Episodes

  • What’s New with the Cyber AB?
    2025/01/30

    The Cyber AB is back with their monthly Town Hall meeting. This week we dive into the current status of the CMMC Program, the last checklist item before official L2 certification announcements, and more.

    Register for CS2 Reston: https://cs2.cloud/reston - Use code SUMITUPRESTON for listener discount

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    AB Town Halls: https://cyberab.org/News-Events/Town-Halls/Details/february-town-hall

    “Freeze” Memo: https://youtu.be/L6FUBpogntM?si=0blDfn4tj3E6y_hC

    17 min
  • Is CMMC on Ice? (Freeze Memo?)
    2025/01/23

    Regulatory “freeze memos” have been common practice for new presidential administrations since 2001. Some people believe the most recent freeze memo spells the end of CMMC. Those people are incorrect for an assortment of reasons that we dive into this week.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    The “freeze memo” (2025): https://www.whitehouse.gov/presidential-actions/2025/01/regulatory-freeze-pending-review/

    The “freeze memo” (2021) (PDF): https://www.regulationwriters.com/downloads/Klain_Freeze_Memo-012021.pdf

    The “freeze memo” (2017): https://trumpwhitehouse.archives.gov/presidential-actions/memorandum-heads-executive-departments-agencies/

    The “freeze memo” (2009) (PDF): https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/agencyinformation_memoranda_2009_pdf/m09-08.pdf

    The “freeze memo” (2001): https://www.presidency.ucsb.edu/documents/memorandum-from-andrew-card

    CMMC (32 CFR 170): https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170

    18 min
  • What is the FAR CUI Rule?
    2025/01/16

    Cybersecurity requirements for protecting controlled unclassified information (CUI) aren't just for defense contractors anymore. The FAR CUI rule will affect all federal contractors handling CUI (and even those who don't). This episode introduces the main elements of the rule at a 30,000-foot level.

    Register for CS2 Reston: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule

    2024 Predictions: https://youtu.be/YzFkJGzny20?si=H7UurOVBgKPxpH7Q

    FedRAMP memo: https://youtu.be/torWNL3U7ZY?si=_yFHuMqXpCg6hYWy

    FAR CUI Rule: https://youtu.be/-bYjDy7z7BA?si=sYytd46cIhmXIP8A

    The NARA CUI Registry: https://www.archives.gov/cui/registry/category-list

    Cost estimate of 171 (2023): https://youtu.be/DkYefZn_wNk

    How to submit effective public comments: https://youtu.be/1T_62cYiUA4

    48 min
  • CMMC Predictions for 2025
    2025/01/09

    It's that time of year again when we stake our reputations on predicting the future of the CMMC regulatory landscape. What does our crystal ball say the future holds for rulemaking, FedRAMP, and the CMMC ecosystem in general?

    Register for CS2 Reston: https://cs2.cloud

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule

    2024 Predictions: https://youtu.be/YzFkJGzny20?si=H7UurOVBgKPxpH7Q

    FedRAMP memo: https://youtu.be/torWNL3U7ZY?si=_yFHuMqXpCg6hYWy

    FAR CUI Rule: https://youtu.be/-bYjDy7z7BA?si=sYytd46cIhmXIP8A

    25 min
  • Revisiting Our 2024 CMMC Predictions
    2025/01/02

    A year ago we made seven predictions for the CMMC landscape. We got some right, we got a few mostly right, and we got a few “wrong”.

    Register for CS2 Reston with code SUMITUPRESTON: https://cs2.cloud/reston

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule

    2024 Predictions: https://youtu.be/YzFkJGzny20?si=H7UurOVBgKPxpH7Q

    20 min
  • CMMC False Starts Revisited
    2024/12/26

    The Cyber AB has officially released the CMMC Assessment Process Guide. Now that the “CAP” is official, CMMC “false starts” are officially something that defense contractors need to be aware of.

    Register for CS2 | Reston with code SUMITUPRESTON for 15% off here: https://cs2.cloud/reston

    CMMC CAP (PDF): https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

    False starts 1.0 (June ‘24): https://youtu.be/zwU4u86L_5A

    NFO Controls: https://youtu.be/YEQd--RIUkU

    Documentation Deep Dive: https://youtu.be/TXsKdH3hC6E

    34 min
  • 7 Takeaways: CoPC & CAP 2.0 Edition
    2024/12/19

    The CMMC Program has reached its “Birth” date, and part of the celebration was the release of the newly revised, effective, and in-force version of the CMMC Assessment Process (CAP) and the CMMC Code of Professional Conduct (CoPC). Jason and Joy have been picking apart these documents since their release, and on this week's show they offer their 7 “high level” takeaways from CAP 2.0 & CoPC 2.0.

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    CS2: Reston: https://cs2.cloud/reston

    37 min
  • What to Know From a C3PAO
    2024/12/12

    This week we're joined by Fernando Machado of Cybersec Investments, an authorized CMMC C3PAO. Fernando has been around the CMMC space for years and has helped a ton of companies successfully pass their Joint Surveillance Assessments. Fernando shares what he's learned ahead of the effective date of the 32 CFR CMMC final rule and the rest of the phased roll-out.

    Pathfinder 101: https://www.summit7.us/pathfinder

    Pathfinder Demo: https://youtu.be/JiDTCchfCa0?si=JJFplxSfvkaRVhRo

    32 CFR CMMC Webinar: https://www.summit7.us/webinars/cmmc-32-cfr-final-rule

    Fernando: https://www.linkedin.com/in/fernando-machado-cissp-cism-cca-ccp-5b5581124/

    Cybersec Investments (C3PAO): https://cybersecinvestments.com/

    (0:00 – 3:17): Intro
    (3:18 – 6:42): What's the key to assessment success?
    (6:43 – 8:48): What's the key to perfect scores?
    (8:49 – 11:42): Most problematic controls?
    (11:43 – 12:52): What's harder: technical or non-technical?
    (12:53 – 14:42): Are “False Starts” real?
    (14:43 – 17:44): How important is an MSP?
    (17:45 – 20:45): Current backlog?
    (20:46 – 22:38): $100k assessments?
    (22:39 – 24:27): Outro

    24 min