Register for CMMC Industry Week: https://www.summit7.us/industry-week

Since the 48 CFR CMMC final rule was published in September 2025 we've seen supplier notices from Lockheed, RTX, BAE, HII, and many others. Most recently, Northrop Grumman recently published a supplier announcement titled “CMMC 2.0 is Final – Are You Ready?”. The big takeaway: don't expect CMMC waivers from your prime customers because they can't grant them to you.

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

DFARS 7012: https://youtu.be/cy4e28YAkXU?si=KvezY7Vu7zXf9qYZ

32 CFR Final rule: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program

48 CFR Final rule: https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

January Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf

While everyone has been focused on the start of CMMC phase 1, many contractors are discovering that DFARS clause 252.204-7020 has been lurking in their contracts since 2020. DoD reserves the right to show up at any time and audit compliance with DFARS clause 252.204-7012. This week we're diving into everything that DIBCAC will be asking for when they show up on your doorstep. Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

DIBCAC intake forms: https://www.dcma.mil/DIBCAC/

DFARS 252.204-7012: https://youtu.be/cy4e28YAkXU?si=x4tmDKcCc44dLnJE

DFARS 252.204-7020: https://youtu.be/D4JLkfvB-Ws?si=6_yyMYrU7DVoxoBt

The final Cyber AB TH of 2025 took place this week which means it's time for the team to unpack all the important information you need to know. On this week's show, Jason and Joy sit down for one one last time in 2025 as we discuss things like:

•The final ecosystem update of 2025

•The biggest highlights of 2025

•DO I have to affirm my C3PAO assessment score?

•What the AB expects for 2026

Tune in as we close out this year of Cyber AB Town Halls with a little fun!

Summit 7 Live: https://www.summit7.us/S7Live

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

As of November 10th, 2025, CMMC is now a condition of award for new defense contracts. “Phase 1” of the CMMC rollout will last until November 10th, 2026. This week we discuss seven predictions we have for the new normal.

Summit 7 Live: https://www.summit7.us/S7Live

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

32 CFR 170.3(e): https://www.ecfr.gov/current/title-32/part-170#p-170.3(e)

DFARS 7012: https://youtu.be/cy4e28YAkXU?si=yC_wKI42JNxIHKME

Phase 1 Blog: https://www.summit7.us/blog/cmmc-begins-today

After four years of rulemaking here we are at the last podcast before the official start of CMMC phase 1. What better way to usher in the new normal of CMMC than a quick refresher on how and why CMMC became a thing in the first place? Nothing helps contextualize the CMMC program like remembering how resistant the DoD has been to third party verification until they were left with no other choice.

On this week's spine-tingling episode of the show, Jason and Joy sit down unwrap the October Cyber AB Town Hall like a bag of pillowcase full of candy. With less than two weeks until the November 10th launch, this marks the final town hall before the CMMC becomes a fully operational reality. Tune in as we mix up a cauldron of all the important information you need to know to assure no tricks as you pursue your CMMC bag of treats… no costumes required!

Summit 7 Live: https://www.summit7.us/S7Live

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/march-town-hall

CMMC officially goes into effect on November 10th, 2025, at which point all new DoD solicitations and contracts will include at least CMMC Level 1 status requirements. While the government shutdown might affect the pace of new contract awards, it doesn't change anything about the effective date of CMMC specifically. This week we're looking at the trickle of contract notices that are letting people know CMMC is very real and will absolutely be required (including level 2).

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

NAVSEA (Level 2): https://sam.gov/workspace/contract/opp/0a92f866231546828b3fd11cf1146a8a/view

USSOCOM (Level 1): https://sam.gov/workspace/contract/opp/eb3d38dd00e845579212f724b6dedd37/view

USACE (Level 2): https://sam.gov/workspace/contract/opp/e0a817b5b7c74c319ebaa2df9cd3d637/view

The Senate has passed their version of the FY26 NDAA and they want annual contractor performance measurements to focus exclusively on “negative performance events”. Per the Senate Armed Services Committee that includes failing to meet cyber requirements, failing to flow down requirements to subcontractors, and submission of false claims (cyber). Add this one to the growing pile of evidence that the government really, really wants contractors to take cybersecurity seriously.

Pathfinder 101: https://www.summit7.us/pathfinder

Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

Memo: https://dodcio.defense.gov/cmmc/Resources-Documentation/

Senate NDAA: https://www.congress.gov/bill/119th-congress/senate-bill/2296/text