
Inside the June 2025 CMMC Town Hall: Ecosystem Updates, Clarifications, and Compliance Guidance
As the CMMC 2.0 rollout continues to gain momentum, keeping up with monthly updates from The CyberAB is one of the best ways for defense contractors and service providers to stay aligned with current expectations. Each Town Hall offers a real-time snapshot of how the program is evolving—highlighting new rules, emerging risks, and common compliance mistakes.
The June Town Hall delivered important updates on ecosystem capacity, clarified how Cloud Service Providers (CSPs) fit into the CMMC framework, and reinforced ethical boundaries around the use of official symbols and marks. It also featured a special presentation on CUI, which remains a persistent source of confusion across the Defense Industrial Base (DIB).
Whether you're preparing for your own assessment or advising others through the process, here are the key insights from the June 24, 2025 session.
A new leader is overseeing DFARS rulemaking
The Department of Defense has officially confirmed Hon. Michael P. Duffey as the new Under Secretary of Defense for Acquisition and Sustainment. Sworn in on June 5, Secretary Duffey now holds direct oversight of the Title 48 DFARS rulemaking process that will define how CMMC is formally integrated into federal acquisition regulations.
While no new publication date for the Title 48 rule was announced, Duffey’s appointment provides renewed momentum for the policy side of the program. His background includes extensive experience at both the DoD and OMB, which is expected to support progress on CMMC implementation across federal contracts.
The CMMC Ecosystem is scaling rapidly, but capacity remains a challenge
The CMMC ecosystem continues to scale, with steady growth across assessors, practitioners, and authorized C3PAOs. As of June:
- 73 C3PAOs have been authorized
- 389 assessors have been certified, with 266 designated as Lead CCAs
- 877 professionals have achieved the CCP credential
- More than 500 C3PAO applications have been submitted, signaling continued interest and expansion
These figures represent real progress, but they also highlight how much work lies ahead as assessments become more routine and the DIB ramps up its readiness efforts.
Defining CMMC scope for Cloud Service Providers
The Town Hall addressed continued confusion around how CSPs are treated under the CMMC framework, particularly when they handle Controlled Unclassified Information (CUI) or Security Protection Data (SPD).
CSPs that process, store, or transmit CUI must be FedRAMP Authorized or meet a FedRAMP Moderate Equivalent. If they handle CUI or SPD, their services will be in scope during the CMMC assessment of an Organization Seeking Certification (OSC). Their responsibilities must be clearly outlined in the Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix (SRM).
However, if a CSP does not touch CUI or SPD, it is considered out of scope for CMMC. This clarification helps OSCs determine which vendors need to be formally included in their documentation and assessment scope, and which do not.
How to use logos and marks ethically
The CyberAB reiterated that companies may not use official logos, badges, or other symbols to suggest they are certified or authorized unless those designations have been formally granted. Misusing or modifying these materials without permission violates the Code of Professional Conduct and can result in disciplinary action.
This guidance applies to websites, marketing materials, email signatures, and even retired badges. Organizations are reminded that the official DoD CMMC program logo is not to be used to imply a company is certified or has completed a self-assessment. Only approved, earned designations may be represented, and only in the manner authorized by The CyberAB or CAICO.
Clarifying CUI requirements
James Goepel, author of several foundational CUI guides, joined the Town Hall to provide updated guidance on Controlled Unclassified Information. He reinforced that CUI includes information that requires safeguarding under laws, regulations, or government-wide policies, but is not considered classified under national security standards.
This session served as a helpful refresher on how to correctly identify and label CUI, which remains one of the most misunderstood parts of CMMC compliance. Goepel’s work continues to be a leading resource for organizations that need practical, real-world clarity on how to manage CUI in accordance with NIST SP 800-171.
Keeping an eye on what’s next
The CyberAB also highlighted several upcoming opportunities for organizations to learn more about CMMC, including a virtual webinar series in late July and the National Cyber Summit in September. Additional events are planned for October in National Harbor, Maryland. These gatherings offer valuable chances to stay informed, connect with experts, and build confidence heading into assessments.
As more companies pursue certification and more assessments get underway, the importance of staying informed cannot be overstated. Each month brings new guidance, rulemaking developments, and field-level insights that can shape how you prepare. The June Town Hall provided a timely mix of program updates, technical clarifications, and ethical reminders to help organizations stay on track.