Inside CMMC Implementation: What November 10th Means for Defense Contractors | Secure Talk with Bob Kolasky

November 4, 2025

Bob Kolasky walked the halls where CMMC was built. As founding director of CISA's National Risk Management Center, he watched this policy evolve from concept to pilot program to federal law—surviving three presidential administrations because the need never changed.


On November 10, 2025, that policy becomes mandatory reality for every defense contractor pursuing new DoD solicitations. Self-certification ends. Independent verification begins. And the defense industrial base faces its most significant security transformation in a generation.

In this conversation with Justin Beals, Bob explains what contractors need to understand about the deadline—and what recent enforcement actions reveal about gaps that have existed all along.


From Honor System to Accountability:

For years, defense contractors self-certified compliance with NIST 800-171 cybersecurity requirements. The system worked on trust. Contractors checked boxes, DoD accepted attestations, and controlled unclassified information flowed through supply chains with security gaps nobody was measuring.


Then came the settlements. Raytheon paid $8.4 million for failing basic security controls—no antivirus software on systems handling defense information, no system security plans, missing access controls. Penn State settled $1.25 million across 15 contracts. Georgia Tech paid $875,000 in the first DOJ intervention in a cybersecurity False Claims Act case.

These weren't breaches. These were preventable failures that contractors had certified didn't exist.

Katie Arrington's warning to the industry has been consistent: "If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014." Translation: adversaries are watching, and contractors broadcasting difficulties are revealing exactly where vulnerabilities exist.


The November 10th Framework:

After this deadline, every new contract solicitation includes CMMC requirements matched to data sensitivity:

Level 1 handles federal contract information through annual self-assessment with SPRS score reporting. Level 2 manages controlled unclassified information and requires independent C3PAO assessor validation—affecting approximately 35% of DoD's contractor base. Level 3 involves breakthrough technology or critical CUI aggregations and demands direct government audit.

The quantitative approach represents a shift. Instead of binary pass/fail, contractors receive scores reflecting actual security posture. An 88 out of 110 qualifies for Level 2 conditional status with plan of action and milestones. These numbers measure real capabilities across incident response, access control, and continuous monitoring.


The Supply Chain Ripple Effect:


Prime contractors bear new responsibility for subcontractor compliance. Before contract award, they must verify—not just accept—that subs meet requirements. Security questionnaires aren't sufficient anymore. Primes need evidence, validation, and continuous visibility.

An affirming official—typically a senior executive—personally attests to the government that the organization actively manages supply chain risk. This accountability changes relationships throughout the defense industrial base.


Practical Considerations:

Bob addresses the questions contractors are asking: How do you define system boundaries when CUI flows through your infrastructure? Why does each information system need a unique CMMC identifier? What does "current CMMC status" mean for maintaining certification? How do you schedule C3PAO assessments when capacity is limited and 35% of contractors need certification?


He also explains why technology becomes essential—automating compliance evidence collection makes continuous monitoring feasible without massive security staff increases. And he's candid about what the next two years bring: with Kirsten Davies nominated as new CIO and Katie Arrington driving implementation, expect aggressive rollout through 2026.


Why This Policy Survived:

Bob's experience spans Obama, Trump, and Biden administrations. The CMMC framework persisted through every transition because supply chain security isn't a partisan issue—it's a national defense imperative. Now at Exiger advising defense contractors, Bob bridges the gap between policy intent and practical implementation.


This conversation provides clarity on November 10th's real meaning: not just a compliance deadline, but a fundamental shift in how the defense industrial base secures the supply chain supporting national security.


Guest: Bob Kolasky, SVP Critical Infrastructure at Exiger | Former Founding Director, CISA National Risk Management Center | 15 years shaping federal cybersecurity policy

#CMMC #November10th #DefenseContracting #Cybersecurity #DFARS #CISA #SupplyChainSecurity #DIB #ComplianceDeadline #NationalSecurity

---


Full Transcript:

Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals.

On November 10th, 2025, everything changes for defense contractors. That's the day the Department of Defense's CMMC requirements become mandatory in all contract solicitations. After years of delays, pilot programs, and self-certification loopholes, compliance is no longer optional. You either meet the requirements or you don't get the contract.

Enforcement, though, is already here. In May 2025, Raytheon and RTX Corporation agreed to pay $8.4 million to settle allegations that they violated the False Claims Act by failing to comply with cybersecurity requirements in Department of Defense contracts. The issue wasn't sophisticated nation-state hackers or zero-day exploits. Raytheon failed to implement basic security controls. They didn't develop a system security plan. They didn't install antivirus software on systems handling defense information.

This wasn't an isolated incident. In October 2024, Pennsylvania State University paid $1.25 million to resolve similar allegations across 15 different DoD and NASA contracts. And in September 2025, the Georgia Institute of Technology settled for $875,000 to resolve False Claims Act allegations where the Department of Justice had intervened for the first time in a cybersecurity case.

Katie Arrington, who is performing the duties of the DoD Chief Information Officer and the architect of the CMMC program, has been blunt about what's coming. At an AFCEA luncheon, she warned contractors: "If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014."

She's right. Contractors have been required to comply with NIST Standard 800-171 since 2017. For over a decade, they've been self-certifying their compliance. But complaining publicly about how difficult cybersecurity requirements are sends a dangerous message. It tells the government you're not compliant. And it tells adversaries like China, Russia, and North Korea exactly where to look for vulnerabilities.

As Arrington put it: "Do you think the government isn't watching?"

The stakes are enormous. On September 10th, 2025, the Department of Defense published the final DFARS rule implementing CMMC, setting the stage for mandatory compliance. After years of debate, the program is now federal law.

If you're a defense contractor, November 10th marks a fundamental shift. Every new solicitation after that date will include CMMC requirements. Your ability to bid on contracts now depends on demonstrating measurable cybersecurity practices. The grace period is over. The self-attestation loophole has closed.

What makes CMMC different from previous compliance efforts is its quantitative approach. You're not just checking boxes. You're receiving scores. An 88 out of 110 for Level 2 conditional status. These aren't arbitrary numbers. They represent measurable capabilities across domains like incident response, access control, and continuous monitoring.

For Level 1 contractors handling Federal Contract Information, you'll need annual self-assessments reported through the Supplier Performance Risk System. For Level 2 contractors handling Controlled Unclassified Information, you'll need independent validation by certified third-party assessors. And for Level 3 contractors working with breakthrough technology or creating critical aggregations of CUI, you'll face direct government audits.

The Department of Defense estimates that 35% of their contractors will need Level 2 certification through third-party assessors. That's thousands of organizations competing for limited assessment capacity. The bottleneck is real. Wait too long, and you might find yourself unable to schedule an assessment when your contract renewal depends on it.

Prime contractors now bear responsibility for verifying subcontractor compliance before award. They can't just accept a security questionnaire anymore. They need evidence. They need validation. And they're personally attesting to the government that they're actively managing supply chain risk.

The concept of an "affirming official" puts accountability on senior executives. We've seen this pattern before in the commercial sector. CISOs becoming personally liable for security failures. Now we're seeing it extend into the Defense Industrial Base. Sign your name to a CMMC attestation, and you're taking responsibility for the accuracy of that claim.

What fascinates me about this transformation is how it mirrors challenges I've faced throughout my career building technology products. When you're designing secure systems, you can't start with compliance requirements. You start with understanding your actual risk posture, your operational realities, your resource constraints. Then you build security that works for your specific context. The compliance frameworks are measurement tools, not design specifications.

CMMC forces that same mindset. You can't just implement a checklist and hope for the best. You need to understand which information systems handle CUI, how data flows through your organization, where your vulnerabilities actually exist. Then you need to demonstrate continuous monitoring and active risk management over time.

The policy landscape has been remarkably consistent across administrations. Whether under Obama, Trump, or Biden, the Department of Defense has steadily moved toward mandatory supply chain security requirements. The current administration sees CMMC as a major priority. Katie Arrington, the DoD CISO, has made this her mission. And with Kirsten Davies nominated as the new CIO, we can expect aggressive implementation throughout 2025 and 2026.

For many businesses, the challenge feels overwhelming. How do you compete with the resources large primes can dedicate to security infrastructure? The answer lies in leveraging technology that automates compliance evidence collection, streamlines assessment preparation, and provides continuous monitoring without requiring dedicated security staff.

There are a lot of vendors selling CMMC solutions in the market right now. It's scary when you're facing a six-figure "readiness assessment". We don't believe in that model. That's why at StrikeGraph, we offer a free Level 2 Self-Assessment, including System Security Plan, SPRS score, and Plan of Action and Milestones reports, at no cost. We believe we need to support organizations in becoming compliant, not gatekeep access to government contracts.

We caught some criticism for this offer at the National Cyber Summit. Competitors suggested we were undercutting the market. But our community needs accessible solutions right now. These aren't faceless corporations with unlimited budgets. These are veteran-owned companies, specialized manufacturers, and critical suppliers who want to support national defense but shouldn't have to spend six figures just to understand their baseline.

Today's conversation brings someone uniquely qualified to discuss these challenges. Our guest spent 15 years in senior federal government roles, including founding the Cybersecurity and Infrastructure Security Agency's National Risk Management Center. He's worked at the highest levels of policy development around supply chain security and critical infrastructure protection. And now, as Senior Vice President for Critical Infrastructure at Exiger, he helps defense contractors navigate exactly these CMMC requirements.

We'll explore the practical implications of the DFARS ruling, what prime contractors now expect from their subs, where the assessment bottlenecks will hit hardest, and how businesses can compete in this new environment. We'll also discuss why this represents more than just a compliance exercise. It's a fundamental shift in how the Defense Industrial Base thinks about security as a shared responsibility across the entire supply chain.

The mathematics are straightforward. If you want to participate in defense contracting, you need to meet CMMC requirements. The timeline is aggressive. The expectations are clear. And the consequences of waiting too long include losing the business you've spent years building.

But there's also opportunity here. Organizations that invest in security infrastructure now, that build cultures of continuous risk management, that leverage technology to automate compliance, those companies will have a competitive advantage. They'll be the subcontractors primes want to work with. They'll win contracts competitors can't bid on. And they'll build customer trust that extends far beyond government work.

Bob Kolasky is Senior Vice President for Critical Infrastructure at Exiger where he focuses on developing cutting-edge risk management solutions for critical infrastructure companies and supporting government agencies. In this role, Mr. Kolasky leads market strategy for addressing third party and supply chain risk in critical infrastructure and delivering analysis. Mr. Kolasky also serves as a Nonresident Scholar in Technology and International Affairs Program at the Carnegie Endowment for International Peace, as a Senior Associate for the Center on Strategic and International Studies (CSIS), and a Senior Fellow at Auburn University's McCrary Institute. He is the former Chair of the High-Level Risk Forum for the Organization of Economic Cooperation and Development (OECD). Mr. Kolasky joined Exiger after 15 years as a senior leader in the Federal government, where he was responsible for foundational work in national security risk management and election security. He was the founding Director for the Cybersecurity and Infrastructure Security Agency's (CISA) National Risk Management Center at the Department of Homeland Security. As one of CISA's Assistant Directors, he oversaw efforts to build a strategic, cross-sector government and industry risk management approach to cyber and supply chain threats to critical infrastructure. Mr. Kolasky has served in a number of other senior leadership roles for DHS, including Acting Assistant Secretary and Principal Deputy Assistant Secretary for Infrastructure Protection. Earlier in his career, Bob was a management consultant, a journalist and an entrepreneur. He graduated from Dartmouth College and from the Harvard Kennedy School of Government.

