Graphic for March 2025 Cyber AB & CAICO Town Hall with Kraken Compliance logo.

CMMC March 2025 Town Hall: International Expansion and Program Updates

Article
Article
CMMC 2.0
12 Minutes
Article
Blog
Category
Andrew Freund
Founder & CEO, Kraken Compliance
March 26, 2025

The CMMC ecosystem continues to evolve rapidly, with significant developments in international participation and CMMC Certification Process taking center stage during the March 2025 Town Hall.

In the Cyber AB's March 2025 Town Hall, CEO Matt Travis and special guest James Gillooly from the DoD's CMMC Program Management Office (PMO) provided critical updates on the program's progress, international participation, and ethical guidelines for the CMMC ecosystem. This session confirmed that the final piece of the certification process—the official certificates—is now in place, allowing Organizations Seeking Certification (OSCs) to become officially CMMC Level 2 certified.

Program Fully Operational

CMMC Level 2 certification assessments are now officially live with 64 authorized C3PAOs issuing legitimate certificates. The final digital integration between eMASS and SPRS systems remains pending, but companies can now obtain verified CMMC Level 2 certification status.

International Momentum Building

South Korea leads international participation with over 100 practitioners, while Canada launches its parallel Canadian Program for Cyber Security Certification (CPCSC) program without CMMC reciprocity. While Canada's CPCSC program is similar to the CMMC Model, there is one big difference, CPCSC pulls it's security requirements from NIST SP 800-171 Rev 3, while CMMC still uses NIST SP 800-171 Rev 2.

Despite diplomatic tensions, the CMMC program remains fully open to Canadian participation as both CMMC assessors and organizations seeking certification.

Tier 3 Background Process Streamlined

James Gillooly DoD CMMC PMO announced a major development: formalized Tier 3 background investigation processes for foreign nationals seeking CCA or CCP certification. The new process divides candidates into four categories based on citizenship and U.S. residency status, utilizing existing bilateral security agreements between the United States and partner nations. One foreign national has already successfully completed the process in less than a week. Once fully implemented, foreign nationals that previously submitted their Tier 3 Determination Applications, will be required to resubmit under the new process.

Congressional Review Period Ongoing

While House Joint Resolution seeks to cancel the CMMC program, industry experts view this as having minimal likelihood of success, requiring passage through multiple legislative hurdles including Armed Services Committee approval and presidential signature.

CMMC MythBusters

Rumor 1 - CMMC Certified Professionals (CCP) candidates need to submit for Tier 3 Background investigations prior to taking the CCP exam.

Fact: Only CCP Candidate who have passed the exam and then are contacted by the CAICO submit for the Tier 3 Background investigation.

Rumor 2 - House Joint Resolution introduced by House of Representative Andrew Clyde (Republican GA-9) is going to cancel the CMMC Program.

Fact: The bill has been referred to the House Armed Services Committee. In order for the bill to become law, canceling the CMMC Program, the bill would have to be:

  • voted out of committee;
  • passed by the full U.S. House of Representatives;
  • passed by the full U.S. Senate; and then
  • signed into law by the President.

Rumor 3 - All CCAs and CCPs need to apply for access to CMMC eMASS.

Fact: Only CCAs or CCPs that have been designated by Authorized C3PAOs to upload CMMC assessment documents to CMMC eMASS on their behalf, are granted access.

CMMC Ecosystem Capacity Scaling

Current numbers show 336 CMMC Assessors, 655 CMMC Professionals, and over 1,800 registered practitioners across the ecosystem. The marketplace continues expanding with enhanced regional search capabilities planned for implementation.

  • CMMC Certified Assessors (CCA): 336
  • CMMC Certified Professionals (CCP): 655
  • Registered Practitioners (RPs): 1,640
  • Registered Practitioners Advanced (RPAs): 201

Watch the Full Town Hall

Key Terms & Acronyms

  • Certified Third Party Assessment Organization (C3PAO)
  • Accreditation Body (AB)
  • International Organization for Standardization (ISO)
  • U.S. Department of Defense (DoD)
  • Defense Industrial Base (DIB)
  • CMMC Certified Assessor (CCA)
  • CMMC Certified Professional (CCP)
  • Cyber AB (Cyber Accreditation Body)
  • CMMC AB (CMMC Accreditation Body)
  • CyberSecurity Maturity Model Certification (CMMC)
  • Controlled Unclassified Information (CUI)
  • Federal Contract Information (FCI)

Share this post

FAQ: CMMC Certified Professional

What happened to the Certified CMMC Professional program?

The CMMC Certified Professional (CCP) designation has replaced the previous Certified CMMC Professional program. This CMMC program change aligns with the updated CMMC 2.0 framework and reflects the evolving cybersecurity compliance requirements within the Department of Defense (DoD) supply chain.

Can I prepare for the CCP exam through self-study without taking an official course?

The CAICO requires all CCP Candidates to complete a CCP training course delivered by an Approved Training Provider (ATP), in order to be eligible for the CCP certification exam. Self-study using CMMC guidance documents and NIST publications is helpful preparation, but it does not substitute for the mandatory official training portion. You must complete the CCP training course delivered by an ATP before you’re eligible to sit for the CCP certification exam.

What happens to my CCP if CMMC requirements change again?

The Cyber AB updates exams and continuing education expectations as the CMMC program evolves. Existing CCPs remain valid but may need to meet new training or recertification milestones when major framework changes are implemented. When NIST SP 800-171 Rev. 3 is fully adopted, for example, expect updated training requirements. Stay subscribed to The Cyber AB communications to avoid surprises.

Is the CCP certification only valid in the United States?

CMMC is a U.S. DoD program, but its reach extends internationally. Foreign-owned companies that supply the DoD or work with U.S. primes also pursue CMMC readiness, making CCP relevant wherever DoD contracts are in play. Canadian, UK, Australian, and other allied nation companies working in the defense supply chain frequently need CCP-trained professionals to manage their compliance obligations.

Do I need to work for a C3PAO to benefit from the CCP credential?

No. Employment by a C3PAO is not required. Many CCPs work inside defense contractors, consulting firms, or prime contractors where they lead readiness efforts rather than formal third-party assessments. The credential is equally valuable for internal compliance roles, independent consulting, and advisory positions across the defense industrial base.

How long does it typically take to become a CMMC Certified Professional from start to finish?

Most candidates complete the process within 1–3 months. This includes scheduling and completing the 30–40 hour training course, preparing for the exam, and sitting for the CCP certification test. If you’re new to NIST SP 800-171 or defense contracting, allow additional time for foundational preparation before the course. The background investigation or suitability determination may add time depending on your situation.

Subscribe To Our Newsletter

Stay up-to-date on Govt. IT Compliance changes and getexpert compliance, audit, and security tips.