Sum IT Up: CMMC News Roundup
February Cyber AB Town Hall Recap
Date: February 26, 2026
Hosts: Summit 7 (A: Jason, B: Joy)
Episode Overview
In this episode, Jason and Joy recap the latest Cyber AB Town Hall, breaking down the most important news and updates relevant to the CMMC ecosystem. They cover new insights on Tier 3 background checks, significant change guidance in CMMC assessments, recent staffing changes within the Cyber AB, up-to-date statistics on assessments and credentials, the ongoing ISACA transition, ethics in assessments, and a substantial segment on the recent DFARS/FAR changes impacting the defense industrial base.
Key Discussion Points & Insights
1. Opening & Tone
- Jason and Joy kick off with lighthearted banter about Cyber AB CEO Matt Travis’s humor at the Town Hall, appreciating his "dad jokes" but recognizing that the substantive news was more important this month.
- Tone is warm, approachable, and conversational, with both hosts trading jokes and personal updates.
2. Breaking News: Tier 3 Background Checks
[00:42–02:08]
- Jason: Reports good news about Tier 3 background checks for organizations with Facility Security Officers (FSOs).
- Organizations can have their FSO follow up on delayed checks, not just after 6 months but throughout the process.
- “If you have submitted a Tier 3 background check, you can actually reach out to [your FSO] and say, 'Hey, can you see what's going on with this?'” (A, 01:11)
- Joy: Notes this is a practical tip, as many organizations in the ecosystem already have an FSO.
3. Guidance on Significant Changes in CMMC
[02:08–10:26]
Formal Guidance Pending
- Matt Travis announced that more detailed and formal guidance on what constitutes "significant changes" is forthcoming.
- For now, organizations should rely on existing rules:
- 32 CFR Part 170 (esp. preamble)
- CMMC Level 2 Scoping Guide (page 9)
- Requirement to re-assess after architectural or boundary changes; annual affirmation for minor operational changes.
Interpreting “Significant Change”
- Jason:
- "Essentially significant changes to your architecture... You're going to have to recertify." (A, 04:45)
- Gives examples, e.g., network expansions, mergers/acquisitions.
- Operational changes (e.g., replacing an endpoint) usually do not trigger reassessment if within the same scope and boundaries.
- Joy:
- Highlights gray areas and the need for more clarity.
- Uses an example: switching cloud logging providers vs. changing managed service providers, noting risk and control responsibilities.
Accountability and Decision-Making
- Opinions from C3PAOs on significant change are not binding; ultimate responsibility and decisions lie with the organization’s affirming official.
- “You can't actually hang your hat on [the C3PAO's answer]. ... At the end of the day, what their call is, is where the final accountability lies.” (B, 09:50)
- Both hosts stress the importance of documentation and caution against over-relying on informal guidance.
4. Personnel and Organizational Updates at Cyber AB
[10:26–12:52]
- Staff transitions with ISACA’s assumption of CAICO duties:
- Kelly Atwood moves to the accreditation division, aiding C3PAO accreditation.
- Mike Snyder assumes an ecosystem outreach role (e.g., “practitioner soirees,” workshops).
- Joy expresses hope to see more hands-on implementer training from Mike Snyder.
- Both agree these changes signal Cyber AB’s intent to mature and expand its offerings.
5. State of the CMMC Ecosystem
[12:52–16:48]
- Jason: This month saw 150 new or ongoing CMMC assessments—"assessments are going up, assessors are going up, CCPs are going up."
- Joy:
- RPO numbers (Registered Practitioner Organizations) are increasing, especially internationally; individual RP growth has plateaued.
- "Those credentials, those actual certifications for the CCP and CCA are more valuable in the ecosystem than the RP." (B, 14:51)
- RPOs may be hiring more CCPs/CCAs to enhance consulting.
- Jason: Notes international expansion (South Korea, Canada) may explain RPO increases.
- "As people come into the fold, the first line they go to is probably that Cyber AB recommended RPO..." (A, 15:30)
- Negative growth in ATPs (Authorized Training Partners) and APPs (Authorized Partner Programs) possibly due to ISACA transition uncertainty.
