CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Key Takeaways from the January 2026 CMMC Town Hall: Hard Copy CUI, Scope, and Program Changes
The January 2026 CMMC Town Hall brought several important clarifications and program updates that directly impact Department of War (DoD) contractors.
In this episode of the CMMC Compliance Guide Podcast, we break down what changed, what was clarified, and what contractors should take away from the latest guidance.
We cover:
- New DOW CIO leadership changes and what they mean for CMMC
- Updated clarification on Hard Copy CUI (and what qualifies)
- Why encryption alone does NOT define scope
- Government shutdown impact on assessments
- C3PAO reauthorization and ISO 17020 accreditation
- CAICO transition to ISACA and certification updates
- What all of this means for contractors planning in 2026
The biggest theme? CMMC is not slowing down. It’s becoming more standardized, more mature, and more defined.
If you’re planning contracts in 2026, now is the time to understand how these updates affect your scope, documentation, and assessment strategy.
Hey there and welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is about the updates that came out of the January 2026 CMMC Town Hall. We're going to talk about why they matter. There were a few clarifications, transitions, and program changes discussed that directly affect assessments, vendors, and timelines for, not Department of Defense, but Department of War contractors. Starting to get used to it. We're getting to it. Taking a little bit of time getting used to it here at CMMC Compliance Guide.
Brooke: I think everybody is.
SPEAKER_02: Let's get into it.
Brooke: Okay, let's do it.
SPEAKER_02: First off, let's talk about the new faces over at the DOW. I think we've got a new DOW CIO. Can you tell us about that? The leadership changes over there.
Brooke: Absolutely. So the new DOD, see, I did it again. So the new DOW CIO is Ms. Kirsten Davies, who has been confirmed. So she is now heading up the information security, I guess, for information, the IT department, whatever you want to call it, for the DOW. She's got lots of relevant experience leading large organizations, being part of cybersecurity initiatives and all sorts of fun stuff, but we do have a new CIO for the DOW. And Katie Arrington was a huge, huge champion and really pushed CMMC over the hump to get it to fruition. And I guess we're on the path to that fruition now. We're not actually there, but that path is well defined and we are on that path, and there's no getting off that path without Congress saying, oh, you know what, never mind. And I do not see Congress doing that. But anyway, Katie Arrington did a great job. Now Kirsten Davies is in. She's the DOW CIO, and it looks like she's well on her way and wanting to continue and make all the DOD's information safe. DOD. DOW. Make all the DOW's information safe. So it looks like she'll do a great continuation of everything that's been in place.
SPEAKER_02: So Hard Copy CUI came up again. It did. Absolutely. It's a popular topic, I think, because it remains a potential, you know, hope for someone that might not... a potential way out. Yeah, yeah. A loophole, maybe, whatever you want to call it. People are talking a lot about it, hoping they might could use it to avoid some, you know, burden of compliance. So that came up again during the town hall. And there's some additional clarification and conversation around it. Can you kind of break down what they talked about in the town hall, but in some more plain English terms?
Brooke: Sure, sure. So they really just rehashed the FAQ that came out. There's a long list of FAQs that came out from the DOW, and this hard copy CUI, or the printed CUI, is one of those. And it's getting a lot of attention. But basically what they're saying is if you have hard copy CUI, so like paper CUI, and that's all you have, it's not in any of your electronic systems anywhere, then you don't have to worry about CMMC, right? However, the caveat to that is it still has to be protected, and it falls under DODI, I think it's still DODI, might be DOWI, I don't really know at this point. In any case, DODI 5200.48, which lays out protection for it. You still have to protect that. Of course, not to the scale really of CMMC, but then again, it's not an information system, it's a piece of paper, you know. You still have to protect it to DODI 5200.48 as long as you don't put it in an information system. So the very second that you scan it in or put it on a USB or receive it by email or send it by email or, you know, anything like that, the very second that it goes into anything that could be even remotely construed as an information system. In other words, you know, something other than the piece of paper and the filing cabinet that it goes in. You know.
SPEAKER_02: Wait, you mean I can't even photocopy it and make a copy of it?
Brooke: You can't even... Right, exactly. There you go. You can't photocopy it. So the very second it goes into anything that can be anywhere construed as an information system or part of an information system, then you're under CMMC at that point.
SPEAKER_02: So to clarify that, it would have to physically travel from the original source by way of plane, train, or automobile to your location, and you would have to physically handle it, file it away, look at it, pull it out. There's no copies or emails or scanning in happening. And then when you wanted to send it to someone, that one and only copy that you have, because you couldn't copy it unless they sent you a multitude of copies originally, you would have to send your copy physically by plane, train, or automobile. I guess you could use carrier pigeon. No, we discussed that one in the past. That may not be compliant.
Brooke: I don't think there's any tracking numbers on carrier pigeons.
SPEAKER_02: That's a problem, yeah. Yeah. But you know, drone by drone, maybe. Have you seen these drone services coming out? I have, they're pretty cool. Yeah, we can, well, we can't because we're not in the service area, but you can get drone packages from our local Walmart now.
Brooke: Yeah, our local Walmart sends drones over our head all day long. Yeah. But when I went on Walmart's website to order by drone because I wanted to see it in action, we're right next to a highway, so I understand. That's probably why. But anyway, we couldn't order anything by drone. Don't know why exactly. But that's way beside the point here.
SPEAKER_02: We're good at rabbit trails. So the whole life cycle of that paper CUI has to be in physical paper form in terms of transit to you and from you. Yeah. And can't even touch a copier to be duplicated. Correct. Correct. So if you can make that work for your business or organization, then you can take advantage of that rule.
Brooke: Really where this works, really where it matters, is for, it does in other scenarios too, but for construction companies. If the construction company prints out some CUI, has CUI copies, and they want their subcontractor to be able to look at it, then they make sure that they're authorized to see it, and then they can handle the paper CUI, protect it like it needs to be protected, and then hand it back or whatever they need to do with it. But as long as that subcontractor doesn't put it in any information systems, make copies of it or anything like that, then they're good. They just have to protect it as per 5200.48. DODI 5200.48.
SPEAKER_02: Yeah. So if you have subcontractors that are probably not gonna get on the compliance, you know, train, concrete guy. This might be a way to do it. Yeah.
Brooke: Concrete guy or framing guy, you know, whoever it might be, they're not gonna go through and get that. That's a huge problem in the construction industry, right? And even more so than in the manufacturing industry. So yeah, those folks, if they just handle paper CUI, then they don't have to worry about it. This did come out as a statement from the Army a few months back. I don't even remember when it was now, but from the Army a few months back, and one of our clients asked us about it, and I was like, that's good news, but wait, that was just the Army. I know it's the Army, but that's just the Army. The Army's not the DOD. It's not the DOD. So we've got to wait for the DOW. See, I did it again. I thought I was getting used to it, and obviously I'm not. But you know, at the time we actually did tell them it was DOD, not DOW. So yeah. There you go. That's true. But it did finally come out from the DOW. So it's all good.
SPEAKER_02: All right, this next question is among some of my favorites. Scope. I always like to say all roads lead back to scope.
Brooke: Yes, they do, absolutely.
SPEAKER_02: And it is one of the most poorly understood concepts, I think, in compliance, but if understood, really makes everything else fall in place. So they brought up scope and encryption as well, and how that plays into scope, in the town hall. Can you tell me what came up in the town hall and, more importantly, what contractors should take from that?
Brooke: This is another one of those FAQs that came out and bubbled up to the top in the town hall. So basically what they said is that encryption alone can't create logical separation. So a logical separation would be like a VLAN, right? Creating a separate secure VLAN from, you know, one that's in scope and one that's out of scope, right?
SPEAKER_02: So encryption should always be understood as a control, not a definition of scope. Is that what you're saying? Exactly, yes.
Brooke: That's a good way to put it. So yeah, just because you have information encrypted does not mean that that creates logical separation. You have to have ACLs, VLANs, or something else there to actually create that logical separation. You know, and the other thing about encryption, sort of related to this, is that just because CUI is encrypted doesn't mean it's not CUI anymore. Encrypted CUI is just that. Encrypted CUI. It's still CUI, it's just encrypted. So there's a clarification there. A lot of people want to try to take the easy way out and encrypt CUI and say it's not encrypted anymore, or it's not CUI anymore. It is. Or they want to try to say it's encrypted, and so the rest of the network can't see it, and I don't need to create, you know, logical separation like a VLAN because they can't get to it. Well, that doesn't fly either. So encryption is great, you have to do it, but like you said, it's a control, it doesn't define the scope.
SPEAKER_02: So one of the other questions that came up was about the looming government shutdown. Now, the town hall of course was from January, so that was at that point in time. Now that has passed, and as of today, February 10th, which is when we're recording this, we have another one looming.
Brooke: Another looming shutdown. Yeah, imagine that.
SPEAKER_02: And just that short of a, you know, we've had two in just a short period of time. So fun times. But you know, being that there's another one coming up, and maybe it's here, maybe it's not whenever this airs, it's still relevant, and I guess maybe potentially relevant for any future additional government shutdown or possibility of one. So what does a government shutdown mean for assessments? They talked about it on the town hall.
Brooke: Yeah, it doesn't mean jack for assessments. Really, that's what it means. Everything will continue, everything in the whole CMMC ecosystem will continue, with the exception of contracting functions. So if there's a new contract that's, you know, gonna come out or that needs to be signed or whatever, then that's not gonna happen during the shutdown. Other than that, everything else is gonna happen. The assessments are gonna happen, the scores are gonna be uploaded, the Tier 3 background, tier whatever background checks are still gonna happen. Everything else within the CMMC ecosystem is gonna happen. Pretty much like everything else within your life, whenever the government shuts down, it still continues. But the contracting part of this will probably not happen during the shutdown.
unknown: Yeah.
SPEAKER_02: So usually the only thing that shuts down when governments are shut down is them sending money out. Yes. Everything else typically runs, or things will be shut down just for inconvenience's sake, maybe. Or, you know, maybe you'd have a hard time getting hold of somebody if certain support functions are shut down. But by and large, you're saying that all the assessments and expectations of controls and everything else is not gonna change, and not gonna be something you can point to, because they're not gonna care.
Brooke: Correct. Yeah. Now I guess if your assessment happens to take place at a national park, you know, or something like that, then possibly you might be affected. But assuming that, and that's just a joke, but you know, assuming that your assessment is not inside a national park or something, then your assessment's still gonna go on. And if you have any, you know, Level 3 assessments, I would imagine those still go on as well.
SPEAKER_02: Absolutely. So we can hope, but it is not the case for this one, huh? Now there's also some discussion around reauthorization for C3PAOs. Not C3POs. Yeah. From Star Wars. But anyway, reauthorization for your certified third party auditors. Why does that matter? What's the ultimate effect for contractors?
Brooke: Well, so for the reauthorization for the C3PAOs, they have to go through an accreditation against ISO 17020. And this really is just a standardization, making sure that they adhere to certain controls and standards for conducting impartial assessments and all that kind of fun stuff. And really it's a maturation of the CMMC ecosystem. And so they have, I think, twenty-seven months to go through that process after authorization, but they do have to go through that process for that accreditation.
SPEAKER_02: Now another question that came up on the town hall is the CAICO. Keiko, Keiko, how do you say it? Keiko. Keiko.
Brooke: Yes. The Keiko. At least that's how they say it on the town hall. So I'm assuming that they're pronouncing it right, but I guess they can make it up because, you know, they made the term up.
SPEAKER_02: So it's one of those things you always read and then you never say. And so when you go to say it, you're like, how in the heck do I say that thing?
Brooke: Yeah, exactly.
SPEAKER_02: So that transition, you know, on the town hall it sounded kind of technical in nature. But can you break it down at a more plain English level for the contractors out there? What does the transition mean? How does it affect them?
Brooke: Yeah, sure. So for the contractors and subcontractors, it's really not gonna affect them a whole lot. Maybe if you want to send any of your people to CCP training or CCA training or anything like that, it'll affect them.
SPEAKER_02: Which, if you're gonna do compliance in-house, it'd be a really good idea.
Brooke: If you're gonna do compliance in-house, I really suggest that you send your people so that they get a CMMC Certified Professional, a CCP, and that they at the very least go through the class and the training and take the test for a CCA, a CMMC Certified Assessor. Those two will do wonders. They'll give you all sorts of information about how assessors are supposed to perform the assessment. So, I mean, you understand where they're coming from, right? So those are great. They don't necessarily have to become a CCA, because to become a CCA you have to take part in some assessments and there's some other requirements. But if they at least take the class and go through that, that'll help out a bunch. So in any case, for those CCPs and CCAs, and I guess CMMC Certified Instructors, I believe that this covers them too. But anyway, all the certification stuff is moving over to ISACA. They do a whole ton of different industry certifications, and so that's all gonna move over. We're waiting for the details on exactly what that looks like, but there's gonna be, you know, ongoing learning or ongoing credits that you can go get when you go to conferences and all that kind of fun stuff. So that's all moving over to ISACA, and the current CAICO folks are helping with that migration and working through all that. So it just means more standardization with other certification paths. The move is a good one. And I think there was always something bigger planned or desired there than managing the CAICO themselves, you know, under the whole Cyber AB umbrella. But this is, like I said, it is moved out to ISACA, but they're just finalizing all the details right now, and I'm waiting patiently for those details. Because, you know, for us and our certifications that some of our team have. So yeah, it's moving over to ISACA, so that's, you know, an organization that's been doing this for a while. So that adds more maturity to this whole thing, right?
SPEAKER_02: Yeah, so there's not a big takeaway there, but if you're someone, an individual maybe at a company that's doing compliance in-house or something, and you're looking to get your credentials soon, go ahead and do it, maybe. So that way you can get it done before the transition, not for any reason other than just the unknown, you know. There may be some things that change, and if you've been doing your prep and you've invested a lot of time and effort in taking the tests or whatever, you don't have to reinvest that time, because things always appear like they might go smoothly, but there's always changes when things change, you know. Yes, there is. That's just the reality of it. But if it's not on a near time horizon for you to get those credentials or do that training, then, you know, there's no real action needed. You'll learn about it whenever you go do it. That's right. Yep.
Brooke: And they ought to have all the details sorted out here in a couple months. I can't remember what the deadline was for when they were gonna have everything kind of figured out. But it ought not be too awful long before they announce all the rest of the details.
SPEAKER_02: Can you tell us what updates there were about ISACA that stood out?
Brooke: So some of those things I mentioned a minute ago. But one of those things is CPEs, CPE credits. You know, they'll offer some for different conferences, different trainings, all that kind of fun stuff. So there'll be a formal process around that. For instance, CCAs should expect, I think they said, 20 CPE credits per year. And, you know, they're still in transition, still working through everything. Those kind of reviews are gonna still be handled through the Cyber AB for the time being. But like I said, they're working on all this. Details will come out shortly, and everything is eventually gonna be migrated over to ISACA.
SPEAKER_02: Well, that was most of the questions I had that I wanted to cover from the CMMC Town Hall, Brooke. But kind of putting it all together for our listeners, what does everything that we talked about mean for contractors that are planning in 2026?
Brooke: Really what it means for contractors is that, you know, a couple years ago people were like, well, CMMC is all over the place and it's never coming, and they put it off, and all that kind of fun stuff. That's over. So there's more standardization, more consistency, and everything else that comes with this, more maturity for this whole process. All the clarifications that they're releasing are closing loopholes, clearing up misconceptions, some of those things that shouldn't be misconceptions, like encrypted CUI is not CUI, but I digress. So they're clarifying those things. It's being more standardized, it's becoming more mature. So that's all a good thing. The oversight is being clarified and more oversight is being added in. With the move to ISACA, you know, it's more of that standardization, maturity, and going along with industry models. So overall, you know, it's a good thing for CMMC. I saw a couple interesting threads about cost of assessments. So, you know, there's nothing that addresses costs or whether they may come down, but hopefully in the future, once everything kind of settles out and shakes out a little bit, it'll hopefully be a little less costly and more predictable. It's pretty predictable right now. Yeah. It's just predictable up here. Yeah. But there's more maturity to the whole process now. So that's what you get from that town hall and everything that's going on with CMMC right now.
SPEAKER_02: Yeah. So it's survived DOGE. Most of these updates are more around clarifications, and the big changes like ISACA that are happening are more longevity and investment oriented than they are backpedaling on anything. Oh, yeah, definitely. And we're seeing, in the foreseeable future, increases in defense items and everything else more than we're seeing pulling back on or stripping away from. So it seems like this may have been a long time coming to what seems like maybe some fruition, as you said earlier, but it seems like they're not pulling back on it at all.
Brooke: They're not pulling back on it. It's full steam ahead. They're holding to the timeline. And the next really big thing is gonna be the change to, in two or three years, four years, five years, I don't really know, but the change to the NIST 800-171 current version, which of course is R3 right now. That'll be the next big change. And I'm sure R4 will be out by the time we move to R3. It may be. It may be. So that's the next big change, but that's not a backpedal, that's not anything else. That's just keeping up with the standards.
SPEAKER_02: And more of an increase in controls and standards than it is a rollback of any. So that should make planning a little easier, for what it's worth, in terms of what you should expect, clarification on things, and knowing that if you have work in the sector or you desire work in the sector, then that's probably a target you should be shooting for.
Brooke: Absolutely.
SPEAKER_02: If you have questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.