Episodes

  • Monthly Cyber AB Town Hall Recap (March)
    Apr 2 2026

    We are back at it again with another rundown of the Cyber AB's monthly town hall, and there sure was a lot of valuable information distributed during the meeting. Join us for this episode as we discuss some of the key information dished out this month and weigh in on any impact it may have on the CMMC Program.

    Things like:

    • Milestones achieved by the program this month!

    • Why was the new DoW CIO talking to Armed Services committees?

    • How is the ecosystem growing?

    • What to expect in the CAICO transfer to ISACA.

    And so much more...Tune in to find out!

    Cyber AB TH Replays: https://cyberab.org/News-Events/Town-Hall

    ISACA Website: https://www.isaca.org/

    32 m
  • The CMMC November 2026 Deadline Is a Myth (Here’s What’s Actually Happening)
    Mar 26 2026

    Everyone is talking about a “November 2026 deadline” for CMMC Level 2.

    There's just one problem… it's not real.

    In this episode, we break down what the CMMC rule actually says about Phase 2, what really happens starting in November 2026, and why most contractors are misunderstanding the rollout.

    If you're in the defense industrial base, this is the clarity you need to plan your timeline the right way.

    Key topics:

    • What Phase 2 actually means

    • When Level 2 requirements apply (and when they don't)

    • Why this isn't a mass certification deadline

    • How to think about your real CMMC timeline

    • Stop chasing phantom deadlines and start focusing on the contracts that matter.

    Register for Summit 7 Live: https://www.summit7.us/s7live

    PALT: https://youtu.be/C50UXJyz4PA?si=ySn1oIS4FaK4Si9f

    32 CFR 170.3: https://www.ecfr.gov/current/title-32/section-170.3

    Jan 2025 memo:

    https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf

    24 m
  • GAO Gave CMMC a 95%... Then Called It a Problem
    Mar 19 2026

    GAO's latest report on CMMC sounds cautious. They warn about external risks, ecosystem constraints, and gaps in DoD's strategy.

    But that framing misses the bigger story.

    Since the 2021 report, CMMC has gone from a fragmented concept to a functioning system. The ecosystem exists. Training exists. Small business support is working.

    So why does the report feel so negative?

    In this episode, we break down where GAO is right, where they're overstating the risk, and why the real story is the program's quiet but meaningful progress.

    Register for Summit 7 Live: https://www.summit7.us/s7live

    GAO Report (2026): https://www.gao.gov/products/gao-26-107955

    GAO Report (2021): https://www.gao.gov/products/gao-22-104679

    40 m
  • 75% of the CMMC Assessment Guide Isn’t Requirements
    Mar 12 2026

    Most defense contractors assume everything written in the CMMC Level 2 Assessment Guide is a requirement. But that's not actually how the framework works.

    In this episode we break down the structure of the assessment guide and explain why roughly 75% of the document is explanatory text, not normative requirements.

    You'll learn:

    • Where the real requirements come from in NIST SP 800-171

    • How verification procedures in NIST SP 800-171A become assessment objectives

    • Why discussion sections and examples are informative, not prescriptive

    Understanding the difference between requirements, assessment objectives, and explanatory guidance can help contractors avoid unnecessary controls, reduce documentation overhead, and simplify CMMC compliance.

    CMMC Assessment Guides: https://dodcio.defense.gov/cmmc/Resources-Documentation/

    NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

    NIST SP 800-171A: https://csrc.nist.gov/pubs/sp/800/171/a/final

    27 m
  • We Mapped 130 Iranian Cyber Attacks to CMMC… Here's What We Found
    Mar 5 2026

    Iranian cyber actors are targeting the Defense Industrial Base.

    So does CMMC actually help?

    In this episode, we mapped 130 real-world techniques used by five Iranian threat groups to the controls behind NIST SP 800-171 using the MITRE ATT&CK framework.

    Here is what the data shows:

    • 100% of techniques are detectable

    • 68% are mitigated with preventative controls

    • Just a handful of core controls drive most of the defensive impact

    We also examine what that means for Cybersecurity Maturity Model Certification and why 800-171 remains a strong floor for protecting CUI.

    But there is a gap. Only about half of the relevant NIST SP 800-53 controls that mitigate known Iranian techniques are represented in the 800-171 baseline.

    If you are a defense contractor, this episode will show you what compliance actually buys you and where you may need to go further.

    Register for Summit 7 Live: https://www.summit7.us/s7live

    MITRE ATT&CK: https://attack.mitre.org/

    Mappings Explorer: https://ctid.mitre.org/projects/mappings-explorer

    CISA Alert: https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran

    NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

    NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

    36 m
  • February Cyber AB Town Hall Recap
    Feb 26 2026

    The Cyber AB has once again summoned the CMMC Ecosystem to deliver its monthly update and on this week's show we are going to break it down for you. Join us as we take all the information distributed during the meeting and dish out the information you need to know.

    Things like:

    • Can my FSO check on my Tier 3?

    • Have we eclipsed the 1,000 assessments milestone?

    • When does a mock assessment stop “mocking”?

    • Updates on the ISACA/CAICO switchover

    And so much more...Tune in to find out!

    Sum It Up: “The End of SPRS Scores (sort of)”: https://youtu.be/_UFN7fubgQY?si=EgtchmuAHti24Cr8

    Cyber AB TH Recordings: https://cyberab.org/News-Events/Town-halls

    ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI

    ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc

    29 m
  • 48% vs 9%? The DoD's CUI Numbers Don't Add Up
    Feb 19 2026

    The DoD Inspector General is raising concerns about CUI marking again and the numbers don't add up.

    In 2023, the IG found that 48% of reviewed CUI documents lacked proper markings. Yet the DoD CUI Program website reports only 9% were unmarked that same year. So which is it?

    In this episode we break down the latest DoD IG management advisory, where the recommendations fall short, and why the CUI program and the CMMC program (although closely related) are owned by different offices that can't fix each other's problems.

    For defense contractors, this isn't academic. CMMC enforcement depends on the integrity of the CUI program. If CUI marking is inconsistent, compliance risk increases downstream.

    Summit 7 Live: https://www.summit7.us/s7live

    2026 IG Report: https://www.dodig.mil/reports.html/Article/4397146/management-advisory-dod-policy-and-training-on-dissemination-controls-for-contr/

    2023 IG Report: https://www.dodig.mil/reports.html/Article/3413433/audit-of-the-dods-implementation-and-oversight-of-the-controlled-unclassified-i/

    33 m
  • No CMMC, No Contract: Why You're Already Too Late for NAVAIR
    Feb 12 2026

    CMMC is a condition of contract award, and many defense contractors are waiting until they see CMMC requirements in a solicitation to get started. But the Department of Defense wants the period between solicitation and award to be as short as possible. This week we crunch the numbers on 1,070 upcoming Navy contracts to see what a realistic timeline ought to look like.

    Summit 7 Live: https://www.summit7.us/s7live

    PALT Pod 2024: https://youtu.be/NZs4f5voyrg?si=S-xarOpYyiSG00Bs

    NAVAIR Forecast: https://www.navair.navy.mil/LRAE

    28 m