CMMC Compliance 2025 Insights from Cyber AB Town Hall and What They Mean for Defense Contractors

Explore the latest CMMC compliance updates from the May 2025 Cyber AB Town Hall. Learn what defense contractors must know to prepare, certify faster, and stay competitive in the DoD supply chain.

When Cyber AB hosted its May 2025 Town Hall, we were expecting the usual federal-compliance slideshow. What we got instead was a reality check—and a playbook. The message wasn’t layered in jargon or history lessons. It was tactical, forward-looking, and refreshingly blunt.

In this recap, we’ve distilled what truly matters from that session: facts, shifts, and actionable steps for defense industrial base (DIB) organizations. We’ve included relevant stats, client anecdotes, and “do-this-today” insights from real-world engagements.

"Compliance is like riding a bike uphill: stop pedaling and gravity does the rest."
– Every CISO, Ever

Why This Wasn’t Just Another Update

Since the CMMC Final Rule hit the Federal Register in October 2024, contractors have found themselves somewhere between cautious optimism and outright confusion. Many paused, waiting for the assessment bottleneck to ease. Others charged forward, only to discover their System Security Plans (SSPs) were more patchwork than playbook.

This May Town Hall wasn’t about rules in theory—it was about what’s happening on the ground. Cyber AB leadership didn’t waste time. They spoke to practitioners and decision-makers like us who are knee-deep in the day-to-day. If your team still needs to Google "CMMC levels," well, as Cyber AB joked, “you probably shouldn’t be on the call.” Fair.

Certification Momentum: Finally, the Numbers Inspire Confidence

CMMC has matured. No more hand-wringing about readiness gaps or assessor shortages. The stats speak:

  • 2,310+ Level 2 certifications issued, up 38% since February. That’s faster adoption than ISO 27001 saw in Year One.
  • 74% of organizations with conditional approval closed POA&Ms within the 180-day window.
  • 93-day median turnaround from audit-ready to certified, shorter than most federal procurement cycles.

One of our manufacturing clients put it best: “We spent more time debating forklift budgets than we did certifying.” That says it all.

The Cloud Conundrum: FedRAMP Moderate Equivalency Made Clear

For years, “FedRAMP-ready” meant little more than marketing. Not anymore. The May update drew clear lines:

  1. FedRAMP Moderate Equivalency is not a rubber stamp. CSPs must supply a full Body of Evidence (BoE). You—the contractor—own proving it.
  2. Customer Responsibility Matrices (CRMs) count as hard evidence. They map CSP responsibilities versus yours.
  3. Multi-tenant SaaS must demonstrate tenant segmentation. Ask your vendor for a network boundary attestation. Yes, it's buried in their appendix somewhere.

Action Step: Start building a “Cloud Appendix” in your SSP. Include the BoE, CRM, and your residual risk narrative. We’ve seen assessors cut review time nearly in half with this structure.

Level 2 vs. Level 3: Know the Difference, Plan Accordingly

Level 2 covers the 110 controls from NIST SP 800-171. Level 3 adds 24 from NIST SP 800-172—designed to counter advanced persistent threats.

Here’s what stood out: Cyber AB clarified that partial cryptographic coverage on legacy operational tech may be accepted—if it’s segmented and accompanied by compensating controls.

Cheat Sheet:

CMMC Levels Comparison

  Category           | Level 2                    | Level 3
  -------------------|----------------------------|-----------------------------------
  Assessment Type    | Self or C3PAO              | DIBCAC (post flawless Level 2)
  Passing Score      | 88+/110, no critical gaps  | 19+/24, all critical controls met
  POA&M Grace        | 180 days, self or C3PAO    | 180 days, reassessed by DIBCAC
  Crypto Expectation | FIPS-validated for CUI     | Same, with legacy OT allowances

If you’re eyeing Level 3 in 2026, our advice: perfect Level 2 first. A spotless Level 2 certificate is now a prerequisite for the Level 3 assessment.

Scoping: Get It Right, or Get Delayed

One assessor nailed it: “Show me spaghetti, I’ll show you a blown timeline.”

80% of delays trace back to bad scoping. Here’s the right approach:

  1. Inventory first. Walk your floors. List servers, workstations, OT nodes, and vendor VPNs.
  2. CRMAs (Contractor Risk Managed Assets) should have a traffic policy, monitoring plan, and quarterly checks. Keep the prose tight.
  3. Specialized Assets like lab gear or IoT sensors can inherit protections via intermediary firewalls or jump boxes.

We’ve seen this strategy reduce audit prep hours dramatically—and avoid those dreaded, last-minute scoping panics.

ESPs, MSPs, MSSPs: Who Owns What?

Third-party relationships can either save you or sink you. Here’s what’s new:

  • Cloud providers: You must request their FedRAMP package on Day 1.
  • MSPs managing backups or firewalls are now Security Protection Assets. Get their SOC 2 or a mapped attestation.
  • MSSPs handling alerts must tie Security Protection Data (SPD) to your IR playbook—in minutes, not days.

Case in Point: One of our clients failed their audit because their MSP couldn’t produce evidence of password rotations. We helped them switch to a provider with API-enabled password vaults—problem solved.

Quick Wins: What You Should Be Doing Now

Want to shave days off your certification process? Start with these:

  1. Mini Crypto Audit – Check that every touchpoint of CUI uses FIPS-validated crypto. Segment legacy gear and explain.
  2. Future-Proof Your POA&Ms – By late 2025, POA&Ms must be XML-formatted. Use the preview template now.
  3. Evidence Workbook – Create a control-to-evidence spreadsheet: file path, control owner, last tested date.
  4. Tabletop Drill – Simulate an APT event. Record your response. Those screenshots and meeting notes count as evidence for 5+ controls.
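The "Evidence Workbook" step above is easy to start and easy to let rot. The following is an added example, not code from the Cyber AB session or from this post's authors: a small Python checker that reads a control-to-evidence register with the three columns the step names (file path, control owner, last-tested date) and flags controls with no evidence, no owner, or evidence older than a review window. The sample register, its paths, owners and dates are constructed for the example; the control IDs only follow the NIST SP 800-171 numbering scheme. The 90-day default window is an assumption chosen to match a quarterly review cadence.

```python
"""
Added example: check a control-to-evidence register for missing, unowned,
or stale evidence so it can be re-run each quarter instead of rebuilt
before an audit. Not code from the post or from Cyber AB.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register. Control IDs use the NIST SP 800-171 numbering
# scheme; the paths, owners and dates are invented for this example.
SAMPLE_WORKBOOK = """control_id,evidence_path,control_owner,last_tested
3.1.1,evidence/ac/ad-group-export-2025-04.csv,IT Ops,2025-04-15
3.1.2,evidence/ac/rbac-matrix.xlsx,IT Ops,2024-11-02
3.5.3,evidence/ia/mfa-policy-screens/,Security,2025-05-01
3.13.11,evidence/sc/fips-module-inventory.csv,,2025-03-20
3.8.3,,Records Mgmt,
3.6.1,evidence/ir/tabletop-2025-05-notes.pdf,Security,2025-05-09
"""


def parse_workbook(csv_text):
    """Read the CSV register into a list of dicts, stripping stray whitespace."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for raw in reader:
        rows.append({k: (v or "").strip() for k, v in raw.items()})
    return rows


def assess_workbook(rows, as_of, window_days=90):
    """Return {control_id: [issue, ...]}; an empty list means the row is clean.

    as_of is an ISO date string. window_days is the review window; 90 days
    is an assumed quarterly cadence, not a CMMC requirement.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=window_days)
    findings = {}
    for row in rows:
        issues = []
        if not row["evidence_path"]:
            issues.append("missing evidence")
        if not row["control_owner"]:
            issues.append("no owner")
        tested = row["last_tested"]
        if not tested:
            issues.append("never tested")
        elif date.fromisoformat(tested) < cutoff:
            issues.append(f"stale (tested {tested}, window {window_days}d)")
        findings[row["control_id"]] = issues
    return findings


def coverage(findings):
    """(clean controls, total controls) for a findings dict."""
    clean = sum(1 for issues in findings.values() if not issues)
    return clean, len(findings)


def report(findings):
    """Human-readable lines, problem rows first, for a status meeting or ticket."""
    lines = []
    ordered = sorted(findings.items(), key=lambda kv: (not kv[1], kv[0]))
    for control_id, issues in ordered:
        status = "; ".join(issues) if issues else "ok"
        lines.append(f"{control_id:<8} {status}")
    clean, total = coverage(findings)
    lines.append(f"{clean}/{total} controls have current, owned evidence")
    return lines


if __name__ == "__main__":
    findings = assess_workbook(parse_workbook(SAMPLE_WORKBOOK), as_of="2025-05-20")
    print("\n".join(report(findings)))
```

Run it against the real register exported from your spreadsheet as CSV, and put the run in the same quarterly cycle as the POA&M review: a row that reads "never tested" or "no owner" is exactly the gap an assessor will ask about first.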

Mythbusting: Straight from the Source

CMMC Myths vs Reality

  Myth                                         | Reality
  ---------------------------------------------|------------------------------------------------------------
  “Level 1 never expires.”                     | It does: annual self-assessment and affirmation required.
  “Conditional approval = we can bid forever.” | You get 180 days. That’s it.
  “Cloud email = CUI storage.”                 | Only if it’s labeled as such. Label wisely.
  “Level 2 can be self-assessed.”              | Only if your contract allows it. Otherwise, C3PAO.
  “FedRAMP High = Level 3 pass.”               | Nope. It must still be mapped to 800-172.

Looking Forward: Compliance as a Culture

CMMC is evolving from checklist to mindset.

  • NIST SP 800-171 Rev 3 will introduce Organization-Defined Parameters (ODPs). You’ll have flexibility, but expect to justify your choices.
  • Automated compliance is coming. Cyber AB hinted at pilot programs using live SIEM feeds to reduce reassessment costs.
  • Supply chain enforcement will tighten. Primes will be expected to grade their subcontractors regularly.

Strategy Tip: Treat compliance like DevOps—iterate quarterly. Avoid the scramble-every-three-years model.

Final Thoughts: Momentum Wins

The May Town Hall brought clarity. With scoping strategies, cloud rules, and realistic assessment timelines now better understood, the runway to certification is clear—and accelerating.

Here’s our take:

Document what you have. Patch what you must. Build evidence as you go. And don’t stop pedaling.

Need guidance on scoping, readiness assessments, or third-party risk alignment? Let’s talk. We help defense sector contractors turn compliance into a strategic asset.