Cybersecurity & Certs
Course · 10 lessons · 58 min
CMMC 2.0 Foundations: Rules, Timelines, and CUI Basics for Defense Contractors
Understand the CMMC 2.0 program, its rulemaking and enforcement timeline, and how to identify and handle Controlled Unclassified Information across your defense contracts.
By the end, you'll be able to
- CMMC 2.0 Rollout and Realities
- Unlocking Federal Rulemaking and CMMC Implementation
- What Happens Next for 48 CFR 204.75: Timeline to CMMC Enforcement
- CMMC Rollout Countdown and the Road to 2025
Curriculum
10 lessons- 01CMMC 2.0 Rollout and RealitiesExplore the phased rollout of CMMC 2.0, how the new rules impact defense contractors, and what it takes to maintain compliance. Our hosts break down the assessment process, key requirements, and real-world implications—plus, share surprising insights and practical examples from the field.
- 02Unlocking Federal Rulemaking and CMMC ImplementationDive into the federal rulemaking process and how it shapes cybersecurity requirements for defense contractors. This episode explores how the 32 CFR 170 rule went from concept to implementation, and previews how the forthcoming 48 CFR 204 changes may follow that path. Hear practical insights relevant for anyone in federal compliance, cybersecurity, and defense acquisition.
- 03What Happens Next for 48 CFR 204.75: Timeline to CMMC EnforcementThe team unpacks the next phases now that 48 CFR Subpart 204.75 has cleared OIRA review, mapping out what’s ahead for activation and enforcement—including the practical timeline to a live, enforceable CMMC rule. Special focus is given to rulemaking milestones, contract impacts, and how the DoD’s phase-in policy shapes when CMMC compliance becomes required for defense contractors.
- 04CMMC Rollout Countdown and the Road to 2025What does the final year before full CMMC implementation look like? In this episode, we explore the definitive schedule, key requirements, and what defense contractors should expect as the November 10, 2025 effective date for DFARS 204.75 approaches.
- 05Safeguarding CUI and Data RightsThis episode uncovers how organizations in the defense sector can identify, handle, and protect Controlled Unclassified Information (CUI), Covered Defense Information (CDI), and Controlled Technical Information (CTI). We examine contract requirements, marking guidance, and the latest resources to help contractors navigate CMMC compliance and data rights management.
- 06Understanding Covered Defense Information in Defense ContractingThis episode guides listeners through key aspects of Covered Defense Information (CDI), from core definitions and marking requirements to contract data rights and procurement compliance. Hosts Eric, Paul, and Roz break down regulations, risks, and real-world examples to help users, product owners, and procurement staff safeguard sensitive information effectively.13 min
- 07CUI Clarity: What Contractors Need to KnowEric Marquette and Paul Netopski, a CMMC expert, break down how to identify CUI, where to look in contract artifacts like CDRLs and DIDs, and why export control, OPSEC, and CPI don’t always mean the same thing. They also cover how to handle unclear or inconsistent contract language, confirm obligations, and avoid costly marking and protection mistakes.11 min
- 08CUI Compliance: From Executive Order to DFARSThis episode breaks down how Controlled Unclassified Information evolved from a patchwork of agency labels into a single federal framework under Executive Order 13556, NARA, and DoDI 5200.48. It also explains how technical data controls, distribution statements, and DFARS clauses turn policy into enforceable contractor obligations.14 min
- 09Who Must Mark CUI? DoD Contracting Risks ExplainedEric, Paul, and Roz unpack why the DoD—not the contractor—bears the burden of identifying and marking CUI, and why accepting unlabelled data can create serious compliance and False Claims Act exposure.They also trace how DFARS clauses, NIST SP 800-171, and pre-award CIO variance approval shape the procurement process and set the system boundaries for CDI, CTI, and CUI.11 min
- 10CMMC Is a Program, Not a ProjectThis episode breaks down why CMMC success depends on lifecycle planning, from scoping contracts and data flows to building evidence, remediation, and formal assessment readiness. The hosts also dig into real-world scope traps, crosswalking existing controls, and why steady-state monitoring matters after certification.9 min
Your instructor
Cybersecurity Maturity Model Certification (CMMC) Unlocked
This podcast contains dialog, voices and materials that are generated by Artificial Intelligence tools, but reviewed and published by the creator.
Welcome to CMMC Unlocked, the definitive podcast for defense contractors, cybersecurity professionals, and compliance leaders navigating the complex world of the Cybersecurity Maturity Model Certification (CMMC). Hosted by a seasoned Certified CMMC Assessor and Instructor with years of hands-on experience in assessments, gap analyses, and implementation services, this series pulls back the curtain on what it really takes to achieve and maintain CMMC compliance. This podcast contains dialog, voices and materials that are generated by Artificial Intelligence tools, but reviewed and published by the creator.
Each episode dives deep into the practical realities of CMMC—from interpreting the latest updates from the DoD and Cyber-AB, to demystifying assessment criteria, to sharing real-world lessons learned from the field. Whether you're a small business just starting your compliance journey or a prime contractor preparing for a Level 2 assessment, this podcast delivers actionable insights, expert interviews, and strategic guidance to help you succeed.
What You’ll Learn:
How to prepare for a CMMC assessment (and what assessors are really looking for)
Common pitfalls and how to avoid them
Implementation strategies that work for organizations of all sizes
Updates on CMMC rulemaking, timelines, and policy changes
Stories from the field: anonymized case studies and lessons learned
Why Listen? Because compliance isn’t just about checking boxes—it’s about protecting our national defense supply chain. And no one understands that better than someone who’s been in the trenches, guiding organizations from uncertainty to certification.
Visit Cybersecurity Maturity Model Certification (CMMC) UnlockedStart the course
10 lessons · 58 min. Free, no signup.
More in Cybersecurity & Certs
See all
Mastering NIST SP 800-171 Control Families for CMMC Level 2
Implement the core NIST SP 800-171 control families, from access control and audit to configuration, media, physical, and system integrity, to satisfy CMMC Level 2.
14 lessons · 2h 27mStart
CMMC Assessment, Risk, Incident Response, and Legal Liability
Prepare for CMMC assessment and certification while building risk management, incident response, and documentation practices that withstand audit and legal scrutiny.
14 lessons · 1h 29mStart
Cybersecurity Essentials for Small Businesses
After this course you can put core cybersecurity controls in place for a small business: access control, data protection, incident response, and network security.
12 lessons · ~2h 36mStart
Vulnerability Management: Patching, Prioritization, and CVE Trends
After this course you can run a vulnerability management program, prioritize patching, and track emerging CVE and zero-day threats.
6 lessons · 1h 20mStart