The Summit 7 Compliance Team has helped more than 90 companies achieve CMMC Level 2 certification.
This week on a special edition of the hotline you'll get a chance to ask them anything.
- Best indicators of success?
- Craziest thing to ever come out of an assessor's mouth?
- Pineapple on pizza?
See you Friday at 1pm EST.

There are no deadlines in the CMMC Phased Roll-out.
"When do I need CMMC?" depends entirely on your customer and the data you'll be handling.
NAVFAC SW says November 2026.
PCS JTF says Spring 2027.
Some SOCOM support contracts say you don't need to achieve status until six months *after* award.
That's blatantly against policy, but the DoD isn't a monolith.
It all depends on your specific situation.
If you have questions about your specific situation, come hang out with us Fridays at 10am PST when we answer your questions live.

Just because something sounds like it should be CUI doesn't make it so.
Unclassified data is only controlled if a law, regulation, or government-wide policy specifically says that data must be, well, controlled.
Sometimes there are dozens of "authorities" related to the same type of data so the CUI Registry summarizes and describes each category very broadly.
Even though those descriptions might talk about "vulnerability information" in general, the summary doesn't make all vulnerability information controlled.
You have to read the specific details of the laws and regulations to know what's what.
It's tedious, but it can save you a ton of time and money when you find out that your customer is just being lazy and only reading category descriptions.
We answer CUI questions on the hotline every week.
Come hang out.