What Every MSP Needs to Know About CMMC (feat. Matt Travis, CEO of Cyber AB)
Climbing Mount CMMC | June 25, 2026 | 00:49:29 | 34.02 MB


In this special episode of Climbing Mount CMMC, Bobby and Kaleigh discuss the intricacies of the CMMC ecosystem with Matt Travis, CEO of the Cyber AB. They explore the challenges, opportunities, and future strategies for MSPs, assessors, and small businesses navigating cybersecurity compliance.

32 CFR Final Rule: 2024-22905.pdf

Cyber AB Website: CyberAB > Home

Time Stamps:

00:00-02:14 Introduction

02:15-04:03 What Is the Cyber AB?

04:04-09:27 Surviving the Early CMMC Years

09:28-12:26 CMMC Momentum Is Growing

12:27-16:13 Can the Ecosystem Scale?

16:14-21:47 How the DoD Will Manage Rollout Challenges

21:48-27:50 The MSP Capacity Problem

27:51-33:24 Why MSPs Are Essential to CMMC

33:25-35:43 New Support for MSPs & Contractors

35:44-39:54 Creating a CMMC Body of Knowledge

39:55-44:00 Policing the Ecosystem & Preventing Abuse

44:01-47:40 The Future of CAICO Under ISACA

47:41-49:29 Conclusion

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Bobby got by six. Good job. What is it doing? Look at that. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaleigh Floyd and this is Bobby Guerra and we are your hosts of Climbing Mount CMMC.

[00:00:29] We're part of an MSP called Axiom that's CMMC Level 2 certified and trying to figure out how to do this whole thing, not only for ourselves, but for our clients that need it. And if you're along for the ride, you're welcome to join us. But also we have a special guest, very special guest on today. For those of you who live under a rock and don't know what the Cyber AB is, it's the accreditation body for CMMC. And we are excited to have Matt Travis on. He's the CEO of the Cyber AB. Matt, thank you so much for taking the time and joining us today.

[00:00:59] Kaleigh, thank you for the invitation. It's probably long overdue given the success of the podcast. And that's on my end. So I'm glad we're able to connect. No, we're thrilled to have you. I mean, we saw you at, what was it? CMMC Midwest this year in 2026. And we were like, you know what? If you're free, if you just happen to have about 45 minutes, what if you talk to us about some things? And honestly, Bobby's going to take it over. But I did want to say that our goal today is kind of to get a different perspective on,

[00:01:27] I know that Matt talks about the ecosystem as a whole, as well as where the Cyber AB is involved, which is very important. But we have a little tiny group over here called MSPs, you know, that are under the label of external service providers in CMMC. And there's just some really interesting things happening in the ecosystem. Obviously, it's still in the infancy of it all. And we're figuring this thing out.

[00:01:51] January of 2025 is when CMMC Level 2 assessments were allowed to actually start happening and occurring with C3PAOs. And it's been really crazy to go through this journey as an MSP going through multiple different client assessments and whatnot. And we're just really excited to dive into certain aspects about this today. So yeah, I'm thrilled. Bobby, I'll let you take it over because I know you're eager to steer this. Well, yeah, Matt, let's kind of let you start off because I'm going to be honest here.

[00:02:19] Like when I first was getting into the system, I thought that the Cyber AB was part of the Department of Defense. So can you like maybe sort of very quickly talk about perhaps the inception of the Cyber AB and the difference and then where you guys are in the space just to kind of level set for people, because not everybody may really know that. Right. Absolutely. And in doing so, I'll start off by just reminding everyone, as you point out, we are not part of the Department of Defense.

[00:02:46] We are a nonprofit, independent 501(c)(3) charitable organization. And so on that note, nothing that I say should be construed as representing anything, any policy or positions of the Pentagon or the U.S. government. But we were essentially formed at the encouragement of the Department back in late 2019 when the CMMC initiative was first kind of announced. The Department wanted an accreditation body to be really dedicated just for this program.

[00:03:15] There are other accreditation bodies out there. In the United States, we kind of do it differently. Not surprisingly, our accreditation bodies are largely in the private sector, whereas around the world, usually the accreditation bodies are within the government itself. And given all the things that the Department wanted the CMMC accreditation body to do, not just to accredit, but to kind of build an ecosystem, administer it, police it, to run a marketplace, the existing accreditation bodies recognized, well, that's not really what we do.

[00:03:44] And so the AB was really formed by an original board of directors who volunteered. They came from the defense sector, from cybersecurity, from CMMI, and really formed the organization. But from the onset, it was always intended and designed not to be part of the Pentagon, but to be an independent nonprofit. Given that perspective, what are some challenges you think that you see, that you're glad are in your rearview mirror, right? And what are some that you see before you?

[00:04:13] Well, I think if we're honest with ourselves, those early board of directors before I showed up, I'm not sure they all understood what an accreditation body does, because they came from the defense sector or the cyber sector or the audit community. And we, at our core, exist to really do three things as it relates to CMMC. To ensure that every Level 2 certification assessment is done competently, that the C3PAOs know what they're doing.

[00:04:39] They're using certified assessors and CCPs that have been certified by the C3PAO, that they are conducting these assessments consistently, that they're following similar procedures, and that if you're a small business in Texas, that you are getting essentially the same type of assessment procedurally, as well as the rules, that Lockheed Martin or Boeing would be getting somewhere else in the country. And then, perhaps most importantly, that these certification assessments are done impartially,

[00:05:09] that there is no inside game. There's no cutting corners. Any conflicts of interest are disclosed, identified, and either mitigated or avoided, depending on the nature of those. And those are really the three pillars: competency, consistency, and impartiality. So, making everyone aware of what we do is an initial challenge, right? Because we can't help train and we can't help give tax credits or grants to small businesses who are trying to conform to this CMMC standard. So, I think understanding what we were chartered to do is a first challenge.

[00:05:39] And then, I think early on in the AB's history, we didn't appreciate the role that we played. And so, kind of policing ourselves, making sure that when we're speaking in public, that we're not endorsing products or services, that we ourselves are being impartial, that we're disclosing things. So, there was, you know, one of the challenges we had is that the contract with the Pentagon is a no-cost contract. And so, the Cyber AB has never received a dollar of contract money, of taxpayer money, any, no government revenue at all.

[00:06:07] We generate our operating revenue from the fees that are attached to some of the economic activity that goes on in CMMC. And since, as you both know very well, there were a lot of fits and starts to the program early on after the AB was formed, when essentially in April of 2021, when the new Biden administration came in, they decided to hit pause to take a six-month, you know, strategic review of CMMC. And that really killed all of the burgeoning activity that was starting.

[00:06:34] So, we had a tough time navigating our own resilience to existence. There wasn't much going on. I'm glad you brought that up because that's been something that's always been, I don't know, maybe an inquiring mind kind of wants to know about that. I'm a provisional instructor trying to get my CCI, filled out the forms, and we'll see how that goes. But when we go to teach the material, one of the things that I always explain is that the Cyber AB, when it was starting off, was making revenue, I guess, predominantly from the RP

[00:07:03] and RPO programs initially because assessments weren't really happening. And so, since you're not getting any money from the government, I mean, most organizations, because the DIB is so large, they just assumed the Cyber AB is this massive organization that had, you know, tons and tons of members. I'm like, actually, no, it's actually very small. And here's sort of the reason why. How tough was it financially for you guys starting off during that time frame? Yeah, there were some tough times, some, using naval analogies, some

[00:07:30] rough seas or, you know, whatever metaphor you want to use. And it was, I think, the biggest reckoning was when we knew that the changes the Biden administration wanted to make to the program were going to result in another round of rulemaking. But when we learned how long rulemaking was going to take, we initially thought it would be a year and then it was clear it was going to take three years and it ended up being about three and a half years. That was when we had to really figure out how we're going to survive. And, you know, we've obviously been operating on a skeleton staff up until recently.

[00:08:00] And so keeping that team intact and finding ways. And you were absolutely right, Bobby, it was the practitioner program, the RPs, RPOs, that kept the lights on because they knew that there was still, there was the main one that could actually work. Right. Because there were defense contractors who were paying attention, recognizing that, OK, even though this thing is paused and going through rulemaking, I've heard enough of the defense officials talk about this. I've seen the requirements in the NDAA on Capitol Hill. So I know this is, this is something that is going to have to happen. NIST 800-171 Rev 2 is the standard.

[00:08:30] I might as well start getting ready. And so some of the RPs, actually, and some of the candidate C3PAOs kind of turned to consulting because they, too, had a challenge. And how can they invest in becoming part of this CMMC program? How are they going to withstand and endure this long, protracted rulemaking process? Yeah. And then on the instructor side, and you live this, right, the classes were being filled because if you're a CCA candidate, it's a non-trivial investment to pay for the CCP course and then

[00:08:58] pay for the exam and all the time you put into studying for it. And then you've got to do the same thing at the CCA level. And then you can't monetize that credential, other than some joint surveillance program we had with DIBCAC. We did some pilot stuff to try to get people some experience. Long-winded way of saying those were some heady times. I'm glad they're behind us. But yeah. Are you seeing a good trend now? Are you guys happy with the trajectory financially? I mean, because obviously the Cyber AB is critical to the infrastructure.

[00:09:26] Are you guys happy with the decision? We are hiring now. I just hired a chief operating officer. We've just made an offer out to a compliance officer whose full-time job will be to police the ecosystem as well as doing some of our own internal compliance requirements. We'll be hiring communications. We don't communicate very well, whether it's our website, social media. There's a lot of improvement to be done there.

[00:09:50] So now that the operations of CMMC are underway, we've got C3PAOs, over 105 active in the marketplace. From everything I'm hearing from them, when they talk to us on a weekly basis, they are busy. And even though Level 2 requirements aren't yet requirements, the Department certainly reserved the right to start putting some of those in contracts. And we're seeing that. But even without that, just the fact that the rulemaking is over, I think, spurred a lot of activity.

[00:10:19] So I am pleased. We're seeing a good uptick across all parts of the ecosystem. And I suspect that that will continue. Yeah, we grew 70% last year. I mean, it is just been a hockey stick, like, you know, but, you know, I got my CCP 2022. The test hadn't even come out yet, you know, so, you know, everybody, I think, that started CMMC in the early days, like they have their kind of, you know, I went uphill in a snowstorm both ways to school kind of story that they talk about.

[00:10:48] It's because it's such a burgeoning industry. And it still is, you know, it's still finding its sea legs in a lot of areas. But a lot of positive signs, a lot of things that are indicating that we are trending in the right way. Let's talk a little bit about the ecosystem as it's starting to continue on its transition. In 32 CFR, they have several tables, and I want to highlight one of them I'll share in just a second.

[00:11:16] But it sort of talks about the SMB space and managed service providers, like, typically that's our focus. Most MSPs are focusing in the SMB space. And I don't know, maybe you might agree with this percentage, but it seems like small businesses account for, like, 70% of the DIB space. Would you – does that sound reasonable to you? It seems like that way with the numbers that I'm seeing here as well.

[00:11:40] You know, informally over the years, those are the kind of numbers you always hear, that, you know, 85% of the nation's critical infrastructure resides in the private sector. And about 70% of the DIB is small and medium-sized businesses. But I don't have any empirical data other than kind of what some of the NDIAs and other trade associations publish. But clearly, having been a defense contractor of my own, a small business, you know, I think that sounds right, given most of the companies you interact with are small.

[00:12:08] And then some of all of you eventually are working for larger primes. But it's a huge part of the DIB. And I think when you talk about CMMC, I'm sure we'll get to it, some of the challenges of the program is making sure we're not chasing out those small companies who find the requirements or the cost of the requirements too much to handle. Yeah, so let me share the screen here. So this table 5 in the 32 CFR final rule, in here it has the estimated number of entities by type.

[00:12:35] And this table 5 that we have, which I guess is on page 83176, that's great. But in this one, it talks about the small businesses and other than small businesses. It's saying in this, their estimate is 163,000, almost 164,000 organizations they're considering in the small. They're going to have to either get level 1, level 2, level 3, right? What's the challenge with that number and how accurate do we feel that that is?

[00:13:03] You know, certainly the Pentagon, through all of its Defense Contract Management Agency. And I think a lot of those numbers came from contracts, right? And I think they weren't taking a roll call of companies, but rather looking at all the contracts and the known or estimated number of subcontractors supporting those contracts. And so I frankly think the number is probably larger than what you see there. And of course, at the AB, we're really looking just at Level 2 certification, not to dismiss Level 1 or Level 3.

[00:13:31] And so that total, you know, 76 and change. Generally, we talk about Level 2 C3PAO assessments, you know, 80 to 110 is kind of the range that I hear about. Regardless, it's a big number, as you rightfully point out. And so obviously, one of the questions we get asked all the time is, you know, can the ecosystem scale to the sufficient level to meet the demand signal of that Level 2 certification assessment?

[00:13:59] And I'm confident when we get to the end of the three-year implementation period, we will be there or close to being there. Okay. But there's still a lot of variables on that, right? One, that there's no dramatic changes to the program. Or if any changes, that they would encourage more participation of assessors and instructors and C3PAOs, not fewer. And that, you know, economic factors and, you know, world events drive a lot sometimes of how many companies are in the DIB.

[00:14:27] But I think as just a starting point in terms of understanding the community that needs to be served by the CMMC ecosystem, you know, that's certainly a big number. But one that I think, what's nice about the way CMMC was designed, I mean, if you were to tell me that a bunch of government inspectors have to service them, well, then that's a huge lift of trying to – but there's an economic incentive for C3PAOs and individual assessors to be part of CMMC, right? This is – the whole premise of the program was to take advantage of those supply and demand dynamics

[00:14:55] and that there is a very strong demand signal there. And we expect the private sector to respond by providing sufficient supply over the course of the next three years. Yeah, and I want to focus in more on that. You're bringing up so many good points. I really want to talk about this because I don't feel like we've had sometimes as many pointed conversations around this. One of the challenges that we have with that number – correct me if I'm wrong – is that it's traditionally looked at from the DOD's perspective of the primes

[00:15:24] and not necessarily all the subs that are going to be down there, because a lot of these contracts could have multiples of subs, of subs, of subs, of subs. And as 170 – as 252.204-7012 has, those flow-downs go all the way down. It's flow down all the way, baby. Like there's no limit to how far it goes. So it can keep flowing that down. And those all would then be subjected to the contractual.

[00:15:49] I mean I would think it would be reasonable to assume that number could easily be double that you could see when you have like the smaller sub organizations that are maybe 10, 20, that are just doing parts and pieces of things. No one knows for sure exactly what that number is going to be. But it's going to be definitely, in my opinion, larger than the 163,000 that it has listed there.

[00:16:13] And I think, Bobby, that's why you see the Department bifurcated Level 2 because – not speaking for them, but my interpretation of that is they wanted a couple dials that they could adjust depending on how quickly and how well the ecosystem was scaling. So as we get into Level 2 entering into contracts, if there's a sense that there's a backlog and a lot of Level 2 companies are having to wait six to nine months to get C3PAO availability,

[00:16:41] well, then they can put more self-assessment requirements in contracts, right? So they're not going to be flooding the procurement lanes with Level 2 C3PAO requirements if they know that there's a bit of a bow wave of backlog. So I think that's one tool that the Department has now, as GA reported out. Well, if the whole goal is to get Level 2 certified, that doesn't necessarily help in terms of protecting CUI.

[00:17:08] But I think we all recognize that this is a very ambitious conformity assessment initiative. And I credit certainly the PMO and the DIBCAC recognizing that this can't be done overnight. We have an implementation plan that's going to be three years in the making. We all need to be patient. We need to make sure that we're keeping track of the growth. And if all of a sudden we find ourselves off pace, then we'll need to revisit how we incentivize better, more participation for assessors and C3PAOs.

[00:17:33] But I'm feeling okay where we are right now, but I'll, you know, every month, every week, frankly. But we're looking at those numbers very closely in terms of how we're scaling. Yeah, I'm so glad you brought that up because it really does kind of talk about how the system's ramping up. And I don't know if I feel like I've gotten a good piece in how those levers and dials are going to be used effectively come November as we go into the second phase of that approach.

[00:18:00] Which the way it could be interpreted is it could be more aggressive or it could be, like you were saying, more realistic to – I mean, because it comes down to, you know, you're going to need missiles and tubes, right? You're going to need technology in the sky. You're going to need jets flying and doing things. And compliance is great, but if you don't have those things, we're kind of screwed. So there's a balance there that has to happen.

[00:18:25] And I just don't know if I feel like I've gotten clarity about what is their strategy and how aggressive are they going to be about keeping their finger on the pulse around that? Have they given you guys any indication about that? No, I wouldn't expect them to at this point. I mean, one of the aspects of our great democracy is that sometimes we have new administrations come in every four years.

[00:18:48] And so when that happens, you get new leadership that wants to take stock of the programs, whether it's CMMC or something else, and then figure out, OK, how do we improve it? How do we adjust it or otherwise? And certainly the new CIO, Ms. Davies, who was sworn in just for Christmas and is still kind of assessing her portfolio. I know is obviously getting briefings from the PMO about scale.

[00:19:10] And that balance that you've talked about, Bobby, is that the priority is making sure the warfighters have what they need and that the information and the CUI that went into building the tools and the systems and the services that enable their success are protected. And it's that constant, it's that balance. There's always a balance between security and productivity or efficiency. And I think current leadership is looking at what's the right balance.

[00:19:40] Because if all the CUI is protected, but we're driving companies out of the DIB because either it's too expensive or they can't get in line to get a C3PAO assessment, they decide, heck with it, I'll go and build widgets for somebody else. That's not great. But the opposite is not great either. That if we're not protecting CUI, those warfighters are potentially using compromised systems where adversaries either have reverse engineered it to fight against us,

[00:20:07] sabotage it or develop countermeasures based on that CUI that they have exfiltrated. So it's a balance. And I think another tool in the toolbox, again, not to speak for the department, there are waivers, right? And so if it turns out that, you know, we just don't have the ecosystem scale where we'd like it to, you know, certainly the department has reserved the right at their discretion to waive requirements. And I have no insight into how or when that would be used. I just know that the department has anticipated they're going to have to see what, you know,

[00:20:37] see how this evolves and what speed it is evolving. And that'll drive some of the decisions they make, I suspect. Yeah, and I think that would provide such, I think, more calm and peace about how things are going to be as we slide into November and the beginning of next year, how that's going to go. Bobby loves calm and peace. But again, remember, we came from the MSP space. We are not familiar with how the DOD runs always. And I think that Bobby wants a handwritten letter. That would be great. Certified would be great. Yeah.

[00:21:07] They're all legitimate questions, Kaleigh. And the thing when others, like, you know, have asked me questions like Bobby has, sometimes my response is, well, right now, is there any trouble in getting a C3PAO assessment on the books? And there's not, right? 105. Now, some dance cards are booked well until Thanksgiving. Others are not. So if you're a company right now that says, hey, I want to get Level 2 certified at the end of June, you can do that.

[00:21:33] Now, when we get to the point where I can't say that, that's when I start, you know, I'll be getting more nervous about are we scaling at the right rate or the necessary rate. But until now, it's certainly a legitimate question to ask, but it's not a problem right now. I think that Bobby is probably going to talk about this next. But we kind of challenged you with this question about the bottleneck of potentially right now.

[00:21:57] And so, you know, we've heard a lot of people have different perspectives on what they see a potential bottleneck for the ecosystem being right now. And I know you've talked about multiple times. Sometimes it's wonderful the amount of CCAs that are out there, but we always need more of those, you know, and lead CCAs that are able to step up to the plate and do assessments with C3PAOs and be able to do that.

[00:22:22] And we, I know we talked about this when we were preparing for the podcast episode, but something that we're challenged with is, you know, implementers like us. How many of, we look around and we're like, how many of us are there, right? How many people are also doing this? I know we have a few names that people are familiar with, like Summit 7, Sentinel Blue, you know, M&S Group. We have some friends out there that we talk to, but we're wondering like, okay, how many of us are there

[00:22:51] and how many companies can they get through to help the ecosystem prepare? So, Bobby, I know you were going to talk about that too. Yeah, let's, I'm going to share the screen again to make sure on the final rule, it's page 83177. And in here, this table denotes the number of entities in this period are for the small entities. The very top one in table six is small entities. Small entities, right?

[00:23:19] So if we look at this, level two certifications in the first year, they're estimating about 382. And then in year two in the phase two is 1900. And then year three is 6,000. And then year four is 12,000. And it just sort of planes out at the 12K mark that you, that we see that they're thinking. But one of the things that I've just kind of looked at, Matt, and I just want to mention to you and get your perspective on it,

[00:23:45] is when you look at the MSP collective, right, that tracks level two certified MSPs like us, I think that would be the first gauge of organizations that have the best chance of understanding what it takes to get an organization ready. And there's about, I went through and counted it before the podcast. I think it's just at 40. So they have about 40 people. And that's external service providers, to be clear. So not all external service providers are managed service providers, right?

[00:24:14] It includes a couple different types of companies. Yeah, like in that list that they have, some might just be MSPs where they're just doing the tech, like the security piece of SIEM monitoring and other components. So not all of those 40 are going to be like, hey, if you come to me, I can take you from start to finish and solve all of your woes when it comes to CMMC. So let's just say that those 40 are there and let's just double it. So now we have like 80 of other people out in the space that are involved in it.

[00:24:41] What I'm finding is, as I've had conversations with other MSPs, around 10 to 20 is what they can handle in a year because they're smaller right now. We're starting to ramp up. Now, Summit did like, what, 100? They're coming up on 200. I mean, not everybody scales like that. But when you look at that and you think to yourself, let's just do it on the low end. You know, so let's say 80. That's only 800 organizations roughly that you can start moving through if they come.

[00:25:10] Because I think there's a lot of organizations right now. This is my opinion. I really want to get your opinion about this too. I think as we were coming into the launch of CMMC, there was a lot of companies that have been like, let's go, let's go, let's go. And then we flush those out. And now it's the organizations that are sort of playing chicken, trying to determine when they want to go for it or not. But then it comes down to, I still think, even if everybody that wanted to start to move through,

[00:25:39] I feel like there's enough C3PAOs and CCAs that could handle a lot of that. I think the biggest problem is going to be companies like us that are going to be the people that help them get implemented. Because if you think about it, 70% of the organizations are SMBs that are going to need people like us. I just don't know if there's enough of us to get it done. And if you look at just very, very lazy math here, 800 is not going to get you where you need to be, assuming that MSPs are the ones that are in town doing it.

[00:26:09] And that's not the case. We obviously know that's not. There's RPOs and other people that are doing it that would not fall under that category that could help pour into filling that gap. But still, you can see that gap could be pretty significant that can start to happen of implementers of these organizations. What do you think about that?

[00:26:28] Well, you kind of touched on a distinction that I make, which is there are implementers to help OSCs meet the standard and prepare for their certification assessment. And then there are entities like yours that actually help OSCs run their networks. And so for you, and you mentioned the RPOs. We have 410 registered practitioner organizations. You know, training's outdated. The quality varies among those greatly.

[00:26:57] That's a problem that we, unfortunately, have been well aware of. And now with resources we're starting to do something about it. But they exist because what the Department asked us to do with the RPO program was, we don't want, especially small businesses in the DIB, to be susceptible to snake oil salesmen who don't know anything about CMMC, offer to help them, and then don't know what they're talking about. So all the RPOs, we do a background check. They have to have at least one person take some modest training, pass a modest exam.

[00:27:23] And ostensibly, they are following the program, attending the town halls and all of that. But not all of them are MSPs. So I think in terms of, is there enough help out there to help you understand what the requirements are and to start implementing? I think there's, you know, again, we have 400 companies that could help do that. But I don't think the Department recognized how many companies within the DIB, you know, rely on MSPs to run their networks. It's going to be very few that have their own tech stack that they manage themselves.

[00:27:49] And I think, I know we'll get into this, but the MSP function was something that I think was very much underappreciated, underestimated as CMMC was being formed. It always struck me that you could read NIST 800-171 and never see the term managed service provider. You don't see that in any of the DoD assessment guides, scoping guides. It wasn't until we saw 32 CFR where we got the external service provider.

[00:28:17] We can talk about whether, you know, how helpful that is or not. But it is one of those, and I think some of it was just how quickly technology evolved in the economic model where MSPs were relied upon overwhelmingly for a lot of companies, even outside the DIB. When I was at CISA, we saw MSPs being the targets of cyber threat actors. I mean, the MSPs were the primary target because of what they do and the data that they had access to.

[00:28:43] And so I think CMMC has been catching up to that realization that you can't solve the problem of protecting CUI if you're not fully and coherently incorporating the role of the MSP. And then to your point, Bobby, is the volume of MSPs there to support those numbers that you cited in terms of who are going to need implementation or sustainment help to maintain their networks? Yeah. And again, I would come back to, one, it's a great opportunity for MSPs.

[00:29:12] And I would hope that that would encourage more businesses to get into this sector. It surprised me we saw a pretty prominent MSP kind of incur some trouble here a couple of weeks ago and ended up kind of liquidating and being sold off to two different other companies. So I haven't done the forensics there, but I would think it's a pretty rich market for MSPs. That doesn't mean that the demand signal will be satisfied. But I always look at, are there enough people to help companies prepare for CMMC? I feel pretty good about that.

[00:29:42] Are there enough companies to help defense contractors run their networks and actually maintain requirements to the standard? That's a different question. Right. I was thinking about this, too. I'm glad that you brought up RPOs of helping people get ready, too, because I feel like there's a different type of getting ready for CMMC than MSP, that a managed service provider has to do. I might be a bit biased on that because that's where we came from.

