{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Secure Talk Podcast","title":"Inside CMMC Implementation: What November 10th Means for Defense Contractors | Secure Talk with Bob Kolasky","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/180b26bc\"></iframe>","width":"100%","height":180,"duration":3338,"description":"Bob Kolasky walked the halls where CMMC was built. As founding director of CISA's National Risk Management Center, he watched this policy evolve from concept to pilot program to federal law—surviving three presidential administrations because the need never changed. On November 10, 2025, that policy becomes mandatory reality for every defense contractor pursuing new DoD solicitations. Self-certification ends. Independent verification begins. And the defense industrial base faces its most significant security transformation in a generation. In this conversation with Justin Beals, Bob explains what contractors need to understand about the deadline—and what recent enforcement actions reveal about gaps that have existed all along. From Honor System to Accountability: For years, defense contractors self-certified compliance with NIST 800-171 cybersecurity requirements. The system worked on trust. Contractors checked boxes, DoD accepted attestations, and controlled unclassified information flowed through supply chains with security gaps nobody was measuring. Then came the settlements. Raytheon paid $8.4 million for failing basic security controls—no antivirus software on systems handling defense information, no system security plans, missing access controls. Penn State settled $1.25 million across 15 contracts. Georgia Tech paid $875,000 in the first DOJ intervention in a cybersecurity False Claims Act case. These weren't breaches. These were preventable failures that contractors had certified didn't exist. Katie Arrington's warning to the industry has been consistent: \"If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014.\" Translation: adversaries are watching, and contractors broadcasting difficulties are revealing exactly where vulnerabilities exist. The November 10th Framework: After this deadline, every new contract solicitation includes CMMC requirements matched to data sensitivity: Level 1 handles federal...","thumbnail_url":"https://img.transistorcdn.com/FI5U-V5f7xdITFyeJIbD7DHq2VtWIj7V7SxzbEqbbTM/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS81NzRj/MTkwYWEwN2IzMjIw/ZjRhZTE0MGJiYjhi/N2YxMS5qcGc.webp","thumbnail_width":300,"thumbnail_height":300}