Sum IT Up: CMMC News Roundup

Episode Title: November Cyber AB Town Hall Recap
Host: Summit 7
Date: November 20, 2025

Episode Overview

This episode recaps the November Cyber AB Town Hall, the last major update for 2025 on the state of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program. Hosts reflect on the year that saw CMMC’s active implementation and transformation into a robust, regulated ecosystem. The episode covers new board elections, the impact of regulatory changes, committee priorities, year-end growth metrics, government shutdown effects, fresh data from the CMMC PMO, and predictions for 2026.

Key Discussion Points & Insights

2025: The “Year of CMMC”

CMMC Came Alive: The hosts agree that 2025 was the pivotal year when CMMC fully “became a thing”; companies started being assessed and certified, regulations kicked in, and the program entered an active phase (00:03–00:35).
Title 48 in Effect: CMMC Title 48 came into force on November 10th, marking the start of phased implementation (00:35).
- Level 1 and Level 2 self-attestation dominates phase one (until November 9, 2026), but the Department of War (DoW) has discretion to require more rigorous assessments earlier in select contracts (00:35–01:58).
Host Perspective: Proactivity is now essential for both prime contractors and the DoD:

“The word for the first phase of the CMMC implementation is proactivity.” (02:29, Host A)

Prime Contractors & Supply Chain Dynamics

Late Response from Primes: There’s frustration that prime contractors are only now, after years of warnings, signaling compliance requirements to their supply chain (03:21–03:42).
- “What were you waiting for?” (03:21, Host B)
Public Conversations Now Visible: The need for supply chain readiness is finally a visible, urgent conversation (03:42).

Cyber AB Board Updates

Leadership Transitions: New Board of Directors freshly elected for the now fully active CMMC program (03:42–05:03).
- Paul Michaels re-elected as Chair.
- Debbie Taylor Moore elevated to Vice Chair.
- Kathy Hennessy joins as Secretary.
- Wayne Baleen named At-Large member—referred to playfully as “Mr. Yes-No” (05:06).

Committee & Advisory Council Initiatives (05:26–14:40)

Four Key Focus Committees Introduced (05:26–14:40):
1. Accreditation Committee (06:15):
  - Improving C3PAO accreditation scheme.
  - Introducing CMMC certification emblems for organizations.
  - Quote: “Finally, that’s going to be great.” (07:00, Host B)
2. Assessment Guidance Committee (07:10):
  - Clarifying on-premise assessment requirements, sampling, “false starts,” and “significant change.”
  - Will address methodology for interviews, examinations, and tests despite some skepticism about necessity.
  - Quote: “I don’t think I’ve ever seen anybody say, ‘Hey, we need to re-evaluate the interview, examination, and test.’” (11:28, Host A)
3. External Services Subcommittee (12:00):
  - Clarifying CSP vs. MSP boundary, FedRAMP moderate equivalency, and providing shared responsibility matrix (SRM) guidance.
  - “Not all customer responsibility matrices are created equal…” (12:59, Host A)
4. CAP (Assessment Process) Committee:
  - Ongoing revision and improvement of the CMMC Assessment Process (CAP) document to reflect changes and support scaling.
  - CAP 2.0 and COPC updates delivered this year, not years ago as hosts assumed (15:11–15:27).

Major 2025 Milestones & Growth

Key Achievements (16:57–19:13):
- 100% growth in Certified Assessors (CCAs).
- 52% growth in Authorized C3PAOs.
- 21% growth in Certified Professionals.
- 384% increase (from zero) in Lead CCAs.
- “That’s 384 people capable of leading assessment teams. That means…384 assessments that could happen a week.” (20:12, Host A)
Resilience During Government Shutdown:
- CMMC activities persisted robustly despite the shutdown—a testament to the maturity of the ecosystem (19:04–20:31).

