A
All right folks, it is November of 2025 and this is the first podcast of the new normal. CMMC is officially in effect and can be put into defense contracts. CMMC status is now officially and will forever be a condition of contract award. We are now well into phase one of the CMMC phased rollout. And everybody's probably asking now that it's finally here, now that we're finally in the rollout of CMMC, what comes next? That's what we're going to talk about today.
B
That's the question that I have because for the past four years off camera and on camera, we've been thinking about like what's going to happen and going out in public and saying, hey, we believe based on what we know, this is what's going to happen. And now it's kind of time to put up or shut up, right?
A
Yeah, I mean it's, it's funny because right after spending all this time waiting for CMMC to happen, the government shut down. Now we're waiting for it to reopen. So of course we have this sort of staggered start. Couldn't have CMMC without some sort of weird staggered start thing every time a milestone. But, but yeah, that's coming to an end very quickly. So let's, let's just get everybody caught up really quickly on what's happened so far leading up to the phase rollout. So in December of 2024, the CMMC program officially went into effect as a result of many years of rulemaking. And that meant that companies could voluntarily go get CMMC level 2 assessments. They could go pay a certified third party assessment organization, a C3PAO, for a CMMC level 2 assessment. And that would officially count, assuming that they passed all the requirements, as a valid CMMC level 2 status. But DoD could not require it in the terms of a contract or a contract solicitation without going through some additional rulemaking to take that policy language and convert it into contract clause language. Interestingly, despite that issue, which was a major issue, the ecosystem over the course of 2025 has grown rapidly, all things considered. So from a certifications perspective, as of October of 2025 there are over 450 level 2 certifications. That includes people who have final status where they have no open items and people who have conditional status, which means they have open items on their POA&M. You can still win a contract. You can still have a level 2 status that's perfectly valid even with open items as long as they comply with CMMC policy for the allowable open items. That is up 280% since May of 2025. So we are going up and to the right on the graph very quickly here.
Towards the end of 2025, if we were to just maintain that amount of growth and not have any acceleration whatsoever, you could expect around 700 Level 2 certifications by the end of 2025 and easily about 1,000 or more Level 2 certifications in Q1, which is something we're going to talk about when we talk about our predictions for Phase one coming up here in a little bit.
B
I mean, these are impressive numbers based off of where we came from. We came from zero, right?
A
Yes.
B
Still a minor snippet in what totally is going to happen as the program is fully rolled out. But this is reflective of the forward thinking of people. Again, this was before the DoD could say, you have to go get this. Right. So this was either forward thinking as an organization trying to get competitive advantage, or forward thinking of primes trying to get their supply chains in order, saying, hey, pay attention to this. Right?
A
Yeah, yeah. I mean, they had to start from zero, because when the rule went into effect in December of 2024, you know, it had been published in November of 2024, went into effect 60 days later, essentially, that restarted everything for C3PAO authorizations, delta training for assessors, updating the CMMC assessment process guide, all this stuff that had to happen administratively for the ecosystem to be able to handle people who wanted voluntary assessments. So essentially, going from zero to October, you went from zero level two certifications to over 450. We should end the year somewhere around 700 or more. And that's. That's without it being required. It hasn't been required. Like it hasn't been required in a single contract through 2025. And you're already at almost 1,000 companies that have done it. So, yeah, that is huge growth. On the assessment capacity side, what's led up to the beginning of Phase one? Because everybody always goes, there's not enough assessors, there's not enough assessment capacity. We should end the year at the current rate of growth without any accelerations or anything like that, with around 1400 certified practitioners, around 700 certified assessors, around 400 lead assessors, which is really the big constraint on the number of teams. 400 teams or 300 teams or even 200 assessment teams is a lot of teams in terms of initial capacity at the start of Phase one.
B
Right.
A
This is leading up to the beginning of the phase one on November 10th, and somewhere around 100 C3PAOs, that's at the end of 2025. Remember phase one just started in the middle of November of 2025. So you've got these massive increases through 2025, especially the second half of 2025, for number of voluntary certifications and assessment capacity in the ecosystem leading up. So this was all under the banner of what we called the market rollout because DoD couldn't require it in contracts under the phased rollout, but you could of your own volition, go to the market and get your assessment. So tremendous growth and expansion in certs and capability for the ecosystem without anything having been required whatsoever.
B
So Jacob, do you know how many teams do you think DIBCAC runs with? Like how many?
A
I don't know actually. I've heard that they're growing significantly, but I don't actually know how big DIBCAC is these days.
B
Do you think it's around 400?
A
No, no.
B
Where I'm getting at here, like, yeah, we used to. And some of the arguments were DIBCAC should just do all of this, right? And now we're talking about the end of the year being at the capability of 400 teams possibly and still saying that we need to grow rapidly and grow more.
A
So it's just, yeah, you were never going to be able to hire enough full time employees to work for DIBCAC to be able to conduct the number of assessments that the DoD wanted. Even in the reduced number of assessments under CMMC 2.0, the only way to grow that ecosystem is to do it with the third party system that they established and it is working currently. So far nobody who has needed assessment has been unable to get an assessment. So until we see that happen, then the constraint on assessors is not the number one constraint that we're seeing so far anyways. We're in phase one. As of November 10th of 2025, both the CMMC program is implemented and the CMMC contract clause language is effective and it is now a condition of contract award. So on November 10, the barrier that prevented the DoD from requiring CMMC status in contracts was lifted. And as the government begins to open back up, which I believe there was a vote yesterday or today, it's happening, the government is allegedly opening back up, new solicitations and contracts will be issued again and CMMC status will be a condition of taking award of those contracts. Now, very briefly, a refresher on the model and the types of data that it corresponds to. So if you don't handle any controlled unclassified information, which is a longer conversation that we've covered a bunch and we'll cover again in the future. But if you're not handling any controlled unclassified information, if you're just a federal contractor, CMMC Level 1 status indicates that you have implemented and complied with the terms of FAR clause 52.204-21. This is a set of cybersecurity requirements that applies to all federal contractors and has applied to all federal contractors unchanged since 2016. All CMMC level one status is saying is you are telling the government, yes, we super duper are complying with the terms of the contract. Right. It's not imposing new requirements or doing anything like that.
It's just a mechanism for giving the government assurance that you are doing the things in that FAR clause. Because without that mechanism, you're just accepting the terms and the government just doesn't have any other indication that you're actually doing those things. Right? All right, so if you are handling controlled unclassified information, then CMMC Level 2 status indicates that you have implemented the requirements in NIST Special Publication 800-171 pursuant to DFARS Clause 252.204-7012. That contract clause is the one that obligates you to implement those cybersecurity requirements. CMMC Level 2 status is verifying that you implemented the requirements imposed on you by that contract clause. We just wrapped up a long series explaining the details of all of the DFARS cyber series of contract clauses. We'll link those in the description below so you can check those out if you need a refresher or if that is news to you. CMMC is just making sure that you did those things. It's not actually imposing those things on you, but those are coming from other contract clauses. Now, phase one of this phased rollout, this first 12 months from November of 2025 to November of 2026, is supposed to only focus on level two self assessments. And a lot of people have concluded that it will only be level one and level two self assessments. But we have been pleading with people for a long time now to remind them that DoD guidance says that Level 2 certification, Level 2 C3PAO third party audit status, is the minimum requirement if you will be handling any of the DoD categories of controlled unclassified information. There is nothing that prevents the DoD or your prime from requiring level two certification during phase one. Right? So if you think, oh, there are, there will not be any third party certification, so we're going to maybe take our foot off the gas, it depends on your specific situation. It's not a guarantee. So just, you know, do your research accordingly.
And you know, the last little note here is that you won't know, you won't know what the requirement is until the solicitation hits the street. And at that point there are no waivers because waivers are for entire contracts, not for individual companies. And the waiver decision to remove CMMC requirements from the contract is a pre-solicitation process. So they can include level two third party audits in phase one. By the time you find out what the requirement is, it's too late for them to change it. So plan accordingly. Okay, now if you are handling CUI, CMMC Level 3 status indicates that you have implemented selected requirements from NIST Special Publication 800-172 pursuant to 32 CFR 170, Section 170.14. So if you look up Google, ChatGPT, whatever you're going to do, 32 CFR 170, that is the text of the CMMC Program Policy. Section 170.14 outlines the requirements that the DoD has said are CMMC Level 3. So they didn't say do everything in SP 800-172, they said do a selected number of those requirements from SP 800-172. You can find those listed in 170.14. Now the phase rollout says that level three requirements shouldn't show up until phase two, which starts in November of 2026 and runs for another 12 months. And even then at phase two it will only be at department discretion. But Jason might have a prediction about CMMC Level 3 requirements during the other phases and in Phase 1. Coming up here in a minute. Like I said, Phase 2 begins on November 10th of 2026. So that day is now hurtling towards us. And there you go. So that's how the model sort of lines up with the requirements and what DoD allegedly says should happen during this first phase.
