CMMC Final Assessment: What I Did Right, What I’d Change, and How You Can Prepare

When I started my organization’s CMMC journey, I knew I was stepping into one of the most important projects of my career. As a Department of Defense subcontractor, our business depends heavily on contract awards from large prime contractors. When I learned that CMMC would roll out in phases, with certified companies receiving priority in Phase 1 and non-certified organizations possibly excluded entirely in Phase 2, I committed myself to one principle:

“I will not be responsible for putting this company out of business.”

That clarity of purpose fueled every decision I made. We ultimately succeeded, earning a CMMC Conditional Certification with only one POAM, and later achieving the full certification. But the journey wasn’t flawless. I am sharing what worked, what I would do differently, and how you can prepare for your own assessment.

What I Did Well

1. Taking the CMMC Certified Professional (CCP) Course

One of the best decisions I made early on was completing the CCP training. I was not trying to become an auditor—I wanted to understand how auditors think.

The course gave me:

  • A strong understanding of CMMC history and intent
  • Clarity on the three evaluation methods: examine, interview, test
  • Insight into what auditable evidence actually looks like

This foundation removed guesswork and let me structure our implementation around defensible, auditable evidence instead of assumptions.

2. Following a Proven Audit Preparation Plan

Our Quality Manager (QM), who leads our AS9100 audits every year, gave us a plan that became the backbone of our preparation. It was simple, realistic, and highly effective:

Year-long audit readiness plan:

  • Step 1: Hire an external CMMC consultant to conduct an initial assessment and create an implementation plan.
  • Step 2 (6 months later): Have the actual CMMC auditor perform a gap assessment.
  • Step 3 (6 months later): Conduct the pre-assessment—the final gate before the real assessment.

This phased approach made expectations clear and prevented surprises late in the journey.

3. Using an Auditing Firm We Already Knew

We selected the same audit organization that handles our other certifications.

That mattered because:

  • They already understood our business operations.
  • We didn’t waste assessment time explaining our structure.
  • They referred us to a consultant whom they trusted and worked well with.

Relationships matter in this process. Familiarity reduced friction and helped us avoid misunderstandings during evidence inspection.

4. Implementing Requirements In-House (With Help)

We chose to implement the consultant’s findings ourselves rather than outsourcing every change. It wasn’t always fast—but it worked.

Benefits of the DIY approach:

  • We built internal competency.
  • We tailored policies and procedures to our real business operations.
  • We avoided forcing the company to conform to “canned” templates.

Ironically, during our final assessment, we learned that our consultant’s other clients had more findings than we did. That validated our more hands-on approach.

5. Setting Realistic Expectations With Leadership

I made it clear early on that the goal wasn’t a perfect 110 score.

The real objective was:

  • Pass all 3-point and 5-point controls, and
  • Get at least 80% with allowable POAMs

This mindset kept leadership aligned and supportive. When we earned a conditional certification with one POAM, they understood it was a success, not a failure.

What I Wish I Had Done Differently

1. Securing an Executive-Level Champion

I reported to an IT Manager who didn’t have enough organizational influence to push company-wide changes. I was four levels down from the CEO, yet responsible for implementing policies that affected the entire organization.

Without a champion at the director/VP/C-suite level:

  • I spent countless hours negotiating and socializing changes.
  • Adoption took longer than it needed to.
  • Enforcement became a constant battle.

If I could start over, I would secure an executive sponsor from day one: someone who could clear resistance and endorse changes from the top.

2. Defining a CMMC Enclave Early

Our leadership wanted the entire company to be certified instead of just the handful of employees who actually handle CUI. Looking back, this was one of our biggest inefficiencies.

The analogy I use is PCI compliance: Imagine certifying a 500-employee company for credit card handling when only 10 employees actually process payments. Now everyone—from custodians to executives—must take PCI training and follow PCI procedures.

That’s what we did with CMMC, and it placed an excessive and unnecessary burden on everyone.

By contrast, a small, well-structured enclave would have:

  • Reduced training
  • Eliminated unnecessary policy scope
  • Simplified implementation
  • Reduced audit burden
  • Improved overall compliance

I strongly recommend assessing whether your organization truly needs enterprise-wide certification—or if an enclave is the smarter path.

3. Involving the Quality Manager Earlier

Leadership was anxious about whether we would pass, so they instructed the QM to audit all evidence during the final month before the assessment.

