by Troy Richardson, CMMC Consultant and Peter Case, Director of Partnerships

The Experience

Mid-autumn, our team headed to CS5 East 2025. If you’ve never been to this “official conference of the Cyber AB”, think of it as the place where everyone obsessing over defense cybersecurity and CMMC compliance gathers to compare notes, swap war stories, and figure out what’s actually happening with this program.

The timing was perfect—maybe a little too perfect. The CMMC Final Rule just dropped, Phase 1 kicks off November 10th, and everyone in the Defense Industrial Base is basically asking the same question: “Okay, now what?”

CMMC is Taking Flight – Ready or Not

Matthew Travis, CEO of The Cyber AB, opened things up with an analogy that got some knowing laughs: He said CMMC spent forever stuck at the airport during internal review, spent most of 2024 taxiing down the runway, and now? We’re finally taking off.

And honestly, that tracks. This isn’t some theoretical framework anymore. It’s real, it’s here, and contractors need to get moving—not when a contract forces their hand, but right now.

What really stuck with us was how many speakers hammered home this point: the next 6 to 12 months are going to separate the prepared from the scrambling. The companies with their documentation tight, their assessments done, and their evidence ready? Those are the ones who’ll be able to bid with confidence while everyone else is playing catch-up.

Five Things That Really Stood Out

We spent two full days in sessions, roundtables, and those impromptu hallway conversations that somehow end up being the most valuable part of any conference. Here’s what we took away:

  1. Everyone Gets It—They Just Can’t Execute It

This was a big one. Most organizations actually understand what CMMC requires. That’s not the problem. The problem is doing it. Policies are half-written. Procedures exist on paper but not in practice. Evidence is scattered or missing entirely.

The companies that will stand out aren’t the ones with the fanciest binders—they will be the ones who can show their compliance is actually operationalized. Primes and DoD evaluators can tell the difference.

  2. The MSP/CSP Situation Is Still… Figuring Itself Out

There were multiple sessions trying to nail down how Managed Service Providers and Cloud Service Providers fit into the shared-responsibility model. Progress is happening, but it’s still murky in places.

Bottom line: If you’re a small business, you need to really vet your MSP. And we mean really vet them. Document exactly who’s responsible for what, because when things go sideways, nobody wants to be pointing fingers trying to figure out whose job it was.

  3. Good Luck Finding an Assessor Last-Minute

The pipeline for Certified CMMC Assessors and C3PAOs is growing, but demand is outpacing supply by a mile. If you wait until you absolutely need one, you’re going to be stuck in a very long line.

Every assessor we talked to said the same thing: Start your self-assessment now. Close the obvious gaps. Reach out early. Don’t be that company scrambling three months before a contract deadline.

  4. The Ecosystem Actually Looks Legit Now

We’ll be honest—at earlier CMMC events, the vendor floor sometimes felt like a buzzword convention. This year was different. We saw real tools from credentialed providers that actually integrate with each other: GRC platforms (like Vanta), documentation automation, and evidence-collection software.

It’s starting to feel like an ecosystem small- and mid-sized businesses can actually navigate without needing a PhD in compliance.

  5. The Real Value Was in the Conversations

CS5 wasn’t just about sitting in sessions—it was about the connections. The “Roundtable Revolution” format was clutch. Open discussions, lessons learned, best practices shared freely. Direct access to C3PAOs, consultants, and vendors who are all dealing with the same challenges.

For small businesses especially, that’s the reminder you need: You’re not alone in this. There’s a whole community trying to figure it out together.

What Wasn’t There

The elephant in the room—or rather, the elephant not in the room—was the lack of DoD speakers. Several had to cancel because of the federal government shutdown, which left some people wondering if things were stalling out.

But here’s what The Cyber AB and other presenters made crystal clear: CMMC is still moving. The shutdown doesn’t change the timeline. The rule is still rolling out on schedule. Don’t mistake the absence of DoD officials for a slowdown—this train is still leaving the station.

What This Means for You

If you’re a small contractor, here’s the real talk: CMMC isn’t some far-off requirement anymore. It’s becoming a competitive advantage. The companies that get ahead of this in 2025 are going to be the ones winning contracts when compliance becomes a deciding factor.

Based on what we learned at CS5, here’s what you should actually do:

  1. Do a readiness check right now. Know your SPRS score. Identify your gaps. Document where you stand today.
  2. Focus on the big four: Access Control, Incident Response, Configuration Management, and Audit & Accountability. These are the areas assessors are going to dig into hardest.
  3. Get aligned with your MSP and IT providers. Create a shared responsibility matrix. Put it in writing. Make sure everyone knows who owns what before you’re in the middle of an assessment.
  4. Start collecting evidence today. This is huge. The first “M” in CMMC stands for “Maturity,” and maturity means you’ve been doing this for a while—not that you spun everything up last month. Auditors will notice if your evidence is suspiciously fresh.
  5. Stay flexible. Some of the guidance is still being refined, so be ready to adjust as things evolve.

Final Thoughts

The vibe at CS5 East 2025 was pretty clear: CMMC is happening, and being ready means being competitive. The small businesses that move now are going to be the ones positioned to win DoD work in 2026 and beyond.

Our team left feeling energized—not just by how far the CMMC ecosystem has come, but by how committed everyone seems to be to actually making this work. It’s not just about checking boxes; it’s about genuinely improving cybersecurity across the defense supply chain.

We’re already folding what we learned into our client work: updated playbooks, readiness engagements, partner training sessions—all of it.

Let’s Talk About Your Readiness

Whether you’re just starting out or you’re already deep into prep, we can help you navigate this—from gap analysis all the way through evidence validation.

Reach out to our CMMC team to schedule a consultation.