Agility Development Group
CMMC and Cybersecurity | April 6, 2026

CMMC & Cybersecurity Intelligence Brief – 11

By Michael Devine

A new credentialing body, a national cyber strategy, and a government that cannot mark its own CUI are reshaping what compliance means for defense contractors.

Executive Summary

Three structural shifts are converging this week that will reshape the CMMC compliance landscape through the rest of 2026. On April 1, ISACA formally assumed control of all CMMC assessor and instructor credentialing from the Cyber AB, creating the first major governance transition since the program's inception and raising questions about assessor pipeline capacity during a period when the defense industry has seen a nearly "200 percent increase" in certified organizations in just six months. Simultaneously, the White House released its 2026 national cyber strategy, reinforcing zero trust architecture as a non-negotiable federal standard and setting a 2035 deadline for post-quantum cryptographic transition, signals that will cascade into contractor procurement requirements. Meanwhile, a DoD Inspector General advisory found that the department itself is still failing to properly mark CUI data, with recommendations from a 2023 audit remaining open, a finding that undermines the very foundation of CMMC scoping for every contractor in the supply chain. On the threat front, CISA added the TrueConf CVE-2026-3502 zero-day to the KEV catalog after Check Point exposed Operation TrueChaos, a supply chain attack that weaponized software update mechanisms against government targets.

Development 01: Governance / Capacity Shift

ISACA Assumes CMMC Assessor Credentialing as Cyber AB Transitions Core Function

On April 1, 2026, ISACA formally became the sole CMMC Assessor and Instructor Certification Organization (CAICO), completing a 90-day transition from the Cyber AB that began in January. The change transfers credentialing authority for CMMC Certified Professionals (CCP), CMMC Certified Assessors (CCA and Lead CCA), and CMMC Certified Instructors (CCI) to ISACA, a global organization with more than 180,000 members and established credential management infrastructure across 188 countries.

The transition matters for defense contractors for two reasons. First, the assessor pipeline feeding C3PAO capacity is now governed by a different organization with different processes, timelines, and renewal procedures. Second, ISACA's scale creates an opportunity to expand the assessor workforce more rapidly than the Cyber AB could alone. With approximately 635 Certified CMMC Assessors serving an ecosystem of 80,000-plus contractors that need Level 2 certification, the credentialing bottleneck is one of the primary constraints on assessment capacity.

The Cyber AB retains authority over the CMMC Marketplace, Tier 3 background checks, and all Registered Practitioner programs. Todd Gagnon, a career U.S. Naval officer with experience across the federal cyber apparatus, leads the CMMC program at ISACA. The structural separation is now clear: the Cyber AB accredits C3PAOs, ISACA credentials the individual assessors and instructors who conduct assessments.

The practical implication for contractors is that any assessment timeline built around assessor availability should account for the transition. Organizations with assessments scheduled for Q2 or Q3 2026 should confirm that their assigned assessors have completed the migration to ISACA's credentialing system and that no lapses in certification status have occurred during the handoff.

Development 02: Policy Movement / Strategic Direction

White House 2026 Cyber Strategy Signals Zero Trust, Post-Quantum, and AI Requirements Coming to Contractor Procurements

On March 6, 2026, the White House released "President Trump's Cyber Strategy for America," accompanied by an Executive Order on combating cybercrime. For defense contractors, the strategy is not a regulation, but it is the clearest signal yet of where procurement requirements are heading over the next three to five years.

Three priorities in the strategy carry direct implications for the defense industrial base. First, zero trust architecture is described as the expected standard across all federal systems and agencies — not aspirational but required. Second, the strategy establishes a 2035 deadline for completing the transition to post-quantum cryptographic standards. Third, the strategy signals that federal agencies will increasingly deploy AI-native cybersecurity tools for defensive operations. Vendors and contractors able to demonstrate AI-enhanced security capabilities will carry a competitive advantage in future procurement evaluations.

Notably, the strategy eschews discussion of new regulations or increased liabilities for U.S. companies, instead focusing on challenging foreign adversaries, streamlining regulations, and relying on the private sector to identify and disrupt attacks.

Development 03: Enforcement Trend / Compliance Infrastructure

DoD Inspector General Finds Pervasive CUI Marking Failures, Raising CMMC Scoping Questions for Contractors

A DoD Inspector General management advisory (DODIG-2026-047), published February 4, 2026, found that DoD components are still failing to properly mark Controlled Unclassified Information. The advisory identified that organizations frequently omitted the required designation indicator block entirely, and when they did include markings, they often defaulted to overly restrictive dissemination controls rather than applying no limited dissemination control when none was warranted. Six of the 14 recommendations from a 2023 audit of the CUI program remain open.

This finding carries direct consequences for every defense contractor preparing for or maintaining CMMC certification. CMMC scoping begins with identifying where CUI exists in contractor systems. If the government entity generating the CUI applies incorrect markings, the contractor inherits a scoping problem that is not of their making. Over-marking causes contractors to bring more systems, networks, and personnel into the CMMC assessment boundary than necessary. Under-marking creates the opposite risk: CUI flowing through systems that lack the required 110 controls.

The practical takeaway for contractors is defensive: do not assume that CUI markings on government-furnished information are accurate. Organizations should independently verify CUI categories and markings on received data against the CUI Registry and applicable contract language, particularly before finalizing CMMC assessment boundaries.

Development 04: Threat Intelligence / Supply Chain Security

CISA KEV Alert: TrueConf CVE-2026-3502 / Operation TrueChaos Weaponizes Software Update Mechanism

CISA added CVE-2026-3502 to its Known Exploited Vulnerabilities catalog on April 2, 2026, with a federal remediation deadline of April 16 under Binding Operational Directive 22-01. The vulnerability, carrying a CVSS score of 7.8, affects TrueConf Client, a video conferencing and collaboration platform used across government and enterprise environments. Operation TrueChaos, documented by Check Point Research, represents a supply chain attack that weaponized a trusted software update mechanism against government targets.

The attack operated as follows: threat actors compromised a central on-premises TrueConf server operated by a government IT organization in Southeast Asia. They replaced a legitimate client update package with a malicious one. Because the TrueConf Client does not validate the authenticity or integrity of downloaded update files before executing them, the malicious update installed and executed automatically across connected endpoints.

For defense contractors, the TrueChaos attack demonstrates a specific risk pattern: any on-premises collaboration or communication tool that distributes updates through a centralized server becomes a potential attack vector if that server is compromised. NIST SP 800-171 controls 3.14.1 (flaw remediation) and 3.4.8 (application whitelisting) are directly relevant. The remediation is straightforward: upgrade to TrueConf Client version 8.5.3 or later.
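The missing check described above, as an added example that is not TrueConf's code or Check Point's analysis: the client verifies a signed update manifest against a vendor public key pinned in the client before it trusts anything the distribution server hands it, so a swapped package or an attacker-signed manifest is rejected even when the server is fully compromised. The manifest layout, the Ed25519 key pair and the package bytes are constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata a vendor publishes next to an update package.
// Constructed layout for this example, not a real vendor's update format.
type UpdateManifest struct {
	Version   string
	Digest    [32]byte // SHA-256 of the package bytes
	Signature []byte   // Ed25519 signature over Version || Digest
}

var (
	ErrBadSignature   = errors.New("update rejected: manifest not signed by pinned vendor key")
	ErrDigestMismatch = errors.New("update rejected: package does not match signed digest")
)

// manifestMessage binds the version string to the package digest so a signed
// manifest cannot be reused for a different package or version.
func manifestMessage(version string, digest [32]byte) []byte {
	return append([]byte(version+"\n"), digest[:]...)
}

// SignManifest is the vendor-side step; the private key stays in the build pipeline.
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) UpdateManifest {
	d := sha256.Sum256(pkg)
	return UpdateManifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, manifestMessage(version, d))}
}

// VerifyUpdate is the client-side check: the pinned vendor key, not the server
// that delivered the files, decides whether the package may be executed.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(vendorPub, manifestMessage(m.Version, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key; pub is pinned in the client
	pkg := []byte("constructed client build 8.5.3")
	m := SignManifest(priv, "8.5.3", pkg)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, pkg))
	// Server-side swap as in Operation TrueChaos: manifest untouched, package replaced.
	fmt.Println("swapped package:", VerifyUpdate(pub, m, []byte("replaced build")))
	// Attacker re-signs a manifest with their own key; the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged manifest:", VerifyUpdate(pub, SignManifest(attackerPriv, "8.5.3", []byte("replaced build")), []byte("replaced build")))
}
```

The same check is what an audit of an on-premises update server should look for: a key pinned in the client and a signature over both version and digest, not a TLS connection to the server alone.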

Development 05: Capacity Shift / Market Data

CMMC Certification Velocity Accelerates 200%, But 99.5% of the DIB Remains Uncertified

The defense industry has seen a nearly "200 percent increase" in CMMC Level 2 certified Organizations Seeking Certification (OSCs) over the last six months. Despite the 200 percent increase, only approximately 0.5 percent of the defense industrial base has achieved Level 2 certification. With Phase 2 enforcement beginning November 10, 2026, making third-party C3PAO assessment mandatory for most Level 2 contracts, the math remains daunting. Assessment lead times of three to six months mean that organizations not yet in the assessment pipeline may not reach certification before Phase 2 requirements appear in their solicitations.

The early mover advantage is measurable. Certified organizations are competing for contracts where non-certified competitors are disqualified at the gate.

For organizations in active CMMC assessment preparation: Confirm that your assigned C3PAO's assessors have completed their credential migration to ISACA. Request written confirmation of current CCA/Lead CCA status under the new credentialing system.

For organizations scoping their CMMC boundary: Implement an independent CUI verification step for all government-furnished information. Cross-reference received documents against the CUI Registry and your contract's CUI requirements. Do not accept government markings at face value when building your assessment scope.

For organizations managing on-premises collaboration tools: Audit every platform that distributes software updates through a centralized server for cryptographic signature verification of update packages.

For organizations planning 12- to 18-month security roadmaps: Begin incorporating zero trust architecture milestones and post-quantum cryptographic readiness into your planning.

Forecast & Emerging Issues

  • ISACA Credentialing Transition Is the First Governance Stress Test. The transition will be the first test of whether the CMMC ecosystem's governance structure can evolve without disrupting assessment capacity.
  • Post-Quantum Cryptography Will Collide with the FIPS 140-3 Transition. Infrastructure decisions made in the next 12 to 18 months will determine whether agencies and their contractors can meet the 2035 deadline.
  • DoD CUI Marking Problems Will Persist. Three of five IG recommendations from the 2026 advisory remain open, and six of 14 from the 2023 audit are still unresolved.
  • Supply Chain Attacks via Software Updates Are an Escalating Pattern. TrueConf joins SolarWinds, 3CX, and Codecov in the category of trusted update channels that have been weaponized.