Semel Consulting

Semel Consulting The trusted compliance expert helping you to secure your business since 1980. CMMC - DFARS - HIPAA - NIST

05/29/2026

It is part of it.

A lot of companies think the CUI problem stays inside engineering, production, and quality. Then part of the work goes to a subcontractor and purchasing becomes the point where controlled information leaves the company.

That is where things start getting expensive.

Now the question is not just what your team is doing with the data. The question is what is being sent, how much is being sent, how it is being marked, how it is being transmitted, and whether the recipient should be getting it at all.

None of that feels unusual inside the company. It is just how work moves.

The issue is that CMMC evaluates what actually happens, not what the company intended to keep inside the building.

That is another reason companies get scope wrong. They count the obvious systems and miss the handoff points where the information leaves the company and creates a bigger problem.

That is also why the CMMC QuickStart matters.

We look at how the work actually moves, including where purchasing and subcontractor flowdown change the scope. That gives the company a clearer picture of what is really in play before more time and money get spent preparing for an environment that was never fully understood.

"When it comes to compliance there is nobody else in the industry
who knows more and is a better resource than Mike Semel.
You can count on him."
- Michael Mittel, Founder, RapidFire Tools

05/28/2026

Once marked CUI enters the company, the real question becomes:

Where does it go next?

It goes to engineering. It moves into production. It shows up in quality records. It may move to purchasing if a subcontractor touches part of the work. It may end up in printed travelers, shared folders, machine code, inspection reports, certifications, USB drives, and systems nobody counted because they were focused on the original file.

That is why scope matters so much.

A lot of companies see the controlled drawing and think the issue is protecting that one document. It usually isn’t. The issue is everything the document touches after that.

This is also where companies start wasting money. They improve systems before they know whether they are preparing the right environment.

If you are Company A, start with the scope.

If you don’t know where to start, we can help. As a Certified CMMC Assessor I can help you build a plan that is custom to your business and your needs, so it remains cost effective and actually prepares you for your audit.

05/27/2026

The answer was Company A.

Why?

Because CMMC does not follow the part. It follows the contract and the information.

Company A is receiving marked CUI and building to a Department of War specification. That is the trigger in this example.

Company B’s hinges may end up on military aircraft. Company C may sell into the defense market. That does not matter here, because neither company is receiving Department of War contract information, government drawings, or CUI.

That is where people get this wrong.

They focus on where the product ends up and miss the thing that actually drives CMMC.

The trigger is not “military use.”
The trigger is the information.

If your company is receiving marked CUI and working from that controlled information, you have a different problem than a company selling a standard commercial product into the same supply chain.

That is why CMMC has to start with the contract and the data, not the part.

05/27/2026

Let’s test your CMMC knowledge…

Company A receives marked CUI and makes hinges to a Department of War specification.

Company B makes standard commercial hinges that later end up on military aircraft, but it receives no Department of War contract information, government drawings, or CUI.

Company C sells hardware into the defense market, but it receives no Department of War contract information, government drawings, or CUI.

Which company is subject to CMMC compliance?

CMMC does not follow the part.
It follows the contract and the information.

05/20/2026

Most compliance advice sounds confident until you find out who it is coming from.
That matters more than you think.

Semel Consulting is not a software company trying to sound like a compliance firm. It is our compliance and business continuity consulting firm, built around helping businesses find the blind spots that leave them exposed to investigations, fines, lawsuits, uncovered insurance claims, and contract problems. The work goes deeper than cybersecurity tools. It includes state data breach laws, contractual cybersecurity requirements, cyber insurance requirements, security risk assessments, contract reviews, business continuity planning, policy templates, training, and checklists.

I am the founder, president, and Complianceologist at Semel Consulting. I am a CMMC Certified Assessor, CMMC Certified Professional, and CMMC Registered Practitioner, along with multiple other security, compliance, and resilience certifications. I have owned or managed MSP companies for over 30 years, served as CIO for a hospital and a K-12 school district, managed operations at an online backup company, and I am the best-selling author of How to Avoid HIPAA Headaches. I am also the only expert who consulted with CompTIA/GTIA on the original Security Trustmark, the Security Trustmark Plus, and the Cybersecurity Trustmark.

That background is important because CMMC is not just about buying tools or sounding security-minded. It is about scope, evidence, ownership, contracts, insurance, operations, and whether the company can support what it is claiming when facing an assessment. That is the lens we bring to CMMC work.

At Semel Consulting, we help businesses comply with federal and state laws, contractual requirements, and cyber insurance obligations, while protecting operations, reputation, and finances.

“When it comes to compliance there is nobody else in the industry who knows more and is a better resource than Mike Semel. You can count on him.” - Michael Mittel, President, RapidFire Tools.

If you want to start with the part most companies get wrong first, comment QUICKSTART and I’ll send the details.

05/20/2026

Most companies know CMMC is serious and still are not sure what kind of help they actually need.

That is where they start wasting time.
Some companies need team training because they are still treating CMMC like an IT problem. Some need a Quick Start because they have already started spending money and still do not know whether they are preparing for the right scope. Some need more direct help after that to move from diagnosis into real assessment preparation. Those are different problems. They should not all be solved the same way.

That is why we work with companies in a few different ways.
For companies that need to get the right people up to speed, we offer self-paced team training for government contractors. It covers Level 1 and Level 2, assessment preparation guidance, scoping, scoring, SSP and POA&M templates, a Customer Responsibility Matrix template, and short training built specifically for senior leadership and non-technical managers.

For companies that need a diagnosis before they waste more time and money, we offer a CMMC Quick Start. It is a one-day, on-site engagement led by a CMMC Certified Assessor. It includes an executive briefing, a masterclass for managers and the MSP, a scope and system review, SPRS score review if applicable, a 10-point readiness snapshot, a culture and capability fit check, and an actionable roadmap.

And if the company needs more help after that, Quick Start is not a dead end. It is the starting point. The fee includes credit toward future consulting, which makes it easier to move from getting the scope right into fixing what would keep you from passing.

Why trust us with that work?
Because I am not learning CMMC from summaries and vendor slides. I am a CMMC Certified Assessor who has owned or managed MSP companies for over 30 years, served as CIO for a hospital and a K-12 school district, managed operations at an online backup company, and I am the only expert who consulted with CompTIA/GTIA on the original Security Trustmark, Security Trustmark Plus, and Cybersecurity Trustmark.

“Semel Consulting’s CMMC Quick Start was the turning point for us.” - Mary Binckley, CFO, ArmourSource.

If you are not sure which path makes sense for your company, comment CMMC and we’ll point you in the right direction.

05/15/2026

The part MSPs often miss about HIPAA is that the opportunity is bigger than doctors and dentists.

HIPAA does not stop at Covered Entities.
It also reaches Business Associates, which means the vendors and support organizations that touch Protected Health Information or the systems that process it.

That includes MSPs. It also includes a long list of other companies around the healthcare ecosystem that many MSPs never think about as HIPAA clients until someone points it out clearly.

That is what makes this proposed rule change important.

If the final rule moves forward close to the proposal, a lot of organizations are going to need help. Not just with cybersecurity tools, but with the harder part: turning vague intentions into something documented, supported, and easier to defend.

That means more projects, more recurring work, and more opportunities for MSPs that understand how to guide clients before the confusion starts costing them money.

The smart move is to be the one clients remember for explaining this early.

Read more here:

In this latest article from compliance expert Mike Semel, we dive into how the new HIPAA revisions are changing the game.

05/13/2026

The companies that get the most value from a CMMC QuickStart are usually the ones feeling one of three things.

They are about to begin and do not want to waste money.
They already began and are no longer sure the scope is right.
They know the company is speaking in broad statements and want to find out what actually holds up before someone from the outside starts asking questions.

That is where QuickStart helps.

We use it to get the company out of the guessing stage.

We walk the environment. We look at how the work actually happens. We identify where CUI is really showing up. We test whether the company’s current understanding of scope, support, and readiness matches reality. We also bring the right people into the room so the company can see early that CMMC is not just an IT issue and not something you hand to the MSP and hope for the best.

QuickStart does not solve every problem in one day.

It does something more important.

It shows the company where to start, what not to assume, and what will get expensive if discovered late.

And a QuickStart is not just a diagnosis. It also gives the company a clearer path into assessment preparation. Once scope is confirmed and the real weak points are identified, we can help the team move into the next phase with much less guessing, whether that means training, remediation, or preparing for the assessment itself.

Comment QUICKSTART and I’ll send the details.

05/12/2026

A lot of contractors do not need more CMMC effort.

They need a diagnosis.

That is the part people skip.

They know CMMC is serious. They know the contracts matter. They know they need to do something. So they start working. IT gets involved. The MSP gets involved. Documentation starts moving. Tools start getting reviewed. Meetings start happening.

And none of that answers the first question that matters.

Are you preparing for the right environment?

That is what the QuickStart is for.

It is not generic training. It is not a long consulting project. It is not “let’s spend six months figuring it out.”

It is a one-day, on-site CMMC diagnostic led by a CMMC Certified Assessor to help the company get its arms around scope, current posture, assumptions, and the biggest places the story is likely to break.

It also gets the right people into the same conversation early. Leadership. IT. Operations. The people outside IT who own the parts of CMMC companies keep pretending belong only to IT.

That is why QuickStart saves time and money. It helps companies stop solving the wrong problems first.

Comment QUICKSTART and I’ll send the details.

05/11/2026

If your contracts depend on CMMC and you are still getting your guidance from recycled summaries, vendor opinions, and people who have never had to think like an assessor, this roundtable is worth your time.

I’m participating in the 3rd Annual CMMC Roundtable Livestream Webinar on Thursday, May 14, 2026, from 9:00–10:30 AM EST, broadcasting live from the Lifeline Data Centers INDY 500 Suite during opening week of Indy 500 practice.

A lot of companies are still making expensive decisions based on incomplete explanations of CMMC. They are improving the environment, updating documentation, and moving forward without being sure they understand the assessment process they are actually going to face.

That is how CMMC gets more expensive than it needs to be.

Some companies need to get the right people up to speed.
Some need a diagnosis before they waste more time and money.
Some need both.
If you are dealing with CMMC now, or know it is coming soon, this is worth your time.

Register here: https://us06web.zoom.us/webinar/register/5417781855667/WN_C77tXf-FQLq04dr5_6Ohmg #/registration

Address

6547 Midnight Pass Road #90
Sarasota, FL
34242

Website

https://trust.semelconsulting.com/get-cmmc-guide, https://trust.semelconsulting.com/
