CMMC compliance in the age of AI

Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is pushing federal contractors to demonstrate, not just assert, that they can protect sensitive government data. Eligibility for contracts now depends on the ability to show how controlled unclassified information (CUI) is handled, why specific safeguards were selected and whether those safeguards operate consistently under scrutiny from assessors, agencies and prime contractors. This shift introduces greater accountability for CISOs, who are already contending with cloud expansion and evolving federal expectations.

CMMC 2.0

CMMC was introduced to address inconsistent self-attestation across the defense industrial base, where for years agencies relied on contractors’ own assertions and on patchwork controls that varied dramatically from one contractor to another. CMMC formalized expectations, established clearer baselines and brought in verification that contractors were properly implementing controls.

Compared to its predecessor, CMMC 2.0 moved toward a more pragmatic, risk-based approach. The emphasis now falls on whether protections are appropriate, documented and defensible for a specific environment rather than uniform implementation across the ecosystem. That evolution reduces friction and makes it easier to align CMMC work with broader security and GRC programs. However, it also adds weight to CISOs’ and their teams’ judgments. Scope decisions, residual risk acceptance and uneven evidence across business units all become topics of discussion during assessments.

The primary readiness gap: data scope awareness

Central to preparation is gaining a complete understanding of the data subject to CMMC 2.0 controls. Many organizations are still struggling to define the full scope of systems, workflows and third-party relationships that process or store CUI. When contractors conduct detailed CMMC-focused data inventories, it’s common that they’ll surface a larger footprint than originally anticipated.

The number of in-scope systems and workflows grows, expanding the effort, tooling and budget necessary to govern them. This discovery phase then slows certification and forces organizations to confront more foundational questions about data mapping, classification, lifecycle management and supplier risk. Until leaders can answer those questions with clarity, decisions about control implementation remain on uncertain ground.

The problem with manual compliance execution

CMMC 2.0 places as much emphasis on administrative controls as on technical ones. Quarterly access reviews, employee training, incident documentation and policy attestations all require evidence of consistent execution.

Manual processes at this stage introduce variation in how the same control is interpreted and applied. Evidence of control execution scatters across email, personal storage locations and one-off spreadsheets. As practices evolve, policy language may not keep pace, leading to a divergence between documented intent and day-to-day reality. Over time, these discrepancies accumulate. During an assessment, they can manifest as incomplete records and other gaps that raise questions about the reliability of governance.

Automation as the backbone of scalability

Contractors now face a reality in which automation is the path to stable execution. Automated workflows drive CMMC-related controls from initiation through completion while generating consistent, verifiable evidence along the way.

Recurring access reviews no longer depend on calendar reminders and individual diligence. Workflow engines can schedule tasks, route them to responsible owners, enforce approvals and capture outcomes in standardized formats. Evidence collection becomes a byproduct of normal operations instead of a separate, reactive effort.

Standardized workflows deliver more consistent control application across teams and regions. Similar risks receive similar treatment, and deviations stand out in logs rather than remaining hidden in local practices. That structure simplifies explanations to assessors and supports internal review of where controls excel and where they fall short.

Automation still leaves room for human judgment. Leaders can spend more time evaluating whether controls reflect real risk, adapting workflows as the environment changes and using metrics generated by automated systems to refine their approach.
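As an added example (not from the article or any particular GRC product), the following Python sketch shows the shape of such a workflow: quarterly review tasks are scheduled and routed to owners, completion requires a separate approver, each outcome is written as a standardized, hash-chained evidence record, and overdue or late reviews surface as deviations instead of hiding in inboxes. System and person names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import json

@dataclass
class ReviewTask:
    system: str                 # in-scope system handling CUI (constructed name)
    owner: str                  # reviewer the task is routed to
    due: date
    completed: date | None = None

@dataclass
class ReviewWorkflow:
    period_days: int = 91       # quarterly cadence
    tasks: list = field(default_factory=list)
    evidence: list = field(default_factory=list)   # append-only evidence log

    def schedule(self, system: str, owner: str, start: date) -> ReviewTask:
        task = ReviewTask(system, owner, start + timedelta(days=self.period_days))
        self.tasks.append(task)
        return task

    def complete(self, system: str, on: date, approver: str, findings: int) -> dict:
        task = next(t for t in self.tasks if t.system == system and t.completed is None)
        if approver == task.owner:
            raise ValueError("approval must come from someone other than the reviewer")
        task.completed = on
        # Standardized record; "prev" chains it to the previous record so that a
        # later edit or deletion breaks verify_chain().
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        body = {"control": "quarterly-access-review", "system": system, "owner": task.owner,
                "approver": approver, "due": task.due.isoformat(), "completed": on.isoformat(),
                "findings": findings, "late": on > task.due, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.evidence.append(body)
        self.schedule(system, task.owner, on)   # re-arm next cycle, no calendar reminder needed
        return body

    def deviations(self, as_of: date) -> list[str]:
        """Open tasks past due, plus completed reviews recorded as late."""
        overdue = [f"overdue:{t.system}" for t in self.tasks if t.completed is None and t.due < as_of]
        return overdue + [f"late:{e['system']}" for e in self.evidence if e["late"]]

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for rec in self.evidence:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```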

Making AI an enabler, not a risk multiplier

The shift toward automation brings AI into the compliance equation, as it can materially improve CMMC-related work. Summarizing complex evidence, correlating signals across systems, flagging anomalies and easing documentation burdens are all strong fits for AI-enabled assistance.

The same capabilities, if not managed correctly, can create new avenues for data exposure and governance breakdown. Opacity in AI usage makes it difficult to determine systems’ proximity to sensitive government data and what guardrails apply to generated outputs.

However, a prohibition mindset doesn’t scale well and leaves value on the table. A governance-centric approach balances caution with innovation. Contractors are advised to define approved AI use cases for sensitive information, subject AI-enabled tools to security and compliance review, document data flows and configuration choices, and integrate AI usage into broader GRC monitoring. When AI sits within that structure, it can reduce compliance fatigue rather than amplifying it.

Additionally, AI performance ties directly to data quality and process maturity. Pointing AI at legacy compliance artifacts or immature processes can amplify issues rather than resolve them, as AI outputs will mirror the ambiguity of the inputs. Pattern detection becomes possible, but reliable conclusions remain elusive because the underlying records lack structure and completeness.

This reality requires an honest assessment of current program maturity. Before organizations scale AI across CMMC activities, they need to answer foundational questions about scope mapping, policy adoption, evidence capture and role clarity.

Building a resilient CMMC 2.0 program

Resilient CMMC programs share common characteristics. They maintain a clear, continually updated view of data scope. Leaders can describe where CUI and related data exist, which systems and outside parties interact with it and how those flows are monitored. That understanding evolves along with the business, rather than remaining a static diagram.

They lean on standardized, automated administrative controls. Policies, reviews, approvals, training activities and other procedural steps follow defined workflows that emit consistent evidence. Exceptions and deviations are logged and reviewed, not glossed over or discovered late in an assessment.

They position AI as a governed capability within the compliance ecosystem. AI tools appear alongside other technologies in risk and compliance inventories. AI helps execute and analyze tasks, but accountability ultimately remains with human owners.

Most importantly, these programs weave evidence into daily operations. When assessors ask how a control operates, leaders can point to workflows, logs and artifacts that tell a coherent story without relying on memory or manual reconstruction. That combination of clarity, consistency and sustainability aligns closely with what CMMC 2.0 is really asking for, even as the broader environment continues to change.

This article is published as part of the Foundry Expert Contributor Network.