
Is your prime saying they can’t award the PO until your CMMC status shows in SPRS? In this QT9 Q‑Cast episode, host Christian Reyes interviews Rhea Dancel (Senior Manager of Information Security at NSF, a C3PAO) to demystify CMMC compliance—who needs it, how Levels 1–3 map to NIST SP 800‑171/172, and exactly what assessors expect.
Guest: Rhea Dancel, NSF (C3PAO & certification body).
Host: Christian Reyes, QT9.
Chapters
00:00 Why your PO is gated by SPRS + CMMC’s purpose
01:06 Meet guest Rhia Dancel (NSF, C3PAO)
01:42 Why CMMC replaced self‑attestation; 320 objectives
03:03 Verified assessments vs. self‑assessments
03:21 Levels 1–3 overview (FCI vs. CUI; NIST 800‑171/172)
04:14 CMMC as both security framework and contract gate
05:01 Who needs CMMC? Prime → sub flow‑down
06:03 32 CFR program rule; 48 CFR clauses; rollout through Nov 2028
07:04 FCI vs. CUI (plain‑English examples)
08:30 COTS scope discussion
09:10 Do SaaS vendors need CMMC? (depends on CUI & flow‑down)
10:18 Scoping Level 2: SSP, network diagram, asset inventory
10:54 C3PAO vs. consultant; mock assessments
11:21 What counts as evidence; why technical proof wins
12:09 Level 3 path (after Level 2 with C3PAO → DoD/DIBCAC)
12:49 FedRAMP Moderate / equivalent for cloud CUI
13:19 First 5 tasks to start (gap analysis → remediation → docs)
14:36 Minimum viable evidence (SSP + network + inventory)
15:21 When software vendors should pursue CMMC; scheduling realities
17:26 Level 1 as a trust signal; annual affirmation
18:40 How primes view vendors without CMMC in SPRS
19:23 Level 2 timeline; enclaves; control inheritance
22:16 Where to find NSF (Cyber AB Marketplace) & wrap‑up
Disclaimer
This episode shares general information—not legal advice. Always verify requirements in your specific solicitations and contracts.
Hashtags: #CMMC #NIST800171 #NIST800172 #CUI #SPRS #FedRAMP #DefenseIndustrialBase #DIB #C3PAO #QT9QCast #NSF