QT9 Q-Cast

Episode 3: Navigating CMMC: Self-Assessment to Certification

Written by Christian Reyes | Nov 4, 2025 7:25:24 PM

Is your prime saying they can’t award the PO until your CMMC status shows in SPRS? In this QT9 Q‑Cast episode, host Christian Reyes interviews Rhia Dancel (Senior Manager of Information Security at NSF, a C3PAO) to demystify CMMC compliance—who needs it, how Levels 1–3 map to NIST SP 800‑171/172, and exactly what assessors expect.

What you’ll learn:

  • CMMC Levels 1, 2, and 3 explained: which level protects FCI vs. CUI, and how verified assessments replaced self‑attestation across 320 assessment objectives.
  • Who needs CMMC (primes and all tiers of subcontractors handling FCI/CUI) and how requirements flow down—plus where COTS fits.
  • Where CMMC appears in contracts (32 CFR program rule; 48 CFR clauses) and the rollout toward November 2028.
  • The “minimum viable evidence” package for Level 2: SSP, network diagram, and asset inventory—and why consistency matters in Phase 1 scoping.
  • How assessors score evidence (test, examine, document) and why technical evidence carries more weight.
  • Cloud quick test for CUI: use providers that are FedRAMP Moderate or equivalent.
  • Realistic Level 2 timeline (plan ~12 months from zero) and how a CUI enclave + control inheritance from FedRAMP solutions can accelerate readiness.
  • Ongoing obligations: annual affirmation and 3‑year recertification (it’s not one‑and‑done).

Guest: Rhia Dancel, NSF (C3PAO & certification body).
Host: Christian Reyes, QT9.

Resources mentioned

Disclaimer
This episode shares general information—not legal advice. Always verify requirements in your specific solicitations and contracts.

If this helped, please like 👍, subscribe 🔔, and share with a teammate who owns security, contracts, or compliance.

Hashtags
#CMMC #NIST800171 #NIST800172 #CUI #SPRS #FedRAMP #DefenseIndustrialBase #DIB #C3PAO #QT9QCast #NSF