The result?

  • I worked 7 days a week, rushing to restructure evidence.
  • We survived—but it was unnecessary stress.

If I had involved the QM throughout the entire program, the evidence format would have been clean, consistent, and audit-ready from the start.

The Final Result

We earned a CMMC Conditional Certification with one POAM during the final assessment period.

We closed that POAM within five months and achieved full CMMC Certification.

This journey pushed me professionally and personally, and I’m proud of the outcome. The lessons above aren’t hypothetical: they’re battle-tested. If you’re preparing for your own assessment, I hope these insights help you navigate your path more efficiently and with fewer surprises.

Closing Thoughts

CMMC is challenging, especially if you work for a small or mid-sized contractor. But with the right structure, the right people, and realistic expectations, it’s absolutely achievable.

If you’re getting ready for your final assessment:

  • Invest in training.
  • Choose your partners wisely.
  • Secure an executive champion.
  • Scope your environment thoughtfully.

And remember: the goal isn’t perfection—it’s certification.

Secjuice – Read More

SecjuiceCON 2026

SecjuiceCON is an online event for infosec and OSINT industry insiders, and we’d love for you to talk to our audience about your wisdom and learnings.

You might already know about our work, but Secjuice is the only non-profit, independent, and volunteer-led publication in the information security space.

We are a private members’ writing club focused on cybersecurity, information security, hacking, and open-source intelligence gathering.

We believe that our value as professionals lies in our ability to share our research and knowledge with others through the written word.

We mentor hackers and help them prepare their research for publication.

Our members feel a strong sense of civic duty; it’s what drives us to spread our knowledge and experiences with our community.

Defending the interests of those who hack is within our remit.

Conference Date

Planning for Sunday, May 31, 2026

12 PM Eastern Daylight Time (EDT)

4 PM Coordinated Universal Time (UTC)

Venue

YouTube Premiere video

https://www.youtube.com/@secjuice

Topics

SecjuiceCON will cover the following topics and welcomes speaker applications on any subject within them:

  • Artificial Intelligence & Threat Intelligence
  • Incident Response & Digital Forensics
  • Security Architecture & Engineering
  • Governance, Risk & Compliance
  • Red, Blue & Purple Teaming
  • Future Horizons & Emerging Threats
  • Give Us What You Got

Call for Presenters

Please visit https://sessionize.com/SecjuiceCon2026/ to submit an abstract.

The deadline to submit is 1/31/2025.

Schedule and Presenters

The schedule uses the America/New_York time zone (Eastern Daylight Time).

  • TBD

The schedule is tentative and subject to change.

Code Of Conduct

No drama, no hostility, maintain civility, or else.

Sponsors

We thank the following sponsors.

Gold Sponsors

Want to sponsor SecjuiceCON?

Please email conference at secjuice dot com to get more details!!

Secjuice – Read More

My favorite AirTag wallet alternative is lightweight, super thin, and surprisingly cheap

The KeySmart SmartCard left a strong impression after just a few weeks of using it.

Latest news – Read More

Yes, you can make your AirTag last 10 years on a single battery – but you won’t like how it’s done

I have over a dozen AirTags in use, and my biggest problem is having to change the batteries every year or so. Elevation Lab said, ‘no worries.’

Latest news – Read More

Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach

Barts Health NHS confirms Cl0p ransomware breach via Oracle flaw. Invoice data exposed. Patient records and clinical systems remain unaffected.

Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More – Read More

Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks

Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
The security shortcomings have been collectively named IDEsaster by security researcher Ari Marzouk (MaccariTA). They affect popular

The Hacker News – Read More

Drones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay Mill

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

The Nerdify homepage.

The link between essay mills and Russian attack drones might seem improbable, but understanding it begins with a simple question: How does a human-intensive academic cheating service stay relevant in an era when students can simply ask AI to write their term papers? The answer – recasting the business as an AI company – is just the latest chapter in a story of many rebrands that link the operation to Russia’s largest private university.

Search in Google for any terms related to academic cheating services — e.g., “help with exam online” or “term paper online” — and you’re likely to encounter websites with the words “nerd” or “geek” in them, such as thenerdify[.]com and geekly-hub[.]com. With a simple request sent via text message, you can hire their tutors to help with any assignment.

These nerdy and geeky-branded websites frequently cite their “honor code,” which emphasizes they do not condone academic cheating, will not write your term papers for you, and will only offer support and advice for customers. But according to This Isn’t Fine, a Substack blog about contract cheating and essay mills, the Nerdify brand of websites will happily ignore that mantra.

“We tested the quick SMS for a price quote,” wrote This Isn’t Fine author Joseph Thibault. “The honor code references and platitudes apparently stop at the website. Within three minutes, we confirmed that a full three-page, plagiarism- and AI-free MLA formatted Argumentative essay could be ours for the low price of $141.”

A screenshot from Joseph Thibault’s Substack post shows him purchasing a 3-page paper with the Nerdify service.

Google prohibits ads that “enable dishonest behavior.” Yet, a sprawling global essay and homework cheating network run under the Nerdy brands has quietly bought its way to the top of Google searches – booking revenues of almost $25 million through a maze of companies in Cyprus, Malta and Hong Kong, while pitching “tutoring” that delivers finished work that students can turn in.

When one Nerdy-related Google Ads account got shut down, the group behind the company would form a new entity with a front-person (typically a young Ukrainian woman), start a new ads account along with a new website and domain name (usually with “nerdy” in the brand), and resume running Google ads for the same set of keywords.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:

  • Proglobal Solutions LTD (advertised nerdifyit[.]com);
  • AW Tech Limited (advertised thenerdify[.]com);
  • Geekly Solutions Ltd (advertised geekly-hub[.]com).

Currently active Google Ads accounts for the Nerdify brands include:

  • OK Marketing LTD (advertising geekly-hub[.]net), formed in the name of the Ukrainian national Alexander (Oleksandr) Korsukov;
  • Two Sigma Solutions LTD (advertising litero[.]ai), formed in the name of Olekszij Pokatilo.

Google’s Ads Transparency page for current Nerdify advertiser OK Marketing LTD.

Messrs. Korsukov and Pokatilo have been in the essay-writing business since at least 2009, operating a paper-mill enterprise called Livingston Research. According to a lengthy account from a former employee, Livingston Research mainly farmed its writing tasks out to low-cost workers from Kenya, the Philippines, Pakistan, Russia and Ukraine.

In 2011, the two men set up a Cyprus corporation called VLS Research Ltd, which would later change its name to CLS Research Ltd. Pokatilo moved from Ukraine to the United Kingdom in Sept. 2015 and co-founded a company called Awesome Technologies, which pitched itself as a way for people to outsource tasks by sending a text message to the service’s assistants.

The other co-founder of Awesome Technologies is 36-year-old Filip Perkon, a Swedish man living in London who touts himself as a serial entrepreneur and investor. Years before starting Awesome together, Perkon and Pokatilo co-founded a student group called Russian Business Week while the two were classmates at the London School of Economics. According to the Bulgarian investigative journalist Christo Grozev, Perkon’s birth certificate was issued by the Soviet Embassy in Sweden.

Alexey Pokatilo (left) and Filip Perkon at a Facebook event for startups in San Francisco in mid-2015.

Around the time Perkon and Pokatilo launched Awesome Technologies, Perkon was building a social media propaganda tool called the Russian Diplomatic Online Club, which Perkon said would “turbo-charge” Russian messaging online. The club’s newsletter urged subscribers to install in their Twitter accounts a third-party app called Tweetsquad that would retweet Kremlin messaging on the social media platform.

Perkon was praised by the Russian Embassy in London for his efforts: During the contentious Brexit vote that ultimately led to the United Kingdom leaving the European Union, the Russian embassy in London used this spam tweeting tool to auto-retweet the Russian ambassador’s posts from supporters’ accounts.

Neither Mr. Perkon nor Mr. Pokatilo replied to requests for comment.

A review of corporations tied to Mr. Perkon as indexed by the business research service North Data finds he holds or held director positions in several U.K. subsidiaries of Synergy, Russia’s largest private education provider. Synergy has more than 35,000 students, and sells T-shirts with patriotic slogans such as “Crimea is Ours” and “The Russian Empire — Reloaded.”

The president of Synergy is Vadim Lobov, a Kremlin insider whose headquarters on the outskirts of Moscow reportedly features a wall-sized portrait of Russian President Vladimir Putin in the pop-art style of Andy Warhol. For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

Synergy President Vadim Lobov and Filip Perkon, speaking at a press conference for Russian Film Week, a cross-cultural event in the U.K. co-produced by both men.

