June 2026 Cyber AB Town Hall Recap
Expert Insights | July 1, 2026

June 2026 Cyber AB Town Hall Recap: Why the DIB Needs to Stop Planning Around November 10 as a CMMC Deadline

The June Cyber AB Town Hall covered a lot of ground: a myth-busting segment on the November 10 implementation date, practical due diligence guidance for hiring a C3PAO, a False Claims Act settlement, a counterfeit CMMC certificate discovered in the ecosystem, and updates on the proposed FAR CUI rule. 

The throughline across all of it is that the CMMC program is maturing faster than many contractors realize, and the decisions organizations make now will matter more as Phase 2 approaches.

Busting the November 10 deadline myth

The Cyber AB directly addressed a widespread misunderstanding that is actively shaping how organizations are planning their CMMC certification timelines.

The rumor: Tier 3 background investigation delays are causing a CCA shortage, C3PAO availability will dry up, and OSCs won’t be able to complete their Level 2 certifications once the November 10 Level 2 "deadline" arrives.

Matt Travis separated the truth from the inaccuracies directly.

What is true

Tier 3 background investigations do take time. Four to ten months is a reasonable rule of thumb. This requirement is codified in 32 CFR, and it would take a formal DoD rulemaking action to change it. 

What is not true

There is no CCA shortage relative to current demand. As of June 2026, 107 authorized C3PAOs are operating. Some are booked through the year, but many aren’t. An OSC that picks up the phone this week can get a Level 2 assessment scheduled. 

The constraint is not availability. It is awareness and urgency on the part of OSCs who are waiting longer than they should.

More importantly, November 10 is not a deadline. It is the beginning of Phase 2 of CMMC implementation. Here is how the phased implementation framework works:

  • Voluntary phase (began December 16, 2024): Organizations could pursue Level 2 certification voluntarily before any contract requirements kicked in.
  • Phase 1 (began November 10, 2025): New solicitations began requiring Level 1 or Level 2 self-assessments where applicable. The DoD retained discretion to include Level 2 C3PAO requirements in individual contracts, but it was not a standard mandate. 
  • Phase 2 (begins November 10, 2026): New solicitations will routinely require Level 2 C3PAO assessments. The DoD may opt to defer when that requirement becomes effective within a specific contract, such as pushing it to an option year. Level 3 requirements may also begin appearing in individual contracts at DoD discretion.
  • Phase 3 (begins November 10, 2027): Level 3 DIBCAC assessments will begin appearing routinely in new solicitations, again with DoD discretion to defer within contracts.
  • Phase 4 / Full implementation (begins November 10, 2028): All solicitations and contracts will include applicable CMMC level requirements as a condition of contract award.

CMMC is not retroactive. Existing contracts will not be modified mid-performance, but organizations with option years on the horizon, or that are expecting to bid on new work after November, should be planning for Level 2 certification now. The window for organizations to get ahead of requirements rather than chase them is closing.

What to ask before hiring a C3PAO

With Phase 2 approaching and more OSCs actively selecting C3PAOs, the Town Hall dedicated a full segment to due diligence questions that organizations should be asking before they sign an engagement.

The obvious questions are table stakes: availability, location (relevant if there is an on-premises component), fee schedule, sector experience, cloud environment familiarity, and how the C3PAO incorporates official CMMC doctrine (NIST SP 800-171A, 32 CFR Part 170, the CAP, and the CMMC Scoping Guide) into its assessments.

The questions worth asking that most organizations do not think to ask:

  • How do you manage risks to impartiality and conflicts of interest? ISO 17020, the standard C3PAOs must meet, requires robust impartiality management. A C3PAO that cannot answer this clearly is a risk. If they run afoul of Cyber AB requirements mid-engagement, your assessment schedule will be affected.
  • When does your DIBCAC three-year assessment period expire? Every authorized C3PAO must undergo its own DIBCAC assessment and renew every three years. Being listed on the Marketplace as authorized means they passed, but not necessarily that they are current. If a C3PAO's renewal lapses between when you sign and when they assess you, your timeline is at risk. 
  • Is there anything in your corporate future that would affect your FOCI status? Merger and acquisition activity can trigger a Foreign Ownership, Control, or Influence re-screening by DCSA. C3PAOs are not obligated to disclose M&A plans, but it is a reasonable question to raise.
  • How many months are left in your 27-month authorization period? Authorized C3PAOs have 27 months to achieve accreditation under ISO/IEC 17020 through the Cyber AB. The Cyber AB cannot grant extensions beyond that window. If a C3PAO is a year into their 27-month period and has not yet begun the accreditation process, that is worth knowing before you engage them.

Hard copy CUI and CMMC assessments

This month’s FAQ segment will matter to a meaningful segment of the DIB, particularly manufacturers and defense suppliers who handle sensitive technical documents in physical form.

FAQ C-Q11 asked: are CMMC assessments required for organizations that only handle hard-copy CUI?

Based on the lesser risk associated with paper-only scenarios, organizations that exclusively handle hard-copy CUI are not required to complete a CMMC third-party assessment. A self-assessment or voluntary third-party assessment remains an option, but it is not mandated.

Hard-copy CUI still carries a compliance obligation under NIST SP 800-171 and DoD Instruction 5200.48, even without an assessment requirement.

More importantly, the exemption ends the moment CUI enters a digital system. Scanning, photographing, uploading, emailing, or printing CUI to a contractor-owned system brings that system into scope for CMMC assessment requirements. And that assessment will cover both the paper and digital CUI together.

Organizations that believe they are outside CMMC scope because they "only handle paper" may be digitizing CUI in ways they have not fully considered. If your workflows involve any of the actions above, your information system may be in scope for a Level 2 C3PAO assessment.

Updates to the Proposed FAR CUI Rule

The proposed FAR CUI rule resurfaced earlier in June with several updates following a previous public comment period. This rule applies to federal contractors more broadly, not just the DIB, but it has real implications for organizations operating across both DoD and civilian agency contracts.

Key changes in the updated proposed rule:

  • New location in FAR Part 40. The rule has been reorganized to sit in FAR Part 40, a structural change from the earlier proposal.
  • Incident reporting revised to 72 hours. The initial proposal required CUI breach reporting within eight hours. That has been revised to 72 hours and aligns more closely with other cybersecurity regulatory frameworks. The definition of a reportable incident has also been narrowed.
  • "Potential CUI" eliminated. The concept of "potential CUI" from the earlier version has been removed.
  • NIST SP 800-171 Rev 3 referenced. This is the most consequential point for organizations already navigating CMMC. The FAR CUI rule references Rev 3, while CMMC remains tied to Rev 2 with no near-term plans to change. If this rule goes final, some contractors may find themselves subject to two different revision requirements across different contract types. The Cyber AB noted the divergence without offering a resolution, and contractors will need to track this carefully.
  • Third-party certification not required, but not precluded. The rule leaves the third-party certification decision to individual agencies. GSA has signaled interest in requiring it. Other agencies could implement the rule with self-attestation only, which the CMMC experience suggests does not work well as a standalone compliance mechanism.

The public comment period closes July 23, 2026. If your organization has a stake in how this rule is finalized, particularly around the Rev 3 requirement or third-party certification language, this is the window to engage.

Enforcement reality and False Claims Act settlements

Earlier in June, the Department of Justice settled a False Claims Act case with LOGZONE, Inc., a Huntsville-based service-disabled veteran-owned small business providing logistics, materials management, and medical support services. The settlement amount was $507,144.

The allegation was that LOGZONE reported a perfect NIST SP 800-171 Revision 2 self-assessment score of 110 in SPRS. A subsequent DIBCAC assessment produced a score of -170. The complainants were USDOJ, the Army, the Navy, and DCMA. LOGZONE did not admit guilt in settling.

This is the pattern the DOJ has been establishing across multiple FCA settlements in the CMMC space: a contractor reports a high SPRS score, a government assessment finds something very different, and the gap becomes the basis for a False Claims Act action.

The U.S. Attorney for the Northern District of Alabama stated in connection with the LOGZONE case that adherence to cybersecurity provisions in federal contracts must be a priority, and that this enforcement action should serve as a reminder of that. 

Ecosystem updates and a warning about counterfeit certificates

The CMMC ecosystem continues to evolve, and certification growth continued in June.

  • Authorized C3PAOs: 107 (+3%)
  • CCAs crossed 1,000 for the first time, with 596 also holding Lead CCA designation

A counterfeit CMMC certificate appeared in the ecosystem

Travis flagged something the ecosystem should be aware of: a counterfeit Certificate of CMMC Status has been discovered circulating among prime contractors vetting teaming partners.

The fake certificate named Anodyne, Inc. as the assessed organization and Bermuda Systems, LLC as the C3PAO. Bermuda Systems is not an authorized C3PAO. The certificate included fabricated assessment dates, a fictitious certifying official named "Gagik Gev, CEO," and a CMMC UID that appears to have been lifted from a legitimate certificate. The Cyber AB has marked it as counterfeit and is investigating. Anodyne, Inc. has been contacted but had not responded as of the Town Hall.

Travis was careful to note that Anodyne may itself be a victim rather than a perpetrator. The Cyber AB is not attributing guilt to them.

The fraud would not survive contact with eMASS, where counterfeit certificates would not be accepted. But it does illustrate a new dynamic: as CMMC certification becomes a meaningful differentiator in competitive teaming situations, some actors will try to fake it.

If you are a prime contractor or subcontractor vetting partners for CMMC compliance, verify certification status directly through the Cyber AB Marketplace and eMASS. Do not rely on a certificate provided by the contractor as the primary form of verification.

CCI Transition, No CCP Prerequisites, and Exam Volunteers

This month’s CAICO update focused on the official close of the Provisional Instructor program, a clarification on CCP application requirements, and a call for volunteers to help develop new exam content.

June 30, 2026 was the official end of the CMMC Provisional Instructor program. A 90-day grace period applies to those actively pursuing CCI transition, extending the window through late September. If you are a PI who has not yet applied or indicated intent to transition, contact CAICO immediately.

CCI progress as of June 30: 83 applications received, 41 fully credentialed. Of 124 total PIs, roughly 40 have not yet applied or signaled intent. If you submitted an instructor evaluation video during your original PI process, you can reuse it for the CCI transition if it accurately represents your current capabilities. CCI designation requires affiliation with an Approved Training Provider.

The CCP application currently displays education and experience fields that appear mandatory but are not required under 32 CFR. CAICO acknowledged the UI issue and is working on a fix. If you have the experience, include it. If you do not, contact CAICO customer support for a manual application.

CAICO is developing new exam content for a release expected toward the end of 2026. Interested volunteers can reach out at itemwriting@isaca.org. Note that participating in exam item writing makes you ineligible to teach that content during the same three-year certification cycle.

Action items for DIB Contractors

November 10 is not a deadline, but that does not mean you have unlimited time. New solicitations issued after that date will routinely carry C3PAO Level 2 requirements, and assessment timelines are measured in months, not weeks. If you are not already in the process, you should be.

If you handle only paper CUI and have assumed you are outside CMMC scope, look carefully at your workflows. The moment CUI enters a digital system, even informally, the assessment requirement follows.

If you are in the process of selecting a C3PAO, ask the key questions that protect your timeline: DIBCAC renewal date, 27-month authorization window, FOCI status, and impartiality management.

If you are a prime contractor verifying teaming partner CMMC status, use the Marketplace and eMASS directly. The counterfeit certificate case is a signal that document-based verification is no longer enough.
