Milestone to Mandate: What the Latest CMMC Update Means for MSPs
The Cybersecurity Maturity Model Certification (CMMC) is no longer a distant concept—it’s rapidly becoming a defining factor for Managed Service Providers (MSPs) working with the Defense Industrial Base (DIB). On a recent CyberCall, we discussed breaking news that the 48 CFR CMMC final rule has reached the Office of Management and Budget (OMB), signaling the imminent start of the program’s phased rollout, potentially as early as Q4 2024. This means CMMC requirements will soon appear in more Department of Defense contracts, and MSPs that aren’t prepared risk leaving their clients behind. Key insights from the call highlighted that CMMC involves two rules, with the latest step focusing on how requirements are embedded in contracts. While there may be a “12-month grace period” for self-assessments, many contracts will require Level 2 compliance, and major primes like Lockheed and Raytheon are already urging subcontractors to get ready. The real challenge isn’t just a shortage of assessors but a lack of implementation capacity, as CMMC demands far more than technical fixes—it requires standardized cybersecurity practices, detailed documentation, and deep knowledge of NIST SP 800-171 and 800-171A. MSPs must act now: assess which clients fall under CMMC, master the requirements, build repeatable processes, consider specialization, and prepare for third-party assessments. By leading rather than reacting, MSPs can secure their clients’ futures in the defense sector and position themselves as trusted cybersecurity partners in this rapidly evolving landscape.
Video Transcript
Okay. All right. Welcome, welcome. Happy Monday, everybody. The last Monday in July of '25. And as always, I, I note that this year is absolutely flying by. Um, let me just do a, a quick chat. Welcome everybody in chat, make sure we're coming through loud and clear. Um, and then we'll get rolling. Alright. If you guys all could let me know out there, um, if you can hear and see us okay, uh, I'd greatly appreciate it. And then we'll get rock and rolling.
Um, Andy, just so you're aware, um, very we scheme is really sensitive, so if you're gonna type, please do. Uh, but um, if you need to just mute because everybody will hear it. I like to get excited in the chat. Yeah. Oh, if you're chatting away, no worries at all. Um, good to see all. Okay, let's, um, by the way, we're keeping an eye out. Oh, Joy is back. Here she is. All right. Awesome. Alright, now we can get official. Now that Joy's here, we are official. Sorry.
Lots of internet issues, so No, no sweat. I never have those, Joy. Yeah. Okay, good. I'm kidding. Alright, so quick programming note as always. Um, so we are now taking the CyberCall, um, and making it into a podcast right after. Um, it's done. We typically get it posted out there, um, by the end of the day, if not first thing in the morning. For those of you that can't, um, you know, watch it live. It's obviously on replay on YouTube.
So, uh, let's talk real quick about who is with us in the house. Um, today's topic is, um, what's, oh, I like to call it, I was talking to Jacob. Jacob. We came up with milestone to mandate. Mm-hmm. The sausage is made. Um, we've talked about making the sausage for many years, uh, over like the last five, I think, Jacob, around CMMC here on the CyberCall. Um, so what's the latest in CMMC? And, and we have a, a, a plethora, we're going with a big word today, of guests and co-hosts.
Uh, so let's go, uh, my right to left and quick intro. So we have Jacob, welcome, as our special guest today. Quick intro from yourself and, uh, we'll move on. Yeah, sure. My name's Jacob Horn. I'm the Chief Cybersecurity Evangelist at Summit 7. We're an MSP that's strictly focused on facilitating DFARS, CMMC, NIST compliance for defense contractors using the Microsoft stack. Uh, I've been in cybersecurity almost 20 years now. Did a bunch of cool stuff in the Navy on active duty.
I was a SOC analyst, uh, for the Army as a civilian once I got out. Moved into the world of DOD acquisitions after that and, uh, did a lot of RMF ATO, NIST 800-53 work, and then started consulting when NIST SP 800-171 requirements, which is really a derivative of that whole world, started, uh, leaking out into the muggle world and affecting defense contractors more and more.
And then as the government wanted more assurance over that, through a program known as CMMC, my primary job, which has been my job for the last five, five years or so, has been translating all of the regulatory gobbledygook into human speak. So I host a podcast, uh, every week on the Summit 7 YouTube channel. We do a live Q&A every Friday, put out tons and tons of content on LinkedIn.
Uh, basically just trying to translate, uh, what's going on since, uh, the government doesn't seem to have an interest or a talent in doing that. Uh, I fill that gap. Yeah. And superpower Jacob of you, you kind of touched on this, but being able to take 400 page government documents and, and distilling them, uh, which I still don't know how You worst superpower ever, but, uh, but, you know, uh, I use the power for good, uh, when I can, so, All right, Andy, welcome.
Good to see you back, my friend. Thanks for co-hosting. Yeah. Good to be back. Uh, hey everybody. Andy Sauer, CEO of Sentinel Blue. We're an MSP and, uh, C3PAO, very similar to Summit 7 in that, uh, our focus is exclusively in servicing the DIB. Um, and I'll, I'll just echo something that, uh, Jacob and others have said who have, who've emerged as a class of subject matter experts in the CMMC space. Often, it's just because we've read the documents. Yeah.
And, and it's, it's a lot of reading. Yeah. Uh, but I think sometimes there's a view that, uh, you can't catch up. You just gotta read it. Just the stuff's written down. That's all it really is. So excited to jump in today. There's definitely some movement happening in the CMMC space and, uh, and fun fact, I had to take a break from supporting a CMMC certification assessment today to jump on with you all, and when we wrap up, I'm jumping right back in. Oh, thanks for doing that, Andy.
Really appre, really appreciate it. Listen, they're not the most fun things. I'm happy to take the break. All right, Joy, welcome and back, as always, as a co-host with us. Uh, have a good... Thanks, Andrew. It's great to see you. And also, Phyllis, anytime I get to see Phyllis, it's a good day. It's, so, I work with Jacob Horn over at Summit 7. I'm the Vice President of Cybersecurity Compliance.
I had the honor of leading our team through our CMMC level two certifications internally for Summit 7, both as a contractor for the DIB and as a service provider. Um, I have 28 years of experience in the MSP world, so I find myself being a translator between what MSPs think they know and what the reality of CMMC is pretty often. I'm also a lead CCA. I participated in, or actually led, an assessment team through the Joint Surveillance Voluntary Assessments.
And I'm a provisional instructor, which means that I have taught close to 500 students now, either the CCP or the CCA five-day boot camps. So, it's an honor to be here. Thank you. Yeah, of course. And as always, Ms. Lee, good to see you, Phyllis. Thanks for coming back and welcome back from vacation. Of course. It's great to be here. Yeah. Alright. So, you know, um, Jacob, I found this one interesting. Um, you're, I, again, I troll you constantly. Uh, I hope you take that as a, as a compliment.
Um, but, uh, you posted something, uh, from the, uh, Secretary of Defense, um, just I think it was Friday. Mm-hmm. If I, if my memory serves me, Friday or, or Thursday. Um, you know, and what's the, can you, can you maybe break down, you know, the significance of this post? Like, you know, you, you, you riffed a little bit about it, but, um, once you're done with that, I do wanna ask somewhat of a sarcastic question about Sure.
Something that came out on ProPublica that I'll also, that I, I've been talking about for about a week now. Yeah. Oh, yeah. I forgot to mention my, my unofficial title is now PR for Microsoft, apparently. So, so we could talk about that in a second.
But just to cut to the chase within the context of CMMC, about a week and a half ago, the Secretary of Defense, uh, issued a memo, uh, basically saying that the Department of Defense is not interested in procuring hardware or software that is susceptible to foreign influence, specifically from China. And in the list, the short list of things that the department is trying to leverage in order to deal with that problem. The first one that was listed is the CMMC program.
Uh, this is the first time, basically in the history of the CMMC program, that we have a memo inked from the SecDef themselves. Typically, this was a Deputy Secretary of Defense level, uh, issue, which is quite high in the hierarchy of the Pentagon. Uh, but this can't come from any higher within the organization.
Uh, and so for any of the CMMC flat earthers out there that think this isn't a department priority, if you ignored the many, many dusty unread policy documents that came out from DOD's Pentagon level strategy over the last couple of years, uh, then this one should kind of cut through all of that and tell you that it is a massive priority at the very tippy top, uh, in terms of what's going on. And, uh, that, that's basically all you need to know.
If you're, uh, not interested in the details of the rule making and how all the regulations come to be, um, you're hearing it from the boss. Right. So, Jacob, you know, uh, this came out probably in a similar time. This article that I just posted in chat about a week and a half ago. I, I was, um, you know, on some of the other community channels that I, I work with, I've been talking about this.
And first off, it, it, the irony of it that Microsoft was, you know, for its DOD, um, clients or, or the federal government, it seemed, you know, without specific, but, hey, where were we using Chinese, um, uh, uh, per, you know, uh, people in China to, to work on our, our on the programs.
And we have these, but don't worry, we have these digital escorts here at Microsoft that, uh, turns out when interviewed really are far less capable and trying to understand what these folks working on these programs actually do. Like, they were like, Hey, we we're not qualified enough to tell you, um, based on their levels of sophistication since then, I think Microsoft came right out once this whistleblower came out and said this was going on, killed this program.
But do you have any, any thoughts or insights on this? Uh, yeah, sure. Well, first of all, I'd like to know what the program was or is, because after reading the ProPublica article, nobody seems to know. Uh, and you would think that if this were as controversial as people are saying, which clearly it's very controversial, if it were a smoking gun, highly controversial red flag hand in the cookie jar, you're cheating. You have thrown away national security.
I wrote down a list here from the article. Then AWS might have said something, Google might have said something. Oracle might have said something. DISA, FedRAMP, GSA, Lockheed, Leidos, Accenture, the Cyber Safety Review Board, before they got disbanded, or the DISA IG, who the whistleblower went to. And none of them said anything. Uh, former DOD CIOs, since this program goes back over 10 years, have no idea allegedly what the program is.
So, uh, it sounds like a big deal, but nobody seems to have any details over what it is. So, I don't know. Yeah, it's kind of weird, right? Because the, these, it seems like this, they were able to interview these, these digital escorts, but yet there's not, like This is, this is pre IG purge from the Trump administration, which itself is a highly controversial move.
So pre IG Purge, the whistleblower went to the DISA Inspector General and said, right over there, the body is right over there, wee woo wee woo. There's a big emergency. And they said, there's nothing to see here. So either the entire system is completely bought into this program that nobody seems to have any idea what it is. Uh, or that's not the full story. Right? Yeah. Now, I have zero doubts that big players are able to bend rules, they're very able to interpret rules.
It doesn't matter who you're talking about. Right? That's just how companies work. So I think this is less about particular players cheating the system, and more about the fact that when you go down this list and everybody goes, oh, it wasn't me, they all know that the rules are not sufficient. Right.
And this sort of ties back to CMMC, if you think that this is crazy, wait till you hear about similar information that just flows completely unchecked into the defense industrial base where there are basically zero rules, right? I mean, this is, it's on par with the same level of emergency. Right.
I think one of the interesting questions, I was talking with people on LinkedIn a while ago, uh, over the weekend about it, was the, the, the bigger question that I think is very interesting is when FedRAMP was originally proposed, it had data sovereignty requirements in it, and GSA took 'em out. And so you can have FedRAMP offerings from foreign countries, and it's still perfectly on the up and up, which is absurd and has always been absurd and will always be absurd. And, uh, so I don't know.
People are very outraged about this coming out as they probably should be if we have more details. But it, it just belies a bigger problem with the fact that the rules are not as strict as they should be. The consequences are not as big as they should be. And it goes whether you're directly contracting with the government as a big cloud provider, whether you're a subcontractor underneath Lockheed Martin somewhere, people only seem to care about these things after emergencies happen.
And, uh, it'd be nice if we could get ahead of that and, uh, institute these rules before something like this occurs. Yeah. Mm-hmm. Alright, well let me, um, let me set the stage and turn it over to, uh, to Phyllis and let's get rolling, Jacob. Sure. Alright. So, um, I'm, I'm gonna paraphrase you a little bit, but big news, the 48 CFR CMMC rule just hit the OMB and, um, you were saying this is the final stop, right?
And, um, this means that the phased rollout could begin as early as Q4, I think you were saying, Jacob. Mm-hmm. Again, my, my memory serves me from your post. So for MSPs and vCIOs supporting the DIB, um, this is the starting gun, Jacob. Correct. And so, so, so with that, um, you know, it's, it's been a wild journey, like I said, probably five years of having you and Brian Bonner and Joy and Andy on. So, with that, let's get on into it, Phyllis, and you can take it away, uh, with Mr. Martin.
Yeah, sure. So, you know, as Andrew just said, um, the 48 CFR CMMC final rule is with OMB, um, the Office of Management and Budget, for those of you who don't know that. And so what does this milestone mean for everybody? And can you just break it down for us? Yeah. So to use Andrew's metaphor here, if the 48 CFR final rule going into effect is the starting gun, then this milestone is them raising the gun above their head next to the track, right? That's sort of where we are.
So, just to recap for everybody, 'cause I know it seems like we keep saying CMMC is around the corner. It's around the corner. Yet again, CMMC is a single program, but it's implemented by two different regulations. And because it's implemented by two different regulations, we're on two different rulemaking timelines. And they don't happen perfectly in parallel.
They're slightly staggered, which is why we're back here talking about a second final rule after we were just talking about one in December of last year. So you need both rules to be final and in effect for their phased rollout to start and it to start showing up in contracts. So the first of those two regulations is what we call 32 CFR CMMC.
And that's because all of the policy of the CMMC program, the rules, the roles, the responsibilities, the levels, the POA&Ms, the waivers, the requirements, all that stuff, all the policy stuff is codified at Title 32 of the Code of Federal Regulations. You can just Google 32 CFR 170 and it'll bring you right to the regulation. However, this is a contractual requirement.
And contract clauses and contract language are themselves regulations, and they have to go through rulemaking or the process of making regulations as well. So in order to implement that 32 CFR policy in the actual contract language with clauses and provisions and all that stuff, we need a second rule. And so that's what this rule is. It takes all that language that went into effect in December of 2024, and it turns it into contract language.
That proposed rule came out in the summer of last year. And now the final version, the final rule, is off to OMB for regulatory review. That's the last stop for all regulations, where they dot the i's and cross the t's and swim through all of the red tape. After that, it goes off for publication. And that's really the last thing that you wait for. And then once it hits the street, we'll figure out how long before it goes into effect.
And, uh, then all CMMC, or sorry, all DOD, uh, contracts that come out from that point will have some form of CMMC requirement in them, uh, at the various levels. That's right. That, that was a great explanation. I'm just gonna foot stomp the procurement part. Right. So when it makes it to OMB, that's, that's really, you know, when I was in the government, that's the real power, right? Yeah. Before you can purchase anything.
Um, once OMB says, okay, now this is an official ruling, then you must follow that rule. Yeah. The, the Office of Management and Budget is like peering directly into the reactor of the bureaucracy of how the federal government works. And so it is a huge, huge milestone that, uh, for all intents and purposes, once a rule leaves an agency's hands and goes to OMB, as far as the agency is concerned, it's over and done. If they didn't have to send it to OMB, they would just run with it as is, right?
It's literally just the signatures and the red tape are the only thing standing in between DOD putting it in contracts today or two months from now, essentially, is it's just red tape. So, um, how close do you think we are to seeing the final rule published, and when should MSPs expect, um, you know, CMMC to actually be enforced? Sure. So I'll give you the conservative estimate based off of what the historical data suggests, and then I'll tell you what I actually think, right?
So, uh, nobody knows. There is no way to know the exact publication date. Uh, it, it talking to people in the government at agencies who then deal with OMB and then after OMB sends it over to yet another agency for publication. It's a series of black boxes. They don't know, right? So we went back, can I, can I ask? Yeah. Last week I got a number of emails saying it was starting October 1st. Oh, yeah, we'll talk about that. Remind me. We'll talk about that. So nobody knows. Nobody knows.
Not even I, the rulemaking guy knows the exact day that it will be published. So we went back through every DOD rule that's been published since 2009 and calculated the average timelines, did all that stuff, blah, blah, blah. So the conservative estimate at this point is that we would see the rule published sometime between the end of October and the beginning of February, right?
So that's the most conservative range of time that we would see based off of historical averages and the way that this can play out. Uh, however, there's many reasons to believe that that will be closer to the October timeline, or perhaps slightly earlier, than there are reasons to believe that it would be February. Uh, the primary reason is that this rule is very small compared to its big brother that went into effect in December of last year.
It's also mostly revising language that already exists on the books to update it, to match the rule that went into effect in December. Um, it's implementing a very large and controversial rule that already made it through this rulemaking process. If you remember some of the other things that we talked about, some of the other times that we've been on, uh, there are far fewer public comments that they had to sort through, uh, whenever the public comment period was open.
Uh, and in general, because of the way that, you know, things have changed in DC, there just aren't as many rules that are being pushed through the system right now. And so there aren't as many things for OMB to review, like there were in the past. I think there's maybe like a third as many as there have been in the past. So there's just not a lot going on. Um, and it's also a huge priority. Uh, the director of OMB, it's a guy named Russ Vought.
Uh, he was the director of OMB when the first version of CMMC got pushed through in 2019 and 2020. Uh, and my understanding is, is that at the inauguration, when folks from DOD were hanging out with, uh, Mr. Vought, uh, one of his first questions was, where's my rule? What have you been doing for the last four years? Uh, so I don't think we're gonna wait until February. Wow.
But yeah, so to Andy's point, if you've been perusing LinkedIn, you may have been getting the algorithmic fire hose of, of posts about, there's the, this thing has happened and there have been marketing emails that have gone out, and people have said it's gonna be October 1st. It will be effective October 1st. Okay? First of all, it could be October 1st. That's very early. That would be very unlikely based off of what the data suggests, but it could be.
However, that's not what people are saying. What ends up happening is people will say, they'll just Google it. They'll say, CMMC effective date. And what you'll find is that there is stuff in the Federal Register and in the Code of Federal Regulations right now that says CMMC, on October 1st, 2025, will go in all DOD solicitations and contracts. That is left over from the 2020 CMMC 1.0 rule. Right? So if you remember way back in the day, under CMMC 1.0, we were gonna have this multi-year phased rollout where the DOD was gonna hand pick contracts over the course of five years to include these requirements. And then on October 1st, they were gonna say, everybody's gonna have these requirements in all new contracts. That language is that way because the rule said, put this into the regulation in 2020, and that language won't change until the final rule revises the text of the regulation.
That's why when you read through this, uh, rule that came out last summer, it says, we are proposing to revise 48 CFR with the following things. So that's old phased rollout language. The, the great irony here will be if they do go very fast and it comes out on October 1st, and everybody's gonna go, see, we told you, you were, we told you it was gonna be October 1st. I don't think it's gonna be October 1st.
I would love to be wrong, and no one will ever care about, oh, well, actually it was the 1.0 language. Uh, but that's why people are saying October 1st. Nobody knows for sure. We are predicting late October to early February, but I would not be surprised if it went earlier. I tested that theory real briefly about people just searching, but I, I did what I think most people are doing now. I went to ChatGPT. Yeah. And I just asked the latest model, the 4.5 model, and it confidently says 48 CFR, which inserts this, came out July 23rd. This clause makes CMMC compliance a requirement in nearly all new contracts starting October 1st, '25. That is, then it proceeds, that is what proceeds to link me to marketing landing pages. The current clause says that, is what the current clause says. But as you know, people are probably aware, uh, don't trust the robots, don't trust them, they don't have sufficient context. It is telling you what's true.
That clause currently says October 1st. It says nothing about the fact that there's this giant rule that's gonna revise that language in like a couple weeks, and it's not gonna say that anymore. That's funny. So, um, does the absence of a 60 day delay post-publication, um, change how defense contractors should prioritize their readiness? Okay, so there's, so let's, let's just talk about how rules are made real quick.
So there's a bunch of regulations around the process of making regulations, right? Mm-hmm. It's this whole fun rabbit hole. Everybody, if you thought bureaucracy was crazy, you should see the bureaucracy that manages the bureaucracy, right? So one of the things that is very important in terms of rulemaking is something known as the Congressional Review Act.
And one part of the Congressional Review Act says that if a rule is designated as a major rule, which has a specific meaning, then before the rule goes into effect after it's published, Congress has 60 days to review the rule and make sure, hey, is this really a regulation that we want to hit the streets? Uh, CMMC, this 48 CFR rule publicly is not categorized as a major rule. And so by the book, that means there would not be a 60 day delay after publication.
Now, sometimes that can change, but we don't know if that information has changed. There's no way for us to know that. And so if all of a sudden you're like, well, there's gonna be another 60 days after it's published, so we are good and you're wrong, then you've lost a ton of time, right? Uh, so, uh, will it have an extra 60 days? We don't know. Will it have 30 days? Will it have 15 days? Will it go into effect two hours after it's published? Hard to know.
The current public information suggests that we won't have a 60 day delay, but like I said, we won't know until it's published. So if you're banking on having 60 days like it's published, and now it's gonna be effective in 60 days, lemme just tell you 60 days ain't enough. Right? Uh, 60 days, 60 days ago was not enough.
If you have not gotten a firm grasp over whether your clients need to achieve CMMC, uh, then that means that you don't have a firm grasp over whether your clients currently have on the books in their contracts, the obligation to meet the cybersecurity requirements that CMMC is verifying that they have implemented.
So you are very, very, very far behind the curve, and, uh, Andy could tell you, joy could tell you, uh, it's very difficult for the average MSP if possible at all for them to get caught up starting from zero in 60 days, especially if you have multiple clients that have to deal with this problem. Jacob, quick question.
Cameron posted: from what I'm finding, it looks now, it looks, looks like now that the 48 CFR is active, published, and gives CMMC level two contractors 12 months to implement, question mark. Yeah. So the current version that is published, the CMMC clause 252.204-7021, was created in 2020 when the CMMC 1.0 rule went into effect. And that was the clause, that clause got put on ice and paused.
When the DOD entered their program review in 2021, at the end of 2021, they announced, Hey, we're gonna do CMMC 2.0, and we're not going to use that clause until we revise what's going on. This rule that's about to be published is revising that clause language. So when you're looking at 48 CFR 252.204-7021 right now, that language is going to be updated in a couple of weeks.
And it's going to say, if you want to know what the phased rollout's gonna look like, you gotta look at a different regulation, the 32 CFR regulation that we talked about earlier. So, uh, it is not currently active, it is not currently published. That's what we're waiting to happen. The version that you see online is the old version. Now, regarding the 12 months question, this gets into the details of what DOD calls their phased rollout. So the rule goes into effect.
The DOD now has this shiny new contract language that they can insert into contracts, and it's gonna say, you need a CMMC level one, you need a CMMC level two, you need a CMMC level three, or whatever, right? Um, they say, according to the policy at 32 CFR 170, that for the first 12 months, they will insert CMMC level one requirements and CMMC level two self-assessment requirements.
And that up to their discretion, they will include CMMC, third party certification requirements in place of level two self-assessments. And what everyone is interpreting that to say is that, okay, phase one is 12 months, it's all self-assessment. So we have 12 months to implement, to get ready for phase two when they will require a third party certification.
Two things, one saying out loud in public that you're going to wait to implement the requirements that CMMC seeks to verify for another year, is telling the government that you are not complying with the requirements you currently have. So keep your voices down, right? The second thing is that, that word by discretion is a huge question mark.
And there is no way for you to know, unless you have a very, very close relationship with your DOD customer or with your prime contractor customer, the Lockheeds, the Raytheons of the world, how much that discretion will affect you. So if you're banking on that first 12 months to be a self-assessment and you're wrong, you're screwed because you need the certification to take award of the contract.
Now, there was a memo that came out in February from DOD, it's from the Under Secretaries of Defense addressing the contract workforce. So this is clarifying guidance from the CMMC program policy and telling the contract officers and the program managers, how do you determine the level that's required for CMMC in a given contract? And they say that when you're handling certain types of data, the minimum requirement is a CMMC level two certification assessment.
So if we put two and two together, there is nothing prohibiting the contract workforce from including a third party certification assessment in the first 12 months. And the guidance says, by default, for most contractors, they will need a third party certification assessment because of the nature of the data that they're handling. And if you don't talk to your customer and know that that's not what they're gonna do, then you are betting against what the policy says, right?
