Sum IT Up: CMMC News Roundup – “Monthly Cyber AB Town Hall Recap (March)”
Podcast Host: Summit 7
Guest Host: Joy
Release Date: April 2, 2026
Episode Focus: Recap and analysis of the March Cyber AB Town Hall, summarizing milestones, staffing changes, regulatory shifts, and key insights affecting the CMMC ecosystem.
Episode Overview
This episode delivers a comprehensive recap of March’s Cyber AB Town Hall, highlighting critical updates in the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. Topics range from major personnel changes, recent GAO evaluations, and ecosystem growth metrics to the official handover of credentialing functions to ISACA (dubbed the “Keiko takeover”). The hosts also spotlight industry confusion around Controlled Unclassified Information (CUI), with a deep dive courtesy of guest expert Ryan Bonner.
Key Discussion Points & Insights
1. Program Milestones and Departures
- 140+ Days into CMMC: The program has hit significant milestones since becoming final.
- Key Departures:
- Stacy Bostanic: Recognized for transparency and championing the program.
- "She contributed so much to really launching CMMC in the right way and I'm going to miss her." – Joy (01:58)
- Katie Arrington: Replaced by Kristen Davies as Acting CIO; Davies recently gave congressional testimony, especially on program costs.
Notable Quote:
"After we went through our long period of no communication from the DoD at the time, it was great to have her step up and really communicate with everyone in the ecosystem." – Joy (01:58)
2. Policy and Oversight Updates
GAO Report Summary (03:45–06:36)
- Positive Reviews: CMMC program scored “6⅔ out of 7” on key categories per GAO.
- Shortfall: Biggest gap lies in detailed evaluation and mitigation of external risks.
- "They had to come up with a plan to address each of those risks… then we can get the perfect score. 95% still, right?" – Host (04:41)
- Industry Takeaway: Strong performance scrutinized by GAO; room for improvement remains in risk management.
Congressional Testimony (02:40–03:45)
- Cost Concerns: Kristen Davies indicated that the DoD will review costs but underscored that no current/fiscal year funding is expected.
3. Ecosystem Growth & Certification Milestones
CMMC Certification Stats (06:36–08:23)
- 1,000+ Level 2 Certifications: Achieved since program launch in November; early adopters notable.
- "10% of those are Summit 7 clients." – Host (06:55)
- Growth in Lead CCAs: Sharpest growth seen in credentialed Lead Certified CMMC Assessors, more critical than sheer number of C3PAOs (assessment organizations).
- "The full capability of the CMMC ecosystem… resides in [growing] the lead CCA number." – Host (07:50)
ISACA Takeover—Effects on Training Providers
- 10% Growth in Authorized Training Providers (ATPs): Despite concerns, ATP numbers continued to rise after ISACA assumed credentialing responsibilities.
4. Key Staffing Changes in Cyber AB
Administrative Additions (09:34–11:29)
- Emily Ermelini: New Director of Executive Administration, acting as gatekeeper to Matt Travis (Cyber AB President).
- "He recommended tagging her on communications if you're trying to wrangle him up." – Host (10:35)
- Upcoming Director of Cybersecurity and Compliance: Recruitment underway; role to oversee CMMC and ISO certifications.
5. CUI Confusion: Ryan Bonner’s Clarity
(12:20–19:10)
- CUI Emergence in Contracts: Early indicators are appearing in RFIs and sources sought.
- Primes Driving Readiness: Prime contractors are “over-communicating” with their subs to ensure compliance ahead of incoming mandates.
- "Those love letters that come from the DoD about the phase rollout … addressed to their primes… [Primes] only have the procurement administrative lead time… to not only have their house in order as far as their own CMMC certification… but for every UID attached to that contract." – Host (14:06)
- Game of Telephone: Confusion about CUI stems from inconsistent information flow from government to the lower tiers of the defense industrial base.
- "They are at the wrong end of a game of telephone … by the time it gets to the end of the line, it is brutally bashed and murdered." – Host, paraphrasing Ryan Bonner (16:03)
- Overmarking Issues: DoD IG report reveals continued over-marking, restricting appropriate information sharing.
Memorable Advice:
"If you're only going to listen to part of the town hall, make sure you get the Q&A at the end." — Joy (19:00)
6. ISACA (“Keiko”) Takeover: Credentialing & Training (19:10–30:47)
Credential Process Now Fully ISACA (20:00–22:22)
- All Credentialed Personnel: Must use ISACA processes for exams and training.
- Go-Live: New ISACA website and credential badges active as of March 31, 2026.
ISACA Badges & Value
- "The badges are amazing and they're exactly in line with the other ISACA credential badges that I have. Very nice, very clean and professional looking." – Joy (22:22)
- Exam Fees: Concerns addressed, with ISACA keeping costs competitive by industry standards.
Training and Curriculum Updates (23:55–29:25)
- ATPs Continue Current Processes: Authorized to use existing materials through end of 2026.
- ISACA to Release Rev 3-Aligned Training (Q4 2026): Transition to NIST 800-171 Rev 3, with “bridge training” for both directions.
- "Those of us who are trained on NIST 800 171, R2 will receive bridge training to R3. And then with the new curricula, those learning R3 will also receive bridge training to scale back to R2... all CCAs and lead CCAs, will be qualified to do an R2 or an R3 assessment." – Joy (28:28)
- Industry Experts Authoring Content: ISACA is leveraging established professionals to shape new curricula.
Provisional to Certified Instructors
- Transition Plans: ISACA rolling out clear processes for provisional instructors to become fully certified; new CCI (Certified CMMC Instructor) program expected by mid-summer 2026.
Memorable Quotes
- "Stacy brings energy to every conversation. She’s a fireball. Witnessing her transparency… I’m going to miss her a ton." — Joy (01:58)
- "The full capability of the CMMC ecosystem… resides in [growing] the lead CCA number... You can’t have the team without the coach. That’s just how it works." — Host (07:50)
- "If you’re only going to listen to part of the town hall, make sure you get the Q&A at the end. He answered a good portion of Q&A during the town hall and a lot of them were addressed to specific scenarios." — Joy (19:00)
- "The Keiko takeover... you have a new shiny flashy ISACA badge... the process to acquire any CMMC credential, CCP, CCA, CCI coming soon, all goes through ISACA and the ISACA process." — Host (20:00)
Timestamps for Major Segments
| Segment | Timestamp |
|---------|-----------|
| Milestones & Departures (Stacy Bostanic) | 01:18–02:40 |
| Congressional Testimony/GAO Report | 02:40–06:36 |
| Certification/Ecosystem Growth | 06:36–08:23 |
| ISACA Takeover and Training Ecosystem Update | 08:23–09:31 |
| Cyber AB Staffing News | 09:34–12:20 |
| CUI Deep Dive—Ryan Bonner | 12:20–19:10 |
| ISACA Transition (Keiko Takeover) | 19:10–30:47 |
| Upcoming Instructor Changes | 29:25–30:47 |
Final Thoughts
The march towards full CMMC program implementation continues amid staffing changes and evolving requirements. The ISACA takeover promises greater scalability and standardization in training/certification, while ongoing confusion about CUI persists as a top industry pain-point. If you only have time for part of the episode, check out Ryan Bonner’s practical CUI insights and the end-of-show Q&A (19:00+). With new resources and curriculum on the horizon, and over 1,000 certifications already issued, the CMMC ecosystem is rapidly maturing—those waiting for clarity or funding are urged to act now.
For questions, clarifications, or access to referenced resources, listeners are encouraged to join future Cyber AB Town Halls or connect with the show hosts via official channels.
