Graphic for August 2025 Cyber AB & CAICO Town Hall with Kraken Compliance logo.

CMMC August 2025 Town Hall: Major Program Updates and Tier 3 Changes

Article
Article
CMMC 2.0
12
Article
Blog
Category
Andrew Freund
Founder & CEO, Kraken Compliance
September 5, 2025

The CMMC Compliance landscape continues to evolve rapidly, and August's CMMC Town Hall delivered significant updates that will impact defense contractors, C3PAOs, and professionals across the CMMC ecosystem. With Title 48 rulemaking progressing through final review and major changes to Tier 3 vetting procedures, this session provided crucial insights for stakeholders navigating the shifting regulatory environment.

 

CMMC Title 48 Rulemaking Momentum Builds

The Cyber AB, confirmed that the CMMC Title 48 final rule remains on track to be published in the Federal Register this calendar year. The rule has been under review by OIRA (Office of Information and Regulatory Affairs) for over a month, with expectations that it won't require the full 90-day review period. This represents the final piece needed to make Cybersecurity Maturity Model Certification (CMMC) a mandatory program across all Department of Defense (DoD) contracts.

Critical Tier 3 Determination Changes

The DoD CMMC Program Management Office announced significant procedural changes affecting all CMMC personnel.

Starting August 18, 2025, all CMMC Tier 3 adjudications must be enrolled in Continuous Vetting under the Trusted Workforce 2.0 initiative. This means full packages (OF-306, Tier 3 nomination form, and resume) are now required for all CMMC Certified Assessor (CCA) & CMMC Certified Professional (CCP) candidates, including those with active clearances. Importantly, clearance verification letters are no longer accepted, though processing timelines remain unchanged for those with existing clearances.

False Claims Act News

False Claims Act enforcement continues - Aero Turbine settled for $1.75 million for allegedly failing to implement NIST SP 800-171 R2 security requirements from 2018 to 2020, demonstrating DoD's serious commitment to cybersecurity compliance.

This serves as a stark reminder that companies are still responsible for NIST 800-171 compliance requirements, regardless of CMMC implementation timelines.

CAICO Training and Certification Updates

The CAICO's Acting Executive Director, provided updates on exam revisions aligned with 32 CFR requirements. The CCP exam has been updated and is targeting public availability by year-end, with the CCA exam following shortly after. The CAICO also addressed common delays in CCA and Lead CCA applications, noting that missing assessment experience documentation remains the primary bottleneck in processing.

C3PAO Advisory Council Launch

The newly appointed chair of the Certified Third Party Assessment Organization (C3PAO) Advisory Council, outlined the 11-member voluntary advisory board's mission to provide technical guidance and best practices recommendations. The council, featuring representatives from both large and small C3PAOs, will serve a crucial roles in the CMMC ecosystem, focusing on critical issues like the 10-day reevaluation period, ESP/CSP/MSP processes, and CMMC assessment procedures. Singer emphasized the council's commitment to making CMMC as cost-effective as possible for small businesses while maintaining program integrity.

CMMC Ecosystem Continues to Expand

The Cyber AB, opened with encouraging news about the ecosystem's expansion. The program now boasts 270 Level 2 certificates issued, 79 authorized C3PAOs (has confidence of reaching 100 by year-end), and nearly 500 CMMC Assessors. This growth demonstrates the maturing infrastructure needed to support mandatory CMMC implementation efforts, once Title 48 takes effect.

 

CMMC Level 2 Certification Assessments

  • Final Certificates Issued: 270
  • Conditional Certificates Issued: 9
  • Assessments In Progress: 91

CMMC Ecosystem

  • CMMC Certified Assessors (CCA): 496
  • CMMC Certified Professionals (CCP): 1,039
  • Registered Practitioners (RPs): 1,865
  • Registered Practitioners Advanced (RPAs): 227

 

GAO Audits CMMC Program

GAO Audit - The Government Accountability Office (GAO) is finalizing their Audit of the CMMC Program and expects to publish their Audit Report in the Fall of 2025.

Watch the Full Town Hall

Cyber AB Website

Key Terms & Acronyms

  • Certified Third Party Assessment Organization (C3PAO)
  • Accreditation Body (AB)
  • International Organization for Standardization (ISO)
  • U.S. Department of Defense (DoD)
  • Defense Industrial Base (DIB)
  • Organizations Seeking Certification (OSC)
  • CMMC Certified Assessor (CCA)
  • CMMC Certified Professional (CCP)
  • Cyber AB (Cyber Accreditation Body)
  • CMMC AB (CMMC Accreditation Body)

Share this post

Subscribe To Our Newsletter

Stay up-to-date on Govt. IT Compliance changes and getexpert compliance, audit, and security tips.