Trust Issues
Why CMMC became necessary in the first place.
June 30, 2026
CMMC did not appear overnight: it followed more than a decade of cybersecurity requirements, industry resistance, weak self-assessments, and contractors claiming compliance without doing the work. In this episode of Trust Issues, Brandon and Bruno Lecoq hear from Stacy Bostjanick, VP of Government Services Strategy at Cybersec Investments and former Director of CMMC Policy at the Pentagon, on why CMMC became necessary in the first place. She explains how stolen defense innovation affects every taxpayer and why small contractors can no longer assume attackers are not interested in them.
CMMC did not appear overnight. It followed more than a decade of contractors failing to do the work they were supposed to. In this episode of Trust Issues, Brandon and Bruno Lecoq welcome Stacy Bostjanick, VP of Government Services Strategy at Cybersec Investments and former Director of CMMC Policy at the Pentagon, to unpack the long road from DFARS and NIST 800-171 to enforceable CMMC assessments.

Stacy explains how contractors gamed self-attestation, why the cost of stolen innovation extends far beyond a single compromised company, and how attackers deliberately target small businesses within critical defense supply chains. She also takes listeners inside the federal rulemaking process and explains why today’s CMMC requirements are only the beginning of a much larger shift toward stronger, more automated security.

Episode chapters:

00:00 Introduction
00:01 Stacy’s journey from defense contracting to CMMC policy 
04:31 How contractors gamed cybersecurity requirements 
08:00 Why self-attestation failed 
12:02 The real reason CMMC became necessary
12:37 Why taxpayers should care about stolen innovation 
17:01 How one supplier can stop an entire production line 
18:00 Attackers are already inside the critical infrastructure
19:49 What CMMC was actually designed to do
21:43 Why federal rulemaking takes so long 
28:22 How the team processed more than 2000 public comments 
34:04 Small business costs vs. the cost of stolen innovation
35:10 Why attackers wait for smaller contractors 
39:00 The unsecured laptop problem in the defense supply chain 
42:00 Political appointees, federal employees, and policy change
48:18 Why CMMC is only the beginning
51:00 Turning cybersecurity resistance into a new normal
55:00 Key takeaways and closing thoughts

Quotes:

  1. “As a taxpayer, you should be pissed, because the data and information that people are able to steal because we don’t have good cyber hygiene took billions of dollars of innovation and development to put together.”
  2. “They lie and wait for the small businesses because they know their cyber is not as advanced as some of the big companies.”
  3. “The whole idea behind CMMC was to get the defense industrial base to keep our data and information ours.”
  4. “The assessment isn’t that expensive. It’s the compliance that you were supposed to be doing.”
  5. “This is the roll before the crawl, before the walk, before the run. This is just the very beginning.”
  6. “They are already in our networks. They are already monitoring what we’re doing.”

Connect with the team: 

👉 Stacy Bostjanick on LinkedIn: https://www.linkedin.com/in/stacy-bostjanick-a3b67173 
👉 Bruno Lecoq on LinkedIn: https://www.linkedin.com/in/brunolecoq/
👉 Brandon Lecoq on LinkedIn: https://www.linkedin.com/in/brandon-lecoq 
👉 BEMO Website: https://www.bemopro.com/ 


Trust Issues is handcrafted by our friends over at: fame.so