CMMC Compliance Guide

CMMC Compliance Guide
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED WEEKLY

Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements. The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.

  1. 15H AGO

    CMMC Level 1 Self-Attestation Explained: Requirements, Evidence, and Risk

    Submit any questions you would like answered on the podcast!  lot of contractors assume CMMC Level 1 is just a simple checkbox. It is not. In this episode, Austin and Brooke break down what CMMC Level 1 actually requires, what a self-assessment really looks like, and why self-attestation without documentation can create serious risk. They cover the difference between Level 1 and Level 2, what Federal Contract Information (FCI) actually is, how Level 1 maps to the formal assessment process, and why organizations need policies, evidence, and artifacts before signing an attestation. This episode also explains: What CMMC Level 1 covers and what it does notWhy Level 1 is always self-assessed, not C3PAO certifiedThe difference between self-assessment and self-attestationWhat documentation and evidence should exist before attestingWhy authorized users, devices, processes, visitor logs, and physical access controls matterWhat the CFR says about evidence retentionWhen a Level 1 claim may actually be scrutinizedHow whistleblowers, breaches, or customer requests can trigger verificationThe False Claims Act risk of saying you are compliant when you are notIf you are planning to self-attest to CMMC Level 1, this episode will help you understand what the government expects before you sign your name to anything.

    42 min

  2. MAR 6

    CMMC Scoping 101: The Most Expensive Mistake Contractors Make (And How to Fix It)

    Submit any questions you would like answered on the podcast! Scope is the foundation of your CMMC compliance program and getting it wrong is one of the most expensive mistakes a DoD contractor can make. In this episode, Austin and Brooke break down what “scope” actually means in plain English, why contractors skip scoping early on, and how one small miss, like a downloads folder or a USB handoff, can quietly pull major systems into scope. We cover: What CMMC scope really is, including processed, stored, and transmitted CUIWhy contractors start with tools and policies too earlyThe data flow diagram exercise that reveals hidden scope issuesHow scope mistakes turn into rework, delays, and major cost increasesWhy “enclave” is often misunderstood and what it really meansWhat to do if you think you got scope wrongHow to self-check readiness using NIST 800-171A and the CMMC Assessment Process (CAP)Why documentation and evidence, not just controls, become the real burdenIf you are planning for a Level 2 assessment, scope should be your first move, not your last-minute scramble.

    36 min

  3. FEB 13

    Key Takeaways from the January 2026 CMMC Town Hall: Hard Copy CUI, Scope, and Program Changes

    Submit any questions you would like answered on the podcast! The January 2026 CMMC Town Hall brought several important clarifications and program updates that directly impact Department of War (DoD) contractors. In this episode of the CMMC Compliance Guide Podcast, we break down what changed, what was clarified, and what contractors should take away from the latest guidance. We cover: New DOW CIO leadership changes and what they mean for CMMCUpdated clarification on Hard Copy CUI (and what qualifies)Why encryption alone does NOT define scopeGovernment shutdown impact on assessmentsC3PAO reauthorization and ISO 17020 accreditationKECO transition to ISACA and certification updatesWhat all of this means for contractors planning in 2026The biggest theme? CMMC is not slowing down. It’s becoming more standardized, more mature, and more defined. If you’re planning contracts in 2026, now is the time to understand how these updates affect your scope, documentation, and assessment strategy.

    28 min

  4. FEB 6

    Why Feeling “CMMC Ready” Isn’t the Same as Passing a Level 2 Assessment

    Submit any questions you would like answered on the podcast! Many DoW contractors feel confident they’re ready for a CMMC Level 2 assessment until assessors get involved. That’s when gaps in documentation, scope, and operational maturity start to surface. In this episode of the CMMC Compliance Guide Podcast, Brooke breaks down why implementation alone does not equal readiness. We walk through what assessors look for before technical testing even begins, why documentation is often the real reason companies fail, and how poor scoping or misaligned staff interviews can derail an assessment. You’ll learn: Why “feeling ready” is not the same as being assessment-readyWhat assessors review first during the readiness and pre-assessment phaseHow SSP quality can make or break your assessmentWhy screenshots alone are not sufficient evidenceHow POAMs are viewed during Level 2 assessmentsThe role of operational maturity and ongoing proofHow scope and employee interviews expose readiness gapsHow to realistically self-check readiness before scheduling an assessmentIf you’re preparing for a CMMC Level 2 assessment or think you’re close this episode will help you identify blind spots before they cost you time, money, or certification.

    20 min

  5. JAN 30

    CMMC FAQ Update: Timeline, Subcontractor Flowdowns, Enclaves, Cloud Rules, and VDI Scope Explained

    Submit any questions you would like answered on the podcast! The DoW just released updated CMMC FAQs that clarify the rules contractors keep getting wrong. In this episode, Austin and Brooke break down what the new guidance actually says, what it means for your scope, and where vendor and architecture decisions can derail an assessment before it even starts. We cover the most important FAQ clarifications, including: The real CMMC timeline and what Phase 1 vs Phase 2 changesWhy primes may demand Level 2 earlier than the official datesFlowdown requirements for subcontractors (and what “defensible” verification looks like)The myth that encrypted CUI is no longer CUI (it is still CUI)Whether CMMC assessment results will be public (they will not)POAM vs “operational POAM” and why the distinction mattersHard copy only CUI: when Level 2 may not apply (and the strict caveats)Why encryption does not create logical separation or reduce scopeEnclaves and enterprise networking components: what pulls systems in scope (and what does not)Cloud storage rules: why non-FedRAMP clouds cannot store encrypted CUIMSP requirements: do MSPs need CMMC certification (and what a CRM must include)VDI scope rules: when endpoints can be out of scope, and when they are automatically in scopeIf you are making decisions around scope, vendors, cloud tools, backups, enclaves, or VDI, this episode will help you avoid assumptions that assessors will not accept.

    51 min

  6. JAN 23

    How to Triage CMMC Compliance When You’re Overwhelmed and Short on Time

    Submit any questions you would like answered on the podcast! When CMMC compliance starts to feel overwhelming, most companies don’t fail because they lack effort, they fail because they don’t know where to start. In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey break down why CMMC feels so urgent and high-risk for small and mid-sized DoD contractors, and how to triage your compliance work so you can make real progress without burning out. This episode covers: Why starting at control 3.1.1 is a mistake for most companiesHow poor scoping makes CMMC feel impossibleWhat assessors actually prioritize firstWhich controls are non-POAMable and must be addressed earlyHow to reduce scope without cutting cornersWhen tools help and when they waste time and moneyHow to approach SSPs, policies, and POAMs the right wayPractical steps small teams can take to regain control of CMMC If CMMC feels like everything is urgent and nothing is moving fast enough, this episode will help you slow down, focus, and build a plan that actually works.

    28 min

  7. JAN 16

    CMMC Evidence 101: How to Prove NIST 800-171 Compliance in a Level 2 Assessment

    Submit any questions you would like answered on the podcast! Get your free SPRS Roadmap here: https://cmmccomplianceguide.com/free-sprs-roadmap In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the #1 thing that trips companies up before a CMMC Level 2 assessment: evidence. Having a binder of policies (or a 300-page SSP) is not enough. Assessors want proof you are doing what you say you do consistently, over time and they want it organized so they can quickly map evidence to controls and assessment objectives. You’ll learn: What assessors mean by “acceptable evidence” (and what doesn’t count)The “who, what, when, where” test for logs and proofHow tickets, approvals, and checklists strengthen your evidence trailWhat to avoid putting in cloud ticketing systems (SPD risks)Manufacturer-specific pitfalls assessors notice on the shop floorWhy “fresh out of the oven” evidence raises red flagsHow GRC tools can make evidence collection and linking easier

    1h 11m

  8. JAN 9

    What CMMC Assessors Notice First: Early Red Flags That Fail Level 2 Assessments

    Submit any questions you would like answered on the podcast! What do CMMC Level 2 assessors notice first, sometimes within the first day, before they ever dig into your firewall configs or deep technical testing? In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke break down the early red flags that can derail your assessment fast. We cover what assessors ask for right out of the gate (and how quickly you need to respond), why generic SSPs create problems, how scoping mistakes happen in the real world (downloads folders, copiers, shop floor machines), and what it means when your policies do not match what employees actually do. If you want to pass your CMMC Level 2 assessment, this episode will help you tighten your documentation, evidence, and scope before the assessor ever starts technical validation.

    45 min
See All (51)

About

Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements. The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.

Information

  • Creator
    CMMC Compliance Guide
  • Years Active
    2024 - 2026
  • Episodes
    51
  • Rating
    Clean
  • Copyright
    © 2026 CMMC Compliance Guide
  • Show Website
    CMMC Compliance Guide

You Might Also Like