Search
Blog cover

Perry Johnson Registrars

Blog

PJR and First Defense CMMC – What You Need To Know About CMMC

7/2/2026

What You Need To Know About CMMC In this video, Terry Boboige, President of Perry Johnson Registrars, discusses CMMC readiness with Shannon Craddock, PJR Programs and Accreditation Manager Steve Jurovic, First Defense CMMC Mark Debry, First Defense CMMC The conversation…

Read more

What You Need To Know About CMMC

In this video, Terry Boboige, President of Perry Johnson Registrars, discusses CMMC readiness with

  • Shannon Craddock, PJR Programs and Accreditation Manager
  • Steve Jurovic, First Defense CMMC
  • Mark Debry, First Defense CMMC

The conversation focuses on what defense primary contractors and subcontractors should know before beginning the assessment process.

Viewers will learn

  • Why CMMC matters for organizations that handle Controlled Unclassified Information (CUI)
  • The role CMMC 3rd-Party Assessment Organizations (C3PAOs) play in the process
  • Why many small and mid-sized contractors need to start preparing early

For companies working with the Department of Defense, this conversation gives a clear overview of what to expect and how to avoid costly delays.

Key Topics Covered

  • CMMC requirements for DoD contractors
  • CUI and cybersecurity readiness
  • C3PAO third-party assessments
  • Mock assessments and scoping
  • Documentation and evidence
  • Common assessment pitfalls

Ready for CMMC? Learn more and get your process started!

Perry Johnson Registrars, Inc. Achieves ANAB Accreditation for ISO/IEC 42001 Certification

6/23/2026
Close up of hand using tablet with AI showing an outline of a brain with chart and gear images

Perry Johnson Registrars, Inc. Achieves ANAB Accreditation for ISO/IEC 42001 Certification Perry Johnson Registrars, Inc. (PJR), a leading accredited certification body, is pleased to announce that it has been granted accreditation by the ANSI National Accreditation Board (ANAB) to provide…

Read more

Perry Johnson Registrars, Inc. Achieves ANAB Accreditation for ISO/IEC 42001 Certification

Perry Johnson Registrars, Inc. (PJR), a leading accredited certification body, is pleased to announce that it has been granted accreditation by the ANSI National Accreditation Board (ANAB) to provide accredited certification to ISO/IEC 42001, the international standard for Artificial Intelligence Management Systems (AIMS).

ISO/IEC 42001 is the world’s first certifiable management system standard specifically designed for organizations that develop, provide, or use artificial intelligence systems. The standard establishes a structured framework for the responsible governance of AI, helping organizations address risks, improve transparency, support regulatory compliance, and promote the ethical development and deployment of AI technologies.

With ANAB accreditation, PJR is now authorized to perform accredited ISO/IEC 42001 certification audits, providing organizations with confidence that their AI management systems have been evaluated by a globally recognized and impartial certification body.

“Earning ANAB accreditation for ISO/IEC 42001 is a milestone we are very proud of. AI governance is becoming increasingly important for organizations around the world, and we are excited to offer accredited certification services that help clients demonstrate responsible and trustworthy AI practices. This accreditation required a great deal of preparation, collaboration, and attention to detail. Proof that while AI may be able to automate many things, it still can’t replace a dedicated accreditation team and knowledgeable auditors.”

— Shannon Craddock, PJR Programs & Accreditations Manager

Achieving ANAB accreditation for ISO/IEC 42001 reflects PJR’s continued commitment to providing accredited certification services that help organizations build trust, demonstrate accountability, and strengthen AI governance. As artificial intelligence continues to reshape industries around the world, ISO/IEC 42001 provides organizations with a recognized framework for managing AI responsibly while supporting continual improvement and stakeholder confidence.
Organizations pursuing ISO/IEC 42001 certification can benefit from:

  • Demonstrating responsible AI governance
  • Strengthening risk management and oversight of AI systems
  • Increasing stakeholder confidence through accredited certification
  • Supporting compliance with emerging AI regulations and customer expectations
  • Integrating AI governance into existing management systems

PJR has decades of experience providing accredited management system certification services across a broad range of international standards. The addition of ISO/IEC 42001 further expands PJR’s ability to support organizations navigating rapidly evolving technologies and regulatory expectations.

Learn more about ISO/IEC 42001 certification or request a quote.

Printer-friendly version of this press release.

CMMC Common Pitfalls and How Organizations Can Avoid Them

5/29/2026
Two young interracial colleagues preparing presentation while scrolling through online information in tablet

CMMC Common Pitfalls and How Organizations Can Avoid Them By Perry Johnson Registrars, Inc. As cybersecurity threats continue to evolve, organizations working within the Defense Industrial Base (DIB) are facing increased pressure to strengthen their security posture and demonstrate compliance…

Read more

CMMC Common Pitfalls and How Organizations Can Avoid Them

By Perry Johnson Registrars, Inc.

