Graphic for August 2025 Cyber AB & CAICO Town Hall with Kraken Compliance logo.

CMMC August 2025 Town Hall: Major Program Updates and Tier 3 Changes

The CMMC compliance landscape continues to evolve rapidly, and August's CMMC Town Hall delivered significant updates that will affect defense contractors, C3PAOs, and professionals across the CMMC ecosystem. With Title 48 rulemaking progressing through final review and major changes to Tier 3 vetting procedures, this session provided crucial insights for stakeholders navigating the shifting regulatory environment.

 

CMMC Title 48 Rulemaking Momentum Builds

The Cyber AB confirmed that the CMMC Title 48 final rule remains on track to be published in the Federal Register this calendar year. The rule has been under review by OIRA (Office of Information and Regulatory Affairs) for over a month, with expectations that it won't require the full 90-day review period. This represents the final piece needed to make Cybersecurity Maturity Model Certification (CMMC) a mandatory program across all Department of Defense (DoD) contracts.

Critical Tier 3 Determination Changes

The DoD CMMC Program Management Office announced significant procedural changes affecting all CMMC personnel.

Starting August 18, 2025, all CMMC Tier 3 adjudications must be enrolled in Continuous Vetting under the Trusted Workforce 2.0 initiative. This means full packages (OF-306, Tier 3 nomination form, and resume) are now required for all CMMC Certified Assessor (CCA) and CMMC Certified Professional (CCP) candidates, including those with active clearances. Importantly, clearance verification letters are no longer accepted, though processing timelines remain unchanged for those with existing clearances.

False Claims Act News

False Claims Act enforcement continues: Aero Turbine settled for $1.75 million for allegedly failing to implement NIST SP 800-171 R2 security requirements from 2018 to 2020, demonstrating DoD's serious commitment to cybersecurity compliance.

This serves as a stark reminder that companies are still responsible for NIST 800-171 compliance requirements, regardless of CMMC implementation timelines.

CAICO Training and Certification Updates

The CAICO's Acting Executive Director provided updates on exam revisions aligned with 32 CFR requirements. The CCP exam has been updated and is targeting public availability by year-end, with the CCA exam following shortly after. The CAICO also addressed common delays in CCA and Lead CCA applications, noting that missing assessment experience documentation remains the primary bottleneck in processing.

C3PAO Advisory Council Launch

The newly appointed chair of the Certified Third Party Assessment Organization (C3PAO) Advisory Council outlined the 11-member voluntary advisory board's mission to provide technical guidance and best-practice recommendations. The council, featuring representatives from both large and small C3PAOs, will serve a crucial role in the CMMC ecosystem, focusing on critical issues like the 10-day reevaluation period, ESP/CSP/MSP processes, and CMMC assessment procedures. Singer emphasized the council's commitment to making CMMC as cost-effective as possible for small businesses while maintaining program integrity.

CMMC Ecosystem Continues to Expand

The Cyber AB opened with encouraging news about the ecosystem's expansion. The program now boasts 270 Level 2 certificates issued, 79 authorized C3PAOs (with confidence of reaching 100 by year-end), and nearly 500 CMMC Assessors. This growth demonstrates the maturing infrastructure needed to support mandatory CMMC implementation efforts once Title 48 takes effect.

 

CMMC Level 2 Certification Assessments

  • Final Certificates Issued: 270
  • Conditional Certificates Issued: 9
  • Assessments In Progress: 91

CMMC Ecosystem

  • CMMC Certified Assessors (CCA): 496
  • CMMC Certified Professionals (CCP): 1,039
  • Registered Practitioners (RPs): 1,865
  • Registered Practitioners Advanced (RPAs): 227

 

GAO Audits CMMC Program

The Government Accountability Office (GAO) is finalizing its audit of the CMMC Program and expects to publish its audit report in the fall of 2025.


Key Terms & Acronyms

  • Certified Third Party Assessment Organization (C3PAO)
  • Accreditation Body (AB)
  • International Organization for Standardization (ISO)
  • U.S. Department of Defense (DoD)
  • Defense Industrial Base (DIB)
  • Organizations Seeking Certification (OSC)
  • CMMC Certified Assessor (CCA)
  • CMMC Certified Professional (CCP)
  • Cyber AB (Cyber Accreditation Body)
  • CMMC AB (CMMC Accreditation Body)


FAQ: CMMC Certified Professional

What happened to the Certified CMMC Professional program?

The CMMC Certified Professional (CCP) designation has replaced the previous Certified CMMC Professional program. This CMMC program change aligns with the updated CMMC 2.0 framework and reflects the evolving cybersecurity compliance requirements within the Department of Defense (DoD) supply chain.

Can I prepare for the CCP exam through self-study without taking an official course?

The CAICO requires all CCP candidates to complete a CCP training course delivered by an Approved Training Provider (ATP) in order to be eligible for the CCP certification exam. Self-study using CMMC guidance documents and NIST publications is helpful preparation, but it does not substitute for the mandatory official training portion. You must complete the CCP training course delivered by an ATP before you’re eligible to sit for the CCP certification exam.

What happens to my CCP if CMMC requirements change again?

The Cyber AB updates exams and continuing education expectations as the CMMC program evolves. Existing CCPs remain valid but may need to meet new training or recertification milestones when major framework changes are implemented. When NIST SP 800-171 Rev. 3 is fully adopted, for example, expect updated training requirements. Stay subscribed to The Cyber AB communications to avoid surprises.

Is the CCP certification only valid in the United States?

CMMC is a U.S. DoD program, but its reach extends internationally. Foreign-owned companies that supply the DoD or work with U.S. primes also pursue CMMC readiness, making CCP relevant wherever DoD contracts are in play. Canadian, UK, Australian, and other allied nation companies working in the defense supply chain frequently need CCP-trained professionals to manage their compliance obligations.

Do I need to work for a C3PAO to benefit from the CCP credential?

No. Employment by a C3PAO is not required. Many CCPs work inside defense contractors, consulting firms, or prime contractors where they lead readiness efforts rather than formal third-party assessments. The credential is equally valuable for internal compliance roles, independent consulting, and advisory positions across the defense industrial base.

How long does it typically take to become a CMMC Certified Professional from start to finish?

Most candidates complete the process within 1–3 months. This includes scheduling and completing the 30–40 hour training course, preparing for the exam, and sitting for the CCP certification test. If you’re new to NIST SP 800-171 or defense contracting, allow additional time for foundational preparation before the course. The background investigation or suitability determination may add time depending on your situation.
