
April 2025 Cyber AB Town Hall Recap: Key CMMC 2.0 Program Updates and What They Mean for OSCs and C3PAOs
While CMMC 2.0 is now officially live, the surrounding ecosystem is still maturing. Authorized assessors are just beginning to conduct evaluations at scale, and real-world implementation continues to evolve. With new guidance, tooling updates, and clarification from the Department of Defense (DoD) and the Cyber AB emerging regularly, staying current is critical to avoiding costly delays or missteps during certifications.
The Cyber AB’s monthly Town Halls offer a front-row seat to the latest program developments, shedding light on common issues and clarifying how service providers can support compliance. They also provide valuable updates on ecosystem capacity, rulemaking progress, and program expectations.
The April Town Hall delivered clear next steps for organizations seeking certification (OSCs), practical guidance for C3PAOs, and a transparent look at how the CMMC ecosystem is progressing. Here are the key takeaways from the session held on April 29, 2025.
1. Organizations have begun achieving certification, but pain points are slowing progress
The CMMC ecosystem continues to grow, with 85 organizations having now achieved full Level 2 certification. Four others have received conditional certification through a Plan of Action and Milestones, and nearly a hundred more assessments remain in progress. Some of these are paused due to organizations being underprepared, reinforcing the importance of pre-assessment readiness.
There have been other points of friction as well. The DoD has identified an issue with inaccurate CAGE codes that prevent assessment records from transferring correctly from CMMC eMASS to SPRS. To address this, organizations are being urged to verify that their CAGE code is accurate, listed in SAM.gov, and correctly associated with their organizational hierarchy before sharing it with a C3PAO. While longer-term technical fixes are in development, including validation and update capabilities in eMASS, OSCs should take immediate steps to ensure their information is clean and complete.
2. The CMMC ecosystem is expanding, but maybe not quickly enough
The CMMC ecosystem is expanding across nearly every role. At the time of the Town Hall, there were 67 authorized C3PAOs and over 700 Certified Professionals, a number highlighted as particularly critical for supporting the program at scale. More than 5,000 individuals have applied to become CCPs, showing strong interest but also revealing the need for continued training and evaluation resources to bring new professionals online. Meanwhile, 345 individuals have become Certified Assessors, and 21 C3PAOs have passed the DIBCAC assessment.
Despite these gains, the GAO is currently conducting an audit of the ecosystem’s capacity, focusing on the readiness and availability of these key roles to support mandatory assessments at scale. The outcome of that audit will likely shape how the program scales further.
3. Service providers can support, not take on, their clients’ CMMC obligations
A major focus of this Town Hall was the role of Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and other External Service Providers (ESPs). The Cyber AB emphasized that while these providers play a crucial supporting role, they cannot take on core CMMC obligations for their clients.
The Town Hall clarified that any ESP that is not a Cloud Service Provider (the "ESP, not a CSP" category) involved in processing, storing, or transmitting CUI must be included in the OSC's System Security Plan (SSP) and Customer Responsibility Matrix (CRM). Their services are also in scope for the OSC’s assessment. However, the OSC is ultimately accountable for all 110 requirements and 320 assessment objectives. Providers cannot lend out their SSP, offer pre-approved CRMs, or stand in for core responsibilities such as defining security boundaries or user access.
While an ESP can seek its own CMMC certification, which may reduce the rigor required in client assessments, this does not exempt the client from their own compliance duties. The key message here was clear: your MSP can support your compliance, but it cannot achieve compliance on your behalf.
4. Mock assessments performed by C3PAOs must be strictly observational
The Cyber AB also addressed ethical boundaries for C3PAOs offering non-certification services like mock or gap assessments. These assessments must be conducted using formal processes and cannot include remediation advice. This is to avoid conflicts of interest if the same C3PAO later performs the official certification. While these mock assessments can provide value in identifying deficiencies, they are strictly observational and cannot provide guidance on how to correct the issues found.
5. No progress on Title 48 rulemaking, but CMMC is here to stay
On the regulatory front, there were no updates on the Title 48 rulemaking timeline. The DoD affirmed that CMMC remains a statutory requirement, and it is not expected to be negatively impacted regardless of political or administrative shifts. At the recent RSA Conference, the Acting DoD CISO confirmed the government’s continued commitment to CMMC.
The Town Hall also shared an active events calendar for May 2025, with key in-person and virtual opportunities for education, networking, and training. The Cyber AB will also host a webinar on the Secure Controls Framework Conformity Assessment Program in early May, underscoring its broader role in compliance beyond CMMC.
Staying ahead in an evolving ecosystem
The CMMC program is evolving quickly, and staying informed is one of the most effective ways to stay prepared. Whether you’re gearing up for your first assessment or helping others navigate the process, the guidance shared during these Town Halls can make a meaningful difference.