The Importance of Education in the CMMC Ecosystem w/Matt Hoeper
Climbing Mount CMMC, June 06, 2024
Episode 3
Duration 00:33:34 (23.09 MB)

(Season Two Episode 3) Bobby is joined by Matt Hoeper, from Edwards Performance Solutions, to discuss the educational piece of the CMMC world. They discuss the CCP and CCA courses and how to prepare for testing.
He highlights the role of certifications like CCP (Certified CMMC Professional) and the knowledge of IT and NIST standards in preparing for CMMC assessments. Matt emphasizes the need for consultants and assessors to have a deep understanding of the CMMC requirements to ensure successful assessments and contract wins. He also recommends following industry experts on LinkedIn for valuable insights and staying updated on CMMC developments.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back to season two of Climbing Mount CMMC. I'm your co-host, Kaleigh Floyd, and today

[00:00:13] Bobby is joined by Matt Hoeper. Matt is the senior cybersecurity consultant at

[00:00:18] Edwards Performance Solutions. He also happens to be the person that taught

[00:00:23] Bobby his CCP course. In today's episode, Bobby and Matt are going to be

[00:00:28] talking about how to prepare for a CCP test. We're so excited for you to

[00:00:33] join us for today's episode, and we hope that you enjoy.

[00:00:35] So today, everybody, what we want to talk about is just about the education of the

[00:00:40] ecosystem. Matt is probably one of the forerunners in that area, and his

[00:00:45] experience, as well as, outside of education, just real practical

[00:00:50] experience, as well as teaching the material from the CCP as well as the

[00:00:54] CCA, which we'll get into more. But I guess what I want to try to do

[00:00:59] is, you know, just kind of lead in, Matt, from your experience working with

[00:01:04] Edwards, because at Edwards you guys not only do education training on those

[00:01:09] certifications, but you guys also do other things as well, right?

[00:01:12] Mm-hmm, yeah. So we are, to my knowledge, the only organization that

[00:01:17] lives in all four quadrants of the CMMC ecosystem: the licensed

[00:01:23] training provider, publishing partner, the RPO space (we have an RP on

[00:01:28] staff), and then the C3PAO space. We went through our DIBCAC assessment in

[00:01:32] September of '22, I think. Yeah, September of '22. So, yeah, I remember you guys

[00:01:40] talking about that. Everybody was all like, who... We were all talking

[00:01:42] about, like, how did it go? What was the DIBCAC assessment like? Because at

[00:01:46] that time they were relatively new; not a lot of people were going through

[00:01:50] it. So you guys were a little bit one of the guys over the hill, right?

[00:01:54] We were. I think we were number 30 or 31. Yeah, I think there's currently

[00:01:58] over 50 now. Yeah, so we need more, for sure. So when we start thinking

[00:02:03] about the CMMC ecosystem, how important is education? And, you know, maybe you can

[00:02:09] kind of sort of talk us through some areas that you feel are critical that

[00:02:14] you might want to get educated in before you really dip your toe into

[00:02:17] the ecosystem of the CMMC program. Yeah, so two, really two things. So

[00:02:22] when you, either from a consultant standpoint or an assessment standpoint,

[00:02:26] you either have to get an organization ready for a CMMC assessment so that

[00:02:31] they can pass and, you know, win that contract, or you're on the other side,

[00:02:36] where you're assessing that organization to make sure that they pass, in which

[00:02:40] case they can win the contract. In either case, you want to make sure

[00:02:43] that you are knowledgeable about the things that you're consulting about and

[00:02:48] that you're assessing. The last thing that I want is somebody to come in and

[00:02:52] assess my organization that doesn't have any knowledge about anything, and

[00:02:57] then, the flip side, I don't want to, you know, be consulted by someone who

[00:03:00] really has a very limited knowledge of what they're talking about. What would

[00:03:04] you want to expect from someone knowledge-wise, you know, maybe

[00:03:09] certifications, and outside of certifications, that you would want to

[00:03:12] see them have before you would feel comfortable, like, okay, maybe I might

[00:03:16] want to start a relationship with this person, and that might help me

[00:03:20] through that CMMC journey? So from a CMMC perspective, I like to work with at

[00:03:25] least a CCP, because when you look at the way the things are set up

[00:03:31] with the AB, you have the registered practitioners who live in that

[00:03:36] registered practitioner organization space, but the RPs don't go through

[00:03:41] quite as rigorous training as a CCP would. You know, an RP is, what, eight

[00:03:46] hours, something like that. Yeah, let's pause for just a second, because I know

[00:03:49] where you're... I think I know where you're going with this, and it's really

[00:03:52] great. Can you maybe back up for someone who may not know what those

[00:03:55] acronyms mean, the RP, the CCP? Could you maybe get somebody up to speed on

[00:04:00] that and then go into kind of what you're talking about? Because I

[00:04:02] think it's really important. Sure, sure. So when you start the journey

[00:04:08] down the road of CMMC, one of the very first things you want to do

[00:04:11] is you want to engage with a professional, someone who knows CMMC, and those people

[00:04:18] live in what we call the RPO space, which is a registered practitioner

[00:04:22] organization. That's the company. Now, the individuals in that space are

[00:04:27] the RPs, the registered practitioners, and the registered practitioners have

[00:04:32] to go... In order to be a registered practitioner, they have to go

[00:04:35] through a training that is provided by the AB, and that training is like

[00:04:42] eight hours. So on the other side, when we talk about CCPs and CCAs, those are

[00:04:49] certified CMMC professionals and certified CMMC assessors. They live

[00:04:57] in the assessment space under the guise of what we call a C3PAO, which is

[00:05:04] a CMMC third-party assessment organization. You know, IT loves their

[00:05:08] acronyms, and CMMC is no exception. So when you work with someone

[00:05:14] from a consulting perspective for preparedness, you typically work with

[00:05:18] an RP, with the person with an RPO. You can work with a CCP; they can be

[00:05:24] employed by RPOs. Or you can actually work with a C3PAO for preparedness.

[00:05:30] The thing is that that C3PAO that you work with for preparedness cannot be

[00:05:35] the same organization that assesses you. We want that delineation of

[00:05:39] responsibilities to reduce that conflict of interest.

[00:05:44] So when you're looking at that, what's the time frame of, like, requirement

[00:05:48] for the training for the CCP and the CCA compared to the RP and the RPO?

[00:05:53] So the CCP, our course is five days, Monday through Friday, where we cover

[00:06:01] all of the domains, we cover, you know, the ecosystem, we cover the source

[00:06:07] documents, we cover the CAP, we cover scoping, both level one and level two,

[00:06:12] and then we do all the practices, level one and level two. We don't have

[00:06:15] to, from a CCP perspective, because the CCP is typically level one, which are

[00:06:20] the 17 practices, but we do them all as part of it. We have a guided

[00:06:26] learning as well that's more of a self-paced.

[00:06:29] Well, I think that you kind of blew over something that was...

[00:06:32] I kind of accidentally fell into the benefit. When I did my CCP

[00:06:38] certification and went through it, I went through Edwards, and you were

[00:06:41] actually, like I said, my instructor, one of the instructors that I had.

[00:06:45] One of the things that I think was really interesting is, yes, the

[00:06:48] CCPs are, as I guess right now, they're supposed to be really focusing on

[00:06:54] level one. I'm not sure, maybe we might ask another question about whether or

[00:06:58] not you feel they'll be able to be involved in other types of level two

[00:07:01] activities, but right now just focusing on that. Like, if you wanted to

[00:07:05] be prepared, technically you guys could just teach the level one of

[00:07:11] the three levels of the CMMC program, but that's not what you guys did.

