What Do You Need to Know About the CMMC Phase II Suspension
Climbing Mount CMMCJuly 16, 2026x
14
00:34:5023.97 MB

What Do You Need to Know About the CMMC Phase II Suspension

In this episode, Kaleigh and Bobby address the recent suspension of Phase 2 of the CMMC requirements, its implications for contractors, and potential future developments. They analyze the impact on compliance, industry readiness, and the government's approach to cybersecurity standards. Sources mentioned in podcast: Vince Scott's Episode: https://youtu.be/QbhHdHM7e0c Grace in CMMC Episode:https://youtu.be/54--Ah6zod4 Matt Travis Episode:https://youtu.be/rzeumax1HqQ Link to the DoW Release: CM...

In this episode, Kaleigh and Bobby address the recent suspension of Phase 2 of the CMMC requirements, its implications for contractors, and potential future developments. They analyze the impact on compliance, industry readiness, and the government's approach to cybersecurity standards.

Sources mentioned in podcast:

Vince Scott's Episode: https://youtu.be/QbhHdHM7e0c
Grace in CMMC Episode:https://youtu.be/54--Ah6zod4

Matt Travis Episode:https://youtu.be/rzeumax1HqQ

Link to the DoW Release: CMMC Phase II Suspended to Boost DIB Innovation

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Bobby got by six. Good job. What is it doing? Oh, yeah. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaylee Floyd and this is Bobby Guerra and we are a part of an MSP called Axiom

[00:00:29] that is CMMC Level 2 certified and taking clients through to get CMMC Level 2 ready. We are hopping on to do a quick update because of a major announcement that came out recently that made everybody post whatever they felt on LinkedIn. You know, it's so much fun to go on LinkedIn when things like this happen. I'm shocked that it's not Thanksgiving this time because normally this stuff happens around

[00:00:59] holiday if we're lucky. So, I mean, it's close to 4th of July. I guess they got pretty close. But if you are not aware of what occurred on July 13th, the Department of War announced that they were going to suspend the CMMC Phase II requirements. So what does that mean? In 32 CFR, the final rule, we got the layout of the land of the phased rollout implementation for CMMC.

[00:01:25] We go through four phases to get everything fully ready, basically meaning that hopefully all the Department of War contractors are now compliant with CMMC at the level that they should be. But of course, we can't do this all at one time. So they had to have a phased in rollout where we could kind of go through just the self-assessments at first. Then the Phase II would have the Level II requirements from a C3 PAO.

[00:01:54] Then, you know, the Phase III would happen and it would add on just these layers so that it wouldn't all happen at once. Well, with this, the suspension of Phase II, meaning that Phase II in November of this year, November 16th of this year, was supposed to happen, is no longer going to happen on November 16th. Now, they did make it very clear that they didn't give a date of when it was going to happen.

[00:02:21] So it was scheduled for, sorry, not November 16th, but November 10th of 2026 of this year. But now they said it will be suspended. So not quite sure when it's going to happen or how it's going to happen, but it's not going to happen on November 10th anymore. Now... Well, an important thing to realize is they didn't suspend compliance, right? We're still in Phase I. So that means that contracts are still going to come out with the 252-204-7025 and 7021 requirements.

[00:02:51] For self-assessments. For self-assessments. They reserve the right, if they want to, to require a third party. That's still there to use if they wanted to. I'm just going to share my perspective. The math wasn't mathing. We've been saying this for a while. We've been saying it for a while. Vince Scott came on and I think did a great job of sort of just talking about, look, you know, generals need missiles and tubes. And they also know that threat actors are going to threat.

[00:03:18] So you kind of have these two kind of competing things that are happening and the Dib is sort of caught in the middle. And what, just over 2,000 organizations at this point are level two certified. Well, that's not enough to get the Dib space continuing to move. So they obviously, I think, saw that and said, eh, we can't move into phase two where it's going to be required. And I didn't, I was like, how is this even going to happen? This doesn't seem like a thing. So I think somebody realized there's not enough money in the bank account to cash that check.

[00:03:46] So they said, oh, let's pause. And so that's what they did. So, but they didn't put a pause on security requirements. They didn't put a pause on the fact that people aren't going to have to have a system that's compliant of receiving CUI. They know that's going to happen. So that didn't go away. And I don't think that's ever going to go away because you have the FAR rule that's coming out later this year that is going to be government-wide, that is going to require

[00:04:12] 800-171 to be applied to every government agency that's going to be utilizing CUI. So even if they decide to put it on pause indefinitely or they, you know, nuke 252-204-7012 from orbit for whatever reason, the FAR rule is still going to be there and it's still going to apply and it's still going to make you have to have that system. So it's still that same challenge that everybody's had. It's just they don't have the bouncer at the door right now that's checking everybody's ID, if you will.

[00:04:41] And that's really what you're looking at. And you still have the same risk. Yeah. And I mean, it's pretty clear to the DOW that people weren't really going to get their butts in gear and do the requirements unless they put something as far as like to check or fact check that it's happening in place. So there's definitely going to be something like that put in place. I feel like they're so sick of it, of their data getting leaked to things that they shouldn't.

[00:05:11] So something's going to happen. The question is just what exactly? Now, as far as the timeline now, there is a time that we have heard of, which is that there is going to be a CMMC task force that is going to be looking very strategically on CMMC requirements. And I think more specifically the assessments and how we assess these information systems for the next 60 days.

[00:05:40] So after that, we hopefully will hear what they're going to do moving forward. I would be pretty shocked if they had a whole new assessment process within 60 days. Yeah. But I'm quite curious on what they're going to accomplish in those 60 days or look at. But they do have an RFI out. So a request for information. Yeah. Let's talk about that. Yeah. Let's talk about that. And I'm quite curious about your perspective on that.

[00:06:08] Actually, we haven't discussed what your perspective is on that. Yeah. We're going to submit suggestions and I'm looking forward to doing it. I just still my brain was still kind of just like, whoa, what the frick just sort of happened? You know, it just they could have given us some more signals than to just be like, surprise, just sort of jump out of the closet. But yeah, whatever. They're good at that though. So that was a bit shocking. I mean, I was literally in a CCP class teaching it. Right.

[00:06:37] And I'm trying to show the resource links and they're gone. I'm like, I go and it says 404 page not found. I'm like, what the heck is going on here? I'm like, well, I'm sorry, guys. I guess they changed some stuff. I'm like literally going through talking about it in a class. And so then I'm like, well, the logo at the top looks different. I go to look at it and like now I see, you know, the page is different, you know, and I see the banner. CMMC is just gone off the top. And I was like, what the hell? You're chicken riddle.

[00:07:06] And the sky is falling. Yeah. I was like, what's going on? And then I start about because they did that around like noontime or something. Yeah. And so those resources were disappearing. And then later on, they reposted the CMMC announcement page. And then all that stuff sort of drop it around two or three in the afternoon. So then the other shoe dropped during the class. And I'm just like, what the heck? You know, students are asking questions and trying to go.

[00:07:33] It was just it was very interesting to be right in the middle live of what's going on, of teaching the material when it in a big major impact like that happened. It was very surreal. Yeah. And I had to finish the class teaching out. And everybody's asking all these questions and we're going through. I'm like, look, guys, I'm finding out with y'all at the same time. I'm right here with you. Yeah, I'm right here with you. Just bizarre to kind of see that. But what's interesting is then today I was teaching the course again.

[00:08:03] And but today one of the subjects we covered was the pause between what people affectionately refer to as 1.0 to 2.0 versions. It's just CMMC. But the reality is they've already this is this has happened before. And if for those that may not have remembered, they had five levels originally in the first original kind of release design that was supposed to really push down a lot more.

[00:08:30] There was 20 additional controls on top of the 110 controls that are coming from 171. So there was there's going to be a lot more meat on the bones of what they're wanting to see. And they were like, this is too onerous. So they paused it. They reevaluated and said, you know what, let's just go down to Manila 171. We're going to go to three levels. This is going to be better. The difference was it was not in the Code of Federal Aleation yet about exactly how it's going to be. That's different.

[00:08:59] Now, 32 CFR is out, 48 CFR. They're already out and working. They've been moving. So if they want to change it now, they're going to have to undo regulation, which is completely different. So in the RFI recommendation that I have that I'm going to provide to them is like, I want to write it in in such a way that obviously it's going to have to address some of the context of the challenges they're going to have to overcome with that fact. Right.

[00:09:27] So if you have that 60 days to me, I think the easiest thing, first off, would be a straight pass after 88. You're going to have like what you still just certainly going to be 3.12.4. Right. For the assessments, you mean? Yeah, for the assessments. You still need to have your SSP, but assuming you have your SSP, allow people to fail one, three and five pointers. If you had 10 people in a room, you're like, I need everybody to agree on all 110 controls

[00:09:56] that this is how it needs to be done, that no one would think that's possible. But yet somehow magically we can have random assessors meet with a random OSC and we're all going to agree about how all 110 of those are supposed to go. And oh, by the way, if you fail any of them from the assessor's perspective, you get kicked right back to the stone ages as far as in you lose your contract. That's draconian. Yeah. It's just that assessment process is crazy hard.

[00:10:23] So if they could just lower it to the 88, you know, give everybody 180 days to fix anything that they have. So that would drop the cost dramatically. We wouldn't charge as much for services. It wouldn't be as hard for us to implement because trying to come into anything with perfection at that largest scale is immensely hard. You had to think, and people might try to understand this from like the outside looking in from like a company like us.

[00:10:51] And they're like, well, just lower your costs now if you like, if you want small businesses to pass. You have to understand, we have to hire the people in those positions that can get those clients ready in a perfect, you know, sense for these assessments. They cost more money. We have to pay for these people that are expensive. And how are we going to pay for it? You know, but that's different if we can like relax some and breathe and actually be able

[00:11:21] to get through an assessment, even if it is like a type of assessment that's not we have to be perfect, but rather we can fix some mistakes because we're willing to do that. We want to do that. Yeah, give us some grace, which is we have like three episodes of the podcast already about how there should be more grace in CMMC. And I really hope that they'll listen to some of these perspectives of it, you know? If they could bake in that, I think that would, from our perspective, that would drop our

[00:11:50] costs to our clients. That would make an impact. And here's the next thing I think they should do that would make a massive impact on the implementation costs. And some people are going to flame me about this, but drop the FedRAMP requirements. All right. You're not a 20, you're not a 20X fan, whatever. Like, okay, sure. The DoD is going to have to accept some risk if you allow CUI to be stored in, you know, basically any cloud platform.

[00:12:20] Do you, does the DoD want to allow that? If they did think about how much easier. Oh my gosh. Implementations would be like you could use the commercial version of 365. Licensing costs. Yeah. Now Microsoft would hate that, right? They're like, wait, everybody's going to freaking not use her. What's the GCCI? And we're like, oh well. But I mean, how many times do clients come to us and we're like, look, we're going to have to move you from commercial this and move you to the government version of that.

[00:12:47] If they, if they did away with that and they were willing to accept that risk. I mean, I know some people are like, that's insane, Bobby. Don't do that. I agree. Like it, it should be in place, but I don't think the organization as a whole FedRAMP as well as the ecosystem is really prepared to handle like what's been thrown at them at the timeframes they're trying to do. So if we tried to handle it a little bit more realistically and allowed people to store those

[00:13:15] types of things, or at least just come up with a list, maybe not FedRAMP, just of approved vendors that you can store CUI, you know. Yeah, exactly. So, okay, great. So we won't allow, you know, China to stand up a fictitious company and try and see how many dummies they'll go ahead and sign up to put their cloud data there. Okay, I get that. Yeah. Yeah. But you could have a list of maybe, you know, some type of vetted process or just that you're going to have. And that would just be hugely helpful for organizations.

[00:13:43] Okay, so they could still use the commercial version of the products to be able to store that CUI? Yeah. Bing! I mean, wow. We wouldn't, so many conversion costs, upfront charges, tenant bill processes. Man, things would be substantially cheaper for clients. Yeah. That would drive the cost down. Yeah. Astronomically for them. But DOD would have to accept that risk. Do they want to do that? Traditionally, they were like, not no, but heck no. They do not want to do that. Yeah.

[00:14:10] And the last one for me would be FIPS. Nuke FIPS from Orbit. Just FIPS compliant would be good enough. If they got rid of FIPS, think of all the tools and solutions that we could use to help make the client's lives much easier. So many tools are just, they don't have FIPS compliant capabilities. And it's just like vendors and solutions. We just can't, we can't use them. And just the way that CMMC works in general, a lot of people don't think about this, but this is honest to God truth.

[00:14:39] It is like getting into a fight with one hand behind your back using toothpicks. Like, and like you're figuring out how to get it done because they take everything away from you because of the compliance requirements, because the industry is not caught up. The industry is not ready for it. It sounds good in theory. In theory, but right. If everybody was caught up, but they're not. And yeah, this is an opportunity to like, again, slow roll it in that sense, because I know

[00:15:05] we talked about this in our interview with Matt Travis from the Cyber AV, but everybody keeps talking about the bottleneck being CCAs. I even was reading, you know, in the CIO's like memo and stuff like that of just the thought that it's like the assessment cost and that's it. Sure. The assessment costs a good amount of money, a good chunk of money. But hello, can we be the first to say that we cost a lot of money? We are the ones, the implementers that have to do this.

[00:15:34] But there's a reason why we cost a lot of money. It's because it's really freaking hard to do this at scale. And we have to have like how you're saying the government version of all these applications. It costs more. The licensing costs more. We have to do all this stuff differently. And if we didn't have to do as much of that, it wouldn't cost as much. And then they could get through it. We don't want to charge this amount. Like we want to be fair to small businesses when we can.

[00:16:04] But it's just how tough the assessments are to pass at a perfect scale. We have to do what we got to do to let the client pass. I guess, you know, we could try to say like, let's see what happens and go with the flow a little bit. But that's a risk for that $50,000, you know, $40,000 assessment that our client is paying for. And we're up on the chopping block, you know. And so it's crazy that they're still talking about just the assessment costs.

[00:16:34] But like, hey, we're very much aware that we cost a lot of money. The implementers cost a lot of money. So please hear what we're saying as implementers of what is tough. And if we can drive our costs down, like that can greatly benefit small businesses. And we can come in and help those people and lower the cost of it, you know. And like I think that's what they've got to do. But I hope that they listen to us. But I don't know. We'll see.

[00:17:02] Well, and then everybody's all like, oh, you know, 171 is too hard. Those things are different. No, it's the things that I just listed that are so stupidly hard. Like if you took those off the table, dude, we could be crushing it so much easier and supporting clients and driving the cost down massively. Sure is change control for a 10-person company like kind of stupid and hard to do, you know, for them, you know, because they're like, wait a minute. There's only 10 of us. There's only one. I'm the owner. The rest of these people are doing like how are we doing change management?

[00:17:31] I mean, I get it. Like 171 doesn't for these really small companies doesn't really scale as well. But you can get through those. Those aren't that bad if you have implementers or people that know what they're doing, how to do it. Just make the solutions and tools much easier for people to just meet it where they're at. If they could just meet it where they're at, that's where you're going. But that's not what they can do. They've got to reorg and rechange and just redesign so much to try to meet the controls where they're at.

[00:18:01] But if you're just like, hey, we're going to have you just apply 171 where you're at, you know, it's going to be a lot easier in cost to do. It's just so that's kind of what I'm going to be trying to push on the RFIs, just like let's just have some sanity, you know. And I think the last recommendation I would have is, you know, don't do away with third-party assessments. I think they still need to happen.

[00:18:28] I think they're the savior of compliance around it. But just make it reasonable. Like I said, the 88 would make them so much easier to pass. That would drive the cost of the assessments down. There's a lot of things that are driving this cost. And if you don't have to be perfect and things are, you know, it just – everything just goes down dramatically for those. But they still need to have the assessments involved.

[00:18:55] But – and like make it to where, you know, you have peripheral treatment on those contracts based on the fact that you got a, you know, high-confidence assessment done to a third party versus someone that self-attests. Like make that a difference maker. And then allow people to make the choices from there. You know, it's a business decision at that point. You know, okay, so you're a small business. Maybe you just do self-assessments. Okay, so we know that you're probably going to lie. Okay, sure.

[00:19:23] Yeah, and they might not pick you for the contract because of it. It's up to them. Right, but because you're SMB, maybe they just might let them slide. At a certain point, you're forced to have to do third party. I mean, there's different ways you can sort of attack it. I mean, none of those are great solutions. But let's not throw the baby out with the bathwater, right? Like, you know, let's try to come up with something that still keeps us within the ballpark. Yeah, yeah. You know, but I don't know. We'll see.

[00:19:50] I mean, when you went from, like I said, I was teaching that class today. And I was just like how nostalgic I was. We're talking about going from the five levels to the three levels and how they did those changes. And here we are again going through some type of change. What is those changes going to be? Not sure. So let's look at what options are on the table for change. And what do I mean by that? So because 32 CFR and 48 CFR are in the Code of Federal Rehension, it's like it's there. It's ready.

[00:20:20] So right now about the only option they have is to pull the emergency brake on the way the rule was written, which is just pause the system, which is what they did. They just went, right? And they're like, we're pausing the rollout, which is well within the rules. It says they could do that. So that's what they did. They pulled the handbrake. And we talked about that in some previous podcasts. So they hit that handbrake, you know, mega, right? So they just paused it in phase one, which is fine. But that doesn't solve 32 and 48. It's still there, right?

[00:20:49] That the debt of the requirement is still there to have it met. So they can either, A, keep it for a period of time until they feel that balance has happened. And then maybe they'll let the handbrake off a little bit more reasonable through orders and management and control of that. And that's still within the 32 and 48. So they could kind of, you know, hit the brake and gas pedal and sort of slow roll their way out of it. That's how they could do it, knowing that organizations just simply aren't doing it, right?

[00:21:18] Everybody's speeding and they just hope they don't get a ticket because there's just not enough cops to catch them. No. Yeah. And then the other option would be go back through rulemaking, right? So they propose a new pool. And that's going to be a year and a half to, what, two years, something like that? And then the other option would be some type of class deviation of some sort. And I'm not even sure if that's even quite legal and how you could do it with the 32 CFR written how it is. I'm not an attorney.

[00:21:47] I don't really know that. But I know those are kind of like the three general options that are sort of on the table for that. Yeah. Yeah. I am quite curious about, I'm not going to act like I live in this government world and I know everything about the, you know, CIO and the Department of War. But rather we're just kind of living in this space, like kind of trying to figure it out.

[00:22:11] And honestly, I wouldn't be shocked if Kirsten Davies, she, you know, if she was just really trying to play a game of like, I see you, small or medium-sized company. And I'm with you. And I love you. Yeah. And then the 60 days are up and they go, I don't really want to figure this out though. So continue forward. And then they just do absolutely nothing. But they just wanted to win the hearts and minds of the small and medium-sized companies there.

[00:22:40] With this beautiful RFI where it's like, we want to hear you. We want to see what you have to say. And then they do absolutely nothing. Just, I mean, I wouldn't be shocked too if that happened because I've seen scenarios where that has occurred. Where they kind of gave a nice little middle finger to what we had to say and just continued forward, you know. And so I wouldn't be that shocked if that did occur.

[00:23:09] So I do think that that's kind of important to mention, especially if you're somebody that's like getting your clients ready for an assessment or about to take one. It's like you also don't know if they're about to go and look at this for only 60 days and realize this is kind of a lot of can of worms. I think we're just going to keep it where it is and just let it ride, you know, because it is a lot to unpack. Like what you said, 32 CFR, fully out, 48 CFR, fully out.

[00:23:36] It describes in detail the whole phase rollout, what things are like. You would have to backtrack all of that. That's pretty wild. So I would not be shocked if she came in and was like, Kirsten's like, I'm with you, small business. And then goes, but not that much with you. And then this is just right now. Yeah. So I don't know. I mean, I'm quite curious on what is going to occur after the task force takes on.

[00:24:05] I think they're going to look at the RFIs. I think they're going to look at some stuff and I think they're going to figure out how they're going to make some changes. It may be rearranging the chairs on the boat, but it's still heading the same direction. Or they could make some minor course corrections as well as rearrange the deck chairs. Like I don't know how that how they're going to do it. No one really quite does. I've talked with several people and friends that I know that were in the DOD. They had no idea this was even coming.

[00:24:35] So it seems like Ms. Davies and the DEFSEC had some some plans and not everybody necessarily knew all of those plans that were going on. And so I think a lot of people were surprised at how this went. And I think you might be right, Kaylee, there there there might be a nothing burger through some of this process. Just they wanted to say that they did their due diligence and review of that process. Yeah. I don't know where this is going to land.

[00:25:04] So we're going to have to look as far as in whether there's going to be minor or any changes at all through this process. So this 60 days is definitely going to create a lot of interesting perspectives. Organizations that are doing hiring are probably going to take a wait and see attitude. Organizations that were planning on scheduling are going to probably wait to see how that's going to play out. So this is going to create some chaos for sure as this starts to settle. Let me just say about this.

[00:25:30] If they if they really were they really were for the small businesses and for the you know, for the people that are trying to do the right thing.

[00:25:39] It really is crazy to do something like this and lose a lot of confidence in the CCA program and C3PAOs and all of this structure that literally we American citizens worked really freaking hard to set up and put in place so that we could adhere to your cybersecurity standards that you put on all of us.

[00:26:06] Then we take all the time and effort to sit in these classes to to open these businesses to literally crush it with these assessments. Actually blew it out of the water of what your guess was of how many assessments we get done in the first year. We actually did more as a community. So not only do we extend your expectations, we literally did more than it.

[00:26:32] Then you proceed to say, actually, pause, because we care about you, small and medium sized companies. I'm like, well, what about everybody that worked so freaking hard to try to get this thing working? And now, even if you like, even if you end up coming back and saying we're going to keep doing it, people have this like iffiness of like, I'm a CCA for a job. And I don't even know if maybe tomorrow I'm not going to have one. And, you know, it's crazy. They already kind of did that with the Keiko scenario.

[00:27:00] We haven't talked about it a lot. But basically, they gave a big middle finger to the LTPs and they said they said or not a licensed publishing. Yeah. So like the publishing partners, they there's no such thing no more, you know, at the end of this year, I think. And there's no such thing of them. And it's just Keiko. It's just Isaka stuff. And so all of this work that these people put into their companies and whatnot, that goes away.

[00:27:29] And this is like adding on to that. And I'm just like, if you're really trying to do a big hoorah, like we're for this. This is an interesting perspective to make them all doubt the entire system that we've put together so far. Like, could you have given a little bit more information or maybe not have said, hey, we're going to suspend this whole thing, but rather just looked at it?

[00:27:52] Like, what if you just took a look and just decided for yourself, why do you have to scare the pants off of everybody in the process? I just don't. I don't get it. But I haven't been living in the government world. You know, I come from the MSP community that we're just trying to live in this and figure it out. So maybe, you know, my heart would be already broken and it would be used to it by now. So it wouldn't make any sense to me. But right now, the yo-yo process of the government. Yeah. Yeah. But right now, I'm like, what a prick.

[00:28:21] Some of the people that I've talked to, like you said, that have been in the space longer, that have seen a lot of this schizophrenic approach because you have a change of administration and other things. So this is to be expected to some extent because you've seen it traditionally go to happen, but it doesn't feel good when it does for you. When, like you said, Kaylee, you know, we're a small business. We listened to the call. We need you. Get in the industry and help us out. We did it. So we're here because we believe you want us to be here.

[00:28:51] And then you come off the turnbuckle with an atomic elbow and say, we're shutting you down. Kapow. You know, and you're like, what? You know, right. I thought I'm supposed to be on this X, not this is where you shoot the person, you know, like, you know, so it's really interesting mixed emotions and feelings through that perspective.

[00:29:14] But I feel like as you've been in the government longer and longer, you're going to have to expect to pivot to some extent because of the schizophrenic nature of how they operate. But the challenges are still challenges. The threats are still threats. Yeah. That's not going away. And so they're going to need these types of things to some capacity regardless of what's done. Right.

[00:29:35] And so my hope and prayer is that, you know, cooler and smarter minds prevail because to some extent of what you're talking about, there are plenty of organizations that have financial requirements that they've lined up to meet the things that the government said they were going to do.

