Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we tackle one of the most misunderstood topics in CMMC compliance.

Many contractors assume that if information is not marked as controlled unclassified information, then it is not CUI. But that assumption can lead to serious compliance risks.

We break down how manufacturers and machine shops can actually create CUI while performing contract work, even if the original data was not clearly marked.

We also cover how ERP systems factor into CMMC scope, when systems are considered in or out of scope, and how improper scoping decisions can create major compliance gaps.

You will learn what derived CUI is, how it applies to things like CNC G code, and why simply removing identifying details from documents does not make them safe.

We also explain who determines what qualifies as CUI, how scope can expand across your network, and what realistic cost and infrastructure decisions look like for small and mid sized contractors.

If you are part of the defense supply chain, this episode will help you avoid one of the most common and costly misunderstandings in CMMC.

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down one of the biggest misconceptions in CMMC compliance.

Most contractors think CMMC is just a cybersecurity upgrade. Install a few tools, write some policies, and you are ready for an assessment. But that is not how CMMC actually works.

The real challenge is the operational workload behind compliance.

We walk through what that workload actually looks like, including documentation, system security plans, asset management, workforce training, evidence collection, and continuous monitoring. These are the areas that consume the most time and are often underestimated by small and mid sized defense contractors.

We also cover how CMMC impacts your supply chain, including subcontractor flowdown requirements and what you are responsible for as a prime or subcontractor.

If you are preparing for CMMC Level 1 or Level 2, this episode will help you understand the true scope of work so you can avoid delays, failed assessments, and costly surprises.

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, we break down one of the most overlooked risks in CMMC compliance. What actually happens when your environment changes after an assessment?

Many contractors assume that once they pass a CMMC assessment or complete a self assessment, they are set for the next year or even three years. But recent guidance from the Cyber AB town hall reveals that certain changes can trigger a brand new assessment.

We walk through what qualifies as a significant change, what does not, and how decisions are made when things fall into the gray area. We also cover real examples like mergers, switching MSPs, expanding networks, and upgrading tools.

If you are planning changes to your environment or trying to future proof your compliance strategy, this episode will help you avoid costly mistakes and unnecessary reassessments.

We also answer a listener question about how to identify FCI and how it should be handled under CMMC Level 1 requirements.

If you are a small or mid sized defense contractor, aerospace supplier, or manufacturer, this is critical guidance you do not want to miss.