Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
This New Rule Can DESTROY Your Sales Overnight: CMMC's Wide Reach
CMMC 2.0 explained in plain English — what it means for small businesses, defense contractors, and vendors across the DoD supply chain. Learn about Level 1 vs Level 2, self-attestation risks, C3PAO shortages, compliance deadlines, and how to stay audit-ready before 2025.
Don't miss out on crucial information about the CMMC 2025 deadline. The Cybersecurity Maturity Model Certification is a vital requirement for businesses dealing with the Department of Defense. If you miss the deadline, you risk losing contracts and facing severe penalties. In this video, we'll explore the consequences of missing the CMMC 2025 deadline and provide valuable insights on how to prepare and stay compliant. Stay ahead of the game and ensure your business is CMMC-ready.
Find out what happens if you missed the deadline and learn how to avoid costly mistakes. Tune in now and take the first step towards CMMC compliance.
CHAPTERS
00:00 – The 4 Letters That Can End Your Business
00:15 – CMMC 2.0: Why November 10, 2025 Changes Everything
01:35 – Meet the Expert: Frontline View from a CMMC Assessor
02:59 – What Is CMMC (In Plain English)?
04:20 – FCI vs CUI: The Data That Decides Your Level
07:05 – Are You Level 1 or Level 2? How the Flow-Down Really Works
10:05 – Why the DoD Stopped “Trusting” Small Contractors
11:40 – Supply-Chain Breaches: How Third Parties Take You Down
13:00 – Level 1: The 17 “Basic” Controls Everyone Ignores
17:00 – The Dangerous Game of Fudging Your Self-Attestation
21:15 – Level 2: 110 Controls, SSPs, and the Reality of NIST 800-171
23:40 – C3PAO Bottleneck: Why Waiting Means Losing Contracts
26:30 – POA&M and the 180-Day “Grace” Trap
32:05 – Surprise: Printers, MSPs, and “Non-Defense” Vendors in the Blast Radius
35:15 – CMMC Is Not Going Away (And Other Hard Truths)
37:05 – Countdown to Fallout: What to Do Before the Deadline Hits
Growth without Interruption. Get peace of mind. Stay Competitive. Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
🔥New Special Offers! 🔥
- Remove Your Private Data Online Risk Free Today. Try Optery Risk Free. Protect your privacy and remove your data from data brokers and more. 🔥No risk.🔥 Sign up here: https://get.optery.com/DMauro-CyberCrimeJunkies
- 🔥Want to Try AI Translation, Audio Reader & Voice Cloning? Try Eleven Labs Today🔥 Want a Translator, Audio Reader, or prefer a Custom AI Agent for your organization? Highest quality we found anywhere. You can try Eleven Labs here risk free: https://try.elevenlabs.io/gla58o32c6hq
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Dive Deeper:
🔗 Website: https://cybercrimejunkies.com
Engage with us on Socials:
✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
What Happens If You MISS The CMMC 2025 Deadline?
TAGS
agentic ai,ai,ai for beginners,ai tools,artificial intelligence,business strategy,cyber awareness,cyber security,cyber security explained,cybersecurity,cybersecurity for beginners,information security,network security,prompt engineering,social engineering,true crime,truly criminal,what is cyber security,CMMC 2025,CMMC Level 2,NIST 800-171,cybersecurity for small business,government contracts,federal contractors,CMMC audit,CMMC training,CMMC
Speaker 2 (00:14.958)
Four letters are about to shake the entire defense supply chain. CMMC. The deadline: November 10th, 2025. Not a suggestion, not a checkbox. It's a survival test. For thousands of small and mid-sized contractors, this is where it all flips. Pass and you keep your business. Fail and you're out of the game overnight. Here's what not everybody's realizing. You don't have to build rockets or tanks to be on the radar. If you touch defense data in any way, a print vendor, a parts maker, a small consulting company, a managed IT firm, you're already in the blast radius. And this isn't theory anymore. It's happening. When the fallout starts, the unprepared won't just lose contracts. They'll lose everything tied to them. The clock is ticking. So let's unpack what that really means before time runs out. This is Cybercrime Junkies and now the show.
