Sum IT Up: CMMC News Roundup
Episode: You can’t do that with your ESP!
Date: May 8, 2025
Host: Summit 7
Theme: April Cyber AB Town Hall Recap, CMMC Updates, Assessment Progress, and ESP vs CSP Clarifications
Episode Overview
This episode provides an in-depth summary of the April Cyber AB Town Hall, focusing on recent developments in the CMMC ecosystem, leadership changes, assessment progress, ongoing audits and oversight, and detailed guidance for managed service providers (MSPs), enterprise service providers (ESPs), and cloud service providers (CSPs). The hosts discuss key stats, respond to community myths, and provide practical clarifications on the evolving responsibilities within CMMC compliance.
Key Discussion Points & Insights
1. Leadership Changes in the CMMC Ecosystem (Keiko)
[01:04-03:36]
- Announcement: Kyle Gingrich, former Acting Director of the Keiko (CMMC training oversight) has stepped down.
- Replacement: Mike Snyder, previously involved in training provisional assessors, is stepping in as interim.
- Quote:
“Thank you, Kyle, for everything that you've done thus far to get the ecosystem off the ground.” – A [01:19]
- Impact: Hosts praise Kyle's efforts in building foundational training programs under challenging conditions and express optimism regarding Mike Snyder’s familiarity and expertise.
- Notable: The change is seen as an opportunity to maintain (or even accelerate) momentum, bridging gaps in training, particularly regarding certified instructors.
2. CMMC Assessment Statistics & Progress
[03:36-08:34]
- Numbers Shared:
- 85 organizations have achieved CMMC Level 2 certification.
- 99 assessments are in progress.
- Notably, 15 certified orgs are MSPs or MSSPs (approx. 17.65% of early adopters).
- JSVA Program (early, voluntary assessments): No conversions reported as of the town hall.
- Quote:
"It is firing off, people are doing assessments. And I think that we both know C3PAOs or CCAs that have been nothing but non stop busy since the clock struck for this to start." – A [08:16]
- Analysis: Early high adoption by service providers is notable; further conversions from voluntary programs are pending and will considerably increase numbers.
3. Issues with CAGE Code & Assessment Data Uploads
[08:34-11:03]
- Problem Identified: Multiple errors during the upload of assessment information (especially around CAGE hierarchy and form field validation).
- Lack of real-time field validation creates friction – errors are only revealed after full submission, requiring complete resubmission.
- Quote:
“The example that I heard was…if you put L1 or L2 instead of 1 or 2, that kind of validation isn’t happening.” – B [09:54]
- Current Action: The CMMC PMO is working on improving validation and making the process less onerous for organizations.
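The submission problem the hosts describe (errors surfacing only after a full upload, a level typed as "L2" rejected instead of being read as 2) is a validation-design issue rather than a policy one. The following is an added example, not code from the episode, Summit 7 or the CMMC PMO: it shows a collect-all-errors validator over an assumed record layout (cage, parent_cage, level), so every field problem is reported in one pass and tolerant inputs are normalized. The field names, accepted values and sample records are assumptions made for illustration; only the CAGE code format (five alphanumeric characters) is a public fact.

```python
"""Collect-all-errors validation for an assessment-record upload.

Added example, not the episode's or any program's code. The field set and
sample records below are constructed for illustration.
"""
import re

# CAGE codes are five alphanumeric characters (public DLA format).
CAGE_RE = re.compile(r"^[A-Z0-9]{5}$")


def validate_cage(value):
    """Return an error message for a malformed CAGE code, or None if valid."""
    if not isinstance(value, str) or not CAGE_RE.match(value.strip().upper()):
        return "expected five alphanumeric characters"
    return None


def normalize_level(value):
    """Accept 1/2/3 as int or as strings like '2', 'L2', 'Level 2'.

    Returns the level as an int, or None when the input cannot be read.
    This is the tolerance the quoted example says the upload form lacks.
    """
    if isinstance(value, int):
        return value if value in (1, 2, 3) else None
    if isinstance(value, str):
        m = re.fullmatch(r"\s*(?:level\s*|l)?([123])\s*", value, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None


def validate_record(record):
    """Validate one submission record without failing fast.

    Returns (normalized, errors): `normalized` holds the cleaned values of
    every field that passed, `errors` maps each failing field to a message.
    Reporting all failures at once is what spares the submitter a full
    resubmission per mistake.
    """
    normalized, errors = {}, {}

    # Primary CAGE code (assumed field name).
    err = validate_cage(record.get("cage"))
    if err:
        errors["cage"] = err
    else:
        normalized["cage"] = record["cage"].strip().upper()

    # Optional parent CAGE for the hierarchy (assumed field name); it must be
    # well-formed and must not point at the record's own CAGE.
    parent = record.get("parent_cage")
    if parent is not None:
        err = validate_cage(parent)
        if err:
            errors["parent_cage"] = err
        elif parent.strip().upper() == normalized.get("cage"):
            errors["parent_cage"] = "must differ from cage"
        else:
            normalized["parent_cage"] = parent.strip().upper()

    # Assessment level (assumed field name), normalized rather than rejected.
    level = normalize_level(record.get("level"))
    if level is None:
        errors["level"] = "expected 1, 2 or 3 (forms such as 'L2' are accepted)"
    else:
        normalized["level"] = level

    return normalized, errors


# Constructed sample records: one with a tolerant level and a bad parent,
# one with two independent mistakes that should both be reported together.
SAMPLE_RECORDS = [
    {"cage": "1ab2c", "parent_cage": "1AB2C", "level": "L2"},
    {"cage": "12", "level": "two"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ok, errs = validate_record(rec)
        print(rec, "->", ok, errs)
```

Running the block prints, for each constructed record, the fields that passed alongside every field that failed; a real form would surface the `errors` map per field before the package is submitted.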
4. Government Accountability Office (GAO) Audit
[11:03-13:36]
- Nature: A new audit of the CMMC program has been initiated by direction of Congress.
- Purpose: Primarily to review the health, scalability, and sustainability of the ecosystem—not punitive.
- Quote:
“No, I…think that this is more so is the plan that is in place sufficient for this to grow to where we need it to grow?” – A [11:36]
“I totally agree. You know, for a long time we thought that this was going to expand beyond just the DoD...I see it as a net positive.” – B [12:16]
5. Growth and Health of the Ecosystem
[13:36-15:15]
- Key Stats:
- 67 authorized C3PAOs, with 2 more in the pipeline.
- Over 5,000 CCP (Certified CMMC Professional) applicants, nearly 1,000 certified.
- Significance: Demonstrates increasing buy-in and ecosystem maturity.
- Quote:
“I always plug this number in…before the CCPs because it is absolutely fascinating to me that there are 5,000 plus CCP applicants and we already have almost a thousand that are certified within the ecosystem.” – A [13:22]
6. Addressing Fears and Misinformation: Will CMMC Survive?
[15:15-17:04]
- Public Perception: Frequent audits, hearings, or program reviews can cause concern.
- Hosts stress these are routine government processes and NOT signs of program demise.
- Quote:
“It's not specific to the CMB program, more so specific to making sure that there's checks and balances in place within the government." – A [16:35]
7. CMMC’s Rising Visibility, Especially at RSA Conference
[17:04-19:14]
- Trend: Increased discussion and educational focus on CMMC at national events like RSA—signals mainstream acceptance.
- For the first time, CMMC was a selectable topic tag for RSA abstracts.
- Multiple sessions on CMMC/800-171/Shared Responsibility Models offered.
- Quote:
“At RSA…CMMC for the first time was available as a tag for the abstracts. And so I got very excited…” – B [18:11]
8. Mythbusting: What ESPs/MSPs/CSPs Can and Cannot Do
[19:14-29:36]
- Key Clarifications:
- Assume Responsibility:
- MSPs/ESPs/CSPs cannot carry overall CMMC conformity responsibility for clients.
- “They can say that, but no. Is that something that they can put in their contract…?” – B [22:23]
- Provide/Loan System Security Plans (SSPs):
- These must be unique to each client (OSC); MSPs may assist but cannot be owners.
- 100% Coverage Claims:
- No service provider can fulfill all requirements (especially subjective/organizational controls, e.g., authorized access).
- “There are specific ones…where the contractor has to be the decision maker.” – B [24:03]
- Use of Shared Responsibility Matrices (SRM/CRM):
- SRMs from MSPs aid, but do not replace client responsibilities or assessor validation.
- The burden of validation may be less if the MSP holds CMMC Level 2, but evidence and participatory assessment are always required.
- “It has to be highly detailed in the system security plan. And then the MSP still needs to be available and partake in the actual assessment.” – B [26:28]
- Inheritance and Burden of Proof:
- Some inheritance can occur, but ultimate validation always lies with OSCs and assessors’ comfort level.
- Illustrative Analogy (on assuming responsibility):
“Think about the DOD has a kid and that kid's name's CUI…” (Babysitter analogy explaining why you cannot delegate authority for CUI custody) – A [24:52-25:56]
9. MSP/ESP/CSP Terminology and Regulatory Distinction
[29:36-31:47]
- Clarification:
- “ESP, not a CSP” in rules = MSPs and MSSPs (FedRAMP does not apply).
- CSPs (as formally defined by NIST SP 800-145) require FedRAMP Moderate as a baseline if handling CUI.
- Quote:
“Cloud service provider is going to be aligning to FedRAMP, which is a whole other set of criteria… Everyone else that is an ESP comma, not a CSP. They don't have to align to FedRAMP Moderate as the baseline.” – B [30:25]
10. In Memoriam: Robert Metzger
[31:47-End]
- Closing Reflection:
- The hosts pay tribute to Robert Metzger, a foundational figure in CMMC and valued friend/mentor in the community.
- “I was lucky enough for Robert Metzger to become my friend Bob and we lost a friend. I will miss my friend. I'm sure we will all miss Bob and his impact. May he rest in peace.” – A [32:27]
Notable Quotes & Memorable Moments
- On Transition and Growth:
“She [Kyle] was very graceful in conversations that I had with her and…well wishes. But something that…her job impacted and now Michael Snyder needed to do is growing the ecosystem for assessments.” – A [04:45]
- On Early Assessments:
"It is amazing that 17.65% of all…organizations that are certified at CMMC level 2 [are] providers." – A [06:54]
- On Persistent CMMC Survival Rumors:
“There's so much missing context. So that's what I was glad that he was clarifying for us…there was some people that just jumped right on to the fact that he was bringing it up at all during his confirmation hearing.” – B [15:15]
- On CMMC Conferences vs. Mainstream Conferences:
“This wasn't a CMMC conference, this was a national stage conference…for abstracts for speaker submissions. Correct.” – A [19:14]
- On the Limits of Outsourcing Compliance:
“You cannot 100% outsource your responsibility for compliance.” – A [19:38]
- Babysitter Analogy on Non-Delegation of CUI:
“If I am being trusted as the babysitter… I can't just turn to my neighbor and say, hey, you watch them for the next hour and then you can…decide who can watch CUI…” – A [25:26]
Timestamps for Key Segments
| Time (MM:SS) | Segment |
|------------------|------------------------------------------------------------------|
| 01:04 – 03:36 | Leadership transition at Keiko / reflections on progress |
| 03:36 – 08:34 | Assessment numbers, breakdown and significance |
| 08:34 – 11:03 | CAGE code data errors in submissions, issues and fixes |
| 11:03 – 13:36 | GAO audit: scope, purpose and host perspectives |
| 13:36 – 15:15 | Ecosystem growth numbers, CCP/CCA/C3PAO pipeline |
| 15:15 – 17:04 | Addressing misconceptions & survival rumors about CMMC |
| 17:04 – 19:14 | CMMC’s increasing presence at RSA and other major conferences |
| 19:14 – 29:36 | ESP v. CSP centric Mythbusting; outsourcing compliance limits |
| 29:36 – 31:47 | Nuances in MSP/ESP/CSP terminology per CMMC and NIST standards |
| 31:47 – End | In memoriam: Robert Metzger; personal reflections |
Conclusion
This episode dives deep into the April Cyber AB Town Hall, offering practical updates on program health, clarifying rumblings about audits and program survival, sharing concrete assessment progress statistics, and dispelling prevalent misunderstandings about the roles and boundaries of MSPs/ESPs/CSPs in the compliance ecosystem. The hosts emphasize vigilance in responsibility allocation and best practices, while also honoring a community luminary, leaving listeners updated, reassured, and better able to navigate the continually evolving world of CMMC.
