Sum IT Up: CMMC News Roundup – May Cyber AB Town Hall Recap
Podcast: Sum IT Up
Episode: May Cyber AB TH Recap
Date: May 29, 2025
Hosts: Jason (A), Joy (B)
Main Theme:
A comprehensive recap of the May Cyber AB Town Hall, with a spotlight on key updates within the Cybersecurity Maturity Model Certification (CMMC) ecosystem, the latest certification numbers, ecosystem growth, the conclusion of the long-running Seek conference series, a look forward to the debut of CS5, and details about the evolving roles of Managed Service Providers (MSPs) in the compliance landscape.
Episode Overview
This episode delivers a thorough breakdown of major announcements from the May Cyber AB Town Hall. Jason and Joy unpack fresh CMMC statistics, discuss the increased significance of service providers (especially MSPs), highlight key conference changes (from Seek/CS2 to CS5), and share insider perspectives on regulatory clarifications, community events, and the state of compliance readiness. Special attention is given to the MSP Collective and its new ESP Marketplace.
Key Discussion Points & Insights
1. CMMC Level 2 Certification Update
- Stats as of Town Hall:
- ~115 Level 2 certifications since 32 CFR went final ([01:25], [02:44]).
- 16 of those are MSPs or MSSPs, with 4 more pending vetting—about 20% ([02:26]-[02:48]).
- 3-4 conditional certifications still in the pipeline ([03:00]).
- 50–60 assessments currently pending or in progress ([03:00]).
- JSVA assessments are slowly being input; those numbers (in the “couple hundreds”) are not yet included, suggesting a total of 350–400 assessments since JSVAs kicked off ([03:00]-[04:54]).
- Implication: The MSP/MSSP community is demonstrating leadership in compliance readiness, a healthy signal for the ecosystem.
“20 out of 115 is a pretty high percentage of companies that have gone through the assessment and passed being service providers. It’s so healthy for our ecosystem.” — Joy ([02:48])
2. Ecosystem Health and Growth
- C3PAO Growth:
- 70 authorized Certified Third Party Assessment Organizations (C3PAOs), with #71 “in the works” ([04:55]).
- 512 organizations seeking to become assessors ([05:31]).
- Over 5,000 Certified CMMC Professionals (CCP) applications ([05:31]).
- Ecosystem Analysis:
- Healthy growth, but a “conundrum” exists—how many CCPs are real implementers versus those seeking to help their own organizations ([05:54]-[07:54])?
- Call for better data on CCP intent (internal vs. external work) ([07:54]-[09:06]).
- Changing Roles: Some internal implementers transition to consultancies post-certification.
“When we start the CCP class, it’s about a third, a third, a third—internal IT, service providers, and those who want to be an assessor.” — Joy ([08:28])
3. Certification Reevaluation and Corrective Procedures
- 10-Day Reevaluation Period Clarification:
- Intended only for providing existing evidence that was overlooked during assessment—not for implementing new controls ([09:06]-[13:42]).
- Major distinction from the 180-day POA&M (Plan of Action and Milestones) window.
- Host Perspective: Both Jason and Joy disagree with aspects of how the 10-day window is currently applied, and wish for stricter criteria on what may be “fixed” within it.
“If it’s not ready at time of assessment, you shouldn’t get 10 days to get it ready... there’s no process implementation that’s been proven.” — Jason ([12:17])
4. Conference Evolution: Seek, CS2, and the Launch of CS5
- Seek and CS2 Conferences:
- Final Seek conference highlights: Over 500 in-person attendees, 40 virtual, 71 sponsors, 64 speakers ([15:26]).
- The series concludes, merging with CS2 and forming CS5—a larger, consolidated event focused on Cloud, CMMC, Cyber, Conformity, and Compliance (CS5) ([14:00]-[15:26]).
- Aim: Enhance community value, reduce cost burden on OSCs/providers by avoiding fragmented events ([15:27]-[16:22]).
- CS5 Details: Launches October 16–17, 2025, at National Harbor, Maryland ([14:00]).
“If we have one central event, it makes it more easy and more manageable for OSCs and providers and everybody to get there together and just to interact.” — Jason ([16:10])
5. Community Building Moments: Special Events
- Women in CMMC Dinner:
- First officially registered event; 55 women attended, representing all sectors ([17:58]).
- Meaningful show of allyship by men in the industry, and growth in inclusivity ([18:00]-[19:15]).
- Emphasis on visibility of women’s achievements in the ecosystem.
