Ardalyst Town Hall Recap: February 2025 Cyber AB Town Hall Highlights

The latest Cyber AB Town Hall, February 2025, delivered critical updates on the progress of the Cybersecurity Maturity Model Certification (CMMC) program, including timelines, compliance clarifications, and major regulatory changes. If you’re a defense contractor, Managed Service Provider (MSP), or Defense Industrial Base (DIB) supplier, here’s what you need to know.

TL;DR – Key Takeaways from the Town Hall:

  • CMMC is here to stay, with strong DoD support under Katie Arrington.
  • Expect CMMC requirements in RFIs in early Q2 2025 and solicitations by summer.
  • C3PAOs are expanding, but demand will be high – schedule your assessment early.
  • CUI handling will be standardized across all federal contracts under the FAR-CUI rule.
  • Cyber incident reporting deadlines, as drafted, are strict: 8 hours for general incidents and 72 hours for DoD-related incidents under the FAR 48 CFR proposed rule.
  • MSPs and MSSPs handling CUI are in scope for CMMC and must ensure compliance.

Katie Arrington Returns as DoD CISO – A Stronger Commitment to CMMC

One of the most notable takeaways from the town hall was the return of Katie Arrington as the DoD’s Chief Information Security Officer (CISO). This signals a renewed and strengthened commitment from the new administration to CMMC implementation. If there was any doubt about whether CMMC would move forward, this announcement should put concerns to rest – CMMC is here to stay.

CMMC to Appear in RFIs by Early Q2 2025 and Solicitations by Summer

Cyber AB leadership confirmed that CMMC requirements will start appearing in Requests for Information (RFIs) in early Q2 2025 and are expected to be included in DoD solicitations by summer 2025. This means defense contractors should accelerate their compliance efforts now to avoid disruptions to their eligibility for contracts.

The key takeaway? The window for compliance preparation is closing fast. If your organization isn’t actively working towards CMMC compliance, now is the time to act.

C3PAO Growth: Expect Triple-Digit Certified Assessors by May 2025

One of the biggest concerns for defense contractors has been the availability of Certified Third-Party Assessor Organizations (C3PAOs). Cyber AB is forecasting a significant increase in C3PAOs, with the number expected to reach triple digits by May 2025.

This expansion will help streamline assessments and ensure that more organizations can achieve certification in a timely manner. However, demand is expected to be high, so companies should schedule assessments early to avoid delays.

Background Checks for Tier 3: Be Prepared for a Long Wait

For those involved in Tier 3 assessments, Cyber AB emphasized that background checks are taking at least six months. If you’re waiting for Tier 3 clearance, patience is key – inquiries about status updates should be minimized to avoid additional backlogs.

CMMC Certification Mark: Do Not Use Without Official Guidance

A CMMC certification mark was discussed during the town hall, but Cyber AB was clear – this mark should NOT be used to imply certification status. Cyber AB has requested further guidance from the DoD on its proper usage, so organizations should avoid using it until official direction is provided.

The template for the Certificate of CMMC Status is out now. This template will be presented once you have successfully passed the CMMC audit. It is important to note that no one has been awarded one yet. It will also include your auditor’s seal in the lower-middle space.

FAR-CUI Rule: Standardizing CUI Handling Across Federal Contracts

The Federal Acquisition Regulation (FAR) CUI Rule is set to introduce a standardized form (Standard Form XXX) for managing Controlled Unclassified Information (CUI). It will require contracting agencies to explicitly list all CUI in the contract using the form. This form will address:

  • Security and training requirements for CUI handling
  • Clarification of unmarked CUI, ensuring uniform classification

As CUI management remains a major concern for contractors, this standardization effort is a significant step forward in simplifying compliance requirements.

Read more here: FAR 48 CFR Rule: Key Changes for Small and Mid-sized Contractors – Tesseract

Cyber Incident Reporting Requirements: Be Ready for 8-Hour and 72-Hour Deadlines

Organizations should take note of new proposed cybersecurity incident reporting rules in FAR 48 CFR:

  • 8-hour reporting requirement for cybersecurity incidents (regardless of business hours)
  • 72-hour reporting requirement for incidents affecting the DoD

Cyber AB strongly recommended that organizations seek immediate external legal counsel in the event of an incident to navigate compliance and minimize risk.

Read more here: FAR 48 CFR Rule: Key Changes for Small and Mid-sized Contractors – Tesseract

MSPs & MSSPs: Confirm Your CMMC Scope

For Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), the town hall confirmed that if your organization has access to customer CUI, you are in scope for CMMC compliance. For MSPs that serve defense contractors, this means ensuring your cybersecurity program meets CMMC standards is now a non-negotiable requirement.

The Time for Compliance Is Now

With compliance requirements solidifying, the best way to stay ahead of these changes is to take action now. Ardalyst’s Tesseract solution is designed to help defense contractors achieve and maintain CMMC compliance efficiently and cost-effectively. Contact us today to ensure your organization is prepared for these requirements.
