April 2026 Cyber AB Town Hall Recap: The New Cyber EF, a Marketplace Overhaul, and a Reality Check on Prime Enforcement

April's Cyber AB Town Hall had a different energy than most. Instead of a major policy announcement or a deep technical debate, this session focused on something just as important: clearing up confusion. Much of the conversation centered on the growing gap between what the government has formally required under CMMC and what prime contractors are already demanding from their supply chains.

A lot of contractors are hearing urgency from customers and assuming it reflects a new DoD deadline. In many cases, it does not. It reflects business decisions being made by primes right now.

The other major update was structural. The Cyber AB formally introduced the Cyber Engagement Forum (Cyber EF), a new subsidiary designed to take over functions that no longer fit cleanly inside an accreditation body, including the practitioner program, Marketplace modernization, and broader ecosystem engagement.

The overall message was clear: CMMC implementation is maturing, and the ecosystem around it is maturing with it. Here are the biggest updates from April's Town Hall and what they mean for contractors.

Prime contractor deadlines are not the same as DoD deadlines

One of the most useful parts of the Town Hall was Matt Travis directly addressing what he described as continuing confusion and conflation around CMMC implementation timelines and prime contractor deadlines.

The DoD's three-phase rollout has not changed. Phase 1 began on November 10, 2025 and focuses on Level 1 and Level 2 self-assessments, with the Department reserving the right to require Level 2 C3PAO certifications earlier in select contracts. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification requirements start appearing more broadly in new contract awards. Phase 3 follows in November 2027 and covers Level 3 certification through DIBCAC, with the full ecosystem expected to be at scale by November 2028.

What Travis emphasized is that these are milestone start dates, not universal deadlines.

That matters because many subcontractors are being told they need Level 2 certification much sooner than the government timeline would suggest. That pressure is often coming from prime contractors, not from the DoD itself. Some primes have already started setting their own internal deadlines, including requirements for suppliers to achieve Level 2 C3PAO certification by the end of the fiscal year if they want to remain eligible for future work. Those are prime-driven decisions based on supply chain risk management, not official CMMC phase deadlines.

In practical terms, the question is no longer just "What phase are we in?" It is "What is my prime requiring?" For many subcontractors, that answer matters more than the federal implementation chart.

The Cyber AB launched a new organization: the Cyber Engagement Forum (Cyber EF)

The biggest announcement of the evening was the formal introduction of the Cyber Engagement Forum, or Cyber EF, a new subsidiary of the Cyber AB that will operate independently with a specific purpose: handling the parts of the ecosystem that create tension with the Cyber AB's role as an accreditation body.

As the Cyber AB works toward full ISO 17011 recognition, certain activities become harder to justify living inside the same organization. Accreditation bodies are expected to be impartial overseers, not active participants in the ecosystem they regulate. That includes operating a practitioner program, managing a marketplace, and doing broader ecosystem engagement and advocacy. Creating the Cyber EF separates those responsibilities so both sides can function more effectively.

Mike Snyder, who has been part of the CMMC program since its earliest days and most recently led the CAICO, will head the new organization. Its early priorities include rebuilding the practitioner program, launching Marketplace 2.0, creating a formal CMMC Body of Knowledge, improving support for ESPs and MSPs, and expanding engagement across the broader DIB.

The Cyber AB will retain its core accreditation and oversight responsibilities, including C3PAO authorization and accreditation, CAP and Code of Professional Conduct ownership, and adjudication of elevated appeals. Two parallel missions, two distinct organizations, same umbrella. This is less of a branding exercise and more of a structural correction that has probably been needed for a while.

Marketplace 2.0 is intended to be more than a directory

The current CMMC marketplace is, by the AB's own admission, a directory. Functional, but far from the transactional, searchable platform the ecosystem needs. The next version, being built in partnership with Ramp Exchange (the same team behind the GovRAM marketplace), is designed to be substantially different.

One example shared during the Town Hall was provider segmentation. Today, an RPO that offers readiness support, managed services, and implementation help often has to force those services into a single listing. The new marketplace is expected to allow much cleaner service breakdowns within a single profile. Filtering will also improve significantly, including by geography, language, and service type. Vendor tools and products will be included alongside practitioners and service providers, and there is active discussion around allowing organizations to highlight adjacent expertise like NIST 800-53, not just CMMC-specific services.

The platform is not live yet, and the existing Ramp Exchange environment is currently tied to GovRAM, not CMMC. Beta participation is expected soon, with an invitation to ecosystem members to participate. For contractors trying to figure out who can actually help them, this should eventually be a much more useful tool than what exists today.

The practitioner program is getting a real overhaul

Snyder was candid about what the practitioner program has been missing: content that was stripped out during rulemaking uncertainty, a lack of interactivity, and materials that have not kept pace with where the program has gone.

The redesign will be built by a third party rather than in-house, which is both a departure from how it has been done before and a practical decision. It allows for faster updates and a more interactive experience without requiring the EF to rebuild from scratch every time something changes. The new structure will move toward what Snyder described as a stronger Level 2 foundation for practitioners, with a new Level 3 track being developed to support organizations heading into the DIBCAC assessment realm. Beta testing is planned before any broader rollout, which did not happen with the previous version. The target for initial course releases is fall 2026.

CAICO corner: Account migration issues and the PI-to-CCI transition

Todd Gagnon, Executive Director of the CAICO under ISACA, walked through several operational updates following the April 1st transition.

The most immediately actionable item for credential holders: the account migration created duplicate ISACA accounts for a significant number of people. If you have an existing ISACA account and cannot locate your CMMC certifications, this is likely why. The fix requires contacting ISACA customer support directly so the accounts can be merged. You can reach them either through the support page on the ISACA website or by calling the 24/7 support line. Note that the phone number is listed at the bottom right of the support page and is not immediately obvious from the main ticket submission screen.

The PI-to-CCI transition is also getting underway. ATPs will receive process guidance first, followed by broader communication to all PIs, with the goal of working through existing conversions during May and opening the CCI application to new candidates in late May.

A few other items worth noting. ISACA is collecting all credential fees going forward, not the Cyber AB. CCAs are required to maintain their underlying CCP certification to keep their CCA in good standing. If the CCP lapses, the CCA is at risk. The renewal fee for CCP is $45 for ISACA members and $85 for non-members. Lead CCA designation does not require additional CPEs beyond what the CCA requires. And actual assessment work does not count toward CPE requirements, which remains a point of confusion for many assessors.

One additional note for candidates new to the credentialing process: the entry point is now entirely with ISACA. Training, exam, and initial credentialing all happen through ISACA before anything is passed to the Cyber AB for Tier 3 processing.

Tier 3: Who to contact

Travis also walked through the Tier 3 adjudication process in more detail than usual, prompted by persistent confusion and frustration from candidates who do not know where things stand or who to contact.

The short version: if you have a Tier 3 submission in process, do not contact DCSA, WHS, or the PMO directly. All inquiries go to the Cyber AB at tier3_submission@cyberab.org. The AB retains administrative coordination even as the CAICO function has moved to ISACA. The only exception is if six months have passed without a determination, at which point candidates can contact the PMO directly through the website form.

The reason for this is straightforward. Tier 3 processing touches five distinct organizations: the Cyber AB, the CMMC PMO, DCSA, WHS, and the CAICO. The handoffs between them are sequential, and the AB has visibility at the front end and the back end but not during the internal adjudication steps. That is why contacting DCSA or WHS directly usually does not help and often just creates more confusion.

Ecosystem numbers

Level 2 final certificates are now at 1,198, up 12 percent, with 42 conditional certificates and 124 assessments currently in progress. Authorized C3PAOs remain at 103. There are now 766 CCAs, 1,583 CCPs, and 489 Lead CCAs. Registered Practitioners grew 4 percent to 2,110, while RPOs increased to 278 and RPOs with C3PAO designations reached 398. ATPs and APPs hold steady at 51 and 12 respectively.

These are positive trends, but they still represent a small portion of the total market that will eventually need certification. The ecosystem is growing, but contractor demand will continue to outpace supply for some time, especially as prime contractor enforcement accelerates.

What DIB contractors should do next

April's Town Hall was a reminder that compliance timelines are no longer just about reading the regulation. You need to understand what your contracts require, what your prime expects, and how quickly those expectations are changing.

For many organizations, the real deadline is not November 2026. It is whatever date your prime contractor quietly put in an email three months ago.

At the same time, the ecosystem itself is becoming more structured. The Cyber EF, Marketplace 2.0, and the practitioner program overhaul all point toward a more mature operating model around CMMC, one where contractors should have better access to qualified help and clearer pathways to readiness.

We will continue to track updates and insights from each CyberAB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom.