
A
All right, folks, it is June of 2026. It's halfway through June of 2026. So we are halfway through the year. And back in January we made some predictions about what we would see across the CMMC ecosystem by the end of the year. And it's looking pretty good for how our predictions are playing out. That's what we're going to talk about today, Jason. 60%, 70% of the time, we are correct 100% of the time. When it comes to these predictions, we've done pretty well in the past. And this is going to be our first mid-year review of our predictions so that our holiday edition prediction review doesn't take forever.
B
Yeah, Jacob, you know, I take everything Fergie says to heart. And I've been up in the gym working on my fitness and one of the things that has really been troubling me, couple problem pounds I just can't seem to shed. And after looking at the results of our predictions halfway through the year, I think it's a golden horseshoe that I can't seem to find when I step on the scale. So help me find it, Jacob. Help. Help me find it.
A
Oh, okay. For everybody who got the reference, you know, don't give us a copyright strike because you sound just like, just like the lyrics, right?
B
Yeah, Fergie and Jesus. There you go.
A
All right, let's jump right into it. We got seven predictions for what we thought we were going to see across the ecosystem. First prediction, 1,000 CMMC Level 2 certifications by March of 2026 and 2,500 by the end of 2026. Jason, back in January you were a little skeptical about this one. I was not. However, at least 1,000 Level 2 certifications by the end of March, that ended up being correct. There were 11, 13 Level 2 certifications by the end of March. We also said that we thought there was going to be 2500 Level 2 certifications by the end of the year. That is currently trending towards being correct. We are currently on pace, conservatively, for about 2600 Level 2 certifications by the end of the year. And remember folks, based off of the estimates in the original CMMC rule, DoD did not expect to hit 2600 Level 2 certs until the end of 2027. We are literally years ahead of time at the pace at which people are achieving CMMC Level 2. I'd call this a win.
B
Yeah, I think another win for you is the fact that you were able to slide in my skepticism and the fact that I was kind of off on this one before you even threw any of those numbers out there. Appreciate the solid, you know, friendship, you know, brothers united. Yeah, I was skeptical, but the reason I was skeptical, Jacob, is because, you know, whenever something can go wrong, especially when it comes to CMMC, it seems that we get a road bump here or there. Right?
A
Yeah.
B
And with things that were trending in the direction that they were trending at the time, I thought maybe a robot was coming. I'm so happy I was wrong. I am so happy it's going like this. Even more so, I think. Last month the town hall reported the largest increase in certifications in at least the last six months. So since we made this prediction, the largest output. So I'm glad we're turning this in direction. It's the direction it has to go. And it kind of sets the tone for some other predictions, if I'm not mistaken.
A
Yeah, absolutely. Let's get into the second one here. This one, this one ain't looking so great. But then again, it's very tough to tell. So prediction number two, at least 12 False Claims Act settlements against defense contractors for their cybersecurity noncompliance issues. Our prediction was there would be at least a dozen of these False Claims Act cybersecurity settlements and a majority of them would include seven-figure penalties. That was what the trend looked like at the end of 2025, but we're currently trending towards this being incorrect because there have been zero False Claims Act settlements so far in 2026, which is extremely puzzling to me because anytime you talk to people in the know, all they do is say there are a ton of these False Claims Act whistleblower lawsuits in the queue, like a hundred or more. It's not hard to hear about these cases that are obviously still under seal until they're settled, but there's like a ton of noise, there's a ton of smoke, there's clearly a ton of stuff in process, but none of the settlements have come out. In general, white collar crime enforcement is down across the board. And if you've been paying attention to current events over the last several months, DOJ staffing has taken a massive hit. So is that what's affecting this as part of broader trends and the whole thing is just slowed down on top of an already slow process? On the other hand, cyber False Claims Act settlements take a really long time, like years of time to get through the queue. So several of them could all drop at once in like a couple weeks from each other that were going through the process over the last two years. So there's still time for a bunch of them to come out before the end of the year, but as of right now, there are none.
