As the November 10 rulemaking milestone approaches, the CMMC ecosystem is seeing its fastest growth to date. The October CyberAB Town Hall offered a wide-ranging update on certification activity, capacity planning, and policy enforcement, as well as a reminder of what’s at stake for contractors who are unprepared.

The meeting also brought new commentary on the False Claims Act, updates from the C3PAO Advisory Council, and the latest impact assessments around the looming federal budget shutdown. Below are the key takeaways from this month’s session and what they signal for the weeks ahead.

Certification and ecosystem growth continue ahead of approaching enforcement deadline

With the November 10 enforcement date for the CMMC Title 48 final rule fast approaching, both certification activity and ecosystem participation are accelerating.

As of this month, 431 organizations have achieved final CMMC Level 2 certification, an increase of 65 from the previous Town Hall. An additional 21 have conditional certificates (+5), and 104 assessments are currently in progress, marking a 39% increase month-over-month.

The Cyber AB also reported continued growth across the CMMC ecosystem:

• 83 Authorized C3PAOs (+1)
• 567 Certified Assessors (+40)
• 1,167 Certified Professionals (+128)
• 1,108 total CCA applications (+60)
• 359 Registered Practitioner Organizations
• 2,101 total RPs and RPAs

The numbers show meaningful momentum across the ecosystem, with a notable month-over-month jump in certified assessors and professionals. The addition of 40 CCAs and 128 CCPs signals a stronger assessment pipeline just in time for the post-rule surge in demand.

Federal shutdown has minimal impact on CMMC so far

The ongoing federal government shutdown has raised concerns across the ecosystem, particularly around DIBCAC operations, assessor vetting, and the CyberAB’s oversight responsibilities.

So far, the CyberAB’s understanding is that most CMMC-related functions remain unaffected. DIBCAC assessments are continuing, Tier 3 background investigations are still being processed, and the CyberAB and CAICO remain operational. The one notable slowdown is with the DoD CMMC PMO, which is experiencing reduced activity during the appropriations lapse.

The current outlook suggests that assessments and certifications will continue to move forward even in the event of a short-term shutdown.

The CyberAB also confirmed that the CMMC Title 48 rule is still expected to go into effect on November 10 despite the current government shutdown. As a reminder, this rule does not require all contractors to be certified by that date. Instead, CMMC certification will become a contractual requirement for any solicitations that include CMMC language after the rule is finalized.

This means organizations must be certified before contract award, not before proposal submission or by the November deadline. However, once the rule goes live, solicitations may begin including CMMC requirements at any time. Contractors that delay assessments may find themselves boxed out of award eligibility.

False Claims Act settlement reinforces compliance obligations

A new False Claims Act case was spotlighted during this month’s meeting. Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it knowingly failed to meet cybersecurity requirements for contracts with the Air Force and DARPA.

The whistleblower complaint claimed that GTRC submitted a false self-assessment score in SPRS and failed to properly safeguard sensitive data. While GTRC denied wrongdoing, this case underscores that DFARS 7012 and NIST 800-171 requirements are already enforceable. CMMC will only strengthen the accountability landscape.

The message to contractors is clear: even if CMMC is not yet part of your current contracts, your cybersecurity posture and documentation must already reflect full implementation of NIST 800-171.

More organizations are stepping forward as CMMC success stories

In a profile segment, Rob Groome of the University of Southern California shared lessons from USC’s CMMC journey. As a large research university managing highly complex IT environments, USC’s experience serves as a model for balancing operational realities with compliance requirements.

Groome emphasized the importance of early stakeholder alignment, strong documentation, and an internal culture that treats cybersecurity as a shared responsibility. He also called out the value of leveraging a GRC tool throughout the preparation and assessment process – not just for tracking documentation, but for understanding where they stood, identifying high-priority gaps, and staying focused on what mattered most. “We lived in our SSP,” he said, describing it as the central source of truth the team worked from to guide decisions, measure progress, and demonstrate compliance.

USC’s experience reinforces a key message: certification is achievable for even the most complex environments, but it requires leadership buy-in, intentional planning, and the right tools to operationalize security and compliance.

C3PAO Advisory Council continues momentum

The C3PAO Advisory Council continues to play an active role in shaping policy and assessment guidance. The Council has established five working subcommittees focused on:

• Accreditation policy and consistency
  
  
• Clarifying and improving the CMMC Assessment Process (CAP)
  
  
• Defining external service provider (ESP) expectations
  
  
• Assessment guidance and documentation
  
  
• Ecosystem feedback and continuous improvement
  
  

Chairs and vice chairs from organizations like Redspin, CyberNINES, The CMMC Team, Schellman, and others are now leading these efforts. Their ongoing collaboration with the CyberAB helps ensure that guidance evolves based on real-world assessment experiences.

For now, committee participation is closed, but the CyberAB continues to welcome feedback from across the ecosystem.

Stay ready, stay informed

CMMC is now moving from planning to enforcement. Final rulemaking is just days away, certifications are ramping up, and the legal risk of noncompliance is no longer theoretical. The window for preparation is closing, and now’s the time to act.

Whether you're leading internal readiness efforts, advising clients, or navigating an upcoming assessment, understanding these latest updates can help you pursue CMMC certification with confidence. 

Bookmark our newsroom for ongoing CMMC compliance guidance, monthly Town Hall recaps, and post-rule analysis once enforcement begins. You can also review our previous Town Hall recaps:

• September 2025 Town Hall recap
• August 2025 Town Hall recap
• July 2025 Town Hall recap
• June 2025 Town Hall recap
• May 2025 Town Hall recap
• April 2025 Town Hall recap