Trust Issues
The Evolution and Enforcement of CMMC with Jacob Anderson
June 2, 2026
Join Jacob Anderson, founder of Beyond Ordinary Software Solutions, as he explores the fundamental shift in the defense industrial base from self-reporting to rigorous enforcement under CMMC. This episode examines the evolution of compliance tools like Cyber Sam and why small businesses often fail their audits by ignoring physical access requirements. Jacob breaks down the reality of building a living security program that satisfies government inspectors and future-proofs your organization for the upcoming era of federal mandates.
Jacob Anderson brings forty years of high-stakes security experience to the table, starting from his formative years detecting data exfiltration at Los Alamos National Laboratory. In this conversation, he traces the journey of federal compliance from the voluntary era of CMMC 1.0 to the strictly enforced requirements of version 2.0. We go behind the scenes of how he built Cyber Sam, an AI-powered regulation query system, to help contractors navigate the dense nuances of NIST 800-171 without getting lost in the bureaucracy.

The discussion moves into the practical trenches of certification, where many small and medium-sized businesses run into unexpected roadblocks. Jacob explains why the common strategy of trying to segment a single office or computer for certification is a myth that auditors will quickly dismantle, as data often lives across the entire organization. He shares details on the significant manual effort required to maintain a thousand-page evidence packet, noting that the process can take upwards of forty-five man-days for a single assessment. Listeners will learn why owning their System Security Plan is non-negotiable and how the next three years will define the survival of contractors within the defense supply chain.

Quotes:

"The commercial space has no idea about why the government wants you to do this, because in their world, compliance is just a cost center. But that's the thing: CMMC, again, it's not just about cyber. It's about the whole picture."

"The government, Uncle Sam, doesn't know Bob and Sally, so you need badge systems. Once you get past that, the next conversation is really about the interior. You have a server room, and even though Bob and Sally access it, Joe and Tim might go in there and shouldn't be, so you need to know when they go in there."

"We don't do the SSP for them because that's an exercise they have to do on their own, so they understand what they're doing. That's super important because we're gonna leave, and they gotta maintain it. And then there are lots of other components they're always gonna be missing, like the whole training component and the traceability of training."

"If you wanna be a CMMC contractor, the first thing to learn is to go and read the actual CMMC and get that down. Learn as much as you can about it and look at the nuances of CMMC because it's not just cyber; it's a lot of other stuff. Then learn more of these GRC platforms and find one that makes sense for you if you're gonna be doing this on your own."

Connect with the team:
 

👉 Jacob Anderson on LinkedIn: https://www.linkedin.com/in/jacobwanderson/  

👉 Bruno on LinkedIn: https://www.linkedin.com/in/bruno 

👉 Brandon on LinkedIn: https://www.linkedin.com/in/brandon 

👉 BEMO Website: https://www.bemopro.com/



Trust Issues is handcrafted by our friends over at: fame.so