
What You Missed at CEIC West 2025: CMMC Culture, Mock Assessments, AI for CUI, and Subcontractor Risk
The 2025 CEIC West (CMMC Ecosystem and Implementers Conference) in Las Vegas brought together cybersecurity leaders, defense contractors, and compliance professionals for crucial updates on the CMMC landscape. Whether you couldn’t attend or want a distilled summary of what matters most to small and mid-sized defense contractors, this article provides the highlights and actionable insights directly from the event.
Katie Arrington’s Keynote: CMMC Isn’t Going Anywhere
CMMC as a Cultural Shift
Katie Arrington, often referred to as the “Mother of CMMC,” opened the conference virtually with a message that set the tone for the event: CMMC is not just a program—it is a cultural imperative. Cybersecurity must be embedded into every layer of the organization. Employees must not only follow policies—they must understand what CUI is and how to protect it.
"This isn’t a checkbox—it’s a culture," she emphasized.
Cybersecurity as National Defense
Arrington positioned cybersecurity as the most effective non-kinetic deterrent to kinetic warfare. She highlighted ongoing intellectual property theft by China and emphasized how data leaks undermine U.S. military strength and innovation. Contractors must understand the role they play in national security.
The False Claims Act and the Accountability Shift
One of the most critical takeaways was the Department of Defense’s stance on accountability. The False Claims Act is now firmly on the table for organizations that misrepresent their cybersecurity posture.
Arrington stated that the Department of Defense is losing billions, and it is no longer the taxpayer’s responsibility to absorb those losses. Failing to implement required cybersecurity measures may result in legal and financial consequences—not just failed assessments.
What’s Next: NIST 800-171 Rev. 3 and Policy Alignment
R2 Today, R3 Tomorrow
CMMC Level 2 currently aligns with NIST 800-171 Revision 2. However, that will change. Once CMMC becomes fully operational, it will evolve with NIST updates. Contractors should expect future assessments to require compliance with Revision 3, particularly after their certification renewal date.
If you can get certified under Revision 2 now, you may not have to worry about Revision 3 until your three-year reassessment cycle.
AI in Compliance: CUI Tagging Gets a Tech Upgrade
AI-Driven CUI Labeling Is Coming
Arrington revealed that AI-based CUI tagging and labeling tools are expected to become standard within the next 18 months. This means a shift toward more automated and aggressive CUI identification and classification.
Organizations should prepare for an increased volume of data being flagged as CUI—and the higher protection standards that will follow.
Important note: Public AI tools like ChatGPT are not compliant for CUI. Contractors must ensure any AI tool used is properly certified and authorized.
Mock Assessment Takeaways: What Really Happens
Three Key Steps in a Real CMMC Assessment
Austin provided insights from a live mock assessment session, outlining the core process:
1. Present your System Security Plan (SSP).
2. Show documented policies for each control.
3. Provide evidence (e.g., screenshots) proving implementation.
Assessors may verify functionality on-site or request additional confirmation. Being thorough, clear, and concise in your documentation is key to a smoother assessment.
Why Your IT Guy Can’t Save You
You can outsource implementation, but not accountability. During an assessment, you—not your IT provider—must answer the assessor’s questions. This requires a working understanding of your SSP, policies, and procedures.
Operationalizing Compliance: Culture Beats Checklists
Build Routine into Your Workflow
Sessions like “Creatures of Habit” emphasized that compliance must be operationalized into day-to-day business. For example:
- Conduct weekly or monthly log reviews.
- Set reminders to review your SSP and POA&M.
- Use GRC tools (like FutureFeed or Asana) to assign responsibilities and track task completion.
Building a sustainable culture of compliance will reduce audit risk and improve preparedness.
The Flowdown Problem: Why Subcontractors Could Sink You
If You Share CUI, They Must Be Compliant
Flowdown requirements were a key focus. If you share any CUI with subcontractors—even a single technical drawing or specification—they must be compliant at the same CMMC level as you.
Start the Flowdown Process Now
Don’t wait until your certification is on the line. Begin verifying your subcontractors’ compliance status now. Use questionnaires or written attestations to establish their level of preparedness. Early communication helps avoid future disruptions.
FedRAMP Equivalency vs. Authorization: What You Need to Know
If you use cloud storage or file-sharing providers to handle CUI, those providers must be either:
- FedRAMP Authorized, or
- FedRAMP Equivalent (with evidence)
At a minimum, your cloud vendor must provide:
- A Security Assessment Report (SAR)
- A Shared Responsibility Matrix (SRM/CRM)
- A body of evidence
Assessors will ask to see these during your audit. If you can’t produce them, your use of that service may not be defensible.
Final Recommendations: How to Prepare Today
Before your next assessment, take these key steps:
1. Revisit your SSP and POA&M – Ensure they accurately reflect your current environment and map to assessment objectives.
2. Schedule regular compliance reviews – Start with quarterly meetings, and involve key stakeholders.
3. Vet your subcontractors – Document their compliance level and make flowdown a formal process.
4. Document responsibilities using a CRM or SRM – Clearly identify which party is responsible and accountable for each control.
Accountability always falls on the OSC (Organization Seeking Certification), not the MSP or service provider. Make sure everyone on your team understands this distinction.
CMMC is not going away. The themes from CEIC West 2025 reinforced that cybersecurity is a cultural, operational, and legal priority for all contractors in the defense supply chain. Whether it’s AI-driven CUI tagging, mock assessments, or subcontractor flowdowns, the message is the same: You are accountable.