We recently attended one of the most anticipated cybersecurity conferences of the year—ISC2 Security Congress 2025. Held at the Gaylord Opryland in Nashville, it drew thousands who gathered to learn the latest in cybersecurity. While it wasn’t a Defense Industrial Base-focused show, the overlap between cybersecurity and compliance was clear.
Our exhibitor booth welcomed several compliance professionals, all of whom gave us insightful feedback on their CMMC experience—and the general pulse of compliance right now. Here are our biggest observations from those conversations:
1. Enclaves, Enclaves, and More Enclaves.
Almost everyone we spoke to at the conference who was working toward CMMC compliance had their environment in an enclave. The most common reasons included affordability, perceived simplicity, and offers from the RPOs they were consulting with. While there are pros and cons to enclaves, we understood why it was a common trend.
2. The CUI Conundrum.
Here’s just a few of the things we heard at ISC2 when it came to CUI:
“I’m a contractor but I don’t think I have CUI.”
“I want to start bidding on DoD contracts, but I don’t know where my CUI is.”
“Where is the CUI in my environment?”
“Does (insert) count as CUI?”
It was clear to us that there’s a ton of confusion and disconnect between CMMC’s requirements, DIB organizations’ understanding of these requirements, and where to get clarification. This is especially hard for SMBs or sub-contractors who don’t have a dedicated compliance professional on their team for guidance.
3. More Awareness of the False Claims Act
The organizations we spoke to were more aware than ever of the importance of accurate self-assessments and reporting. With the CMMC Phase 1 rollout official, the fear of hefty fines is acting as a compliance catalyst. Organizations are feeling the pressure, and many told us that the choice between investing in building out their CMMC program now or paying for it later through the risk of fines was an easy one.
4. Executive Approval of Compliance Investments
Tale as old as time. There’s a disconnect between executive and security/compliance teams in terms of justifying budget, expectations of progress/success, etc. Executives and security professionals butting heads is nothing new, but we heard from multiple security professionals that they’re making “impossible” decisions when it comes to allocating their budget to necessary compliance investments. Do you spend money on a gap assessment or an enclave? What about when they have to be reassessed in 3 years?
5. Handling CMMC on Your Own with a Limited Budget
Many organizations feel like they have to handle CMMC on their own. The DIB was built on the back of mom-and-pop businesses. Typically, these organizations have smaller budgets and limited resources. We heard these sentiments directly from SMBs concerned about acquiring outside help—they just can’t afford it. However, they’re also more than aware of how helpful outside consulting would be. They’re between a rock and a hard place.
6. Kickstart My C3PAO Assessment
C3PAO Assessments were the most popular topic of discussion for our team at ISC2. Many attendees were eager to schedule their assessment, hoping to have certification by the New Year. While this is an awesome update in terms of contractor buy-in to CMMC enforcement, compliance maturity is an entirely different discussion. When discussing their maturity efforts thus far, many professionals were less mature than they realized. It’s good to have a laser focus on the end goal, but CMMC takes a lot of preparation to get there.
7. Wanting to Boost Their Competitive Edge
There’s no more denying the imminent impact of CMMC. In the past, we’ve seen a lot of reluctance from organizations to invest in becoming CMMC compliant, regardless of its impending enforcement. Now that there’s an official date for the Phase 1 rollout, many security professionals expressed that to their C-Suite, CMMC is as much of a business decision as it is a security one. Having a foolproof, competitive, and secure advantage over other bidders on contracts can make or break their revenue.
8. Who’s Flying the Plane?
While certain organizations have dedicated time, resources, and hired talent to build their compliance program, others have not. We heard a lot of stories about how compliance programs were formed, and they were the corporate equivalent of “nose goes.” Whoever “won the raffle” was tasked with compliance, regardless of their specialization. This has left many professionals feeling overwhelmed and eager for outside consulting, even if upper management won’t approve it.
Our Overall Takeaways
As an authorized C3PAO, we’ve been attending compliance and security-focused conferences for quite some time. Over time, CMMC has matured, and DIB organizations’ attitudes toward it have as well. It’s no longer something that’s in the future, and having meaningful conversations in-person with security compliance professionals has shown us that organizations are taking it more seriously than ever.
If you’re a DIB organization that’s eager to get CMMC under your belt, we’d be happy to help. Whether it’s advisory services to prepare your environment for an assessment, or an audit, our team of in-house Certified CMMC Assessors is ready to go.