B
I don't know if you sign up for any other hobbies outside of sitting in your lair and reading regulations or working on your short game, right?
A
There are other hobbies.
B
Have you ever signed up for like a community 5k for like a good cause or something like that? Listen, just go with me on this, okay?
A
Have I ever volunteered, I think voluntarily signed up for cardio? Never in my life.
B
So I feel as though phase one is the community 5k, right? And everybody's showing up and then you realize that there are some people there that are ready to sprint the entire 5K and I think that the realization that people are going to have is that there are going to be more people from the DoD that are going to be sprinting to get to the finish line than the people from OSCs and OSAs and stuff like that because of evaluation of risk. What I mean by that is I think that people are going to show up thinking a lackadaisical self assessment approach is going to be the way of Phase one. And as we are already seeing in the very limited solicitations that we viewed, that's not the case. They're ready to sprint. We're trying to set the course record. Right. Like, I, I just don't know if people are still prepared for what race.
A
Yeah, I think it's somewhere between community 5k and Alex Honnold in free solo where he's climbing cliff faces without a rope. And it's like, oh, we showed up.
B
For like our climbing shows going this week.
A
Yeah, they're like, oh, we showed up for our climbing lesson in our maturity model and they're like, actually you got to climb that. And we are out of rope ropes, so see you at the top. Yeah, exactly. Right. So, all right, so that's, you know, how we got to the market rollout. The general idea of the model and how it, you know, corresponds to the requirements and the general idea of what DoD has said will happen in phase one. What do we think is going to happen in Phase one? I've got a couple ideas. You've got a couple ideas?
B
Sure.
A
My first prediction here is that there won't be a lot of assessment failures, but there will be a lot of what we call false starts. We've been talking about this for a long time in that a CMMC assessment, if you read the assessment process guide, which you should, is conducted in four phases. And the first phase is really just do you pass the sniff test? Do you display general readiness to even be able to go through an assessment? So if they say, do you have evidence ready? And you go, we don't have an SSP, they're not going to conduct the assessment because you're not ready for the assessment. Now that doesn't count as an assessment failure. You just don't get an assessment. So we call that a false start. That is not a metric that is tracked by the government or by the Cyber AB at all. Anecdotally, when we have talked to C3PAOs, we have heard during the market rollout of people voluntarily going, which would allegedly be the people who would be the most ready to go get their assessments. It's somewhere in the neighborhood of like 25 to 40% of companies that signed up for an assessment were told, come back later, you're not ready. These are companies that would be paid to have you go through their assessment process that they literally cannot even take your money to send you through the process. One of the C3PAOs that I talked to at Gold coast last year, I can't remember how he phrased it, he said something along the lines of, we want you to pass, but we can't just let you pass. Right. Is sort of how he phrased it, right? Where he's like, it's so egregious that they can't even take your money.
B
It really is the nicest thing. Even though it is dictated by the CAP, it really is the nicest thing the C3PAO can do for you because they could just go through it and be like, you're absolutely awful at this. Try again in a couple months. And that's it.
A
So, yeah, so we've seen that already through the market rollout on the AB's monthly town hall that you enjoy go over every month. Is that the fall? The failure numbers are very low. They're like single digit percentages. I think that it will remain single digit percentages of failures, but a lot of people won't even qualify. And so when you.
B
And it's because of that, it's because of the false starts is why we're not getting as many failures, just to your point.
A
Yeah, absolutely. And so anytime that anybody would evaluate the program, the program is going to look like a massive success because most people pass and it's not a big deal and they'll go, well, yeah, the people who are ready pass it just fine. And the people who haven't implemented the requirements wouldn't be ready for assessment anyways. And so I don't think that there's going to be some massive disruption to the rollout of the program because everyone's failing, because there just won't be a lot of failures. So I agree. Yeah. So second idea here, the people who are the early adopters that 700 to 1000 to 1500 people by the end of Q1 of 2026 are going to grow rapidly. They are going to win a lot of work, they are easy to do business with, they don't ask for special treatment, they're not asking for exceptions, they're not hoping for waivers, they're not begging their contract officer their purchase order to stick their neck out with them. They're not negotiating with PMs or whatever. They just have it, right? They just. They just have it. It makes it easier for your customer to give you the work. And so I think that they're going to grow a lot and that people who are lagging behind are going to be betting on getting away or having more time or getting, you know, special treatment or whatever it happens to be. And that is a dicey propaganda or dicey strategy the longer we go on through the timeline. So I think the early adopters are set up to grow significantly.
