Sum IT Up: CMMC News Roundup
Episode: September Cyber AB Town Hall Recap
Date: October 2, 2025
Host: Summit 7 team
Overview
This episode dives into the key takeaways from the September Cyber AB (Accreditation Body) Town Hall, with a particular focus on how the CMMC (Cybersecurity Maturity Model Certification) program is weathering the federal government shutdown, updates on the rulemaking process, ecosystem growth, and clarifications on the roles of cloud and external service providers (ESPs). The hosts discuss personnel changes at the Cyber AB, metrics on ecosystem growth, international participation, and the strengthening of community feedback mechanisms.
Main Discussion Points
1. The Government Shutdown & CMMC Continuity
- [00:02–04:25]
- Despite the federal government shutdown, the CMMC program continues to operate largely unaffected.
- Key functions—like C3PAO assessments and eMASS availability—remain intact. The Cyber AB and CAICO are fully functional, though some impact is anticipated for the PMO.
- Quote: "The CMMC show is still going to go on regardless if there’s a lapse in government funding." – Host A [00:04]
- Empathy is expressed for federal employees impacted by the shutdown, juxtaposed with the reality that CMMC program participants must “keep moving.”
- Potential risk: Shutdown could bleed into the November 10 CMMC rule effective date, but leadership expresses confidence in minimal impact.
2. CMMC Title 48 Rulemaking and Prime Contractors' Role
- [00:52–03:52]
- November 10 set as the anticipated go-live date for the CMMC final rule, with all indicators currently pointing toward on-time implementation.
- Emphasis that prime contractors will be key drivers in enforcing compliance throughout their supply chains.
- Quote: "The primes are responsible for their subs. That is going to be the biggest takeaway here." – Host A [02:14]
- There’s a communication gap: information sent from DoD to primes may be misinterpreted as addressed directly to lower-tier suppliers.
3. Updates on Screening, Assessments, and Ecosystem Resiliency
- [05:33–08:07]
- Tier 3 screening processes (background checks for assessors) are ongoing but face pressure to keep pace.
- Some applicants report long waits, but leadership remains "confident they’re working on it" [07:47].
- Quote: "That screening process cannot afford to take two steps back. IMHO, that’s just how it is." – Host A [07:08]
4. Personnel Changes at Cyber AB
- [08:19–11:13]
- Raymond Kronbruner (CFO) has departed; Christopher Davis steps in as interim CFO.
- Notable appointment: Cat Adams becomes the new Conformity and Credentialing Coordinator, responsible mainly for the CMMC assessment process.
- The hosts particularly celebrate Cat Adams' appointment, citing her depth of experience and open approach to feedback.
- Quote: "The thing I like about her is not only is she super knowledgeable, but she is open to feedback... that’s made her a good instructor all along." – Host C [10:05]
5. Ecosystem Growth and Metrics
- [12:04–16:02]
- 82 authorized C3PAOs (up by 3 since last month), with a forecast of 100 by year’s end.
- In September alone:
- 366 CMMC certifications issued (up by 96 in one month)
- 16 assessments in conditional limbo
- 75 CMMC assessments currently in progress
- Dramatic uptick in ecosystem engagement
- Milestone: Over 1,000 CCA applications in queue.
- Highlights international participation, with authorized C3PAOs now in Canada and Taiwan.
6. International Expansion
- [16:02–17:15]
- Defense contractors from South Korea, Sweden, Taiwan, and Canada are increasingly participating in the CMMC ecosystem.
- Quote: "It’s even better when a national program gets international support." – Host A [16:02]
7. Public Badge for CMMC Certification
- [17:15–19:48]
- Discussion underway between Cyber AB and DoD about a public method (badge) for confirming CMMC certification—balancing visibility and security.
- Hosts joke about design concepts: "It’s a 110. It’s just a big 110. And it’s in bubble letters." – Host A [19:18]
8. C3PAO Advisory Council & Community Engagement
- [19:56–24:08]
- Advisory council update: Three committees and subcommittees coming together from a large pool of applicants, mainly CCPs and CCAs.
- Dialogue about broadening inclusion to other industry voices over time.
- Quote: "This council in the sense of community inclusion... is very refreshing." – Host A [23:23]
9. ESP & CSP Clarifications: Preventing Misconceptions
- [24:16–34:31]
- Matt Travis (Cyber AB CEO) injects humor, but re-emphasizes the urgency of clarity around ESPs vs CSPs (Managed Service Providers vs Cloud).
- Many organizations, primarily MSPs, are still being incorrectly marketed as CSPs or vice versa—leading to compliance risk.
- The AB prescribes three vital scoping questions for organizations to differentiate and properly handle ESP vs CSP relationships ([28:49–29:45]).
- Quote: "Your ESP is in scope when it processes, stores, or transmits CUI on ESP-owned assets." – Host A [27:08]
- Warning: C3PAOs and OSCs (contractors) equally bear responsibility; misclassification could void certifications and trigger further audits.
10. Potential Consequences for Incorrectly Certified Organizations
- [32:42–34:42]
- If a C3PAO erroneously certifies an OSC due to ESP/CSP misclassification, the organization risks losing certification, and an audit/investigation is warranted.
- Quote: "There needs to be some sort of audit report... It's not because we want to dunk on people... it's to make sure things are amply protected." – Host A [33:34]
Notable Quotes & Memorable Moments
- "No surprises with the government shutdown. No surprises that CMMC keeps on rolling." – Host C [00:29]
- "The only takeaway is you need to prepare for CMMC. And we see a lot of the primes now... saying what do you guys got going on? We need to know immediately." – Host A [02:14]
- "The tier three screening process cannot afford to take two steps back." – Host A [07:08]
- "The thing I like about [Cat Adams] is ...she is open to feedback and just talking through things very well." – Host C [10:05]
- "If there is a case ... where a C3PAO assessed an organization, deemed them an MSP but they're a CSP... there needs to be some sort of audit report." – Host A [33:34]
- "It's only sad if there's no improvements that come from it and there's no learning that happens from it." – Host A [35:06]
Key Timestamps
| Timestamp | Segment | Notes |
|-------------|-------------------------------|----------------------------------------|
| 00:02-04:25 | Government Shutdown | CMMC continuity throughout shutdown |
| 00:52-03:52 | Title 48 & Prime Contractor | Upcoming rule, prime and sub responsibilities |
| 05:33-08:07 | Screening & Assessment | Ongoing ecosystem processes |
| 08:19-11:13 | Personnel Updates | New roles: Cat Adams, CFO shift |
| 12:04-16:02 | Ecosystem Growth | Rapid increase in C3PAOs, certifications, international reach |
| 17:15-19:48 | CMMC Badge Discussion | Visibility vs. privacy |
| 19:56-24:08 | Advisory Council Inclusion | Subcommittee formation, ecosystem inclusion debate |
| 24:16-34:31 | ESP vs CSP Clarification | Defining service provider boundaries, tangible risks |
| 32:42-34:42 | Certification Risks | Consequences of misclassification |
Final Thoughts
The episode highlights continued momentum in the CMMC ecosystem, including steady rulemaking progress despite external uncertainties, significant ecosystem expansion, and growing international interest. The hosts emphasize the importance of accurate service provider classification (CSP vs ESP) and the critical role of collective vigilance across the ecosystem—including contractors, assessors, and leadership.
Even with the light-hearted banter and occasional jokes, there’s an undercurrent of urgency: clarity, accountability, and continual improvement are essential as the CMMC program moves into its pivotal operational phase. The community-centric approach is welcomed, and regular updates like these help maintain transparency and momentum.
