
May 2026 Cyber AB Town Hall Recap: New Guidance Around ESPs, CSPs, and CMMC Scoping
The May Cyber AB Town Hall focused heavily on one topic that is likely going to affect a huge portion of the Defense Industrial Base over the next year: how organizations scope and classify External Service Providers (ESPs) under CMMC.
The discussion centered around newly updated CMMC FAQs from the Program Management Office (PMO), particularly guidance clarifying when an ESP may actually be functioning as a Cloud Service Provider (CSP) and what that means for FedRAMP requirements.
The Town Hall also included a new COO introduction, updates on Level 2 certification growth, the state of the ecosystem, the CMMC Marketplace 2.0, clarification around joint ventures, maintaining compliance after certification, and credential management updates from CAICO. But the clearest takeaway from the session was this:
Many organizations may not fully understand whether the providers supporting their environment are acting as MSPs, ESPs, or CSPs, and getting that distinction wrong could create major assessment issues later.
ESPs vs. CSPs and why the distinction matters
One of the most important moments in the Town Hall came during the policy discussion around ESP scoping requirements under 32 CFR §170.19(c)(2)(i).
The PMO recently added new FAQ guidance clarifying that organizations seeking assessment (OSAs) are responsible for determining:


Cyber AB CEO Matt Travis emphasized that many providers currently positioning themselves as "MSPs" may actually be functioning as CSPs depending on how their services are delivered. If a provider is operating as a CSP and processing, storing, or transmitting CUI, FedRAMP requirements come into play, not just CMMC Level 2 requirements.
The Town Hall specifically called out "CMMC-in-a-box" style offerings where providers host large portions of an OSC's environment through cloud-delivered infrastructure and inherited controls. According to the discussion, many of these providers may be functioning more like CSPs than traditional MSPs, even if they don't market themselves that way.
The PMO is pointing organizations to NIST SP 800-145
One of the challenges highlighted during the session is that CMMC guidance tells organizations they must determine whether an ESP is a CSP, but doesn't provide a simple operational test for doing so.
Instead, the framework points organizations to NIST SP 800-145, which defines five characteristics of cloud computing. Importantly, Travis clarified during Q&A that all five traits must be present for a provider to be classified as a CSP under CMMC, not just one or a subset.
Organizations should evaluate whether a provider offers:

Travis noted that some providers may not realize their own architecture potentially places them into CSP territory under the CMMC interpretation of cloud computing. He specifically highlighted that a single-tenant arrangement (such as a dedicated GCC High or AWS instance) would not meet the resource pooling criterion, whereas a shared, multi-tenant model often would.
The broader message: organizations can't simply rely on vendor marketing terminology when determining their compliance obligations.
"A true MSP processing CUI is probably an edge case"
The Town Hall suggested that a "true MSP" processing, storing, or transmitting CUI outside of cloud computing scenarios may actually be relatively uncommon across the DIB. The examples provided were mostly centered around genuinely non-cloud scenarios:

