The "SmallsCast" Podcast

The Smalls talks to Digital Beachhead!

Listen in as your host Just Nate talks with Mike Crandall, CEO and co-founder of Digital Beachhead.


  • The Urgency of CMMC 2.0: November 10th is the date for Article 48 implementation, making CMMC a mandatory default clause in all new DoD solicitations. Many small businesses are panicked because they didn't believe it would actually happen.

  • A History Lesson in Compliance: The discussion traces the evolution from DFARS 7012 to DFARS 7019, which introduced the NIST 800-171 controls and the PoAM (Plan of Action and Milestones) system. CMMC was created to replace unreliable self-attestation and perpetual PoAMs.

  • CMMC 2.0 Levels and Requirements:

    • Level 1 (FCI): For Federal Contract Information (FCI) only. Requires 15 controls and allows for self-assessment by a senior company representative.

    • Level 2 (CUI): For Controlled Unclassified Information (CUI). Requires all 110 NIST 800-171 controls and 320 assessment objectives. Self-attestation is allowed for the first 12 months, but prime contractors (like Lockheed or Boeing) can still demand C3PAO certification immediately.

  • Understanding CUI: CUI (Controlled Unclassified Information) is a major gray area, often defined differently by each government customer. The discussion stresses that CUI is not a security classification but a marking, and that contractors should only mark information as CUI if the government has explicitly designated it as such.

  • The Insurance Factor: Cyber insurance companies are increasingly requiring CMMC certification before they will pay out on a ransomware or data breach claim, making compliance an essential part of risk management.

  • The Assessment Process: Mike outlines the four phases of a CMMC assessment by a C3PAO (like Digital Beachhead):

    1. Pre-assessment: Initial review of your data and readiness.

    2. Interview & On-site Visit: A deep dive into paperwork, controls, and physical security.

    3. Certification: Receiving a final or conditional certification.

    4. eMASS Upload: Submitting the results to the government's official system.

    • The typical process for a small business takes three to four weeks.

  • Cost & Strategy for Small Businesses: The average cost of a Level 2 assessment for a small business is between $40K and $50K (a one-time payment for the three-year certification). For companies whose DoD work is only a small portion of their business, Mike recommends creating a secure, isolated enclave (like a GCC High or Cloud PC VDI solution) to reduce the scope, and therefore the cost, of the assessment.

🤝 Guest Spotlight & Resources

Guest: Mike Crandall, CEO and Co-Founder of Digital Beachhead

Company: Digital Beachhead is the only authorized C3PAO in Colorado Springs and one of three in the Mountain Region, specializing in cybersecurity services and CMMC assessment.

Mike's Contact Information:

  • Website: digitalbeachhead.com

  • Email: [email protected]

  • LinkedIn: Search for Mike Crandall at Digital Beachhead.

To find out more about the Smalls or become a member, please check us out at www.thesmalls.org

To contact Just Nate: [email protected]

Send in a voice message: https://anchor.fm/thesmalls/message

Support this podcast: https://anchor.fm/thesmalls/support

www.patreon.com/thesmalls

The "SmallsCast" Podcast, by TheSmalls