Loading summary
A
Joy, we are here. You are across the screen from me. And that can obviously only mean that it is that time of the month. A Cyber AB Town Hall has taken place recently. And what we do is we are lucky enough to have you come in and join us. And what we talk about is everything that realistically is pertinent about that Cyber AB Town Hall, and the one that we're going to talk about this month is April.
B
Let's get the lowdown.
A
Yeah. So as normal, as is customary, they always go into the Cyber AB Town Hall and we get a nice little update. You know, how are things going? How are things progressing? And these updates are more and more important now, especially as we have a final rule in place and another rule that is pending and people are starting to get certifications. Right? They can get the certifications. And so, you know, with this month's update comes some good and some not so good news. Right. And we'll start, as I always like to ask, give me the bad first. Right. Or give me the thing that is just not so good, and the not so good is there's a change in the leadership for the CAICO. That's the CMMC Assessors and Instructors Certification Organization, the controlling organization for the training. Right. And so essentially what happened is that Kyle Gingrich, who was the acting director of the CAICO, stepped down sometime within the past month, and she's going to be replaced by Mike Snyder, who I think everybody in the ecosystem should be familiar with right now. Everybody's had an opportunity to interact with him, at least in an interim role. And Matt Travis, the CEO, said that sometime in the near future he'll be meeting with the board and developing a course forward to replace Kyle and her presence. For me personally, thank you, Kyle, for everything that you've done thus far to get the ecosystem off the ground. Thank you for being a guest on this show. Right. And participating with us when we had questions that needed to be answered. And I wish you all the best in whatever may come in the future.
B
Agreed. Kyle had a rough job starting up the training in the ecosystem, trying to balance between the demands and the needs of the DoD, and then all of the licensed partner publishers, which are now approved partner publishers, and the training centers. And so during those growth phases, it was a rough time for a lot of people, so she brought us all the way here. She was a guest on our show, the first one that I joined you for on the Sum It Up; she was our guest. I've worked with Mike before in the past, too, before Kyle was put into place. We had Mike and he was training all of the provisional assessors. So I already have a great relationship with him. And it's going to be really interesting to see how he can improve the program now moving forward, because they have a huge job in kind of bridging that delta, if you will, the gap between the R2 and the R3. We still don't have the CCI out there. Right. For the Certified... Certified Instructor. Oh my God, I lost the acronym. So we have a ways to go and it'll be good to see how he can bring us to the promised land.
A
I will hold down the acronyms if you hold down the math. And I think between the both of us, we'll at least get through a whole show, right?
B
Yeah.
A
So it's nice to have at least somebody in the interim so that we don't lose the momentum that the program has, somebody in the interim that is at least familiar with it. So it's not that getting-to-know-you type period. Somebody that can at least grab the torch and make sure it doesn't hit the ground until a more permanent person, if it happens to be that person, is put into place there. So at least it's not like, oh no, the world is ending. I do echo what you said. I don't think that Kyle had the most pristine of conditions to go into. It's very tough to try to develop something that covers everything and people are judging you for not having things developed that they feel like this program needs. Yeah, that's a great idea. We're starting from scratch here. We're going from the bottom up. She was very graceful in conversations that I had with her and she was, again, very nice to join us on the show, but again, well wishes. But something that, you know, kind of her job impacted and now Michael Snyder needs to do is growing the ecosystem for assessments. And one of the things that we had an update on, coming from Matt Travis in the town hall, had to do with assessments and progress in assessments. Right. We know that the program went live, but I think one of the things that we've all been wondering, and I actually asked you this question last month on our show, is right now, if you had to guess, how many do you think have been completed? And I think we were both kind of a little high on the number which we guessed. But the update that we got: 85 total certified OSCs. So since the start of the CMMC program and assessments being able to be done, 85 organizations have received that ID number, have it uploaded, you are good to go. You have CMMC Level 2. And then with that 85, right now in progress, I think the update that we got is 99 other assessments at some stage of it. So there's 185 total assessments.
