A

We are just a little over 140 days into the CMMC program and the time of the month has come for another town hall, which means it's time for another town hall recap show. As you're seeing as your screen shows you, milestones have been achieved. Unfortunately, departures have been announced. CUI is still confusing. And the Keiko takeover is officially official. Right, and that's what we're going to talk about today. Joy. It seems like the months are now flying by. The program became final, and every time we turn around, it is time for another town hall show. And it is time that I can get all excited because that means that you're joining the show and we're going to go over all the things that happened during this week's town hall. How you been?

B

Thanks, Jason. I'm great. And there's a lot to discuss. I. I love the amount of topics covered in these town halls now.

A

I do. And I like that we're finally hitting big milestones, you know, obviously in the program, which we're going to talk about deeper. And then obviously we've been at this long enough that we've seen people come and go. We're going to talk about some people coming and going today, unfortunate as it may be. And then one of our friends, a friend of the show, joined the town hall and discussed a very confusing topic. And then the CAICO has taken over ecosystem growth as we always love. So let's just dive into it. Okay?

B

Okay.

A

So first, we would be absolutely remiss if we didn't leave the show the same way the town hall let off by wishing happy trails. And a warm thank you to the great Stacy Bostanic, friend of the show. Never actually been on the show. I've been privileged to have many conversations with Stacy, both public and private. I've been to see her speak. I appreciate her for all her work. I know the show appreciates her. Joy, I think that you could probably summarize feelings for Stacy better than I can. And obviously not a tragic departure, but one that you didn't want to see for everything that she's done championing the broadcast program thus far.

B

Yeah, I felt that. First of all, Matt nailed it when he talked about her energy that she brings to every conversation. I mean, she's a fireball. It was really great to be around her and witness also the transparency that she brought and tried to bring to the program. And after we went through our long period of no communication from the DoD at the time, it was great to have her step up and really communicate with everyone in the ecosystem. So I'm going to miss her a ton and hopeful that we'll stay, you know, connected through some means. But man, she contributed so much to really launching CMMC in the right way and I'm going to miss her.

A

Yeah, I think the whole program is going to miss her. And obviously, onward and upward as we have to push forward, no matter who comes and who goes. Right. Thank you, Stacy. And so one of the other most recent departures from the, from the do. Right, the CMC program, the CIO's office was the CIO, the acting CIO, Katie Arrington, who was replaced by Ms. Kristen Davies, who actually had to sit for congressional testimony within the last month. And they covered that on the Town hall. Joy. And, and basically, you know, to, to sum it up very quickly, the testimony, the main things she was directly asked about CMMC as Matt covered the town hall. And one of the sticking points that she was asked about is one of the industry talking points is cost, cost associated with cmmc. And the response that she gave was basically, we'll take a look at it. Right? That's, that's what she said. We'll give it a look. We'll see what there is. As we've said on the show many times, there's nothing in the budget for this year. I wouldn't expect anything coming in this fiscal year. I don't know if there's anything or any capability in the budget for it to come. I just wouldn't make that my plan to wait for funding to come to help for cmc.

B

Agreed. Yes. It was interesting, the lowdown report that they gave on, on the GAO report findings, because I was just listening to your episode last week where you and Jacob dove really deep into those report findings. And it's not a thing. It's like a good thing. Right.

A

So it's good and it's bad. Right. So let's, let's talk about it because Kristen Davies was asked about this. Right. And on the Town hall, they also discussed the GAO report as its own separate topic. Right. And that report, yeah, if you looked at the scoring for all of the things, there were seven total categories which needed to be achieved, and according to the scoring metric, 6⅓ of those categories were achieved. It just happens that the one category which was not fully achieved and they weren't given full credit for, it's a pretty big one. It's, you know, the evaluation of external factors and what you're going to do if those external factors are going to impact your ability to roll out the program. As far as the resources that the Dow has for the dib, GAO finds that to be great. As far as the Cyber AB's plan to implement the program, GAO finds that to be great. It's just the detailed evaluation of external risks and the granular explanation of each risk. And if that risk presents itself, how are you going to mitigate that risk? Specifically is the thing in which they. They lack. So what they had to do based on that GAO report is come up with a plan for to address each of those risks and then submit that to the office for approval. And then we can get the perfect score, 95% still, right. When you go through and you average six and seven, six and two thirds out of seven, it's an A. My kid came home with an A. I'd be okay with it, especially for scrutinized as the program is 95% from the government Accountability Office. Some nice little feather to wear in your cap, I guess. So to say. Yeah, let's talk about the fun things and the milestones, right? We're going to talk about the state of the ecosystem and ecosystem growth. And any milestone that's worth celebrating around here is something to do with the growth of the ecosystem. And more importantly, the first major milestone officially announced during this week's town Hall. Over 1000 CMMC Level 2 certifications, final status certifications have been issued. What makes that interesting is the program just launched in November and technically only until November this year is when the Dow is saying that these are going to appear. So these are more proactive companies or companies that are being forced or pushed by pressure from their primes who are getting their supply chains in order. Either way, a thousand of them have been completed and then not to, you know, again, feathers in the cat. 10% of those are Summit 7 clients.

B

Amazing.

A

Yeah. So it's nice that proactivity. We can't preach proactivity for four years and not at least have a good chunk of that percentage going on. So like that worked out and everything went there. The other major milestone. And again, I know that when the GAO probably was evaluating the external factors, one of the elements they evaluated was the amount of C3PA organizations. Right. How many organizations are there that can conduct the assessments? They did evaluate the lead CCAs and the capability of lead CCAs. But in discussions with C3PAOs, Joy, I find it to be that the lead CCA is the number that we should key on as opposed to the number of C3 PAOs and the reason why is because we see some C3 PAs out there now operating 8, 10 with plans of 12 to 14 assessment teams. And in order to have 14 assessment teams, we know good and well that you need 14 lead CCAs. No matter what, you need 14 leads. So the, the full capability of the CMMC ecosystem, in my personal opinion, resides in the ability for us to grow the lead CCA number because that determines the amount of teams in which we can have. Obviously you need assessors to have CCAs to have assessment teams, but you can't have the assessment team without the person to lead the team. Can't have the team without the coach. That's just how it works.

B

Totally agree. And we'll talk a bit more about the Keiko and Isaca part of the town hall that I think is going to impact the growth of the CCAs temporarily and those lead CCAs. And we'll circle back to that, though. It's very interesting. I agree, though, that the number of C3PAOs isn't nearly as important as the number of lead CCAs.

A

And last. So when we, last month when we talked about the ecosystem numbers, I personally was hypercritical of the ISACA takeover and the impact that it may have on the ATPs and the apps. Right. I thought the ATPs would shrink. Apps would drastically shrink. Right. Because ISACA has that whole thing in order. Right. One of the surprising elements reported this month is a 10 growth in the ATPs. Right. Was it the ATPs, the training providers? I want to double check. Yeah. So now we're over 50 of those. And, you know, we'll get into this later in the Keiko section again, but they're still going to have a purpose. And it sounds like that psycho has a plan for them, the publishing partners. No change in their numbers. And I don't think that we'll expect to see any growth in that part. Another, again, steady 10 growth for another month or close to 10 growth for another month in lead CCAs. As we talked about that being a key metric here, just to point that out, that is the credentialed position in the ecosystem that is growing at the fastest rate right now.

B

Yep. And it makes sense.

A

All right, Joy. So, yeah, we've talked about ecosystem growth, we've talked about, unfortunately, Stacy leaving. We've talked about the congressional testimony of Kristen Davies. There's some Cyber AB staffing news to get into anybody who has ever, and I think that we both can relate to this, ever tried to get in contact for clarification with Matt Travis about anything can understand that he is harder to pinpoint than Mr. Waldo himself. So Mr. Travis now has. Well, the Cyber AB has a director of Executive administration. But the way that Matt, you know, introduced Emily Ermelini and Emily, I apologize if I didn't pronounce that correctly. As somebody with a hard to pronounce last name myself, I understand your pain, I did my best. But Emily Ermelini, stepping in as the director of Executive administration for the Cyber ab. And so she is the person that you're going to want to, if you need to talk to Matt Travis, if you need Matt Travis to show up at your events or things like that, that's the person now you can go through to try to, or at least tag he. He recommended tagging her on the communications. If you're trying to wrangle him up. I am not. Those are not my words. I do think that those were his words, wrangle him up. It's very tough to wrangle him. So I think that that's a positive move in the direction especially as the ecosystem grows, as the more responsibility he has to maintain and the AB has to maintain and maybe more inquiries as more assessments happen, more, more challenges. Whatever it may be, it's very important to have avenues of communication to get to the person in charge.

B

Agreed. And I like that her background is working with the AB board already and doing their meeting minutes and so her level of familiarity with the program and some historical context to who are the key players. What does this all mean? It's already in place and I think she's going to be a great value add.

A

Yep. Welcome to the show, Emily. And then the other staffing news that Matt announced during this month's town hall was in the future we're going to have a new Director of cybersecurity and compliance for the Cyber ab. Obviously somebody that's going to lead their efforts for, I don't know, things like maintaining CMMC certification, I would imagine maintaining their ISO certification and any other accreditation board related certifications that they're going to have to maintain or pursue in the future. It sounds like that this person job coming soon. For those out there eager to work with the Cyber AB and are pretty good in cyber and compliance, now's your time to shine. Sign up, see what the resume does right. Hi Joy. I Ryan. Ryan Bonner is probably one of the smartest people I know, period.

B

Yep.

A

Point blank case, full stop right there. Having Ryan Bonner join and provide clarity to a topic on the town hall was a Very good move and probably one of the best moves that they made in, in the recent months. And the reason why is because he was in depth and he was thorough about cui. Could I do that? No. I do want to talk about some of the key factors in which he pointed out and see if you had anything to add to it. I will praise him for his clarity and conciseness. Obviously he's a friend of the show, been on the show many times, but one thing that he had pointed out initially, right. Is that where he and he deals with a lot of contractual stuff, finding CUI and contracts, it's like he can sniff it out better than anybody in the world. But where his organization and specifically him, where they are seeing a CUI pop up or CUI requirements pop up or an RFIs and sources sought are specifically where they are seeing those pop up. Now for organizations ahead of time. Have you heard anything similar to that, Joy?

B

Oh, 100%. I mean, first of all, Ryan being on the Cyber AB town hall, like I love that we get to do the recap thing, actually watch the recording, I would say actually go in there and hear what he had to say from his own mouth because he is so valuable in his expertise. And of all the Cyber AB town halls over the years, I would put having Ryan on there in the top three for value of content. So yeah, big fan of his and everything that he shared. We'll go through it. But really valuable.

A

Yeah. A couple other key points in which Ryan pointed out or put out is that as we've noted on the show, but I think industry is becoming well aware is that Primes are mainly driving the awareness through their subcontractors. And what he is seeing is more activities from the primes, more webinars, more letters, those love letters that come down saying hey, get in order and overall interaction with their supply chains. And the reason that they're doing that is because they have to be ahead of the game. Those love letters that come from the Dow about the phase rollout and when these requirements are going to show up in contracts are addressed to their primes and those primes don't have a crystal ball as to if and when one of their contracts is going to appear and going to have those requirements attached. And so when that comes, a prime only has the procurement administrative lead time, the PALP time from when they submit the submission and the contract is awarded to not only have their house in order as far as their own CMMC certification, if that's applicable, but for every UID that's attached to that contract. They're also responsible for getting that reporting and maintaining that reporting up to the contracting officer. So I thought that that was a very key point that was driven there and that because they don't the crystal ball, you know, I just think it was the analogy of the crystal. Crystal ball. I wish that we could predict when this is going to come out, but right now the DoD is just saying, hey, our prime contractors, starting November 2026, you're going to start seeing this. And whenever you see it, the lead time or the leash time that you have to get your stuff in order hasn't been very long and the window's always shrinking. With one of the questions that came through that, you know, Matt was very engaging with Ryan and he had a bunch of questions that he specifically asked to kind of draw some information out of Ryan. And one of them that I thought was pretty interesting and I wanted to call to note was that he asked why is it so difficult for companies to know if they have or if they will get cui? And specifically the answer in which Brian provided for the defense industrial based side, so for the OSCs and things like that, why it's so difficult for them is because from his eyes, he is witnessing that they are at the wrong end of a game of telephone. And if you're familiar with the game of telephone, it's where you stand in the line. Somebody whispers in their ear a message, you can't hear it out loud. And by the time it gets to the end of the line, it is brutally and bashed and murdered. Right. It's just absolutely done. And so that's what's happening is that it comes from the contracting office or the program office or whoever it may be. And by the time that game of telephone gets down to the osc, the, the second tier subcontractor, third tier, the message is so diluted and jumbled up that nobody knows exactly what it is. Yeah, this is cui. It's not cui. But what everybody can be assure is they don't want to be the one that doesn't market appropriately. So it's either overmarked or like, we're not sending this whatsoever. Right. Joy, did you, do you think that or do you agree that. I think that, that by thinking that that is the source of a lot of the confusion, an identification of CUI in the div is that game of telephone. And everybody that's playing the game of telephone isn't 100% sure if the message they're receiving they understand it fully.

B

Yeah. The way that he described it made so much sense also too kind of the insight for how when they're starting the program, they may not necessarily be sure what parts of the schematics and documentation that they're distributing are indeed going to be cui. They're not quite sure about maybe some of the distribution statements and so or the designation indicators. And without that information up front, when they're putting out the RFIs RFPs, it's hard for everybody in the chain to understand what am I expecting here? But there's also like, it really made sense for how the Department of War operates through the, from acquisition, the program manager through the acquisition, the contracts going down to the primes, all the way down through the contracting chain. Very interesting to learn about yesterday.

A

Yeah. So the DoD IG report about the marking I think is going to cause this to be even more of an issue. Right. Because again, we were over marketing things, things weren't getting released. They were supposed to be CUI could be released to people, but we were marking them as absolutely government only or some other designate designator block, which stopped their distribution the way it's supposed to be. And it's just a clear demonstration on multiple levels that there is still, from the top down, a. A clear misunderstanding as to necessarily what needs to be marked and how we need to float down. But if you watch that 15 minutes or so with Ryan Bonner from this week's Town hall, it is definitely going to change the way that you look at that and the way that you act. Last thing before we get out of here. Official this week. What's that

B

at the end too? When he takes a couple of the Q and A Q&As at the end, I would. If you're only going to listen to part of the town hall, make sure you get the end, the Q A as well.