As cybersecurity threats continue to evolve, organizations working within the Defense Industrial Base (DIB) are facing increased pressure to strengthen their security posture and demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC). For contractors and suppliers handling Controlled Unclassified Information (CUI), achieving and maintaining CMMC compliance is[EB1.1] a critical business requirement.

While many organizations understand the importance of cybersecurity, preparing for a CMMC assessment can present significant challenges. Companies often underestimate the complexity of the requirements, overlook documentation expectations, or fail to implement controls consistently across their operations.

Understanding the most common pitfalls can help organizations avoid costly delays, failed assessments, and compliance gaps.


1. Treating CMMC as an IT-Only Responsibility

One of the most common mistakes organizations make is assuming that CMMC compliance is solely the responsibility of the IT department. In reality, CMMC impacts the entire organization.

Security practices related to access control, incident response, training, physical security, vendor management, and data handling often involve multiple departments including:

  • Human Resources
  • Operations
  • Executive Leadership
  • Quality Management
  • Facilities
  • Procurement
  • Information Technology

Without organization-wide involvement, important processes and responsibilities may be overlooked.

How to Avoid It

Establish a cross-functional cybersecurity team with leadership support. Ensure all departments understand their role in protecting sensitive information and supporting compliance efforts.


2. Lack of Proper Documentation

Many organizations implement security controls but fail to properly document them. Under CMMC, documentation is essential.

Assessors will expect organizations to provide evidence that policies, procedures, and practices are established, implemented, and maintained.

Common documentation gaps include:

  • Missing or outdated policies
  • Incomplete procedures
  • Lack of system security plans (SSPs)
  • Insufficient incident response documentation
  • Missing records of training or monitoring activities

An organization may have strong technical controls in place but still struggle during an assessment due to inadequate documentation.

How to Avoid It

Develop and maintain clear, organized, and regularly updated documentation. Conduct internal reviews to ensure documents align with actual practices and system configurations.


3. Underestimating Improperly Defined Scope [SC2.1]

Another major challenge is incorrectly defining the scope of the CMMC environment.

Organizations sometimes fail to identify:

  • Where CUI resides
  • How CUI flows through systems
  • Which assets process or store sensitive information
  • Which vendors or external providers impact security

An unclear or overly broad scope can increase assessment complexity, costs, and remediation efforts.

How to Avoid It

Perform a thorough scoping exercise early in the process. Map data flows, identify all assets connected to CUI, and document system boundaries carefully.


4. Ignoring Employee Training and Awareness

Cybersecurity is not only about technology. People remain one of the largest risk factors in any organization.

Organizations often focus heavily on technical controls while neglecting:

  • Security awareness training
  • Phishing prevention education
  • Acceptable use policies
  • Employee responsibilities for handling CUI

Even strong technical systems can be compromised by human error.

How to Avoid It

Implement regular cybersecurity awareness training for all employees. Reinforce training through ongoing communication, phishing simulations, and documented procedures.


5. Waiting Too Long to Prepare

Some organizations delay preparation until a contract requirement or assessment deadline approaches. This can create significant pressure and leaves little time for corrective actions.

Achieving CMMC readiness often requires:

  • Technical improvements
  • Policy development
  • Process implementation
  • Employee training
  • Internal audits
  • Gap remediation

These activities take time and coordination.

How to Avoid It

Start preparing early. Conduct a gap assessment to identify areas requiring improvement and develop a realistic implementation timeline.


6. Failing to Maintain Compliance After Certification

CMMC compliance is not a one-time project. Organizations must continually maintain and improve their cybersecurity practices.

Common ongoing issues include:

  • Outdated policies
  • Unpatched systems
  • Inconsistent monitoring
  • Incomplete records
  • Failure to review risks regularly

Organizations that do not maintain their systems and processes may face difficulties during future assessments or contract renewals.

How to Avoid It

Establish ongoing cybersecurity management processes including:

  • Regular internal audits
  • Management reviews
  • Risk assessments
  • Vulnerability monitoring
  • Employee retraining
  • Continuous improvement of activities

7. Overlooking Third-Party Risks

Many organizations rely on vendors, cloud providers, managed service providers, and subcontractors that may also interact with sensitive information.

If third parties are not properly managed, they can introduce significant cybersecurity risks.

How to Avoid It

Evaluate suppliers and external providers carefully. Ensure contracts, agreements, and security expectations are clearly defined and monitored.


The Importance of a Structured Approach

Preparing for CMMC compliance requires more than simply implementing technical tools. Successful organizations approach cybersecurity as a structured management system that includes:

  • Leadership involvement
  • Defined responsibilities
  • Risk-based thinking
  • Documented processes
  • Employee engagement
  • Ongoing improvement

Organizations that take a proactive and organized approach are typically better positioned for successful assessments and long-term cybersecurity resilience.

How Perry Johnson Registrars, Inc. Can Help

Perry Johnson Registrars, Inc. understands the growing importance of cybersecurity compliance within the Defense Industrial Base.

To support our clients through this shift, PJR is currently a candidate for C3PAO (CMMC Third-Party Assessment Organization) status, with full authorization expected this summer. Organizations preparing for CMMC assessments benefit from working with experienced certification professionals who understand management systems, compliance expectations, and audit preparedness.

By identifying gaps early and developing a structured compliance strategy, organizations can improve readiness, reduce risk, and strengthen customer confidence.

As cybersecurity requirements continue to evolve, organizations that invest in preparation today will be better positioned for future opportunities within government and defense supply chains.

Final Thoughts

CMMC compliance can appear overwhelming, especially for organizations beginning their cybersecurity journey. However, many common challenges can be avoided through early planning, clear documentation, employee involvement, and continuous improvement.

Organizations that understand the common pitfalls and take a proactive approach to cybersecurity are more likely to achieve successful outcomes and maintain long-term compliance.

Cybersecurity is no longer optional within today’s defense supply chain environment. Building a strong foundation now can help organizations protect sensitive information, meet customer expectations, and remain competitive in the marketplace.

Notice Regarding the Release of FSSC 22000 Version 7.0

5/28/2026
Workers packing ripe red vine tomatoes on a production line

Notice Regarding the Release of FSSC 22000 Version 7.0 We would like to inform you that the Foundation FSSC 22000 has published FSSC 22000 Version 7.0 in May 2026. This new version will apply to audits conducted on or after…

Read more

Notice Regarding the Release of FSSC 22000 Version 7.0

We would like to inform you that the Foundation FSSC 22000 has published FSSC 22000 Version 7.0 in May 2026. This new version will apply to audits conducted on or after May 1, 2027. The key points are outlined below.

Please note: a video presentation covering the revisions to FSSC 22000 Version 7.0 can be viewed here: https://www.fssc.com/insights/insights-webinar-fssc-22000-introducing-version-7/

If you have any questions, please contact our Sales Department or Schedulers. We thank you for your continued support and cooperation.

[Application of FSSC 22000 Version 7.0]

Effective Date: May 1, 2027

For Currently Certified Organizations

  • Transition audits shall be conducted between May 1, 2027 and April 30, 2028.
  • Surveillance audits conducted during the transition period will remain subject to the unannounced audit accordance with the applicable criteria.

For Initial Certification

  • For audits conducted on or after May 1, 2027, both Stage 1 and Stage 2 audits shall be conducted against Version 7.0.
  • If the Stage 1 audit is conducted on or before April 30, 2027, the Stage 1 audit shall be conducted against Version 6.0, while the Stage 2 audit shall be conducted against Version 7.0.

[Requirements for Organizations to be Audited]

Documents outlining the changes introduced in Version 7 are also available under “All” or “Additional Information” here: https://www.fssc.com/fssc-22000/documents/version-7-documents/

CMMC April 2026 Town Hall Update: Key Insights for Defense Contractors

5/6/2026
Military soldier transmitting information from satellite displays on phone call, supporting field missions with crucial intelligence.

CMMC April 2026 Town Hall Update: Key Insights for PJR Clients and Industry Stakeholders Executive Summary The April 2026 Cybersecurity Maturity Model Certification (CMMC) Town Hall provided important updates on program implementation, ecosystem development, and upcoming initiatives that will impact…

Read more

CMMC April 2026 Town Hall Update: Key Insights for PJR Clients and Industry Stakeholders

Executive Summary

The April 2026 Cybersecurity Maturity Model Certification (CMMC) Town Hall provided important updates on program implementation, ecosystem development, and upcoming initiatives that will impact organizations across the Defense Industrial Base (DIB).

The overarching message remains clear: CMMC requirements are actively being incorporated into contracts today, and organizations should be progressing toward compliance now. While the Department of Defense continues its phased rollout, external pressures, particularly from prime contractors, are accelerating timelines for many organizations.

Program Implementation: Clarifying Phases and Expectations

A key focus of the Town Hall was addressing ongoing confusion between CMMC implementation phases and perceived compliance deadlines.

The Department of Defense is executing a three-phase rollout through November 2028:

  • Phase 1 (Current – November 2026):
    Emphasis on Level 1 and Level 2 self-assessments, with select contracts already requiring Level 2 third-party certification.
  • Phase 2 (November 2026 – November 2027):
    Level 2 C3PAO certifications will be required in all new contracts.
  • Phase 3 (November 2027 – November 2028):
    Level 3 requirements, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), will apply to higher-priority contractors.

