Discipline is the difference between winning and losing - even in the world of security and compliance. In this episode of Trust Issues, hosts Brandon and Bruno Lecoq welcome Cindy Oliveto, Senior Director of Operations at BEMO, to break down why government contractors struggle with certification, how to avoid the "checkbox trap," and why automation and clear ownership are non-negotiable for real compliance success. This episode serves as a critical reminder that you can have all the certifications in the world, but without operational discipline, they amount to naught.
What You’ll Learn:
- Why repeatable processes and consistent operational rigor across every department are the key to compliance
- How SOC 2, ISO 27001, and CMMC differ strategically
- The "post-certification cliff" you can't ignore and why compliance isn’t a one-time project
- How to build an unstoppable compliance infrastructure
- Why your policies must match your actual business operations
- The hidden prerequisite before deploying AI responsibly
Episode Chapters:
00:00 Introduction
01:46 From Entrepreneurship to BEMO: Lessons Learnt
02:36 Building Repeatable Systems with Clear Ownership
05:48 SOC 2 vs. ISO 27001 vs. CMMC: Framework Breakdown
10:20 What to Expect from CMMC Level 2 Audits
15:17 Automating Evidence Capture Across 60 Log Sources
18:38 Why Data Cleansing Must Come Before Deploying AI
23:49 ISO 42001: Why BEMO is Going After this Certification
28:10 The Shadow AI Problem & Stopping Unauthorized Data Exposure
33:42 Why it Should be Team First, Tools Second, Automation Third
36:25 Key Takeaways: Building Sustainable Compliance
Quotes:
"I think looking at the entire operating model across an organization is important. So developing that dependable rhythm across teams, those are the key things that I think build team dependencies, customer trust, and deliver good outcomes."
"It requires a lot of discipline, and companies really aren't sure what or how to implement that discipline. So the scoping required, the ability to track, and the ability to monitor evidence - the challenges really aren't the tools or the security. It is documentation, operational rigor, cadence, and they're just not prepared to embrace that across all of their departments."
"Before you can even start thinking that your agent can have accurate boundaries within how you want it to operate, you need group policies and access privileges in place across your organization."
"Identify your core team that is gonna drive this initiative - who's in charge of it, and who's owning it, and what are the players?"
"We ensure customers know what it takes to manage the security, and manage it from a business standpoint. We give them templates so that it helps them come up to speed real quickly around what those policies and what the controls mean."