[00:07:14] You guys actually went and taught to level two, and I didn't know that

[00:07:20] there was a difference as I was getting into that, and boy, did that help me out

[00:07:23] so much more in being better educated and prepared. Because I felt like it

[00:07:31] kind of came back and bit me a little bit, because when I went to get

[00:07:33] ready for my test, nobody had really taken it yet, so I got ready for

[00:07:37] almost basically CCA-level type for the test, and it wasn't anywhere as

[00:07:45] deep as I went into my training. Now a lot more people understand what's going

[00:07:48] to be on the test, and I don't think other people are making that same

[00:07:51] mistake that I did, but the material that you guys taught was just so deep,

[00:07:55] and it was instrumental in helping me kind of get started, and I really

[00:07:58] appreciated it. That's good, that's good to hear. Yeah, the people who

[00:08:01] take the class, they really sort of fit into one of three buckets. Either

[00:08:05] they were the person who was designated by their organization to take

[00:08:09] the class so they can come back to the organization and get them prepared,

[00:08:13] so there's that person; there's the second type, which maybe is from an MSP

[00:08:17] perspective or an MSSP, where they're going to get in that consultant space

[00:08:21] and they want to help organizations; or the third one are the people who want

[00:08:26] to go on to be assessors. So it's really one of those three buckets,

[00:08:30] and we felt, as we were coming up with, you know, designing the course, we

[00:08:34] felt that we would go ahead and do the level one and level two stuff for

[00:08:39] a CCP to make them pretty well rounded, because we really didn't expect

[00:08:45] that a lot of your consultants were going to go on to take a CCA course.

[00:08:49] Right, right. But I mean, a lot of the organizations that are going to be

[00:08:55] going for level two are going to need that overarching experience, and

[00:08:59] having someone with a CCP could be hugely helpful. And I guess what

[00:09:05] I'd like to ask you too is, for, like, a managed service provider like myself,

[00:09:09] if someone was going to try to get into that space as a managed service provider,

[00:09:12] would you recommend that they get a CCP, or would you recommend them go into the

[00:09:16] RP and RPO type situation? What's your, what's your take?

[00:09:20] Well, I would recommend a CCP. I'm a little slanted in that. I just feel that the

[00:09:27] CCP is just, given, you know, because they have to take an exam, it is a certification,

[00:09:33] whereas, you know, the RP is more of a designation, and pretty much anybody who

[00:09:38] would attempt an RP would get it; the level of effort isn't quite as high.

[00:09:44] There is an RPA, which is, I think, a registered practitioner advanced. I

[00:09:48] can't speak too much to that, but again, even in that instance, it's not

[00:09:51] a certification with a higher-stakes exam, so I like the CCP.

[00:09:56] Well, if you're running a managed service provider, as the proposed rule came out last

[00:10:01] year, it was very clear that the DoD wanted MSPs, if you're providing technical

[00:10:07] controls and you're supporting that client, that you're going to have to get level two,

[00:10:12] that you're going to have to meet parity with the client that you're supporting.

[00:10:15] If that's the case, just having probably an eight-hour course

[00:10:20] and that you're guiding their destiny on whether or not they're going to pass the

[00:10:24] assessment, I would think you would want to go in with as much preparedness and knowledge

[00:10:29] as possible, right? Oh, for sure, yeah, because there's so much riding on it.

[00:10:33] You know, if you're an MSP and you're working with an organization that is looking to renew

[00:10:38] a 10 million dollar contract that is probably the lifeblood of your organization, you need

[00:10:43] to make sure that you're getting the right information so that you can pass that assessment,

[00:10:47] because, my goodness, failing an assessment and losing out on

[00:10:52] that contract, I mean, that's life or death for these organizations. So... Right, right. Yeah,

[00:10:58] as you're going through working with organizations, trying to help them get prepared, the expectation

[00:11:09] is that you need to know what is going to be required for them to meet it, and if you're not

[00:11:15] at that ability... So it's not just helping the client, the OSC, that, you know, the organization

[00:11:23] seeking assessment, right, or the OSA, I guess, is the new term that they started using.

