A
Alrighty, folks, it is the last show of 2025. It's time for the most accurate CMMC prediction podcast on the Internet. Because we're the only podcast that does an annual prediction show. We were pretty accurate for our predictions in 2025, and we've got a bunch of spicy ones coming up for 2026. That's what we're going to talk about in this week's episode.
B
Yeah, when you came out and you said that we were the most accurate show that there was, you didn't tell me that we were the only show that does this. So here I was thinking I was going to introduce myself as Sprouse Radamus or something like that. Right? Where I was just going to be able to predict the CMMC future, which, by the way, I've done twice. Not throwing that out there. But when you tell me we're the only show, I'm like, well, this might not be good. But then I look at the numbers. The numbers aren't, aren't that bad.
A
I don't know if we actually are the only show, but we are the most accurate because for our 2025 predictions, we were 71% accurate. And that's good enough to pass your final exam and get called doctor or whatever professional licensing certification you needed. So it's close enough for government work. Let's review what we predicted for 2025 and then we'll get into our predictions for 2026. Okay, so this time in 2024, a year ago, we predicted seven things and most of them came to pass. Hey, what do you know? Right? What do you know? Okay, so first off, we said that we will hear about a False Claims Act case against a small business of less than 100 employees. This turned out to be correct. We actually saw multiple False Claims Act settlements against small businesses. We saw multiple False Claims Act settlements against large businesses, all on the grounds that they were non-compliant with the terms of DFARS clause 252.204-7012. Way back in 2021, the Department of Justice launched their Cyber Civil Fraud Initiative. That program has not been derailed. That program has not been changed. That program has been doubled down on by the Department of Justice. We've been hearing for a long time that we have a ton of these False Claims Act settlements in the queue. And so we started to see those trickle through as actual settlements in 2025. And there were multiple False Claims Act settlements against small businesses. Whistleblowers got paid. There were fines that were over a million dollars. We were absolutely correct on this one.
B
Yeah. We just saw that 2024, or 2025, was the year in which they were injecting the awareness of these requirements. So more small businesses were becoming aware that these things were required, which means that more people had the ability to blow the whistle. It was a given that this was going to happen.
A
Yeah. Yeah, absolutely. All right. So something we weren't right about that I was actually very surprised did not happen: the DFARS 252.204-7012 proposed rule we thought was going to be published in 2025, and it was not. We have no indication that they've started rulemaking on revising DFARS 7012. Remember, DFARS 7012 rulemaking is not done by the DoD CIO's office, who does CMMC rulemaking. DFARS 7012 rulemaking is done by the Under Secretary for Acquisition and Sustainment. And they don't get out much. They don't do very many webinars. They just kind of do their own thing. They've been saying for a while through their unified agenda that it's on the docket for them to revise the rule. The last time they revised the rule is now 10 years ago. So it's definitely due for some revisions. And they didn't publish the proposed rule, and it doesn't look like they're going to do that anytime soon.
B
Yeah. I don't know what exactly is holding this up. I'd like to naively think that it was something to do with maybe a shutdown or a change in administration or anything like that. I don't know. It needs to happen. I thought it was definitely going to happen.
A
Yeah.
B
It didn't happen.
A
We had a smaller prediction sort of nested under this that, you know, they were going to specify 800-171 Rev 2, which is what I thought, or they were going to specify 800-171 Rev 3. That doesn't really matter because they never published the rule. So we won't count that one as a loss. We're just going to move on to the next prediction.
B
As they say in gambling, if one of the bets doesn't hit in the parlay, the parlay didn't hit. Right.
A
And there you go. That is what they say. All right, moving on to another prediction that we had that we were also not correct about: FedRAMP equivalency will go away via 7012 rulemaking. Right. So at the very beginning of 2025, the DoD published the infamous FedRAMP equivalency memo that clarified what they mean by the term "FedRAMP equivalency." And not only did it turn out that equivalency actually does mean "the same as," but you have to do basically everything that you have to do for FedRAMP, up to paying a C3PAO to run through your FedRAMP assessment. It's very involved. There's a lot of stuff. In many ways it's more intense than the actual FedRAMP process itself. It's debatable whether it's less expensive. I'd say in many ways we thought that was going to go away because it's an open secret that the DoD does not like the language in DFARS 7012 that says you have to use FedRAMP Moderate or equivalent services when you put their CUI in the cloud. But the 7012 rule never got revised, never got published, never went into effect. And so FedRAMP equivalency is still in 7012. The memo is still in effect. We were not correct about this prediction.
B
Yeah. And then we even tried to put a safety bet in place. Right. And say that even if it was in place, Jacob, there would be zero solutions that would be able to meet it. This is the worst parlay in the parlay of 7012 rulemaking history because we missed every single leg. And yeah, we openly admit it.
A
Right. Yep. We were wrong about that. That's all the bad news. Let's talk about all the things that we got correct in addition to that.
B
So get it all out of the way first.
A
Yeah, we got all that stuff out of the way. Yeah. Yeah. Anyways, more about why we were right. The DoD Inspector General audit of the C3PAO accreditation process will be a big nothing burger is what we said going into 2025. And we were correct. It was such a nothing burger that we did a four-part episode going through every single page of the IG report. Because as much as I love reading IG reports, if you only read their summaries, it makes everything sound really bad all the time. That's their business model. So you have to read the whole thing. This was a small debate, I think, for a little while on LinkedIn and social media. So we released a four-part episode series. If you're really interested in how much of a nothing burger this process was, check out the episodes, or we'll add the link to the IG report down below. It didn't turn out to be a thing that would derail the program and blow it all up and stop it in its tracks, as some other people out there predicted. It didn't turn out to be anything at all.
B
You know, you're always happy when you're right, but this is one of those instances where you're extra happy that you're right because it proves that there's nothing wrong going on.
A
Right.
B
So like, this was one of those things that was needed for the program to move forward, for people to put some of that bad news to bed.
A
Right? Yeah. Probably the easiest prediction out of all of them, where any of the ones that people were like, this is gonna kill CMMC, and we're like, no, it's not. Yeah. Anyways, next prediction that we were also correct about: we said the DoD will publish the 32 CFR final rule before the election. And this was true. We ended up getting the rule published in October. In December it went into effect. And then we waited through 2025 for the 48 CFR rule to come out. All the rulemaking got tidied up. Everything got published ahead of time. Everything went into effect. We're now in the phased rollout as we're talking about this at the end of 2025. Rulemaking didn't get derailed. It was a multi-year-long process for many reasons, and it just sort of chugged along and got done. So people who were betting on rulemaking not happening, that was a bad bet. We turned out to be correct about this.
B
I think at the time that we made these predictions, there were things that were happening within the industry that we were able to see, and we were like, you know, this signals that this is going to move a little bit faster than we think it's going to.
A
Yeah.
B
And we were able to kind of confidently put that confidence meter to, like, 10 on that prediction right there. And I'm glad again that one went through the way it went. Yeah.
A
There was a lot of uncertainty around the election and the rhetoric around the election. Now that the smoke has cleared and we're, you know, a year away from it, it turns out everything that was happening before it is still happening just like it was. And it was all talk. So here we go. All right, next prediction, wrapping up here. This was our sixth one out of seven. The FAR CUI proposed rule will be published is what we predicted. And we got it. In January of 2025, we got the FAR CUI proposed rule. This is the rule that makes 800-171 a requirement for all federal contractors. It doesn't really change anything for defense contractors. Most importantly, it standardizes a GSA form that indicates whether or not controlled unclassified information is included in the work that you will be doing on the contract or subcontract. That is a very helpful thing for everybody. We got the proposed rule a decade after we were supposed to, and so, yeah, we were correct. We were able to see that. I think that with the election and all the stuff that was going on with the rulemaking and all the craziness that was happening at the beginning of the year, not a lot of people actually knew that the FAR CUI rule got published. There were very few public comments on the rule, especially compared to the CMMC final rules. But yeah, we were correct about this. We did get the proposed rule.
B
Yeah. I think that the only thing I want to add to that is that with this one getting published, we hope that we're not taking stabs in the dark for the next couple of years as to when we see it finalized.
A
Right. Like, oh yeah, I can't imagine that would be on the prediction list for next year.
B
Yeah, like.
A
All right, last prediction from last year's prediction show: the final version of NIST SP 800-172 Revision 3 will increase by more than 25%. This is correct. The number of requirements for SP 800-171 Revision 3 and SP 800-172 Revision 3 all increased dramatically. We had a whole series of episodes over the course of many months tracking this revision process. We had Ron Ross on the show. We'll link those below if you're curious. It's going to be a while before the CMMC program is updated to point to those new revised versions of the NIST requirements. But the only way that this thing changes in the future is for your requirements to increase. Because if you've been following the show for a long time, if you've been following CMMC and DFARS cyber requirements for a long time, you know that back in the day they took the original NIST requirements out of 800-53 and absolutely shredded them down to the bone to make them as small and as open-ended as possible. That turned out to backfire as a policy, and it turns out that most people need very specific and detailed instructions about what the government wants you to do. And that means the government is going to be adding details back into those requirements, in addition to adding any new requirements that are needed for, you know, cybersecurity. And so as we move forward over the years, those requirements will only continue to increase the size of the baselines over and over again. This turned out to be true as well.
B
Yeah. And what we've learned is that the 172 revisions are often things that we learn from experiences that happen. Right. What could have prevented this particular breach? What could have prevented this and that? And where can we put the control? And these are the enhancements that are placed in 172. Obviously. That's why you see a lot of dual authentication with a lot of the breaches that we've had to experience over the past couple of years. So this was an easy one. It was essentially because it was only like 35 controls to begin with. So like, to get 25% we only needed a small number. But yeah, we got it. We did it again. We did it again, folks.
A
Yeah, we did a great job. There was a bonus prediction at the end of that episode where you were saying you think there'll be a major cyber incident involving critical infrastructure that involves the use of AI. This turned out, depending on how you, you know, define critical infrastructure. There's been, you know, a bunch of these hacks of, like, AI systems, AI databases, the LLM models. I think it was Anthropic that experienced it. They put out this big report about how they got attacked using AI stuff. It's hard to discern at the end of 2025 whether people are just labeling everything AI or whether it was legitimate AI. I'll call this one correct.
B
Yeah. So for me, like, I don't want to. Can I get half credit for my bonus? Right, because the half credit is, yeah, I agree with all the things that you put forward, but I think that the biggest epidemic that's being experienced within critical infrastructure is the deepfakes that are coming from AI. Right. These AI-generated interview deepfakes of people trying to infiltrate from within. Right. And I think that that is one of the biggest things that's being combated within critical infrastructure right now.
A
Yeah. Don't support Clank or Slop, everybody. Like and subscribe for more organic, free-range, 100% natural human thoughts here on our podcast about what's going on. All right, on that note, let's move into what we think is going to happen for 2026. We've got seven things that are going to happen in 2026. We're feeling real confident. We're two years in a row of the majority of our predictions actually being correct. So take that for what you will. All right, first up, there will be at least 1,000 CMMC Level 2 certifications by the end of March of 2026, and there will be at least 2,500 CMMC Level 2 certifications by the end of the year.
B
So, we did so well last year.
A
You seem not confident.
B
Listen, I think that we're moving in the right direction. I think the progress, if we worked with the law of averages and the way that things are going with the productivity increase in the output of certifications that's happening every single month, I think this is very realistic.
A
Over/under 1,000 certs by the end of March?
B
I think under. Because of the number that we're at right now and because of the time, do I think that we'll get over?
A
Under 2,500 by the end of 2026? I think push. Okay, let us know what you think in the 2501. I was gonna say 1,500 by the end of March, but I dialed it back.
B
I think it's realistic because I think we're going to see things absolutely rev up. I think we're going to see more requirements and solicitations, things like that. The issue that I see is that you're talking about by the end of March. Here we are just hitting January, and I don't know, that's a lot. That's short.
A
We're coming up on 700, 704 here at the end of the year. So I don't think it's a stretch to say 1,000. I'm very confident we'll hit at least a thousand by March.
B
And they did 60. What did they do? 65 last month, right? They just reported 65. So, yeah, yeah, I think you might be right. I'll go over. I'll go over.
A
All right, there we go.
B
You want me? I'll go over.
A
There we go. There we go. Let us know in the comments if you think it's going to be by more than a thousand.
B
So you're a pretty persuasive fellow, you know that?
A
Well, thanks.
B
I scribed, I tried.
A
This is not a math podcast, so I could be completely wrong, but I'm gonna say one thing.
B
Thank God. The ratings would be terrible.
A
All right, second prediction, that we're fully confident, 100% sure, will happen. There will be at least a dozen False Claims Act settlements with defense contractors over non-compliance with DFARS cybersecurity requirements. There were five in 2025. We think that's going to at least double to a dozen, or more than double, in 2026. What do you think, over/under 12 FCA settlements with contractors? More. More than 12. All righty. Well, we think there will be at least 12. We've been hearing for a long time that there are tons and tons of these things in the queue, but they take a long time for the settlements to finalize and then get published. We think that's going to change; it should accelerate and take less time as time goes on. We saw five of them in 2025, and every time they came out, they were definitely the highest-performing posts and episodes through the year. So it definitely gets people's attention. Definitely freaks people out. So not trying to scare anybody, but it is true that there are companies of all sizes that are getting hammered for $800,000 here, $1.75 million there, $4 million over here throughout the year. There's going to be at least 12 of them. You know, maybe we'll do an episode a month. I don't even know. We might have to do a roll-up show depending on how many of these come out. And the majority of those 12 False Claims Act settlements will include seven-figure penalties. What do you think?
B
I don't know, because I can't predict the penalties. Right. So it's tough, right? You're like, oh my God, every single bit of evidence that they presented in this allegation makes me feel like these people should be sent to the woodshed. Right. And then it's like, oh, okay, well, this is what the penalty is. Yeah, seven figures.
A
The penalties are based on the value of the contracts. Right. So we've seen some companies get relatively small penalties because they got hammered over a couple of purchases.
B
Well, up to a percentage of the value of those contracts. Right. It doesn't have to be that full potential. It's somewhere within that threshold. Right.
A
It can sometimes be up to triple the value of the contract. So you could have one company with one contract get hammered for a million dollars even though they only had one thing that they were not.
B
And so are you saying simple majority, or?
A
Let's go with at least half. Over or under?
B
Okay, over.
A
All right, here we go. There you go, everybody. What do you think? Do you think that there's going to be 12, more, fewer? Do you think they're going to be small penalties, big penalties? What do you think? All right, number three here. There will be no major funding appropriations to help offset the cost of DFARS 7012 or the cost of CMMC assessment in 2026. There will be no money. There will be no tree to shake. There will be no, you know, Brink's truck backing up to every small business in the defense industrial base. Help is not coming. There will be no major funding appropriation. What do you think?
B
I agree. 100%.
A
Yeah. The FY26 NDAA just got signed. There are no dollars in that bill for any of this. There never have been. We don't anticipate that there probably ever will be. There were rumors for a while that there was legislation around tax incentives for cybersecurity compliance. Sadly, that effort seemed to go away when Bob Metzger unfortunately passed away. He was sort of the flag bearer for that effort. Cyber costs are part of your overhead. They are reflected in your rates. They are allowable costs. This has been the DoD's position through cyber rulemaking since 2011. And that policy hasn't changed. Until appropriators give them the correct color of money to offset the cost. There is no money. And there doesn't appear to be any appetite for coloring the money correctly anytime soon.
B
Yeah, there's just no writing on the wall that says that the help is coming. And even when you're asking people in the higher positions, like, is there money coming? They're like, we'll look into it. Or, here's Project Spectrum.
A
Right. Right now, going to the DoD and being like, where's my money? isn't the proper place to go. Right, that's the Wendy's drive-up window. They only have the money if it gets appropriated correctly. So you have to go to the people in Congress who appropriate the money, and remember, it was their idea to come up with CMMC in the first place. So I just don't think it's going to happen in 2026.
B
It's definitely the government. It's not one of those things where we just go, okay, well, yeah, we've got money lying around, let's go grab this and take care of this. That's not how it goes. It has to go into a budget. It has to be planned out, and it's not in the plan.
A
So now, depending on how the FY27 NDAA process goes, maybe your prediction for 2027 will say that there's going to be some funding, but I don't think there's going to be funding in 2026.
B
Well, at least we won't go 0 for 7 this year.
A
Yeah. So number four, the FAR CUI rule will be published. The final rule will be published and go into effect before the end of the year in 2026. So remember, we said the proposed rule was published in January of 2025. It was derailed by the Revolutionary FAR Overhaul process. That's a whole other can of worms. It sidetracked the final rule all year. That process is now coming to a wrap at the end of 2025. So there shouldn't be any major blockers for the FAR CUI final rule. Remember, this makes the 800-171 baseline the requirement for all federal contractors handling CUI. It doesn't change any requirements for defense contractors. It leaves third-party versus self-assessment decisions up to the individual agencies, which opens the door for the Department of Energy, GSA, NASA to require CMMC certification through the third-party process in certain situations. Probably the most important part is it standardizes that GSA form that clearly indicates this work will include CUI, which is going to be very helpful for everybody. We've been waiting on this thing for over a decade. It would be very nice to see. Come on, everybody, hope with me. It's going to happen. It's going to go into effect by the end of 2026. Right?
B
I can't be everybody, and I can't hope with you. And here's the thing. For this, I want to be wrong. Right. I want to be right for the reasons of being wrong, or however you want to put it. I just don't think it's happening. Are we sitting in this show maybe this time next year talking about how we're on the cusp of all of this happening? Yes. 100%. Has it happened? I don't think so. I'm gonna go against you, bud. Sorry.
A
Nonsense. Tenth time's the charm. Rulemaking is an easy thing to predict. It's gonna happen next year. My delusion as well is a well-oiled machine because I've been a Chargers fan my entire life.
B
Speaking it into existence, my guy.
A
There we go. There we go. We're gonna manifest it. All right. Well, speaking of easy rulemaking predictions, number five, the CMMC 3.0 proposed rule will be published before Halloween. This is the revision to 32 CFR 170. This is the program itself. This would update the CMMC program to use 800-171 Rev. 3 and 800-172 Rev. 3 instead of the current versions, 171 Rev. 2 and just the standard 800-172. This would update to say you have to use the DoD's definitions for 800-171 Rev. 3 organizationally defined parameters, which they published earlier in 2025. Interestingly, the 48 CFR rule, the actual contract clause rule, wouldn't need a corresponding update because it just points to 32 CFR as it's codified in the Code of Federal Regulations. So I think that the CMMC 3.0 rule, the proposed rule, will be published before Halloween. They already started working on this rulemaking in 2025. Word is that they're pretty far along. What do you think?
B
So they've done Christmas, they've done Thanksgiving.
A
Right.
B
And so, working back the pattern. Right. And we know that Halloween is your favorite holiday.
A
It is true.
B
And so, to protect this friendship that we have going here, I'm going to jump on board with you. And I think this is going to happen. We know that this is progressing along. We know that they were already working on it, and we know they like to move really, really fast and don't.
A
Yeah.
B
With their hands. Right.
A
This rule should take less time because they're not creating it from scratch, they're just revising it. So.
B
And plugging in ODPs that already exist.
A
Right, right. Yeah. The guidance is already out there, so I don't think it's going to take that long. Definitely before Halloween. Trick or treat, everybody. You're going to get the revision, which is why it's going to pay off to get your CMMC cert before that goes into effect, because then you won't have to deal with any of the changes for many years.
B
Yes.
A
Alrighty. Prediction number six. At least one solicitation will include CMMC Level 3 requirements in 2026. This is your pet prediction here.
B
Flip the script. What do you think, bud? Do you think?
A
Well, yeah. So we're saying that there would be at least one solicitation with CMMC Level 3. That would be at least 12 months before the phased rollout says we're supposed to see CMMC Level 3 in solicitations. Remember, we've been talking about the phased rollout all through 2025 and how DoD's discretion determines when they get to include certain requirements. Really, this is dependent on the CMMC PMO finishing the Level 3 assessment process and DIBCAC getting through their CMMC Level 3 assessment practice. They already started the Level 3 pilots in 2025. So, Jason, this is your prediction. What do you think, man? You're very confident this is going to happen?
B
I am very confident. And the reason that I'm confident is because what we're seeing right now in the trends is, at least once a week, if not more, a solicitation that's ahead of its time, so to say, right, ahead of its phase, that has CMMC Level 2 requirements in it. But wait a minute, I thought we weren't supposed to get that until this coming November. So it's going to be this thing where we're evaluating risk, we're evaluating important programs. And the important programs, especially those with Level 3 in them, I think are going to be more proactive. And it may be something that, like, hints at: you need this Level 2 because you need a Level 2 before you get that Level 3. And we're going to want Level 3 ahead of time no matter what. I still think that this is going to be pushed for big programs like Golden Dome, things like that.
A
Right.
B
So, I'm a big fan of reading the writing on the wall. I think there's so much scribble on these walls now that you can't fit anything else. Right. But the writing on the wall for this is there. The writing on the wall for Level 2 is that it's there. So, yeah. Did I convince you? I don't know.
A
I completely agree. I'm 100% on board with your prediction here, especially, like you mentioned, with the Golden Dome, the leaked memo that came out that affects an absolute ton of contractors. And so I think that we're absolutely going to see at least one Level 3 solicitation in 2026.
B
I was watching America's football game, the Army-Navy game. Right. And every commercial break, do you know what there was a commercial for during that commercial break?
A
Defense contractors.
B
No, the Golden Dome initiative.
A
Was it really? Yeah, I didn't watch the game.
B
Yeah. So like, that screams Level 3. Everything in the memo, anyways. Yes. Okay. Thanks for jumping on board.
A
There you go. Yep. I completely agree. All right, last prediction. Last prediction for 2026. Prediction number seven: the upcoming GAO report on the CMMC program will show no major findings or issues with the program. This GAO report was supposed to come out at the end of 2025. The government shutdown derailed that whole process. So we're going to roll this into a bonus prediction, or our final prediction, for 2026. Just like the GAO report in 2021, just like the DoD IG report that came out in 2025. Again, another nothing burger. No major controversies, no major findings, no major issues. Wrinkles have been worked out along the way. They will continue to be worked out as we move forward. The CMMC program has to be one of the most extensively reviewed and analyzed and evaluated programs that the DoD has ever undertaken, right? There have been multiple extensive, painstaking, years-long rulemaking efforts. There have been multiple GAO reports, IG reports, industry analyses, public comments, all this stuff. I'm sure that when this report comes out, people are going to read the first page and they're going to go, oh my God, this is going to be the big one. And we're going to have to do another multi-part episode, which we're happy to do, explaining what the findings are or aren't. I don't think that this GAO report is going to be a big deal at all. We're probably gonna see it sometime in Q1, I would imagine, because we were supposed to get it at the end of 2025.
B
Yeah, very little convincing needed for me here. We've had three big duds in a row. Why not number four? I'm gonna go with this.
A
There you go. Alrighty, folks, that was our review of our predictions for 2025. We were mostly correct on all of those. And our predictions for 2026, I'm very confident we'll be 100% correct on all of those. What do you think? Let us know in the comments. You know, it's the end of another year of the podcast. We appreciate everybody who tunes in to watch, anybody who's liked and subscribed, anybody who shared the podcast or their thoughts. It's been a long journey. Lots of different topics, lots of different episodes. Still tons of stuff to talk about moving into 2026. We hope you'll join us. If you found this show valuable over the years, tell your friends. Share it on LinkedIn. Tag us, let us know what you think. Send us DMs. Leave comments. Tons of ways to engage. We appreciate all of you.
B
See you next year, folks.
A
See you guys.
Date: January 1, 2026
Host: Summit 7
In this special year-end episode, Summit 7 recaps their 2025 CMMC predictions—boasting a 71% accuracy rate—and dives into seven bold predictions for the world of CMMC in 2026. With a healthy dose of humor and insider insights, the hosts review regulatory progress, government reports, and enforcement trends, while forecasting the road ahead for CMMC, DFARS, FAR, and related cybersecurity requirements for defense and federal contractors.
Memorable quote:
“If you only read [IG report] summaries, it makes everything sound really bad all the time. That’s their business model...You have to read the whole thing.” — A [06:13]
“Let us know what you think…We appreciate all of you.” — A [29:34]