
Key Takeaways from the August 2025 CyberAB Town Hall: Enforcement Date Clarification, Certification Momentum, and the New C3PAO Advisory Council
CMMC 2.0 is moving steadily toward full enforcement. The August 2025 CyberAB Town Hall provided important updates on the final rulemaking stages, ecosystem growth, and policy changes that will impact assessors, C3PAOs, and OSCs alike. It also addressed ongoing confusion around the 10-day re-evaluation window and the implementation timeline, and introduced a new C3PAO Advisory Council.
Below is a recap of the key takeaways and a preview of what’s to come this fall.
1. Final rulemaking is nearing the finish line
CMMC’s Title 48 rule, the final regulatory step to making certification a contractual requirement, is now in the final stretch. The Department of Defense submitted the rule to the Office of Information and Regulatory Affairs (OIRA) on July 22 for final coordination. While OIRA has 90 days to review the rule, the CyberAB expects it could be published in the Federal Register by the end of September.
Once published, the rule could take effect after a 30-day waiting period. This led to speculation that October 1, 2025, would be the official go-live date. However, CyberAB CEO Matt Travis clarified that this reference came from early CMMC 1.0 planning and a recent Army Corps of Engineers posting. That date is no longer applicable.
To reinforce this, the Department of Defense issued a new class deviation formally removing the outdated language from DFARS. You can read the full memo here.
In the Q&A, CyberAB leadership also addressed a related development: a memo released by the Under Secretary of Defense instructing contracting officers not to include DFARS clause 252.204-7021 in new solicitations. This confirms that CMMC cannot be used as a contractual requirement until the Title 48 rule is finalized and published.
Bottom line: CMMC is still expected to become enforceable before the end of 2025, but the exact date remains pending.
2. Certification momentum and ecosystem growth
CMMC assessments are progressing, and the ecosystem is expanding in parallel. As of August:
- 270 organizations have received final Level 2 certification
- 9 organizations have been issued conditional certifications
- 91 Level 2 assessments are currently in progress
While these totals reflect modest growth since July, the CyberAB noted that duplicates were recently removed from eMASS, providing a more accurate count of certifications.
On the ecosystem side:
- 79 C3PAOs are now authorized (+2 since July)
- 15 C3PAOs have passed a DIBCAC assessment
- 496 Certified Assessors (CCAs) are active, including 304 Lead CCAs
- 1,039 professionals have earned the CCP credential
- 351 Registered Practitioner Organizations (RPOs) are supported by nearly 1,900 practitioners
These numbers all point to a rapidly maturing program. The continued growth of certified assessors and C3PAOs will be essential as certification requirements begin appearing in contracts.
3. Guidance on branding and marketing CMMC certification
OSCs that have successfully certified at Level 2 often ask whether they can publicly share their certificate. The CyberAB discouraged posting the certificate itself, which includes CAGE codes and other sensitive identifiers. Instead, it is working with the DoD and C3PAOs to develop a controlled, authentic graphic that certified organizations can use on websites, marketing materials, and business cards. This would offer a verified way to show certification status without risking misuse or confusion.
During the Q&A, attendees also raised concerns about companies using “CMMC Compliant” branding on their event booths and marketing materials, despite not having been assessed.
CyberAB leadership clarified that they do not pursue enforcement around branding claims, but emphasized that the DoD could take action if a misrepresentation impacts a contract. Until a formal certification is earned and properly documented, companies should avoid using language that implies an official CMMC status.
4. Clarifying the 10-day re-evaluation window
The CyberAB also addressed ongoing confusion around the 10-day re-evaluation period outlined in 32 CFR §170.17(c)(2). This period is only available when:
- A requirement is assessed as “Not Met”
- The OSC can provide existing evidence that was not available or reviewed during the original assessment
- The CMMC Assessment Findings Report has not yet been submitted
This window is not an opportunity to remediate findings or create new documentation. It exists solely for presenting overlooked evidence. Minor "quick fixes" may be allowed at assessor discretion before a determination is recorded, but this is separate from the formal 10-day provision.
CyberAB leadership noted that an official Notice to the Ecosystem and a CAP update are in development to provide clearer documentation on this topic.
5. False Claims enforcement is escalating
At the end of July, the Department of Justice announced a $1.75 million False Claims Act settlement with Aero Turbine Inc. and its private equity partner, Gallant Capital. The allegations? Failing to implement required NIST SP 800-171 Rev. 2 controls between 2018 and 2020 and allowing CUI to be accessed by unauthorized recipients.
While Aero Turbine self-reported and cooperated with investigators, the settlement underscores a key point: even before CMMC becomes mandatory, defense contractors are already required to implement and maintain the 110 controls under DFARS 7012. Self-attesting in SPRS without actual compliance is a serious risk.
6. A new voice in the CMMC ecosystem: The C3PAO Advisory Council
The CyberAB formally introduced its new C3PAO Advisory Council, a group of 11 certified and active representatives who will provide feedback on accreditation policy, assessment interpretation, and best practices. The Council will form subcommittees on key topics such as external service providers, assessment guidance, and updates to the CMMC Assessment Process (CAP).
Council Chair Scott Singer emphasized that the group’s mission is to improve consistency, keep small businesses in the game, and develop practical, experience-based recommendations. A public call for committee participation will go out soon, with active CCAs and CCPs encouraged to apply.
7. Tier 3 vetting changes: Continuous monitoring now required
James Gillooly from the CMMC PMO shared important changes to the Tier 3 clearance process. As part of alignment with the Trusted Workforce 2.0 initiative, all Tier 3 adjudications must now be enrolled in continuous vetting. Clearance verification letters are no longer accepted. Instead, the full Tier 3 package is required, including the OF 306 form, a nomination form, and a resume.
The CyberAB will now track who is active in the ecosystem and report status changes monthly to the DoD. If someone leaves the ecosystem or their status changes, they will be removed from the continuous vetting process.
This change does not impact adjudications already completed, but individuals previously cleared through verification letters will be asked to submit a full package retroactively for enrollment.
8. ISO standards update from the IAAC General Assembly
CyberAB leadership attended the IAAC General Assembly in Santo Domingo, where key changes to international accreditation standards were discussed. The ISO/IEC 17020:2012 standard used for C3PAO accreditation is being updated. A multi-year transition is planned, including training workshops. Accreditation bodies will not be expected to switch overnight, but C3PAOs should be aware that changes are on the horizon.
Also of note, the two global accreditation organizations, IAF and ILAC, are merging into a unified body. This move is expected to simplify oversight and communication within the international accreditation community.
9. Updates on training and exams
Mike Snyder, Acting Executive Director of CAICO, shared a number of updates related to training, certification, and assessment readiness:
- CCA and Lead CCA reviews are taking place on a rolling basis, with most delays caused by missing documentation.
- Individuals should look out for emails from the validation team requesting updated information, especially details on assessment experience.
- SOC 2, ISO 27001, and NIST 800-53/171 experience are all valid toward meeting assessment experience requirements.
- The CCP exam has been updated to align with 32 CFR. A beta test is planned, with public availability expected by the end of the year. CCA updates will follow closely behind.
The CyberAB is also seeking CCAs and Lead CCAs with training development experience to support exam updates and training materials. Interested individuals should reach out to training@caico.org.
10. Fall events and CS5 announcements
Several upcoming CMMC events were promoted during the session, including:
- National Cyber Summit: Sept 23–25, Huntsville, AL
- CS5: Oct 16–17, National Harbor, MD
- A-LIGN’s Compliance Connections: CMMC Edition: Oct 27, Washington, DC
- CMMC Pacific Northwest: Oct 27–28, Suquamish, WA
- CUI-CON: Feb 11–13, 2026, Orlando, FL
The CS5 planning team announced that Katie Arrington and Stacy Bostjanick will speak live at the event. This year’s conference will also feature a new "Roundtable Revolution" format, two industry-specific breakouts on construction and aerospace, and a golf tournament on October 15. A call for speakers is open through the end of this week.
Stay informed as CMMC 2.0 moves toward enforcement
The August Town Hall made one thing clear: CMMC 2.0 is accelerating toward full enforcement. The ecosystem is expanding, assessments are well underway, and false claims enforcement is picking up. At the same time, new procedures, clarifications, and accreditation policies are being introduced monthly.
The coming months will be pivotal. Each CyberAB Town Hall sheds new light on CMMC implementation and could influence how you plan and prepare for certification. We’ll be tracking every update so you stay ahead of the curve. For detailed analysis, expert insights, and full rulemaking coverage, check out our in-depth recaps of previous CyberAB Town Halls.
