About Defense Cybersecurity Group
As a leading voice in the federal compliance space, DCG's mission is to bring critical cyber solutions to the Defense Industrial Base.
Regardless of where your information security architecture stands or the needs of your business, our team of experts is prepared to move you toward compliance with an emphasis on real security. We employ a custom risk-based methodology, identifying the most serious threats to your information security first. From there, we tailor our consultation services to your security, compliance, and financial goals.
DCG was founded in 2020 by Vince Scott, a retired Naval cryptologist, Certified CMMC Assessor, and Provisional CMMC Instructor.
Frequently Asked Questions
BEGINNER
Q1: Who will need to comply with CMMC? Do all companies have to be assessed?
A1: There are multiple levels of CMMC. Contracting organizations which generate, process, handle, or store Controlled Unclassified Information (CUI) will almost certainly need to have their CMMC compliance assessed by a Certified Third Party Organization (C3PAO). The DoD has said that they intend to roll out assessments over the course of a three year period, beginning with “prioritized acquisitions.” In December of 2024, the Army released one of the first contracts with a third-party CMMC assessment requirement.
Q2: How do I know if I process, handle, or store CUI?
A2: CUI should either come to your organization explicitly marked, or be created by you on behalf of a contract. CUI is defined in 32 CFR 2002 as, “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls,” excluding information that is classified. DoD contracting officers are technically responsible for identifying CUI in contracts. This is not routinely practiced. Therefore, it has become the responsibility of Organizations Seeking Certification (OSCs) to identify CUI in their own systems. NARA’s CUI Registry, which includes a detailed listing of CUI categories, is a good resource to support OSCs looking to identify CUI in their systems. A systematic review of active contracts is also necessary to determine if, and where, CUI rests within your organization. See our blog for more information about how to identify CUI and how to use contracts to determine your organization's CUI flow.
Q3: How will my organization know what CMMC level is required of my organization?
A3: Your contracts will tell you which CMMC level is required of your organization, as well as if your assessment will need to be conducted by a C3PAO. As it stands, CMMC will include several tiered levels of certification. Determining which level of certification will be required of your organization necessitates an evaluation of the kinds of federal information you come into contact with. If you process, handle, or store Federal Contract Information (FCI), but not CUI, your business will need a CMMC L1 certification. OSCs handling CUI will need a L2 certification. To learn more about the distinctions between these categories of federal data, check out this blog post.
Q4: How can I get my business CMMC compliant in 30 days?
A4: The short answer: you can’t. Vendors who advertise “quick-fix” solutions are disingenuous.
Q5: Okay, how long does it take to be fully certified?
A5: On average, small and medium sized businesses are taking 12-18 months to fully implement the necessary security measures. In many cases, this process may take longer.
Q6: When do we expect the CMMC rule to be fully in effect?
A6: Q2 of calendar year 2025. The rulemaking process is fluid enough that it is difficult to name a specific date with certainty. However, experts expect CMMC to be finalized in Q1 2025, and no later than Q3 2025. Understand that there are two different CMMC rules in process under Federal rulemaking. The first, 32 CFR 170, is due in its final form late September or early October. The second, 48 CFR 252.204-7021, has just been released in its draft form and is due in its final form roughly in Q1 of 2025.
Q7: When should I start, if I want to be compliant on time?
A7: Sometime in 2017. Full compliance with DFARS 252.204-7012 and the security requirements in NIST 800-171 was mandatory as of 1 January 2018. This forms the majority of the requirements that CMMC assesses. CMMC assessments are projected to begin in 2025. In general, if you want to be among the first or second wave of DIB companies with a certification, start now, as compliance generally takes between one and two years to achieve. It is also worth noting that large prime contractors are already asking subcontractors about SPRS scores and their prospects for certification; in other words, your primes are likely to require you to become compliant before your contracting officer does. In general, it takes at least one year to stand up a fully compliant CMMC program. Note that a fully compliant information security architecture also requires constant upkeep; this is not a project, but a program.
Q8: How do I start prepping my business for CMMC rollout?
A8: There are two key components to starting your CMMC journey on the right foot: 1) pick the leader, and 2) track the flow of CUI through your organization.
1) Selecting the correct individual to head up your CMMC compliance effort ensures cooperation from your business as a whole; for this reason, we highly recommend your project leader is not an IT employee. This is because CMMC cannot be successfully achieved with behind-the-scenes technological efforts. At its heart, this is a business challenge, not an IT challenge, and it will require senior-level leadership to be carried across the finish line.
2) Once your project leader has been appropriately selected, their initial course of action should include tracking CUI throughout its entire life cycle within your organization. Where does CUI enter? Is it marked? How does it flow through your systems? Do you have any subcontractors which require CUI to generate deliverables? This foundational understanding will enable team members to apply controls effectively over time. In fact, without it, you'll find it impossible to make the necessary changes to your cyber architecture.