[00:11:31] It's not just about getting them there; you have to get there yourself. So it's almost

[00:11:37] like you get hit twice. Yeah, for sure, for sure. So, yeah, I want to make sure that I'm engaging

[00:11:43] with someone who knows exactly what they're talking about. Right now, if someone's trying to

[00:11:47] get into the ecosystem and they're really just trying to step into it, would you recommend

[00:11:54] that they start, let me just go ahead and dive in and get my CCP, or is there some things

[00:11:58] that you would suggest that they first kind of cut their teeth on before jumping into the CCP?

[00:12:03] Well, I don't think that going right for the CCP is such a bad idea, but going into a CCP, we

[00:12:09] would recommend that you have some base knowledge of IT. I believe that the requirements that the

[00:12:18] AB puts forth are, you know, the A+ certification, and I think that's great, but when I, you know, A+,

[00:12:26] I'm thinking hardware, operating system, which is great, but for me, I would probably go

[00:12:32] more towards a Security+ or a Network+. At the end of the day, you're going to want

[00:12:36] the working knowledge of how IT works, because if you're going to assess that stuff,

[00:12:43] you need to know a little bit about what you're assessing. So...

[00:12:47] And when I went through my course, it was really interesting. There was one person

[00:12:51] that came from Dell that had a tremendous amount of compliance experience. There's like

[00:12:56] maybe 15 or 20 of us in the course, and there was another person that was a FedRAMP assessor

[00:13:01] that was used to doing FedRAMP, which is massively above and beyond, you know, the experience of that,

[00:13:06] and then you had, you know, little old me and a few other MSPs that hadn't really had that

[00:13:11] much experience in that type of compliance, and it was quite the range. But the fact that you guys

[00:13:16] had such a coverage of the material, it really helped level the field out as best as I think

[00:13:22] you humanly could, based on the divergence of so many people coming from different lives and

[00:13:28] perspectives and experience, right. What about NIST experience? What would you say,

[00:13:34] would you want that person to try to at least have some experience with 800-171,

[00:13:40] 171A, and those types of things? What about that?

[00:13:44] I think it's very beneficial. I had experience with 800-171 prior to CMMC coming out, and so

[00:13:51] when CMMC dropped, even though they renumbered and everything in 1.0, I think having a working

[00:13:57] knowledge of some of that stuff is very beneficial. You know, even an obscure publication like

[00:14:05] 800-88 that talks about media sanitization, I think that that is very, very helpful

[00:14:11] to know. But I think if you know 800-171, which basically came out of 800-53, I would know those two

[00:14:20] and then, you know, some of the other ones like media sanitization. But we cover those

[00:14:25] when we teach in the boot camp, so if you're not terribly familiar with them,

[00:14:29] you know, you'll have to do some catch-up reading on the side, but...

[00:14:33] I've never heard of the red books until I went through my CCP. Oh, yeah. You guys were,

[00:14:37] like, talking about, for those that may or may not be familiar with it, it's back in the past,

[00:14:42] in the '80s and '90s, I think even before that, they had a series of different colored books.

[00:14:48] Yeah, the Rainbow Series. That's going back a ways. Yeah. Oh, yeah, and you guys cover some

[00:14:52] of that history of how that rule came out, because I think it does come into play.

[00:14:57] Are there people that you would recommend following on LinkedIn, or videos, or people

[00:15:01] to watch, that you feel have a good grasp or are providing content? Besides, you know, I don't

[00:15:09] know, maybe Climbing Mount CMMC might be a good podcast to possibly follow, but are there

[00:15:13] others that you might suggest? I'll do some name dropping, why not. So, you know, everybody

[00:15:19] who's listening to this podcast who's ever familiar with CMMC would know who Jacob Horne is.

