Season 4 Episode 3 of Get Smartr Podcast – an LCE Podcast
CMMC Level 2 is no longer on the horizon. It’s here. But is your organization ready?
In this episode of Get Smartr, host Tara Holwegner talks with Scott Palmer, Lead CMMC Certified Assessor at Life Cycle Engineering, an Authorized C3PAO, about what compliance actually looks like on the ground and why you’re probably further along than you think.
Scott unpacks why CMMC isn’t just an IT problem. It’s a business-wide initiative touching leadership, HR, operations, and finance. He walks through where to focus first, the traps that derail most teams, and how to build steady momentum toward readiness.
What you’ll take away:
- A realistic picture of where most organizations stand today
- The highest-priority areas to address first
- Common mistakes that slow teams down and how to sidestep them
- A practical path to readiness that doesn’t require starting from scratch
If your organization holds or pursues DoD contracts, this episode is a great place to start.
0:00
Tara Holwegner : Hey, listeners, welcome back to another episode of Get Smartr, a Life Cycle Engineering podcast. In today’s episode, we’re going to be talking about cybersecurity compliance. Now, cybersecurity compliance stopped being optional, stopped being a nice-to-have, when your business or your organization decides it wants to do work with the Department of War. The requirement to be compliant with what is called the Cybersecurity Maturity Model Certification, or CMMC, which we’ll talk about in this episode, is coming fast. It’s 2026, and the companies and businesses that understand what’s coming next won’t risk delays or even lost contracts. Not only that, but they’re also going to outpace every competitor out there, if you are prepared. So with that, I want to introduce to you the individual who’s going to help us understand what it means to be prepared for CMMC and why it’s so important, and that person is Scott Palmer.
1:00
Tara Holwegner : Now, Scott is a lead CMMC certified assessor, and his focus is on compliance frameworks like NIST, the Risk Management Framework, and CMMC. He is also leading research into AI security and zero trust architecture (ZTA) with LCE. So, Scott’s research is really laser focused on risk frameworks, so that we can make sure that we are aligned to all these emerging cybersecurity practices, because this is an area that is rapidly evolving. But we want to take a real-world look at the security solutions that we can actually implement. Scott has a passion for helping companies navigate through these complex compliance issues, and, believe it or not, he makes it not scary. So, I don’t want to talk anymore, because I want Scott to talk some. I want you to welcome Scott to the podcast.
2:00
Scott Palmer : Thank you, Tara. Happy to be here as always.
Tara Holwegner : Yeah, thanks for joining me today. So, I want to back up a little bit and explain this concept and the benefits of being prepared to our listeners. For someone who’s not very familiar with CMMC, why does it matter?
Scott Palmer : Well, rather than sounding like another CMMC brochure because I know our listeners have heard enough of that, I will briefly touch on it. CMMC is the Department of War’s way of saying, if you want to be in the defense industrial base, you actually have to protect the information that we give you. It’s built on the information and security requirements in NIST 800-171.
3:00
Scott Palmer : Now, that said, and more importantly, I will discuss why it’s important and how you prepare for your level two assessment in more ways than many organizations realize, which I think is what our audience came here for.
Tara Holwegner : Yes, absolutely. Now, I would like to ask when you say the information that we share with you, are you talking about classified information? Are you talking about, you know, like top secrets, needed clearance or what does that really mean?
Scott Palmer : What we’re talking about here is controlled unclassified information, CUI, and the best way to explain that would be that CUI might sit on the lower end of the classification spectrum. It’s technically unclassified, but it’s also controlled, and it’s controlled for a reason. That reason becomes a lot clearer when you look at a lot of the real-world threats that are taking place in cybersecurity today, most recently the advent of AI and just how damaging that can be when it’s not used properly.
Tara Holwegner : It’s unclassified. It is controlled, but if it’s unclassified, what, what would be the threat there? Like, why would that be a threat?
4:00
Scott Palmer : The big concern, and I’ll continue to use AI as an example because it’s most realistic in a lot of what we’re dealing with: attackers today can leverage AI tools that analyze and correlate massive amounts of data that is seemingly harmless. On its own, CUI might not look very sensitive, but when you feed enough small pieces of it into modern systems, they can generate conclusions that would normally be considered classified.
Tara Holwegner : Oh, I see, they can do it quickly because they can assimilate all of this information. When you hear about CMMC as a framework, like RMF, for example, which has been around for a while, what is different about the CMMC requirements?
5:00
Scott Palmer : Well, I oftentimes hear from people that CMMC just feels like another framework, as you pointed out with RMF, for example, and I remind them this isn’t about your paperwork. This is about the fact that unclassified information, when aggregated and weaponized by tools like AI, can create national security level intelligence in minutes. That’s why CMMC really exists, and that’s why level two assessments are structured the way that they are.
Tara Holwegner : Okay, so level two assessments are what organizations that want to pursue work for or with the Department of War are going to have to get to.
6:00
Tara Holwegner : When we’re talking about an assessment, how can a company, like, this is a requirement, and we’ll talk a little bit more about the timeline for that later, but could there be other benefits to preparing for this level two assessment? I mean, could this be an opportunity to better support, maybe, productivity? My sister works in risk management in the finance industry, and so they are very focused on business continuity. I mean, is this something that we should be afraid of, or embrace as an opportunity? What are your thoughts?
Scott Palmer : That’s a great point, and it absolutely is an opportunity. This is something that pretty much all of the clients that I’ve dealt with so far don’t realize up front about CMMC, but once they do, everything that revolves around their level two assessment starts to get a little bit easier; it starts to make a little more sense. Strong cybersecurity isn’t just a technical thing that you bolt on to your network. It needs to support productivity, reliability, and business continuity, because it forces you to look at your entire organization and how it works, not just the locks on the door and not just your firewalls.
7:00
Tara Holwegner : Gotcha. So, it’s more holistic; it’s not just an IT thing.
Scott Palmer : No, not at all. This isn’t something that you can just hand off to IT and then it’ll disappear. CMMC touches the entire ecosystem of a business. So, we’re talking about IT, HR, physical security, operations, finance, and of course leadership. It’s really a framework that is going to expose whether these groups are talking to each other or whether they’re just pretending to.
Tara Holwegner : So I’ve heard the term, and this was all new to me as well, trying to think about navigating through the level two or the phase two assessment process. I’ve heard the term posture. Could you explain to me what that is?
8:00
Scott Palmer : There are a lot of different ways to look at a security posture. I think one of the best ways to break it down comes directly from the CMMC acronym: the first M stands for maturity. It’s building a small cross-functional team, not a big committee that meets just to schedule more meetings, but a handful of people within your organization that are going to bring their subject matter expertise as a piece of the bigger picture and work together towards the goal.
Tara Holwegner : So they’re like a focused team, a focus group, if you will.
Scott Palmer : Yeah, that’s exactly what they are, and when you operate that way, going back to some things you brought up earlier, this is when your productivity is going to increase and reliability is going to improve.
Tara Holwegner : This is.
Scott Palmer : Business continuity is going to strengthen, because the organization itself becomes more aligned and more predictable. That’s what is meant by maturity in most frameworks, and once you start working as a mature organization, you’ll realize you’re already doing most of the work that CMMC requires; you just haven’t connected the dots yet.
9:00
Tara Holwegner : Well, I mean, that brings a message of hope, you know. I think, too, we’re not as bad as we think we are; we just haven’t pulled it all together yet. And I liked what you said about predictability. I mean, risk variability incurs errors, right? So just working with the organization in this way to reduce that and become more reliable benefits the whole organization. Can you, because I’m sure this is a question our listeners have on their minds, say what actually happens when you are going to do an assessment of your organization? How close are we to being compliant, or what are our gaps, or what does it look and feel like to go through a CMMC assessment?
10:00
Scott Palmer : An actual CMMC assessment is a lot more structured and honestly a lot more predictable than people think. Every assessment follows the same framework, because we as assessors use standardized templates and standardized methodologies. That’s just a requirement that we have to follow. Every company has to go through the same process. The part that’s going to change from company to company is going to be the scope, and if you’re a company that has to take on a level two assessment, you’re going to hear that word thrown around a lot. So just to define it simply, the scope refers to every person, every system, every device, application, or location that handles CUI and/or provides some form of security to any of those things that are handling the CUI. But depending on how your business is built, it can be small and simple, or it can turn into a multi-site, multi-team, multi-week event. If you have three locations that process CUI instead of one, your scope’s going to increase. If you’ve got a hybrid environment with a mix of legacy systems and modern tools, your scope will increase.
11:00
Scott Palmer : Right. And the assessment will reflect that, but there are methods to consolidate your scope while still maintaining compliance, which is overall going to reduce your cost as an organization, and it’s going to make my job as an assessor a lot easier, so that’s always good.
Tara Holwegner : Yeah, right? Because you’re more streamlined and you can get in and get out faster. But I guess what that means is you need to have a deep awareness of your own organization, you know, as you said, the what, where, when, why of your controlled unclassified information and how it flows through your organization.
12:00
Tara Holwegner : So that’s really interesting, because, you know, in the maintenance and reliability improvement work that Life Cycle Engineering does, when we’re consulting for, like, manufacturing organizations, we also have to do the same thing, maybe not necessarily with data and information, although that plays a part too. But a huge part of trying to help the organization is to help them learn themselves and understand how they currently operate and where they need to go. Is it a little similar in the CMMC certification?
Scott Palmer : That’s exactly the same.
Scott Palmer : The more knowledgeable you are of the ins and outs of your organization, which means you are going to need to bring in people from other departments to collaborate, the closer you’re going to get to a level of compliance that you didn’t realize you were already at before this all started. And I really am convinced, based on what I’ve seen, that most organizations are doing a lot of the work already.
13:00
Scott Palmer : They just have to get a little bit more in the weeds to define it and figure out how it all correlates.
Tara Holwegner : Right, and I know you said it’s not about documentation, but there’s got to be some involved to be able to pull it all together. Well, let’s talk about pulling it all together. What is the timeline that has been set for the CMMC certification requirement?
Scott Palmer : The timeline is a four-phase rollout. To be honest with you, though, if you’re handling CUI, level two is what is going to matter first, because that’s where the majority of the defense industrial base lives. Phase two is the moment everything becomes real. That’s going to be November 10th of 2026. This is when most contracts are going to start requiring a level two assessment and certification.
14:00
Scott Palmer : If you plan on competing for DoW work that involves CUI, you can’t ignore that date. And then ultimately the fourth phase is going to revolve around November 10th of 2028. That is when every Department of War contract that touches CUI will have a CMMC requirement built in. So, if you’re asking yourself when we need this done by, the answer is really before someone else wins the contract you want to bid on.
Tara Holwegner : Did you hear that, listeners? This has got to be taken seriously, but it’s also a competitive advantage to prepare yourselves now and start. You know, in 2026, make it a goal to understand your organization and align it with the maturity assessment.
Tara Holwegner : If a company knows that it’s going to require a level two assessment, what should they do? What should be their next step?
15:00
Scott Palmer : Now, if somebody knows that they need a level two assessment, the first thing I can tell them is pretty simple: don’t rush. And I know that’s contradictory to everything that’s being said out there, but I’m telling you from experience, that’s when people make the worst decisions, when they’re rushing. They’re rushing to buy random tools. They’re outsourcing responsibility that could have been handled in house. They’re throwing money at solutions that don’t solve the actual problem. I have to be a little bit careful about how I say this, but let’s just say there’s a lot of fear-driven marketing out there and not a lot of solutions-driven marketing. And the fact is, most companies already have more in place than they think.
Tara Holwegner : I think that’s a great point, and I think it also lends itself well that companies don’t have to do this alone, right?
16:00
Tara Holwegner : I mean, there are folks like yourself, you know, and other organizations that can help you get ready. What would be an example of that? What would be an example of how you can help an organization figure out how far they have to go?
Scott Palmer : So I’ll give those organizations a little help right now, before we get into specifically what an external company would have to do. I mean, the smartest next step is just building that small cross-functional team. I mean a real working group: bring in someone from IT, bring in someone from HR, operations, someone who can manage documentation, bring finance in because this stuff is not free.
Scott Palmer : Obviously, get leadership actively involved in the decision-making process, not just cc’d on the emails.
Scott Palmer : Once that team exists, just perform a basic in-house gap assessment. That exercise alone is going to tell you where you stand today, how close you are to compliance, and what’s missing. And, I know I keep coming back to this point, but this is again speaking from experience: if you can get that internal team to work cohesively, you’re talking about sixty percent of the way to compliance before you
17:00
Scott Palmer : can even bring in external help. Now, if you need help with that gap assessment, you know, I’ll talk about that in a little bit.
Tara Holwegner : I mean, sixty to seventy percent, that’s huge. Again, I like how you’re not using fear as a motivator; you’re saying, hey, you know, there are some concrete things that you can do to position yourself to already be over halfway there.
Tara Holwegner : And then it’s just a matter of connecting the dots, like you said. So, I want to talk about pitfalls, and then I’m going to come back and ask a little bit about leadership, because you mentioned both of those things in the last question that we discussed.
18:00
Tara Holwegner : So, from your experience, now that you’ve been doing this for a while, what are the biggest pitfalls that companies experience when they’re trying to implement CMMC on their own? So let’s say we take the fictional company you were just talking about, and maybe they didn’t get their focus group, but they know they have to be compliant and they’re freaking out. So, what are some of the pitfalls that happen?
Scott Palmer : The biggest pitfalls that I can point out start before anyone even touches a security requirement, and honestly, most of them aren’t really the candidate’s fault. Everything out there talks about CMMC’s importance, and rightfully so, but as we see, every video starts out with “the final rule’s here, are you ready?” But that doesn’t help you implement a security control or security requirement. No one is talking about how to actually do this work.
19:00
Scott Palmer : They’re just reciting NIST 800-171 verbatim. That’s why our goal is to walk you through the security requirements the way real engineers and real assessors understand them: not alphabetically, not academically, but practically. How they fit together, what order makes sense, and how to operationalize them in the real world.
Scott Palmer : Another pitfall, and we spoke about this a little bit earlier, is treating CMMC like it’s an IT-only framework. The moment you put this on one department’s shoulders, you’re already behind. You see, it involves a lot of different departments within your company. When you place it on just one, you don’t have a cybersecurity posture; you have a bottleneck.
20:00
Scott Palmer : Now, documentation has been kind of in and out of the conversation, but I’ll address that now, because no conversation like this would be complete without documentation. We all know if it’s not documented, it doesn’t exist. All the templates that you need for CMMC and the CMMC program are readily available; they’re all free. You can find them through many different resources online, so I’m not even going to go into that, but if you need help writing them or tailoring them for your environment, that’s something that we can help with as well.
Scott Palmer : And then I think the big one that I’ve seen lately is assuming that perfection is required, because it really isn’t. As an assessor, and I’ve spoken about this with other assessors as well, we don’t expect you to be perfect, but what we expect is consistency. We can work with your consistency; we can’t work with your chaos and your clutter. That’s something that you have to deal with internally.
Tara Holwegner : That makes a lot of sense.
21:00
Tara Holwegner : I like that. We can deal with your consistency, but we can’t deal with your chaos and your clutter. So, I think those are some great learning points, and listeners, we will be putting a couple of resources into our episode notes, so we may be able to get you a little faster to some of those helpful resources that Scott was just talking about. So now I want to talk about something that we touched on just a little bit, about how cybersecurity is everybody’s responsibility, right? Cybersecurity is a culture. That’s why it can’t just be an IT thing, or IT/OT for that matter. So how can leaders make cybersecurity part of their daily culture and keep it out of that IT bottleneck?
Scott Palmer : Well, keeping in mind that this extends beyond any check-the-box security practices, like a lot of cybersecurity has been done in the past, we need to remember that this is about standing up a modernized, mature, and functional cybersecurity team. Leaders make cybersecurity part of the daily culture by treating it like a running part of the business.
22:00
Scott Palmer : Not a quarterly initiative, and not a slide deck that we watch when we’re onboarding new employees and just sign off. When leadership models this behavior, when they talk about security decisions openly, they ask questions, they participate in reviews, they treat it like operational hygiene, that’s when people are going to follow. You don’t need the posters on the wall; you don’t need the inspirational slogans and the buzzword-laden definitions. The real test is, if the people that are thinking about security are only your tech folks hanging out in the server room, then you don’t have a culture, you have a dependency, and that dependency very quickly becomes a liability in this field, a very expensive liability.
Tara Holwegner : Absolutely. I mean, this could be the difference between, you know, winning that contract or not, and more. Or, worse yet, risking an incident; as we said, this world has been evolving so rapidly in terms of weaponizing AI, etc.
23:00
Tara Holwegner : So that just got me a little scared. So now let’s talk about the fear factor.
Tara Holwegner : At LCE, this is something that we’re taking very seriously, and you, as a lead assessor, are early out there in the field. But how does LCE help organizations take the fear factor out of CMMC and move forward with confidence?
Scott Palmer : We take the fear factor out of CMMC because we’ve lived frameworks like RMF, FedRAMP, ISO/IEC, NIST 800-53. We’ve done so for years. To us, CMMC isn’t new; it’s just another flavor of a world that we already understand very well. Not to downplay its importance, but we’re not intimidated by it.
24:00
Scott Palmer : And we don’t want our clients to be either. We can support you as a trusted advisor during implementation, which goes back to gap assessments and writing documentation if you need assistance with that, or we can function as a C3PAO when you’re ready for a level two assessment. But I want to make this very clear: it’s important to understand the difference between the two. When we’re acting as assessors, the assessment is not the place to learn CMMC for the first time. We’re not there to coach you through how to do the work; we’re there to evaluate what’s already in place. Versus when we are coming in as a consultancy to perform a gap analysis or a pre-assessment readiness review, ahead of schedule, obviously, this is when we can come in, look at your environment holistically, and help you get prepared long before an assessment date is even on the calendar.
25:00
Tara Holwegner : It seems like a very strategic approach. Can you do both? Can you be the consultant and the assessor?
Scott Palmer : We cannot do that; that violates the CMMC code of ethics. If we are your C3PAO assessor, we cannot have performed any consulting work prior to that, and the opposite is also true. If we come in to do any gap assessment or pre-assessment work, we then can’t go on to be your assessor. That creates a conflict of interest.
Tara Holwegner : The conflict of interest, yes, that makes sense. So, I just wanted to call that out for our listeners.
26:00
Tara Holwegner : So I’ve got one nice little nugget of a question left, and this is asking for your advice. So, if you were going to give a piece of advice to a manager or a leader who, after all of the reassurances we’ve made in this episode, still has a feeling of being overwhelmed by all this and the timeline and the process.
Tara Holwegner : What is a piece of advice that you’d give those listeners?
Scott Palmer : For a manager or a leader who feels overwhelmed, the best advice I can give you is don’t try to navigate this alone. Just call us. Our assessors are very good at cutting through the noise. We can quickly show you where your bandwidth and resources actually need to go. That way you’re not wasting time polishing the areas that you’re already strong in; you’re identifying and strengthening your weak points before they become problems, okay?
27:00
Scott Palmer : So that feeling of being overwhelmed is going to disappear very quickly when you have the type of clarity that we can offer.
Tara Holwegner : No, I think that makes a lot of sense, even helping to figure out scope. You know, the LCE experts here can, like you said, see and cut through all of the clutter and make sure that people are prioritizing in the right areas. So, well, I just thank you so much, Scott Palmer, for being with us on the Get Smartr podcast today. We’ve learned a lot about CMMC. We’ve learned a lot about how you can get started preparing, and if you don’t feel overwhelmed, or if you do have the resources, put together that focus team and get all of the stakeholders in the room that are going to play a part in this, and start building that culture of cybersecurity maturity and awareness that they’re going to be the head of. Internal gap assessments, those matter. Common pitfalls, like making this an IT thing, you know? Or not getting leadership involved.
Tara Holwegner : Working for consistency. You don’t have to be perfect, but consistency is key, and not clutter and chaos. A guide or a coach, like an external expert such as yourself, ideally, I mean, they would need to be a CMMC certified assessor, one would think, so that they understand exactly the ins and outs and the practices and practical things that people can do to get ready, bringing the calm in the chaos. I think that’s a really important point for everyone.
29:00
Scott Palmer : We do.
Tara Holwegner : And that you don’t need to be scared, because LCE knows how to create that calm out of the fear of these assessments. So CMMC is a real requirement, and with AI, it’s completely the right thing to do. But there is a tight timeline, you know, and the implementation of this can be challenging. So it would be a great idea to get some external help and bring those functional groups together to achieve the CMMC maturity level and the security posture that your organization needs. Not only if you want to go work for or partner with the Department of War, but it’s just the right thing to do in general.
30:00
Scott Palmer : It really is. I’ve been telling this to people for a really long time: use these as opportunities to get it together. You’re only going to thank yourself in the long run, because, as we know, this industry is constantly changing, the threats are becoming more and more imminent, more and more advanced, more and more
Tara Holwegner : Dated, yeah. Yeah.
Scott Palmer : You’re only going to set yourself up for success in the future.
Tara Holwegner : Remember that, listeners? This is about operational hygiene. This is about improving productivity, reliability, and business continuity through cybersecurity best practices and building a cybersecurity culture around cybersecurity. We at LCE, and Scott himself as a subject matter expert, are going to be publishing some resources, content, videos, and provide our community out there with some helpful guidance.
31:00
Tara Holwegner : So be on the lookout for that, and go to the episode notes; we’ll share what we have now, but definitely be on the lookout for our content updates. And if you are feeling overwhelmed, like Scott said, or underprepared, just give us a call and go to LCE.com and contact us. Don’t worry, we will help you and give you everything you need to move forward. So, thank you again so much, Scott, for joining us. Any last words before we sign off?
Scott Palmer : No, I think that covers it. I wish the government had issued me a crystal ball so I could predict the future, but I really can’t. But what I will say is these mandatory frameworks are going to be refined, and there’s going to be a lot more emphasis on third-party verification. We’re already seeing a lot of momentum with supply chain security and visibility into that. As you mentioned earlier, zero trust architecture is becoming the new norm.
32:00
Scott Palmer : So we can only move forward from here.
Tara Holwegner : And LCE will be in the know as we help our clients and the federal government navigate this as well.
Tara Holwegner : Okay, well, thank you again, Scott. I’d love to bring you back some time to talk more about cybersecurity best practices. So, I hope you’ll be willing to come back and join me for another episode of Get Smartr. But until our next episode, let’s stay smarter, people.
The Get Smartr podcast brings together industrial asset management, engineering, reliability, maintenance, operations, human performance, and change management professionals and thought leaders for in-depth discussions and knowledge sharing of best practices for improving operational performance.
Each episode features interviews with Life Cycle Engineering’s subject matter experts, plus insights from past and current clients, executives, partners, and industry thought leaders. Through our episodes, listeners will gain a holistic view of how to achieve a “smart culture” that is foundational to improving performance, reducing risk, and engaging employees.