A
We are back in the saddle, folks. It has been what seems to be a month full of Sundays since I was on screen with Joy and, you know, since we've been gone for a long time, a lot of things have happened with the Cyber AB, with the CAICO. And you know, I knew that inside of Summit 7's organization we had somebody that we needed to bring in to talk about this. And luckily for us, for the first time in history, joining the Sum IT Up podcast, the great, the powerful Jacob Hill. Jacob, welcome to the show.
B
Thank you so much. Excited to be a part of it.
A
Jacob, I wanted to bring you in because obviously training and content and things like that, that's something that's really kind of been in your wheelhouse. It's what you were known for, it's what you kind of made your name doing. And so one of the monumental things that we're going to talk about is the transition of the CAICO to control of ISACA. And in order to get to that nice and meaty, juicy stuff, right, we want to get through all of the other things that happened in the Cyber AB town hall. Not like they're not important, but just make sure that we cover them before we get to the meaty stuff that's going to occupy a majority of the show, I think. Sound good to you guys? Yeah. All right, let's talk about the welcome and update stuff. First and foremost, while we were gone since the last town hall, we have a new CIO who's responsible over the DoW, Kirsten Davies, who comes from private sector for the most part, joining. We had talked about, you know, how she was the nominee and then that long arduous process to get her nomination confirmed. That confirmation went through on the 23rd of December. Obviously thanks to Katie Arrington, who served in that position before, and whatever path that she laid for the CMMC program, now it's time to move on to a new regime. I'm excited to see what's on the horizon. I don't know what your guys' feelings are.
C
I love to see Katie immediately thriving in another role.
A
Yeah, well, automatically jumping into a sector with something related to see what impact she has there. And I really do wish the best for Kirsten Davies as she comes in and assumes a program that just got up and running. Right. Let's talk about some more updates that the DoW provided. And this is training and content related, Jacob. And I think you're gonna have an opinion on this. But realistically, not the training part that we want to harsh on this episode, but there's new resources available, training resources made available by the Department of War through a partnership with Defense Acquisition University. And so there are a bunch of topics in which they cover. Jacob, I wanted to see what your initial thoughts are before we dig into the topics about these new resources being available.
B
Yeah, certainly so. Dear DAU, I think they're called the War Fighting University. Now I am an alumni, I guess, because back in the government days when I was with them, I went through DAU training and forgotten most of it. It's been several years. In any case, they had put out last year three courses. One is an intro to CMMC, the other is a CMMC for practitioners and then there's CMMC for senior leaders. Personally, I don't know how to get access to those courses because they seem to be behind a wall that is asking for a CAC. Some people say that you don't need a CAC to get access. I'm not sure. So that's a little bit problematic. But they do have some micro learning small lectures out there that are publicly available. One is for OEMs, understanding the SSP, CMMC level determination and a few others. I looked at CMMC level determination, micro lecture. It's about eight minutes, took about a minute and a half to get into the content and it's an AI voice, but it is, it's not a bad AI voice, I'll put it that way. But it is some basic content that's good to be out there for the community to be able to consume. So you know, as a person who.
A
Takes great pride in switching up the voice on their GPS to be more festive or Maury Clubbeak and things like that, I appreciate something that recognizes the voice and the quality that's in it. I think what we can all agree is that these are more resources, more resources to increase awareness in the CMMC program. And I don't think any of us are going to be like, no, stop doing that. Will they improve over time? Yes, I think that now that there's a will, there's a way and there's the avenue, hopefully they continue to populate it. There's more training there. I know as a developer of training, Jacob, you know what the constant struggle is to keep up with requirements to make sure that we're covering everything into a piece, everybody. So here's a start. Congratulations for having those, those resources available. I want to talk about something now that essentially. Well, first we were graced with the CMMC FAQs, which were released while we were out of town, so to say, while we were on vacation. I don't know if any of y'all spent the time at a sunny beach, but the FAQs came out and the great and powerful Kat Adams joined the Cyber AB town hall and went over those three questions. With that being said, we're not going to harp too much on what was discussed there because she clearly explained from the point of view of the AB and the DoW what those FAQs mean and kind of how they apply to people. And we will also link the episode of the podcast that we did a couple weeks ago where we covered those FAQs so that you can reference that. I suggest that you watch both the podcast episode and I suggest that you watch the town hall and repeat to see what Kat had to say and see where those things align.
C
Yeah, you and Jacob did a great job really diving into those a couple weeks ago. Right.
A
Thank you. So good, good, good. Let's talk about a little bit not so good news, right? You got to throw that negative in there every once in a while. And the not so good news is that potentially looming. I'm not going to call it a foregone conclusion, but there will possibly be a lapse in federal appropriations similar to the one that we experienced at the end of the last fiscal year. Government fiscal year. Right. And so what they did on this month's town hall is kind of jumped in as they did last time, and said, these are the things that you can expect. These are the delays in which you can expect that. These are kind of the hindrances to the CMMC program in which you can expect. And the best way for us to relay it to you, the audience, is to say that basically whatever you saw last time during the government shutdown, if a government shutdown were to happen again and funding appropriations lapsed, you can probably expect the same user experience from here, right? The same delays at the Tier 3 screening, the same possible delays for authorizations of C3PAOs, but still assessments rolling on as scheduled and other things necessary to get done as scheduled. There's one difference and one caveat that Matt Travis threw in there is that some of the organizations that were impacted last time have already received their funding, clear list of what they are. So we may see some changes in improvements for the better and some of those expectations, but for the most part, expect the same user experience. Folks, state of the ecosystem. Our favorite part, before we get into the juiciest part, right, is it we want to see what's happened and we've been gone for a long time. And even when they did that emergency town hall, they tried to sneak in some updates in there and they threw some numbers in there. But we're going to talk about where the program stands right now, folks. And this is kind of the things that we want to point out that are super, super important.
First and foremost, we are at over 800 CMMC Level 2 certifications issued, whether they are final or conditional. Insane numbers. If you think about since essentially November, let's say November, we'll call November the point. 90 days.
C
Outstanding.
A
I know that some of them happened before then. Some of them were conversions of, you know, joint surveillance assessments and things of that nature. But program's only been live for 90 days and joint. During this semester, we get credit for.
C
Days or nine months.
A
Wait, n. What did I say? Nine month, 90 days. Well, yeah. So phase one went into effect November 10th, right?
C
Oh, yeah. Okay.
A
November to December. December to January. I. Julie, you know how bad I am at math and you go try to throw a wrench in there to see how I can get worse than that. You try to keep the boy on his toes. I understand what you're doing here, but.
C
We're not gonna edit that out.
A
No, we're definitely not editing that out. This is not coming out in post. So crazy eat it in math.
B
Because we've been talking about CMMC for so long, saying it's 90 days, like.
A
Kind of 90 day performance period. Have we ever had this? Right? Yeah. She goes, we're not going to edit that out. We're not going to edit it out. The first time in the show's history. I got math right. We're keeping that info for one producer. Tustin, I want you to leverage that. But listen, let's not. Let's not harp on that. In 90 days we are going to take credit for all the people that took and passed the final exam before the semester even started. We are at over 800 with some conditionals. And in addition to that, there's a hundred or so that are hung up, which I like to assume are something to do with either operational plans of actions or something like that, or false starts, as we like to coin. Right. Like, so people got started and we're like, your documentation isn't quite as good, but those numbers are over 100. So technically over 900 certifications being final or looming out there. And so that was the number one aspect that we always get hyped up about. There's another aspect, Joy. The people doing the assessments, how's that ecosystem thriving? Right. And I know from perspective that the things that we really want to track are the numbers of assessors and the numbers of lead assessors. That's the people that can lead the teams and fill the teams. Still trending upwards. 8% growth in the CCAs, 6% growth in CCPs and 13% growth since the last time we met in lead CCAs. With a promise from Mike Snyder that there are a bunch more in the hopper that he has to complete that process. How does that.
C
The lead CCA increase is pretty dramatic, actually. Like they're really cranking those through. I was happy to see it.
B
Yeah.
A
That's 48 since the last time we met. So 48 since December 2025. So that's 48 people capable of leading teams. That's 48 new assessment teams that have floors. More teams. More assessments. More assessments. More certifications. More certifications. We might get this thing done, folks.
B
Yeah. The interesting part about that though is I wonder how many of those folks will actually be part of assessments. Because I just became a lead CCA. I'm probably not going to be involved in assessments unless I, you know.
A
Yeah. So that is going to be, I think the thing that, that always unknown variable because there's no way for us to obviously track that. Like we could see who's been active in assessments, but it doesn't mean that that wasn't their intent. They just said they picked up or they're not a part of an organization. I, I will say that just from the number surface part. I just want to go with the fact that we could possibly have 425 potentials. And I would also think that somebody that was pushing to be a lead CCA wasn't maybe being a CCA, just a plain CCA to help your organization have that understanding. But going through the measures to be a lead CCA, I would hope, and this may be a naive, you know, wish that that person has the intent to perform assessments. Now you just proved that. You just debunked that. So you're going to need to do some assessments so I don't look dumb. Oh. But if everybody else follows that, we'll be in great shape. One more little tidbit. International. We like to keep track of international involvement and we're not going to go through all the numbers of all the organizations. We might flash it up on the screen during the episode. But there's four C3PAOs right now that are in the hopper to be authorized, that are non-US-based companies, one from South Korea, one from Canada, one from Australia and one from Taiwan. It's going global. We knew that the program had global RPAs. People wanting to be CCAs and RPOs, now full on organizations based outside the US because the Defense industrial base has organizations based outside the US. I know it's a weird concept to grasp but those people need to be assessed too. And there's standards, there is a process that's there. How do you guys feel about little international flavor to the CMMC program and assessing going on?
B
I think we re up military. We have military bases all over the, all over the place, you know, and so that they have to have a supplier base to support those folks. So I mean. Yeah, it makes sense.
A
Yeah. And if you think about it, the need for an assessor, even though a lot of stuff is done remotely to have somebody local in case there is that on site or in case there's things like that, to have people cleared in different areas where the Department of War, the Defense industrial base services totally makes sense as long as there's provisions in place. And obviously we know the DoW, DoD has put those provisions in place to clear the international involvement in the CMMC program. More involvement in the CMMC program. The people that call the shots. We got board of directors nominations and votings that took place right over and new people have been appointed to the board. We are going to display the picture of these new appointees here. Right. But there's a couple that we're going to send some special shout outs to because of personal relationships with them and admiration. Right. And for me, I had the privilege of serving with Beth Leonard on a panel at the last SEEK event and was absolutely blown away with not only her intelligence, her in depth perspective and approach to assessments and running a business for assessments, but also she was double dutying as we were preparing for that panel walking on Fashion Week in Paris. So a jack of all trades and now a board member to lead the direction of the Cyber AB. Congratulations to Beth. And then Joy, I think you have some shout outs to send for the new board appointees.
C
Well, Sounil Yu, I mean he's no Sounil Yu. He has been super involved in the MSSP industry for the last few years. But I remember when he came out with the Cyber Defense Matrix. I think I've sat in three of his workshops at RSA where he's presented variations of that over many years. I think the first one was in 2017 that I participated in and he's just so personable and so smart and inclusive and an amazing person. So it's really exciting to see him now as, like, I didn't expect to see his photo on the new board for the Cyber AB. And I was like, of course. It's. It just makes sense. It's such a great fit. So I'm really excited for him and for us.
A
I cannot emphasize enough the importance of having people with established backgrounds in different elements of industry. Right. Coming in and contributing to this program now and adding that perspective, because now we have outside perspectives, not a tunneled, singular approach of this echo chamber of the same people. Not saying that it was. I'm just saying that we are preventing that from happening by bringing people outside. Well respected people with accomplishments. So good work on the board of directors. I wish you all of the luck. We wish you all of the luck and all of the success in leading the program this coming year. Hopefully do a good enough job to get reelected. So we're going to get into the, the meat and the potatoes of everything here, right? We're going to talk about complaints, appeals, ethics, and then the CAICO takeover. But we want to get complaints, appeals and ethics out of the way because one, while I wish that we would spend an entire episode on this, I think that Cyber AB has spent more than enough time covering complaints, appeals and ethics, especially on the same topics, to the point where is the message getting through? Right. So let's talk about the role of the Cyber AB in these complaints and ethics before we talk about the complaints and ethics and, and things like that. That.
C
Right.
A
So they covered basically their role as the Cyber AB when an ethics complaint or an appeal for a certification or some sort of scenario appears and they have a formal responsibility under ISO and under their contract to ad, ad, blah, blah, adjudicate. Right. If I could speak. I did math, now I can't speak. It's never a complete package with me. Right. They have the corporate responsibility to adjudicate and respond to all matters that are within their purview. And they emphasize that because a lot of times sometimes matters are submitted to them that don't fall under their area of responsibility for CMMC. Case in point, anything to do with like the rulemaking and complaints and appeals about rulemaking processes. Cyber AB doesn't handle that. That's Department of War. They just carry out the rules. Right. All right, so there's the first and foremost, and they say that a majority of the submissions that they receive for complaints are technically outside of that, but for the ones that they do receive that are within their purview, the two most formal types of complaints they receive or the two most common types of complaints they receive are those against other members of the ecosystem. So people complaining about other people for violations of things like the COPC and then complaints about their performance as the AB from everything from you're not doing this right, you're not getting this certification, to my ticket to get my marketplace access took way too long. And so they do have a responsibility to adjudicate that. However, they do not hold a responsibility to communicate to you how they adjudicate this. So everybody right now, especially a hot topic of conversation is ethics violations and what people are doing and what this person's doing and complaints being submitted about this person.
And then the second thing that follows behind that, Joy and Jacob, I think you can agree, is when the ethics complaint sent or we see egregious violations, people are mad because the Cyber AB isn't parading the responses. Right. They're not saying, hey, thanks for submitting this complaint. We've done such and such and such to penalize this person that violated it. But there's reasonings behind that. Do you guys know what the reasonings are?
C
Well, it's part of. I know. Program. Right. That they can't publicly disclose. Like it has to be treated as confidential between the Cyber AB and who was. Who the complaint was against.
A
Yeah. So ISO relies heavily on confidentiality, especially in business processes. Right. For the organizations that have to adhere to it. And so this is a very, very sticky. Lots of legal ramifications, lots of reputational damage can take place in this scenario. So it is very, very important for the AB to strongly adhere to their requirements as a part of ISO certification in which they intend to attain. And that is they have to maintain some confidentiality. They don't go out great and say the ABC Company was doing some messed up stuff and now we've penalized them six months, no pay, no contract, whatever it may be. Right. That's not how it works. There's a way for them to remediate it. If the remediation that has been suggested by the party that you know, hears out the complaint, they abide by it and they're back in the system. And if they don't abide by the violating party, doesn't abide by it, then other penalties are levied. They just can't tell you. It's not that they're trying to be secretive. They're not allowed to tell you. And so we talked about how to submit those complaints and ethics appeals Right. What did they cover about ethics really quickly? The things that they've covered for the past four months. It has to get through at some point. We still, I think, regularly see violations of this that need to be addressed. But things like presenting yourself and your organization accurately and completely, don't fluff up who you are to get more business. Be yourself. If it's good enough, business will come. Charging fair and reasonable prices, not too high, not too low, foregoing making guarantees of assessments. You can't tell people they're going to pass if they come to your services. You got to help them pass. And then when they pass, be like, good job, we did it right. You can't be like, come to us, we're going to make sure you guaranteed pass, or we're going to send you to our friend for the seven minute ads. Right? That's not how this works. 
And then finally, you must refrain from making false or damaging statements about other members of the ecosystem. What I mean by this is we are all grown adults. At this point, I would like to assume that we are all entitled to differences of opinion. We are all educated. We can have civil conversations about disagreements to come to resolution without being like, you've got an ugly face. Case in point, your business is violating American trust or whatever mumbo jumbo you want to come up with to prove your point. That's not how this works. Stay professional, stay engaged. And if somebody's doing something wrong, do something to make them better. Don't try to knock them down and make them worse. Now if they continuously do those things after you try to help them, there's other measures and that's where the complaints and ethics come in. Right? Go to them first. Try to make the situation better. If it doesn't work, submit any. You guys got anything to add about complaints and ethics? Before we get into the juicy stuff.
C
I'll have to say that, you know, I, I've complained with you in the past on this about not getting more detail and not getting an acknowledgment when something has been submitted for review and that's actually changed. I was happy to, or I'm happy to report that when I submitted something recently, there was a website that a lot of people saw that was just in like the first. Both of the first two things on the slide that they shared about exaggerating the services and lowballing the price were being violated. And when I submitted it for review, I received a customized response acknowledging that they had received it and also that I wasn't the only submission to have them review that. And I was like, at least somebody's now acknowledging it. We know that they're looking at it and they're even seeing that. Okay. They're identifying when there's a trend or more than one complaint. So it was good to see that there's some movement there. And I think that Kat Adams, they said, is going to be the acting COPC, you know, policy coordinator at this time. And I've known Kat for a while. She's very fair and she's very good. So I'm. I'm really looking forward to seeing some.
B
I don't know what.
C
Hopefully see some changes.
