A
Well, Joy, May has come and gone. We are sitting on the cusp of June with a couple of events in the rear-view mirror and a Cyber AB town hall where one special glowing guest that we get to see monthly appeared to talk about the MSP Collective. And on this week's show you're here to join us and we're going to talk about it. Welcome back, Joy.
B
Thank you. May was a very special month. I feel like we had huge news coming out and a lot of involvement in the community. It was really fun.
A
It was the first time ever in my career that I saw the quote unquote end of two events and the beginning of a new event with a special high-speed logo. And we're going to talk about that, but let's just start going kind of back and forth about the stuff that we saw in the town hall this week. Obviously very heavy on a recap of Sequest and the event that it was, because the Cyber AB was the title sponsor, and then some other stuff about ESPs, MSPs, and then, you know, obviously you joining to talk about the MSP Collective and the work that's being done there. You know, obviously we're both a part of that. So the CEO welcome and program update kind of has been, at least for the past couple of town halls, a repeat of kind of the same stuff. How's the ecosystem doing? What are some of the news and notes that you need to know about? And I think the first, the numbers. The numbers are important, right? Especially if there's an audit going on about it. Right. And so, you know, one of the things which we led off with was, and this is a number I'm particularly interested in hearing, we heard an update to the number at Sequest and then, you know, in the town hall the same information is being given about CMMC Level 2 certification assessments. And I know that we had some conversation back and forth about this, and my impression, and I hope your impression was the same, Joy, is that these numbers seem to only reflect companies that have received CMMC Level 2 certifications post 32 CFR going final, and there's still some work in the background for the JSVA numbers to be input. But as of this week's town hall, roughly 115, Joy, 115 CMMC Level 2 certification assessment certifications have been issued. So those are certs issued.
B
What's so crazy about that, Jason, is that we have 16 MSPs or MSSPs, IT or security service providers, that are included in that number and four more that I'm about to vet. So 20 out of 100. How many?
A
116, 115 roughly is what was said.
B
I mean, that's a pretty high percentage of the companies that are going through their assessments have gone through the assessment and passed being service providers. It's so healthy for our ecosystem. I'm really happy about that.
A
I 100% agree. I think that it sets a good example for organizations which have such a large attack surface, especially MSPs that service this community, for them to at least button up things and to be leading the charge to button up things, taking up at least, you know, 20%, and you know how terrible I am with math, taking up at least 20% of the certifications issued since 32 CFR went final. Right. There's three to four conditional certifications that are still in the pipeline, which means that they've gone through all the necessary steps and it's waiting for that finalization, the approval, the AB, whatever in the administrative process on the back end to complete. And then this is a pretty good number too. 50 to 60 assessments still pending. So 50 to 60 assessments that are somewhere in the process, either maybe they got a false start and they're going to come back, or maybe they are in the process of scheduling and waiting to kick off, but they've gotten to the point where they're like, we're ready for a CMMC Level 2, and they're just going through the motions now to get it. So if you take and add up all those numbers, 115 plus 4 is 119, 119 plus 50 to 60. I'm going to go on the heavy end with 60 and say that's about 179, and the key number to remember there. And as was mentioned last night, JSVA numbers still haven't been input, or they are being slowly input by DIBCAC. And those numbers that Matt gave technically do not reflect any of the JSVA numbers, which we know were somewhere in the couple hundreds if I'm not mistaken. So you're looking at, and this is just boy math right now, but you're looking at somewhere between 350 and 400 assessments that have been completed since JSVAs kicked off. And that number was amplified by the over 175 technically that have taken place since January 1st.
B
Sounds right to me.
A
That's amazing. That's good progress. I know that. It's still not like, I mean, you think about it, January 1st, we're about to hit June. That's six months. 180 technical CMMC Level 2 assessments in some way, shape or form. Three a day or. No, that's not even right. 30, 16. That's 180 days. 180 days, 100. It's an assessment a day, basically, roughly around an assessment a day being completed or being in progress. 365 by the end of the year if we keep up that pace. I'm sure it's going to pick up, because one of the other things that was given to us in that update is that the numbers for the C3PAOs and the ecosystem are going and growing. And so we are now at 70 official C3PAOs, 70 certified C3PAOs, and number 71 is in the works this week. So whoever that lucky one is that's going to get their badge this week, way to go. Congratulations. Welcome to the good side. And then the other thing that's very promising for those numbers and those assessment numbers, Joy, is the growth in the ecosystem altogether. Again, 70 authorized C3PAOs. And if you look at this slide on the screen, 512 organizations looking to be assessors. And I don't know, what I would like to see is if we could break that down between how many of those are now domestic and how many of those are international partners, because of that. Interesting. I'd like to see where the growth is. I know that North, or not North Korea, South Korea is very, very, very, very keen on the CMMC program. I don't think North Korea is big fans, but. Well, you know, maybe we can ask. So between the C3PAO applications and then the CCP applications, that's over 5,000. Those are very promising numbers for the ecosystem. That shows that maybe growth is, you know, kind of doing what we need it to do in order for this thing to thrive. Do you? I still think that there's this conundrum that we're in. 
And the conundrum that we're in is, I know that we both have advocated a lot for, you know, if you're just going to be working for your organization and you want your organization to have a better process of implementing CMMC, maybe as the internal expert you take the CCP. I know that we'll never get the breakdown, the numbers of how many people raised their hand and said, I'm just doing this so that I get the certification that can help my organization internally, and how many of these people are intending to service OSAs to either help them with implementation or to assess their implementations. That's one of those breakdowns that the analytical nerd inside of me, you know, would love to see but probably will never get. And that's one of the things I think is going to kind of tether whether or not this growth that we're expecting in the ecosystem is going to be super beneficial or just beneficial.
B
Yeah, it'll be interesting, and I'd love to see more data on that. Also, if there's like a preliminary question that can be asked as the CCP candidate is getting the CPN number on the Cyber AB marketplace, perhaps for them to be asked the question: do you intend to use this for internal implementation knowledge? Do you intend to join an assessment team and get out there working with the C3PAO? Do you intend to leverage the knowledge as a service provider? It would be really interesting for them to see those stats. I know that just when I'm teaching the classes and I look at the overall course registration with the person's name and their company name, and we start the CCP on day one by having them go around and introduce themselves and state whether they are from a service provider, an OSC or a consulting firm, you know, whatever that is, that it's about a third, a third, a third: a third internal IT, a third service providers, and a third those who actually want to be an assessor and continue through the CCA and working for a C3PAO. So I'd like to see more hard data behind that.
A
The other hard data that we'll never see is how many of those people get certified, realize the value of the knowledge which they've just received and attained, and then they roll out of the OSA and become an implementer. So I've seen that happen too. I met actually quite a few people at our most recent event at Sequest that were saying, I work for insert big name here, but I also on the side do a little CMMC, and I was like, oh, oh really? That's cool. This is my full-time thing, side game. But still, the next topic that we covered, or that was covered in the town hall, and it was covered in last month's town hall too, was that 10-day reevaluation period for assessments. There seems to be some clarity, Joy. I'm going to try to sum it up in Pee-wee's Playhouse in the background. I'm going to try to sum up kind of what was said here and to make a separation as to, you know, how this works. There's two slides that were submitted and we're going to, you know, post those two slides so that you can see them as we're talking in the background. Even though I'd love for my face to be on the screen. But the 10-day reevaluation period isn't: oh my goodness, I didn't implement MFA properly. I need to go and implement MFA in all these other locations to make sure that it's adequately and efficiently implemented. Right. That's not what your 10-day period is for, after the assessor realizes it. That 10-day reevaluation period usually is for: I've implemented this adequately and sufficiently and I know it. And the assessor is saying, well, the evidence which you presented during today's evaluation of the implementation wasn't adequate and sufficient to meet that. Therefore we ruled it as not met. And then they're like, well, wait a minute, in this dusty closet I've got this document that actually will prove that we've done this adequately and sufficiently. That is what your 10-day reevaluation period is for. 
It's for presenting evidence that maybe you forgot at home. You maybe went to go play golf one day and you left the golf shoes at home, and now you've got to play in flip-flops or something like that. But the next time you play golf, which is still within that 10-day reevaluation period, you can show up with the golf shoes and you get better traction and a better swing. Did I get that right? Did I get that wrong? How was the analogy?