Important Distinction

There is no universal compliance deadline applicable to all organizations. However, prime contractors are increasingly establishing their own requirements, often mandating Level 2 certification ahead of the official timeline.

Implication: Organizations should align their readiness efforts not only with DoD phases, but also with expectations set by their customers and supply chain partners.

Ecosystem Growth and Certification Activity

The CMMC ecosystem continues to mature, with steady growth in certifications and qualified personnel:

  • Approximately 1,100 Level 2 certifications were issued.
  • 103 authorized C3PAOs
  • Continued expansion of Certified CMMC Assessors (CCAs) and Certified Professionals (CCPs)

This growth reflects increased adoption across the DIB but also signals rising demand for assessment services.

Implication: Organizations should plan proactively to secure assessment timelines as capacity becomes more constrained.

Launch of the Cyber Engagement Forum (Cyber EF)

A significant announcement from the Town Hall was the introduction of the Cyber Engagement Forum (Cyber EF), a new entity designed to enhance industry engagement and support.

Purpose and Structure

Due to ISO accreditation requirements, the Cyber AB must maintain independence and cannot engage in activities such as consulting, implementation support, or program promotion. The Cyber EF has been established to address these gaps.

Core Focus Areas

The Cyber EF will:

  • Modernize and expand the Practitioner Program
  • Develop a next-generation CMMC Marketplace
  • Establish a centralized CMMC Body of Knowledge
  • Provide enhanced support for External Service Providers (ESPs), including MSPs and MSSPs
  • Increase industry outreach, education, and engagement.

Implication: This initiative is expected to improve access to reliable resources and strengthen the overall support structure for organizations pursuing CMMC compliance.

CMMC Marketplace 2.0: Enhancing Industry Connectivity

The upcoming CMMC Marketplace, developed in partnership with RampXchange, represents a substantial evolution from the current directory model.

Anticipated Capabilities

  • Advanced search and filtering by region, language, and capabilities
  • Segmentation of services (consulting, managed services, tools, etc.)
  • Support for transactions and RFPs
  • Integration of broader cybersecurity services beyond CMMC

Implication: Organizations will benefit from improved transparency and more efficient identification of qualified providers.

Tier 3 Clearance Process: Guidance and Expectations

The Town Hall provided detailed clarification on the Tier 3 (background investigation) process required for certain certifications.

Key Guidance

  • All inquiries should be directed to: tier3_submission@cyberab.org
  • Organizations should not contact DCSA, WHS, or the PMO directly unless more than six months have passed without a status update.
  • The process involves multiple agencies, contributing to longer timelines and limited visibility.

Implication: Patience and adherence to the established communication process are essential when navigating Tier 3 requirements.

ISACA Transition Updates

Following the transition of certification management to ISACA, several operational updates were shared:

  • Some users may experience duplicate accounts; support is available to resolve these issues.
  • LCCA applications are currently processed manually, with automation planned.
  • Certification structure requires maintaining lower-level certifications to retain higher-level credentials.
  • All certification fees are now managed through ISACA.

Implication: Organizations and individuals should familiarize themselves with ISACA processes to ensure continuity in certification management.

Ongoing Challenges and Areas of Focus

External Service Provider (ESP) Requirements

There remains uncertainty regarding requirements for MSPs and other service providers, particularly in cases where direct handling of CUI is limited.

A policy alignment session scheduled for early May is expected to provide additional clarity.

Technology and Tool Proliferation

The ecosystem is experiencing rapid growth in compliance tools, including automated documentation platforms and AI-driven solutions. However, validation of these tools remains critical.

Assessment Rigor

Government-led assessments continue to be highly detailed and documentation-intensive, reinforcing the need for thorough preparation.

What This Means for PJR Clients

With C3PAO accreditation expected by August 2026, PJR remains committed to delivering independent and objective CMMC assessments while maintaining strict separation from consulting activities.

Based on the April Town Hall, organizations should consider the following actions:

  • Advance readiness efforts immediately, regardless of official phase timelines.
  • Align with prime contractor expectations, which may exceed DoD requirements.
  • Ensure documentation is comprehensive and audit ready.
  • Stay informed on upcoming guidance, particularly regarding MSP and ESP requirements.
  • Plan for assessment scheduling to mitigate potential delays.

Conclusion

April 2026 CMMC Town Hall underscores that the program is actively progressing, with increasing enforcement and ecosystem maturity.

Organizations that take a proactive, structured approach to compliances supported by qualified partners and a clear understanding of evolving requirements—will be best positioned for successful certification.