---
Justin Beals: Bob, I'm really grateful to have you back on Secure Talk this week. Thanks for joining me.

Bob Kolasky: Yeah, glad to be back Justin. Let's enjoy the conversations.

Justin Beals: The whole run. I feel like this is the second time we've done a recording, and a couple of times we've had to chat. I'm proud of our friendship, my friend. It's growing professionally. Yeah, absolutely. And of course, like something you and I have been talking about as long as a year ago was what's happening with CMMC. What's changing about, you know, nation-state supply chain management for our federal government?

Bob Kolasky: Me too. Me too, yes. We have lots of aligned interests.

Justin Beals: And we have a final ruling, a DFARS ruling that is going into effect on November 10th. And it's given us a lot of clarity, right, Bob? Maybe we'll just start off. going to start off with a really easy question. Like, let's capture what the DFARS ruling means in the sausage-making process a little bit.

Bob Kolasky: Yep, exciting.
Yeah, so I like to think of it, first of all, it's the permission to put the requirements into the contracts, which is what's always been coming, and sort of to define the levels of expectations for CMMC certification based on the handling of CUI, controlled unclassified information, there. And so it starts the framework by which there are going to be real requirements. And you are going to be required to be certified at a level one, a level two, or a level three based on the DOD's expectation of what CUI is going to be handled as part of that.

And so I mean, I think that's the significant point that when you are responding, when you are part of a team responding, when you are serving part of the Defense Industrial Base and responding to these things, you know where the requirements are. And so we've talked before about how people are going to get religion finally, finally, finally, but you better have your religion now, right? And then, so this is the moment you're talking to God.

Justin Beals: That's right. Yeah, yeah. And I think, you know, it's been like, we were going to do it and then COVID hit and then of course, you know, elections change things, we're interested in what the new administration is going to do. And of course, they leaned in really hard. And so one of the big findings was that the DOD made level one a pass/fail requirement, no more grace period.

It is done, right? Like you're not going to get the contract if you don't meet the CMMC requirements specified in the contract. Yeah.

Bob Kolasky: But there's still the degree in level one that it is a self-attestation that you're doing that. So there's still going to be implementation ambiguity of how things like that are checked along the way. Of course, as you get higher up the chain, the actual requirements for certification, and you go to level three and DOD is actually looking to confirm you've done it. Level two, and you obviously are talking to customers about this. So are we level two? Are you going to make sure you have this independent attestation by a C3PAO, those sorts of things. But yeah, there's a lot more definition out there.

Justin Beals: Yeah. One of the things that I find, there are some innovations in CMMC, right? Like you and I are well aware of other styles of frameworks, like an ISO 27001 or a SOC 2 type thing. One of the things that I always find interesting about just CMMC broadly, level one, you know, through level three, is quantitative. So we're scoring. You're not going to have a perfect score all the time. Yeah. And also

Bob Kolasky: Yeah, still a risk management.

Justin Beals: Still risk plan of action of milestones, you know, where you're like, okay, and also I got to show progress over time. I find those almost like the government as a buyer, being aware of where the vendors will be at. 

Bob Kolasky: Yeah, I mean, I think you see a theme, we're talking about CMMC, but we could be talking about FedRAMP certification. We could be talking about other aspects of the DOD software risk management, risk management process. You see a theme where nobody wants just a moment in time, either a binary yes or no, but a commitment to continue to actively manage risk and be flexible around that. So, you know that the easy mantra is to get rid of checklists and replace checklists with a sort of dynamic process that can be automated and regularly checked against that. And I think the policy and regulatory framework is trying to replicate that, make that mantra a reality.

Justin Beals: Yeah, and in the DFARS ruling, it redefines current CMMC status to mean no changes in compliance. I think to your point, like continuous active security infrastructure in place around the CUI requirements is not a one-and-done.

Bob Kolasky: Yeah, how that's validated over time, how that's checked, and at what level, that's all going to be; there's going to be experience around that. I very much hope, and I know you do too, that this gets people to, this gets entities to take their risks more seriously, forces them to, from a business interest, and then changes their culture because it has changed the sort of cost-benefit analysis of making investment in cyber protections.

Justin Beals: Yeah, certainly. I made a change to my sales deck in the last quarter, a little bit where I'm trying to explain to people interested in hitting any supply chain outcome, compliance outcome, that this is like a change in your operations, plus the change in your security that equals compliance. Like you're not, you're not just doing a quick test and being done. Like you, you're going to change how you work or identify how you're working today and keep that going.

Bob Kolasky: Yeah.

Justin Beals: Which you should have been doing all along, honestly, but now we're gonna measure it, yeah.

Bob Kolasky: Yeah, and technology is going to enable you to more continuously be looking at whether the risk has changed and how you're addressing risk and things like that.

Justin Beals: Yeah. When I first started working in this space about six years ago, one of the things that really floored me, and of course, I knew this as a CTO, was just really like the network effect of supply chain and third-party risk and how things flow down. And one of the things that I thought was interesting is that in the rule, prime contractors are responsible for verifying subcontractor CMMC compliance before award. And yet they cannot view the subcontractor certificates in the SPRS system. So they've got to rely on either an audit or the subcontractor meeting an assessment, providing some validation and verification.

Bob Kolasky: Yeah, it's, you know, I think it'll change the nature of the business relationship between a prime and a sub. Obviously, subs will want to be figuring out ways to demonstrate, when they're going after being a subcontractor for a prime contract, to demonstrate ahead of the game that they're already there. It is a business differentiator to say, hey, we've achieved this level of CMMC certification for another purpose, or we've made this investment in these sort of things, or these are certifications around that. And you're going to want to lead with that when you're setting up the relationship with the prime contractors. And you're going to get those questions even before it becomes a contracting discussion, right? And at the same time, the trend of the prime is actually making investments in subcontractors' ability to go through the CMMC process and demonstrate CMMC.

If they think a sub adds real value to their offering. And that's what we certainly think DOD is certainly hoping, that there's just gonna be more pressure, business pressure across the way to make investments in this area as a competitive advantage, as a necessity to have the ability to win there and that primes will take some ownership over their supply base, their supply chain. And that's...

Justin Beals: Yeah. I have some customers that are primes and what I find interesting that they've started discussing with us is how to like this concept of validation, right? Like it's one thing for my sub to tell me, Hey, this is my score. But now I feel kind of responsible, maybe from a legal perspective or a commercial contract perspective, that I've validated that operation as well. And that's, that's changed the tech discussion.

Bob Kolasky: Yeah. And you know, Exiger and we've worked together and Exiger is a supply chain risk management company in the first place. And so at Exiger, we spend our time trying to help prime contractors; we do business with three of the five biggest prime contractors in the defense industrial base. We do business with a lot of other big companies who care about their suppliers. There's always been an aspect that you've owned your suppliers' risk a little bit. And by entering into the nature of a business relationship where you're working together to deliver something that's functionally or operationally important to the war-fighting mission or some other sort of critical system, that risk is part of your responsibility, especially if you give access to data and stuff. Now you can't, right, now officially you own that risk, right? But you already owned that risk a little bit, but for purposes of CMMC, you are attesting to the government that you're actively managing that risk.

Justin Beals: And I think it's like that representation, and I think we'll dig into this for a second, but you know, the chief compliance officers that I've talked to now are really scared that a security questionnaire is just not going to do it, right? Like it wasn't the level of rigor to validate, you know, to properly validate that the sub was effective.

Bob Kolasky: Yeah. And they shouldn't necessarily be scared. They should just accept that that is the reality and build in a process. But again, from a risk perspective, it has not been good enough for a long time. So let's trust but verify. Let's look for different processes to verify. I always use the old Reaganism. So, trust but verify is the Reaganism.

Justin Beals: That's good.

Bob Kolasky: There's a lot of times you want to verify and then trust, right? And I think that's where we're getting to. You don't trust it, you know, and that goes to the zero trust mindset.

Justin Beals: Yeah, they have this concept in the DFARS ruling of an affirming official. And that is, I think you're putting the load on a person, a senior executive. And I do think that always changes the game as well. We've seen this in the commercial space where CISOs have become personally liable for failures to secure. And now we've got, I think, senior officials in the DIB. Yeah.

Bob Kolasky: Yeah, and I, you know, taking that line of question down that line for a second, I'm not sure, like the personal liability for CISOs is something that scares me a little bit. Like there's a level of degree if you are as a CISO, if you are within your resources, taking the steps you can to try and take the steps to tend to achieve security, you shouldn't necessarily be liable.

The Chinese government decides to attack you, or the Russian government decides to attack you. So it's figuring the gap of when you are actually, you're not meeting a realistic standard of care. And I think the courts, right, in the private sector on the CISO side, the SolarWinds case and other things like that, the courts are still gonna, working through kind of what is your duty of care, standard of care and things like that. But to your overall point on attestation, when I put pen on something, I want to make sure I'm asking the hard questions of my team. And I know that my reputation, if not my legal, if I'm not legally liable, I'm certainly reputationally liable for not doing it. And that process is still playing out, but I think attestation is a good step. We've seen the same thing with software development practices and what CISA has been trying to do in terms of software attestation, secure software development, lifecycle processes, attestation.

Justin Beals: Yeah.

Bob Kolasky: We're definitely seeing a trend in that direction.

Justin Beals: Yeah, I always like to admit I'm no lawyer, although I did play one in a high school play once. So dangerous that way. Yeah. But I do think about this concept of negligence versus being a victim of fraud yourself as a CISO, right? Like if you were negligent in your job and ethical responsibilities or you falsified or created false claims, that's a real issue as a CISO.

Bob Kolasky: Okay, To Kill a Mockingbird or something else. What was it? Yeah.

Justin Beals: But if you were the victim of fraud and you weren't negligent in your work, I feel like that's not something you should be liable for necessarily.

Bob Kolasky: Right. Then, you know, we, obviously there's some level where every CISO is accepting some level of risk because you have to, to operationally do the work of whatever company you're doing. And so, you know, are you going into as a CISO, understanding what risk you're accepting? Do you have the ability to have the conversation with your C-suite and your board about this is the resources I need to get to that level, to match our risk tolerance. 

And again, I just get a little scared somewhere in that system that the CISO is the liable person when it is the entity that's ultimately, it's the board, it's the C-suite that are setting the resource levels and the risk tolerance level. So I think you have to prove negligence.

Justin Beals: Yeah. Although there's been some teeth, right? Like DOJ settled an $8.4 million settlement with Raytheon recently. As you know, I think Katie herself, in one of the CMMC conferences that I was at, was very aggressive about how they're going to levy fines if they find that you were falsifying your claims.

