CMMC April 2026 Town Hall Update: Key Insights for PJR Clients and Industry Stakeholders

Executive Summary

The April 2026 Cybersecurity Maturity Model Certification (CMMC) Town Hall provided important updates on program implementation, ecosystem development, and upcoming initiatives that will impact organizations across the Defense Industrial Base (DIB).

The overarching message remains clear: CMMC requirements are actively being incorporated into contracts today, and organizations should be progressing toward compliance now. While the Department of Defense continues its phased rollout, external pressures, particularly from prime contractors, are accelerating timelines for many organizations.

Program Implementation: Clarifying Phases and Expectations

A key focus of the Town Hall was addressing ongoing confusion between CMMC implementation phases and perceived compliance deadlines.

The Department of Defense is executing a three-phase rollout through November 2028:

• Phase 1 (Current – November 2026):
  Emphasis on Level 1 and Level 2 self-assessments, with select contracts already requiring Level 2 third-party certification.
• Phase 2 (November 2026 – November 2027):
  Level 2 C3PAO certifications will be required in all new contracts.
• Phase 3 (November 2027 – November 2028):
  Level 3 requirements, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), will apply to higher-priority contractors.

Important Distinction

There is no universal compliance deadline applicable to all organizations. However, prime contractors are increasingly establishing their own requirements, often mandating Level 2 certification ahead of the official timeline.

Implication: Organizations should align their readiness efforts not only with DoD phases, but also with expectations set by their customers and supply chain partners.

Ecosystem Growth and Certification Activity

The CMMC ecosystem continues to mature, with steady growth in certifications and qualified personnel:

• Approximately 1,100 Level 2 certifications were issued.
• 103 authorized C3PAOs
• Continued expansion of Certified CMMC Assessors (CCAs) and Certified Professionals (CCPs)

This growth reflects increased adoption across the DIB but also signals rising demand for assessment services.

Implication: Organizations should plan proactively to secure assessment timelines as capacity becomes more constrained.

Launch of the Cyber Engagement Forum (Cyber EF)

A significant announcement from the Town Hall was the introduction of the Cyber Engagement Forum (Cyber EF), a new entity designed to enhance industry engagement and support.

Purpose and Structure

Due to ISO accreditation requirements, the Cyber AB must maintain independence and cannot engage in activities such as consulting, implementation support, or program promotion. The Cyber EF has been established to address these gaps.

Core Focus Areas

The Cyber EF will:

• Modernize and expand the Practitioner Program
• Develop a next-generation CMMC Marketplace
• Establish a centralized CMMC Body of Knowledge
• Provide enhanced support for External Service Providers (ESPs), including MSPs and MSSPs
• Increase industry outreach, education, and engagement.

Implication: This initiative is expected to improve access to reliable resources and strengthen the overall support structure for organizations pursuing CMMC compliance.

CMMC Marketplace 2.0: Enhancing Industry Connectivity

The upcoming CMMC Marketplace, developed in partnership with RampXchange, represents a substantial evolution from the current directory model.

Anticipated Capabilities

• Advanced search and filtering by region, language, and capabilities
• Segmentation of services (consulting, managed services, tools, etc.)
• Support for transactions and RFPs
• Integration of broader cybersecurity services beyond CMMC

Implication: Organizations will benefit from improved transparency and more efficient identification of qualified providers.

Tier 3 Clearance Process: Guidance and Expectations

The Town Hall provided detailed clarification on the Tier 3 (background investigation) process required for certain certifications.

Key Guidance

• All inquiries should be directed to: tier3_submission@cyberab.org
• Organizations should not contact DCSA, WHS, or the PMO directly unless more than six months have passed without a status update.
• The process involves multiple agencies, contributing to longer timelines and limited visibility.

Implication: Patience and adherence to the established communication process are essential when navigating Tier 3 requirements.

ISACA Transition Updates

Following the transition of certification management to ISACA, several operational updates were shared:

• Some users may experience duplicate accounts; support is available to resolve these issues.
• LCCA applications are currently processed manually, with automation planned.
• Certification structure requires maintaining lower-level certifications to retain higher-level credentials.
• All certification fees are now managed through ISACA.

Implication: Organizations and individuals should familiarize themselves with ISACA processes to ensure continuity in certification management.

Ongoing Challenges and Areas of Focus

External Service Provider (ESP) Requirements

There remains uncertainty regarding requirements for MSPs and other service providers, particularly in cases where direct handling of CUI is limited.

A policy alignment session scheduled for early May is expected to provide additional clarity.

Technology and Tool Proliferation

The ecosystem is experiencing rapid growth in compliance tools, including automated documentation platforms and AI-driven solutions. However, validation of these tools remains critical.

Assessment Rigor

Government-led assessments continue to be highly detailed and documentation-intensive, reinforcing the need for thorough preparation.

What This Means for PJR Clients

With C3PAO accreditation expected by August 2026, PJR remains committed to delivering independent and objective CMMC assessments while maintaining strict separation from consulting activities.

Based on the April Town Hall, organizations should consider the following actions:

• Advance readiness efforts immediately, regardless of official phase timelines.
• Align with prime contractor expectations, which may exceed DoD requirements.
• Ensure documentation is comprehensive and audit ready.
• Stay informed on upcoming guidance, particularly regarding MSP and ESP requirements.
• Plan for assessment scheduling to mitigate potential delays.

Conclusion

April 2026 CMMC Town Hall underscores that the program is actively progressing, with increasing enforcement and ecosystem maturity.

Organizations that take a proactive, structured approach to compliances supported by qualified partners and a clear understanding of evolving requirements—will be best positioned for successful certification.

How Recycled Materials Are Reshaping Supply Chains

What It Means for Quality and Certification

Global supply chains are undergoing a quiet but powerful transformation. As manufacturers across industries respond to cost pressures, sustainability goals, and supply uncertainty, recycled and recovered materials are becoming a more important part of production strategies.

This shift is not just an environmental trend, it is a structural change in how materials are sourced, validated, and integrated into critical manufacturing processes. For organizations focused on quality, consistency, and compliance, it introduces both opportunity and responsibility.

At Perry Johnson Registrars (PJR), we see this evolution directly through the organizations we certify across manufacturing, automotive, aerospace, and industrial sectors.

Recycled Inputs Are Becoming Mainstream in Manufacturing

Recycled materials are no longer limited to niche sustainability programs. They are now embedded in mainstream industrial supply chains, particularly in metals, plastics, and packaging.

For example, recycled metals, especially steel and aluminum, are increasingly used as primary feedstock due to their cost efficiency and lower environmental impact compared to virgin extraction. Many manufacturers now rely on hybrid sourcing models that combine virgin and recycled inputs to stabilize supply while meeting environmental expectations.

This shift helps companies:

• Reduce exposure to raw material volatility.
• Lower energy consumption in production.
• Support corporate sustainability commitments.
• Improve circularity within their operations.

However, increased reliance on recycled inputs also introduces new variability that must be carefully managed.

Quality Consistency Becomes a Greater Challenge

Unlike virgin materials, recycled inputs can vary depending on collection methods, processing technologies, and contamination control. Even minor inconsistencies can impact product performance, especially in highly regulated industries such as automotive, aerospace, and medical devices.

As a result, manufacturers are placing greater emphasis on:

• Supplier qualification and monitoring.
• Material traceability systems.
• Incoming inspection and testing protocols.
• Risk-based process controls.

This is where structured quality management systems become essential.

Supply Chain Resilience Depends on Material Transparency

One of the most significant drivers behind recycled material adoption is supply chain resilience. Global disruptions in recent years have exposed vulnerabilities in overreliance on single-source or geographically concentrated raw materials.

Recycled materials help diversify supply, but only when organizations have strong visibility into:

• Material origin and composition.
• Processing and refinement methods.
• Chain-of-custody documentation.
• Compliance with regulatory and customer requirements.

