Sum IT Up: CMMC News Roundup

NIST SP 800-171 Revision 3 has been out for two years.



DFARS 252.204-7012 says to use the most current version.



So why are defense contractors still using Revision 2?



Because they're supposed to.



In this episode, we break down the temporary rule that overrides the DFARS clause and keeps the entire ecosystem aligned on Revision 2.



We cover:

• What a class deviation actually is and why it matters

• Why DoD had to pause the shift to Revision 3

• How CMMC rulemaking controls the transition

• And when Revision 3 will realistically start showing up in contracts



Bottom line: contractors aren't behind. The rules haven't changed yet.

.......

Register for Summit 7 Live: https://www.summit7.us/s7live



171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/final



DFARS 7012 deviation (PDF): https://www.acq.osd.mil/dpap/policy/policyvault/USA001074-24-DPC.pdf



32 CFR 170: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170



Class deviation podcast: https://youtu.be/voziZRAMvv4?si=3xHm7I_gIeQTQxLf



Class deviation press release: https://www.war.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/

This week we sit down with a C3PAO who has completed over 100 CMMC Level 2 assessments. We chat cost, timeframe, assessor backlogs and the most common issues facing defense contractors.



Register for Summit 7 Live: https://www.summit7.us/s7live



GAO Report (2026): https://www.gao.gov/products/gao-26-107955



GAO Report (2021): https://www.gao.gov/products/gao-22-104679

We are back at it again with another rundown of the Cyber AB's monthly town hall and there sure was a lot of valuable information distributed during the meeting. Join us for this episode of we discuss some of the key information dished out this month and weigh on any impact it may have on the CMMC Program.



Things like:

• Milestones achieved by the program this month!

• Why was the new DoW CIO talking to Armed Services committees?

• How is the ecosystem growing?

• What to expect in the CAICO transfer to ISACA.

And so much more...Tune in to find out!



Cyber AB TH Replay's: https://cyberab.org/News-Events/Town-Hall



ISACA Website: https://www.isaca.org/

Everyone is talking about a “November 2026 deadline” for CMMC Level 2.



There's just one problem… it's not real.



In this episode, we break down what the CMMC rule actually says about Phase 2, what really happens starting in November 2026, and why most contractors are misunderstanding the rollout.



If you're in the defense industrial base, this is the clarity you need to plan your timeline the right way.



Key topics:



• What Phase 2 actually means

• When Level 2 requirements apply (and when they don't)

• Why this isn't a mass certification deadline

• How to think about your real CMMC timeline

• Stop chasing phantom deadlines and start focusing on the contracts that matter.



Register for Summit 7 Live: https://www.summit7.us/s7live



PALT: https://youtu.be/C50UXJyz4PA?si=ySn1oIS4FaK4Si9f



32 CFR 170.3: https://www.ecfr.gov/current/title-32/section-170.3



Jan 2025 memo:

https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf

GAO's latest report on CMMC sounds cautious. They warn about external risks, ecosystem constraints, and gaps in DoD's strategy.



But that framing misses the bigger story.



Since the 2021 report, CMMC has gone from a fragmented concept to a functioning system. The ecosystem exists. Training exists. Small business support is working.



So why does the report feel so negative?



In this episode, we break down where GAO is right, where they're overstating the risk, and why the real story is the program's quiet but meaningful progress.



Register for Summit 7 Live: https://www.summit7.us/s7live



GAO Report (2026): https://www.gao.gov/products/gao-26-107955



GAO Report (2021): https://www.gao.gov/products/gao-22-104679