March 2026 Cyber AB Town Hall Recap: Flowdown Pressure, Ecosystem Growth, and the Realities of Early Enforcement

March’s Cyber AB Town Hall offered a clearer picture of how CMMC is taking shape in practice. Not just as a finalized rule, but as an emerging set of behaviors across the Defense Industrial Base.

The discussion moved beyond timelines and into execution. Requirements are beginning to appear in solicitations, primes are taking a more active role in enforcing expectations across their supply chains, and the broader ecosystem continues to expand to meet demand that is still only partially realized.

At the same time, several recurring challenges remain unresolved, particularly around defining Controlled Unclassified Information (CUI) and managing scope in a way that is both compliant and operationally sustainable.

CMMC requirements are beginning to appear in contracts

One of the more tangible updates from this Town Hall was the growing presence of CMMC requirements in active solicitations across multiple DoD programs.

The examples shared spanned agencies including NAVSEA, USAF, USACE, and NAVAIR, with requirements ranging from Level 1 to Level 2 and, notably, a mix of both self-assessments and third-party (C3PAO) assessments depending on the program. These are not future-state projections. They are current opportunities with defined timelines, several of which fall within early 2026.

What stands out is not just that requirements are appearing, but how they are being applied. In some cases, Level 2 requirements tied to a C3PAO assessment are being set as a condition tied closely to contract timelines. In others, self-assessment pathways are still being used, suggesting a transitional phase where different parts of the DoD are adopting enforcement at different speeds.

For contractors, this reinforces a practical point. Even before full Phase 2 enforcement, CMMC is already influencing eligibility. Organizations that have not begun preparing may find themselves excluded earlier than expected, not because of a formal deadline, but because requirements are being introduced at the program level.

Flowdown requirements are driving most of the immediate pressure

While the DoD continues to formalize requirements, the Town Hall discussion made it clear that much of the immediate pressure is coming from prime contractors.

Primes are actively evaluating their supply chains and, in many cases, beginning to segment suppliers based on their ability to meet CMMC requirements. This is less about formal enforcement and more about risk management. If a subcontractor cannot handle CUI in a compliant manner, that risk ultimately sits with the prime.

This dynamic is accelerating flowdown conversations. However, the discussion also highlighted that flowdown is not simply a mechanical process of pushing requirements downstream. It is increasingly becoming a design decision around where CUI is introduced and how far it needs to travel within the supply chain.

In practice, this means some organizations are rethinking their architectures and data flows to limit the spread of CUI, rather than expanding scope unnecessarily. Others are still working to understand whether they handle CUI at all, which continues to slow progress and create inconsistency across the ecosystem.

Identifying CUI remains a challenge for contractors

Despite ongoing guidance, the difficulty of identifying and scoping CUI continues to surface in both formal presentations and Q&A discussions.

Part of the challenge is structural. CUI is not defined by internal designation alone but by a combination of regulatory frameworks and contract-specific requirements. As that information moves through the supply chain, clarity can degrade, leaving downstream contractors to interpret requirements that were more clearly defined at the program level.

The Town Hall reinforced the need for organizations to develop a defensible position on CUI rather than waiting for perfect clarity. This includes understanding how CUI is introduced into the environment, how it is stored and transmitted, and how those flows map to the defined assessment boundary.

Without that foundation, organizations risk either over-scoping their environments, which increases cost and complexity, or under-scoping, which can create issues during assessment.

Ecosystem growth continues, but capacity remains a focus

The March update also showed continued growth across the CMMC ecosystem, with increases in authorized C3PAOs, certified assessors, and practitioners.

Authorized C3PAOs rose to 103, while Certified CMMC Professionals (CCPs) and Lead Certified CMMC Assessors (LCCAs) also saw steady increases. Registered Practitioners and RPO participation continue to trend upward, reflecting growing engagement from organizations supporting readiness efforts.

At the same time, the underlying concern around capacity has not disappeared. The GAO report discussed during the Town Hall highlights a structural dependency on private sector assessors to meet program demand. While the ecosystem is growing, it is still early relative to the total number of organizations expected to require Level 2 certification.

This creates a tension between supply and demand that will likely continue to shape how quickly the program can scale, particularly as enforcement expands.

The GAO report highlights execution risk

The discussion of the recent GAO report provided useful context for how the program is being evaluated externally.

The report does not challenge the intent of CMMC. Instead, it focuses on execution, particularly the Department of Defense’s ability to account for external factors that could impact the program’s success.

One of the key concerns is the reliance on private sector organizations to conduct assessments, and whether there is sufficient capacity to meet demand over time. While the DoD has mechanisms such as waivers to address short-term challenges, the report notes that these do not resolve underlying structural risks.

For contractors, this reinforces the importance of timing. As demand increases, delays related to assessor availability or scheduling could become a more significant factor, particularly for organizations that wait until requirements are tied directly to contract awards.

The CAICO transition to ISACA signals continued program maturation

Another notable update was the continued transition of the CAICO function to ISACA.

The transfer of designation, authorization, and stewardship was completed in December 2025, and operations are continuing under ISACA without disruption. Training, credentialing, and certification processes are being consolidated under a more standardized model, with alignment to ISO/IEC 17024:2012 accreditation.

While there are no immediate changes to certification requirements or processes, the transition reflects a broader shift toward a more mature and institutionalized ecosystem. Credentialing pathways are becoming more structured, and the long-term administration of the program is being aligned with established certification bodies.

What these updates mean for the DIB

The March Town Hall reinforces the fact that CMMC is moving from policy to practice.

Requirements are beginning to influence real contracts, primes are actively managing supply chain risk, and the ecosystem is expanding, but still catching up to anticipated demand. Foundational challenges, particularly around CUI identification and scope definition, remain central to successful implementation.

For organizations preparing for Level 2, the implications are straightforward but important. Progress matters earlier than it used to. Scope decisions have long-term consequences. And clarity around data handling is not something that can be deferred until assessment.

As the CMMC program continues to evolve, the gap between organizations that are actively preparing and those that are waiting is likely to become more visible, not just in compliance status, but in access to opportunities across the defense industrial base.

We’ll continue to track updates and insights from each month's CyberAB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom.