RADICL Blog

EP 1 — Peak InfoSec's Matthew Titcombe on Enterprise vs Enclave Strategies

Written by Chris Petersen | 2025 | 08

After avoiding the Air Force's early CISSP requirements and calling the cybersecurity ecosystem "a mess," Matthew Titcombe, CEO & Sr. Information Security Consultant at Peak InfoSec, still found himself designing NIST 800-171 firewall architectures at United Launch Alliance.

Since then, Matt has conducted hundreds of CMMC assessments and witnessed a consistent pattern: businesses confidently estimate their System Security Plan Review scores in the hundreds, only to discover they're actually in the 30s when assessed against all 320 assessment objectives rather than just the 110 basic requirements. He tells Chris that this gap between perception and reality reflects deeper misunderstandings about scope, configuration management, and the information-centric approach needed for effective compliance.

Topics discussed:

  • The operational blind spots MSPs develop when serving defense contractors through convenience-based practices that become CMMC violations.
  • Why most small businesses require enterprise-wide CMMC implementation rather than enclave strategies due to role overlap and information flow complexity.
  • The systematic approach to CMMC scoping that follows information flow through people, processes, facilities, and technologies rather than starting with technology boundaries.
  • How System Security Plan Review scores drop precipitously from estimated hundreds to actual 30s when assessed against all 320 assessment objectives rather than just the 110 basic requirements.
  • Configuration management as the most commonly failed control area, requiring documented configuration baselines rather than just implementing DISA STIGs or security guides.
  • The market dynamics driving MSP consolidation as providers choose between compliance investment for small client percentages versus exiting the defense contractor market entirely.