Bob Kolasky: Yeah. Yeah. And I think, but I think that goes to the point that we were just talking about, right? The fine is against the entity. The fine is not against the CISO there. And I think the entity, if the entity can be proven to not have taken the proper steps to protect valuable information, then going after them is appropriate. You know, this is, I'm not a lawyer either, and so we'll stop this line, but it is a.

Justin Beals: Yes.

Bob Kolasky: Very interesting set of case law to continue to monitor because the legal system does play such a key role as it has in other things like safety and health outcomes and environmental outcomes. It does play a key role in setting kind of what expectations are for managing risk.

Justin Beals: I think you and I, though, again, not being lawyers, and I'm sorry for continuing this, but it's a drum I like to bang. We are responsible for the ethics of how we do our jobs. Myself as a CEO, when I was a CTO, you in helping your organizations, there should be a concept of ethics in our work and the trust we create. I kind of get frustrated, especially as we see like some of the rise of data science, machine learning and AI, that people have not done effective ethics in that work. I wish we would teach it better. Yeah.

Bob Kolasky: Yes. My daughter is excited. She just took the LSAT. She's excited. She's 21 years old. She's excited to be a lawyer soon. So hopefully, she'll be able to give me some legal advice along the way. She just took an ethics of an AI class, which I found fascinating. And I talked to her for ethics of AI class. My point is, and your point, right, the ethics of security and the ethics of taking care of your customers' data, your consumers' data, your business partners' data, that's what we're talking about. So it is a business ethics question. And in some ways, you know, somebody who doesn't always think that the legal system is the right way to manage risk, right? In some ways, I agree with you, the culture of business ethics, that isn't a culture of compliance, isn't a culture of you're just doing it because if not, you're going to be legally liable. You're doing it because it's the right thing to do for your business to be long-term successful.

Certainly, that's what we're trying to do at Exiger. Our mission is making the world a safer and transparent place to do business. And that's an ethical mission. We certainly sell to compliance officers and leave the place. But we talk about what we do from an ethical perspective. And so I agree with you completely.

Justin Beals: Mm-hmm. Yeah. Okay. Let's talk a little bit about the level one, level two, and level three types of things that are coming out in CMMC and this DFARS ruling. So, level one, annual self-assessment reporting with an SPRS score. Level two and level three allow triennial C3PAO or DIBCAC type assessments, depending on where you're going. But there's, I think, they're also closing the door, and especially on small contractors.

Bob Kolasky:  Yeah.

Justin Beals: I'm thinking very small teams here that are working through small business administration or have gained some federal contracts. There's a real kind of closing on the door of you need to step up. Do you agree? Is that one of the things we're seeing across that DIB base?

Bob Kolasky: Yeah, I think you have to figure out a way to get to some level two as a small company. You have to figure out a way to get some level of independent validation as you see in their processes, and there's an ecosystem that's out there to do it. I don't know what you're seeing. You bring in the SBA, and can you use small business funds, small business loans to get to a different level of CMMC compliance, and are there different ways to offset the cost? I think that's still a goal, that the small businesses don't have to bear all the costs directly of CMMC compliance, and that there are some ways to get some incentives and some help along the way. And I was talking earlier about the primes helping and the bigger players in the ecosystem. But you've got to have this as part of your business plan on how you're going to, you know, pay for this and get to that, because at some point, if you're going to stay in that business, you're going to start to lose business opportunity.

Justin Beals: I like to say that a big part of my conceptualization of the United States as a nation-state is that it's a heavy private-public partnership, right? Like, our federal government relies a lot on private industry to support them. I've seen others; like, I know that Australia's DIB is working through a similar concept to CMMC, which they call the Essential Eight.

Bob Kolasky: Yeah.

Justin Beals: But they've started providing small business funds, right? Like, here is a small amount of funds to help you come out and hit these outcomes. I think that's helpful, right? It even just greases the wheels a little bit and takes down the fear at that small company, that we're in this partnership together, and we're here to support you. I would support that type of investment in security.

Bob Kolasky: I certainly agree. The premise from a national defense, national security architecture: the government expects that industry is going to build the instruments to allow us to execute the mission of the Department of Defense, the war-fighting mission there. And the whole philosophy, and you see it in, you mentioned Katie, but when you talk to Katie Arrington, you know that, right? Her whole philosophy is like, yeah, the solutions are going to come from the outside. They're going to come from the commercial space. But we need them to be ready to provide us solutions at the speed of relevance. And if they're not there from a security perspective, or if they're not there from just having the technology, the ability to scale technology, the government can help fill that gap through targeted financial incentives, through innovation funds, through security funds. Yeah, you know, I think one of the things we're going to learn in the next year is the degree to which people are able to meet the contractual requirements associated with CMMC. And if we get to a moment where there's a gap in the ability for entities to deliver the services the Department of Defense needs through the Defense Industrial Base, we've got to have a hard conversation from a policy perspective of how we're going to close that gap, because we can't take the security risk, but we also can't take the operational risk of not having the technologies we need to do the warfighting mission.

Justin Beals: Yeah, I agree. You know, we always feel a part of this community. I'm going to do a very slight bit of self-promotion. So if anybody wants to skip ahead, it's fine with me. But we saw this with some of our midsize customers that were really fearful. And so what we decided to do on our platform is offer kind of a level one or level two self-assessment for free for 60 days. So at least it's no cost upfront, but you can get on a piece of technology and get to that initial SPRS score and figure out what your gap is. Of course, we eventually need to recognize revenue from it, but that's when they start doing the continuous monitoring and hopefully have understood where they're at. We caught a little flack at the National Cyber Summit from competitors, but we were like, man, our community needs solutions to help them lever into this, right? Yeah.

Bob Kolasky: Yeah, no, I agree completely. We call them freemium services a little bit, right? It's the degree to which you're triaging where the needs are through that and you're giving that skill. And obviously, you're making the business calculation that once people better understand the needs, they will be looking for solutions, which I think is important. We do that in some of the areas we look at supplier risk as well.

Justin Beals: Also it's terrifying when you just don't know much about it, but I think once you go through that initial assessment, you're like, well, we're doing some things and these are the gaps, and now I understand them. It's not as terrifying. Yeah.

Bob Kolasky: Yeah, and we haven't talked about sort of the training resources elements of CMMC, but that's obviously, the CMMC ecosystem is not just the auditors and the certifiers and the technology to support you there, but it's also the trainers and, you know, there's a pretty robust business market out there for people who are willing to help you along that journey.

Justin Beals: Yeah, actually I've had a number of colleagues that were systems administrators or software engineers that have gone and done the Cyber AB training to become, it's, I forget all the correct terms, so I apologize, but someone that can assist in getting someone into CMMC. Yeah.

Bob Kolasky: That's okay. Yeah. Yeah, the training is just to learn CMMC acronyms. And even you and I don't even know the CMMC ones. It's like, okay, we've invented this new language called Department of Defense-ese.

Justin Beals: I know, yeah! That's right. So one other little bit about this is that I just find, you know, I love thinking of myself as an engineer and computer scientist initially. And one of the things I love about CMMC is the quantitative analysis, but there are some minimum score expectations on the level two side, an 88 out of 110 to even qualify for conditional status with a POA&M. I think that is an innovation.

For too long it's been, like, so opinionated, but now we start to have scoring, right?

Bob Kolasky: Yeah. Yeah. In the scoring, I think a scoring like this works best as a relative assessment against, you know, the overall ecosystem in comparable elements, you know, whether an 88 itself is meaningful. If the difference between an 88 and a 78 and a 68 is meaningful, then you start to get a baseline of where people are, and you can use the scores to benchmark against.

Like companies, different-sized companies, you can use the scores as a place to say, okay, you know, good scoring systems that get to a higher score incentivize good behavior, right? And so as long as the higher scores get to things that are correlated with better security, then it's a good use of quantification.

Justin Beals: Yeah, I used to work in the high-stakes assessment education industry. And once you dig into the data science on an SAT score or something along those lines, what you realize is that these are really statistical tools. You know, it's not actually measuring intelligence. It's plotting you on a continuum of other people's responses. Yeah. Yeah.

Bob Kolasky: No, I spent a lot of years, as you know, in Homeland Security risk analysis and risk management. And the debates we used to have as we were building some of the early risk models between qualitative and quantitative, and when it was appropriate to use qualitative and quantitative. Those were doctrinal wars in the risk analysis community. They're doctrinal wars probably in the data science community writ large. I thought at times qualitative versus quantitative is a false argument. But I won't take us down that route, because we could then be spending. Yes.

Justin Beals: Fun philosophy, data science side, yeah. Okay, let's dig into some of the assessment level clarifications that came in the DFARS rule. So one of the things that I think we were a little surprised with is we thought there'd be a lot of level two self-assessment, but actually, as it came out, it looks like it's a lot of level two C3PAO assessment, much more than we imagined. And really the DoD estimates that only 2% of contractors can do a level two self-assessment, and 35% of their contractors will need a C3PAO. We know that there are issues with the number of C3PAOs that are available to do these types of assessments. I think we're going to experience a little bit of a bottleneck around this. Do you agree?

Bob Kolasky: Yeah. I mean, it comes down to what I was saying a little bit earlier about what kind of gaps we are going to have in the ability to meet it, right? So I don't know if you've seen numbers of how the predictions of which contracts or which requirements are going to be level one, level two, level three, and what those ultimately, what the denominator of those requirements is. But if there are a lot of things, I mean, you have to take into account the throughput ability to meet the requirements.

I agree with you that there is a bottleneck, and if the bottleneck happens in a place where there's a large denominator, then we are going to have potentially some gaps in performance. And so then you've got to speed up trying to clear the bottleneck. The Department of Defense is going to have to take some steps to clear that bottleneck if it exists.

Justin Beals: Yeah. I think this is where tech can be a solution too. One of our customers just took six different factories through their CMMC certification, and we prepped their data really well for the C3PAO, and it was quite efficient. Like, it was weeks, not months, to get through the audit process.

Bob Kolasky: Yeah. So innovation and automation. Yeah. That's good.

Justin Beals: Mm-hmm. One thing I really loved is that they are kind of categorizing the confidential unclassified information better for us, or CUI as we use the acronym. Yeah, so we're looking at controlled technical information, critical infrastructure security information and a couple of others. That's going to drive that level two. And so now I think businesses can be like, okay, am I dealing with controlled infrastructure? Am I dealing with controlled technical information? And I love that the data drives the level of assessment.

Bob Kolasky: Yeah. Because it is ultimately the data's, that's the level of risk of information leakage. And defining the risk, and having the ability to tell the story of why there's risk that maybe you don't understand that you're part of, is what's going to show up in the contract requirements.

Justin Beals: Yeah. And then we've got some clarity around level threes. CUI involving breakthrough, unique advanced technology, significant aggregation or compilation of CUI, or a ubiquity where it's kind of like you're so interconnected as a vendor that your failure has a cascade effect out or a network effect out. And those are going to require a DIBCAC assessment. So that's the government doing an audit of you. Is that correct, Bob?