B
I think that you left out the negative connotation in that, you know, betting for an extension, doing all this, all of the things that you mentioned there, or they just fell too far behind and they don't exist.
A
All right, last prediction for me here. There will be no subsidies, no appropriations, no cost offsets, no tax breaks, no assistance whatsoever. Right. The ultimate ace up the sleeve, if you will, that the government has is that the costs for CMMC assessment, the costs for complying with DFARS 7012 are supposed to be rolled up in the contractor's rate that they submit on the bid. That's why they're always saying that it's an allowable cost. That's why they also say it's a question of fairness, because people who don't impose those costs or don't incur those costs have artificially low rates compared to their competitors who are complying with their cybersecurity requirements. And so the government's going to turn around and say, why do you need assistance for the thing that we're paying you for? Did you submit a bid that was artificially low? Did we pay you for the thing you said you were going to do and you're not doing it? And then you start to get into discussions about fraud and false claims and all this mess back and forth. So I don't think there's going to be any appropriations whatsoever because of the fact that these are terms of a contract. When we've been talking to people through the grapevine, there seems to be no appetite for this whatsoever outside of the DoD CIO's office. Ironically, they would love it if people had the money or if they could pay them the money to be able to work with these requirements. But the colors of the money in the current appropriations aren't right. There doesn't seem to be any appetite for creating new appropriations from folks in Congress. And so I would not bank on there being any kind of cost offset buckets of money or anything like that anytime soon to comply, especially with DFARS 7012 requirements, but also the cost of CMMC assessment.
B
So just keep me sane here for your prediction. Like these appropriations, these offsetting cost movements. Right. Those are things that have to appear in a budget, right?
A
Yeah. So, you know, you would, you would imagine that in the, the annual National Defense Authorization Act, so the annual NDAA, there would be something in there that would say here's a bunch of money to help the DIB with cybersecurity requirements. Right. Quick control F. Yeah, it's not in there. Right. The only thing that is ever in the NDAA since this whole thing is kicked off is contractors aren't doing the things that they said they were doing. So we want a program that makes them prove that they're doing them. Not we're gonna come up with a bunch of money to give to people for the thing that we already paid them for. Right. So that's not the perspective that a lot of contractors have, but that is the perspective that the government has. Right. And so depending on what hat you're wearing, it's a very different conversation. I have heard no rumors about people who are eager to create any kind of cost offset or bucket of money to help with DFARS 7012 or CMMC assessments. So I would not bank on that being a thing. Like some people might think, well, we'll delay, delay, delay as long as we can. There won't be enough assessment capacity in the ecosystem. Things will get drawn out to the right. People will realize that there aren't enough resources and there needs to be cost offsets and then we can use that cost offset money instead of our own money in order to comply with the requirements. That is an astronomically unlikely scenario. I wouldn't bet my company or the livelihoods of my employees on that being how it plays out. It's a very long, it's a super long shot. Right. That's a, that's a multi leg parlay that I don't think is going to hit. Yeah, yeah, yeah.
B
It's a bold strategy.
A
Yeah. So there you go. What do you think?
B
Well, I think just like you, well, first and foremost, that budget covers this year. This year basically covers phase one. No money in the budget, no appropriations. Phase one, get out and do it right. Mine aren't quite as cynical as yours or mine aren't as detailed as yours. But my first one is kind of the obvious that we're seeing already. And I know that we're only realistically two days into the program being live and we've seen some solicitations, but I think that requirements being applied to contracts prior to the scheduled phase in which they're supposed to be there. So level two certification appearing, even level three certification appearing in contracts based on political climate and things like that, I think it's going to be more common than people expect. It's not going to be the, the unicorn in the group. I think it's actually going to be the herd of goats.
A
Yeah. So you think that Level three could even show up in Phase one?
B
I think so. Just because look at the memos that we, we've looked at over the past year and some of the business that's going to try to be garnered there. I also think that like it's going to be more, I guess, preempted. Right. Because we know that you have to get level two to get Level three. So they may mention the level three so that you get your butt in gear for level two now so that you're prepped for level three.