B
All right, so first I'm, you know, if we're going to be wrong about one of our predictions for the year, it's the. I, I'm okay with being wrong with the one where it's people, you know, technically lying to the government about being compliant. Right. If it's for the right reasons. If I'm wrong for the right reasons, if it's a case like you just said last year, I think when we saw FCA cases come out, they all came out right about the same season. Right. Like they weren't sparse, spread out. Right. It was like it started, we saw one, then oh, another, oh, another. It started popping up. I don't know if it's going to be a case like that, like the dandelions out in my yard where all of a sudden I see one and then now there's a hundred and I have to battle them all. Or if it's a case where we're not seeing that much or there's unsubstantiated claims that aren't moving forward.
A
Yeah, yeah. I definitely don't think that the lack of settlements is due to the lack of cases that could be settled. Right. I, I think there's probably some sort of systemic issue.
B
That's why I said wrong for the right reasons. Right.
A
Yeah. But we'll just have to see as, as of this point, as of June, not looking so great on this prediction. There's still time, so we'll end up having to see what happens by the time December rolls around. Okay. Prediction number three. There will be no major funding appropriations for CMMC or for DFARS 7012 compliance. Specifically no large federal funding program to offset the cost of compliance. There will be no Brinks truck full of cash backing up to small businesses across the DIB saying, here's a bunch of money for you to deal with cybersecurity. This is trending towards being correct. There is zero effort, zero legislation, zero talk, zero momentum around anybody getting money given to them for these costs. However, as of June, there's no money but the ENCODE program has been funded. Summit 7 was one of the awardees that's going to help provide free enclave environments to very small companies who have to deal with DFARS 7012 and CMMC. We put out a blog about it. Check out the link in the show notes. So that's something, but it isn't exactly a lot of money for everybody. It is a great solution for the people that it's a great solution for.
B
Yeah, it's not, "Hi, here, you get a check to help you get compliant," which is what I think people were expecting. We need to get compliant. You pay the bills. Instead it's, here's a lease on your future as a contractor. Here is your compliant enclave environment that's set up, that's paid for for you to go and do what you need to do. I think that that's a much better trade off than just getting handed a check. And in the cases, especially with a lot of the organizations that are struggling with the CMMC program and the implementation this ENCODE program is directly going to benefit it.
A
Yeah, as of June, I would say this one is trending correct. No money. There are programs to help offset it, but I don't see anybody, you know, writing checks to the DIB.
B
I don't think they redo budgets in the middle of the year either.
A
So. Yeah, yeah, probably. Probably gonna be correct about that one. All right, prediction number four, the FAR CUI rule. The FAR CUI final rule will be published and effective before the end of 2026. Come on, GSA. Come on, FAR Council. It's the 10 year anniversary of when we were supposed to have the FAR CUI rule. We were expecting this back in 2016. It's caused untold issues and consternation and problems for the CUI program and other programs like CMMC that are dependent on the CUI program for a decade. Please, please put us out of our misery. We said the FAR CUI final rule would move from proposed to final and go into effect. As of right now, too soon to tell. Too soon to tell. One, nobody knows because real rulemaking processes don't tell you anything about the progress of rulemaking until the rules come out. So we all got very spoiled by DOD's CMMC rulemaking era where they would just tell you what was going on even though they weren't supposed to. The big problem is the revolutionary FAR overhaul is overhauling the entire FAR, DFARS and all the supplements. And they're pushing it all through rulemaking, making it once. So until that's done, individual changes probably won't happen. That is currently happening with the, the revolutionary FAR overhaul rulemaking process. So there's still time for the FAR CUI final rule to pop out on the other side of that before the end of the year. So we'll just have to see. I don't know, could happen. I wouldn't. I mean, at this point, after 10 years, it could also not happen. I think it's too soon to tell.
B
Is this the one that stings you the most?
A
It's. It's my white whale. It's my white whale. You know, I'm just like, it would. Yes.
B
Yeah, but. But it's so. It's. But it's not. Like there's not indications that the whale's not in the waters that you're hunting in. Right.
A
Like, we've seen it. I've seen it.
B
We've seen the whale. We've seen traces of. The whale's been here or traces of making an area good enough for the whale. Right. The FAR overhaul, isn't that one of those steps that has to happen, the precursor steps for all. All of this to take place?
A
Yeah, theoretically. Theoretically, they're not going to update the FAR in the middle of the FAR overhaul. They're probably going to change it after the FAR is overhauled. So there's still time for the FAR CUI rule to happen before the end of the year. But we'll have to see.
B
Yeah, the writing on the wall is that it's happening. Correct. Happens within the timeline we predicted. Yeah, but.
A
Yeah. Is it happening on a human timeline or a geological timeline? We still don't know.
B
That's the question. Nobody knows. Right.
A
I'm hopeful that we'll see it because the standard form at the bottom of the rule that clearly indicates you do or do not have CUI is going to make everybody's lives a lot easier. So it would be wonderful if the final rule actually goes into effect. So everybody keep your fingers crossed. All right, prediction number 5. CMMC 3.0. The proposed rule will be published before Halloween.
B
Oof.
A
The prediction was that the proposed rule to update the 32 CFR CMMC regulation, which everybody would historically refer to as CMMC 2.0, up to CMMC 3.0 to incorporate NIST SP 800-171 Revision 3, new DoD organizationally defined parameters, things like that would be published before Halloween. That is still pending. That rulemaking process, internal to the DoD, has been executed. We know through the grapevine that everybody's standing around waiting to send this rule out for interagency review and to get the final steps of the rulemaking process done. There's been leadership changes and so on and so forth, and people want to make their mark on new programs. And so things pile up on the desk. And as of June, I haven't heard any progress about this. So it still could happen. We all know that a lot of stuff around rulemaking gets dropped right around Thanksgiving to New Year's. So it's very easy that we could see this by the end of the year. Before Halloween, though, I don't know.
B
Look, I'm going on vacation in late August. I'm going on vacation in late September. Just if anybody historically knows how that figures into the factor, I'm going to start worrying about this prediction about that time, not just because I'm going on vacation, but because that marks the end of the government year. And usually that's when we see the trends trying to push things out the door before the year ends. Is that the case here?
A
I don't know.
B
I mean, again, writing's on the wall. Are they reading it? I don't know.
A
Yeah, the FAR CUI proposed rule exists. Comment period's done. What are we waiting for? The 3.0 CMMC proposed rule is done. It's waiting to go to interagency review. What are we waiting for? This is how rulemaking goes. It's really hard to tell, which is why it's so fun to try to make predictions. I'd say it's too soon to tell before Halloween, too soon to tell before the end of the year. The real takeaway here, though, we get this question all the time. 171 Revision 3 won't be a thing until CMMC 3.0 is final and in effect. So the longer this takes, the longer you have to, you know, prepare for 171 Rev 3, the more people will be on 171 Rev 2. So changes in clarity and the new rule would be nice. But additional time before you have to do 171 Rev 3 is also nice for a lot of people. So it's not the worst thing in the world.
B
I don't disagree with you.
A
There you go. All right, almost done. Prediction 6: At least one solicitation will include CMMC Level 3 requirements. We predicted that a solicitation would include CMMC Level 3 requirements ahead of the formal phased rollout schedule. We were correct about this. We have seen them. We have several clients who have otherwise been told directly by their customers. And you will need Level 3, 100%. Level 3 assessments conducted by DoD's DIBCAC team are still technically in pilot mode, but they've asked for people to sign up for the queue of Level 3 assessments. So that process is executing. That process is happening. The queue is forming. Is anybody going to get Level 3 before the Level 3 portion of the phased rollout? I'm not sure, but we have seen the requirement come out, so I'll call this one correct. Correct.
B
Yeah, listen, this is a. Again, we read the, the writing on the wall. We were seeing that preemptively. People were prepping it, and in the discussions they were saying, this is so that we can get Level 3 as soon as Level 3 is available. We are waiting on DIBCAC, insert agency here, to get things together for the process so that we can go through this and get it going. There are people chomping at the bit to get assessed for Level 3, and some of those people are in charge of major supply chains. So there you go.
