Cyber AB Town Hall September 2025: Key CMMC Compliance Updates

Show Notes

The September 2025 Cyber AB Town Hall dropped big updates for contractors navigating CMMC and NIST 800-171 compliance. 

In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down what the final CMMC rule (Title 48A) means for defense contractors, subcontractors, and service providers.

We cover the timeline for implementation, prime and subcontractor flow-down requirements, service provider risks (MSPs, CSPs, ESPs), and how a government shutdown could affect CMMC. You’ll also hear insights on ongoing compliance, documentation, FedRAMP requirements, advisory councils, and what primes will expect from their supply chains.

Whether you’re a compliance officer, program manager, or DoD subcontractor, this episode gives you clear, actionable takeaways so you can prepare before deadlines hit.

Transcript

Austin: 0:21

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're unpacking the big headlines from Cyber A B's September 2025 Town Hall. From the final rule to the service provider risks, new compliance requirements, and what it means for primes and subs, this session has a lot of takeaways. Let's start with a big one. The final title, 48A rule, is now published. What does that even mean? It means that that 48 CFR that we've been talking about that puts CMMC in place on contracts has been published. It was published on September 10th, and they gave it a 60-day period until it goes into effect. So on November 10th, this goes into effect. And there's now there's four phases. First phase goes into effect on November 10th. The next phase, phase two, goes into effect on November 10th, 2026. This first phase, it's largely, largely what you're doing right now, except that you have uh there's some more teeth in it, and there's also definite timeline that you have to be compliant. It also means that there's a definite timeline on the prime uh contractors. And so the prime contractors very well may be, how should I say it, um more and more pushy, I guess, uh trying to get uh their subcontractors to be level two certified, may at some point require it before the federal government actually does. So level two certification won't actually be required on a contract technically until November 10th, 2026. But with primes, it very likely is gonna be sooner with that for their subs. That's uh that's the big news for the 48 CFR. I also heard there was some confusion on when certification is needed, proposal versus award. It's gonna be needed at award. Uh and uh they'll check on they'll check on that uh at award and make sure that you have your certification. The other thing is they've specified you need to have your cage codes right and all that, but there's another piece in there that's associated with it in Sam.gov, for instance, anyway, your unique entity ID. Uh you need to make sure that that's entered right. You need to make sure those two pieces of information correct. They have all the right information in there, especially whenever you get your uh level two certification, that those are correct. So when they get uploaded, make sure that they show up and they match correctly. If they don't, then you're gonna have some problems getting awarded some contracts and you don't want that. You had mentioned earlier that primes might be getting a little pushy when it comes to compliance. So the town hall made it clear that the primes are responsible for the entire supply chain. How big of a deal is that? It's a huge deal, but it's really nothing that has changed, really. It's just changed, I guess, in enforcement. So the flow down rule has always been there. Primes are supposed to make sure that their subcontractors were the same level of compliance as them as far as a specific contract goes, right? And work on that contract. And then those subcontractors were supposed to do the same. That's that's not that's always been there, hadn't changed, but that's specifically spelled out and said, hey, by the way, you need to make sure you're doing this. So guess what? You need to make sure you're doing this. So not only do the primes need to make sure that their subcontractors are compliant, where they need to be compliant at level one, level two assessment, or level two certification, whatever it is, you know, they need to make sure that their subcontractors are compliant. But then subcontractors also need to make sure that their subcontractors that are working on in any of those particular contracts that have CUI, they need to make sure that they're compliant as well, which is gonna likely cause some big problems. Interestingly enough, it'll cause big enough problems in the uh manufacturing, but uh it'll that'll actually cause bigger problems in construction. Well, there's construction projects that uh have include CUI, all the subcontractors, I mean, think about it. You know, I'll just leave uh I'll just leave leave the obvious unsaid, but you know, the uh the all those subcontractors that are used would have to be that get that CUI would have to be level two certified. So uh that's an even taller ask of the construction industry than it is the uh manufacturing industry. So big deal. From what I heard on the town hall, it seems like they really emphasized that compliance isn't just a one-year thing. Sounds like that might have been brought up. Can you address that? Absolutely. And and this is another one of those things that is has not changed. Uh they're just specifically calling out and saying, hey, by the way, uh this the I mean you look at the way the NIST 800171 is written, uh just that, leave out CMMC, just the NIST 800171, look at how it's written, and it's all about ongoing compliance, ongoing management, ongoing monitoring. Uh so it's it's not a it's not a set and forget it. It's not to get everything in place and just you know, don't worry about it any longer. Uh it is an ongoing monitored, managed compliance is what it is. And and they're they're just reminding everybody of that. Uh because I think people are finding out, you know, that uh oh hey, we can't just uh implement a tool or two and then forget about it. You know, it's it's a it's a whole deal. I spent a lot of time working with uh new and prospective customers and I think that is one of the biggest pills they have to typically swallow um is that uh just uh w what the um full breadth of burden is uh for compliance. You know, the the documentation uh a lot of people come to us for documentation first, um, and that's a whole nother thing. You know, it's a whole thing by itself, but um then the documentation once you put it together, if you put it together correctly, it says all these things that you have to do and all these money you have to spend. It does. Um and uh, you know, it's typically uh you know, when someone's first on the the start of their compliance journey, um it is not necessarily necessarily something they're they understand, even if they intellectually understand it at first, it doesn't really hit them until later. Yeah, that has a tendency of not really sinking in, even though that you talk about it, they you know it sinks in, it hits them later, you know. Oh, so really what you were talking about when you said that was blah, blah, blah. Yes. Yep. It's ongoing, you have to keep it up. There's a lot of work involved, so yes. Aaron Powell Another thing that always comes up, and uh there's a lot of confusion and uh misnomers about, I think, um, is service providers, um uh of which we fall under um that umbrella term. Uh ESP's not a CSP, is what we are. Yeah. Right. And speaking of, uh there was a lot of discussions about CSPs, MSPs, and ESPs on the town hall. So what uh can you tell us what that discussion was and what what the risk uh the risks are here? Absolutely. Yeah, so to clarify, there's uh an ESP is an external service provider, right? Okay. And that is any any company or service that uh uh an OSC organization seeking certification. So uh anybody that wants to be compliant, right? Um any company that wants to be compliant, uh if you use a third party to do anything for you, that is a an external service provider. So if you use somebody to back your systems up, secure your systems, um anything else like that, then then that's an external service provider. There's a a whole big category of ESPs, external service providers, and then within that, uh you've got CSPs, MSPs, MSSPs, you know, you name it, but the way the federal government looks at it is there are among the ESPs, there are CSPs, which is a cloud service provider. Okay, think of Microsoft 365, think about Google, those are CSPs. Uh that's an easy, easy one to look at and kind of figure that out. Uh and then everything else other than a CSP is called an ESP, not a CSP. So which really, I mean, kudos to the government, I guess. Uh they uh, you know, that's a very that's very descriptive. It's just a weird name to name something, right? Um but that's fine. So uh so you got CSPs and ESPs, not an M, uh not a CSP. So uh things that fall into that category are gonna be managed service providers like us, MSPs. Uh they're gonna be managed security services providers, MSSPs, um, stuff like that. So uh the and those are the two most common uh what you're gonna find. Um but there's a uh a little bit of a confusion as to whether a uh MSP or an MSSP in what circumstances they might be a CSP. One uh lead assessor told me, I can't forget who this was, but uh that a CSP um uh if just kind of like a dro rule of thumb, and you might correct this, this might be wrong, but um it was an SS. Um and he said that basically if if you could go turn on cloud services by yourself um in some form of like portal or instant access, then that's a CSP. But if like you have an MSP that does it on your behalf, there's no like ability to do it, like it's all you know provided provided, managed by the service provider, um, then that's kind of the distinction that the he thought uh was a good one. I don't know if that's accurate, but that's a that's a good distinction. Although that might be uh confusing for some because they're a lot of them, they're MSP managers, they're they're CSP licensing. So that might be a little confusing to some, but that's that's basic that's that's a pretty good explanation. So uh that's what a uh CSP is gonna be. An MSP or an MSSP is gonna be somebody that provides you a a service. You know, they they back up for you or they um they provide security for your laptops or something like that. They uh and they again they may provide some of those CSP services, um, but at that point your MSP uh if they provide those services for you, uh they should know whether those are gonna contain CUI or SPA or SPD or whatever they may contain and whether they need to be FedRAMP or whether they need to be um whether they don't necessarily need to be FedRAMP, but they'll be included on the assessment and be assessed and need a uh CRM or a customer responsibility matrix. Um so uh there's a whole bunch of uh it it matters a whole bunch whether you're a CSP or or uh or ESP, not a CSP. Uh so CSPs uh are gonna if they contain CY, they're gonna have to be uh a FedRAMP uh authorized or FedRAMP equivalent. Okay. Uh ESP's not a CSP, they're gonna have to make sure, uh you're gonna have to make sure that they provide you uh a shared responsibility matrix or a customer responsibility matrix, whatever you want to call it, uh SRM or CRM for short. Um the uh the government is now calling it a CRM, which is why we started calling it a CRM. Uh so you need to have one of those in place from your MSP or MSSP or other ESP, there's not a CSP, uh need to have that in place and make sure that uh that everything is covered there and they'll be assessed against those controls. Uh one other thing really uh that um I just realized is that uh if you if an MSP or MSSP uh holds CUI, store uh processes stores or transmit CUI uh then they're gonna fall in the category of having to meet all 110 controls uh of uh CMMC. So all 320 assessment objectives. Uh however, if that uh and that so if they hold CUI that's gonna be like uh if they if they're if the MSP is the ones are the ones that store your um backups on their uh equipment, then at that point um they would need to they'll have the CUI in their possession even if it's encrypted. It'll still CUI as we've discussed uh before, uh and they'll have to they'll have to meet all 110 controls. The um there are other examples too, but that's uh that's a the easiest one to to think about is is uh if they're hosting your backup. Uh so if they just have access to it, it's not the same thing. So if they're managing that backup, making sure it happens, making sure it completes, making sure that they can restore, that's a different ballgame. But if they are storing that um well mostly storing, but process storing or transmitting that CUI for you uh in form of a backup, then they need to uh they'll have to be they'll have to meet all 110 controls. Otherwise, if they don't and they're just handling uh security protection data, and I think I just said SPD a while ago. So SPD is security protection data. Um if they're just handling that, uh then they just have to uh meet the controls um for which they're providing to you. Uh so uh for instance, antivirus on workstations or or something like that. Yeah, it makes sense. I was I was reading some LinkedIn posts, um, and it's real funny because um people get really almost like political about uh CUI and CMMC and the decisions that are made by the the powers that be. Um anyway, and someone was being very critical um of uh the fact that uh access does not require um level two certification on four MSPs. Um and so just thought that was interesting. Um uh because it makes sense to me. I mean, if you're you're not holding the football, you know, you just uh have access to it, then um it makes sense uh that you you could use a MSP that's not um certified themselves if if what they're providing to you follows all the controls, which is ultimately the the goal of the compliance, right? So is it's not to get everyone certified, it's to protect the COI and the data, and that's that's the goal, I think. So and I think it's just really important that um at the end of the day uh that we go back to uh intent, you know, and because people get real caught up in, you know, like I said, all this um weird political and uh um I call it political, but anyway, people like hold a lot of biases about CUI and compliance and everything, but really at the end of the day, all we're trying to do is just protect CUI with with good cybersecurity hygiene. And um it's just I just I think a little commentary for me, I find it funny how um uh you know, I guess uh religious people get about it. Right. One thing I might add is that uh because I I said something about it a minute ago and and you did too just now, but uh um if an MSP has to be uh does hold some of that CUI uh or if they uh provide a lot of security and they'll be assessed, you know, just SPD, they'll be assessed on a lot of those controls, whether it's all of them or a lot or whatever, however many it may be, um the that MSP has to kind of think about uh how many clients they have that are uh Dib clients and are gonna need this and how many times they want to undergo those assessments because you'll have to provide documentation and all sorts of other fun stuff. Um and you'll have to spend time with your client and and answer questions. How many times are you gonna want to go through that? Or would you rather go get a uh level two certification and be uh level two certified and be able to say, yep, here's my paper right here, I'm level two certified. Now that doesn't mean that all assessors are just gonna go, ah, okay, no problem. You know, they'll they'll still have to check into some things, and if they have warm fuzzies from the things they check into, most likely uh the controls and assessment objectives, that is, uh most likely uh they won't see the need to dig anymore, right? Um so and they'll take your level two certification at face value. But uh anyway, that level two certification likely likely uh would make it uh quicker and easier uh on the uh assessors doing the assessment and quicker and easier on the MSP as well. Yeah, it's uh we're down here in Texas and um anyway, so we have this thing called concealed carry. And so if you I just think of where's this going? Thinking of a funny uh anyway, something it's like um and uh you know, when you get if you have a concealed carry, you've been federally background checked, right? And so if you have a license, it's um you know if you get pulled over uh and if you don't have one, the police officer is a little more suspicious of you than whenever you get pulled over and you're like, oh, here's my concealed carry, they're just handing them a background check. So they typically take the traffic stop a little um uh more lightly, uh, although not that they have to perform their job any differently. It just kind of, you know, helps uh grease the gears a little bit and it's kinda like that, you know, where Which you wouldn't really understand if you didn't uh live in Texas or one of the other states where you have a LTC. Right. Right. But the point is it's um you know, you'd you don't need the certification but uh as an MSP and and you don't have to get rid of your IT provider if they don't have one. Um but it it certainly greases the gears and makes things easier, and then you also um like you alluded to earlier, that MSP is gonna have to be a part of your assessment. And so if you're their only client that has this burden of compliance, then uh that might be a bit of a burden to them. It may not, and it's gonna get it's gonna cost. And so um they're you should probably approach them about how much it's gonna cost to you know carry that burden. And if they don't charge you, they might be a little um res you know it's not gonna be fun for them, right? Right to have to provide all that information and everything. So I guess my what I'm getting after is uh it is it's good to have a MSP that's level two um and cer certified, I should say. Um and they don't have to, but if they're not gonna be, you really need to um uh because you're gonna be married to them, you really need to uh have those uh discussions and be like, look, you know, this level two assessment's really gonna be a pain in the rear. You know, can you do this? It's gonna take a lot of time. How much are you gonna more are you gonna charge me, you know, um, yada yada, and make sure that they're really gonna be there for the the um full extent of um your relationship and and stick around and it's not something they're gonna get tired of very quickly and and uh drop you as a client because then you're kind of in a bad spot. Yeah, and what I might also say to that is you know, if you're looking for an MSP, there aren't very many right now that are level two certified. You know, if you find one that's level two certified, that's even better, or on the path to be level two certified, that's good. Uh they uh at the very least, uh that MSP or MSSP, anybody that provides you any services uh as an ESP, uh if they're not FedRAMP, if it's not a CSP, then any of those folks are gonna need to give you a uh shared responsibility matrix uh or customer responsibility matrix, SRM or CRM, uh that is the that is the lowest bar to provide there. And it needs to be a uh NIST 800 171-based uh uh responsibility matrix, not just a generic one. Right. Not one they put in JAT GPT and then sent over to you. Exactly, exactly. So um, you know, there needs to be thought behind it because they're saying these are these were what these are the controls that we cover. This this is your responsibility for these controls, these are our responsibility, and uh and so it lines it out there and spells it out. And that's what the that's what the assessor wants to see. And even if you do have uh somebody that is level two certified, you you still need that. So it's not anything that's just a a basis of what you need from your provider. Yeah, so that's uh another really good um talking about if they're not certified, that's another very strong question to lead with. Not even um that that might give them an ide give you an idea of uh, you know, if they say they're committed to going through this with you, then uh then immediately ask them for an SRM or CRM. Um because then that that'll be a good litmus test of if they're uh you know, if they're actually are. Um because they may not have realized um, you know, what the true breadth of the burden is gonna be for having you as a client. And so asking them for that CRM, SRM uh will really um tell you whether they are um um gonna stick around and also tell them uh I might want to reevaluate my situation. Right. Talking of the government shutdown, what is the risk to CMMC um in this whole process? What are the implications gonna be for uh the defense base? The biggest risk for uh for the CMMC for the government shutdowns is gonna be tier three background checks for um for CCPs and CCAs. That's uh CMMC certified professionals and CMMC certified assessors. So those tier three background checks that you have to ha have to get, uh those will likely be delayed. Uh hopefully not very long. Uh but what I can tell you is it took me 10 months to get mine. And there wasn't a government shutdown. And there was not a government shutdown. Uh maybe there maybe I was uh a a you know strange character and they really needed to check into me, but uh mine took about 10 months. Uh they are taking, you know, six to ten months right now or so. Uh but as of today, uh the government has shut down. Uh so that tells you when we recorded this uh as opposed to when it's uh uploaded. But uh as of today, the government shut down. We'll see how long it shut down, but it will affect tier three background checks. There's a small likelihood uh that could uh that it could affect when it goes into uh when CM when the excuse me, when the 48 CFR goes into effect. It's already published, it's already live as of September 10th. They put a 60-day date on it. So November 10th of 2025, uh, it'll go into effect. There's there's not really a reason not for it not to go into effect uh on November 10th. But uh, you know, stranger things have happened. So uh that may be affected. I kind of doubt it, but uh, but that's possible. So there could be some other background things that happen. Um uh you know all the assessments uh will they'll keep going as is. Um you know, government shutdown doesn't matter because they're not government employees. Uh so the C3 PAOs will keep doing their keep doing their job, all that'll keep trudging along. Um there could be some of the pieces in the background uh they upload to a system called EMAS. Um you know, there could be some of that in the background where uh if they have some issues and they need to talk to somebody or something that uh it may be delayed. But that's just a possibility. Uh so those are the those are the reasons, uh those are the things that uh the government shutdown may affect as far as CMMC goes. Mostly it's some inside baseball, like I said, with the uh uh CCPs and CCAs not getting their tier three background checks in a uh quote timely manner. Yeah, because six to ten months is really timely. Six to ten months is yeah. So um so that's the biggest thing right there though. So uh I I don't know how this works uh particularly um and we may uh need to um talk to a C through PAO. So um I'm not sure if you'd know this either, but um the uh whenever you get a certification um or you you have some you have a provisional um certificate or something from the assessor themselves, and then it has to go through the powers that be in the government for them to like finalize it, right? So does does the uploading to EMAS have to take place for that provisional kind of status um before you get your final certification status, or can you go through the assessment um and then you're just provisional because the C through PAO said you're provisional? And I know I'm using the wrong words there because I don't know what it is, but I know that's um kind of the basic structure of it. So uh the way I understand it is that once you pass your uh once the C three PAO says you're good, you passed, you're good, you passed. But it does need to be uploaded into EMAS. There's no actual certificate right now. Uh they're supposed to be coming up with their certificate of an official certificate that they give you, although from what I understand, you're not supposed to show that certificate to anyone, so what the heck that matters, I don't really know. But uh so all that should be good. Um the only question is it flowing through the systems properly um after it's uh uploaded EMAS. So um uh so there may be some issues there, but uh once you once you get assessed by your uh assessor uh and your C through Pao says you're good, you passed, um then you're good and you passed. It's just got to flow through the systems. Yeah, so I guess if you're going through that process right now, great question for C through PAO. Yeah, it is a great question. And I I should know the answer to that one, but uh but um I don't think it's called a provisional yeah um I know it's not called provisional. I just cannot remember the name of it. Yeah. Um but we're more on the readiness side, um getting you and then we pass the baton off to the C through PAO. So that was that's where a bit where our expertise drops off. So just a question as far as impact goes. So really it sounds like you know, unless you're one of the few that's going through an assessment right now, um, you know, great question for your C through PO, which they'll they'll probably have a decent answer for. Um, but really the other main impact um is uh for everyone else, uh the lion share of people, is that the the the pipeline of um CCAs and CCPs, which means um, you know, people that are able to certify you and people like us that are able to get you to the point at which you can get certified, um, just got paused. Um more or less, that's uh mostly on the assessment side. Um uh so uh really the biggest impact would be that there just may be um less people um, you know, able to help um as more people come into the um uh professional labor side of CMMC things to help get the defense base up to snuff. Right. Um so but really um unless this goes on really long time, that r it should be uh uh something you don't really feel at all. So yeah. I you know I I don't remember uh exactly, but I don't think these government shutdowns last too awful long. So really a couple weeks at the most, if I remember right. And the whole scheme of things as far as your uh tier three certifications or uh tier three um uh background investigations go. Um the uh if it's six to ten months on average, uh a few days or a week or a couple of weeks, you know, is not gonna is not gonna change that whole lot. I wouldn't think. Uh so uh you know, I mean that just means they'll build up and they'll have more to go through, but uh they'll go through them at the same pace they've been going through them once they start again. So uh there will be a little bit of a delay, but in the whole scheme of things, if it's adding, you know, a couple of weeks on to uh to six to ten months, it's not it's not that much of a difference. So absolutely. Especially when most of the industrial base out there still has you know yet to go through it. So yeah. So we're more or less in the same spot. I know um I know people really love the grasp onto anything that um could mean that CMMC isn't gonna happen or or whatever else, but it doesn't seem like government shutdowns the one to make it uh stop. So I agree. So what other updates have I missed um from the town hall that that you saw? Uh well, uh there's uh new hires, uh there are new hires including Kat Adams uh as conformity uh credentialing coordinator and Christopher Davis as interim CFO. Uh so there's that one. Uh the ecosystem does continue to grow, uh so that's good, because we're gonna need uh as many C C P, C C A's, uh RPs, RPOs, um C three PAOs, we're gonna need as many as possible to uh uh get this uh flood of uh OSCs that are gonna come along uh to get all them everything implemented and certified and You know, in a in a timely manner. So that's good. There's uh over three hundred and sixty-six uh uh final level two certifications uh that have been given out so far. So that's companies that have gone through and gotten their level two certification uh and have completed that and don't have an active poem that they need to finish, right? Small bite of the elephant, but it's progress. Exactly. Exactly. Uh so at this point there are uh eighty-two uh authorized C3 PAOs uh to do the hundreds of thousands of uh of companies that need to have level two certifications. Uh but there are uh there are 80, uh about 82 of those right now. Uh that's increasing. Um, you know, as we talked about a minute ago, the the uh government shutdown could affect that by a couple weeks or so or whatever a government shutdown is, but uh not by much. Uh so that should be keep trudging along. Uh the um Cyber A B is starting up some advisory councils. Um uh I was gonna put in to be on one of those, but uh my calendar is so full that I had the form halfway filled out and I thought, you know what, I'm just gonna hold off for now. So uh maybe when the two two-year term comes up. But um they've uh they've the got these uh settled now at this point, and uh these um advisory councils, uh so there's one for C through POs, one for ESPs, one for uh there's a few different ones. Uh I can't remember all the ones they are for, but um the those advisory councils are all set now, or at least uh the timeline to have your um application in to b to be on one is uh is all done. I believe they said that they're all uh uh set now. Um but those will be kicking off pretty soon. Um and then uh believe it or not, there is some international expansion to um uh CCP, CCAs, uh C through PAOs, uh there is an international component to that. So uh folks in Canada, folks in Australia, stuff like that, uh can uh can be part of the ecosystem. And uh there's nothing saying they can't. Those folks typically are not gonna see uh uh COI. Uh so if it's a type of COI that uh is uh dissemination restricted from uh foreign citizens, uh like ITAR, for instance, or no foreign, uh then um should be fine. Uh they should just need to make sure that if if when they do an on-site assessment for someone that there's no COI out there for them to see, right? Uh so uh or they need to make sure they follow their ITAR regulations as well. Uh but uh that should that should all be okay. There was a question as to whether those um foreign assessors could assess uh American companies, and and the answer was yes, they can with the caveat that I just talked about for the CUI. So those are the uh those are some of the main updates that came out, some of the other updates that came out of the town hall. I think that's it for today, guys. If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. You can find our contact information at cnnccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.