---
title: "PODCAST: Cracking the CMMC 2.0 Code"
date: 2025-04-15 10:15:42
description: "CMMC, NIST, FedRAMP, ITAR — which apply to you, what they cost, and how to talk about them. CMMC Registered Practitioner cuts through the noise."
keywords: "Darren Gallop"
categories: [Podcast Interviews]
tags: [CMMC 2.0, Cyber Security, Greg McHale, Manufacturing Mavericks, Manufacturing Technology, Podcast]
---

## Episode #18 of Manufacturing Mavericks

NIST. CMMC. FedRAMP. ITAR. DFARS. FCI. CUI. CDI. If you’re a precision manufacturer in the DoD supply chain, you’ve heard all of these, and you’re probably not 100% sure which ones apply to you.

In Episode 18 of Manufacturing Mavericks, Greg McHale sits down with **Darren Gallop** — CISSP, CMMC Registered Practitioner, and CEO of Carbide Secure — to cut through the noise. They walk through what each standard actually requires, who’s on the hook for what, and how to think about your software vendors’ compliance posture (and why an off-the-shelf product follows different rules than a SaaS service).

### Some of the highlights:

- Why ITAR experience puts you 60–70% of the way to NIST 800-171 — and what gaps it doesn’t cover

- The “ERP/ERP login” problem and other shop-floor remediations most manufacturers will need

- Whether your software vendors need to be CMMC compliant — and what to ask them

- Realistic budget guidance for self-assessment, gap analysis, remediation, and the third-party audit

- Why your CMMC posture belongs in your capability statement — and how to phrase it so you don’t lose bids before you start

- The “hard way” vs. the “easy way” to compliance, and which one actually saves money

Whether you’re deep in the compliance process or just figuring out whether it applies to you, this episode gives you the framework — and the specific next moves — to keep your DoD contracts intact.

[Listen Now](https://datanomix.io/mavericks/cracking-the-cmmc-2-0-code/)

_**Editor’s note:** This episode was recorded before CMMC Phase 1 took effect on November 10, 2025. Phase 2 — when third-party C3PAO Level 2 certification becomes the default for CUI contracts — begins November 10, 2026. The framework Darren walks through is more relevant now than when we recorded._

**CONNECT WITH THE POD**
Follow the show on Twitter [@MFGmavericks](https://twitter.com/MFGmavericks)
[Follow the podcast on LinkedIn](https://www.linkedin.com/company/manufacturing-mavericks-podcast)

**SUBSCRIBE**
**Manufacturing Mavericks** can be found on [iTunes](https://podcasts.apple.com/us/podcast/manufacturing-mavericks/id1703102891?utm_campaign=Manufacturing%20Mavericks&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8KNLGzCUqP8Z1Fw8DXZ0I4HQkoZnf8FSZj8XjdToOb-AHf1AlLiX_GchpahAYS6JpSqbLc), [Spotify](https://open.spotify.com/show/5NdohS3gbAZpzBoSHBESUJ?utm_campaign=Manufacturing%20Mavericks&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8KNLGzCUqP8Z1Fw8DXZ0I4HQkoZnf8FSZj8XjdToOb-AHf1AlLiX_GchpahAYS6JpSqbLc), [Google](https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkcy50cmFuc2lzdG9yLmZtL21hbnVmYWN0dXJpbmctbWF2ZXJpY2tz?utm_campaign=Manufacturing%20Mavericks&amp;utm_source=hs_email&amp;utm_medium=email&amp;_hsenc=p2ANqtz-8KNLGzCUqP8Z1Fw8DXZ0I4HQkoZnf8FSZj8XjdToOb-AHf1AlLiX_GchpahAYS6JpSqbLc), or your favorite podcast app.

[Learn More](https://datanomix.io/mavericks)