
About Defense Cybersecurity Group

As a leading voice in the federal compliance space, Defense Cybersecurity Group’s (DCG's) mission is to bring critical cybersecurity solutions to the Defense Industrial Base and beyond.

Regardless of where your cyber architecture stands, the security framework you use, or the needs of your business, our team of experts is prepared to move you toward compliance, with an emphasis on real security. We employ a custom risk-based methodology, identifying the most serious threats to your information security first. From there, we tailor our consultation services to your information security, compliance, and financial goals.

DCG was founded in 2020 by Vince Scott, a retired Naval cryptologist, Certified CMMC Assessor, and Provisional CMMC Instructor. 

FAQ

Frequently Asked Questions

BEGINNER 

Q1: Who will need to comply with CMMC? Do all companies have to be assessed?

A1: There are multiple levels of CMMC. Contracting organizations which generate, process, handle, or store Controlled Unclassified Information (CUI) will almost certainly need to have their CMMC compliance assessed by a Certified Third Party Organization (C3PAO). The DoD has said that they intend to roll out assessments over the course of a three year period, beginning with “prioritized acquisitions.” 


Q2: How do I know if I possess a contract with CUI? 

A2: CUI is defined in 32 CFR 2002 as, “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls,” excluding information that is classified. As discussed in this blog, DoD contracting officers are technically responsible for identifying CUI in contracts. This is not routinely practiced. Therefore, it has become the responsibility of OSCs to identify CUI in their own systems. NARA’s CUI Registry, which includes a detailed listing of CUI categories, is a good resource to support OSCs looking to identify CUI in their systems. A systematic review of active contracts is also necessary to determine if, and where, CUI rests within your organization. 


Q3: How will my organization know what CMMC level is required of my organization?

A3: As it stands, CMMC will include several tiered levels of certification. Determining which level of certification will be required of your organization necessitates an evaluation of the kinds of federal information you come into contact with. If you process, handle, or store Federal Contract Information (FCI), but not CUI, your business will need a CMMC L1 certification. OSCs handling CUI will need a L2 certification. To learn more about the distinctions between these categories of federal data, check out this blog post.

Q4: How can I get my business CMMC compliant in 30 days?

A4: The short answer: you can’t. Vendors who advertise “quick-fix” solutions are disingenuous.


Q5: Okay, how long does it take to be fully certified?

A5: On average, small and medium sized businesses are taking 12-18 months to fully implement the necessary security measures. In many cases, this process may take longer. 


Q6: When do we expect the CMMC rule to be fully in effect?

A6: There are fluidities in the rulemaking process that make it difficult to name a date with certainty. However, many experts expect CMMC to be finalized in 2025.

Q7: When should I start, if I want to be compliant on time?

A7: CMMC assessments are projected to begin in 2025. However, contracts acquired in 2018 or later already require compliance, on a self-attestation basis, with DFARS 7012; if this sounds like you, then you are subject to the False Claims Act and should have made good-faith efforts toward compliance already. In general, if you want to be among the first or second wave of DIB companies with a certification, start now, as compliance generally takes between one and two years to achieve. It is also worth noting that large prime contractors are already asking subs about SPRS scores and the likelihood of certification; in other words, your primes are likely to require you to become compliant before your contracting officer does.

Q8: How do I start prepping my business for CMMC rollout?

A8: There are two key components to starting your CMMC journey on the right foot: 1) pick the leader, and 2) track the flow of CUI through your organization.


1) Selecting the correct individual to head up your CMMC compliance effort ensures cooperation from your business as a whole; for this reason, we strongly recommend that your project leader not be an IT employee. CMMC cannot be successfully achieved through behind-the-scenes technological efforts alone. At its heart, this is a business challenge, not an IT challenge, and it will require senior-level leadership to be carried across the finish line.


2) Once your project leader has been appropriately selected, their initial course of action should include tracking CUI throughout its entire life cycle within your organization. Where does CUI enter? Is it marked? How does it flow through your systems? Do you have any subcontractors which require CUI to generate deliverables? This foundational understanding will enable team members to apply controls effectively over time. In fact, without it, you'll find it impossible to make the necessary changes to your cyber architecture. 


Q9: Do I have to comply with all 110 controls in NIST SP 800-171? 

A9: Yes, and more. This cannot be stressed enough: OSCs will be assessed according to NIST SP 800-171A and the assessment objectives therein, not merely the controls listed in SP 800-171. Assessment objectives are the individual requirements associated with each control, which raises the number of components required to become certified to 320. If you work to become compliant only with the controls, you will not pass a third-party assessment.

EXPERT

Q1: How does NIST 171 R3 impact the CMMC rulemaking timeline?

A1: It doesn’t. These are separate initiatives, undertaken by NIST and the DoD, respectively. 


Q2: Will guidance on Level 2 self-certification (if it will be allowed and if so, what the criteria is for an OSC to qualify) come out at any point prior to the interim or proposed rule?

A2: No, we expect this information to be established in the rule.

Q3: Will foreign companies be subject to CMMC requirements?

A3: Whether or not foreign members of the DIB will be assessed against CMMC has yet to be determined by the DoD. However, the self-attestation of NIST 800-171 compliance is still relevant to non-American businesses, which remain subject to the False Claims Act to the extent that US law applies to them.


Q4: Does it matter what external service providers we use to support our enterprise?

A4: Absolutely. External service providers (ESPs) are not a category explicitly defined by NIST. They are defined by the DoD in reference to CMMC as, “external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, Cybersecurity-as-a-Service Providers.” The CMMC Assessment Process (CAP) also includes a discussion of Service Providers in Section 1.5.4, “Ascertain the Use of External Cloud Service Providers,” which treats Cloud Service Providers the same as other ESPs. Therefore, it is important for OSCs to be mindful of all ESPs they employ, with the understanding that a C3PAO will need to evaluate the compliance of those providers to the extent required by reasonable scoping activities.


Q5: When will I have to be compliant with NIST 800-171 Revision 3?

A5: Revision 2 is the current, formalized version of NIST 800-171. This is the version in contracts today, and it represents the security controls that contractors must have in place today. Revision 3 was published as a draft in May of 2023. We expect Revision 3 to be finalized no later than Quarter 1, 2024. We also expect that the DoD will allow 12 months for contractors to make the necessary updates to their information security architecture to become compliant with Revision 3. Based on this, we anticipate compliance requirements to begin to impact contractors in Quarter 1 of 2025 (around the same time third-party CMMC assessments are expected to begin).


Q6: Since 800-171 Revision 3 impacts CMMC requirements, does that mean CCPs and CCAs will need to undergo training and/or exams?

A6: The CMMC Program Management Office is considering this, but has not provided any further insights at this time. We recommend staying up to date with the new requirements, but we do not expect new assessments to be required.

Q7: Do I have to apply FIPS to my entire system? 

A7: No. FIPS-validated encryption is required where encryption is used to protect the confidentiality of CUI. Inside the data center, where appropriate physical controls are already in place to protect confidentiality, FIPS-validated encryption is not required.

Meet the Team

Meet Defense Cybersecurity Group


Vincent Scott FOUNDER AND CEO

Vince is a US Navy veteran with more than 30 years of cyber experience, both afloat and ashore. 


A graduate of the US Naval Academy, Vince’s 21-year career in military operations included cyber warfare, information warfare, and intelligence operations. He conducted Intelligence Surveillance and Reconnaissance (ISR) activities at the tactical, component, theater, and national levels. He served with multiple national intelligence agencies, including time with the US National Security Agency (NSA) as a Chief of Crises Management and Deployed Support. Throughout his time as a Naval Cryptologist he deployed numerous times, including combat operations in both Gulf Wars, in addition to deployments to Bosnia, Kosovo, and elsewhere.  


Following his diverse career in military operations, Vince joined Oklahoma State University’s Multispectral Laboratory (UML) as Chief Information Officer (CIO) and the Director of C5ISR. Following his work with OSU, Vince held positions with P&G as their Global Leader of Cyber Incident Response and Threat Intelligence, served as a Director in PwC's Cybersecurity and Privacy practice, and led PwC’s National Cyber Threat Intelligence Organization. Most recently he served as the Executive Director of SENTIR Research Laboratory and is currently the acting CIO of Solutions Through Innovative Technologies (STI-TEC).

Vince founded DCG with the aim of supporting the Defense Industrial Base (DIB) throughout the implementation of the new Cybersecurity Maturity Model Certification (CMMC). As a veteran and small business owner himself, Vince's mission is to provide thorough, cost-effective consulting throughout the DIB's ongoing compliance journey. He is currently a Certified CMMC Assessor (CCA) and Provisional CMMC Instructor (PI). He is the FBI Infragard's SME on Cyber-Warfare, and has acted as a panelist for both the National Defense Industry Association (NDIA) and the Cyber A-B's Town Hall series, marking him as a leading voice in the CMMC ecosystem. 


Nick Martin Director of Cybersecurity and Information Management

With over 15 years of experience in Information Technology and Data Governance, Nick has in-depth knowledge of information security and data provenance. He works to advance the cybersecurity capabilities of critical industries large and small, and to assist clients with their information security, data governance, and secure data migration requirements. From the depths of Controlled Unclassified Information (CUI) to the surrounding Federal requirements, including DFARS, FedRAMP, CMMC, and NIST, he provides cybersecurity and data management expertise that enables the betterment of our clients and their customer base. Nick’s background includes service in the US Navy as an Information Technology Specialist, Database Security Manager at G4S International, and Global Director of Compliance at Cocoon Data. He has a BS in Computer Science, holds certifications in networking and Unix administration, and has completed the CMMC Certified Professional course.


Milt Songy SECURITY COMPLIANCE ANALYST

Milt is a graduate of the United States Naval Academy with a B.S. in Engineering, and of Southern Methodist University’s Cox School of Business, where he earned a Masters of Business Administration. He is a retired U.S. Navy Surface Warfare Officer, Manufacturing Operations Manager, and entrepreneur with a passion for holistic problem solving and a keen eye for detail. His experience in the cyber world includes private client consulting, ERP, CAD, ISO certification, and OSHA compliance.


At DCG, he applies his business strategy mindset to cybersecurity and compliance consulting.  He is a designated CMMC Registered Practitioner, a candidate for Certified CMMC Professional, and a member of the FBI’s Infragard. He also has extensive experience in coaching, non-profit operations management, and fundraising —but he’d rather be sailing.


T.J. White STRATEGIC ADVISOR 
FOUNDER & CEO, ONE NETWORK CONNECTION 

Vice Adm. TJ White hails from Spring, Texas. A graduate of the United States Naval Academy, he received a BS in Mechanical Engineering in 1987, an MS in Systems Technology from the Naval Postgraduate School, and an MS in National Resource Strategy from the National Defense University–Industrial College of the Armed Forces (now The Eisenhower School). He has received diplomas from a myriad of executive and professional education programs, including MIT, Harvard, and Darden.

TJ is a 30-plus year national security practitioner, strategist, and cyber operations expert. He is experienced in leading joint military formations and combined intelligence community organizations, and has commanded at all levels within the Navy and Joint Service; most recently as the Commander, United States Fleet Cyber Command / United States TENTH Fleet / United States Navy Space Command and previously as the Commander, United States Cyber National Mission Force / USCYBERCOM. He is a former Director of Intelligence for United States Indo-Pacific Command and has served globally in various combat zones and conflict areas supporting competition dynamics. A former CINCPACFLT Shiphandler-of-the-Year, he misses his days driving a Battleship.  

Following his retirement from the USN as Vice Admiral (VADM), White founded OneNetworkConnection, a small business designed to support organizations in understanding the value and opportunity found in collective cybersecurity. As a business owner and highly experienced veteran of cyber warfare, Tim collaborates with DCG on critical communications with C-Suites and board members regarding CMMC and other developing information security frameworks.


Shelby Scott TECHNICAL WRITER & MARKETING ASSOCIATE

Shelby graduated in May of 2021 from Eckerd College. In school, Shelby spent time as a Consultant with the Eckerd College Writing Center, as a Ford Apprentice Scholar developing her thesis in epistemology, and as the Communications Committee Head for the Eckerd College Student Title IX Advisory Council. Upon graduating with High Honors, as well as a double major in ES and Philosophy, she was awarded the George P. E. Meece Writing Excellence Award, the Eckerd Giver Award, and the Eckerd Excellence in Gender Justice Award.


Following her time at Eckerd, Shelby worked as an AmeriCorps VISTA Grants Associate with Colorado Youth for a Change (CYC). There, she assisted in increasing their development capacity by more than $800,000. Her time with AmeriCorps was followed by work as a Development and Program Coordinator for a Washington-state nonprofit, where she directed critical development activities, managed budgets and data-tracking processes, and conducted programming for at-risk youth. When she isn't snowboarding, Shelby works for Defense Cybersecurity Group as a Technical Writer and Marketing Associate.