Speaker 2 (01:34.136)
So four letters that are about to shake the entire defense supply chain are here. CMMC. The new compliance deadline on November 10th, 2025 isn't just paperwork. It's a survival test. All small to mid-sized businesses that pass will keep their business, revenue, and contracts that ultimately flow up to the Department of Defense, also called the Department of War now. Those that don't, well, they're out. Today I'm joined by Sam Durso, a cybersecurity leader and CMMC expert at NetGain Technologies, who's been on the front lines helping organizations prep for this massive shift. We're diving into what's real, what's myth, and what every business leader needs to do right now before the revenue stream gets dried up. This is your countdown to the flow-down fallout, why small businesses are being forced into CMMC compliance. Sam, welcome to the studio, my friend.
Thank you, Dave. It's good to be here.
Yeah, well, let's talk CMMC. And there have been a lot of changes. We've talked about it several times. We've had several webinars in the past. First, let's start at the very beginning. OK, what is CMMC? High level, just get that out of the way. What is CMMC and who does it apply to?
Speaker 1 (02:59.5)
Yeah, so CMMC high level is the cybersecurity maturity model for the DOD or now the DODW of course. It's just a compliance framework that companies need to follow whenever they're handling anything such as CUI, controlled unclassified information or FCI, federal contract information.
And so when we think of Department of Defense, we think of like building tanks, building rockets and stuff like that. But I think the important thing here is, in your experience, it goes way beyond that, doesn't it? It is way down in the supply chain. When you think of like Raytheon or Boeing or some of the big Department of Defense manufacturers, this is all, this really affects small businesses, doesn't it?
Yeah, it will affect any company that's in possession of any of this kind of information. They don't have to be building weapons, tanks, missiles, or anything like that to be compliant under this framework.
So that's interesting. So walk us through, you mentioned FCI, Federal Contract Information, and you mentioned CUI, Controlled Unclassified Information. Let's unravel both of those, okay? So FCI, what is that? Like what are samples of Federal Contract Information?
So FCI is basically any information that's generated under a DoD contract and it's not intended for public release, but it's not classified. And this is stuff like purchase orders, delivery schedules, internal communications from the DoD, or even invoice details.
Speaker 2 (04:37.216)
Okay. So it's not rocket design and things like that, right? It's far from it. It's really just contractor information, right? And so if small mid-sized businesses, and I mean, I've seen CMMC compliant organizations be six-person firms, it gets really low, right? Right. If they're engaged with any of the federal contract information, then CMMC applies. And then you have to go through the rubric of: are you a level one? Are you a level two, really? And if it's just federal contract information and that's it, that's all the data that you are experienced in in that supply chain, then you're just a level one, right?
Yes, that's correct. And FCI is going to be purely level 1, which is under FAR clause 52-204.
Right, cool, okay. So the other one, the level two, is gonna be CUI, Controlled Unclassified Information. So walk us through what that is. Like what are some samples of
Yeah, so CUI is any information that requires safeguarding, but it's not classified as well, but normally will fall under like laws, regulations, or policies. This is stuff like technical drawings, IT system diagrams, export control data, engineering reports, security plans. And the best way I always like to compare these two is say you go to the government and you buy a rocket design. You buy a design on how to build a ballistic rocket.
Speaker 1 (06:09.154)
The receipt you get from them will be FCI, but the drawings you get will be the CUI.
That's a really good example. So the receipt that you get is FCI, that's federal contract information pertaining to the contract itself. The actual drawings are going to be what the CUI is. Okay, all right. So as a business leader, if you're listening to this, right, and you are engaged in, now, if you're a contractor and you get business from somebody who does business with somebody who does business with one of the prime big guys in the Department of Defense supply chain, then this is going to apply to you, right? And so you have to figure out what type of data are we engaging to win these bids.
Right? Right. I mean, is that that's how it works.
Yeah, that's crap.
Speaker 2 (07:05.176)
So, I'm sorry, I think out loud. That's what I'm doing. I'm verbalizing it as I follow the bouncing ball in my mind.
I'm the same way, I get caught insane in public sometimes.
Exactly, all the time. So now when that happens, then they have to decide whether they're gonna be level one or level two, because when they're bidding on deals, and that's what this new rule that finally came into effect, that goes into effect November 10th, which is just around the corner. When that rule comes into play, then you are not going to be able to bid on that business, correct, unless you are... If I only have FCI, I have to be level one. So I have to go through the level one process and then show them that I'm certified, right? Okay, and then likewise, if I'm supposed to be level two and I actually touch CUI, then I have to show them that I'm level two in order to be able to bid on these contracts.
