October 3, 2025 33 mins

The September 2025 Cyber AB Town Hall dropped big updates for contractors navigating CMMC and NIST 800-171 compliance. 

In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down what the final CMMC rule (Title 48A) means for defense contractors, subcontractors, and service providers.

We cover the timeline for implementation, prime and subcontractor flow-down requirements, service provider risks (MSPs, CSPs, ESPs), and how a government shutdown could affect CMMC. You’ll also hear insights on ongoing compliance, documentation, FedRAMP requirements, advisory councils, and what primes will expect from their supply chains.

Whether you’re a compliance officer, program manager, or DoD subcontractor, this episode gives you clear, actionable takeaways so you can prepare before deadlines hit.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Austin (00:21):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so.

(00:44):
Let's dive into today's episode and keep your business on track. Today, we're unpacking the big headlines from Cyber AB's September 2025 Town Hall. From the final rule to the service provider risks, new compliance requirements, and what it means for primes and subs, this session has a lot of takeaways. Let's start with a big one.

(01:05):
The final Title 48A rule is now published. What does that even mean? It means that that 48 CFR that we've been talking about, that puts CMMC in place on contracts, has been published. It was published on September 10th, and they gave it a 60-day period until it goes into effect. So on November 10th, this goes into effect. And now there's four phases.

(01:25):
The first phase goes into effect on November 10th. The next phase, phase two, goes into effect on November 10th, 2026. This first phase is largely what you're doing right now, except that there's some more teeth in it, and there's also a definite timeline that you have to be compliant. It also means that there's a definite timeline on the prime contractors.

(01:45):
And so the prime contractors very well may be, how should I say it, more and more pushy, I guess, trying to get their subcontractors to be level two certified, and may at some point require it before the federal government actually does. So level two certification won't actually be required on a contract technically until November 10th, 2026.

(02:06):
But with primes, it very likely is gonna be sooner for their subs. That's the big news for the 48 CFR. I also heard there was some confusion on when certification is needed, proposal versus award. It's gonna be needed at award. And they'll check on that at award and make sure that you have your certification.

(02:27):
The other thing is they've specified you need to have your CAGE codes right and all that, but there's another piece in there that's associated with it in SAM.gov, for instance, anyway, your unique entity ID. You need to make sure that that's entered right. You need to make sure those two pieces of information are correct. They have all the right information in there, especially whenever you get your level two certification, that those are correct. So when they get uploaded, make sure that they show up and they match correctly.

(02:50):
If they don't, then you're gonna have some problems getting awarded some contracts, and you don't want that. You had mentioned earlier that primes might be getting a little pushy when it comes to compliance. So the town hall made it clear that the primes are responsible for the entire supply chain. How big of a deal is that? It's a huge deal, but it's really nothing that has changed, really. It's just changed, I guess, in enforcement.

(03:12):
So the flow down rule has always been there. Primes are supposed to make sure that their subcontractors were the same level of compliance as them as far as a specific contract goes, right? And work on that contract. And then those subcontractors were supposed to do the same. That's always been there, hadn't changed, but that's specifically spelled out and said, hey, by the way, you need to make sure you're doing this. So guess what?

(03:33):
You need to make sure you're doing this. So not only do the primes need to make sure that their subcontractors are compliant, where they need to be compliant at level one, level two assessment, or level two certification, whatever it is, you know, they need to make sure that their subcontractors are compliant. But then subcontractors also need to make sure that their subcontractors that are working on any of those particular contracts that have CUI, they need to make sure that they're compliant as well, which is gonna likely cause some big problems.

(03:53):
Interestingly enough, it'll cause big enough problems in manufacturing, but that'll actually cause bigger problems in construction. Well, there's construction projects that include CUI, all the subcontractors, I mean, think about it.

(04:14):
You know, I'll just leave the obvious unsaid, but you know, all those subcontractors that are used that get that CUI would have to be level two certified. So that's an even taller ask of the construction industry than it is the manufacturing industry. So big deal.

