The "SmallsCast" Podcast

The Smalls talks to Digital Beachhead!

Update: 2025-10-13

Description

Listen in as your host Just Nate talks with Mike Crandall, CEO and co-founder of Digital Beachhead.


  • The Urgency of CMMC 2.0: November 10th is the date for Article 48 implementation, making CMMC a mandatory default clause in all new DoD solicitations. Many small businesses are panicked because they didn't believe it would actually happen.

  • A History Lesson in Compliance: The discussion traces the evolution from DFARS 7012 to DFARS 7019, which introduced the NIST 800-171 controls and the POA&M (Plan of Action and Milestones) system. CMMC was created to replace unreliable self-attestation and perpetual POA&Ms.

  • CMMC 2.0 Levels and Requirements:

    • Level 1 (FCI): For Federal Contract Information (FCI) only. Requires 15 controls and allows for self-assessment by a senior company representative.

    • Level 2 (CUI): For Controlled Unclassified Information (CUI). Requires all 110 NIST 800-171 controls and 320 assessment objectives. Self-attestation is allowed for the first 12 months, but prime contractors (like Lockheed or Boeing) can still demand C3PAO certification immediately.

  • Understanding CUI: CUI (Controlled Unclassified Information) is a major gray area, often defined differently by each government customer. Mike and Nate stress that CUI is not a security classification but a marking, and that contractors should only mark information as CUI if the government has explicitly designated it as such.

  • The Insurance Factor: Cyber insurance companies are now increasingly requiring CMMC-Level certification before they will pay out on a ransomware or data breach claim, making compliance an essential part of risk management.

  • The Assessment Process: Mike outlines the four phases of a CMMC assessment by a C3PAO (like Digital Beachhead):

    1. Pre-assessment: Initial review of your data and readiness.

    2. Interview & On-site Visit: A deep dive into paperwork, controls, and physical security.

    3. Certification: Receiving a final or conditional certification.

    4. eMASS Upload: Submitting the results to the government's official system of record.

    • The typical process for a small business takes three to four weeks.

  • Cost & Strategy for Small Businesses: The average cost of a Level 2 assessment for a small business is between $40K and $50K (a one-time payment for the three-year certification). For companies with only a small portion of DoD work, they recommend creating a secure, isolated enclave (such as a GCC High or Cloud PC VDI solution) to reduce the scope, and therefore the cost, of the assessment.

🤝 Guest Spotlight & Resources

Guest: Mike Crandall, CEO and Co-Founder of Digital Beachhead

Company: Digital Beachhead is the only authorized C3PAO in Colorado Springs and one of three in the Mountain Region, specializing in cyber security services and CMMC assessments.

Mike's Contact Information:

To find out more about the Smalls or become a member, please check us out at www.thesmalls.org

To contact Just Nate: justnate@thesmalls.org

Send in a voice message: https://anchor.fm/thesmalls/message

Support this podcast: https://anchor.fm/thesmalls/support

www.patreon.com/thesmalls