So you have to be very, very careful, uh, in assuming that you're gonna have an extra year. 'cause for most MSPs dealing with clients that are affected by this, they can't wait a couple months between awards, right? They have to continuously win this work. And so if you're off by 30 days, if you're off by 90 days, that might be a wrap, right? So don't bank on that 12 months until you know for sure, uh, I would really caution people against that. Cool. Back to you, Phyllis. Thanks. Yeah, sure.
Um, my last question is, um, you know, so we all know you've been tracking this for several years, and what surprised you the most about the timing or the details of this milestone? Um, like of the program overall or of how the regulations came about or Yeah, how, how this, um, you know, this last, um, regulation in my opinion went to, um, OMB. Yeah.
Um, well, I would say that, you know, like we said, it's one program, two regulations thing that surprised me the most about the big brother one, the 32 CFR one was how fast it went. I know that sounds crazy, but by the numbers that 32 CFR rule, the big controversial one had like 1800 public comments that went 30% faster than DOD regulations in the past, which in, in regulatory bureaucratic speak is like light speed, right? Right. I mean, they went crazy fast with this one.
I think the part that surprised me the most is like, uh, just how unserious the industry is about what the regulation represents. Uh, once the 32 CFR rule went into effect, um, it's a little confusing 'cause people are like, well, CMMC is in effect, but it's not in my contracts yet. Right? And so the first question you would think is they would ask, why is that true? Rather than being like, well, I guess it's not happening, which is what most people do.
The reason that that's happening is that 32 CFR makes the program live, but DOD can't put it into contracts until they have the contract regulated contract language available. This is why you see people announcing that they have level two certifications because you can voluntarily go get a level two certification. Right? Now, you pay a C3PAO, go through the audit, get the certification, you're good to go.
DOD just can't require it in contracts until they get that last permission slip that lets them do it. Um, and people have mostly been ignoring this. Um, so it's, I'd say that's probably the surprise to me the most is just the, the, uh, just the, the way that people think about it. They, they don't think it's real until they see it in the contract language and just a little bit of time learning about how this process works.
And you'd be like, it's, uh, that's, that's way, way too late to be thinking that it's real. I think, you know, some people were hoping a change in administration and then it would've been dropped. Hey, that's interesting. Hey, pop quiz, everybody. Pop quiz and chat. Hey, let me know. Here's a question.
Tell me, give me a list of policies that the first Trump administration, the Biden administration, and the second Trump administration saw completely eye to eye on, and it has transcended rhetoric, politics, partisanship, headlines, controversies, scandals. Give me a list of all the policy positions that all that would transcend all three of those things. Quick hurry, hurry. Time's up. It's just one. It's the CMMC program. It's the CMMC program.
It really has lasted the test of time, surprisingly. For a reason. For a reason, right? That's true. That's true. Dave, before we go to Andy, just real quick, in just 30 quick seconds, because I wanna make sure we get Andy and Joy to ask you a question, although it's not, you know, you know, been blessed, right? Gone through OMB, et cetera, are you hearing rumblings from the Lockheeds, Raytheons of the world? Are letters coming down like, Hey, get ready? Yeah, absolutely.
We, uh, we just did a podcast on this two weeks ago. So, uh, I think it was the very end of June, um, early July, Lockheed published a memo on their supplier blog that said the 32 CFR CMMC rule that went into effect in December made the requirements perfectly clear. Tho those are their words, that this is what's going on with CMMC. People need to have already implemented their current requirements, uh, which are contained in a document called NIST SP 800-171.
You need to be confidently meeting those requirements, is what Lockheed said when we dug back through their blog. It turns out Lockheed has issued six similar memos with the same language over the last 18 months saying rule's about to come out. And then in December, rules out, we know what the policy is, you better get ready. And then there were four more. They said, here comes the contract clause rule, you better be ready. And they said, well, uh, contract clause rule is over to OMB.
You better be ready. And now here we are. So yeah, the primes are, uh, not, uh, not pretending like this isn't happening. The reason I'm asking that is, you know, a lot of times we, we ignore what's coming from government, this big engine, but I gotta believe Jacob and Andy, I'll hand it to you, Lockheed isn't gonna jeopardize a multi-billion slash trillion dollar contract because you decided you didn't want to get your stuff on time. Right? They're where the money hits the road.
They're gonna determine who, who plays and who doesn't. That's why I'm asking that. Is that fair? Yeah. I mean, um, you know, what we like to tell people is, uh, a lot of people think they're very critical, highly important suppliers that, uh, the, that the Lockheeds and the Raytheons can't do business without. And, uh, if you haven't heard from them yet about them giving you money or resources or whatever, then you might not be as critical as you think.
So, uh, call your customer, because that's a very important relationship to have. The, the, the primes are not beholden to the DOD's phased rollout, right? Your contract as a subcontractor between you and Lockheed is a contract between you and Lockheed. The DOD, even though their data is flowing through that relationship, doesn't have privity of contract.
Uh, and so that's why the primes can require you to get whatever level they want, uh, above and beyond the minimum, and they can require you to get it independent of the phased rollout, right?
So if they know 12 months from now they wanna take award of a, you know, big new government contract, and they, they don't even know, they think that you're gonna have to deal with covered data, they're gonna say, go get the cert now so that we don't have to explain to our contracting officer why our supply chain has caveats next to it, right? Because if Northrop doesn't have to do the explaining, then Northrop's gonna win the contract.
Uh, and so if you're a sub, if you're not dealing directly with the government, you have another layer of bureaucracy that you have to deal with. Funnily enough, we were just having our, our sync up meeting this morning in, in Summit 7, and people were saying, Hey, we went through the OMB slide for the timeline for people. Uh, we went through the Hegseth SecDef memo for people, and they were like, okay, that's interesting.
They went through the Lockheed slide being like, here's their latest memo. And everybody sat up and they went, oh my God, it's real. So pick your poison, pick your poison. But at this point, it's like, we can just spin a big wheel and be like, you wanna SecDef memo? You wanna final rule at OMB? You wanna Lockheed memo? Like it's re it's real, folks. Yeah. Andy, over to you, bud.
Well, I, I'll, I'll just add, I think there's, there's some pain coming because for years, you know, the primes haven't been dormant on this. They've been sending detailed questionnaires. People have been responding to those detailed questionnaires. The DOD has been, uh, requiring contractors to, to submit scores and to a system that maintains the history of the score. You submitted the, the SPRS system.