(04:35):
From what I heard on the town hall, it seems like they really emphasized that compliance isn't just a one-year thing. Sounds like that might have been brought up. Can you address that? Absolutely. And this is another one of those things that has not changed. They're just specifically calling out and saying, hey, by the way.

(04:58):
I mean, you look at the way the NIST 800-171 is written, just that, leave out CMMC, just the NIST 800-171, look at how it's written, and it's all about ongoing compliance, ongoing management, ongoing monitoring. So it's not a set it and forget it. It's not to get everything in place and just, you know, don't worry about it any longer. It is an ongoing monitored, managed compliance is what it is.

(05:22):
And they're just reminding everybody of that. Because I think people are finding out, you know, that, oh hey, we can't just implement a tool or two and then forget about it. You know, it's a whole deal. I spent a lot of time working with new and prospective customers and I think that is one of the biggest pills they have to typically swallow, which is what the full breadth of burden is for compliance.

(05:46):
You know, the documentation, a lot of people come to us for documentation first, and that's a whole nother thing. You know, it's a whole thing by itself, but then the documentation, once you put it together, if you put it together correctly, it says all these things that you have to do and all this money you have to spend. It does.

(06:08):
And, you know, it's typically, you know, when someone's first at the start of their compliance journey, it is not necessarily something they understand, even if they intellectually understand it at first, it doesn't really hit them until later.

(06:28):
Yeah, that has a tendency of not really sinking in, even though you talk about it, you know, it sinks in, it hits them later, you know. Oh, so really what you were talking about when you said that was blah, blah, blah. Yes. Yep. It's ongoing, you have to keep it up.

(06:49):
There's a lot of work involved, so yes. Another thing that always comes up, and there's a lot of confusion and misnomers about, I think, is service providers, of which we fall under that umbrella term. ESP, not a CSP, is what we are. Yeah. Right.

(07:12):
And speaking of, there was a lot of discussion about CSPs, MSPs, and ESPs on the town hall.
So can you tell us what that discussion was and what the risks are here? Absolutely. Yeah, so to clarify, an ESP is an external service provider, right? Okay. And that is any company or service that an OSC, organization seeking certification, uses.

(07:37):
So anybody that wants to be compliant, right? Any company that wants to be compliant, if you use a third party to do anything for you, that is an external service provider. So if you use somebody to back your systems up, secure your systems, anything else like that, then that's an external service provider.

(07:59):
There's a whole big category of ESPs, external service providers, and then within that, you've got CSPs, MSPs, MSSPs, you know, you name it, but the way the federal government looks at it is, among the ESPs, there are CSPs, which is a cloud service provider. Okay, think of Microsoft 365, think about Google, those are CSPs.

(08:23):
That's an easy one to look at and kind of figure that out. And then everything else other than a CSP is called an ESP, not a CSP. Which really, I mean, kudos to the government, I guess. That's very descriptive. It's just a weird name to name something, right?

(08:44):
But that's fine. So you got CSPs and ESPs, not a CSP. So things that fall into that category are gonna be managed service providers like us, MSPs. They're gonna be managed security services providers, MSSPs, stuff like that.

(09:05):
So those are the two most common you're gonna find. But there's a little bit of confusion as to whether an MSP or an MSSP, in what circumstances they might be a CSP.

(09:28):
One lead assessor told me, I can't remember who this was, but a CSP, just kind of like a rule of thumb, and you might correct this, this might be wrong, but it was an SS. And he said that basically if you could go turn on cloud services by yourself in some form of like portal or instant access, then that's a CSP.

(09:51):
But if you have an MSP that does it on your behalf, there's no ability to do it, it's all provided, managed by the service provider, then that's kind of the distinction that he thought was a good one. I don't know if that's accurate, but that's a good distinction.

