About 100 authorized assessors. An estimated 118,000+ companies that need to be assessed. That math is the reason CMMC can't wait — and it's where this conversation starts. Brett Cox, lead CMMC Certified Assessor and head of Boeing's DFARS CMMC Program Management Office, joins host Jen Stone to explain what the Cybersecurity Maturity Model Certification actually requires, why the November 2026 third-party assessment deadline is creating a bottleneck, and how a small or mid-sized contractor should take the first step. 

KEY TAKEAWAYS 

  • Phase 2 — the third-party (C3PAO) assessment requirement — goes live November 10, 2026. The right to waive the requirement goes away in 2028. 
  • Under CMMC, you must verify the subcontractor below you holds the required level before you can award them work. Their compliance is now your problem. 
  • The bottleneck is real: ~100 assessors vs. ~118,000 companies. Expect a months-long queue — get in line now. 
  • COTS (unmodified commercial off-the-shelf) is the only exemption, and there's no minimum dollar threshold. Modify a part and it's no longer exempt. 
  • You can't use the same company for both readiness consulting and your assessment. 
  • First step: decide your level (FCI vs. CUI), download the scoping and assessment guides from the DoD CIO site, and start your gap analysis. 

RESOURCES 

DoD CIO CMMC documentation (scoping & assessment guides): https://dowcio.war.gov/CMMC/Resources-Documentation/

Cyber AB Marketplace (find a C3PAO or consultant): https://cyberab.org/marketplace 

NIST SP 800-171 https://csrc.nist.gov/Pubs/sp/800/171/r3/final

SecurityMetrics CMMC services: https://www.securitymetrics.com/product/cmmc


About the Guest

Brett Cox — Lead CMMC Certified Assessor; Principal & Team Lead, DFARS CMMC Program Management Office, The Boeing Company. LinkedIn: https://www.linkedin.com/in/brett-r-cox/

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place 

But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/ 

Podden och tillhörande omslagsbild på den här sidan tillhör SecurityMetrics. Innehållet i podden är skapat av SecurityMetrics och inte av, eller tillsammans med, Poddtoppen.