A

The number of CMMC Level 2 certifications issued keeps growing. The ecosystem has technically come together twice in one month and members of the industry have a new way to interact with the ab. And that's what we're going to talk about this week. Joy, it has been an absolutely busy, busy month in the world of CMMC conferences, announcements, certifications and a town hall. And it's time for us to come together and talk about it. How's it been? How did you like CS5, Joy?

B

I loved CS5. I thought that it just keeps getting better every year. And since the interaction and engagements we had for CS5 east, moving over to west now, I really feel like everything is gelling and what a great amount of conversations and sessions and topics and what was your thought on it?

A

Well, so I kind of echo some of the same sentiments. Some of the things that were announced by Matt Travis during this month's town hall about the CS5 event was like the in person attendance, almost a thousand people. That's amazing. I remember being at the first one in Tysons in the basement of a Ritz Carlton, I think it was, and maybe 200 and now to see it be a thousand people in the ecosystem and only going to grow. I really enjoyed that part of it. I thought that it had great energy. I agree with Matt there. And there were some presentations, quite a few presentations that I was kind of blown away by. I agree, I agree with Matt. So I definitely learned quite a few things. I appreciated the workshops, the round tables. That was interesting, just not because what happened was, is like, all right, I'll just jump into it for like a quick second and then we'll keep going. But you knew when the round table started because you, if you were in the vendor exhibit hall, it became more lively, right? People were interacting and then people were more curious. They were walking over to the tables and like, what is this about? So I think having that located there just this time for some reason attracted more people and I think that's going to be something that's going to grow a little bit in the future. I, I have to ask you, Joy, what do you, what do you think about our, I guess second day keynote speaker, the Honorable Ms. Arrington? I thought that that was one of the best Katie speeches that I've ever seen.

B

Right. And you know, I haven't been able to see her before, live in person without getting tears in my eyes. And same thing happened, you know, I was laughing, I was crying. I'm like, she's just such a enigmatic dynamic person and you can't help but like line up for the mission the minute she starts talking. And, and it was very poignant the moment that she had with Stacy on the phone. Funny and poignant because it was very unplanned, obviously. Really good stuff though. Yeah, I, I'm a big fan.

A

I, I am also, but I, I have to admit that I love the fact that she walks through the audience and if you've never met her in person, she's not a very large person. She's very small in stature. But all you see is her little head like bouncing as she's going through and talking. And I just absolutely love it. I thought it was a great presentation. I thought it was an excellent addition to, to the CS5 and I look forward to CS5 in the fall. Something that we've been telling people to look forward to was one of the topics of the town hall and it's basically Primes are going to Prime. John Joy, the topic was prime movers and CMMC implementation. And while the the Dow has a phased rollout for cmmc and we know what that lays out, that this is a possibility here based on what the Dow wants to do and that their discretion allows for risk and things like that and changes for when requirements may come down to their prime contractors. Right. But the supply chain that those prime contractors must get an order, clean up, make sure is good enough to keep business going is is really the focus of all of their priorities. And we're seeing that through notifications from an L3, Harris from RTX, all of those people. Right. And so this segment, Joy, is basically the Primes are going to prime. They're going to make sure they're still able to capture the revenue they need to. And if you're part of that supply chain, that might mean that you're going to need to have things in order for the prime to be able to rest their head easy at night knowing that you're good to go. They can still capture revenue when the Dow comes calling of them, whenever that may be. Is that kind of what you got from that segment, Joy?

B

Right, it is. And you know, we see immediately when these things come out from the Primes, they tend to get shared on LinkedIn and other social media platforms. Like look at what this prime is saying now. It's been happening quite a bit as you referenced and then also in, you know, our own summit up about that, in Jacob Horn's post about it, it has been a huge amount of engagement and interaction with people asking questions. So it Seems like this is like, what we are seeing is that the Siberia B Town Hall Matt follows suit and says, okay, just so everyone understands, yes, this is happening. And this is why this is the distinction between Dow PMO and what we're saying in the CFR170 is the phased rollout. But then this is what the primes are saying. So he's just kind of recapping this is official according to what the primes want to do. They can do that. It just follows suit with all the things that we've been seeing already posted. But if you're not on LinkedIn, you're not aware of it, this is a good venue for you to get the lowdown on it.

