
Risk & Compliance Exchange: Cyber AB’s Matt Travis on scaling the CMMC ecosystem

The Cybersecurity Maturity Model Certification program is officially off the ground.

CMMC is the Pentagon’s program to evaluate whether defense contractors are following requirements for protecting controlled unclassified information. The cybersecurity requirements, based on National Institute of Standards and Technology controls, have been in Defense Department contracts since 2016.

It took years for CMMC to become a reality. But the final rule implementing CMMC in contractual requirements took effect Nov. 10. The rule establishing CMMC as a program had already gone into effect last year.

DoD has a phased implementation plan for the program. During Phase 1, over the next year, the department will largely require CMMC self-assessments from contractors, but DoD programs have the discretion to require Level 2 CMMC third-party assessments during that year as needed.

Tackling third-party CMMC assessments

During Phase 2, starting next November, those third-party assessments will become standard in applicable contracts.

Those third-party assessments are a key facet of the CMMC program and its goal to ensure defense contractors follow cybersecurity requirements.

The Cyber Accreditation Body is responsible for authorizing the CMMC third-party assessment organizations (C3PAOs) that will carry out those independent assessments. And Matthew Travis, CEO of The Cyber AB, said work is well underway on building out the scaffolding that will support the CMMC program.

“If there’s any remaining skepticism of whether or not the department was serious about this conformity regime, you can now just look at the Code of Federal Regulations and see both rules there,” Travis said during Federal News Network’s Risk & Compliance Exchange 2025. “Now, the real challenge is to scale the ecosystem.”

‘Impending bow wave’

So far, just under 500 defense contractors have voluntarily achieved a Level 2 CMMC certification, Travis shared.

But the Pentagon has estimated that the requirement for a Level 2 third-party assessment could apply to as many as 80,000 companies as CMMC is phased in.

“I am concerned about the impending bow wave that I think we’ll see in demand,” Travis said.

Some C3PAOs already have a backlog of assessments that stretch into next year.

“Now is the time to move if you’re ready,” Travis added. “People are going to start racing to the checkout line, and it’s going to be a wait. So move now if you’re ready, and if you’re not ready, get ready, because the sooner you do it, the sooner you’ll be able to get a slot.”

Among the voluntary Level 2 assessments that have occurred to date, Travis said “false starts” have been an issue for some organizations.

“We heard frequently from the C3PAOs that they had to call it off mutually once the organization seeking certification realized all the things that they hadn’t fully done,” Travis said. “And the C3PAO said, ‘We might want to pause here. Go back to work and call us when you’re ready.’ ”

Travis said the 110 requirements under Level 2, drawn from NIST Special Publication 800-171, go beyond technical controls.

“It does require an organizational commitment,” he said. “There are physical security requirements, there are training requirements that human resources has to be involved in. There are leadership requirements in terms of resourcing.”

Another key lesson gleaned from early assessments is the need for companies to understand their external service providers. Travis said most organizations rely on cloud service providers or managed service providers for many IT and cybersecurity needs.

But whether they’re a CSP or an MSP — and to what extent they are involved in an organization’s handling of controlled unclassified information — are crucial questions in a CMMC assessment.

“Knowing who’s helping you and knowing your organization is fully committed are probably the two biggest takeaways that we’re hearing from industry,” Travis said.

CMMC’s ‘long pole in the tent’

The Cyber AB, through its no-cost contract with the Pentagon, is responsible for authorizing C3PAOs and certifying the people who conduct CMMC assessments.

Travis said there are just under 600 certified CMMC assessors today. Half of them are eligible to lead assessment teams.

But to meet the envisioned scale of the CMMC program — evaluating tens of thousands of defense contractors annually — Travis estimates there’s a need for between 2,000 and 3,000 assessors.

“That’s the most important part of the ecosystem that has to be grown. … That’s a long pole in the tent,” Travis said.

Initially, the challenge to building a pool of assessors was DoD’s drawn out rulemaking process: There was no financial incentive to become an assessor with no CMMC requirements on the horizon.

But Travis said the challenge now is getting CMMC assessors through the process quickly enough as DoD phases in the requirements. The process of becoming an assessor involves training, exams and passing a Tier 3 DoD background investigation, which is equivalent to being investigated for a secret-level security clearance. Those investigations can often take months.