[00:15:23] Yeah. You know, he would definitely be one I follow. Good guy, I've known him a while, he's

[00:15:28] a really good guy. Ryan Bonner is another really good, really good guy. Amira, I don't

[00:15:34] know if you guys know who Amira Armond is. There's quite a few, but once you get linked in, that,

[00:15:41] I assume, you know, people are on LinkedIn, once you get linked with those people and that stuff

[00:15:45] starts to show up in your feed, then you can grow your base and see some other people, and

[00:15:50] then people like me, who, you know, take a slightly different approach to add a little

[00:15:54] bit of humor. And I love yours; rather boring otherwise, but solid, solid jokes. Dad jokes,

[00:16:02] maybe perhaps you might even be as bold to say. Right, right. Now, you mentioned the AB, or

[00:16:10] Cyber AB, and then about that body, it exists, it's a non-profit, it's not actually a government

[00:16:17] organization, but they work in conjunction with the DoD. Can you kind of talk about

[00:16:23] the Cyber AB, all these acronyms like CAICO and CCP and CCA and RP, and, like, how do they sort

[00:16:32] of fit together? If someone was stepping into this space and they were trying to choose

[00:16:36] where they were wanting to go and pick, just sort of understanding that could be helpful for them.

[00:16:41] Sure. So it started with the CMMC AB. It was a 501(c)(3) non-profit that was spun up

[00:16:50] by the Department of Defense, and I hope I don't say anything incorrect here, so, Matt Travis, if

[00:16:54] you're listening here, I apologize if I get it wrong. It was then rebranded from CMMC AB to

[00:17:02] the Cyber AB, so if you hear CMMC AB, it's, you know, synonymous with the Cyber AB. So the Cyber AB

[00:17:10] would be the correct thing. The thing, though, is that the Cyber AB is going to have to get an ISO

[00:17:18] accreditation, I hope I said that right, it's, I believe, 17011, ISO 17011. So what they

[00:17:25] did was they branched off the part of the business that was responsible for

[00:17:31] the training, the testing, the sort of the stuff around the individual stuff, and they

[00:17:39] created something called CAICO, which is, oh my gosh, it's the CMMC Assessors and Instructors

[00:17:48] Certification Organization, or something like that. So they spun up CAICO, and so you have part of

[00:17:54] what was the CMMC AB that is now responsible for training and testing, and then

[00:18:00] you have the Cyber AB, which is responsible for the accreditation, which is,

[00:18:07] the AB is the accreditation body. So... And the C3PAOs also answer to the Cyber AB as...

[00:18:14] Yes, yeah. And I believe the RPOs do as well, right? Right, because they're not certified, so

[00:18:20] they all kind of connect together as is this, this... And, interestingly enough, in your course you

[00:18:26] guys do cover, you have some nice slides and things that cover sort of that evolution

[00:18:30] to try to understand where, like, kind of that "you're in the mall, you are here" kind of thing,

[00:18:35] like, right, you're out right now in the ecosystem, which was really helpful for me as I was first

[00:18:40] coming in. I was just like, whoa, you know, okay, this is a little larger than I anticipated,

[00:18:45] you know, just because as I came in from the MSP space, I didn't really understand how deep the

[00:18:51] waters ran in so much, and that was just a little bit of ignorance on my part as I was coming in.

[00:18:56] But, you know, as you're dealing with a managed service provider, what are the kinds of things

[00:19:01] that you would want to look for to say, okay, well, these people have done their homework,

[00:19:05] they have spent time in this space, they've learned what they needed to learn, I feel

[00:19:09] comfortable doing business with them? What are some things that you would want to look for

[00:19:13] from them? Well, if the current rule, the proposed rule, holds true, the MSPs will have

[00:19:20] to be certified at the level that their OSCs would be. So number one, if you as an

[00:19:26] MSP have that L2 certification, that goes a long way, in my opinion. Because, so

[00:19:33] foundationally, you know, the MSPs are providing, you know, patching, monitoring, and

[00:19:38] backups, very, very basic foundational level, but then they're going to be doing more,

[00:19:44] or could be doing more, for the organization when it comes to access control. So the MSP,

[00:19:51] depending on what they're providing the OSC, is going to be involved in some capacity

[00:19:57] with that OSC's assessment, especially since we're following, you know, at a level two perspective,

[00:20:04] the scoping, we're following the CUI, the controlled unclassified information. So if the

[00:20:10] MSP is responsible for those systems or has access to those systems, that brings them into scope. So