A

Yeah. And I've absolutely. In conversations with prospects and just in conversations with OSCs in the wild. Right. I've seen where the ripple effects of these letters and these notifications are coming downwind, where they're like, I don't necessarily deal with an L3 Harris missile solutions directly. And they're not my, you know, first tier. I'm three tiers down from them. And now I'm seeing the ripples of this. And this is kind of, you know, what we're saying, like, if, if it's due next week for the first level, then I bet you it was due last week for the second level and then levels below that the weeks before, you know, concurrently. Right. And so what we're seeing right now is proactivity and especially in the L3Harris case, I think, and this is just a hunch, right? Imhoj. But I honestly think that because Missile Solutions are in there and we have this Golden Dome initiative that's going to have L3 attached to it, that L3Harris is proactively pushing L3 by putting L2 in place. Now, that's just me. I don't know. I sometimes like to ramble on, but I, I would kind of chalk that one up. Right. IOU, Ferrari, 500K, whatever you want.

B

Probably an educated guess.

A

Educated just slightly. I don't know. Joy, our favorite things where we don't have to take educated guesses is the updates that we get from Matt Travis about the state of the CMMC ecosystem today. And I see you cracking up because, like, you know, this is, this is fun for us. This is what we like to do. As of, as of the town hall recording for this week, final certifications issued are up 12%. That's a big jump. 12% in one month now at 1198. Official with conditional status certifications up Another. Let me peek in real quick. 8%. Sorry, should have made the font a little bit bigger. Another 8%. So we have 42 conditional search in place. So right now, just a little bit over 1240. Either statuses issued and then the in progress. Right. CMMC level two assessments that are in progress, either having completed, converted to a mock or whatever it may be, 124 of those. A little bit of growth there and then speaking. A little bit of growth, Joy. A little bit of growth, maybe to the tune of 1% growth. In the lead CCAS, we went from 486 or 44 to 489 this month. And as we've mentioned in months past, I think that that is the most vital number that we, we need to pay attention to because that means at most that's how many assessment teams can go out at once, right?

B

Yeah.

A

All right. And then last bit of update before we get into the big update. And this one, Joy, had a been a couple surprises for us. Okay. First, it was about Tier three inquiries. And we know that there is a lot of questions that surround Tier three statuses for people. Why is it taking so long? Does it even exist? Who's in charge? Right. What has to happen for me to be okay to handle CUI or to do a job to prove that people are okay to handle cui? There's a couple things that when statuses take long, it seems as though there's people inquiring just to the wrong people. And so they got on the town hall today. All right. This week. Sorry. And basically, these are the people that you don't contact about your Tier three updates. Dcsa, WHS, and the Department of War, pmo, they're not the people. Unless that status takes longer than six months for your Tier three. And then there's a link that's provided, and we'll drop that link in our notes for the show this week, but there's a link that's provided on the, on the town hall for you to contact if it's been longer than six months. Just to be like, hey, what's going on with my status? Was there anything about that segment, Joy, that surprised you?

B

Well, the first thing is, I thought it was funny that they're basically saying, don't call me, I'll call you. Unless, of course, it's been six months. And then you can follow the form multiple times. Yeah, we can't help you. Stop, stop trying to call us. And then the second thing is that this is a very laborious process. I didn't realize until they actually broke it out visually, how many steps are involved in going through that Tier three adjudication?

A

Well, now, now we know. I, I was today years old when I found out that this process was that long. Right. I thought it took a lot of degrees of separation to get to Kevin Bacon in a movie that. Until I found out how many degrees of separation it took to get a Tier 3 status to perform ecosystem activities on a professional level. Right. Just so you know. And we're going to display it on the screen and it would probably take me 48 minutes to talk through it. 10 steps is what Joy's referring to. It is a 10 step process to get tier three cleared. And I'm only giggling because I thought it was maybe like three. It went from this status to this status to this status. And now after how long my process took, I feel a little guilty like for how I reacted. Like it had to bounce off all these people. That's a, it's a crazy game of telephone is what it is. And I. So I can imagine why there's some hiccups at times. Right. But we're going to display that on the screen so that you can see what the process is. And I suggest you listen to the explanation of how it goes that Matt provided on the town hall and then we'll figure it out from there and enjoy the biggest news. And we heard about this at CS5, but the biggest news in which I feel came from this month's town hall meeting is the announcement of a way for the Cyber AB and for the CMMC ecosystem, just people in general of industry to interact with one another, better to collaborate more, to share knowledge, things of that.

C

Right?

A

That's one of those things. Industry input, industry engagement, making sure everybody's lined on the same page. And so what they did this month, Joy, they announced the EF or the Cyber Engagement Forum. And so I'm already doing a terrible job butchering this. So I thought I would put on my mess Matt Travis impersonation real quick and think, you know, who better to join us, right, to talk about what the EF is, what the EF does, who talks to the EF and everything like that. Then the person that's responsible for running the EF moving forward, the new and I think this is the executive director of Ecosystem Engagement, Mr. Mike Snyder. Mike, welcome to the show. Mike, first, congratulations. You are indeed the Renaissance man of the CMMC Cyber AB, the Mr. Fix it, the at home homeowner dad of the Cyber ab. Right. I think that You've held a position in kind of every avenue that the person that went from the busboy to the manager in the restaurant, you know, I've done it all. I've written all of the policies that have to go along with all of those positions. And now, you know, personally, I want to say congratulations, because I feel like even though you've excelled in each step in stage that you've been at, I feel like this is truly a role that fits you, fits your personality and what you're intended to. To do. So congratulations.

C

Thank you, Jason. And thank you, Joy. It's good to see everybody.

A

So I wanted to first bring you on and have you talk about the ef. But in order to talk about the ef, we have to understand what your new role is. And based on the title, and this is just a hunch for me, I think that it has a lot to do with engaging with the ecosystem. So do you want to take a couple seconds and just tell us about your new role and what it is and what you're supposed to do?

C

Yeah. So, very simply put, you're spot on. First word is engagement. And the goal is to be the first entity, first group of people that engages with the CMMC ecosystem as a whole. Last night, if you heard me, I think the fundamental issue with how we built CMMC was we were trying to get to the assessments before the implementation and we'd always known that that was a kind of an issue. But without the assessments, you really have nothing to do to begin with. So although we did kind of do the cart before the horse, it's getting back to that, actually looking at the OSCs and our RPOs, our practitioners, and getting them the availability of relevant information resources, webinars just like this, that actually feeds them with information. It's not hearsay. The forum, Joy will remember this from years ago. I had this dying urge to create a community, get together, right? An actual like the old forums from back in the day with dial up and everything else. Granted, John Hanney and the team, our IT team, tried to create one for me. It was just way too hard to manage. But getting back to actually being able to facilitate and get information directly from the source to the person that needs it, is building the forum. So we'll see the CMMC body of knowledge coming out shortly. I feel bad. I think I hit it last night, but I've wanted this for so long. I think the rest of the tester and the implementation community is the same thing. Mike and the AB has been promising this for so long, one central place for all the information. But I would say when Matt and I and everybody else came up with the name, but I think it was putting words together that we have talked about for so long and pushing them together to make sure that the ecosystem does have what they need from start to finish.

A

So do you feel like this is basically. Basically another stage in the evolution? Right. People are being dedicated to certain positions within the ecosystem instead of doing things or occupying multiple roles at once. Right now we have a person that's dedicated and focused for that.

C

Correct. So we used to say this in the beginning, back in the provisional assessor days. Joy might remember some of the slides, but the AB was broken up into multiple departments with the intention that we would have to split into actual individual organizations as the ISO. The 1711 requirements came out for the AB, that they couldn't be doing all these other services. We talked about it and it kind of faded out. But now we're actually breaking those up so that we can, to your point, provide direct support and engagement to each one of those different parts of the ecosystem and that we're not violating any part of the 32 CIFAR or ISO while we're doing it.

B

Absolutely. So you mentioned that primarily you were looking to get this form going for RPOs and OSCs, but really who all should be engaging with the new form that you're putting together.