“There was a lot of badass women in that room, period... The accomplishments that sat in that room needed to be put on display to motivate other people.” — Jason ([20:08])
- Tech for Troops Charity Golf Tournament:
- Helped set a positive, relaxed tone pre-conference and raised support for veterans ([19:50]-[21:58]).
6. Conference Content and Keynotes
- Quality & Diversity of Sessions:
- Multiple viewpoints—highlighted by different takes on VDI technology on a single panel ([22:12]).
- Notable Keynotes:
- Katie Arrington (Acting DOD CIO): Emphasizes CMMC is “here to stay.”
- Stacy Bostjanick (Chief of Industrial Base Cybersecurity): Underscores culture shift and cybersecurity urgency ([23:55]-[25:21]).
- Both stress that CMMC requirements are not optional and reinforce the need for cultural and operational adaptation.
“The train’s not stopping, it’s here to stay. It’s a change in culture, get with the program, don’t argue it. And they didn’t ask for POAMs in Normandy.” — Jason ([24:41])
7. Regulatory Clarifications: ESP, CSP, and CUI Handling
- Key Guidance Recap:
- If an External Service Provider (ESP) processes, stores, or transmits CUI (Controlled Unclassified Information):
- And it is a cloud service provider (CSP): it must be FedRAMP Moderate (or equivalent), or be assessed together with the OSC as part of the OSC’s assessment ([26:58]-[29:56]).
- And it is not a CSP: it requires its own CMMC Level 2 certification, must provide evidence to the OSC, and must participate in the OSC’s assessment ([28:10]-[29:16]).
- If the ESP handles only Security Protection Data (SPD): its SRM/CRM (shared/customer responsibility matrix) is assessed with the OSC only.
- If no CUI or SPD is touched, the provider is out of scope.
- Ongoing confusion remains about SaaS providers’ participation in assessments.
“Even if you have your own CMMC Level 2, it doesn’t mean that you don’t have to participate in the assessment now for your customers.” — Joy ([29:17])
8. MSP Collective and ESP Marketplace Initiative
- MSP Collective Efforts:
- Launched a directory (“ESP Marketplace”) for contractors to find MSP/MSSPs already CMMC Level 2 certified ([30:48]).
- Inclusion requires validation and an SRM reviewed by a C3PAO.
- Aimed at both members and the broader community—free to use ([30:48]-[32:35]).
- Immediate uptake—new MSPs applied right after the Town Hall ([32:02]).
“We wanted to make sure that a contractor ... would have some kind of a marketplace or directory that they could refer to and trust that any of the MSPs on that directory have already been validated as having undergone their own CMMC Level 2.” — Joy ([31:05])
Notable Quotes & Memorable Moments
- On the pace of certification:
“An assessment a day, basically ... at this pace, by the end of the year ... it’s good progress.” — Jason ([04:55])
- On community consolidation:
“I personally am pretty sad to see CS2 go the way of fond memories, but it is going to be wonderful to morph it into this new larger initiative for all of us to participate in.” — Joy ([16:47])
- On inclusivity:
“The accomplishments that sat in that room needed to be put on display to motivate other people.” — Jason ([20:08])
- On regulatory reality:
“They didn’t ask for POAMs in Normandy.” — Jason ([24:41])
- On clarifying ESP participation:
“Even if you have your own CMMC Level 2, it doesn’t mean that you don’t have to participate in the assessment now for your customers.” — Joy ([29:17])
Timestamps for Important Segments
| Topic | Timestamp |
|---|---|
| Certification numbers recap | 01:25–04:54 |
| C3PAO and ecosystem updates | 04:55–07:54 |
| CCP roles and “growth conundrum” | 07:54–09:06 |
| 10-day reevaluation period debate | 09:06–13:42 |
| Conference series transitions | 13:42–16:22 |
| Women in CMMC dinner recap | 17:58–20:08 |
| Keynote messages: Arrington, Bostjanick | 23:55–25:21 |
| Clarifying ESP/CSP/CUI rules | 26:03–29:56 |
| MSP Collective/ESP Marketplace | 30:48–33:06 |
Closing Thoughts
This episode crystallizes the key regulatory, community, and ecosystem changes shaping the CMMC journey in 2025. Listeners get updated certification stats and timely town hall clarifications (especially on ESP/CSP rules), hear about the continued merging and maturing of major industry conferences, and gain insight into grassroots leadership, highlighted by events like the Women in CMMC dinner and the launch of the ESP Marketplace. The tone is candid yet supportive, marked by an underpinning sense that “the train’s not stopping”: now is the time to engage, adapt, and build robust cyber defense practices as the CMMC ecosystem grows.
