017 The CMMC Briefing Part 1: Everything DoD Contractors Need to Know in 2026

017 The CMMC Briefing Part 1: Everything DoD Contractors Need to Know in 2026

If you lose comms, you lose the mission. If you lose your CMMC certification window, you lose your eligibility to bid on the next decade of defense contracts. In this episode we are analyzing the single most important compliance program in the Defense Industrial Base — the Cybersecurity Maturity Model Certification. 80,000 contractors need CMMC Level 2 certification before Phase 2 begins on November 10, 2026. As of March of this year, fewer than 2 percent had completed it. This transmission is Part 1 of a two-part series — the foundational briefing for every DoD contractor, subcontractor, and supplier who needs to understand what CMMC is, where it came from, who it applies to, and what it actually requires. Part 2 next week covers the Phase 2 deadline coming in November, 2026. Intel Declassified in this Briefing: * [00:00] The Two-Part CMMC Series Opens: 80,000 contractors, 5.5 months to Phase 2, and the foundational briefing the 98 percent of the DIB still needs to sit through. * [00:55] The Origin Story: Why the DoD built CMMC after years of intellectual property exfiltration through Tier 2 and Tier 3 subcontractors operating under self-attested compliance. * [03:17] The Three CMMC Levels: Foundational, Advanced, and Expert — what each one requires, who it applies to, and why Level 2 is the level that matters for the majority of the Defense Industrial Base. * [07:39] The Assessment Process: What the C3PAO actually looks at, the 180-day Conditional Certification mechanics, and why fewer than 800 assessors for 80,000 contractors creates the bottleneck the entire DIB is heading toward. * [09:30] The Supply Chain Reality: How DFARS 252.204-7021 flowdown works, why Lockheed, Boeing, Northrop, and Raytheon are already enforcing CMMC ahead of the deadline, and why "we just sub to a prime" is not the safe position contractors think it is. * [12:53] CMMC as a Business Investment: Why certifying ahead of the curve creates structural competitive advantage in the deal flow window before market saturation. * [15:01] The Three Marching Orders: Determine your required level, pull your SPRS score, and identify where CUI lives in your environment — the foundation Part 2 will build on next week. Mission Links: * Verify your Security Posture: https://watchur6.com/secure [https://watchur6.com/secure] * Want to Hire us: https://watchur6.com/contact/ [https://watchur6.com/contact/] * View the Show Notes: https://watchur6.com/podcast/017-cmmc-briefing-part-1-dod-contractors-2026/ [https://watchur6.com/podcast/017-cmmc-briefing-part-1-dod-contractors-2026/] * Read the Associated Sitrep: The CMMC System Security Plan — A Step-by-Step Build Guide for DoD Contractors: https://watchur6.com/sitrep/compliance-protocols/cmmc-system-security-plan-build-guide/ [https://watchur6.com/sitrep/compliance-protocols/cmmc-system-security-plan-build-guide/]

