CMMC Assessment, Risk, Incident Response, and Legal Liability — audio course cover

Course · 14 lessons · 1h 29m

CMMC Assessment, Risk, Incident Response, and Legal Liability

Prepare for CMMC assessment and certification while building risk management, incident response, and documentation practices that withstand audit and legal scrutiny.

By the end, you'll be able to

  • Self-Assess or Certify: The New DoD CUI Assessment Split
  • CMMC Scoping guides
  • How Long and How Much? Realistic Timelines and Costs for CMMC & NIST SP 800-171 Compliance
  • Risk Assessments and Meeting NIST SP 800-171 Control 3.11.1

Curriculum

14 lessons
  1. Self-Assess or Certify: The New DoD CUI Assessment Split
     This episode breaks down the Department of Defense's recent decision on when contractors can self-assess for CMMC Level 2, and when a third-party assessment is required. The hosts clarify how the NARA and DoD CUI registries impact assessment requirements, and explain why ACAT categories are no longer the dividing line.
  2. CMMC Scoping Guides
     Review of the CMMC scoping guides. In this episode we dive into the CMMC L2 Scoping Guide and provide a summary of the categories and details within.
  3. How Long and How Much? Realistic Timelines and Costs for CMMC & NIST SP 800-171 Compliance
     This episode unpacks the complete journey to CMMC/NIST SP 800-171 compliance, breaking down the phases, expected timelines, and real-world costs using authoritative federal guidance and hands-on field experience. Drawing from key federal regulations and the Critical Prism Defense whitepaper, we deliver facts and planning models for organizations at any starting point.
  4. Risk Assessments and Meeting NIST SP 800-171 Control 3.11.1
     Dive into how risk assessments underpin NIST SP 800-171 compliance, with a focus on control 3.11.1. Our expert hosts break down what assessors look for, walk through real-world approaches, and share lessons learned from the field.
  5. Deep Dive: NIST Risk Assessment & Prioritization Process
     Join Eric, Ruby, Paul, and Roz as they break down the NIST IR 8286 series and SP 800-30 guidance for cybersecurity risk assessment. This episode explores how to set enterprise risk appetite, create and score risk scenarios (including threats and vulnerabilities), use business impact analysis for prioritization, and aggregate, monitor, and report risks for executive risk decisions. The team uses relatable examples and practical case studies to show how to turn risk analysis into real-world, risk-based decisions.
  6. Making CMMC Risk Management Practical: RA Domain, Policies, and Change Management (23 min)
     A practical how-to episode on the CMMC 2.0 Level 2 Risk Assessment (RA) domain for defense contractors. Paul Netopski and Roz the Rulemaker walk through the three RA practices from NIST SP 800-171 (3.11.1, 3.11.2, 3.11.3), show how to build and use a Risk Management Policy aligned to NIST and ISO 31000, and connect risk assessment to real-world threats, third-party risks, business risk appetite, and change management. The hosts reference prior episodes on Configuration/Change Management and other domains to help contractors integrate risk into everyday decisions about people, places, and technology in CUI scope.
  7. Incident Response Interlaced: DFARS 252.204-7012 and NIST SP 800-171
     Explore how incident response requirements from DFARS 252.204-7012 and NIST SP 800-171 complement and amplify each other. Our experts dissect what each demands, how they mesh in practice, and what that means for defense contractors. This episode highlights actionable steps and noticeable pitfalls, with real-life examples from industry and government.
  8. Building a Bulletproof Incident Response Plan
     This episode dives into the essentials of incident response plans required by NIST standards, explores best practices and testing, and highlights how to leverage providers like Vertek and your MSSP for superior readiness. Our hosts break down actionable steps, useful examples, and real-world MSSP integration strategies, making your compliance journey clear and manageable.
  9. Real-World Cyber Incident Response Beyond the Tabletop
     Explore how Bridgewater State University's Cyber Range revolutionizes cybersecurity training, making incident response testing more immersive than traditional tabletop exercises. Hear insights on simulating real attacks, following NIST guidance, and how organizations can use this environment for CMMC and real-world readiness.
  10. NIST Incident Response (16 min)
      Incident Response for NIST CSF 2.0, NIST SP 800-171r2 and CMMC 2.13.
  11. CA Controls Unlocked: Security Plans, POA&Ms, and Continuous Monitoring (14 min)
      In this episode, we break down the three core compliance documents that make the CA domain real in practice: the System Security Plan, the Plan of Action and Milestones, and Continuous Monitoring. We'll explain what each document is, what it should contain, and how assessors and compliance teams use them together to support CMMC and NIST SP 800-171 implementation.
  12. SSP Breadcrumbs: Proving Controls, Scope, and Inheritance (8 min)
      This episode breaks down what assessors actually need from your System Security Plan control implementation summary: precise control status, exact evidence references, and the real mechanisms behind each claim. It also explains how to handle scoping, inheritance, and external services without leaving gaps or ambiguity.
  13. CMMC "Significant Changes": Do They Really Invalidate Your Certification? (17 min)
      In this episode of CMMC Unlocked, host Paul Netopski breaks down one of the most misunderstood phrases in the new CMMC rule set and CyberAB guidance: "significant changes." Many small defense contractors and their advisors worry that any major IT or organizational change will automatically invalidate a hard-won Level 2 certification. Paul walks through what the 32 CFR Part 170 preamble, the Level 2 Scoping Guide, and the Level 2 Assessment Guide actually say—and what they don't.
      We unpack the distinction between:
        • When "significant architectural or boundary changes" require a new certification assessment, and
        • When "significant changes" simply require you to update your CMMC Level 2 self-assessment and affirmation, in line with your ongoing risk management and change-management processes.
      Drawing on earlier episodes about risk assessments and continuous monitoring, Paul offers practical guidance for small DIB organizations and consultants on how to:
        • Define what "significant change" means for your environment using NIST SP 800-37, 800-53, and 800-53A concepts.
        • Build change-management checkpoints that flag potential CMMC impact early.
        • Decide when a change triggers a new self-assessment and SPRS update versus when it's covered by your annual affirmation.
        • Keep your System Security Plan, asset inventory, and CMMC Assessment Scope aligned as your environment evolves.
      If you're worried that a tech refresh, cloud migration, or acquisition will blow up your CMMC status, this episode will help you separate rumor from requirement and integrate "significant change" into a mature, risk-based compliance program.
  14. False Claims Act and the Cybersecurity Compliance Trap (11 min)
      Dive deep into the False Claims Act, the Civil Cyber-Fraud Initiative, and how lapses in cybersecurity compliance with DFARS and NIST SP 800-171 can lead to hefty fines. Our hosts unpack how qui tam whistleblowers bring these cases to light by exploring high-profile settlements, revealing the potential for severe financial and reputational fallout across the defense contracting world. None of these cases have involved our clients, but the lessons are critical for everyone navigating cybersecurity compliance.

Your instructor

Cybersecurity Maturity Model Certification (CMMC) Unlocked

This podcast contains dialog, voices and materials that are generated by Artificial Intelligence tools, but reviewed and published by the creator.

Welcome to CMMC Unlocked, the definitive podcast for defense contractors, cybersecurity professionals, and compliance leaders navigating the complex world of the Cybersecurity Maturity Model Certification (CMMC). Hosted by a seasoned Certified CMMC Assessor and Instructor with years of hands-on experience in assessments, gap analyses, and implementation services, this series pulls back the curtain on what it really takes to achieve and maintain CMMC compliance. Each episode dives deep into the practical realities of CMMC—from interpreting the latest updates from the DoD and Cyber-AB, to demystifying assessment criteria, to sharing real-world lessons learned from the field. Whether you're a small business just starting your compliance journey or a prime contractor preparing for a Level 2 assessment, this podcast delivers actionable insights, expert interviews, and strategic guidance to help you succeed.

What You'll Learn:
  • How to prepare for a CMMC assessment (and what assessors are really looking for)
  • Common pitfalls and how to avoid them
  • Implementation strategies that work for organizations of all sizes
  • Updates on CMMC rulemaking, timelines, and policy changes
  • Stories from the field: anonymized case studies and lessons learned

Why Listen? Because compliance isn't just about checking boxes—it's about protecting our national defense supply chain. And no one understands that better than someone who's been in the trenches, guiding organizations from uncertainty to certification.