The Big Blog
What the Ed Snowden case can teach us about CMMC Compliance.
For more than a decade, Edward Snowden has been portrayed by many as a lone whistleblower exposing illegal domestic spying. In a recent Bytes & Brew episode, Steven Bay, Snowden’s former manager at NSA, offers a different perspective, one grounded in operational reality, not politics. And that’s where the lessons for CMMC begin. Separation of Duties: What Snowden Actually Had Access To. Bay explains something that rarely makes headlines: NSA operates under strict separat
2 days ago · 2 min read
Getting Ahead of CMMC Level 2: How QED Enterprises Turned Early Action into a Competitive Advantage
Executive summary: QED Enterprises, Inc., a Stafford, VA-based government contractor founded in 2007, pursued CMMC Level 2 certification early, well ahead of broad Phase 2 enforcement, after leadership concluded CMMC would become a gating requirement across the defense supply chain. Working with Cape Endeavors, QED built and operationalized an assessment-ready compliance program and achieved CMMC Level 2 certification with a perfect score, demonstrating full implementation of
Feb 16 · 3 min read
How to Choose the Right CMMC Consultant
As CMMC enforcement moves from policy to practice, defense contractors are facing a simple but uncomfortable reality: choosing the wrong CMMC consultant can cost more than doing nothing at all. The right consultant shortens timelines, reduces scope, and produces defensible outcomes. The wrong one leaves you with shelfware policies, fragile enclaves, and assessment-day surprises. This guide focuses on what actually matters when evaluating a CMMC consultant, based on how asse
Feb 3 · 4 min read
The FY 2026 NDAA and CMMC Level 2: What the Law Says and What It Signals for Defense Contractors
On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law.^[1] While the Act addresses a broad range of national defense priorities, several provisions are directly relevant to cybersecurity obligations across the Defense Industrial Base (DIB). Most notably, the FY 2026 NDAA explicitly references the Cybersecurity Maturity Model Certification (CMMC) framework and reinforces Congress’s expectation that Depart
Jan 26 · 4 min read
The Great Heist and the “Self-Attestation Gap”: Why CMMC Isn’t Random Bureaucracy
David R. Shedd didn’t come to the conversation as a commentator. He came as a former Deputy Director and Acting Director of the Defense Intelligence Agency, someone who spent a career watching adversaries play the long game. In a recent virtual discussion with CSIS’s Dr. Seth G. Jones, Shedd walked through the core argument of his new book, The Great Heist: China’s Epic Campaign to Steal America’s Secrets: over the last few decades, China has executed a structured campaign
Jan 21 · 4 min read
Strengthening the CMMC Boundary: Why Software Bill of Materials (SBOMs) Are Essential for Secure Supply Chains in Defense Contracting
In today's interconnected defense industrial base, defining and protecting your CMMC Boundary is more critical than ever. The CMMC Boundary is the clearly scoped set of systems, assets, people, facilities, and processes that handle, process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It serves as the foundation for achieving Cybersecurity Maturity Model Certification (CMMC) compliance. As Dr. Georgianna Shea, a season
Jan 20 · 3 min read
The Dark Web, AI Deepfakes, and the Business of Cybercrime
Cybercrime no longer resembles a loose collection of isolated actors and ad-hoc attacks. As discussed in a recent episode of Bourbon & Bytes, it operates as a mature underground economy, complete with specialization, marketplaces, service models, and increasingly sophisticated use of artificial intelligence. In this episode, Terry McGraw, CEO of Cape Endeavors, sits down with Rebecca Taylor, Threat Intelligence Knowledge Manager and Researcher at Sophos, to unpack how cyberc
Jan 7 · 3 min read
What the 2025 U.S. National Security Strategy Signals for Defense, Cybersecurity, and Industry
The 2025 U.S. National Security Strategy released in November is explicit about how the United States now defines security. It rejects vague aspirations and instead focuses on “a concrete, realistic plan that explains the essential connection between ends and means.” That clarity has consequences for defense contractors, technology providers, manufacturers, and cybersecurity leaders, because the strategy repeatedly makes clear that national power depends on economic strength
Dec 23, 2025 · 4 min read