Correct, but a little bit different actually. For level 2, they have the 180-day POA&M rule, which is the plan of action milestone in this new CFR rule that came out where if the contract is not fully compliant, they still might be eligible with a conditional CMMC status to get that contract, but they have to show that they're going to fix those gaps within 180 days or those contracts are going to get pulled away.
Speaker 2 (08:39.54)
Okay, so that makes a lot of sense, right? So they do have, well here's the practical effect of that, is even though there's this plan of action, this POA&M, 180-day time period, they have to get started soon though, right? I mean, isn't this something that organizations that are gonna be at the level two stage handling controlled unclassified information, CUI, they need to get going on, because it takes some time to get fully compliant, doesn't it?
Yeah, it will take quite some time. You know, I've seen companies do it in a month all the way to, you know, years to do it. And it really depends on the resources available, the team available, if you're willing to put all of your effort into it. But I know companies can't put all their effort into a single thing at a time.
Right. Well, I mean, in fairness, the ones that we've seen do it that fast are pretty small, right? Like they only have one or two computers that are handling the CUI. So they're able to kind of segment that off.
Yeah, that's correct. I mean, the one client that I did do it for when I was freelancing was just a few employees. They had three, four computers and that's about it. So it was very easy to understand, you know, their entire network map and what goes where and how to secure those, you know, specific devices down that did touch the CUI.
Speaker 2 (10:03.384)
Yeah, it makes sense. You know, high level, why did they, why are they doing the CMMC? Like, why are they starting this requirement? Because small businesses have got to think this is like, this is a big burden. This is going to be a big change, isn't
Yeah, it's going to be huge. I mean, the biggest reason is because, you know, the government always has projects for people to do. You know, that's why construction companies, for example, you know, even though it's the government's property that's being built on construction companies are doing that construction for them because it's just easier instead of making, you know, a government owned construction company, for example. Right.
Yeah, and it protects the data of engagements with the Department of Defense, which is obviously highly sensitive. Now granted, they're not talking about nuclear codes and designs of nuclear weapons or anything like that at this level, especially at the level one level, even part of the level two, but it is part of that whole supply chain. And as we've seen from security incidents and breaches, like once they get part of that supply chain, they could always move to other parts, and that's where it gets scary.
Yeah, you know, that's why supply chains are always needing to be locked down. I mean, there was an incident years ago where a company had their entire pay systems come in term the supplier and that supplier started having an employee that was infecting those devices as they're going out with malware. So every time someone swiped a card, that malware was activated and taking those card numbers.
Speaker 2 (11:38.104)
Yeah, and I mean, we just recently saw it with the Clorox breach, we saw it with the recent Discord breach. They're not CMMC, but you see how the supply chain gets affected, right? They didn't breach Discord. They breached a third party IT provider, right? Zendax or Zendesk or whatever. And then from there they got to Discord. So it's always that supply chain. It's that.
Who are you doing business with and how are they protecting their data because they have access to enter inside your network? Makes sense, right? Right. So walk us through. So, CMMC became law when? Was it last December? 2024? I mean, it's been around for a while, but I mean, it really got its teeth last December, didn't it?
Yeah, that's why it really started to hit companies the hardest. But before then, you know, a lot of people looked at it more as a recommendation.
Like one of some of the other frameworks ISO, NIST, stuff like that, right? They're just, they're guides of what you should do. Okay. And then CMMC came in and then they were waiting for what? What do they call it? The final rule that came out recently that set the date of November 10th.
Right.
Speaker 1 (12:58.848)
Yeah, the final rule that came out about a month ago, that's what everyone's been waiting for. There was thought that it would come out this month, but it coming out a month earlier kind of caught everyone off guard too.
Yeah. Well, yeah, it's better late than never. And it is, I mean, it's just something, it's a sign of the times. It's just things that are going to have to happen for everybody. Let me ask you the difference between the levels. So when an organization, because I've spoken to business owners and they don't really understand the different levels or they don't think that they're that big of a deal. But level one has what, 15, 17 controls, right? Right. And you don't have to have an independent. It definitely helps having an independent organization help you get there and make sure that it's correct and make sure that you're filling out the self-attestation. But you're allowed to self-attest, right? That means you literally sign a form that says I have complied with these 15, 17 controls. Correct. OK.
