CMMC Phase 2 Is Arriving Faster Than Most Contractors Realize

   

On May 28, Celerium hosted a webinar featuring cybersecurity and CMMC experts Vince Crisler, Chief Strategy Officer; James Goepel, Executive VP & General Counsel, Peak InfoSec; and Ali Pabrai, CEO of ECFirst, to discuss one of the most urgent topics facing the Defense Industrial Base (DIB): preparing for CMMC Phase 2.

The discussion focused on what contractors should be doing now, common mistakes organizations make during preparation, and how companies can position themselves to remain competitive as certification requirements begin appearing in contracts.

 

The Clock Is Ticking

One of the clearest messages from the webinar was simple:

Do not wait.

Both James Goepel and Ali Pabrai emphasized that organizations beginning their CMMC journey today are already behind many of their competitors.

While the official rollout of CMMC requirements continues, prime contractors are not waiting. Many organizations are already receiving notices from primes requiring proof of compliance readiness.

According to the experts, reputable C3PAOs are rapidly filling assessment calendars for late 2026 and early 2027. Companies waiting until the last minute may discover that qualified assessors are unavailable when certification becomes business-critical.

 

The Biggest Misconception About CMMC

Many organizations still view CMMC certification as a project with a finish line.

That mindset can create significant problems.

As James Goepel explained during the discussion, CMMC certification is the start, not the end.

Certification must be maintained continuously. Organizations will be required to perform annual affirmations and demonstrate that security controls remain operational throughout the certification lifecycle.

Companies that approach CMMC as a one-time compliance exercise often struggle during assessments because they focus on documentation rather than operational security.

 

Why Scoping Matters More Than Most Organizations Realize

One recurring theme throughout the discussion was the importance of proper scoping.

Ali Pabrai highlighted that many assessment failures begin with poorly defined boundaries. Organizations frequently struggle to answer:

  • Where is Controlled Unclassified Information (CUI)?
  • Where does it move?
  • Which systems touch it?
  • Which assets are actually in scope?
  • Which assets are out of scope?

Without clear answers, building an accurate System Security Plan (SSP) becomes nearly impossible.

A well-written SSP acts as the central source of truth for the entire CMMC program and should connect directly to all supporting evidence and documentation.

 

Common Readiness Gaps

The panel identified several recurring issues they encounter during assessments.

 

Weak System Security Plans

Many SSPs are written only at the NIST 800-171 control level rather than the assessment objective level required for CMMC assessments.


Poor Asset Management

Organizations frequently fail to properly classify and document:

  • CUI assets
  • Security Protection Assets
  • Specialized assets
  • Out-of-scope systems

 

Incomplete Evidence

Policies alone are not enough.

Assessors must see evidence that controls are actually operating as described. Organizations often have documentation but lack proof of execution.

 

Inadequate Understanding of CUI

Many contractors still do not fully understand:

  • What CUI they receive
  • Why they receive it
  • Whether they actually need all of it

Reducing unnecessary CUI can dramatically simplify compliance efforts.

 

How Long Does Certification Really Take?

The panel pushed back on marketing claims suggesting organizations can become fully compliant in only a few weeks.

Ali Pabrai noted that most organizations should expect:

  • Approximately six months of preparation
  • Several weeks of assessment activity
  • Additional time for remediation and evidence gathering

Organizations that attempt to shortcut the process often discover readiness gaps during assessment.

 

What About CMMC and AI?

Artificial intelligence is already beginning to influence compliance discussions.

While current CMMC requirements do not specifically address AI, organizations must understand whether AI-enabled tools interact with CUI.

Particular attention should be paid to:

  • Security platforms using AI analysis
  • Cloud services with embedded AI functionality
  • Data handling practices involving CUI

As AI capabilities continue to expand, contractors should evaluate whether those tools introduce new compliance considerations.

 

Final Advice from the Experts

The panel closed with remarkably consistent guidance:

  1. Start immediately.
  2. Build internal CMMC knowledge.
  3. Understand your CUI and data flows.
  4. Establish realistic budgets and timelines.
  5. Engage qualified experts early.
  6. Schedule assessments before calendars fill up.
  7. Treat CMMC as an ongoing security program, not a one-time certification effort.

For organizations that depend on Department of Defense business, CMMC is no longer a future requirement. It is becoming a competitive differentiator today.

The organizations that begin preparing now will have significantly more options, lower risk, and greater flexibility than those who wait.

 

Turning CMMC Requirements into Operational Reality

One of the recurring themes throughout the discussion was that time is becoming a critical factor for organizations pursuing CMMC Level 2 certification.

While the panel spent significant time discussing readiness, scoping, documentation, and assessment preparation, there is another practical challenge many contractors face: implementing technical controls and generating the evidence needed to demonstrate compliance.

To address that challenge, Celerium introduced its DIB CyberDome™ platform and the first solution within that platform, Cyber Interceptor™.

Built on technology that has supported Department of Defense and Defense Industrial Base cybersecurity initiatives for years, Cyber Interceptor focuses on two CMMC Level 2 controls that organizations frequently identify as difficult to implement, monitor, and prove:

  • 3.13.1 – Boundary Protection
  • 3.14.6 – Continuous Boundary Monitoring

Rather than requiring new hardware, software appliances, or endpoint agents, Cyber Interceptor integrates with existing firewall infrastructure and begins collecting network telemetry immediately. The platform analyzes Layer 3 network traffic data, applies commercial and open-source threat intelligence, and generates automated reporting designed to support assessment readiness.

Day 1: Monitoring and Protection Begin

Deployment typically takes about 45 minutes.

Once connected, Cyber Interceptor begins continuously monitoring boundary traffic and evaluating activity against threat intelligence sources. Organizations immediately gain visibility into potentially malicious communications while beginning the evidence collection process required for future assessments.

For organizations choosing to enable automated protection, the platform can also work with existing firewalls to dynamically block identified threats without requiring additional infrastructure investments.

Day 2: Evidence Starts Building

Within the first 24 hours, organizations begin receiving reports that demonstrate both monitoring and protection activities.

Threat detection reports, blocked traffic records, and documented review activities create an auditable record of operational security activity. Rather than manually assembling screenshots and logs before an assessment, evidence generation becomes part of day-to-day operations.
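The evidence loop described above (boundary flows checked against threat intelligence, blocked and allowed hits recorded, a review documented) as an added illustration that is not Celerium's or Cyber Interceptor's code; the flow-record format, the indicator values (RFC 5737 documentation ranges) and the reviewer field are all constructed for this example.

```python
# Added example, not Celerium's or Cyber Interceptor's code: matches constructed
# Layer 3 flow records against a constructed indicator list and produces a dated
# evidence summary of the kind the text describes for 3.13.1 / 3.14.6.
import ipaddress

# Constructed indicators (RFC 5737 documentation ranges, not real IoCs).
INDICATORS = {"198.51.100.23", "203.0.113.0/24"}

# Constructed firewall flow export: one allowed egress to an indicator,
# one denied ingress from an indicator range, two benign flows.
FLOWS = [
    {"ts": "2026-03-01T08:00:05Z", "src": "10.0.0.15", "dst": "198.51.100.23",
     "proto": "tcp", "dport": 443, "action": "allow"},
    {"ts": "2026-03-01T08:02:11Z", "src": "203.0.113.77", "dst": "10.0.0.5",
     "proto": "tcp", "dport": 22, "action": "deny"},
    {"ts": "2026-03-01T08:03:40Z", "src": "10.0.0.15", "dst": "192.0.2.10",
     "proto": "udp", "dport": 53, "action": "allow"},
    {"ts": "2026-03-01T08:05:02Z", "src": "10.0.0.22", "dst": "192.0.2.44",
     "proto": "tcp", "dport": 443, "action": "allow"},
]

def compile_indicators(indicators):
    # Accept bare addresses or CIDR blocks; a bare address becomes a /32.
    return [ipaddress.ip_network(i, strict=False) for i in indicators]

def match_flow(flow, nets):
    # Return the indicator that covers either endpoint, or None.
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for net in nets:
        if src in net or dst in net:
            return str(net)
    return None

def build_evidence(flows, indicators, generated_at):
    # Evidence record: flows reviewed, matches, blocks, and the allowed
    # matches that still need human review.
    nets = compile_indicators(indicators)
    hits = [{**f, "indicator": m} for f in flows if (m := match_flow(f, nets))]
    return {
        "generated_at": generated_at,
        "flows_reviewed": len(flows),
        "indicator_hits": len(hits),
        "blocked": sum(1 for h in hits if h["action"] == "deny"),
        "allowed_hits": [h for h in hits if h["action"] == "allow"],
        "hits": hits,
    }

def record_review(evidence, reviewer, note):
    # Attach the documented review activity the text mentions; returns a new dict.
    return {**evidence, "reviewed_by": reviewer, "review_note": note}
```

Running `build_evidence` on each day's export and appending the reviewer's note gives a dated record rather than a screenshot assembled before the assessment.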

Day 30: Auditor-Ready Documentation

After a month of operation, organizations have accumulated a meaningful body of evidence demonstrating continuous monitoring, boundary protection, threat detection, and documented oversight activities.

For many small and mid-sized defense contractors with limited cybersecurity staff, this can significantly reduce the effort required to prepare for an assessment while simultaneously improving security visibility across their environment.

 

Why Starting Early Matters

One point repeated throughout the webinar was that evidence cannot be created retroactively.

Assessors want to see that controls have been operating consistently over time. Waiting until the last minute means organizations may find themselves with insufficient operational history when assessment time arrives.

The sooner organizations begin implementing and documenting controls, the sooner they begin building the evidence needed to support certification.

As CMMC requirements continue expanding across the Defense Industrial Base, contractors that start now will be in a significantly stronger position than those who wait until contracts force the issue.

 

Continue the Conversation

Before we wrap up, one final takeaway from this webinar deserves repeating:

Time matters.

Organizations that begin preparing now will have more flexibility, more assessment options, and more time to build the operational evidence required for successful certification.

That reality was echoed throughout the discussion by both James Goepel and Ali Pabrai. Whether the topic was assessment scheduling, scoping, documentation, or readiness, the message remained consistent: waiting creates risk.

For organizations looking to accelerate their readiness efforts, Celerium’s DIB CyberDome™ platform and Cyber Interceptor™ solution were designed to help simplify implementation, continuous monitoring, and evidence collection for critical CMMC Level 2 controls.

The goal is straightforward: help contractors strengthen their security posture while reducing the operational burden associated with compliance preparation.

Connect with our team to get started with your free 90-day assessment, or visit celerium.com/solutions/dib-cyberdome to learn more.

Thank you again for joining us for this webinar, and if you would like to watch it on-demand, click here.