A
All right, folks, it is May of 2026, and we are halfway through CMMC Phase 1, and people are still saying that there are not enough assessors. And we're here to tell you that's a damn lie. And it requires you to believe that every DOD contractor out there is currently ready for an assessment. They're not. It requires you to believe that all of the C3PAOs are out there, are booked solid and have no availability. That's not true. And it requires you to believe that 80% or more of the possible assessment teams that are out there just aren't working or available at all. And that's not true. What the data actually shows is that the ecosystem is sitting on a huge amount of excess capacity. And that's what we're going to talk about today. Jason, we wait a long time to make this episode, buddy. We're making a long time.
B
Our.
A
Our CMMC prediction show from January, our. Our kickoff show at beginning of Phase one. The reality is the department is years, literally years ahead of schedule on assessment capacity and has absolutely crushed their Phase one assessment goal. And that's just based off the data from the first five months of the program's rollout. Yeah.
B
And it's crazy to think about it, that when you actually take. And you look at the statistics and you look at the numbers associated with it, you see how I want to say, impressive, but you see the progress that has been made, and it doesn't match the argument that's coming from the same five knuckleheads within the ecosystem that seem to think that we don't have enough assessors. It also really doesn't match one of the arguments made by GAO in their report against the CMMC program. And so it kind of drives me wild.
A
Yeah, it's. Listen, I can understand why that misconception might happen, because all anybody hears is 80,000 companies need a cert, 100,000 companies need a cert, everybody needs a cert by November. Everybody turns their brains off and they go, the math doesn't math. All right, so there were maybe some things that could have happened that could have clarified where we currently are and where we need to get to in order to support all of the throughput for the entire ecosystem. That's what we're going to jump into right now. Where are we currently? Where do we need to go? How far away are we from that destination? So, first things first. Certified assessors, CCAs, are the constraint on assessment capacity in the ecosystem. Not certification organizations, the C3PAOs, because each C3PAO can have multiple assessment teams. So right off the bat, if you're out there, I see you on LinkedIn. If you're out there saying, there aren't enough C3PAOs, therefore there isn't enough capacity, stop it. Get some help. Just like Michael said. Just like Michael said back in the day.
B
Yeah, that's. I mean, right off the bat, usually that's where the argument leads. When they're like, it's not ready. They're not ready, right?
A
That's right.
B
Like, why are they not ready? And it's because, well, they don't have C3PAOs. And you're like, but what about this number that really matters?
A
That's right. That's right. Absolutely. So the CMMC regulation says that each assessment team needs at least one certified assessor, one lead certified assessor, and a separate certified assessor that isn't a part of the assessment team to conduct quality assurance. Right. That can do the QA function. So as of April of 2026, there are 766 CCAs. There are 489 lead CCAs. So if we factor in the need for a separate QA role checking four assessments per month, then we can divide that 766 number by three and come up with 255 possible assessment teams at one assessment per week per team. That's 1,020 assessments per month, or 12,240 assessments per year as of April of 2026. Right. That's not the end of the phase rollout. That's not 2028. That's right now, how many assessments we could hit based off the number of assessors that we have on paper?
B
It's the first time I've heard this argument come up where logic's been applied and the math is actually starting to math, right? Like as the.
A
That's a lot of assessments. That's a lot of assessments, yeah. For reference, there are 1,240 Level 2 certifications at all. And on paper, we have the capacity to do almost that many per month. So right off the bat, this argument that there isn't enough assessment capacity ain't adding up. So let's just sort of compare this with where the DoD thought they were going to be. Right. So they estimated in the final rule. I know none of you read it. You can go look at Table 8 in the 32 CFR CMMC Final Rule. Scroll 3/4 of the way down. The numbers are right there. We'll put the link below. The DoD estimated that they would only achieve. This is real, folks. They would only achieve 517 Level 2 certifications in phase one. So the time period between November of 2025 to November of 2026, we would only see like 500 Level 2 certs. Just five months into that time period, we already have 24 times the capacity that DoD thought they were going to need. You would only need 10 assessment teams to get to 500 assessments in the first year. We currently have the capacity to have up to 255 of them.
B
Yeah. So clearly this was a number that was made based off of what the DoD thought their supply chain that they were going to hit during this first phase was.
A
Yeah, they were like, we got to scale this ecosystem and, you know, we just don't expect. That's why they did the phased rollout.
B
But they didn't expect for the scaling of the ecosystem. They didn't expect for the primes to prime. They didn't expect for competitive advantage, manage to be a talking factor in business.
A
They can only estimate, you know, they can only estimate what they can see. But we're going to get to that. We got a special segment for all of you out there who say that the DoD's estimates are wrong. Just stick with us for now. Right? Okay. We have humored you guys for months when you say that the estimated cost of an assessment in the rule must absolutely be what the DoD said. We've been telling you those estimates are not correct, but nobody wants to listen. So now it's our turn. We get to use the DoD's estimates from the Rule and you gotta listen. So, cool fact. They also estimated how many they would need in year two and year three, and then how many they would need to sustain per year from year four onward after the rollout is complete. They estimated that they would only achieve 2,599 Level 2 certifications in Phase 2. That's November of 2026 to November of 2027. So far, based off where we are right now, if you were to freeze everything and we had no more current assessors, we have five times that capacity. We've achieved almost half of those certifications halfway through phase one. That's what they were expecting to have at the end of phase two. And then you go on from there. The department estimated that they would achieve 8,666 Level 2 certifications in phase three. That's November of 2028 to November of 2029. That means that the ecosystem currently right now is two and a half years ahead of schedule on the assessment capacity that it would need for phase three, right. In phase four, which is November 2029 and beyond, after the phase rollout ends, DoD estimated that they would need 16,610 assessments per year for the entire industrial base to rotate through as certifications expire every three years or so. That's 319 assessment teams conducting one assessment per week, with each team requiring at least three CCAs. That's 957 certified assessors, a third of which need to be lead assessors, but we're adding those at plenty of time.
So halfway through phase one, halfway through phase one, we are already 75% of the way to the total capacity that the DoD estimated that they would need at the end of the phased rollout, before we even consider that the ecosystem might add more to the rate of growth of available assessors in the ecosystem. And based on that rate, which we'll get to at the end, based on the rate of new CCAs and lead CCAs added per month, we're going to be at 319 assessment teams before the end of phase one.
B
So, Jacob, a couple things here. First and foremost, the projected numbers that you put of the capability that we sit at right now, that projection of capability exceeds what the DoD itself said it was going to need throughout the first three phases. The number that we can achieve now is it's not until we get to Phase four. What's that?
A
It way exceeds what they thought.
B
Yeah. And it's not even until we get to Phase four. So three and a half more years from now, technically, right, until that number of demand exceeds capability, if we were
A
to just use the number we have
B
now, and that's the first thing that stood out to me, and I'm not crazy with numbers, so just bear with me. The second crazy thing that stood out to me is that every time that we hear this argument with regards to the capability of what needs to be assessed or how many organizations need to be assessed specifically, the number in which we get is 80,000 to 100,000 need to be assessed for when CMMC goes into effect. But the numbers don't show that.
A
Yeah, that's, that's not what the current throughput is. But listen, before, before we get to that, I've got even another qualifier. I've got another concession that I will make to everyone who says there aren't enough assessors because this is based off of everyone who is currently a CCA is available to conduct assessments. And I can hear it now, everybody watching, they go, but, but not all CCAs are participating in assessments. So let's cut the number of possible assessment teams in half and then we'll cut it in half again and then we'll see what the numbers look like, shall we? So if only 50% of the CCA pool is available, we're left with only 128 possible assessment teams halfway through phase one. But when you add it all up, that's 512 assessments per month. We've never even come close to 512 assessments per month. 6,144 assessments per year. If half of the people that are certified to conduct assessments actually participate in assessments, they, that's still as many assessments per month in phase one that DoD estimated they would get in total through 12 months of phase one originally. And that's still two and a half times as much capacity as we need for all of phase two based off of DoD's estimates. But if you go even further and you say that only 25% of the available CCA pool has halfway through phase one, which is an absurd thing to say. Right. That's completely unrealistic.
B
And so hold on real quick. That's 25% of you already cutting in half to account for the fact to create a whole assessment team, right?
A
Yeah. So we've got, theoretically we have 255 assessment teams. Get rid of half of those people and you, and then get rid of half of them again. So 75% of all the CCAs out in the ecosystem just aren't doing anything. Which is absurd. Right. But if only 25% of the CCA pool were available, we're left with 64 active assessment teams. And that doesn't sound like a lot, but that's enough to have 256 assessments per month, 3,072 assessments per year. That's still again, way more than what we thought we needed for Phase one and Phase two. Even under the most ridiculous, absurd, worst case scenario.
B
Yeah. I think that the 64 active assessment teams is exactly a break class scenario. I know for a fact that we know one C3PAO in particular that possesses 18% of that number.
A
Right.
B
Like so, like there's that output. It's just crazy of me to think that still the argument is focused around that we don't have enough assessors, we don't have enough C3PAOs. The assessment output isn't enough and not focused on like the, the real issues. And when we talk to C3PAOs, some of the real issues lie within the readiness. Lie within the. It's all about readiness and what about the booked out for months. That's the other thing that kind of drives me nuts. We talk to people and they're like, yeah, we're booked out until November and this is the busiest C3PAO we know.
A
Let's talk about it. Let's talk about it before we get into the readiness issue. Let's give, let's, let's entertain more of the questions. I literally posted about this today and I got another, I got. One of the first comments was, but the DoD's estimates were wrong. I'll be like, well, where were you when we were talking about cost? Everybody. Anyways, I can hear it now. But, but, but the DoD's estimates were wrong. We need way more assessments than what DoD actually imagined. Oh yeah, you sure about that? If that were true, then if there were way more companies that needed assessments, where are they? Does any where? I, it's like John the John Tramine. Where are they? Where are they? I agree with you that the DoD's estimates weren't 100% accurate because the DoD can only estimate what they can see. And they can't see the entire DIB. They can't see the flow of control information through the subcontracting base. So we know that their estimates aren't going to be correct. But we now have months of observed demand and capacity in the ecosystem and capacity still isn't a problem. Since January, we have only added 125 to 180 Level 2 certifications per month at a completely unrealistic 25% of current capacity. We're still capable of 256 assessments per month, basically double the current observed throughput of assessments in the ecosystem. The ecosystem has a ton of excess assessment capacity. It is not true that there aren't enough assessors or that there aren't enough assessments available because like you said, even the busiest C3PAOs are not completely booked up through the end of the year. Some C3PAOs are on social media posting their open availability windows, asking people to sign up for assessments and they're not getting booked.
B
Yeah, but that's still the number one root cause when everybody's out there gallivanting saying that this program, they ain't ready, right? Like, and then, but then you use those same, the same terminology. They're not ready, right? They ain't ready, whatever. However you want to phrase it. I just want to talk proper here so nobody chastises me, right? But when you say they ain't ready, right, and you talk to C3PAOs, it's the shoe's on the other foot. And the people that aren't ready are the people that are like, actually, I am ready. I need to get assessed. I want to capture the CMMC business. And then they don't even make it through the initial phases. Right.
