top of page
army men (1).png

About Defense Cybersecurity Group

As a leading voice in the federal compliance space, DCG's mission is to bring critical cyber solutions to the Defense Industrial Base.

​

Regardless of where your information security architecture stands or the needs of your business, our team of experts are prepared to move you toward compliance with an emphasis on real security. We employ a custom risk-based methodology, identifying the most serious threats to your information security first. From there, we tailor our consultation services to your security, compliance, and financial goals. 

​

DCG was founded in 2020 by Vince Scott, a retired Naval cryptologist, Certified CMMC Assessor, and Provisional CMMC Instructor. 

​

FAQ

Frequently Asked Questions

BEGINNER 

Q1: Who will need to comply with CMMC? Do all companies have to be assessed?

A1: There are multiple levels of CMMC. Contracting organizations which generate, process, handle, or store Controlled Unclassified Information (CUI) will almost certainly need to have their CMMC compliance assessed by a Certified Third Party Organization (C3PAO). The DoD has said that they intend to roll out assessments over the course of a three year period, beginning with “prioritized acquisitions.” 

 

Q2: How do I know if I possess a contract with CUI? 

A2: CUI is defined in 32 CFR 2002 as, “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls,” excluding information that is classified. As discussed in this blog, DoD contracting officers are technically responsible for identifying CUI in contracts. This is not routinely practiced. Therefore, it has become the responsibility of OSCs to identify CUI in their own systems. NARA’s CUI Registry, which includes a detailed listing of CUI categories, is a good resource to support OSCs looking to identify CUI in their systems. A systematic review of active contracts is also necessary to determine if, and where, CUI rests within your organization. 

 

Q3: How will my organization know what CMMC level is required of my organization?

A3: As it stands, CMMC will include several tiered levels of certification. Determining which level of certification will be required of your organization necessitates an evaluation of the kinds of federal information you come into contact with. If you process, handle, or store Federal Contract Information (FCI), but not CUI, your business will need a CMMC L1 certification. OSCs handling CUI will need a L2 certification. To learn more about the distinctions between these categories of federal data, check out this blog post.

​

Q4: How can I get my business CMMC compliant in 30 days?

A4: The short answer: you can’t. Vendors who advertise “quick-fix” solutions are disingenuous.

 

Q5: Okay, how long does it take to be fully certified?

A5: On average, small and medium sized businesses are taking 12-18 months to fully implement the necessary security measures. In many cases, this process may take longer. 

 

Q6: When do we expect the CMMC rule to be fully in effect?

A6: There are fluidities in the rulemaking process that make it difficult to name a specific date with certainty. However, experts expect CMMC to be finalized in Q1 2025, and no later than Q3 2025. Understand that there are two different CMMC rules in process under Federal rule-making.  The first, 32CFR170 is due in its final form late September or early October.  The second, 48CFR 252.204-7021 has just been released in its draft form and is due in its final form roughly in Q1 of 2025.

​

Q7: When should I start, if I want to be compliant on time?

A7: Full compliance with DFARS 252.204-7012 and the security requirements in NIST 800-171 was mandatory as of 1 January 2018.  This forms the majority of the requirements that CMMC is assessing.  CMMC assessments are projected to begin in 2025. In general, if you want to be among the first or second wave of DIB companies with a certification, start now, as compliance generally takes between one and two years to achieve. It is also worth noting that large prime contractors are already asking subs about SPRS scores and potentiality of certification; in other words, your primes are likely to require you to become compliant before your contracting officer. 

​

Q8: How do I start prepping my business for CMMC rollout?

A8: There are two key components to starting your CMMC journey on the right foot: 1) pick the leader, and 2) track the flow of CUI through your organization.

 

1) Selecting the correct individual to head-up your CMMC compliance effort ensures cooperation from your business as a whole; for this reason, we highly recommend your project leader is not an IT employee. This is because CMMC cannot be successfully achieved with behind-the-scenes technological efforts. At its heart, this is a business challenge, not an IT challenge, and will require a senior-level leadership to be carried across the finish line.

 

2) Once your project leader has been appropriately selected, their initial course of action should include tracking CUI throughout its entire life cycle within your organization. Where does CUI enter? Is it marked? How does it flow through your systems? Do you have any subcontractors which require CUI to generate deliverables? This foundational understanding will enable team members to apply controls effectively over time. In fact, without it, you'll find it impossible to make the necessary changes to your cyber architecture. 

 

Q9: Do I have to comply with all 110 controls in NIST SP 800-171? 

A9: Yes - and more. This cannot be stressed enough, because OSCs will be assessed according to NIST 800-171A and the assessment objectives therein, not the controls listed in 171. Assessment objectives are individual requirements associated with each control. This raises the number of components required to become certified to 320.  If you work to become compliant only with the controls, you will not pass a third party assessment. 

​

​

EXPERT

Q1: How does NIST 171 R3 impact the CMMC rulemaking timeline?

A1: It doesn’t. These are separate initiatives, undertaken by NIST and the DoD, respectively. 

 

Q2: Will guidance on Level 2 self-certification (if it will be allowed and if so, what the criteria is for an OSC to qualify) come out at any point prior to the interim or proposed rule?

A2: We expect this to be established in the final CMMC rule, 32 CFR 170. In the proposed rule, self-certifications were allowed based on the discretion of the contracting officer. Additionally, in the proposed 48 CFR update, the DoD has stated “(a) The CMMC certificate or CMMC self-assessment level specified in the contract is required for all information systems, used in the performance of the contract, that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI).”

​

Q3: Will foreign companies be subject to CMMC requirements?

A3: Whether or not foreign members of the DIB will be assessed against CMMC has yet to be determined by the DoD.  The proposed 48CFR CMMC regulation says, “Many respondents commented on whether CMMC will apply to foreign suppliers. Response: If the program office or requiring activity identifies a need to include a CMMC requirement in a contract, it will be included in the solicitation and resulting contract unless the contract is exclusively for COTS items. The proposed rule does not exempt foreign suppliers from CMMC requirements."

 

Q4: Does it matter what external service providers we use to support our enterprise?

A4:  Absolutely. External service providers (ESPs) are not a category explicitly defined by NIST but they are defined in the CMMC regulation. They are defined by the DoD in reference to CMMC as, “external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, Cybersecurity-as-a-Service Providers.” The CMMC Assessment Process (CAP) also includes a discussion of Service Providers in Section 1.5.4., “Ascertain the Use of External Cloud Service Providers,” which equivocates Cloud Service Providers with other ESPs. Therefore, it is important for OSC’s to be mindful about all ESPs they employ, with the understanding that they will need their own CMMC certification. The proposed 32 CFR 170 CMMC rule requires that all organizations that process Security Protection Data (not defined yet) will be considered ESPs and require their own CMMC certification.  Our assessment of 32 CFR 170 as proposed is that DoD intends to mandate the CMMC certification of all MSP and MSSPs that service DIB companies.

 

Q5: When will I have to be compliant with NIST 800-171 Revision 3?

A5: Revision 3 is the current, formalized version of NIST 800-171. Revision 3 was published as a final in May of 2023.   The DoD has issued the class deviation also in May of 2024 which ties current contractual cyber requirements to Revision 2.   The length of this class deviation is listed as until canceled.  Based on the public comments of the CAICO on the time to produce CMMC training based on revision 3, and the fact that the CMMC regulation itself is tied to Revision 2, we do not anticipate the imposition of Revision 3 for several years.

 

Q6: Since 800-171 Revision 3 impacts CMMC requirements, does that mean CCPs and CCAs will need to undergo training and/or exams?

A6: The CMMC Program Management Office is considering this, but have not provided any further insights at this time. We recommend staying up to date with the new requirements, but do not expect new assessments to be required

​

Q7: Do I have to apply FIPS to my entire system? 

A7: No. FIPS-validated encryption is needed when used to protect the confidentiality of CUI.  In the "inside the data center" where appropriate physical controls are in place to protect the confidentiality, then FIPS is not required.

Meet the Team

Meet Defense Cybersecurity Group

CSPH4327_edited.jpg
  • LinkedIn

Vincent Scott FOUNDER AND CEO

Vince is a US Navy veteran with more than 30 years of cyber experience.  A graduate of the US Naval

Academy, Vince’s 21-year career in military operations included cyber warfare, information warfare, and

intelligence operations. He conducted Intelligence Surveillance and Reconnaissance (ISR) activities at the tactical, component, theater, and national levels. He served with multiple national intelligence agencies.  He deployed numerous times, including combat operations in both Gulf Wars, in addition to deployments to Bosnia, Kosovo, and elsewhere.  

 

Following his diverse career in military operations, Vince joined Oklahoma State University’s Multispectral Laboratory (UML) as Chief Information Officer (CIO) and the Director of C5ISR. Following his work with OSU, Vince held positions with P&G as their Global Leader of Cyber Incident Response and Threat Intelligence, served as a Director in PWC's Cybersecurity and Privacy practice, and led PwC’s National Cyber Threat Intelligence Organization.  Most recently he served as the Executive Director of SENTIR Research Laboratory and is currently the Chief Security Officer of Solutions Through Innovative Technologies (STI-TEC). 

 

Vince founded DCG with the aim of supporting the Defense Industrial Base (DIB) throughout the implementation of the new Cybersecurity Maturity Model Certification (CMMC). As a veteran and small business owner himself, Vince's mission is to provide thorough, cost-effective consulting and services throughout the DIB's ongoing compliance journey. He is currently a Certified CMMC Assessor (CCA) and Provisional CMMC Instructor (PI). He is the FBI Infragard's SME on Cyber-Warfare, and former editor of the journal of Law and Cyberwarfare.​

CAICO Assesor Badge.png
nick martin.jpg
  • LinkedIn

Nick Martin DIRECTOR OF CYBERSECURITY AND INFORMATION MANAGEMENT

With over 15 years of experience in Information Technology and Data Governance Nick has in-depth

knowledge of information security and data provenance. He works to advance the cybersecurity capabilities of critical industries large and small, and to assist clients with their information security, data governance, and secure data migration requirements. From the depths of Controlled Unclassified Information (CUI) to surrounding Federal requirements including DFARS, FedRAMP, CMMC, and NIST he provides cybersecurity and data management expertise that will enable the betterment of our clients and their customer base.

