What You Need 2 Know

  • Banned In Russia

    On June 22, 2026, we got a message from Apple App Review. Not a bug report. Not a rejection over a screenshot. A notice that the government of Russia had ordered our app removed from its App Store.

    Here’s what they wrote, word for word:

    “We are writing to notify you that your application, per demand from Roskomnadzor, will be removed from the Russia App Store because it includes content that is illegal in Russia… According to Roskomnadzor, the app violates No. 7 of Article 15.1 of the Federal Law dated 27.07.2006 No. 149-FZ ‘On Information, Information Technologies and Information Protection’.”

    Translated from bureaucrat: our VPN works, and a surveillance state would rather its citizens didn’t have it.

    What actually happened

    Roskomnadzor is Russia’s federal censorship and surveillance agency. Article 15.1 № 7 is the specific provision they use to block “information about means of circumventing” the country’s internet restrictions — in plain English, the law they point at VPNs.

    Apple isn’t the villain here. They’re the messenger, legally compelled to comply with a government takedown order or lose access to the entire market. So the notice lands in our inbox, an “Unresolved issues” flag turns red in App Store Connect, and Citadel disappears from one storefront.

    Let’s be honest about why

    We’re not going to pretend Russia singled us out as uniquely uncrackable. Since 2024, Roskomnadzor has been systematically purging VPN and anti-censorship apps from the Russian App Store — dozens of them, one after another. We’re one more name on a long list.

    But here’s the thing about that list: everyone on it shares a single trait. Their tools actually protect people. Citadel encrypts your traffic, hides your network activity, and flags the threats sitting on the WiFi around you. That’s precisely the capability a regime built on watching its citizens wants gone.

    When the people whose entire job is surveillance decide your product is a problem, that’s not a setback. That’s product-market fit.

    What it means for everyone else

    Nothing changed for you. Citadel is still live in every other App Store territory. The removal applies to one country — the one country that decided privacy was against the rules.

    We build everything cybersecurity-first. That’s the GRYHAT difference, and it’s why an authoritarian censor flagged us while millions of other apps sail through untouched. We’ll wear that.

    Russia gave us a one-star takedown. We’re reading it as five stars.

  • WHERE WE’VE BEEN & SOMETHING FOR THE DADS

    A new dad gadget that isn’t a shotski — and it’s free.

  • CMMC 2.0 Is Here: What California Defense Contractors Need to Know Right Now

    If your company touches a Department of Defense contract — directly as a prime or somewhere down the supply chain as a sub — the rules just changed under your feet. The Cybersecurity Maturity Model Certification program, known as CMMC 2.0, has moved out of “proposed rule” limbo and into the contracts themselves. For California’s dense ecosystem of aerospace, hardware, software, and engineering firms serving the defense sector, this is no longer a future compliance project. It is a present-day requirement, and the assessment clock is already running.

    This guide breaks down what California defense contractors actually need to do about CMMC 2.0 right now: what changed, which level applies to you, what an assessment looks like, and how to close the gaps before they cost you an award.

    What CMMC 2.0 Actually Is (and Why It’s Different This Time)

    CMMC is the DoD’s mechanism for verifying that contractors actually protect the sensitive information they handle. For years, the standard was self-attestation: you signed a form promising you met the 110 security controls in NIST SP 800-171, and everyone moved on. The problem was obvious — a signature is not a safeguard, and adversaries were walking out the door with Controlled Unclassified Information (CUI) from contractors who had checked “compliant” without doing the work.

    CMMC 2.0 replaces the honor system with verification. It streamlines the original five-level model down to three, aligns each level to existing NIST standards, and — critically — requires third-party assessment for most companies handling CUI. The framework is now baked into the DFARS rule and is appearing as a condition of award in new solicitations. In short: no certification at the required level, no contract. This is the core of modern defense contractor cybersecurity, and it is enforceable.

    The Three Levels — and How to Know Which One Applies to You

    Your required level is driven by the type of information you handle, and it will be specified in the contract. Here is the practical breakdown of the CMMC compliance requirements by level:

    • Level 1 (Foundational): For contractors handling only Federal Contract Information (FCI). Requires the 17 basic safeguarding practices from FAR 52.204-21. Assessment is an annual self-assessment with an executive affirmation.
    • Level 2 (Advanced): For contractors handling CUI. Requires all 110 controls from NIST SP 800-171. Most companies at this level will need a third-party assessment by a certified C3PAO every three years, with annual affirmations in between.
    • Level 3 (Expert): For the highest-priority programs and the most sensitive CUI. Builds on Level 2 with a subset of NIST SP 800-172 controls and a government-led assessment.

    The mistake we see most often in California’s supply chain is firms assuming they are “just a subcontractor” and therefore exempt. They are not. Flow-down clauses push CMMC requirements to every tier that touches CUI. If a prime needs Level 2, the small machine shop or software vendor they rely on very likely needs it too.

    Why California Contractors Are in the Crosshairs

    California is one of the largest defense economies in the country — Southern California aerospace, the Bay Area’s defense-adjacent tech, San Diego’s naval and unmanned-systems cluster, and a long tail of specialized suppliers across Orange County and the Inland Empire. That density is exactly why the state’s contractors face concentrated risk. Adversaries map the supply chain and attack the softest link, which is almost never the prime — it is the under-resourced supplier with a flat network and no formal security program.

    California firms also carry extra weight: alongside federal rules, you are operating under the CPRA and a maturing set of state data-protection expectations. A well-built CMMC program does double duty here, hardening you for the DoD while strengthening your posture against the breach-notification and privacy obligations that already apply to you at home.

    What a CMMC Assessment Looks Like

    For Level 2, a cybersecurity audit against the 110 NIST 800-171 controls is the heart of it. An assessor doesn’t just want to hear that you have multi-factor authentication or encryption — they want evidence: configuration screenshots, policy documents, access logs, and proof that what you wrote down is what you actually do. Two artifacts carry enormous weight:

    • System Security Plan (SSP): the master document describing your environment, where CUI lives, and how each control is implemented. No SSP, no credible assessment.
    • Plan of Action & Milestones (POA&M): your documented roadmap for closing any gaps, with owners and dates. CMMC 2.0 allows limited POA&Ms for certain controls, but they must be closed within 180 days — they are a short bridge, not a permanent excuse.

    You’ll also be scored. The DoD uses a 110-point SPRS methodology where certain unimplemented controls subtract more than one point. Many contractors who believe they are “mostly there” are shocked to discover a negative score once an honest assessment is applied. Knowing your real number before a C3PAO walks in is the difference between a clean certification and a failed one.

    The Gaps That Sink Contractors Most Often

    Across the assessments and remediation projects our team runs, the same handful of failures repeat:

    • No defined CUI boundary. CUI is scattered across email, file shares, and personal devices with no enclave, which makes the entire environment in-scope and the assessment exponentially harder.
    • Weak or partial MFA. Multi-factor on email but not on the VPN, remote admin, or cloud consoles is a guaranteed finding.
    • Unmanaged endpoints and mobile devices. Laptops and phones that touch CUI without enforced encryption, logging, and remote-wipe capability. Mobile is a particular blind spot — a single unmanaged phone can undo an otherwise solid program. (For locking down the mobile layer specifically, see how Citadel handles mobile and Wi-Fi security.)
    • Missing logging and monitoring. You can’t prove control effectiveness — or detect an incident — without centralized logs you actually review.
    • Policies that don’t match reality. Templated documents pulled off the internet that describe a company you aren’t. Assessors spot this immediately.

    What to Do Right Now

    The contractors who win in this environment are the ones who treated CMMC as a head start instead of a fire drill. Here’s the sequence we recommend:

    1. Confirm your required level by reviewing current and upcoming contracts and the flow-down clauses from your primes.
    2. Scope your CUI. Identify exactly where it lives and draw a defensible boundary around it to shrink your assessment footprint.
    3. Run an honest gap assessment against all 110 controls and calculate your real SPRS score — no grade inflation.
    4. Build the SSP and POA&M as living documents, then remediate the high-impact gaps first.
    5. Operationalize, then certify. Live in the controls for a few months so your evidence is genuine before a C3PAO arrives.

    This is exactly the work our GRYHAT cybersecurity and compliance services are built for — virtual CISO leadership, gap assessments, remediation, and SSP/POA&M development tailored to defense contractors. We translate the framework into a concrete plan and stay in the trenches until you’re certifiable, not just hopeful.

    Don’t Wait for the Solicitation to Force Your Hand

    CMMC 2.0 is not a paperwork exercise you can knock out the week before a bid is due. A Level 2 program typically takes months to stand up and mature. The contractors who start now will have certification as a competitive advantage; the ones who wait will watch awards go to better-prepared rivals — or lose existing work when their primes demand proof they can’t yet provide.

    If you’re a California defense contractor and you’re not certain where you stand, the smartest first move is also the cheapest: find out. Schedule a free initial cybersecurity audit with GRYHAT, and we’ll give you a clear, honest read on your current posture, your real SPRS score, and the fastest defensible path to the CMMC level your contracts require — before it shows up as a condition of award.

  • 48 Vulnerabilities in Two Weeks: What a Real Security Audit Actually Finds

    You opened a business in California. Respect. You dealt with the permits, the taxes, the lease, the payroll, the insurance. You did the hard part most people never do.

    Here’s the part nobody warned you about: the moment you put a sign on the door and a form on your website, you became a target. Not because anyone has a grudge. Because attackers don’t aim — they sweep. They scan thousands of small businesses a day looking for the one with the door left unlocked. Most of the time, it’s a small business. Most of the time, the owner had no idea the door was even there.

    “We’re too small to be a target” is the most expensive sentence in business

    I hear it every week. It’s wrong, and it’s wrong in a specific way. You’re not too small to be a target — you’re exactly the right size. Big companies have security teams. You have a guy who “does the computers.” Attackers know that. Small businesses are the path of least resistance, and automated attacks don’t care how many employees you have.

    A Southern California contractor we worked with believed the same thing. Good business, busy crew, clean books. They asked us to take a look — not because anything was wrong, but because a client of theirs had been breached and it scared them.

    In under two weeks we found and remediated 48 vulnerabilities. Not theoretical ones. Real, exploitable holes: exposed remote-access ports, default passwords still in place on networked hardware, an old employee account that still had the keys to everything, file shares wide open to the internet. None of it was visible from the front office. All of it was visible to anyone scanning.

    What an audit actually looks at

    People think a security audit is a guy in a hoodie typing fast. It isn’t. It’s boring, and boring is the point. Here’s what we actually check:

    • Your perimeter — what’s reachable from the open internet right now. Ports, services, login pages you forgot existed.
    • Your accounts — who has access, who left two years ago and still does, and whether anyone’s reusing the password from their personal email.
    • Your devices — the router the ISP installed, the printer nobody updates, the camera system with the default admin login.
    • Your data — where your customer information lives, who can touch it, and what happens if a laptop gets stolen from a truck.

    Four areas. That’s where almost every breach of a small business starts. Not exotic hacking — basic doors left open.

    CMMC is coming, and “we’ll deal with it later” is not a plan

    If you do any work that touches the Department of Defense — even as a subcontractor three layers down — CMMC compliance is no longer optional, and the clock is real. I won’t bury you in acronyms. The short version: if you handle controlled information for a federal contract, you will have to prove your security meets a standard, on a deadline, or you lose the ability to bid.

    The businesses that wait until a prime contractor demands their certification are the ones that pay triple and scramble. The ones that start now treat it like any other part of running a real company.

    Related: CMMC readiness for OC contractors

    What to do this week — even if you never call us

    1. Change the default password on your router, your cameras, and anything else with a login. Do it today.
    2. Turn on multi-factor authentication for email and anything with customer data. This one step stops the majority of account takeovers.
    3. Delete old accounts. Every former employee who can still log in is a door you forgot to lock.
    4. Find out what’s exposed. You can’t protect what you can’t see.

    That last one is where most people get stuck, because you can’t scan your own perimeter from the inside. That’s the part we do for free as a first look. No pitch, no pressure — we tell you what’s open, and you decide what to do about it.

    You did the hard part already. You built the business. Let’s make sure you keep it.

    Want the free first look? We run a no-cost perimeter scan for Orange County businesses and DoD contractors — you’ll get a plain-English report of exactly what’s exposed. Request your free scan · gryhat.com

  • You Opened a Business in California. Here’s What Changed About Cybersecurity in 2026.

    The hardest state in the union to run a business just added mandatory cybersecurity requirements.

    One breach. $7,500 per record. No cap.

    Here’s what every Orange County business owner needs to know — and what to do about it before it’s too late.

    California now mandates cybersecurity audits for businesses handling personal data. The average small business breach costs $150,000–$300,000, and 60% of small businesses that suffer a breach close within 6 months.

    GRYHAT Cybersecurity LLC is Orange County’s vCISO firm for small and mid-size businesses. We don’t sell you enterprise tools you don’t need. We assess your actual risk, close the actual gaps, and make sure you’re covered.

    Free initial consultation — no obligation.

    Call (714) 794-2803 or visit www.gryhat.com

  • We Built Billion-Dollar AI That Can’t Remember Yesterday

    Trillion-dollar infrastructure. The smartest systems ever built. And every time you open a new chat — it’s like meeting a stranger. Here’s why. And here’s how to fix it today.

    Last week I wrote about lying to your AI — how feeding bad information into these systems, or letting wrong answers slide uncorrected, compounds into something worse than a single mistake. A lot of you responded. Most said some version of the same thing: *I didn’t realize I was doing that.*

    This week I want to go one level deeper. Because before we can talk about the quality of what goes into these systems, we need to talk about the fact that most of what goes in — doesn’t stay.

    All these trillion-dollar data centers. Servers the size of city blocks. The smartest computers ever built by human hands.

    And yet — every single time you open a new chat, it’s like meeting a stranger.

    We solved self-driving cars. We beat world champions at chess. We can generate a photo of anything you can imagine in four seconds flat.

    But memory? Still working on it.

    This isn’t a cynical take. I use these tools every single day and I believe in them. But part of believing in something is being honest about what it can’t do yet. And right now, AI can’t remember you. Not between sessions. Not without help.

    Here’s why — and more importantly, here’s how to work around it today.

    The whiteboard problem

    Every AI conversation you have happens inside what’s called a context window. Think of it as a whiteboard.

    The whiteboard is extraordinary. Within a session, it tracks everything — what you’ve said, what you’ve established, the corrections you’ve made, the context you’ve built. It can hold tens of thousands of words and work with all of it simultaneously.

    But the second the session ends, someone erases it.

    The next time you open a conversation, the AI has no idea who you are. It doesn’t remember your business. It doesn’t remember the three hours you spent last Tuesday getting it calibrated exactly right. It doesn’t remember the correction you gave it, the way you like things structured, or the client context you carefully walked it through.

    It wakes up a stranger. Every time.

    This is not a bug they forgot to fix. It’s not a feature coming in the next update. It’s an architectural reality of how these systems are built right now. The context window is not persistent memory. It never was.

    So if you’ve ever felt like you’re going in circles with your AI — re-explaining the same things, getting inconsistent outputs, watching it drift away from the voice or style you spent time building — now you know why. And here’s the important part: it’s not the AI being difficult. It genuinely doesn’t know. You haven’t told it yet. This session.

    Push back when it happens

    Before we get to the fix, there’s something worth knowing about what to do in the moment.

    If a conversation starts feeling repetitive — if the answers stop making sense, if you keep explaining the same thing and the AI keeps getting it wrong — don’t just keep prompting and hoping it self-corrects. It won’t. The context window is getting crowded and earlier instructions are getting pushed out. The AI doesn’t know it’s lost. It will confidently spin in the same direction until you redirect it.

    The fix is simple but it takes nerve: call it out. Say “we’re going in circles — let me restate what I need.” Or start a fresh session with a clear briefing.

    This is still the honesty principle from last week — just the other direction. Don’t lie to your AI. And don’t let your AI keep lying to you by going along with a broken thread just because you haven’t called it out.

    The practical fix: how to give your AI memory today

    Here’s what every serious team running AI agents has figured out — and what most businesses using AI casually haven’t discovered yet.

    You build a briefing file.

    It’s exactly what it sounds like. A plain text document that tells your AI everything it needs to know before the session starts. You load it at the beginning of every conversation and your AI picks up exactly where you left off — every time.

    It takes about ten minutes to build the first version. It will save you hours.

    What to put in your briefing file:

    *Your business context*

    Who you are, what you do, who your customers are, what problems you solve. Two or three paragraphs. Plain language. Don’t over-engineer it — write it the way you’d explain your business to a smart friend who’s never heard of you.

    *Your voice and tone*

    How you communicate. Formal or casual? Technical or plain English? Are there phrases you use all the time? Words you hate? Things you never say? Write them down. Your AI will use them.

    *Current priorities*

    What are you working on right now? What projects are active? What decisions are you trying to make? This is the part that changes week to week — update it when things shift.

    *Rules and guardrails*

    Things the AI should always do. Things it should never do. Clients it knows about. People it works with. Anything that would take time to re-explain if the AI forgot it.

    *How to use it*

    Open a new chat. Paste your briefing file. Say: “Read this before we do anything else. This is your context for our session.” Then work normally.

    That’s it. Your AI now knows who you are, what you’re doing, and how you operate — for this session. Tomorrow, load it again. Same result.

    Why context is the new skill nobody’s teaching

    Here’s the thing most people miss. The AI tools are getting more powerful every month. Models are getting smarter. Features are being added. But the teams getting the most out of AI right now aren’t the ones with access to the best models.

    They’re the ones who’ve figured out how to give those models context.

    Context is the new skill. And almost nobody is teaching it.

    When you load a briefing file, you’re not just saving time — you’re fundamentally changing the quality of what the AI can do for you. A well-briefed AI isn’t just faster. It’s more accurate, more consistent, more useful, and less likely to drift into outputs that sound right but miss the point.

    The people who get this first — who build their briefing systems now, who treat AI context as a skill worth developing — are going to have a compounding advantage over everyone else who’s still re-explaining themselves every single session.

    That’s not hype. It’s just arithmetic. Better inputs, better outputs, every time.

    Where this is all going

    The memory problem is being worked on. Native persistent memory is coming — some models already have early versions of it. The tools for long-term agent memory are improving faster than most people realize.

    But we’re not there yet. Right now we’re in what I’ve started calling the duct tape era — a moment where the intelligence is extraordinary and the infrastructure around it is still catching up.

    The briefing file is duct tape. Good duct tape. Duct tape that works. But it’s a workaround, not a solution.

    Build it anyway. Use it now. And stay ready to migrate to something better when it arrives — because it’s coming.

    Next week: what it actually costs to run AI agents in a real business. Not token costs. The half-days rebuilding what should have been saved. The drift nobody warns you about. The architecture work that doesn’t show up in any vendor’s sales deck.

    Until then —

    **Andy V**

    Founder, GRYHAT Cybersecurity / YouFeelingLucky.com

    *Andy Vaca is a 27-year information systems veteran, vCISO, and founder of GRYHAT Cybersecurity LLC and YouFeelingLucky.com. Based in Orange County, California. He runs Friday night AI education sessions open to the public under the “Andy the AI Guy” brand.*

    *Questions, pushback, or stories from the trenches: eva@gryhat.com*

  • I tried to cancel. My AI wouldn’t let me. (Also: free class Friday 🤖)

    So last Friday I showed up to teach a 2-hour AI class.

    My AI had other plans.

    Four hours later — four — people were STILL asking questions. I tried to wrap it up twice. The room wouldn’t let me. At some point I just accepted my fate and kept going.

    Here’s what we covered before I lost all control of the situation:

    🔥 The SonicWall demo — dropped a raw firewall log into AI, got back a board-ready security report in 60 seconds. The room went from polite to wide-eyed real fast.

    📊 The BI dashboard breakdown — showed how AI can take your business data and turn it into something you can actually make decisions with. People went home with homework. Voluntarily.

    🤷 The honest talk about what AI CAN’T do — this was apparently the most surprising part. Turns out people are starving for someone to just tell them the truth.

    This Friday — Week 2. And somehow it’s already getting weirder.

    Two weeks in and people are already volunteering to TEACH. I did not plan for this. I love it.

    This Friday we’ve got a special guest teacher — an AI 3D animator — who is going to show us things that will make your brain do a little somersault. Real tools. Real workflow. Real “wait, AI can do THAT?!” energy.

    Oh, and we’re also announcing the launch of YouFeelingLucky.com and ReferralGenius Tier 1 is officially ready. So yeah. Big Friday.

    🔒 Private session. No public link.

    This room runs on trust. You gotta sign up to get in.

    📅 Friday, April 11 · 8:00 PM – Midnight (or until the wheels fall off)

    → Grab your spot and get the link here: https://40rawh.share-na2.hsforms.com/24qdxnehfSk2rUJAkuJIrSQ

    We’ll send you everything you need once you’re in.

    Bring a friend. Bring snacks. Leave your preconceived notions at the door.

    Andy Vaca | Andy the AI Guy | Founder, GRYHAT Cybersecurity / You Feeling Lucky? | +1 (714) 794-2803

    P.S. — Read the full recap of Week 1 and what’s coming Friday at gryhat.com/need2know

  • STOP LYING TO YOUR AI – IT’S NOT HALLUCINATING

    Everyone’s worried about AI getting things wrong.

    Nobody’s talking about the human on the other side of the keyboard.

    First, let’s fix the language. When AI produces a wrong answer, the media calls it a “hallucination.” That word is doing a lot of work to protect a lot of people. It implies the AI made something up from nothing — random, accidental, a glitch.

    That’s not what’s actually happening.

    What’s happening is confluence. The AI is pulling from multiple streams of real information, mixing them together, and producing an output that sounds completely grounded — because it is grounded, just in the wrong combination of things. It’s not random noise. It’s misattributed signal. And misattributed signal is far more dangerous than a hallucination because it passes the smell test.

    My own AI recently wrote an article about AI memory failures. Then it got my name wrong in my own bio. It didn’t invent a name. It pulled a real name from real context in our history and attached it to the wrong person. Confident. Plausible. Wrong. That’s confluence, not hallucination.

    Now here’s the part nobody wants to hear.

    When you lie to your AI — or give it bad information, or steer it with a wrong premise, or confirm an output you know isn’t right because you’re in a hurry — you are deliberately adding contaminated streams to that confluence pool.

    You’re not just making a mistake. You’re poisoning the well on purpose.

    Here’s what people actually do every day: they feed their AI wrong context to get the answer they already wanted. They don’t correct it when it gets something wrong because fixing it feels like more work. They confirm bad output to avoid the friction of pushing back. They give lazy answers just to move the conversation along.

    And then they blame the AI when things drift.

    Your AI isn’t going to call you out. It doesn’t have ego. It takes what you give it and builds on top of it — intelligently, confidently, wrong. Feed it a bad foundation and it will construct something impressive on top of it.

    You built that. Not the AI.

    The relationship only works when both sides are honest. That’s not a technical principle. That’s just integrity. And the people who are going to get the most out of these tools aren’t the ones most impressed by them — they’re the ones most honest with them.

    Hold it to a standard. Hold yourself to the same one. You’ll get a better result.

    Andy Vaca | Founder, GRYHAT Cybersecurity / You Feeling Lucky?
    vCISO | AI Practitioner | 27 years in the security trenches