Travis said assessors don’t necessarily need to start with a technical background. He pitched it as a “great way for folks to get engaged in cybersecurity.”

“Whether it’s a full time job or a side hustle, these assessors are going to be in demand,” Travis said. “And so the compensation that goes with it, I think, is compelling. We are encouraging folks, if they haven’t considered entering into the CMMC program, think about becoming an assessor.”

Discover more articles and videos now on our Risk & Compliance Exchange 2025 event page.

The post Risk & Compliance Exchange: Cyber AB’s Matt Travis on scaling the CMMC ecosystem first appeared on Federal News Network.

© Federal News Network


New CMMC rules take effect Monday, with contractors facing uncertainties

7 November 2025 at 13:12

Interview transcript:

Jared Serbu: Dan, we now have a final rule, actually multiple final rules, telling us where the Defense Department is headed with CMMC. It’s been a long time coming. As we sit here in the fall of 2025, I mean, generally, how would you assess the level of clarity that folks have about how this is going to play out once we start really moving into the implementation stage here?

Dan Ramish: Well, Jared, I would say there are some questions about how the rollout will take place and the final rule included in Title 48 actually created some new questions. So one of the big questions, there are two central pieces of the CMMC program, really. One of them is that over time, these verification requirements will be implemented and that’ll include for most contractors that have contracts involving CUI, a certified third-party assessment, but the other piece of CMMC is that contractors are actually going to have to have a passing score that they are implementing cybersecurity requirements whereas currently, they only need to do an assessment and report the summary scores of that assessment without reference to having a particular passing score, having implemented a certain number of the security requirements. So this is going to be a big deal starting November 10th. Some contracts will require contractors to have a certain level of cybersecurity implementation with regard to the 110 cybersecurity requirements in NIST SP 800-171. The question is which contracts will have the CMMC clause and which won’t. And it’s going to matter so much because again it’s going to be an issue of eligibility for award. So you could lose out on a contract if you don’t have sufficient cybersecurity compliance. And the uncertainty here stems from the fact that there is language in the Title 32 rule and the Title 48 rule that is different. So the Title 32 rule suggests that DoD, as of Phase 1, which begins on November 10th, 2025, intended to include the CMMC statuses in clauses in all contracts and solicitations. Whereas the Title 48 rule, that came out in September, says that during the first three years the CMMC requirement will be included in only certain contracts. So it’s unclear which contracts will or won’t have it, or whether all contracts will have the CMMC clause or not.

Jared Serbu: But I think part of the take-home message there is you as a potential bidder or potential offer on any of these contracts have no control over what DoD ends up doing on any particular contract and whether the clauses are going to be included or not. So that probably means it’s time to be ready no matter what.

Dan Ramish: That’s right. Contractors shouldn’t be rolling the dice and potentially losing out on an important contract opportunity that may include the CMMC clause.

Jared Serbu: And so what do we know about, as you just did a great job of taking us through, there’s a lot of murkiness about which contracts are going to include this or not. But what do we know about sort of the process DoD is going to use to decide whether those clauses are going end up going into those contracts, at least during this first phase where they’re leaving themselves quite a bit of discretion?

Dan Ramish: So the Title 48 rule basically says that it’ll be up to the requiring activity to make the determination of CMMC, that the CMMC program office will direct the component program offices as to inclusion of the requirement. The other issue, besides whether the clause will be in the contract at all, is whether self-assessment will be included or whether some contracts may include certification assessment for CMMC Level 2, and there’s discretion in that as well. There is a little bit more guidance as to that piece of it, when the decision might be made to include a certification assessment requirement. DoD’s frequently asked questions says that PMs should only make use of the discretion to include C3PAO assessment during Phase 1 when, informed by adequate market research, there’s reason to believe there are enough qualified offerors, including their subcontractors, to provide adequate competition. So if there are enough contractors that have a certification assessment for a particular requirement, then there’s a greater chance that DoD might decide to include a certification assessment and you could lose out even if you have self-assessed and are compliant, either conditionally or fully compliant.

Jared Serbu: Yeah and one of the things that comes to mind here is it may be an incentive against over-classification in some cases here, of course, a problem that has been existent in the government for a long time. If you run into a situation now where whether you’re designating things as CUI or not could determine whether or not you need to have CMMC in a contract, that could be a fairly powerful force on the government side to at least make you take a second look at the requirements in your contract and say, ‘Hey, is this really CUI or not?’

