The Cyber AB's May 2026 Town Hall packed in major updates, and if you work with an MSP, use cloud services, or are trying to figure out where your compliance responsibility actually ends, this episode is required listening. Brooke and Stacey break down everything contractors need to know: ESP vs. CSP distinctions, FedRAMP changes, new leadership, Marketplace 2.0, and the single biggest takeaway every OSC needs to hear.
📌 What You'll Learn:
- What the new joint venture FAQ clarifies — and what actually changes (hint: less than you think)
- The status of the official CMMC certification badge and what you can display right now
- How FedRAMP 20X is changing authorization language — and why DoD's "moderate equivalency" standard isn't moving
- The three questions every OSC must answer about their ESP
- How to tell the difference between an MSP and a CSP — in plain English
- The five NIST SP 800-145 criteria that determine whether a service counts as cloud computing
- Cyber AB ecosystem updates: monthly RPO meetings launching in July and Marketplace 2.0 preview
- The biggest takeaway from the town hall — and why the burden always lands on the OSC
- Webinar Announcement: Whose Control Is It Anyway? — free live event July 21st at 12 p.m. CT
Welcome And What We Cover
Stacey: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're breaking down the Cyber AB's May 2026 Town Hall: a deep dive on external service providers, ecosystem updates, new leadership, and marketplace news. So let's dive right into it. All right, Brooke, it looks like they talked about some key program-level updates at this town hall. Could you enlighten us with what they mentioned?
May 2026 Town Hall Overview
Brooke: Absolutely. And first of all, I kind of apologize, because it's been a little busy around here, so this town hall update is a little late coming out. The June one's fixing to come around. But a couple of program-level updates: they have a new COO there, Matt Newfield.
New Leadership And Joint Venture FAQ
Brooke: He's been in the ecosystem for at least five years, so there's a new person there. They also, and I guess this is kind of program level, talked about the PMO adding some new FAQs. One of them is on joint ventures, and really it's more of a clarification; they didn't change anything. As these FAQs are, they're just clarifications. So basically, unless a joint venture changes the way a company does business, so you already got certified as, for instance, two or three different OSCs with different CAGE codes and different UIDs, unless the joint venture changes the way they do business or the scope of anything, then everything will just fall under each of the CAGE codes, each of the companies that's under that joint venture. The joint venture itself doesn't necessarily need a new CAGE code or UID unless they're changing the structure of the business and that's how they're going to start trying to win business, or unless they are changing the scope of something. And really, even then, changing the scope kind of depends on how you're going to do business and how services are going to be provided. That's the big old giant "it depends" answer. But it's basically going to stay the same; nothing's going to change there. The joint venture doesn't necessarily need a CAGE code if the businesses underneath it are still doing business as they always have.
Stacey: What's the status on the OSC certification badge and FedRAMP Moderate equivalency?
Brooke: Yeah, so everybody wants a way to put on their website, on their LinkedIn, on all their social media, on their email signatures, I guess, a way to advertise that, hey, we are CMMC Level 2 certified, right?
Certification Badge And FedRAMP Changes
Brooke: And I understand that. We want to advertise that as well. You can say that, and you can say it all you want, but there's nothing official that you can put on your website. The certificate that you get is not public; they don't want you to display that. But they are working on some sort of certification badge. I'm thinking something like what CCPs and CCAs have, through a badging system, so it's more official and can be relied upon: when you see that, it's somebody who's actually got a certification. So they're working on that; they're trying to figure out all the details and all the ramifications of that. As far as FedRAMP Moderate equivalency goes, as y'all probably know, they've changed some language around the FedRAMP program and they're getting ready to roll out the FedRAMP 20x program. Now, the DoW still calls things FedRAMP Moderate Authorized. But if you look at the FedRAMP Marketplace, everything new there has switched over from "authorized" to "certified." So now you're certified, and you're certified with a, gosh, I don't have a note here of it, but it's a letter designation, a level after that. So FedRAMP certified level A, B, C, or D, right? C is going to be Moderate, D is going to be High, and A is going to be what used to be FedRAMP Ready, I believe. So anyway, it's changed a little bit. But as far as FedRAMP Moderate equivalency goes, the DoD, or DoW, excuse me, Department of War, has not changed that. It's not going to change. It's going to stay Moderate equivalency, right? And that has a specific meaning that the Department of War specified; it's laid out, and you can look it up and find it.
But basically, if you're going to be equivalent, you've got to have a 3PAO come over and do your review for your FedRAMP, make sure you meet all the controls, and then they sign off on it and you get blessed. So that's kind of how it works.
Stacey: The Cyber AB called ESP one of the most misunderstood parts of CMMC. What do contractors need to know in regards to that?
Brooke: Well, what contractors need to know is that they, the OSC, the contractor or subcontractor, whatever you may be, are the ones that are ultimately accountable for this, right?
ESP Basics And Why OSC Owns It
Brooke: They're accountable to know about their ESP and understand what they're being provided and what they're supposed to do, what the OSC themselves are supposed to do, right? So, one: do you have an ESP? What is an ESP, and do you have one? You're paying them, so you ought to have some sort of agreement in place. They're either doing security controls for you, or they may be handling CUI for you, or something like that, right? So the first part is, do you have an ESP? You should know if you have an external service provider, which is what an ESP is. The second one is: there are two kinds of ESPs. One is a CSP, so an external service provider that is a CSP, which is a cloud service provider. In a minute I think we'll get to it, but there are five key things you look for to see if they're a cloud service provider. And if they're not a CSP, then they're a non-CSP ESP, which is the term they use. So anyway, is your ESP a CSP? What are they actually doing for you? The third thing is, do they handle any CUI of yours, or is it just SPD, security protection data? If they handle any CUI, if they process, store, or transmit any CUI, then you're going to have to go back to the whole FedRAMP thing and figure out if they are FedRAMP Moderate authorized or FedRAMP Moderate equivalent. And don't take their word for it. If they tell you they are, you go, "Great, that's wonderful. Give me the paperwork. I need that CRM or SRM, and I need your FedRAMP number, and I need the, whatever it's called, the authorization number, and I need all that paperwork to prove it, so I can show an assessor, yes, they really are." "Yes, I use Microsoft 365 GCC, and believe me, trust me, they're FedRAMP Moderate, or FedRAMP whichever it is, authorized."
And so the assessor will say, "That's great, but where's the paperwork?" And you can say, "Well, it's Microsoft, don't you know?" They're not going to take your word for it; they're not going to take anybody's word for it. They want to see that paperwork. So always get the paperwork, no matter who it is. It doesn't matter if they're well known or not.
Stacey: So, in tandem with what we were talking about with CSPs, how does a contractor tell the difference between an MSP and a CSP?
Brooke: Well, a CSP again, and I think in the next question we'll go over the five things, but are you a cloud provider, much like Microsoft or Amazon or Google or something like that, where you have services that you can automatically provision?
MSP Versus CSP In Plain Terms
Brooke: That would be a cloud service provider, a CSP. If you're not a CSP, then you're just an ESP. So your MSP, managed services provider, is probably an ESP and not a CSP. I'd be surprised if there were very many MSPs out there that were actually CSPs. They may have some service that's classified that way, but for the most part they're going to be an ESP. So the requirements are different for just an MSP versus whether they lean over that line into a CSP. So if they're selling you a "CMMC compliance in a box" type solution, you really have to think: does it fall under the category of a CSP? If it does, that's a different bar you have to meet, especially if you're handling CUI, which a compliance-in-a-box solution would be most of the time. So there's a lot higher bar you have to meet for that. You've got to think about all that when you're scoping this out and choosing providers or evaluating your current provider to see if what they're doing for you will work for your compliance program.
Stacey: So, Brooke, how does an OSC determine whether their ESP is actually engaged in cloud computing?
Brooke: So, that's a good question. There are two things here. One, there may be cloud services that they offer, and those services may fall under the CSP category for the most part, but if they don't handle CUI, then it's a little bit different for you.
