Welcome to The Illumenati. We're not here for compliance theater. We're here for the real talk: what's actually happening in GRC, why most organizations are doing it wrong, and how to engineer your way out of the madness.
This month: CMMC 2.0 went live, and 99.5% of contractors aren't ready. Plus, the tool that'll save your sanity during access reviews.
> INTEL DROP: What Happened This Week
CMMC 2.0 Officially Launches – But Is the DIB Ready?
AI Governance Certifications Accelerate
SOC 2 Compliance Momentum
> ANALYSIS: The CMMC Denial Era Is Over
After six years of delays, false starts, and an industry-wide "maybe it won't actually happen" mentality, CMMC 2.0 went live on November 10, 2025 – two days before this issue went out. The Defense Federal Acquisition Regulation Supplement (DFARS) amendment now requires all new DoD contracts to include CMMC requirements.
No more kicking the can. No more "we'll deal with it later." The denial era is officially over. Are you ready? Check out our Readiness guide to see where you are in the process.
The Uncomfortable Truth: Nobody's Ready
Let's be brutally honest about the numbers:
Think about that for a moment. The DoD estimates that roughly 37% of contractors (about 30,000 organizations) will need Level 2 certification, but only 431 have it. That's not a readiness gap – that's a readiness canyon.
Why the Massive Unpreparedness?
Several factors created this perfect storm:
1. The "Boy Who Cried Wolf" Effect
CMMC has been "coming soon" since 2019. After years of delays and revisions from CMMC 1.0 to 2.0, many contractors adopted a "wait-and-see" mentality. Some even convinced themselves it would never actually happen. Surprise: it happened.
2. Complexity Fatigue
CMMC Level 2 requires full implementation of all 110 controls from NIST SP 800-171 Rev 2. For small and medium businesses without dedicated cybersecurity staff, this is overwhelming. It's not just about buying some software – it requires policy development, technical implementation, training, and continuous monitoring.
3. Cost and Resource Constraints
Third-party assessments by a C3PAO (CMMC Third-Party Assessment Organization) aren't cheap. Combined with the cost of implementing controls, documentation, and potential infrastructure changes, many SMBs have been paralyzed by sticker shock.
4. The "It's Already Required" Confusion
Here's where it gets interesting: NIST 800-171 has been mandatory since the DFARS 7012 clause was included in DoD contracts back in December 2017. CMMC doesn't create new security requirements for Level 2 – it just adds verification through assessment. Many contractors thought they were compliant because they checked a box, but never actually implemented the controls properly.
What This Means for Your Business
If you're a DoD contractor:
The DoD isn't offering a grace period. If you're bidding on contracts with CMMC requirements and don't have your certification, you're not eligible. Period.
The silver lining? The three-year phased rollout gives you time – but only if you start now. The average preparation timeline is 6-12 months, and that's assuming you don't have major control gaps. Need help? Feel free to check out Illumen.io for more information on how we can guide you on your CMMC journey.
Our Take: Automation Is Your Survival Strategy
Here's what separates the 0.5% who are certified from the 99.5% who aren't: they systematized their compliance. They didn't just implement controls – they built processes that make compliance continuous and verifiable.
For SMBs, this means embracing GRC engineering principles:
The good news? You don't need a computer science degree or a massive budget to do this. You need the right tools and the right approach, which brings us to...
> Tech Rituals
Automated Access Review: Breaking the Quarterly Curse
In the realm of digital defense, we recognize that true security requires more than just reacting to threats; it demands Deep Sight. You already know the Ancient Mandates—the foundational requirements of CMMC, SOC 2, and ISO 27001—that compel us to conduct thorough User Access Reviews. Every framework demands it. Every auditor asks for it.
For those outside our circle, this essential defense task remains a time-sink: a mundane, painful Quarterly Trial.
You know the outdated method:
This manual process is what separates the merely compliant from the truly secure. But we are here to provide Illumination. We have uncovered a superior method to complete this essential Access Ritual, leveraging a powerful, open-source tool that turns weeks of chasing into a few simple queries.
Introducing Steampipe: SQL for Your Cloud Services
Steampipe is an open-source tool that lets you query your cloud services, SaaS apps, and APIs using plain SQL. No custom scripts, no API gymnastics – just SQL queries against live infrastructure.
Think of it as a universal adapter that turns all your cloud services into a queryable database.
Why This Matters for Compliance
Instead of manually logging into each service, you can write SQL queries like:
```sql
-- Get all users across Google Workspace, AWS, and GitHub.
-- Each branch of the UNION ALL must return the same column types, so the
-- boolean admin flags are cast to text to line up with the 'N/A' literal,
-- and "user" is quoted because it is a reserved word in Postgres.
SELECT
  'Google Workspace' AS source,
  primary_email      AS "user",
  is_admin::text     AS is_admin,
  last_login_time    AS last_activity
FROM googleworkspace_user
WHERE suspended = false
UNION ALL
SELECT
  'AWS'              AS source,
  user_name          AS "user",
  'N/A'              AS is_admin,
  password_last_used AS last_activity
FROM aws_iam_user
WHERE password_enabled = true
UNION ALL
SELECT
  'GitHub'           AS source,
  login              AS "user",
  site_admin::text   AS is_admin,
  updated_at         AS last_activity
FROM github_organization_member;
```

One query. All your user data. Updated in real-time.
Real-World Use Case: Automated Quarterly Access Reviews
Here's how an SMB can implement automated access reviews:
1. Install Steampipe (5 minutes)
```shell
# macOS/Linux
brew install steampipe
# Or use Docker
docker run -it steampipe/steampipe
```
2. Install Plugins for Your Services (2 minutes)
```shell
steampipe plugin install aws
steampipe plugin install googleworkspace
steampipe plugin install github
steampipe plugin install azure
steampipe plugin install okta
```
3. Configure Credentials
Steampipe uses the same credentials you already have (AWS credentials, Google service accounts, etc.). No new security holes to poke in your infrastructure.
4. Create Access Review Queries
Save this as access_review.sql:
```sql
-- Users who haven't logged in for 90+ days.
-- Postgres cannot filter on a column alias in WHERE, and NOW() - timestamp
-- yields an interval, so the filter compares against INTERVAL '90 days'.
-- Accounts with no recorded activity produce NULL, which a plain ">"
-- comparison would silently drop, so they are kept and listed first.
WITH all_users AS (
  -- Add your service queries here, returning the columns
  -- source, user_email, last_activity, admin_status
)
SELECT
  source,
  user_email,
  last_activity,
  EXTRACT(DAY FROM NOW() - last_activity) AS days_inactive,
  admin_status
FROM all_users
WHERE last_activity IS NULL
   OR NOW() - last_activity > INTERVAL '90 days'
ORDER BY days_inactive DESC NULLS FIRST;
```
5. Schedule and Export
```shell
# Run quarterly and export to CSV for manager review
steampipe query access_review.sql --output csv > access_review_q4_2025.csv
```
What This Solves
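To show the whole review pattern end to end (normalize every identity source to one column shape, compute days since last activity, filter, and keep the never-logged-in accounts a naive comparison would drop), here is an added, runnable example that is not from the newsletter or from the Steampipe project. It uses SQLite in place of Steampipe's embedded Postgres, so the date arithmetic is SQLite's `julianday`; the table and column names imitate Steampipe's `googleworkspace_user` and `aws_iam_credential_report` tables (an assumption), and every row is constructed sample data.

```python
"""Access-review query pattern (UNION across identity sources, then an
inactivity filter) run against constructed sample tables in SQLite.
SQLite stands in here for Steampipe's embedded Postgres; table and column
names mimic the Steampipe googleworkspace_user and aws_iam_credential_report
tables (an assumption), but every row is constructed sample data."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2025, 11, 12, tzinfo=timezone.utc)


def _days_ago(days):
    """Timestamp string for NOW minus the given number of days."""
    return (NOW - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample tables: (schema, rows). Booleans are 0/1 in SQLite.
SAMPLE_TABLES = {
    "googleworkspace_user": (
        "primary_email TEXT, is_admin INTEGER, suspended INTEGER, last_login_time TEXT",
        [
            ("alice@example.com", 1, 0, _days_ago(3)),
            ("bob@example.com", 0, 0, _days_ago(120)),
            ("carol@example.com", 0, 0, None),           # never logged in
            ("dave@example.com", 1, 1, _days_ago(200)),  # suspended: out of scope
        ],
    ),
    "aws_iam_credential_report": (
        "user_name TEXT, password_enabled INTEGER, password_last_used TEXT",
        [
            ("alice", 1, _days_ago(10)),
            ("legacy-deploy", 1, _days_ago(400)),
            ("svc-ci", 0, None),                         # no console password: out of scope
        ],
    ),
}

# The review query. Step 1 normalises each source to the same column shape,
# step 2 computes days since last activity, step 3 filters. A user with no
# recorded activity gets NULL, which a plain "> 90" comparison would drop,
# so such accounts are kept explicitly and listed first.
REVIEW_SQL = """
WITH all_users AS (
    SELECT 'Google Workspace' AS source,
           primary_email      AS user_id,
           is_admin           AS is_admin,
           last_login_time    AS last_activity
    FROM googleworkspace_user
    WHERE suspended = 0
    UNION ALL
    SELECT 'AWS', user_name, NULL, password_last_used
    FROM aws_iam_credential_report
    WHERE password_enabled = 1
),
scored AS (
    SELECT source, user_id, is_admin, last_activity,
           CASE WHEN last_activity IS NULL THEN NULL
                ELSE CAST(julianday(:now) - julianday(last_activity) AS INTEGER)
           END AS days_inactive
    FROM all_users
)
SELECT source, user_id, is_admin, last_activity, days_inactive
FROM scored
WHERE days_inactive IS NULL OR days_inactive > :threshold
ORDER BY days_inactive IS NOT NULL, days_inactive DESC
"""


def build_db():
    """Create an in-memory database populated with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    for table, (schema, rows) in SAMPLE_TABLES.items():
        conn.execute(f"CREATE TABLE {table} ({schema})")
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def stale_accounts(conn, threshold_days=90):
    """Return review findings as dicts, never-logged-in accounts first."""
    params = {"now": NOW.strftime("%Y-%m-%d %H:%M:%S"), "threshold": threshold_days}
    cur = conn.execute(REVIEW_SQL, params)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for finding in stale_accounts(build_db()):
        print(finding)
```

Against Steampipe's real Postgres engine the only parts that change are the date arithmetic (`NOW() - last_activity > INTERVAL '90 days'`) and the boolean literals (`true`/`false` instead of `1`/`0`); the normalisation-then-filter structure and the NULL handling for accounts with no recorded activity carry over unchanged.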
Beyond Access Reviews
Once you have Steampipe set up, you can use it for tons of other compliance checks:
Cost: $0
Steampipe is completely free and open source. No per-user licensing, no enterprise upsells. Just install it and go.
Getting Started Resources
> The Bottom Line
CMMC 2.0 is here, and the compliance bar just got real. Whether you're dealing with CMMC, SOC 2, ISO 27001, or all of the above, the path forward is clear: automate the repetitive work so you can focus on actual security.
Tools like Steampipe represent the future of GRC engineering – taking manual, spreadsheet-driven compliance processes and turning them into code. It's not about replacing your vCISO or compliance team; it's about giving them superpowers.
Start small. Pick one painful compliance task (we recommend access reviews). Automate it. Document it. Then move to the next one. Before you know it, your quarterly audit prep goes from "all hands on deck for three weeks" to "run the scripts and review the outputs."
That's the difference between doing compliance and engineering compliance.