CMMC is moving from talking about readiness to measuring throughput. In the February 2026 CMMC Town Hall, the program shared updated counts for CMMC Level 2 certifications, a snapshot of ecosystem capacity (C3PAOs, CCAs, CCPs), and clarified two topics that materially affect how organizations should prepare.
First, a new Class Deviation intended to synchronize CUI safeguarding, NIST SP 800 171 assessments, and CMMC into a consolidated FAR and DFARS structure.
Second, the ethics and limits of C3PAO led mock assessments (non-certification assessments), including what they must not include to protect impartiality.
If you want help translating these updates into an execution plan for your environment, Book a Readiness Call to pressure test your scope, evidence, and assessment timeline.
CMMC Level 2 certifications (February 2026 snapshot)
The Town Hall shared the current status of CMMC Level 2 certifications and active assessments.
| Metric | Count |
| Certificates of CMMC Status Final | 896 |
| Certificates of CMMC Status Conditional | 36 |
| CMMC Level 2 Assessments In progress | 110 |
What this means: Final certifications are increasing, conditional certifications remain a smaller subset, and there is an active pipeline of Level 2 assessments underway. If you are planning around assessment availability, this pipeline matters for scheduling and resourcing.
Not sure how these numbers affect your timeline or assessor availability? Book a Readiness Call and we will map realistic lead times and readiness gates based on your current posture.
CMMC ecosystem capacity: C3PAOs, assessors, practitioners
The Town Hall also provided ecosystem counts across C3PAOs, assessors, and practitioners.
| Category | Count |
| Authorized C3PAOs | 98 |
| Applicant C3PAOs | 547 |
| CCAs | 748 |
| CCPs | 1,494 |
| Lead CCAs | 452 |
| Registered Practitioners | 1,954 |
| Registered Practitioners Advanced | 255 |
| Registered Practitioner Organizations | 378 |
| Approved Training Providers | 47 |
| Approved Publishing Partners | 12 |
Why this matters for CMMC planning: There is a large applicant pool for C3PAOs and a growing base of practitioners, but the number of authorized C3PAOs is still comparatively limited, so readiness scheduling remains a real constraint for many organizations.
What the new Class Deviation is
A major topic was the new Class Deviation and its intended impact.
The purpose
The deviation is meant to synchronize CMMC, CUI safeguarding, and NIST SP 800 171 assessments into one consolidated document structure. The goal is to reduce fragmentation and align contracting language across overlapping requirements.
What it temporarily replaces
This deviation temporarily replaces existing FAR and DFARS text requiring contracting officers to use:
- Revised FAR Part 40
- New DFARS Part 240
- New DFARS PGI 240
What gets consolidated under DFARS Part 240
The discussion described consolidation of information and supply chain security under DFARS Part 240, including:
- CUI safeguarding
- NIST 800 171 assessments
- CMMC
- Supply chain risk authorities
- Telecom prohibitions
- Satellite prohibitions
If your contracts or primes start using new references and your internal crosswalk is not updated, you can lose time fast. Book a Readiness Call to validate your clause to control mapping and avoid evidence rework.
Clause renumbering: what changed vs what did not
The Town Hall provided a clause mapping summary showing what was renumbered under the deviation and what remains unchanged.
| Old Clause | Subject | New RFO Clause (Deviation) |
| FAR 52.204.21 | Basic Safeguarding | FAR 52.240 93 |
| DFARS 252.204 7012 | Safeguarding Covered Defense Information | Not changed |
| DFARS 252.204 7019 | Retired | |
| DFARS 252.204 7020 | NIST SP 800 171 Assessments | DFARS 252.240 7997 |
| DFARS 252.204 7021 | CMMC Requirements | Not changed |
Operational takeaway: Even when requirements are familiar, the clause references in contracting language may appear different. Update your internal clause mapping and any evidence tracker fields tied to clause IDs so your readiness work does not drift from what your contracts actually require.
Before you update internal policies and evidence trackers, Book a Readiness Call to confirm the right clause crosswalk for your specific contracting context.
Mock assessments: what a C3PAO can do and what they cannot do
Another practical discussion focused on the ethics around mock assessments.
Mock assessments are permitted, but only as non certification assessments
A C3PAO can perform a non certification assessment for organizations seeking certification.
The key constraints (Section 3.4)
Section 3.4 addresses Non Certification Assessments (mock assessments). This is a cybersecurity conformity assessment, in full or in part, that does not result in issuance or denial of a certification. It can involve CMMC or other cybersecurity standards.
To avoid impartiality risk, the mock assessment must
A mock assessment must:
- Be conducted formally and in accordance with the CAP or other established cybersecurity conformity standards
- Not include any recommendations, advice, or consultative information to the organization seeking assessment
- Produce a deliverable documenting the official results
Important: mock assessments do not equal CMMC status
Mock assessments do not convey any standing or status within the CMMC program.
If you want remediation guidance, not just a results only deliverable, Book a Readiness Call to design a readiness program that actually closes gaps before your formal assessment.
Why you might not want your C3PAO to perform your mock assessment
This was the most practical question raised in the discussion.
If a C3PAO led mock assessment cannot provide recommendations or advice, then its value depends on what you are buying it for.
When a C3PAO mock assessment can be valuable
- You need a formal CAP style rehearsal to see how your evidence reads under assessment discipline
- You believe you are already ready and want a neutral results artifact
- You want to stress test scoping, sampling, and evidence traceability without consulting
When it can be a poor fit, or a premature spend
- Your biggest blocker is what to fix next
- You need help interpreting gaps, prioritizing remediation, or building an evidence plan
- You want how do we become compliant faster, which the mock assessment format is not allowed to answer
Practical CMMC readiness strategy: many organizations benefit from a readiness partner that can advise and remediate, then engage the C3PAO for the official assessment once the program is truly evidence ready. This avoids paying for a results only dry run while still needing a separate engagement to translate results into fixes.
ISACA transition: CAICO and certification administration
The Town Hall included discussion that ISACA has become the CAICO and now holds certifications for members of the CMMC ecosystem, with Q and A on how the transition will work and details related to CPEs.
If you are unsure how this impacts your training, credentials, or readiness staffing plan, Book a Readiness Call and we will walk through what to watch operationally.
Action checklist: what to do next with these CMMC updates
Use this checklist to turn Town Hall updates into execution.
- Update your clause crosswalk
Ensure your internal tracker reflects the latest clause references, especially around NIST SP 800 171 assessments. - Decide readiness vs results only
If you need remediation guidance, a C3PAO mock assessment may not deliver what you actually need. - Build an evidence first plan
Map each requirement to concrete artifacts (policies, procedures, tickets, configs, logs) and confirm ownership and review cycles. - Plan around ecosystem capacity
Authorized C3PAO availability and scheduling can be a gating factor. Do not wait until you feel almost ready. - Operationalize continuous readiness
The fastest assessments are the ones where evidence is already current, consistent, and traceable before you ever schedule.
Ready to turn this into a practical roadmap tailored to your environment and contracting reality? Book a Readiness Call and we will build your assessment ready plan.
Key takeaways
- CMMC Level 2 counts shared in the Town Hall: 896 Final, 36 Conditional, 110 assessments in progress.
- A Class Deviation was described as synchronizing CMMC, CUI safeguarding, and NIST SP 800 171 assessments into a consolidated contracting structure referencing revised or new FAR and DFARS parts.
- Clause mapping highlights include FAR 52.204.21 to FAR 52.240 93 and DFARS 252.204 7020 to DFARS 252.240 7997, while DFARS 252.204 7012 and DFARS 252.204 7021 were described as not changed.
- C3PAO mock assessments are allowed under professional conduct rules but cannot include recommendations or advisory guidance and do not confer CMMC status.
- ISACA CAICO transition and certification administration were discussed, including details related to CPEs.
FAQs
How many CMMC Level 2 certifications are Final as of the February 2026 Town Hall?
The Town Hall reported 896 Certificates of CMMC Status Final.
What is the Class Deviation discussed in the February 2026 CMMC Town Hall?
It was described as a deviation meant to synchronize CMMC, CUI safeguarding, and NIST SP 800 171 assessments into a consolidated contracting structure under revised and new FAR and DFARS parts.
Did DFARS 252.204 7021 (CMMC Requirements) change under the deviation?
It was described as not changed.
Can a C3PAO perform a mock assessment?
Yes. C3PAOs may perform non certification assessments under professional conduct rules, with strict impartiality constraints.
Why might a C3PAO mock assessment be less useful for readiness?
Because the mock assessment must not include recommendations or advisory guidance, it may not help teams that need remediation direction and prioritization before the formal assessment.