GRC Academy
by Jacob Hill
Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform for GRC professionals, executives, and anyone else who wants to increase their knowledge in the GRC space!
Podcast episodes
Season 2
CMMC Will BREAK Your MSP - Axiom's CMMC Level 2 Journey
“We built a second company from scratch…” Is that what it takes for MSPs to get CMMC'd!?! 👀 In this episode I’m joined by Bobby Guerra and Kaleigh Floyd from Axiom, an IT Managed Service Provider (MSP). They explain exactly what it took to achieve CMMC level 2 certification - after 4 years of effort. Most MSPs aren’t ready for CMMC. Many believe it's just another checkbox, but it’s a complete operational shift that requires rethinking your tools, processes, and client relationships! Here are some of the highlights: How much money they allocated for CMMC (it’s more than you think) How to build scalable and repeatable processes to support compliance The tools, contracts, and agreements you MUST have in place How to prepare for the assessment (and avoid sleepless nights!) Bobby Guerra is the CEO of Axiom and has led the MSP for over 22 years. Under his leadership, Axiom became one of the first MSPs in the U.S. to achieve CMMC Level 2 Certification. Bobby now helps guide clients through their own CMMC journeys, focusing on sustainable security and compliance. Kaleigh Floyd is the Marketing Director at Axiom and Co-Host of the Climbing Mount CMMC podcast. Raised in the MSP world, she now educates others through Microsoft 365 training and cybersecurity content. Her passion lies in simplifying tech and making a lasting impact in the industry. This is a true CMMC for MSPs masterclass! So much great advice packed into this episode! What were your biggest takeaways? Let me know in the comments! Follow Bobby on LinkedIn: https://www.linkedin.com/in/bobbyguerra/ Follow Kaleigh on LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/ Axiom's Website: https://www.axiom.tech/ Climbing Mount CMMC Podcast: https://www.axiom.tech/climbing-mount-cmmc-the-podcast/ ----------- Thanks to our sponsor Vanta! Need continuous visibility into the state of your security controls? Discover the new way to GRC here: https://vanta.com/grcacademy ----------- Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e4&utm_campaign=courses #cmmc #nist #cybersecurity
CMMC Level 2 Assessments - What to Expect and How to Avoid Disaster
Preparing for a CMMC assessment, but don't know what to expect? Get ready to learn from CMMC Lead Assessor Fernando Machado as he explains EXACTLY what happens in each phase of the CMMC assessment process! Fernando is the Managing Principal of Cybersec Investments which is an authorized C3PAO. Fernando has been involved with CMMC starting in 2020 as a member of the Cyber AB's Standards Management Industry Working Group. Cybersec Investments has already issued 12 CMMC certifications since CMMC assessments began in January of 2025 and previously participated in nearly 20 Joint Surveillance Voluntary Assessments (JSVAs). 👉 Here are some highlights: What to expect during a CMMC assessment The 4-phases of the CMMC Assessment Process (v2.0) No self-assessment? No independent assessment Common issues that could cause assessment failures How to make the assessment easier for your assessor (and you) It is overwhelming preparing for a CMMC assessment, but don't go into it without knowing what to expect! What were your biggest takeaways? Let me know in the comments! Follow Fernando on LinkedIn: https://www.linkedin.com/in/fernando-machado-cissp-cism-cca-ccp-5b5581124/ Cybersec Investments Website: https://cybersecinvestments.com/ ----------- Thanks to our sponsor Vanta! Need continuous visibility into the state of your security controls? Discover the new way to GRC here: https://vanta.com/grcacademy ----------- Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e3&utm_campaign=courses #cmmc #nist #cybersecurity
CMMC Mistakes COST Villa-Tech $485,000