Dan Ramish: Yes. Well, and the backdrop to that is that a significant portion of the defense industrial base isn’t at the full passing score as yet for CMMC Level 2. And there have been a number of studies, one of them fairly recently from a company called CyberSheath, that suggested that the median SPRS score based on 300 survey respondents was 60, whereas the full compliance score is 110. So a lot of contractors have work to do and DoD requiring activities, of course, want to get their products and services from the contractors. And so on the one hand, the cybersecurity concerns are real, the national security implications of cybersecurity are real. But on the other hand, the Department of Defense needs to get their stuff. And so this has always been the tension all along. And I hope that you’re right that as the stakes increase with the CMMC clause that the government will take a more serious look at what really needs to be marked as CUI and be more discerning in that. But part of the challenge is that there isn’t at this stage a standardized method for indicating, identifying what CUI will be involved in the given contract. That’s something that’s addressed in the FAR CUI proposed rule. But that is kind of on hold with the whole Revolutionary FAR Overhaul that’s taking place. So there’s still going to be some challenge and some need for informal communication between prime contractors and the government or between subcontractors and prime contractors to figure out even what is going to be CUI under a contract.

Jared Serbu: Yeah, I want to make sure I’ve got my head around that last piece. So you as a vendor, when you see an RFP, you may not necessarily know just based on those solicitation documents whether or not there’s going to be CUI involved in performance of the work. And you may not know at the outset whether or at what level you need to be compliant with CMMC. Is that the upshot of all that?

Dan Ramish: Well, so there will be a designation of what CMMC level is required. The clause will designate which CMMC level is required, but just because CMMC Level 2 is designated for a given solicitation or contract, doesn’t mean that all information that is provided by the government or that’s generated in performance is going to be controlled unclassified information, and it’s important to know what specific information is subject to handling and dissemination controls because contractors need to take appropriate precautions and they may have CUI on some information systems and not on others. And so ensuring that they are properly directing the flow of materials that are actually CUI is critical for compliance with the cybersecurity requirements. And so if they don’t have that information, if that’s not clearly indicated in the contract because there is no standardized form for that to happen, as yet, that creates a challenge.

Jared Serbu: Yeah, and you mentioned earlier that this is not the time to roll the dice anymore. But are there some areas or windows where, depending on the type of work you do, you can get away with completely avoiding CMMC altogether? Are there places where contractors really can still play and not worry about anything that we’ve been talking about the last 10 minutes?

Dan Ramish: So this is a big point of debate because, so CMMC Level 1 is actually going to apply to the largest portion of the Defense Industrial Base. And CMMC Level 1 corresponds to the basic safeguarding requirements that are currently in the FAR and those requirements are intended to be less onerous, but they are government-unique requirements. And to get out of even CMMC Level 1, there are really two ways around it. One of them is, there is an exception for COTS items. So if a contract is solely for COTS, commercially available off-the-shelf items, that’s one exception. There’s going to maybe be greater need to drill down on what specifically is COTS. Of course, we live in an age where if you’re buying something off the shelf, there may be different options, and if the same options are available to the government as are available in the commercial marketplace, does that still make it COTS? There are questions like that where there could be gray areas. The other piece is federal contract information. If there’s no federal contract information, then CMMC Level 1 isn’t going to be required, assuming there also is CUI. Federal contract information is just non-public government information that’s involved in the contract. And the way that is interpreted by the government is going to be important because, of course, a lot of the information that is involved in contract performance is going to be accessible through the Freedom of Information Act. But the Department of Defense declined to say that anything that’s FOIA-able is not FCI. So it may be challenging to demonstrate that you don’t have any non-public federal information. There are going to be some exceptions if the government makes the information publicly available like on a public website, or certain financial payment information isn’t going to be FCI. But short of that, I think it will be interesting to see whether there are questions about getting out of CMMC altogether based on the lack of FCI.

The post New CMMC rules take effect Monday, with contractors facing uncertainties first appeared on Federal News Network.

© Amelia Brust/Federal News Network

PCI DSS 4.0.1 Compliance made simple with latest updates

25 September 2025 at 08:44

Last Updated on September 26, 2025 by Narendra Sahoo

The world of payment security never stands still, and neither does PCI DSS. PCI DSS 4.0.1 is the latest revision of the standard. It is not heavy on changes, but it matters: it clarifies how the v4.0 requirements are meant to be read and assessed, so organizations and assessors work from the same understanding.