Once these independent assessments start happening and people are way off the mark of what was submitted, they might find themselves in some hot water, uh, potentially, uh, of the false claims variety. Uh, we may not see it get, get that bad for most, but it'll certainly be an awkward moment when, uh, when you fail your CMMC certification, having represented that for the last three submission, uh, thrust, you know, your last three years you've been saying Yeah, 110 outta 110.
So, yeah, that's a, that's a dicey problem. Uh, you're currently making attestations to the government right now. Um, and you know, like before the CMMC thing comes out, and so if you're like, we're good, we're good, we're good, we've been good, we've been good, we've been good CMMC, whatever, and then all of a sudden you can't qualify to get outta phase one of an assessment, or you just can't get the assessment or whatever, uh, people are gonna start asking questions.
I mean, you'd be lucky if they had started asking questions. The worst thing that's gonna happen is you can't qualify and your phone stops ringing, which is gonna be a lot of people, right? Yeah. Um, yeah. Yeah. I, I've seen some primes already cut, uh, stop work orders to folks that don't have good enough answers Yeah. On their progress. And it's hard to predict, right? It's customer by customer. Yeah.
Some prime, some purchasers, some programs, some DOD components, it's gonna vary how that plays out. I've spoken with people at different conferences, they have an awesome relationship with their customer. They know when it's coming. They know what they expect. They have a great relationship with their customer. I have other people, uh, they haven't heard anything in a while. And so it's it's case by case at that point.
And to your point, the contractors, they're well within their rights to approach this in the way that they see fit to sup, you know? Oh, yeah. To secure their supply chain. So it's hard to predict these things, and I think a lot of times people, uh, in the industry and in the community are looking for clear, like, when, when exactly do I need to do this?
Those answers just aren't out there with, uh, you know, with things proceeding the way they're going and this incoming need for so many CMMC certification assessments. Uh, I know, you know, we have the collective experience now of having been through assessments and supported clients through assessments and seeing how intensive they are.
We're close to the Cyber AB and I, I think we all have a good understanding the public may not have of how many people, how many professionals have to be involved, and how much time these assessments take. Uh, we're already short on assessors. It's a, it's a very short list of people that can perform as lead CCAs. It's a very small list of C3PAOs. As this ramps up and as you know, 48 CFR becomes real, and we start seeing that real panic set in of, Hey, we need certification yesterday.
I'm just, I'm curious what you foresee happening with an industry that's gonna be in panic mode and not able to secure potentially certification assessment in a timely manner. Yeah. Well, I, I'd sort of give like my standard, uh, analysis of this situation. Everyone focuses on assessment capacity and the number of assessors as if that's everybody's first problem.
And I'm sure, Andy, you could tell people, Joy, we could tell people all day long, the assessment capacity is not your first problem for the average DIB contractor out there, implementation is your first problem. And what we've seen with the assessors with the C3PAOs is when the rule went final in December and you could go get an assessment, their backlog shot up to like months and months of backlog for people scheduling these assessments.
And then what ended up happening was as they started working with people, people just started not qualifying for assessment. Because in the phases of CMMC assessment, you can't make it out of phase one unless you have a, uh, demonstrable readiness for an assessment, like some easy sniff test type stuff to tell that you can actually go through the actual formal assessment itself. And most people end up failing out at that point, which doesn't constitute an assessment failure.
We call this a false start. Essentially, you've signed up, you've scheduled your assessment, you have your pre-assessment meeting, and the assessors are like, even though you're paying us money to go through an assessment, you are so far away from being ready. We can't run the assessment and get paid. Right? Which tells you everything you need to know, right? They get paid to go through the assessment. They're like, we still can't send you through the assessment.
And that's because people haven't adequately implemented the current requirements that are imposed on them as defense contractors. So the real long pole in the tent is how much assessment capacity is out there in the ecosystem. And Andy, it's like you guys, us and maybe six other people are hyper, hyper-focused on this one segment, and we all have longer backlogs than the assessors do.
There aren't enough implementers, there isn't enough implementation capacity in the MSP ecosystem to support all the people who need to get through their assessment. So I don't think you're gonna see a constraint on assessments even in the first year or two because there just won't be enough people ready for assessment. And that's a problem that people just aren't talking about.
Uh, there's no real solution for, uh, and it's kind of technically out of the DOD scope of problems because everybody's been telling the DOD they're fully implemented and ready for assessment, right? But we know that's not true. And so if everybody goes through and they go, well, we can't qualify for an assessment, the DOD will be like, what? What's this? What's this?
You guys told us you were ready, you told, you've been telling us you're ready for eight years now, you're telling us you can't qualify for a verification assessment. What's, what's the problem? Yeah. Jacob is there if you can do 30 seconds Sure. Because I don't, I'm stealing Andy's time. So as you've said many times, this is just validation. It's a check that what you've been saying you've been doing all along, you've been right.
Will there be ramifications, do you think, for some that have said we've been Yeah, of course we've been doing this and Oh yeah. Oh yeah, for sure. Yeah. So I think, you know, what realistically what'll happen for most people is you're gonna have this varied rollout where some components of the DOD, some purchasers, some primes are gonna bend the rules for their program. Some of them are gonna stay tight to the rules for various reasons.
And, uh, and so you won't be able to know, I think for a lot of the people who haven't started implementing, for people who got promised the world by their MSP and they're not ready for an assessment, uh, I think what's gonna happen is having spoke with a lot of contracting officers, all they need is a critical mass of bids to be able to award the work. There's nothing that says we have to take a bid from everybody who could possibly do the work.
And so if you're far enough back in line enough of your competitors have their certification, then the government or the purchaser or the contracting officer needs a reason to make an exception for you. Right? And so, uh, that just becomes a very dicey situation. And I think that people's are just gonna, they're just gonna see business slow down, uh, and they're not gonna have a, a realistic understanding of why. Right. Gotcha.
And Jacob, you mentioned, um, it's a relatively short list of companies, MSPs out there that, uh, that are actively supporting companies for CMMC certification who are pretty dedicated at this. Uh, you know, some like us that exclusively work with the DIB. Yeah. Um, for this audience of MSPs, you know, I'm, I get asked a lot, or I see this a lot in our sales pipeline or, or, or elsewhere, uh, MSPs asking like, okay, so what do we really need to do? Like, what, what actually do I need?
Do I just need to buy it like a new cloud environment? Yeah. And I always have to do the big deep breath, like, all right, here we go. Let's have that conversation, that emergence of, you know, these MSPs who are so focused on it. What's, what's the difference that we're making? Why is it that it's, you know, serves to be so focused Yeah. That these MSPs are emerging that way?
Well, I think, I think culturally, Joy, you probably have a better perspective with your history on this than I do, but I'd say that big picture culturally, the thing that seems to be the oil and water the most is that you have a regimented, standardized set of requirements that have a standardized set of verification procedures, which is unlike other, uh, regulated environments. It's not like ISO, it's not like HIPAA, it's not like anything else because NIST has both sides of the coin here.
It tells you what you need to do, and then it says, how do you prove that you are doing that thing? And that's where the rabbit hole really gets deep because the requirements in NIST SP 800-171 are the tip of the iceberg. The question to ask yourself when you're looking through these requirements is, how would you prove to somebody that you're actually doing them for your clients? And that stuff is documented in, uh, a, a document called NIST SP 800-171A or Alpha.
And I think most MSPs just haven't tooled themselves. They haven't set themselves up, they haven't trained themselves, they can't, they just don't know how to communicate that way, even though it's a standardized set of processes. And they also don't know how much they have signed themselves up for to represent their client in the assessment itself. For the most part, most of the companies in the DIB need to rely to a very large degree on their MSP to answer the questions for them.
And most MSPs just aren't set up business model wise to make money in that way. And so they don't, and your clients are gonna get sort of left hanging out to dry. Jo Joy, you could explain this more sort of as MSP business models have changed, but I'd say that's like the big reason why it's such a, a huge lift. Yeah. Joy, you wanna give it a go real quick?
I think that Andy, you would agree that, uh, in order to scale your business, if you are providing CMMC related services, you have to have repeatable procedures and a consolidated tool stack that meets the criteria. Most MSPs have made their living for many years being able to say, oh, we'll use whatever you have in place. We'll use your firewall. We'll do you know the onboarding the way that you want it done? All of that has to be reset. Every single thing you do as an MSP has to be reset.
And the more that that can be constructed in a repeatable manner, manner from one client to another, the more successful you're going to be. It's very hard to resource. It's very hard to document and consistently support. Like, you can't just make an exception. You can't Application because the customer wants it. Question, even for MSPs, like a lot of 'em have standardized, but isn't it what they've standardized on? Also, the, the bigger question.
Like, in other words, you know, I know for you guys, FedRAMP is a critical component to what tools, you know, based on the level of CMMC. So what, what are your thoughts there? Well, that's, I agree. The tool or the mechanism that's being leveraged is really important. Andy will probably tell you the amount of research that we do as an MSP to make sure that the tool is going to conform for the long run and not say, well, for right now, but we'll probably have to swap it out in 12 months.
That gets really brutal in the CMMC world. But I wanna refocus Andrew, on the processes, the procedures and the people that you're using, any outsourced entities that you're, you know, having your SOC from India maybe. Um, that part is the maturity that most MSPs are not going to have from help desk level 1, 2, 3, consistently for that service delivery.
It, uh, I'll just ask the, the follow up to all that great conversation, uh, which is sometimes I'm asked again by MSPs, like, Hey, kinda what do we have to do? Uh, some of them wanna dabble in it, they see the opportunity CMMC is huge and the DIB is huge, and they're like, you know, what's the minimum commit I can make to tap into this revenue stream? I get a lot of questions like that. Can they dabble in it? No. No. So there's so much liability in that attitude.
I just dunno if it'd be worth it, right? I mean, like, if you're, if you're just interested to dabble in it because of the economics, then I think that just at, at the start, that's just your answer, right? Like, it's very difficult to juggle this with other things just 'cause you, you're gonna have to change the way your stack runs, the way you operate, the way everything runs. And it, it just might not be worth your time unless it's a majority of your, of your book of business.
Jacob, One of the things, like I, I listened to your, you at Scott on mm-hmm. Friday podcast. Can you just maybe talk a little bit about like, the number of assessments you're doing at one time, but more, more importantly, I think it was what, what you and Scott really honed in on was the amount of time and process that this person is spending like just on, you know, on process and requirements. Yeah. If As well.
That's all that team does in inside, inside Summit 7, that's, we have a team that's dedicated just to shepherding people through their assessments. We currently have the capacity, you know, our, our big, uh, our big sort of level up moment, uh, last month as we ran four assessments concurrently in the same week for different C3PAOs running audits. Um, but we have a dedicated team inside of what is now a pretty large organization that just focuses on that part.
Uh, they're very well trained in terms of what's going on. A lot of them are former DOD auditors themselves, who came from the DIBCAC team. Uh, we sniped them purposefully, uh, for, you know, for this type of work. So if you are, you know, this is one of many hats that you're wearing, um, or you can't afford for your internal resources to just be dedicated to this process, um, then, then, you know, double check the math.
'cause it might not, it might not be math thing for you, which is not to scare anybody off the work. This is, this is important work and we need as much implementation and MSP capacity and ecosystem as we can, but it's not something that you just sort of pick up, right? And it's certainly not something that you pick up the day the rule is published and then it goes into effect two weeks later.
You know, not saying that this is people on this call, but we see this a lot, some, you know, over the last probably three months, uh, one of the most common categories of calls that we get are people moving away from other MSPs who were promised that they would be get, you know, they'd be taken care of. And, you know, suddenly the MSP's like actually on second thought, it's not, it's not really worth it.
So, you know, the nice part is all the requirements, all that stuff, standardized public information. There isn't some secret kung fu um, you know, behind like paywalls and memberships and things like that. You can find all the information. Uh, it's all out there. But, um, it's tough to scale. It's tough to scale, especially 'cause the demand is so high. So Cool. Andy, You wanna do one more and we'll get to Joy? Sure.
I was going to, uh, say we've, yeah, we're definitely seeing the same, you know, people calling to say, you know, we've been working with an MSSP for two years and feel like we're not getting anywhere and we love them otherwise, but they're not moving us forward. They're not leading this. And that's, that's, if you're an MSP in this space, you gotta, you gotta be prepared to lead. Yeah. Um, don't be prepared to react to what your clients are telling you.