[00:30:09] And the tool stack that's included, the way that we service our clients, there's so many intricate spider webs that are intertwined that even if you get, let's say, which I talk to many contractors, small businesses on a day-to-day basis that have, you know, an MSP that is not in the CMMC space but is willing to help them out. And they try to bring somebody in, let's say, like an RP or RPO company.

[00:30:36] And, you know, those types of organizations still, even with the help that they can provide for a CMMC basis, there's a different type of level of understanding that needs to happen for that MSP. You know, it's talking a different language that not all RPOs can do, you know, because it is more technical and there are things that are intertwined.

[00:30:59] And then, you know, you layer on top of that, a lot of the conversations I have with C3PAOs, the problem that they have in phase one is the MSP. The MSP is not ready. And so, you know, you hear those two things and you're like, okay. So it sounds like, though, that, you know, that the clients or the contractors that are wanting this Level 2 are getting ready, but then they're having to drag sometimes their MSP behind them if they don't know what to do, you know?

[00:31:27] And so you're seeing this weird, like, seesaw effect of, like, we're trying to lift them up, but then here comes the boulder of the MSP bringing them down, you know? Well, Kaleigh, that's a great point that I think some MSPs who may not be as tied into the DIB, maybe have 10 or 20 percent of their clientele in the sector, when they realize what's required of them, they don't want to be dragged into it. They're like, wait a minute, I don't know if I'm signing up for all this. And that leaves those defense contractors in the lurch.

[00:31:54] And to Bobby's point, maybe there are actually fewer MSPs available because not all those MSPs necessarily have kind of embraced, you know, their role of the CMMC program. Yes. Yeah, we, I just did very, very rough math so no one come at me at the accuracy because I'm very out in the open with the inaccuracy of what I'm about to say. So, but I would estimate that we're going to need a few thousand MSPs to step in the space and really understand it.

[00:32:20] And right now, we ain't anywhere close to that, that's not great English, but, you know. Yeah, yeah, ain't, you know. So, it's like we're, we are, if it is true that MSPs are that critical to the SMB market, and I think it is in my heart, I feel like it really is. I think we, MSPs play a critical role in the MSP space, in the DIB space. And a lot of that's being filled with MSPs.

[00:32:49] We get contacted daily by companies that are like, hey, our MSP just doesn't get it. But what are some things that the Cyber AB can do to help around that, to try to help? Because I get contacted all the time. Hey, Bobby, how are you guys doing this? You know, and it's like, I can't just stop what I'm doing to like, okay, I'm going to have a, you know, six hour confab with this company. And then the same thing again with this other company. That's part of the reason why we have this podcast is to try to get the word out, to try to help say, hey, we need you as an MSP.

[00:33:16] But, you know, I can't, and just a few of the other MSPs that have really started to focus on this is their goal. They can't do it. But does the Cyber AB have some offerings that can help in that area? Not quite yet. So as we, as the program evolves, our appreciation for what, you know, the entity, the Cyber AB, that is privileged to sit in the position we're sitting in, you know, where our help might be needed.

[00:33:46] And one of the things that we've had to, you know, better understand is we have ISO requirements over ourselves, right? So CMMC early on was determined to be an ISO conforming program. So the CAICO has to be accredited under the ISO 17024 standard. C3PAOs are accredited under the ISO 17020 standard. We have to be recognized under the ISO 17011 standard, which is the standard for accreditation bodies.

[00:34:11] And accreditation bodies aren't supposed to be out there providing advice and guidance and assistance to small businesses. So in order to insulate that accreditation function, which is the primary reason we exist, we recently announced the creation of the Cyber Engagement Forum or the Cyber EF. And that is what we are going to be really empowering and resourcing to get out there and not only spread the good news of the CMMC gospel,

[00:34:37] but to try to provide more assistance, more help, especially not just for small businesses, but for MSPs. Because as I said, I think they are kind of an underserved part of the CMMC equation. And it's not something that the AB proper can do for ISO, you know, impartiality reasons and proprietary reasons. But the Cyber EF was really formed, among other things, to do that, to build a marketplace where MSPs that meet certain requirements can be listed,

[00:35:02] where MSPs' customer responsibility matrices could be validated. So there's some pilot programs within the Pentagon that I think will be kind of transferred to us in terms of helping MSPs to be able to have better confidence about where they sit and that they don't have to, you know, repeat the same process over and over again because we've got different clients who have different C3PAOs assessing them.

[00:35:28] Right. So we're trying to figure out how do we reduce that burden and still have the trust and confidence that if an MSP is really an integral part of that, of that running that network, that we're not disincentivizing MSPs from being a part of the CMMC equation. I'm so glad you brought that up because one of the challenges that we've run into is as an MSP, and we ran into it like we got hit with a 2x4 across the forehead with this one.

[00:35:57] Kaleigh's laughing her butt off right now. Like when we were coming in for a landing to just for our Level 2, 32 CFR hadn't come out. We weren't 100% sure how security protection data was going to be handled. So we had to play it safe. And a lot of times when we're working with our clients, we have to play it more safe about, let's just take MFA for example.

[00:36:21] Some organizations feel that Hello for Business, you know, doing the little pin with Hello for Business is acceptable for MFA. Some assessors feel that way. Some assessors are like, heck to the no. That's not acceptable either. You need to go with something like Duo. And the problem for us is we've got to navigate our clients through those waters. And if they didn't have to use Duo, it would be cheaper for them.

[00:36:45] But we also, if we went with like, say, let's just go with Windows Hello for Business and they pick a C3PAO that does not agree with that perspective, they just failed the assessment and I would have to object. And now it's costly again. So it's like this juxtaposition, this problem that we find ourselves in. And is that new program going to help with defining those types of things so that organizations like us can feel more comfortable about saying,

[00:37:11] well, in the body it says that Hello for Business is acceptable. Is that where that's going to kind of go to where we can start having almost like a case law that we can kind of sort of go back to to kind of say, see, this was acceptable. Is that how that's going to possibly be? It is, Bob. We call it the CMMC body of knowledge, or BoK. And that's something that the Cyber EF will kind of bring to life and maintain and curate.

[00:37:40] The process by which what goes in there and how is that validated? I think it'll be a combination between the AB and our equities in terms of accreditation consistency. The DoD, you know, both the PMO and the DIBCAC who have equities in these types of questions. And even other groups like the MSP Collective, the CMMC Industry Standards Council, other groups out there that are, you know, mostly, you know, not private companies,

[00:38:08] but, you know, the groups that have formed. We've got a C3PAO Advisory Council and coming up a way where if we're putting, because your point is spot on, you look at this 171, we have 210 things you got to, you know, 110 security requirements, but 320 things you got to do or things that are going to be looked at. There's more than one way to skin a cat. But how many ways are there to skin a cat? How many legitimate ways are there to skin a cat? How do I find that? Yeah. And that's what's missing.

[00:38:37] And that's, I think, again, what I think a year into it now of Level 2 certifications being conducted, we realize that we can't just rely on 32 CFR and the 800-171 and the CAP. We need a place that is more, not a living document, but a kind of a contemporaneous source of that truth, but, you know, best practice, accepted practice. And enough C3PAOs say, yep, I think that meets requirements. And the DIBCAC agrees. Well, then we'll put it in there.

[00:39:07] You know, that's exciting. That is so exciting. So we're working towards that actively. I don't have a timeframe for you, but very encouraging meetings with DoD in May. And we are driving towards that. So one of the main goals, just to shift gears here, of the Cyber AB is to protect the ecosystem. And it can be challenging for organizations that are like, look, our goal is to try to help save these companies money.

[00:39:32] And they're going to try to pick options and do things, but they may not be in line with those. And it might be from good spirits or perspective that they go to do that. So I could see where it could be very challenging for the Cyber AB to kind of regulate and work with MSPs, C3PAOs that aren't handling things correctly. Can you talk to how you guys have stepped into the space?

[00:39:57] Maybe use some examples of how you guys have had to do that, what your plans are around to continue to do it? Because I think as organizations go to step into this space, they want to know that if they're doing it right and it's going to cost them more, that they're not going to get undersold and undercut by someone else who does not have the same ethics that they have in their approach. What wanted posters have you put up?

[00:40:22] Well, you know, we're close to that because we came across just last week a bogus Level 2 certificate that a non-C3PAO generated. Taking a valid UID from another C3PAO and some poor DIB company was snookered into. I won't get into that. So that might be the first wanted poster. That's a relatively new case we're working on. It's a terribly important question, Bobby. It's, again, why we exist with those three pillars or two of the three.

[00:40:52] And I would say I would answer initially that way. There are two types of infractions that we have the authorities to police as well as adjudicate. So we're the detective and the judge and jury in a lot of this. Some of those are technical infractions, right? So to make sure that if a C3PAO is allowing certain approaches or technologies or services, making sure that they, in fact, meet the security requirements of the NIST standard.

[00:41:21] And to your point, companies want to find, MSP is going to want to find efficiencies, the OSC. So we have to be ready to evolve as people come up with innovative ways to meet requirements. And then there is the ethics piece. Are people cutting corners in terms of what they know is either the letter or spirit of the rule? Now, in some cases, you know, it's like, you know, you pour water. Water is always going to find the quickest path to freedom. Yeah.

[00:41:49] So I think C3PAOs, now that it's game on and, you know, there are business competition pressures there that, you know, some OSCs are putting in bake-offs. You know, who can do it, you know, for the cheapest? And C3PAOs are like, well, if I had to bid this, how am I going to do it for that, right? That's what we really have to look closely at.

[00:42:10] We can't have, certainly can't have certificate mills, but we also need to make sure that MSPs aren't getting too chummy with C3PAOs, where there's, you know, they could certainly, a C3PAO who is not allowed to help implement or prepare, but they want to certify that defense contractor, but they can refer them to an MSP or an RPO who could help them. And there's a difference between referring and endorsing, right?

[00:42:35] So we're on the lookout for joint marketing, endorsements, you know, a little too close for comfort. C3PAOs need to keep their distance from MSPs, RPOs, MSSPs, CSPs, if they intend to certify the clients of those entities, right? If they don't, then that's what they should be doing, right? Identifying potential conflicts, then mitigating or avoiding, depending on what's going on.

[00:43:00] I think nothing will undermine, I'll just finish, I think nothing will undermine the legitimacy of the program quicker if we don't do our job well in this area. Yeah. How could people report that to you? complaints@cyberab.org, as simple as that. We can maintain your anonymity. And even if you don't have hard evidence, if you have concerns, you know, we can, we've got some wide authorities. These are administrative authorities, right? We don't, we don't have the power of the government behind us.

[00:43:28] And we can only take action against those that are in the ecosystem, right? So if there is a company that's not an RPO, an RP, or an instructor, an assessor, C3PAO, that we can, we will contact them. We will, whether it's irresponsible marketing or something. But clearly those who are under our authorities, we have everything from a kind verbal reminder, you shouldn't do that, to a written, you know, letter of instruction, letter of reprimand.

[00:43:56] Ultimately, suspending or completely removing their credentials and they're out of the program. Yeah. I know we're getting to the very end, but I did want to ask just one quick thing before we close today, which is something that has happened more recently. And I just wanted to get just a short, you know, story or perspective from you on the CAICO and what has occurred in the ecosystem recently and what CCPs and CCAs can look forward to in the future. Just because I know, again, this is such an important part.

[00:44:24] I mean, I cannot stress enough. I encourage people to take the CCP course like it is breath that I breathe. You know, I just went through it and passed my CCP. And it was really eye-opening to go through. So I greatly encourage anybody that I'm talking to to go through this. But if you want to give just a brief description of, because I know ISACA just recently took over and is going to be running things as well. So did you want to share just a little bit about that for people that are going into the ecosystem right now before we close?

[00:44:55] Absolutely, Kaleigh. And I'll go back. We started the discussion about some of the history. I'll go back to that history because initially, you know, when this was all started, the Pentagon wanted the AB to do everything, to do the accreditation and to train and certify the assessors and the CCPs. And then once they realized, well, we really should put this under ISO. Okay, well, now we can't have the AB do everything. And so the plan was always to find a good home for the CAICO.

[00:45:22] But back in 2021, when the program was paused for six months, that went into three years of rulemaking. There was really no takers until the program actually was modified. Somebody wasn't signing up for that yet. Yeah, but we had, you know, we had conversations with ISACA, you know, along the way. And, you know, we knew that given all the kind of challenges we were facing financially, that once the rulemaking was finished, we would not be in a position to resource the CAICO appropriately.

[00:45:51] Because you think about it, CMMC is a global program. We've got to start creating exams in foreign languages. Right. And then that has to be done under the ISO 17024. You can't just do a translation. You've got to go back through the accreditation process. And that's an expense. And we didn't have the international network. I mean, we didn't have an explicit responsibility to recruit assessors. But it was certainly in our and everyone else's interest, as you rightly point out, Bobby, that there be more assessors. Yeah.

[00:46:18] And so having a global reach, having established credibility as a personnel certification entity in the IT and cybersecurity space was big. And so to us, it was, or to me, I should say, it was a no-brainer. Thankfully, my board saw that as well. And they're going to make some changes. And so I know some of the changes have gotten people's attention or maybe don't sit well with them. But they certainly have the best interest of the program for the long term.

[00:46:46] And I'm excited that they're part of the CMMC community. Is ISACA going to be the only organization that can create material? Or can, because you have the LPPs that could create their own content and had to go through the CAICO and then it went through the DoD. Can that, is that still allowed to happen, or is it only going to be the CAICO that can create? That's being phased out. So one of the things early on, that model of decentralized publishing sounded great.

[00:47:11] Have licensed publishing partners create their material and then have it kind of QA'd at the AB and PMO level. But that really runs against 17024. You want consistency in training materials that go to professional examinations. So they're phasing out the publishing partners. They've all been informed. And starting later this year, it'll be ISACA, the CAICO, that will be the only generator of CMMC authorized training material. Got it.

[00:47:41] Okay. Well, I could truly just keep asking you questions, but I know you actually have a job to do. That's sort of why we also have you here. So we do encourage you to keep doing that job, you know, because I don't know what would happen if you didn't. But I do want to say thank you. Thank you so much for taking the time to be on a little itty bitty podcast episode like us. It's been wonderful having you. So thank you so much.

[00:48:09] Love to have you back at the appropriate time because this program is moving. Things are going to be changing in terms of a lot of things we've talked about. And especially once we have something more tangible in terms of helping the MSP community, finding an appropriate place in the marketplace so they can be more visible. The ones that, you know, that are invested in CMMC. I'd be excited to talk about that. Yeah. Bring Mike Snide along with me. That'd be great. I hope I'm invited back in the months to come. Open mic for you. You and Mike. Yeah, absolutely. Yes. We would love that. Yeah.

[00:48:39] Well, guys, I hope you enjoyed today's episode since we cornered Matt Travis for you all in this little itty bitty corner of the CMMC space. Stay tuned. Again, every Thursday we post another episode. So follow us and keep track of what we're doing. And also make sure to stay tuned for, you know, Cyber AB's website has amazing material and also all of the things that you need to know about the ecosystem, what you need to look at, resources there.

[00:49:06] So stay tuned on their podcast. They post the town halls on there too, which are great. Thank you. Yes. Please plug the town halls. What I'll do is I'll link that down below too so they can check that out easily as well as the website itself. And yeah, we hope you guys enjoyed today's episode. But as always, guys, continue to keep on climbing. We'll see you. Bye. Bye.