The Payment Card Industry Data Security Standard (PCI DSS v4.0) is a data security standard that helps businesses keep their customers’ cardholder data safe. Every organization, regardless of size or location, that stores, processes or transmits payment card data has to be PCI DSS compliant. PCI DSS v4.0 consists of 12 main requirements, grouped under 6 core goals, that every organization must adhere to in order to maintain compliance.

Since its introduction in 2004, PCI DSS has undergone multiple revisions to keep up with emerging cyber threats and evolving payment technologies. With each update, organizations are expected to refine their security practices to meet stricter compliance expectations.

Now, with PCI DSS 4.0.1, organizations must once again adapt to the latest regulatory changes. But what does this latest version bring to the table, and how can your organization ensure a smooth transition? Let’s take a closer look.

Introduction to PCI DSS v4.0.1

PCI DSS 4.0.1 is a revised version of PCI DSS v4.0, published by the PCI Security Standards Council (PCI SSC) on June 11, 2024. The revision focuses on minor adjustments, such as formatting corrections and clarifications of the intent of some requirements, rather than introducing new requirements. Importantly, PCI DSS v4.0.1 does not add or remove any requirements, and it does not change the implementation timeline. So organizations that have already started transitioning to PCI DSS 4.0 won’t face any drastic changes, but it is crucial to understand the key updates to ensure full compliance.

PCI DSS 4.0.1 changes

We know PCI DSS 4.0.1 does not introduce any brand-new requirements, so what kind of refinements does it bring, and are they worth noting?

The answer is yes. The clarifications describe how assessors will read the existing requirements, so you should align your controls and evidence with them. The updates aim to enhance clarity, consistency and usability rather than overhaul existing security controls in PCI DSS.

Below are some of the significant updates in PCI DSS 4.0.1:

  1. Improved Requirement Clarifications: The PCI Security Standards Council (PCI SSC) has fine-tuned the wording of several requirements to remove ambiguity. This ensures businesses have a clearer understanding of what’s expected.
  2. Formatting Enhancements: To ensure uniformity across the framework, some sections have been reformatted. This may not impact your technical security controls but will help streamline audits and documentation.
  3. Additional Implementation Guidance: Organizations now have more explanatory notes to assist them in correctly implementing security controls and compliance measures.
  4. No Change in Compliance Deadlines: PCI DSS 4.0.1 does not move any dates. PCI DSS v3.2.1 was retired on March 31, 2024, and the future-dated requirements introduced in v4.0 became mandatory on March 31, 2025, so organizations need to stay on track with their compliance efforts.
  5. Alignment with Supporting Documents: Updates ensure consistency across various PCI DSS-related materials like Self-Assessment Questionnaires (SAQs) and Reports on Compliance (ROCs), making assessments more straightforward.


Steps to comply with the new version of PCI DSS 4.0.1


 1) Familiarize Yourself with PCI DSS 4.0.1 Updates

  • Review the official documentation from the PCI Security Standards Council.
  • Understand the refinements and how they apply to your current compliance efforts.
  • If you’re already transitioning to PCI DSS 4.0, confirm that 4.0.1 does not require any drastic modifications.

2)  Conduct a Compliance Gap Analysis

  • Compare your existing security controls against PCI DSS 4.0.1 to identify areas needing adjustment.
  • Engage with internal stakeholders to assess any potential compliance gaps.

3)  Update Policies and Documentation

  • Revise internal policies, security documentation, and operational procedures to align with clarified requirements.
  • Ensure that SAQs, ROCs, and Attestations of Compliance (AOCs) reflect the latest version.

4)  Validate Security Controls

  • Perform security assessments, penetration testing, and vulnerability scans to confirm compliance.
  • Make necessary adjustments based on the refined guidance provided in PCI DSS 4.0.1.

5)  Train Your Team on Key Updates

  • Conduct training sessions to educate staff and stakeholders on clarified expectations.
  • Ensure that compliance teams understand how the changes affect security protocols.