Correct. And that's all you gotta submit.
then that's all you have to submit. And what are these types of controls? I mean, we have the list down, but generally, what are they trying to make sure is protected?
Speaker 1 (14:24.834)
They're really looking to make sure that the FCI is protected. I mean, if you look at a lot of the controls on their level one, a lot of them are going to be really focused on the FCI, like are the devices that have limited user access processes running in the background. Then when you look at the physical part of those assessments, you really just see the controls asking, is the spot where FCI is stored protected with cameras? Motion sensors? Are they locked?
Makes sense, because you don't want it like at a kiosk or a public terminal or something open to the entire office, right? OK, and so it's also something that, as I understand, can be... like the entire organization doesn't have to be engaged with FCI, right? Only if a part of it is engaged with the federal contract information, then you just have to show the computers accessing it, those computers accessing it can be done. It can be segmented from like different departments in the organization.
Yeah, that's correct. And that's actually a whole control on itself as are the people who are authorized to be accessing this information, the ones accessing it. Because we don't want to need HR, for example, accessing FCI because they're more in charge of the internal employees.
Yeah, makes perfect sense. Or sales. Well, no, sales might be, right?
Speaker 1 (15:51.982)
It depends on what you're doing with them, of course.
Yeah, I mean if you're doing the bids and stuff, you might actually have some access, but you would use those machines, et cetera. So when an organization self-attests, does it themselves, what all do they have to do and what do they have to be careful?
So all they have to do is go register, get a CAGE code, which is basically like serial numbers, that's how I like to explain it, that identifies them as the company to the government. And once they have all that, they go to the website where you can submit your scores and you just get those put in place. You select the right options on what your company falls under, who's doing the attestation and, you know, attaching any files you think you need to be attached. And that's really all you do there.
Okay, and then how do you know if you pass or is it automatic?
It's automatic from what I've seen. I have not noticed any changes recently. Of course, with this new rule just coming out, you're not really going to see those changes until people start submitting that stuff. From what I've seen, just submit it and then you're done.
Speaker 2 (17:01.294)
Okay, that's phenomenal. And then what are the risks of doing it? Like, I can imagine if you're a small business, you know, you're a 30 person, 50 person company, you want to be able to bid with this one company who might have 1000 employees, but they're not necessarily a prime with the Department of Defense, they're in the supply chain, but you want to be able to bid on that. And the FCI flows down to you. What if you fudge some of it? What if you don't have multi-factor authentication or you don't have this or you don't have a good firewall or something like that, but you just fudge it? Is there a risk to that small business?
So that's the hard part, especially if level one, because from my knowledge, when you submit it, it's all done, it's automatic. From my knowledge on that one is no one really looks at it, no one reviews it and confirms that you're telling the truth. Because if they had to do that, they would have no time to worry about level twos or especially level threes. So the risk that you have there is if something happens and there's a data breach, there will be an investigation, and during that investigation they're going to pull that record and look and they'll say, okay, well, you claim this, but the reason that this breach happened was because this control actually wasn't in place. And that's when it'll actually all start to hit. You know, it just takes one breach, because you're required to disclose if that FCI or CUI even was ever leaked.
Right, and then you have you run the risk of. There's like federal rules against that, right?
Speaker 1 (18:41.13)
Yeah, the I am turn remember what exactly it's called. I believe it's the false flag rule.
Speaker 1 (18:52.46)
or if you falsify stuff, you could be looking at what we've seen mostly as fines, but probably depending on how severe it is, they could find reason to penalize even further than just a fine.
Yeah, absolutely. So and then what about the flow down? Like, when you're bidding, if you're a small business and you're bidding to a larger sub of one of the primes, there's still a chance that they're going to make sure that you actually have those things, because they themselves don't want to get in trouble, right? So like from what I've been reading, I heard, you know, starting November 10th or even before, you're going to start seeing this in the bids, like provide your certification, your CAGE number, etc., that you are actually level one. Right. And so they may want, if there's any question or any flag raised in their discussions with you or whatever, they very well may start asking questions about that. Right.