 

Nick’s background includes service in the US Navy as an Information Technology Specialist, Database Security Manager at G4S International, and Global Director of Compliance at Cocoon Data.   He has a BS in Computer Science, holds certifications in networking and Unix administration, and has completed the CMMC Certified Professional course.  

unnamed.png
C Norman Headshot (1).jpg
  • LinkedIn

Charles Norman CONSULTANT

Charles “Chuck” Norman is an accomplished executive with a track record in developing, implementing,

and leading cybersecurity, governance, and risk programs. He has demonstrated success in building cross

-functional, diverse teams to align IT and business strategies in large global enterprises. A graduate of Indiana State University, Chuck has applied his degree in Computer Science and Mathematics throughout his career. Most recently, he served as a Sr. Client Solutions Advisor for Optiv Security, where he acted as a business development partner to sales executives, as well as a trusted advisor to F500 client executive and senior management teams. At DCG, Chuck supports communications with C-Suites, develops approach methodology for large organizations, and serves as a consultant to businesses seeking CMMC support. 

unnamed.png
milton.jpg
  • LinkedIn

Milt Songy SECURITY COMPLIANCE ANALYST

Milt is a graduate of the United States Naval Academy with a B.S. in Engineering, and of Southern

Methodist University’s Cox School of Business, where he earned a Masters of Business Administration. He is a retired U.S. Navy Surface Warfare Officer, Manufacturing Operations Manager, and entrepreneur with a passion for holistic problem solving and a keen eye for detail. His experience in the cyber world includes private client consulting, ERP, CAD, ISO certification, and OSHA compliance.

 

At DCG, he applies his business strategy mindset to cybersecurity and compliance consulting.  He is a Certified CMMC Professional (CCP) and a member of the FBI’s Infragard. He also has extensive experience in coaching, non-profit operations management, and fundraising —but he’d rather be sailing.

unnamed.png
TJ White png.png
  • LinkedIn

T.J. White STRATEGIC ADVISOR 
FOUNDER & CEO, ONE NETWORK CONNECTION 

Vice Adm. TJ White hails from Spring, Texas. A graduate of the United States Naval Academy, he received a BS in Mechanical Engineering in 1987, an MS in Systems Technology from the Naval Postgraduate School, and an MS in National Resource Strategy from the National Defense University–Industrial College of the Armed Forces (now The Eisenhower School). He has received diplomas from a myriad of executive and professional education programs, including MIT, Harvard, and Darden.

​

TJ is a 30-plus year national security practitioner, strategist, and cyber operations expert. He is experienced in leading joint military formations and combined intelligence community organizations, and has commanded at all levels within the Navy and Joint Service; most recently as the Commander, United States Fleet Cyber Command / United States TENTH Fleet / United States Navy Space Command and previously as the Commander, United States Cyber National Mission Force / USCYBERCOM. He is a former Director of Intelligence for United States Indo-Pacific Command and has served globally in various combat zones and conflict areas supporting competition dynamics. A former CINCPACFLT Shiphandler-of-the-Year, he misses his days driving a Battleship.  

​

Following his retirement from the USN as Vice Admiral (VADM), White founded OneNetworkConnection, a small business designed to support organizations in understanding the value and opportunity found in collective cybersecurity. As a business owner and highly experienced veteran of cyber warfare, Tim collaborates with DCG on critical communications with C-Suites and board members in regards to CMMC and other developing information security frameworks. 

TJ
BIO.jfif
  • LinkedIn

Shelby Scott LEAD TECHNICAL WRITER 

unnamed.png

Shelby is Certified CMMC Professional (CCP) with more than 3 years of experience creating CMMC-specific documentation and informational materials. She currently supports DCG as a Lead Technical Writer and project manager. 

​

Shelby graduated with a double major in Philosophy and Environmental Studies from Eckerd College in 2021. She has experience in nonprofit administration, grant and proposal writing, and environmental education. 

CSPH4273_edited.jpg
  • LinkedIn

Jacob Scott TECHNICAL WRITER 

Jacob is a technical writer with a B.A. and an equivalent A.S. in software development. He has four years of CMMC implementation experience taking companies from 0 to compliant. He focuses on working documentation and working understanding of the regulation for clients. He has also been focusing on VDI CMMC-as-a-service compliance.

Jacob has worked a number of technical positions and projects, including service desk, maintenance, and system implementation. He has led the implementation of Security Onion SIEM in a corporate environment and open source ticketing systems. Outside of CMMC he has also worked extensively with SSDF and EO 14028, as well as the implementation of secure software development.

bottom of page