Mr. Lobov was one of 11 individuals reportedly hand-picked by the convicted Russian spy Marina Butina to attend the 2017 National Prayer Breakfast held in Washington D.C. just two weeks after President Trump’s first inauguration.

While Synergy University promotes itself as Russia’s largest private educational institution, hundreds of international students tell a different story. Online reviews from students paint a picture of unkept promises: Prospective students from Nigeria, Kenya, Ghana, and other nations paying thousands in advance fees for promised study visas to Russia, only to have their applications denied with no refunds offered.

“My experience with Synergy University has been nothing short of heartbreaking,” reads one such account. “When I first discovered the school, their representative was extremely responsive and eager to assist. He communicated frequently and made me believe I was in safe hands. However, after paying my hard-earned tuition fees, my visa was denied. It’s been over 9 months since that denial, and despite their promises, I have received no refund whatsoever. My messages are now ignored, and the same representative who once replied instantly no longer responds at all. Synergy University, how can an institution in Europe feel comfortable exploiting the hopes of Africans who trust you with their life savings? This is not just unethical — it’s predatory.”

This pattern repeats across reviews by multilingual students from Pakistan, Nepal, India, and various African nations — all describing the same scheme: Attractive online marketing, promises of easy visa approval, upfront payment requirements, and then silence after visa denials.

Reddit discussions in r/Moscow and r/AskARussian are filled with warnings. “It’s a scam, a diploma mill,” writes one user. “They literally sell exams. There was an investigation on Rossiya-1 television showing students paying to pass tests.”

The Nerdify website’s “About Us” page says the company was co-founded by Pokatilo and an American named Brian Mellor. The latter identity seems to have been fabricated, or at least there is no evidence that a person with this name ever worked at Nerdify.

Rather, it appears that the SMS assistance company co-founded by Messrs. Pokatilo and Perkon (Awesome Technologies) fizzled out shortly after its creation, and that Nerdify soon adopted the process of accepting assignment requests via text message and routing them to freelance writers.

A closer look at an early “About Us” page for Nerdify in The Wayback Machine suggests that Mr. Perkon was the real co-founder of the company: The photo at the top of the page shows four people wearing Nerdify T-shirts seated around a table on a rooftop deck in San Francisco, and the man facing the camera is Perkon.

Filip Perkon, top right, is pictured wearing a Nerdify T-shirt in an archived copy of the company’s About Us page. Image: archive.org.

Where are they now? Pokatilo is currently running a startup called Litero.Ai, which appears to be an AI-based essay writing service. In July 2025, Mr. Pokatilo received pre-seed funding of $800,000 for Litero from an investment program backed by the venture capital firms AltaIR Capital, Yellow Rocks, Smart Partnership Capital, and I2BF Global Ventures.

Meanwhile, Filip Perkon is busy setting up toy rubber duck stores in Miami and in at least three locations in the United Kingdom. These “Duck World” shops market themselves as “the world’s largest duck store.”

This past week, Mr. Lobov was in India with Putin’s entourage on a charm tour with India’s Prime Minister Narendra Modi. Although Synergy is billed as an educational institution, a review of the company’s sprawling corporate footprint (via DNS) shows it also is assisting the Russian government in its war against Ukraine.

Synergy University President Vadim Lobov (right) pictured this week in India next to Natalia Popova, a Russian TV presenter known for her close ties to Putin’s family, particularly Putin’s daughter, who works with Popova at the education and culture-focused Innopraktika Foundation.

The website bpla.synergy[.]bot, for instance, says the company is involved in developing combat drones to aid Russian forces and to evade international sanctions on the supply and re-export of high-tech products.

A screenshot from the website of synergy[.]bot shows the company is actively engaged in building armed drones for the war in Ukraine.

KrebsOnSecurity would like to thank the anonymous researcher NatInfoSec for their assistance in this investigation.

Krebs on Security – Read More

Chinese State Hackers Use New BRICKSTORM Malware Against VMware Systems

CISA, NSA, and Canadian Cyber Centre warn that PRC state-sponsored hackers are using BRICKSTORM, a stealthy Go-based backdoor, for long-term espionage in Government and IT networks.

Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More – Read More

Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an

The Hacker News – Read More

Your smart home is at risk – 6 ways to protect your devices from attack

The fewer entry points you leave open, the more secure your smart home will be.

Latest news – Read More