CyberWatch

Scott "Monty" Montgomery (Island) | Navigating CMMC compliance for organizations of every size

By Access Point Consulting

Scott Montgomery, known as Monty, joined the CyberWatch Expert Series podcast to discuss his extensive background in cybersecurity, particularly in building and designing network security tools for high-assurance environments like the Department of Defense (DoD) and the intelligence community. His experience includes significant tenure at McAfee (now Trellix), which led him to his current role at Island, where he focuses on innovative approaches to cybersecurity compliance.

Understanding CMMC
Monty explained the Cybersecurity Maturity Model Certification (CMMC) with an educational analogy: CMMC is the final exam in a college course whose purpose is protecting DoD data. The "homework" for that course is NIST SP 800-171, which lays out the security requirements and cyber hygiene practices a contractor is expected to have in place. The certification itself is an assessment by a third-party examiner that verifies contractors handling DoD information actually meet those requirements.

Applicability to Organizations of All Sizes
Monty emphasized that CMMC does not apply only to large prime contractors such as Lockheed Martin; it also weighs heavily on smaller subcontractors, who may struggle to meet the requirements with limited resources. Some small businesses will find compliance costly or complex enough that they reconsider pursuing government contracts; others will adapt in order to protect essential revenue streams.

Managing Third-Party and Downstream Risks
Monty highlighted the complexity of managing third-party and fourth-party risk within the CMMC framework. Compliance obligations flow down the supply chain according to the data involved: whether a contract's data is designated Controlled Unclassified Information (CUI) determines the level of compliance required at each tier. That creates variability and complexity for subcontractors that serve multiple contracts with different CUI designations, since each contract may impose a different set of obligations.

Cloud Services as a Compliance Accelerator
To simplify compliance, Monty advocated leveraging cloud services from providers such as Amazon, Microsoft, and Google. These platforms offer standardized environments that are already built to meet the relevant requirements, which reduces the burden on smaller businesses. He also pointed to tools such as virtual desktop infrastructure and enterprise browsers, which simplify secure access to sensitive data and, by keeping that data inside a managed environment, reduce the scope an organization must bring into compliance.

Beyond Government Contracts: General Cybersecurity Maturity
Monty noted that even organizations not directly contracting with the DoD could benefit from frameworks like CMMC. He recommended exploring broader NIST guidelines, such as the Risk Management Framework, which offer scalable cybersecurity practices suitable for businesses across sectors including finance, healthcare, and retail.

Key Takeaways
Monty shared three core insights for listeners:

  1. Modern tools like enterprise browsers and cloud solutions can enhance security, privacy, and productivity simultaneously.
  2. Cybersecurity and privacy are complex, evolving disciplines best addressed through community collaboration, such as industry-specific Information Sharing and Analysis Centers (ISACs).
  3. Compliance frameworks should serve as tools to advance business objectives, not merely as regulatory checkboxes.

Listen to the CyberWatch podcast on Spotify and Apple Podcasts, or watch the episode on YouTube.