Right, that's the thing is primes, you know, must ensure that their subs are meeting the same level that's appropriate based on the information they're going to receive. So they make sure that FCI or CUI is not shared with the subs unless they're complying under that.
Okay, so that's a big thing. You actually, it's dangerous to fudge that self-attestation. And so you really have to make sure you're doing it, because not only could you wait for a breach and then something bad happens, but the bid itself could be blown up, right? Like you are bidding on something. And even if a breach doesn't happen, you get investigated, etc. Obviously, that's going to be bad. But you really do run the risk of your main pipeline
Speaker 2 (20:45.442)
business there being cut off if they get wind of the fact that you're fudging. Which makes sense. So the bulk of it now in terms of numbers of all the contractors in the supply chain, it seems like about 35 percent or so are level one, but the bulk of everybody is really level two. Right. Like they are the ones dealing with
Yeah.
Speaker 2 (21:13.806)
controlled unclassified information, CUI. So from the 15, 17 controls, depending on how you read those controls in level one to level two, it doesn't go from like 15 to 17 to like 25. It shoots all the way up to like 120, doesn't.
Yeah, 110 practices are then moved into level 2, which is very heavily focused on the framework of NIST 800-171.
Okay, so very detailed and you have to shore up, create all the documentation for it, make sure it's tested, make sure that all the controls are in place and things like that, right?
Correct, and you gotta do something called a system security plan as well or an SSP. And this is basically a living document of how you're meeting every individual control. And these documents can get very long. I mean, I've seen them as big as 100 pages and they're always asking for network diagrams. Do you meet this control? Yes. How do you meet this control? And you gotta explain it a bit. And they're living documents. You gotta update them every time there's a change in your organization.
But this is gonna be the first document any auditor or even the DOD is gonna wanna see right off the bat of are you compliant? Because that's gonna be their roadmap to determining everything.
Speaker 2 (22:38.69)
Okay, so that makes sense. So in the difference between level two and level one is that level two you can't self attest. Okay, so level two you actually have a C3PAO. It sounds like C3PO from Star Wars, but it's not. It's actually C3PAO. It's a certified third party assessor organization, right?
Correct.
Speaker 2 (23:06.018)
So that's the certified organizations and they will come in and actually do the assessment of you, correct?
Correct. Just actually a small correction is level two you can self-attest, but it's always something I try to avoid telling people, because the only times I've seen clients ever self-attest, like the companies that I freelanced for, only one of them ever self-attested and that's because they were actually getting FCI. They weren't really getting CUI.
Bye, you live.
Right. They wanted to get it just in case, but they couldn't afford an auditor. So they didn't have a choice. But also that's where the warning comes in of even if you self-attest and you say you're CMMC level two, if you start getting any real sensitive CUI information, you got to get that auditor.
Right, exactly. And as I understand, there was just a recent report that came out that showed that it was like less than 5% of everybody dealing in level two can actually self-attest. So when you get to level one, it seems safe to say you're going to need to be assessed by a third party, by one of those certified third parties. Does that seem right based on your experience?
Speaker 1 (24:19.746)
Yeah, yeah, that's okay from what I've seen
Okay, yeah, I'm just trying to, you see these things, but you don't know if it's actually happening in real life and you actually see it. So that's why I was asking. So level two, CUI, that's the actual designs. That's the actual, it's not the receipts for it or the contract information. It's the actual content itself, right?
Correct. It's the technical drawings, the export control data, diagrams, plans, anything like that.
And there's not that many, I imagine there's not like tens of thousands of C3PAOs assessing organizations out there. So you've got to get in line and get in queue and make sure that all these things are kind of done ahead of time or at least mostly done.
Correct. That's the hard part is I remember I was in the town hall discussing CMMC and there's definitely way less than a thousand C3s out there, maybe around the 100 area. And we got thousands, more than 10,000s, maybe close to a hundred thousand companies that need to get CMMC level two. But if you only have this many C3s out there, you know.
Speaker 1 (25:39.116)
you're looking at some real mathematical issues, because from what I've seen is they can only fit, you know, at most probably 10 clients in a year, because they got to audit and that takes some time. And so for them to, you know, fit that many clients in and how many we have, you could be waiting years to finally get assessed.