Many modern managed environments that heavily rely on cloud-hosted delivery models may drift into CSP territory faster than organizations expect. This is likely to become an increasingly important issue as more contractors adopt enclave models and outsourced CMMC support services.
Clarifying common questions and misconceptions from DIB contractors
The May Town Hall addressed several questions that have been generating confusion across the DIB and the broader ecosystem.
FedRAMP Moderate equivalency: C3PAOs do not need to wait for DIBCAC
A practical question that had been creating uncertainty: does a C3PAO need to wait for DIBCAC to vet or validate a CSP's FedRAMP Moderate Equivalency (FME) assertion before proceeding with a Level 2 assessment?
The answer is no. If an OSC is using a CSP asserting FME, backed by an appropriate body of evidence and a third-party assessment under FedRAMP 3.0, a C3PAO can recognize and rely on that assertion directly. DIBCAC does not need to pre-approve it. Travis noted this clarification will be documented in the next update to the CAP, and it removes a potential bottleneck in assessments where CSP compliance documentation is already in order.
CMMC compliance must be continuous
The PMO also introduced updated FAQ guidance around handling system changes after achieving certification.
The discussion reinforced that CMMC compliance is not treated as a one-time event. Organizations are expected to continuously evaluate whether changes affect CUI flow, security requirements, assessment scope, SSP accuracy, or overall compliance posture.
The FAQ walked through a three-phase lifecycle for managing significant changes:
- Before implementation: Perform security impact analysis per CM.L2-3.4.4, assess effects on CUI flow per AC.L2-3.1.3, document the change through formal change management procedures per CM.L2-3.4.3, and review the planned change with the Affirming Official.
- During implementation: Document risks and temporary conditions per CA.L2-3.12.2, identify personnel responsible for the change, and track progress.
- After implementation: Update the System Security Plan per CA.L2-3.12.4, update all affected sections, and review with the Affirming Official prior to annual affirmation to ensure continued compliance.
The PMO indicated additional clarification around what constitutes a “significant change” is expected in future FAQ updates, and Travis noted the June Town Hall will go deeper on that topic with C3PAO input.
CMMC certifies systems, not companies
The updated FAQ guidance around joint ventures (C-A6) reinforced an important concept that comes up repeatedly in CMMC discussions: CMMC certifies information systems, not companies themselves.
The FAQ clarified that joint ventures must identify all CMMC Unique Identifiers (UIDs) in their proposals that will be used to process, store, or transmit FCI or CUI during contract performance. Those UIDs may apply to individual JV members or to the JV itself, depending on whether the JV operates its own shared systems and networks. In either case, the UIDs must accurately represent the scope of systems used during contract performance.
Travis was direct on the takeaway: stop thinking about whether a company is certified, and focus on whether the information system is certified. If a JV is using a certified information system and the appropriate UID is identified in the proposal, that satisfies the requirement.
Mock assessments can't be converted into formal certification assessments
A Town Hall attendee reported hearing from a Lead CCA that a non-certification (mock) assessment could be converted into a formal certification assessment mid-process if things were going well.
Travis was clear in his response: this is not permitted. A certification assessment must follow the sequential procedures in the CAP from the beginning, including submission of the pre-assessment form in eMASS as part of Phase 1. You can convert a certification assessment into a mock if the OSC requests it, but the reverse is not allowed. Any C3PAO that has provided consulting or remediation advice during a mock assessment is also conflicted out of conducting the certification assessment for that OSC due to conflict of interest.
There is currently no formal cooling-off period between a mock and a certification assessment, though Travis noted the CPO Advisory Council is actively working on whether guidance should be established for this area.
The CMMC ecosystem continues to grow
The Town Hall included updated ecosystem statistics showing continued expansion across the certification landscape.


On the certification side: 1,391 Final Level 2 Certificates have been issued (+14%), 47 Conditional Certificates remain open (+11%), and 140 Level 2 assessments are currently in progress (+11%).
The 15% surge in CCAs from April to May is notable. Travis acknowledged that the slight decline in the CCP number is largely attributable to CCPs graduating to CCA status rather than attrition.
Credential management updates
CAICO leadership covered several operational updates relevant to CCAs, CCPs, and those in the certification pipeline:
- 8140 cert verification: During data migration audits, CAICO found some records missing underlying DoD 8140 certification data. If you receive an email from ISACA requesting your 8140 cert number or date, this is the reason, not a compliance issue.
- Reinstatement process improvements: CAICO is streamlining the reinstatement process for individuals whose certifications lapsed during the Cyber AB-to-ISACA transition. Simple lapses due to missed renewals should now be resolved more quickly without requiring full reprocessing.
- No CPIN is required before the CCP exam: Candidates do not need a CPIN prior to taking the CCP exam. The CPIN is assigned after passing the exam, when the candidate's information is submitted to Cyber AB to initiate the Tier 3 background investigation.
- No government sponsor required: CCP and CCA applicants do not need a government sponsor to initiate their Tier 3 investigation; the Department of Defense sponsors that process automatically. The only scenario requiring an external sponsor is a CSP seeking a full FedRAMP ATO.
- CCI transition emails: CAICO has sent emails to all CMMC Certified Instructors (CCIs) outlining their transition pathway. Those with an existing underlying instructor credential from an approved organization will go through a shorter verification process; those without will go through a more formal credentialing process including an interview and quality review.
What the latest Cyber AB updates mean for defense contractors
If you rely on an MSP or CMMC enclave provider, find out whether that provider meets all five NIST SP 800-145 criteria for cloud computing. If they do, FedRAMP or FedRAMP Moderate Equivalency is the compliance bar, not CMMC Level 2. Do not rely on how your provider markets itself. Ask whether your environment runs on shared, multi-tenant infrastructure, confirm whether FedRAMP or FME documentation exists, and get the answers before your assessment begins.
If you have already achieved Level 2 certification, review the change management FAQ (F-A5) against your current processes. If you do not have a formal procedure for evaluating whether a system change affects CUI flow or assessment scope, build one now. The PMO has signaled that "significant change" guidance is coming.
For C3PAOs and assessors: the mock-to-certification prohibition is clear but apparently not universally understood. Review the Code of Professional Conduct if there is any ambiguity on your team about what non-certification assessments permit.
We'll continue to track updates and insights from each Cyber AB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom.