A
Guess what, Joy? We're back. We're back. We are back. It is you and me, and we are going to talk to Cyber AB Town Hall. More specifically, what's happening in the ecosystem. The things that everybody needs to know. And they've been busy since last month, Joy. And I feel like I haven't seen you since last month. Last month. What have you been up to?
B
Well, I'm in our office now. I got all moved in, settled into Tennessee.
A
Okay.
B
I do want to say, when Matt Travis opened the town hall last night, he was funny. He always. It cracks me up. He was so funny about, you know, wanted to spend 85 minutes for the State of the Union address and, and. But he didn't have his jacket, so.
A
He didn't have the jacket. So funny. As somebody that likes to, like, layer the jokes in with current events, I appreciate that. The opening where you, you throw out the funny. The dad jokes as it is. And so I 100% appreciate it. Maybe we're rubbing off, maybe we're not. He didn't just have jokes, though, Joy. Actually, everything else that he had to say wasn't technically funny. It was actually really good news. He was the good news fairy in, in this month's town hall. And it started with, like, a bit of good news that I know. This week I learned, uh, that everybody else probably should know. And it has to do with Tier 3 background checks. Now, we know that the delays sometimes can be a bit cumbersome for a lot of people. Takes a lot longer, me especially, but I did not know up until now. The only thing that I thought was after six months, then you can reach out to the people that they've listed and you can ask them, hey, what's going on with my status for my Tier 3. But if you are an organization that has an FSO (facility security officer), did you know that if you have submitted a Tier 3 background check, you can actually reach out to that person and say, hey, can you see what's going on with this? It's taking a little bit longer than I think it should. Did you know that?
B
I didn't. And that's awesome because I think a lot of folks in this ecosystem actually are organizations that have an FSO.
A
Yeah. So it's like something that's already, for the most part, readily available. Now, I don't know how that works. Maybe if you have an outsourced FSO, if that agreement goes there, obviously there's the variables and the wrinkles that go into things, but just to have another avenue for people to reach out for a process that does take right now a little bit longer than usual, although improving and getting better. I think that that's a great start. So that was the first bit of good news that he delivered to us in this month's meeting. So this one, not necessarily great news, good news, but significant changes, obviously a topic, a hot topic of discussion, who can determine it or what can we do from, you know, the significant changes, what to do if there is a significant change. And so he just wanted to say first and foremost that there is formal guidance that's in the works, right? In the background. We know the Department of War and we. He said specifically the C3PAO subcommittees, the advisory subcommittees that they formed. There may be some discussions on the back end about how significant change is being handled and at some point there's going to be some formal guidance issued. But he wanted to point people back to the formal guidance that already exists, right? And so that formal guidance obviously was to refer to the rule and to the 32 CFR rule and to page 9 of the CMMC Level 2 Scoping Guide that basically can a look essentially at kind of the basis of what it says. And then, you know, in the preamble of 32 CFR Part 170, it addresses significant changes specifically and it says if an OSA makes significant changes within the CMMC assessment scope, a new assessment and affirmation are required. Case in point, you make a change to something that's been certified, we're gonna have to certify that again to make sure it's good enough to hold CUI. And everybody's like, well, what's a change? Right? So then it goes into there. 
The required assessment frequency is every, you know, for organizations, every three years, they have to get a new CMMC assessment. Every year the affirming official has to affirm. And when changes occur within the CMMC assessment scope, that invalidates that system, invalidates that boundary. So on page 9 of the CMMC Level 2 Scoping Guide, every CMMC ecosystem participant, every assessor has to know this pretty, pretty well, says a new assessment is required if there's a significant architectural or boundary change to the previous CMMC assessment scope. That's how it reads today, apparently. Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Huge parts, questions that we answer all the time. Operational changes within a CMMC assessment scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP, do not require a new assessment, but rather may be covered by annual affirmation to continuing compliance with requirements. So that's a lot of words. Essentially significant changes to your architectural, to your architecture, the things that are within your architecture or to the boundary of your architecture, where it goes, how big your yard is, right. What's within your yard or what's how big the yard is going to be. You want to purchase more land, right. And if you purchase another organization that's going to constitute the significant change. So adding or subtracting resources like endpoints and things of that nature within the existing assessment boundary. So if it's in your SSP called out that way, it's a one for one switch. We're saying that's not a significant change. Am I understanding that correctly, Joy?
B
I would interpret it that way, but I think that's the problem is that there's so much room for interpretation on these.
A
Yeah, well, I mean it is fairly open ended. I think that that's the reason why we need additional guidance on the significant change. Because right here we're saying, I don't know what you guys are reading, but based off of what I'm reading in the SSP, if we're making the one for one change and let's use the example that I like to use, we want to switch from brand A logging and monitoring tool to brand B logging and monitoring tool within the SSP. The only thing technically that changes is the brand in which you use. Right. Or the details in which, how that goes, what cloud it goes to, et cetera, et cetera. That is a one for one change within the SSP, not a significant. And it's within the boundary that does not constitute significant change. Would you agree?
B
I would agree.
A
Okay. Now let's say that within that SSP that I say that Jason is managing said tool. Okay. It says logging and monitoring, or as an MSP. And then all of a sudden I've decided that the people that deliver that management of that tool, but I'm using the same tool, the people that deliver that management. Would you consider that a significant change and needs to be reassessed?
B
I think it depends. Like there should be a shared responsibility matrix that has been tied to that. Right. And I would say how many other controls are going to be impacted by replacing J with a different firm and what their shared responsibility matrix are now? Are you going to leverage only the exact same capabilities from the new provider or you know, are they going to cover 90% where Jason only covered 20%? That's, that's where I would try to understand. But Still, I don't if it's the exact same tool. Yeah, right.
A
Clear as mud. Right. So for me personally, I believe as though if the intent and the delivery is exact same and you can match it one for one again, the affirming official can come in and say we have this capability within this boundary, the delivery methods coming in the same manner. Now what if we change the provider, change the tool, change the delivery method? Joy, within that SSP, we're still accomplishing the same controls, but the story that we're telling to do it is completely different than what's been certified.
B
Yeah. That's where for me you start to have to really understand what kind of risk is that presenting to the organization because that's where significant change is going to have to balance on is what level of risk is being introduced by the changes.
A
So the first two examples we listed there was adequate and sufficient evidence that the implementation that was presented for certification has now been represented. Right. The evidence has been represented that this task is being done by this person in this process, in this manner, as detailed within our policies and procedures, whatever it may be. What happens is, is that there's nothing that has proved that this new tool or this new provider, there's nothing that has the backing that says that that method that you are exercising now to protect the CUI is adequate and sufficient implementation. Therefore, I do also believe that that is what a significant change triggers and that you have to go there. Good thing is based on the Cyber AB town hall, more detail. You're not just going to have to have two talking heads here or everybody else on social media giving their interpretation. There's layers to this. Documentation is important. Documentation matters obviously all the time. But more significant change details are coming forward based from subcommittees, based from the DoW.
B
That one thing I thought was interesting when he said that you can ask the C3PAO for what, how they would view it, but that is not the final word. You can't actually hang your hat on that. And you know, if something comes back later, say, oh, well, the C3PAO told me so, you know, it's really up to that affirming official for the organization that they're the one who in the end of the day, what their call is, is where the, where the final accountability lies.
A
Yeah, it's not. So if you could consult with somebody, hey, I know a C3PAO. I know an assessor. Do you think that or the C3PAO that performed your assessment is actually the example in which they used. You can reach out to them and think, does this constitute ask, you know, does this constitute that you're asking their opinion? That opinion is not binding. Responsibility still lies on you as the organization seeking certification or as the organization doing business with the DoW. That's a good point. I almost missed that. That is huge because people are just thinking. One of the other questions is not just what is significant change, but kind of what do I do? Do I call the C3PAO? If I call a C3PAO and say, hey, do you think I need a new assessment based on the business model? I would think, you know, we would think that conscience would take over and morals would prevail, but I don't know if that's necessarily widespread. So some other significant changes within the Cyber AB, but more so significant when it comes to staffing. Right. Obviously we knew with ISACA coming in and assuming the duties of the CAICO, there were some people that we were familiar with that we got to interact with throughout the years, obviously and the roles that we hold within the ecosystem that are going to now assume new roles, you know, people were kind of worried about what's going to happen to these people. Well, they're going to go to new roles and probably excel in those new roles. And that's Kelly Atwood and Mike Snyder. Both of them worked, you know, kind of in the accreditation in the, the CAICO part. But Kelly's going to move over to the accreditation division of the Cyber AB helping with accreditation of C3PAOs and, and, and whatnot. And I didn't quite pick up Mike Snyder's new role. All I got from it was the gist is, is that he's outward facing in ecosystem relations, reaching out, coordinating things like those practitioner soirees or the practitioner get together. 
Soiree is a terrible word for. It indicates that everybody's showing up in limos, in tuxes, but, but a big fancy webinar where all the practitioners come and they talk about the ecosystem.
B
So those people, I think, you know, what I would love is to see Mike Snyder, if it's outward facing his role, I would love to see him doing like workshops for implementation. And you know, I think he's the one that designed the RPA. And so if on the implementer side he was to get more involved in that, maybe not the certification aspect of it, but workshops and just really making that hands on, I think that would be valuable.
A
I, I could see a part where like the plan of evolution for the Cyber AB is eventually moving into things like that. Because as we see as the program's gone live, as the shift over into ISACA and things of that nature, you see them taking on more responsibilities, doing more things, hiring more people, bringing more people into the fold, assuming a larger organizational structure. So again, you know, a few months into the program, a few months into the program being live, 100% could see that in the future. But good to see those people slide over into other roles and continue to make an impact for the Cyber AB. Talk about impact, I guess to the ecosystem, the state of the ecosystem. Our favorite part of the show every single month, what's been happening and I think the biggest what's been happening and the, the thing that that was detailed to us the most is 150 assessments. Matt Travis's words. 150 assessments plus completed this month or have taken place, started in progress. All of that. Right. We are 150 more assessments new. And the state of the ecosystem, the growth in a nutshell can be assigned as assessments are going up, assessors are going up, CCPs are going up, some APPs and ATPs, those numbers going down. Maybe some impact from the ISACA takeover. Obviously no communication coming there, although communication to the credentialed roles, but steady growth in all areas. Realistically, Joy, except for that negative growth that I just mentioned, anything in particular that stood out to you?
B
Yeah, you know, I thought it was interesting that we, we still are having an increase of RPOs, but the RPs themselves, that the certificate of the registered practitioner seems to be pretty level. I don't know that that's really growing in, in my mind that's not a bad thing because we're seeing such growth in the CCPs and the CCAs. And in my mind those credentials, those actual certifications for the CCP and CCA are more valuable in the ecosystem than the RP. I said it out loud again. But what's interesting is that the RPOs themselves are growing. And I think that might be a sign that the RPOs are bringing in C as opposed to just RPs to help them with the implementation and consulting side. So if I had to read the tea leaves, I would say that that might be a direction that we keep heading unless they add value in what is taught in the RP.
A
So my tea leaves read a little bit different and my tea leaves were the registered practitioner organizations are growing because of the international presence of the program. Right. So we are seeing more RPOs developed in countries like South Korea, in countries, you know, like Canada, things of that nature. So that's what I thought. So I, I didn't even consider that perspective. It is a great perspective that you offered there. And then naively, I'm more naive than the average bear. I would like to think that the reason why the RP and RPAs are kind of in this kind of just treading water phase is because people are getting those RP designations as an entry level into it and then taking the next step and going to CCP. So those RPs are now becoming CCPs. I don't know how that affects the math. Naively, that's what I want to think is happening. But I think the international or the RP growth, the RPO organizational growth, definitely something to do with the international involvement as we see. I mean, last month when we talked about this, there was countries coming into the fold, never been in the mix before. And obviously as people come into the fold, the first line they go to is probably that Cyber AB recommended RPO be a part of the ecosystem, etc. The ATPs and APPs, I mean,
B
I don't know, I think the transition over to CAICO or from CAICO over to ISACA is why those ATPs are struggling. They really need to understand where they sit in the ISACA world. And I saw just in the Q and A, one of the people I know who's involved as an ATP and APP saying when is CAICO going to reach out to us? Which isn't good. It's been a little while since that announcement and you think that they would be communicating with them. So that's likely why it's declined a bit. And I'm wondering, once Kate, once the ISACA folks are established with the training providers and, and really start to give them guidance on what that's going to look like, maybe it will grow again. I don't know. We'll see.
A
Yeah, maybe just people just hesitant to renew whatever fees, maybe they have to do whatever process just because of the lack of clarity there. I mean, we are a month away from that transition. Those ATPs and APPs realistically should play a key role in that, especially with the updates that need to happen. We know that that training content is, is now definitely well behind. So there has to be an update that takes place there. That communication definitely should be like one of those things that's happening. I can understand the decline. You don't want to see it unless there's a plan in place. Just to be like, hey, what I will say is that, and maybe we can just touch on that now is that you know, the one of the things that was covered was in the CAICO Corner was the ISACA takeover. We'll just blend those together and then we'll go back to ethics. Right. But that CAICO Corner, you know, some of the things that were communicated in there is like no changes that, you know, that move on, proceed as usual if you wanted to get the test and things like that. So that communication of no changes, maybe that is a direct communication is just because we didn't reach out to you specially, we reached out to the ecosystem as a whole and we said there are no changes, basically stick to the plans now until further instructed. Would you think that that is a.
B
I was trying to understand what the exam thing. I think what maybe they're referring to on April 1 is that the cutover to the exam centers that are through ISACA versus the exam centers that have been available. But it doesn't have to do with the exam content itself because that's not changing. The exam content can't change until they update the curricula.
A
So yeah, so maybe that's it is that basically it's the only thing that's changing is on the. The name on the building. Right? Like essentially right. You're no longer finding this testing location. You're going to one of these more readily available testing locations, one of these ones that are associated with our brand to get your testing done. But all of the rest of the process is the same stuff that you have to do. So maybe that communication people are just like, I understand the need because of the position that you hold within this whole scheme of things to be like, you should directly reach out to me. This is a direct relationship with us. Maybe the instructor's the same thing. I just got the normal ecosystem communication. I didn't get a direct instructor thing. I'm supposed to be teaching this pre- and post-April 1st. So yeah, I still think that there's still stuff there. I will say though I will. With this entire transition, I do appreciate the communication of at least some set of instructions as to this is the way things are going to go in my mind. It's clear to me that nothing's changing between now and April 1st and post April 1st, a new plan. You know, it's not like here comes April 1st all of a sudden, hard change, ISACA takes over. Everybody get used to a new norm. It's no, it's just you're going to a different website, going through a different process is what it seems like to me. We. We want to do, I guess one last thing here and touch on the ethics. Right. Ethics has always been the hot button topic for us and usually it's super controversial. And I, I still think that this may be a bit controversial because a lot of the conversations in which come up with regards to what can a C3PAO do, especially when it comes to mock assessments. What is a mock assessment? What constitutes a mock assessment versus gap analysis? 
The Ethics Corner this month was important because there is in the Code of Professional Conduct and conflicts of interest, the organization that performs the for-record certification assessment, the C3PAO assessment. They can perform mock assessments, but there's rules that they have to adhere to that make sure that they don't break any, any of the, I guess, requirements, regulations that they have to adhere to in their position. Joy, what is the difference between a mock assessment and a regular assessment done by a C3PAO?
B
Well, a mock assessment, first of all, you can't contract with the C3PAO and then think, well, you know, agree, well, we're not quite sure if we're ready, let's just call it a mock assessment. And then at the end, if we actually passed it all, let's have it be the assessment of record. Like, you can't switch and decide which you have to. The contract has to clearly state at the outset if it's a mock. The C3PAO organization is allowed to say met or not met, and they can say whether the evidence presented was adequate or sufficient. But they can't give any consulting advice on how to bridge any gaps there. If there's something that's not met, right, and at the end of it, they can deliver that report, but they can't upload anything into SPRS or eMASS to say whether or not it was a pass or a fail. It's not a for-record assessment in that regard.
A
That is a great explanation there, Joy. And one thing that you pointed out there at the beginning was that if you go into a mock assessment and you're doing extremely well, you just can't look at your C3PAO and you can't say, hey, I want this to be official. Once it's a mock assessment, no matter what, no matter how well you do, it cannot turn into a legally binding certification assessment. However, what we did learn was if you go into a C3PAO assessment with a C3PAO and we get into phase one and they hit you with the old false start, you can then turn that into a mock assessment. However, that mock assessment, yes, you can, cannot get consulting on it. So it would just be like, we're going to continue with this process because we've already paid for it. Let's get the mock out of the way. Can you tell me what I've met, what I haven't met so I can go through and remediate it? Because at that point in time, the only thing that you're being told in that point in the phase of the assessment process is that your documentation is up to snuff, nothing about the implementations. Might as well go through it now. Obviously, if the documentation isn't very good, probably the implementations aren't going to be very good. But you've already gone through that. I don't necessarily know why anybody would be like, I paid this money for the cert, the C3PAO assessment. We're not doing well. Let's just go through the motions. Anyway, I would go, I don't know, like I could see. I just, I guess depending on how confident in your ability. Right. Like after that fact or whatever, like to go back and hey, let's pause it, let me get my stuff together and then we'll pick this back up. Because that is an option if you're false started. But it's a transition.
