
BY SPIRION
March 19, 2025
The Cybersecurity Maturity Model Certification (CMMC) is no longer on the horizon: it is here. With the CMMC Program rule (32 CFR Part 170) in effect as of December 2024, organizations working with the Department of Defense (DoD) must comply with CMMC 2.0 at the level their contracts require or risk losing those contracts. Yet many businesses are still asking: what does CMMC 2.0 really require, and how can we make sure we are ready?
These were just some of the pressing topics discussed in our recent webinar, The Truth About CMMC: Compliance, Risks, and Readiness, featuring industry experts Scott Giordano, Partner & Co-Founder at the CISO Law Firm, and Rob Server, Spirion’s Field Chief Technology Officer.
Below is a high-level summary of the key insights from the webinar: what CMMC 2.0 is, the biggest risks of non-compliance, and what businesses can do now to meet the requirements.
CMMC Compliance: Understanding the Basics
To set the stage, Scott Giordano, a seasoned attorney specializing in AI, privacy, and cybersecurity law, kicked things off by explaining why the Cybersecurity Maturity Model Certification (CMMC) exists and how it has evolved.
What Is CMMC?
CMMC is the Department of Defense's (DoD) cybersecurity framework for securing the defense supply chain. It applies to every DoD contractor and subcontractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
CMMC is no longer optional: as of December 2024, organizations must meet the CMMC level specified in a solicitation to win or renew DoD contracts.
The Evolution of CMMC: From 1.0 to 2.0
Giordano explained that CMMC has been years in the making. In 2010, Executive Order 13556 laid the foundation for protecting Controlled Unclassified Information (CUI), which in turn led to the DFARS clause 252.204-7012 and NIST SP 800-171.
The self-attestation model that followed did not work: many organizations misrepresented their compliance or never implemented the required controls. In response, the Department of Defense (DoD) released CMMC 1.0 in 2020, a five-tier maturity model for contractors.
In 2021, the DoD streamlined CMMC into CMMC 2.0, reducing the number of compliance levels from five to three:
- Level 1: Foundational (Self-Assessed) – Basic cyber hygiene for companies handling Federal Contract Information (FCI), affirmed through an annual self-assessment.
- Level 2: Advanced (Third-Party or Self-Assessed) – Aligns with the 110 controls of NIST SP 800-171 and is required for organizations handling Controlled Unclassified Information (CUI). Most Level 2 contracts require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); some lower-risk contracts allow a self-assessment.
- Level 3: Expert (Government-Assessed) – Assessed by the DoD itself (DCMA's DIBCAC) and layered on top of a Level 2 certification, adding selected NIST SP 800-172 controls. Required for companies working on highly sensitive national security projects.
Most defense contractors (approximately 200,000 companies) are expected to need Level 2 compliance within the next 10 years, but some will require Level 3 if they handle high-value data targeted by nation-state actors.
The Reality vs. Hype of CMMC Compliance
With CMMC enforcement now in effect, some organizations are still hoping it will be delayed or not strictly enforced. Don’t count on it.
Our experts debunked key myths surrounding CMMC 2.0:
🔸 Hype: CMMC is just for prime contractors.
✅ Reality: False. CMMC applies to the entire Defense Industrial Base (DIB), not just large prime contractors. Subcontractors, vendors, and suppliers must comply if they handle FCI or CUI for the DoD, and primes are required to flow the CMMC requirement down to them.
🔸 Hype: Enforcement will be delayed again.
✅ Reality: False. Giordano emphasized that cybersecurity remains a top priority for the U.S. government regardless of changes in administration. The Final Rule for the CMMC Program was published in October 2024, and enforcement is expected to be vigorous in 2025. Organizations must act now: DoD will make the required CMMC level a condition of contract eligibility.
Reality Check: If your organization is in the Defense Industrial Base (DIB), CMMC applies to you. This includes:
- Prime Contractors
- Subcontractors (including those handling CUI on behalf of DoD contractors)
- Suppliers & Vendors – If your customers require CMMC, you’ll need it too.
The Risks of Non-Compliance with CMMC 2.0
The experts discussed the False Claims Act (FCA), which the Department of Justice is already using against contractors that misrepresent their cybersecurity compliance. Falsely claiming to meet the requirements can result in lawsuits, contract losses, and major financial penalties.
A real-world case study: in October 2024, a major university settled an FCA lawsuit for $1.25 million over false self-attestations of NIST SP 800-171 compliance. The whistleblower (relator) who reported the violation received $250,000 of the settlement.
Key takeaway: if you rely on self-attestation instead of actually implementing and documenting strong security controls, you are exposed to lawsuits, financial penalties, and contract loss.
How Spirion Can Help You Prepare for CMMC Compliance
Giordano and Rob Server, Spirion’s Field CTO, emphasized the need for precise and automated data discovery—something that many organizations struggle with when identifying in-scope CUI.
Spirion helps organizations:
- Find & classify CUI automatically – reducing manual effort and human error.
- Apply persistent classification & tagging – supporting CMMC compliance and integrating with DLP, SIEMs, and other security tools.
- Provide audit-ready compliance reporting – replacing risky self-attestations with evidence of compliance with CMMC requirements.
- Strengthen security and compliance posture with data discovery, classification, and monitoring solutions.
“Spirion’s been performing low false-positive data discovery for over a decade,” Server said. “Because you can’t protect what you don’t know exists.”
Key Takeaways from the Webinar
- CMMC enforcement is real: compliance at the required level is now a condition of winning DoD contracts.
- Organizations handling CUI must meet Level 2 requirements; where a certification assessment is required, it is performed by a C3PAO and must be renewed every three years.
- The FCA is being used to penalize non-compliant organizations, and whistleblowers can sue on the government's behalf.
- Data discovery and classification are critical: you must accurately locate, label, and protect CUI across your organization.
- Human error is a major risk. Employee training on cybersecurity and compliance is more important than ever under CMMC 2.0.
Is your organization prepared for CMMC enforcement? Watch the full webinar to better understand the key takeaways from our expert panel discussion!