Why CMMC became necessary in the first place.
CMMC did not appear overnight - it followed more than a decade of cybersecurity requirements, industry resistance, weak self-assessments, and contractors claiming compliance without doing the work. In this episode of Trust Issues, Brandon and Bruno Lecoq hear from Stacy Bostjanick, VP of Government Services Strategy at Cybersec Investments and former Director of CMMC Policy at the Pentagon, on why CMMC became necessary in the first place. She explains how stolen defense innovation affects every taxpayer and why small contractors can no longer assume attackers are not interested in them.
CMMC did not appear overnight. It followed more than a decade of contractors failing to do the work they were supposed to. In this episode of Trust Issues, Brandon and Bruno Lecoq welcome Stacy Bostjanick, VP of Government Services Strategy at Cybersec Investments and former Director of CMMC Policy at the Pentagon, to unpack the long road from DFARS and NIST SP 800-171 to enforceable CMMC assessments.
Stacy explains how contractors gamed self-attestation, why the cost of stolen innovation extends far beyond a single compromised company, and how attackers deliberately target small businesses within critical defense supply chains. She also takes listeners inside the federal rulemaking process and explains why today’s CMMC requirements are only the beginning of a much larger shift toward stronger, more automated security.
What You’ll Learn:
- Why years of weak self-attestation made CMMC assessments inevitable
- How stolen defense data allows adversaries to avoid billions in development costs
- Why small contractors are attractive targets, even when they believe their data has little value
- How one compromised supplier can disrupt an entire defense production line
- Why the real cost of CMMC is deferred cybersecurity work - not the assessment
- What the future of CMMC, automation, and zero trust could look like
Episode chapters:
00:00 Introduction
00:01 Stacy’s journey from defense contracting to CMMC policy
04:31 How contractors gamed cybersecurity requirements
08:00 Why self-attestation failed
12:02 The real reason CMMC became necessary
12:37 Why taxpayers should care about stolen innovation
17:01 How one supplier can stop an entire production line
18:00 Attackers are already inside critical infrastructure
19:49 What CMMC was actually designed to do
21:43 Why federal rulemaking takes so long
28:22 How the team processed more than 2,000 public comments
34:04 Small business costs vs. the cost of stolen innovation
35:10 Why attackers wait for smaller contractors
39:00 The unsecured laptop problem in the defense supply chain
42:00 Political appointees, federal employees, and policy change
48:18 Why CMMC is only the beginning
51:00 Turning cybersecurity resistance into a new normal
55:00 Key takeaways and closing thoughts
Quotes:
- “As a taxpayer, you should be pissed, because the data and information that people are able to steal because we don’t have good cyber hygiene took billions of dollars of innovation and development to put together.”
- “They lie in wait for the small businesses because they know their cyber is not as advanced as some of the big companies.”
- “The whole idea behind CMMC was to get the defense industrial base to keep our data and information ours.”
- “The assessment isn’t that expensive. It’s the compliance that you were supposed to be doing.”
- “This is the roll before the crawl, before the walk, before the run. This is just the very beginning.”
- “They are already in our networks. They are already monitoring what we’re doing.”
Connect with the team: