
About Sum IT Up: CMMC News Roundup
It's difficult to keep up with all of the moving parts that make up the Department of Defense's Cybersecurity Maturity Model Certification Program. It's even more difficult to keep up with the relevant bits and bites that influence CMMC. This weekly podcast sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
The CMMC November 2026 Deadline Is a Myth (Here’s What’s Actually Happening)
Everyone is talking about a “November 2026 deadline” for CMMC Level 2. There's just one problem… it's not real. In this episode, we break down what the CMMC rule actually says about Phase 2, what really happens starting in November 2026, and why most contractors are misunderstanding the rollout. If you're in the defense industrial base, this is the clarity you need to plan your timeline the right way.
Key topics:
• What Phase 2 actually means
• When Level 2 requirements apply (and when they don't)
• Why this isn't a mass certification deadline
• How to think about your real CMMC timeline
Stop chasing phantom deadlines and start focusing on the contracts that matter.
Register for Summit 7 Live: https://www.summit7.us/s7live
PALT: https://youtu.be/C50UXJyz4PA?si=ySn1oIS4FaK4Si9f
32 CFR 170.3: https://www.ecfr.gov/current/title-32/section-170.3
Jan 2025 memo: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf
GAO Gave CMMC a 95%... Then Called It a Problem
GAO's latest report on CMMC sounds cautious. They warn about external risks, ecosystem constraints, and gaps in DoD's strategy. But that framing misses the bigger story. Since the 2021 report, CMMC has gone from a fragmented concept to a functioning system. The ecosystem exists. Training exists. Small business support is working. So why does the report feel so negative? In this episode, we break down where GAO is right, where they're overstating the risk, and why the real story is the program's quiet but meaningful progress.
Register for Summit 7 Live: https://www.summit7.us/s7live
GAO Report (2026): https://www.gao.gov/products/gao-26-107955
GAO Report (2021): https://www.gao.gov/products/gao-22-104679
75% of the CMMC Assessment Guide Isn’t Requirements
Most defense contractors assume everything written in the CMMC Level 2 Assessment Guide is a requirement. But that's not actually how the framework works. In this episode we break down the structure of the assessment guide and explain why roughly 75% of the document is explanatory text, not normative requirements.
You'll learn:
• Where the real requirements come from in NIST SP 800-171
• How verification procedures in NIST SP 800-171A become assessment objectives
• Why discussion sections and examples are informative, not prescriptive
Understanding the difference between requirements, assessment objectives, and explanatory guidance can help contractors avoid unnecessary controls, reduce documentation overhead, and simplify CMMC compliance.
CMMC Assessment Guides: https://dodcio.defense.gov/cmmc/Resources-Documentation/
NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
NIST SP 800-171A: https://csrc.nist.gov/pubs/sp/800/171/a/final
We Mapped 130 Iranian Cyber Attacks to CMMC… Here's What We Found
Iranian cyber actors are targeting the Defense Industrial Base. So does CMMC actually help? In this episode, we mapped 130 real-world techniques used by five Iranian threat groups to the controls behind NIST SP 800-171 using the MITRE ATT&CK framework.
Here is what the data shows:
• 100% of techniques are detectable
• 68% are mitigated with preventative controls
• Just a handful of core controls drive most of the defensive impact
We also examine what that means for Cybersecurity Maturity Model Certification and why 800-171 remains a strong floor for protecting CUI. But there is a gap. Only about half of the relevant NIST SP 800-53 controls that mitigate known Iranian techniques are represented in the 800-171 baseline. If you are a defense contractor, this episode will show you what compliance actually buys you and where you may need to go further.
Register for Summit 7 Live: https://www.summit7.us/s7live
MITRE ATT&CK: https://attack.mitre.org/
Mappings Explorer: https://ctid.mitre.org/projects/mappings-explorer
CISA Alert: https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran
NIST SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
February Cyber AB Town Hall Recap
The Cyber AB has once again summoned the CMMC Ecosystem to deliver its monthly update, and on this week's show we are going to break it down for you. Join us as we take all the information distributed during the meeting and dish out the information you need to know. Things like:
• Can my FSO check on my Tier 3?
• Have we eclipsed the 1,000 assessments milestone?
• When does a mock assessment stop “mocking”?
• Updates on the ISACA/CAICO switchover
And so much more... Tune in to find out!
Sum It Up: “The End of SPRS Scores (sort of)”: https://youtu.be/_UFN7fubgQY?si=EgtchmuAHti24Cr8
Cyber AB TH Recordings: https://cyberab.org/News-Events/Town-halls
ISACA Webinar - CMMC: Requirements, Roles, and Professional Credentials: https://store.isaca.org/s/community-event?id=a33VQ000001otC1YAI
ISACA CMMC Page: https://www.isaca.org/credentialing/cmmc