Q9: Do I have to comply with all 110 controls in NIST SP 800-171?
A9: Yes - and more, as long as you process, store, or transmit CUI. This cannot be stressed enough, because OSCs will be assessed according to NIST 800-171A and the assessment objectives therein, not the controls listed in 171. Assessment objectives are individual requirements associated with each control. This raises the number of components required to become certified to 320. If you work to become compliant only with the controls, you will not pass a third party assessment.
EXPERT
Q1: How does NIST 171 Revision 3 impact the CMMC rulemaking timeline?
A1: It doesn’t. These are separate initiatives, undertaken by NIST and the DoD, respectively. The DoD has published a memo that directs the DIB to stick with Revision 2 until further notice.
Q2: When is it okay to self-assess at CMMC Level 2 (aka, will it be possible for me to conduct a self assessment, even if my organization processes, handles, or stores CUI)?
A2: The possibility for self-assessment at Level 2 was established in the CMMC rule, 32 CFR 170. In the final rule, self-assessment is allowed at the discretion of the contracting officer. Additionally, in the proposed 48 CFR update, the DoD has stated “(a) The CMMC certificate or CMMC self-assessment level specified in the contract is required for all information systems, used in the performance of the contract, that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI).”
The DoD also, "reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204-7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status."
Q3: Will foreign companies be subject to CMMC requirements?
A3: According to the final rule 32 CFR 170, "The CMMC process is the same for international and domestic contractors and subcontractors. International sub-contractors must undergo a CMMC assessment at the appropriate level to demonstrate compliance with NIST SP 800-171 R2 requirements."
Q4: Does it matter what external service providers we use to support our enterprise?
A4: Absolutely. External service providers (ESPs) are not a category explicitly defined by NIST, but they are defined in the CMMC regulation (see our CMMC Glossary and Acronyms for more). They are defined by the DoD in reference to CMMC as, “external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, Cybersecurity-as-a-Service Providers.” It is important for OSCs to be mindful of all ESPs they employ, with the understanding that those ESPs will need their own CMMC certification. The final 32 CFR 170 CMMC rule requires that all organizations which process Security Protection Data be considered ESPs if they provision or manage IT/cybersecurity services, and the Level 2 Scoping Guide requires ESPs to attain their own CMMC certification and provide a detailed shared responsibility matrix (SRM) to the OSA; otherwise they will be considered in scope for the OSA's assessment.
Q5: When will I have to be compliant with NIST 800-171 Revision 3?
A5: Revision 3 is the current, formalized version of NIST 800-171. Revision 3 was published as final in May of 2024. The DoD also issued a class deviation in May of 2024 that ties all current contractual cyber requirements to Revision 2 until further notice. The length of this class deviation is listed as "until canceled." Based on the public comments of the CAICO on the time needed to produce CMMC training based on Revision 3, and the fact that the CMMC regulation itself is tied to Revision 2, we do not anticipate the imposition of Revision 3 for several years.
Q6: Since 800-171 Revision 3 impacts CMMC requirements, does that mean CCPs and CCAs will need to undergo training and/or exams?
A6: The CMMC Program Management Office is considering this, but has not provided any further insights at this time. We recommend staying up to date with the new requirements, but do not expect new assessments to be required.
Q7: Do I have to apply FIPS to my entire system?
A7: No. FIPS-validated encryption is needed where encryption is used to protect the confidentiality of CUI. Inside a data center where appropriate physical controls are in place to protect confidentiality, FIPS-validated encryption is not required.
Meet Defense Cybersecurity Group
Vincent Scott FOUNDER AND CEO
Vince is a US Navy veteran with more than 30 years of cyber experience. A graduate of the US Naval Academy, Vince’s 21-year career in military operations included cyber warfare, information warfare, and intelligence operations. He conducted Intelligence, Surveillance, and Reconnaissance (ISR) activities at the tactical, component, theater, and national levels. He served with multiple national intelligence agencies. He deployed numerous times, including combat operations in both Gulf Wars, in addition to deployments to Bosnia, Kosovo, and elsewhere.
Following his diverse career in military operations, Vince joined Oklahoma State University’s Multispectral Laboratory (UML) as Chief Information Officer (CIO) and Director of C5ISR. Following his work with OSU, Vince held positions with P&G as their Global Leader of Cyber Incident Response and Threat Intelligence, served as a Director in PwC's Cybersecurity and Privacy practice, and led PwC’s National Cyber Threat Intelligence Organization. Most recently he served as the Executive Director of SENTIR Research Laboratory and is currently the Chief Security Officer of Solutions Through Innovative Technologies (STI-TEC).
Vince founded DCG with the aim of supporting the Defense Industrial Base (DIB) throughout the implementation of the new Cybersecurity Maturity Model Certification (CMMC). As a veteran and small business owner himself, Vince's mission is to provide thorough, cost-effective consulting and services throughout the DIB's ongoing compliance journey. He is currently a Certified CMMC Assessor (CCA) and Provisional CMMC Instructor (PI). He is the FBI InfraGard's SME on Cyber Warfare, and former editor of the Journal of Law and Cyberwarfare.
