CMMC Compliance Guide

CyberAB January Town Hall Updates: Key CMMC & FAR CUI Rule Insights for DoD Contractors

CMMC Compliance Guide Episode 11

Submit any questions you would like answered on the podcast!

In this episode of The CMMC Compliance Guide Podcast, we break down the most important updates from the CyberAB January Town Hall. From the latest developments in CMMC implementation to the newly proposed FAR CUI rule, we discuss what these changes mean for DoD contractors and beyond.

Key Takeaways:

  • The CMMC program is officially live under CFR 32—what this means for your business.
  • The FAR CUI rule and how it expands compliance beyond the DoD.
  • What DoD contractors should be doing right now to stay ahead of upcoming certification requirements.
  • The latest challenges in obtaining CMMC Level 2 certification and how to navigate delays.

If your business is in the Defense Industrial Base (DIB) or sells to the Federal Government, this episode is a must-listen! Stay informed, stay compliant, and don’t get left behind.

📩 Got questions? Contact us at cmmccomplianceguide.com/podcast – we’ll answer them for free on the podcast!

Stacey

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're diving into the latest updates from the Cyber AB's January Town Hall and what they mean for DoD contractors like you. There's been a lot of movement in the CMMC space, and we're here to break it all down. So, Brooke, why should DoD contractors care about what was discussed in the Cyber AB Town Hall?

Brooke

Well, these town halls that the Cyber AB does are great, great information for the whole CMMC world. They give you great information, great updates, things you wouldn't know otherwise. We also try to provide a little newsletter or little updates like this, but you just don't hear that very well unless you know to attend these or download the recordings or something. That's just really good information for the CMMC world.

Stacey

What were some of the biggest takeaways from this town hall?

Brooke

Yeah, so some of the updates from this town hall, a lot of them were stuff we already know or were in process last time. You know, the 32 CFR, it's final. We knew that. The 48 CFR, same status as last time, it's still proposed, hasn't come out as final yet. There's a little bit more news about that I think we'll get to here in a minute, but nothing specific. The new CAP 2.0 is out, the new code of professional conduct, which is a really big deal to everybody in the CMMC ecosystem. It's a big deal to CCPs like myself, a big deal to RPs, CCAs, lead CCAs, C3PAOs; it's a big, big deal. They make it clear that the code of professional conduct is real and you need to hold to that, which is all pretty common sense, but, you know, it's a real thing. One of the things that is not really specifically CMMC that they talked about is the new FAR CUI rule that came out. So the FAR CUI rule is the beginning of CMMC for the rest of the federal government. So that's a huge deal. They've been saying it's gonna come out, but now it's come out and it's the beginning of it. So that's a really, really big deal. There's some other inside baseball stuff. One of the inside baseball things, quote inside baseball, that they talked about were the tier three background checks, and just letting us know that once they get over to the federal government to do the tier three background check, it's kind of a black hole. You know, we just are not gonna find out. And full disclosure here, whenever I got my CCP, the only reason you had to get a tier three background check is if you wanted to take part on an assessment. Well, we don't do assessments. I don't care to be an assessor. I don't want to be in that part of it, and so I didn't bother with it.
Well, then they changed and said, oh, by the way, if you want to keep your CCP or CCA, you have to get a tier three background check. So I filled out all my, I think it's an SF 86 form, and turned everything in, got all that done, you know, was contacted, all that kind of fun stuff. And so now I'm just waiting on mine. So now, since the 32 CFR went final, those of us who were certified before, like a CCP or CCA, but had to go back and do their background check, since that 32 CFR went final on the 16th, we're in a pending status. So as soon as that gets done, we'll be able to move. I'll have that designation again. But anyway, nevertheless, those are a lot of the things that they talked about.

Stacey

Are there any new deadlines or changes in compliance expectations that contractors need to be aware of?

Brooke

There's not really any new deadlines or anything. The assessments are available right now. They became available December 16th, so the CAP is done, the professional conduct is done, C3PAOs are starting to be reauthorized. I don't know if all of them are reauthorized yet, but all of them had to get reauthorized. There's a good number of them that are already reauthorized, and new ones that are coming on. But that's available sometime in 2026, as we talked about the timeline before. Sometime in 2026 is when certifications will start being required, at least by the federal government. That doesn't mean their prime won't require it sooner. But so those are the kind of updates on the timelines.

Stacey

When will CMMC level two certifications be required on contract?

Brooke

That is a timely question, since I just mentioned that. I jump ahead on some of these things by accident sometimes. So at this point we don't know. I mean, that's the actual answer. But what it looks like, so the 48 CFR that's proposed, when it goes final, that's what will require it on the new contracts. So that is still in the proposed stage. President Trump, when he came into office, one of his executive orders was to basically say any rules that have been submitted but not published, or that haven't quite made it to being submitted yet as final rules, anyway, they need to pull those back and they need to take a look at them before they submit them. That's not really anything new. All administrations do that, at least from what I understand. So it just means that there's gonna be a little bit more time added on. The Cyber AB guesstimated another 60 days, maybe, but we'll see. So that 48 CFR rule, it'll likely be a little more than 60 days from today, for instance. You know, who knows when it'll actually be, but that added just a little bit of time on it. But still, if it goes into effect, say, this is February, so March and April, if it went into effect in the middle of May, that would mean roughly the middle of May in 2026 is when certifications would start being required on contracts, at least by the federal government. And again, we've talked about, if the middle of May 2026 is the date, then that's when they'll be required on new contracts. They also gave themselves a little bit of wiggle room to implement a little later or a little earlier, depending. Plus, the big question mark is what are primes gonna do? They're gonna want all their subcontractors to get in a good position before so they can say we're ready, because you're part of them being ready if you're a sub.
So the big question is when are primes gonna start requiring them or really pushing, or all that kind of fun stuff.

Stacey

So, with that being said, what are the next steps for companies that want to stay ahead of the curve?

Brooke

The next steps, if you want to stay ahead of the curve, really, are: make sure all your controls are taken care of, make sure they're all up to date, engage somebody to help you verify that you have all your documentation, and once you have all your documentation and you think, I'm ready to go, then hire a C3PAO. They're at least three to four months out or so right now. Most everybody that I know is, and so even if you say I'm ready to go right now, it's gonna be three or four months before you can even get started. And then it's gonna be another couple of months, likely, to go through and get that assessment. And so you're talking maybe six months down the road before you can even get a certification. So don't wait, do it now. It's not easy to get prepared, it's not easy to get all that documentation, and certainly not quick or easy to go through the certification process. So get it done now and be ready and pull that trigger on the C3PAO as soon as you know that you're gonna be ready so you can get that in the works.

Stacey

You had quickly brushed over earlier about the FAR CUI rule. Could you go into it a little bit deeper and let us know what that entails?

Brooke

Sure. And I think I probably kind of touched on it. Like I said, I kind of jump ahead on some of these questions sometimes. I don't mean to. So the FAR CUI rule that was just published: the DFARS is defense federal acquisition request, it's for federal acquisition for the defense companies, that's what DFARS is. FAR is federal acquisition. So this is basically the beginning of CMMC for the rest of the federal government. So this means all of the federal government is gonna have to get on board and understand CUI, get that standardized, and start working with CUI and protecting CUI, and then I'm sure some sort of the CMMC process will come out to the rest of the federal government. But that is the beginning of it.

Stacey

Were there any common concerns or questions raised by attendees that we should address?

Brooke

Yeah, so really, I think probably the most common question, because there was a bunch of us, but, you know, there's people from the DIB, people from the CMMC ecosystem on the call. But for the people in the CMMC ecosystem, like RPs, CCAs, CCPs, there were a lot of questions about the tier three background check. And really, like I said a minute ago, once you submit your form, really after that, it's a black hole. You know, you get contacted at some point, and you get contacted by the Washington Headquarters Service, I think is what it is. I think I wrote that down. Yeah, Washington Headquarters Services. You get contacted by them, you get one attempt. If you're lucky, you get two attempts to contact you, and then they kick you out, and you have to start again. And so the process to get there is not short. And so if you get kicked out, it's a pain in the rear. You have to go back through it again. But once you get contacted, they'll probably want you to go in for a fingerprint check, and I can't remember what else. But anyway, they'll want to set those things up. And then after that, it's a black hole again. It's in the federal government. There's no website you can go to and see the status of my tier three background check. There's nothing like that. We're not the only ones they're doing tier three background checks for; they're doing them for the whole federal government. So I don't know what kind of piece of the pie, but I'm sure we're a small piece of the pie, you know, in the CMMC ecosystem. So that was the biggest thing. How long is it gonna take? In fact, it takes probably four to ten months on average to go through that tier three background check. Wow. And that's if everything goes well.
But I resubmitted mine, or submitted mine, I think October. So it's possible that I may have to wait till August for it to come back. So that's not good. So what that does also is it very well could narrow the field of available CCPs and CCAs to participate on these assessments, which is not good, because we're struggling to have enough anyway. And, you know, they're constantly trying to push people to get CCAs especially, and we need lead CCAs. That's a very strict requirement for a lead CCA. The tier 3 background check is the same for everybody, but it's taking a long time, and that was what the most questions were about.

Stacey

Are there any other challenges that contractors might face with these updates and how can they navigate them?

Brooke

The biggest challenge really is not knowing when exactly you need to be certified. You know, one of the biggest challenges for us last year was, you know, what's gonna happen with security protection data, you know, SPD, what's gonna be the final requirement? We know what the proposed rule said; what does the final rule say? Now we know. And so now we gotta make sure that we meet that final rule. But we had a whole year to look at it and figure out what we're gonna do for those places where we needed to address it. So this is kind of the same thing, you know, when are you gonna need to be certified? Well, not really sure. But when it happens, it's probably gonna happen quick. And it's only gonna be on new contracts. But, you know, if you're bidding on new contracts or you get POs right now, some of our clients get POs, they don't necessarily sign a contract to get new business. It's part of that PO, and maybe there is some sort of contract somewhere; maybe that's gonna change. I'm not the one that actually gets that business, so I don't exactly 100% know, but this is what our clients are telling us. But that's gonna change, and that'll probably change fairly quickly. And so, like I said, these C3PAOs are backlogged, and that's not gonna get any better probably for the next four years, I would imagine. You don't know when you're gonna need to be certified, so you just can't wait. You know, if you do wait, you're likely to be behind the eight ball and trying to figure something out because you can't get new contracts yet. The other thing with all this is that, as far as the DoD is concerned, you've known since 2017, the end of 2017, that you've needed to be compliant with NIST 800-171, R2 now.
So as far as the DoD is concerned, the cost associated with being compliant and all that fun stuff, and the act of being compliant, getting compliant, that's water under the bridge. That should already be done. They're not concerned with that. And so if there's anything that needs to be POAM'd, get it taken care of, or a POAM that's not taken care of yet, you need to get that taken care of.

Stacey

That wraps up our recap of the January Cyber AB Town Hall. If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. So please, please, please text, email, or call in your questions. We will answer them for free here on the podcast, and you can find our contact information at cmccomplianceguide.com.