Sum IT Up: CMMC News Roundup

The defense department has updated the CMMC FAQs for the second time in 3 months. In lieu of rulemaking updates the CMMC FAQs are the best place for updated guidance. This week we're exploring DoD's answers regarding everything from encryption to enclaves to VDI endpoints. CMMC FAQs: https://dodcio.defense.gov/CMMC/

Another year another set of eerily accurate predictions about defense cybersecurity requirements and the CMMC program. Like usual we got most of our 2025 predictions correct. For 2026 we're getting specific with False Claims settlements, CMMC 3.0, FAR CUI, and more! FCA episode: https://youtu.be/tPA-ALjW1Hk?si=KgPUAo4VqqmX3mNF DoD IG report: https://www.youtube.com/watch?v=RNafaUlgBGo Golden Dome: https://youtu.be/y88JqZdJsj0?si=eGpIm1jqKRYpW4n3

Defense Logistics Agency suppliers got a special Christmas gift: detailed estimates of CMMC requirements by DLA supply class! The Defense Department buys a lot of different products and services and the estimates make it clear that different types of contractors will experience CMMC requirements in very different ways. If only we could get every agency and mega prime to put out info like this. Episode Links: DLA SMB Website: https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/ What DLA Buys: https://www.dla.mil/Small-Business/Getting-Started/What-DLA-Buys/ Supply Classes: https://www.dau.edu/acquipedia-article/supply-classes

Another defense contractor is paying six figure fines after settling with the Department of Justice for allegedly failing to comply with DFARS clause 252.204-7012. The kicker: their own employee blew the noncompliance whistle and got a cut of penalty money. This is the fifth such settlement in 2025 and the DOJ is crystal clear that the don't discriminate just because a company is small. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Memo: https://dodcio.defense.gov/cmmc/Resources-Documentation/ Swiss Automation: https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act MORSECORP: https://www.youtube.com/watch?v=ZnePk6jaezA Raytheon: https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating Aero Turbine: https://www.youtube.com/watch?v=hFEEVGXv_00 GTRC: https://www.justice.gov/opa/pr/georgia-tech-research-corporation-agrees-pay-875000-resolve-civil-cyber-fraud-litigation DFARS 7012: https://youtu.be/cy4e28YAkXU?si=MqGKGNAHTPyvj-DI

A recent webinar from the US Army Corps of Engineers told suppliers that if they only handle paper CUI, then CMMC requirements don't apply to them. That's a significant concession to industry on par with COTS exemption and POAMs. But is this USACE flexing their discretion or are they setting up a conflict by setting policy around CMMC applicability? Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo