CMMC Update by Glenda R. Snodgrass for The Net Effect

January 6, 2026

CMMC in the News: January 2026 Edition

Happy New Year, everyone! Ah, we certainly do live in interesting times. The past month or so included several newsworthy CMMC items:

DLA Provides Clarity on CMMC for its Supply Chain: The Defense Logistics Agency (DLA) recently posted a number of CMMC Resources on its website with some actual numbers of how it expects CMMC to be in play: "DLA anticipates 25% of it's (sic) total procurements to require CMMC." If you scroll down to the section titled "Supply Class to CMMC Level Expectation Breakout" you will see the percentage of contracts in each supply class that DLA expects to achieve which level of CMMC. (Hint: There's a whole lot of L2 in there, both Self and C3PAO, with just a smidgen of L1 and L3.)

CMMC Ecosystem Continues to Grow: In the December town hall meeting, the Cyber AB showed that the number of Authorized C3PAOs and CMMC Certified Assessors (CCA) continues to grow slowly. Likewise, the number of organizations receiving final L2 certifications continues to grow slowly as well as the number "IN PROGRESS" -- many of which are apparently actually "paused."

There has been much chatter in this regard since official assessments started January 2, that many orgs entering assessment aren't anywhere near ready to pass, so rather than failing them, C3PAOs are "pausing" the assessments to give orgs time to regroup and get prepared. There isn't any provision for this tactic in the final rule nor in the CMMC Assessment Process (CAP) so C3PAOs have been winging it with their own plans. I think Cyber AB (and possibly DoD/DoW) wants to clamp down on this -- or at least provide some consistency on how it's handled. We shall see. (BTW, have you read the CAP? If you plan to get an official L2 assessment, you really need to read and understand this document. It's the C3PAO's Bible for conducting CMMC assessments.)

Also Growing: the Number of False Claims Act Violations: "Swiss Automation Inc. has agreed to pay $421,234 to resolve alleged False Claims Act violations relating to its failure to provide adequate cybersecurity for certain drawings of parts that the company machined and supplied to Department of Defense (DoD) prime contractors." Ouch. Anecdotally, I've heard from numerous sources that there are literally hundreds of FCA cases winding their way through DoJ.

“Protecting our nation’s security includes protecting its data. As cyber threats become more sophisticated, defense contractors, subcontractors, and suppliers must do their part to safeguard sensitive government information,” said Special Agent-in-Charge Jason Sargenski, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. “We will hold contractors, subcontractors, and suppliers accountable when they fall short of their cybersecurity obligations to the Department of Defense.”

USACE Makes Proclamations About CMMC: The U.S. Army Corps of Engineers (USACE) created a stir last month when they gave a webinar on CMMC and made the bold claim that paper-only CUI does not trigger CMMC requirements. This is also stated on their website: "CMMC safeguards apply to prime contractors and subcontractors at all tiers but are always based on sensitivity of the information. For example, CUI kept in paper form only does require physical safeguards yet does NOT trigger CMMC."

While I agree that sending only paper CUI to subcontractors can greatly reduce their compliance burden, I (and many in this field) disagree that this does not trigger CMMC. I think that USACE absolutely has the right to assume this risk for its data, and I suspect that was their intent, but the actual phrasing is very misleading. Here's hoping they clarify at some point in the near future. Meanwhile, I would not count on ignoring CMMC if you only handle (or share) paper, especially since this pronouncement is from USACE only and not DoD/DoW as a whole.

Update 2025-01-08: Right after I published this update, DoD/DoW released an update of the CMMC FAQ addressing this directly, in fact supporting USACE's position with the caveat that paper still needs to be protected according to regulations.

Meanwhile, the Portland District USACE published a Notice to Industry "to inform current and prospective contractors that most future contract actions issued by the District are expected to require Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 (Self-Assessment)."

So, where do we stand? That CMMC train is rolling faster and faster down the track.

Are you ready? Do you need help? Ping me!

A Lead CCA’s Breakdown of How to Prepare for a Level 2 Assessment

If you missed this webinar, the recording is available on YouTube.

A practical discussion on what organizations can do to prepare for CMMC Level 2 assessments — directly from a Lead CCA’s perspective.

Key Takeaways:

  • How to structure and organize your readiness efforts before engaging with a C3PAO
  • Common pitfalls that slow down assessment progress (and how to avoid them)
  • Real-world tips to make your assessment process more efficient and effective

    Sincerely,

    Glenda R. Snodgrass, CCP/CCA/Lead CCA
    grs@theneteffect.com
    The Net Effect, LLC
    www.theneteffect.com
    251-433-0196 x107


Copyright 1996-2026 The Net Effect, L.L.C. All rights reserved.