After a brief hiatus, the Cyber AB has gathered the CMMC Ecosystem to deliver its monthly update. On this week’s show, we break down the information shared at this month’s meeting that you need to know. Things like:

• Who is the new DoW CIO?
• Pending shutdown and CMMC Impacts
• Ecosystem Growth and Certification updates
• Does this show count for CPEs?

And so much more… Tune in to find out!
Transcript
[music] We are back in the saddle, folks. It has been what seems to be a month full of Sundays since I was on screen with Joy. Since we’ve been gone for a long time, a lot of things have happened with the Cyber AB and with the KO. Inside Summit 7’s organization, I knew there was somebody we needed to bring in to talk about this. And luckily for us, for the first time in history joining the Summit Up podcast, the great, the powerful Jacob Hill. Jacob, welcome to the show.
Thank you so much. Excited to be a part.

Jacob, I wanted to bring you in because obviously training and content and things like that have really kind of been in your wheelhouse. It’s what you were known for. It’s what you kind of made your name doing. One of the monumental things that we’re going to talk about is the transition of the KO to control of ISACA. In order to get to that nice, meaty, juicy stuff, though, we want to get through all of the other things that happened in the Cyber AB town hall. Not like they’re not important, but just to make sure we cover them before we get to the meaty stuff that’s going to occupy a majority of the show. Sound good to you guys? Yeah. Go.
All right. Let’s talk about the welcome and update stuff. First and foremost, while we were gone since the last town hall, we have a new CIO responsible over the DoD, Kristen Davies, who comes from the private sector for the most part. We had talked about how she was the nominee and that long arduous process to get her nomination confirmed. That confirmation went through on the 23rd of December. Obviously, thanks to Katie Arrington who served in that position before and whatever path that she laid for the CMMC program. Now it’s time to move on to a new regime. I’m excited to see what’s on the horizon. I don’t know what your guys’ feelings are.
Yeah. Well, automatically jumping into a sector with something related to CMMC, we’ll see what impact she has there. I really do wish the best for Kristen Davies as she comes in and assumes a program that just got up and running.
Let’s talk about some more updates that the DoD provided. This is training and content related, Jacob, and I think you’re going to have an opinion on this. There are new training resources made available by the Department of Defense through a partnership with Defense Acquisition University. There are a bunch of topics they cover. Jacob, I wanted to see what your initial thoughts are before we dig into the topics about these new resources being available.
Certainly. So, DAU, I think they’re called the Warfighting University now. I’m an alumni because back in my government days I went through DAU training and have forgotten most of it—it’s been several years. In any case, they put out last year three courses: an intro to CMMC, CMMC for practitioners, and CMMC for senior leaders. Firstly, I don’t know how to get access to those courses because they seem to be behind a wall that is asking for a CAC. Some people say you don’t need a CAC to get access. I’m not sure. That’s a little problematic. They do have some microlearning lectures publicly available. One is for understanding SSP, CMMC level determination, and a few others. I looked at the CMMC level determination micro lecture. It’s about eight minutes. It took about a minute and a half to get into the content and it’s an AI voice. It’s not a bad voice, but it is basic content that’s good to be out there for the community to consume.
I think what we can all agree on is that these are more resources to increase awareness in the CMMC program. I don’t think any of us are going to say, “No, stop doing that.” Will they improve over time? Yes. Now that there’s a will, there’s a way, and there’s the avenue. Hopefully they continue to populate it and expand the training.
Let’s talk about the FAQs that were released while we were “out of town.” Cat Adams joined the Cyber AB town hall and went over those three questions. We’re not going to harp too much on what was discussed because she clearly explained from the point of view of the AB and the DoD what those FAQs mean and how they apply to people. We also did a podcast episode a couple weeks ago covering those FAQs. I suggest you watch both the podcast episode and the town hall to see how those things align.
Now for some not-so-good news. Potentially looming, not a foregone conclusion, there may be a lapse in federal appropriations similar to what we experienced at the end of the last fiscal year. On this month’s town hall they jumped in as they did last time and outlined what to expect: delays at tier three screening, possible delays for authorizations of C3PAOs, but assessments still rolling on as scheduled and other necessary activities continuing. One difference is that some organizations impacted last time have already received funding, so we may see some improvements compared to the last shutdown scenario. For the most part, expect the same user experience if funding lapses again.