016 PE and VC Funds Are Now Liable for Portfolio Cyber Breaches: The PowerSchool Case Study

If you lose comms, you lose the mission. If you write the check without verifying what is in the codebase, you lose the fund. In this episode we are analyzing the federal court ruling that rewired cybersecurity due diligence for the entire investment community. On March 18, 2026, a California federal judge allowed class action claims against Bain Capital to proceed for a data breach at PowerSchool that occurred before Bain acquired the company. The acquirer is now legally on the hook for the seller's pre-close cybersecurity failures. Every PE partner, VC general partner, family office principal, and corporate development executive deploying capital in 2026 just got a new precedent. The era of "verify SOC 2 and move on" is over. Intel Declassified in this Briefing: * [00:00] The March 2026 Ruling That Rewired Cyber Diligence: How one federal court decision made the acquirer legally responsible for the seller's pre-acquisition cybersecurity failures. * [01:39] The PowerSchool Case Walkthrough: 60 million students, 10 million teachers, stolen vendor credentials, and a ShinyHunters ransom demand two months after close. * [08:26] Why Financial Diligence Is Rigorous and Cyber Diligence Isn't: The double standard inside every investment process, and the Yahoo/Verizon $350 million reference point that should have ended it years ago. * [12:46] The Five-Point Technical Assessment Every Investor Needs: Secrets in repositories, undocumented data flows, production access sprawl, missing audit trails, and the vendor DPA gap. * [15:34] The Three Layers of Fiduciary Exposure: Fund-level class action, GP-level LP letter, and personal liability for the partner who championed the deal. * [18:15] The Three Marching Orders Starting Monday: Upgrade the framework, audit the existing portfolio, build cyber into LP reporting. Mission Links: * Verify your Security Posture: https://watchur6.com/secure [https://watchur6.com/secure] * Want to Hire us: https://watchur6.com/contact/ [https://watchur6.com/contact/] * View the Show Notes: https://watchur6.com/podcast/016-pe-vc-funds-liable-portfolio-cyber-breaches-powerschool-case/ [https://watchur6.com/podcast/016-pe-vc-funds-liable-portfolio-cyber-breaches-powerschool-case/] * Read the Associated Sitrep: The Investor's Cyber Due Diligence Framework — A Four-Stage Playbook for PE and VC Funds After the PowerSchool Ruling: https://watchur6.com/sitrep/compliance-protocols/investor-cyber-due-diligence-framework-powerschool-ruling/ [https://watchur6.com/sitrep/compliance-protocols/investor-cyber-due-diligence-framework-powerschool-ruling/]

015 Inheriting Control Drift: Briefing for New Leaders, CMMC Annual Affirmations & Phase 2 Deadline

If you lose comms, you lose the mission. If you inherit a control library you cannot operationally vouch for, you lose the contract — and possibly your name. In this episode we are analyzing the longest, quietest failure inside the Defense Industrial Base: control drift. There is no breach. No threat actor. No alarm. Just a slow, silent erosion of operational reality — a control library certified clean in 2021 that has decayed by 2026 through cleared workforce attrition, vendor migrations, and "vision-first" leadership making changes before they understand what they inherited. With Phase 2 of the CMMC Final Rule beginning November 10, every incoming CISO, IT Director, and Affirming Official is about to discover the gap between the System Security Plan they inherited and the operational reality they signed for. We break down the four decay patterns, the False Claims Act exposure the annual affirmation creates, and the three marching orders every GovCon executive must execute before the C3PAO walks the floor. Intel Declassified in this Briefing: * [00:00] The Paper Ghost: Why a control library that passed audit in 2021 may no longer exist operationally — and why no alarm fires when it decays. * [05:49] The Four Decay Patterns: Orphaned custom scripts, vendor migration gaps, SSP rot, and POA&M zombies that have aged into False Claims Act exhibits. * [13:16] Vision Without Inventory: Why incoming "modernization" leaders create control gaps faster than threat actors do — and the rule that prevents it. * [15:59] The Annual Affirmation Trap: How a named senior official's signature in SPRS becomes the foundation of a False Claims Act case when the underlying controls have drifted. * [19:30] The Three Marching Orders: Control Library Walkthrough, Tribal Knowledge Capture, and the Inherited Watch Protocol. Mission Links: * Verify your Security Posture: https://watchur6.com/secure [https://watchur6.com/secure] * Want to Hire us: https://watchur6.com/contact/ [https://watchur6.com/contact/] * View the Show Notes: https://watchur6.com/podcast/015-inheriting-control-drift-cmmc-annual-affirmations-phase-2/ [https://watchur6.com/podcast/015-inheriting-control-drift-cmmc-annual-affirmations-phase-2/] * Read the Associated Sitrep: Building a Living Control Library — The GovCon Playbook for Surviving CMMC Phase 2 and the Annual Affirmation: https://watchur6.com/sitrep/compliance-protocols/living-control-library-cmmc-phase-2-govcon/ [https://watchur6.com/sitrep/compliance-protocols/living-control-library-cmmc-phase-2-govcon/]

014 The Transparency Trap: When Hackers Weaponize the SEC Against Banks

If you lose comms, you lose the mission. If you lose your compliance timeline, you lose the company. In this episode, we are analyzing the collision between the SEC's new 96-hour breach disclosure mandate and the extortion tactics of modern ransomware cartels. Many financial executives believe the SEC rule is just an administrative burden. The reality? Threat actors are actively weaponizing this mandate, using the threat of federal whistleblower complaints to force ransom payments while your incident response team is still trying to stop the bleeding. Intel Declassified in this Briefing: * The Dinner Bell: Why forcing public disclosure during an active breach invites secondary attacks. * The Reporting Dilemma: Why closing the vulnerability must happen before notifying leadership. * The e-Discovery Threat: How claiming "state-of-the-art" security in an SEC filing becomes a massive legal liability post-breach. * The Whistleblower Tactic: How hackers monitor 8-K filings and report you to the SEC if you miss the 96-hour window. * The Caremark Standard: How a technical failure transforms into personal liability for board directors. * Actionable Defense: How to define "materiality" thresholds and conduct board-level tabletop exercises before the fire starts. Mission Links: * Verify your Security Posture: https://watchur6.com/secure [https://watchur6.com/secure] * Want to Hire us: https://watchur6.com/contact/ [https://watchur6.com/contact/] * View the Show Notes: https://watchur6.com/podcast/014-transparency-trap-sec-96-hour-rule-banks [https://watchur6.com/podcast/014-transparency-trap-sec-96-hour-rule-banks] * Read the Associated Sitrep: How Threat Actors Weaponize the SEC's 96-Hour Rule Against Banks: https://watchur6.com/sitrep/compliance-protocols/sec-96-hour-disclosure-rule-cybersecurity-materiality/ [https://watchur6.com/sitrep/compliance-protocols/sec-96-hour-disclosure-rule-cybersecurity-materiality/]

013 The Dispersed Hospital: Securing Telehealth & Remote Patient Monitoring Risks

If you lose comms, you lose the mission. If you lose data integrity, you risk patient lives. In this episode, we are analyzing the rapid disappearance of the traditional hospital perimeter. Through the massive expansion of "Hospital-at-Home" programs, clinical care is now being delivered over highly vulnerable residential Wi-Fi networks. Many healthcare executives assume that deploying a clinical tablet into a home is secure simply because the hospital owns the hardware. The reality? Operating a telehealth kit over an unpatched, default-password consumer router turns a life-saving telemetry device into an open backdoor for adversaries.   Intel Declassified in this Briefing: * [00:00] The Disappearing Perimeter: Why delivering acute care over unsecured residential Wi-Fi completely invalidates your enterprise firewall. * [01:57] The Trojan Horse Scenario: How threat actors scan cheap smart home IoT devices to pivot directly into hospital-issued telehealth tablets. * [03:50] Kinetic Disruption: The terrifying reality of telemetry spoofing, where manipulated vital signs trigger false medical emergencies and divert hospital resources. * [06:11] The Fiduciary Duty: Why outsourcing patient care to the living room does not outsource your legal liability for data hygiene. * [10:45] Actionable Defense: How to bypass the home network entirely using cellular-first deployments and strict Zero Trust Network Access.   Mission Links: * Verify your Security Posture: https://watchur6.com/secure [https://watchur6.com/secure] * Want to Hire us: https://watchur6.com/contact/ [https://watchur6.com/contact/] * View the Show Notes: https://watchur6.com/podcast/013-the-dispersed-hospital-securing-telehealth-remote-patient-monitoring [https://watchur6.com/podcast/013-the-dispersed-hospital-securing-telehealth-remote-patient-monitoring] * Read the Associated Sitrep: The Dispersed Hospital: Why Remote Patient Monitoring is a Cybersecurity Minefield: https://watchur6.com/sitrep/mission-resilience/remote-patient-monitoring-cybersecurity-telehealth-risks [https://watchur6.com/sitrep/mission-resilience/remote-patient-monitoring-cybersecurity-telehealth-risks]