Bob Kolasky: Yeah, DIBCAC, DoD's teams coming out and assessing, and we keep talking risk, right? That's DoD saying there's too much risk. You own too much of the risks that we're responsible for that are important for national defense. We, again, need to verify and then trust, and we need to have the ability to continuously do that.

Justin Beals: Yeah, we've got one customer that has already been, you know, I think they've gotten some information they need to be prepared for a level three style assessment. We didn't think we'd see any. We thought it was pretty far out of our purview, but it happened quite quickly. Yeah.

Bob Kolasky: Yeah, I mean, I'm interested in, you don't need too much detail on your customer, but I'm interested. I've got to assume that the ones who are going to be responsible for having to meet level three understand that that's the business they're in. And while they may not have been preparing for all aspects of understanding the specifics of the DFARS, they had to understand that, you know, and I hope they understood before CMMC that they had special obligations from a security perspective, a protecting information perspective.

Justin Beals: I mean, certainly this group is a very mature organization. I think they weren't sure, but man, you have to look at, I don't even, they could never tell us what they were doing, of course, that's how secretive it needs to be. But you'd have to imagine that the types of things that they were engaging around were so sensitive that it just required that level of authorization. Yeah, absolutely.

Bob Kolasky: Yeah.

Justin Beals: Okay, so let's talk a little bit about the system-level complexity. So each information system that is handling FCI or CUI requires a CMMC unique identifier. I think this is another, as a CTO, like a technical difference in SPRS. So you're tracking and affirming that an information system that's handling that data, you can identify it, like it has an identifier, and this is what it is doing. How are you finding customers thinking about system boundaries of information systems?

Bob Kolasky: I mean, it goes back to sort of the ideas in Zero Trust and the ideas of trying to limit your blast radius associated with that. You know, that's good security architecture. And so, you know, it starts from a security architecture perspective for our customers there around that. And then saying, okay, things should only have access to the things they need, and they should only work with limited high-risk things. So designing the technical architecture behind that and being able to report that is kind of the conversation that I have with some of our customers.

Justin Beals: Yeah, I've had systems I've designed in the past where we created unique instances for each customer, like a physical separation instead of just a logical separation of data, because the data was so sensitive. There was a cost to doing business in that way, right? Because we had to provision more technical infrastructure, but at least the segmentation, and to your point, the blast radius, was limited, because if we had a breach in one instance, it wouldn't infect the other instances necessarily.

Bob Kolasky: Yeah, and then it reduces the likelihood of breach, of course, because not only is the blast radius limited, but the target radius is also, hopefully, limited. So you can't get in through the weakest link.

Justin Beals: Yeah. And then, for the FCI stuff, though, that gets really, in fact, federal contract information, because if you load it up in Salesforce, that's a very porous system. It's going to be in a lot of places.

Bob Kolasky: You are accepting some risks. I won't say anything negative about Salesforce, but yeah, no. You are, I mean, obviously, companies rely a lot on software systems to manage data around that. And one of the things that we're competing against is years of using software to improve efficiencies and improve data availability and the ability to work virtually and the ability to share information and all that, which has all been wonderful for business effectiveness, but has created security vulnerabilities. Sometimes we are trying to catch up with, we made a business effectiveness decision without taking into account the new security risks there. As somebody who advises companies and works with different suppliers, you want to start at the outset of thinking about where your suppliers are going to have access to things that are critical to your information and design the security in. So you're going to use Salesforce or one of its competitors, but how do you protect that for the purpose of making sure it doesn't have anything that is CUI?

Justin Beals: Yeah.

Bob Kolasky: Let's use it for FCI.

Justin Beals: You know, I talk a lot with our customers and potential customers about the fact that you really have both a right and a responsibility to design effective security, and that you can't take a compliance requirement like CMMC or any other framework as being the design of your security. That's a measurement tool. You're going to get assessed against it. Yeah, but you've got to be an active participant in how you're going to organize this information and the systems that support it.

Bob Kolasky: Yeah, definitely. I mean, you know, as a security professional, you are aware of all the frameworks and tools that you could potentially be held accountable for, or in an ideal world you are, but you're still starting with what's the right level of security to manage risk to my risk tolerance given the resources from my board. And hopefully that gets you to something that gets you to comply relatively quickly. Don't start with the requirements, start with the security and then, you know, fill the gap to make sure that the security meets the requirements.

Justin Beals: Yeah. Okay. So the DFARS rule talks about what they term a phase one rollout, which I think is a little bit of a misnomer, because it makes it seem like this is going to be slowly rolled out, but it doesn't quite feel that way. I do think this is like any new contract has to have a CMMC requirement in it. Is that right?

Bob Kolasky: That's my expectation. I mean, we'll see the level of pushback. We'll see if there's any, if it's too aggressive. But I think that's probably what they're going in there thinking about. You know, we, yeah.

Justin Beals: Mm-hmm, and it'll be in the solicitation. You'll know upfront as a contractor what you've got to meet. Yeah.

Bob Kolasky: Yeah. I mean, we haven't talked about sort of the reality of the policy window or the political window here, but you know, this will happen a year after President Trump was elected. So we're one year into the Trump administration, and this is a real opportunity to get this stuff all instantiated in the next year. And I think certainly the appointees over the Department of Defense, the Department of War, recognize that, and they're going to be pushing hard to make sure that this is completely instantiated through 2026.

Justin Beals: Yeah, and you of course worked for the government for a long time and helped that risk office and supply chain office kind of design what they were working on. It feels to me, I get that we deal with new administrations from time to time, but this theme seems to have been going for DoD, DoW, you know, through different administrations from different political parties.

Bob Kolasky: Yeah, I think there were inefficiencies in implementation because of political change, and maybe there always are in that, but the goal of what ultimately is going to get implemented in CMMC has been consistent. The framework has had ups and downs, but I think overarching, for people who look at it from the outside, there has been consistency there. There's just a real sense right now that it is going to be a major win for the Department of Defense to get it done. And I think they're going to lean on that as a major win.

Justin Beals: Yeah, and of course, you've worked with Katie Arrington for some time, the CISO at the DoD. So maybe, you know, having known her as a leader and seen her in this leadership role, I think you see that this is something that she and the administration broadly want to continue to roll out and see.

Bob Kolasky: Yeah, I mean, obviously, the good news about Katie is if you see her on stage or if you talk to her, whether you know her very well or not, what you see is what you get. It really is. And this is something that is a passion project to secure the country for Katie. You know, this is something that was important to her last time around in the first Trump administration. And certainly in her time as the acting CIO it has been very important to her. You know, personnel-wise, the DoD will have a new CIO, presumably in the next couple of months. Kirsten Davies has had her hearing and was appointed by President Trump. And so she will be taking over the job and will probably take the next step. So it'll be interesting to see what happens in the next step with new leadership at the DoD CIO shop. But I know while Katie's there, this is something she's committed to get done.

Justin Beals: Yeah, and I have to say that, you know, I try to live up to the example of some of my colleagues that work inside the federal government. Certainly we're all voters, you know, we participate in our democracy, but at the same time, we also kind of see that this is good for our nation, you know, broadly, even myself personally. I would like to continue the public-private partnership that we do as a nation, and I'd like to see the level of security expectations raised, especially on the private side. I think it's useful. Yeah.

Bob Kolasky: And it's good for the nation because the service, right, we haven't talked about, the companies that are going to have to go through CMMC are doing it because they decided to be in the business of supporting, they are members of the defense industrial base. They made business decisions that I want to be part of helping the nation, helping the government defend the nation, right? And I'm excited about that. And that's a special obligation. We can talk about the special obligation on the government side, but the special obligation on the private sector side is that if you are doing something that is important to a community or important to national defense or national security, you are in the business of providing a special obligation. And there are security expectations on you in doing that. I so appreciate that the private sector steps up into those special obligations, but I hope they match that with the security commitment.

Justin Beals: Yeah, and I personally have, you know, I'll use my own experience as being a CTO. I've worked a lot in the startup space. At first, you know, I think the first thing I had to hit was an OWASP server hardening set of requirements, or my first penetration test that I ever had to go through to win a contract. And at first it's terrifying, but for those that haven't been through it yet, I have to say that on the backside of all that work, I felt a lot more confident about what I knew I should do.

And then also more confident in my team and our culture and what we were doing. I think these are good practices. Yeah.

Bob Kolasky: Yeah, I hope so, and I don't want to be too cheerleading for the government. I mean, some of this can be too much, some of this can be compliance heavy, some of this can be too much cost for little risk. But I think over the last 10 years those issues have been sort of worked through as it relates to CMMC, and, you know, we talked before about, sort of, it's hard to imagine 10 years ago that this is just where we are.

But the benefit of that is that's because there have been deliberative processes. There has been learning. There has been feedback along the way. And now we are implementing CMMC with more automated tools available, the ability to scale against all that. So if this is a way to continue to take advantage of the private sector's abilities to help the defense mission, let's be happy that we continue to rely on innovators, and we just want to help the innovators get to the right level of security.

Justin Beals: I love that. I'm so grateful for getting to spend time with you today.

Bob Kolasky: I enjoyed it. I feel like we'll probably have to check in every six months to see where we are on the longer journey, but I'm always happy to.

Justin Beals: I think so. Yeah. Well, excellent. And of course, I think you're in the DC area, and I have a lot of friends, colleagues and family in the DC area. And so we're hoping for a quick resolution for our friends and colleagues out there from a budgetary perspective. So yeah.

Bob Kolasky: Yes, as we talked about before, we're taping this before it's going to air. I hope when this airs, there is no longer a government shutdown, for all the government workers and things like that, and that Congress has come to its senses.

Justin Beals: Yeah. We're thinking about those teammates for sure. Bob, have a great day. Thank you for joining us.

Bob Kolasky: Thanks, Justin.

About our guest

Bob Kolasky, Senior Vice President for Critical Infrastructure, Exiger

Bio:

Bob Kolasky is Senior Vice President for Critical Infrastructure at Exiger where he focuses on developing cutting-edge risk management solutions for critical infrastructure companies and supporting government agencies. In this role, Mr. Kolasky leads market strategy for addressing third party and supply chain risk in critical infrastructure and delivering analysis.

Mr. Kolasky also serves as a Nonresident Scholar in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, as a Senior Associate for the Center for Strategic and International Studies (CSIS), and as a Senior Fellow at Auburn University's McCrary Institute. He is the former Chair of the High-Level Risk Forum for the Organisation for Economic Co-operation and Development (OECD).

Mr. Kolasky joined Exiger after 15 years as a senior leader in the Federal government, where he was responsible for foundational work in national security risk management and election security. He was the founding Director for the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center at the Department of Homeland Security. As one of CISA’s Assistant Directors, he oversaw efforts to build a strategic, cross-sector government and industry risk management approach to cyber and supply chain threats to critical infrastructure. Mr. Kolasky has served in a number of other senior leadership roles for DHS, including Acting Assistant Secretary and Principal Deputy Assistant Secretary for Infrastructure Protection. Earlier in his career, Bob was a management consultant, a journalist and an entrepreneur. He graduated from Dartmouth College and from the Harvard Kennedy School of Government.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
