<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt="">
Webinar

CMMC Compass Webinar - From Where You Are to Where You Need to Be: Right-sizing Your Path to CMMC Compliance

July 15, 2026

CMMC Phase 2 was suspended — but your compliance obligations haven't changed. Learn what the July 13 DoD announcement means for DIB contractors and what to do next.

On July 13, the DoW announced the immediate suspension of CMMC Phase Two,  including the mandatory C3PAO third-party audits that were set to take effect in November 2026. The DoW launched a formal 60-day program review. For many defense contractors, the news raised an urgent question: what does this actually mean for us? The answer, according to the experts in this session, is simpler than the headlines suggest: your compliance obligations have not changed.

In this on-demand session, Virtru's Andrew Lynch is joined by William McBorrough — CISO, lead CMMC assessor, and head of MC Global Tech, a certified small business defense contractor — to break down exactly what was suspended, what wasn't, and how organizations should be thinking about their path forward. They cover the July 13 announcement in plain language, walk through the options for right-sizing a CMMC compliance strategy to your organization's size and structure, and address the real legal risk that comes with self-attestation when your program isn't grounded in solid governance. Whether you were weeks away from a C3PAO audit or just getting started, this session will help you make a clear-eyed decision about next steps.

What you'll learn:

  • What the July 13 DoW announcement actually suspended — and what it explicitly did not change about your contractual obligations under DFARS 252.204-7012
  • Why CMMC Phase Two being paused is not the same as CMMC being canceled, and what "still being in Phase One" means for your self-assessment requirements right now
  • The real legal exposure behind SPRS self-attestations — including ongoing False Claims Act prosecutions against contractors whose attestations didn't hold up under audit
  • How to think about compliance options based on your organization's scope, size, and how your team actually works with CUI — from data-centric tools like Virtru to enclave-based solutions to enterprise-wide implementation
  • Why primes are likely to keep requiring CMMC certification even after the Phase Two suspension — and what that means for your competitive position in the DIB
  • What the coming transition from NIST 800-171 Revision 2 to Revision 3 means for your security program, including the new supply chain controls and increased assessment objectives heading your way
Read transcript Hide transcript

Well, welcome everyone. Thank you for joining this morning. My name is Andrew Lin from Virtru. We're excited to have you all here, especially given the recent announcement this week around CMMC that we're gonna talk about.

If you haven't seen that news, on July thirteenth, the Department of War, did announce the immediate suspension of the phase two for CMMC, which includes the mandatory c three p o third party audits that were kicked off in November or set to to go into effect phase two November tenth of this year.

It also launched a formal full sixty day program review. We're gonna talk all about that today.

And so that of course is a important moment in the CMMC journey and part of our job today is we wanna help to make sense of it. And so to that point, I'm joined today by William McBurrow who is a long time CMMC expert. Welcome William.

Thanks for having me Andrew.

Of course.

So William is a lead CMMC assessor. He's also a chief information security officer and head of MC Global Tech. And he has tracked this program since its inception from CMMC level one and has sat on both sides of the tables as a consultant, as an assessor, as a technology professional, really helping organizations to build their compliance programs and assess whether they can pass or not.

And so I thought it would be great to have him today. Coincidentally, we already had this scheduled for some time. And so we're not just going to talk about the updates today. We we initially and plan to still cover what it takes and what are the options towards building an environment to meet the CMMC level two, which is the NIST eight hundred dash one seventy one standards.

So William, I'm gonna kick it over to you here. Again, if if if everyone has not seen the Department of War announcement, that was posted, and there's a couple more official resources that were shared. But, maybe William, could you just walk us through what actually happened on July thirteenth and and what does that mean?

Sure, Andrew. I'm happy happy to do so. One one one thing that I would add to your introduction is that MC Global Tech is a small business defense contractor.

We are a CMMC compliant small business defense contractor that has undergone a c three PAO audit.

And these conversations that in part you're about to continue are one that we have all the time because we live in this space, right? We're not just a service provider, we're also a defense contractor maintaining CMMC compliance. So these changes are very relevant to us as a company. But as you alluded to on July thirteenth, the Department of War immediately suspended the future, right? Phase two deployment the phase two implementation of the CMMC rollout.

So what that effectively means is that the phase two upcoming rollout schedules for December of November of this year has been immediately suspended pending a sixty day review by the department.

The mandatory CTPA level two assessments that would have been part of the phase two rollout has been suspended until the department decides what their next steps are.

They also included in the announcement that phase two requirements were being immediately removed from active and pending solicitations. We have seen solicitations that require CMMC certifications, know, audited by a C3PO, right? We have seen that all of that is being removed.

And most importantly, I believe the industry has up to August fourteen to respond to the RFI with their comments about, with the comments and feedback that the government is now considering what to do about scalability and costs associated.

Now, I think an important caveat here is what has not changed, right? We are in the middle of the phase one rollout of CMMC that remains in effect. That was part of the announcement. And what that means is that organizations still have to submit their level one and their CMMC level two self assessments.

It also means that the DFAR seven thousand and twelve requirements which requires organizations to implement NIST eight hundred-one hundred seventy one revision two is still in effect. These are requirements that predated CMMC and they are still in effect today.

Being able to upload your self assessment into Spurs is critical for small businesses and for all organizations in the dip. And then very important caveat is that as of February of this year, when the department started to require self attestations for CMMC level one and two in the SBIRS, your attestation can only be a compliant attestation, right? You have to individually select the individual controls that you have implemented and the system will only allow you to submit it and at the station that is compliant, I. E. You've met your score is at least eighty eight of one hundred and ten and you have met all of the five points and three points of control. So there are controls that cannot be planned and the system will only allow you submit an attestation if you have met these baseline requirements. This is an attestation of compliance, not an attestation of your partners.

Those are some great points, William, and a lot to unpack there.

You know, from from my perspective, some some of the key takeaways that I just got from you are, first and foremost, CMMC is not canceled. Right?

It's always been a phased rollout. And as a reminder, we're we're currently in phase one. So every every OSC, every organization I've talked to as a salesperson at Virtru, as well as you've consulted are are in phase one. And, essentially, phase one has just got extended because phase two has been suspended. Exactly. And phase two, again, was going to go into effect November tenth of this year.

And the biggest thing that it required, one of rather, was the third party certification by a c three p o.

So key points, CMMC level two as well as CMMC in general did not get canceled. Right, William?

Key point. Absolutely.

Okay.

And so just wanted to reshare that because e e even myself, it's you here. Level two and phase two, different different twos. Yes. There's level two and then there's phase two. Yes. As a reminder, they they did not cancel the program.

And, again, in full transparency, you know, we we sort of all know the same things, which is the memos that have been released.

But it's it's easy to, of course, jump to conclusions. And, of course, we'll learn more after the sixty day period, maybe even before.

But, you know, for what it says is that it's it's really phase two has been halted.

So you also talked a little bit about NIST eight hundred dash one seventy one submitting SPUR scores. And and I did read that in the memo where it it says specifically that, you know, I think the second to last paragraph is that it's critical to note this action does not eliminate the requirement for companies to protect federal data, and all defense contractors and some contract subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause two fifty two dot two zero four dash seventy twelve. So could you just kind of share what does that mean? And for those who have maybe been on the CMMC journey, why is that still so relevant?

That is relevant because CMMC is simply a verification program, right? It's a verification program of security requirements that has been on the books for over a decade, And there has been no change to these federal government wide CUI protection requirements. So in order to protect controlled unclassified information as a federal contractor, you have to implement the security standard NIST SP eight hundred-one hundred seventy one.

The DOD is currently adhering to revision two of that standard.

NIST has provided a third revision of that standard that other civilian agencies are progressing to, but this standard remains on the books.

That paragraph that you read was the DOW reiterating that your existing security requirements as a defense contractor has not changed at all, right?

CMMC was simply a verification program of that standard. The DOW is reiterating that we expect you to implement this standard and we expect you to attest to us that you have done so in compliance with your contracts.

Yeah. Thanks, William. And, yeah, maybe let's back up and can you just kind of walk us through and remind everyone, this isn't the first time there's been a change to the CMMC program, is it from from when it first was announced?

Absolutely not. And it's the the the CMMC programs have been ebbing and flowing since about twenty twenty. Right?

We first came up with CMMC what is called one point zero now, which was a different model is essentially, you know, the current iteration has three levels, the previous iteration at five levels.

But ultimately CMMC as a program sits on top of the underlying DFAR security requirements, which has been pretty consistent.

What the DOW is grappling with is how do we verify? And the fact that this verification imposes a lot of challenges for defense contractors, primarily small defense contractors who do not have the capabilities to implement these security requirements.

One of the things that was not to sort of go off on a tangent here a little bit Andrew, one of the things that was mentioned as part of the announcement is the fact that we have close to one hundred thousand defense contractors that would ultimately need to be certified, right? And only about a thousand or so in the auditors.

But what I've seen, having worked in this space for the last decade focused on this eight hundred-one hundred seventy one implementation to today, the challenge that we have is not a lack of audit capacity, it's a lack of capacity to implement the security requirements.

And I think us as an industry have to do a better job coming up with solutions in especially those that that can be acquired by small businesses.

We should have very limited capacity and very limited financial resources.

But CMMC has changed multiple times. The phases are in place specifically for the purpose of rolling this out over time and the DOW always have the discretion to adjust the phases as needed.

So this is a change now, This is probably not going to be the last change, but we've seen this this happen over the past, well, six years now with the CMMC program.

And again, just to reiterate and kinda connect the dots, we talked about we've talked about NIS Internet eight hundred dash one seventy one. Specifically, we know there's revision two and then now revision three. We've talked about the d force clause.

But as a reminder, CMMC level two, you know, what organizations have been working towards contacting Virtru, for example, to help with the encryption requirements, working with an organization like yours to help with with even more, is has really been based off of NIS eight eight hundred dash one seventy one revision two. Right? The controls and objectives are are the same. Right, William?

That is that is correct. That is correct.

And and to confirm, the the memo says that self assessments saying that, you know, my organization, me as an OSC, is meeting those. That's still required?

That is still required. Yes. Okay.

Yep. So, yeah, just, again, ask that again because there there's a lot of talk about CMMC and organizations working towards that, but what they've been working towards has been essentially enforced already.

As you shared, it was CMMC was the verification is the verification process. Again, it hasn't gone away.

But the requirements to ultimately protect federal data, which is in part, you know, obviously a a huge importance and where Virtru fits in specifically around data encryption still remains.

So let's let's switch gears slightly. And, actually, I I sorry. I I should have mentioned that this is being recorded as well as if you do have any questions, please feel free to drop them in the chat or the q and a tab, and we'll try and get to all of them.

I'll also drop in some some links if if people want to review them. So I'll just drop in here the actual memo that I'm referring to from the Department of of Ora's website is is what I just dropped in. Also wanted to drop in, as William mentioned, there is the sixty day review period and the RFI was was was released where organizations can go and submit their feedback.

What what has been a challenge for them, what their requests are.

And as as William shared, that's, to some degree, always been part of the plan. It was rolled out in phases versus just bam, here it is, to allow for these adjustments.

Maybe, William, I so we wanted to get to a little bit of our regular scheduled program of how to go about, meeting these, but maybe maybe we get some of the questions first, that are just relevant to this.

Is that okay with you both? Yeah.

So, you know, one question from your perspective, you know, let's talk about organizations who maybe have engaged with the c three p o or were considering one.

From your perspective, what would be the benefit of working with a c three p o, or even a consultant since this update?

I've I've I've had a series of conversations with our clients over the past couple days and most of the feedback from them is essentially big yarn, right? This is the government being the government. Our compliance requirements haven't changed, we still have to do all of the things full speed ahead.

That's the feedback that I would give to any organization working on CMMC today. Your compliance requirements have not changed. CMMC is just a verification that you have met your contractual requirements, you know, and you should proceed as planned.

My company is a CMMC certified company. We do so and it allows us to demonstrate to the government, to demonstrate to our primes, to demonstrate to our partners, to demonstrate to the marketplace that we have implemented the required security requirements to protect CUI.

So my advice to firms that are actively working on this and I would separate the firms that are working on compliance from the firms that are just trying to get to an audit, right? If your driver is, I only want to get to a CMMC level to audit because that's what my business requires and that's what the government requires. The government is saying we are relooking at that requirement, right?

If your incentive is we have these contractual obligations that we have to meet and we have to attest to the government that we are meeting these contractual obligations and we have to personally, someone accountable have to personally affirm and put their name down and say that I am attesting that my company is fully in compliance with these requirements.

Yeah, my advice to you would be full speed ahead.

Yeah, and great point where there's the meeting CMMC. Right? And then there's the maintaining compliance. Right?

And that's where I think the term journey sticks with not just CMMC, but any compliance where it's not just meeting it. It's you then have to maintain it, and and every year, you know, attest that you've continued to maintain it. And there the the good news is already CMMC and the program has facilitated a number of true professionals and experts in in the program, which is literally what has needed to be met for years. Yes.

And so if an organization is struggling with that, as well as wants to show from a competitive advantage that they've met that, that's still a great idea. And let's talk about and again, part of this is, you know, it's it's relatively early.

But we've we've heard from Primes previously where they were requiring to show that an organization was CMMC level two.

And could you maybe speak to from from your perspective, can could could a prime continue to do that or could they could they ask, well, we'd like to see how you're meeting this eight hundred dash one seventy one? And again, does that is that is that a requirement?

So I will start with a caveat that we have not seen any announcements from I have not seen any announcements from any of the major clients. Okay. But CMMC is a verification, right, of the DFAR security requirements. These DFAR security requirements flow down from the prime to its supply chain, okay?

The prime is the party that has an agreement with the government. It is their responsibility to ensure that their supply chain is compliant and secure.

Right. One of the ways that we confirm compliance is through third party audits. This is not a CMMC thing. This is how security governance is done in general. Right? So I can clearly foresee Prime saying no, we still need you to get certified because we need to be able to ascertain that you are compliant and we will do so because it helps us manage our risk.

I highly suspect that that will continue to be the case because primes are the ones that are accountable and how do you ensure that your suppliers, your supply chain, your subcontractors have met these requirements? You either audit them or you have them provide documentation that someone else has audited them.

Yep. And and I think and I and I know I've heard from the beginning talking to organizations of all sizes that, you know, why have organizations achieve level two, you know, earlier on? It's because they they saw it as a competitive advantage. Exactly.

You know, and and to your point, that that does not seem like that's going to go away. It's it's if anything, having a still approved, vetted organization who can give the formal stamp of approval showing that they've met the requirements exactly and that that could be shown to a prime, where then that would cut down on the prime's need to go through other mechanisms to try and ensure it's being met. Because it's to your point, they're they're the ones that are on the hook, and they don't wanna jeopardize or risk their contract or or them meeting their their contractual obligations. Yes.

There's there's there's been no change in the liability equation here.

Right? Primes are still liable for their supply chain.

So there's been no change in that and having a mechanism to verify compliance, again, that is not a CMMC thing. Right? That is proper practice around, you security governance.

Yep.

And I think it's also important just to, you know, discuss that. I think we saw in the memo that it mentions that, of course, we talked about the self assessments are still going to continue, but also select government led assessments can can continue to happen. And can you speak to just as a reminder, you know, again, prior to CMMC being a thing, what would what could be at risk for organizations that either are incorrectly submitting a SPURS score knowingly or unknowingly? What what would be at risk for them, and what could happen, you know, if and when there was a government audit?

The government has always reserved the right to come in and audit a firm cybersecurity posture based on these standards, and that has happened. That continues to happen.

And the actual risk is that there's been a number of well publicized false claims act persecutions by the DOJ for organizations, as you say, that have knowingly or unknowingly, you know, submitted claims of compliance via just their spurs submission that turned out not to be true, right? I think any change to the requirement of a C3PAO validation increases that risk to defense contractors. Why? Because there's no legal risk of you failing a C3PAO. You just don't get certified. You potentially, you know, wasted your money, right?