B
I just think the important thing is that in phase one, that's where the decision has to be made. You know, does it look like it's not going to be a pass if they continue forward and do we convert that to a mock assessment? But you can't all of a sudden make that conversion to a mock assessment in phase two and say it looks like we're going to fail. So let's turn this into a mock assessment. You know, at that point you may as well move forward and finish the assessment and see how you did. But that's a for-record assessment and you know, hopefully you can POA&M and get a conditional award, but it may be that you just fail the assessment. I've heard actually that there's a lot of that happening also. And you know, it's no coincidence. Do you think that they brought this up as the topic this month for ethics? Because I think that there's maybe some organizations out there playing a little loosey goosey with the rules as to where, where does it turn into a mock assessment versus a for-record assessment and you know, trying to maybe game the system a little bit.
A
Yeah. But I suspect, I feel like it's for the fact that they're like nobody would ever think that we're going to do this and then we're doing it or again, getting too comfortable within the standard. I, I don't know how to necessarily explain this. Cautiously is the best way. Maybe it's best for me to steer away from it. Simply put, did you do this right? Did you not do this right for this control? Yes. No, that's a mock assessment. No, you didn't do this right because you didn't implement your Microsoft 365 role based access controls correctly. That is a gap analysis that's considered consulting, not very thorough consulting. I'm just trying to be general here for the purposes of the show and to be brief. So, yeah, whatever you choose to do is obviously there. I do recommend, and we met with Birdwell from Elbit Systems who recommends to every single person in supply chain and said that it helped his experience to get a mock assessment. I do think it's extremely important for you to know where you stand before you're sitting in front of the people that make the decision. But if you do sit there, you don't do the mock assessment first. You go into a C3PAO assessment, there's a way for you to bail out. All right, Joy. And before we get out of here, one of the things that we haven't covered that they covered on the, the town hall this month was the changes, the revolutionary FAR overhaul, the changes to DFARS, the exclusion, the Cyber AB had Reagan Eddins join the town hall this month to explain those changes in 15 minutes, which I think is nearly impossible given the breadth of information in which has to be covered and the detail to go in there and the explanation. With that being said, I do recommend that everybody, first of all, what are your thoughts on the, the, the DFARS changes, the segment in the show as far as the town hall, what are your thoughts with regards to it?
B
It's very hard on a town hall. I mean, that is really complex information. I do think that in the 33 minutes that I heard you and Jacob Horne cover what those changes were on the Summit up podcast, it seemed very straightforward. And so I believe that in the short amount of time that he was given on the town hall, it almost felt like it was just not going to be tying it together well enough. So that's, we saw some comments about that that was like, oh, it felt clear as mud. But it's a topic that can be very convoluted. So I'm glad that they're going to have sounded like in between the town hall they might have other segments where other people can come on and also talk about, you know, what these changes what the impact is going to be to the defense industrial base. And so it'll be good to see some follow up information shared.
A
Yeah, 39 class deviations that you have to explain in 15 minutes. It's not an easy thing to do. So, you know, props to the AB for having the segment to have that explanation on there. Anybody that needs deeper, thorough explanation, obviously we'll reference our link in the comments of this episode for our episode that we did on it. And then obviously we always link the Cyber AB town hall for people to go back and re watch to get all that information. Watch all of it, absorb it all. Like subscribe, tell all your friends. We'll see you next week, folks.
B
Thanks, Jason.
A
Sam.
Date: February 26, 2026
Hosts: Summit 7 (A: Jason, B: Joy)
In this episode, Jason and Joy recap the latest Cyber AB Town Hall, breaking down the most important news and updates relevant to the CMMC ecosystem. They cover new insights on Tier 3 background checks, significant change guidance in CMMC assessments, recent staffing changes within the Cyber AB, up-to-date statistics on assessments and credentials, the ongoing ISACA transition, ethics in assessments, and a substantial segment on the recent DFARS/FAR changes impacting the defense industrial base.
This episode provides a comprehensive yet approachable summary of fast-moving developments at the CMMC Cyber AB, direct from the monthly Town Hall. Jason and Joy balance insight with clarity, surfacing both guidance and ongoing ambiguities, as well as offering immediate advice for organizations navigating CMMC, DFARS, and NIST standards.
Recommended actions for listeners: