Sum IT Up: CMMC News Roundup

Most defense contractors assume everything written in the CMMC Level 2 Assessment Guide is a requirement. But that's not actually how the framework works.



In this episode we break down the structure of the assessment guide and explain why roughly 75% of the document is explanatory text, not normative requirements.



You'll learn:



Where the real requirements come from in NIST SP 800-171



How verification procedures in NIST SP 800-171A become assessment objectives



Why discussion sections and examples are informative, not prescriptive



Understanding the difference between requirements, assessment objectives, and explanatory guidance can help contractors avoid unnecessary controls, reduce documentation overhead, and simplify CMMC compliance.



CMMC Assessment Guides: https://dodcio.defense.gov/cmmc/Resources-Documentation/



NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final



NIST SP 800-171A: https://csrc.nist.gov/pubs/sp/800/171/a/final

Iranian cyber actors are targeting the Defense Industrial Base.



So does CMMC actually help?



In this episode, we mapped 130 real-world techniques used by five Iranian threat groups to the controls behind NIST SP 800-171 using the MITRE ATT&CK framework.



Here is what the data shows:



• 100% of techniques are detectable

• 68% are mitigated with preventative controls

• Just a handful of core controls drive most of the defensive impact



We also examine what that means for Cybersecurity Maturity Model Certification and why 800-171 remains a strong floor for protecting CUI.



But there is a gap. Only about half of the relevant NIST SP 800-53 that mitigate known Iranian techniques are represented in the 800-171 baseline.



If you are a defense contractor, this episode will show you what compliance actually buys you and where you may need to go further.



Register for Summit 7 Live: https://www.summit7.us/s7live



MITRE ATT&CK: https://attack.mitre.org/



Mappings Explorer: https://ctid.mitre.org/projects/mappings-explorer



CISA Alert: https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran



NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final



NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

The Cyber AB has once again summoned the CMMC Ecosystem to deliver its monthly update and on this week's show we are going to break it down for you. Join us as we take all the information distributed during the meeting and dish out the information you need to know.



Things like: Can my FSO check on my Tier 3?



Have we eclipsed the 1,000 assessments milestone?



When does a mock assessment stop “mocking”?



Updates on the ISACA/ CAICO switchover



And so much more...Tune in to find out!



Sum It Up: “The End of SPRS Scores (sort of)”: https://youtu.be/_UFN7fubgQY?si=EgtchmuAHti24Cr8



Cyber AB TH Recordings: https://cyberab.org/News-Events/Town-halls



ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI



ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc

The DoD Inspector General is raising concerns about CUI marking again and the numbers don't add up.



In 2023, the IG found that 48% of reviewed CUI documents lack proper markings. Yet the DoD CUI Program website reports only 9% were unmarked that same year. So which is it?



In this episode we break down the latest DoD IG management advisory, where the recommendations fall short, and why the CUI program and the CMMC program (although closely related) are owned by different offices that can't fix each other's problems.



For defense contractors, this isn't academic. CMMC enforcement depends on the integrity of the CUI program. If CUI marking is inconsistent, compliance risk increases downstream.



Summit 7 Live: https://www.summit7.us/s7live



2026 IG Report: https://www.dodig.mil/reports.html/Article/4397146/management-advisory-dod-policy-and-training-on-dissemination-controls-for-contr/



2023 IG Report: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/

CMMC is a condition of contract award and many defense contractors are waiting until they see CMMC requirements in a solicitation to get started. But the department of defense wants the period between solicitation and award to be as short as possible. This week we crunch the numbers on 1,070 upcoming Navy contracts to see what a realistic timeline ought to look like.



Summit 7 Live: https://www.summit7.us/s7live



PALT Pod 2024: https://youtu.be/NZs4f5voyrg?si=S-xarOpYyiSG00Bs



NAVAIR Forecast: https://www.navair.navy.mil/LRAE