A
Yeah, I mean, you got to remember too is like when the text of the rule was written was a long time ago and then it's got to go through all that red tape before it's finalized and then it goes into effect. So the original idea for the phase rollout might have been there won't be any Level three in Phase one. It'll only be discretionary in Phase two. But then you fast forward to a couple months ago when this memo about Golden Dome came out and then all of a sudden they're saying a lot of the contractors in the Golden Dome supply chain will definitely need Level three. Well, that's an update that the rulemaking lags behind because that got, that got finalized. The text of the rule got finalized a year or more before that memo came out. So sure. Yeah. I mean, I could absolutely see it happening if the DoD says it's important enough. There isn't anything in DoD policy or some sort of statutory limit that says you can't require X in Phase one or Phase two. You can only require A, B or C. That's, that's not how it works. That was the idea. But like we've said, it'll be highly situational. Right. So if you're doing super cool high speed stuff under Golden Dome, then, you know, ask around and see, see, you know, what, what they think is going to happen. We know the DIBCAC, who are the teams who run the Level 3 assessments, are already running their Level 3 pilots and getting the wrinkles worked out. They're already asking for people to email them to get on the schedule for level three. So you can go ask them for level Threes when they're ready. But yeah, I could see that happening. I could see level three in phase. In Phase one, definitely in Phase two.
B
All right, so I'm one for one. Let's see if I can go two for two. Two for two. I kind of, this is a little bit of a layup. Right. We're encroaching on 100 authorized C3PAOs right now at the end of this year, one full calendar year, I think it's safe to say we'll have another hundred. At least 200 authorized C3PAOs in the ecosystem by the end of phase one. That's it.
A
Yeah. A year, over a year from now, having another 100 C3PAOs. I could see that. Do you think that we're going to hit a thousand, a thousand level 2 certs in Q1 of 2026?
B
I do. And the, the reason that I, oh, wait, hold on.
A
So we're, we should be around 700 by the end of this year and then by the end of March. So by the time we're, we're setting, resetting our clocks again for daylight savings time, do you think we'll be at a thousand? So another 300 companies.
B
Doing my best. Jacob Horn, Fuzzy math here.
A
Right.
B
Like, I'm just trying to figure out, like, we've seen the growth every month. It's been about a 66% increase in the output of assessments to that point. So given the trend and given the fact that now it's live, so there should be more motivation. Yeah, I think it's 100. Safe to say by the end of.
A
Q1, I'm going to say we'll be close to 1500 by the, by March.
B
That's, that's crazy. I think, I mean, I, I don't.
A
Think it's impossible, but somewhere between a thousand and fifteen hundred, let's put it.
B
That's a, that's a safe assessment. I, I, I agree.
A
There we go. All right. What, what else do you think?
B
So three is kind of backpacking on number one, where we're seeing accelerated requirements, but the number one pertain to, in DoD in the solicitations. I think that the primes are going to absolutely ramp up the speed on the requirements for certifications during Phase one. I don't think that you are safe with whatever the DoD puts out, because the prime is going to be hopefully one step ahead of the DoD, which they're going to have to answer to. I've said this for months. I'm going to stand by it because I 100% firmly believe it, and we're seeing evidence of it. Prime contractors are going to put the, the gas pedal down to the floor, I believe.
A
Yeah. And, you know, we've said that whatever DoD's idea that the phase rollout should be will deteriorate as that policy guidance goes to individual DoD components and programs and program managers. Some might try to bend the rules, some might be very strict with the rules. Some might try to squeeze out phase one as long as they can. Some of them might not even care because it's at their discretion and they really care about what's going on. So it's hard to predict. Another X factor is what your prime decides to do, because they're going to say, we don't know if or when you need the CUI. And by the time we do know, we can't wait for you to then turn around. Take 18 months to get ready. So go ahead and get ready now. Which is basically the reason why they're telling a lot of people to go get CMMC Level 2 certification before the phase rollout even started. So, yeah, I absolutely think that the primes will accelerate the timeline. And since most people work for the primes and not for the DoD, it doesn't really matter what the DoD says the phase rollout should be. It matters what your prime says they're going to do. And if you haven't asked them in a while, you should, because it might be very, very different from what you hear Stacy or Katie or the DoD saying they think is going to happen.