A
Yeah, we begged for those changes. I think it was either last. It may have been our last show when we were asking for our wish, you know, around then where we were like, I really want to see some movement as to what's happening. I know that these things are happening. I. I've been told that people are submitting complaints about them, but where's the action? And. And to have that answer. Look, I stand corrected. I feel. Okay, sorry. Okay, I'll stop pushing. I'll stop asking. I get it. Like, I understand now. There's an obligation there. Should have known it before, but now it's explained and I've explained to others so that they aren't wondering the way I was or we were. Right? Just don't ask. You see things disappear. People start disappearing. You know what it's about. Juicy stuff. Guys, we brought you here. I. I don't know why we wasted all this time with. With this show all the way up until now. Right? Because the whole point of, you know, us bringing Jacob on and, and you both being here together is so I can ask questions. So I understand this ISACA takeover, CAICO, better. Okay. Don't tell anybody else. This is strictly selfish, strictly for me, but ISACA is going to take over the CAICO. And from my perspective, and from what I see publicly, the perspective is why are they taking it over? They couldn't handle the responsibility or, you know, all of these jumping to conclusions, knee jerk reactions. And instead of letting knee jerk reactions run wild. The AB addressed it a lot here. But I still think that there's some things that, you know, questions that remain needing to be asked. And I think that there's some information that needs to be covered or maybe we can dig into some stuff. And I wanted to ask you guys questions about the ISACA takeover and let your big brains run through it so that people understand it better. Are you guys okay with that?
C
Yeah, I think I, I would like to Jacob, and set the, the scene for this. I, I think he's got some great background to start us off.
A
Oh, let's hear Jacob.
B
All right. Well, I did some research into ISACA. I am not a member. I don't hold any ISACA certifications up to this point. I suppose CCP, CCA is rolling over. Yeah, but very interesting. The announcement that they put out, they framed it, ISACA framed it as an acquisition. They said this acquisition positions ISACA at the center of the largest cybersecurity certification program in the world. So that's quite a statement. They have around 300 employees compared to the CAICO, which had maybe less than 5. I'm not sure. They have over 190,000 members across 188 countries, which goes to the point of CMMC being international. They have that reach, you know, to an existing membership across the world. And just something interesting. The former CAICO director worked for CompTIA and Skillsoft in the past, so she had some big names probably involved. I imagine this was a very long process to down select to ISACA. So that's pretty fascinating as well. If you're not familiar with ISACA, they run CISA, Certified Information Systems Auditor, CISM, which a lot of people like as an alternative to CISSP. They also run CRISC, which I think, Joy, you have as well. And something interesting, I thought membership and certification is separate so you don't have to. You can hold an ISACA certification but you don't have to be a member. So I think something from one of the last town halls was they were considering, they weren't sure if CCP, CCAs would be also ISACA members. So the benefits of getting the membership is you get discounts on annual maintenance fees and access to free CPE opportunities. And then also I guess as a byproduct of ISACA becoming the CAICO. The CCP and CCA exams are now accredited to ISO/IEC 17024:2012 by ANAB. And that ISO standard is a conformity assessment, General Requirements for Bodies Operating Certification of Persons. So I see this as a maturing of the CCP, CCA certification and the whole ecosystem. Right. ISACA.
I mean, Joy, you can probably speak to this much better than I, but the curriculums for CCP and CCA have just kind of been. They're old, they're floundering, trying to get them updated. So ISACA coming in with that large workforce is really going to be a big benefit.
A
I think so. Can I ask a question real quick to interject on just what you said? So ISACA coming in with a quicker workforce. Right. I think that this was one of those things where the CMMC program is now live. Right. CAICO was developed, the foundations were developed with those five employees, or six employees, whatever you had mentioned before. But if this is going to grow and we have to improve these things, you're going to need a considerable amount of employees, like more employees to make it work. So you're saying that this is more of a strategic alignment for scaling and growth instead of a takeover because they could handle it, right?
B
Yeah, yeah, that's what I believe.
A
Yeah, that's a, that's what my assumption was too. But I was seeing some opinions as people were thinking, like, oh, you couldn't handle CAICO. No, this is a strategic move to make sure that the Cyber AB can scale with the way the program's going to go.
B
Yeah. And I also think that this gives the Cyber AB the opportunity because I know that Cyber AB and CAICO were separated.
A
Right.
B
But I think there were still some staff working across. Perhaps this is an opportunity for the Cyber AB to focus on what the Cyber AB needs to focus on. Like you were saying.
A
Right. So what does that mean for Joy? I gotta ask you, Like, I mean, you're very heavily involved in training. Actually, I met you because you wrote maybe the first book for CMMC training. Right. So this kind of, this, this kind of strikes home to you, like how, what, what is your thoughts, what, you know, what questions do you have left unanswered that you would like to know about?