And Jacob plugged 800-171A, you gotta know that there are 320 assessment objectives and the assessors check every single one. Yep. And these are process technology people. Uh, it's very detailed. These are difficult assessments. Not, again, to Jacob's point, we don't wanna scare people away. We need more work in here. But you need to come in, understand the scope and the seriousness. It's not just adding a business practice. Like maybe you have an ISO or something else in your, in your MSP.
This is significant uplift. Okay. Joy. Yeah. Um, Jacob, I wanted to get your perspective on something because I think that there's going to be contractors out there when 48 CFR goes into effect and then they get an RFP. Uh, the customer gets the RFP and it says, a level two self-assessment is required with your score. And then they celebrate and they're like, oh, it's just a self-assessment. Oh, yeah.
But you don't kind of convey in the DOD's eyes, your best guess between what they consider your security posture to be with a self-assessment versus a validated third party coming in. Yeah, it's exactly what it is right now, prior to the rule. So right now, defense contractors, by virtue of being a defense contractor and accepting the language in your contract, it's there. I promise. Uh, you have attested to the government that you have fully implemented these requirements.
And if you've uploaded your score into the government's SPRS database, uh, then you have told them, yep, we're good to go. And so when the CMMC requirements come through, a lot of people are being like, oh, we get to self-assess, first of all, uh, for imagine yourself as the DOD, and they're processing your information that you care about, having some level of assurance over. And everybody goes, whoa. Uh, well, we get to grade our own test for a year, so we feel great.
Uh, that would be very suspicious. Very suspicious. Uh, it's part of the reason why self-assessments, especially over time, will be exceedingly rare. Uh, so if you find the golden ticket and you get the self-assessment in the first 12 months, congratulations. But just know it's part of the reason why it's important to keep up with what's going on. You've already made attestations for what's going on, and we've seen this before.
People get an extra 12 months, they kick the can and then you're gonna be right back into the same boat. So, uh, we won't know until the rule gets published, but relying on self-assessment is not a viable long-term goal. Uh, bragging about getting a self-assessment as if it's somehow different from a certification assessment, uh, does not look great. Uh, I would not recommend that you do that. And, and should the MSP take a self-assessment any less seriously than a C3PAO assessment? Uh, no.
No, not at all. Like if you're, if you're relying on, if you, at this point, if you're relying on the type of CMMC level two assessments to dictate your level of rigor in your implementation for your client, you are digging your own grave, right? Like Yeah. Yeah. End of story. Yeah.
I mean, I would just put a cap on that by saying that as an MSP, you're going to ask one of those company officials to sign off that what you have done, they are affirming responsibility that what you have done gets them where they need to be, even in a self-assessment. So there's so much liability in that. I just want MSPs to, you know, take that really seriously as if, um, a C3PAO is walking in the door, like that level of scrutiny about it. So, do we have time for one, one more quick?
Yeah, we do. Absolutely. Um, Jacob, what's the biggest single adjustment that an MSSP who serves contractors is going to have to make in the next six to 12 months? Uh, I guess deciding whether they're gonna gonna work with defense contractors or not. Like do you, do you wanna work with defense contractors or not? Like Andy said, there's no, like, there's no half as your, your, you are working with these contractors, right?
Like especially for the contractors who 100% of their work is dependent on getting this work with the DOD, you are the gate that they now rely on, right? You essentially are the defense contractor by proxy. These aren't dental clinics, these aren't laundromats, right? These are people putting parts on missiles. These are people putting parts in F-35, right? This is important work, and they're relying on you to not screw it up.
So if you haven't even cracked 171A, if you don't know what it is, I won't tell anybody. You gotta, you gotta start studying really, really fast. But I'd say the biggest question is, do you wanna do the work or not? 'cause there, that's, do you wanna do it or not? Do you wanna be here? Yeah. Do you see it's an important business?
Do you see the question in the, or the statement in the, in the chat that says, level does help with dollar amount that the clients are having to spend, though we have a smaller sub that was happy to end up a level one versus level two third party assist? Yeah, I mean, there won't, basically, once the 48 CFR rule goes into effect, there won't be a DOD contract that comes out from that point. That doesn't have at least level one.
However, most defense contractors, for all intents and purposes for this audience that you would be dealing with, manufacturers, construction firms, people doing cool defense contracting work level one isn't where they're stopping. It's gonna be level two. And the number of level two self-assessments over time are going to be incredibly, incredibly small. So don't bank on self-assessment, don't bank on level one.
Personally, if I had one thing I could do to fit, you know, make CMMC more efficient, I would just ditch level one altogether. 'cause it's just pure self-assessment. The DOD doesn't really care about it. They care about the level two self-assessment. The policy says they care about level two assessment, policy says, uh, they, that they care about the certification assessment, the policy says they're gonna go for level two certification assessment.
Everybody's out here being like, we're gonna get self-assessed, we're gonna get level one. Just be careful. Business is about taking risk. We're all successful here because we take risks. But you need to understand the type and the nature of the risk that you're taking when you're doing this kind of work with defense contractors. 'cause it's not a joke. Yeah. Well, wow, that was an hour that flew. Um, and, and we could probably do another hour easily.
So, um, first for everybody that tuned in, thank you so much as always for, for joining us on your Monday. I'll have the podcast out for your review, uh, probably by end of day. Jacob, thanks as always for joining us. It was a pleasure having you on. Yeah, anytime. Yeah, it was, it was great. We'll, this will be here pretty soon. We can talk about something. What's that? What he, oh, I think they just walked, they froze. Something else for once, you know?
Well, I said, see, he says like, once this goes into effect, maybe we'll talk about something. Oh, we, I'm just, I'm just kidding. We're never gonna talk about anything else. I think we all, Andrea, I saw you linked, uh, Jacob's LinkedIn. If you're not following him on LinkedIn, you guys need to. Yeah. And, and, and you can follow Andy and Joy. Um, last thing, uh, Andy, thank you so much for coming on, being co-host. Joy.
Thanks so much for coming on, being a co-host, Phyllis, as always, thank you for being a co-host and we'll look forward to seeing you all next week. Make it a great one and be safe. Take care everyone. Bye-bye. Thanks. Thanks.