In this episode of "Regulatory Phishing," government contracts attorney Eric Crusius is joined by Tom Tollerton, a partner with FORVIS, a Certified Third-Party Assessment Organization (C3PAO). In this episode, Eric and Tom discuss the role of the C3PAO in the Cybersecurity Maturity Model Certification (CMMC) process and what to expect with the new version of Special Publication 800-171 from the National Institute of Standards and Technology (NIST). NIST 800-171 is used as the baseline for a number of existing and forthcoming regulations in addition to Level 2 of CMMC.