CMMC Compliance Guide Blog

Actionable insights, expert tips and compliance strategies to help defense contractors simplify their CMMC Requirements and secure contracts


June 2024 Cyber AB Town Hall Recap: CMMC Compliance Updates Every DoD Contractor Should Know

July 28, 2025 · 4 min read

The Cyber AB’s June 2024 Town Hall was packed with critical updates for DoD contractors, managed service providers (MSPs), and anyone navigating the CMMC and NIST 800-171 landscape. From new leadership to technical clarifications around G-code and external service providers, staying ahead of compliance just got more urgent — especially with October right around the corner.

Here’s a breakdown of the top takeaways, what they mean for your compliance journey, and the actions you should be taking now.


Leadership Changes Signal Movement on Title 48 Rulemaking

The Honorable Michael P. Duffy has been confirmed as the new Under Secretary of Defense for Acquisition and Sustainment. His experience in both the DoD and the Office of Management and Budget (OMB) makes him a key figure in accelerating the Title 48 CMMC rulemaking process.

Breaking Update: The 48 CFR rule structure is now live in the eCFR. Though the rule itself is still under OMB review, the structure is finalized — signaling enforcement is on the fast track, starting October 1st.


Clarifying the Role of ESPs, CSPs, and MSPs

One of the most important updates from the town hall was the clarification of how External Service Providers (ESPs) factor into CMMC assessments.

What’s the Difference?

  • CSP (Cloud Service Provider): Platforms like Microsoft 365, Box for Government, and others that host cloud data.

  • ESP (Non-CSP): Consultants or IT providers (like Justice IT Consulting) that offer cybersecurity services but do not directly provide cloud storage.

If you're using an ESP (not a CSP), they will be assessed as part of your CMMC assessment scope. This includes their environment, tools, and documentation.

Why This Matters:

  • ESPs must have proper documentation, including a Customer Responsibility Matrix (CRM).

  • If your MSP supports multiple clients, they’ll be assessed multiple times — once per client.

  • Changing tools or providers last-minute could put your compliance at risk.


The CRM (Customer Responsibility Matrix) Is Now Mandatory

Every OSC (Organization Seeking Certification) must coordinate with their IT provider to document:

  • Who is responsible for each control

  • How assessment objectives are divided

  • A clear, non-vague breakdown that assessors can quickly interpret

Without these shared responsibility documents, you risk failing your assessment.


IT Tools Used by Providers Are Also in Scope

Any tools your ESP or MSP installs on your systems — like antivirus, firewalls, or remote monitoring — are also subject to assessment.

Changing providers or tools after assessment without a compliance re-evaluation could void your certification.


Why Your CAGE Code Must Match Exactly

Another gotcha covered in the town hall is the CAGE code mismatch issue. Your system’s CAGE code must:

  • Match the contract under which you're assessed

  • Match the system used to submit to SPRS and eMASS

  • Reflect the accurate company name, address, and legal entity

Failure to match CAGE codes has led to delayed or derailed assessments.


G-code Is CUI — According to Cyber AB and Assessors

There has been heated debate in the community about whether G-code (used in CNC manufacturing) qualifies as Controlled Unclassified Information (CUI).

The consensus shared in the town hall (and reinforced by experts like Jim Goepel) is clear:

If G-code is generated as part of fulfilling a government contract, it is CUI.

Your safest bet? Treat all G-code as CUI and scope it appropriately. Use encrypted USB drives (like punch-code FIPS-validated devices) to simplify compliance, especially for older machines.


Upcoming CMMC Events and Webinars

If you want to stay current, these events were recommended:

Cyber AB Town Halls

  • Held monthly

  • Usually 5:00 PM Central

  • Great for directional insight straight from the source

Carahsoft Virtual Webinar Series

  • June 29–31

  • Features voices from across the CMMC and GovCon ecosystem

National Cyber Summit

  • September 23–25 in Huntsville, AL

  • Ideal for in-person networking and sessions

CS5 Conference

  • October 16–17, National Harbor, DC

  • A merger of CIC, CEIC, and CS2 events — one of the best for CMMC insights


Final Takeaways: What Should You Be Doing Now?

As October approaches, your compliance priorities should include:

  • Verifying your CAGE code information is correct and consistent

  • Asking your IT provider for CRMs and documentation now (not later)

  • Scoping G-code as CUI and using encrypted transfer solutions

  • Avoiding last-minute tool changes that can trigger re-assessment

  • Building a clear, concise SSP that tells your compliance story, and referencing detailed policies separately


© Copyright 2025. Justice IT Consulting LLC. All Rights Reserved.