
The Smallscast Podcast
JOIN OUR 1000+ WEEKLY LISTENERS!
This weekly podcast is designed for Small Government Contractors, Service Providers, and Manufacturers, as part of the Government Contractor Ecosystem, connecting people, organizations, and resources.

Listen in as your host Just Nate talks with Mike Crandall, CEO and co-founder of Digital Beachhead.
The Urgency of CMMC 2.0: November 10th is the date for Article 48 implementation, making CMMC a mandatory default clause in all new DoD solicitations. Many small businesses are panicked because they didn't believe it would actually happen.
A History Lesson in Compliance: The discussion traces the evolution from DFARS 7012 to DFARS 7019, which introduced NIST 800-171 controls and the PoAM (Plan of Action and Milestones) system. CMMC was created to replace unreliable self-attestation and perpetual PoAMs.
CMMC 2.0 Levels and Requirements:
Level 1 (FCI): For Federal Contract Information (FCI) only. Requires 15 controls and allows for self-assessment by a senior company representative.
Level 2 (CUI): For Controlled Unclassified Information (CUI). Requires all 110 NIST 800-171 controls and 320 objectives. Self-attestation is allowed for the first 12 months, but prime contractors (like Lockheed or Boeing) can still demand C3PAO certification immediately.
Understanding CUI: CUI (Controlled Unclassified Information) is a major gray area often defined differently by each government customer. They stress that CUI is not a security classification but a marking, and contractors should only mark information as CUI if the government has explicitly designated it as such.
The Insurance Factor: Cyber insurance companies are now increasingly requiring CMMC-Level certification before they will pay out on a ransomware or data breach claim, making compliance an essential part of risk management.
The Assessment Process: Mike outlines the four phases of a CMMC assessment by a C3PAO (like Digital Beachhead):
Pre-assessment: Initial review of your data and readiness.
Interview & On-site Visit: A deep dive into paperwork, controls, and physical security.
Certification: Receiving a final or conditional certification.
eMASS Upload: Submitting the results to the government's official system.
The typical process for a small business takes three to four weeks.
Cost & Strategy for Small Businesses: The average cost for a Level 2 assessment for a small business is between $40K and $50K (a one-time payment for the three-year certification). For companies with only a small portion of DoD work, they recommend creating a secure, isolated enclave (like a GCC High or Cloud PC VDI solution) to reduce the scope—and cost—of the assessment.
🤝 Guest Spotlight & Resources
Guest: Mike Crandall, CEO and Co-Founder of Digital Beachhead
Company: Digital Beachhead is the only authorized C3PAO in Colorado Springs and one of three in the Mountain Region, specializing in cyber security services and CMMC assessment.
Mike's Contact Information:
Website: digitalbeachhead.com
LinkedIn: Search for Mike Crandall at Digital Beachhead.
To find out more about the Smalls or become a member, please check us out at www.thesmalls.org
To contact Just Nate: justnate@thesmalls.org
Send in a voice message: https://anchor.fm/thesmalls/message
Support this podcast: https://anchor.fm/thesmalls/support

The Start of Something New
We had to scramble and put something together in order to start producing our podcasts as the studios we were going to use are shut down due to COVID-19. Sometimes you just gotta do what you gotta do!

Discover New Opportunities
We want to talk to you, so if you want to be a headliner on one of our podcast episodes, don’t hesitate to reach out.