Selling to the Government? Here's What CMMC Means for You

CMMC Phase 2 enforcement lands in November 2026, and C3PAOs are already
warning about assessment capacity. If your configuration management domain
isn't audit-ready, this is the walkthrough to fix that.

Roy Ludmir breaks down what changed in enforced CMMC as of November 2025,
what auditors actually test versus what they just ask about, and where
most organizations get stuck below full compliance — plus which security
baselines to standardize on and how to build an evidence package that
holds up under a real assessment.

Highlights

00:00 Introduction

00:44 Agenda

01:36 CMMC evolution — from proposal to enforcement

04:31 Enforcement phases — where things stand now

06:07 What changed in enforced CMMC (November 2025)

07:42 The three CMMC levels — who does what

09:47 CMMC Level 2 configuration management domain (CM)

15:13 Which security baselines to use for CMMC compliance

19:24 What auditors actually check

20:30 Building an audit-ready evidence package

27:53 CMMC hardening readiness checklist

28:49 The real challenges of configuration hardening at scale

33:10 How automation changes the equation

37:47 Next steps

Learn more about automating CMMC configuration hardening:
https://calcomsoftware.com/
https://calcomsoftware.com/compliance/cmmc-compliance/
https://calcomsoftware.com/what-the-new-cmmc-rules-mean-for-dod-contractors/

#CMMC #CMMC2.0 #ConfigurationManagement #CyberCompliance #DoDContractors
, CMMC audit, C3PAO, CMMC readiness, DoD contractor
compliance, DIB cybersecurity, CIS benchmarks, security baseline, CMMC
Phase 2, NIST 800-171