Video: RPOs vs. C3PAOs: Decoding CMMC Compliance Partners | Duration: 3496s | Summary: RPOs vs. C3PAOs: Decoding CMMC Compliance Partners | Chapters: Introduction and Housekeeping (3.28s), CMMC Partner Selection (84.94s), CyberSheath's CMMC Expertise (184.475s), CMMC Assessment Experience (278.985s), CMMC Partner Roles (388.81s), Vetting CMMC Partners (633.555s), RPO Services Explained (810.54s), C3PAO Ecosystem Analysis (1028.645s), C3PAO Selection Process (1158.15s), Certification Readiness Strategies (1371.36s), Selecting a C3PAO (1724.805s), Assessment Types Explained (1928.765s), CMMC Assessment Process (2200.08s), Assessment Objective Levels (2867.675s), FedRAMP vs CMMC (2992.43s), MSP Certification Importance (3058.04s), Certification Timeline Challenges (3208.765s), Conclusion and Farewell (3334.595s)
Transcript for "RPOs vs. C3PAOs: Decoding CMMC Compliance Partners": Hello, and good morning, everyone. Thank you for being with us today. We appreciate your time; we know that is one of your most valuable resources. So as we get started, I don't want to keep you too long, but I do have a couple of housekeeping items to go over. On the right-hand side of your screen, you'll see a Docs tab where you'll be able to find today's slides, both while you walk through the session and post-session. We also have a Q&A tab where you can put any questions you may have for our speakers today. In addition, at the end of the session we will have a quick survey to get a feel for how you felt about today's content, whether it's resonating, and what other topics you would like us to pursue in the future. So with that, I will introduce our speakers for today's presentation: Casey Lang, our senior VP of compliance here at CyberSheath, and Fernando Machado from CyberSec Investments. Great. Appreciate it, Kristen. Fernando, thanks for joining me today. I always appreciate your time and experience as one of the key players in the Cyber AB, the CMMC ecosystem. That said, as Kristen mentioned, my name is Casey Lang, senior vice president of compliance services here at CyberSheath. Fernando, I'll let you give your top-level introduction before we get into our backgrounds in a little more depth. Yeah. Fernando Machado, managing principal and CSO at CyberSec Investments. I'm a lead CMMC certified assessor, and we're an authorized CMMC third-party assessment organization located in Melbourne, Florida. Great. Great. And the topic of conversation today: we're going to get into RPO versus C3PAO, what the difference is, how to select partners in the CMMC ecosystem, and why this is important. There's still confusion around what those two terms mean. I think there are a lot of questions around "where do I start?"
So, on your side, Fernando, I think you probably get a lot of inbound interest in "hey, I need to get certified," but you're obviously qualifying and saying, "hey, certifying doesn't come first. Sometimes you have work to do before you get to that point." But as it relates to an agenda today, we'll cover what CyberSheath is about, why we have a lot of experience in this space, and what makes us different. I'll give it to you, Fernando, to talk about CyberSec Investments and the unique qualities that you guys bring as it relates to the C3PAO side of the equation. We'll get into the partner landscape, what to look for when it comes to where you are in your compliance journey, the type of support you might need in that journey, and then we'll get into qualifying and vetting your CMMC partners, partner strategy in the end for certification success, and then open it up to questions at the end as it relates to anything CMMC, whether that's the recent rulemaking going into effect or what it takes to ultimately win the Super Bowl that is CMMC certification. Alright. So, jumping into CyberSheath first. We are one of the most tenured service providers in this space. We are intentionally, within the ecosystem, a registered practitioner organization. What that means is, in the CMMC ecosystem, registered practitioner organizations are permitted to give advisory support and support the compliance journey, and we'll get into the distinctions here in a bit. But our long tenure stems back all the way to the DIB CS pilot program in 2008. A lot of folks in this space say that they've been here since the beginning. But the beginning for us is almost prior to, well, it is prior to NIST 800-171's existence. In the end, the founder of CyberSheath built a world-class program at BAE Systems based on the provisional requirements that predated NIST 800-171.
And when we built that world-class program and went through all of the activities to mitigate some of the nation-state threat actors in that environment, it was realized, hey, the midsize defense contractors and sub-tier suppliers aren't going to have the open checkbook that we had at BAE Systems to solve for these requirements. So CyberSheath was born first as a professional services boutique firm as it relates to the defense industrial base and solving for these requirements. But ultimately, about ten years ago, we made the pivot toward managed services, because it allows us to own as much of the problem as possible operationally to support our clients in compliant outcomes, and compliant outcomes ultimately become successful certification attempts. That said, Fernando, if you want to give a background on CyberSec Investments; I truly appreciate your perspective, and I do think you're one of the top players in this space. Yeah. So when I first started in the CMMC space back in December 2019, the fiscal year 2020 National Defense Authorization Act had Section 1648 that was listed in there to establish that third-party verification program for verifying DIB contractor compliance. And so I was fortunate enough to join one of the first standards management industry working groups that the Cyber AB had at the time. And our job was to develop the assessment criteria, to develop the first CMMC 1.0 assessment guide. Our group, there were about 15 of us, had collectively contributed about 17,000 volunteer hours in creating that document and providing verbiage for it. And so for our efforts, we were formally recognized by the President of the United States with the President's Volunteer Service Award. Later on that year, they had the first CMMC provisional assessor program. So the first five provisional assessors were reserved for the board members at the time.
I am currently provisional assessor, and assessor overall, number eight in the entire ecosystem. So if you look at the current CPNs, they're up to, like, 66,000. And then we became an authorized C3PAO in July 2022, went through our assessment, and we recently went through our reassessment with the DCMA DIBCAC team in June earlier this year. During that time period, we were able to complete 15 joint surveillance assessments prior to the 32 rule going into effect. And since CMMC has gone into effect all the way through now, we're currently at 66 CMMC Level 2 assessments completed. Amazing. Amazing. And I think that shows, I mean, in the end, you were involved in nearly writing the requirements, the assessment standards, everything that's evolved from a CMMC standpoint. So from a bona fides standpoint, we've got the CyberSheath angle, which is how do we implement against these requirements and operate compliantly on behalf of defense contractors. And we've got Fernando, who was involved in the very beginnings of the CMMC ecosystem, helped write the standards, the assessment frameworks, and everything that has unfolded into the requirements that we have today with the rulemaking going into effect just about a week ago. So pivoting into the point of the conversation today, navigating the CMMC partner landscape. Fernando, you and I have had this conversation a handful of times now, but there still seems to be some persistent confusion around the two roles, RPO and C3PAO, in the ecosystem. I know from a CyberSheath standpoint we understand the difference, but some of the small to midsize defense contractors still end up as inbound interest for certification when they're not ready.
Tell me about your perspective as it relates to the distinction between RPO and C3PAO, where you guys exist, and where CyberSheath and consulting firms exist in this ecosystem. Yeah. So when you're looking on the Cyber AB website, it's a good place to look, and when you actually go in there and look at the ecosystem roles, one of the first things that you're going to see is that they actually break up the roles into three sections. But for today's purposes, we're only going to talk about two. So they'll have a consulting and implementation role, and then there's an assessing and certification role. So things that an RPO can help with will be things like helping you write your documentation, helping with your technical implementation. So think of an RP and RPO as kind of like that consultant slash consulting firm. They can help you with all of your advisory consulting, but they're not able to do the actual third-party certification assessment. And that's where we come in. We're in the assessing and certification role as assessors and an authorized CMMC third-party assessment organization. Yeah. And in the end, the Cyber AB and the governance of CMMC drew that hard line. Right? Like, there's some intentional separation there. Talk to me about why that exists. Yeah. So that way, right, in order to be in compliance with the code of professional conduct and so that there's no conflict of interest, right, it's kind of like, as Katie Arrington used to say, the self-licking ice cream cone. We want to make sure that the person that does the consulting and advisory isn't the same exact person that does the assessing and certification, because, right, why would I rate myself wrong? Right? I'm perfect as far as I know. So that's why those two roles exist: if you're doing the consulting and implementation, you can't be the one that does the assessing and certification. Yeah.
And I think that conflict of interest would arise if people were advising and then certifying their own work. Take CyberSheath as an example, as a service provider in the RPO grouping. We're there to operate on behalf of our clients, head toward compliant outcomes, operate, whether that's change management processes, annual internal assessments, eyes on logs. We're doing those things, but we certainly shouldn't be certifying ourselves; assessing ourselves as an internal capability, yes, but not certifying ourselves. And that's why the nature of that separation exists. And it's also why, when it comes to getting to compliance versus certifying compliance, the right place to start is typically with an RPO with some expertise in this space versus a C3PAO who, in the end, Fernando, and correct me if I'm wrong, you guys are prevented from giving any advisory support in your capacity. It's really pass/fail. Correct. Yeah. So once we identify a control that is marked as not met, we give our explanation as to why it's not met, and we have to stop there. We cannot say, "and this is how you would fix it," because at that point, that's considered consulting and advisory, and we would be precluded from continuing the assessment at that point. Yep. Makes sense. Alright. So, qualifying and vetting your CMMC partners. Now, I think we'll probably start off with the registered practitioner side of the house. There's kind of good and bad in the ecosystem. I've said a couple of times now in the past few weeks since CS five that RPO is starting to get, maybe headed in the direction of being a tarnished acronym, in a sense.
But RPO, when it comes to the credential itself and what it takes to get an RPO credential, talk to me about the training that it takes to be an RPO, Fernando, and then maybe we can just bat around what that training actually means from a practical standpoint and why you might want to vet beyond just the credential itself. Yeah. So I think that you'd have to go on to the Cyber AB website, and it's got all of the listings of trainings on what you would have to take as an RP, right, the registered practitioner, i.e., the consultant, and then the RPO, the registered practitioner organization, in order to figure out where you are in that role. And then, once that's done, at some point, right, you'll pay a fee. You'll have to take some Cyber AB required training, and then you eventually become an RP and RPO. Yeah. And I think where I'm headed with the RPO designation: so when it comes to the actual training to become an RPO, you're learning the glossary of CMMC enough to speak to the functions, the involved parties within the CMMC ecosystem. But does RPO training actually teach you or walk you through the assessment process like maybe a C3PAO, CCA credential would, or is it just strictly the glossary information as it relates to understanding the ecosystem? Yeah. I haven't taken RPO training, so I wouldn't know. Okay. I know that, like, again, the RP training, there's a fee involved, and then there's some computer-based training that's involved with that. I do know that when you start getting into the CCP and CCA training, you start getting a little bit more advanced at that level. Yeah. And it's stacked training. Right? So RPO is like, hey, let's learn the ecosystem. CCA onward, or CCP then CCA, is all more kind of tactical evaluation of the control requirements, understanding the control requirements.
So when it comes to selecting an RPO, even though that's a designation in the ecosystem, you want to look for staff that are more credentialed than RPO a lot of times, because that's an indicator of further experience beyond RPO. CCP is the practitioner side of the house when it comes to leading up to CCAs, who are the true assessors in the ecosystem. Right? Yep. Yeah. And I know that when you're going through that RP training, there's the introduction to CMMC and the CMMC model, what the CMMC accreditation body is in the ecosystem, what is federal contract information, and so forth. So it's teaching you the fundamentals of the CMMC program. Yep. Perfect. As it relates to the RPO role, as we mentioned, RPOs are the advisors, the doers. These can be, it's not just service providers like CyberSheath; these can be consultants. Really, anybody that can provide advice, make recommendations, and move beyond the pass/fail determinations that you would get through a certification attempt, ultimately to solve for CMMC readiness. When it comes to readiness assessments, what would you expect from your perspective as a C3PAO? An RPO doing a readiness assessment, what would quality work look like when it comes to setting the stage toward ultimate readiness for CMMC? Yeah. So I would probably say that, you know, first things first is ensuring that there's a level of understanding between the RPO and the C3PAO. I can't tell you how many times I'll have either a consultant or an external service provider send folks to me and say, you know, "my consultant or external service provider sent me to you because they said that you're one of the best," or whatever it may be, and I've never even spoken to those service providers. So, right, just ensuring that there's that level of understanding really goes a long way. Okay.
And one thing that I've heard from prospects and even some clients of CyberSheath is "I need RPO services." I guess one point of distinction is that RPO, as I've mentioned, is just people who can give advice and operate in support of a defense contractor's compliance. But there is a distinction between, like, advisory support, where they come in, do some work, and leave, and then CyberSheath's model and others like us who are true service providers. Talk about the difference for me, Fernando. One being, I'll say, pro services, one being more service oriented, more attached as an extension to a DIB contractor. I know you guys on your side see how CyberSheath does it, but there is a distinction there that I think is important. Yeah. So right. Usually, when we are talking to folks, they're in one of two camps. They're either a small business, and they don't necessarily have an internal IT staff, and this is where they would reach out to, say, a managed service provider or managed security service provider to help implement the requirements and manage the environment for them. And then there are organizations that are a little bit larger, a little bit more mature, that actually have an internal IT staff, but they don't know what they don't know regarding the requirements. And so that's where they would bring in a consultant to give them that consulting and advisory side of things and basically help their IT staff and their internal stakeholders figure out who needs to implement what and who needs to do what within the organization. Yeah. And I think one key thing is: do you, as a small defense contractor, just need some advisory support to get to an end state, and you're going to carry it forward from an operational standpoint?
Or do I need a service provider that's going to operate on my behalf and stay as a long-term trusted partner? And I think that's the real difference between pro services, get in there, do some help, and leave, and then service provider, which you mentioned, MSSP, MSP; those are the guys that are really attached, like running your IT function, running your detection and response function over the long term, really almost as an operational extension to your business. Yep. Agreed. Alright. Moving on to C3PAOs. I know we have our preferred C3PAOs that we like to work with. CyberSec Investments is obviously one of those for many reasons. But talk to me about what you're seeing in the ecosystem around C3PAOs that come onto the scene. What makes CyberSec Investments unique and well qualified to be in this space versus others? Yeah. So I think we're one of the few C3PAOs that has a lot of assessment experience. Like I said earlier, we've conducted 66 assessments to date, and we've seen all types of environments. We've seen manufacturing environments. We've seen primarily Microsoft environments, Google Workspace, AWS. So of the 66, we've seen a little bit of everything. On top of that, we're one of the very few C3PAOs also that has as many assessors as we do. We currently have about 12 assessors on staff, fully W-2. We're looking to grow those numbers because we're starting to get higher demand. And, you know, that'll hopefully help build out the ecosystem, because as of today, there are 88 C3PAOs and about 118,000 companies that need to get these assessments, and they have to recur every three years. Like, you know, the math isn't mathing. Right?
So we're trying to make sure we stay ahead of that, to ensure that we have all of the resources available in order to help. And from my perspective, just having worked with several C3PAOs, what makes you guys special, and others that we consider qualified that we recommend to our clients: you guys qualify early, qualifying your actual customers to say, are you ready or not, and practical interpretation of the requirements. Those are nice words, but, like, how do you guys ensure, you've used the word "baggage" in the past, but how do you guys ensure that you have a team that's not burdened with other legacy frameworks or unrelated frameworks or CIS, CISSP best practices? There is a line there. Right. Yeah. So one of the first things that we do is, when we bring assessors on and bring them into the company, they go through a very regimented training program to demonstrate how to look at the controls and how to assess them. And we always say this is a way to assess the control, not the only way, because how we would assess a manufacturing environment is going to be completely different than how we assess, say, a software development organization. So, right, there are going to be some nuances to some of the controls. And like you said, right, just ensuring that we don't bring emotional baggage, i.e., bias, to the assessment, thinking, well, this is the only way, or this is the only way I've been taught on how to assess a control. And so we make sure that our assessors are trained on that. And just to help the defense contractors in their selection process, what questions do you think they might ask in trying to qualify a C3PAO that's right for their particular environment? Yeah. I mean, I know that there is an ND-ISAC C3PAO shopping guide that's out there.
And, you know, a lot of it is asking questions like, are your assessors 1099s? Right? Because sometimes bringing in an assessor as a 1099, they may not necessarily have the actual assessment experience of conducting those assessments. They might have the cybersecurity experience, but they haven't conducted either a CMMC Level 2 assessment or a joint surveillance assessment. So it's finding out, right, are they 1099? How many assessments has the C3PAO completed? Just, you know, these are some of the questions to start with. Also interpretation questions. Right? You know, I understand that certain controls have some nuances to them, and if you have some heartburn with certain things, I would ask those questions about certain control interpretations. I would ask questions about scheduling, availability, any type of fees, things like that. I would start asking all of those questions upfront in order to vet your C3PAO. Yeah. Two things that you mentioned stood out to me. So, subcontracting: obviously, CMMC is kind of a ramping-up ecosystem. Subcontracting probably seems like a necessity in some ways, but I have firsthand seen it where a C3PAO subcontracted out some work and that subcontracted firm had differing opinions from the primary C3PAO. So just be aware when subcontracting exists. You're further and further away from the training and the mission of the C3PAO that you engage with when subcontractors are pulled into the fold.
And then the fee structure that you mentioned, Fernando. I think one key thing that I've seen is that some of the C3PAOs out there are economically incentivized to give you a provisional assessment, a provisional certification versus a full certification, if they come back and charge additional time-and-materials fees for closing out POA&Ms. It's not to say that that's happening, but it's just something to keep in mind: if you want to avoid additional fees in the end when it comes to discrepancies in where you are from a certification attempt, if there are fees versus a flat fee to return and close some things out, just something to keep in mind as a defense contractor. Yep. Agreed. Alright. So, partner strategies for certification success. Just walking through some readiness checkpoints before engaging with the C3PAO. So, Fernando, you see this all the time where people show up asking, "hey, I think I need to be certified," and you're asking some qualifying questions. What do those questions look like on your side when it comes to the three to five questions you ask that are like, "nah, I think you're in the wrong spot; I think you need an RPO or a service provider that's going to get you to the next level"? Yeah. So one of the first things I ask them right out of the gate is, do you even have a system security plan in place? You know, that is going to tell: if they just give me this puzzled look of, like, "what's a system security plan?", then I know they've got a long way to go. If they do have one, right, I want to see their system security plan and some of the supporting documents. Right? Like, you know, any types of artifacts, any other policies and procedures, and are they addressing, right, most importantly, the assessment objectives.
I cannot tell you how many times I have seen system security plans downloaded from the NIST website that only go down to the control level versus the assessment objective level. And they'll literally copy and paste the control statement and say "we do this." Well, that's not going to get you very far. Another thing I want to see, right, the data flow diagram. I want to see when CUI comes into your environment, how you are protecting it within your four walls, and where it is traversing within your environment. And then are you clearly defining your scope? Have you identified to us what's a CUI asset, what's a security protection asset, and so forth? So if we're looking at that at a very high level, I can tell within the first thirty seconds of looking at that system security plan if they're ready to move forward with an assessment or if, at that point, they need some additional help, in which case we would make introductions to some of our trusted partners. Talk to me about the potential for reciprocity. Do you ever get defense contractors saying, "well, I do ISO. I have an ISMS. Isn't that good enough?" Is it good enough? Yeah. So this is what I like to call the CMMC five stages of grief. Right? So, right, we'll get through the denial that CMMC isn't happening, but here it is. This is kind of like one of the bargaining stages, where they're like, "oh, well, I do ISO 27001, or I do a SOC 2, or I do this." None of those other frameworks fully map 100% to NIST 800-171A. And so there might be some overlap, but you're never going to get there 100% of the way. So no, the answer to your question is no. Right? You have to implement the 800-171A requirements, all 320 assessment objectives. Yeah. And CMMC Level 2 requirements, NIST 800-171, it's a data-centric framework, which is different than the ISO 27000 series. Correct.
The ISO 27000 series is very organizational. Could there be like-for-like between, like, an enterprise-scoped environment and an ISO organizational scope? Yes. But when the assessment objectives are as prescriptive as they are, you do need to make sure that those define, identify, specify statements are there. If you're going to leverage your ISO documentation in that way, you need some clear delineation between your system security plan, those definition statements, and where it might exist in ISMS or ISO policies. Agreed. Alright. Great. So from a readiness checkpoint standpoint, we talked about system security planning being a key differentiator. But one thing that we see is, you do have the 3.12.1 requirement to assess yourself. The C3PAO isn't solving for that for you. So when it comes to assessing the controls, you have the requirement to do that. So we find, when we're doing scoping as it relates to our services, we ask the question, like, are you self-assessing? If you're not, that's a key indicator you need to start that process. It informs the entire compliance journey, in a sense, because in the end, that's the data collected for a POA&M that's required. That's the data collected to populate a system security plan in the end, and you're required to if you have the DFARS clauses. Historically, you would have been expected to calculate an SPRS score, a DoD assessment methodology score, for SPRS submission and, as of November 10, attestation to CMMC compliance. Talk to me about the difference there, Fernando. I know we're kind of in the middle of a new phase when it comes to CMMC truly going into effect. Yeah. So now, as of November 10, right, the CMMC 48 rule went into effect, and now DoD's phased rollout begins. So we're currently in phase one for the next year, all the way through 11/10/2026. And DoD intends to include CMMC Level 1 and CMMC Level 2 self-assessment as part of the rollout.