Right. In the meantime, you won't be able to bid on those or be awarded those contracts. So this is one of those things where compliance and cybersecurity actually affects business, right? Like it is actually something that is a condition preceding to actually getting the business. So I can see why it's getting a lot of people's attention. The 110 controls, what type of stuff is it?
Correct.
Speaker 1 (26:26.243)
Yeah.
Speaker 2 (26:30.51)
is it assessing in general? You said it's right along the lines of NIST 800. It is, it is.
Everything pertaining to that CUI has to be locked down, right? Like timing out of the machines, access to the machines, the identity of the people using it, the physical access to the device, all of those things really have to be done and then reported on in that security.
Correct. It really breaks down all of those things, and the hardest part about it that I have learned when I first started getting into CMMC Level 2 and assessing clients is the language is not very easy to understand. And there's these self-assessment documents you can use out there and they don't make it any easier, because it will have the control that you need to meet. But then it'll have two pages worth of content asking questions about that
control alone and you got to try to understand what is the important end goal here for this control. And I remember the first time I was going through it and I had a mentor with me and she highlighted probably four items of everything else on the entire set of two pages of what really meets that control and those are the questions that you need to be asking yourself.
Wow. That's unbelievable. And then, you know, we were talking earlier about what happens if you try and take shortcuts here. And because it deals with the Department of Defense, they're not really tolerating a lot of shortcuts.
Speaker 1 (28:10.056)
No, they are not, and you're gonna have to get it past that auditor first too if you're not self-attesting.
Right, it's the, you and I had talked earlier this year, the Department of Justice brought False Claims Act enforcement against a couple of contractors that self-attested that hadn't been actually compliant. And so you're going to start to see a lot of things like that where they're bringing that enforcement. Plus, you're going to see just the flow down aspect, right? The contractors that you're doing the business with, they might want to see
some proof that you're actually, not just the certification that, yeah, it says that I'm good, but because you're self-attesting, they might want to just vet and see some of those controls in place.
Yeah, that's correct. And that's the scariest thing about auditors too, is working with them in the past, I have seen them get hired by third party contractors to assess these companies to see if they're following a certain compliance framework. Like one of my clients, for example, had an ISO certification and the auditors will ask you a single question that's very broad and they're going to hope that you say something wrong so they can start asking a lot more questions.
just to verify that you actually meet the credentials, even though you get the certification through ISO or whatever, they still want to make sure that you're actually doing it.
Speaker 1 (29:36.045)
Yeah.
Makes sense, right? So what happens if you don't, when you get audited and you're a small mid-sized business and you get audited for level 2, C3PAO comes in, what happens if you don't meet all 110 controls? I said 120 before because depending on how you read the subparagraphs some people add new ones, but it's really 110 controls. What happens if you pass 108 of them
but not the other two. Do you get like conditionally certified or no? You still, you just get time to finish those other two.
So the
Speaker 1 (30:15.448)
So you don't get certified yet. You need to put it in the plan of action milestone document. Yeah, that POA&M. And this is only allowed for levels two and three, not level one. And you have 180 days to fix those gaps listed in that plan of action. And if you don't close them in time, you'll lose your eligibility for any new or even continuing work that you're doing.
that po-
Speaker 1 (30:40.738)
But the grace period only applies if you've gone through the assessment, the issues are minor. So like if you don't allow passwords at all throughout the entire organization, anyone can log in without a password, I just need the username. That's definitely not gonna be a minor issue. That's gonna be a critical issue. But if I have an issue where my firewall is just not logging logins, you know, that's not gonna be a bad issue unless the password is weak. They'll look at that and say just turn on logging, you'll be fine. As long as you can do that in 180 days, they'll let you get that certification before you close it.
Okay, makes perfect sense. So until, though, until they actually issue you that certification, you really can't bid on new business though.
Correct. It's all or nothing with the new, especially with the new law.
Wow. Okay, so that's got a lot of impact. If you are engaged, I guess the message to small mid-sized businesses is if you're engaged in any part of the Department of Defense, Department of War supply chain, even if you are a commercial printer and you're part of it, or you're, you know, somebody who you wouldn't think is like designing rockets, right, or tanks. But if you are doing something that is part of that supply chain,
Speaker 2 (32:04.632)
you're gonna at least have the FCI, that federal contract information in your supply chain. And you could potentially, depending on what it is, you could be accessing CUI. Is there a way people can check to see what level they have to be?