I think my guess was somewhere in the area of 200, just based on the progress which we had. I got an extra month for my guess to come to fruition, but we didn't do terrible on some number stuff, and I got that right. So that's a personal victory for me. But it's also a victory for the ecosystem in a way. It just shows that there's progress and there's assessments happening.
B
So you know what's crazy about this? The MSP Collective has a marketplace where we're tracking the number of MSPs or MSSPs that have themselves gone through and received the CMMC Level 2 certification.
A
The only place that does that, I think right.
B
They have gone through and been validated that, yeah, they received their certification. So if 85 total have been certified and 15 of those are MSPs or MSSPs, that's a fairly high percentage of service providers in that initial mix, which I am super excited to see, because so many of those service providers are going to be the avenue or the gateway for success of a lot more small DIB contractors to get through quickly. I mean, that's pretty amazing, don't you think?
A
I do. I do think that it is amazing that 17.65% of all DIB contractors, of all organizations that are certified at CMMC Level 2, are providers. Learned my lesson this time. Relied on my old friend the internet. But yeah, so there are providers. However, I think that those were the ones that were itching the most. And one of the other things to consider, Joy, and I think that maybe you can provide why this is a hiccup more so, is that all of those organizations that were actually DIB organizations that had DFARS requirements, that wanted to get certified early, that went through the Joint Surveillance Voluntary Assessment Program, the JSVA program. Right. None of those have converted as of the town hall. Right. There was still a process of the information getting uploaded and some issues that they were running into getting those conversions to happen. And if I remember correctly, there was a good amount of organizations that got that done too. So that percentage of it being providers kind of shrinks a little bit once it gets there. But the other thing to take into this is that any of the C3PAOs that got DIBCAC assessments, they, you know, automatically carry over for CMMC Level 2. So there's a lot of intertwining that's going on there. I think the biggest thing to take away from the entire issuance of these numbers, basically through the first quarter of the program, is that it is firing off, people are doing assessments. And I think that we both know C3PAOs or CCAs that have been nothing but non-stop busy since the clock struck for this to start.
B
Yep.
A
And this is maybe something that I will kind of ask for your clarification on, but one of the guests that joined for this month's town hall, Dana Mason from the CMMC Program Management Office, joined to just give a little update with regards to CAGE codes and basically some issues that they were seeing. And this is just my general understanding, and I didn't know if you had anything extra to add in there, but basically they're seeing several errors with people that are uploading their scores in eMASS. Whether that be the C3PAO. They do that, right? They do, yep. So something coming from the C3PAO. But what they said was, and this is again my understanding, please, you know, don't attack me, and hopefully you can clarify this, Joy, was that some of these errors could be CAGE hierarchy errors that were reported by whoever got assessed, and that was false information that they had. Can you kind of help me understand that a little bit more? Like, how that works?
B
Yeah, that's part of it. And I don't know that they were given the right direction on the importance of the hierarchy of the CAGE code in providing that information to the C3PAO, and then the C3PAO putting that into the system. The other part of that is that, from what I understand, there's not great field validation, so that as information's being put into a field it tells you right away if it's not the right format. And that's another area they're working on. The example that I heard was that it says, what level is this for? And if you put L1 or L2 instead of 1 or 2, that kind of validation isn't happening. It kicks it back, but it doesn't kick it back until you've completed the entire form and done the whole upload, and then you get the rejection. And right now what's happening is that rejection requires the entire thing to be input again. You can't just go back and correct a field.
A
So that whole packet of information that you had to do, it's another process. So you're doing it twice. Database 101, right? Yeah, yeah. Like, does it give you an error, or, I mean, if you're familiar at all, is there an error that says 46?
B
It just gets a rejection. And so that's part of what they're trying to fix. It was great to talk about it and to clarify some of the issues that they know are being addressed right away.
A
Yeah, it's basically like going line by line through code. Did this work? Did it take it? No. Let's change this. Let's change this. Oh, my goodness. All right, so another thing. Is another audit coming for the CMMC program, or another audit where the CMMC program is, you know, the topic of the audit? And this one is basically from the Government Accountability Office, the GAO. And I'm sure that there will be an episode somewhere in the future of the Sum It Up podcast where Jacob digs into another audit to let us know exactly what it is, and we talk about it. But essentially what Matt Travis had told us is that this was an audit of the program as a whole, but it was given at the direction of Congress, and it's been basically focusing on the health of the ecosystem and its plan to grow and sustain it. Which again, initially, people hear audits, right? And people are thinking, oh, that's so bad. No, I, more so in my humble opinion, IMHO, J, I think that this is more so: is the plan that is in place sufficient for this to grow to where we need it to grow? And that was the perspective which I got when the message was delivered to us from Matt. Would you agree or disagree?
B
I totally agree. You know, for a long time we thought that this was going to expand beyond just the DoD into other agencies. And I think that this is, I'm reading it as kind of a feeler going out to say, if we do expand it that way, what are we looking at for the timeline? So I see it as a net positive.
A
I 100% agree. And unfortunately, some people, again, like I said, see that word audit and they're like, it's going down. This is the end of CMMC. And the numbers, which that audit basically is going to investigate, and the progress of the numbers, are reflective of the ecosystem growth. And we got those numbers on this month's town hall. And overall, all the numbers are growing. Right. We've gained a couple of new assessment organizations, authorized C3PAOs. Right. The CCAs continue to grow. I always plug this number in there before the CCPs, because it is absolutely fascinating to me that there are 5,000 plus CCP applicants and we already have almost a thousand that are certified within the ecosystem. I think that that is a testament to the fact that people are actually buying into it, and not just the people that want to make money off of it and provide a service off of it. Right. But the people that want to actually implement the standard correctly and have a better understanding for their employees, which is something that we advocate for heavily.
B
Yeah.
A
Do you think, and this is just... Oh, shoot, I'm sorry. 67 authorized CCAs, and two that were announced at the town hall which were presented for authorization.
B
67 authorized C3PAOs.
A
What did I say? CCAs.
B
Yeah.
A
Dagger. I was trying to do two things. I cannot multitask. Ask my wife. 67 authorized C3PAOs, and then two more coming that are in the hopper to get authorized, that were presented for authorization to the Cyber AB CEO this week sometime. So maybe 69. And so, you know, we hear the audit and the ecosystem sounds good. And then another question that is constantly brought up with regards to the CMMC program, especially nowadays with the new administration, is the rulemaking, what affects it and things like that, whether the DOGE program will come in and have an impact on CMMC, and whether testimonies coming from certain places indicate anything about the end of the program. And the general consensus: it's getting old at this point. Right. Like, I think that every time it's the same thing. Yes, I'll look into that program. Yes, we'll conduct an audit. Yes, we'll do this. But we're still not coming up with anything substantial. And I think that one of the main things that was instilled here during the town hall by Matt Travis was that, based off of the belief in how the program works and what these particular cuts that are taking place are happening with, they don't intertwine with one another, and it doesn't feel like CMMC is going to be one of those casualties.
B
Yeah, not at all. I mean, we are hearing and seeing Katie being more vocal, more visible about it. And really I liked that Matt had restated on the town hall that the way that we heard the information coming out of Michael Duffy was that he was actually responding to some questions that were pre-submitted. And the context is always the thing. This is the thing on every news outlet that drives me crazy, is that they play you just a snippet of what somebody said, without what led into that or what they are responding to. There's so much missing context. So that's what I was glad that he was clarifying for us, because we know that, but for the general ecosystem out there, there were some people that just jumped right on to the fact that he was bringing it up at all during his confirmation hearing.
A
Yeah. And I think there's something to say about the fact that if you continuously see kind of the same events happening, if there's constantly an audit, if there's constantly somebody questioning in some hearing, if there's constantly some review happening of it, if you hear it consistently enough, you're going to start believing maybe this is a possibility. Right. But realistically, what we've seen is that all of it has come as just par for the course. Right. Whether it be administration changes, whether it be reviews of programs or whatever it is, these are just typical things that are happening. It's not specific to the CMMC program, more so specific to making sure that there's checks and balances in place within the government. Right now, you were lucky enough to attend RSA. I think it's one of your favorite events of the year, right?
B
It is, by far.
A
And one of the things I think might have been refreshing for you at RSA, as told by Matt Travis, is that there was a lot of talk about something that we really like, CMMC. Right. But it wasn't the typical "we don't know what's going to happen" talk. Right. It was more of an "it ain't going anywhere" type of deal. Right. Did you think that that was the general tone of the conversations that were happening? I mean, Stacy was there, there were a few other people there. It seems like it was kind of a firm, let's put our feet in the sand. What do you think?
B
Yeah, every year I'm seeing more of it. What I'm surprised by is that we're still not seeing a lot of CMMC anywhere on the vendor floor. But then every CMMC conference we go to outside of RSA, those vendors are everywhere, spending a lot of money. But at RSA, what I noticed this year when I submitted my abstract, which I can't believe was not accepted, is that in the abstract, you know, they have you tag all of the different areas of cyber or compliance that your talk might touch upon. And CMMC for the first time was available as a tag for the abstracts. And so I got very excited. I thought, well, maybe they're going to have a CMMC track. Now that's just wishful thinking, I think, for quite a while. But the GRC track really did center a lot more educational sessions around it. They even had a fabulous one that I mentioned to you, around a mock trial for cybersecurity through the Department of Justice, and what would it be if... I won't get into the details, but I will tell you that there were probably, from what I saw, seven or eight educational sessions that either were directly CMMC, with the shared responsibility matrix, or a NIST SP 800-171 kind of spin-off, or something very close to it that would have been valuable for anybody that is in CMMC and wanted to get more education at RSA about it.
A
Yeah, I think that what this represents is kind of like the changing of the tides. Right. And I think that you could safely say, and I've been in that position before too, that a couple of years ago when we went to these non-industry-specific events, the larger named events, there was no representation whatsoever. And as time's going on, especially probably over the past five or six months, you're starting to see more of a desire, more of a presence of it too. Very refreshing. It's nice to see everybody that's new to the party. Welcome to the party. It can be fun at times, but for the most part I think that that was a great takeaway at a conference like that. This wasn't a CMMC conference, this was a national stage conference where now, as you mentioned, I just today learned that it had its own section for abstracts for speaker submissions. Correct. And so to see that potential adaptation, acceptance of it, I think is not only indicative, like I said, of the tides changing, but I think it is a direct result of the fact that now there's regulation in place and it's real, and all of the "is it not going to be here?" Let's, you know, it's going to be here, it's here to stay. And we see it in four different avenues that were communicated very clearly through this month's town hall: the growth of the ecosystem, where it's going with rulemaking, the RSA conference and such. So this one's near and dear to our heart, because obviously we work for a managed service provider, managed security service provider, and we do a lot of explanation and content around the shared responsibility model and who can do what within it, and making sure that it's very, very clear how you could do it. And recently, publicly, a lot of scrutiny was received based on a position which we took, based on our knowledge of, I don't know, the frameworks and compliance and how it works.
But all of that stuff aside, the position which we took is that you cannot 100% outsource your responsibility for compliance. And this month on the town hall, for the second month in a row, we kind of got some evidence to defend that. And the evidence was just in the form of combining Mythbusters with the "ESP, not a CSP" edition, clarifying ESPs and CSPs and what they can and can't do. Basically to be educational, to stop you from getting taken to the house by somebody that says they can do a lot of stuff that legally they can't do. Right. And so I'm going to read through the five things which were listed, and I just want you to quickly answer yes or no: do you think that they were wrong for saying that they can't do this? Right. Do you think it's wrong that an MSP can't do this? And so the first one, pretty important here: assume overall responsibility for your CMMC conformity. Joy. So could an MSP, ESP, CSP, whatever is in that classification, right, could they say, don't worry about your CMMC, we'll take care of everything for you?