A
This is exactly why we coined the phrase false start. You and I sat here on this podcast years ago and called it back then and we said there will be very, very few assessment failures because most companies are not taking their cyber security obligations under DFARS clause 252.204-7012 seriously, are gambling that CMMC will never make them prove what they are claiming to the government and getting paid for. And so they will wait until it's too late and then CMMC will expose them because they will sign up for an assessment. They won't qualify because they are unready and they won't fail. They just won't get an assessment. And so when you talk to the C3PAOs out there and we talk to a bunch of them, we've had them on this show, go ask them, they're literally posting that they're available. They don't have anything going on because no one's signing up for assessments. 25 to 40% of the people who sign up, anecdotally of the companies that sign up for assessment can't even get started on the assessment because they can't pass the readiness check. So the assessment never happens. These companies don't fail their CMMC assessments. The assessments just don't happen at all. Hence, false start, as a phrase. If every, even then, if everyone who got a false start, we take this 25 to 40% range. If everyone who got a false start were actually ready, we would still be able to support assessments at the 25% capacity number because that's available for 256 assessments a month. What's really happening is that contractors are getting exposed for gambling on the idea that this program wasn't going to make them actually demonstrate the things that they were claiming to the government. The problem has never been assessment capacity. The problem was never going to be assessment capacity. It has always been assessment readiness because people were not implementing their existing cybersecurity requirements. They haven't implemented 800-171 pursuant to DFARS clause 252.204-7012.
So now they can't qualify for a CMMC assessment. That is exactly what the program was designed to do. You can't demonstrate that you have implemented the precursor security requirements to handling this controlled data. You don't get the control data. That's why the program was created. It's working as intended.
B
So with a 36 to 84 month depending on how aware you were head start that you had these requirements coming down, you gave it the old college try and you got there and you didn't make it. We, I speak to a lot of organizations that that's the case where they're on what is like a bounce back. We tried to do this, we were unsuccessful. And the approach they take is to sum it up best to like a flex seal approach to it. Like we can just slap this on there. Let's save somebody. Yeah, just, just smack it on there. And it doesn't end up working because there's no comprehension of what needs to take place. 25 to 40% based on what C3PAO you talk to is crazy work. With the amount of head start and warning that was given, what's even crazy, you know, even bigger crazy work is it's only a smidgen of a representation of the entire base that needs to get assessed. So is this going to get worse or is it going to get better? I, I think I'm hoping that's going to get better because people are taking longer to get assessed. They're actually doing preparation stuff and implementation
A
and not just I think it's going to get better and it's going to get better quickly. But, but the point here is that assessment capacity is not the problem, right? Not enough assessors is not the problem. It's not even close to being the problem.
B
How much do you think publishing the like a false start statistic, right? Probably to be seen. How much do you think would, how much do you think that would like squash this argument of not enough assessment capacity assessments?
A
Tell you what, I'll tell you what, I'll tell you what. U.S. government, if you're listening, if you post, they're always listening you, if you start tracking false starts, I will get false start statistics tattooed on my back like Pam Poovey from Archer by month for the rest of the phase rollout. That metric is not officially tracked. It should be tracked because it will tell you that this percentage of companies that sign up for an assessment who have claimed to be compliant can't even qualify to be assessed. That tells you exactly how many people are lying through their teeth in terms of their readiness, which is why the program was created. But anyways.
B
Well, we've also. Hold on before you, before you jump forward. We've also, even in Our conversation with Fernando, Fernando had mentioned that they're doing a more stringent pre screening process to stop it from even getting to that point. So that even the people that think they're ready to get through the door are being told you still got to buy a ticket. Right.
A
By the way, there's plenty of companies that don't have a problem at all. Right? We are, we are rapidly approaching 2,000 Level 2 assessments in phase one. There's plenty of companies that don't have this problem. So you've got a major split. You got companies that are sitting just fine, got their assessment just fine, and you got a bunch of companies that can't even qualify for an assessment. Right? There's not a lot of in between anyways. Let's, let's, let's. Okay, okay, okay. You guys did the math. Whatever. Okay, okay, okay. Maybe the DoD's estimates aren't accurate and that doesn't even matter because that's not what observed throughput says. Whatever. We might have enough capacity right now, but we're not going to have enough capacity when everybody needs an assessment. Okay, first of all, first of all, there is no scenario in which 80,000 to 100,000 companies need assessments in a single year.
B
I've got 20 LinkedIn posts that would argue otherwise with you right now.
A
Stop it. Get some help. Right. November is not a deadline for all Level 2 assessments. There is no scenario where the entire industrial base all gets certified. Nothing happens for two years. And in the third year the entire industrial base gets recertified. That's not how it works. It's not how it works. Which is why the DoD didn't estimate it that way. Because that's not how things work. So we only need to sustain a fraction of the total number of required assessments per year in order to sustain this rolling cycle of new reassessments over time. The DoD estimated that you would need to have 16,610 of these assessments per year to get to about that 80,000 range. Right? So that's starting at the end of 2029. You would need to be able to sustain 16,000 assessments per year. Like we said earlier, that's 319 assessment teams. With 255 current assessment teams on paper, we're only short one hundred and ninety-one assessors. We're currently adding 29 new CCAs per month. That was before ISACA took over assessor training, which will certainly increase the amount of CCAs that are added to the ecosystem every month. You can bet your bottom dollar on that one. So if all current CCAs were active, we get to 319 teams in six months. That's the throughput that the DoD thought we were going to need. At its maximum in six months before the phase one is even over. If only 50% of the current CCAs are active, we get to 319 teams in April of 2029, eight months before phase four begins, when they thought they would need 319 teams. So we can indulge further. Let's go even deeper. Right? Let's say we need to hit 20,000 assessments a year and the DoD's estimates were off by 20%. Right. At the current rate of growth, with the additional assessors added per month, we would get to the capacity to have 20,000 assessments in like four and a half years. That's with no increase in growth at all.
You add 10% faster, you get there in four years, 20% faster, new certified assessors added, you get there in like three and a half years when phase four starts. So even if DoD was off by 20%, you still get to the maximum throughput number without even really breaking a sweat. That's it. So 50, Mark, that's not at the 100, it's at 50 of the current number.
B
So you're saying without even stressing in the slightest bit, even if we over exceed the need, expect the output expectations. Right. It's still without a sweat. Yeah, we can do this. And based off of the projected growth, we're in good shape.
A
You will have enough assessors, you will have enough assessment teams. Even if the DoD was off by 20%. I'll do you one better. Let's say the DoD was off by 50% and we need 25,000 assessments per year or 481 assessment teams. The ecosystem is growing currently at a rate halfway through Phase one that we would end up with enough capacity in basically about five years to sustain that number of assessments. Even if you consider that only half of the current assessor pool were active, which isn't true, we're at more than that. If 100% of the current assessor pool were active, we could get to 25,000 assessments per year at the current rate of new assessors added in two years. Assessors are not the problem. Assessment capacity is not the constraint on the ecosystem. It is not true.
B
Just another layer of non constrainable things. Right. Is the interest in being a part of that assessment capacity. Right. The background of the people waiting to get through Tier 3 screenings, the background of people waiting to become lead CCAs. CCPs trying to transition into CCAs and things of that nature is enough that if we only captured half of the percentage of that as well, we would be able to meet this demand. Just to add, you know, I just want to add a little fuel to your fire, bud.
A
Imagine if the Tier 3 process weren't such a ridiculous chokehold on the, on the pipeline. We would have.
B
Yeah, ten steps is insane. But I, I feel like with ISACA taking over some of the responsibilities for a lot of the credentialing, hopefully wishful thinking that we're able to focus some more attention onto that process of moving forward.
A
If, if you guys don't listen to the monthly AB Town Hall, you should. If you don't listen to the monthly AB Town Hall recap on this channel, you definitely should like and subscribe. All anybody ever talks about in the questions of the town hall is T3. T3. T3. Where's my background? Where's my background? It's just people waiting to become assessors. It's like dozens and dozens and dozens of people. So we're not even factoring in what the potential number could be. This is just the current number. People who've gotten through that slog of a process and it's still not even close to being.
B
So none of these. And just to reemphasize that none of the estimates in, in which have been made on this show are made with any like, wishful thinking of growth within the ecosystem. It's already within what exists within the ecosystem.
A
And then cut it in half and it's fine. And then cut it.
B
Yeah, it's.
A
It, it's enough for what we have right now. It's enough for what we need in the future. It's enough for what DoD originally estimated. It's enough for what we're seeing in reality on the ground around every month now that the rollout has started. It's enough for what you imagine is the requirement in the Future. If the DoD was wrong by 50%, it's not even close to being the problem. Not even close. So.
B
And not even doomsday scenario. If they were close to misestimating, wrongfully estimating what has to happen.
A
It is, it is. It is not a problem. So let's just wrap it up here. Right.
B
Okay.
A
As it stands, halfway through the first year of CMMC's rollout, the DoD has achieved 1,240 Level 2 certifications. It is a massive achievement that was years in the making. While we were waiting for this awful rulemaking process to go through, but instead of celebrating this spectacular achievement, people are out here talking about a problem that doesn't even freaking exist under the most conservative possible scenario. Right? Not enough assessors is an intellectually hollow coping mechanism for people who didn't bother to read rulemaking estimates and compare them with current ecosystem throughput. And that's being very generous with my words. There are more than enough assessors for what we need. There are going to be more than enough assessors for what we're going to need. Stop saying that there isn't enough assessment capacity and get to work. Like and subscribe. We'll see you next week.
B
See you next week, folks.
Episode: The Numbers Behind CMMC Assessment Capacity
Date: May 7, 2026
Host: Summit 7
This episode dives deep into the persistent claims that the CMMC ecosystem lacks enough assessment capacity or certified assessors to meet current and future demand. Your hosts use hard data, regulatory references, and lived experience in the field to debunk these objections, pinpointing the real problem: readiness, not capacity. They use current numbers, projections, and a lot of direct talk to summarize where things stand midway through Phase 1 of CMMC’s rollout.
“That's not the end of the phase rollout... That's right now, how many assessments we could hit based off the number of assessors we have on paper.”
(A, 03:15)
“Even the busiest C3PAOs are not completely booked up through the end of the year. Some...are posting their open availability...and they're not getting booked.”
(A, 15:04)
“The problem has never been assessment capacity. The problem was never going to be assessment capacity. It has always been assessment readiness.”
(A, 17:44)
“You will have enough assessors, you will have enough assessment teams... even if the DoD was off by 20%. I'll do you one better. Let's say the DoD was off by 50%... we would have enough capacity in basically about five years.”
(A, 24:29–24:40)
On LinkedIn Myth-Making:
“If you're out there saying, there aren't enough C3PAOs, therefore there isn't enough capacity, stop it. Get some help. Just like Michael said back in the day.”
(A, 01:56)
On False Starts & Readiness:
“25 to 40% of the people who sign up...can't even get started on the assessment because they can't pass the readiness check. So the assessment never happens. These companies don't fail their CMMC assessments. The assessments just don't happen at all. Hence, false start, as a phrase.”
(A, 15:58)
On DoD Estimates & Social Media Hype:
“There is no scenario in which 80,000 to 100,000 companies need assessments in a single year... November is not a deadline for all Level 2 assessments.”
(A, 21:27)
On Publishing "False Start" Statistics:
“U.S. government, if you're listening... if you start tracking false starts, I will get false start statistics tattooed on my back like Pam Poovey from Archer, by month, for the rest of the phase rollout.”
(A, 19:38)
Simple Wrap-Up:
“Not enough assessors is an intellectually hollow coping mechanism for people who didn't bother to read rulemaking estimates and compare them with current ecosystem throughput. And that's being very generous with my words.”
(A, 27:42)
Assessment capacity is not, and will not be, the limiting factor for CMMC certification. The real bottleneck is contractors’ readiness and willingness to implement NIST SP 800-171 and related DFARS requirements before attempting certification. Active C3PAOs continuously have open slots; if organizations fail to get certified, it’s more likely because they aren’t prepared. The CMMC ecosystem is well ahead of schedule, with ample room for growth.
“There are more than enough assessors for what we need. There are going to be more than enough assessors for what we're going to need. Stop saying that there isn't enough assessment capacity and get to work.” (A, 27:44)
For more reality checks, in-depth numbers, and regulatory breakdowns, catch the next episode of Sum IT Up.