Without this transparency, recycled inputs can introduce uncertainty instead of reducing it.

The Role of Standards in a Circular Economy

As circular supply chains expand, international standards play a critical role in ensuring consistency and trust.
Management system frameworks such as:

• ISO 9001 (Quality Management Systems),
• ISO 14001 (Environmental Management Systems),
• Sector-specific standards like IATF 16949 or AS9100,

help organizations integrate recycled materials without compromising product integrity.

These standards support:

• Process standardization across suppliers.
• Continuous improvement in material handling.
• Auditable documentation and traceability.
• Risk mitigation in complex supply networks.

Certification provides external validation that systems are designed to manage variability while maintaining compliance and performance expectations.

Sustainability and Quality Are Converging

Historically, sustainability and quality were treated as separate business functions. Today, they are increasingly interconnected.

Recycled materials sit at the center of this convergence. Companies are now expected to demonstrate not only that their products meet performance requirements, but also that their sourcing practices align with environmental and social governance expectations.

This means quality systems must evolve to incorporate:

• Sustainability metrics in supplier evaluations.
• Lifecycle considerations in material selection.
• Documentation supporting ESG reporting requirements.
• Greater collaboration between quality and procurement teams.

Building Stronger, More Responsible Supply Chains

The growth of recycled materials in manufacturing is not a passing trend; it is a long-term structural shift. Organizations that adapt early will be better positioned to manage risk, meet regulatory expectations, and compete in increasingly sustainability-driven markets.

However, success depends on more than sourcing decisions. It requires disciplined systems, reliable data, and robust certification frameworks that ensure consistency across complex and evolving supply chains.

At Perry Johnson Registrars (PJR), we continue to support organizations as they strengthen their management systems to meet these challenges; ensuring that quality and sustainability move forward together.

FOR IMMEDIATE RELEASE

Perry Johnson Registrars Launches Free ISO/IEC 27001:2022 Clause-by-Clause Training Course

Troy, MI — April 13, 2026 — Perry Johnson Registrars (PJR) is pleased to announce the release of its newest free online training: the ISO/IEC 27001:2022 Clause-by-Clause Course, led by Brandon Abbinante, ISMS/SMS/QMS Lead Auditor and PJR Executive Committee Member.

Designed to provide a clear and practical understanding of the ISO/IEC 27001:2022 standard, this self-paced course offers participants a comprehensive walkthrough of each clause, helping individuals build a strong foundation in Information Security Management Systems (ISMS).

Successful completion of the course can help meet training requirements for professionals seeking to demonstrate knowledge and understanding of ISO/IEC 27001:2022.

Course Overview

This engaging online training begins with the fundamentals of information security, including the CIA Triad, and progresses through each section of the standard, from organizational context and leadership to risk management, operations, performance evaluation, and continual improvement.

Presented in straightforward, easy-to-understand language, the course incorporates real-world insights and practical examples to help learners apply requirements effectively within their organizations.

Key Learning Topics Include:

• Understanding an Information Security Management System (ISMS)
• Purpose and intent of ISO/IEC 27001:2022
• How clauses 4 through 10 function together
• Context of the organization and interested parties
• Risk assessment and risk treatment processes
• Statement of Applicability (SoA) explained
• Common pitfalls when implementing controls
• And more

Who Should Attend?

This course is ideal for individuals responsible for implementing, managing, or supporting an ISMS, as well as professionals seeking a foundational understanding of ISO/IEC 27001:2022.

Course Details:

• Format: Online, self-paced
• Duration: Approximately 1–2 hours
• Flexibility: Participants may log in and out as needed

“Understanding ISO/IEC 27001 at the clause level is essential for effective implementation and audit readiness,” said Brandon Abbinante. “This course is designed to make the standard approachable while still delivering meaningful, practical value.”

PJR continues its commitment to supporting organizations and professionals with accessible, high-quality training resources that promote continual improvement and compliance excellence.

About Perry Johnson Registrars (PJR)

Perry Johnson Registrars is a globally recognized certification body, providing accredited certification services across a wide range of international standards. PJR is committed to helping organizations achieve compliance, improve performance, and demonstrate excellence.

Understanding ISO 14001:2026 – Key Updates and What They Mean for You

The publication of ISO 14001:2026 introduces a refreshed approach to environmental management systems (EMS), reflecting the growing importance of sustainability in today’s business environment. While the overall framework remains recognizable, the updated version places greater emphasis on proactive environmental performance and long-term impact.

For organizations currently certified to ISO 14001:2015, this update is less about starting over and more about strengthening existing systems to meet evolving expectations.

A Shift Toward Strategic Environmental Management

Environmental responsibility is no longer viewed as a standalone initiative. It is now closely tied to business strategy, risk management, and organizational resilience.

ISO 14001:2026 encourages organizations to take a broader view of their environmental responsibilities, considering not only compliance obligations but also the expectations of customers, regulators, and other stakeholders.

Key Updates in ISO 14001:2026

Greater Focus on Environmental Challenges

The updated standard encourages organizations to address pressing environmental issues such as climate change, ecosystem impact, and resource consumption more directly.

This means taking a more structured approach to identifying environmental risks and opportunities and ensuring they are integrated into decision-making processes.

Expanded Life-Cycle Thinking

Organizations are expected to look beyond their immediate operations and consider environmental impacts across the full life cycle of their products or services.

This includes evaluating suppliers, transportation, product usage, and end-of-life considerations. The goal is to promote more responsible practices throughout the entire value chain.

Improved Integration of Change Management

As organizations evolve, so do their environmental impacts. ISO 14001:2026 places greater importance on ensuring that environmental considerations are built into organizational changes, whether operational, technological, or strategic.

This helps maintain consistency and effectiveness within the EMS during periods of growth or transformation.

Enhanced Clarity and Accountability

The revised standard refines existing requirements to improve understanding and consistency. There is a stronger emphasis on leadership involvement, clear documentation, and accountability for environmental performance.

These updates aim to make environmental management systems more transparent and easier to evaluate.

What Remains Consistent

Despite the updates, several core elements remain unchanged:

• The high-level structure shared with other ISO management system standards.
• The Plan-Do-Check-Act (PDCA) model for continuous improvement.
• A focus on achieving measurable results rather than simply maintaining documentation.
• This continuity helps organizations transition without significant disruption.

Preparing for the Transition

With the publication of ISO 14001:2026, organizations will have a defined transition period to align their systems with the new requirements.

To prepare, organizations should begin by purchasing a copy of the standard, reviewing their current EMS, identifying gaps, and developing a structured transition plan. Training employees and engaging leadership early will also be key to smooth implementation.

An Opportunity for Growth

Adopting ISO 14001:2026 is not just about maintaining certification, but it is an opportunity to strengthen environmental performance and demonstrate commitment to sustainability.

Organizations that take a proactive approach may benefit from improved efficiency, stronger stakeholder relationships, and a more competitive position in the marketplace.

How PJR Can Help

PJR supports organizations throughout the transition process with clear guidance, practical insights, and efficient auditing services. Our goal is to help you not only meet the updated requirements but also gain meaningful value from your environmental management system.

Final Thoughts

ISO 14001:2026 reflects a broader shift in how organizations approach environmental responsibility. By aligning environmental goals with business strategy, organizations can better navigate today’s challenges while preparing for the future.

Thinking of Switching ISO Registrars? We Answer Common Transfer Questions

If you’ve been scrolling through quality management forums, you likely notice a pattern. Whether you notice a thread in a forum or you take a deep dive into an industry message board, the conversation about transferring ISO certification is usually a mix of “I’m over the high fees” and “I’m terrified the process will be a nightmare.”

We get it. Changing your registrar feels a bit like switching banks – you know it might save you money and headaches in the long run, but the thought of the paperwork and the “what ifs” keeps you from making the change.

