Sum IT Up: CMMC News Roundup

NIST SP 800-171 Revision 3 has been out for two years. DFARS 252.204-7012 says to use the most current version. So why are defense contractors still using Revision 2? Because they're supposed to. In this episode, we break down the temporary rule that overrides the DFARS clause and keeps the entire ecosystem aligned on Revision 2. We cover: • What a class deviation actually is and why it matters • Why DoD had to pause the shift to Revision 3 • How CMMC rulemaking controls the transition • And when Revision 3 will realistically start showing up in contracts Bottom line: contractors aren't behind. The rules haven't changed yet. ....... Register for Summit 7 Live: https://www.summit7.us/s7live 171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final DFARS 7012 deviation (PDF): https://www.acq.osd.mil/dpap/policy/policyvault/USA001074-24-DPC.pdf 32 CFR 170: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170 Class deviation podcast: https://youtu.be/voziZRAMvv4?si=3xHm7I_gIeQTQxLf Class deviation press release: https://www.war.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/

This week we sit down with a C3PAO who has completed over 100 CMMC Level 2 assessments. We chat cost, timeframe, assessor backlogs and the most common issues facing defense contractors. Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679

We are back at it again with another rundown of the Cyber AB's monthly town hall and there sure was a lot of valuable information distributed during the meeting. Join us for this episode of we discuss some of the key information dished out this month and weigh on any impact it may have on the CMMC Program. Things like: • Milestones achieved by the program this month! • Why was the new DoW CIO talking to Armed Services committees? • How is the ecosystem growing? • What to expect in the CAICO transfer to ISACA. And so much more...Tune in to find out! Cyber AB TH Replay's: https://cyberab.org/News-Events/Town-Hall ISACA Website: https://www.isaca.org/

Everyone is talking about a “November 2026 deadline” for CMMC Level 2. There's just one problem… it's not real. In this episode, we break down what the CMMC rule actually says about Phase 2, what really happens starting in November 2026, and why most contractors are misunderstanding the rollout. If you're in the defense industrial base, this is the clarity you need to plan your timeline the right way. Key topics: • What Phase 2 actually means • When Level 2 requirements apply (and when they don't) • Why this isn't a mass certification deadline • How to think about your real CMMC timeline • Stop chasing phantom deadlines and start focusing on the contracts that matter. Register for Summit 7 Live: https://www.summit7.us/s7live PALT: https://youtu.be/C50UXJyz4PA?si=ySn1oIS4FaK4Si9f 32 CFR 170.3: https://www.ecfr.gov/current/title-32/section-170.3 Jan 2025 memo: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf

GAO's latest report on CMMC sounds cautious. They warn about external risks, ecosystem constraints, and gaps in DoD's strategy. But that framing misses the bigger story. Since the 2021 report, CMMC has gone from a fragmented concept to a functioning system. The ecosystem exists. Training exists. Small business support is working. So why does the report feel so negative? In this episode, we break down where GAO is right, where they're overstating the risk, and why the real story is the program's quiet but meaningful progress. Register for Summit 7 Live: https://www.summit7.us/s7live GAO Report (2026): https://www.gao.gov/products/gao-26-107955 GAO Report (2021): https://www.gao.gov/products/gao-22-104679

Most defense contractors assume everything written in the CMMC Level 2 Assessment Guide is a requirement. But that's not actually how the framework works. In this episode we break down the structure of the assessment guide and explain why roughly 75% of the document is explanatory text, not normative requirements. You'll learn: Where the real requirements come from in NIST SP 800-171 How verification procedures in NIST SP 800-171A become assessment objectives Why discussion sections and examples are informative, not prescriptive Understanding the difference between requirements, assessment objectives, and explanatory guidance can help contractors avoid unnecessary controls, reduce documentation overhead, and simplify CMMC compliance. CMMC Assessment Guides: https://dodcio.defense.gov/cmmc/Resources-Documentation/ NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final NIST SP 800-171A: https://csrc.nist.gov/pubs/sp/800/171/a/final

Iranian cyber actors are targeting the Defense Industrial Base. So does CMMC actually help? In this episode, we mapped 130 real-world techniques used by five Iranian threat groups to the controls behind NIST SP 800-171 using the MITRE ATT&CK framework. Here is what the data shows: • 100% of techniques are detectable • 68% are mitigated with preventative controls • Just a handful of core controls drive most of the defensive impact We also examine what that means for Cybersecurity Maturity Model Certification and why 800-171 remains a strong floor for protecting CUI. But there is a gap. Only about half of the relevant NIST SP 800-53 that mitigate known Iranian techniques are represented in the 800-171 baseline. If you are a defense contractor, this episode will show you what compliance actually buys you and where you may need to go further. Register for Summit 7 Live: https://www.summit7.us/s7live MITRE ATT&CK: https://attack.mitre.org/ Mappings Explorer: https://ctid.mitre.org/projects/mappings-explorer CISA Alert: https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

The Cyber AB has once again summoned the CMMC Ecosystem to deliver its monthly update and on this week's show we are going to break it down for you. Join us as we take all the information distributed during the meeting and dish out the information you need to know. Things like: Can my FSO check on my Tier 3? Have we eclipsed the 1,000 assessments milestone? When does a mock assessment stop “mocking”? Updates on the ISACA/ CAICO switchover And so much more...Tune in to find out! Sum It Up: “The End of SPRS Scores (sort of)”: https://youtu.be/_UFN7fubgQY?si=EgtchmuAHti24Cr8 Cyber AB TH Recordings: https://cyberab.org/News-Events/Town-halls ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc

The DoD Inspector General is raising concerns about CUI marking again and the numbers don't add up. In 2023, the IG found that 48% of reviewed CUI documents lack proper markings. Yet the DoD CUI Program website reports only 9% were unmarked that same year. So which is it? In this episode we break down the latest DoD IG management advisory, where the recommendations fall short, and why the CUI program and the CMMC program (although closely related) are owned by different offices that can't fix each other's problems. For defense contractors, this isn't academic. CMMC enforcement depends on the integrity of the CUI program. If CUI marking is inconsistent, compliance risk increases downstream. Summit 7 Live: https://www.summit7.us/s7live 2026 IG Report: https://www.dodig.mil/reports.html/Article/4397146/management-advisory-dod-policy-and-training-on-dissemination-controls-for-contr/ 2023 IG Report: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/

CMMC is a condition of contract award and many defense contractors are waiting until they see CMMC requirements in a solicitation to get started. But the department of defense wants the period between solicitation and award to be as short as possible. This week we crunch the numbers on 1,070 upcoming Navy contracts to see what a realistic timeline ought to look like. Summit 7 Live: https://www.summit7.us/s7live PALT Pod 2024: https://youtu.be/NZs4f5voyrg?si=S-xarOpYyiSG00Bs NAVAIR Forecast: https://www.navair.navy.mil/LRAE

The largest change to DFARS cybersecurity requirements other than CMMC took place on February 1st, 2026, and nobody knew it happened. DFARS 7019 and 7020 have been replaced by DFARS clause 252.240-7997. Basic self-assessments have been eliminated. FAR 52.204-21 has a new number. And none of this went through rulemaking. This week we're diving deep into the mysterious world of class deviations and what they mean for defense contractors moving forward. RFO Website: https://www.acquisition.gov/far-overhaul DFARS RFO Deviations: https://www.acq.osd.mil/dpap/dars/dfars_far_overhaul_class_deviations.html CMMC class deviation: https://youtu.be/vC4IJ2JQ5NU?si=B8I9DII4ZEbQ2dNx 7012 class deviation: https://youtu.be/voziZRAMvv4?si=HxIkpUWnxyergEUQ

After a brief hiatus, the Cyber AB has gathered the CMMC Ecosystem to deliver its monthly update. On this week's show, we breakdown the information distributed on this month's meeting that you need to know. Things like: • Who is the new DoW CIO? • Pending shutdown and CMMC Impacts • Ecosystem Growth and Certification updates • Does this show count for CPEs? And so much more...Tune in to find out! ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI DAU CMMC microlearning: https://www.dau.edu/acquipedia?combine=cmmc&title=C&field_functional_area_target_id=All&field_topic_area_target_id=All ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc

Defense contractors aren't the only ones who need to implement NIST cybersecurity requirements for CUI. The big question has always been whether other agencies would require proof of implementation via the CMMC program. The GSA just revised their process for assessing nonfederal systems handling controlled unclassified information and it's way closer to NIST's Risk Management Framework than CMMC. CIO-IT Security-21-112r1 (PDF): https://www.gsa.gov/system/files/Protecting-Controlled-Unclassified-Information-%28CUI%29-in-Nonfederal-Systems-and-Organizations-Process-%5BCIO-IT-Security-21-112-Rev-1%5D.pdf Summit 7 Live San Diego: https://www.summit7.us/s7live

This week we sit down with Supply Chain Director Bo Birdwell to discuss Elbit America's latest open letter to suppliers regarding CMMC. Elbit's letter doesn't mince words: CMMC is here and the time to act is now. Bo not only walks us through the perspective of a major prime contractor on cost, timelines, outsourced services, CMMC Level 3, and more – he also drops a ton of helpful tips for current and prospective suppliers. Elbit Supplier Page: https://www.elbitamerica.com/suppliers#cyber MSP Collective: https://www.mspcollective.org/ Bo Birdwell: https://www.linkedin.com/in/bobirdwell/

The defense department has updated the CMMC FAQs for the second time in 3 months. In lieu of rulemaking updates the CMMC FAQs are the best place for updated guidance. This week we're exploring DoD's answers regarding everything from encryption to enclaves to VDI endpoints. CMMC FAQs: https://dodcio.defense.gov/CMMC/

Another year another set of eerily accurate predictions about defense cybersecurity requirements and the CMMC program. Like usual we got most of our 2025 predictions correct. For 2026 we're getting specific with False Claims settlements, CMMC 3.0, FAR CUI, and more! FCA episode: https://youtu.be/tPA-ALjW1Hk?si=KgPUAo4VqqmX3mNF DoD IG report: https://www.youtube.com/watch?v=RNafaUlgBGo Golden Dome: https://youtu.be/y88JqZdJsj0?si=eGpIm1jqKRYpW4n3

Defense Logistics Agency suppliers got a special Christmas gift: detailed estimates of CMMC requirements by DLA supply class! The Defense Department buys a lot of different products and services and the estimates make it clear that different types of contractors will experience CMMC requirements in very different ways. If only we could get every agency and mega prime to put out info like this. Episode Links: DLA SMB Website: https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/ What DLA Buys: https://www.dla.mil/Small-Business/Getting-Started/What-DLA-Buys/ Supply Classes: https://www.dau.edu/acquipedia-article/supply-classes

Another defense contractor is paying six figure fines after settling with the Department of Justice for allegedly failing to comply with DFARS clause 252.204-7012. The kicker: their own employee blew the noncompliance whistle and got a cut of penalty money. This is the fifth such settlement in 2025 and the DOJ is crystal clear that the don't discriminate just because a company is small. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo Memo: https://dodcio.defense.gov/cmmc/Resources-Documentation/ Swiss Automation: https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act MORSECORP: https://www.youtube.com/watch?v=ZnePk6jaezA Raytheon: https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating Aero Turbine: https://www.youtube.com/watch?v=hFEEVGXv_00 GTRC: https://www.justice.gov/opa/pr/georgia-tech-research-corporation-agrees-pay-875000-resolve-civil-cyber-fraud-litigation DFARS 7012: https://youtu.be/cy4e28YAkXU?si=MqGKGNAHTPyvj-DI

A recent webinar from the US Army Corps of Engineers told suppliers that if they only handle paper CUI, then CMMC requirements don't apply to them. That's a significant concession to industry on par with COTS exemption and POAMs. But is this USACE flexing their discretion or are they setting up a conflict by setting policy around CMMC applicability? Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

Register for CMMC Industry Week: https://www.summit7.us/industry-week Since the 48 CFR CMMC final rule was published in September 2025 we've seen supplier notices from Lockheed, RTX, BAE, HII, and many others. Most recently, Northrop Grumman recently published a supplier announcement titled “CMMC 2.0 is Final – Are You Ready?”. The big takeaway: don't expect CMMC waivers from your prime customers because they can't grant them to you. Pathfinder 101: https://www.summit7.us/pathfinder Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo DFARS 7012: https://youtu.be/cy4e28YAkXU?si=KvezY7Vu7zXf9qYZ 32 CFR Final rule: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program 48 CFR Final rule: https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of January Memo (PDF): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf