A
All right, everybody, it is April of 2026 and we are joined by friend of the show, master C3PAO, world traveler, CMMC expert himself, Fernando Machado. You are managing principal at Cybersec Investments. No stranger to the podcast or to our content out there on LinkedIn. We'll link to the episode below that we did not that long ago when you were at just a couple dozen assessments. Today we're going to be talking about how you recently crossed a hundred successful C3PAO assessments. Fernando, welcome back. How are you?
B
Yeah, good. Thanks for having me, guys.
A
Yeah, awesome. Yeah. Well, I was looking back at the episode and it wasn't that long ago and it was just a couple dozen. I think you had just crossed into 25 or maybe 50. I mean, it wasn't a ton of assessments. Looking back at the time, it was a big deal. But the big news recently, and I mean now it's kind of in the rear view mirror by the time we're having this conversation, is you've successfully completed 100 CMMC Level 2 certification assessments. These are third party C3PAO assessments. And I think a lot of people out there would have, you know, they imagined when the final rule came out, they're like 100 assessments would be amazing once that happens and you just have a hundred in your portfolio. So 100 is a huge achievement. Can you just maybe give us some background about the makeup of those 100 companies? Like general size, their revenue? Are these, you know, more mature, less mature in terms of internal teams? Like, what's the nature of the landscape of these hundred companies?
B
Yeah, so we broke up our metrics into five different kind of categories. Right. So annual revenue, we saw that most companies are between the 0 to 50 million in revenue, which accounts for 71% of the overall customers. Then company size was about 0 to 200 employees. That accounts for about 60% of our customers. The third metric that we captured was maturity. Right. So either did the company handle all of these control implementations and maintenance on their own, did they utilize a consultant or a certified managed service provider? And we figured out that companies that used either a consultant or a certified service provider accounted for 74% of the overall assessments that we've conducted. The fourth metric that we captured was contractor type. So 46% of those contractors that we assessed were either subs. Now some subs are also primes on other contract vehicles. So that was a little bit more of a difficult metric to capture. And then the last metric that we captured was, you know, which agencies we're working with. The Navy makes up for 68% of the overall contracts, followed by Air Force, which is about 23%. And I think I saw Army was at 7%, Marine Corps was at 3%.
A
Wow. So I mean, just off the jump here, those stats sound pretty similar, I'd say, to the broader makeup of the DIB. You know, in my experience, right, mostly smalls, probably 50 million or less, 200 employees or less, generally doing a lot of subcontract work, almost always have some form of third party service provider attached to them. They're generally not doing everything in house. So that seems to be pretty representative of the DIB as a cross section in this 100. So that'll be really good for everybody. What are your initial thoughts here, Jason?
C
Yeah, first, congratulations on getting to 100. And I think just the initial question I have for you, Fernando, is, you know, obviously when you started out, I want to be a C3PAO. I'm going to do assessments. You set milestones and metrics for you. And obviously 100 assessments has to be one of those. It has to be on there. My first 100. Is this earlier or later than you anticipated when you set that metric for yourself?
B
This was a lot earlier because, I mean, if you can imagine, right. Phase one didn't begin until November of last year. And this is accounting for all those organizations that began assessments in January. So if you really look at the numbers, right. Let's just say we were to exclude from January to November of last year, I mean, those numbers would be far less. But these are all companies that are leaning forward and wanting to get certified early on.
A
Yeah. Yeah. All right, well, let's just, let's just jump right into the questions here and, and get straight to the point because that's what everybody is looking for. So let's just address the elephant in the room here, the one that everybody's talking about. What are the ballpark costs here? Like, we don't have to get specifics. We're not giving anybody a quote here. What is the, what does the ballpark look like in terms of cost and what are the factors that are maybe driving up costs unnecessarily? Because that seems to be pretty common.
B
Yeah. So usually like we usually say costs start anywhere. Like we've seen it in the ecosystem, costs are starting at around 30k and they kind of go up from there. A lot of it really depends on size, complexity of the organization and then, you know, one way to lower costs. We always tell folks scoping is very important on driving down your cost, as well as we also try to drive down costs for our customers by using the non-statistical sampling that's out in the CAP. So for example, let's say that you're a manufacturing environment with five sites. They're all under the same system security plan, they're all set up the same way. Rather than us going and visiting all five sites, which now would increase the time and cost for the contractor, we could say we'll randomly select two sites. And if those sites are good, we can say with reasonable assurance that the remaining three sites are good to go as well.
C
So it's established on your confidence and the determination. Right. We're doing such a good job in these two sites that as an assessor I feel confident that your process is implemented in the other three sites.
B
Yep.
A
Correct.
B
Yep.
A
Well, well, here's a question for you. I don't know if you misspoke when you said that assessments start at around 30k because LinkedIn would have you believe that assessments start at $100,000. So did you misspeak here?
B
Yeah.
A
You know, I noticed that you're still in the same house that you were in, you know, 75 assessments ago, which makes me think you're not charging $100,000 for assessments. Can you help us understand this issue?
B
Yeah, I mean like if, like, like the metrics that we talked about. Right. Most of the companies that we're dealing with are 0 to 200 employees with pretty simple environments.
C
So.
B
Right. The starting at 30k and then going up from there is normal. Now we have had companies that were very large primes, very complex, where we've charged over 100k for assessments. But these are, right, large manufacturing environments with multiple different locations in different countries.
A
Yeah, we all know what's going on. People have implementation costs to comply with DFARS 7012 and then they associate that with CMMC in addition to their cost of assessment. And so then they say CMMC is costing me $200,000. Fernando's not charging you $200,000. CMMC is not costing you $200,000. Sorry, I say it every week.
C
Just gotta re-emphasize the point. You want to hammer it.
A
Can't emphasize it enough, apparently.
C
Right. So you listed some of the factors that impact the cost of assessment.
A
Right.
C
But what about the timeframe of the assessment? Are some of those the same factors that impact the timeframe that has to go there?
B
Yeah, I mean, most of the time we tend to conduct most of the small to medium sized business assessments, those are usually within about a week. We allocate a week. The speed of it can really depend on how well prepared the customer is. So we usually allocate a Monday through Thursday schedule with a Friday reserved as needed. Right. And depending on the size and complexity, we've had assessments where we've had to go two weeks because there were just so many different locations and variables that we had to account for. But by and large, I would probably say 90% of our assessments are within one week or less.
C
Sure.
A
Nice, nice. So we talked about the phased rollout. Obviously, you know, we had about a year of time from when the program rule went into effect and people could go get an assessment if they wanted. And then the contract clause final rule went into effect and started the phased rollout, at which point DoD would start mandating people to achieve a CMMC status in contracts. And that seemed to really, you know, catalyze a lot of people into acting on it. In your experience with those 100 assessments, what were the things that triggered people to start? Just a love of security and God and country and they wanted to do the right thing, or was there some other thing that caused them to make the jump and go through assessment?
B
Yeah, I mean, and really the biggest thing is the prime contractors are starting to push the supply chain to get certified. Now, interestingly enough, we've talked to several different subs coming to us saying we need to get certified, who are all working for various of the large primes that we all know and love in the space. And they're all saying the same exact thing: my prime wants me to get certified before November 10th of this year. So they're all trying to get onto our calendar, and at the pace that we're going, I think probably here in about another month we're going to run out of basically calendar availability for calendar year 2026. Yeah, we're trying to help with that on the back end with trying to bring more assessment teams on, but, right, we gotta love the Tier 3 background check and the new ISACA process.
A
You know, it's interesting. It's interesting because this has been a debate that I've been getting into with people on LinkedIn all the time is a bunch of people are saying the November 10th deadline, the November 10th deadline. And it's interesting because some of the primes are saying we want people by October, we want Level 2 status by November. That is not part of DoD's phased rollout. So it's another one of those situations where people are like, I can't believe CMMC is turning the screws on everybody. And they're not. There are zero deadlines in the phased rollout. This is all the Lockheeds and the Northrops of the world deciding that as of November they want their supply chains to be ready to go. And not to, you know, not to speak around anybody that, you know, are competitors to you as a C3PAO, but we've heard a lot of variability in terms of, some C3PAOs are completely booked, some C3PAOs are flipping signs on the corner, like just trying to drum up some work, and there seems to be quite a bit of variability. So can you maybe talk about your view of the assessment capacity of the ecosystem broadly? Like, is every C3PAO out of cycles or does it vary?
B
I really don't know. I know like, that we could speak for like our metrics. For example, at the last town hall we were, I believe, something like 900 assessments had been, or 900 CMMC Level 2 final certs had been issued, and at the time we were in the 91, 92 CMMC Level 2 final certs issued. So we ourselves make up for 10% of the overall certificates issued in the ecosystem. Yeah, I don't know how the other C3PAOs are faring in that regard,
A
but I mean, it makes sense. I mean, you guys, you know, you've got the 100 assessments to do good work. So people want to, want to work with you guys.
C
So if you're occupying 10, there's 90 plus other C3PAOs that are occupying the other 90 of what's being the output. Now obviously there are some of those C3PAOs that are just C3PAOs to have the title. Right. They don't occupy their MSPs, whatever it may be. So I have a question, and just kind of to move on, like when it comes to the makeup of the assessments and kind of what you see when it comes to the assessments, we like to keep track of false starts. And then obviously there's no official false start metrics except for the word of mouth from people like you. Yeah, so I want your word of mouth. When you see assessments come in, out of every, I don't know, let's say 10, how many of them are false starts that you're like, do not pass, we're not going to assess you right now.
B
I would probably say two or three. Right. So we've got about a 30% false start rate, meaning these folks do not even get out of pre-assessment with us to get into phase two or even get into our schedule. So a couple of things that we see that drive that: incomplete documentation. Right. SSP was still in draft in one instance, was not signed by any official and I could still see comments in the document. Right. Hey, should we do this? The other thing I saw was improper scoping. Right. The data flow diagram was inconsistent with their environment summary; one organization even tried to slip in a cold storage data center from their scoping. Yeah, it's crazy. Another thing we saw too, the use of FedRAMP moderate equivalent solutions. A lot of folks not understanding that their endpoint was in scope, but it wasn't depicted on any of their diagrams. And I know, Jacob, we say this a thousand times, I don't know, over the last what, five years, everyone, some of these folks fail to continue to keep using 800-171A. It is insane.
A
Yeah, I mean I kind of want
C
to add a good. No, no.
A
Well, I was just going to say, you know, if you see like a 30% false start rate. You know, people talk about this where they're like there's not enough assessment capacity. We're always telling people that there's not enough implementation capacity because everyone's like, well, a hundred thousand companies need assessment. Clearly a hundred thousand companies aren't ready. I mean you're talking if only 80,000 companies need an assessment and they all went to you, 25,000 of them just won't even qualify for an assessment. So you know, we're not talking about this perfect estimate here in terms of the number of companies as if they're 100% ready. It's just not the case.
B
Yeah.
C
So you mentioned data flow diagrams being one of the like trigger points where the false starts. And so I'm kind of curious with the recent release of the updated FAQs and some of the things that are data flow dependent that are attached to those FAQs, like encryption not being logical boundaries and things of that nature, how many of those things are you seeing as people falsely thought, I'm using encryption, I'm good to go. And you're like, nope, that's not how this works.
B
Yeah, I think we had two instances where the organization's like, oh, we'll just encrypt it and just put it in Microsoft Commercial, and I'm like, nope.
A
Yeah, well, okay. So, you know, the false start thing is interesting, but it is relatively anecdotal because it's not an official metric, but maybe one day it will be and then we can take that as a win.
C
You can only pray.
A
What kind of ratio out of the assessments that you've run end up being conditional assessments? So for those of you that don't remember, right, you run through your assessment, you don't false start, you actually get an assessment done. If everything is met, you get a final status. If you have open POA&M items, you get a conditional status, then you have to close them out. So do you see a lot of conditional statuses that result, or how does that play out?
B
Yeah, we haven't had to issue any conditional assessments to date. So that's a testament, right, to the trusted partnerships that we've established with companies like Summit7 that help their clients get ready and make sure that, right, there's little to no surprises on the end of the tunnel.
A
There's nothing wrong with conditional assessments, everybody. Like, I mean, it's a cool feather in the cap to have like, oh, we haven't had anybody, you know, have a conditional assessment, but you can win contracts with a conditional assessment. It's not a big deal.
B
Agreed.
A
You know, is a spare worse than a strike in bowling? Like, you still knocked all the pins down. Who cares, you know, but it's one of those things. I think it's probably having to do more with the fact that these are the early wave of companies that were ready ahead of time and they wanted to be early, if you will. So the likelihood of them having open items is probably a lot smaller. But nothing wrong with conditional assessments, everybody. Don't worry about it.
B
Nothing at all. Yep.
C
So false starts, Fernando, are one of those stats that we wish were reported, and then we did one month see failed assessments be reported. Right. And we're like, oh, there's hope here. We understand that people are failing this. Now it's no longer reported. And now there's obviously bailout options during an assessment so that there are less failures. So I'm asking you, how many of those scenarios have you seen where people just flat out failed or we had to convert to something else?
B
Yeah, we haven't had any failures either, right, because we try to catch any of those showstoppers in phase one. And then additionally, we've been able to use the reevaluating part of the rule, the security requirement reevaluation, where they've provided additional evidence to demonstrate a control's not met. Right. Doesn't change or limit the other controls that have been marked as met. And it's prior to us submitting our assessment findings report. So we've had to use that a few times. But it was mainly, you know, a person, like we would request, we need a certificate for like insider threat awareness training for example, and they couldn't immediately find it. They would go back and they would bring it back to us and say, oh, here's the cert. We finally got it. Because as you can imagine, right, we get hundreds of artifacts and documents that get submitted to us.
A
Yeah, I mean, this is one of those things where it's like the idea that CMMC is some draconian, like impossible hurdle. I mean, I think I was talking to some other C3PAOs, probably a year ago, and somebody said we don't want you to fail, but we can't just let you pass. And I think that really sums up the situation where they're like, nobody here is rooting for people to fail. But it's interesting that you say like no failures, but that false start rates are like 30%. Obviously if that phase one readiness assessment wasn't built into the CMMC assessment process, we would have double digit failures, no question. I mean I've heard as high as 40% or more for some people get false starts. So I think that the system is working as it's supposed to because I assume that if they false start, they're not getting charged for going through a full assessment and having to go get charged for a second assessment after you fail within the first hour. Right?
B
Yeah, yeah, no, yeah, you're right. We simply don't even put them on our calendar. We don't think that they're ready. And at that point it's like, sorry guys, you're not ready for an assessment, come back and see us in six months.
A
Now did you see any? Did you? So like when the phased rollout started and everybody was talking about C3PAO backlogs increasing dramatically. But then everybody started seeing all these false start rates. Did you see that the backlog was not as accurate? Like it wasn't actually as bad as it seemed because a bunch of companies just would false start and fall out of the queue.
B
Yeah, yep, yep, agreed. Yeah, we would see that all the time.
A
Yeah. I mean do you expect moving forward that like, so let's say if you're booked out until November, but 30% of your companies false start, just say, then you know the queue until November there would. It's like trying to get a dental appointment. You're like we can't see you until August, so call and see if there's any cancellations. Like there's going to be some false starts so maybe you can get fit in. Right?
B
Yeah, yeah. And we've also had two, like, part of like that is like the adverse determination of assessment readiness, or we've even had organizations say, hey, we booked out with you in June and as we're approaching June we know we're not going to be ready. Can we reschedule that now? Right, that now kind of helps with flexibility with allowing folks to kind of move up and move around.
A
Gotcha.
C
Just kind of the booked out, and Jacob, I'll turn back over to you in a second. But you say you're booked out until November, right. Right now you're not booked out with one assessment team. How many assessment teams do you have?
B
No, I think we have eight assessment teams right now with two more assessment teams pending clearing.
A
But Fernando, LinkedIn told me there's only 90 C3PAOs. What do you mean that a single C3PAO can have multiple assessment teams? Is this breaking news for the people of LinkedIn? Absolutely.
B
Like, and on top of that, if we needed to, we also have some 1099 CCAs that we could leverage. But I think at the moment with eight assessment teams as well as two more on the way, hopefully soon with this ISACA transition we might be able to add two more assessment teams to open up some availability for the later part of this year.
C
Still the constraint is the lead CCAs.
A
Right?
C
You have to have a lead CCA. So if we have 462, no matter what, we cannot output more than 462 a week. Well, we could.
A
Are you able, I don't know if this information is too business sensitive. Are you able to say like roughly what your assessment capacity is per month with eight teams? Like is that, we're at
B
15 to 18 assessments per month that we're conducting at this rate.
A
Gotcha. It's really interesting.
C
That's very interesting actually.
A
It's very interesting. So I'm going to be coming in hot on LinkedIn with that stat. Okay, so let's get back to this. So we talk about people who false start. We talk about people who didn't fail at this point. So when you first start talking to these companies, are there some like immediate green flags where you're like, these guys are solid. We know they're going to be set up for success. Like, obviously you're not making a determination that they're going to pass, but is it like you can just sort of tell right away that these guys know what they're doing and this is going to be a fun experience for everyone?
B
Yeah. So usually we see well written, documented SSP statements. I get that we're not supposed to be evaluating anything at this point, but it's like one of those things. Right. Like I can't unsee it once I see it.
A
Right.
B
So it's one. So if they're able to, like at a high level, I'm just looking at it and I just read a sentence and it's explaining every assessment objective as detailed and as on the spot as possible. That kind of paints that story for the assessor. That's like the best piece of advice that I can provide to anyone out there: make sure you write your SSP at a very detailed level. Another green flag that we see is if they're using an external service provider, that they have a very well defined customer responsibility matrix that demonstrates who's responsible for what for each control. And then of course, right, just having worked in the space for so long, just those certified Level 2 MSPs or the use of consultants, although they're not required to be certified, we've noticed that certified MSPs tend to perform better in preparing their clients for a CMMC assessment. Right. Because they've had to eat the same dog food that their customers are going to be eating. So that kind of helps with that assessment experience for their customers.
A
Yeah, yeah, it makes sense.
C
Yeah. Keep that same energy, Fernando, and I want to kind of flip it a little bit. Right. He asked for the green flags; what are the red flags? You're getting into the framing, you're getting into the phase one and you start seeing things and you're like, man, this is going to be a long week.
B
Yeah. Kind of like what I mentioned earlier. Right. SSPs not being completed, implementation, right, not using 171A. So I'll usually see the, you know, the NIST gets them every time, SSP document and it'll just be implemented. They'll just put a check mark on it and they'll say we've implemented this. I'm like, that's not going to get you very far.
A
Nice, nice. Well, so let's go with this then. So they get through phase one of the assessment and everything seems like it's humming along. Are there particular types of environments or architectures that take a little bit longer or are tougher? Like is it faster if it's completely in house versus having a third party service provider? Like, you know, is there any sort of differentiation there or is it all just a question of preparation?
B
Yeah. So manufacturing environments I've seen seem to have the hardest time with implementing the requirements. A lot of it is due to like the various locations. And then of course, dealing with things like operational technology, specialized assets. Right. It now starts to become a nightmare for like, you know, physical and logical segmentation.
A
Gotcha, Gotcha. Yeah.
C
So the different perspective that I want to offer here is for you assessing them, not the ones implementing them. For you assessing, which ones do you know are going to have to take more attention to detail, or you're gonna have to more carefully comb over? What environments pose that kind of opportunity for you?
B
Manufacturing environments. Right. From both an implementation and assessing standpoint, there's a lot more things to like, take a look at to make sure that things are documented and implemented correctly.
C
Good thing there's not a lot of manufacturing environments in the DIB, huh?
A
Okay, so shifting gears again here. Here I go again with my monthly pleading to the fine folks at DIBCAC. Just to remind you, putting out the most common requirements that people experience issues with does not create a security problem. And it raises awareness about common issues so that people can fix them, which actually helps security. DIBCAC. Hello. Please let us know the most commonly missed things in DIBCAC assessments. Short of that, Fernando, are there requirements from 171 that you see generally cause issues for the companies that do pass? So let's assume that we get through. We haven't just completely left stuff blank. We haven't done a false start, we passed. But there's still things that are sticking points or people struggle with or whatever. Like are there requirements like that that are like, oh yeah, this one always takes, you know, an extra cycle or two?
B
Not really. I mean, we've had to, and we'll probably discuss it here in a bit, but we've had to do a couple of significant change assessments that we could talk about.
A
Save the best one for last. Well, I mean, it's good to know. This is, you know, in line with what we've told people where it's like the CMMC assessment, not to minimize what the C3PAOs do, but the CMMC assessment is, as a function of your preparation, really just a formality because you know what questions are on the test. You get to pick the answers for the questions that are on the test. I mean, you can paint the assessors into a corner with the scoping and with the answers and with the documentation and with your service provider and all those things and put this thing really on rails as just a straight verification. So, you know, we've seen this again and again where it's like, if you make it through feasibility and you don't false start, you are very likely to pass your assessment. And if you're likely to pass your assessment, you're not likely to get tripped up on any given requirement, especially if you're working with somebody who knows what they're doing.
B
Yep, agreed.
C
I want to talk a little bit about maybe insights that you have into the organizations you assess and their plans for the benefits post assessment. Right. Are they doing this, you know, just basically because there's pressure coming from the primes and they want to keep them happy? Are they doing this to gain more business? Or, and more importantly, like, when you're in discussion with them and maybe you're trying to say, hey, what are you in this for? Are they saying, I want to do this because my competition is or is not doing it and I want to remain competitive or get a competitive advantage over them?
B
Yeah. So I'm noticing more of the customers are doing this because they're being pushed by a prime, but at the same exact time, they're also winning work out of it. So we had one customer from our JSVA days. They were given an award by a large prime contractor for being one of the suppliers of the year, which led to more work for them. And I think, I know recently you had him on, Jacob, Bo Birdwell. Yeah, I know Elbit Systems of America is looking for certified companies to give work to because, like, they're trying to find folks to do that. So there's a lot of opportunities here for organizations that lean forward. Right. And then instead of, you know, entering what we like to call the five stages of grief, just get into acceptance, there's a lot of work to be had here.
A
Yeah, it's a lot more work trying to, you know, get waivers and special exceptions and extensions and all these things. It's just you're a lot easier to do business with. And that's the fundamental thing to remember when you're doing business with anybody is don't be hard to do business with.
B
Agreed. Yeah.
A
Alrighty. Fernando, here we are at the final question, the burning question, the simplest one for the end. What triggers a significant change?
B
All right, so this is, this is
C
a simplest one, kind of like a
B
landmine, but I'm going to try to navigate it as much as possible.
C
Good luck, bud.
B
The rule states that if you have a significant architectural or boundary change, you're going to trigger another assessment. And so some of the examples that they give you are things like expansions in networks or mergers and acquisitions. So for example, adding, right, I'll talk about some of the low hanging fruit. Adding a new cloud service provider for CUI. Right. That's probably going to trigger another assessment. Opening up other capabilities will open up another assessment. So let's say for example, you go through your initial assessment, you decide to block printing, block removable media, and then six months later you're like, you know what? We want to open up printing. Well, we didn't validate the physical protection, media protection control family, so now we have to come back and do a full blown assessment all over again. So those are just some examples that will trigger another assessment. But at the end of the day, the affirming official is the one that is going to determine what constitutes a significant change or not, since they're the ones that will be affirming that they're maintaining compliance throughout that three year life cycle. Right.
C
Can I, I just want to piggyback on that one thing that you just mentioned there. You said that you went through and evaluated the media protection. Right? So for instance, if an organization went through and they did met, not implemented, for a control where we have the ability to print but we're not printing and we've shut it off so you can't print. You evaluated that, you've certified that, then they want to add printing, you have to come back through and reevaluate those controls that you previously deemed were adequately, sufficiently implemented.
A
Right?
B
Correct. Yeah, but the thing is with this, with the way that it's written in the rule, there are no delta assessments.
C
Right.
B
If you open up capabilities that were initially deemed not applicable or were met because it was something that wasn't being done, and you open it up later, we have to go through a full-blown assessment all over again. And it's not enough to say as a small business, it's not enough to say, oh, we can pay for another assessment. With 103 C3PAOs and 118,000 companies that have got to get certified, you can imagine availability started to become an issue.
A
Yeah.
C
Yes. That was a, that's a tricky little like gotcha in there because I could get the assessment that says that I'm able to print because I pass all the MP stuff, but because just it's such, you know, the checkbox. Right. The evaluation of it. But it's not because I have printing in place.
A
Yeah, yeah. If you're planning on changing MSPs, do that before you do your assessment. Guys, don't, don't get an assessment and then change MSPs two weeks later. Like, that's just not a good recipe for success. That's pretty, pretty, it's a pretty big one. There's a lot of room in significant change for determinations and, you know, affirming official discretion and kind of gaming it, as people do with all things. But if you're just switching providers a month after your assessment, like, you're kind of shooting yourself in the foot whenever that happens, and there's, there's really not much that you can do about it. Alrighty. Fernando, you know, we flew through the, you know, the delta up to 100 assessments. Probably, you know, in a couple months you're going to be at 200 or 250. So we'll have to have you on the show again in the future. I mean, you guys are just ripping through these things, and especially in the lead-up to November, which apparently the primes say is their deadline, I'm sure we'll have you on again for some preparation. So if you guys are not following Fernando on LinkedIn, you're wrong. If you are not following Fernando at all the in-person events that he goes to, which is like every one of them, then you're also wrong. Friendliest guy in CMMC. Your CMMC assessor's favorite CMMC assessor.
C
Best dressed in the business.
A
Best dressed for sure in the business. So check him out, follow him, let us know if you have additional questions or comments. He's an easy guy to get a hold of. And Fernando, we'll see you at, we'll see you at number 200.
B
Yes, sir. Thank you.
A
Awesome, thanks.
C
See you next week. Sam.
Date: April 9, 2026
Host: Summit 7
Guest: Fernando Machado (Managing Principal at Cybersec Investments, master C3PAO, CMMC expert)
Notable Co-Host/Contributor: Jason
This episode provides a rare, data-driven look into the realities of CMMC Level 2 certification assessments, based on Fernando Machado’s experience overseeing 100 successful C3PAO assessments. The conversation covers assessment costs, timelines, company readiness, common pitfalls, assessment capacity, green/red flags, and advice for companies preparing for CMMC certification. The discussion is rich with practical insights, puncturing myths frequently encountered online about the CMMC ecosystem.
Fernando: “Most companies are between the 0 to 50 million in revenue... 0 to 200 employees... companies that used a consultant or a certified service provider accounted for 74%.” (01:52)
Insight: The composition reflects the broader Defense Industrial Base (DIB): small businesses, often with external support, and largely serving as subcontractors.
Fernando: “Costs start at around 30k and they go up from there... We could randomly select two sites at random and if those are good, we can say with reasonable assurance the others are good too.” (05:07)
Host A: “Fernando's not charging you $200,000. CMMC is not costing you $200,000. Sorry, I say it every week.” (07:01)
Fernando: “We tend to conduct small to medium size assessments... within about a week... The speed depends on how well prepared the customer is.” (07:39)
Fernando: “The biggest thing is the prime contractors are starting to push the supply chain to get certified.” (08:59)
Fernando: “We ourselves make up for 10% of the overall certificates issued in the ecosystem.” (11:23)
Fernando: “At the moment with eight assessment teams... 15 to 18 assessments per month.” (20:51)
Fernando: “I would probably say two or three [out of 10]… 30% false start rate, meaning these folks do not even get out of pre-assessment.” (12:22)
Fernando: “SSP was still in draft… improper scoping… the use of FedRAMP moderate equivalent solutions…” (12:22)
Fernando: “Well written, documented SSP statements… best piece of advice… write your SSP at a very detailed level.” (21:30)
Fernando: “Not using 171A… the NIST gets them every time… I’ll see SSP document, and it’ll just be implemented. They'll just put a check mark on it…” (22:58)
Fernando: “Manufacturing environments… hardest time with implementing… specialized assets… becomes a nightmare for physical and logical segmentation.” (23:53)
Fernando: “More of the customers are doing this because they're being pushed by a prime, but at the same exact time, they're also winning work out of it.” (27:34)
Fernando: “If you open up capabilities that was initially not applicable or was met because it wasn't being done and you open it up later, we have to go through a full blown assessment all over again.” (30:24)
On assessment cost myths:
Host A: "Fernando's not charging you $200,000. CMMC is not costing you $200,000." (07:01)
On non-statistical sampling to reduce cost:
Fernando: "We could select two sites at random. If those sites are good, we can say with reasonable assurance that the others are good to go as well." (05:07)
On readiness and company failures:
Host A: "Clearly a hundred thousand companies aren't ready... just not the case." (13:30)
Fernando: "It's insane... some folks fail to continue to keep using 800-171A." (13:26)
On incentives:
Fernando: “Instead of entering what we like to call the five stages of grief and just get into acceptance, there’s a lot of work to be had here.” (28:17)
On “significant change” gotchas:
Fernando: “There are no delta assessments... If you open up capabilities... we have to go through a full blown assessment all over again.” (30:24)
On making life easier for primes and assessors:
Host A: "Don't be hard to do business with." (28:17)
Conversational, practical, at times cheeky, grounded in data-driven reality, and slightly irreverent toward common industry myths.
For listeners and practitioners aiming for CMMC Level 2: leverage certified MSPs/consultants, start early, and take scoping seriously. Avoid false starts by ensuring all documentation and boundary work is complete; there is more assessment capacity than you may think, especially for those truly ready.
[End of Summary]