B
We got it right. And here's the thing. We don't have to like it or agree with what is being stated as the standard. I don't personally like it or agree with it.
A
Well, I've heard.
B
Does it.
A
Yeah. So there's. I guess it's kind of like how you think about it. If you never gave the college try for the implementation and you didn't prepare the assurance claim that was necessary to defend the implementation fully, and it's clear and evident that you just didn't get this implementation correct, I don't think that there should be a 10-day period. That's what your. The 90-day comeback period is for us. That's when. That's those things going on POA&Ms. Correct.
B
Do you mean the POA&M is 180 days?
A
180. What did I say 90?
B
Yeah, but we're gonna do a strict no-numbers rule. Or you can't put it on a POA&M, you just fail.
A
Right. But if it's a one-pointer, it can go on the POA&M and then you can have that reevaluation assessment.
B
Right. I, again, don't necessarily agree with it.
A
Yeah, it's just not ready. If it's not ready at time of assessment, you shouldn't get 10 days to get it ready, one, because there's no process implementation that's been proven. Right. So like, I can't go and rewrite my access control policy and then have it effective and say that this is effective with an effective end date. Right. And we're abiding by this and it says that we do all this. And me as the assessor knows that there's not something you can do within 10 days. It's not a process. I can't quarterly check my logs and I just did it today. We just happened to, the quarter fell on day number three of 10, and so here you go, here are your logs. So I think that there's a lot of caveats to that. I think that there's a lot of situations where I do not agree with the 10-day period, like you. And then there's some situations where I 100% agree that you shouldn't be able to implement that. And one of the things which gets that implementation rolled out actually is if it cannot change or limit the effectiveness of other controls within there. So that throws that out there too. So if it's one of those like basic controls that has routes into other controls that allows those controls, the implementations, to perform appropriately. You know, like you can't modify the logs if you have no logging capability. Right. So there's things of that nature. But it's only for if you think that you have the evidence to prove that a control that has been marked not met actually is met. And you have 10 days to give that.
B
No.
A
All right. Marketplace updates were talked about. As a Lead CCA, now there's a button on the CMMC Marketplace for you to go and apply if you want to become one. Not a huge topic, but a huge topic which they covered: Sequest. Sequest, the final installment in the Seek series. The third installment of the Seek series. We just went through the final installment of the CS2 series, which is so near and dear to our hearts. And now we are, I guess, one big happy conference family. And the emergence of CS5 is what it is. CS5 covering cloud, CMMC, cyber, conformity and compliance. Right. Representing all of the things that are kind of in the grand scheme of this ecosystem that we had, by the way, the SCF Connect frameworks, the conformity with CMMC, cloud security, which is something that CS2 was very adamant about, cybersecurity, which we're all adamant about, CMMC, the whole reason that we're all going to be there anyway. So CS5 is the next stage. October 16th, 17th, National Harbor, Maryland. That would be the east variation of this first installment in the series. But let's talk about the last installment in the Seek series and some of the numbers, and then two very key quotes that were given during the town hall that I think should resonate with a lot of people. First, Joy. 541 in-person attendees, 40 virtual, 71 sponsors, 64 speakers. I don't care how you cut it, 500 people in person anywhere is a great accomplishment, period.
B
Agreed.
A
500 people there for the same purpose. Great accomplishment. That's the. We can hold our own reservations and people can hold their own reservations as to the makeup of the crowd, whatever it may be. The fact that 500 people now are committed kind of signals the reason why we were merging the CIC and the Cyber AB summit and CS2 to free up the calendar. And that's the reason why. So that more people can come and get the same knowledge in the same spot instead of spreading them thin and having this little one here, this little pop-up here, this little pop-up here, and those little pop-ups cost each time. And in the grand scheme of things, the biggest complaint about CMMC is cost. And you can't say that we're concerned about your cost and have 19 different events. So if we have one central event, it makes it more easy and more manageable for OSCs and providers and everybody to get there together and just to interact. Would you agree?
B
Yeah, it's a great thing. I think too the success of the CS2 conferences, all the loyal fans that are being brought now to the new CS5 conference, is going to be a great audience addition. You know, combining those. I think that the CIC conferences that went into CEIC, those historically drew a lot of contractors, not just ecosystem consultants and, you know, those found in the Cyber AB marketplace. So when we're combining all of those bodies and audiences, it should definitely save money, generate more of the thought leadership and great speakers to provide the educational content that the contractors need. So I think that it's a great move for everyone. I personally am pretty sad to see CS2 go by the way of fond memories, but it is going to be wonderful to morph it into this new larger initiative for all of us to participate in.
A
Well, I'll always have a secret tattoo on my body that nobody can see.
B
I'll have to take your word for it.
A
That will remind me of all the fond memories of CS2. No, I listen, again, if you can get everybody on the same page, everybody is going to be for it, right? So if we can get everybody on the same page, this can be a great thing, and so hopefully that's what happens. Oh good.
B
Well, I just do want to point out one of the things Matt talked about with Sequest was the success of the Women in CMMC dinner. He mentioned the golf tournament as well, the charity golf tournament. But I'll tell you, the Women in CMMC dinner was so near and dear to my heart. It was wonderful to have 55 women in that room. And the women came from the C3PAOs, the consulting firms, the managed service providers, the contractors themselves. We had women representing like every different aspect of CMMC, and it was the first time that we officially had a registration add-on to participate in that, making it open to all the women of the ecosystem, not just the ones that we happened to personally know to invite like the last couple of dinners. So I also want to say thank you, because you, my shining dear friend, volunteered right away to help man, quote unquote, the check-in desk for all the women coming in for that dinner. And of course you were joined right away by the leadership over at Summit 7, all of the men, to help check in the women and just show support for that event. It was really special.
A
Well, it was my honor. First, I appreciate you taking me up on my offer to help. Similar to my wife, whenever I have free time she's like, well, let's see what we can do with that. No, I thought it was so. I wanted to talk about the lead-up events, the golf tournament and the Women in CMMC dinner. I did not want to steal your thunder for the Women in CMMC dinner. I wanted you to get a chance to mention it, so I wanted to give a little bit of my perspective. It was great sitting at that table and seeing the excitement of people as they walked up. Every single one of these, some people were new to me, getting to meet them. Some people I've known in this industry for quite a long time and they're very hard workers, and to actually see them get the opportunity to unwind. And then as far as volunteering, I don't speak for every single one of us who volunteered to help you guys out, but I think it was very important for us that you guys put a lot of hard work into it. And it turned into something extremely great. But you guys got to sit back and enjoy it. And, you know, if I can tell Dustin to get the censor button ready, there was a lot of badass women in that room, period. Like that. That's it. There's no other way to describe it. The accomplishments that sat in that room, I think it needed to be put on display to motivate other people, because I think it's exactly what the ecosystem needs, that support and that growth, not just from the women in CMMC, from everybody, but especially from the women, to recognize and let them know this is a comfortable space for you people. And we're great friends with the people at Axiom. I think that Kaylee Floyd was the most excited person to come into that room, because it was like this wonder of, I don't know what's going to happen, but I know it's going to be special. I thought it was very special. The menu looked delicious. The setting was very good. 
I thought that you guys picked a great venue. And so that was the evening of the first day, and then the day of the first day, something that Jacob and I were very, very excited about and that we were excited to represent Summit 7 in, was the golf tournament, the Tech for Troops golf tournament. Right. So we get two good causes before the event even starts. Right. The charity golf tournament at a beautiful golf course. And we got to see, in two cases, a lot of people in the ecosystem that I think all of us have mutual relationships with and have respect for actually relax. You know, the first time we got to see people post-rule just sigh, let themselves, you know, be together. And so both events were very good additions to the Seek lineup. And now the CS5 lineup hopefully continues that tradition. And the Women in CMMC dinners, I don't know, renting out whole restaurants. Right. That's the goal.
B
Yeah, absolutely. And then I thought the content for the conference itself was great. The sessions I was able to sit in on, I really appreciated the perspective and experience of those who were presenting.
A
So I will say yes, I do agree on the ones that I was able to sit in on. I saw two things. I saw a lot of people that were prepared, that were giving, you know, defenses to certain topics. And I saw one case, and this was one certain panel where each person on the panel represented a technology within the ecosystem, and the explanation of how it was supposed to be was each a different way, and that was good to see them interact in a cordial way and kind of resolve that. And that was the VDI panel, the one that George hosted, George Perezdiaz from Beryllium. There were different perspectives in there. All of these people had the same technology and there were different perspectives of how this applies, how this applies and how this applies. And I commend them all for remaining tactful within their conversation and making sure that it had educational outcomes. Because as we notice for a lot of things, when it comes to CMMC, sometimes it just depends. You have to actually analyze it. The devil is in the details when it comes to CMMC, and you have to know all the details fully before you can kind of say, yeah, that's right, that's wrong. And so sometimes I think that we, as an ecosystem, tend to lean on "that's wrong" before we know exactly how ugly the devil is. And so it was nice to see the people say, hey, this is the devil. It's not really that ugly. He's cool. Don't touch him. So the two big contents, the two keynotes for day one and day two, we were led off by Katie Arrington and Stacy Bostjanick. So obviously you have had to have been living under a rock at this point to not know who either one of those women are. But Katie Arrington right now is performing the duties of the senior official, performing the duties of the DOD Chief Information Officer. So right now it's a lot of words. It's the assistant to the regional manager type deal. 
But realistically, Katie is the face that runs the place right now, DOD CIO, until a nominated appointee is there. And then Stacy Bostjanick, who works at the office of the DOD CIO, and she's the chief of defense industrial base cybersecurity. So the DIB cybersecurity. The common themes in both of them were. And tell me if you disagree. The common themes from both of their keynotes were: the train's not stopping, it's here to stay. It's a change in culture, get with the program, don't argue it. And then they didn't ask for POA&Ms in Normandy. That was the one thing that really resonated with me. You know what they didn't ask for in Normandy? POA&Ms and extensions.
B
Yeah, I thought they both were really enforcing the fact that CMMC is just not going anywhere. And as a matter of fact, they're preparing for those advanced persistent threats. And how are we looking at R3 now? It's moving forward. So it was very exciting to hear both of them.
A
Yeah. To hear their official stances on things and clarification on certain topics. I know that was. As soon as 48 CFR hits, everybody's gonna have to self-assess. Here's a gut check, and I don't know if anybody else realized this gut check: you're going to have to self-assess anyways, because 48 CFR is going to require that annual affirmation anyways. Right. So everybody's gonna have to do it anyways. That is just basically the DOD talking to whoever they're directly having contracts with. And if you are a subcontractor in a supply chain and you think that you're not going to be required to do anything but self-assess in the first year that 48 CFR is live, please give me a call, because I want to follow your story closely.
B
Yeah, exactly.
A
Okay, so just to get out of here in a couple of minutes, Joy, I think that one of the most confusing topics back and forth, okay, has been ESP, not a CSP. What do I do with the CUI, the SPD, all of those things that go along with it. And so Matt Travis touched on it again in last night's, or in this week's town hall, and essentially it said that the key to this, the first step, is scoping. And yes, the devil again is in the details. How do they interact with your environment and how do they interact with CUI is very critical. And if they process, store or transmit CUI, Joy, they must be FedRAMP authorized or FedRAMP Moderate equivalent, or have the CRM or SRM assessed with the OSC. So their CRM must be assessed along with the OSC during the assessment.
B
Right. If they process, store or transmit CUI and it is a cloud-based environment, they have to have that.
A
If your ESP is a cloud service provider and they store, process or transmit CUI, that automatically delineates them as a CSP.
B
Yeah.
A
So my ESP is a cloud service provider, but they do not process, store or transmit CUI, or they process, store, transmit only SPD, security protection data. In that case the client responsibility matrix, the shared responsibility matrix, is assessed with the OSC only. So the SRM or CRM is given to the OSC, and obviously the ESP has to be there as well to defend their part of the SRM. And that part is what is assessed in the CMMC certification assessment. Correct? Yeah.
B
And that's a little tricky for me, because I'm thinking how many SaaS providers that process, store, transmit SPD. I think that by and large a lot of them are understanding now the importance of the CRM or the SRM and generating that for their customers to use. But I don't know any that are showing up to the actual assessments.
A
Yeah, I think it's. So I think.
B
He said it one way, but I think the requirement is actually that the SRM has to be included, it has to.
A
Be, it has to be timely, it has to be complete. But I still think that there's certain elements in an SRM or CRM for which somebody's going to have to be there to fin. The common OSC is going to tell you how this SaaS provider may do one or two things that are assigned to that part of the CRM. So now, knowing your MSP, MSSP: your ESP is not a cloud service provider. Right. So they're not a CSP, but they process, store or transmit CUI. They must have their own CMMC Level 2 assessment. And that CRM and SRM that was technically assessed, the controls that are inside of that were technically assessed, is given to the OSC as a body of evidence, and then that is assessed along with the OSC during the assessment. So you have to have the CMMC Level 2 assessment, and then your CRM or SRM is assessed with the OSC that's using whatever service you have.
B
And you still need to be available during that assessment.
A
Correct?
B
Right. And that's the tricky part, is that even if you have your own CMMC Level 2, it doesn't mean that you don't have to participate in the assessment now for your customers, if you're one of those that process and transmit CUI.
A
And we've talked about this before, that there's going to come a case where I think with certain providers there's going to be a built familiarity, and it may not be as stringent. And that's kind of part of assessor discretion. Right, assessor discretion that is in the.
B
CAP, there can be a lower burden of proof or lower level of effort if the ESP already has their own CMMC Level 2 certification, but they are supposed to still participate.
A
Okay, and then the last one is if you're not a CSP, your ESP is not a CSP, but they process, store or transmit SPD, then basically the client responsibility matrix, shared responsibility matrix, is assessed with the OSC only. So basically when the OSC goes to their assessment, they have the body of evidence that you presented that defends your relationship with them, and you are responsible for defending things on the back end there. Last but not least, if your ESP is not a cloud service provider and they do not process, store or transmit CUI, or they do not process, store or transmit SPD, then they are out of scope and not a CMMC ESP. Okay? So don't let them store SPD, don't let them process SPD, don't let them touch CUI and you're good to go. Just write them off and that's it. And then obviously, Joy, you joined the town hall to talk about the MSP Collective and some of the great work that's being done there. You want to touch on that quickly?
B
Sure. Really it was just Matt inviting us to talk about the ESP Marketplace that we've stood up as a temporary measure, because the Cyber AB's Marketplace currently does not have the ability to represent any of the ESPs who are not CSPs that have undergone their own CMMC Level 2 certification. And at the MSP Collective, we wanted to make sure that a contractor who is looking for an MSP that has already gone through their own CMMC Level 2 assessment would have some kind of a marketplace or directory that they could refer to and trust that any of the MSPs on that directory have already been validated as having undergone their own CMMC Level 2. We took it a step further and we said that if you want to be included in the directory, you have to have your SRM included as part of the assessment from the C3PAO, so that the way in which you deliver those services is being validated as part of the CMMC Level 2, which we think is really important. And so we were able to talk through how you get to the marketplace, how you apply to be included if you are an MSP or MSSP, and what it looks like to go through that, that it's available to members and non-members alike and it's completely free. So that was a really great thing for us to be able to share with the larger community. Right away, I'll have you know, I'm the one that receives the requests to be included in that marketplace, because you and I both are members of the MSP Collective. And right away after the town hall, two more MSPs had filled out that form to be vetted for inclusion in the marketplace. So really happy with that.
A
Yeah, I think any growth in that, and people coming together to work for a common purpose, obviously is a good thing. I will say that it was very timely to have you in the order in the agenda in which it was, because basically he had just gone through an entire session where he was talking about the importance of the CRM and the SRM and your ESPs and the entire thing, and you're like, hey, in case you guys were looking for, you know, organizations that have actually gone through this and have things that have passed the test of time, here's a whole website full of them, so try them out.
B
Yeah, agreed.
A
It was a great addition. I think you did a great job. I was happy to see you on there. Always happy to see my friends on there. I'll give you a high five through the screen. That's 30 minutes or so on the happenings in the CMMC ecosystem for this month. Joy, I'll see you next month, and to the viewers, we'll see you next week.
B
Sounds good. Thanks Jason.
A
See you.
Podcast: Sum IT Up
Episode: May Cyber AB TH Recap
Date: May 29, 2025
Hosts: Jason (A), Joy (B)
Main Theme:
A comprehensive recap of the May Cyber AB Town Hall, with a spotlight on key updates within the Cybersecurity Maturity Model Certification (CMMC) ecosystem, the latest certification numbers, ecosystem growth, the conclusion of the long-running Seek conference series, a look forward to the debut of CS5, and details about the evolving roles of Managed Service Providers (MSPs) in the compliance landscape.
This episode delivers a thorough breakdown of major announcements from the May Cyber AB Town Hall. Jason and Joy unpack fresh CMMC statistics, discuss the increased significance of service providers (especially MSPs), highlight key conference changes (from Seek/CS2 to CS5), and share insider perspectives on regulatory clarifications, community events, and the state of compliance readiness. Special attention is given to the MSP Collective and its new ESP Marketplace.
“20 out of 115 is a pretty high percentage of companies that have gone through the assessment and passed being service providers. It’s so healthy for our ecosystem.” — Joy ([02:48])
“When we start the CCP class, it’s about a third, a third, a third—internal IT, service providers, and those who want to be an assessor.” — Joy ([08:28])
“If it’s not ready at time of assessment, you shouldn’t get 10 days to get it ready... there’s no process implementation that’s been proven.” — Jason ([12:17])
“If we have one central event, it makes it more easy and more manageable for OSCs and providers and everybody to get there together and just to interact.” — Jason ([16:10])
“There was a lot of badass women in that room, period... The accomplishments that sat in that room needed to be put on display to motivate other people.” — Jason ([20:08])
“The train’s not stopping, it’s here to stay. It’s a change in culture, get with the program, don’t argue it. And they didn’t ask for POAMs in Normandy.” — Jason ([24:41])
“Even if you have your own CMMC Level 2, it doesn’t mean that you don’t have to participate in the assessment now for your customers.” — Joy ([29:17])
“We wanted to make sure that a contractor ... would have some kind of a marketplace or directory that they could refer to and trust that any of the MSPs on that directory have already been validated as having undergone their own CMMC Level 2.” — Joy ([31:05])
On the pace of certification:
“An assessment a day, basically ... at this pace, by the end of the year ... it’s good progress.” — Jason ([04:55])
On community consolidation:
“I personally am pretty sad to see CS2 go the way of fond memories, but it is going to be wonderful to morph it into this new larger initiative for all of us to participate in.” — Joy ([16:47])
On inclusivity:
“The accomplishments that sat in that room needed to be put on display to motivate other people.” — Jason ([20:08])
On regulatory reality:
“They didn’t ask for POAMs in Normandy.” — Jason ([24:41])
On clarifying ESP participation:
“Even if you have your own CMMC Level 2, it doesn’t mean that you don’t have to participate in the assessment now for your customers.” — Joy ([29:17])
| Topic | Timestamp |
|---|---|
| Certification numbers recap | 01:25–04:54 |
| C3PAO and ecosystem updates | 04:55–07:54 |
| CCP roles and "growth conundrum" | 07:54–09:06 |
| 10-day reevaluation period debate | 09:06–13:42 |
| Conference series transitions | 13:42–16:22 |
| Women in CMMC dinner recap | 17:58–20:08 |
| Keynote messages: Arrington, Bostanic | 23:55–25:21 |
| Clarifying ESP/CSP/CUI rules | 26:03–29:56 |
| MSP Collective/ESP Marketplace | 30:48–33:06 |
This episode crystallizes key regulatory, community, and ecosystem changes shaping the CMMC journey in 2025. Listeners get updated certification stats and timely town hall clarifications (especially on ESP/CSP rules), hear about the continued merging and maturing of major industry conferences, and gain insight into grassroots leadership, highlighted by events like the Women in CMMC dinner and the launch of the ESP Marketplace. The tone is candid yet supportive, marked by an underpinning sense that "the train's not stopping": now is the time to engage, adapt, and build robust cyber defense practices as the CMMC ecosystem grows.