In the latest episode of Trust Issues, Jacob Anderson joins the team to discuss the practical realities of achieving and maintaining CMMC certification. The conversation explores the common misconceptions that lead to audit failures and provides a roadmap for contractors who are just beginning their journey toward compliance.
Jacob began his career in a way few cybersecurity experts do today. Starting at Los Alamos National Laboratory in the nineties, he worked alongside specialists who were already treating data exfiltration as a serious government priority long before the general public understood the risks. With decades of experience in the field, Jacob has witnessed the transition from quiet government projects to the highly regulated world of the defense industrial base.
Listen now:
👉 Apple: https://link.thetrustissuespod.com/1i4aOD
👉 Spotify: https://link.thetrustissuespod.com/BfTKTk
The shift from voluntary compliance to strict enforcement
Many contractors currently view CMMC as a brand-new set of rules imposed by the government, but the underlying requirements have been in place for years. Since 2016, the DFARS safeguarding clause has required contractors handling covered defense information to implement NIST SP 800-171, yet many organizations have relied on self-assessment without the pressure of an external audit. Jacob notes that CMMC functions primarily as the enforcement arm for these existing standards. The era of simply posting a high self-assessed score and moving on is ending as the Department of Defense prepares to verify that the controls are actually functioning in real-world environments.
Why physical security is the primary hurdle for small shops
When businesses begin their CMMC journey, they often focus entirely on the electronic and digital side of their operations. However, Jacob points out that physical access control is frequently the area where small and medium-sized businesses encounter the most resistance. This includes everything from the exterior doors of the facility to the interior doors leading into server rooms or IT closets. While a company might trust its long-term employees, the government requires documented proof of who is entering sensitive areas at all times.
Understanding the total scope of your organization
A common strategy for businesses looking to save on costs is attempting to segment their organization so that only one office or a handful of computers are in scope for certification. Jacob explains that this enclave approach rarely works in practice because controlled unclassified information (CUI) tends to spread across mail servers, file servers, and backup systems throughout the entire company. To pass a CMMC assessment, the entire organization generally needs to be in scope, because confining CUI to a single room or a single person is impractical for most modern businesses.
The manual reality of 1,000 pages of evidence
One of the most underappreciated aspects of the certification process is the sheer volume of documentation required to satisfy an assessor. A typical evidence packet can easily reach a thousand pages because every control in the assessment requires its own proof. Jacob estimates that a single organization might spend upwards of forty-five man-days just collecting and organizing this data. Because configurations change and employees leave, this evidence must be refreshed continually to ensure it is still valid when the assessor finally arrives.
Why your team must own the system security plan
Outsourcing the creation of a System Security Plan (SSP) is a common mistake that can lead to long-term failure. Jacob emphasizes that while consultants can provide guidance, the contractor must be the one to perform the exercise of writing and maintaining the SSP. This ensures that the organization actually understands its own security controls and can continue to follow them after the external advisors have finished their engagement. Ownership of the plan also covers the ongoing training and traceability requirements that are often overlooked by companies looking for a quick fix.
The bottom line
Achieving CMMC certification is not a one-time event that ends with a certificate on the wall. Jacob compares the process to getting married, noting that receiving the certification is only the beginning of a long-term commitment to maintaining a high standard of quality. As the government moves toward stricter enforcement over the next three years, contractors who view security as a core business driver rather than just a cost center will be the ones who remain competitive in the defense supply chain.
Frequently asked questions
1. Is CMMC a new set of cybersecurity rules? CMMC is the enforcement mechanism for the NIST SP 800-171 requirements that DFARS has imposed on defense contractors since 2016.
2. Can we just certify the one department that handles government contracts? It is very difficult to containerize data this way because sensitive information often lives on mail servers and backups that are shared across the entire organization.
3. What is the biggest mistake small companies make during an audit? Many companies neglect physical security and fail to monitor internal access to server rooms or record who enters their facility.
4. How long does it take to gather the evidence for an audit? Gathering a thousand pages of evidence can take approximately forty-five man-days of focused effort.
5. Should we hire someone to write our system security plan for us? While you can get guidance, your internal team should be the ones to write and own the SSP so they understand how to maintain it after the consultants leave.