However, DoD, at its discretion, can require a CMMC Level 2 third-party assessment in place of a Level 2 self-assessment. Now, something that contractors need to keep in mind: if you are a sub to a prime, the phased rollout does not apply to you. Meaning your rollout could potentially be faster, because there's nothing stopping that prime from saying, "hey, CMMC is out now. Go get a Level 2 cert, because you work for me and not DoD." And we're already starting to see that. Like, right, recently we saw letters and memorandums come out from Leonardo DRS. Right? That if you have a DFARS 7012 clause in your contract with them, expect to receive a CMMC Level 2 third-party assessment at any point within the next two years. You're seeing Boeing with their memorandum, where they're using words like "we strongly encourage you to go get a CMMC Level 2 third-party assessment if you want to continue to keep doing business with us." And we've seen similar memos from Raytheon and Lockheed Martin, and other large primes are starting to do the same thing. Yeah. I feel like the prime contractors, for a long time now, even before the rulemaking, were leading the charge with applying pressure on the sub-tier suppliers through those questionnaires. And there's certainly a shift now that the rulemaking has gone into effect, where they're looking for some more confidence in the compliance of their supply chain. So, great information. Questions every DIB contractor should ask as it relates to a C3PAO. We covered some of this, but just a quick recap on the qualifying questions. I'm a ready DIB contractor. I feel that I'm ready. What am I asking as I'm selecting my C3PAO? Yeah. Things like, right, obviously, cost is one of them. Right? But please do not make cost your sole focus. Right? Because, as with everything in life, you get what you pay for.
The next thing I would ask is things like how many assessments have been completed, and do they happen to have metrics on past failures? And a couple of things too: 1099 CCAs versus W-2 CCAs. These are good questions to ask. And remember, if you're a contractor, this is one of those areas that is fully within your control in selecting a C3PAO. You get to decide which C3PAO you want to work with. So make sure you ask all of that, and of course, right, most importantly, ask questions about, you know, have they assessed environments similar to yours? I think the last thing that you want is to hire a C3PAO that doesn't have experience in assessing your environment, and you're going to be the first one. There's going to be some level of confusion there. Yep. Great. And one other thing that I recommend our clients ask when they're selecting a C3PAO is the means to escalate. So if we go through DIBCAC audits, and we do, there's always an escalation path. If there's a different opinion between a CCA, is there a lead CCA to do a quality check or at least get a second opinion? Having that means to bat some things around and have thoughtful conversations on the implementation approach, like you mentioned, Fernando. There's more than one way to skin a cat in some of these situations. Yep. So having that escalation channel has always been good as it relates to selecting. Yeah. And I'll also say, right, Casey, that's a great point that you bring up. Per the CMMC Assessment Process document, or the CAP, we have to inform, right, during the in-brief, we have to inform the contractor of their appeal rights. And I sometimes see some C3PAOs not do that. Right?
They have to inform them of their appeal rights and tell them, "This is the process that you would follow in the event you fail an assessment or you want to appeal our decision." Yep. Absolutely. The formalities exist. Alright. Great. Well, Fernando, I appreciate your time and perspective on the topic. I do want to give people a few minutes to put some questions in the chat as it relates to Q&A. I'm just going to try to handpick a couple of these. Did I hear correctly, only around 90 C3PAOs in the industry? What was your recent count? I'm sure there'll be new numbers. Here, I'll tell you right now. I believe it was 88 C3PAOs in the entire ecosystem. The number is, I apologize, 87. We're at 87 C3PAOs as of today. Great. Alright, I have some questions too, Casey. Yeah. If you want, I can go again. Yeah, sure. So, should I start with CMMC Level 1 before proceeding to CMMC Level 2? Yeah. From my perspective, it comes down to the data that you're engaged with. CMMC Level 1 is related to federal contract information. It's information that's not publicly releasable in your engagement with the federal government or the DOD. Most of the focus is around CMMC Level 2 and CUI protections, because that's where the DFARS 7012 clause exists. So if you engage with the DOD today, if you've had the DFARS 7012 clause historically, if you engage or work with CUI, Level 2 is the right path to be on. Yeah. And to add to that too, it really depends. If you're dealing with both data types and you're like, "I'm going to do CMMC Level 1 today and CMMC Level 2 later," understand that, depending on the environment that you're in, those two things cannot crosswalk.
So, for example, for FCI you could totally be in Microsoft's commercial environment, but you cannot build out completely to cover CUI, because the commercial environment is not compliant for CUI. So you would have to establish those foundations early on in order to do that. There is no carrying forward from commercial. Yeah, I mean, data flow and boundaries matter. You mentioned scoping, Fernando, and if there's anything that's most critical to high-quality assessments, it's scoping. Yep. So FCI, federal contract information, CMMC Level 1, that's not the DFARS 7012 clause. The DFARS 7012 clause says for CUI protection you're going to use FedRAMP Moderate or equivalent cloud services. FCI, CMMC Level 1, doesn't have that requirement. So, key distinction: understand your data types, understand how they flow, and if your CUI datasets intersect with cloud platforms, that's where the FedRAMP Moderate or equivalent requirements come into play. Correct. Go ahead, Kristen. I have this question here: what's the difference between a C3PAO assessment and an RPO assessment? You want to take that, Fernando? Yeah. So an RPO assessment is basically an assessment by what I guess would be considered a third party, but the difference is that an RPO doesn't have the authority to actually certify. So even though they both may do the exact same thing, the C3PAO actually can issue CMMC Level 2 certificates of status at the end of that assessment. Yeah. And from our perspective, because CyberSheath does, I'll call it RPO assessments, but gap assessments. We can do gap assessments. We can assess. We can write guidance as it relates to the output. So our deliverables would say, "We made this observation for this reason, and we recommend you take this action to close this."
Where on the C3PAO side, it's did you pass or did you fail? I think you guys sometimes call it the Christmas tree on your side, Fernando, when it comes to pass/fail across the framework. But one could be written, verbose, full of advice, and the other is pass or fail. Yep. Alright. Kind of a follow-up to this one: if I do a Level 2, does that qualify me for a Level 1? Not necessarily. It depends on your boundaries, your systems, and your scope. What I'll pivot to is the concept of an enclave. When you're making your attestations in the Supplier Performance Risk System, you can select environment types: you can select enterprise, like your full business, or you can select an enclave. The reason I point to that specifically is, if you have an enclave that's dedicated to CMMC Level 2 compliance for CUI protection, you might still be engaging with FCI outside of that environment. So you might be making a Level 1 attestation that's broader than an enclave approach for your CUI protections. Your thoughts on that, Fernando? No, everything you said there is spot on. You stole my thunder, Casey. Got ahead of you. Yeah. What else have we got, Kristen? How does the 180-day closeout period work if I have items on my POA&M post-audit? Alright. So the way that works: in the 32 CFR Part 170 rule, there's a section in there that talks about POA&Ms, and I believe it's section 170.21. When it talks about that, in order to achieve a CMMC Level 2 conditional certificate, which means that you have POA&M items, you have to meet the following three criteria. Number one, you have to score at least 80% on your controls, so 88 out of the 110 controls have to be marked as met. Number two, any control that is a three- or five-valued control cannot be POA&M'd.
And then number three, there's a subset of one-valued controls that cannot be POA&M'd. So if you meet those three criteria, you'll get a CMMC Level 2 conditional certificate, and then you'll have 180 days to close out those POA&M items. And so at that point, what you would do is contact either the same C3PAO that you used for your initial assessment or another C3PAO to do your POA&M closeout. They would come back and basically do what's called a delta assessment: we're only going to look at the controls that were on that POA&M and close those out within those 180 days. Because that's your responsibility as a contractor, to come back to us and tell us that you're ready. And then once those are closed out, your certificate will be upgraded from a conditional Level 2 cert to a final Level 2 certificate. Great. If we use CyberSheath as our RPO, what is CyberSheath's role during the C3PAO audit? Yeah. So CyberSheath, as a service provider, delivers through three lanes, or three puzzle pieces: managed IT services, so IT done compliantly, in accordance with the requirements; managed security services, which is detection and response; and managed compliance services, which is my function. So when you're engaged with CyberSheath, you get an assigned compliance analyst from my team that leads your compliance journey, all supported by the bullpen that is detection and response done through the lens of CMMC, and IT services operationally done through that same lens. So we're leading the compliance journey administratively through the compliance analyst, but we have the operations folks doing IT compliantly and security compliantly. When we assess first, we're finding the issues; then we're in a remediation phase where the ops team and the compliance analysts are collaboratively documenting and implementing capabilities, and then ultimately staging for a certification attempt.
Your compliance analyst, supported by the entire team, is there to be across the table from Fernando, in the C3PAO capacity, to tell your compliance journey, demonstrate the implemented controls, and ultimately be your long-term partner when it comes to getting through certification. Yep. What is the difference between 11/10/2025 and contracts continuing requirements for CMMC Level 2 self-attestation versus prior requirements for NIST 800-171 r2 and DFARS 7012, etc.? Yeah. So the biggest thing that you're going to notice is CMMC is really nothing new. All it is, simply, is a third-party verification of your existing DFARS 7012 requirements, specifically your NIST 800-171 implementation. So in the past, and I think for this first year, you're going to see a lot of self-attestation and self-affirmation. And right now, we're going to be transitioning to a third-party verification depending on the CUI data type that you're handling. In January, DOD put out a memorandum on implementing the CMMC program and the levels, and what's going to constitute a third-party assessment. So if you're handling CUI in the NARA CUI Defense Organizational Index Grouping, i.e., controlled technical information, and there are a couple of other data types that are in there, if you're handling that type of data, the minimum is going to be a CMMC Level 2 third-party assessment. Anything outside of that Defense Organizational Index Grouping, the minimum will be a CMMC Level 2 self-assessment. There's another line in that memo that states that's simply the bare minimum and doesn't preclude the contracting officer or the program manager from selecting a higher level. I know I have talked to some contracting officers that are dealing with contractors that are handling, for example, a soldier's PII, and they're saying, "We're not going to allow them to self-assess.
We're going to require third-party verification of those contractors as well." Yeah. Makes sense. And then, stepping into the history of it: defense contractors today are familiar with calculating a score for SPRS submission, and now the transition to the CMMC phased rollout. Historically, the contracting official was asking the question, "Is a score submitted to SPRS?" That was the discriminator, and that allowed some flexibility. Like, you're on a path to compliance; you can have a less-than-110 score. What's different about November 10 is, going forward, these contracts that have CMMC language expect full attestation of those requirements. So a major difference there: you had some flexibility, you were allowed to be on the train and on the path to compliance. And going forward, at contract award you're going to need to be compliant, or you're going to be pushed faster than that by your prime contractors in some situations. Yep. Given the risk associated with self-assessments for Level 2, is it realistic for OSAs to self-assess? I think it depends on the rigor that you have in your self-assessment processes. Historically, we've seen defense contractors think they're compliant, and then they have a third-party set of eyes say, "No, you're not quite there yet." Fernando has seen this as well. Assessing at the requirement level and not the assessment objective level really tarnishes your score quite a bit. If you're not looking at the assessment objectives, you're also not looking at the words define, identify, and specify. So your documentation might cause a massive score distinction from a perfect score of 110. So a second set of eyes with experience in this space is good. Pencil-whipping, bad. So I would say use the assessment objectives wisely. Think practically and defensively. And, again, to hammer in on scope: scoping is key.
Assessors pull the threads on where CUI exists and how it flows; they establish what the in-scope platforms are. And if you have platform gaps, if you have an assessor or a DIBCAC auditor find out that you're using, I don't know, some cloud service that's commercial, that could have a massive impact on how you've implemented your controls and ultimately your score and readiness. Yep. I know when it comes to certain cloud service providers, like, if you're using an external cloud service provider to process, store, or transmit CUI, then we as the assessor have to do one of two things. We're going to go onto the FedRAMP Marketplace and find out that they're FedRAMP Moderate Authorized, not FedRAMP Moderate Ready. They have to be FedRAMP Moderate Authorized. Or, if they don't have an agency sponsor because they can't get onto the marketplace, then the next thing we're going to look at is, are they FedRAMP Moderate equivalent, with an assessment done by a FedRAMP 3PAO, and then there's a body of evidence we're going to ask for. Yep. Great. Is an enclave approach mandatory for Level 2? Go ahead, Fernando. Yeah. So it really depends on your organization and how you're doing business with the government. So if you have 100 employees in your company, but you have a contract in which only 10 employees are dealing with CUI, maybe an enclave approach might be a better approach. But if everybody in your company is dealing with CUI from top to bottom, then it might be better to just bring the entire enterprise into scope. Yeah. So certainly not required, but what you do need to understand is the data flow, how it moves, and how you engage with CUI today. The volume of CUI and the volume of DOD-related work versus a broader business, sometimes that matters. That
whole FedRAMP Moderate cloud solutions thing becomes a bit of an economic decision in some ways as well, because raising the bar organizationally to, say, GCC High in the Microsoft ecosystem has a cost. And if everybody doesn't need to be at that level, an enclave solution might be better. So certainly not required, but you should thoughtfully consider your options. Yeah. And, Casey, to your point, I always say there's an old adage that I started picking up lately: there are no solutions, there are only trade-offs. So it really just depends on your environment. Your solution might be an external cloud service provider that might be relatively inexpensive, but the trade-off might be that it hinders productivity severely. So just make sure that when you go into these decisions for these solutions, like, you're stuck with this environment for at least three years, because if you make any type of significant architectural or boundary changes, you're going to trigger another assessment. Yep. Absolutely. We are working with CyberSheath to get CMMC certified. Is the RPO, CyberSheath in this case, present and involved during the C3PAO assessment? Yes. Yeah. So your assigned compliance analyst is literally, or virtually, across the table from Fernando or a DIBCAC auditor or a C3PAO assessor, telling your story on your behalf. So they are the ones coordinating with resourcing on the CyberSheath side to say, "Hey, security team, we need you to demonstrate. IT team, we need you to demonstrate your IT functions and your maturity." But in the end, as I said before, that's our Super Bowl, and we're there to win, and Fernando sees us bring the team together in that capacity. Yep. Are all the controls within 800-171 weighted the same weight in determining certification? So I don't know how to answer that question.
So each control has a weighted value that is identified in the DOD Assessment Methodology. So if you go look at the DOD Assessment Methodology, you'll see, for example, 3.1.1 is a five-point control. 3.1.2 is a five-point control. 3.1.3, and so on. And so they're all weighted differently. So just ensure that, in order for you to get a CMMC Level 2 conditional cert, no three- or five-valued controls, nor a subset of one-valued controls, can be POA&M'd. Yeah. And that's all set by the DOD Assessment Methodology. That's why historically we've had this range of negative 203 to positive 110. That's not a CyberSheath thing. That's not a CyberSec Investments thing. That's a DOD Assessment Methodology. They set the weighted criteria. Correct. What's the difference between the 110 controls required versus 320? So this is the control level versus the assessment objective level. I always like to use this example where I look at 3.1.3, for example. Controlling the flow of CUI is the control. If you're grading yourself as a self-assessment looking at that, that has a very yes-or-no paradigm to it: "Well, am I controlling the flow of CUI in accordance with approved authorizations?" That's not how you're supposed to assess yourself, nor how your assessor will assess you. You have to do it in accordance with NIST 800-171A, and there's a series of assessment objectives that go under 3.1.3 that, if you looked at the title by itself, could be very deceiving, because 3.1.3 in 171A has things like: are approved authorizations identified? Are approved authorizations enforced? You wouldn't have gotten that just from the title of 3.1.3. Yeah. The assessors have to assess at the assessment objective level. So if you think of it, it's nesting.
It's the requirement, and then the questions that the assessors ask that allow them to come to a conclusion as it relates to the state of the top-level requirement. The example that I always give is password complexity, because it's easy to understand. Password complexity was the requirement. One of these assessment objectives says define what password complexity is, and the other one says implement and control password complexity. If you don't define it and write it down, even if you've done it, you're not passing the assessment objective, and that's why assessing at the assessment objective level is so critical. If you're not looking at those define, identify, and specify statements at the AO level, you're going to be in a world of hurt when it comes to your score. Yeah. And, Casey, I'm sure you've seen this. When you're looking at the controls at the AO level, the controls are broken up into basically two sections. You'll have the identified, specified, or defined at the top of those control sets, and then at the bottom of it, it's either implemented, enforced, or limited, or some type of technical configuration that goes along with it. So you need both in order to pass those controls, nine times out of ten. Yep. Okay. Will cloud service providers be providing customers with CMMC certification reports similar to SOC reports? Will third parties now have to have both? Yeah. Cloud service providers, according to the DFARS 7012 clause, need to be FedRAMP Moderate. So there's a distinction. Cloud services are tied to FedRAMP, and as a DIB contractor, you're headed towards CMMC certification. So I would keep those in their lanes. Cloud services have a no-kidding FedRAMP requirement, or equivalency if you can demonstrate that. So your use of cloud services only matters through the lens of FedRAMP.
Cloud service providers, we've had inbound requests like, "Hey, I'm building a cloud widget. Can you guys get me CMMC compliant?" They should really be on a path to FedRAMP, because that's what matters in this ecosystem. Correct. Yep. Is there still an issue of forcing outside services to be CMMC compliant even if I am, i.e., an MSP or MSSP? So in the 32 rule, when it came out as a proposed rule, that was one of the things they had listed in there: if you're going to be Level 2 certified and you're using a managed service provider, they would need to be Level 2 certified as well. But since then, and now in the 32 final rule, they don't require it. However, we at CyberSec have taken a hard stance that we will not take on clients from non-certified MSPs or MSSPs, because we've already turned five or six companies away in which the managed service provider would have had their client fail. And it's a very awkward conversation to have during the course of the assessment, that the contractor fails due to the inadequacy of the managed service provider. So we've just taken a hard stance of not accepting those clients anymore. Yeah. And it's worth pulling the thread on that a little bit. So CyberSheath is a certified managed service provider. But if we weren't, then you guys, as a C3PAO, would need to dig into CyberSheath's practices, given that we have access to and support these client environments. So if we take something very basic like personnel security, and we have CyberSheath staff accessing a DIB contractor's environment, then personnel security starts to apply to CyberSheath staff, and they need to do background screening, and they need all of the formal workflows as it relates to access and personnel management. So, easy button, similar to FedRAMP versus FedRAMP equivalent.
If your service providers are certified in a way that scopes them and defines them as it relates to their engagement with the defense contractor, it makes it a lot easier. Fernando and his team can say, "Oh, CyberSheath, you're already certified. I don't need to ask personnel security questions or try to understand CyberSheath." Otherwise, if you're not certified, Fernando and other C3PAOs would essentially need to assess the MSP or MSSP at the same time as the defense contractor, or the OSC. Yeah. And at that point, it's pretty much two assessments, of which only the contractor is going to get certified, and not the MSP. And so, as you can imagine, if you're an MSP, even though it's not required, I would say it's probably strongly encouraged to go ahead and do that. Given the math of 119k orgs looking to get Level 2 certified and only a small handful of C3PAOs, when can we realistically expect full CMMC Level 2 certification and contract requirements? A lot of it really depends on your prime, if you're a sub to a prime, which the vast majority of the DIB falls under. And, again, like I referenced earlier, the memos that the different prime contractors have put out there. So the sooner you can get in line and start vetting your C3PAO, even if you're not ready today and you know that you're going to be ready eight to twelve months from now, just get in line and say, "Hey, this is when we're in line and when we're going to go get our assessment done." Because if you wait, there are two timelines here. If you're going to be using an organization like CyberSheath or another service provider, they have a backlog of their own, and C3PAOs also have a backlog on certification. And so what you want to make sure is that those two things line up, so that as you're coming out of full implementation and compliance, you're going straight into assessment versus waiting another year-plus to get onto the books of a C3PAO. Yeah.
I think there are two camps. There's the camp that's not compliant yet, that needs to get compliant in a hurry now that November 10 is here, and they're going to start seeing the CMMC language in contracts. And then there's the camp that is compliant but really needs to start to get in line with a C3PAO. We're seeing, as we support our clients, inbound questionnaires that are asking, as a discriminator, "Are you scheduled with a C3PAO today?" So there is some decision-making on the prime side around, like, are they taking CMMC seriously? Have they scheduled with CyberSec Investments or another C3PAO yet? So there will be conversations between primes and sub-tiers like, "Well, you don't have a certification yet, but at least you have it scheduled." So there will be some risk-based decision-making in those situations. There is certainly a pipeline as it relates to C3PAO services and supporting RPO services. That's right. Last question, which ties nicely with today's topic: what's the fastest way to separate credible partners from pretenders? Yeah. I think I articulated some of my opinions on the RPO credential. Having gone through the RPO, the registered practitioner training, it is very glossary information. So people out there that are like, "Hey, I'm an RP," or "I'm an RPO organization," you do need to be better at assessing the validity of their experience, given that it's not a very high bar to understand the glossary of the CMMC ecosystem. You do want to understand: have they taken any clients through a certification attempt? Have they gone through a DIBCAC audit? What kind of ownership do they have of their controls? Do they have, or help develop, a shared responsibility matrix as it relates to their responsibilities if they're in an operational capacity? So certainly qualify experience.
How long have they been in the ecosystem? What is their support model? And, given the nature of having to self-assess, have they supported self-assessment processes, POA&M remediation? It's more than just the credential itself. But Fernando, I'll let you speak to the C3PAO side. Yeah. And on the C3PAO side, like I mentioned earlier, it's ensuring what type of CCAs are on staff. Are they W-2 or 1099? Are they trained to understand your environment? Because CCA training is specific to assessing, but it cannot tell you how to assess a Microsoft environment versus AWS, versus Google, and all these other platforms that are out there. And, of course, experience: how many assessments have been completed. Casey, when this call is over, so we can provide it to the audience, I'm going to provide the link for the ND-ISAC small and medium business shopping guide for MSPs and for C3PAOs. That way it gives the audience and contractors out there looking to vet some of the questions they should be asking these folks, to make sure they make the best decision possible. Absolutely. That's great. Well, with that, I want to thank you, Casey and Fernando, both of you, for joining us today for this session. We have the post-webinar survey running in the background. If you could take maybe thirty seconds of your time before you sign off to fill that out for us, just so that we can be better prepared for the next one. Otherwise, thank you all and have a wonderful day. Thanks, everyone.