Submit any questions you would like answered on the podcast!

What are prime contractors actually expecting from suppliers when it comes to CMMC and cybersecurity?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke sit down with Bo Birdwell from Elbit Systems of America to get the prime contractor perspective on what suppliers need to understand right now. They break down how primes are thinking about CMMC, what they are looking for in small and mid-sized defense suppliers, and why some companies are about to hit a major inflection point if they are still treating CMMC like it is optional.

Bo shares how Elbit evaluates supplier cybersecurity posture, the red flags that stand out immediately, and why companies that wait too long may not lose the bus forever, but they may lose their place in line. The conversation also covers flowdown realities, the difference between FCI and CUI risk, why COTS matters, what “adequate security” is really about, and why suppliers need to start making serious decisions now if they want to keep or win defense work.

If you are a machine shop, aerospace supplier, manufacturer, subcontractor, or small business in the defense industrial base trying to understand how primes view CMMC readiness, this episode gives you a rare inside look at the other side of the table.

Submit any questions you would like answered on the podcast!

What do small machine shops, aerospace suppliers, and defense manufacturers really need to know about CMMC right now?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke answer some of the most common supplier questions they hear from companies trying to prepare for CMMC compliance. They break down how small suppliers can plan when contract requirements are still unclear, what level of compliance may be needed, how far requirements flow down the supply chain, and why scope matters so much when building your compliance strategy.

They also explain common myths around redacted drawings, whether tools alone can make you compliant, what CMMC actually costs, whether small companies can do CMMC themselves, how big the jump is from Level 1 to Level 2, and what happens when CMMC becomes mandatory on contracts. If you are a DoW supplier, subcontractor, aerospace machine shop, or manufacturer trying to understand how CMMC will affect your business, this episode will help you cut through the confusion

Submit any questions you would like answered on the podcast!

 lot of contractors assume CMMC Level 1 is just a simple checkbox. It is not.

In this episode, Austin and Brooke break down what CMMC Level 1 actually requires, what a self-assessment really looks like, and why self-attestation without documentation can create serious risk.

They cover the difference between Level 1 and Level 2, what Federal Contract Information (FCI) actually is, how Level 1 maps to the formal assessment process, and why organizations need policies, evidence, and artifacts before signing an attestation.

This episode also explains:

• What CMMC Level 1 covers and what it does not
• Why Level 1 is always self-assessed, not C3PAO certified
• The difference between self-assessment and self-attestation
• What documentation and evidence should exist before attesting
• Why authorized users, devices, processes, visitor logs, and physical access controls matter
• What the CFR says about evidence retention
• When a Level 1 claim may actually be scrutinized
• How whistleblowers, breaches, or customer requests can trigger verification
• The False Claims Act risk of saying you are compliant when you are not

If you are planning to self-attest to CMMC Level 1, this episode will help you understand what the government expects before you sign your name to anything.

Submit any questions you would like answered on the podcast!

Scope is the foundation of your CMMC compliance program and getting it wrong is one of the most expensive mistakes a DoD contractor can make.

In this episode, Austin and Brooke break down what “scope” actually means in plain English, why contractors skip scoping early on, and how one small miss, like a downloads folder or a USB handoff, can quietly pull major systems into scope.

We cover:

• What CMMC scope really is, including processed, stored, and transmitted CUI
• Why contractors start with tools and policies too early
• The data flow diagram exercise that reveals hidden scope issues
• How scope mistakes turn into rework, delays, and major cost increases
• Why “enclave” is often misunderstood and what it really means
• What to do if you think you got scope wrong
• How to self-check readiness using NIST 800-171A and the CMMC Assessment Process (CAP)
• Why documentation and evidence, not just controls, become the real burden

If you are planning for a Level 2 assessment, scope should be your first move, not your last-minute scramble.

Submit any questions you would like answered on the podcast!

The January 2026 CMMC Town Hall brought several important clarifications and program updates that directly impact Department of War (DoD) contractors.

In this episode of the CMMC Compliance Guide Podcast, we break down what changed, what was clarified, and what contractors should take away from the latest guidance.

We cover:

• New DOW CIO leadership changes and what they mean for CMMC
• Updated clarification on Hard Copy CUI (and what qualifies)
• Why encryption alone does NOT define scope
• Government shutdown impact on assessments
• C3PAO reauthorization and ISO 17020 accreditation
• KECO transition to ISACA and certification updates
• What all of this means for contractors planning in 2026

The biggest theme? CMMC is not slowing down. It’s becoming more standardized, more mature, and more defined.

If you’re planning contracts in 2026, now is the time to understand how these updates affect your scope, documentation, and assessment strategy.

Submit any questions you would like answered on the podcast!

Many DoW contractors feel confident they’re ready for a CMMC Level 2 assessment until assessors get involved. That’s when gaps in documentation, scope, and operational maturity start to surface.

In this episode of the CMMC Compliance Guide Podcast, Brooke breaks down why implementation alone does not equal readiness. We walk through what assessors look for before technical testing even begins, why documentation is often the real reason companies fail, and how poor scoping or misaligned staff interviews can derail an assessment.

You’ll learn:

• Why “feeling ready” is not the same as being assessment-ready
• What assessors review first during the readiness and pre-assessment phase
• How SSP quality can make or break your assessment
• Why screenshots alone are not sufficient evidence
• How POAMs are viewed during Level 2 assessments
• The role of operational maturity and ongoing proof
• How scope and employee interviews expose readiness gaps
• How to realistically self-check readiness before scheduling an assessment

If you’re preparing for a CMMC Level 2 assessment or think you’re close this episode will help you identify blind spots before they cost you time, money, or certification.

Submit any questions you would like answered on the podcast!

The DoW just released updated CMMC FAQs that clarify the rules contractors keep getting wrong. In this episode, Austin and Brooke break down what the new guidance actually says, what it means for your scope, and where vendor and architecture decisions can derail an assessment before it even starts.

We cover the most important FAQ clarifications, including:

• The real CMMC timeline and what Phase 1 vs Phase 2 changes
• Why primes may demand Level 2 earlier than the official dates
• Flowdown requirements for subcontractors (and what “defensible” verification looks like)
• The myth that encrypted CUI is no longer CUI (it is still CUI)
• Whether CMMC assessment results will be public (they will not)
• POAM vs “operational POAM” and why the distinction matters
• Hard copy only CUI: when Level 2 may not apply (and the strict caveats)
• Why encryption does not create logical separation or reduce scope
• Enclaves and enterprise networking components: what pulls systems in scope (and what does not)
• Cloud storage rules: why non-FedRAMP clouds cannot store encrypted CUI
• MSP requirements: do MSPs need CMMC certification (and what a CRM must include)
• VDI scope rules: when endpoints can be out of scope, and when they are automatically in scope

If you are making decisions around scope, vendors, cloud tools, backups, enclaves, or VDI, this episode will help you avoid assumptions that assessors will not accept.

Submit any questions you would like answered on the podcast!

When CMMC compliance starts to feel overwhelming, most companies don’t fail because they lack effort, they fail because they don’t know where to start.

In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey break down why CMMC feels so urgent and high-risk for small and mid-sized DoD contractors, and how to triage your compliance work so you can make real progress without burning out.

This episode covers:

• Why starting at control 3.1.1 is a mistake for most companies
• How poor scoping makes CMMC feel impossible
• What assessors actually prioritize first
• Which controls are non-POAMable and must be addressed early
• How to reduce scope without cutting corners
• When tools help and when they waste time and money
• How to approach SSPs, policies, and POAMs the right way
• Practical steps small teams can take to regain control of CMMC

If CMMC feels like everything is urgent and nothing is moving fast enough, this episode will help you slow down, focus, and build a plan that actually works.

Submit any questions you would like answered on the podcast!

Get your free SPRS Roadmap here: https://cmmccomplianceguide.com/free-sprs-roadmap

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the #1 thing that trips companies up before a CMMC Level 2 assessment: evidence.

Having a binder of policies (or a 300-page SSP) is not enough. Assessors want proof you are doing what you say you do consistently, over time and they want it organized so they can quickly map evidence to controls and assessment objectives.

You’ll learn:

• What assessors mean by “acceptable evidence” (and what doesn’t count)
• The “who, what, when, where” test for logs and proof
• How tickets, approvals, and checklists strengthen your evidence trail
• What to avoid putting in cloud ticketing systems (SPD risks)
• Manufacturer-specific pitfalls assessors notice on the shop floor
• Why “fresh out of the oven” evidence raises red flags
• How GRC tools can make evidence collection and linking easier

Submit any questions you would like answered on the podcast!

What do CMMC Level 2 assessors notice first, sometimes within the first day, before they ever dig into your firewall configs or deep technical testing?

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the early red flags that can derail your assessment fast. We cover what assessors ask for right out of the gate (and how quickly you need to respond), why generic SSPs create problems, how scoping mistakes happen in the real world (downloads folders, copiers, shop floor machines), and what it means when your policies do not match what employees actually do.

If you want to pass your CMMC Level 2 assessment, this episode will help you tighten your documentation, evidence, and scope before the assessor ever starts technical validation.