Nick Martin DIRECTOR OF CYBERSECURITY AND INFORMATION MANAGEMENT
With over 15 years of experience in Information Technology and Data Governance, Nick has in-depth knowledge of information security and data provenance. He works to advance the cybersecurity capabilities of critical industries large and small, and to assist clients with their information security, data governance, and secure data migration requirements. From the details of Controlled Unclassified Information (CUI) to the surrounding Federal requirements, including DFARS, FedRAMP, CMMC, and NIST, he provides cybersecurity and data management expertise that enables the betterment of our clients and their customer base.
Nick’s background includes service in the US Navy as an Information Technology Specialist, Database Security Manager at G4S International, and Global Director of Compliance at Cocoon Data. He has a BS in Computer Science, holds certifications in networking and Unix administration, and has completed the CMMC Certified Professional course.
CCA-Qualified
Charles Norman CONSULTANT
Charles “Chuck” Norman is an accomplished executive with a track record in developing, implementing, and leading cybersecurity, governance, and risk programs. He has demonstrated success in building cross-functional, diverse teams to align IT and business strategies in large global enterprises. A graduate of Indiana State University, Chuck has applied his degree in Computer Science and Mathematics throughout his career. Most recently, he served as a Sr. Client Solutions Advisor for Optiv Security, where he acted as a business development partner to sales executives, as well as a trusted advisor to F500 client executive and senior management teams. At DCG, Chuck supports communications with C-Suites, develops approach methodology for large organizations, and serves as a consultant to businesses seeking CMMC support.
CCP-Qualified
Milt Songy SECURITY COMPLIANCE ANALYST
Milt is a graduate of the United States Naval Academy with a B.S. in Engineering, and of Southern Methodist University’s Cox School of Business, where he earned a Master of Business Administration. He is a retired U.S. Navy Surface Warfare Officer, Manufacturing Operations Manager, and entrepreneur with a passion for holistic problem solving and a keen eye for detail. His experience in the cyber world includes private client consulting, ERP, CAD, ISO certification, and OSHA compliance.
At DCG, he applies his business strategy mindset to cybersecurity and compliance consulting. He is a Certified CMMC Professional (CCP) and a member of the FBI’s InfraGard. He also has extensive experience in coaching, non-profit operations management, and fundraising, but he’d rather be sailing.
CCP-Qualified
Shelby Scott LEAD TECHNICAL WRITER & PROJECT MANAGER
Shelby is a Certified CMMC Professional (CCP) with more than 3 years of experience creating CMMC-specific documentation and informational materials. She currently supports DCG as a Lead Technical Writer and Project Manager. Shelby graduated with High Honors and a double major in Philosophy and Environmental Studies from Eckerd College in 2021. She has experience in nonprofit administration, grant and proposal writing, and environmental education.
Jonah Phillippi TECHNICAL WRITER & CYBERSECURITY SPECIALIST
Jonah graduated from Spring Hill College with a B.S. in Chemistry and minors in Mathematics and Philosophy. He applied this knowledge over 5 years of experience as a research specialist at Tulane University. During this time his projects included optimizing an inventory management system, completing analysis and reports for grant applications, maintaining and authoring documentation for regulatory audits, and serving as project manager for NIH-funded research. Concurrently, he graduated from Tulane University with an M.S. in Cybersecurity Management, with his Capstone project focusing on NIST SP 800-171 compliance. He has received a certificate in Cyber Defense from the Tulane School of Professional Advancement, holds CompTIA Security+, and is in the process of obtaining his Certified CMMC Professional (CCP) certification.
Jacob Scott TECHNICAL WRITER
Jacob is a technical writer with a B.A. and an equivalent A.S. in software development. He has four years of CMMC implementation experience taking companies from 0 to compliant. He focuses on producing working documentation and building a working understanding of the regulation for clients. He has also been focusing on VDI CMMC-as-a-service compliance.
Jacob has worked in a number of technical positions and on a range of projects, including service desk, maintenance, and system implementation. He has led the implementation of the Security Onion SIEM in a corporate environment and of open source ticketing systems. Outside of CMMC he has also worked extensively with the SSDF and EO 14028, as well as the implementation of secure software development practices.
CCP-Qualified
Chloe Bernard JUNIOR TECHNICAL WRITER
Chloe graduated from Miami University with a B.A. in History and a minor in Geography. The majority of her time at Miami was spent researching and writing on a variety of topics, ranging from ancient Greek pottery to the International Criminal Court. Chloe also participated in the Farmer School of Business’s Client Challenge for Cleveland Clinic. She became Certified CMMC Professional (CCP)-qualified in January 2025.