Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: June Cyber AB TH Recap
Host: Summit 7
Date: June 26, 2025
Episode Overview
This episode focuses on a detailed recap of the June Cyber AB Town Hall, offering insights into the latest CMMC ecosystem updates, pivotal regulatory changes, industry trends, and guidance for organizations seeking or maintaining CMMC certification. The hosts, Jason and Joy, highlight the critical news, recent statistics, clarifications on assessment requirements, ongoing issues (such as CAGE code complications), ethical reminders, and references to key community resources. The conversation emphasizes the momentum building in the CMMC ecosystem and practical advice for stakeholders.
Key Discussion Points & Insights
1. Opening Remarks & Geopolitical Context
- Theme: The ongoing role of cybersecurity in national defense, especially amid global tensions.
- Main Insight: The Cyber AB CEO, Matt Travis, emphasized a “shields up” mentality, urging everyone to stay vigilant given the heightened threat environment from nation-state actors.
- Quote:
“Shields up, guys, just prepare yourself. I don't know why you would ever take the shield down, but right. If you have, just raise, raise back up for us, okay.”
— Jason [00:46]
2. Leadership & Rulemaking Developments
- Update: Michael P. Duffy confirmed as the new Under Secretary of Defense for Acquisition and Sustainment.
- Relevance:
- This position is crucial for the CMMC rulemaking process, specifically the 48 CFR rule, which is considered the final puzzle piece before CMMC requirements appear in DoD contracts.
- Hosts predict contract-related updates around late summer or early fall, speculating on a possible Labor Day announcement.
- Quotes:
“Matt Travis is very confident that we are still on the same timeline and that we should be expecting... the summer of CMMC.”
— Jason [03:13]
“We have a new quarterback, so you never know.”
— Joy [04:01]
3. CMMC Ecosystem Growth Metrics
a. C3PAO (Third-Party Assessment Organization) Update
- Increase from 70 to 74 authorized C3PAOs within a month.
- The growth rate suggests steady (if not rapid) ecosystem expansion.
- Quote:
“You got four in a month, one a week. Now 52 weeks in a year, you can get 52 if that's the rate that we're going.”
— Jason [05:14]
b. Level 2 Certifications
- Certifications issued jumped from 115 to 168—a monthly increase of 53.
- The hosts liken the process to a snowball gaining momentum.
- Joy predicts the numbers will increase “60, 70, 80” next month, indicating exponential growth potential.
- MSPs (Managed Service Providers) getting certified are described as “force multipliers,” accelerating their clients' readiness and reducing assessment effort.
- Quotes:
“53 in a month is crazy.”
— Jason [07:47]
“I think that's going to help propel that number because as the MSPs themselves are getting certified, they're getting their customers ready and they're getting their customers in and through that door.”
— Joy [08:17]
c. Professional Ecosystem Stats
- +25 certified assessors and +100 certified professionals over the past month.
- RPO (Registered Provider Organization) numbers dropped by 2, but this is not seen as worrisome.
- Quote:
“No matter how slow or how fast it is [the growth], I’m fine with that.”
— Jason [05:57]
4. Clarifications on Cloud Service Providers (CSPs) & Assessments
- FedRAMP Authorized CSPs (e.g., Microsoft, Google, AWS) do not need to send representatives to CMMC assessments if proper documentation is provided.
- For FedRAMP “equivalent” providers, a physical presence is required at assessments, which could be burdensome for smaller vendors.
- The hosts discuss the trade-offs between obtaining full FedRAMP authorization and meeting equivalency requirements.
- Quotes:
“If you're FedRAMP authorized, then it's a lot easier. You pass on the body of evidence which passed.”
— Jason [13:10]
“That's not going to be sustainable... having someone available for 40 hours just because they use your service is a tough thing to accommodate on behalf of the vendor.”
— Joy [13:20]
5. CAGE Code Issues
- Warning about mismatches in CAGE codes preventing organizations from receiving proper credit for completed assessments.
- Strong advice to double-check registrations to avoid bureaucratic slowdowns.
- Quote:
“Check your CAGE codes, make sure that everything is spot on and follow the instructions that were given to you.”
— Jason [15:27]
6. Ethics & Use of CMMC Logos/Credentials
- Three rules:
- No using logos/credentials not rightfully earned (“No stolen CMMC valor”).
- Don’t be deceptive when seeking permission to use logos (purpose must align with granted usage).
- Even with permission, all use must adhere to the Code of Professional Conduct.
- Special caution not to misuse the official DoD CMMC program logo or to represent a self-assessment as a certification.
- Memorable Moment:
“Look man, I'm all about giving flowers. I'm all about celebrating. If I in the wild see somebody say we got a 76 self assessed SPRS in private, I'll give you a high five... in public. Don't do it. Please don't do it. I don't know how I'd react.”
— Jason [19:58]
7. Segment Highlight: CUI Expert Insights
- Reference to a town hall segment with James Goepel (Fathom Cyber), a renowned CUI expert; recommended as a must-watch for anyone seeking a thorough understanding of CUI.
- Quotes:
"If you have questions about what CUI is, et cetera, et cetera, that is one resource in which you can go to and obviously learn what you need to know.”
— Jason [21:13]
“As much as I think I know about CUI... it's its own world of like focused expertise.”
— Joy [21:33]
8. Code of Professional Conduct Accessibility
- Joy submitted a Q&A question about the public visibility of the Code of Professional Conduct; it is now available for download on the Cyber AB’s website.
- Quote:
“Every time that Matt's pulling up... that section of the Code of Professional Conduct... is actually available for public viewing.”
— Joy [22:42]
Notable Quotes & Memorable Moments
- “Shields up, guys, just prepare yourself. I don't know why you would ever take the shield down...”
— Jason [00:46]
- “53 in a month is crazy.”
— Jason [07:47]
- “That's not going to be sustainable... having someone available for 40 hours just because they use your service is a tough thing to accommodate on behalf of the vendor.”
— Joy [13:20]
- “No stolen CMMC valor here, okay? If you aren’t an RP, if you aren’t a C3PAO, if you aren’t a PI… you can't say that you have them.”
— Jason [16:33]
- “If I in the wild see somebody say we got a 76 self assessed SPRS in private, I'll give you a high five... in public. Don't do it.”
— Jason [19:58]
- “As much as I think I know about CUI... it's its own world of like focused expertise.”
— Joy [21:33]
- “The consumers, the actual DIB contractors should also be reading the Code of Professional Conduct to understand what to expect...”
— Joy [23:31]
Key Timestamps
| Segment | Description | Timestamp |
|---------|-------------|-----------|
| CEO's "Shields Up" caution | Importance of vigilance in cybersecurity | [00:24] |
| Michael Duffy appointment & CMMC rulemaking timeline | Regulatory update and timing predictions | [02:00] – [04:09] |
| C3PAO & Level 2 certification metrics | Latest growth statistics; exponential pace | [04:30] – [08:00] |
| MSPs as accelerators | Impact of certified MSPs on clients' readiness | [08:07] – [09:43] |
| CSP/FedRAMP assessment clarifications | Assessment attendance requirements; operational impact | [12:40] – [15:08] |
| CAGE code warnings | Practical advice to ensure smooth certification credit | [15:20] – [16:29] |
| Ethics and logo use | Misconduct warnings and best practices | [16:29] – [20:44] |
| CUI expert recommendations | Reference to James Goepel; deep-dive resource | [20:49] – [22:10] |
| Code of Conduct public access | Where to find it and why it matters | [22:36] – [23:31] |
Tone, Language, and Style
The hosts maintain a conversational, approachable, and humor-infused tone, making technical topics accessible. They frequently use analogies (“snowball at the top of the hill”, “no stolen CMMC valor”), encourage community improvement, and underscore the gravity (and occasional absurdity) of compliance issues.
Summary for New Listeners
If you missed the episode, you’ll come away understanding:
- The latest ecosystem growth momentum (certifications issued, new C3PAOs, professional stats).
- The regulatory and leadership updates affecting rulemaking and contract requirements.
- Practical takeaways on FedRAMP/CSP assessment rules and CAGE code importance.
- The current state of ethics, credential representation, and Code of Conduct access.
- Where to look for deep-dive knowledge (e.g., the CUI segment with James Goepel).
The episode reflects the accelerating pace of CMMC adoption and continually stresses the need for vigilance, integrity, and professional rigor as the ecosystem matures.
