On May 28, Celerium hosted a webinar featuring cybersecurity and CMMC experts Vince Crisler, Chief Strategy Officer; James Goepel, Executive VP & General Counsel, Peak InfoSec; and Ali Pabrai, CEO of ECFirst, to discuss one of the most urgent topics facing the Defense Industrial Base (DIB): preparing for CMMC Phase 2.
The discussion focused on what contractors should be doing now, common mistakes organizations make during preparation, and how companies can position themselves to remain competitive as certification requirements begin appearing in contracts.
One of the clearest messages from the webinar was simple:
Do not wait.
Both James Goepel and Ali Pabrai emphasized that organizations beginning their CMMC journey today are already behind many of their competitors.
While the official rollout of CMMC requirements continues, prime contractors are not waiting. Many organizations are already receiving notices from primes requiring proof of compliance readiness.
According to the experts, reputable C3PAOs are rapidly filling assessment calendars for late 2026 and early 2027. Companies waiting until the last minute may discover that qualified assessors are unavailable when certification becomes business-critical.
Many organizations still view CMMC certification as a project with a finish line.
That mindset can create significant problems.
As James Goepel explained during the discussion, CMMC certification is the start, not the end.
Certification must be maintained continuously. Organizations will be required to perform annual affirmations and demonstrate that security controls remain operational throughout the certification lifecycle.
Companies that approach CMMC as a one-time compliance exercise often struggle during assessments because they focus on documentation rather than operational security.
One recurring theme throughout the discussion was the importance of proper scoping.
Ali Pabrai highlighted that many assessment failures begin with poorly defined boundaries. Organizations frequently struggle to answer:
Without clear answers, building an accurate System Security Plan (SSP) becomes nearly impossible.
A well-written SSP acts as the central source of truth for the entire CMMC program and should connect directly to all supporting evidence and documentation.
The panel identified several recurring issues they encounter during assessments.
Many SSPs are written only at the NIST 800-171 control level rather than the assessment objective level required for CMMC assessments.
Organizations frequently fail to properly classify and document:
Policies alone are not enough.
Assessors must see evidence that controls are actually operating as described. Organizations often have documentation but lack proof of execution.
Many contractors still do not fully understand:
Reducing unnecessary CUI can dramatically simplify compliance efforts.
The panel pushed back on marketing claims suggesting organizations can become fully compliant in only a few weeks.
Ali Pabrai noted that most organizations should expect:
Organizations that attempt to shortcut the process often discover readiness gaps during assessment.
Artificial intelligence is already beginning to influence compliance discussions.
While current CMMC requirements do not specifically address AI, organizations must understand whether AI-enabled tools interact with CUI.
Particular attention should be paid to:
As AI capabilities continue to expand, contractors should evaluate whether those tools introduce new compliance considerations.
The panel closed with remarkably consistent guidance:
For organizations that depend on Department of Defense business, CMMC is no longer a future requirement. It is becoming a competitive differentiator today.
The organizations that begin preparing now will have significantly more options, lower risk, and greater flexibility than those who wait.
One of the recurring themes throughout the discussion was that time is becoming a critical factor for organizations pursuing CMMC Level 2 certification.
While the panel spent significant time discussing readiness, scoping, documentation, and assessment preparation, there is another practical challenge many contractors face: implementing technical controls and generating the evidence needed to demonstrate compliance.
To address that challenge, Celerium introduced its DIB CyberDome™ platform and the first solution within that platform, Cyber Interceptor™.
Built on technology that has supported Department of Defense and Defense Industrial Base cybersecurity initiatives for years, Cyber Interceptor focuses on two CMMC Level 2 controls that organizations frequently identify as difficult to implement, monitor, and prove:
Rather than requiring new hardware, software appliances, or endpoint agents, Cyber Interceptor integrates with existing firewall infrastructure and begins collecting network telemetry immediately. The platform analyzes Layer 3 network traffic data, applies commercial and open-source threat intelligence, and generates automated reporting designed to support assessment readiness.
Deployment typically takes about 45 minutes.
Once connected, Cyber Interceptor begins continuously monitoring boundary traffic and evaluating activity against threat intelligence sources. Organizations immediately gain visibility into potentially malicious communications while beginning the evidence collection process required for future assessments.
For organizations choosing to enable automated protection, the platform can also work with existing firewalls to dynamically block identified threats without requiring additional infrastructure investments.
Within the first 24 hours, organizations begin receiving reports that demonstrate both monitoring and protection activities.
Threat detection reports, blocked traffic records, and documented review activities create an auditable record of operational security activity. Rather than manually assembling screenshots and logs before an assessment, evidence generation becomes part of day-to-day operations.
After a month of operation, organizations have accumulated a meaningful body of evidence demonstrating continuous monitoring, boundary protection, threat detection, and documented oversight activities.
For many small and mid-sized defense contractors with limited cybersecurity staff, this can significantly reduce the effort required to prepare for an assessment while simultaneously improving security visibility across their environment.
One point repeated throughout the webinar was that evidence cannot be created retroactively.
Assessors want to see that controls have been operating consistently over time. Waiting until the last minute means organizations may find themselves with insufficient operational history when assessment time arrives.
The sooner organizations begin implementing and documenting controls, the sooner they begin building the evidence needed to support certification.
As CMMC requirements continue expanding across the Defense Industrial Base, contractors that start now will be in a significantly stronger position than those who wait until contracts force the issue.
Before we wrap up, one final takeaway from this webinar deserves repeating:
Time matters.
Organizations that begin preparing now will have more flexibility, more assessment options, and more time to build the operational evidence required for successful certification.
That reality was echoed throughout the discussion by both James Goepel and Ali Pabrai. Whether the topic was assessment scheduling, scoping, documentation, or readiness, the message remained consistent: waiting creates risk.
For organizations looking to accelerate their readiness efforts, Celerium’s DIB CyberDome™ platform and Cyber Interceptor™ solution were designed to help simplify implementation, continuous monitoring, and evidence collection for critical CMMC Level 2 controls.
The goal is straightforward: help contractors strengthen their security posture while reducing the operational burden associated with compliance preparation.
Connect with our team to get started with your free 90-day assessment, or visit celerium.com/solutions/dib-cyberdome to learn more.
Thank you again for joining us for this webinar, which is also available to watch on-demand.