A

I will agree. Yeah. Because he did answer a good portion of Q A during the town hall and a lot of them were addressed to like, specific scenarios. What about this? What about, you know, my ssp, which is don't get me started. But it's just one of those things, right? Like it's a lot of these things, these little nagging questions that realistically, if you think about it, the identification of CUI and where it goes in your environment is probably one of the first things that you need to do if you're going to start your implementation journey. So if anybody is having confusion right now about the first stage of their journey, that means the journey probably hasn't started and the longer they stay confused, the longer it's going to take for them to get started. Just talked about there's not a very long time and we don't know how long it is. So getting that clarification is definitely crucial now. Last thing before we roll out of here, Joy. Again, effective this week, the Keiko takeover. Okay. It's what we're going to dub it. The transition from the Cyber AB and the people internally at the Cyber AB and their staffing that is trying to gradually scale up as the program scales up to a more well oiled machine, a well known machine in Isaca. Right. Fully staffed, their own processes, their own ability to churn out learning materials and stuff like that. And so I don't want to butcher Todd's name, tough name month for us here, but Ganon, I think that that is Todd Ganon. I thought it was Gagnon, but it's Ganon. Sorry, Todd again, I can relate. Right. But so essentially Todd joined the, the show, joined the town hall and just was. He did a good job of answering questions too, but just putting out some before this happens information, some transitional information and there's some good bits of information in here, Joy. Basically moving forward, starting now, starting as you're listening to the show, the process to acquire any CMMC credential, CMMC based credential, ccp, cca, CCI coming soon. We'll talk about that in a minute. All of the other credentialed personnel positions. Credentialed positions. So not the rp, the rpa, anything like that. That still stays with the Cyber ab. The credentialed personnel positions go through Isaca and the Isaca process. You sign up for the exams there, you sign up for the training through them and then the providers are in that marketplace, you get linked to them, et cetera, et cetera. And on the website is live as of yesterday at 10:01am at the time of this show. Right. Yesterday at 10:01am website went live and also new credential badges went live. So if you're a credentialed member of the ecosystem, you know how now have a new shiny flashy Isaca badge. I think they were Credley before or Badgley, one of those brands before you have new transitional ones that you can log into your account with the instructions that you have or the already existing Isaca account that you have. How do you feel about new badges? How do you feel about Isaca takeover so far before we start digging into how things are going to Carry on from this point forward.

B

Well, first of all, the badges are amazing and they're exactly in line with the other ISACA credential badges that I have. Very nice, very clean and professional looking. So I'm excited to download mine and get that one in action. How do I feel about the takeover in general? I think that there's necessarily a lot of fallout that's happening like with the licensed partner publishers that we touched on earlier. But I do think that ISACA brings a level of professionalism and value to, to the credentialed individuals that is going to over time really prove itself out and it's a good move. The other thing that I liked about Todd coming on and talking through some of these challenges is that he really gave the reasons and leaned back into look, these are some of the ISO requirements. Like we really don't have much of a choice on a few of these. So that made a lot of sense. I know that the ecosystem is pretty upset about the exam fees. I got to tell you though, the exam fee for the first year as they were to like $760 or what, what it's going to come out to, that's actually less than the last exam and certification that I sat for, much less through ISACA for the CRISC credential. So they, they are trying very hard to keep it affordable for our ecosystem. I think a lot of people don't realize that.

A

Yeah. So one of the things that ISACA for me in earning credentials is some of the self paced training which may be a little bit cheaper. So if they add a self paced training instead of that instructor led training because as we know, once you start adding instructors in there, the cost of it goes up and obviously it's more thorough, more in depth and it's not self paced. You're not at your own discretion here. So but I think the explanation that hey, we're making this the same price as every other one of our certifications. There's a reasoning behind, I think the price going up, you're getting more people, you're getting more of a process, you're getting a well engine machine, a well oiled machine for some of the things that have to happen. And let's talk about that. So moving forward for ATPs in the training process as it exists right now, no changes, you're going to carry on delivering training as you did before. These are for the ATPs and when they are delivering training, any changes to that process, Todd is assured, are going to be announced well in advance for preparations to be made. And so basically the instructions were for these organizations to proceed with the catm, which is the, what is it? Cyber ab? I think it's certified Certified approved training material or certified something Training material, Authorized training. Yeah, help us out here folks. I, I know this. I, I, I, I know catam, what it stands for. I am absolutely in at a loss for words when it comes for that, that acronym. I just don't know. I'm acronymed out. ATPs, LTPs, ISACA, EXAM, CCI, everything. Anyways changes to that CAT, whatever, whatever that acronym may mean, changes to that. Cattle is the current CATM, which is the approved training materials. They are authorized through the end of this year. So 12-31-2026. They can be used through 12-31-2026. The intent is for ISACA to deliver new content, new training content for the ecosystem at the end of this year in quarter four with a test to accompany it. And that is going to be CMMC 2.13. Training is what it's going to be labeled according to the town hall and surprise, surprise, probably surprised no one. It's going to be aligned with NIST 800171 revision 3.

B

Now that's interesting, right?

A

It is interesting because right now as the ecosystem exists and everybody until this new training is released that gets trained is going to be trained on NIST 800171 revision 2. Only problem with that is is that everybody new is going to be trained on revision three and that the framework and the program is moving to revision three at some point when rulemaking takes place. So those people need to be trained. There's an option for that too. Obviously they thought about this bridge training different than delta training. Obviously going to be more thorough. There's a lot more to cover from Rev 2 to Rev 3, but it's basically going to cover the differences and allow people to maintain certifications with new materials or a new version of new materials. Again, very common process and something that is only accomplished in my opinion by transferring the ownership or the leadership of this Keiko to an organization with a lot more people to do this big lift. This is a huge lift. This is the entire training curriculum for the CMMC ecosystem that needs to be updated. And before anybody jumps down my throat and they're like well there's these ltps, right? And the training providers, I'm sure they can sacrifice people. They're training people, they're busy and those people hold multiple credentials and some of the.

B

I know at least one person who is helping to author the new training materials. And that person has been a PI and a PA for a long time in our ecosystem and is going to do a great job weighing in on the new curriculum that. So they're pulling industry experts to help create the.

A

Right. But they're creating a board, right?

B

Probably.

A

I think it is. I think we're referring to the same. You're referring to Rose, right?

B

No, I'm referring to Tony.

A

Oh, sorry. Okay, never mind then. Well, congratulations, Tony. But, yeah, but yeah. So I wonder if it's a board or if it's a working group or something like that. But I, I Isaac's intent was we have this big ecosystem already established of these people that do this pull from the experts.

B

And so we're going to have consistent training curricula. It can be taught by different organizations and maybe in slightly different ways. And you always have to rely on the expertise of the instructor who's teaching it. But everyone's using the same curriculum. Moving forward, I think that that actually is going to add a lot of value to the consistency of the training. And then the other thing is that I like that they're providing that bridge training in both directions. So those of us who are trained on NIST 800 171, R2 will receive bridge training to R3. And then with the new curricula, the people who are learning R3 will also receive bridge training to scale it back to R2. And that way all assessors out there, all CCAs and lead CCAs, will be qualified to do an R2 or an R3 assessment. It makes perfect sense.

A

Which in. Yeah, I agree. It makes perfect sense. And as a person that likes to read the tea leaves on the wall, that would lead me to believe that we aren't too far away from our three assessments being a real thing. I'm not saying not that far away. Like in the next 90 days. I say in 300. Within the next 365 days, I bet you hear rumblings of what the intentions are, how things are going. So last thing before we get out of here affects both the way you talked about the effectiveness and the ability of the instructors for the training to deliver the training. The last update provided about the CAICO takeover has to do with the transition. We are both provisional instructors. Obviously they need to be certified instructors at some point. That was the intentions all along. ISAC is in the process of getting that going. Notifications are being sent out to all the provisionals instructors to start that process, whatever the process may be. There's going to be their own ISACA credentialing process for you to obtain the CCA or cci. I said cca and in mid to late April there should be a total release of information of the holistic CCI process. So basically, hopefully by the summertime you got some CCIs popping up. And hopefully by the summertime everybody knows exactly what they need to do if they want to start instructing. And they haven't started down that path yet. Anything to add, Joy?

B

No, other than I think that it's pretty prestigious to be a member of ISACA's Professional Instructing Pool for this kind of a credential. And so I'm excited about the transition over the instructors I've used for ISACA related certification courses before have been outstanding. So I'm very excited about this transition for the instructors themselves.

A

I'm just very excited about the transition for the impact that I do believe that it's going to make on the ecosystem and the stress that it relieves from the multiple people that were responsible for it before the transition takeover. Right. Like they did a great job. It's just that when things scale and they scale a lot bigger than what you're capable of doing, you have to do something. And this is what it's for. That's all we got. Joy. That's the town hall for this month. No April Fools, no jokes, none of that. Let's bring out the flowers like and subscribe. See you next week. Sam.