Today, we have some updates and important steps taken by the federal government that all governments should be aware of and I turned to Mr. Lambo for his insights on recent developments.

“Key steps contractors must take now:

• Assess your current cybersecurity posture against the CMMC requirements for your anticipated contract level.
• Close compliance gaps and maintain comprehensive documentation.
• Prepare for third-party or government assessments if you handle CUI.
• Ensure your subcontractors are equally compliant.
• Register and keep your CMMC status updated in SPRS.

“The risks of non-compliance are real: contract ineligibility, breach, regulatory penalties, and business disruption.

To dive deeper into this topic, I once again interviewed Taiye Lambo, who is an expert on the CMMC. The focus on the discussion is on how this topic impacts state and local governments and the wider SLED community.

Dan Lohrmann (DL): With current federal funding cuts, how can state and local governments, as well as tribes and schools, leverage DoD’s [Department of Defense’s] funding increase to mature their cybersecurity programs?

Taiye Lambo (TL): I want to keep my responses in bullet form to provide maximum benefit and offer additional resources:

• Federal/state cyber funds (SLCGP, MS-ISAC) are tightening, but SLTTs can seek partnerships. [CISA SLCGP]
• DoD requested over $64 billion in FY 25 for IT/cyber — align tooling, training, exercises.
• National Guard Title 32 cyber units support SLTTs (vulnerability assessments, incident response).
• Even with cuts, SLCGP funds can prioritize 800-171 controls. [CISA SLCGP]
• Maintain intel-sharing via JCDC and MS-ISAC. [JCDC][MS-ISAC]

DL: What are the direct or indirect implications of CMMC 2.0 requirements on the SLTT/SLED sectors?  

TL:

• CMMC is mandatory for DoD contractors (effective Dec. 16, 2024, phased Nov. 10, 2025). [CMMC 2.0 Rule]
• Even without DoD work, primes/OEMs may flow down CMMC-like clauses. [CMMC 2.0 Rule]
• Provides a clear control baseline mapping to NIST SP 800-171 Rev. 3. [NIST SP 800-171 Rev. 3]

DL: What does voluntary adoption of CMMC 2.0 requirements look like for the SLTT/SLED sectors?  

TL:

• Adopt 800-171 Rev. 3 controls without formal certification. [NIST SP 800-171 Rev. 3]
• Stage adoption with remaining SLCGP funding. [CISA SLCGP]
• Use GovRAMP to validate cloud vendors. [GovRAMP]/[FedRAMP]

DL: How can the SLTT/SLED sectors leverage CMMC 2.0 to address cybersecurity risks in their supply chain?  

TL:

• Require vendors to align with NIST 800-171 Rev. 3 and provide evidence. [NIST SP 800-171 Rev. 3]
• For high-impact systems, consider NIST 800-172-style protections. [NIST SP 800-171 Rev. 3]
• Prefer GovRAMP/FedRAMP-authorized services. [StateRAMP][FedRAMP]
• Mirror DoD-style contract clauses for vendor accountability. [CMMC 2.0 Rule]

DL: How does the current AI race combined with the CMMC 2.0 requirements impact cyber resilience for the SLTT/SLED sectors?  

TL:

• Federal AI EO 14110 (rescinded 2025) and the U.S. Office of Management and Budget guidance still shape expectations. [AI EO 14110]
• Apply 800-171 controls to AI workloads (data, access, logging, IR). [NIST SP 800-171 Rev. 3]
• Demand AI vendor transparency, align contracts with CMMC obligations. [CMMC 2.0 Rule]
• Use MS-ISAC and JCDC for AI-related intel and exercises. [MS-ISAC][JCDC]

DL: What other resources would be helpful for our audience?

TL:

• CISA. State and Local Cybersecurity Grant Program (SLCGP). Retrieved from https://www.cisa.gov/state-and-local-cybersecurity-grant-program
• CISA. Joint Cyber Defense Collaborative (JCDC). Retrieved from https://www.cisa.gov/jcdc
• Center for Internet Security. (n.d.). Multi-State Information Sharing and Analysis Center (MS-ISAC). Retrieved from https://www.cisecurity.org/ms-isac
• Federal Register. (2024, December 26). Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. Retrieved from https://www.federalregister.gov/documents/2024/12/26/2024-28226/cybersecurity-maturity-model-certification-cmmc-20-program
• NIST. (2024). NIST Special Publication 800-171 Revision 3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Retrieved from https://csrc.nist.gov/pubs/sp/800/171/r3/final
• FedRAMP. (n.d.). Federal Risk and Authorization Management Program (FedRAMP). Retrieved from https://www.fedramp.gov/
• The White House. (2023, October 30). Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (EO 14110). Retrieved from https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/