Selling to the Government? Here's What CMMC Means for You
CMMC Phase 2 enforcement lands in November 2026, and C3PAOs are already
warning about assessment capacity. If your configuration management domain
isn't audit-ready, this is the walkthrough to fix that.
Roy Ludmir breaks down what changed in enforced CMMC as of November 2025,
what auditors actually test versus what they just ask about, and where
most organizations get stuck below full compliance — plus which security
baselines to standardize on and how to build an evidence package that
holds up under a real assessment.
Highlights
00:00 Introduction
00:44 Agenda
01:36 CMMC evolution — from proposal to enforcement
04:31 Enforcement phases — where things stand now
06:07 What changed in enforced CMMC (November 2025)
07:42 The three CMMC levels — who does what
09:47 CMMC Level 2 configuration management domain (CM)
15:13 Which security baselines to use for CMMC compliance
19:24 What auditors actually check
20:30 Building an audit-ready evidence package
27:53 CMMC hardening readiness checklist
28:49 The real challenges of configuration hardening at scale
33:10 How automation changes the equation
37:47 Next steps
Learn more about automating CMMC configuration hardening:
https://calcomsoftware.com/
https://calcomsoftware.com/compliance/cmmc-compliance/
https://calcomsoftware.com/what-the-new-cmmc-rules-mean-for-dod-contractors/
#CMMC #CMMC2.0 #ConfigurationManagement #CyberCompliance #DoDContractors
, CMMC audit, C3PAO, CMMC readiness, DoD contractor
compliance, DIB cybersecurity, CIS benchmarks, security baseline, CMMC
Phase 2, NIST 800-171