(10:14):
Although that might be confusing for some, because a lot of them, they're MSP managers, they're CSP licensing. So that might be a little confusing to some, but that's a pretty good explanation. So that's what a CSP is gonna be. An MSP or an MSSP is gonna be somebody that provides you a service.

(10:38):
You know, they back up for you or they provide security for your laptops or something like that.
They may provide some of those CSP services, but at that point your MSP, if they provide those services for you, they should know whether those are gonna contain CUI or SPA or SPD or whatever they may contain, and whether they need to be FedRAMP, or whether they don't necessarily need to be FedRAMP but they'll be included on the assessment and be assessed and need a CRM or a customer responsibility matrix.

(11:01):
So it matters a whole bunch whether you're a CSP or ESP, not a CSP.

(11:23):
So CSPs, if they contain CUI, they're gonna have to be FedRAMP authorized or FedRAMP equivalent. Okay. ESPs, not a CSP, you're gonna have to make sure that they provide you a shared responsibility matrix or a customer responsibility matrix, whatever you want to call it, SRM or CRM for short.

(11:43):
The government is now calling it a CRM, which is why we started calling it a CRM. So you need to have one of those in place from your MSP or MSSP or other ESP that's not a CSP, need to have that in place and make sure that everything is covered there, and they'll be assessed against those controls.

(12:05):
One other thing really that I just realized is that if an MSP or MSSP holds CUI, processes, stores or transmits CUI, then they're gonna fall in the category of having to meet all 110 controls of CMMC.

(12:30):
So all 320 assessment objectives. However, so if they hold CUI, that's gonna be like if the MSP are the ones that store your backups on their equipment, then at that point they'll have the CUI in their possession even if it's encrypted.

(12:52):
It'll still be CUI, as we've discussed before, and they'll have to meet all 110 controls. There are other examples too, but that's the easiest one to think about, is if they're hosting your backup. So if they just have access to it, it's not the same thing.

(13:14):
So if they're managing that backup, making sure it happens, making sure it completes, making sure that they can restore, that's a different ballgame. But if they are storing that, well mostly storing, but processing, storing or transmitting that CUI for you in the form of a backup, then they'll have to meet all 110 controls.

(13:34):
Otherwise, if they don't and they're just handling security protection data, and I think I just said SPD a while ago. So SPD is security protection data. If they're just handling that, then they just have to meet the controls for which they're providing to you.

(13:55):
So for instance, antivirus on workstations or something like that. Yeah, it makes sense.
I was reading some LinkedIn posts, and it's real funny because people get really almost like political about CUI and CMMC and the decisions that are made by the powers that be.

(14:15):
Anyway, and someone was being very critical of the fact that access does not require level two certification for MSPs. And so just thought that was interesting. Because it makes sense to me.

(14:37):
I mean, if you're not holding the football, you know, you just have access to it, then it makes sense that you could use an MSP that's not certified themselves if what they're providing to you follows all the controls, which is ultimately the goal of the compliance, right? So it's not to get everyone certified, it's to protect the CUI and the data, and that's the goal, I think.

(15:01):
So I think it's just really important that at the end of the day we go back to intent, you know, because people get real caught up in, you know, like I said, all this weird political, and I call it political, but anyway, people hold a lot of biases about CUI and compliance and everything.

(15:22):
But really at the end of the day, all we're trying to do is just protect CUI with good cybersecurity hygiene. And it's just, I think, a little commentary for me, I find it funny how, you know, I guess religious people get about it. Right.

(15:44):
One thing I might add is that, because I said something about it a minute ago and you did too just now, but if an MSP does hold some of that CUI, or if they provide a lot of security and they'll be assessed, you know, just SPD, they'll be assessed on a lot of those controls, whether it's all of them or a lot or whatever, however many it may be.

(16:07):
That MSP has to kind of think about how many clients they have that are DIB clients and are gonna need this and how many times they want to undergo those assessments, because you'll have to provide documentation and all sorts of other fun stuff. And you'll have to spend time with your client and answer questions. How many times are you gonna want to go through that?

(16:30):
Or would you rather go get a level two certification and be level two certified and be able to say, yep, here's my paper right here, I'm level two certified. Now that doesn't mean that all assessors are just gonna go, ah, okay, no problem. You know, they'll still have to check into some things, and if they have warm fuzzies from the things they check into, most likely the controls and assessment objectives, that is, most likely they won't see the need to dig anymore, right?

(16:54):
So they'll take your level two certification at face value. But anyway, that level two certification likely would make it quicker and easier on the assessors doing the assessment and quicker and easier on the MSP as well.
(17:19):
Yeah, we're down here in Texas and, anyway, so we have this thing called concealed carry. And so if you, I just think of, where's this going? Thinking of a funny, anyway, something, it's like, you know, when you get, if you have a concealed carry, you've been federally background checked, right?

(17:41):
And so if you have a license, it's, you know, if you get pulled over, and if you don't have one, the police officer is a little more suspicious of you than whenever you get pulled over and you're like, oh, here's my concealed carry, they're just handing them a background check. So they typically take the traffic stop a little more lightly, although not that they have to perform their job any differently. It just kind of, you know, helps grease the gears a little bit, and it's kinda like that, you know.

(18:04):
Which you wouldn't really understand if you didn't live in Texas or one of the other states where you have an LTC. Right. Right. But the point is, it's, you know, you don't need the certification as an MSP, and you don't have to get rid of your IT provider if they don't have one.

(18:28):
But it certainly greases the gears and makes things easier, and then you also, like you alluded to earlier, that MSP is gonna have to be a part of your assessment. And so if you're their only client that has this burden of compliance, then that might be a bit of a burden to them. It may not, and it's gonna cost.

(18:48):
And so you should probably approach them about how much it's gonna cost to, you know, carry that burden. And if they don't charge you, they might be a little, you know, it's not gonna be fun for them, right? Right, to have to provide all that information and everything.

(19:09):
So I guess what I'm getting after is it's good to have an MSP that's level two certified, I should say. And they don't have to, but if they're not gonna be, you really need to, because you're gonna be married to them, you really need to have those discussions and be like, look, you know, this level two assessment's really gonna be a pain in the rear.

(19:32):
You know, can you do this? It's gonna take a lot of time. How much more are you gonna charge me, you know, yada yada, and make sure that they're really gonna be there for the full extent of your relationship and stick around, and it's not something they're gonna get tired of very quickly and drop you as a client, because then you're kind of in a bad spot.

(19:53):
Yeah, and what I might also say to that is, you know, if you're looking for an MSP, there aren't very many right now that are level two certified. You know, if you find one that's level two certified, that's even better, or on the path to be level two certified, that's good.
(20:17):
At the very least, that MSP or MSSP, anybody that provides you any services as an ESP, if they're not FedRAMP, if it's not a CSP, then any of those folks are gonna need to give you a shared responsibility matrix or customer responsibility matrix, SRM or CRM, that is the lowest bar to provide there.

(20:38):
And it needs to be a NIST 800-171-based responsibility matrix, not just a generic one. Right. Not one they put in ChatGPT and then sent over to you. Exactly, exactly. So, you know, there needs to be thought behind it, because they're saying these are the controls that we cover. This is your responsibility for these controls, these are our responsibility, and so it lines it out there and spells it out.

(20:58):
And that's what the assessor wants to see. And even if you do have somebody that is level two certified, you still need that. So it's not anything that's just, it's a basis of what you need from your provider. Yeah, so that's another really good, talking about if they're not certified, that's another very strong question to lead with.

(21:18):
Not even, that might give you an idea of, you know, if they say they're committed to going through this with you, then immediately ask them for an SRM or CRM. Because then that'll be a good litmus test of if they actually are.

