A
Folks, it is June. It is hotter than a rat in a sock in the middle of a microwave. I don't even know what I just did there. It is over 100 degrees outside. Obviously my brain's not working. But we're going to put our brains together because the town hall happened, Joy. And we're going to talk about it on this week's show.
B
Yeah, let's do it.
A
So first and foremost, I think that the one thing that we always get into, Joy, is the CEO welcome and update and to kind of just, I guess, you know, lead it off. Like, obviously there are some growing geopolitical tensions that are taking place, and some of the countries in which those tensions kind of are taking place with, right, they have some pretty good cyber capabilities. And so, you know, Matt Travis led off the town hall by basically telling everybody that age-old "shields up," get ready. Make sure that you're ever vigilant, make sure that you're just noticing: you see something, you say something. And so we're just going to do the same thing and we're going to say, shields up, guys, just prepare yourself. I don't know why you would ever take the shield down, but right, if you have, just raise, raise back up for us. Okay.
B
Really, it is the why behind CMMC. You know, we're protecting the warfighter. We're making sure in the end that all of our sensitive data is protected the way it should be. So I, I love that he started it that way. I'd like to see every town hall start with shields up.
A
Well, I, I think it should go without saying. Right. But with that being said, you know, I'm glad that we just kind of, hey, here's a reminder in case it started to slip, because we know that sometimes, you know, people get lackadaisical once they get comfortable and things like that. So let's just make sure that we remain vigilant. Some news on the front of comings and goings within the Department of Defense, and specifically within positions that affect the CMMC program. Specifically, and you know, a huge congratulations to the Honorable Michael P. Duffy, who was confirmed as the Under Secretary of Defense for Acquisition and Sustainment. Right, Joy, exactly. And so a couple things that are kind of relevant here with the CMMC program is that, you know, that position specifically is responsible for the rulemaking process for 48 CFR, which is the final piece to the puzzle before we start seeing CMMC in contracts that come from the DoD. And I say contracts that come from the DoD because we all know that your maybe prime contractor that you work for as a subcontractor somewhere within their supply chain may have already levied or may have already started pushing towards you getting CMMC certified so they can prepare their supply chain a little bit better before the DoD is asking them to, you know, have their ducks in a row. Right. So obviously Michael Duffy comes in, you know, the Honorable Michael Duffy comes in with extensive experience with OMB and with the DoD. So it's not like there's going to be this refamiliarization process with everything that goes on as far as the rulemaking or as maybe the programs go. So hopefully what we still, actually, Matt Travis is very confident that we are still on the same timeline and that we should be expecting. And I say into summer, I've said it's the summer of CMMC for three years. I'm just going to keep saying it until it sticks, but I kind of feel like that that's what this is.
We are in that summer where 32 is done, everybody's getting those 32 preparations done, and then 48 is going to come. So I said, I plan vacation for Labor Day. So if, if the gods align correctly, more than likely the day before the day I go on vacation. We know that those Fridays before holidays seem to be very popular for this particular agency. So I'm going to go with Labor Day, the Friday before Labor Day. That's a bold statement. It's a bold strategy. We'll see if it pays off.
B
I'm going over on that one. I'm going to say the end of September, beginning of October, but we have a new quarterback, so you never know.
A
I like it. I like the quarterback pool. Way to go there. Yeah. And it's good that the backup knows the system right, knows all the plays already so that we don't have to get used to the new playbook. I love it. I love, I didn't, didn't think that we were going to go on that particular analogy.
B
Only sports analogy you'll ever hear out of me.
A
It was a good one. You nailed it. Absolutely crushed it. So the ecosystem update, this is something that we are very attentive to. We'd like to see, you know, exactly how things are going, how we're progressing along as the ecosystem is being built, the rankings of professionals, as far as how many there are, what's the interest in people coming in to participate in this ecosystem? So we got that update this month and I wanted to do something that we normally don't do. And I want to do a comparison from where we were last month, where we are this month, just to see, you know, are we just spitting out numbers? It could be. We just regurgitate numbers constantly, but let's just see, you know, what's going on here. So last month, last month there were 70 authorized C3PAOs, and number 71 was in the hopper going through the final stages that week of the town hall. As of this month, drum roll: 74. 74. He said 73 are authorized, and 74 is almost done. Realistically, by the time this airs and realistically by the time people listen to this episode of the podcast, we'll have 74. So you got four in a month, one a week. Now 52 weeks in a year, you can get 52 if that's the rate that we're going. So I just feel like that it's not stale, but it's progressing just enough because there's processes on the back end that have to take place for these organizations to go through. But as long as it's slowly, or as long as it's just continuously improving, I'm fine with that. No matter how slow or how fast it is.
B
Yeah, well, considering that we were at 70 and now 74, I feel like that's actually some good steady progress for them.
A
Okay. Last month, Joy. Yeah, there were roughly 115 CMMC level 2 certifications issued.
B
This is a big number increase then.
A
Okay, so you already know that I was gonna, I was gonna make you guys go, let's play a game. But you already know that's a weird game for us to play with you already knowing the number. So 168 are done. There's 168 done. So fifth, we know how math goes with, with us on the show together. I, I pre-did this math. 53 assessments this month.
B
That's a lot here, right?
A
That's. That's 10 roughly. You know, 12 a week. 12 and a half a week. Right. Like a little bit more, A little bit less. Right. 13.
B
I. I think that it's going to keep growing exponentially. Now. I think we see 50 something this month. I think next month will be 60, 70, 80. It's going to go grow pretty quickly.
A
Well, yeah, so you always have that. The snowball at the top of the hill when it's starting, you know, very little. It's going to move slow. Right. But it's still moving and it's still growing. And as it gets bigger and weight and gravity and all those other things take into place, it starts going. I think we're in the weight and gravity phase because we have more C3PAOs firing on all cylinders. There's been more time for organizations to, to get prepared. There's, there's also been, and I kind of don't want to give light to this community, but there's also been an increase of now we're five months into 32 CFR, or now we're six months plus in the 32 CFR kind of being ready to go. Of the organizations that were kind of kicking the can, they have had time to kind of recoup or accelerate their efforts. So now you're seeing more of a push, more of an effort to go towards it. 53 in a month is crazy.
B
Well, you know what else, Jason? I mean, we're up to, I think 21 MSPs or ESPs that are not CSPs that have received their own CMMC Level 2 certification. And I have to think that that's going to help propel that number because as the MSPs themselves are getting certified, they're getting their customers ready and they're getting their customers in and through that door. I mean, I know that we've received an exponentially larger amount of our own customers saying, all right, we're ready, we want to go, and we've got the team for it. So there's a lot of MSPs that have really invested in this, and I think that's going to be one of those force multipliers because they can use that CMMC Level 2 certification not for inheritance, but to have a reduced level of effort on behalf of the assessor to get their customers through those assessments. It's very exciting.
A
Do you feel like that, that new motivation from those OSCs, especially in our case that we see, right, do you feel like that new motivation is because now the MSP has done it and they're like, well, set an example, I'm going to follow that lead? Or do you think it's more comfortable with doing it because the MSP has that demonstrated knowledge, or is it a combination of both?
B
A combination of both, but probably the latter. I mean, I think that the MSPs that have really invested in this to the point of getting their own certification, they're now really getting those processes down and being able to establish a cadence with their customers that makes really good sense so that they can help to scale this.
A
Yeah, I, I would agree with you.
B
Return on their investment as well, right?
A
Yeah. So 50. So you think about it, 53 in one month, actually, there was 115 in five months. Like that, you don't even have to go through and get granular into math to realize the, the progression and the momentum that's happening. Right. But let's get granular, not too granular, in some math and just talk about a couple things that have grown since last month. Certified assessors: we've gained 25 new certified assessors, and the ecosystem certified professionals has gone up by almost a hundred.
B
Nice.
A
That's insane. I, I love it, like you see it. You love to see it flow, flourishing now. RPO organizations have dropped by two. But they've dropped. Now, do you think that that's because a lot of those companies that are RPOs are now graduating to being C3PAOs? Because we're seeing more authorized C3PAOs coming, kind of like a both. Like I, I could see holding both. Or do you think it's just now more so people just not participating in the ecosystem through that channel?
B
It's hard to say.
A
I don't understand why two is not a drastic drop. Like if I like, you know what I mean? Like it.
B
But it's not growing. It's the thing which is interesting.
A
Well, but the C3PAOs are growing. The C3PAO applications decreased awaiting assessment. So there's more assessments that have been passed through DIBCAC assessments. There's less waiting assessments and there's more applicants in the C3PAO. And actually, if we realistically looked at the numbers, three new C3PAO applicants, two less RPOs registered. I don't know. I like, I know that there's things that tie into it. I'm not going to speculate because I don't think there's enough evidence here or enough of a trend. I think we all have our personal reservations as to why that may be happening. Whether it be a person got the badge for marketing purposes or a person just doesn't participate in the ecosystem, whatever it is, numbers down by two. Not a big deal. We're going to move on, and we're going to move on to something that we talked about on last week's show, or on last month's show, with regards to the CSP, not an ESP, opp. What are we doing here? Right. And so realistically you had a point and you were like, I don't think that that's technically right. Like, why would you have to have like a Microsoft or anything like that sit through the entire assessment? If they have FedRAMP, you know, they're FedRAMP Moderate authorized. And so there was that clarification there, right? We got the clarification essentially that, like, for somebody that, or for a FedRAMP authorized CSP like, you know, technically Microsoft, Google, AWS, all of those and any other FedRAMP authorized service that you intend to use, they don't have to send somebody as long as the body of evidence is presented and the SRM CRM is, is there, and that is the CRM SRM and body of evidence that was used to obtain that certificate application. Right. Now that's authorized. Now if you're a FedRAMP Moderate equivalent, you don't have FedRAMP Moderate equivalency or you don't have anything, you just have a bunch of papers that defend what you do.
You need to send somebody to the assessment on behalf of the OSC. That's, there's like, we can dig into it. We could say, well, if it's this, it's that. No, if you're FedRAMP authorized then it's a lot easier. You pass on the body of evidence which passed. If you're not FedRAMP authorized and you're the person of service, you need to intend as a service provider, external service provider. Now one of the services that you have to provide is assessment support.
B
Yeah, that's not going to be sustainable. I think we'll see how that plays out. Because can you imagine, I mean that's having someone available for 40 hours just because they use your service is a tough thing to accommodate on behalf of the vendor. So I'm not saying it's wrong. I actually, I understand why that's in place and I'm glad that there was clarification on it.
A
Yeah. Because the Moderate equivalency and things like, and, and not necessarily having the FedRAMP Moderate for whatever situation that takes place, that was an opening of the door for the people that couldn't get the authorization. Because we know the FedRAMP process, you know, it's a little bit.
B
Yeah.
A
Arduous. Right. And so one of the, the trade-offs there is you get this equivalency. You don't go through this arduous process. You just have to implement the controls. But on the back end, because of the CMMC program, this is what has to happen. That's from the DoD. That's the way the rule is written. That's what.
B
Yeah, it's actually more arduous, I think, to be FedRAMP equivalent because you, you get no risk acceptance from another agency.
A
Yeah, more arduous in the assessment part. For all your clients for the assessment. Less arduous in the, the preparation and going through, getting authorization, getting the sponsor, all of those things. Right. Like, so it's a trade-off. Right. It's still, there's some work to be done. It's, when do you want to do the work? Before, after? I don't know.
B
I, I don't think that, that I, the companies I know that have done FedRAMP Moderate equivalency, it's a tremendous amount more work than the FedRAMP ATO because they have to meet all of the controls. With the ATO process, you can have the agency accept some of the risk and not have to implement all of the controls necessarily.
A
Yeah, but I was talking about the process like finding the sponsor, getting somebody to latch on to you so that you.
B
Oh, that's true.
A
Yeah, yeah, that's.
B
That's so broken. And I'm glad that it's something that Katie's looking at fixing.
A
Yeah, yeah. All right, so just a quick touch right here on the CAGE code. Still some issues with CAGE codes. And the reason that we're still harping on it is because there's a lot of organizations that have successfully implemented NIST 800-171, CMMC Level 2, have successfully passed their certification assessment. But they can't get credit for it because there's an issue with the hierarchy and their CAGE codes and what it's supposed to be reporting to. I'm just going to offer up an overall generalized statement to the entirety of our audience, which is: check your CAGE codes, make sure that everything is spot on and follow the instructions that were given to you. You don't want to be like, yeah, I passed the assessment. And then they're like, we can't give you this contract because you didn't pass the assessment. It's not attached to the right CAGE code. And you're like, but it's attached to this one. Because I can tell you, I don't think that that's a, a quick send an email and within a day, that's a turnaround. That sounds like a lot of government agencies having to talk to one another to resolve a situation. And I, I've never seen that move very quickly. Yeah, yeah. All right. Ethics, we love ethics. This is one of our favorite parts of the show.
B
Don't be using our logo on your cartoon.
A
That's essentially it. Let's, let's do it. Let's just. We're not, we're not going to go. I'm going to read off the three bullet points, okay? You cannot, you cannot use logos and credentials if you do not earn them. Okay? No stolen CMMC valor here, okay? If you aren't an RP, if you aren't a C3PAO, if you aren't a PI, if you have not paid the cost, right? Or that's terrible terminology. Geez. If you haven't put in the work to obtain those, whichever ones that you have, you can't use them. You can't say that you have them. Case in point, I, I think that anybody with a conscience wouldn't do that. But obviously we're reading it because people are doing it, right? Do not attempt to be deceptive when obtaining permission. So this is tricky, right? Let's say that you know you're allowed to use those logos if you've earned them. You're allowed to use the CMMC logo and other logos attached to the program if you obtain permission from the Cyber AB, right, the people that own the logo. But you can't be deceptive in saying it. So you can't say, I want to, Joy, obtain your cool Cyber AB logo. Here's, in writing, giving me permission, because I want to use it in a newsletter that states that, you know, this is what's happening in CMMC events, right? And you get the permission, you have the written permission, and then you start plastering it on marketing materials and dishing it out. You don't have permission to do that. You didn't do that. You can't.
B
Yeah, I've heard some stories about some of the badges and, or credentials being shared out from third party companies that were making it seem as if the third party company themselves were credentialed. And I think that's what they're talking about here.
A
I, and you know me very well, I don't, I don't hold things back very easily. Two or three years ago I was at an industry event and, as I normally do at industry events, I am asking questions particular to the vertical in which I specialize, which is CMMC: what does your solution do for this? What does your solution do for that? And these people looked at me like I had a disease. I don't want anything to do with it. I don't, we don't, we don't deal with that. That's a joke, blah, blah, blah, I get it, that's cool. I'm gonna tell you, some of the best examples of what we're talking about right now have come from those same organizations. Now they want to hop into business. I mean, we're all about it. We're RPP, CPP, all that thing. We're like, bro, wasn't this nationalistic to you like 14 months ago? That's just me. I digress. All right, last one. Once you, well, it's kind of the same thing. Once you get permission to use the logos, you still have to adhere to the Code of Professional Conduct, whatever is stated as far as it goes with the Code of Professional Conduct, basically saying you can't use this to misrepresent yourself, you can't use this to overrepresent what you can do and things of that nature. And then the official DoD CMMC program logo. This is tricky. The one that says Cybersecurity Maturity Model Certification. Right, that one that represents the program, not to be used to represent a company's CMMC certification. So you can't say Summit 7 got CMMC certified and throw this logo up there. Totally different logo. You'll see it. And it's not to be used to represent an SPRS self-assessment. Like, I know, hold on. Look man, I'm all about giving flowers. I'm all about celebrating. If I in the wild see somebody, I'm all about good cybersecurity. Let me be clear about that. If I in the wild see somebody say we got a 76 self-assessed SPRS, in private, I'll give you a high five for being proactive and whatever. In public, don't do it. Please don't do it.
