A
Joy, in the past month the CMMC FAQs have gone through an under-the-radar update and the ecosystem has evolved to the point where it's kind of capable of producing roughly 500 assessments at a time. There's new news from the, from ISACA with regards to the CAICO and some of the positions in there and news from the Cyber EF. And that is what we're going to talk about today. Joy, every single month we have a duty to fulfill for the ecosystem. Right. And by now I think that our audience is well aware or they know that we take that job very seriously. But every once in a while, just every once in a while, we like to have a little bit of fun with these shows, right? And as we are digging through the information that we want to distribute to the ecosystem that they need to know about, we like to, you know, pull out little tidbits to try to one-up one another. Like, hey, I know that he said this, but did you know, kind of under the surface it means this. And I don't know if you could tell by this introduction. Joy, I'm super excited to share mine. I'm so anxious to share mine and I'm really hoping that you have some to share too.
B
Are you competitive, Jason?
A
Not at all, not in the slightest. Okay. I am even keeled. Jacob will tell you on the golf course I am as calm as the sea without any winds or storms.
B
Okay, you call it one upping, I call it color commentary, but let's go ahead and dig in.
A
Yeah, I think. Okay, I, I like your approach better. As usual, the voice of reason comes in and now we're not one-upping each other. We are just adding color commentary to the situation. So all of that revolves around the program update and this isn't the thing I'm anxious to share with you. These are just things that were shared with the ecosystem from Matt Travis. Right. A new addition to the staff of the ecosystem that continues to grow internally. Right. There is a CEO in Matt Travis and now there is an executive vice president and CEO by the name of Matt Newfield and people who may be familiar with how the board functioned. I believe the background that was given is that he has been on the board for quite some time now and now is transitioning into a full time role. Joy, do you have any experiences with Matt or do you know anything except the background that was given to us?
B
No, I don't. But I love that they're growing and I love that they're bringing people that are super familiar with you. Know what's kind of been the operating system all along, being involved in the board. So it makes perfect sense.
A
Yeah, you don't have to start from scratch. Hey, this is how we do things now. Can we get up to speed and make progress? Right. This person's already aware of how things operate kind of from intern. The other thing that this shows again is continuous growth and the evolution of now more people to accomplish all the tasks that need to get accomplished and not one person wearing multiple hats. And the more that that happens, I think the smoother things are going to run moving forward. Speaking of somebody that is on a full time position, Cat Adams joined the town hall. We are big fans of Cat. Obviously a cat crafted cat is what we are awaiting. But Kat joined to talk about the under the radar CMMC FAQ update that came and she wanted to review the changes that took place. And Joy, I first let's, let's talk about it. An FAQ again is a document that doesn't say this is new policy, this is new standard. This is clarification to existing policy or standard where confusion exists. You agree with that?
B
I do.
A
And so the areas in which they felt as though and I strongly feel they pretty much hit home run on this one, that the most confusion is coming out is about joint ventures, significant changes. What else did we talk about? Annual affirmations, CMMC UIDs and how they work into the affirmations and how they work into the bidding process, things of that nature. Hard copy CUI. I can tell you right now, out of the conversations in which I have, and I don't know about you Joy, but out of the conversation, significant change. Can I hide all of the work underneath of one certified body and still perform all of the work for the contract? And who does my annual affirmation? And I only have hard copy CUI, do I need this? Are the occupation of all of my other duties as assigned conversations that I have working at Summit 7.
B
Yeah, I don't feel the FAQs have really provided enough clarity. I know they're trying. I know that these are authoritative. But still when it leaves so much ambiguity for the interpretation, it's real hard for people to take these and go, okay, now I know exactly what to do.
A
Yeah. And I want to be clear when I said they hit a home run as far as the topics being hot button topics within the ecosystem. The output obviously opinions and results may vary based on, you know, how you interpret this. But as far as hitting a home run with things that actually need to be addressed I do feel as though they consistently point out the things that are among the hot topics and the conversations in which I'm having. Yeah, another hot topic conversation which is being had by the AB and this is being had between DIBCAC and the PMO's office and it's basically a policy sync and they discuss that policy sync and the progress as much as they could to the public on the town hall this month. And so the gist of it is that the AB and the people at the AB sat down with the PMO's office and representatives from DIBCAC to come, you know, align, get everything, are we on the same page, where are we going, are we traveling on the same pathway? Etc. And the two notable things and this is kind of weird, the two notable things, not kind of weird, this is again par for the course but the two kind of things that they wanted to share with the ecosystem that came as a hot button topics from that meeting was the certification badge development for OSCs as they certified and want to distribute or display proudly that I want to or if they want to distribute with confidence that this is what I have and I will get back to that in a second because I have something to tell you about that. And then FedRAMP moderate equivalency, where does it work? Is it going away? Is this. And so the one thing taking away from FedRAMP Moderate equivalency that Matt Travis distinctly said that people should take from this is that my impression is FedRAMP Moderate equivalency is not going away anytime soon.
B
I agree. I also think it was really good for everyone to be clear that DIBCAC doesn't have to go in and give their special blessing or do a separate assessment of an organization that is FedRAMP moderate equivalent. Right. The 3PAO does that the way that they would do for a normal FedRAMP authorization. But the difference is that they don't have an agency sponsor so they had to go through it. In my mind even more hoops and more controls would be applied to them without the ability to have an agency out there accepting risk and saying that there are certain controls that they don't have to adhere to or align with. So that I think had been a point of confusion because we did hear that DIBCAC had reviewed one or two organizations a while back that were FedRAMP Moderate equivalent or at least those organizations had claimed that DIBCAC had validated it in some way and that's actually not necessary. So it was good to have some clarity on that.
A
I think it goes even further. Right. Like if you get an assessment and you're using a FedRAMP moderate equivalent cloud solution, DIBCAC, it's outside of the purview of DIBCAC's responsibility and the assessment to go through and see if that cloud is federated or moderate. Right. The buck stops that. I have FedRAMP moderate attestation from insert 3PAO name here and I have body of knowledge or I mean a body of evidence to support implementation of controls that I provide for and support for for this client as a part of the shared responsibility matrix. Client responsibility matrix that is attached to the solution. Right. That's huge. Let's talk about the certification. But hold on, hold on before we get into this because I know we're going to get stuck on that. Many other topics were discussed during that policy sync, but they weren't discussed on the town hall because they still need to be discussed and the course of action needs to be developed between the Cyber AB and the stood-up C3PAO Advisory Council and subcommittees that exist. Right. So basically these are go forward marching orders and the AB is going to consult with their advisory council steering committee, however you want to determine it, whatever it is. And how do we want to go about, about this? How does industry think we should go about this? How do we best serve industry going about this? This is the right way to do this. Do you agree?
B
Agreed. Yeah. There's going to be a lot of topics discussed between the Cyber AB and the DOD PMO that we won't know about or hear about until after they've gone through that vetting process, if you will, with the C3PAO Advisory Council to make sure everyone's aligned at that level. Because the advisory Council in my mind is really helping to. I'm hoping to influence some of those decisions and represent the interest of the ecosystem where we see a lot of challenges to have some clarity come out.
A
And so speaking of clarity to come out, I'm not going to go too deep on this because I don't know what I don't know. But what I do know is that the certification badge to demonstrate an organization is CMMC level 2 certified is needed now more than ever because every request from a supplier, every situation for an order, anything that's going through, they're saying are you certified? If the situation requires certification, if they know certification is going to be required, are you certified? Do you have it? Do you have proof? And lately rumor has it there's some fake proof circulating around. That's all I'm going to say.
B
Yeah. So having that valid badge and having a way to tie it or validate it to the actual OSC that earned it. It's a thing. We knew it was going to be a thing. And now we actually are seeing that become a real challenge.
A
I wonder how much of a technical mind you are if you think that digital signatures don't exist and people just can't look. You know, we're just trying to get to the point where you can with confidence issue a badge. It says I'm CMMC level 2 certified. And the digital signature matches the organization name that's on the certificate. Is it too much to ask? Probably not.
B
But somebody out there was a. Somebody we know is a liar, liar, pants on fire.
A
So Beaver, whatever you want to call it. Yeah, Joy, this is my tidbit. We're going to talk about the ecosystem. It's our favorite part. And the ecosystem had some great news to report. Right? And that's not my tidbit. The crazy increase, you know, like the 1391 CMMC Level 2 certifications as of the end of last month, which is a 14% increase in output from the month prior. And not the 15%. That is huge. And not the 15% surge in assessors from a total of 858 to 988 total assessors. Like still nowhere near, like where. Oh my God. Everything's great, but great progress. Right? And it's not the 13% surge actually kind of is the 13% surge in lead CCAs, because that dictates how many assessments that can be conducted at a time. Right. You gotta. You gotta have at least one lead CCA. We know that. And right now we went from 499 at the end of last month to 562 at the end of this month. Right. A 13% surge in the increase. That's not the tidbit that I want to share. This is the tidbit I want to share. Did you know that that certification increase. Right. Is the largest increase in 2026?
B
Oh, across all those categories?
A
No, just certifications. Certification increase is the largest certification increase in the year 2026.
B
Wow.
A
You didn't know that?
B
I didn't know that.
A
We're gonna go for two. All right. Did you know that 15% surge in assessors is the largest increase in 2026?
B
Now I know.
A
Oh, yeah. Guess what else you're about to know that that 13% surge in lead CCAs is the largest increase in 2026. And I didn't have enough time to confidently go back and report every single one of the numbers and go through every single one of them in history. But I'm almost certain if we're not three for three, we're two for three in the greatest increase from month to month for each of those numbers. I think two of the three experienced the greatest increase in one month. I think the only other time that certification surge passed it is when certifications became a thing and we had that huge bump that was like 33 something percent and they were just keeping going and going. But it was also because there was only 12 certifications. Then we went to 36. We went from 1260 something to 1300. Like, we know I'm not good at math, but I got the percentages beforehand so I didn't fumble this bag. This is the largest increase in 2026. I can confidently say that, but I can also kind of confidently say I'm pretty sure two of the three, it's the largest increase they've ever experienced.
B
I'm so excited about this. I mean, it kind of feels like CMMC is a real thing now. Jason, what do you think?
A
I. I just feel as though every time we have conversations that say that the CMMC program needs more assessors because they don't have enough assessment capacity, the next the best thing to have from the Cyber AB reporting in the next month is the largest surge and increase in the assessment capacity that we've experienced and the largest surge in input. It's kind of like, hey, I thought you guys, you know, we weren't going to do well right here. Now let's hold my beer. Here's a 14% increase for you. We just want more people out there. Sometimes we just got to iron things out. Am I sitting here and throwing a parade saying we can assess the entire DIB right now? No, I'm not saying that. Saying they are doing a good job progressing to the point where they can do that. Yeah. And I think I have a valid argument.
B
You do? You do? I. I'd like to throw in a little interesting statistics that we saw last night as well. I like that they learned how to now use Zoom polling. Like it's so cute because when we teach the CCP and CCA classes at Edwards, we've been using the Zoom polling to like spot check knowledge as we're going and make sure that our, you know, students are staying engaged. So we're now seeing this in the town hall where they at least want to do one question each month. And if you tie that into the, like, what's happening in the ecosystem in general. I really thought it was fascinating that if you look at the percentage of who's attending these town hall meetings, were there any shocks to you in these figures? Because one of them actually really shocked me. We should talk about the. The numbers first. Number of people attending who are. Percentage of people attending the town hall who are involved in the certification assessments themselves. So those would be the. The assessor, community, CCP, CCAs involved in some way with the C3PAOs. Okay. That's one category. Another category are the people who are doing the consulting, working with external clients, or helping to do that implementation. All right, Another category is they're doing that implementation themselves. So they represent actually the OSCs or the defense contractors. All right, and then there's an other. So across the numbers they shared the percentage of people who are attending those town halls, did any of the categories
A
surprise you as it being a category itself or the percentages that it received
B
that ended up being the category itself? Like the percentage of people attending.
A
I'm gonna say other surprised me just because, like, we couldn't be more specific. What is other? Like, it just popped up in your algorithm, like, you know what I mean? I was just surfing. We were watching Ms. Rachel or whatever, and then Matt Travis is on my screen. I don't know how that works. But what about for you? What surprised you?
B
Well, what surprised me is the number of OSCs, the people doing the implementation themselves for their organization is. I'm like, that's. That's actually a lot of contractors out there, defense contractors now, who are so interested in what's happening that they're attending this monthly. Well. And they're attending it live. You can always go back and watch the recording if you're not, like, registered for it. Right. So I thought that was really great to see that level of participation.
A
All right, so other, you know, obviously piqued my interest because what does other mean? Is it people that do all of the above? Like I said, is it the people that show up in the algorithm, but now that you mentioned it, that does kind of the percentage that that represented kind of stands out because the first two categories are necessarily people that may be doing this for their job as. As a. I'm CMMC is my business. Right. Like, I'm an implementer, I'm an MSP, I'm an assessor, I'm a consultant, whatever it may be. I. Software provider, whatever. Right. But then when you get to that percentage being so high of People that actually this is an applicable regulation to them and their business depends on it, not their business thrives on it. Right. That. That is very surprising. I would be curious again, other. What does other represent? Is it the Renaissance person that is every single one of those categories? I am an OSC. I am trying to implement this. I want to do some assessments of my credentials. Or again, is it the people that just thought this was Ms. Rachel and they're like, why is she screaming and wearing glasses?
B
Or is it the private equity firms?
A
Oh, also true too. Like a lot of conversations about, like, what's happening in CMMC for PE. Lord. Yeah. Okay, so now another conversation that happened frequently. And Joy, we're gonna just sum it up quickly on this topic because this is the fifth, fifth segment in the past 12 months that has been dedicated. Now these town halls are intended to make sure that we clear the air, to make sure we distribute information. We the ecosystem is distributed information. The air is cleared within the ecosystem by the powers that be. Right. But this is the fifth segment of a town hall that is in the 12 calendar months, has been dedicated to help people determine the difference between a CSP and MSP, MSSP. Right. And the line of delineation is in. At the end of the day, conceptually it boils down to this. How does the ESP interact with you and CUI? If they interact with you in a certain way, if they interact with CUI in a certain way, if that includes storing, processing and transmitting CUI, I don't think your MSP is an MSP. It's a CSP, but we don't know. Every single detail is different, every responsibility is different, every concept of operations is different per solution or whatever. And it depends upon that interaction. And the biggest thing that you can do is scope it out. And there are questions that were listed. I implore you to go back and watch the town hall portion where they discussed this in depth and showed the things that you can do. Preventative scoping. And the documents, 800-145 obviously is a document that we'll list down in here and then. But the one thing that they did mention and we. This is no surprise to us, Joy, is that the largest gray area and where this question comes up of whether or not I'm an ESP or a CSP, it turns out to be with the small enclave solutions. The. The quick to. To go enclave solutions. I'm not here to bash, but I'm not here to say you're terrible. This is a terrible solution. I'm not. That's not what I'm trying to do here. 
What I'm saying is that the area of the biggest question and the goal of those is rapid deployment. The goal of those is cost efficiency and things like that. And then sometimes you start fitting some characteristics unknowingly. I would like to say, I want to be naive and say that unknowingly, this is what's taking place. And so at the end of the day, not the solution provider's fault, it is the customer's fault for purchasing the thing that didn't fit the regulatory requirements. So it is your job as the customer, as the client to go through and review those and make sure that they're there and then make sure that you choose somebody you have confidence in. It's going to give you documentation to support the stance that we are good enough in this area. Right?
B
Yeah. It's so hard to put that burden on the osc, especially with the amount of them that are just super small, can't even like barely have their own IT support in house and they're faced with trying to make a decision that carries that much weight behind it, you know.
A
Yeah. I mean is this significant change? Who's my affirming official? Is this going to get me in trouble? Am I putting this in the right cloud? Who owns this cloud? What is the cloud? Those are all questions that these organizations are technically having to answer right now. And so like the whatever we can do to help, obviously we're here to do to help but there's some stuff, especially being distributed during the town hall that organizations can do to kind of help themselves. Read up, be knowledgeable here so that you aren't kind of taken out to the shed as they like to say or whatever it is. A couple quick things from the Cyber EF the update. Well actually just one update. It's The Marketplace. The CMMC 2.0 Marketplace powered by Ramp Exchange under development, still not live and that they there is going to be a beta that is expected to launch sometime during the summer and the ecosystem is going to be engaged to provide feedback and to make sure that functionality exists for that before it goes live. So new and improved marketplace long ago from the old marketplace. I remember back in. Back in the old days the Marketplace but now another evolution obviously with new people and new capabilities able to focus on different things. We're seeing these improvements to make things more efficient. Last thing CAICO Corner joined and one thing particularly I think. Well, let's talk about two things. One that might surprise some people there are spot audits that are happening. There was a lot of data that was migrated from one organization's control to another organization's control. And there's a lot of check the boxes that needs to take place. Do you meet this requirement? Is this there? Do we have this documentation to support it? Are all the records in place in this new era to back you up in a migration as people may be accustomed to, sometimes things get lost, corrupt whatever it may be, or it just didn't exist. Right. 
