Keynote Speaker · CMMC

CMMC Keynote Speaker for Federal Contractors and the Defense Industrial Base

For federal contractors who need to translate CUI, NIST 800-171, and CMMC requirements into actual compliance programs — not slide decks — before their next assessment.

Sample keynote video
30
Years
200+
Assessments
85
Keynotes
16
Books Published

Why Carl for Your Federal Contractor Audience

CMMC is no longer a future deadline. It's the current operating reality for the defense industrial base, and the gap between what contractors think they're doing and what an assessor will actually find is wider than most leadership teams realize. SSPs that haven't been touched in two years. POA&Ms tracking controls that were never going to be implemented. CUI flowing through systems that were never scoped for it. These aren't hypothetical scenarios — they're the patterns Carl sees in nearly every assessment engagement.

Carl B. Johnson has spent 30 years inside the rules that govern federal contractors. As CISO at Cleared Systems, he leads CMMC, NIST 800-171, and CUI compliance engagements for federal contractors and DIB suppliers, and is the author of multiple books on CMMC 2.0 and CUI for federal contractors. His keynote work is built from active assessment engagements — not training materials, not summary guides, not interpretation of guidance from a distance.

For DIB events, federal contracting summits, and government-contractor conferences, Carl delivers the kind of practical, decision-focused content that actually moves the needle on compliance maturity. The audience leaves not just understanding what CMMC requires, but knowing what to fix this quarter to be ready for assessment.

Available Sessions on CMMC and CUI

Signature Keynote

CUI, NIST 800-171, and CMMC for Federal Contractors

The practical roadmap to CMMC compliance, built from active assessment engagements. Covers the structural difference between Level 1 and Level 2, why most SSPs fail under scrutiny, the POA&M rules contractors are still misunderstanding, and the specific failure patterns auditors are flagging in 2026. Audience walks away with a clear-eyed picture of where their program actually stands and what needs attention before assessment.

Best forDIB summits, federal contractor associations, government contracting conferences Duration45–90 minutes
Executive Briefing

CMMC for the C-Suite: What Leadership Actually Needs to Know

A focused briefing for federal contractor executives, board members, and senior leadership. Cuts through the technical detail to focus on what leadership needs to decide, fund, and oversee — including the realistic cost-and-timeline picture for getting to Level 2 readiness, the contractual implications of failing assessment, and the questions executives should be asking their CIO and CISO this quarter.

Best forFederal contractor executive teams, boards, prime contractor leadership Duration20–30 minutes plus Q&A
Workshop

SSP, POA&M, and CMMC Audit Readiness Workshop

Hands-on session for compliance leads, IT directors, and the people who actually have to produce the artifacts that get assessed. Walks through what an assessment-ready SSP actually looks like, the specific evidence patterns assessors expect, the common POA&M mistakes that disqualify entire control families, and the audit-prep workflow that turns scrambling into a repeatable process.

Best forCompliance, IT, and security leadership in federal contracting organizations Duration3–4 hours

Download the One-Sheet

Get a printable, shareable PDF of this topic — perfect for circulating to your event committee or program chair. Includes the same sessions, audience profile, and FAQs as this page in a 2-page format.

Download CMMC Keynote Speaker One-Sheet

Who This Is For

Audiences serving the federal contracting and defense industrial base ecosystem — the organizations directly affected by CMMC and the people responsible for getting compliance right.

  • Defense industrial base summits
  • Federal contractor associations
  • NDIA, AFCEA, and similar industry events
  • Government contracting conferences
  • Prime contractor leadership offsites
  • Subcontractor compliance forums
  • State and SLED contractor events
  • Cybersecurity events serving the federal market

What Audiences Walk Away With

  • A clear understanding of the difference between CMMC Level 1 and Level 2 — and which one actually applies to their contracts
  • The specific structural elements assessors look for in an SSP and why most SSPs fail
  • The current rules on POA&Ms — what's allowed, what's time-limited, and which controls are not POA&M-eligible at all
  • A practical framework for scoping CUI accurately rather than over- or under-scoping it
  • The realistic cost and timeline picture for getting an unprepared organization to assessment-ready
  • The questions leadership should be asking their compliance team in the 90 days before assessment

Questions DIB and Federal Contractor Organizers Ask

Our audience is mostly small-to-medium contractors. Is the content right for them?
Yes. SMB contractors are where CMMC pressure is most acute — they have the same compliance obligations as primes but rarely the same resources. Carl's content is built specifically for organizations that need to make smart triage decisions on limited budgets, with realistic guidance on what to prioritize first.
Can the talk address Level 1 contractors as well as Level 2?
Yes. Most DIB audiences contain a mix — some contractors only handle FCI, others process CUI. The signature keynote covers both levels and helps audiences understand which level actually applies to their contracts (a question many get wrong).
Is this current as of the latest CMMC rule?
Yes. Because Carl runs active CMMC engagements every week, the content reflects current rule status, current assessor practice, and current DoD guidance — not interpretations from when the program was first announced. The keynote is rebuilt for each event with the latest engagement findings.
Can Carl speak at NDIA, AFCEA, or similar association events?
Yes. These are exactly the audiences Carl speaks to most. Submit the event details and audience profile through the contact form and his team will respond with availability and a tailored proposal.
We need someone who can also handle Q&A from a technical CISO audience.
That's the natural audience for the workshop format and an extended Q&A on the keynote. Carl works in the technical detail every day — SSP structure, control implementation evidence, assessor interpretation patterns — and is comfortable in a CISO-and-engineer audience as well as an executive one.
Does Carl have content specifically for prime contractors managing flow-down?
Yes. Flow-down obligations and managing subcontractor compliance maturity is a recurring theme in his prime-contractor engagements and can be a focus area for keynotes and workshops at events serving primes specifically.

Bring This Talk to Your Event

Submit your event details and Carl's team will respond within one business day with availability and a tailored proposal.

Book Carl to Speak