[00:29:53] And if they just torpedo and derail and dismantle those, what does that open up from a legality perspective of the responsibilities that they've said they were going to allow to have happen and they just shut it down? You know, those organizations just go out of business and their capabilities are going to change and what they have. You know, if they shut down C-3PO process entirely, what happens to all the C-3PO's and all the money and the ISO costs and the things that they did?

[00:30:21] They're going to just say, oh, that's – you got us. Way to go. Like some people are going to be unhappy about that and probably expect some type of compensation around the due diligence and trust that they put in the government of what they're trying to do. Yeah. And so I hope and pray that it doesn't go that direction for a lot of those people and that they just try to find a more happier medium ground. But we're going to have to wait to see to see how in that 60 days how that's going to play out. Yeah.

[00:30:49] And so because of this, we're going to cancel the podcast entirely. We just leave it up. Nope. Just kidding. No, I think we're going to be on it honestly more than we ever have because we'll see just what is occurring. And we'll be – I mean we'll be honest on what we're hearing in the space and the ecosystem and what's occurring because I know it's going to be a weird time for everybody.

[00:31:11] Well, I think for us as managed service providers that, like I said, the FAR rule and the 7012 requirements for 171, organizations need to have a CUI-capable system. And they're just not capable of doing it themselves. So managed service providers are going to be needed. That has not changed. That will continue to happen. Keep implementing, please, because we're going to be behind. They're going to need implementers. More implementers need to say that has not changed. That's still going to happen. You know, Axiom is still going to be around. I have no doubt of that.

[00:31:39] You know, some people are just doomsayers about those types of things. You know, the sky is falling and it is not falling. It's just the way that they're expecting and implementing may change some around it, which I understand. I think we all kind of agree that it had to change to some extent. Yeah. So this could ultimately end up being a good thing for everybody. It just everybody tends to not trust the government about the choices they make. So we'll see to reserve judgment.

[00:32:05] But the reality is that those types of activities are going to happen. I just think managed service providers are still always going to be needed. The question starts to become the ecosystem like, you know, third party assessment organizations, people like the cyber AB. You know, is the cyber AB OK after they start, if they shut down all the C3PO assessments indefinitely? And that's a big way that the cyber AB gets paid. Yeah.

[00:32:35] And then, you know, if CCA, CCP is going to, LTP is not going to exist anymore. Did ISACA just totally get shafted? You know, like. Oh, my gosh. They just got handed the keys to the key. You're an empty house. You know, you're like, what? That's nuts. Yeah. So for those that aren't, that are just maybe new to the game, like ISACA got handed the certification process like earlier this year. Yeah.

[00:33:00] And so they're just new to the game of taking over the certification process around, you know, the people getting CCP or CCA'd and CCIs. And they, you know, if they think, oh, you know, we're not going to do assessments. Do they kill those programs then? Like, I don't know. That would be. That's a lot of dominoes to fall. That's a lot of dominoes. I can't imagine they're going to do that. That would be crazy. That sounds crazy. Yeah. That would be crazy.

[00:33:30] Yeah. So hopefully cooler heads prevail, but we'll definitely keep you up to date on what's going on. But everybody stay calm. Everything's going to be fine. Put your oxygen mask on. Actually, just put it up. The plane is not even falling. It was just a bit of turbulence and you were scared about it. It's going to be okay. I'm still wearing my CMMC shirt. It's alive. And, you know, we've been saying that we'll be keeping you guys updated.

[00:33:57] So, I mean, again, please, if you're not already subscribed to our stuff and whatnot, make sure to hit the subscribe button or follow us on LinkedIn so that when we update you on there, you'll get notified. And also, too, if you want to comment any things that you want to talk about specifically your perspectives on it, like, feel free to do that. Please don't send any hateful comments to my DMs. I don't want it. You can send it to Bobby's, though. It's totally fine. Just kidding. Yeah.

[00:34:25] And again, all of this, we're not claiming CMMC Jesus. We just heard the news just like all of you guys. We're not in the special no or anything like that. So we're just reviewing it just as much as you guys are. We will try our best to continue to post updates as they occur. But we will see what occurs in these next 60 days. So just remember, guys, as always, to keep on climbing. See ya.