48 CFR has been updated! Here's what it means for you.

Big updates just hit CMMC via the eCFR, and it's giving DoD contractors the details of what the contractual enforcement of CMMC is going to entail, and when to start expecting it. If you haven’t already, now is the time to pay attention.

Here’s what stands out in Subpart 204.75 Cybersecurity Maturity Model Certification (CMMC) (DFARS 7021) (PDF attached as pulled from eCFR 7/23/25):

This subpart outlines how DoD will enforce CMMC through contracts if required by the statement of work or requirement document, throughout the life of the contract, task order, or delivery order. Additionally, it contractually obligates the contracting officer to verify in SPRS a current (not older than three years) CMMC certification if required, to include exercising an option or extending any period of performance on a contract, task order, or delivery.

Policy (204.7501)

Before the contract is awarded:
• Requiring activity must state the required CMMC Level
• You cannot be awarded the contract unless your certificate is current (issued within the last 3 years)

During contract performance:
• You must maintain certification throughout the life of the contract, yes, even for extensions or options
• No cert = no extension

Procedures (204.7502)

Contracting officers (KOs) must verify your certification status in SPRS before award or renewal.

Contract Clause (204.7503)

The clause that makes CMMC real: 252.204-7021
• Now through Sept 30, 2025: Only required if CMMC is in the SOW, and it requires approval by OUSD (A&S).
• 🔥 Starting Oct 1, 2025: CMMC becomes standard in almost every DoD contract, including those using the FAR 12 procedures (unless you’re selling COTS-only)

Takeaways:
• The eCFR has already baked in what will go live after the 48 CFR rule clears OMB review in conjunction with the Phased roll-out established in 32 CFR Part 170
• Oct 1, 2025: Clause becomes required in all non-COTS DoD contracts at the appropriate level
• Enforcement will escalate in phases through 2027

Bottom Line: CMMC isn’t a future concept, it’s happening now. If you don’t have a plan to certify and stay certified, you could be blocked from being awarded contracts. At Redspin, we’re not just watching this evolve, we’ve helped more DoD contractors through CMMC assessments than anyone else. The floodgates are open, are you ready to take action?
Redspin, a division of Clearwater
IT Services and IT Consulting
Austin, TX 2,139 followers
Protecting the Defense Industrial Base is our mission.
About us
Redspin, a division of Clearwater, has become one of the most trusted cybersecurity companies for the Defense Industrial Base. Our exclusive focus on tailoring our CMMC assessment, training, consulting, and managed services for each client delivers peace of mind by lowering the risk of a security incident or breach, and meeting/maintaining compliance regulations. Since our founding in 2001, we’ve become a thought leader in IT security, helped countless clients control their security risk, develop their security strategy, and avoid a breach headline.
- Website: https://www.redspin.com/
- Industry: IT Services and IT Consulting
- Company size: 51-200 employees
- Headquarters: Austin, TX
- Type: Privately Held
- Founded: 2001
- Specialties: CMMC, Security Validation, NIST, DFARS, Compliance, Cybersecurity, Managed Security Services, and Consulting
Locations
- Primary: 11410 Jollyville Road, Suite 2201, Austin, TX 78759, US
Employees at Redspin, a division of Clearwater
- George W. Jackson, Jr.: Helping DoD Contractors Win More Contracts by Driving DoD Compliance and Cyber Resilience | Helping Organizations of All Sizes Secure Their Future |…
- Fronz Friedrich Batot, MBA, CEH, CISSP: Protecting my Healthcare & Defense Industries clients from Cyber-Threats / Information Security & Risk Management Consultant / MBA / CISSP / CEH/ CCP…
- John R Fitch II: Azure CMMC Architect
- Aron Freitag, Lead CCA: Lead CMMC Certified Assessor (Lead CCA, CCP), Cybersecurity Consultant, Supply Chain Risk Manager - CISSP, CGRC, CMMC, NIST RMF
Updates
-
🚀 Great week at the NDIA Space & Missile Defense Symposium in Huntsville! Jeremy Mares, VP of Federal Accounts at Redspin, had impactful conversations with defense contractors about how Redspin helps organizations get CMMC Certified and Cloud Secure to meet evolving cybersecurity requirements. Thanks to everyone who connected with Jeremy — we’re proud to support the mission with proven expertise in securing the defense industrial base.
-
We’re showing up in a big way at this year’s ISC2 Security Congress! ISC2 Security Congress is one of the premier global cybersecurity conferences, bringing together thousands of security professionals from around the world to explore the latest threats, trends, and solutions in the industry. Redspin’s own Stephanie Kincaid and Thomas Graham, PhD, CISSP, MBA will be sharing their lessons from the field in a session focused on CMMC from the Assessor’s Perspective, a must-attend for anyone preparing for certification. And that’s not all, Thomas Graham will also take the stage alongside Tara Lemieux to tackle the growing threat of Advanced Persistent Threats (APTs) in a session packed with insight, strategy, and real-world examples. 📍 You won’t want to miss either one. Mark your calendars, check out the details, or request a meeting with our team here: https://bit.ly/4lbXKCw
-
Our own Thomas Graham, PhD, CISSP, MBA, joins Katie Arrington, highlighting the ticking clock for DoD contractors to achieve CMMC, as covered in this recent MeriTalk article. Thomas emphasizes that contractors must prioritize compliance now to gain a competitive edge and reduce risk. Arrington puts it plainly: “Complaining to the world that the CMMC is too hard … you’re – and I want to say with the most respect I can to anybody – you’re foolish in what your statement is. What you’re saying is you’re noncompliant.” Read the article: https://bit.ly/4fuOAzG
-
Yoo-hoo… only 2 seats left! Redspin’s Back to School promotion takes $1000 off our September Certified CMMC Professional (CCP) course. Whether you're building your internal CMMC knowledge or planning to become a Certified Assessor, this is your chance to save, and start strong. Learn more & Register here: https://bit.ly/41lHszB
-
🚀 This week, Jeremy Mares will be on the ground at the Space and Missile Defense Symposium (August 5–7) at the Von Braun Center in Huntsville, AL! As part of Redspin, one of the first C3PAOs and Cloud Service Provider, Jeremy is looking forward to connecting with YOU to discuss how Redspin can help get you CMMC ready, and not only achieve but also maintain certification. With the finalization of 48 CFR (the rule that puts CMMC into DoD Contracts) on the horizon, now is the time to ensure your organization gets started with CMMC. If you're attending #SMD2025, be sure to connect with Jeremy to talk CMMC, compliance strategies, and how Redspin can support your mission. Book a meeting here 👉 https://bit.ly/47fnPx0
-
Big news out of the CMMC ecosystem! Thomas Graham, PhD, CISSP, MBA has been appointed to the C3PAO Advisory Council by The Cyber AB and named Chair of the Accreditation Committee. This two-year leadership appointment recognizes Dr. Graham’s continued contributions to the advancement of the CMMC program and his reputation as a trusted voice in the CMMC community. For Redspin, this is more than a professional milestone; it’s a testament to the caliber of talent on our team. We’re incredibly proud to have Dr. Graham leading the charge on CMMC. His insights, dedication, and leadership help shape not only our company but the future of CMMC for the entire DIB. Please join us in congratulating Dr. Graham on this well-deserved recognition! 👏👏👏👏👏
-
A new episode of the pod just dropped! In this episode, we break down a major milestone: 48 CFR has officially been sent to OIRA for final review. We also cover the July 18th memo from the Secretary of Defense and what both updates mean for the Defense Industrial Base. Plus, we unpack key terminology (“effective” vs. “enforceable”) and discuss what contractors need to know about upcoming timelines. Happy listening! P.S. Don’t forget to subscribe to Cyberspin so you’re the first to know when the replay of today’s CMMC Connect session is available. https://hubs.li/Q03zR8f80
-
Last night's Cyber AB Townhall revealed that only 258 organizations are currently CMMC Level 2 Certified, with just 87 more in progress. So what’s really getting in OSCs' way of tackling CMMC? This week, we’ve explored a lot of possibilities. But earlier this year, we asked OSCs directly, and here’s what they told us. In his latest article for Federal News Network, Thomas Graham, PhD, CISSP, MBA breaks down the top 3 disruptors impacting the DIB’s path to certification:
1. Cost
2. Timeline confusion
3. CUI scoping
These are just some of the barriers organizations are grappling with as the enforcement date approaches. 📖 Read the full article: https://hubs.li/Q03zwrxV0 Have you experienced one (or all) of these challenges? You’re not alone. #CMMC #DefenseContractors #Cybersecurity #Compliance #DIB #FederalNewsNetwork #CUI