But you have an opportunity to go back and try again. There is significant legal risk for submitting a compliant attestation to the government that is not true, right? So, you know, taking away the driver for firms to get certified, I believe increases that risk of firms relying, falling back to their reliance on, you know, self attestations without validation. And when I say validation, you know, I mean experience of validation. I mean folks who are trained in security governance and CMMC specifically, having looked at your determination of the scope of your CUI management program, how you have implemented the assessment objectives that are outlined within the standard and able to make a determination of whether or not you have met these objectives.

That's what a validation is, right?

And I think without that, it increases the risk of organizations submitting False Claims Act, I mean, organizations being subject to the False Claims Act, you know, persecution because their attestations aren't really, you know, grounded on facts.

Yeah. Those are all great points, William.

So let's actually now and again, this will be recorded. We'll we'll get to some questions at the end as well.

But I know that it seems like as, you know, the the days have gone on from my conversations as well, organizations are realizing, and of course, speaking for everyone, but most are realizing we should still continue to do this because, again, we've been working towards something that we're already contractually obligated to meet.

And, you know, where Virtru, of course, again, fits in is we're doing, you know, end to end object level encryption. We're FedRAMP authorized, so we're specifically fitting into encrypting CUI.

And, you know, William, would love to hear your take on just, you know, from from your conversations, organizations that may be considering, different options and different paths. At a high level, you know, let's start with what are they? What are the different paths that, from a technology perspective?

Andrew, I think you've figured out a bit, but I got the gist of the question. I think to answer that, I want to take a step back.

You know, my company MC Global Tech and myself, I not a CMMC professional.

I'm an information security professional. I've been doing this work for over twenty five years. You know, so, you know, we approach our work with CMMC as just another security standard that fits into good security governance.

The way how we operate is that it's never technology first, right? CMMC is a governance framework for controlling, managing, protecting the flow of controlled unclassified information within the organization. So when we're working with clients, always start at that governance level, starting with what is your need for CUI, right? How do you access it?

Who needs to access it? Which systems are involved? Which networks are involved? Which locations are involved?

These are all things that determine the scope of your CMMC and your CUI management program.

CMMC certifies the information system for managing CUI. This is not necessarily certifying the company. Those two could overlap but very often they do not. So determining your information system which is the people, the processes, the systems, the network, the locations that are involved in, you know, with CUI within the organization, that is always the first step.

What is your scope of your CMMC program? Right? And based on that scope, that helps us determine what the governance framework needs to look like. And based on that governance framework, we look at technology options, right?

I am seeing global tech, we are tech, vendor agnostic. So we've worked with firms that have used essentially all of the above CUI management solutions out there. But we look at the organization's scope, right? What do you need to do and how do you need to do it?

How do you need to access? How do your users engage with this data?

Do they need to print it? Are you a manufacturing firm where you guys are working with CUI on the shop floor? Are you a professional services firm where you only have to manage, you know, documents, right? So based on the scope and how you operate, and based on your capabilities and based on your culture and based on your budget, we look at available options.

There are different options for how you implement CMMC from a technology perspective. Starting at the high level, there are options like Virtru and others out there that are data management solution, right? They integrate existing systems and your existing infrastructure and they give you a compliant way to manage, track, share, store CUI.

There are other solutions that are enclave based solutions that are cloud hosted enclave based solutions that provides you a workspace of where you can engage with CUI in a compliant way. At Emtsey Global Tech, we have the CMMC Assured Enclave, which is a fully governed, enclave based solution that allow our clients to work with CUI in a compliant way and totally separates their CMMC scope from the current company.

There are other options for an enclave based solution where you segment portions of your company and portions of your network to isolate CUI within your enterprise, right? So that reduces and limits your scope of your CMMC compliance.

Ultimately, for organizations that need to have CCUI throughout the organization, now it is in a practice of implementing all of the controls across your entire enterprise, The physical security requirements at your facilities, the network security requirements on your local networks, ensuring that your systems are maintained, monitored and controlled according to the CMMC standard and ultimately having the proper governance programs in place sort of oversee your CMMC programs. But there are different approaches to how you implement CMMC. Our strategy is always to meet the organization where they are and craft a CMMC strategy that fits their mode.

We could present use cases for five different clients where we are approaching CMMC five different ways. Why? Because the organizations are different, their needs are different, IT capabilities are different. With one client, we could be working with their IT team and the security team and an IT director and experienced IT professionals.

With another client, we could be working with the business owner who has no IT capability, right? But the idea is to craft a program that meets the organization where they are.

Thanks, William. And and, yes, also, you for correcting me in so many words that, you know, your organization, it's not a CMMC organization. And and nor is Virtru, you know. We support organizations in every industry whether it's to help meet compliance or just they see, which is very important, the need to better protect sensitive information or or their data, intellectual property, health information, etcetera.

And, you know, I'm curious from your perspective, how often would you have conversations where organizations seem to be short term, shortsighted with needing to just meet CMMC? And and how do you kind of reframe that for them to understand the ongoing process of needing to overall maintain compliance, not just CMMC, but maybe others?

I have these conversations pretty frequently.

And I will start by saying I put some of the blame on us, like industry, right? Because of the need for CMMC compliance, you know, we have sort of an entire ecosystem of providers that are operating in sort of the audit readiness space with a focus on helping you pass your audit, right?

So lot of the solutions are focused on helping you pass your audit and a lot of providers are seeing this as a check mark that they have to get past. At Amgen Global Tech, we're a security compliance company, right? So our conversations clients are never just about certification, it's about compliance and compliance requires ongoing program management.

So I'm always right sizing the requirements and the level of effort involved for our clients. One of the reasons why we came up with a fully managed security compliance operations as a service model is because a lot of new firms that would hire us to build their security programs had no capability to maintain it.

When you are doing CMMC, you are committing to doing things on a daily basis, weekly basis, monthly basis, quarterly basis, etcetera, etcetera. You are committing to continuous security governance.

And, you know, for a lot of organizations are approaching CMMC as security, security as IT. So they're looking for an IT solution. But CMMC is not an IT problem, it's a governance problem. So unless you tackle the governance, there's no way you have to align the right tools to implement that governance program.

Those are great points.

As far as other common compliances that come up, I know one that, you know, from my conversations does frequently is is ITAR specifically.

And I'm curious from your take, you know, for for those who are watching, what's the difference? What are some of the different considerations? And was this update, this memo, did it mention any change to how ITAR data needs to be handled or met?

This memo made no changes to the underlying security requirements, right?

There are a number of categories of CUI, But the most relevant, I think, you know, to your question is export controlled CUI versus non export control CUI, right? Export controls CUI that is subject to requirements like ITAR. And the reason that is relevant is that that places requirements and limitations on the type of solutions that an organization can use, right? So for an organization that has export control requirements, you know, something like the commercial market share three sixty five will not be a viable option.

Why? Because the commercial market share three sixty five is supported in some parts by non US persons, right? And that's why Microsoft passed the GCC high option that is supported only by US persons. But again, that places a limit on the types of options.

So for example, looking at solutions that are sort of FedRAMP authorized with Virtru, again, is a viable option because again, there are specific requirements for export control data that you would not have for other types, you know, of CUI. But it's important to reiterate that there is no information memo, press conferences, releases that have come out of both the DOW and the SBA over the past couple of days that has made any changes to the underlying DFARS requirements and a change to that would require rulemaking, right? We require a new rulemaking process. Your security requirements today relative to CUI are exactly the same as they were a week ago.

Yep. Yeah. So so to to reiterate, how data needs to be handled, how it needs to be protected, There really was no mention or change in that regard. It's it's really just, the the future set for November tenth Yes. Verification by a third party auditor, which was paused. But the need to protect data and the manner it needs to be protected is is still contractually the exact same.

Is that correct, William?

So why don't we jump to we have about ten minutes left. There's some additional questions. Could you maybe speak to there was a question around we know that CMMC level two follows NIST eight hundred dash one seventy one revision two currently, but they did announce the revision three. So could you speak to William, just at a high level, what are some of the differences? And from your awareness, is there a transition to, one actively around CMMC?

There is the current requirements for CUI protections within the DOW is MIS eight hundred one hundred seventy one revision two.

But it's already been announced that a transition to revision three is coming, right? So to be compliant today, you need to comply with revision two, but any organization that intends to continue to operate within the DUW, you need have a plan for how they're going to transition to revision three. What revision three does, it yes, it reduces the number of domains but it increases the number of assessment objectives. A lot of organizations focus on the one hundred and ten secondurity practices or security controls. But in order for you to be able to demonstrate your compliance, there are specific objectives you have to meet.

Revision three of NIST eight hundred-one hundred seventy one increases the number of assessment objectives you have to meet, as well as added some additional domains of controls, including supply chains, etcetera.

So yes, this did not make, I mean, a transition to revision three isn't gonna make security any less, right? It's only going to increase the security requirements. So it's important to note that there's already a path for increasing the CUI protection and security requirements within the DOW. That is not changing. There's no indication that that is going to change.

What the DOW is grappling with is the fact that most, especially the small businesses within the DIB are now ready to be audited.

And so requiring that as an audit will adversely impact sort of the ecosystem. So we as solutions providers as well after DUW need to grapple with how to come up with a better solution for the DIP, but ultimately security requirements are increasing, they're not decreasing. It's just how the government verifies it that is in question. We are transitioning from revision two of this eight hundred-seventy one to revision three of this eight hundred-seventy one and that increases the security requirements. It does not reduce them.

Thanks for that overview, William.

So it looks like there's a couple questions. We've kind of touched on this, but just from from your perspective, will there be any bias or again competitive advantage to organizations who have achieved level two CMMC through a C3PO?

Bias, I don't believe so. I think there will undoubtedly be a competitive advantage.

And that advantage is you can demonstrably show that you are a compliant company, right? Versus in organizations that only says that they are. If you're operating as a subcontractor, right, that undoubtedly gives you a competitive advantage over your peers because your prime can be certain that when they flow down CUI to you, you are going to protect it or you can protect it and it's been verified to be the case.

What I do not know is that as the government is evaluating awards, is it going to award a company that has a C3PAO audit higher points than a company that does not. I don't know the answer for that. I find that unlikely if they're not requiring it.

But I mean, don't see a downside to the security requirements are here to stay, being able to demonstrate to the marketplace, be it the government, your prime or your peers, you are a secure company.

I mean, can only be a good thing in my view.

Yes. And and again, to restate, neither companies, Williams or Virtru, are c three POs. So we don't have any direct, you know, benefit or outcome of of saying one which or the other. But that that sounds like that would make sense to me. And I know there's also just been some questions around those who and maybe, William, your take, maybe have a c three p o assessment scheduled, you know, how would you recommend approaching that or would you make any changes?

If you've done the work, if you've implemented your security requirements and you've gathered the documents to be able to demonstrate to an auditor that you have done so, my advice is get your assessment done.

You are hedging and we're considering getting a CCPA audit, a CCPA audit is just a verification that you have implemented the controls, right?

If you're confident that you have implemented all the controls and you don't need anyone to verify it for you and you believe that want to wait and see, that's a business decision, right? But I will I will I will share with you that.

All of the clients that I've had conversations with in the past couple of days and some of them reach out to me proactively even before I could, you know, check-in with them.

The reason with an understanding that our compliance requirements haven't changed in each.

So we still need to do all the things and we are going to get audited because yes, it is is in our business interest to be able to demonstrate to the marketplace that we are a secure compliant company.

Yeah. Thanks, William. And and similar, it's only been again a couple days, but you know, here at Virtru, we've been talking with organizations over the past few years that are you know, they would contact us saying we're we're looking to meet CMMC level two.

And, you know, since this announcement, I I I think for the most part, organizations have realized that well, number one, they were just working towards showing that they were meeting something they already needed to.

And to say we're gonna pause that, you're you're essentially saying we're we're gonna we're gonna be okay with not meeting something that we again contractually already have had to, that we that you could get audited And and there could be penalties if it's found that you that you weren't. So to your point, the the the the one of the best things about CMMC so far is it has just surfaced the need and the importance of protecting CUI, and it put in place a mechanism to to make that more clear. But, you know, what it has been asking people to do, that has not changed. That that that announcement did not change the fact that this information needs to be protected and that you need to still abide by NIST eight hundred dash one seventy one?

So there are there are there are there are a couple of takeaways here for me. Right?

The the first is that what this announcement reiterates to me is that as an industry, we need to provide better solution sets.

I talked to lots of defense contractors and most of them have had some engagement with the market, either with technology vendors or security consultants or auditing firms and the solutions that are being provided are sort of all over the map.

And I think that as an industry, we need to do a better job because I personally believe that CMMC is a governance problem.

And governance is a discipline. Like I've been a college professor for sixteen years. One of the courses that teach is on security governance, right? Governance is a discipline, right? It's not something that a small business just does, right?

So we need to come up with better solutions, better holistic solutions to help especially the small defense contractors that don't have this internal governance capability, just selling them technology or doing a gap assessment or doing a webinar or giving them a checklist, that is not sufficient, that has not met the moment.

So that's my one takeaway. We need better solutions. My second takeaway is two words, affirming official.

The affirming official is the senior leader within the government contractor that signs their name personally on their self attestation and say that I, William McBurray, am attesting the MC Global Tech have implemented all of these controls that we have noted as being met.

Under threat of False Claims Act persecution if this is found not to be true.

There are a number of highly publicized False Claims Act persecution ongoing today. There's a number of settlements between defense contractors and the Department of Justice because they were found to be non compliant when the self attestation said otherwise and that settlement amount was a lot more than what it would have cost them to become CMMC compliant. Now, in part of the announcement that the DOW did, what you did to talk about is sort of, you know, the pricing, right? Organizations that are having to pay six hundred thousand dollars for CMMC compliance, so on and so forth.

I mean, I've heard that and I've heard from defense contractors about some of the numbers that they're being quoted. And yes, it's wild out there, but CMMC should not cost you six hundred dollars Right? CMMC should not cost you five hundred dollars I'm sorry, five hundred thousand or four hundred thousand dollars right? So as an industry, we have to be able to provide better options for helping organizations, especially smaller organizations. I run a small business, we are CMMC compliant, We have been audited by a sixty PAO.

We are living this.

And CMMC implementation is not complicated.

It's not complicated. It doesn't have to be overly expensive.

And there are solutions out there that can help small businesses get compliant and with the ultimate goal of better protecting the data and that's what it's all about. We are under threat, right? The defense supply chain is on a constant threat and we need to come up with better means of protecting this, know, the control on classified information, right?

And that's my general takeaway. Defense contractors, especially the smaller ones, need better solutions and not just piecemeal technology here, advisory here, gap assessment there, training there, and all that sort of adding up. I think they need a more comprehensive approach to how we're going to tackle this problem. That's something that we at MC Global Tech are actively working.

Thanks for those takeaways, William. And, yes, again, thank you so much for your your expert opinion today.

We know that this was still early within the announcement, but, again, just to recap, phase two has been suspended. CMMC is not over. We're we're still in phase one.

And the need to, as you just shared, protect the information remains. The need to comply with your your contractual obligations still remain.

And William and his firm, MC Global Tech, again, well qualified to to help all around. Here at Virtru, again, we're a technology company, so we can help specifically with data protection with our open source trusted data format that our cofounder invented while at the NSA.

So whether that's helping with CUI, ITAR data, PHI, intellectual property, you know, we we're here to support organizations and align to the need to have it be easy and quick with very easy implementation, no usernames and passwords. So again, I think aligning to the new directives that were announced as well.

So this was recorded. If anyone would like to get in touch with William, we will be sure to share his contact information.

William's also local to the to the DC Metro and would welcome a conversation. If we didn't get to answer any of your questions, feel free just to reach out to us directly.

Again, Andrew Lynch at Virtru.

And William McBurrow from MC Global Tech.

We'll probably have some more of these as we hear more. The chance to, again, submit your comments for the RFI or dropped in the chat on sam dot gov, which goes until August fourteenth twenty twenty six. So that was announced in the memo as well. And appreciate everyone for joining today. And thanks again for the time, William.

My pleasure.