C

I'll break it up in different segments for this. So the initial engagement point part of what I have to do Inside the cyber EF is essentially for OSC's, RP's, RPOs, RPAs, like the implementation. I'll caveat that with probably the one big secret. I didn't focus on it too much last night, but is the breakup of the RPOs into actually what they do. We've had a lot of requests, like, I am an msp. I'm really not an rpo in the fashion of what you talk about, actually going from just being an RPO to be an MSP or a vendor or whatever you're trying to do with that RPO title and actually let the ecosystem see you for what you, what that company or what that organization does. So that's probably the initial thing. The biggest breakout we've all talked about is issues. So that'll probably be the biggest thing coming through there. Now, with that being said, I have some other fundamental requirements that we're given. So not only do we deal with them, but assisting the AB and even the Keiko is the ability to Build like the bok and that's for everybody. That's not just for the implementation side or it's a whole. It shows the implementation and the assessment side all in one, you know, tool for different people. And then of course, the marketplace is for everybody. It's not like it's going to single out any. We'll see OCS in there for the first time. Like I said, we'll see the split up of different services that can be sold, sold, actually sold in the marketplace, not just a directory listing.

B

Okay, Mike. And just for those who aren't aware, you mentioned a bok, which is a body of knowledge. And I'm very excited personally for this because I know that there's been so much ambiguity around guidance for implementation, guidance on interpreting the official documents. And so this is going to be community driven from the sound of it, with your oversight. And that body of knowledge is something we've been needing for a long time. The second thing I'm picturing when you're talking about this marketplace is like right now I can go on a website for say a retail outlet and I can filter down to exactly what I'm looking for, like a navy peacoat for an elegant, you know, women's event. And I'll have just that in front of me. So when you're speaking to all the capabilities of potentially an rpo, it really can be that granular. I'm looking for implementation assistance and I think you even said that regionally or geographically and with the language that they speak that it can be very narrow in filtering, which is going to be a huge resource for the oscs. Did I get all that right?

C

You did. I'll add to that just a little bit. This will be the first time we've ever had user or ecosystem involvement during the beta phase. We've had a tendency to roll things out just to get them out. With this one, there is already filtering there down to a vendor tool specific tooling that you have in your environment, picking assessors for their trait skills. So you'll be able to build out a profile which I think almost everybody's asked for. Like, how do I add this to my current profile? And there wasn't a lot you could do in the old one. John did a ton of updates just so we could add a little bit of filtering to your point. It'll have any and every filter. Every time I come up with a new one, I'm expecting our partnership with Rampage Change will come back and say, yeah, we can't do that. But so Far they've been able to pretty much add whatever we wanted. But this will come from oscs, from the practitioner community and from the assessment community. Utilizing it first, telling us what we need to do in the beta and add more features if we need to, and then having some future ones. I know we're going to keep adding stuff to it, but yes, it will be as close to Amazon as we can get.

A

Amazon Marketplace for cmmc. I like it.

B

So I'll just say that as soon

C

as this is at the highest level I could.

B

Yeah. And as soon as it's ready to go, the homework is going to be that if you are on the current directory, you need to get into the marketplace and really identify all of those special areas and capabilities, populate all the fields that are available or you're going to be left behind, lose out on some of those opportunities. Right?

C

Yeah, kind of. This will be a little bit different for our ecosystem members that have been with us either from the beginning or in the last couple years. Ramp Exchange has a totally different process. So although we're using a CMMC variant of Ramp Exchange, it won't be like you're going to Ramp Exchange and using all their tools. This would be built just for us. But they have staff on hand. They also have a process that essentially does the enrollment, the registration, asks you all the questions. It's very in depth. Like Matt and I have always been impressed by the way they've kind of thought through everything on the gov. Ramp side of the house, on the state side. Now we're integrating that, adding just more like stuff we've wanted the whole time of cmmc. This will probably be a little bit different because you have humans. I'm not going to say that we didn't, but Tracy could only do so much. Our support staff could only do so much and there was limited functions. This is pretty much full customer service, helping somebody so that they do understand how to essentially promote themselves. There's also one thing that we didn't really talk about it last night. There is requests for proposals. The customer can do one or you can have your own proposal already drafted in there. The system helps you build it out if you don't already know how to do them on both sides and their staff there. That's probably the biggest change that we are not used to on this CMMC ecosystem is having tools that are ready available to help you sell your product,

A

some more advancements to help the ecosystem. Nice. I. I know Mike, you had mentioned the Book of Knowledge and we, we kind of explained that and some of the other like the Amazon First CMMC for. For vendors and. And. And the like. What are some other things. I know you had mentioned webinars earlier some other output from this from the EF that the ecosystem can expect as far as like, you know, attendance of conferences, things of that nature.

C

Yeah. So the DFL put kind of a fundamental flip on how we do stuff from the AD perspective. Most everybody's used to us. You know, we kind of get some events we're going to do. This will be more of an outreach to what do we think is viable from the community. Instead of us kind of picking and choosing or whoever talks to us actually do that engagement with the whole entire ecosystem and try to help out some of the conferences. Some people probably noticed me going around doing it last year as I was working in the Keiko and trying to do the cyber EF at the same time. Trying to but essentially get conferences or events down to regional where you can actually get to them and the same thing would have been at each one and highlight on what's needed there. I think the biggest ass if I know all you enjoy both go to a lot of the events and from Joy and I last year were in Washington State. We did one very good but it's, you know, it had a. Its own crowd and you're going to see like Navy is going to be at certain places that we're going to have army of different ones trying to break it up so that we're actually fitting that community. The other thing we'll be doing is the practitioner program. Overall, what we've been waiting for forever actually going back to the ecosystem. Our implementers, our organizations actually building courses that they want, the training that they want all the way to the advanced level. Actually getting into tools for a change.

A

Could we. Mike, could we see a situation where the EF is maybe spearheading efforts for like maybe mass. Not certifications but mass trainings at these different events, these regional events where like this the EF is leading something like ARP Advanced Class or cca. Not why you can't lead the CCA classes, but you know what I mean, Spearheading or facilitating people getting guided into those. And then I'll. I think I'm done with my questions.

C

Yeah. I won't speak and commit to anything because I do believe that there needs to be ecosystem input into it. But essentially some of the feedback that we've got my first attempt is we've seen most of the training is focused around ccp. CCA at the event but actually breaking that out into assessor traits and skills as well as implement implementer. So RP RPA advanced traits and skills. So actually having the vendors come in but teach us how to implement it. Teach us to do stuff we've seen like at Microsoft Team different events where they actually have hands on training to let you know how to this is what you need to look for in the assessment. This is the first time I don't know if you if you had an opportunity to see but ENAB came in from the C3 appeal side of the house to teach how the 17020 assessment gets done. So that was like a request but we'll see more. Certain events will be focused on ccp, CCA and then the RPRPA where some will be focused on organizational based training. But yeah whatever people can or those organizations individuals in ecosystem can think we will try to do. I'm anybody who knows me, I'm very adamant about getting the skill set that we need for the whole ecosystem to actually be able to do the assessment and the implementation.

A

Awesome.

B

Yeah. Why I know it's been a six year dream since you and I spoke about this and so I'm really happy to see it coming true. Now Mike, how should people interact or engage with you in the Cyber ef?

C

So as Matt said we go live on Friday with the website we'll switch over some emails. This will be the probably the first time like with the Keiko Isaca did some some switch over emailing but as the F since I were the first part of the engagement we will be doing surveys and sending out how to contact us essentially most of it won't split. You'll still go to the same support inbox. The differences for events and some other thing we'll be switching to different emails on the EF but we will be sending out information probably bombarding everybody with tons of information for a change coming from the EF on what's going to happen for the rest of the year.

A

Nice. Mike, I can't tell you how grateful we are that you joined us for the show to talk about the ef. How grateful we are for all of the things that you're now spearheading to increase ecosystem engagement. Thank you so much for joining us. I hope that we can have you back. Obviously if you need to engage with the ecosystem we're here to help you do that. So we, we hope you take us up on the offer whenever you need to talk to somebody.

C

Thank you for having me on and anytime all right, folks.

A

Well, that's all we got for this week, so, like, subscribe, tell all your friends, and we'll see you next week. It.