
Space Power: Want a Defense Contract? New Rules.
Nov 15, 2025
In a captivating discussion, retired U.S. Air Force Colonel Steven Shirley, former Executive Director of the DoD Cyber Crime Center, delves into the Cybersecurity Maturity Model Certification (CMMC) and its implications for the defense industrial base. He highlights the necessity of verified assessments to combat cybersecurity risks and the challenges faced by small companies in compliance. Shirley also outlines the phased rollout of CMMC and the importance of contract flow-down from primes to subcontractors, emphasizing the intersection of cybersecurity and acquisition reform.
AI Snips
CMMC Is A Three-Tier Security Standard
- CMMC is a three-tiered cybersecurity standard that adds mandatory technical controls to DoD contractors' networks.
- Level 2 demands 110 NIST-derived controls and external assessment on a three-year cycle.
Compliance Flows Down The Supply Chain
- CMMC requirements flow down from primes through all subcontractors on a contract.
- Primes become responsible for ensuring every sub in their supply chain is compliant.
Self-Attestation Proved Insufficient
- The 2017 DFARS clause required contractors to adopt NIST controls but allowed self-attestation.
- DoD concluded self-attestation was insufficient and moved toward verified assessments under CMMC.