6)  Consult a Qualified Security Assessor (QSA)

  • If your organization requires external validation, work closely with an experienced  QSA (like the experts from VISTA InfoSec) to confirm that your compliance strategy meets PCI DSS 4.0.1 expectations.
  • Address any concerns raised by the assessor to avoid compliance delays.

7)  Maintain Continuous Compliance and Monitoring

  • Implement robust logging, monitoring, and threat detection mechanisms.
  • Regularly test and update security controls to stay ahead of evolving cyber threats.

8)  Meet the March 31, 2025 Date for Future-Dated Requirements

  • Keep track of your progress; the future-dated v4.0 requirements are assessed in full from March 31, 2025.
  • If you’re already compliant with PCI DSS 4.0, verify that all clarifications from v4.0.1 are incorporated into your security framework.


FAQs

  • What are the main changes in PCI DSS 4.0.1 compared to 4.0?

    PCI DSS 4.0.1 introduces clarifications, minor corrections, and additional guidance to make existing requirements in PCI DSS 4.0 easier to understand and implement.

  • Why was PCI DSS 4.0.1 released so soon after PCI DSS 4.0?

    PCI DSS 4.0.1 was released to address feedback from organizations and assessors, ensuring requirements are clear, consistent, and practical without changing the core security goals of version 4.0.

  • How should organizations prepare for PCI DSS 4.0.1?

    Organizations should review the updated documentation, perform a gap analysis, update policies and procedures if needed, and confirm alignment with the clarified requirements.

  • Are there new technical requirements in PCI DSS 4.0.1?

    No new technical requirements were added. PCI DSS 4.0.1 focuses on clarifications and corrections to help organizations implement PCI DSS 4.0 more effectively.

  • What happens if my business does not comply with PCI DSS 4.0.1?

    Failure to comply with PCI DSS 4.0.1 can lead to fines imposed by the card brands through your acquirer, loss of the ability to process card payments, and increased risk of data breaches due to weak security practices.


Conclusion

PCI DSS compliance isn’t just a checkbox exercise; it is your first commitment when it comes to safeguarding your customers’ data and strengthening cybersecurity. While PCI DSS 4.0.1 may not introduce serious changes, its refinements serve as a crucial reminder that security is an ongoing journey, not a one-time effort. With the March 31, 2025 date for the future-dated requirements now in effect, every v4.0 control is assessed in full, so now is the time to assess, adapt and act.

Need expert guidance to navigate PCI DSS 4.0.1 seamlessly? Partner with us at VISTA InfoSec for a smooth, hassle-free transition to the latest version of PCI DSS. Because in payment security, compliance is just the beginning; true protection is the actual goal.

The post PCI DSS 4.0.1 Compliance made simple with latest updates appeared first on Information Security Consulting Company - VISTA InfoSec.

Top 11 Benefits of having SOC 2 Certification!

6 May 2025 at 07:35

Last Updated on September 17, 2025 by Narendra Sahoo

What is SOC 2 Certification?

SOC 2 is an attestation framework developed by the AICPA in which an independent CPA firm evaluates an organization’s ability to design and operate effective controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Strictly speaking, the outcome is an attestation report rather than a certificate, but the term “SOC 2 certification” is widely used in the industry, and this article uses it in that sense. It’s a critical assurance tool for service providers managing customer data in the cloud, demonstrating a commitment to robust internal controls and regulatory compliance.

SOC 2 certification is today a need of the industry, especially for every business offering third-party IT services. Businesses that outsource parts of their data and IT operations prefer dealing with secure vendors: those that can show evidence of implementing security best practices and rigorously protecting sensitive information.

So, most businesses demand a SOC 2 compliant vendor who demonstrates strict adherence to IT security. Achieving SOC 2 certification means a vendor has established practices with the required levels of security across the organization to protect data. Elaborating on this, we have listed some of the benefits of attaining SOC 2 certification. Let us take a closer look at them to understand the importance of a SOC 2 audit and attestation/certification.

Benefits of SOC2 Certification

1. Brand Reputation

A SOC 2 report is evidence that the organization has designed, and in a Type II report operated, the controls needed to reduce the risk of a data breach. This in turn helps in building credibility and enhances the brand’s reputation in the market.

2. Competitive Advantage

Holding a SOC 2 certification/attestation gives your business an edge over others in the industry. With so much at stake, businesses are only looking to partner with vendors who are safe and have implemented appropriate measures for preventing data breaches. Vendors are often required to complete a SOC 2 audit to prove they are safe to work with. Besides, when pursuing clients that require a SOC 2 report, having one available will give you an advantage over competitors who do not have one.