[00:20:16] I would hope that they would know what they're doing. But, yeah, if they pass the L2 certification,

[00:20:21] that's okay. But, you know, what's interesting is, and I think this is what Joy

[00:20:29] and team for the infrastructure, the MSP for critical infrastructure, is trying to push, is the,

[00:20:37] just because an MSP has gotten a level two certification means that they have an

[00:20:43] infrastructure to support CUI and how that might come into their system, but that doesn't mean

[00:20:48] that they have the appropriate maturity from a matrix perspective on how they might be able

[00:20:53] to engage with the client. Just like what you're talking about, as your MSP comes in

[00:20:57] and they're providing those services for you, you want to make sure that you're able to

[00:21:05] not compromise their journey. Just because I got level two doesn't mean naturally that I'm

[00:21:11] going to provide good services at a level two perspective to the client. What do you think,

[00:21:16] like, as a CCA, if you were doing those types of assessments, do you see the need for having

[00:21:21] that separation and being able to look at an MSP from a different perspective than just, do

[00:21:26] they support CUI? Yeah, I think so. You know, if I'm an assessor assessing an organization,

[00:21:32] you know, my job as an assessor, and there might be some disagreement in the ecosystem,

[00:21:37] but my perspective is that our job is not to adjudicate CUI. We're not in that business.

[00:21:43] My job as an assessor is to, you know, validate, if I'm a lead assessor, validate the scope in the

[00:21:51] planning and preparation phase of the assessment, and then, once the assessment takes place,

[00:21:56] all of those systems that are in scope for that assessment, I am applying the 110

[00:22:04] practices of 800-171. That's it. I'm seeing if those systems meet every one of those practices,

[00:22:13] because at the end of the day, I want to make sure that I've done my due diligence as an

[00:22:17] assessor to sign off and say, yeah, they're ready. So I don't get too much into the weeds from an

[00:22:23] assessment perspective, you know, other than looking at the shared responsibility matrix on the

[00:22:28] part of the MSP. Hey, you know, the OSC is responsible for something, or the MSP is

[00:22:34] responsible for something. My hope is that the OSC would have already engaged with someone who

[00:22:40] knows what they're doing and what they're talking about, so that by the time I come in

[00:22:44] as an assessor, it's all laid out pretty cut and dried, you know, checking everything for

[00:22:49] adequacy and sufficiency, and we know we are done in a few days and you don't see me

[00:22:55] for another three years. Another three years, right. Yeah. So when you're going through that

[00:23:00] assessment process, how much do you fall back on the training and education? Like, are

[00:23:06] you, do you have materials or things that you've gone through that you're, like, you know, thumbing

[00:23:10] through to look for references and those types of things? Oh, for sure. I'm, so, I think that

[00:23:16] the CMMC assessment guides, level one, level two, are incredible. If you haven't looked at them,

[00:23:24] I certainly recommend that people do look at those, because they give examples, they

[00:23:30] give you, you know, further things to consider. So, yeah, I'm constantly looking at those

[00:23:36] documents three, four, or five times a week as I help an organization, and when I do help an

[00:23:41] organization, typically I have that document open with my screen shared, not for an

[00:23:47] assessment, but, you know, for maybe some sort of a gap analysis, so that the client can see

[00:23:52] exactly what I'm looking at and what I would expect as an assessor. I think that

[00:23:57] transparency helps a lot, because the last... Here's the deal. When I got into this ecosystem,

[00:24:03] when I got into this line of work of security years ago, I came to make a difference. I didn't

[00:24:08] come to smack hands, you know, and just keep people under my thumb, and there's some people

[00:24:13] in the industry who like to lord over and realize that they have some authority here.

[00:24:18] My hope, and my why, again, is I want to help organizations. I want you to be reasonably secure

[00:24:26] as an organization, and that's why I got into this. Now, I want to make sure that we're doing

[00:24:31] it the right way, so, you know, when I'm assessing, if they don't meet, they don't meet, and

[00:24:37] that's unfortunate, but that's why I always fall back on, hopefully the OSC worked with someone

[00:24:42] who knew what they were talking about in the preparation phase. Yeah, I agree. I think

[00:24:47] it's critical to have an attitude of support and hope that they're going to pass

[00:24:54] and those types of things. I think that's where having the experience of working through

[00:25:00] getting your CCP or even CCA, so that you can kind of understand, when you're

[00:25:05] courting a C3PAO, just try to understand more about where that organization is coming from, and

[00:25:10] do they have that same perspective that you're talking about, a healthy respect for all of the

[00:25:16] required controls, and that you have the level that you need to have them met, but they're

[00:25:19] rooting for you, right? That you want them to pass, but you're not going

[00:25:24] to sacrifice in that process. But there's nothing wrong with being, you know, cheering for

[00:25:29] them to succeed, right? For sure, yeah. And the thing is that when I'm assessing an organization,

[00:25:35] you know, we look at the controls, and I would say that those of us in the

[00:25:39] assessment community agree on the interpretation of about 90, maybe a little higher than that,

[00:25:45] but there's those few controls that we interpret just a little bit differently at

[00:25:49] the objective level. And so, you know, what does it mean? And so when I look at a control, we...

[00:25:54] What does it say, what does it mean, and how do I apply it? And I think to pass an assessment,

[00:26:00] the bar is just a little lower, I think, than higher, because I'll give you an example. Like,

[00:26:05] one of the controls talks about MFA, so if I walk into a situation with an

[00:26:10] organization and they have MFA enabled, but they're only prompted every three months or

[00:26:15] four months, as a security professional I'm probably losing my mind over that, but as an

[00:26:19] assessor, did they do it? And the bar is a little bit low, and that's really the difference between

[00:26:25] compliance and security. As all of your listeners know, there is a difference. You know, I often tell

[00:26:31] the story that, you know, I have a five-year-old little girl, and if she comes to me in the

[00:26:36] afternoon, like at 4:30 or so, and she says, hey, can I have some fruit snacks, I'm probably

[00:26:40] going to tell her no, and the reason I'm going to say no is because I don't want her to spoil

[00:26:44] her dinner. But if I leave the room and I come back and she's eating an ice cream

[00:26:48] sandwich, and I look at her and I say, hey, I thought you said you couldn't have a snack, and she says,

[00:26:53] you said I couldn't have a fruit snack, you didn't say anything about an ice cream sandwich. True.

[00:26:59] Technically she's correct. So that's the difference between compliance and security.

[00:27:02] So, future CISO. And right, or a lawyer. Yeah, or a lawyer, yeah. Now, from a CCP,

[00:27:14] what would differentiate you? In your opinion, you touched on this a little bit, but I just

[00:27:18] want to kind of give you an opportunity, if you feel like it's necessary, to kind of create a little

[00:27:22] bit more differentiation between the CCP and the CCA as far as what the material is covered,

[00:27:27] why you may want to invest further down there, because there may be people that may want to get

[00:27:32] their CCA that aren't necessarily going to participate in assessments, but I mean, that's

[00:27:37] obviously a big reason. Can you talk more about that? Sure. So, as it currently stands, the CCP,

[00:27:43] the certified CMMC professional, can only assess the level one practices. Now, in a level two assessment,

[00:27:51] let me back up a little bit. Level one is self-assessment, so if you're only in possession

[00:27:56] of federal contract information, or FCI, that is still self-assessment. If you're in possession

[00:28:02] of CUI, that moves you to at least level two. Now, there are some instances where

[00:28:09] you can self-assess at a level two. We're not exactly sure what that means yet, what levels

[00:28:15] of CUI would permit that, but what I say is, when we do a level two assessment, we are, as

[00:28:23] part of that level two assessment, assessing the level one practices as well. So that's where

[00:28:28] a CCP would come into place, is that a CCP can assess those 17 level one practices without a CCA

[00:28:36] helping them assess those. Now, the CCP, we believe, it sounds like, will be able to help gather

[00:28:45] evidence for level two practices, but they can't make the final determination. That's why you need

