The honor system
IT Brew // Morning Brew // Update
You know what you’re doing, right?

Happy Tuesday! We are officially three days into Pride Month and Chappell Roan STILL hasn’t released “The Subway” on streaming platforms. I won’t move to Saskatchewan over it or anything, but I guess this makes it just another day.


In today’s edition:

Compliance defiance

CISO v CISO

Hooked

—Eoin Higgins, Brianna Monsanto, Billy Hurley, Patrick Lucas Austin

IT STRATEGY


Everybody comply now.

That’s the message for Department of Defense (DOD) contractors as the federal agency moves to enforce Cybersecurity Maturity Model Certification (CMMC) requirements as defined in the December 16, 2024, CMMC Program Rule. As of 2025, all new contracts with DOD are required to adhere to the guidelines.

The program is in place to enforce existing standards, Deltek Senior Manager of Cloud Solutions Michael Greenman told IT Brew during a break from the floor at CEIC West, a CMMC-focused conference, in May. The contract clause dates back to 2017, and for a time relied on the honor system. That didn’t work, perhaps predictably; Greenman said that the lack of self-enforcement was even worse than DOD had expected.

“CMMC was born as the enforcement of the cybersecurity requirements that defense contractors have had again in their contracts for many, many years,” Greenman said. “And so in the first version of CMMC, it was a bit haphazard, didn’t do the full baked out version.”

Why hoping for compliance isn’t working. EH

IT OPERATIONS


Virtual CISOs (vCISOs) are like a box of chocolates: You never know what you’re gonna get.

That’s at least the opinion among some practicing vCISOs in the industry who feel there is a lack of shared standards or formal accreditations for professionals taking on the title.

vCISOs, consultants who provide security guidance to companies on a part-time or contractual basis, can be a cost-effective option for organizations of all sizes. While these professionals often play a key role for the organizations they serve, SecurityStudio Academy Executive Director Dave Tuckman told IT Brew that there isn’t much of a “vetting process or standardization” of skills associated with the role. SecurityStudio is FRSecure’s sister company.

“If you go and ask 10 people, ‘What is the definition of vCISO?’ you’ll probably get 11 answers,” Tuckman said. “There just isn’t a common understanding, which leads to variances in perception and understanding.”

How to make the vCISO a reality. BM

IT STRATEGY


Any professor who holds office hours knows: College kids have lots of questions.

Patty Patria, chief information officer at Babson College, knows, too, that students may now save their quick queries for a chatbot. Currently the team has visibility, she said, into the many AI tools being used on the school’s network.

Babson IT employs Microsoft Defender for Cloud Apps to view AI-related activity, like suspicious prompts and data leaks. Other options for companies that want to monitor LLM usage include CASB products, which apply access controls and detect data-compromising SaaS usage.

“This is becoming a much more challenging thing,” Patria told us, “to get down to the granularity of data: What data is going into ChatGPT versus DeepSeek versus Copilot?”

Patria shared ways to ensure data security when everybody’s hooked on ChatGPT.

Here’s why you should keep the proprietary private. BH

PATCH NOTES


Today’s top IT reads.

Stat: 79%. That’s how much of the time some newer AI systems are hallucinating, according to a SimpleQA test. (the New York Times)

Quote: “Honestly, if we ejected all GenAI tools into the sun, I would be quite pleased.”—Robert W. Gehl, the Ontario research chair of Digital Governance for Social Justice at York University in Toronto, on AI use in education (404 Media)

Read: Office of Personnel Management workers are fighting back against the DOGE-issued reductions in force, with one former employee claiming DOGE took credit for a long-term IT project. (FedScoop)