C
Well, first of all, let me say that although it may seem kind of scary or daunting or confusing for those who have had the CCP or CCA for a while and all of a sudden they are being asked to access a new platform, do things like reporting CPEs. It is going to take a little adjustment and we have a lot more information coming. But I've been a member of ISACA and had my first certification since I want to say, 2015, so more than 10 years. And similarly with CompTIA with their certification. So if you've had certifications at that level for a while, you've been doing this kind of CPE reporting. I love the fact that the structure and maturity that ISACA has in place is actually going to give another level of credence or validation to the expertise that we carry that we embody as CCPs and CCAs. Like, this is a full fledged certification. And Jason, you and I have for a long time argued between the difference of an RP and a CCP. Even at that elemental level where people were not understanding what's a certificate versus a certification, ISACA is going to stand up that certification in a way that's a lot more powerful. In my mind, there's a lot of misinformation or confusion around what qualifies for CPEs. And I've been doing this so long that I got to tell everybody, settle down, it's going to be just fine. First of all, the three of us, all three of us are provisional instructors. So as we're preparing for our class and teaching a class, anything to do with instructing, presenting seminars, stuff like that, all of that can be accrued towards the CPE. So I'm going to read a few things, if you don't mind.
A
Of course. No, I'm going to have questions after because I don't figure out a way to get my CPEs.
C
I was seeing on like on LinkedIn, you know, we're always on LinkedIn and I was seeing that some people were saying, why do I have to take ISACA courses now in order to get CPEs? And there's actually a ton of ways that you can do that without attending or participating in anything ISACA established. So let's take the first one. Non-ISACA professional education activities and meetings. These activities include in house corporate training. How many of us are going through corporate training that has to do with CUI, CMMC, you know, the AT domain every single year, probably every month. All right, so that time can be captured. University courses, conferences, how many conferences are we attending that pertain to CMMC, the defense industrial base, anything with CUI, seminars, workshops and professional meetings and related activities not sponsored by ISACA. Now these can't be in the normal, you know, your day to day I'm having a professional meeting, so I'm going to claim that. But maybe a professional meeting where you are meeting with industry stakeholders and you're talking through and there's an even another area like being a member of a working group, peer groups, things like that. When you go to report your hours, it will ask you to identify what category it falls into. So you could say non-ISACA Professional education activities and meetings is the category and then it gives you a brief description field for you to say what it is. I just type in there exactly what it was. The date, the time, how long, how many hours I did that for. And there's no limit to the number of hours you can enter. All right, the next one is vendor sales and marketing presentations. Jacob Hill and I, in January alone, how many hours of this do we already have? Right. These activities include vendor, product or system specific sales presentations related to the certification domain.
If you have the CCP or the CCA, there are so many vendor sales and marketing presentations that you could apply to get credit for this. Now that has a 10 hour limit annually. The next one, teaching, lecturing, presenting. Like I said, we're all provisional instructors when we're teaching the CCP class. The cc. But even more than that, presenting could be. I'm presenting on the CUI hotline. What it is that I understand about 32 CFR as it applies to CMMC level three. Right. I've done a lot of background work, whatever that is, I can put that in there. And there's no limit to the amount of time for teaching and presenting. And as a matter of fact, the first time that you teach an actual course, you can do five times the number of presentation hours because it helps you to incorporate all the time you spent developing that material. That's a pretty big.
A
So the time to prep and present are all part of the continued education because you're learning the stuff that you're going to present and then presenting.
C
The first, the first time you do it now, when you do it after that you're just doing meal time. But the first time you get to account five times the amount of hours to capture all that preparation time.
A
All right, so I'm asking for a friend and I'm the friend. A lot of the stuff that you've run through sounds like a lot of things that I could probably get educational credit hours for if they were like, I don't know, a podcast that was vertically specific that presented information that allowed you to understand the concept better. Am I correct? Like, and maybe if it aired weekly and I liked and subscribed to it and then told all my friends and then every week I. I listened to the terrible dad jokes and poor mathematics that takes place during the show that I can actually get CPE credits for this.
C
Well, by terrible dad jokes and bad math, you mean CCP, CCA, CMMC-related content.
A
Yes, you can get translated into terrible dad jokes and demonstrated through poorly executed math. Yeah, correct. Okay, so that's.
C
So there's two more quick categories that the other one, the working groups. Anytime you're contributing as certification review, manual development, knowledge center contributor, professional research development. Those kinds of things are like if you're a member of the C3PAO working groups, any of those people can apply that time. And then the final one that I really like is mentoring. You actually, if you're listing the name of somebody that you're mentoring for the professional development of their career and it relates to the CCP, CCA, CMMC, and you're giving them mentoring, that even qualifies. Now that's a 10 hour annual limit. But just in what I just described there, I think that everyone I know in the ecosystem is going to have no problem doing 20 hours a year. I think the requirement was, it's pretty.
