Trust Issues
The four phases of a CMMC assessment
June 16, 2026
Norris Carden joins the show to discuss the realities of becoming a certified defense contractor. He shares how his journey from broadcast journalism to the front lines of cybersecurity informs his perspective on auditing. This discussion explores the critical components of a successful assessment and why skipping steps can lead to immediate failure.
Norris Carden is a lead CMMC assessor who has seen the industry from both the implementation and auditing sides. He explains the fundamental necessity of the system security plan and how it serves as the primary document for any official evaluation. The conversation highlights why many organizations struggle with the technicalities of log management and periodic reviews.

Norris also outlines the specific phases of an assessment, providing a roadmap for small businesses looking to secure government contracts. Listeners will learn why access control remains the most frequent point of failure and how to properly prepare for an audit before the first day begins.

Episode chapters:

00:00 Introduction
00:50 From the newsroom to cybersecurity leadership
06:45 Lessons from the early days of CMMC
10:17 Why most implementation statements are incomplete
14:14 The widespread misunderstanding of log reviews
19:29 Why the system security plan is what gets assessed
24:19 Navigating the four phases of an assessment
32:47 The value of a mock assessment
40:10 Managing authorized users and Active Directory
46:39 Why an internal IT manager might not be enough
50:58 Access control as the foundation of everything
54:40 Final thoughts and wrap up

Quotes:

"Access control is the biggest one that most people fail because access control is the foundation that everything else is built upon. If you don't identify who your users are and document it, you're going to fail within 15 minutes of your assessment starting."

"It's the SSP that's getting assessed. The system security plan is what's getting assessed. If you're doing it, that's awesome. But you gotta show me. You gotta demonstrate in words how."

"Hire somebody that knows what they're doing. That's it. The company that hired me last year had an internal IT manager who said, 'I've read NIST 800-171, I can do this' and obviously he did, but that's rare."

Connect with the team:

👉 Jacob Anderson on LinkedIn: https://www.linkedin.com/in/norriscarden/

👉 Bruno Lecoq on LinkedIn: https://www.linkedin.com/in/brunolecoq/

👉 Brandon Lecoq on LinkedIn: https://www.linkedin.com/in/brandon-lecoq

👉 BEMO Website: https://www.bemopro.com/

Trust Issues is handcrafted by our friends over at: fame.so