Expert Insights | January 28, 2026

January 2026 Cyber AB Town Hall Recap: New PMO Training, Fresh FAQs, and What to Watch for Next

The January Cyber AB Town Hall felt like a “back to business” checkpoint for the CMMC ecosystem. Certification activity is still climbing, the supporting infrastructure around assessments is maturing, and the PMO continues to publish clarifications that can materially change how organizations scope their environments.

This session also offered a rare behind-the-scenes look at how the Cyber AB handles complaints and appeals, which is increasingly relevant as more organizations enter live assessments and more providers market CMMC services to the Defense Industrial Base. Here’s what’s new, what’s next, and what defense contractors should take from this month’s updates.

The Pentagon has a new CIO

Matt Travis opened the Town Hall by sharing a leadership update from the Department. Kirsten Davies was confirmed and sworn in as the Pentagon’s new Chief Information Officer in December. The Cyber AB welcomed her to the community and framed her appointment as good news for cybersecurity governance more broadly, given her background in senior cybersecurity and IT leadership roles.

Travis also thanked Katie Arrington, who held the role over the past year and remains closely associated with CMMC’s momentum even as she returns to the private sector.

New PMO educational resources and FAQ responses sharpen guidance for contractors

The January Town Hall highlighted a meaningful expansion of PMO-provided educational resources, aimed at reducing confusion and improving consistency as more organizations move into active CMMC assessments.

One of the most practical updates was the release of new public micro-learning videos produced by the PMO in partnership with the Defense Acquisition University. Although these short, self-paced modules were originally designed for the DoD acquisition workforce, the PMO explicitly encouraged the broader CMMC ecosystem and Defense Industrial Base to use them as well.

The videos on ACQuipedia focus on foundational topics that continue to drive rework and misalignment during readiness and assessment prep, including how to interpret a System Security Plan, how POA&Ms differ from operational plans of action, how phased CMMC implementation works, and what certification actually signifies. For organizations struggling to align IT, security, compliance, contracts, and program teams, these modules offer a shared baseline that comes directly from the PMO’s own training pipeline.

Alongside the new training content, the PMO also updated its FAQs to clarify several scoping questions that continue to surface across assessments. The Cyber AB walked through a handful of these updates during the Town Hall, underscoring just how detail-oriented CMMC scoping has become.

These training resources and FAQ updates reinforce a broader reality for contractors heading into 2026: scoping is often the single biggest factor influencing assessment timelines, cost, and outcomes. Organizations that want fewer surprises are well served by pressure-testing their boundary assumptions early and ensuring their scoping rationale is grounded in how data truly flows through their environment.

The potential impact of another government shutdown

The Town Hall also addressed a potential lapse in federal appropriations and what that could mean operationally. The Cyber AB’s expectation, based on communications with the PMO and prior shutdown behavior, is that the ecosystem would continue to function. C3PAOs could still perform Level 2 certification assessments and issue certificates of status, eMASS would remain in operation, DIBCAC activity may continue, and DCSA would likely continue adjudicating Tier 3 packages.

The key nuance is that even if DCSA continues investigative work, the PMO is the authority that accepts risk and issues final determinations. If PMO staff are not working due to a shutdown, that could create delays at the final decision stage even while other parts of the pipeline keep moving.

Ecosystem growth continues, with Level 2 certificates climbing

After the last update in December, the Cyber AB reported another meaningful increase in certification activity. They shared that 773 Level 2 Certificates of CMMC Status have been issued to date, with 34 conditional certificates issued and 109 Level 2 assessments in progress.

On the capacity side, they reported 97 authorized C3PAOs and expect to cross 100 soon. They also reported continued growth in credentialed professionals, including 688 CCAs, 1,459 CCPs, and 425 Lead CCAs. Registered Practitioners remain just under 2,000, while ATPs and APPs increased modestly as well.

They also reiterated that CMMC is an international program and highlighted growing participation across countries, with four non-US C3PAOs currently moving through the authorization process. The message was clear: the market is expanding beyond the U.S., and the supporting ecosystem is expanding with it.

A major milestone for the Cyber AB: C3PAO reauthorization and accreditation is now live

One of the more “behind the scenes” updates in January is also one of the more consequential for the long-term stability of the ecosystem. The Cyber AB announced the launch of the reauthorization and accreditation process for C3PAOs.

The simple explanation is that 32 CFR provides C3PAOs a 27-month window to remain authorized, and as early-authorized C3PAOs approach expiration for their initial authorization period, they will now either enter the accreditation program or pursue reauthorization for the remainder of that 27-month period. The Cyber AB framed this as a core part of why they exist as an accreditation body. It also places the program on a clearer path toward alignment with ISO standards, including the longer-term peer review expectations tied to ISO 17011.

As accreditation becomes operational, the ecosystem is moving from “standing up capacity” to “validating consistency.” Over time, that should translate to more predictable experiences across assessors and fewer of the wild variations that tend to happen early in any new compliance market.

Customer support changes are coming February 9

The Cyber AB also addressed customer support issues head-on. Starting Monday, February 9, support requests will move away from email-based intake and shift to a structured form accessible through the Contact Us link on the Cyber AB website. The intent is to capture better information up front, automatically route tickets to the right teams, and improve the Cyber AB's ability to report on support metrics. Existing tickets will not be impacted, but after the change, emailing support@cyberab.org will no longer create a new ticket.

They also clarified that complaints, appeals, and events will still route through their dedicated email addresses rather than the new form.

Complaints, appeals, and why you won’t see public outcomes

The Cyber AB took time during this month's Town Hall to explain how complaints and appeals are handled, and why they cannot publicly share details even when action is taken.

They emphasized that they have a formal responsibility to receive, evaluate, and make decisions on valid complaints and appeals, and that confidentiality requirements apply, especially in matters involving C3PAOs. They also noted that when a complaint concerns a C3PAO, ISO expectations encourage that the complaint be addressed by the C3PAO first whenever feasible, before it escalates.

They shared that since 32 CFR went into effect, they’ve received 43 discrete complaints. The topics described were familiar: alleged Code of Professional Conduct violations, exaggerated marketing claims, improper credential usage, conflicts of interest, CAP adherence issues, and slow processes. They also described the types of appeals they have authority to hear, including C3PAO authorization decisions and elevated appeals between OSCs and C3PAOs.

This segment also included a clear warning that contractors should not ignore. The Cyber AB reiterated professionalism expectations spelled out in the Code of Professional Conduct, especially around representing credentials accurately, avoiding unrealistic or deceptive pricing practices, and refraining from making guarantees of certification outcomes. That theme is worth reading as guidance for how you vet CMMC providers. If someone is promising a guaranteed certification or presenting their status in a way that feels inflated, that is not just a marketing red flag. It is behavior the ecosystem is actively trying to police.

CAICO transition status: wait for ISACA’s official guidance

Finally, the Town Hall included a brief CAICO corner update as the transition to ISACA continues. The Cyber AB reiterated that the CAICO transfer is now in effect, with the transition period expected to complete on April 1.

The key update here was not a new policy decision, but a practical reminder. ISACA has begun communicating directly with credential holders, and the ecosystem was encouraged to wait for ISACA’s formal sessions and published guidance. ISACA is expected to explain how continuing education, credentialing workflows, and related changes will operate in an upcoming March event.

What's new and what's next for contractors

January’s Town Hall reinforced a few realities about where CMMC is headed in 2026:

  • The PMO is continuing to publish clarifications that directly affect scope.
  • The ecosystem is growing in both certifications issued and capacity to deliver assessments.
  • The Cyber AB is shifting into a more mature operational posture, including formal accreditation activities for C3PAOs and a more structured approach to support intake.
  • The CAICO transition is focusing on the mechanics ISACA will put in place starting in April.

For contractors, the most actionable takeaway is that this is a good month to tighten fundamentals. Use PMO training resources to align your internal teams, pressure test scoping assumptions with the newest FAQ guidance, and be skeptical of anyone selling certainty in a program that is still actively refining interpretation details. The organizations that move fastest this year will not be the ones who rush. They will be the ones who reduce surprises by getting scope, documentation, and boundary decisions right early.

We’ll continue to track updates and insights from each Cyber AB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom: