Secureframe summit puts CMMC & AI at federal focus
Fri, 15th May 2026
Secureframe has concluded its inaugural National Cybersecurity Summit, a virtual event that brought together thousands of security leaders, government officials and federal sector participants.
Over three days, speakers focused on Cybersecurity Maturity Model Certification, supply chain security and the use of artificial intelligence in federal defence and cybersecurity work. The programme featured former senior officials from the US Department of Defense, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, alongside sector executives.
The event highlighted how cybersecurity policy and operational risk are converging around federal contractors and their suppliers. A central theme was whether organisations treat CMMC as a paperwork exercise or as a broader security discipline tied to national security, procurement standards and resilience against fast-moving attacks.
CMMC focus
Mike Snyder, Executive Director of Ecosystem Engagement at The Cyber AB, outlined current figures for the assessment system: 1,198 final Level 2 certifications, 103 authorised C3PAOs and 518 Lead CCAs.
The figures fed into a broader discussion about the pace of adoption and the practical barriers facing companies in the defence industrial base. Speakers said the larger issue is no longer simply assessor availability, but whether contractors understand the security rationale behind the rules they are being asked to meet.
Stacy Bostjanick, a former Deputy CIO at the Department of Defense, argued that the compliance debate needs to move beyond metrics and audits.
"People don't care about [cybersecurity requirements] until they get hit by an attack," Bostjanick said. "We need to get secure before that... and stop giving away information to adversaries for free."
Her remarks reinforced a recurring message from the summit: cyber standards in the federal supply chain are being framed less as administrative burdens and more as safeguards against espionage, disruption and theft of sensitive information.
AI pressure
The second day turned to the threat landscape and AI's effect on both attackers and defenders. Speakers described a security environment in which intrusion activity is becoming faster, more complex and easier to scale.
General Paul M. Nakasone, former Commander of US Cyber Command and former Director of the NSA, warned that many organisations may already be compromised without realising it.
"There are likely adversaries in your network and you probably don't know it," Nakasone said.
He also urged organisations not to try to overhaul everything at once as they adopt AI in security operations.
"We should move in sprints. We need to move faster. Instead of trying to solve all problems, let's try to solve the most urgent, unique problems," he said.
Robert Costello, former CIO of CISA, discussed where AI may offer more immediate value in security and compliance work. Rather than focusing on the attention around chatbots, he pointed to uses such as reducing alert fatigue, processing large volumes of compliance information and supporting continuous control testing in live environments.
That emphasis reflected a more practical approach to AI adoption in heavily regulated sectors, where teams are under pressure to document controls, monitor systems and respond to findings without sharply increasing headcount.
Federal outlook
The final day focused on federal cybersecurity priorities and CMMC's role in procurement and vendor assessment. Katie Arrington, Chief Information Officer at IonQ and former Chief Information Security Officer at the Department of Defense, said the model should be seen as a baseline for operational protection rather than a checklist.
"CMMC is not just about compliance. It's about protecting you and all of us. The threat is real, it's continuous, it's evolving and becoming even more of a problem because of capabilities at hand so taking CMMC and other cybersecurity requirements to protect your environment seriously is more important than ever," Arrington said.
She added that the framework has become a benchmark in vendor reviews, reflecting how government buyers and contractors are starting to use certification as a signal of security posture. That trend could raise the commercial stakes for companies seeking federal work, especially as more agencies adopt common expectations around cyber controls.
Rob Joyce, former NSA Cybersecurity Director, closed the event with a warning that AI is likely to compress the timeline of cyber operations on both sides.
"The AI revolution is real and here. These tools will accelerate offense and defense and the people using AI will outperform those who aren't," Joyce said. "So start adopting it now to improve your defenses."
Secureframe Chief Executive Officer Shrav Mehta said the discussions reflected broader challenges for compliance teams trying to turn regulatory demands into durable internal processes.
"The conversations this week have shown us where the real cybersecurity compliance hurdles lie. Not just in understanding what needs to be done, but in building the tools, processes, and cultures that make it sustainable," Mehta said. "We're committed to helping compliance teams bridge those gaps, so organizations can focus less on checking boxes and more on enhancing cybersecurity and building genuine resilience."