A
Absolutely. Absolutely. All right. Last prediction that we made in January, the GAO report would show no major issues with CMMC. We said that the at-the-time upcoming GAO report on the CMMC program would be a big nothing burger. And we were right. There were no major findings in that report that would somehow derail or stop or revise the program. We did an episode all about it, and so we'll link to that below. DoD got a 95% if you count up all the criteria they were evaluated on for their strategy efforts for managing CMMC. The Cyber AB was all clear on the findings as well. The DoD in terms of the CMMC program office has created training for the rest of the DoD to leverage for the contracting workforce. And so it's kind of out of their hands. It's up to other parts of the DoD to pick it up and run with it, which is something not enough people were talking about as a result of the findings in the report. But GAO had to come up with something at the end of the report. And in my opinion, they, they, they kind of made it up. They said, the DoD doesn't have a plan in the event that there aren't enough assessors. And this was the part that the LinkedIn hive mind and the headlines jumped all over. They said, oh, my God, DOD doesn't have a plan for. There aren't enough assessors. Everybody thinks there aren't enough assessors. There's two big problems with that. First of all, the DoD does have a plan. That's what the waivers are for. That's what DoD said in the report. The, the GAO said, you don't have a plan. They said, yes, we do. And GAO said, well, that's not the plan we would have come up with. So we're calling it a finding. Read the whole report, everybody. Second of all, it's a fictitious, it's a fictitious situation. There are way more assessors than demand for assessments. There always have been. And it doesn't look like that situation is going to change anytime soon.
As of May of 2026, the ecosystem capacity for assessments is 395 assessments per month, or 4,700 or more. You have slightly more than 4,700 assessments per year as of May. If only half of the qualified assessor pool is working and they're only completing two assessments per month, at the current rate of growth of increased assessment capacity in the ecosystem for Level 2, by the end of 2026, you would have enough for 566 assessments per month. We've never come anywhere close to Level 2 demand for that number of assessments because, as we all know, contractors aren't ready for their assessment because they didn't comply with DFARS 7012, which is why CMMC was created in the first place. Big nothing burger. We were right. Read. Watch the podcast. Read the report for yourself. There you go.
B
I've reserved myself to the stance that until we can show that there are 80,000 organizations that can be assessed every single day, that somewhere some birdie is going to chirp that it's not enough or this isn't good enough. Right? Your math is terrible. Or that 5% that you're discrediting that GAO report to get your prediction right, technically is the equivalent to an SSP in an assessment situation, right? No SSP, no assessment. Right. The same situation. Listen, the plan probably wasn't as thorough, but 95 is 95. And there are points to address what needs to be addressed, but the numbers show that it doesn't need to be addressed. I don't know.
A
I mean, you know, it. Everybody's like, they don't have a plan for what if there aren't enough assessors? They ignore the fact there are way more assessors than we need. And nobody talks about the fact that we're on trend to hit as many Level 2 assessments at the end of year one that DoD thought they were going to hit by year two. Nobody wants to give them their flowers. Nobody wants to give them their credit. The program is a massive success halfway through 2026, halfway through phase one. And that's just the way the data shapes, shapes out.
B
Just a little bit of data to back that point up. Last month was the largest quantifiable growth of assessors in the assessment pool since the iteration of the CMMC program.
A
The rate of assessment capacity is growing faster than the demand for Level 2 assessments, including it doesn't look like that's going to change anytime soon. So that's the update halfway through the year on our predictions that we made back in January. One thing that we didn't see coming, because honestly, I thought it was dead, was the CIA rule. We just did an episode about that. The town halls where they want feedback from the DIB are coming up soon. So make sure that you get smart on what that rule means because it's a big deal for defense contractors and this and CISA wants your feedback. So that was one that kind of came out of left field. Check out that episode, like and subscribe. We'll see you next week.
B
See you next week.
Host: Summit 7
Date: June 11, 2026
Theme:
A mid-year review of predictions made in January regarding the CMMC (Cybersecurity Maturity Model Certification) ecosystem. Hosts Jacob and Jason assess what they got right—and wrong—about major trends, rules, enforcement actions, and the overall progress of CMMC compliance in the Defense Industrial Base (DIB) for 2026.
This episode takes a deep dive into seven specific predictions Summit 7 made at the start of 2026 about the CMMC space. The hosts break down which have materialized, which are still pending, and which may be off track, providing evidence, data trends, and candid commentary. The goal was to understand how reality is matching up with expectations, all with their signature mix of expertise and banter.
For deeper dives on any specific topic (ENCODE program, CIA rule, GAO report), hosts recommend checking dedicated past episodes and blog posts.