B (3:21)

I totally agree. I just wish the Primes hadn't waited so long to indicate what their position is going to be because they had years to start laying that on to their supply chain. And the fact that they, you know, in the last 12 months, maybe six months is when we've really seen it like, hi, what were you waiting for?

A (3:42)

Yeah, I don't understand the motivation behind that. You know, obviously there's been conversations and I know I've said it on the air and then Jacob said it on the air and many people have alluded to that the conversations are happening and, or just because we can't see them doesn't mean the conversations are not happening. I just think that they're publicly happening now. And I think that that's one of those things that you get that sent out in the air and everybody's now sniffing it and they want to, they want a piece of it. So another thing that we were brought up to speed on is there's been a change in the board of directors or because of the elections. Right. Board of Directors only sit for a certain amount of time and either they need to come up for re election or whatever. And the Cyber AB is no different. This year's elections happened and there are new board of directors. And these are the people that basically tell Matt Travis and all the other people at the AB what they should be doing to carry out the mission of the Cyber ab. Right. And so Paul Michaels, who was elected the chair of the Cyber AB board last year, reelected for A second year in a row. So congratulations to you. Debbie Taylor Moore was last year's secretary and has now moved into the vice chair position. So elevation. Congratulations for the hard work. And then Kathy Hennessy joins and takes over as the secretary. And then a name that is a little familiar to us, we're huge fans. Wayne Baleen has been named at large. Yeah.

B (5:03)

Mr. Yes, no.

A (5:06)

And that's it. And I think that's what his job is, right? All the yes and no's right. When it comes down to it, he's the at large member of the board that's going to come in and provide the input. So congratulations to all them. Starting a new year, new cycle of the Cyber AB program and realistically, the first board of directors of the active CMMC program.

B (5:23)

Active. Yeah. It's a big responsibility.

A (5:26)

Well, let's talk about some more big responsibilities. There were some subcommittees and committees that were named, right? The C3PO Advisory Council. One of the things that we were brought up to speed on on last night's town hall or this week's town hall is that essentially there is a work plan for each of these committees because these committees serve at the discretion of the Cyber ab. Right. And so the Cyber AB then says, hey, you're here to advise us, but these are the specific topics so you can focus on those. And we got a list of some of the immediate topics that these newly formed committees are going to address. And so just covering them kind of like in quick and maybe touching on some of the things that we feel like, okay, about time we're going to get on that. Right. So the Accreditation Committee is one of the first committees and this committee is focused on the accreditation process and how things go through that. And so the two things that they are immediately going to be focused and Enjoy are the C3PO accreditation scheme, how we're doing that. I don't know if you remember, but just last year there was an audit that was conducted on the Cyber AB as to this accreditation scheme. So now that there's a committee that's going to make sure that we are going through, we are evaluating it, we're improving it and making sure things are good. I think two thumbs up for that and then another. Not necessarily. I think it's urgent for people wanting to display their pride of being certified. But the OSC certification emblems now fall under the Accreditation Committee. So coming soon from the Accreditation Committee near you may be an emblem for you to represent your CMMC level too. Right.

B (7:00)

Finally that's going to be Great.

A (7:02)

I know I kind of played it down like it wasn't that big of a deal. But like I can tell you that when in reading the Q&As for the monthly town halls, you see the emblem mentioned quite a few times, almost as much as Tier 3 screening. So they're trending both upward. Right. One of the other committees that serves at the discretion of the AB is the Assessment Guidance Committee. So this committee, as the name formulates or as the name indicates, is designed to help with assessment guidance to clear out any issues of interpretations and things like that. And so what they're going to be focusing on here in this initial onset joy is on premise, assessment requirements, sampling of controls, pauses and assessments. I think these are called false starts.

B (7:51)

It might be, I, I don't know though.

A (7:54)

Significant change to information systems Guys, I know a close friend of mine who may have recently posted something in relation to significant change and I know a very loud mouth podcast, podcast Hype man for a couple of months who on his wish list was just like some clarification on some significant change from the Cyber ab. Looks like that clarification is coming and it's just not coming from one point of contact, it's coming from the committee that's going to advise the ab. So that'll be interesting.

B (8:26)

We know that there's a FAQ that the Dow will be issuing on an FAQ on from the Dow. I'm losing track of all of my acronyms, but yeah, on significant change guidance. And then what will be interesting to me is what the Assessment Guidance Committee comes up in, what their take on it is, and how much of that will influence the Dow to maybe update or modify their faq. They really listen and hear the input.

A (9:01)

That I think that's very vital because you formulated this committee and this committee is supposed to provide that input to you and whether you act on that input and that recommendation is still at the discretion of the Dow, at the discretion of the Cyber ab, how it carries forward. So it would be interesting to see if any of those significant change FAQ information that comes out is disputed by this committee and recommendations are sent upward for change and if that significantly changes.

B (9:29)

That faq, my guess will be yeah, that they're not going to match up really closely at all.

A (9:38)

We'll see. Another thing is, and maybe you can help me with this, the Assessment Guidance Committee is going to be providing more guidance on the interview, examination and test methodology that when it comes to assessments, I, I, I, because you can't find.

B (10:00)

That information in the Assessment guide, Jason.

A (10:03)

But I, I don't know if. Is there things that necessarily need update? I'm not, I'm not, I can't even say it. I'm at a loss for words here.

B (10:11)

Right?

A (10:11)

Like I can't even begin to think. And maybe that's why I'm not on the assessment guidance committee. Right. I can't even begin to think of things that are needed to update the interview examination and test methodology unless there are errors like, or there are issues where maybe interpretation can be affected or maybe there are elements within the assessment guidance that list things that necessarily aren't relevant for that particular control or something like that. I don't know.

B (10:41)

I don't know. It did surprise me to see that on there. And then I thought to myself, I wonder if they are experiencing a lot of pushback from like consultants or OSCs on things that are being presented, whether it's a document or spoken to in an interview or where they really are challenging the assessor point of view on it. And so they want to get some more, you know, some guidelines out there for what does or doesn't qualify. I imagine that's it. But there's a lot of examples in the actual assessment guide and all of the assessors in the CCP and CCA classes are taught through examples of all of it. So it was interesting to see it.

A (11:28)

Yeah, I. What we see here, just by the list that we've been given of the priorities and we still have two more committees to go, is that from my perspective? And obviously I get to see a lot of what industry and the ecosystem says. Right. Like on social media, whatever it may be, these are all things with the exception of the interview examination test. I don't think I've ever seen anybody say, hey, we need to reevaluate the interview, examination and test. But as far as sampling, as far as on PREM assessment requirements, these are all talking trouble points. So it's nice and it's refreshing to see that the immediate things that they are addressing are all things that the ecosystem are buzzing about as to, hey, help us figure this out a little bit better. So totally agree with something else and figuring out and understanding something else, something better, a csp, not an esp, msp, opp, whatever it may be. Right. The external services subcommittee is now tasked with addressing that. So the external services subcommittee is going to be not only tasked with CSP versus MSP determination guidance. Right. What is that line of delineation? What can we put as a hard line in the sand and recommend up the fedramp moderate equivalency which is buzzing obviously with new fedramp requirements coming and some conflict with that. I think that there's going to be some conversation there and then this one which I, I do agree with. They're not all customer responsibility matrix are created equal and if one of them hasn't been created well it's going to be very troublesome on your assessment outcome. Right. And so the external service providers are going to go with assessment guidance. What does necessarily needs to be in the CRM and what the assessors need to look for and the subcommittee is going to recommend that up. What, what does a good SRM look like? What needs to be included in that and how should you evaluate to tell if this is telling the truth or not?

B (13:20)

So critical that that is squared away. I think that many of the C3 PIOS and MSPS MSSPs have very different versions of what qualifies as a shared responsibility matrix. I'm sure if I was a contractor out there shopping for a new MSP I would have no idea what is a good or a bad SRM that I would be looking at by you know, if I'm the prospect out there. So I think it's going to be great and that that kind of information is really going to help inform the CAP committee which is the next one. And because I think that's crucial, a crucial part of the CAP document is, you know we have one paragraph right now about a lower level of effort or a lower burden of effort if the MSP MSSP already has their own CMMC Level 2 certification. The quality of that customer responsibility matrix is also going to inform the depth that you go into I would imagine when you're doing the assessment of the OSC who's using that msp. So the CAP is going to need to give a lot more guidance and I think that those two committees are going to have to work together a bit to make sure they're coming to a common language for the cat.

A (14:40)

Yeah. And that's the, the first CAT crafted cap. Remember that? Right. CAT crafted and it's going to have a cover to cover review from the, from the CAP committee and yeah perspective annexes or appendixes into the cap. I listen the CAP came out, the new version of the CAP came out three years ago now. Three maybe, maybe.

B (15:07)

No, I thought that it was updated with the final rule with 32.

A (15:11)

You're I believe Cap 2.0. Yeah, Cap 2.0 and CrPC 2.0. So yeah, it's still two years from.

B (15:19)

CFR, from Title 32, Part 170.

A (15:24)

The captain well, so now there obviously are changes to the program. There obviously are changes to FAQs or obviously are a lot of things that have evolved since that CAP has been updated the last time. And then it's one of those documents, I think, that needs to be in a constant, you know, revision cycle. So it's good to see that there's a committee that now is going to cover that and kind of, kind of press on the gas and make sure that keeps happening. I don't think I would let that happen, but what do I know, right? So that was the work plan. So that's the work plan moving forward for next year, just for the Advisory Council. But we don't want to get too far ahead into next year without reflecting back on kind of where we've come in 2025, which at the top of the show, the year of cmmc, I think is. It's safe to say that there was a lot accomplished here that really formed the program within this year. A lot of changes. And I'm just going to go through a couple that I think people don't realize. Like, when they were reading them off, I was like, man, that felt like so long ago. But no, that, that actually was this year, you know, that was in December of this year, like when 32 CFR entered force. Right. Like it entered into effect December 10th of. No, last year. Right. And then January 1st is when assessment started, remember? Because they paused it for like three weeks. So within a full year. So, yeah, within a full year. And then had I known that this slide contained this, maybe if I did a little read ahead, we would have avoided some of the conversation because within this year they published the CAP and the COPC updates. So it hasn't been two years, it hasn't been three years after this year. Like, like I said, like, I didn't even realize it happened this year. I thought it happened so long ago. You know, time flies when you're having fun. So here we are, another big thing that happened, and that was a part of one of the audits and one of the, you know, the investigations that took place was the recertification of all CCAs and CCPs because of 32 CFR going into force and new requirements being attached to them. They had to go through, through and make sure that all of the CCAs and CCPs that were certified at that point in time when the rule went into force now meet all of these new requirements that are laid out within that rule. So they did all of that. And as you know, that's a lot of people, Joy. They also reauthorized all the C3PAOs going through that process commenced. We started issuing at the first of the year CMMC level 2 certifications. We want to talk about the farce UI rule coming out of dormancy, right? Like it exists, it's there. But realistically, like it's there and it exists. We don't know when it's coming, but we should be cognizant of it. CS5 launched as the the conference series that contains multiple elements of cloud conformity compliance frameworks. I. I don't even know all of the acronyms, but it's everything that encompasses this industry in this ecosystem. Right. Everything that the ecosystem stands for now all fits into one conference that is obviously headlined by the Cyber ab. And then last but not least, we just came out of this, Joy. And I don't know if I have any complaints about how prepared the program was, because the program thrived and we're going to talk about it in the numbers later on, but we endured the government shutdown, right? The CMC program had the government shut down from it. Not only did it endure it, as we go into the reflection of the CMMC year in review and the numbers, which is what we're going to talk about now, you'll see that thrived. The ecosystem is there, it's in a good spot. This is all before the program even started. But let's talk about it. Joy.

B (19:04)

Yeah, Was impressive that they kept on rolling. We kept on rolling during the government shutdown and we have some big numbers in one year.

A (19:13)

Really? One year growth of assessors, 100%. Right. That like, no matter what the number is, the gross there we ended in November 25th. And I doubt we'll get any of these ecosystem updates until our next show in 2026. Right. So I'm excited to see how far they grow just between now and then, because the ecosystem's kind of humming. The shutdown did delay some of those certified professionals and certified assessors getting their final stamp of approvals, some authorized C3POs going through the process, the final stages of the process. So these numbers are going to grow between now and then. But in 2025 alone, 100% growth in CCAs, 52% growth in the amount of authorized C3 PAOs we have, and then 21% growth in certified professionals. Right. Doesn't sound like a lot, but when you get into the numbers that we were already at Right. We were at 1000 in the beginning of November 2024. Now we're a little bit over 1200. And then the biggest growth, 384% not listed here of lead CCAs because lead CCAs were implemented. We didn't have any last year. We have 384 of them now. That's 384 people that are capable of leading assessment teams. That means if there were three people that wanted to go along with them, that's 384 assessments. That could happen a week. Sounds good to me.

B (20:29)

Powerful. Very exciting.

A (20:31)

It's over 1200amonth. That's a good start. Program just started.

B (20:35)

Yeah.

A (20:36)

In case you forgot. So now one number that we didn't get in the year in review is because that number was reserved for the special guest, Dana Mason, who joined from the cmcpmo. We're going to get into that right before we, right after we talk about the look ahead, what the AB looks to do in 2026 or what they expect to happen in 2026. Right. So we talked about the biggest growth in 2025 being the assessors and we talked about what they want to happen in 2026. And essentially this is their goals. New leadership in the Keiko. Mike Snider was commended for filling in on short term and interim basis. But as Matt Travis stated, they have larger plans for Mike Snider and Mike Snider will be doing bigger and greater things eventually as new Keiko leadership has emerged or emerges. Right. They intend to expand. So we talked about on last month's show how some people join the A B team and they're going to grow some more. The program's running, assessments are happening now. It makes sense to staff out this program to have people dedicated in certain spots. I, I think people overlook the fact that the little amount of people that were staffing the Cyber AB through the onset of the program, getting off of its feet and stuff like that. How many hats those people had to wear. It's almost poetic because it's kind of like a dip contractor. Right. A small dip contractor trying to wear all of these hats for their CMMC compliance. Well, they're wearing all these hats so that we can have CMMC compliance. Kind of crazy hats off to them. I'm glad they're getting some help and they're expanding.

B (22:17)

Me too.

A (22:18)

Practitioner program is going to be overhauled and now I know that we've made complaints about the RP RPOs. Maybe the level, the length of the training, maybe clarity as into exactly what role they're supposed to play or what they can do. So we're expecting an overhaul of that in 2026. ISO17011 recognition and their C3PO accreditation program. Obviously that's one of the necessary steps that they have to take. Rules finalized, the clock's ticking. That needs to happen. Some more engagement initiatives that they are going to announce in the upcoming months. Survey to improve the quality of town hall ecosystem or so. So a survey of the ecosystem to improve town hall quality and then the expansion we talked about CS5 finally turning into this event that encompasses everything the ecosystem represents. And so the only thing that you can do is once you get to that point is to grow it and make it better. And they have intentions of doing that in 2026. And then 2026 is going to introduce to us on November 10, 2026 to be exact. Just a guess. I don't know, maybe there's something there. But phase two of the implementation, which is where organizations realistically should expect from the. Or sorry, not realistically should expect, but where the DoD states within documentation that organizations should expect C3PO assessments to be the normalcy. Right. So we know that that's going to happen way before then. What on this list most excites you, Julie?

B (23:46)

Overhauled practitioner program.

A (23:49)

Why did I.

B (23:50)

You saw a reflection of that in the Q and A. Some of the, well, comments, more than questions I guess about the quality of consulting that's happening. And you know, it's kind of sad to know that there are, I hear of many organizations seeking some kind of, you know, like can we capture some of our money back? Is there any liability that this consultant is facing and giving us really bad guidance? So I think that it's, it's something that should have been done in tandem with standing up the assessor ecosystem to make sure that the, the quality of the consultant was equally as valuable and robust and even tested. Right. Not just, oh, I took a six hour pre recorded course. I won't go on about it any more than I already have multiple times. I'm very happy to know that they are going to focus on it. The sooner the better. I think it's desperately important. These companies, many of these small contractors, you know, they already are spending so much money trying to get ready just with the technical part of it. And so when they're hiring anybody to help them with it and they're given the wrong advice, spending, you know, good money after bad, we just don't want to see it anymore.

A (25:10)

Yeah, I think improved training is important for the reasons in which you mentioned. But let's talk about the numbers, right? We always say strength in numbers and stuff like that. Right now registered practitioners outnumber the total number of certified assessors and certified professionals and the OR in the ecosystem, right? So if they're not going to take that next step and be the CCA or the ccp, let's make sure that at whatever stage that they're at, they're trained to at least contribute to the effort. Because we just talked about being able to complete, you know, multiple number of assessments in a week in order to meet the mission. We just talked about staffing those teams that of those 384 lead assessors. Well, if you can search down in the depths and find an RP at 1908 or a CCCP at night, you know, one of the 1908 RPs or one of the 1253 CCPs that can come in and serve on those assessments, then those lead assessors can staff more assessment teams. But the training has to be there because if the training is not adequate, then what purpose and what help are they, you know, actually doing? So that's just my personal opinion, but I think because they represent such a large number in the ecosystem of the positions that are recognized, let's put them to work and let's make sure that the work that they're doing is quality. And the only way that you do that is you train them up so they can perform both, right?

B (26:27)

Yep.

A (26:29)

All right, so we talked about the numbers. We talked about what's coming in 26. We talked about what happened in 25. Dana Mason, they didn't give us some numbers that we particularly look for. Joy, those CMMC certification assessment numbers, because those were delivered by Dana Mason, an IT specialist with the CMMC PMO's office. She joined the town hall sand slides. Let's try not to make that a habit and speed read through all the statistics that are really, really important to us. So it's basically you took my favorite part of the town hall AB and you put it in 2x. So I had to like shorty and type to keep up. Thanks for the help, but let's, let's get here. All right, so we are going to talk about in particular first thing, the number of CMMC level 1 self assessments that are in SPRs. As of reported by Dana Mason, as Of this week's AV Town Hall, 7,047 companies have Level 1 self assessment. While I commend that number, I don't think that that's all the dib.

B (27:37)

It's a teeny drop in the bucket. A teeny tiny drop in the bucket.

A (27:42)

That's crazy. Now the crazier part of it is during that government shutdown that we just endured, a thousand of those were completed. So they could. A thousand SPRs level 1 self assessments were uploaded in SPRs during the government shutdown. People were busier in the government. We're going to talk some more. People didn't take the government shut down off like we thought.

B (28:04)

Like, oh, and two, I'm also remembering now that the SBIR system wasn't adjusted to accommodate a level one self assessment until just what, like two or three months ago. So it could be that that's contributing to the low number that all of a sudden ramped up during the shutdown.

A (28:24)

Oh, no, I. I'm just saying that like, that's crazy no matter what. Seven thousand is crazy. Progress in that short time period, maybe leading with that would have kind of helped put in context like kind of that. That number being as. As good as it is. But it's still a long way to go, right? Like still a very, very long way to go. During the government shutdown, additionally, 72 level 2 self assessments were completed. Now, system's been set up for those for a while. So no excuse there, like absolutely none. But there are 72 done there. During the government shutdown, there were a total of 76 level 2 C3PAO certifications recorded. That means completed, done and recorded. Within that was it 41 day shutdown? Yeah.

B (29:14)

That's fascinating to me that we had more C3PAO assessments than we did self assessments in one month.

A (29:22)

Yeah, maybe. Maybe because they already had the score in maybe. I don't know. That was just during the shutdown. So let's talk about the total numbers. This is the last CMMC Level 2 certification. So these are the last statistics. The drum roll, please. What have we completed in the first? I don't know. We'll say the year of CMMC. Including C3PO and DIP CACs, which have been converted over, there are a total of 575. I think I typed quick enough and caught the right number maybe off like 1 or 2. There's a margin for error there that are listed within SPRs as being completed. Now, Joy, one thing that I learned last night that troubled me about this is that there are 115 of those pending affirmation. And me being naive as I am, thought that that was pending. Like, okay, it's done and we just need to go through, check the T, you know, across the T's, dot the eyes. The C3PAO needs to make sure that they upload it. Or maybe there were some issues. We were talking about cage code issues before preventing the affirmation. That's not the case. We learned last night that there are 115 companies of these 575 total, that technically can't say that they're level 2C3PAO certified on any contract they wanted to bid on. Because they're not. Because they haven't affirmed with an sprs. Right?

B (30:47)

Yeah. That's how I understood it. And that means that the organization went and celebrated after they got their certificate and thought, okay, we're done.

A (30:56)

I mean, they might be still be celebrating. It's a big accomplishment.

B (30:58)

Who knows the purpose of the affirmation, Jason?

A (31:01)

So are you asking me or I'm asking you? I don't know what the purpose of the affirmation, I thought the affirmation was.

B (31:09)

The company official is going to log in themselves and say, I am attesting that everything that has been, you know, presented as evidence is true and correct. That's the purpose of the affirmation. So the C3PAO may have validated it and issued the certificate. Right. Certification. The company official, though, for that contracting firm is the one that needs to get on there and say, it's my name on the line. I attest to this.

A (31:37)

For some reason, I thought that, like in this one scenario, right, where you're going through, the C3PO is doing it in lieu of the affirming official doing that. Right. That the C3PO did that, uploaded it, you were good to go. And then every year after the affirming official would have to come in and do that. Right.

B (31:56)

Understanding.

A (31:57)

Yeah. And so now this is a wrinkle that apparently is catching a bunch of other people more so than me. And look, I'll. I'll be vulnerable. Look, I thought 100 honestly thought that when my C3PO evaluated my organization and they pumped it up in the EMAs, that it just did this double population workflow, whatever it was, that in both places. Because it made sense. Yeah, it made sense. I just paid somebody 30 to $50,000 to come in and assess my environment, and now I got to do extra work on top of that because, you know, now here's the other question that's good for three years. Is it good for three years from the time that it's been uploaded in EMASS by my C3PO or good for three years from the time that I affirm it. And then what if there's an overlap in that time frame?

B (32:46)

Okay. I think it's when it's entered in the SPRI system by the C3PAO. That's how long you have. The clock starts ticking now for your 12 months before you have to do your annual self assessment. Whether or not you've gone in and done the affirmation. I think that's crazy.

A (33:05)

And then the last thing Joy, that I want to talk about from Dana Mason's update from the Town hall. This is, it's so crazy to me, but a bit of progress and a look of, of what's to come. Before the government shutdown happened, we were told that there were two organizations that completed the CMMC Level three process walkthroughs. Right. So these are what's going to happen during a CMMC Level 3 assessment done by DIBCAC. Right. How is this going to take place? How are we going to document this?

B (33:33)

Blah, blah, blah.

A (33:35)

All of that's happening now so that those can start happening when the Dow thinks it's going to happen in the phase rollout. I, I feel like if they're doing it now, it's probably big, intense in anticipation. That's probably going to happen before that phase rollout implementation like everything else that's happened thus far.

B (33:52)

I would feel like that too. I, I wish that I could have participated in that somewhere, somehow. I mean, how fascinating. I love the whole thought of Level three with the enhanced cyber security control. So I'm excited about that and the.

A (34:09)

Way the assets are managed within Level three and stuff like that. It's going to be very fascinating. All right. So like I mentioned, Joy, there's no town hall until January 27th of 2026, which leaves us in this lull period. Right. And I know that the AB put out some stuff that they want to work for four in 2026. And usually we say next month on the town hall, we'd like you to put this up there and it's our wish list. So we're going to just substitute for this month and real quick go through our way too early predictions for the year 2026. I want Joy's can't miss prediction for 2026 for the CMMC program. What is one thing that you are certain that I should go and create.

B (34:50)

A parlay around level three assessments will take place by the end of Q3.

A (35:01)

By the end of Q3. So your early prediction is by the.

B (35:04)

End I'm going there. I'm saying that. How about you?

A (35:08)

I think that we will be above 135 authorized C3 PAOs by the end of Q1.

B (35:16)

By the end of Q1. Okay.

A (35:18)

Because remember, we talked about how, like, there's almost a 100. This is. I shouldn't explain the logic to my guests. Almost 100. And then they keep hinting at the. The shutdown holding up the process of so many. And they listed so many there. And then something. They're about to go through the DIP assessments. And from what I hear, DIP is kind of hard. Charging right now through assessments. Anybody and everybody. We just assess it. Right. Like a little baby sliding across the table. Let's assess it real quick. And so, like, that's basically the way things are going. So I could see it happening quicker than that.

B (35:47)

That analogy was very interesting. Maybe across the table from 88 to 135. By the end of Q1.

A (35:55)

By the end of Q1. So it's four months.

B (35:57)

All right. Like a baby sliding across the table.

A (36:01)

Table. You got to assess everything. Okay.

B (36:03)

I just had to make sure.

A (36:06)

Logic. All right. So as far as the show goes, like. And subscribe and we'll see you next week. Sam.