Sum IT Up: CMMC News Roundup

GAO Gave CMMC a 95%... Then Called It a Problem

GAO's latest report on CMMC sounds cautious. They warn about external risks, ecosystem constraints, and gaps in DoD's strategy. But that framing misses the bigger story. Since the 2021 report, CMMC has gone from a fragmented concept to a functioning system. The ecosystem exists. Training exists. Small business support is working. So why does the report feel so negative? In this episode, we break down where GAO is right, where they're overstating the risk, and why the real story is the program's quiet but meaningful progress. Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679

75% of the CMMC Assessment Guide Isn’t Requirements

Most defense contractors assume everything written in the CMMC Level 2 Assessment Guide is a requirement. But that's not actually how the framework works. In this episode we break down the structure of the assessment guide and explain why roughly 75% of the document is explanatory text, not normative requirements. You'll learn: Where the real requirements come from in NIST SP 800-171 How verification procedures in NIST SP 800-171A become assessment objectives Why discussion sections and examples are informative, not prescriptive Understanding the difference between requirements, assessment objectives, and explanatory guidance can help contractors avoid unnecessary controls, reduce documentation overhead, and simplify CMMC compliance. CMMC Assessment Guides: https://dodcio.defense.gov/cmmc/Resources-Documentation/ NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final NIST SP 800-171A: https://csrc.nist.gov/pubs/sp/800/171/a/final

We Mapped 130 Iranian Cyber Attacks to CMMC… Here's What We Found

Iranian cyber actors are targeting the Defense Industrial Base. So does CMMC actually help? In this episode, we mapped 130 real-world techniques used by five Iranian threat groups to the controls behind NIST SP 800-171 using the MITRE ATT&CK framework. Here is what the data shows: • 100% of techniques are detectable • 68% are mitigated with preventative controls • Just a handful of core controls drive most of the defensive impact We also examine what that means for Cybersecurity Maturity Model Certification and why 800-171 remains a strong floor for protecting CUI. But there is a gap. Only about half of the relevant NIST SP 800-53 that mitigate known Iranian techniques are represented in the 800-171 baseline. If you are a defense contractor, this episode will show you what compliance actually buys you and where you may need to go further. Register for Summit 7 Live: https://www.summit7.us/s7live MITRE ATT&CK: https://attack.mitre.org/ [https://attack.mitre.org/] Mappings Explorer: https://ctid.mitre.org/projects/mappings-explorer CISA Alert: https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

February Cyber AB Town Hall Recap

The Cyber AB has once again summoned the CMMC Ecosystem to deliver its monthly update and on this week's show we are going to break it down for you. Join us as we take all the information distributed during the meeting and dish out the information you need to know. Things like: Can my FSO check on my Tier 3? Have we eclipsed the 1,000 assessments milestone? When does a mock assessment stop “mocking”? Updates on the ISACA/ CAICO switchover And so much more...Tune in to find out! Sum It Up: “The End of SPRS Scores (sort of)”: https://youtu.be/_UFN7fubgQY?si=EgtchmuAHti24Cr8 Cyber AB TH Recordings: https://cyberab.org/News-Events/Town-halls ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc

48% vs 9%? The DoD's CUI Numbers Don't Add Up

The DoD Inspector General is raising concerns about CUI marking again and the numbers don't add up. In 2023, the IG found that 48% of reviewed CUI documents lack proper markings. Yet the DoD CUI Program website reports only 9% were unmarked that same year. So which is it? In this episode we break down the latest DoD IG management advisory, where the recommendations fall short, and why the CUI program and the CMMC program (although closely related) are owned by different offices that can't fix each other's problems. For defense contractors, this isn't academic. CMMC enforcement depends on the integrity of the CUI program. If CUI marking is inconsistent, compliance risk increases downstream. Summit 7 Live: https://www.summit7.us/s7live 2026 IG Report: https://www.dodig.mil/reports.html/Article/4397146/management-advisory-dod-policy-and-training-on-dissemination-controls-for-contr/ 2023 IG Report: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/