🔥 "I Could Have Saved $300K on CMMC!" 🔥 Miguel is the founder of Villa-Tech, a small but powerful tech company that is breaking into the defense contracting space. Miguel shares a raw and honest look at the costly missteps, lessons learned, and strategies that could save small businesses hundreds of thousands of dollars preparing for CMMC certification! 👉 Here are some highlights: How he could have saved $300k Bad advice is expensive - how to hire the right consultants Rebuilding their SSP 4 times The importance of CMMC education before diving in Villa-Tech has built a CUI enclave environment that other defense contractors can leverage! They also have an amazing set of capabilities and just achieved CMMC level 2 certification, so be sure to check out their capabilities statement below. Small businesses CAN succeed in CMMC, but the path is filled with pitfalls that can drain your budget. Don’t make the same mistakes - learn from someone who’s been through it! What were your biggest takeaways? Let me know in the comments! Follow Miguel on LinkedIn: https://www.linkedin.com/in/miguel-villarreal-0231286/ Villa-Tech Website: https://www.villa-tech.com Villa-Tech Capabilities: https://villa-tech.com/government/capabilities-statement/ Structura.io Website: https://structura.io/ ----------- Thanks to our sponsor Vanta! Need continuous visibility into the state of your security controls? Discover the new way to GRC here: https://vanta.com/grcacademy ----------- Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e2&utm_campaign=courses #cmmc #nist #cybersecurity
CMMC Compliance in AWS Cloud Just Got a LOT Easier
CMMC and DFARS compliance is hard - especially in the cloud. Got AWS? They've given you tools that make compliance much easier! In this episode, I sit down with Travis Goldbach from Amazon Web Services (AWS) to break down the solutions AWS has created to simplify CMMC and DFARS compliance. 👉 Here are some highlights: AWS compliance automation - reducing manual effort and risk Shared Responsibility Model - what AWS secures vs. what you manage AWS GovCloud vs. Commercial Cloud - choosing the right environment Landing Zone Accelerator - your shortcut to a secure, compliant AWS setup How AWS is pursuing its own CMMC certification & what that means for you I didn't know that AWS was so mature when it came to CMMC and DFARS compliance! It was really awesome to learn how they are making compliance easier! What were your biggest takeaways? Let me know in the comments! Follow Travis on LinkedIn: https://www.linkedin.com/in/travis-goldbach-b446a223/ AWS CMMC website: https://aws.amazon.com/compliance/cmmc/ ----------- Thanks to our sponsor Vanta! Need continuous visibility into the state of your security controls? Discover the new way to GRC here: https://vanta.com/grcacademy ----------- Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e1&utm_campaign=courses #cmmc #nist #cybersecurity #aws
Season 1
CMMC 2.0 Is FINALLY Here - What Happens Next (with Stacy Bostjanick)
It’s been a long and wild ride on this #cmmc ship! ⛵ In this episode, I speak with Stacy Bostjanick who is the Director of the CMMC program at DoD CIO! Here are some highlights from the episode: Expectations for the initial phase in of CMMC Who determines CMMC levels for contracts? How will CMMC waivers work? Criteria for CMMC level 2 self-assessments and CMMC level 3 Early use of NIST 800-171 r3 And so much more! First mentioned in 2019, CMMC 1.0 was released in 2020 under the Trump administration. CMMC 1.0 was reviewed during the Biden administration, they released CMMC 2.0 in late 2021, and then… There was a great silence. If you threw a small rock, you’d hit ten people who thought CMMC was going away. All this time though, the DoD was quietly marching on. They released the proposed CMMC program rule in December 2023 and released the final CMMC program rule in October 2024 - which is now EFFECTIVE. After all of that, CMMC will FINALLY begin to phase into DoD solicitations and contracts by this summer. CMMC has been a LONG time coming, and it was an honor to hear the back story and why certain decisions were made! What were your biggest takeaways? Let me know in the comments! Follow Stacy on LinkedIn: https://www.linkedin.com/in/stacy-bostjanick-a3b67173/ DoD CIO CMMC website: https://dodcio.defense.gov/CMMC/ ----------- Thanks to our sponsor Vanta! Want to save time filling out security questionnaires? Experience questionnaire automation here: https://vanta.com/grcacademy ----------- Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e43&utm_campaign=courses #cmmc #nist #cybersecurity