Tom Conkle

Cyber-AB shared a CMMC ecosystem update yesterday. There are now 773 companies with finalized CMMC Level 2 C3PAO certifications and 97 authorized C3PAOs with another 109 Level 2 assessments are in progress.

New #CMMC FAQ C-Q12 clarifies enclave scoping: Enterprise network components are not automatically in scope if a CUI enclave has no direct internet connection. With proper logical separation and encryption, the corporate network can be used. FAQs: dowcio.war.gov/Portals/0/Docu…

Can encryption alone create logical separation for #CMMC? Short answer: No. Per DoD C-Q11, separation between #CUI and non-CUI must be physical or logical. Encryption protects data, but it does not create scope separation. FAQs: dowcio.war.gov/Portals/0/Docu…

New DoD CIO #CMMC FAQ update! If #CUI is handled only in hardcopy and never processed, stored, or transmitted on your systems, a CMMC L2 assessment is not required. If you are the one printing it, the system printing CUI requires CMMC. FAQs: dowcio.war.gov/Portals/0/Docu…

An SSP isn’t just a compliance document. It’s a management tool for governing security. It ties together people, processes, and technology, enabling risk decisions and stronger cybersecurity long after the assessment is over. Reach out if you want to get more from your SSP.

As the new year approaches, many organizations are thinking about how to start CMMC work the right way. That’s why we built Optic's CMMC Progress Tracker. It's a free tool to map and track your progress. Get your copy at 43828014.hs-sites.com/cmmc-l2-progre… or DM me with your email address

Cyber-AB announced CAICO will transition to ISACA. With decades of experience running global certifications, ISACA is better positioned to scale CCP and CCA credentials. Minimal near-term impact for current cert holders. A sign the CMMC ecosystem is maturing.

Hard to believe it has already been a month since the #CMMC Rule in CFR 48 went live! CMMC is now showing up in solicitations and primes are asking their supply chain to step up. I'm excited to see what 2026 will bring for securing the Defense Industrial Base (DIB)

NIST has released a new Online Informative Reference (#OLIR) mapping SP 800-171r2 to SP 800-53r5! (csrc.nist.gov/projects/olir/…) I'm very proud to have helped develop the mapping. If you have questions regarding the mapping or #CMMC feel free to reach out.

Why do I keep talking about Customer Responsibilities Matrices (#CRMs)? Because they help safeguard your data and assuming “the provider handles that” is never appropriate. Download the @Optic Cyber Solutions CRM Template today (loom.ly/zs0TK58) to get started today.

The #CMMC PMO provided an update on the status of self assessments. As of 11/18: * 6,000+ Level 1 self-assessments affirmed in SPRS * Nearly 2,000 Level 2 self-assessments affirmed

Customer Responsibilities Matrices (#CRMs) continue to get more attention for good reason. In the #CMMC ecosystem, CRMs are mandatory when using External Service Providers. I recently joined the Cuick 10 podcast to unpack CRMs. Check out the video:youtube.com/watch?v=UR2oV4…

Today's the day -- CMMC goes Live! The #CMMC Clause in 48 CFR is effective today, Nov 10, 2025. This clause requires the DOW contracts to include CMMC requirements. Feel free to reach out regarding CMMC, 48 CFR, or the phased implementation.

Is your #CMMC scope accurate? Scoping is critical for compliance. Validate it by checking: 1. Are all CUI-related assets in scope? 2. Do protection systems work remotely? 3. Are contract-critical tools included? Questions? Let’s talk. #OpticCyber

Are you preparing for CMMC and not sure what to expect? Check out Kelly Hood's video for a quick overview of what to expect during a CMMC assessment and how to be prepared for the assessment. If you haven't already check out her video here: youtu.be/U_GceuaHNLw?si…

I'm thrilled to have been selected to speak at #CS5 East 2025, happening next week: October 16–17 for a session titled: “The Most Misunderstood Aspects of CMMC: What MSPs and OSCs Keep Getting Wrong” #CS5East2025 #CMMC #OpticCyber

#NIST released SP 800-172r3 and 800-172Ar3 for public comments. Why does this matter? CMMC L3 leverages SP 800-172 security requirements. This is a chance to help define your future! - NIST SP 800-172r3: csrc.nist.gov/pubs/sp/800/17… - NIST SP 800-172Ar3: csrc.nist.gov/pubs/sp/800/17…

What does the government shutdown mean to CMMC? Nothing. Formal assessment will continue and organizations preparing for CMMC should stay the path.

Tomorrow's the day! We are truly honored to be considered for recognition among so many outstanding cybersecurity companies. There are a lot of great cybersecurity companies it's a privilege to be considered along side of them.

What documentation do I need for CMMC? Answer isn’t one-size-fits-all. It depends on your structure, skillsets, and familiarity with the security controls. Optic Cyber Solutions is here to help. We work with your existing processes and culture to develop what is appropriate.