2026: Looking Ahead

Planned Initiatives (21:31–23:49):
- New leadership in key positions (KEIKO, etc.).
- Staff and expansion to handle assessment workload.
- Overhaul of Practitioner (RP/RPO) program—much needed due to concerns over consulting quality.
  - “I think it’s desperately important. These companies…spending so much money…when they’re given the wrong advice, spending good money after bad, we just don’t want to see it anymore.” (24:18, Host B)
- Goal to achieve ISO17011 recognition.
- More engagement initiatives, an upcoming ecosystem survey, and expansion of the CS5 conference.
- Phase Two (“C3PAO assessments as the norm”) to start November 10, 2026, though hosts expect earlier adoption in practice.

Data Drop: Latest CMMC Certification Stats (26:29–33:05)

Self-Assessment Numbers (from guest Dana Mason, CMMC PMO):
- 7,047 companies have completed Level 1 self-assessment in SPRS.
  “A teeny drop in the bucket.” (27:42, Host B)
- During government shutdown alone: 1,000 Level 1 and 72 Level 2 self-assessments completed; 76 Level 2 C3PAO certifications recorded.
  - “People were busier in the government shutdown!” (27:42, Host A)
Certification Figures:
- 575 total CMMC Level 2 certifications in SPRS (includes C3PAO and DIBCAC conversions).
  - Of those, 115 are pending organizational affirmation—a critical step many organizations appear unaware of.
  - “115 companies…can’t say they’re Level 2 C3PAO certified…because they haven’t affirmed with SPRS.” (30:47, Host A)
- Guidance: Affirmation requires an official from the company to log in and attest accuracy—can’t be completed solely by C3PAO (31:09, Host B).
Level 3 Activity:
- Two organizations have completed CMMC Level 3 process walkthroughs with DIBCAC, preparing for the next stage of high-assurance assessments (33:05–34:09).

Notable Quotes & Memorable Moments

“The word for the first phase of the CMMC implementation is proactivity.”
Host A, 02:29
“What were you waiting for?”
Host B, 03:21, on primes and their slow roll-out of supply chain requirements
“I think improved training is important...Let’s make sure that at whatever stage they’re at, they’re trained to at least contribute to the effort. Because...if the training is not adequate, then what purpose and what help are they, you know, actually doing?”
Host A, 25:10–26:27
“A teeny drop in the bucket. A teeny tiny drop in the bucket.”
Host B, 27:37 (in response to Level 1 self-assessment statistics)
“That's 384 people that are capable of leading assessment teams...Sounds good to me. Powerful. Very exciting.”
Host A & B, 20:12-20:29
“I wish that I could have participated...how fascinating. I love the whole thought of Level 3 with the enhanced cyber security control.”
Host B, 33:52–34:09

Timestamps for Important Segments

00:03–00:35 | Recapping the “Year of CMMC”
00:35–01:58 | Title 48 in effect; Phase One overview
03:21–03:42 | Delay in prime contractors’ supply chain engagement
05:26–07:02 | Board elections and major committee assignments
07:10–11:28 | Assessment Guidance Committee focus areas
12:00–14:40 | External Services Subcommittee & CAP Committee preview
16:57–19:13 | Year-in-review milestones and ecosystem growth
21:31–23:49 | Preview of 2026 initiatives and practitioner program overhaul
26:29–33:05 | CMMC data dump: Self-assessment and certification numbers from Dana Mason
33:05–34:09 | CMMC Level 3 assessment preparations
34:50–36:03 | 2026 predictions and closing banter

2026 Predictions (34:50–36:03)

Host B: By the end of Q3 2026, Level 3 assessments will be underway.
Host A: There will be over 135 authorized C3PAOs by end of Q1 2026.

Overall Tone

Engaging, insightful, occasionally irreverent and humorous—hosts balance deep regulatory and process knowledge with playful banter, making the technical regulatory content accessible and lively.

Summary

This episode serves as a comprehensive review and sneak peek, vital for anyone tracking the CMMC program’s progress, regulatory shifts, or preparing for upcoming compliance activity in 2026. The hosts reflect the excitement, frustrations, and ongoing learning curve within the CMMC ecosystem, with actionable observations and projections for the program’s future.

Sum IT Up: CMMC News Roundup

Episode Title: November Cyber AB Town Hall Recap
Host: Summit 7
Date: November 20, 2025

Episode Overview

Key Discussion Points & Insights

2025: The “Year of CMMC”

CMMC Came Alive: The hosts agree that 2025 was the pivotal year when CMMC fully “became a thing”; companies started being assessed and certified, regulations kicked in, and the program entered an active phase (00:03–00:35).
Title 48 in Effect: CMMC Title 48 came into force on November 10th, marking the start of phased implementation (00:35).
- Level 1 and Level 2 self-attestation dominates phase one (until November 9, 2026), but the Department of War (DoW) has discretion to require more rigorous assessments earlier in select contracts (00:35–01:58).
Host Perspective: Proactivity is now essential for both prime contractors and the DoD:

“The word for the first phase of the CMMC implementation is proactivity.” (02:29, Host A)

Prime Contractors & Supply Chain Dynamics

Late Response from Primes: There’s frustration that prime contractors are only now, after years of warnings, signaling compliance requirements to their supply chain (03:21–03:42).
- “What were you waiting for?” (03:21, Host B)
Public Conversations Now Visible: The need for supply chain readiness is finally a visible, urgent conversation (03:42).

Cyber AB Board Updates

Leadership Transitions: New Board of Directors freshly elected for the now fully active CMMC program (03:42–05:03).
- Paul Michaels re-elected as Chair.
- Debbie Taylor Moore elevated to Vice Chair.
- Kathy Hennessy joins as Secretary.
- Wayne Baleen named At-Large member—referred to playfully as “Mr. Yes-No” (05:06).

Committee & Advisory Council Initiatives (05:26–14:40)

Four Key Focus Committees Introduced (05:26–14:40):
1. Accreditation Committee (06:15):
  - Improving C3PAO accreditation scheme.
  - Introducing CMMC certification emblems for organizations.
  - Quote: “Finally, that’s going to be great.” (07:00, Host B)
2. Assessment Guidance Committee (07:10):
  - Clarifying on-premise assessment requirements, sampling, “false starts,” and “significant change.”
  - Will address methodology for interviews, examinations, and tests despite some skepticism about necessity.
  - Quote: “I don’t think I’ve ever seen anybody say, ‘Hey, we need to re-evaluate the interview, examination, and test.’” (11:28, Host A)
3. External Services Subcommittee (12:00):
  - Clarifying CSP vs. MSP boundary, FedRAMP moderate equivalency, and providing shared responsibility matrix (SRM) guidance.
  - “Not all customer responsibility matrices are created equal…” (12:59, Host A)
4. CAP (Assessment Process) Committee:
  - Ongoing revision and improvement of the CMMC Assessment Process (CAP) document to reflect changes and support scaling.
  - CAP 2.0 and COPC updates delivered this year, not years ago as hosts assumed (15:11–15:27).

Major 2025 Milestones & Growth

Key Achievements (16:57–19:13):
- 100% growth in Certified Assessors (CCAs).
- 52% growth in Authorized C3PAOs.
- 21% growth in Certified Professionals.
- 384% increase (from zero) in Lead CCAs.
- “That’s 384 people capable of leading assessment teams. That means…384 assessments that could happen a week.” (20:12, Host A)
Resilience During Government Shutdown:
- CMMC activities persisted robustly despite the shutdown—a testament to the maturity of the ecosystem (19:04–20:31).

2026: Looking Ahead

Planned Initiatives (21:31–23:49):
- New leadership in key positions (KEIKO, etc.).
- Staff and expansion to handle assessment workload.
- Overhaul of Practitioner (RP/RPO) program—much needed due to concerns over consulting quality.
  - “I think it’s desperately important. These companies…spending so much money…when they’re given the wrong advice, spending good money after bad, we just don’t want to see it anymore.” (24:18, Host B)
- Goal to achieve ISO17011 recognition.
- More engagement initiatives, an upcoming ecosystem survey, and expansion of the CS5 conference.
- Phase Two (“C3PAO assessments as the norm”) to start November 10, 2026, though hosts expect earlier adoption in practice.

Data Drop: Latest CMMC Certification Stats (26:29–33:05)

Self-Assessment Numbers (from guest Dana Mason, CMMC PMO):
- 7,047 companies have completed Level 1 self-assessment in SPRS.
  “A teeny drop in the bucket.” (27:42, Host B)
- During government shutdown alone: 1,000 Level 1 and 72 Level 2 self-assessments completed; 76 Level 2 C3PAO certifications recorded.
  - “People were busier in the government shutdown!” (27:42, Host A)
Certification Figures:
- 575 total CMMC Level 2 certifications in SPRS (includes C3PAO and DIBCAC conversions).
  - Of those, 115 are pending organizational affirmation—a critical step many organizations appear unaware of.
  - “115 companies…can’t say they’re Level 2 C3PAO certified…because they haven’t affirmed with SPRS.” (30:47, Host A)
- Guidance: Affirmation requires an official from the company to log in and attest accuracy—can’t be completed solely by C3PAO (31:09, Host B).
Level 3 Activity:
- Two organizations have completed CMMC Level 3 process walkthroughs with DIBCAC, preparing for the next stage of high-assurance assessments (33:05–34:09).

Notable Quotes & Memorable Moments

“The word for the first phase of the CMMC implementation is proactivity.”
Host A, 02:29
“What were you waiting for?”
Host B, 03:21, on primes and their slow roll-out of supply chain requirements
“I think improved training is important...Let’s make sure that at whatever stage they’re at, they’re trained to at least contribute to the effort. Because...if the training is not adequate, then what purpose and what help are they, you know, actually doing?”
Host A, 25:10–26:27
“A teeny drop in the bucket. A teeny tiny drop in the bucket.”
Host B, 27:37 (in response to Level 1 self-assessment statistics)
“That's 384 people that are capable of leading assessment teams...Sounds good to me. Powerful. Very exciting.”
Host A & B, 20:12-20:29
“I wish that I could have participated...how fascinating. I love the whole thought of Level 3 with the enhanced cyber security control.”
Host B, 33:52–34:09

Timestamps for Important Segments

00:03–00:35 | Recapping the “Year of CMMC”
00:35–01:58 | Title 48 in effect; Phase One overview
03:21–03:42 | Delay in prime contractors’ supply chain engagement
05:26–07:02 | Board elections and major committee assignments
07:10–11:28 | Assessment Guidance Committee focus areas
12:00–14:40 | External Services Subcommittee & CAP Committee preview
16:57–19:13 | Year-in-review milestones and ecosystem growth
21:31–23:49 | Preview of 2026 initiatives and practitioner program overhaul
26:29–33:05 | CMMC data dump: Self-assessment and certification numbers from Dana Mason
33:05–34:09 | CMMC Level 3 assessment preparations
34:50–36:03 | 2026 predictions and closing banter

2026 Predictions (34:50–36:03)

Host B: By the end of Q3 2026, Level 3 assessments will be underway.
Host A: There will be over 135 authorized C3PAOs by end of Q1 2026.

Overall Tone

Engaging, insightful, occasionally irreverent and humorous—hosts balance deep regulatory and process knowledge with playful banter, making the technical regulatory content accessible and lively.

wavePod

November Cyber AB Town Hall Recap

Powered by Wave AI

Summary

Sum IT Up: CMMC News Roundup

Episode Overview

Key Discussion Points & Insights

2025: The “Year of CMMC”

Prime Contractors & Supply Chain Dynamics

Cyber AB Board Updates

Committee & Advisory Council Initiatives (05:26–14:40)

Major 2025 Milestones & Growth

2026: Looking Ahead

Data Drop: Latest CMMC Certification Stats (26:29–33:05)

Notable Quotes & Memorable Moments

Timestamps for Important Segments

2026 Predictions (34:50–36:03)

Overall Tone

Summary

Summary

Sum IT Up: CMMC News Roundup

Episode Overview

Key Discussion Points & Insights

2025: The “Year of CMMC”

Prime Contractors & Supply Chain Dynamics

Cyber AB Board Updates

Committee & Advisory Council Initiatives (05:26–14:40)

Major 2025 Milestones & Growth

2026: Looking Ahead

Data Drop: Latest CMMC Certification Stats (26:29–33:05)

Notable Quotes & Memorable Moments

Timestamps for Important Segments

2026 Predictions (34:50–36:03)

Overall Tone

Summary