So the best way that you guys can check to see what level you are is to contact your contracting office, whoever is giving you that DOD contract. They're always going to be the best person to tell you what level you're going to need to be following, what kind of information you are going to have. Even if you have to go to the DOD directly as if they're your contracting office, ask whoever is giving you that contract.
and they'll tell you what the information that you get from them or through them actually constitutes. Meaning if you're on the fence or if it's gray, because different businesses, I understand like different businesses, I've had people ask us like, is this FCI? Is it CUI? And I've always kind of given them the answer that you gave us today. And that is like, is it the content itself or is it the receipt for the contract?
Makes sense. So what are you seeing out in the field? Any stories you can share that aren't confidential? Anything that you're seeing that could shed some light and give some insight to some organizations?
Yeah, I'm definitely seeing some companies not even be aware of this new rule going out and when they are finding out they're not understanding it. I've had an MSP that I've done work before get notice of this and they had no idea what it meant and they have CMMC clients in their environment and they didn't really, you know, if they didn't know about this and that rule finally got put in the official law.
Speaker 1 (34:01.272)
they were going to be in trouble and those clients are going to get in trouble too.
So that's a really good point. Like your IT organization needs to be certified themselves, depending on the type of work that they're doing. If it's the MSSP and they're guiding you through this and they're helping you achieve the certification, then they don't have to be CMMC certified. But if they're going to be doing ongoing IT support and they're going to access this data, right, then they themselves also have to
as do other vendors that you work
Yeah, any kind of transmitting, processing, access, storing, anything that touches that data in one way or another, indirectly or directly, you're going to have to get that certification that they require.
Unbelievable. That's unbelievable. And then what is the future hold for this? Like there was talk a year ago or so about like, well, as CMMC or with the change in administration, maybe CMMC is going away or something like that. It doesn't seem that at all. Like it is here to stay and it's a sign of the times it seems.
Speaker 1 (35:13.684)
Yeah, it's not going anywhere, especially with the US wanting to get more strict on how they handle their DOD information or DOW now. And I will say it's actually getting a lot bigger than what it has been because I hear other countries are now starting to adopt a CMMC-like framework as well. I know Canada has something. I can't remember what it is, but they're starting to get their own.
Yeah, well, yeah, and other countries have gone much further than the US in terms of privacy laws and things like that, when you think of GDPR, even California's CCPA. Make sense? Does make sense. Excellent. Well, Sam, thank you. Any parting words, any thoughts that you want to give on CMMC?
I would say the best advice that can be given right now is to contact that contracting office if you don't know what you have and figure out what you have and get in line with that auditor if it is level 2, because you can't afford that way. Of course we all know the saying time is money, and in this case as each day goes by, or even in this case each minute, you're getting probably hours further away from
being able to get that certification with each minute that just passes.
Yeah. And the D-Day, for lack of a better phrase, is November 10th of 2025. So, yeah, really, really good insight in something. I agree. Like something that we talk to organizations all the time that are just like, I didn't even know, I read something about it, but I didn't know that applied to us. But they are still part of the supply chain. And I think it's that myth of
Speaker 2 (37:03.31)
Well, we're not selling anything pertaining to rockets or tanks. So I didn't think that, because it didn't have anything to do with military equipment, that it wouldn't be part of it, but it still is, right. If you're a commercial printer or a food supplier or something like that, that is doing things that are still feeding up to the Department of Defense primes, then this is going to apply. So it's got a pretty broad footprint, it seems.
It does and it's only going to probably get bigger and bigger especially as technology advances.
Yeah. Well, Sam, thank you so much. We really appreciate it. And we will keep everybody updated on new developments on CMMC as the time progresses. And once November 10th happens and things start really falling, because you're going to hear a lot of people, a lot of organizations that weren't prepared that really get hit. And then you're going to start to see the pain happen. So we want to help. We hope that this gets
everybody some awareness and some insight to actually ignite the fire so that they can take steps right away.
Excellent. Thank you for your time, Sam. Appreciate all your insight as always.
Speaker 1 (38:25.134)
Of course, thank you for having me.
Thanks buddy.
Speaker 2 (38:33.688)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.