Alright folks, I lost my voice at Ducks vs Oilers game 6 last night so we’ll pick up the Hotline on May 8th at 10am PST. The last time the Ducks won a playoff series was 2017, the same year that defense contractors handling CUI were required to implement NIST SP 800-171. In 2026 there are all kinds of new deadlines for defense contractors who must now prove what they’ve been claiming since 2017 and suddenly the Ducks are advancing in the Stanley Cup Playoffs. Maybe it’s just coincidence, but I’m here for it.
Transcript
[0:00] Jacob
Hi everybody. It is Friday. It’s Hotline time.
Daniel is still out there doing his thing. We’re happy for him.
And don’t be watching the stream, Daniel. I don’t want to see you in chat because you’re back at work on Monday and there’s plenty to talk about.
Talk about an epic, epic, epic honeymoon. I mean, I've got to hear this story when he gets back.
I think it’s also the most vacation time he’s taken ever.
[0:28] Scott
That’s true. That’s very true.
He probably could have taken a six-month honeymoon if he wanted to.
[0:33] Jacob
One hundred percent.
Anyways, we are streaming on YouTube. We are streaming on LinkedIn.
We’ve got a bunch of questions in the chat that are queued up from a recent webinar, from the AB Town Hall webinar, from previous Hotlines that we have done, stuff that has come through on LinkedIn.
So, tons of stuff to get to.
Add your questions in the chat and we’ll get to them as we can.
The great and powerful Scott Edwards is here because it feels like every day there’s some new press release or piece of breaking news from the world of Summit 7.
And back by popular demand, the one and only Maxine, audience favorite.
We had many, many nasty grams when you weren’t here last week and so now you are a permanent fixture.
Congratulations.
[1:34] Jacob
All right, we’ll get right into it.
We always do.
Scott, I mean, wow.
We’ve come a long way.
Officially announced today: 100 certified Level 2 Summit 7 clients.
Thoughts? Perspectives?
[1:53] Scott
It’s fantastic news.
Great for the DIB.
Great for building a secure, resilient supply chain.
But we’ve got 100 down and only 118,000 to go.
It’s been a ton of work.
We’ve had weeks where we did one certification and we’ve had weeks where we did four or five.
It goes up and down on a week-by-week basis.
I think we have another 60-plus right now on schedules for the rest of the year.
The pace is not slowing down.
It would not surprise me if we hit 200 by the end of the year.
We’ll see how that goes.
[2:49] Scott
It’s fantastic.
Lots of companies have been putting the work in for a long time to get there.
Some assessments go super smooth and are super easy.
Others feel like we’re dragging ourselves across the goal line kicking and screaming.
Max can tell you all about that.
[3:08] Jacob
I was just going to say that.
Under the hood and in the trenches, Max, you were there.
These 100 certifications couldn’t have happened without you.
What do you think about hitting the 100 mark?
[3:22] Max
I think it’s great.
It’s crazy because this year has gone by so fast.
I think it’s because we’re literally in the trenches every day with clients, getting them ready for their assessments, prepping them on things they need to talk about, and helping them understand their customer responsibilities.
There is still customer responsibility here.
Summit 7 can’t do it all, but we do most of it.
It just feels like everything has gone by so quickly.
I’m with Scott here.
It sounds crazy, but I think we could get to 200 by the end of the year.
[4:04] Jacob
Well, with you and the team, we definitely can.
Scott, in addition to 100 certified clients, the Army announced an award for their NCODE program.
What is NCODE?
[4:19] Scott
NCODE is a program that has been in the works for two years.
It was specifically started as an Army contract to provide enclaves for Army contractors.
Essentially, the Army would be paying for the implementation and operation of an enclave for a small business—think one to twenty employees.
It took two years to go through all the RFIs, RFPs, evaluations, and contract processes.
That contract was officially awarded this week.
There were eight companies selected.
Summit 7 was one of the eight.
We’re very excited about it.
[5:05] Scott
The proof of concept begins on May 15.
We signed the contract and basically kick it off a week later.
The expectation is that the proof of concept will last about six months and then roll into production around November.
At that point we’ll start adding a lot of clients.
It’s going to be a wild ride.
But it’s a great opportunity for small businesses in the DIB.
I’m super excited about it.
[5:44] Scott
I actually had a call about twenty minutes ago with a ten-person business that reached out after seeing my LinkedIn post about NCODE.
They were looking for cost-effective ways to meet their contract requirements.
I told them to keep an eye on NCODE because it sounds exactly like the type of solution they’re looking for.
I’m excited about bringing that to market in the next six months.
[6:30] Jacob
For companies that fit into a solution like that, this is a great approach and it’s coming online at exactly the right time.
This is the solution people have been asking for at that tier.
We’ll have more information coming out, but it’s awesome.
[6:52] Scott
We’re working on FAQs and additional content right now.
One important thing is that this isn’t just for Army contractors.
It’s a DoD-wide contract vehicle.
Army, Navy, Air Force, Marines—all of the services can use it for their contractor base.
It’s really, really good news.
[7:23] Jacob
I think it’s awesome news.
And big picture, this would not have happened if it weren’t for CMMC forcing the issue.
If it weren’t for the pain of CMMC making people grapple with existing requirements, the DoD would have never gotten around to funding something like NCODE.
Sometimes you’ve got to go east to go west.
This is another example of CMMC driving solutions for a problem that’s existed for ten years.
[8:06] Scott
I honestly never thought it would happen.
We’ve talked for years about grants, tax credits, subsidies, and different ways the government could help.
I didn’t think we’d see it.
So kudos to the Department of the Army and the DoD for getting it across the finish line.
I’m excited about what it can do for the small DIB.
I am a little disappointed as a Navy guy that the Army beat them to the punch.
[8:40] Jacob
We’ll save that argument for the group text later.
Scott, you’ve basically been living on the road.
Every time I talk to you, you’re in a different city.
You’ve been in Washington, San Jose, San Diego—everywhere.
What’s been going on?
[8:58] Scott
It’s been a busy spring.
I was at CS2, then our Washington, D.C. Chamber trip where we met with representatives, senators, and congressional staff.
We talked about MSPs, cybersecurity costs, CMMC, and NCODE.
Then I was out in San Jose at an entrepreneurship conference held at Microsoft’s offices.
We were talking with a lot of startup and micro businesses that want to bring capabilities to the Department of Defense.
I spent a lot of time discussing CUI protection, NIST 800-171, and the cybersecurity requirements they’re going to encounter.
It was a fantastic event.
[10:16] Scott
It was also really exciting to see some of the new capabilities and technologies being developed.
They ran a rapid-fire pitch competition with dozens of companies.
There are some really impressive things being built right now.
One of the themes I keep hearing is that small businesses want to work with the government, but they don’t understand the cybersecurity requirements until it’s too late.
They get excited about the opportunity.
Then someone mentions NIST 800-171.
Someone mentions CMMC.
Someone mentions CUI.
And suddenly the conversation changes.
[11:02] Scott
That’s exactly right.
Most of these companies are focused on the capability they’re bringing to market.
They’re solving engineering problems.
They’re building software.
They’re developing products.
Cybersecurity isn’t what they’re thinking about.
Then they find out that handling CUI comes with obligations and costs.
A lot of them are surprised.
[11:34] Jacob
Which is why programs like NCODE matter.
The government wants more innovation.
The government wants more small businesses.
The government wants more nontraditional contractors.
But if the barrier to entry is too high, those organizations simply won’t participate.
[11:57] Scott
Exactly.
You need a pathway.
And for very small organizations, building and operating a compliant environment from scratch may not be practical.
NCODE helps create another option.
[12:20] Jacob
All right.
Let’s pivot.
One of the recurring conversations lately has been assessment readiness.
Everybody keeps talking about assessor shortages.
Everybody keeps talking about assessment capacity.
I continue to think that’s the wrong conversation.
[12:41] Max
I agree.
From where I sit, the issue isn’t finding assessors.
The issue is getting organizations ready.
Most companies aren’t sitting around fully compliant waiting for an assessor to call.
Most companies are still working through implementation challenges.
[13:07] Jacob
That’s exactly what I keep saying.
People talk about capacity like it’s the limiting factor.
But when I look at the actual numbers, I don’t see that.
I see organizations struggling to reach readiness.
Those are very different problems.
[13:31] Max
And readiness isn’t just technology.
That’s another misconception.
People think readiness means deploying tools.
Readiness includes documentation.
Policies.
Procedures.
Training.
Evidence collection.
Interview preparation.
There are a lot of moving parts.
[14:02] Scott
The SSP alone is enough to trip people up.
I’ve seen organizations spend months implementing controls and then struggle because the SSP doesn’t accurately describe the environment.
The documentation has to match reality.
[14:27] Jacob
That’s probably one of the biggest lessons from the first hundred certifications.
The SSP matters.
People love talking about technology.
They love talking about products.
The SSP is still one of the most important documents in the entire process.
[14:58] Max
Absolutely.
Assessments go much smoother when the SSP clearly explains what the organization is doing.
When assessors can follow the narrative, everything becomes easier.
When the SSP is vague, inconsistent, or disconnected from reality, the assessment becomes much harder than it needs to be.
[15:37] Jacob
And this is where people get frustrated.
They think the SSP is paperwork.
It isn’t.
The SSP is the story of how your environment works.
If the story doesn’t make sense, assessors are going to ask questions.
[16:04] Scott
Exactly.
Good documentation reduces friction.
Bad documentation creates friction.
It’s really that simple.
[16:22] Jacob
Let’s grab a question from the audience.
This one comes up constantly.
How long does it take to become compliant?
Everybody wants a number.
Everybody wants a timeline.
And everybody hates the answer.
[16:41] Max
Because the answer is always:
It depends.
It depends on where you’re starting.
It depends on your architecture.
It depends on your resources.
It depends on leadership support.
It depends on how much CUI you’re handling.
There isn’t a universal timeline.
[17:09] Scott
The companies that move the fastest tend to be the companies that make decisions quickly.
The technology is usually not the bottleneck.
Decision-making is the bottleneck.
[17:31] Jacob
That’s such an underrated point.
People think implementation delays are technical.
A lot of the time they’re organizational.
Nobody wants to decide.
Nobody wants to approve budgets.
Nobody wants to accept tradeoffs.
And the project stalls.
[17:58] Max
Exactly.
When leadership is engaged and decisions happen quickly, implementations move quickly.
When decisions sit in meetings for three months, timelines expand dramatically.
[18:23] Jacob
Let’s talk GCC High because this question never goes away.
Do all defense contractors need GCC High?
[18:37] Scott
No.
And that’s one of the most persistent myths in the industry.
The answer depends on the data you’re handling and the contractual requirements that apply to you.
There are absolutely organizations that need GCC High.
There are also organizations that don’t.
[19:07] Jacob
The problem is that people want a simple answer.
They want a flowchart.
They want somebody to tell them yes or no.
Reality is more complicated than that.
[19:28] Scott
Exactly.
You have to understand your requirements.
You have to understand your contracts.
You have to understand your data.
Only then can you make the right decision.
[19:52] Jacob
And that’s why we spend so much time talking about discovery.
People want architecture recommendations before they’ve answered the foundational questions.
That’s backwards.
[20:16] Max
You can’t design the right solution until you understand the problem you’re trying to solve.
That’s true in cybersecurity.
It’s true in compliance.
It’s true in pretty much everything.
[20:39] Jacob
Well said.
Let’s keep going because we’ve got a lot more questions to get through.
[20:47] Jacob
Here’s another question that came in from the webinar.
What role should MSPs play in a compliant environment?
This feels like one of those topics where everybody has a different opinion.
[21:04] Scott
The first thing I’d say is that MSPs are not magic.
They’re service providers.
A good MSP can help you implement, operate, and maintain a compliant environment.
A bad MSP can create a lot of problems.
Organizations still own responsibility for their compliance program.
[21:35] Max
That’s one of the biggest misconceptions.
People think hiring an MSP transfers accountability.
It doesn’t.
You can outsource activities.
You can’t outsource responsibility.
[21:57] Jacob
Exactly.
At the end of the day, the organization is still responsible for protecting information.
The organization is still responsible for maintaining compliance.
The MSP is supporting that effort.
They’re not replacing it.
[22:23] Scott
And that’s why provider selection matters.
Organizations should understand:
What services are being provided.
What services are not being provided.
Who owns which responsibilities.
What assumptions are being made.
Those conversations should happen before contracts are signed.
[22:57] Jacob
Speaking of assumptions, let’s talk cloud versus on-premises environments.
Because people love debating this.
Some people think cloud automatically solves compliance.
Others think cloud automatically creates problems.
Neither position seems particularly accurate.
[23:20] Scott
I agree.
Cloud is just a deployment model.
You can build good architectures in the cloud.
You can build bad architectures in the cloud.
You can build good architectures on-premises.
You can build bad architectures on-premises.
The technology doesn’t make the decision for you.
[23:54] Max
What matters is understanding the requirements and implementing them correctly.
That’s true regardless of where the systems live.
[24:14] Jacob
I think people sometimes want technology to eliminate complexity.
And that’s just not how cybersecurity works.
Every architecture introduces tradeoffs.
The goal is understanding those tradeoffs and making informed decisions.
[24:48] Scott
Exactly.
The best architecture is usually the one that aligns with the organization’s operational needs while still meeting the requirements.
There’s rarely a one-size-fits-all answer.
[25:15] Jacob
Here’s another audience question.
What are some of the most common assessment pitfalls you’re seeing?
Max, you’ve lived through a lot of assessments at this point.
[25:29] Max
Documentation is still near the top of the list.
Organizations often know what they’re doing operationally, but they struggle to explain it clearly.
The controls may be implemented correctly.
The evidence may exist.
But if the story isn’t easy to follow, assessments become more difficult.
[26:02] Max
Another issue is consistency.
People update one document and forget to update three others.
Then the assessor sees conflicting information.
Now everyone spends time figuring out which version is correct.
[26:31] Jacob
That’s such a good point.
Assessors don’t know your environment the way you do.
They’re relying on the evidence you provide.
If that evidence points in three different directions, they’re going to ask questions.
[26:58] Scott
And honestly, that’s what they should do.
The assessment process is designed to validate implementation.
If something doesn’t make sense, clarification is part of the process.
[27:22] Jacob
Let’s talk prime contractors for a second.
Because we’re seeing more and more suppliers being told:
“You need certification by this date.”
Those deadlines aren’t always coming from the government.
They’re coming from primes.
[27:45] Scott
That’s absolutely happening.
Primes are looking at their supplier base and trying to understand risk.
They want to know who can continue supporting programs.
They want to know who can handle CUI.
And in many cases, they’re establishing timelines based on their own business needs.
[28:16] Max
Which means organizations can’t assume they have unlimited time.
Even if the regulatory rollout happens gradually, market pressure can move much faster.
[28:40] Jacob
That’s one of the biggest disconnects I see.
People look at government timelines.
What they should also be looking at is customer timelines.
Sometimes those are the dates that matter most.
[29:07] Scott
Exactly.
Your contract doesn’t care what your implementation plan says.
Your customer cares whether you can perform the work.
Those aren’t always the same thing.
[29:33] Jacob
And that’s why readiness matters.
Organizations that start early generally have more options.
Organizations that wait until a customer imposes a deadline tend to find themselves making decisions under pressure.
[29:58] Max
And decisions made under pressure are rarely the best decisions.
[30:12] Jacob
That might be the quote of the day.
All right, let’s keep going.
We’ve still got a few more questions before we wrap up.
[30:21] Jacob
Let’s hit a few final questions before we wrap up.
This one comes up a lot.
If a company has a great cybersecurity program but poor documentation, how does that impact an assessment?
[30:38] Max
More than people expect.
Assessments aren’t just about what exists.
They’re about what can be demonstrated.
If controls are implemented but the documentation doesn’t support them, you’re creating unnecessary difficulty for yourself.
The goal is alignment.
Implementation and documentation should tell the same story.
[31:10] Scott
Exactly.
People sometimes treat documentation like an afterthought.
Then assessment time arrives and they realize they’re trying to reconstruct months or years of decisions.
That’s a painful place to be.
[31:37] Jacob
It’s one of the reasons we constantly tell people to build documentation as they go.
Trying to recreate history is much harder than documenting decisions when they happen.
[31:58] Max
And assessors can usually tell the difference.
They can tell when documentation is part of an operational process.
They can also tell when it was thrown together two weeks before the assessment.
[32:24] Jacob
Here’s another question.
Do organizations need to think differently about compliance once they achieve certification?
[32:38] Scott
Absolutely.
Certification is not the finish line.
It’s an important milestone.
But maintaining compliance requires ongoing effort.
Policies need updates.
Evidence needs collection.
Systems change.
Personnel changes.
The work continues.
[33:07] Max
The organizations that do best are the ones that treat compliance as an operational function rather than a project.
Projects end.
Operational functions continue.
That’s an important distinction.
[33:33] Jacob
That’s probably one of the most misunderstood aspects of CMMC.
People focus entirely on getting certified.
Very few people think about what happens after certification.
[33:56] Scott
Exactly.
The assessment is one event.
The program exists every day.
[34:15] Jacob
Let’s close with a bigger-picture question.
What gives you optimism about where the DIB is headed?
We’ve spent years talking about challenges.
We’ve spent years talking about requirements.
What’s encouraging right now?
[34:34] Scott
Honestly, the progress.
One hundred certifications is meaningful.
Not because of the number itself.
But because it represents organizations that have actually improved their cybersecurity posture.
That’s real progress.
[35:01] Max
I agree.
I also think organizations understand the requirements much better today than they did a few years ago.
The conversations have changed.
People are asking better questions.
They’re making better decisions.
That’s encouraging.
[35:29] Jacob
I think that’s true.
A few years ago, many organizations were still debating whether these requirements would ever matter.
Now the conversation is much more focused on implementation.
That’s a healthy shift.
[35:54] Scott
And we’re seeing more solutions emerge.
NCODE is a great example.
People identified a challenge.
The government responded.
Industry responded.
Now there’s another pathway available for organizations that need it.
[36:21] Jacob
That’s a great point.
The ecosystem is maturing.
More providers.
More expertise.
More success stories.
More lessons learned.
All of that helps.
[36:43] Max
And we’re still early.
There’s a lot of work left to do.
But we’re much farther along than people sometimes realize.
[37:02] Jacob
Well said.
All right everybody, that’s going to do it for this week’s Hotline.
Thank you to Scott.
Thank you to Max.
Thank you to everyone who joined us in chat and submitted questions.
As always, keep sending us your questions through the website, LinkedIn, YouTube, voicemail, carrier pigeon, smoke signal—whatever works.
We’ll be back next week with more cybersecurity, more compliance, and probably more things to argue about.
[37:35] Scott
Thanks everybody.
Have a great weekend.
[37:38] Max
See you next week.
[37:41] Jacob
Take care, everyone.