CMMC Expert, Gary Wright Interview

CMMC Madness: Demystifying Cybersecurity Compliance with Expert Gary Wright

In this week’s Gula Tech Adventures video and blog, cybersecurity veteran Ron Gula interviews CMMC expert Gary Wright following the animated short “CMMC Madness.” The video humorously captures the confusion and frustration many professionals experience when navigating modern cybersecurity frameworks—especially the U.S. Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC). What follows is a clear-eyed conversation that explains what CMMC is, why it matters, and what companies can do to prepare.

What is CMMC and Why Was It Created?

The CMMC, short for Cybersecurity Maturity Model Certification, was developed by the DoD to secure the defense industrial base (DIB). It builds on requirements that already sit in defense contracts, chiefly the 110 security requirements of NIST SP 800-171 for Controlled Unclassified Information (CUI) and the basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI), and its purpose is to verify that organizations actually protect CUI and FCI rather than merely claim to.

As Gary Wright explains, “It was designed to put teeth behind existing requirements like DFARS and NIST 800-171.” Wright brings over three decades of experience in pen testing, red and blue teaming, and enterprise cybersecurity. He was involved with the early days of CMMC back in 2019 when the government realized that relying on self-attestation alone wasn't enough.

Who Needs to Be Compliant?

If you're a prime contractor or a subcontractor handling CUI or FCI—even if you’re only making a specific bolt for an aircraft—you may fall under CMMC’s scope. The determining factor is whether the DoD identifies the contract as requiring CMMC Level 1, 2, or 3, based on the sensitivity of the information involved.

Gary emphasized: “Even if you’re just a supplier in the defense supply chain, if you touch CUI or FCI, you’re likely in scope.”

What Are the Levels of CMMC?

Originally conceived as a five-level model, CMMC was simplified to three levels in the "CMMC 2.0" revision:

  1. Level 1 – Focuses on safeguarding FCI. It covers the basic safeguarding requirements of FAR 52.204-21 and requires an annual self-assessment.

  2. Level 2 – Covers CUI and requires all 110 security requirements of NIST SP 800-171. Most Level 2 contracts require an assessment by a certified third party (a C3PAO) every three years; for a smaller set of contracts the DoD designates as less sensitive, an annual self-assessment is sufficient.

  3. Level 3 – For contracts involving the most sensitive CUI. It adds a selected set of enhanced requirements from NIST SP 800-172 on top of Level 2 and is assessed directly by the government, specifically DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Each level builds upon the previous one. The Level 1 requirements are a subset of the 110 in NIST SP 800-171, so a Level 2 organization has already met Level 1, and a Level 3 assessment presumes a current Level 2 certification.

What’s Driving the Push for CMMC?

Nation-state adversaries like China have stolen sensitive technical designs—such as those for the F-35—by targeting weaker points in the DIB’s cybersecurity posture. CMMC aims to close those gaps.

“If China can copy our designs without spending a dime on R&D,” Gary notes, “they start the race ahead of us. We’re paying for that tech, and we should protect it.”

CMMC is a way for the DoD to wield its purchasing power to require better cyber hygiene across the entire defense supply chain.

Common Misconceptions and Challenges

One major misconception is that CMMC compliance is prohibitively expensive. Wright acknowledges the concern but urges companies not to panic: “Many fear it’ll cost tens or hundreds of thousands, but most will find it’s not that bad—especially if they’re already following good security practices.”

Another sticking point? Terminology. In the animated short, the main character mistakes a SIEM for a sneeze, and CMMC for a yoga class. Gary explains that understanding the difference between FCI and CUI is key:

  • FCI (Federal Contract Information): Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government releases publicly and simple transactional data such as payment processing.

  • CUI (Controlled Unclassified Information): Information the government creates or possesses, or that a contractor creates or handles on its behalf, that a law, regulation, or government-wide policy requires be safeguarded or dissemination-controlled. In the DIB this is frequently technical data such as drawings, specifications, and export-controlled information, and it must be protected to the NIST SP 800-171 standard.

Proving You’re Compliant

To show compliance, a company must document how each requirement is met in a System Security Plan (SSP) and then be assessed against it. Level 1 organizations, and Level 2 organizations on the self-assessment track, report their own results, together with an affirmation from a senior company official, in the government’s Supplier Performance Risk System (SPRS). Other Level 2 organizations need an assessment by a certified CMMC Third-Party Assessment Organization (C3PAO), and Level 3 is assessed by the government itself.

Gary recommends planning now: “Even a one-person business can become compliant if they scope their systems properly.”

The Role of Technology

Modern cybersecurity increasingly involves cloud services like Microsoft 365 and AI platforms. Are these allowed? “Yes,” says Gary, “but you need to scope properly and make sure controls are applied.”

Cloud providers like Microsoft publish guidance for how to configure their services to meet CMMC requirements. Some companies, like Binalyze and BEMO, offer plug-and-play security solutions specifically designed to help companies become compliant more easily.

On Cloud Security and Risk

Ron and Gary also discuss the pros and cons of relying on third-party cloud services. “Cloud helps with ease of setup and automation,” Gary notes, “but it also concentrates risk. One misconfigured cloud service can be exploited across thousands of companies.”

Recent intrusions through Ivanti VPN appliances, and the broader Chinese targeting of edge infrastructure, show that an internet-facing service such as a VPN gateway or firewall cannot be the only control standing between an attacker and the network. Without layered defenses behind it, such as prompt patching, multifactor authentication, segmentation, and monitoring, a single compromised appliance exposes everything it was meant to protect.

Practical Advice for Startups and SMBs

Ron points out that many early-stage companies are intimidated by federal compliance. His advice: don’t over-engineer for CMMC too early, but be prepared to scale into it. Gary adds:

“If you're already trying to be secure, you're ahead of the game. Focus your efforts on the environment where CUI and FCI live, and keep the rest of your business segmented.”

For AI services such as those from OpenAI or Anthropic, the question is whether CUI would flow into them. “You can run local models or use AI for general purposes—but if you’re handling CUI, it needs to stay protected,” says Gary.

What's Next for CMMC?

The government is working to finalize the CMMC rule and expand the ecosystem of assessors. The future also includes better public awareness, more training programs, and additional support for SMBs in the DIB. Tools like tabletop exercises, breach awareness campaigns, and strategic consulting will become even more critical.

Wright’s own firm, Futures Inc., offers simulated tabletop cyber attack scenarios, as well as analysis of breached data to alert companies to threats they didn’t even know existed. “Sometimes we’re the first to let a company know that 30GB of their data is already on the internet,” he shares.

Final Thoughts

Ron closes the interview with a strong call to action: “Don’t let the complexity of CMMC keep you from working with the DoD. If you’ve got something Uncle Sam wants to buy—especially if it helps the warfighter—step up.”

Gary agrees: “We’re all in this together. CMMC is not about bureaucracy—it’s about protecting what we’ve built as a nation.”

Whether you’re a Fortune 500 defense contractor or a one-person startup thinking about future government contracts, understanding and preparing for CMMC compliance is a must. The standard might sound daunting, but with the right knowledge, tools, and partners, it’s an achievable goal—and a patriotic one.
