Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:21):
Hey there.
Welcome to the CMMC ComplianceGuide Podcast.
I'm Stacey.
Brooke (00:26):
And I'm Brooke.
Stacey (00:26):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.
(00:49):
Today we're breaking down the biggest takeaways from the Cyber AB's October 2025 Town Hall. There were major updates around the Title 48 rule, new legal enforcement cases, and even real-world success stories from USC. So let's dive into it. So, Brooke, with the government shutdown still underway, how is the CMMC program being affected?
Brooke (01:09):
Well, long story short, it's really not. It's proceeding as planned, as scheduled. They're still doing Tier 3 reviews, background checks basically. They're still doing those. They showed a graphic. I wish we had it here so we could show you. We maybe should have thought about that.
(01:31):
But there's a graphic that they showed, and there were several things that the government does, and they all had green check marks except for one, and that one, I believe, had to do with contracts. So the caveat may be: everything's still proceeding and everything will still start; it'll still go into effect on November 10th.
(01:52):
48 CFR will, that is, still go into effect on November 10th. But if the government is still shut down, it may not actually be written into any contracts until whenever the government reopens. And so, you know, hopefully maybe it'll open before the end of the year. But anyway, that may be the only casualty.
(02:15):
Otherwise, the CMMC program as it is is proceeding as normal.
Stacey (02:20):
There was also a big legal story mentioned during the town hall. Can you explain what happened with Georgia Tech?
Brooke (02:26):
Sure. So Georgia Tech was involved in a False Claims Act issue, and they ended up settling, agreeing to pay $875,000.
(02:49):
So, you know, for a lot of small businesses that's a gigantic chunk of change. So Georgia Tech, you know, maybe not, I really don't know, but it's a chunk of change, one that I would rather not have to be liable for. And so it's good to stay away from the False Claims Act.
(03:09):
And the False Claims Act cases generally, the ones that I know about that have been reported, and by the way, most of those False Claims Act cases are as a result of a whistleblower. You look down and see what happened, and it's whistleblower, whistleblower, whistleblower, whistleblower, whistleblower, compromise, whistleblower, whistleblower. So they're all whistleblowers. Not all. Most of them are whistleblowers, people that
(03:32):
say, hey, these people aren't actually doing what they say they're doing. So they're clear-cut cases of a company saying they have 110 and really not even addressing, you know, some of the controls. So it's not an oops, we messed up.
(03:53):
We had a minor problem. It's not that. Although I'm not saying that won't happen, but all of these that I know about are clear-cut; they just weren't doing what they said they were gonna do. And that's what a false claim is, right? So you say you're doing it, but you're actually not. So there are more of those; they're not slowing down,
(04:17):
they're not just making an example out of a couple of people and moving on. Those False Claims Act cases, there are more all the time. They keep coming. Like I said, most of them are whistleblowers, but they're not gonna slow down. They want this to be in place and to actually, really protect the DoD supply chain.
Stacey (04:36):
What is the current state of the CMMC ecosystem, and is it still expanding?
Brooke (04:42):
It is still expanding. So there were something like 65 Level 2 certifications that were issued in the past month, which pushed them up to a little over 400. I think, I don't have the number out here, but I think that was 430 or so, something like that, Level 2 certifications.
(05:02):
There are 21 conditional certifications, which means that they've been issued a POA&M and they have six months, 180 days, to go back and fix that before they get their certification. So there are also 567 certified assessors, and
(05:23):
one of the important numbers of those assessors is the lead assessors, and there are 331 of those. So I'd like to see that number growing a lot quicker. But then again, I think I said this in the last podcast we had, but, you know, I'd like to see the lead assessors growing because really the C3PAOs hire assessors and lead assessors to do the certification assessments.
(05:48):
And some of them have CCAs and lead CCAs as employees, and then there's a lot of them that do 1099 work, and they may work for multiple C3PAOs, which is great, but that just means that those people are very, very busy. So I would like to see that number of CCAs
(06:13):
and lead CCAs grow at a much larger pace. That would be good. I guess it's a double-edged sword. You know, it's possible if you get a huge number of CCAs coming in that there may be, you know, quite a few who don't have as much experience, but this program's gotta get off the
(06:34):
ground. You're gonna have that; you're gonna have to work through it and just get through it. You know, everybody's gotta start somewhere, I guess. So the lead CCAs and the CCAs in general are really where the bottleneck is gonna be. We do have quite a few C3PAOs in the pipeline.
(06:54):
I don't recall the exact number, but there were quite a few C3PAOs in the pipeline that should be coming on board. So that's really great news. But like I said, I'd really like to see those CCAs and lead CCAs, that number hopping up there as well. And so, you know, along with that, the window
(07:17):
on when you can get an assessment, or the lead time on when you can get an assessment, that continues to grow. You can still get in with, you know, some newer C3PAOs or assessors, I guess maybe; some newer ones may have a shorter window, shorter lead
(07:37):
time. But most of them at this point right now, in October, before we even hit November, most of them that I know of are booking out into, you know, January, February. Some of them, a lot of them, even further than that, but January and February is typical right now.
(07:58):
So that's, you know, two months plus. And they have also said that once this final rule for the 48 CFR dropped September 10th, they started getting busy. Makes perfect sense, because we've gotten busy too. So everybody sees the train coming.
(08:19):
That light that you see in the tunnel is a train coming. And we know the timeline and when it's coming and all that kind of fun stuff now. But anyway, the ecosystem is looking good, with the caveat that I would like to see a lot more CCAs and lead CCAs coming in.
Stacey (08:36):
Were there any leadership or structural updates inside the Cyber AB?
Brooke (08:41):
Yeah, the Cyber AB announced that the C3PAO Advisory Council and four sub-committees, three committees and one subcommittee, are now fully staffed and ready to go. They put out a call, I don't know, a few weeks ago for
(09:01):
people to submit their request to be on those committees. So anyway, they went through all those, went through the bona fides, I guess, and have staffed all those committees. So they're all fully staffed and ready to go. Those committees are the Assessment Guidance Committee,
(09:24):
the CAP or CMMC Assessment Process Committee, the Accreditation Committee, and the ESP or External Services Committee. Actually, the ESP one is a subcommittee. And to tell you the truth, I don't know what it's a sub of, but it's a subcommittee.
(09:44):
And I've got just the quick descriptions of those. The Accreditation Committee is responsible for bringing clarity and making recommendations in the processes followed by the Cyber AB to accredit future C3PAOs. The Assessment Guidance Committee is responsible for helping the development of a CMMC body of knowledge for
(10:08):
the CMMC ecosystem and defining consistent technical and administrative interpretations across all C3PAOs, which is needed. The CAP or CMMC Assessment Process Committee is responsible for advising on enhancements to the CAP document, which is a really good document.
(10:30):
It's very, very detailed and meant to help ensure that all of the assessments are as standard as possible. But there are things that need to be addressed in it. Nothing's perfect, right? So this committee will address that document,
(10:51):
which serves as mandatory guidance for C3PAOs as they conduct CMMC Level 2 certification assessments. And then the External Services Subcommittee is responsible for helping bring clarity to the roles of external service providers, which are generally described as CSPs and MSPs, but really it's a CSP or an ESP
(11:16):
that's not a CSP, is what the definition is, and identifying ways to encourage more ESP participation within the ecosystem. So that is a major problem, because there's not many MSPs or ESPs, you know, that take part in the
(11:37):
CMMC ecosystem. There are some knowledgeable ones; there are people that kind of play around the edges, and if they get into it a little bit, they realize that they probably should not play around the edges and should just stay out of it or get completely into it, right? So with CMMC, really you're either in it or you're
(11:58):
not. There are ways to partner with people to do that. But in any case, they're trying to encourage more participation. So all those committees are fully staffed and ready to go now.
Stacey (12:12):
So it seems like during the town hall they shared the University of Southern California's success story. Could you share some of the biggest highlights from their journey?
Brooke (12:22):
Yeah, sure. So USC's Institute for Creative Technologies, I believe is what it was, shared their experience getting their CMMC Level 2 certification. It's a really good real-world example. They said they're a small team, and, you
(12:44):
know, in the world of enterprise, maybe they are a small team, but compared to our clients, they're definitely not a small team. But for them they are a small team that took care of this. They didn't have a big giant staff. It was, you know, just like anybody who has to go through this process: you've got to figure out what to do with the people you have. You know, you can't exactly just hire a whole ton of people.
(13:05):
You can hire some; you've got to figure out how to spend money, because it's gonna cost. But in any case, they started back in 2015, mapped their progress to the 800-171, and then officially earned their CMMC Level 2 certification
(13:28):
in 2024. They did narrow their CUI scope by implementing and making their CUI boundary Microsoft 365 GCC High. They ran multiple gap assessments. Somebody, you know, I believe one of the questions was
(13:49):
something to the effect of, you know, what do you wish you would have done? And they effectively ran multiple gap assessments, but they said they would definitely recommend a mock assessment before your real assessment, you know, see where you're at, right? He said they spent a lot of time documenting their inheritances from cloud providers, so like Microsoft
(14:12):
365 GCC High, stuff like that. They documented all those inheritances that they got, that float down. They uploaded over, this will get you. So we always talk about documentation, right? Documentation, documentation, documentation. In fact, I don't know that I've said that in the past
(14:33):
couple of weeks.
Stacey (14:34):
Yeah, it's been a while, actually. Yeah.
Brooke (14:36):
So, but this is a little bit technical controls and a lot processing documentation, right? That's really what it is. It's really a business thing; it is not an IT thing. So there's not as much of an IT thing. But documentation is, you've got to be able to prove you're doing what you say you're doing, and documentation is the
(14:58):
way you do that. And so along with your SSP and all your policies and the plans and procedures you have and the authorized lists and, you know, all that kind of fun stuff, you have to upload artifacts to show, you know, here's a screenshot of this. Here's, you know, whatever it may be, your artifacts you upload.
(15:18):
But they said they uploaded over 330 artifacts. So that just goes to show you that there is a lot of documentation that goes into this. You can't shortcut the documentation. If you do, I would say you risk not passing your certification.
(15:39):
So one of the things he said was that their main lesson was that CMMC isn't about technology, it's about process maturity. That's really it. I mean, yes, you can say, yeah, I've got an antivirus, you know. Well, what does it do? Well, you know, here's what it does. We wrote it all down.
(16:00):
This is how we configure it, this is what it does, it's all documented. You start going down the process of process maturity then. So that's what he said.
Stacey (16:12):
Was there any advice shared for smaller contractors who may not have the same resources as USC but would like to achieve the same result as them?
Brooke (16:21):
Yeah, absolutely. Absolutely. They said some of the same things we do. They said start with data mapping. You can't protect what you don't know you have, right? And that's what we say: figure out what kind of CUI you have, right? And why you know that that's CUI you have.
(16:42):
Is it just because I'm guessing? Just because I, you know, make a widget for F-35s or a widget for a laser system or, you know, whatever it is, you know, yeah, that's gotta be CUI, so I have CUI. Well, that's great, but you're guessing. So, you know, how do you know that's CUI? Well, it should come in the form of your contracts.
(17:03):
Documents should be marked. Don't laugh too hard. So hopefully we'll start seeing more marked documents, more properly marked documents here before long. Supposedly, from what Katie Arrington said, starting in October, you should see that. And October is just about over. So maybe we'll start seeing those documents that are
(17:27):
properly marked coming more often now. So we'll keep our fingers crossed that that's what happens. But start with your contracts, know what's in your contracts, know what DFARS clauses are in there. Ask your contracting officer, you know, hey, is this CUI? Or if it's marked CUI and you don't think it should be, is this really CUI?
