
48 CFR Rule Is Expected to Go Into Effect in the Fall: Here’s What We Learned from the May CyberAB Town Hall
The CyberAB’s May 2025 Town Hall offered timely insight into the evolving CMMC ecosystem and clarified several points of confusion that have surfaced since the release of the 32 CFR rule.
Here are 8 key takeaways from the session.
1. The CMMC ecosystem continues to expand steadily
CMMC certification activity continues to grow steadily. Over 115 organizations have now achieved a final Level 2 (L2) certification, with an additional 3–4 organizations awarded conditional certifications and around 60 assessments still pending. In parallel, more than 130 joint surveillance assessments—which meet the same technical standard as a CMMC Level 2 assessment—have been completed by authorized C3PAOs.
To support this growing demand, the CyberAB noted the steady expansion of the ecosystem, now made up of:
- 70 authorized C3PAOs (up from 67 in April)
- 364 Certified CMMC Assessors (CCAs)
- 787 Certified CMMC Professionals (CCPs)
- 346 Registered Practitioner Organizations (RPOs)
In total, nearly 7,000 applications have been submitted across the C3PAO, CCA, and CCP roles. This signals sustained interest, but it also highlights the need to keep building ecosystem capacity, particularly ahead of the anticipated finalization of the 48 CFR rule later this year, when demand is expected to rise sharply.
2. The 10-day re-evaluation period is not for remediation
One of the most valuable clarifications from the Town Hall was around the 10-day re-evaluation period established under 32 CFR § 170.17(c)(2). This rule allows an Organization Seeking Assessment (OSA) to submit additional evidence for any requirement marked as “Not Met” during an assessment, but only if the evidence already existed at the time of assessment.
In other words, this period is not a grace window for remediation. Organizations cannot use this time to draft new policies, install new technologies, or implement corrective actions. The CyberAB emphasized that “additional evidence” should really be understood as “additional existing evidence”: documentation or artifacts that were not available or could not be located during the assessment because of oversight, staff absence, or other logistical issues.
This evidence can only be submitted before the CMMC Assessment Findings Report is finalized, and it cannot change the status of any other requirement already assessed. It is also important to understand that this rule does not limit the normal discretion CMMC assessors have during fieldwork to request small clarifications or adjustments before issuing a finding on whether a requirement has been met.
For OSAs, this clarification is critical: make sure your internal teams are aligned and all relevant evidence is organized and readily accessible before your assessment begins.
3. 48 CFR rule will likely be in effect in the fall of 2025
The Town Hall also included a recap of the CMMC CEIC West event, where Department of Defense (DoD) officials reaffirmed the long-term future of the program.
Katie Arrington, who is performing the duties of the DoD Chief Information Officer, reiterated that CMMC is here to stay and Stacy Bostjanick, Chief of the DoD’s Industrial Base Cybersecurity Office, indicated that the 48 CFR rule is expected to go into effect in fall 2025.
Once final, this rule will kick off the CMMC phased rollout, making certain CMMC requirements enforceable through contract clauses.
4. CSPs must be FedRAMP Authorized if they handle CUI
This month’s Town Hall provided extensive clarification around the responsibilities of Cloud Service Providers (CSPs).
If a CSP is processing, storing, or transmitting Controlled Unclassified Information (CUI) on behalf of an OSA, then it must:
- Be FedRAMP Moderate Authorized or equivalent
- Be engaged in the OSA’s CMMC L2 assessment and provide a Customer Responsibility Matrix (CRM)
If the CSP handles only Security Protection Data (SPD) and not CUI, FedRAMP authorization is not required. However, they still must participate in the OSA’s L2 assessment and submit a CRM.
If the CSP does not touch either CUI or SPD, it is considered out of scope for CMMC purposes.
5. MSPs and MSSPs must get CMMC L2 certified if they handle CUI
The Town Hall also clarified requirements for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs)—collectively referred to in the 32 CFR rule as “External Service Providers (ESPs) that are not CSPs.”
If an MSP or MSSP processes, stores, or transmits CUI, it must:
- Meet all 110 NIST SP 800-171 Rev. 2 requirements
- Participate in the OSA’s assessment and submit a validated Customer Responsibility Matrix
While the 32 CFR rule does not explicitly state that MSPs handling CUI must undergo their own Level 2 assessment, it does say they may do so if it is “to their advantage.” Why would it be to the MSP’s advantage? Because the minimum assessment type for an ESP is dictated by the OSA’s DoD contract requirement. If the OSA only has to complete an L1 or L2 self-assessment, then the MSP only has to self-assess. But if the MSP is not itself L2 certified and one of its clients is an OSA undergoing a C3PAO-led assessment, the MSP must be assessed by that C3PAO as part of the engagement. This is true even if it is the second, third, or tenth time the MSP has supported an OSA pursuing L2 certification.
In short, if you're an MSP or MSSP supporting clients in the Defense Industrial Base, getting your own CMMC Level 2 certification is not optional. It’s the most practical and scalable path forward.
If the MSP/MSSP handles only SPD, certification is not required, but they still must be included in the OSA’s assessment.
If they handle neither CUI nor SPD, they are out of scope.
6. The MSP Collective lists MSPs that have achieved CMMC L2 certification
A growing number of MSPs and MSSPs have already completed their Level 2 certifications, and the MSP Collective is helping make them visible.
Because the CyberAB Marketplace does not currently list ESPs that aren’t CSPs, this third-party resource has become an important signal for OSAs seeking high-assurance partners.
As an independent directory, the MSP Collective validates each listing with the relevant C3PAO to confirm the MSP has:
- A completed CMMC Level 2 assessment
- An SPRS score of 110
- A validated CRM submitted during assessment
7. CAGE Codes must be accurate and up-to-date
The CyberAB issued another firm reminder during this month’s Town Hall: Commercial and Government Entity (CAGE) codes must be accurate and match what is listed in SAM.gov prior to a Level 2 assessment.
If an incorrect or incomplete code goes unnoticed until after the assessment, the resulting administrative corrections are burdensome and can delay certification. Organizations should confirm their SAM.gov registrations are current and consistent across systems to avoid unnecessary disruptions.
8. Lead CCAs will now be automatically listed in the CyberAB Marketplace
In response to delays caused by a previously manual process, the CyberAB has launched a new workflow for Lead CCA applications. Those who receive Lead CCA status will now be automatically listed in the CyberAB Marketplace, which should help C3PAOs and OSAs identify qualified lead assessors more quickly and efficiently.
Staying ahead of the CMMC phased rollout
The May 2025 Town Hall reinforced that CMMC is entering a more defined and enforceable era. With the 48 CFR rule likely to take effect in the fall, the ecosystem is transitioning from preparation to implementation. With the timeline clear, the requirements codified, and the ecosystem that supports certification expanding, organizations can no longer afford to take a passive approach.
The session also underscored how vital clarity and coordination are to the program’s success. Misunderstandings, whether around the 10-day re-evaluation period or the certification expectations for MSPs, can derail readiness and create compliance gaps.
Key reminders:
- The 10-day evidence window is for existing artifacts only, not remediations.
- Understand how your service provider relationships affect scope and assessment requirements.
- Ensure your CAGE code is accurate in SAM.gov prior to assessment.
For organizations preparing for Level 2 certification or navigating their service provider ecosystem, these insights provide timely and practical guidance.