So spot audits are taking place for certain credentialed personnel done by ISACA and they're just auditing the profile to make sure do we have this document. So you may be asked to produce a certificate number or an expiration date or a resume or something of that nature as they mentioned on the town hall. And not to be alarmed, you're not being phished. This isn't some sort of test. This is actually just to make sure that we all week that they get all your information up in order. And the last thing for the CCIs updates for the CCIs provisional instructor, CCI is certified CMMC instructor. For those that don't know, the PI is the provisional instructor. And it's a program that's going to go away at the end of the summer. And there's a transition phase for all the PIs. PIs that are already attached with credentials that have already obtained it, gone through the process, have been sent an email that came out this week that basically explains the process you need to go through in order to go from a PI to a CCI. And then if you are somebody that is on the list that wants to be a PI and you or wants to be now a CCI, you're going to get an email coming soon, very soon that's going to explain the more in depth process that you are going to have to go through in order to instruct people for CMMC. Anything that you had to add that ISACA dished out?
B
Nope. Pretty straightforward. I don't think there was any really new information since last month. But we are seeing now that the PI to CCI transition that those emails are starting to come out. Great stuff.
A
Yeah. And I liked your tidbit. You made me think there the, the great stuff on the poll. Like I, I was just like oh yeah, that makes sense. That makes sense. I was like other. What's other? See, you know where my brain immediately went. It's other. Like other could be anything, it could be this. Right? All of these. I know what they are and then you. You made it make sense for me. That poll was good. That's all we got for this week, folks. Make sure, like, subscribe, tell all your friends, and we'll see you next week.
B
Thank you.
Episode: May Cyber AB Town Hall Recap
Date: May 28, 2026
Host: Summit 7
This episode recaps May’s Cyber AB Town Hall and breaks down the most important updates and ongoing themes in the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) ecosystem. With recent FAQ clarifications, policy alignment efforts, certification statistics, and ecosystem growth, hosts Jason and Joy deliver color commentary and expert context on what matters most right now in CMMC—mixing seriousness with the podcast's trademark competitive banter.
“I don't feel the FAQs have really provided enough clarity...it's real hard for people to take these and go, okay, now I know exactly what to do.” — Joy (04:39)
Alignment Meetings: Cyber AB, DIBCAC, and the PMO’s office are working to align policy interpretations and implementation strategies.
Certification Badge Development:
“Rumor has it there's some fake proof circulating around. That's all I'm going to say.” — Jason (09:50)
FedRAMP Moderate Equivalency:
“DIBCAC doesn't have to go in and give their special blessing or do a separate assessment of an organization that is FedRAMP moderate equivalent. Right. The 3PAO does that the way that they would do for a normal FedRAMP authorization.” — Joy (06:49)
“Certification increase is the largest certification increase in the year 2026.” — Jason (12:33)
“If we're not three for three, we're two for three in the greatest increase from month to month for each of those numbers.” — Jason (13:09)
“I mean, it kind of feels like CMMC is a real thing now.” — Joy (14:03)
“The number of OSCs...that's actually a lot of contractors out there, defense contractors now, who are so interested in what's happening that they're attending this monthly.” — Joy (16:59)
“Not the solution provider's fault, it is the customer's fault for purchasing the thing that didn't fit the regulatory requirements.” — Jason (20:54)
This episode delivered a comprehensive update on hot-button CMMC issues, celebrating major progress in certification and assessment capacity, dissecting new clarifications from policy makers, surfacing lingering uncertainties, and championing the engaged and evolving ecosystem. The hosts’ blend of expert analysis and candid exchange made the town hall themes accessible and actionable to listeners invested in CMMC compliance.