(17:47):
Is that bolt right there that is an off-the-shelf product, is that really CUI? I don't think it is. And they very well may come back and say, you know what, no, it's not. And so really, in the end, they don't really want more of a burden. Some of them do have a tendency to just say everything in here
(18:09):
is CUI. But in the end, they really don't want more of a burden on themselves than they need to have. So it's about knowing, if you have CUI, what type of CUI you have, why you know that, and then figuring out where all that's at in your systems. And your systems could be email, could be SharePoint, a
(18:30):
server, could be your ERP or MRP, it could be a laptop, a CAD program, you know, there's a lot of things it could be. So you gotta figure out where all that's at. So they said start with data mapping. That's what we talk about. And they said treat compliance as an administrative
(18:52):
process, not an IT project. And that's true. It's the business; it's not just IT. And if you treat it as just an IT project, then they're gonna say, you know, that's more IT stuff, and you've got to do it with the budget you have, you've got to do it with the people you have. So definitely I agree with that.
(19:12):
Treat it as an administrative process. And he said shrink your boundary. And I agree: if it's at all possible to take that scope of CUI and narrow it down to a smaller scope, you know, just a few machines, just a few people. However you can shrink that boundary, that scope for your
(19:33):
CUI, do it if you can. Some people can't do it, you know, just by the nature of their work. Sometimes it's possible to say, do we really need to be doing it this way? Can we do it a different way? So figure out your boundary, shrink it if you can. And then he said document everything. Again, documentation, documentation, documentation.
(19:58):
So document everything. Make sure you keep and save that documentation in the right places. And I would say put it in a GRC tool, don't keep it on a file share, because then you start getting different versions that are hard to track. And oh, somebody saved it over here or over there. If you put it in a CRM tool, excuse me, if you put it in a GRC tool, it's there with version tracking, and you can
(20:21):
work on it there. So in one spot. And the one thing he did say, he said that the technical stuff is easy. And I'd say easy-ish, but the technical stuff is easy, you know, and he's pretty much right there. The people and the processes are the hard part. They are. And even in the normal IT world without any
(20:43):
compliance, the people and the process are the hard part. You can put all your technical controls in to protect people from all sorts of malware and all sorts of problems, all sorts of compromises. But if that user is intent on clicking that link from somebody that they don't know, I wouldn't say there's very little you can do, but they're gonna
(21:05):
test the boundaries of your tools. So yes, people and processes are definitely the hard part.
Stacey (21:11):
Were there any reminders during the Cyber AB town hall about professional ethics in the ecosystem?
Brooke (21:16):
So he did remind us of the ethical obligations that we all have: the C3PAOs, the CCAs, the RPs, RPOs, CCPs, you know, everybody that's in the CMMC ecosystem has to sign the Code of Professional Conduct and is held to these ethical
(21:38):
obligations. And if there's a legal or ethical issue, we have to report it. I mean, that's plain. But at the same time, you've got to make sure that's an actual problem, you know. You don't want to be just tattling on people you don't like, right? He didn't say that.
(22:00):
But, you know, so that includes fraud, misrepresentation, or any actions that could damage the credibility of the program. You know, it really all boils down to that they're trying to protect the integrity of the Cyber AB and the whole CMMC ecosystem.
(22:21):
So that's what they're trying to protect. Makes perfect sense.
Stacey (22:25):
Were there any updates around assessor training or certification programs?
Brooke (22:30):
Yes. So the CCA exam, I believe, is scheduled for release in 2026. Updated CCP training is launching now. I have it here in my notes. They also said that this had to be people that have not actually signed the Code of Professional Conduct.
(22:53):
Okay. In fact, my wife is watching this with me, and she's been dumped in the deep end with me about all this. But she was watching it with me and she turned to me and said, are people really doing that? And so what they've done is they've taken fake certification badges and put them on their website and
(23:16):
whatever else, claiming that they're certified, or that they, you know, I guess they don't really know what that means. I can't imagine anybody that's an actual CCP or RP or anybody like that using something that's not correct. You know, there's a right way to do that, and they
(23:37):
hammer that in. So I don't know who was doing that, but, you know, there's certainly people that are doing that. And there are also people that are putting up, and I guess really the one thing he did talk about was that there are some Level 2 certifications also
(24:02):
that people are posting on their website. You're not supposed to do that. They're looking at doing a version that you can publicly post, but there's nothing that's official that you can post on your website that you're Level 2. You can say you're Level 2 compliant or certified, but there's nothing from the Cyber AB that you're supposed to be able to do that with. And they did say the official digital credentials are
(24:25):
in development for that Level 2 certification. So they're working on that. Like I said, it's something they realized would be helpful for people during the conference, during the CS5 conference that was, gosh, I don't know, a week or two back now. Time has flown.
(24:46):
I've lost complete track of time. But they did say that some people mentioned it would be really nice to be able to search a database of all the companies that are Level 2 certified to find some, you know, suppliers that you can use. And they said that's a great idea, except China would love to
(25:08):
know who's certified and who's not. So don't expect that anytime soon. That's a huge risk, putting all that together in one spot. Not that they couldn't figure it out by, you know, looking at people's websites, but you don't want to make it easy for them, right? So we'll see if that comes or not.
Stacey (25:30):
That makes a lot of sense. I didn't think about that. That might be a problem.
Brooke (25:34):
Exactly.
Stacey (25:36):
So people are just making, like, Canva badges.
Brooke (25:39):
I guess. I guess that's what they're doing. I don't really know what they're doing, to tell you the truth.
Stacey (25:43):
That's wild. That takes me by surprise as well. So to round everything out, what were the key takeaways from this town hall for contractors preparing for 2026?
Brooke (25:56):
Sure. So the biggest thing, of course, is that, and I think we've probably said this on the last few podcasts too, since September 10th, CMMC is moving forward. It's coming. There's no stopping it. The government shutdown's not gonna stop it; nothing's gonna stop this. They're gonna keep on rolling forward.
(26:17):
The longer the government shutdown lasts, you know, it's possible that these may not actually get written into any contracts until the government reconvenes, but other than that, CMMC is coming. There's nothing stopping it. They know they need it, they want it in place, and they want to move forward on it.
(26:38):
So however pretty or ugly you think this thing is, it's moving on. And it will help secure the DIB. It will. You know, there's a lot of it that's a little onerous, but it will help secure the DIB,
(26:59):
and so they're moving forward with it because they know we have to do that for our national security. You know, contractors that focus on documentation, consistency and transparency set themselves up for success. You know, everybody that they've had on that talks
(27:21):
about achieving a Level 2 certification or something of that nature, what I can tell you is that they've all talked about using a GRC tool. So not that you have to, not that everybody that's passed has, but a GRC tool makes it a lot easier for you to keep track of all that documentation. So that's a really important thing to do. You know, and the only other thing, well, they talked
(27:41):
about a few things, but the other important thing that they talked about, other than hammering on ethics again, is that, you know, these False Claims Act issues are gonna keep popping up. You know, they're not gonna go away. They're trying to take care of those and make sure that, you know, they don't happen.
(28:03):
So just be careful, make sure that you're doing what you say you're doing, make sure that the score you put in SPRS is correct, you know. As correct as you can make it, and you don't want a False Claims Act case filed against you.
Stacey (28:19):
If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at CMMCComplianceGuide.com. Stay tuned for our next episode.
(28:39):
Until then, stay compliant, stay secure, and make sure to subscribe.