This year’s CEIC West in Las Vegas provided an overview of the evolving cybersecurity landscape within the Defense Industrial Base (DIB) and its alignment with the Department of Defense’s (DoD) CMMC. For those in the cybersecurity and compliance field, this was a critical checkpoint in the journey toward better securing our national defense infrastructure.
One of the key highlights came from Katie Arrington’s keynote, which underscored a fundamental message: CMMC is here to stay.
Built upon the framework of NIST 800-171, CMMC represents a shift in how we approach cybersecurity across the DIB.
Arrington also revealed that the need for such frameworks is gaining global traction, with countries like Canada, the UK, Israel, and Japan aligning their cybersecurity policies with CMMC’s principles.
This global trend:
As the regulatory landscape continues to evolve, there is a strong indication that CFR 48, which is expected to formalize CMMC into DoD contracts and RFPs, may be finalized as early as this fall.
Both Arrington and Stacy suggested that:
This finalization would mark a significant milestone, creating a much-needed framework for defense contractors to build their compliance strategies.
The issue of compliance costs was another recurring theme at CEIC West.
It is no secret that the financial burden of becoming CMMC-compliant is one of the biggest challenges facing contractors today.
Another central point was the cultural shift required within the DIB.
Matt Travis’ keynote brought to light a critical reality:
The DoD needs the DIB to be as diligent and rigorous in its approach to cybersecurity as the DoD itself.
Yet, many DIB organizations are still not ready for CMMC audits:
CyberAB announced its upcoming rollout of continued guidance on what constitutes an External Service Provider (ESP) — including distinctions between:
There has been considerable confusion around these terms, and the introduction of a CMMC Body of Knowledge promises to offer much-needed clarity.
The path forward remains challenging, particularly given the financial and cultural hurdles many organizations face.
However, the discussions at this year’s event highlighted the growing recognition of CMMC’s importance, both within the U.S. and globally.
The CEIC West 2025 conference was a fantastic opportunity to:
The CMMC community is close-knit, and events like this bring stakeholders together to collaborate and address the most pressing challenges facing the DIB and those who support it.
Attending CEIC West 2025 was a powerful reminder that we’re all navigating this evolving landscape together. The conversations, keynotes, and hallway chats made one thing clear: CMMC is no longer a distant requirement—it’s a present reality.
The path forward may be complex, but it’s also collaborative. Whether you’re a contractor, advisor, or assessor, we each have a role to play in strengthening the DIB’s cybersecurity posture.
Let’s keep learning from each other and moving the industry forward.
Marc Zurcher
Coalfire