Secure Talk Podcast

You did your self-assessment and received a perfect 110 score, congratulations! You met with your C3PAO and scored less than 0. What happened?

How can two CMMC assessors examine the same defense contractor and arrive at completely different scores? A lack of rigor in assessment methodology could mean the entire certification system is measuring the assessor — not your security. Logan Therrien, Chief Strategy Officer at Kieri Solutions and one of the original C3PAO lead assessors in the U.S., joins Justin Beals to expose a critical flaw in how CMMC Level 2 assessments are conducted today: no standardized evidence sampling methodology.


This episode is for DoD contractors, compliance consultants, and defense industry executives who want to understand what's at stake — and how to navigate assessments before the rules tighten further.
What you'll learn:

  • Why NIST 800-171 was intentionally vague — and how that backfired for assessors
  • How one assessor might review a single evidence point while another reviews 100%
  • What ISO 17020 accreditation will require of C3PAOs and why it matters now
  • What the 48 CFR expansion means for 118,000+ contractors in the supply chain
  • How to prepare for an assessment so it feels like an open-book test

Logan also co-authored the peer-reviewed paper "The Need for Standardized Evidence Sampling in CMMC Assessments: A Survey-Based Analysis of Assessor Practices" (with John Hastings) — one of the first data-driven studies of assessment methodology in the CMMC ecosystem.

Chapters

00:00 Introduction to Secure Talk and Psychometrics
01:45 Understanding CMMC and Its Implications
05:32 Logan Therrien's Background and Insights
09:16 The Challenges of Assessment Methodologies
16:10 The Scale and Impact of CMMC Assessments
20:31 Navigating Standards in Cybersecurity
23:53 Evidence Testing in CMMC Assessments
27:43 The Importance of Reliable and Accurate Assessments
36:22 Building Trust Between Industry and Defense
41:46 Future Directions in CMMC Research


Resources:

Therrien, Logan and Hastings, John. (2026, February 10). The need for standardized evidence sampling in CMMC assessments: A survey-based analysis of assessor practices. arXiv. https://arxiv.org/abs/2602.09905

What is Secure Talk Podcast?

Secure Talk reviews the latest threats, tips, and trends on security, innovation, and compliance.

Host Justin Beals interviews leading privacy, security and technology executives to discuss best practices related to IT security, data protection and compliance. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.