6. ISACA Transition & Training Updates
[16:48–19:21]
- Concerns over slow or unclear communication with ATPs and APPs following ISACA’s takeover.
- As of now, operations and exam content remain unchanged until at least April 1, 2026; only the exam administration site is shifting to ISACA’s test centers.
- "It's the only thing that's changing is on the [exam center]. ... The rest of the process is the same." (A, 19:21)
- Some anxiety persists among training partners and instructors about lack of direct outreach.
7. C3PAO Ethics, Mock Assessments, and Consulting
[19:21–25:22]
- A burst of conversation about what counts as a mock assessment versus a certification assessment:
- Joy: "You can't contract with the C3PAO and then think, ... if we actually passed it all, let's have it be the assessment of record. Like, you can't switch and decide..." (B, 21:37)
- A mock assessment requires explicit agreement up front and cannot be changed to a cert assessment retroactively.
- Mock assessments allow for “met/not met” feedback only; absolutely no gap consulting is permitted.
- In cases where a formal assessment hits an early "false start," it can revert to a mock assessment—but only in phase one.
- Jason:
- Warns some organizations may be bending rules or trying to “game the system” by switching midstream.
- Clarifies again: "Did you do this right? ... that's a mock assessment. No, you didn’t ... That is a gap analysis, that’s consulting, not allowed." (A, 25:04)
- Both advise every organization to consider a mock assessment with a C3PAO other than their ultimate assessor to prepare.
8. DFARS/FAR Overhaul & Cyber AB Guest Segment
[25:22–28:50]
- Reagan Eddins from Cyber AB appeared to explain the "revolutionary FAR overhaul" and changes to DFARS in just 15 minutes.
- "39 class deviations that you have to explain in 15 minutes. It’s not an easy thing to do." (A, 28:19)
- Joy:
- Praises Summit 7’s more thorough podcast episode on the same topic.
- Sees value in scheduled follow-ups to unpack the complex changes for the DIB sector.
- “It almost felt like it was just not going to be tying it together well enough. ... I’m glad that they're going to have ... other segments...” (B, 27:23)
- Both recommend listeners watch both the Cyber AB Town Hall replay and Summit 7’s own deep dive for full context.
Memorable Quotes & Moments
- Matt Travis’ trademark dad jokes: “He was the good news fairy in this month's town hall.” (A, 00:42)
- On significance of changes: “Clear as mud. Right?” (A, 07:59)
- On the ongoing transition: “No changes ... basically stick to the plans now until further instructed.” (A, 18:32)
- On ethics of assessments: “You can't switch and decide ... the contract has to clearly state at the outset if it’s a mock.” (B, 21:37)
- On DFARS changes: “39 class deviations that you have to explain in 15 minutes. It's not an easy thing to do.” (A, 28:19)
Timestamps for Essential Segments
- Tier 3 Background Check Info – [00:42–02:08]
- Significant Change Guidance – [02:08–10:26]
- Cyber AB Staff Updates – [10:26–12:52]
- CMMC Ecosystem Growth Stats – [12:52–16:48]
- ISACA Transition & Training Partner Concerns – [16:48–19:21]
- C3PAO Ethics: Mock vs Cert Assessments – [19:21–25:22]
- DFARS/FAR Overhaul Discussion – [25:22–28:50]
Final Thoughts
This episode provides a comprehensive yet approachable summary of fast-moving developments at the CMMC Cyber AB, direct from the monthly Town Hall. Jason and Joy balance insight with clarity, surfacing both guidance and ongoing ambiguities, as well as offering immediate advice for organizations navigating CMMC, DFARS, and NIST standards.
Recommended actions for listeners:
- Reach out to your FSO for Tier 3 background check updates;
- Stay alert for imminent formal guidance on significant changes;
- Watch for further ISACA communications if you’re a training partner;
- Ensure clarity and separation if considering mock assessments;
- Review the additional resources offered for understanding the DFARS/FAR overhaul and other regulatory impacts.