Now let’s talk ecosystem update. This is our favorite part before we get into the juiciest part. We want to see where the program stands. First and foremost, we are at over 800 CMMC Level 2 certifications issued, whether final or conditional. That’s insane if you think about it. Phase one went into effect November 10th. In roughly 90 days, we’re at over 800 certifications. In addition to that, there are around 100 more that are hung up, likely due to POA&Ms or false starts. Technically over 900 certifications either finalized or in process. That’s huge growth in a very short period.
On the assessor side, the numbers are still trending upward: 8% growth in CCAs, 6% growth in CCPs, and 13% growth in Lead CCAs since the last town hall. That’s 48 new Lead CCAs since December. That means potentially 48 new assessment teams. More teams, more assessments, more certifications. The only unknown variable is how many of those Lead CCAs will actually participate in assessments. Still, the capacity is there.
Internationally, we now have four C3PAOs in the pipeline for authorization that are non-U.S.-based—one from South Korea, one from Canada, one from Australia, and one from Taiwan. The program is going global. The defense industrial base is global, so it makes sense. As long as proper provisions are in place, and they are, international involvement supports the overall mission.
We also had new board member appointments. We won’t go through every name, but congratulations to the new appointees. It’s important to have established leaders from different sectors bringing outside perspective and avoiding an echo chamber. That diversity of experience will strengthen the program.
Now let’s talk about complaints, appeals, and ethics. The Cyber AB reiterated its formal responsibility under ISO and contract to adjudicate matters within its purview. Many complaints submitted fall outside their authority, particularly those related to rulemaking, which belongs to the DoD. The most common complaints they receive are against ecosystem members for COPC violations and complaints about the AB’s own performance. They have a responsibility to adjudicate these matters, but not to publicly disclose outcomes due to ISO confidentiality requirements. They are not being secretive—they are bound by confidentiality obligations.
They reiterated the same ethics guidance: present yourself and your organization accurately, charge fair and reasonable prices, do not guarantee assessment outcomes, and refrain from making false or damaging statements about other ecosystem members. If you see violations, try to resolve them directly. If that fails, use the formal complaints process.
Now to the juicy stuff: ISACA taking over the KO. Some people see this as a takeover because the KO couldn’t handle it. But from a strategic standpoint, this looks like scaling. ISACA has around 300 employees, over 190,000 members across 188 countries, and established certification infrastructure including CISA, CISM, and CRISC. The CCP and CCA exams are now accredited to ISO 17024 by ANAB. That is a maturation of the certification program.
Concerns raised include whether there will be duplicate fees between the Cyber AB and ISACA, how CPEs will be managed, and whether curriculum updates will be delayed during transition. On CPEs, there are numerous ways to earn them beyond ISACA-sponsored events: in-house corporate training, conferences, seminars, vendor presentations, teaching, mentoring, working groups, and more. Many of us in the ecosystem will have no trouble reaching 20 hours annually.
As for training providers, it’s possible that existing LTPs will roll into ISACA’s Authorized Training Organization model, similar to how ISACA manages other certifications. Ideally, this centralization would provide clearer visibility into providers, formats, and potentially reviews, making the marketplace more transparent and competitive.
Biggest concerns include delays in updated curriculum rollout, potential fee overlap, communication bottlenecks during transition, and ensuring that CPE requirements don’t inadvertently reduce the number of active certified professionals due to administrative oversight.
At the end of the day, this transition appears to increase the value and credibility of the CCP and CCA certifications. It represents scaling and maturation rather than failure. As much as it pains me, that brings us to the end of this episode. I don’t think this is the last time Jacob will be joining us to talk town hall. Joy, I hope this isn’t the last time we’re on screen together to break this down. Thank you both for joining. Thank you to the audience. Make sure you watch every week, like, subscribe, tell your friends, and we’ll see you next week. [music]