[00:28:50] a CCA, and a CCA will require a little bit more than a CCP: the suitability, for sure, and then

[00:28:57] there's a three-assessment requirement. As it currently stands, in order to become a CCA, you

[00:29:02] have to have gotten your suitability, and you have to have participated in three assessments,

[00:29:09] so, you know, there's an experience component there. So to answer your question, if someone

[00:29:13] wants to go on to be a CCA, I would certainly recommend that; we're going to need assessors

[00:29:19] in the ecosystem. But if you want to become a CCA and not necessarily be an assessor, but

[00:29:24] still live in a consultant space, that is perfectly fine. Just know that the difference

[00:29:30] between the two is the level one practices versus the level two practices, and I think there are

[00:29:36] some training providers who, when they're teaching the CCA class or CCP class, they're only

[00:29:45] covering the level one practices. Right? We're covering the level two as well, like I mentioned

[00:29:49] earlier. Why? Because we thought that it would be beneficial to those CCPs. But that's really

[00:29:55] the differentiation: level one practices. In the training material, how's it different between the

[00:30:00] CCP and the CCA? We're a lot more scenario based. We do, you know, a little bit deeper dive

[00:30:07] into scoping, because the exam is a lot different too. The exam is very scenario based

[00:30:13] in a CCA, whereas CCP, there are some scenario questions, but it's largely trivia, things like,

[00:30:19] you know, who manages the CUI registry? NARA. What established the CUI program? Executive Order 13556.

[00:30:27] so knowing that trivia but it's it's it's important to know a lot of times what is

[00:30:34] can be better understood with what has been so right now when you are

[00:30:42] trying to make that decision of going to whether you would want to go for the cca

[00:30:47] um there you mentioned that you you would have to have a certain amount of assessments so it

[00:30:52] i guess if you went to go get your cca but you didn't do the assessments uh you could pass your

[00:30:58] test but not be formally a cca how would that work or has that ever been clarified

[00:31:03] so as it currently stands um what we're told um from caco is that if you take and

[00:31:11] pass the cca exam you are a cca but there's a little asterisk there right because i can't

[00:31:19] just pass the exam and say hey i'm good i can participate on an assessment in order to

[00:31:25] participate on an assessment as a full cca you have to have passed suitability which is uh

[00:31:31] filling out the sf86 standard form 86 which translates to a tier three suitability and you

[00:31:37] have to have a three assessment requirement but here's the thing if all you do is take the class

[00:31:42] and pass the cca exam you will show up on the marketplace as a cca and you would have every bit

[00:31:49] as much knowledge as another person who has gone through it uh with the suitability and the

[00:31:56] the um three assessments but you wouldn't have that experience component but from a

[00:32:01] knowledge perspective it would be pretty even yeah good good that's good to know well matt

[00:32:06] thank you so much for joining us today it's it's great seeing you again and as always you know

[00:32:12] your your passion for what you do is greatly appreciated thank you man and i appreciate what

[00:32:18] you do you know you're living in the msp space i came from the msp space and you're always

[00:32:23] trying to do more with less and i feel your pain i really feel your pain it's it's it's

[00:32:28] going to be an interesting few years as we you know find parity and and equilibrium in that

[00:32:33] space because there's just really not many tools and other things that are in there quite yet

[00:32:38] because it's still in its infancy but it's getting there it's getting better um and uh

[00:32:44] but you know just kind of like what you shared before the passion for trying to do

[00:32:48] the right thing and help people try to get there and as well as supporting the warfighter

[00:32:52] in their journey and and trying to help secure the ecosystem because i think there's a little

[00:32:57] bit of patriotism for everybody that's involved in this and uh that's part of the reason why i

[00:33:02] like doing this as well agreed totally agree well as always everybody thank you so much for

[00:33:10] joining us tune in for next time and don't forget to keep on climbing make sure to follow

[00:33:15] us on linkedin and youtube to stay up to date on the latest cmmc news we hope you guys enjoyed

[00:33:21] today's episode and listen out for the next one but until then keep on climbing