CMMC 2.0 Webinar Q&A Recap: Your Compliance Questions, Answered

A Q&A Summary and Key Takeaways

BY SPIRION
March 24, 2025

The Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule (32 CFR Part 170) is final and took effect in December 2024. It requires organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the Department of Defense (DoD) to meet defined cybersecurity requirements and to demonstrate that they do. With the rule in place, non-compliance means the risk of contract loss, legal action under the False Claims Act (FCA), and closer scrutiny from assessors and auditors. 

During our recent webinar, The Truth About CMMC: Compliance, Risks, and Readiness, we had the opportunity to discuss CMMC 2.0 with top cybersecurity and legal experts, Scott Giordano (Partner & Co-Founder, CISO Law Firm) and Rob Server (Field CTO, Spirion). 

Here’s a recap of the questions from the audience—along with expert insights on what you need to do next to ensure your organization is ready for CMMC 2.0 enforcement. 

Q1: How Does CUI Overlap with PHI and HIPAA? 

Expert Answer: 
“The answer depends on who you hold contracts with. If your organization has a federal contract with the Department of Health & Human Services (HHS) or another federal agency that imposes CUI requirements, then your HIPAA-covered PHI may also be considered CUI.” 

What this means for you: 

  • HIPAA security and CMMC 2.0 compliance could overlap, requiring organizations to comply with both frameworks. 
  • If you handle federal healthcare contracts, check your agreements for CUI requirements. Where they exist, the PHI covered by that contract is also CUI and must be protected as such. Note that CMMC itself is a DoD program; other agencies impose NIST SP 800-171 safeguarding for CUI through their own contract clauses rather than through CMMC certification. 

💡 Pro Tip: If your organization handles PHI and CUI, assume both HIPAA and CMMC 2.0 requirements apply. Conduct a data classification audit to determine which data falls under both regulations and ensure your security controls meet the strictest standard to stay fully compliant. 

Q2: How Can We Prove Compliance to Auditors? 

Expert Answer: 
“Regulators will ask for proof of compliance, so documentation is key. When auditors show up, they’re going to ask for evidence of your security measures.” 

What this means for you: 

  • Classify and label CUI data consistently. If you don't know where your sensitive data is, you can't protect it, and you can't scope an assessment correctly. 
  • Keep the core CMMC documents current: a System Security Plan (SSP) describing how each requirement is met, and a Plan of Action & Milestones (POA&M) for any open items. Assessors walk the NIST SP 800-171A assessment objectives and expect evidence for each one. 
  • Demonstrate that security controls are working. Perform regular penetration testing and internal assessments, and keep the results. 
  • Maintain detailed security logs and reports. Ensure your SIEM or DSPM tool can generate reports showing that controls are operating as described in the SSP. 

💡 Pro Tip: Auditors won’t just take your word for it. If you don’t have automated compliance reporting, start implementing data discovery and classification tools now. 
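As an added example (not Spirion's product and not code from the webinar), here is a small Python script for the first job above, discovery: it walks a directory, finds files carrying a CUI banner marking in the form defined by 32 CFR Part 2002 ("CUI", "CUI//SP-CTI", "CONTROLLED//PRVCY//NOFORN"), and produces an inventory with a content hash that an assessor can reconcile against the SSP. The sample files are constructed inline, and the assumptions that a banner stands alone on one of the first ten lines and that files are plain text are this example's, not the page's.

```python
"""CUI discovery and inventory (added example, not Spirion's tooling).

Walks a directory tree, reads the first few lines of each file, and records
every file that carries a 32 CFR Part 2002 banner marking, e.g. "CUI",
"CUI//SP-CTI", or "CONTROLLED//PRVCY//NOFORN". The inventory (relative path,
SHA-256, categories, dissemination controls) is the kind of artifact an
assessor can reconcile against the System Security Plan.
"""
import hashlib
import json
import os
import re
import tempfile
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Assumption: the banner stands alone on one of the first HEADER_LINES lines.
# Binary formats (PDF, DOCX) would need text extraction first; not done here.
HEADER_LINES = 10
BANNER_RE = re.compile(
    r"^\s*(?:CUI|CONTROLLED)"
    r"(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"   # category block
    r"(?://(?P<ldc>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"    # limited dissemination
    r"\s*$"
)


@dataclass
class CuiRecord:
    relpath: str              # relative to the scan root, forward slashes
    sha256: str               # lets a later scan detect changed content
    categories: List[str]     # e.g. ["SP-CTI"]; empty for a bare "CUI" banner
    specified: bool           # True if any category is CUI Specified ("SP-")
    dissemination: List[str]  # e.g. ["NOFORN"]


def parse_banner(line: str) -> Optional[Dict]:
    """Parse one banner line; return None if the line is not a banner."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    cats = m.group("cats").split("/") if m.group("cats") else []
    ldc = m.group("ldc").split("/") if m.group("ldc") else []
    return {"categories": cats,
            "specified": any(c.startswith("SP-") for c in cats),
            "dissemination": ldc}


def scan_file(root: str, path: str) -> Optional[CuiRecord]:
    """Look for a banner in the file header; hash the file if one is found."""
    marking = None
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for _ in range(HEADER_LINES):
            line = fh.readline()
            if not line:
                break
            marking = parse_banner(line)
            if marking:
                break
    if marking is None:
        return None
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return CuiRecord(rel, digest, marking["categories"],
                     marking["specified"], marking["dissemination"])


def scan_tree(root: str) -> List[CuiRecord]:
    """Inventory every marked file under root, sorted for stable reports."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rec = scan_file(root, os.path.join(dirpath, name))
            if rec:
                records.append(rec)
    return sorted(records, key=lambda r: r.relpath)


def summarize(records: List[CuiRecord]) -> Dict:
    """Roll-up figures for an assessor-facing report."""
    by_cat: Dict[str, int] = {}
    for r in records:
        for c in r.categories:
            by_cat[c] = by_cat.get(c, 0) + 1
    return {"files": len(records),
            "specified": sum(r.specified for r in records),
            "with_dissemination_controls": sum(bool(r.dissemination) for r in records),
            "by_category": by_cat}


def build_sample_tree() -> str:
    """Create a constructed directory of sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="cui-scan-")
    samples = {
        "contract/soo.txt": "CUI//SP-CTI\nStatement of objectives ...\n",
        "hr/medical.txt": "CONTROLLED//PRVCY//NOFORN\nEmployee medical ...\n",
        "notes/readme.txt": "Project notes\nCUI\nDetails follow ...\n",
        "public/press.txt": "Press release. CONTROLLED BY: nobody\n",
    }
    for rel, text in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    inventory = scan_tree(sample_root)
    print(json.dumps({"summary": summarize(inventory),
                      "records": [asdict(r) for r in inventory]}, indent=2))
```

Run it as-is to see the inventory for the constructed files; point scan_tree at a real share to get a first-cut list of marked CUI. Files that are CUI but unmarked will not appear, which is itself a finding worth recording, since marking is a requirement in its own right.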

Q3: How Does CMMC Impact Universities & Research Institutions? 

Expert Answer: 
“It’s very difficult because CMMC 2.0 adds stricter access control rules—and research universities often collaborate internationally.” 

What this means for you: 

  • If foreign researchers are involved, whether they may access a given data set depends on the CUI category: export-controlled CUI (ITAR/EAR) restricts access by foreign nationals, and other categories limit access to those with a lawful government purpose under the contract. 
  • Universities often lack network segmentation, so CUI on a shared research network is reachable from departments that have no need for it. 
  • You'll need strong identity and access management (IAM) so that only personnel authorized under the contract, and only U.S. persons where export controls apply, can access CUI. 

💡 Pro Tip: If you’re a university or research institution, start by mapping your network and data flows to see where CUI is stored, who has access, and where segmentation is needed. Many institutions find a dedicated CUI research enclave far easier to assess than the whole campus network. 

Q4: If My Backups Are Encrypted and We Don’t Have the Decryption Keys, Are They Still in Scope? 

Expert Answer: 
“Even if your backup system stores encrypted CUI and you don’t have the keys, it’s still in scope.” 

What this means for you: 

  • Encryption is one layer of protection, and it is only as strong as the handling of its keys: a leaked, weak, or poorly managed key exposes everything the backup contains. 
  • If an attacker gains access to that backup, the encryption is the only thing between them and the CUI, which is exactly why the asset, and whoever holds the keys, must be assessed. 
  • The DoD expects organizations to treat all stored CUI as in scope regardless of encryption status. If a third party operates the backup service or holds the keys, that provider is part of your assessment scope as an external service provider. 

💡 Pro Tip: Don’t assume encryption removes compliance obligations. Instead, restrict and monitor access to backup systems, manage keys as carefully as the data itself, and apply zero-trust principles (least privilege, authenticated access on every path) to limit exposure. 

Q5: Does CMMC 2.0 Differentiate Between MFA and Two-Step Verification? 

Expert Answer: 
“Yes, CMMC 2.0 requires true MFA, not just two-step verification.” 

What this means for you: 

  • Two-step verification adds a second step, but not necessarily a second factor. A password followed by a security question is two steps of the same factor (something you know) and is not MFA. SMS one-time codes are nominally a possession factor, but a weak one: they can be intercepted or redirected (SIM swapping, phishing relays), and NIST SP 800-63B classifies SMS and voice delivery as a restricted authenticator. 
  • MFA (Multi-Factor Authentication) requires two or more distinct factor types (something you know, something you have, something you are), e.g., password + hardware security key, password + authenticator app, or password + biometric. NIST SP 800-171 requirement 3.5.3, which CMMC Level 2 inherits, calls for MFA on local and network access to privileged accounts and on network access to non-privileged accounts. 

💡 Pro Tip: SMS-based codes are NOT enough! Use a phishing-resistant second factor where you can (a FIDO2/WebAuthn security key or a PIV/CAC smart card), or at minimum an authenticator app, and make sure MFA covers remote access, privileged access, and every path into systems that hold CUI. 

Key Takeaways from the Q&A 

  • CMMC 2.0 is final. Contractors and subcontractors must be ready as the requirements roll into DoD contracts, or risk losing the work. 
  • Self-attestation is no longer a rubber stamp. Level 1 and some Level 2 contracts still allow self-assessment, but it must be backed by evidence and a senior official’s affirmation; if you can’t prove compliance, you’re exposed to False Claims Act lawsuits and contract loss. 
  • Every system touching CUI is in scope, even if it only transmits or stores encrypted data. 
  • Universities face major challenges in restricting foreign access to CUI in global research collaborations. 
  • MFA is required. Two-step verification is not the same as MFA under CMMC 2.0 and NIST SP 800-171. 
  • Proactive compliance is key. Start with a gap analysis against NIST SP 800-171 and a security assessment now. 

Is your organization ready for a CMMC audit? Read the full webinar recap and find out.