Five Signs Something Is Cloud
Brooke: So there are five categories, really, and if you go look at NIST SP 800-145, this will help out. One is on-demand self-service. So like Microsoft: you can go click, click, click, add license, add license, easy deal. Spin up a virtual machine, create, choose your settings, go. Two, broad network access: the service is accessible all over the internet through standard devices. Three, resource pooling. And not any one of these necessarily, but all five of them. So resource pooling: are your customers, like Microsoft email, all in the cloud, which means you're on a bunch of Microsoft's data center computers and it's just one big environment, right? That's resource pooling. Four, rapid elasticity: can you provision up or down pretty quick? And five, measured service: is there something that's measuring the amount of service that you have? You get pieces of that with most MSPs, but with most MSPs you're not going to have on-demand self-service, and you're not going to have that rapid elasticity. You'll have to email or call your MSP and say, "Hey, we're adding a new server and I need you to back it up." Well, that requires provisioning from the MSP. Or, "Hey, we've got ten new computers and we need you to manage them." Well, that's going to require a bunch of provisioning, and whether most of it's automated or not, it's going to require something from your MSP to kick that off, right? So you have to meet those to be a CSP.
Stacey: Did the town hall cover anything new in the broader ecosystem?
Brooke: Yes. So there's a cyber engagement forum. It's launching monthly meetings for RPOs starting in July. That same structure already exists for C3PAOs; they meet. In fact, I didn't even really realize that, because we're not a C3PAO. I was talking to the one that did our assessment and we were discussing some particulars about how assessments go and all that kind of fun stuff.
Ecosystem Meetings And Marketplace 2.0
Brooke: And he said, "Well, in our monthly meetings..." and I was like, "Monthly meetings? What?" So yeah, there'll be monthly meetings that are going to spool up and get going, and then OSC and practitioner meetings will follow that. The other thing is, if you've seen the Cyber AB Marketplace, it is not the easiest thing to search through. And I'll avoid disparaging the Cyber AB, because they've had a lot to do and they've done a lot with a limited budget and a limited staff, so I get it. But the marketplace leaves a lot to be desired. A new one's coming, Marketplace 2.0, I guess, and they showed us what it could look like. It looks like it'll be very helpful. It's been built with the help of Ramp Exchange, and there will be opportunities. I don't know exactly; they talked about maybe some advertising or connecting. I don't really know how that's necessarily going to work, and I don't think they do either. But they talked about maybe some new opportunities along with that. They're looking at making that marketplace better, and what they showed, what it would be built on, which is already built out for a different program, looks like it's very helpful.
Stacey: All right. So what's the biggest thing a contractor should walk away from this town hall with?
Brooke: So the biggest thing, really, is that, and I mentioned it, I don't know how much I emphasized it, but the burden is on the OSC. It's not on your ESP. And you may depend heavily on your ESP, which may be your MSP. You probably don't depend that heavily on your CSP, but there are too many three-letter acronyms.
Biggest Takeaway: Shared Responsibility
Brooke: You may very well depend very heavily on your MSP to help with your whole broader compliance program, or they may just handle the security part of it, right? But even if you lean heavily on them or another provider to help you meet these controls, or keep your documentation up, or whatever it may be, you still have the burden of making sure it's all working right and working as it should. Everything that is written down, all your policies, procedures, and plans, what you've defined or what somebody has defined, is actually what's being done, and then can you prove it, right? So you're accountable for that. The OSC is accountable for that, not your MSP. They may take a heavy burden for you, but you're still accountable, and you're where the rubber meets the road. They made that absolutely abundantly clear. It is up to your MSP to tell you what you're doing and provide that responsibility matrix, you know. But you've got to look at that responsibility matrix and make sure you understand it, not just, "Yeah, hey, I got one here from my MSP, I'm good." No, you've got to look at that thing and make sure the MSP is doing what they say they're doing.
Stacey: All right, guys, before we wrap things up, we wanted to tell you about something that directly connects with what we covered today. We're co-hosting a free live webinar with Prevail and FutureFeed on Tuesday, July 21st at 12 p.m. Central Time. It's called "Whose Control Is It Anyway?", and it's built around exactly what Brooke was talking about: shared responsibility, customer responsibility matrices, and figuring out which controls you actually own versus which your vendors are supposed to be covering.
Free Webinar Invite And Closing
Stacey: If you're a manufacturer or contractor in the defense supply chain trying to protect your DoD contracts, this is for you.
Brooke: Absolutely.
Stacey: We're going to walk through how to read a CRM line by line, identify where responsibility actually lands, and close the gaps before an assessor finds them for you. It's free, it's live, and if you can't make it in person, you'll get the recording just for registering. So head over to cmmccomplianceguide.com/podcast to grab your seat. All right. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.