A
Straightforward if you're getting 10 hours a week, that the limit is for preparation and viewing of webinars and stuff like that. And in the last category you just listed or that's 10 hour max that you get. Not a week, but max, right? For the certification, there's your 20 hours. So again, in a lot of cases, sometimes the anger that people express publicly, right, has to do with a lack of awareness and understanding, right? A lack of ability to grip the concept. But then when you have somebody as, I don't know, calm and serene of a voice, as Joy Bielen, that comes on and it's like, hey, don't panic folks. This isn't as, it's not as bad as you think it's going to be. Here are some examples.
C
And here's the thing too. A lot of people are investing a lot of money to be a CCP CCA and just keep looking at, and without understanding it, they keep looking at this as more money, more money, more time. Like when am I going to start to see a return on my investment? So I have a lot of empathy, especially for the people who have never had a professional certification before. I do. I just want them to know there's an answer and it's free.
B
So, yeah, and I, I do think that one of the takeaways from ISACA becoming the CAICO is the CCP and CCA just became more valuable, you know, because of their backing, because there are accreditations behind them. They're, they're a big name. So it did become more valuable and you become more valuable because.
A
So I. One of the other questions that we see publicly about this ISACA CAICO transition, right, is like obviously the CAICO, the training material, what do the training materials automatically switch over to ISACA sanctioned training materials? Are we finally going to get tests where the language that's used to ask the questions is universal and not told from the perspective of the person that wrote it? There's a lot of questions that I have here. Do you guys have any questions about maybe what's going to happen to that ecosystem of developed people that were supposed to provide the training and is that still going to be leveraged?
B
In December Town Hall I asked that question multiple times and it was not answered. But based on my research, here's what I think could happen. So the LTPs out there for LTPs that teach you organizations. ISACA does have its own authorized training organization program. So I'm kind of thinking that LTPs could roll underneath that program that's exactly existing today. Now for the LPPs who create curriculums today, I'm not sure because today ISACA does provide curriculums for their training organizations. So I don't know what that's going to look like.
A
Would you think, oh, sorry, this is like on top of your question. But Jacob, so when you study for any certification and you go to like the ISC2 or the ISACA website, obviously there are training resources that are available and courses in which you can purchase. There's the self paced course and there's the instructor led course. Do either of you foresee a situation in which when this is up and fully running, that when we select that for the CCP, CCA, CCI or whatever other you know, certifications come up, when we select that instructor led training, now we're going to be partnered with a company like Edwards or Space Coast Cyber, any of those other training providers. Is that kind of what you guys foresee happening? I'm not saying that you think that this is what's going to happen or no, sorry, I say foresee not that you know that this is exactly what's going to happen, but wouldn't that make the most sense? And is that what you guys believe as well?
B
I would think so. Personally, I think that the folks who are teaching today would possibly roll into their ATO program, their authorized training organization program because they have to have folks who can teach these material right to start with. I do think that it could expand, but I, I do think that many of the organizations, I'm not sure Learning Tree might already be an LTP. And I know they were on, I saw them on the ISACA website as an ATO. So there might not be as many names introduced into the pile as we think at the end of the day because I think many of them are already involved as LTPs.
C
Yeah, what I would love to see is similar to how it works like for the CISM right now is you go onto ISACA's site to the CISM and then it lists all of the training providers and I think it lists their fees. But to have that all under one umbrella for the CCP or the CCA is going to be a benefit to the community. We're right there. They can see all the ones teaching it, whether it's virtual, whether it's instructor, whether it's in person and be able to filter accordingly. Like ideally that's what they've been doing for their other certifications and hopefully that would now apply moving forward for the CCP, CCA. I think it's just going to benefit the community in every way.
A
Yeah. Do you think it's going to like, like, like the market economics with it because of that centralized location where you can click and drill down and pick somebody before? I. I would think that the marketplace for the most part was word of mouth and people following names of people and names of organizations. Right. Either there was an instructor that they really respect that they found out this person teaches here and they want to take a class from that person, or there was a name that established itself as a leading ltp. Now what you're saying is, especially with international involvement and as more people become involved and they're not more originals. Right. That have been here since the program developed and seen these names develop, that they're going to go to a central location and so it's going to even out for the ATPs, LTPs, whatever it may be, that make their way over.
C
Probably make it more competitive. Yeah. I mean, imagine if they were to do like a review system as well. So you know that even though somebody might be dirt cheap, that they may not have as great a reviews or the opposite. But that would be pretty cool. Let's make a wish list for ISACA. Since we've been doing it for the Cyber AB.
A
Yeah, we just throw the wish list out there. Sometimes they answer it. Like we found out they were like, hey, stop asking us to tell us about complaints. Shut up. We're not allowed to tell you. You know, sometimes they don't like the answer, but at least we get answers. I, I do want to make a wish list, but I do want to ask you each one question. Right. I want you guys to answer this question. Maybe a little bit vulnerable for, for the second. What is your biggest concern with this takeover? What is your biggest area of unknown? What is the one thing that you. Maybe it is your wish list. What is the one thing that you want an answer to that you feel like you haven't been able to find the answer for? Right now, the top priority question, the burning question for you guys, what is it? Not everybody at once.
C
Joy, My question or my biggest concern is that this isn't going to slow down the availability of updated curricula because it's desperately needed. And I know that there are many partner publishers that were in the final, you know, ready to get the updated CCP out there. And so if they have to go through a whole bunch of new hoops and new processes, I'm just concerned that it's going to slow it down even more at all.
B
Concern, I think on my side, I suppose it would be maybe what other people are saying about am I, am I going to have to pay Cyber? And then also ISACA, I would think they would work that out so that doesn't happen. But that's kind of something that's lingering in my mind as a holding, you know, CCP, CCP, CCA, Provisional instructor, lead CCA, you know, wondering how that's all gonna work.
A
And the communication. I know that we've seen that when processes become automated or they transition to different websites and stuff like that, sometimes there's some new bottleneck that emerges. I think for me the largest concern in which I have is that with this switching to the CPEs, even though we've explained that the CPEs are relatively easy to collect, sometimes people just forget to collect them. Yeah. And we've done such a great job with growing the ecosystem. We've done such a great job with increasing the number of assessors, you know, professionals of lead assessors. For a small hiccup, like forgetting CPEs to be something that kind of relegates you back to not being a certified professional or assessor or lead assessor. I hope that that's not something that causes the numbers of the ecosystem and diminishing.
B
I would love to see actual assessment experience be available, you know, as a CPE opportunity. That would be nice.
A
Yeah. On the job training. I don't understand how you're not continuing your education by participating in the thing that your skill that you were certified for on a daily basis. But I, I kind of, maybe that's just like low hanging fruit are already given. Like we're not awarding fish for being able to swim. Right. So like I, I get the way it goes there. Jacob and Joy, as much as this pains me, this brings us to the end of this episode. But based on kind of how the episode went, I don't think this is the last time, Jacob, that you're going to be joining us to talk town hall. And Joy, I hope, I pray to God this isn't the last time that we're together on screen to talk about town hall, because how much fun do we have? We're at the end. I thank you both for joining us. Thank the audience for joining us. Make sure you watch every week to get your CPEs, like, subscribe, tell all your friends, and we'll see you next week, folks.
B
See y'all.
C
Thank you.
Host: Summit 7
Guests: Jacob Hill, Joy Bielen
Release Date: January 29, 2026
This episode provides an in-depth recap of the January Cyber AB Town Hall, breaking down the latest developments in the Cybersecurity Maturity Model Certification (CMMC) ecosystem. It highlights critical updates from the Department of Defense (DoD) and Cyber AB, the evolving training resources, program milestones, community ethics, and, most notably, the transition of the CAICO (CMMC accreditation body) under control of ISACA. The team addresses community concerns, dispels rumors, and offers first-hand insights about navigating changes in training and certification within the CMMC landscape.
Joy Bielen reassures CCPs/CCAs about the CPE process; ISACA maturity brings “credence or validation” to the certifications.
Concerns from the community:
The tone is approachable, conversational, and at times humorous—with inside jokes and light ribbing (see the running dad-jokes and math flubs). The podcast balances serious technical insight with community encouragement and practical guidance, often seeking to reassure and empower listeners through uncertainty and change.
This episode is a must-listen for anyone involved in—or impacted by—the CMMC ecosystem. The hosts deliver actionable updates, clarify confusion around the ISACA transition, and provide pragmatic advice for maintaining CMMC credentials. By blending technical assessment with practical community concerns, the conversation offers both concrete updates and a sense of perspective during a period of rapid change. Listeners will come away with a more confident grasp on where the CMMC program stands, how their certifications could be affected, and how best to continue their professional growth and compliance.