The "SmallsCast" Podcast
Author: TheSmalls
This podcast is designed for Small Government Contractors, Service Providers, and Manufacturers, as part of the Government Contractor Ecosystem, connecting people, organizations, and resources.
Language: en
Genres: Government
The Smalls talks to Digital Beachhead!
Episode 11
Monday, 13 October, 2025
Listen in as your host Just Nate talks with Mike Crandall, CEO and co-founder of Digital Beachhead.

The Urgency of CMMC 2.0: November 10th, 2025 is the effective date of the 48 CFR (DFARS) CMMC acquisition rule, which makes CMMC a mandatory default clause in new DoD solicitations. Many small businesses are panicked because they did not believe it would actually happen.

A History Lesson in Compliance: The discussion traces the evolution from DFARS 252.204-7012, which required contractors to implement NIST SP 800-171, to DFARS 252.204-7019, which added the DoD self-assessment score and the PoAM (Plan of Action and Milestones) for controls not yet implemented. CMMC was created to replace unreliable self-attestation and perpetual PoAMs.

CMMC 2.0 Levels and Requirements:
  Level 1 (FCI): For Federal Contract Information (FCI) only. Requires 15 controls and allows a self-assessment affirmed by a senior company representative.
  Level 2 (CUI): For Controlled Unclassified Information (CUI). Requires all 110 NIST SP 800-171 controls, assessed against 320 assessment objectives. Self-assessment is allowed for the first 12 months of the rollout, but prime contractors (like Lockheed or Boeing) can still demand a C3PAO certification immediately.

Understanding CUI: CUI (Controlled Unclassified Information) is a major gray area, often defined differently by each government customer. They stress that CUI is not a security classification but a marking, and contractors should only mark information as CUI if the government has explicitly designated it as such.

The Insurance Factor: Cyber insurance companies are increasingly requiring CMMC-level certification before they will pay out on a ransomware or data breach claim, making compliance an essential part of risk management.

The Assessment Process: Mike outlines the four phases of a CMMC assessment by a C3PAO (like Digital Beachhead):
  1. Pre-assessment: initial review of your data and readiness.
  2. Interview and on-site visit: a deep dive into paperwork, controls, and physical security.
  3. Certification: receiving a final or conditional certification.
  4. eMASS upload: submitting the results to the government's official system.
The typical process for a small business takes three to four weeks.

Cost & Strategy for Small Businesses: The average cost of a Level 2 assessment for a small business is between $40K and $50K (a one-time payment for the three-year certification). For companies with only a small portion of DoD work, they recommend creating a secure, isolated enclave (such as Microsoft 365 GCC High or a Cloud PC VDI solution) so that only the systems handling CUI are in scope, which reduces the scope, and therefore the cost, of the assessment.

🤝 Guest Spotlight & Resources
Guest: Mike Crandall, CEO and Co-Founder of Digital Beachhead
Company: Digital Beachhead is the only authorized C3PAO in Colorado Springs and one of three in the Mountain Region, specializing in cyber security services and CMMC assessment.
Mike's Contact Information:
  Website: digitalbeachhead.com
  Email: mike@digitalbeachhead.com
  LinkedIn: Search for Mike Crandall at Digital Beachhead.

To find out more about the Smalls or become a member, please check us out at www.thesmalls.org
To contact Just Nate: justnate@thesmalls.org
Send in a voice message: https://anchor.fm/thesmalls/message
Support this podcast: https://anchor.fm/thesmalls/support
www.patreon.com/thesmalls










