Scaling CMMC Level 2 Compliance Across the DIB and Higher Education

CarahCast: Podcasts on Technology in the Public Sector

Jun 15, 2026

Why It Matters

CMMC Level 2 compliance is now a prerequisite for many DoD contracts, affecting both defense contractors and research institutions that handle controlled unclassified information. Understanding how to efficiently scale compliance helps organizations avoid costly audit failures, protect sensitive data, and stay competitive in a tightening federal procurement landscape.

Key Takeaways

  • Start with hands‑on AD and RBAC fundamentals, then bring in GRC guidance.
  • Define clear authorization boundaries and enclave scopes early.
  • Reduce technical debt before audit; avoid changes during audit.
  • Enforce least‑privilege via lockbox and just‑in‑time access.
  • Automate controls with IaC, but regularly validate outputs.

Pulse Analysis

In this CarahCast episode, Tanium’s Group VP Ryan Endorfer and Georgia Tech Research Institute Director Wes Hogarth unpack the challenges of scaling CMMC Level 2 compliance across the Defense Industrial Base (DIB) and higher‑education research environments. They explain why CMMC matters: protecting Controlled Unclassified Information (CUI) for DoD sponsors, meeting NIST SP 800‑171 requirements, and aligning with FedRAMP expectations for cloud services. Their conversation highlights the shift from the original five‑level CMMC model to a streamlined three‑level framework, emphasizing how organizations must adapt both technical and policy controls to stay audit‑ready.

The duo outlines a practical roadmap for teams new to CMMC. Wes recommends starting with hands‑on fundamentals—Active Directory, group policy, and role‑based access control—before partnering with seasoned GRC professionals to craft a solid System Security Plan (SSP). Defining clear authorization boundaries and deciding between enterprise‑wide versus enclave‑specific scopes prevents scope creep and simplifies evidence collection. Ryan adds that eliminating technical debt early and freezing major infrastructure changes during an audit are critical to avoid conflicting evidence and POA&M delays. Robust change‑management processes, including documented CAB approvals and back‑out plans, ensure audit trails remain intact.

Finally, the speakers stress that least‑privilege and automated controls are the linchpins of sustainable compliance. Tanium’s “no‑privilege” lockbox model forces every access request through a just‑in‑time approval workflow, generating immutable logs for auditors. Leveraging Infrastructure‑as‑Code tools like Terraform or Ansible accelerates repeatable security configurations, but continuous validation of automation outputs is essential. Emerging AI‑driven monitoring, such as LLM‑based session analysis, adds a proactive layer to detect anomalous behavior before it escalates. Together, these strategies equip DIB contractors and research institutions with a scalable, future‑proof path to CMMC Level 2 certification.

Episode Description

Listen to Tanium’s podcast to discover how your organization can strengthen IT management, improve audit readiness and achieve CMMC Level 2 certification.