3. Marketing Differentiator

Although several companies claim to be secure, they cannot prove it without passing a SOC 2 audit and obtaining a SOC 2 report. Holding a SOC 2 report can be a differentiator for your organization against those companies in the marketplace that do not hold one and have not made a significant investment of time and capital in SOC 2 compliance. You can market your adherence to rigorous standards with a SOC 2 audit and certification while others cannot.

4. Better Services

You can improve your security measures and overall efficiency in operations by undergoing a SOC 2 audit. Your organization will be well positioned to streamline processes and controls based on an understanding of the cybersecurity risks that your customers face. This will improve your services overall.

5. Assured Security

A SOC 2 audit and attestation/certification gives your company an edge over others, as it assures your customers that security measures for preventing breaches and securing their data are in place. Moreover, the SOC 2 report assures the client that the organization has met established security criteria, including that the system is protected against unauthorized access (both physical and logical).


6. Preference for SOC 2 Certified Vendors

Most businesses prefer working with SOC 2 certified vendors. For this reason, having SOC 2 certification is crucial for organizations looking to grow their business in the industry.

7. ISO 27001 Is Achievable

SOC 2 controls overlap heavily with the requirements of ISO 27001 certification. So, having achieved SOC 2 certification will make your process of achieving ISO 27001 easier. However, it is important to note that clearing a SOC 2 audit does not automatically get you ISO 27001 certification; that requires a separate audit by an accredited certification body.

8. Operating Effectiveness

A SOC 2 Type II audit requires evidence of, and testing of, the operating effectiveness of the controls in place over a review period, typically 3 to 12 months, with 6 months being common. So, a SOC 2 audit ensures that an effective information security control environment is maintained over time, not just on the day of the audit.

9. Commitment to IT Security

A SOC 2 audit and certification demonstrates your organization’s strong commitment to overall IT security. A broader group of stakeholders gains assurance that their data is protected and that the internal controls, policies and procedures are evaluated against industry best practice.

10. Regulatory Compliance

As mentioned earlier, SOC 2 requirements overlap with other frameworks, including HIPAA and ISO 27001 certification. So, achieving compliance with other regulatory standards becomes easier, and it can speed up your organization’s overall compliance efforts.

11. Valuable Insight

A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal controls, governance, regulatory oversight and much more.

Conclusion

As professionals in the industry, we strongly believe that the benefits of clearing a SOC 2 audit and obtaining a SOC 2 report far outweigh the investment required to achieve it. This is because when a vendor undergoes a SOC 2 audit, it demonstrates their commitment and that they are invested in providing secure services and ensuring the security of clients’ information.

This, in turn, enhances the business reputation, supports business continuity, and gives the business a competitive advantage in the industry. VISTA InfoSec specializes in helping clients in their SOC 2 audit and attestation efforts. With 16+ years of experience in this field, businesses can rely on us for an easy and hassle-free SOC 2 compliance process.


FAQ

1. Who needs SOC 2 certification?

Any SaaS provider or cloud-based service that stores, processes, or transmits customer data—especially in regulated industries—should pursue SOC 2 certification to build trust with clients.

2. What is the difference between SOC 2 Type I and Type II?

Type I reviews the design of controls at a specific point in time, while Type II assesses the effectiveness of those controls over a period (usually 3–12 months).

3. How long does it take to get SOC 2 certified?

The SOC 2 process typically takes 3–6 months, depending on an organization’s readiness, existing controls, and whether it’s a Type I or Type II audit.

4. Is SOC 2 mandatory?

SOC 2 is not legally required, but many clients—especially in the B2B tech space—demand it as part of vendor due diligence.

The post Top 11 Benefits of having SOC 2 Certification! appeared first on Information Security Consulting Company - VISTA InfoSec.

PNPT: Certification Review

By: BHIS
31 January 2023 at 07:52

Daniel Pizarro // What is the PNPT?  The Practical Network Penetration Tester (PNPT), created by TCM Security (TCMS), is a 5-day ethical hacking certification exam that assesses a pentester’s ability […]

The post PNPT: Certification Review appeared first on Black Hills Information Security.
