A
All right, everybody, it is June of 2025 and we are joined again by friend of the show, C3PAO, manager extraordinaire, famous Mount Rushmore CMMC individual Fernando Machado. Give it up. Air horns in the background. Applause for everybody. You know him, you love him, you've seen him at conferences, you've seen him around the ecosystem, you've seen him on LinkedIn. If you don't know who he is, I don't know how that's possible. It's Fernando Machado, everybody.
B
What's going on, guys?
A
So a couple months ago, we had you on the podcast.
C
Hold on, dude. That big lead up, right? Fernando extraordinaire. We didn't mention his great shoes. Anything but. Hey guys, how's it going?
A
Here we go. That's right, man. A few words, but big impact around the ecosystem. So, Fernando, we had you on the podcast a couple months ago, and as of June of 2025, CMMC as a program has now been in place and effective for six whole months. You guys have just completed your 25th CMMC Level 2 assessment. But for the people at home who maybe aren't familiar with you, for the people who are just now waking up to what's going on with CMMC, who are you? What do you do? What have the last six months been like? Let everybody at home know who they're listening to.
B
Yeah, so I'm Fernando Machado, the managing principal and CISO at CyberSec Investments. We're an authorized CMMC third party assessment organization. So the only thing that we do are CMMC third party certification assessments, and we're located in Melbourne, Florida. The last six months have been crazy and the demand has just gotten even more crazy. We're currently right now booking in the February and March of next year and we're starting to see that demand even grow. We have no availability left for 2025 calendar year.
A
Yeah, we've heard the backlogs are growing like crazy. I know that of the various C3PAOs I've talked to, you have been backlogged and booked out for quite some time. And the proof is in the pudding: you guys have done 25 of these assessments. So we're excited to dive into your takeaways, what you've learned, what you've seen, how that's been going. But maybe just at the top, can you tell us about the makeup of these 25 companies? Like the general size, the revenue, what is their maturity? Do they have existing internal security teams? Are they using MSPs? Are these subcontractors, primes, new contracts, existing work? What's the ballpark look like of the companies you've been working with?
B
Yeah, so I actually went back and I broke down the different industries that the organizations work in. And believe it or not, or it could be believable, the vast majority, I'd say 40% of the assessments that we completed, were all external service providers. Then another 30% were professional services organizations. And these are usually small businesses, so I'm using the SBA's definition of a small business as 500 employees or less. Then about 10% were manufacturing clients. And then I think we had another 10% in engineering. And then we had another 10%, which was literally one company, right, because 25 is a very hard number to break up into percentages. So it was one company that we did that was a construction company of about 50 employees.
A
Well, that's interesting. So, I mean, it's a good thing that the majority of the companies, or at least a large share of them, are managed service providers, because of the key role that they play in the ecosystem. But it's kind of interesting to me that so many of the actual subcontractors, the smaller organizations themselves, were not at the front of the line in the first 25 here. Because, you know, you're booked out like crazy, everybody knows that it's happening, it's been in place for six months, and yet the largest grouping of companies that are getting the certs early, if you will, aren't actually the contractors themselves, which I think is very interesting.
C
I think, contradictory to that, it's actually surprising that so many providers were at the front of the line trying to get there. I thought it was going to be more delayed there too. I do also think that it is surprising that not as many subcontractors are really beating down the gates.
A
Yeah, well, maybe let's get into some specific questions about what you've seen from in individual assessments, huh?
C
Pick me.
B
Yeah, absolutely.
C
So, Fernando, I gotta ask because I think one of the things that we talked about in our first conversation with you and then one of the things that we kind of coined was the term false start. A false start, you know, not getting out of phase one. And I'm just going to ask, in the 25 or so assessments that you've completed, how many have you seen? Are they very common?
B
Yeah. So luckily for us, we've partnered with good consultants and service providers, so we really don't see that many. But we recently did have two false starts. We had one client that didn't have an incident response plan. When we asked them, hey, do you have any? They didn't have anything at all for the Incident Response control family. So we asked them, you know, maybe it was an oversight, part of the document dump that they were supposed to provide us, that maybe it was just missed. And we asked them, hey, what do you guys have for the Incident Response control family? Any documentation or artifacts that you can provide to support this? And the answer that we got back was, well, we just opened up a ticket. Yeah, so you're not ready for an assessment. And we went ahead and we did what's called an adverse determination and just non-voluntarily rescheduled them. And then the other contractor that we had sent us their trove of documentation, and in going through it, the assessment team discovered that the POA&M document had items that were listed as open. The assessment team asked about it. They then said, oh, that was the wrong document. And it took a while for them to get us back the quote unquote correct document, which never came back. So we turned around and we non-voluntarily rescheduled them as well. So we would have had 27 CMMC assessments, but we had to push back two of them, which now puts us at 25.
C
And so in both cases it was you as the C3PAO making the adverse decision to stop it. Was there pushback for it, or was it basically accepted, you know?
B
Oh yeah, there was a little bit of pushback until they start to realize that it's one of two things. Either they get non-voluntarily rescheduled, or they go through the assessment, they fail, and we end up, you know, billing them for it at a later time. Which I think once they sit back, in hindsight, they probably think that the best way to move forward is just to go through the assessment the first time, at least in their mind, when they have everything ready to go.
A
Yeah, well, so how many conditional statuses have come out of the assessments? So for anybody at home: you make it through phase one, you go through the assessment, but you don't have everything implemented. There's some small subset of requirements that are allowed to be parked on a POA&M that you have 180 days to fix. So that would result in a conditional status as long as you close out your assessment later on. Have you had very many of those?
B
We have not. We haven't had a single conditional Level 2 certification yet. And again, that's a testament to the good consultants and service providers that have been helping them. And a lot of the contractors that we've been working with have all had service providers that have been in the industry since the very beginning. So that kind of lessens the risk of getting a Level 2 conditional on that end.
A
I mean, it makes sense, because all of these people would be considered early adopters. I guess the earliest of the early adopters would have been people who had gone through joint surveillance assessments. And then the people who get their CMMC L2 assessments prior to CMMC being in contracts would be like the second wave of early adopters. And so they're going to know what's going on, right? I mean, they're going to be familiar with what's going on. They've partnered with people who know what's going on. So it's no surprise that we haven't seen very many conditional statuses in your set of assessments so far. That doesn't surprise me at all.
C
So I want to kind of piggyback off of that, then. So you said you haven't issued any, there's been no conditional assessments. How many have you failed?
B
We haven't failed any, however. Right. I think in the situation that we talked about earlier where we had to non voluntarily reschedule those contractors, I believe that if we would not have caught that during the pre assessment phase of reviewing their documentation, those organizations would have failed and they would have been. Those would have been two failures on our docket.
A
Yeah.
C
So you're saying, like, the foundational documentation, you're noticing that if it's in place and they pass through phase one, then usually it's an easier process to get through everything else, correct?
B
Yep.
A
Yeah. I mean, it makes sense. This is something we called out early on, where we were like, the number of people who fail CMMC will be pretty small, because the people who make it through pre-assessment review are more likely to pass than not pass. And so looking for assessment failures isn't really going to be a thing. You're just going to have a bunch of people that just don't qualify for assessments, which, you know, in this small subset so far, seems to be what you're seeing. So, all right, so we've got a bunch of these companies that have had great success, then. So they have no conditionals, no failures, and very few false starts. So do they have any green flags in common amongst this set, where it's like, you know, going into your interaction with them, you know they're going to be fine or probably fine?
B
Yeah. So when we start working with some of these like trusted providers, we kind of see the same song and dance, the same type of documentation on how it's laid out, the same network architecture. So we start to become familiar with that, with their methodology, and they start also to become familiar with us and what we're going to be looking for. And nine times out of 10, when they document their things in their system security plan down to the assessment objective, that always makes, you know, an assessor's heart just warm. And then also supplemental documentation. Right. Like another huge green flag. When you start providing me things like a shared responsibility matrix that makes us happy, we're like, okay, you get it. So you're probably gonna. The chances of success for you have just gone up.
A
Yeah, yeah.
C
So I want to kind of piggyback on that again. When you get into these green flag assessments, or any assessments in general, how long are they normally taking, and is it always a full week, or are there certain conditions in which it tethers back and forth? You might know going into the situation that it's a full week, but then you see something different and, you know, it's shorter.
B
Yeah. So usually what we do is we allocate an entire week for a client, and nine times out of 10, we'll just say it's a week. It's usually not more than that, but we allocate an entire week because there could be instances where that client might have, you know, on-site visits. There might be some additional documentation that has to get provided that got missed somewhere. And so what we're seeing now is that the well-prepared clients are seeing reduced assessment time during their assessment week. So instead of going the full five business days, we're usually seeing two to three business days.
A
Wow, that's awesome. There you go. Fortune favors the prepared mind, everybody. Is that Louis Pasteur? Louis Pasteur in chat, let me know. I think that was Pasteur. Anyways, so you get a bunch of great results. You get a bunch of folks with a bunch of green flags. Everything looks great. Are there still spots that cause snags or slowdowns or anything like that? Are there any requirements that are more often an issue, or not an issue but just an amount of work that you spend more time on? Is there anything like that in the overall set of stuff you've got to address?
B
Yeah. So the biggest thing is the CAGE codes, right? That's causing a lot of problems in eMASS. So sometimes what will end up happening is a contractor will tell us, yeah, we want this list of CAGE codes. And they all supposedly tie back up to the highest level owner. And what ends up happening is they don't go into sam.gov to make sure that the CAGE codes are all aligned to the HLO. And so when everything gets submitted, on the SPRS side it'll show that only three out of the five CAGE codes actually transferred over, because the other two CAGE codes, for example, are just not tied to the HLO. So now we have to go back and do rework. We have to go back and delete the record. We have to contact eMASS. This is a big headache. So we're trying to get in front of that now, and we're trying to let contractors know, hey, make sure that all your CAGE codes are tied up to the HLO. And if you're a service provider, there's no reason for you to have a CAGE code, but you can't go through an assessment without one. So we always tell them, go on to sam.gov, register your organization there, obtain a CAGE code, and then come seek an assessment afterwards.
A
All right, well, I guess two questions. One, for people at home who don't know, what is an HLO? And two, if my managed service provider is promising me the world and says that they're going to get me ready for CMMC, but they don't have a CAGE code, is that a bad sign?
B
Yeah. So the HLO stands for the highest level owner CAGE code. So it's going to be that quote unquote parent company. And then usually you'll have subsidiaries or other sites that all flow up to the primary HLO CAGE code. As far as promising you the world, I don't think any service provider should be promising anything, because you never know; anything can happen during an assessment.
A
Okay.
C
All right, I want to ask some questions about, like, obviously now going through 25 assessments and counting, you've kind of gotten to hear some of the backstories.
A
Right?
C
So what has the OSA gone through? Have you or your teams heard any feedback from OSAs that had more difficulty, or whose journey to implementing the requirements was much tougher than others?
B
So we've had a couple of organizations that decided to give it a go on their own. And one of the things that we're discovering is they don't understand the requirements as well as some of the more established service providers do. So when we start going through that pre-assessment phase, that initial discovery phase, I'm finding problems left and right. I'm finding cloud service providers that are not FedRAMP. I'm finding cloud service providers that aren't even FedRAMP equivalent. Like, they're just nothing at all. We've got service providers that even to this day, and I don't know how many times me and Jacob have been saying this, still don't know that 800-171A exists. So at that point, we tell them you're not ready for an assessment. You know, here's a list of some trusted service providers for you to go talk to. Go talk to them and come see us in six months to a year.
C
Okay. And kind of to build off of that, right, from a different perspective: the perspective of you being the person that has to assess the environment.
A
Right.
C
Or your team's assessing the environment. In your experience thus far, have you seen different types of environments, whether it be machine shops or whether it be different types of business models that pose different potential roadblocks or maybe more troublesome for you or your teams to assess?
B
Yeah, the manufacturing environments are always the trickiest because of all of the specialized assets. We see that quite a bit. And then we've also seen professional services environments. Those are fairly easy. And then, you know, sometimes we start getting into environments that are just very, very small in nature. I think our smallest client was less than five employees. But they saw this as a competitive advantage. That's why they took the leap forward and went ahead and did it anyway.
C
Nice.
A
So, just to close the loop, are there any specific requirements in 171 that trip people up? You talked about the CAGE code issues, but were there any of the requirements in 171 that take more time than others, or are more confusing than others, that you've seen even amongst the set of people who are well prepared?
B
Right. Yeah. So the biggest one, and this should be no surprise to anybody in the DIB, is FIPS. FIPS-validated cryptography has been an issue that has caused a lot of pain. They're able to get through it, right. You know, thankfully, I mean, this guidance has always existed in 171 and 171A, but there's the new guidance on temporary deficiencies. On, you know, your firewalls in FIPS mode, something out of your control happens. You get this critical vulnerability, you patch it, it invalidates FIPS. The things you're supposed to do: you document it, you work with your vendor on the next FIPS iteration. And so you'll basically be in and out of FIPS mode, but you'll be able to at least explain that to the assessor and show your documentation on how you were in FIPS mode, and then something out of your control happened.
A
Yeah. Yeah.
C
Fernando, so now that you've gone through this, I don't know if you ask the organizations that you assess or not, but do you try to get an understanding as to why they're so proactive in their implementations? Like, what's triggered them to start early?
B
Yeah. So primarily two reasons. Right. Number one, they're being instructed by their primes to provide proof that they're in line for a CMMC assessment.
C
It's a good reason.
B
And then the sec. Yeah. And then the second reason is competitive advantage. They see the writing on the wall, they know that this is coming. And the first thing that they tell me is we don't want to be priced out of the market, so we want to go ahead and get in front of this now to become early adopters.
A
But, Fernando, it's not in DoD contracts yet. The phased rollout hasn't started yet. What do you mean the primes are asking?
B
I know. This is what happens when you work for the prime, not DoD, which is.
A
75 or more of the DIB. Probably. So.
C
So let's piggyback off that. If the DoD says that within the first year everybody's going to have to get self-assessed, that doesn't mean that everybody that has a relationship with a prime is going to have to get self-assessed, correct?
B
Yep. Yeah, because you work for the prime, not for the DoD. The primes work for the DoD.
A
Absolutely. All right, well, so people are responding to pressure from the primes, their customers, whatever it happens to be. So have you heard from them yet about any tangible business benefit? Is this just a method to keep them happy and assure them that you'll be ready to go? Are they expecting to gain more business, like you talked about, competitive advantage or any kind of differentiation? Does anybody mention their competition not doing it and they're trying to get ahead of them? How are they rationalizing this?
B
Yeah, I haven't heard much as far as the contractors letting us know that they need to do this, but they see the writing on the wall as a competitive advantage, which is one of the reasons that they're doing it. Where we were seeing a lot of this early success was during JSVAs, where we started seeing some of the small businesses going through and becoming proactive and getting that DIBCAC High assessment and showing their primes that they had the 110 DIBCAC High. And so at that point, a lot of those small businesses actually did benefit directly from that. And I think that once the 48 rule goes live and they're able to demonstrate to their primes, and to anybody else that's looking to do business with those subs, they're going to come right out of the gate with the CMMC cert.
A
Yeah. Yeah.
C
Okay, so.
A
All right, drum roll, everybody. Here we go.
C
This question, I think, is what's on everybody's mind? And it's a well debated question. What's the ballpark range of an assessment?
A
Cost.
C
And like, can you tell me some of the biggest factors that drive that cost?
B
Yeah. So one of the things that we're seeing in industry is, you know, a ballpark range. Things that I've seen out there range from like 20k, which I don't think is sustainable, all the way up to like 70k. The DoD themselves even estimates that the cost to conduct an assessment for a small business entity is about 76k. Not saying that that's what most C3PAOs are charging, but by DoD's estimates, that's what they believe it should cost. Now, the biggest factors that we're seeing driving the cost up: one, the DoD decided that two assessors are going to be required for every assessment, so a lead CCA and then a CCA on top of that, and then you add the third assessor to conduct the QA. Also the organization, right? How complex are they? Do they have various cloud service provider environments? Are they dealing with managed service providers? Are they dealing with, you know, various on-prem locations? These are all things that could potentially drive the cost of an assessment up.
C
Makes sense.
A
Yeah. I mean, that seems to be the thing. The DoD came up with their estimate, but they don't really know, right? There's no way for them to really know. And that's the range of stuff that we've heard; it tends to vary pretty dramatically. So it all just depends on context. I mean, like you said, you've worked with professional services to manufacturing to engineering to MSPs. Those are very different types of environments, even before you factor in size. Well, hey, man, this is super insightful. Congrats on 25 assessments. CMMC has been in place for six months. We'll definitely have you back after assessment number 50 for sure, which, with the way that you're booked up, sounds like it's going to happen pretty quickly, especially once 48 CFR goes live later this year. We'll link to your LinkedIn, we'll link to your website, we'll link to all your stuff and make sure that people can get a hold of you. You know, we've known you forever, man. You've been around for years and years. So if you're not following Fernando, you're wrong. He puts out great information, especially on LinkedIn. Definitely check him out. We'll link to the previous conversation that we had on the podcast a couple months ago. And we'll see you after assessment number 50, man.
C
Yeah, Andy's a new golfer. We'll see.
A
Yeah, yeah. And he did well at the tournament. How did the tournament go at Sea Quest, dude?
B
Ah, dude, I was so bad. Like, I tried, uh, every. Every time. I tried, every time I connected with the ball, like, I connected, I was like, all right, I hit it far right.
A
I mean, that's golf, man. That is golf for sure. You're hooked.
C
One of us.
A
Absolutely. All righty, dude. Well, thanks for stopping by. Thanks for all the awesome insight. And we'll see you at assessment 50. And for everybody else, we'll see you next week.
C
See you next week.
B
See you then.
A
Sam.
Date: June 12, 2025
Host: Summit 7
Guest: Fernando Machado, Managing Principal and CISO at CyberSec Investments (C3PAO)
This episode features insights from Fernando Machado, an experienced C3PAO, on lessons learned after performing 25 CMMC Level 2 assessments during the first six months of the CMMC program rollout. The discussion revolves around trends, pitfalls, best practices, and the practical realities for organizations navigating CMMC certification.
Demand and Backlogs: Demand for assessments is overwhelming. CyberSec Investments is already booked into March 2026, demonstrating the backlog faced industry-wide.
"We're currently right now booking in the February and March of next year and we're starting to see that demand even grow." —Fernando (01:24)
Assessed Organization Breakdown: Roughly 40% external service providers, 30% professional services firms, about 10% manufacturing, about 10% engineering, and one construction company of about 50 employees. Nearly all were small businesses under the SBA's 500-employee definition.
Trend Observations: Service providers, not the subcontractors themselves, made up the largest share of the first 25 certifications; relatively few subcontractors are "beating down the gates" yet.
False Starts (Early Disqualifications): Two of 27 scheduled assessments were non-voluntarily rescheduled after an adverse determination during pre-assessment review. One organization had no documentation at all for the Incident Response control family; the other submitted a POA&M with open items and never delivered the "correct" document.
Pushback on Rescheduling: Some initial pushback, until clients realize the alternative is going through the assessment, failing, and still being billed for it.
Conditional Statuses: None issued so far, credited to experienced consultants and service providers that have been in the industry since the beginning.
Assessment Failures: None so far, though the two false starts would likely have been failures had they not been caught in pre-assessment.
Common Success Factors: Consistent, familiar documentation and network architecture from trusted providers; System Security Plans written down to the assessment objective; supplemental artifacts such as a shared responsibility matrix.
Assessment Duration: A full week is allocated per client, but well-prepared clients typically finish in two to three business days.
CAGE Code Alignments: CAGE codes not tied to the highest level owner (HLO) in SAM.gov cause SPRS transfer problems and eMASS rework. Service providers do not otherwise need a CAGE code but cannot be assessed without one.
Technical Control Snags: FIPS-validated cryptography is the biggest pain point. Under the guidance on temporary deficiencies, a patch that drops a device out of FIPS mode should be documented along with the vendor follow-up so the assessor can see the history.
Unprepared Self-Starters: Organizations going it alone often misunderstand the requirements (cloud providers that are neither FedRAMP authorized nor FedRAMP equivalent, no awareness of 800-171A) and are told to return in six months to a year.
Manufacturing Environments: The trickiest to assess because of specialized assets.
Professional Services: Fairly easy to assess. The smallest client had fewer than five employees and pursued certification as a competitive advantage.
Pressure from primes to provide proof of being "in line" for a CMMC assessment, even before the official DoD contract rollout.
"They're being instructed by their primes to provide proof that they're in line for a CMMC assessment." —Fernando (17:03)
Competitive advantage perception—as a means to not be “priced out of the market” or lose opportunity when CMMC becomes contractually required. "We don't want to be priced out of the market, so we want to go ahead and get in front of this now to become early adopters." —Fernando (17:12)
Some small businesses saw direct benefit during the JSVA early adoption phase, using DIBCAC high assessments as differentiators with primes (18:26).
On Prepared Clients:
"Fortune favors the prepared mind, everybody." —Host (11:11)
On organizations trying to go it alone:
"They still don’t know that 800-171-a exists." —Fernando (14:20)
Ballpark Pricing:
"Things that I’ve seen out there ranges from like 20k, which I don’t think is sustainable, all the way up to like 70k." —Fernando (19:29)
On FIPS Cryptography:
"FIPS-validated cryptography has been an issue that has caused a lot of pain." —Fernando (16:05)
Golf Humility:
"I tried, uh, every. Every time. I tried, every time I connected with the ball ... I connected, I was like, all right, I hit it far right." —Fernando (21:43)
Catch Fernando at assessment #50 later this year, and follow him on LinkedIn for real-time CMMC insights!