B
And because on the show I can't let the list only be six things, I added one for good measure. So we have seven. Right. And it goes with what we said. And I believe this very much so, especially in the first phase of the program. I don't think there are going to be any waivers, especially in phase one. I don't think they're going to kick off the program with making concessions for people for a couple reasons. One, because the timeline. Two, because we're already behind the curve.
A
Right.
B
Because of the shutdown, everything like that.
A
Yeah.
B
Right. They're going to have to be pushing out. I just don't think there's going to be any time or any resources they're going to be able to absorb waivers or anything like that. It's not going to happen.
A
Yeah. I think that there will be DoD components and there will be solicitations that opt for self assessment over certification assessment because they can bend the rules. That won't be true everywhere. And so that's why it's dangerous to bet on that being the case all the time. But I also agree. I don't think anybody is going to say there are no CMMC requirements in this solicitation whatsoever. And they're just, it'll be literally, it won't be included at all. I know that, you know, now that the phase rollout started, like on the first day, people were messaging me and they were like, hey, we got this solicitation from the Navy and it doesn't have CMMC requirements in it, but it's supposed to be awarded in Phase one. And I was like, it's going to get revised. Like, as soon as the government opens up again, it's going to get revised and you'll have even more time or even less time to sort of calculate that increased cost. So it is not a perfect flare gun went up, air horn went off and now everything is like universally smooth in terms of its rollout. It's all very sort of situational and sporadic, but that's the policy. And so it's definitely going to be coming in in different forms. So, yeah, I don't think we'll see waivers, but I think you'll see some people bending the rules for sure. But it's a dangerous game to bet on that being, you know, the situation all the time, everywhere for everybody. So plan accordingly. All right, what do you think? Do you think that the seven things that we thought were going to happen in Phase one are going to happen that way? Do you disagree? Do you agree? You think something else going to happen? Let us know in the comments like and subscribe and we'll see you next week.
B
See you next week.
A
Date: November 13, 2025
Host: Summit 7
In this episode, the Summit 7 hosts dive into the landscape of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) as Phase 1 of its official rollout goes live in November 2025. With CMMC now a condition for contract award, the hosts reflect on how the program reached this point, examine the latest certification and assessment trends, decode the real meaning of CMMC Levels 1-3 for contractors, and share their predictions for what organizations should expect—and prepare for—in the pivotal first phase.
Rapid Certification Growth Despite Voluntary Phase
Assessment Capacity & C3PAO Growth
Level 1: For contractors not handling Controlled Unclassified Information (CUI).
Level 2: For those handling CUI.
Level 3: For high-priority contractors handling critical CUI (selected requirements from NIST SP 800-172, under 32 CFR 170.14).
Phase 1 Focus: Official guidance suggests only Level 1 and Level 2 (mostly self-assessments), but:
On Rapid Growth:
"You went from zero level two certifications to over 450. We should end the year somewhere around 700 or more. And that's without it being required." (A, 03:58)
On Assessment Preparation:
"It's so egregious that they can't even take your money." (A, 16:01, on companies unready for assessment)
On Strategy:
"Early adopters... are easy to do business with... It makes it easier for your customer to give you the work." (A, 17:19)
On No Federal Assistance:
"No subsidies, no appropriations, no cost offsets, no tax breaks, no assistance whatsoever." (A, 18:35)
On Requirement Surprises:
"Level two certification appearing, even level three certification appearing in contracts... I think it's going to be more common than people expect." (B, 22:15)
On Risk of Waiting for Subsidies:
"That is an astronomically unlikely scenario. I wouldn't bet my company or the livelihoods of my employees on that being how it plays out." (A, 20:46)
On Prime Contractors:
"Prime contractors are going to put the gas pedal down to the floor, I believe." (B, 26:46)
The conversation is candid, filled with real-world observations from years of watching (and helping shape) CMMC's evolution. The hosts use humor and analogies (“Phase one is the community 5k”; “Alex Honnold in Free Solo”) to underline the challenging, competitive, and sometimes unpredictable landscape defense contractors now face. Their message: Be proactive, do not assume you'll have more time or help, and expect surprises as CMMC’s first phase rapidly transforms defense contracting cybersecurity.
Bottom Line:
Phase 1 is a proving ground—those who prepare and certify early will thrive, while laggards risk being left behind. DoD and primes may impose higher requirements faster than expected, and there will be few exceptions or safety nets. Prepare accordingly.