I don't know how I'd react. Like I, I don't know if I could control my face. Does that make sense?
B
I don't know why anybody would say publicly what their SPRS score is if it's.
A
Well, obviously they want to use the logo, Joy. Like, I mean it's, it's a snazzy logo.
B
It's just not making sense. I think whoever did that didn't have their coffee that morning.
A
And then before we jump into the, the questions and answers, I know that you had one in particular that we kind of wanted to have clarification on. I just want to touch on: there was an entire segment on the Cyber AB town hall with James Goepel from Fathom Cyber talking about CUI. James has written multiple books on CUI. I'm not going to sit here and go through a list of, this is the, the pinpoints. I'm going to tell you, if you have questions about what CUI is, et cetera, et cetera, that is one resource in which you can go to and, and obviously learn what you need to know.
B
Totally. I mean I, I think that James, both, both Jim and Ryan Bonner are the go-to experts for CUI. And every time I listen to one or both of them, I, I'm like, there's little nuggets that I pick up. As much as I think I know about CUI, it's its own world of like focused expertise. You know, it's kind of like someone described to me once when they were getting ready for the CISSP, that your knowledge of security is an inch thick and a mile wide is what you have to know. And I kind of feel like CMMC is the same thing. But if you want to get 10 inches deep into something, that is where you go to an expert in that specific area. And Jim and Ryan are both go-to people for that kind of knowledge.
A
I would agree. And you know, just basically because it was a 20 minute segment plus add ons in the Q and A where people were able to get specific questions. If there were one thing I would ask for you to watch, that would be it. Like watch the entirety of that. I could sit here and summarize the bullet points, but there are intricacies to the questions and the answers that were provided and intricacies into the information in which was provided that if I put bullet points I wouldn't be doing it justice.
B
There was a Q and A of mine that I submitted. Did you see that one?
A
I did not see that one.
B
Why is the Code of Professional Conduct not listed on the Cyber AB Marketplace? And the answer was, it is. So they hit it really well. Yes, it's there. I checked. If you go to cyberab.org, or just cyberab.org, resources, downloads, it's listed under one of the downloads now. So every time that Matt's pulling up, when he talks about ethics and he talks about this section of the Code of Professional Conduct, that is actually available for public viewing now. For years we actually haven't had access to that publicly being posted on the site. So they fixed it. I'm thrilled to see that.
A
We were both looking pretty thoroughly yesterday.
B
Huh?
A
We were both looking pretty thoroughly through that website yesterday.
B
But the thing is, that's important for the buyer to read and understand. Like the consumers, the actual DIB contractors, should also be reading the Code of Professional Conduct to understand what to expect from anyone in the ecosystem providing services to them.
A
I agree.
B
They know if they have a valid ethics complaint.
A
I agree. And especially conflict of interest. Still a lot of it lingering around. Tighten up folks, tighten up.
B
Good stuff. You know, we're making great strides, Jason. The, the whole ecosystem. I'm so proud of us.
A
I, I, yeah, I mean, is this the we, us like scenario when you're talking about, like, sports teams? Are we gonna get one of those sports analogies again? Yeah, us. I, I think us. I, I, I, I, I, I think the thing that blows me away the most is, is the 50 plus assessments. We were talking about how they were averaging one every other day, one every three days or something like that. And then they're like, oh, really? Bam. Hold my beer. Like. And so now this is where we're at. That is very impressive. It's impressive to see slow, gradual growth in every single, you know, area. And it was pretty nice to get through one town hall where there was no GAO reports or something like that that we had to talk about. So, hey, no drama, no nothing until next month. See you.
B
Thanks.
Host: Summit 7
Date: June 26, 2025
This episode focuses on a detailed recap of the June Cyber AB Town Hall, offering insights into the latest CMMC ecosystem updates, pivotal regulatory changes, industry trends, and guidance for organizations seeking or maintaining CMMC certification. The hosts, Jason and Joy, highlight the critical news, recent statistics, clarifications on assessment requirements, ongoing issues (such as CAGE code complications), ethical reminders, and references to key community resources. The conversation emphasizes the momentum building in the CMMC ecosystem and practical advice for stakeholders.
“Shields up, guys, just prepare yourself. I don't know why you would ever take the shield down, but right. If you have, just raise, raise back up for us, okay.”
— Jason [00:46]
“Matt Travis is very confident that we are still on the same timeline and that we should be expecting... the summer of CMMC.”
— Jason [03:13]
“We have a new quarterback, so you never know.”
— Joy [04:01]
“You got four in a month, one a week. Now 52 weeks in a year, you can get 52 if that's the rate that we're going.”
— Jason [05:14]
“53 in a month is crazy.”
— Jason [07:47]
“I think that's going to help propel that number because as the MSPs themselves are getting certified, they're getting their customers ready and they're getting their customers in and through that door.”
— Joy [08:17]
“No matter how slow or how fast it is [the growth], I’m fine with that.”
— Jason [05:57]
“If you're FedRAMP authorized, then it's a lot easier. You pass on the body of evidence which passed.”
— Jason [13:10]
“That's not going to be sustainable... having someone available for 40 hours just because they use your service is a tough thing to accommodate on behalf of the vendor.”
— Joy [13:20]
“Check your CAGE codes, make sure that everything is spot on and follow the instructions that were given to you.”
— Jason [15:27]
“Look man, I'm all about giving flowers. I'm all about celebrating. If I in the wild see somebody say we got a 76 self assessed SPRS in private, I'll give you a high five... in public. Don't do it. Please don't do it. I don't know how I'd react.”
— Jason [19:58]
"If you have questions about what CUI is, et cetera, et cetera, that is one resource in which you can go to and obviously learn what you need to know.”
— Jason [21:13]
“As much as I think I know about CUI... it's its own world of like focused expertise.”
— Joy [21:33]
“Every time that Matt's pulling up... that section of the Code of Professional Conduct... is actually available for public viewing.”
— Joy [22:42]
"No stolen CMMC valor here, okay? If you aren’t an RP, if you aren’t a C3PAO, if you aren’t a PI… you can't say that you have them."
— Jason [16:33]
“The consumers, the actual DIB contractors should also be reading the Code of Professional Conduct to understand what to expect...”
— Joy [23:31]
| Segment | Description | Timestamp |
|---------|-------------|-----------|
| CEO's "Shields Up" caution | Importance of vigilance in cybersecurity | [00:24] |
| Michael Duffy appointment & CMMC rulemaking timeline | Regulatory update and timing predictions | [02:00] – [04:09] |
| C3PAO & Level 2 certification metrics | Latest growth statistics; exponential pace | [04:30] – [08:00] |
| MSPs as accelerators | Impact of certified MSPs on clients' readiness | [08:07] – [09:43] |
| CSP/FedRAMP assessment clarifications | Assessment attendance requirements; operational impact | [12:40] – [15:08] |
| CAGE code warnings | Practical advice to ensure smooth certification credit | [15:20] – [16:29] |
| Ethics and logo use | Misconduct warnings and best practices | [16:29] – [20:44] |
| CUI expert recommendations | Reference to James Goepel; deep-dive resource | [20:49] – [22:10] |
| Code of Conduct public access | Where to find and why it's important | [22:36] – [23:31] |
The hosts maintain a conversational, approachable, and humor-infused tone, making technical topics accessible. They frequently use analogies (“snowball at the top of the hill”, “no stolen CMMC valor”), encourage community improvement, and underscore the gravity (and occasional absurdity) of compliance issues.
If you missed the episode, you’ll come away understanding:
The episode reflects the accelerating pace of CMMC adoption and continually stresses the need for vigilance, integrity, and professional rigor as the ecosystem matures.