B
Well, they can say that, but no. Is that something that they can put in their contract, in their marketing language? You know, I think that a lot of MSPs are pretty loose with their words like that. And so it's good that this is being called out.
A
Yeah, I think that what this is, is clarification, and marketing. There's a little bit of tricky marketing happening, and I think that the AB is seeing that. Now, can an ESP, not a CSP, loan or bequeath you their system security plan? Can I say, I have a really good system security plan here, use it for your assessment?
B
No, the system security plan has to be provided by the OSC. Now the MSP can help them populate it. They can give some areas of the shared responsibility matrix that they would say, copy this part into your SSP, because that's directly based on our performing these services, and we have the service level agreement and the contract, and we'll be there as well to speak to it. So they can assist with it. But no, they can't own the SSP of the OSC.
A
All right, now Joy, would I be telling the truth or would I be telling a fib if I said that I have a solution that will 100% satisfy all 110 security requirements and all 320 assessment objectives for you, to include things like AC 3.1.1, I don't know, identifying authorized users, or defining information security related topics that need to be covered in training, or... I don't know. Can I say that I develop your system security plan for you?
B
You can say that you can develop the system security plan with the contractor, but there are too many controls, and specific ones were called out by Matt where the contractor has to be the decision maker. They're the ones that have all of the risk and they're the ones that are the holders of the CUI according to the contract with the flow-down. Right. So they're the authorized holder in the end. The example was, like the first one that he gave, 3.1.1: the contractor themselves, the OSC, is responsible for saying who on their team is authorized to engage with that CUI in any way. No MSP or MSSP can make that decision for the contractor. Right?
A
Yeah. It makes 100% sense. And the way that I like to explain it is, think about it: the DoD has a kid, and that kid's name is CUI, and the DoD has given you permission, Joy, and your company, right, to watch CUI while they go run some errands or do something, or your friends or kids or whatever. The DoD does not give you permission to decide who is authorized to watch CUI from that point out. Right. Does that make sense?
B
Yeah. This is Amira's from, I think, two years ago. Amira started using that as an example. Yeah, that exact one. I mean, it's just such a good way of viewing that, because if I am being trusted as the babysitter, right, I can't just turn to my neighbor and say, hey, you watch them for the next hour, and then you can...
A
Decide who can watch CUI while, if you want to go out, eventually CUI is down on the corner hanging out with some people you've never even met before, right?
B
Yeah.
A
Like, that's how episodes of Cops happen, right? Like, it's just, this is how things populate. Next question. My company has this stellar customer responsibility matrix, shared responsibility matrix, that's offered for our services. We got a CMMC Level 2 certification that backs that up. If I give you that CRM or that SRM, Joy, can you then just take it and be like, you know what, this is pre-validated, this is good to go. You don't have to look at those 76 controls that they passed that we say we tie into.
B
No, it has to be highly detailed in the system security plan. And then the MSP still needs to be available and partake in the actual assessment. Right. It's not a matter of inheritance the same way that a FedRAMP CRM would work at all. It's similar, though. There should be a lower burden of proof, so that if the C3PAO is seeing all of this shared responsibility matrix verbiage and evidence at some point through it, if that MSP already has their own CMMC Level 2 certification, it's up to the assessor to determine: maybe I don't need to go to as much detail or depth in each of these controls, because I'm seeing that there is a way of working through this and that the MSP is absolutely doing what they say they're going to do. Right?
A
Yeah. They can't provide you, and they can't say that they're going to provide you, with that matrix, right, and you're going to be able to go to the C3PAO and say, yeah, this is from Summit 7, we good? Right. Like, that's not how it works.
B
Right.
A
Still has to be some validation there.
B
Still has to be very clear about that. Well, let me say it this way. The CAP is clear that if the MSP has their own CMMC Level 2, there should be and could be a lower burden of proof. So what that actually translates to is still up to the assessor and their level of comfort as they start to go through each of those controls and domains.
A
Do you think that that burden of proof lies between, here's a statement that says we as the MSP do this on behalf of that, and we're certified saying that we do this, so you don't need this body of evidence that defends our implementation of 3.1.1 or whatever it is, right, because we're certified, 3.1.1's done, something like that? Is that kind of what you're getting at?
B
I think that the body of evidence still needs to be there, but the level of participation with the MSP may be where the difference is.
A
Yep. Okay, so less defense of the CRM, and more so the client being able to defend it, and not having that staff there.
B
Okay, yeah, I'm hearing that more.
A
All right, so the last thing that we want to cover for this month. And it's something, I mean, realistically, with our work, both of us, you sit on the board and I am a member representative of the MSPs for Critical Infrastructure, the MSP Collaborative. Right. And we do a lot of work with ESPs, MSPs, MSSPs, like you said, the only marketplace that lists all the certified MSPs, MSSPs and ESPs in the CMMC ecosystem right now. But one of the topics that they covered, which is something that is still a little bit of a cloudy area for some, I see a lot of questions about it within the town hall questions, a lot of questions being submitted apparently to the procurement question box, is the difference between an MSP or, basically, the differentiator between an ESP, right, that's not a CSP. Is that what the breakdown was?
B
Yeah, the language is.
A
I was like, an MSP that's like an ESP, but it's a CSP, but HIJ LMNOP. I just, like, even with you earlier, it's just sometimes an ESP, not a CSP, plus a CSP with CSP capabilities, has characteristics on Wednesdays that make it a CSP. It's weird.
B
Yeah, no, he got there. But the "ESP, comma, not a CSP," quote unquote, actually means an MSP or an MSSP. Right. But they can't say MSP or MSSP because that's not what was in the rule.
A
Correct. So it's basically just making sure that the message that's being delivered aligns with the rule. And what is the differentiator between an ESP and a CSP, Joy?
B
Well, the cloud service provider is going to be aligning to FedRAMP, which is a whole other set of criteria with a whole different product process going through it. Right. And he gives the description for what qualifies as a cloud service provider. There's a whole other document, NIST SP 800-145, that you can go to to see the formal definition of that. Everyone else that is an "ESP, comma, not a CSP," they don't have to align to FedRAMP Moderate as the baseline. Right. They have their own way of navigating whether or not they have CUI or SPD as the types of data that they are processing, storing or transmitting in support of or on behalf of an organization seeking assessment. So that has its own criteria. And he gave the table, the same table that you can find in 32 CFR Part 170, the same table of information really that you can find in the CMMC Level 2 Scoping Guide, that talks through how that comes into play if you're an MSP or MSSP, otherwise known as an ESP, not a CSP.
A
And thank you for clarifying that for me. So before we get out of here, the last section of the town hall, and we would be remiss if we did not address it, but we both lost a friend. A friend to the show, a friend to our organization and a titan of CMMC. When I first started in CMMC I was writing justifications to go see the great Robert Metzger speak, because what he said had such an impact on me and what I wanted to do and what I wanted to learn. And I was lucky enough for Robert Metzger to become my friend Bob, and we lost a friend. I will miss my friend. I'm sure we will all miss Bob and his impact. May he rest in peace. We'll see you next week.
B
Thanks Jason.
A
SA.
Episode: You can’t do that with your ESP!
Date: May 8, 2025
Host: Summit 7
Theme: April Cyber AB Town Hall Recap, CMMC Updates, Assessment Progress, and ESP vs CSP Clarifications
This episode provides an in-depth summary of the April Cyber AB Town Hall, focusing on recent developments in the CMMC ecosystem, leadership changes, assessment progress, ongoing audits and oversight, and detailed guidance for managed service providers (MSPs), external service providers (ESPs), and cloud service providers (CSPs). The hosts discuss key stats, respond to community myths, and provide practical clarifications on the evolving responsibilities within CMMC compliance.
