026 CMMC Town Hall brought several important clarifications and program updates that directly impact Department of War (DoD) contractors.

In this episode of the CMMC Compliance Guide Podcast, we break down what changed, what was clarified, and what contractors should take away from the latest guidance.

We cover:

• New DOW CIO leadership changes and what they mean for CMMC
• Updated clarification on Hard Copy CUI (and what qualifies)
• Why encryption alone does NOT define scope
• Government shutdown impact on assessments
• C3PAO reauthorization and ISO 17020 accreditation
• KECO transition to ISACA and certification updates
• What all of this means for contractors planning in 2026

The biggest theme? CMMC is not slowing down. It’s becoming more standardized, more mature, and more defined.

If you’re planning contracts in 2026, now is the time to understand how these updates affect your scope, documentation, and assessment strategy.

Submit any questions you would like answered on the podcast!

Many DoW contractors feel confident they’re ready for a CMMC Level 2 assessment until assessors get involved. That’s when gaps in documentation, scope, and operational maturity start to surface.

In this episode of the CMMC Compliance Guide Podcast, Brooke breaks down why implementation alone does not equal readiness. We walk through what assessors look for before technical testing even begins, why documentation is often the real reason companies fail, and how poor scoping or misaligned staff interviews can derail an assessment.

You’ll learn:

• Why “feeling ready” is not the same as being assessment-ready
• What assessors review first during the readiness and pre-assessment phase
• How SSP quality can make or break your assessment
• Why screenshots alone are not sufficient evidence
• How POAMs are viewed during Level 2 assessments
• The role of operational maturity and ongoing proof
• How scope and employee interviews expose readiness gaps
• How to realistically self-check readiness before scheduling an assessment

If you’re preparing for a CMMC Level 2 assessment or think you’re close this episode will help you identify blind spots before they cost you time, money, or certification.

Submit any questions you would like answered on the podcast!

The DoW just released updated CMMC FAQs that clarify the rules contractors keep getting wrong. In this episode, Austin and Brooke break down what the new guidance actually says, what it means for your scope, and where vendor and architecture decisions can derail an assessment before it even starts.

We cover the most important FAQ clarifications, including:

• The real CMMC timeline and what Phase 1 vs Phase 2 changes
• Why primes may demand Level 2 earlier than the official dates
• Flowdown requirements for subcontractors (and what “defensible” verification looks like)
• The myth that encrypted CUI is no longer CUI (it is still CUI)
• Whether CMMC assessment results will be public (they will not)
• POAM vs “operational POAM” and why the distinction matters
• Hard copy only CUI: when Level 2 may not apply (and the strict caveats)
• Why encryption does not create logical separation or reduce scope
• Enclaves and enterprise networking components: what pulls systems in scope (and what does not)
• Cloud storage rules: why non-FedRAMP clouds cannot store encrypted CUI
• MSP requirements: do MSPs need CMMC certification (and what a CRM must include)
• VDI scope rules: when endpoints can be out of scope, and when they are automatically in scope

If you are making decisions around scope, vendors, cloud tools, backups, enclaves, or VDI, this episode will help you avoid assumptions that assessors will not accept.