This episode breaks down CMMC System and Communications Protection controls, from defining boundaries and separating public-facing systems to enforcing deny-by-default network rules and stopping split tunneling.
It also covers secure design, role separation, shared resource protections, and how to safeguard CUI while it moves across networks.
In this episode, we break down the three core compliance documents that make the CA domain real in practice: the System Security Plan, the Plan of Action and Milestones, and Continuous Monitoring. We’ll explain what each document is, what it should contain, and how assessors and compliance teams use them together to support CMMC and NIST SP 800-171 implementation.
This episode explores the FCC’s U.S. Cyber Trust Mark for consumer IoT devices and asks a bigger question: what can defense contractors learn from a public-facing cybersecurity label?
We break down how the voluntary labeling program works, where it mirrors Energy Star, and why familiar cybersecurity signals matter to buyers, regulators, and the broader market. We also examine the practical limits of labels, including consumer misunderstanding, uneven adoption, and the gap between baseline assurances and real-world security outcomes.
Finally, we connect the Cyber Trust Mark back to CMMC by showing how both efforts rely on trust signals, documented controls, and evidence-based confidence rather than marketing claims alone.
In this episode of CMMC Unlocked, host Paul Netopski breaks down one of the most misunderstood phrases in the new CMMC rule set and CyberAB guidance: “significant changes.” Many small defense contractors and their advisors worry that any major IT or organizational change will automatically invalidate a hard‑won Level 2 certification. Paul walks through what the 32 CFR Part 170 preamble, the Level 2 Scoping Guide, and the Level 2 Assessment Guide actually say—and what they don’t.
We unpack the distinction between:
Drawing on earlier episodes about risk assessments and continuous monitoring, Paul offers practical guidance for small DIB organizations and consultants on how to:
If you’re worried that a tech refresh, cloud migration, or acquisition will blow up your CMMC status, this episode will help you separate rumor from requirement and integrate “significant change” into a mature, risk‑based compliance program.
Explore the critical personnel security requirements within NIST SP800-171 and CMMC 2.0 Level 2 standards. Learn practical processes for screening, onboarding, and access approvals, and uncover the nuances between standard employment screening and federal background investigations to safeguard Controlled Unclassified Information.
Dive into essential physical security controls within CMMC 2.0, from access management to safeguarding support infrastructure. Learn real-world lessons from defense contractors who strengthened facility security and avoided common pitfalls.
Explore key strategies for protecting Controlled Unclassified Information across physical and digital media. Learn practical approaches to handling, marking, encryption, and auditing that ensure compliance and safeguard your organization.
This episode guides listeners through key aspects of Covered Defense Information (CDI), from core definitions and marking requirements to contract data rights and procurement compliance. Hosts Eric, Paul, and Roz break down regulations, risks, and real-world examples to help users, product owners, and procurement staff safeguard sensitive information effectively.