[01:04-03:36]
“Thank you, Kyle, for everything that you've done thus far to get the ecosystem off the ground.” – A [01:19]
[03:36-08:34]
"It is firing off, people are doing assessments. And I think that we both know C3PAOs or CCAs that have been nothing but non stop busy since the clock struck for this to start." – A [08:16]
[08:34-11:03]
“The example that I heard was…if you put L1 or L2 instead of 1 or 2, that kind of validation isn’t happening.” – B [09:54]
[11:03-13:36]
“No, I…think that this is more so is the plan that is in place sufficient for this to grow to where we need it to grow?” – A [11:36]
“I totally agree. You know, for a long time we thought that this was going to expand beyond just the DoD...I see it as a net positive.” – B [12:16]
[13:36-15:15]
“I always plug this number in…before the CCPs because it is absolutely fascinating to me that there are 5,000 plus CCP applicants and we already have almost a thousand that are certified within the ecosystem.” – A [13:22]
[15:15-17:04]
“It's not specific to the CMMC program, more so specific to making sure that there's checks and balances in place within the government." – A [16:35]
[17:04-19:14]
“At RSA…CMMC for the first time was available as a tag for the abstracts. And so I got very excited…” – B [18:11]
[19:14-29:36]
“Think about the DOD has a kid and that kid's name's CUI…” (Babysitter analogy explaining why you cannot delegate authority for CUI custody) – A [24:52-25:56]
[29:36-31:47]
“Cloud service provider is going to be aligning to FedRAMP, which is a whole other set of criteria… Everyone else that is an ESP, comma, not a CSP. They don't have to align to FedRAMP Moderate as the baseline.” – B [30:25]
[31:47-End]
On Transition and Growth:
“She [Kyle] was very graceful in conversations that I had with her and…well wishes. But something that…her job impacted and now Michael Snyder needed to do is growing the ecosystem for assessments.” – A [04:45]
On Early Assessments:
"It is amazing that 17.65% of all…organizations that are certified at CMMC level 2 [are] providers." – A [06:54]
On Persistent CMMC Survival Rumors:
“There's so much missing context. So that's what I was glad that he was clarifying for us…there was some people that just jumped right on to the fact that he was bringing it up at all during his confirmation hearing.” – B [15:15]
On CMMC Conferences vs. Mainstream Conferences:
“This wasn't a CMMC conference, this was a national stage conference…for abstracts for speaker submissions. Correct.” – A [19:14]
On the Limits of Outsourcing Compliance:
“You cannot 100% outsource your responsibility for compliance.” – A [19:38]
Babysitter Analogy on Non-Delegation of CUI:
“If I am being trusted as the babysitter… I can't just turn to my neighbor and say, hey, you watch them for the next hour and then you can…decide who can watch CUI…” – B, A [25:26]
| Time (MM:SS) | Segment |
|---|---|
| 01:04 – 03:36 | Leadership transition at CAICO / reflections on progress |
| 03:36 – 08:34 | Assessment numbers, breakdown and significance |
| 08:34 – 11:03 | CAGE code data errors in submissions, issues and fixes |
| 11:03 – 13:36 | GAO audit: scope, purpose and host perspectives |
| 13:36 – 15:15 | Ecosystem growth numbers, CCP/CCA/C3PAO pipeline |
| 15:15 – 17:04 | Addressing misconceptions & survival rumors about CMMC |
| 17:04 – 19:14 | CMMC’s increasing presence at RSA and other major conferences |
| 19:14 – 29:36 | ESP v. CSP centric Mythbusting; outsourcing compliance limits |
| 29:36 – 31:47 | Nuances in MSP/ESP/CSP terminology per CMMC and NIST standards |
| 31:47 – End | In memoriam: Robert Metzger; personal reflections |
This episode dives deep into the April Cyber AB Town Hall, offering practical updates on program health, clarifying rumblings about audits and program survival, sharing concrete assessment progress statistics, and dispelling prevalent misunderstandings about the roles and boundaries of MSPs/ESPs/CSPs in the compliance ecosystem. The hosts emphasize vigilance in responsibility allocation and best practices, while also honoring a community luminary, leaving listeners updated, reassured, and better able to navigate the continually evolving world of CMMC.