(21:39):
Because they may not have realized, you know, what the true breadth of the burden is gonna be for having you as a client. And so asking them for that CRM, SRM will really tell you whether they are gonna stick around, and also tell them, I might want to reevaluate my situation.
(21:59):
Right. Talking of the government shutdown, what is the risk to CMMC in this whole process? What are the implications gonna be for the defense base? The biggest risk for the CMMC for the government shutdown is gonna be tier three background checks for CCPs and CCAs.

(22:20):
That's CMMC certified professionals and CMMC certified assessors. So those tier three background checks that you have to get, those will likely be delayed. Hopefully not very long. But what I can tell you is it took me 10 months to get mine. And there wasn't a government shutdown. And there was not a government shutdown.

(22:43):
Maybe I was a, you know, strange character and they really needed to check into me, but mine took about 10 months. They are taking, you know, six to ten months right now or so. But as of today, the government has shut down. So that tells you when we recorded this as opposed to when it's uploaded. But as of today, the government shut down. We'll see how long it's shut down, but it will affect tier three background checks.

(23:04):
There's a small likelihood that it could affect when the 48 CFR goes into effect. It's already published, it's already live as of September 10th. They put a 60-day date on it. So November 10th of 2025, it'll go into effect.

(23:25):
There's not really a reason for it not to go into effect on November 10th. But, you know, stranger things have happened. So that may be affected. I kind of doubt it, but that's possible. So there could be some other background things that happen. You know, all the assessments will keep going as is.

(23:51):
You know, government shutdown doesn't matter because they're not government employees. So the C3PAOs will keep doing their job, all that'll keep trudging along. There could be some of the pieces in the background, they upload to a system called eMASS.

(24:15):
You know, there could be some of that in the background where if they have some issues and they need to talk to somebody or something, that it may be delayed. But that's just a possibility. So those are the things that the government shutdown may affect as far as CMMC goes. Mostly it's some inside baseball, like I said, with the CCPs and CCAs not getting their tier three background checks in a, quote, timely manner.

(24:37):
Yeah, because six to ten months is really timely. Six to ten months is, yeah. So that's the biggest thing right there though. So I don't know how this works particularly, and we may need to talk to a C3PAO.

(24:57):
So I'm not sure if you'd know this either, but whenever you get a certification, or you have some provisional certificate or something from the assessor themselves, and then it has to go through the powers that be in the government for them to finalize it, right?

(25:17):
So does the uploading to eMASS have to take place for that provisional kind of status before you get your final certification status, or can you go through the assessment and then you're just provisional because the C3PAO said you're provisional? And I know I'm using the wrong words there because I don't know what it is, but I know that's kind of the basic structure of it.

(25:39):
So the way I understand it is that once the C3PAO says you're good, you passed, you're good, you passed. But it does need to be uploaded into eMASS. There's no actual certificate right now.

(25:59):
They're supposed to be coming up with an official certificate that they give you, although from what I understand, you're not supposed to show that certificate to anyone, so what the heck that matters, I don't really know. But so all that should be good. The only question is it flowing through the systems properly after it's uploaded to eMASS.

(26:22):
So there may be some issues there, but once you get assessed by your assessor and your C3PAO says you're good, you passed, then you're good and you passed. It's just got to flow through the systems. Yeah, so I guess if you're going through that process right now, great question for your C3PAO.

(26:43):
Yeah, it is a great question. And I should know the answer to that one, but I don't think it's called a provisional, yeah, I know it's not called provisional. I just cannot remember the name of it. Yeah. But we're more on the readiness side, getting you ready, and then we pass the baton off to the C3PAO. So that's where our expertise drops off a bit.

(27:07):
So just a question as far as impact goes. So really it sounds like, you know, unless you're one of the few that's going through an assessment right now, you know, great question for your C3PAO, which they'll probably have a decent answer for.

(27:28):
But really the other main impact for everyone else, the lion's share of people, is that the pipeline of CCAs and CCPs, which means, you know, people that are able to certify you and people like us that are able to get you to the point at which you can get certified, just got paused. More or less, that's mostly on the assessment side.

(27:51):
So really the biggest impact would be that there just may be fewer people, you know, able to help as more people come into the professional labor side of CMMC things to help get the defense base up to snuff. Right. So but really, unless this goes on a really long time, it should be something you don't really feel at all.

(28:13):
So yeah. You know, I don't remember exactly, but I don't think these government shutdowns last too awful long. So really a couple weeks at the most, if I remember right.

(28:34):
And in the whole scheme of things, as far as your tier three certifications or tier three background investigations go, if it's six to ten months on average, a few days or a week or a couple of weeks, you know, is not gonna change that a whole lot, I wouldn't think. So, you know, I mean that just means they'll build up and they'll have more to go through, but they'll go through them at the same pace they've been going through them once they start again.

(28:56):
So there will be a little bit of a delay, but in the whole scheme of things, if it's adding, you know, a couple of weeks on to six to ten months, it's not that much of a difference. So absolutely.

(29:18):
Especially when most of the industrial base out there still has, you know, yet to go through it. So yeah. So we're more or less in the same spot. I know people really love to grasp onto anything that could mean that CMMC isn't gonna happen or whatever else, but it doesn't seem like a government shutdown's the one to make it stop.

(29:38):
So I agree. So what other updates have I missed from the town hall that you saw? Well, there's new hires, including Kat Adams as conformity credentialing coordinator and Christopher Davis as interim CFO. So there's that one.

(29:58):
The ecosystem does continue to grow, so that's good, because we're gonna need as many CCPs, CCAs, RPs, RPOs, C3PAOs, we're gonna need as many as possible to get this flood of OSCs that are gonna come along to get everything implemented and certified, you know, in a timely manner.

(30:21):
So that's good. There's over three hundred and sixty-six final level two certifications that have been given out so far. So that's companies that have gone through and gotten their level two certification and have completed that and don't have an active POA&M that they need to finish, right? Small bite of the elephant, but it's progress.

(30:42):
Exactly. Exactly. So at this point there are eighty-two authorized C3PAOs to do the hundreds of thousands of companies that need to have level two certifications. But there are about 82 of those right now. That's increasing.

(31:04):
You know, as we talked about a minute ago, the government shutdown could affect that by a couple weeks or so, or whatever a government shutdown is, but not by much. So that should keep trudging along. The Cyber AB is starting up some advisory councils.

(31:27):
I was gonna put in to be on one of those, but my calendar is so full that I had the form halfway filled out and I thought, you know what, I'm just gonna hold off for now. So maybe when the two-year term comes up.

(31:49):
But they've got these settled now at this point, and these advisory councils, so there's one for C3PAOs, one for ESPs, there's a few different ones. I can't remember all the ones they are for, but those advisory councils are all set now, or at least the timeline to have your application in to be on one is all done.

(32:09):
I believe they said that they're all set now. But those will be kicking off pretty soon. And then, believe it or not, there is some international expansion to CCPs, CCAs, C3PAOs, there is an international component to that.

(32:29):
So folks in Canada, folks in Australia, stuff like that, can be part of the ecosystem. And there's nothing saying they can't. Those folks typically are not gonna see CUI. So if it's a type of CUI that is dissemination restricted from foreign citizens, like ITAR, for instance, or NOFORN, then it should be fine.

(32:53):
They should just need to make sure that when they do an on-site assessment for someone that there's no CUI out there for them to see, right? Or they need to make sure they follow their ITAR regulations as well. But that should all be okay.

(33:15):
There was a question as to whether those foreign assessors could assess American companies, and the answer was yes, they can, with the caveat that I just talked about for the CUI. So those are some of the main updates that came out of the town hall.

(33:35):
I think that's it for today, guys. If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.