CMMC Compliance Guide

CMMC Compliance Guide
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED WEEKLY

Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements. The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.

  1. 2D AGO

    CMMC Paperwork Without the Pain: How to Simplify Policies, SSP, and Evidence (Level 1 vs Level 2)

    Submit any questions you would like answered on the podcast! Most small and mid-sized manufacturers do not fail CMMC because of “tech.” They fail because their documentation does not match how the shop actually runs. In this episode, Austin and Brooke break down how to build CMMC documentation that is concise, accurate, and assessor-friendly without drowning in templates that were never written for your business. You will learn why template overload causes gaps, how to keep policies aligned to real workflows, and what “minimally sufficient” documentation looks like for both Level 1 and Level 2. We also cover the difference between CMMC Level 1 and Level 2 documentation expectations, why evidence retention and verifiable processes matter, and how to decide between a file system approach vs a GRC tool to keep version control and proof organized for assessment day. If you are a machine shop, aerospace manufacturer, or engineering firm trying to get compliant without creating a 400-page monster, this is your playbook.

    54 min

  2. 12/26/2025

    How CMMC Became a Competitive Advantage for DoD Contractors

    Submit any questions you would like answered on the podcast! CMMC is no longer just a compliance requirement. It is now a competitive advantage that directly impacts who wins and who loses DoD contracts. In this episode of the CMMC Compliance Guide Podcast, Stacey and Brooke break down how the final 48 CFR rule has changed the contracting landscape and why primes are now aggressively pushing CMMC requirements down to their subcontractors. We explain how CMMC certification, SPRS scores, and assessment status are already being used to evaluate risk and readiness, even before certification becomes mandatory on every contract. You will learn why contractors who are already certified, or at least scheduled for certification, are gaining an edge over competitors who waited too long. We also cover how flow-down requirements work, how primes protect themselves from False Claims Act risk, and why small businesses face a higher barrier to entry than midsize firms. This episode also explains how contracting officers and primes view SPRS scores, what happens once certifications are uploaded through EMASS, and why CMMC status is not likely to become publicly searchable. Finally, Brooke walks through what contractors should be doing right now to stay competitive, including scoping CUI, running gap assessments, engaging a C3PAO early, and preparing subcontractor oversight. If you want to keep winning DoD contracts in 2026 and beyond, this episode will help you understand how CMMC is reshaping the defense industrial base and what actions you need to take now.

    26 min

  3. 12/19/2025

    NIST 800-171 and CMMC 2.0: How Assessors Actually Score You

    Submit any questions you would like answered on the podcast! Are assessors judging you on CMMC or NIST 800 171 when audit day arrives? In this episode of the CMMC Compliance Guide Podcast, Stacey and Brooke break down the real relationship between CMMC 2.0 and NIST 800 171 so you are not guessing when it matters most. We walk through how the 110 NIST 800 171 controls and 320 assessment objectives drive your CMMC level 2 certification, and what CMMC layers on top, including POA&M limits, timelines, and who is allowed to certify you. You will hear practical examples around SPAs, cloud tools, customer responsibility matrices, FedRAMP, and how assessors actually validate things like MFA, logging, and scope. We also explain the difference between a NIST self assessment and a CMMC level 2 certification by a C3PAO, clear up common misconceptions about “being NIST compliant”, and talk about False Claims Act risk when SSPs, inventories, and controls are not kept current. Finally, Brooke shares a step by step path for contractors: identify your CUI, scope systems, run a gap analysis, build your SSP and POA&M, collect evidence, and engage a C3PAO for a mock and full assessment. If you are a small or midsized defense contractor trying to get ready for 2026, this episode will help you focus on what assessors really care about so you can prepare with confidence.

    31 min

  4. 12/12/2025

    Top CMMC Myths Debunked: Cloud, Vendors, Firewalls, and MFA Mistakes Explained

    Submit any questions you would like answered on the podcast! Today’s episode of the CMMC Compliance Guide Podcast dives into the biggest myths that machine shops, fabricators, CNC shops, and mid-sized defense contractors still believe about CMMC. From cloud misconceptions to vendor promises that fall short, Brooke breaks down why these misunderstandings lead to failed assessments and what contractors should be doing instead. We walk through common assumptions like “cloud keeps me out of scope,” “my vendor is compliant so I’m compliant,” “MFA on email is enough,” “my firewall makes everything compliant,” and “cyber insurance handles reporting.” Each of these has a grain of truth but none of them meet the actual requirements in NIST 800-171 or CMMC Level 2. You’ll learn: Why cloud environments don’t remove your endpoints from scopeHow caching, downloads, and browser access pull systems back into scopeWhat vendor claims really don’t coverWhy MFA must be implemented everywhere CUI is accessed, not just emailThe truth about firewalls and why they’re not “compliance shields”Why VDI is helpful but not a magic solutionWhat cyber insurance does (and doesn’t) do during an incidentWhy remote workstations and home offices still introduce scope and riskThis episode is packed with clarity, not fear so manufacturers, CNC shops, and GovCon SMBs can make informed decisions, avoid costly assumptions, and protect their DoD contracts.

    17 min

  5. 12/05/2025

    Plain English Guide to CMMC Level 1: Basic Cybersecurity Without the Headache

    Submit any questions you would like answered on the podcast! CMMC Level 1 Self- Assessment Guide: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level1_V2.0_FinalDraft_20211210_508.pdf In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting break down CMMC Level 1 in clear, simple terms: what it is, who it applies to, and the exact steps small and mid-sized contractors must take to protect Federal Contract Information (FCI). You’ll learn what the government expects from Level 1 contractors, how the 15 required practices actually work in real life, what documentation you must maintain for six years, and why the new annual self-assessment requirement matters more than ever. Whether you’re a machine shop, fabricator, engineering firm, or small manufacturer supporting a prime contractor, this episode gives you the Level 1 foundation you must have in place.

    28 min

  6. 11/28/2025

    Top 12 CMMC Level 2 Requirements Explained: Gap Assessments, Scope, SSP, and POA&M

    Submit any questions you would like answered on the podcast! In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting walk through the top 12 essentials every contractor needs to achieve CMMC Level 2 compliance especially small and mid-sized defense manufacturers. You’ll learn how to start compliance the right way with a formal gap assessment, define and shrink your CUI scope, and build a System Security Plan (SSP) that maps to all 110 NIST 800-171 controls. We break down how to write an actionable Plan of Action & Milestones (POA&M), implement MFA correctly, enforce least-privilege access control, and deploy proper device protection across your environment. We also cover commonly misunderstood requirements around FIPS-validated encryption, centralized logging/SIEM, removable media, CNC/OT assets, data handling, and ongoing vulnerability + risk assessments. Finally, we answer a listener question on secure data transfer and why customer portals or GCC/GCC High environments are often superior to “secure links” inside commercial Microsoft 365 tenants.

    43 min

  7. 11/07/2025

    Cyber AB Town Hall Breakdown: Legal Lessons, Ecosystem Growth, and CMMC Phase 2 Progress

    Submit any questions you would like answered on the podcast! In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey from Justice IT Consulting unpack the biggest updates from the Cyber AB’s October 2025 Town Hall and what they mean for defense contractors preparing for CMMC certification. You’ll learn: Why the government shutdown isn’t delaying CMMC or the 48 CFR rolloutThe $875K False Claims Act case against Georgia Tech and what it teaches all contractorsHow the CMMC ecosystem is expanding with more certified assessors and C3PAOsKey insights from the University of Southern California’s Level 2 certification journeyPractical advice for small contractors: data mapping, documentation, and shrinking your CUI boundaryNew ethics reminders and upcoming assessor certification updates from the Cyber ABThis episode delivers plain-English explanations and real-world lessons to help contractors stay compliant, avoid legal risk, and prepare for CMMC Phase 2.

    29 min

  8. 10/31/2025

    Highlights from CS5 East 2025: Operation Midnight Hammer, CMMC Updates, and AI Insights

    Submit any questions you would like answered on the podcast! Get the inside scoop from CS5 East 2025, the largest cybersecurity and compliance event for the Defense Industrial Base. In this episode, Brooke and Stacey from Justice IT Consulting breaks down the biggest CMMC updates, Operation Midnight Hammer, and how AI is reshaping compliance. Learn what the Cyber AB announced, how CMMC Phase 2 is rolling out, and what contractors should expect next. Whether you’re a Compliance Officer, DoD Program Manager, or small-business GovCon, this recap gives you the context and clarity you need to stay ahead.

    47 min
See All (43)

About

Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements. The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.

Information

  • Creator
    CMMC Compliance Guide
  • Years Active
    2024 - 2026
  • Episodes
    43
  • Rating
    Clean
  • Copyright
    © 2026 CMMC Compliance Guide
  • Show Website
    CMMC Compliance Guide

You Might Also Like