At Perry Johnson Registrars (PJR), we’ve seen it all. We don’t want to be another certificate on your wall; we are a partner in your growth. To help with your decision process, we’ve taken the most common (and sometimes stressful) questions from the forums and answered them through the PJR lens.

Question: Is there a ‘transfer fee’ or a ‘joining fee’?
Answer: One of the biggest gripes online is the “hidden cost” of moving. Some registrars might hit you with a “file setup fee” that can cause you a lot of stress.

We believe in transparency at PJR, and we acknowledge that transfers are disruptive. While every situation is unique based on your industry and standard, PJR focuses on a value-driven approach to limit disruption.

• Transfers are nuanced, and we complete scoping with you
• To limit disruption we perform the transfer audit free of charge
• For other costs, we offer free, no-obligation quotes that break down exactly what you’re paying for including certification and maintenance fees

No surprise fees and no hidden costs. We provide straightforward pricing so you will see your ROI from day one.

Keep in mind that if there were any major nonconformities that were not closed out from a previous audit, those will need to be resolved before a transfer can be done or you may need to start over with a fresh audit. Of course, if this is the case we will inform you ahead of time so there are no surprises.

Question: Can I transfer mid-cycle, or do I have to wait?
Answer: There is a common myth that you are “locked in” until your three-year recertification audit. The reality is that you can move whenever you want!

According to the Global Accreditation Cooperation Incorporated (GACI, formerly known as IAF) rules found in IAF MD 2, you are able to transfer during a surveillance year or a recertification year.

If you’re unhappy with your current service or auditor, there’s no reason to wait. We step in, review your existing documentation, and work into your current audit cycle.

Question: Will my current registrar ‘retaliate’ if I leave?
Answer: This is a frequently mentioned statement in forums.  Accredited certification bodies must facilitate seamless transfers.

Professionalism is the backbone of our business. While PJR can’t control other registrars, we ensure your move to PJR is handled with total discretion. Our goal is a seamless hand-off.  You simply need to let your certification body know that you will be transferring. We handle everything from there.

Question: Do I have to start from scratch (Stage 1 & Stage 2)?
Answer: Starting over is the ultimate deal-breaker for most business owners and Quality Managers.

If your current certificate is valid and accredited by a recognized body (like ANAB or UKAS), you do not have to start over. It is a transfer, not a new certification. We perform a “Pre-Transfer Review” (essentially a document check) to make sure everything is in order, and then we simply take over the remaining cycle of your audit program. As mentioned above, if you have any unresolved major nonconformities the process may not be a simple transfer. Of course, we’ll let you know ahead of time.

Question: How much ‘overlap’ is required? I don’t want my cert to lapse.
Answer: The fear of a “gap” in certification will cause a great deal of stress to CEOs and keep Quality Managers up at night. Especially if your customers require proof of ISO status to stay on the bid list.

PJR’s dedicated scheduling team is obsessed with timelines. We recommend starting the conversation at least 60-90 days before your next scheduled audit. This gives us plenty of time to review your files and issue your new PJR certificate . That means no gaps, no lapses, and no panicked emails to your customers.

Question: Are your auditors actually going to add value, or just check boxes?
This is a common complaint in online forums. The statements go something like, “Our auditor has been coming for 10 years and adds zero value.”

Answer: This is where PJR truly shines. We utilize a Process Performance Auditing (PPA) method. We don’t look for “shalls” in a manual; we look at how your processes drive your business. Plus, with our global network of industry-experienced auditors, we match you with someone who understands your specific sector, whether that’s aerospace, medical devices, or cybersecurity.

The PJR Difference: When you call us, you talk to a real person. No automated loops, no “we’ll get back to you in three weeks.” From your first quote to your 20th surveillance audit, you have a dedicated project manager by your side.

Ready to stop “registrar shopping” and start partnering?

Contact PJR today at (248) 422-3013 or email pjr@pjr.com to receive a free quote and learn how to transfer your certificate to a new registrar.