About 100 authorized assessors. An estimated 118,000+ companies that need to be assessed. That math is the reason CMMC can't wait — and it's where this conversation starts. Brett Cox, lead CMMC Certified Assessor and head of Boeing's DFARS CMMC Program Management Office, joins host Jen Stone to explain what the Cybersecurity Maturity Model Certification actually requires, why the November 2026 third-party assessment deadline is creating a bottleneck, and how a small or mid-sized contractor should take the first step.
KEY TAKEAWAYS
Phase 2 — the third-party (C3PAO) assessment requirement — goes live November 10, 2026. The right to waive the requirement goes away in 2028.
Under CMMC, you must verify the subcontractor below you holds the required level before you can award them work. Their compliance is now your problem.
The bottleneck is real: ~100 assessors vs. ~118,000 companies. Expect a months-long queue — get in line now.
COTS (unmodified commercial off-the-shelf) is the only exemption, and there's no minimum dollar threshold. Modify a part and it's no longer exempt.
You can't use the same company for both readiness consulting and your assessment.
First step: decide your level (FCI vs. CUI), download the scoping and assessment guides from the DoD CIO site, and start your gap analysis.
Brett Cox — Lead CMMC Certified Assessor; Principal & Team Lead, DFARS CMMC Program Management Office, The Boeing Company. LinkedIn: https://www.linkedin.com/in/brett-r-cox/
A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.
Podden och tillhörande omslagsbild på den här sidan tillhör
SecurityMetrics. Innehållet i podden är skapat av SecurityMetrics och inte av,
eller tillsammans med, Poddtoppen.