The Big Blog
The FY 2026 NDAA and CMMC Level 2: What the Law Says and What It Signals for Defense Contractors
On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law.^[1] While the Act addresses a broad range of national defense priorities, several provisions are directly relevant to cybersecurity obligations across the Defense Industrial Base (DIB). Most notably, the FY 2026 NDAA explicitly references the Cybersecurity Maturity Model Certification (CMMC) framework and reinforces Congress’s expectation that Depart
Jan 26 · 4 min read
The Great Heist and the “Self-Attestation Gap”: Why CMMC Isn’t Random Bureaucracy
David R. Shedd didn’t come to the conversation as a commentator. He came as a former Deputy Director and Acting Director of the Defense Intelligence Agency, someone who spent a career watching adversaries play the long game. In a recent virtual discussion with CSIS’s Dr. Seth G. Jones, Shedd walked through the core argument of his new book, The Great Heist: China’s Epic Campaign to Steal America’s Secrets: over the last few decades, China has executed a structured campaign
Jan 21 · 4 min read
Strengthening the CMMC Boundary: Why Software Bill of Materials (SBOMs) Are Essential for Secure Supply Chains in Defense Contracting
In today's interconnected defense industrial base, defining and protecting your CMMC Boundary is more critical than ever. The CMMC Boundary is the clearly scoped set of systems, assets, people, facilities, and processes that handle, process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It serves as the foundation for achieving Cybersecurity Maturity Model Certification (CMMC) compliance. As Dr. Georgianna Shea, a season
Jan 20 · 3 min read
The Dark Web, AI Deepfakes, and the Business of Cybercrime
Cybercrime no longer resembles a loose collection of isolated actors and ad-hoc attacks. As discussed in a recent episode of Bourbon & Bytes, it operates as a mature underground economy, complete with specialization, marketplaces, service models, and increasingly sophisticated use of artificial intelligence. In this episode, Terry McGraw, CEO of Cape Endeavors, sits down with Rebecca Taylor, Threat Intelligence Knowledge Manager and Researcher at Sophos, to unpack how cyberc
Jan 7 · 3 min read
What the 2025 U.S. National Security Strategy Signals for Defense, Cybersecurity, and Industry
The 2025 U.S. National Security Strategy released in November is explicit about how the United States now defines security. It rejects vague aspirations and instead focuses on “a concrete, realistic plan that explains the essential connection between ends and means.” That clarity has consequences for defense contractors, technology providers, manufacturers, and cybersecurity leaders, because the strategy repeatedly makes clear that national power depends on economic strength
Dec 23, 2025 · 4 min read
CMMC Self-Assessments and C3PAO Certifications
Understanding Annual and Triennial Assessment Requirements
The Cybersecurity Maturity Model Certification (CMMC) program establishes standardized requirements for assessing and validating the cybersecurity posture of organizations within the Defense Industrial Base (DIB). Despite the formalization of the program in regulation, confusion remains regarding when a self-assessment is sufficient and when an independent assessment conducted by a Certified Third-Party Assessment Org
Dec 18, 2025 · 3 min read
CMMC Compliance in the Crosshairs: What DOJ’s Cyber-Fraud Crackdown Means for Defense Contractors
Featuring insights from former U.S. Attorney Zach Terwilliger on Bourbon & Bytes
CMMC Compliance has officially entered a new era, one where cybersecurity claims aren’t merely checked for accuracy, but examined with prosecutorial intensity. In a recent episode of Bourbon & Bytes, Terry McGraw sat down with Zach Terwilliger, Managing Partner of Vinson & Elkins’ Washington, D.C. office and former U.S. Attorney for the Eastern District of Virginia, to unpack a sobering reality:
Dec 9, 2025 · 4 min read
THE DARK SIDE OF DIY CMMC ENCLAVES
Why Self-Built CMMC Enclaves Fail
In the world of defense contracting, achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) is essential for handling Controlled Unclassified Information (CUI). A key component in this process is the CMMC enclave, a secure, isolated environment designed to protect CUI from unauthorized access and cyber threats. However, many organizations, particularly small and medium-sized enterprises (SMEs), opt to build their own C
Dec 6, 2025 · 6 min read