The Stern Report: Q&A Recap of CMMC Accelerate 2026

Last week, Hypori hosted its third annual CMMC Accelerate conference at Carahsoft headquarters in Virginia, bringing together nearly 500 Defense Industrial Base (DIB) professionals (both in person and virtually) to tackle one of the most pressing compliance challenges facing government contractors today.

The event has evolved significantly since its first iteration three years ago, when just 15 people gathered in a classroom. This year's program, supported by premier sponsors including Summit 7, Carahsoft, AWS, Okta, and Axonius, featured industry-leading expert panels, keynote presentations, and candid discussions about what it really takes to achieve and maintain CMMC Level 2 compliance.  

Following the event, Laura Schwab, Director of Corporate Marketing at Hypori, sat down with Matt Stern, Hypori's Chief Security Officer (CSO), to unpack the biggest lessons, surprises, and strategic shifts emerging from the CMMC landscape. From insurance premium reductions tied to compliance to AI-powered audit acceleration, the conversation reveals how CMMC has moved from "maybe this matters" to "this is the industry standard."

Watch the Full Conversation

Q&A with Matt Stern, CSO at Hypori

Laura Schwab: Hey Matt, thanks for joining me today. I wanted to get some time with you to talk about the CMMC Accelerate event that we hosted last week. It's the third year that we’ve hosted it. If you can first give everyone a little intro of who you are and what you did at the event, and then we'll talk about the major takeaways and things that you learned from attending this year's event.

Matt Stern: Sure, as Laura said, I'm Matt Stern. I'm the Chief Security Officer for Hypori. I’ve been in the cybersecurity business for a very long time—I don't want to say how long because it makes me feel old. Let's see, at the event, I had the esteemed honor and distinction of introducing Flo Groberg, Medal of Honor recipient. He did a great job of talking about why CMMC is important from an operator point of view and from someone who has been at the pointy end of the spear. That was a great intro to the entire event.

Then, I got a chance to talk a little bit about cybersecurity and some things that are near and dear to my heart regarding how the threat will continue to leverage AI to get after our systems. I was also able to host a panel of CMMC experts. It was a really great panel; we discussed a lot of interesting topics and I actually managed to learn something myself at the conference, which we can either discuss now or I can tell you later. It's all up to you.

Laura Schwab: For those that don't know, CMMC Accelerate was hosted at the Carahsoft headquarters last week. We had about 500 people registered, and held this in person as well as virtually. We brought together organizations in the Defense Industrial Base and those looking to understand CMMC compliance and the requirements moving forward. It was a great session. We had multiple different sponsors—thanks again to them. Our premium sponsors include Summit7, Carahsoft, AWS, Okta, and Axonius.

Matt, touch on a little bit of what you learned from this conference. This is our third year hosting; we've grown this from about 15 people in a classroom to almost 500 this year. What were those major takeaways that you learned this year?

Matt Stern: I think the biggest one for me was in the panel session. When you get people with the level of experience that we had on that final panel—which was the capstone of the event—they started discussing how much the CMMC, especially the Level 2 audit and security assessment, is being seen in other parts of the industry.

One of the panel members brought up the fact that insurance companies are now looking at CMMC as the highest standard in cybersecurity. Companies that are gaining the Level 2 audit and compliance certification or validation are taking that to their insurance companies and getting points in their favor. They are meeting extra requirements and going above and beyond a normal SOC 2 audit or other standards. Insurance companies are reducing premiums because of this. There are benefits to doing this that I hadn't recognized. I think it's going to become the de facto standard in the industry writ large. Even people that aren't in the Defense Industrial Base and don't normally do business with the government can benefit from the audit.

I just thought it was really interesting that they're starting to see that trend from the MSP side where we don't necessarily get that same visibility. That was a big thing for me. Then, obviously, meeting new vendors and talking to people—it's a great way to talk to folks going through the same experience and learn lessons that you may not pick up in another venue. I think that was key for the event: being able to get across the intangibles and the unknowns—the things that aren't directly in an audit or published. You can definitely learn from those little nuances to help you pass your audit.

Laura Schwab: That totally makes sense. It sounds like some folks who didn't have CMMC on their radar should put it there because of those additional benefits. Regarding the audience, what would you say the level of CMMC readiness was?

Matt Stern: I've been doing the CMMC thing for a while and had it on our radar. We've gone through the same level of scrutiny as everybody else. What I determined from the audience is that we are now at a point where, if a couple of years ago people were just trying to figure out if they needed to do it or what the minimum standard was, everybody now recognizes that this is real. It's here; it’s not a "maybe" anymore.

We aren't getting questions about that anymore. In the past, events would have been about whether it would really become a rule or how it would affect them. That's gone now. Now we're concentrating on the audit itself: the dos and don'ts, and how to have the minimal impact on your organization while maximizing the effects. The audience was primed to ask questions relevant to lessons learned and the "gotchas" in an audit. Our event has evolved, and the folks there definitely have a different focus than in years past.

Laura Schwab: That makes sense. You touched on where we were before and leading up to now. Where do you see things going in the future, especially in the next six months?

Matt Stern: Right now, everybody is trying to get their audits done. The C3PAOs (Third Party Assessment Organizations) are racking and stacking on a first-come, first-served basis, so you have to get in their queue. Internally, a company has to make sure that everybody is involved and part of the security team.

You have to be prepared and ensure you have the right documentation. We've learned that things we thought we documented correctly can be interpreted differently when you get in front of an auditor who isn't living in your environment every day. The more descriptive you can be in the actual documentation, the easier it is for them. Those are the nuances people are picking up on as we move forward in the CMMC journey. It’s a journey, not "fire and forget." You have to maintain it, prove you're maintaining the standards, and then you get audited again.

The other big impact people are recognizing is that if you want to do business in the DOD, this is it. If you're not doing this, you're not going to do business with the Department of Defense.

Laura Schwab: Did you hear anything at this year's event that reinforced your perspective on where the market is heading?

Matt Stern: I think one of the really interesting conversations between Okta, Axonius, and Summit 7 was how we automate and use AI to our advantage. My talk was about how AI is being used against us, but we also discussed how to use AI to speed up this process. There are indicators that we can go faster in getting security controls documented and implemented in your infrastructure using AI.

There are a lot more tools coming on board to help facilitate that. You might invest in a tool that helps you get there faster or helps you monitor your compliance. I know we have partners that are using AI to that effect. That is a bright spot: using AI to our advantage to gain and maintain compliance.

Laura Schwab: I completely agree. Looking to the future, what's something you're hoping to see from the community by the time we're back for next year's event?

Matt Stern: Again, I think the most useful part of our event was seeing people share more lessons learned and "how to be successful" as they gain their Level 2 or Level 3 certifications. As a CISO, we have a lot of requirements levied on us. We get into discussions about whether we have to give up something to maintain these contracts. How do we afford a capability? What does it replace? Do I need to hire more people?

Those lessons are very beneficial, and we did a good job starting that conversation. Next year, I would love to see a continuation of those success stories and how to minimize impact so that it doesn't break the bank or expend resources needed elsewhere. As a CISO, you recognize you're often a cost center, not a profit center.

Laura Schwab: You just touched on how we at Hypori leverage our partners for our CMMC compliance. Is there a benefit to CMMC Accelerate from an audience perspective in having those vendors there?

Matt Stern: Absolutely. You could say it's got my thumbprint on it and I've approved these vendors, but more importantly, it's a great place for folks who want to learn how to successfully pass their audit. It’s an opportunity to connect customers with vetted, legitimate vendors who know what they're doing.

There are organizations like Summit 7, Coalfire, and Kratos that have great reputations. Axonius is a great vendor, and we’ve been using Okta for years as an identity management tool. We're vetting the vendors to make sure that if you come to our event, you're not going to be inundated with people who don't know what they're doing. It’s a place to identify vendors that will help with security controls, advisory services, or the audit itself.

I would love for us to grow our vendor pool. At the end of the day, we're protecting the information and technical capabilities we give to our warfighters. We need to take that seriously. I can't thank Carahsoft enough for providing the facility; it’s a great location and a really nice space.

Laura Schwab: We're definitely going to be opening it up to more sponsorships and speakers for next year. This is really a forum for others to share their knowledge. We are also taking "call for papers" for 2027. If you're interested in speaking or getting involved, it's the event for you.

Matt, if attendees walked away and could only act on one or two things immediately, what would you recommend they prioritize?

Matt Stern: You've got to get your audit done and get it right. I can't emphasize enough the importance of pre-assessment audits. You want to enter the actual audit knowing you're ready and not misinterpreting a rule. You can't guess; you have to be certain. Whether you call it a mock audit or a pre-assessment, don't leave anything to guesswork.

Second, CISOs need to make sure they don't blindly take whatever the auditor says as gospel. Sometimes you have to push back if they add requirements that aren't there. If the standard says a password is good and you've met that requirement, ask them to show you in writing where it says you have to do something different. Compliance is about meeting the standard. It's great to exceed it, but in an audit, it needs to be a binary equation and less open to interpretation.

Laura Schwab: Time is definitely of the essence. We have a lot happening in the next couple of months and are looking forward to next year's event, tentatively scheduled for April 13th, 2027, likely back at Carahsoft headquarters.

If you want to view the sessions or slides from this year, or find out more about the 2027 event, click this link. Thanks, Matt, for walking through your biggest takeaways. We're already looking forward to next year.

The Bottom Line

CMMC compliance has officially graduated from speculation to operational reality. As Matt emphasized throughout the conversation, the shift is undeniable: organizations are no longer asking if they need CMMC—they're executing on how to pass the audit, maintain compliance, and minimize business disruption in the process.

Three insights from CMMC Accelerate 2026 stand out as particularly actionable for DIB organizations navigating the compliance journey:

CMMC is becoming the gold standard beyond defense. Insurance companies are recognizing CMMC 2.0 as a benchmark that exceeds SOC 2 and other compliance frameworks, offering premium reductions for certified organizations. If you're not in the DIB but handle sensitive data, CMMC may still be worth pursuing as a competitive differentiator and risk mitigation strategy.

Documentation clarity is make-or-break. Auditors don't live in your environment. What seems obvious internally can be interpreted entirely differently during an assessment. Pre-assessment audits aren't optional. They're the difference between passing on the first attempt and costly delays.

AI is accelerating both sides of the equation. While threat actors leverage AI to attack systems, organizations can use it to document security controls, monitor compliance posture, and streamline audit preparation. The vendors and tools entering this space are game-changers for resource-constrained security teams.

Want to see how Hypori simplifies mobile CUI compliance? Our virtual workspace keeps sensitive data off end-user devices entirely, reducing your CMMC audit scope and eliminating the mobile security gaps that trip up most DIB contractors. Request a demo.

‍