CMMC Compliance Guide

Cyber AB Town Hall Breakdown: Legal Lessons, Ecosystem Growth, and CMMC Phase 2 Progress

CMMC Compliance Guide Episode 37

Submit any questions you would like answered on the podcast!

In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey from Justice IT Consulting unpack the biggest updates from the Cyber AB’s October 2025 Town Hall and what they mean for defense contractors preparing for CMMC certification.

You’ll learn:

  • Why the government shutdown isn’t delaying CMMC or the 48 CFR rollout
  • The $875K False Claims Act case against Georgia Tech and what it teaches all contractors
  • How the CMMC ecosystem is expanding with more certified assessors and C3PAOs
  • Key insights from the University of Southern California’s Level 2 certification journey
  • Practical advice for small contractors: data mapping, documentation, and shrinking your CUI boundary
  • New ethics reminders and upcoming assessor certification updates from the Cyber AB

This episode delivers plain-English explanations and real-world lessons to help contractors stay compliant, avoid legal risk, and prepare for CMMC Phase 2.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap

Stacey:

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.

Brooke:

And I'm Brooke.

Stacey:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're breaking down the biggest takeaways from the Cyber AB's October 2025 Town Hall. There were major updates around the Title 48 rule, new legal enforcement cases, and even real-world success stories from USC. So let's dive into it. Brooke, with the government shutdown still underway, how is the CMMC program being affected?

Brooke:

Well, long story short, it's really not. It's proceeding as planned, as scheduled. They're still doing tier three reviews, background checks basically. They showed a graphic. I wish we had it here so we could show you; we maybe should have thought about that. But there was a graphic they showed with several things the government does, and they all had green check marks except for one, which I believe had to do with contracts. So the caveat may be that everything's still proceeding and everything will still start. 48 CFR will still go into effect on November 10th. But if the government is still shut down, it may not actually be written into any contracts until whenever the government reopens. So hopefully maybe it'll open before the end of the year. That may be the only casualty. Otherwise, the CMMC program as it is is proceeding as normal.

Stacey:

There was also a big legal story mentioned during the town hall. Can you explain what happened with Georgia Tech?

Brooke:

Sure. So Georgia Tech was involved in a False Claims Act issue, and they ended up settling, agreeing to pay $875,000. For a lot of small businesses that's a gigantic chunk of change. For Georgia Tech, maybe not, I really don't know, but it's a chunk of change, one that I would rather not have to be liable for. So it's good to stay away from the False Claims Act. The False Claims Act cases that I know about, the ones that have been reported, and by the way, most of those are the result of a whistleblower. You look down and see what happened, and it's whistleblower, whistleblower, whistleblower, whistleblower, whistleblower, compromise, whistleblower, whistleblower. So not all, but most of them are whistleblowers, people that say, hey, these people aren't actually doing what they say they're doing. And they're clear-cut cases of a company saying they have 110 and really not even addressing some of the controls. So it's not an oops, we messed up, we had a minor problem. It's not that. Although I'm not saying that won't happen, all of these that I know about are clear cut; they just weren't doing what they said they were gonna do. And that's what a false claim is, right? You say you're doing it, but you're actually not. So there are more of those. They're not slowing down, they're not just making an example out of a couple of people and moving on. There are more False Claims Act cases all the time; they keep coming. Like I said, most of them are whistleblowers, but they're not gonna slow down.
They want this to be in place and to actually really protect the DoD supply chain.

Stacey:

What is the current state of the CMMC ecosystem, and is it still expanding?

Brooke:

It is still expanding. There were something like 65 Level 2 certifications issued in the past month, which pushed them up to a little over 400. I don't have the number out here, but I think that was 430 or so Level 2 certifications. There are 21 conditional certifications, which means that they've been issued a POA&M and they have six months, 180 days, to go back and fix that before they get their certification. There are also 567 certified assessors, and one of the important numbers among those assessors is the lead assessor, and there's 331 of those. I'd like to see that number growing a lot quicker. I think I said this in the last podcast we had, but I'd like to see the lead assessors growing, because really the C3PAOs hire assessors and lead assessors to do the certification assessments. Some of them have CCAs and lead CCAs as employees, and then there's a lot of them that do 1099 work, and they may work for multiple C3PAOs, which is great, but that just means those people are very, very busy. So I would like to see the number of CCAs and lead CCAs grow at a much larger pace. That would be good. I guess it's a double-edged sword. It's possible, if you get a huge number of CCAs coming in, that there may be quite a few who don't have as much experience, but this program's gotta get off the ground. You're gonna have that; you're gonna have to work through it and just get through it. Everybody's gotta start somewhere, I guess. But the lead CCAs, and the CCAs in general, are really where the bottleneck is gonna be. We do have quite a few C3PAOs in the pipeline.
I don't recall the exact number, but there were quite a few C3PAOs in the pipeline that should be coming on board. So that's really great news. But like I said, I'd really like to see the number of CCAs and lead CCAs hopping up there as well. Along with that, the lead time on when you can get an assessment continues to grow. You can still get in with some newer C3PAOs or assessors; some newer ones may have a shorter lead time. But most of them at this point right now, in October, before we even hit November, most of them that I know of are booking out into January, February. Some of them, a lot of them, even further than that, but January and February is typical right now. So that's two months plus. And they have also said that once the final rule for 48 CFR dropped September 10th, they started getting busy. Makes perfect sense, because we've gotten busy too. Everybody sees the train coming. That light you see in the tunnel is a train coming. And we know the timeline and when it's coming and all that kind of fun stuff now. But anyway, the ecosystem is looking good, with the caveat that I would like to see a lot more CCAs and lead CCAs coming in.

Stacey:

Were there any leadership or structural updates inside the Cyber AB?

Brooke:

Yeah, the Cyber AB announced that the C3PAO Advisory Council, three committees, and one subcommittee are now fully staffed and ready to go. They put out a call, I don't know, a few weeks ago for people to submit their request to be on those committees. Anyway, they went through all those, went through the bona fides, I guess, and have staffed all those committees. So they're all fully staffed and ready to go. Those committees are the Assessment Guidance Committee, the CAP or CMMC Assessment Process Committee, the Accreditation Committee, and the ESP or External Services Committee. Actually, the ESP one is a subcommittee, and to tell you the truth, I don't know what it's a sub of, but it's a subcommittee. I've got just the quick descriptions of those. The Accreditation Committee is responsible for bringing clarity and making recommendations on the processes followed by the Cyber AB to accredit future C3PAOs. The Assessment Guidance Committee is responsible for helping the development of a CMMC body of knowledge for the CMMC ecosystem and defining consistent technical and administrative interpretations across all C3PAOs, which is needed. The CAP or CMMC Assessment Process Committee is responsible for advising on enhancements to the CAP document. The CAP is a really good document. It's very, very detailed and meant to help ensure that all of the assessments are as standard as possible. But there are things that need to be addressed in it. Nothing's perfect, right? So this committee will address that document, which serves as mandatory guidance for C3PAOs as they conduct CMMC Level 2 certification assessments.
And then the External Services Subcommittee is responsible for helping bring clarity to the roles of external service providers, which are generally described as CSPs and MSPs, but really the definition is a CSP or an ESP that's not a CSP, and identifying ways to encourage more ESP participation within the ecosystem. That is a major problem, because there's not many MSPs or ESPs that take part in the CMMC ecosystem. There are some knowledgeable ones, there are people that kind of play around the edges, and if they get into it a little bit, they realize that they probably should not play around the edges and should just stay out of it or get completely into it, right? With CMMC, really you're either in it or you're not. There are ways to partner with people to do that. But in any case, they're trying to encourage more participation. So all those committees are fully staffed and ready to go now.

Stacey:

So it seems like during the town hall they shared the University of Southern California's success story. Could you share some of the biggest highlights from their journey?

Brooke:

Yeah, sure. So USC's Institute for Creative Technologies, I believe is what it was, shared their experience getting their CMMC Level 2 certification. It's a really good real-world example. They said they're a small team, and in the world of enterprise, maybe they are a small team, but compared to our clients, they're definitely not a small team. But for them, they are a small team that took care of this. They didn't have a big giant staff. Just like anybody who has to go through this process, you've got to figure out what to do with the people you have. You can't exactly just hire a whole ton of people. Generally you can hire some, and you've got to figure out how to spend money, because it's gonna cost. But in any case, they started back in 2015, mapped their progress to 800-171, and then officially earned their CMMC Level 2 certification in 2024. They did narrow their CUI scope by making their CUI boundary Microsoft 365 GCC High. They ran multiple gap assessments. I believe one of the questions was, effectively, what do you wish you would have done? They effectively ran multiple gap assessments, but they said they would definitely recommend a mock assessment before your real assessment, to see where you're at, right? He said they spent a lot of time documenting their inheritances from cloud providers, like Microsoft 365 GCC High, stuff like that. They documented all those inheritances that float down. And they uploaded over, well, this will get you. We always talk about documentation, right? Documentation, documentation, documentation.
In fact, I don't know that I've said that in the past couple of weeks.

Stacey:

Yeah, it's been a while, actually. Yeah.

Brooke:

So this is a little bit technical controls and a lot process and documentation, right? That's really what it is. It's really a business thing, it is not an IT thing. There's not as much of an IT thing. But with documentation, you've got to be able to prove you're doing what you say you're doing, and documentation is the way you do that. So along with your SSP and all your policies and the plans and procedures you have and the authorized lists and all that kind of fun stuff, you have to upload artifacts to show, here's a screenshot of this, here's whatever it may be; those are the artifacts you upload. They said they uploaded over 330 artifacts. So that just goes to show you that there is a lot of documentation that goes into this. You can't shortcut the documentation. If you do, I would say you risk not passing your certification. And one of the things he said was that their main lesson was that CMMC isn't about technology, it's about process maturity. That's really it. Yes, you can say, I've got an antivirus. Well, what does it do? Well, here's what it does. We wrote it all down. This is how we configure it, this is what it does; it's all documented. Then you start going down the path of process maturity. So that's what he said.

Stacey:

Was there any advice shared for smaller contractors who may not have the same resources as USC but would like to achieve the same result as them?

Brooke:

Yeah, absolutely. Absolutely. They said some of the same things we do. They said start with data mapping. You can't protect what you don't know you have, right? And that's what we say: figure out what kind of CUI you have, and why you know that's CUI you have. Is it just because I'm guessing? Just because I make a widget for F-35s or a widget for a laser system or whatever it is, yeah, that's gotta be CUI, so I have CUI. Well, that's great, but you're guessing. So how do you know that's CUI? Well, it should come in the form of your contracts. Documents should be marked. Don't laugh too hard. Hopefully we'll start seeing more properly marked documents here before long. Supposedly, from what Katie Arrington said, starting in October you should see that. And October is just about over. So maybe we'll start seeing those properly marked documents coming more often now. We'll keep our fingers crossed that that's what happens. But start with your contracts, know what's in your contracts, know what DFARS clauses are in there. Ask your contracting officer, hey, is this CUI? Or if it's marked CUI and you don't think it should be, is this really CUI? Is that bolt right there, that is an off-the-shelf product, really CUI? I don't think it is. And they very well may come back and say, you know what, no, it's not. Really, in the end, they don't want more of a burden. Some of them do have a tendency to just say everything in here is CUI. But in the end, they really don't want more of a burden on themselves than they need to have. So it's about knowing, if you have CUI, what type of CUI you have, why you know that, and then figuring out where all that's at in your systems.
And your systems could be email, could be SharePoint, a server, could be your ERP or MRP, a laptop, a CAD program; there's a lot of things it could be. So you've got to figure out where all that's at. So they said start with data mapping. That's what we talk about. And they said treat compliance as an administrative process, not an IT project. And that's true. It's the business, it's not just IT. If you treat it as just an IT project, then they're gonna say, that's more IT stuff, and you've got to do it with the budget you have, you've got to do it with the people you have. So I definitely agree with that. Treat it as an administrative process. And he said shrink your boundary. I agree: if it's at all possible to take that scope of CUI and narrow it down to a smaller scope, just a few machines, just a few people, however you can shrink that boundary, that scope for your CUI, do it if you can. Some people can't do it, just by the nature of their work. Sometimes it's possible to say, do we really need to be doing it this way? Can we do it a different way? So figure out your boundary, and shrink it if you can. And then he said document everything. Again, documentation, documentation, documentation. Document everything. Make sure you keep and save that documentation in the right places. And I would say put it in a GRC tool, don't keep it on a file share, because then you start getting different versions that are hard to track, and oh, somebody saved it over here or over there. If you put it in a GRC tool, it's there with version tracking, and you can work on it there, in one spot. And the one thing he did say was that the technical stuff is easy.
And I'd say easy-ish, but the technical stuff is easy, and he's pretty much right there. The people and the processes are the hard part. They are. Even in the normal IT world without any compliance, the people and the process are the hard part. You can put all your technical controls in to protect people from all sorts of malware and all sorts of problems, all sorts of compromises. But if that user is intent on clicking that link from somebody they don't know, I wouldn't say there's very little you can do, but they're gonna test the boundaries of your tools. So yes, people and processes are definitely the hard part.

Stacey:

Were there any reminders from the Cyber AB about professional ethics in the ecosystem?

Brooke:

So he did remind us of the ethical obligations that we all have. The C3PAOs, the CCAs, the RPs, RPOs, CCPs, everybody that's in the CMMC ecosystem has to sign the code of professional conduct and is held to these ethical obligations. And if there's a legal or ethical issue, we have to report it. That's plain. But at the same time, you've got to make sure that's an actual problem. You don't want to be just tattling on people you don't like, right? He didn't say that. But that includes fraud, misrepresentation, or any actions that could damage the credibility of the program. It all boils down to this: they're trying to protect the integrity of the Cyber AB and the whole CMMC ecosystem. That's what they're trying to protect. Makes perfect sense.

Stacey:

Were there any updates around assessor training or certification programs?

Brooke:

Yes. The CCA exam, I believe, is scheduled for release in 2026. Updated CCP training is launching now. I have it here in my notes. They also said that this had to be people that have not actually signed the code of professional conduct. Okay. In fact, my wife is watching this with me, and she's been dumped in the deep end with me about all this. She was watching it with me and she turned to me and said, are people really doing that? What they've done is they've taken fake certification badges and put them on their website and whatever else, claiming that they're certified, or, I guess, they don't really know what that means. I can't imagine anybody that's an actual CCP or RP or anybody like that using something that's not correct. There's a right way to do that, and they hammer that in. So I don't know who was doing that, but there are certainly people that are doing that. And there are also people that are putting up, and really the one thing he did talk about was that there are some Level 2 certifications also that people are posting on their website. You're not supposed to do that. They're looking at doing a version that you can publicly post, but there's nothing official that you can post on your website that you're Level 2. You can say you're Level 2 compliant or certified, but there's nothing from the Cyber AB that you're supposed to be able to do that with. And they did say official digital credentials are in development for that Level 2 certification. So they're working on that. Like I said, it's something they realized would be helpful for people during the conference, during the CS5 conference that was, gosh, I don't know, a week or two back now. Time has flown.
I've lost complete track of time. But they did say that some people mentioned it would be really nice to be able to search a database of all the companies that are Level 2 certified to find suppliers that you can use. And they said that's a great idea, except China would love to know who's certified and who's not. So don't expect that anytime soon. That's a huge risk, putting all that together in one spot. Not that they couldn't figure it out by looking at people's websites, but you don't want to make it easy for them, right? So we'll see if that comes or not.

Stacey:

That makes a lot of sense. I didn't think about that. That might be a problem.

Brooke:

Exactly.

Stacey:

So people are just making like Canva badges.

Brooke:

I guess. I guess that's what they're doing. I don't really know what they're doing, to tell you the truth.

Stacey:

That's wild. That takes me by surprise as well. So to round everything out, what were the key takeaways from this town hall for contractors preparing for 2026?

Brooke:

Sure. The biggest thing, of course, and I think we've probably said this on the last few podcasts too since September 10th, is that CMMC is moving forward. It's coming. There's no stopping it. The government shutdown's not gonna stop it; nothing's gonna stop this. They're gonna keep on rolling forward. The longer the government shutdown lasts, it's possible that these may not actually get written into any contracts until the government reconvenes, but other than that, CMMC is coming. There's nothing stopping it. They know they need it, they want it in place, and they want to move forward on it. So however pretty or ugly you think this thing is, it's moving on. And it will help secure the DIB. It will. There's a lot of it that's a little onerous, but it will help secure the DIB, and so they're moving forward with it, because they know we have to do that for our national security. Contractors that focus on documentation, consistency, and transparency set themselves up for success. Everybody they've had on that talks about achieving a Level 2 certification or something of that nature, what I can tell you is that they've all talked about using a GRC tool. Not that you have to, not that everybody that's passed has, but a GRC tool makes it a lot easier for you to keep track of all that documentation. So that's a really important thing to do. They talked about a few things, but the other important thing they talked about, other than hammering on ethics again, is that these False Claims Act issues are gonna keep popping up. They're not gonna go away.
They're trying to take care of those and make sure that they don't happen. So just be careful, make sure that you're doing what you say you're doing, make sure that the score you put in SPRS is correct, as correct as you can make it, and you don't want a False Claims Act case filed against you.

Stacey:

If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.