Listen to "All Things MSP" on Your IT Podcasts!
[00:00:06] You ever been in a fight with someone and they don't know?
[00:00:10] Or worse, they're in a fight with you and you don't know?
[00:00:17] I find that hard to believe because I'm paranoid about all that and I just assume people are always mad at me.
[00:00:23] Seriously, I'm the same way. I'm kind of in a fight with somebody who doesn't listen to the podcast, so don't have to worry about talking about it.
[00:00:32] I don't think they know I'm going to fight with them. I'm being a little childish about it, truth.
[00:00:36] But they should recognize that I'm pissed at them because of something they said to me.
[00:00:44] And I should be a man and I should say something to them, but like I'm a depressive IT person and want to just not be bothered by anyone.
[00:00:55] Well, and you know, honestly, I am jealous of those people who can just, you know, don't even know that they've, you know, done something that might have offended somebody because they didn't mean it. Right.
[00:01:08] But they don't worry about it either.
[00:01:10] I do remember I had a girlfriend one time who we were working together and I saw her and I was like, hi. And she was just like, and I was like, what's wrong? She's like, I'm mad at you. I was like, what I do now? She's like, you cheated on me. I was like, what are you talking about? She's like in my dream last night. I was like, what are you talking about?
[00:01:23] I was like, are you kidding me right now? I think I've heard that one before. Everyone's had that story.
[00:01:30] I mean, granted it was like years ago. I was like 20 or whatever, but still, um, yeah, it's not good to hold on to anger. I'm trying to actually not even like, it's weird about it. Cause like, I should talk to this person and like, be like, listen, we need to hash this out. But part of me is also just like, I don't care enough, which makes me feel bad. Cause like, they're a good friend of mine. I should care. Um, but part of me is just like, I don't, if,
[00:01:55] if I feel this way about this person, maybe there was some underlying truth to it or whatever it is. And I should just like not bother and go back to playing video games. The problem is my wife is friends with them also. So I still have to see these people.
[00:02:13] You know, it's, it's, it's tough being an adult. I'm just going to put it out there. And sometimes that's just what it is. It's adulting.
[00:02:23] If you want to know the person I'm mad at, it's Kaseya.
[00:02:28] If you're struggling with the complexity of Microsoft 365 deployment, management, and automation, it's time to check out CoreView.
[00:02:43] Created by MSPs for MSPs like you, they help you with the end-to-end Microsoft 365 administration from the moment you set up a new tenant.
[00:02:52] Packed with things like unified visibility and control of all your tenants from a single UI to powerful no-code automation engine, baseline tenant configurations, drift remediation, and much more.
[00:03:04] You can supercharge your productivity and do even the most time-consuming tasks with just one click.
[00:03:11] Work effortlessly and deliver best practices to your customers today with CoreView.
[00:03:17] To learn more, visit atmsp.link forward slash CoreView.
[00:03:23] What's up, everybody? Welcome to the All Things MSP Podcast.
[00:03:26] I am your host, Justin Esgar, despite it not saying my name in the corner.
[00:03:30] And with me always is my good friend, Eric Anthony.
[00:03:32] I just know who he is.
[00:03:33] I just noticed that's missing.
[00:03:36] And if anyone who listens knows how I host this show, I like putting Eric on tilt.
[00:03:43] There they go.
[00:03:44] Magic.
[00:03:45] Magic.
[00:03:46] If you don't know what we're talking about, check us out.
[00:03:47] YouTube.com slash at all things MSP.
[00:03:49] Hi, Eric.
[00:03:50] How are you?
[00:03:52] Obviously not on my game today.
[00:03:54] I forget why I took that off.
[00:03:56] I must have been recording something else and took the names out temporarily, but they're back.
[00:04:04] The All Things OnlyFans podcast?
[00:04:06] Yeah, exactly.
[00:04:08] The one they have to pay for.
[00:04:09] The one where you show off a smoked turkey from Thanksgiving.
[00:04:13] I don't know when this is going to air, but at some point in the last random amount of time,
[00:04:17] Eric showed me pictures of his turkey that he made for Thanksgiving, and I got insanely jealous.
[00:04:23] I think my response to you was, can you please adopt me?
[00:04:26] Yes.
[00:04:26] Yeah.
[00:04:28] Well, no.
[00:04:33] And no.
[00:04:35] Well, if you're a long time listener, you know that what's coming up next is from the group.
[00:04:47] Josh Abbott writes, we have a client in Memphis, Tennessee that we've supported 100% remotely until now.
[00:04:52] As their needs grow, we're looking to provide an on-site presence for them.
[00:04:57] To make that happen, we're looking to explore two options.
[00:05:00] One, partner with a local MSP.
[00:05:03] And two, there's a potential hiring opportunity.
[00:05:06] And he goes on asking if someone can partner or if he knows somebody looking for a job to reach out.
[00:05:10] But I kind of wanted to take this for a second and talk about how, especially in the post-pandemic world that we live in,
[00:05:20] this is going to start to happen.
[00:05:22] Where we all decided that we can help anyone.
[00:05:25] Every MSP is like, I can help anyone in the United States because we have these remote tools and we can do whatever.
[00:05:30] And now we have a lot of offices that are demanding back-in-office rules.
[00:05:34] How are you going to continue to support them?
[00:05:37] Great point in case.
[00:05:39] I literally got off the phone with a client right before we started recording who needs help with their cable modem.
[00:05:46] And I'm like, I'm going to do this with you on FaceTime.
[00:05:49] And they're in New York and I'm in New Jersey.
[00:05:51] Like, I don't even want to go to New York to help them.
[00:05:53] So how do we handle on-site support in a post-pandemic world when things are out of your driving range?
[00:06:09] Okay.
[00:06:10] So a couple of things here.
[00:06:12] And obviously they point out really two most obvious options.
[00:06:16] Sure.
[00:06:17] Is partnering with another MSP, which I think is a valid option.
[00:06:20] In other industries where you have to worry about cutthroat competition, I don't think that you can do that.
[00:06:28] In this industry where there's a little more trust and camaraderie and community, I think it's an option.
[00:06:35] However, you do need to protect yourself and you need to set expectations.
[00:06:40] Everything needs to be in writing.
[00:06:42] As well as being transparent with the client, right?
[00:06:46] You need to be transparent with the client that you have outsourced this to another provider.
[00:06:51] It just puts everybody on the right level, right?
[00:06:54] And then in terms of the hiring opportunity, I think that if you want the most amount of control, that's the way to go.
[00:07:04] But that comes with it.
[00:07:06] The added responsibility long-term of having that employee, even if you lose the client.
[00:07:12] Right.
[00:07:13] So there's the third option that I would put in here, and that is hiring a 1099 contractor that could do the work because they're much easier to be flexible with.
[00:07:28] Yeah.
[00:07:29] Yeah.
[00:07:29] Yeah.
[00:07:29] I, the partnering with the local MSP thing in my mind, there's a couple of pieces there, right?
[00:07:35] Obviously you have to have, you have to be transparent, like you said, with your customer.
[00:07:39] They work for another company.
[00:07:41] We're hiring them because they're outsourced.
[00:07:42] The kicker with that though, is that there's like a level of trust you need to establish.
[00:07:50] Mm-hmm.
[00:07:50] And you definitely need to put in some contractual language when you're working with another MSP because argumentatively, you've been, Josh, you've been taking care of the kind of mom from Tennessee all this time.
[00:08:03] And if they meet somebody who is from another company and you're outsourcing to them or whatever it is, and they fall in love with that person, you want to make sure that that person has to say, I'm sorry, I can't work with you legally.
[00:08:18] Right.
[00:08:18] Because they don't want to risk their career.
[00:08:20] So make sure you have the right language in place in your contract with that other MSP.
[00:08:26] The other thing about the partner with the other MSP thing, and this is what always is a little bit of a bite for me, is what to charge.
[00:08:34] Because other MSPs have come to me and said, hey, I need boots on the ground in New York.
[00:08:38] Can you help?
[00:08:38] And I go, sure.
[00:08:39] And they go, well, what are you going to charge?
[00:08:41] And I'm going to charge you my normal rate.
[00:08:44] I'm not going to give you a discount because you're another MSP.
[00:08:47] I'm going to charge you my normal rate.
[00:08:48] If my rate is, I'm making up numbers, $200 an hour, I'm going to charge you $200 an hour because you're now my customer and I have to go help.
[00:08:56] Just because you're another MSP doesn't mean I'm going to automatically give you a discount.
[00:09:00] And that's where there's always a problem because I charge a lot more than some other people, especially if you're someone between New York and LA, like the New Yorker cover, and you call me for their office in New York.
[00:09:12] If I charge you $200 and you're only charging them $150, you need to figure that out.
[00:09:19] So there's going to be some stuff in there you need to figure out.
[00:09:22] And yes, I know people who are listening are like, you're such an asshole, Justin.
[00:09:25] Yeah, I am.
[00:09:27] The hiring opportunity one, though, the hiring opportunity one is interesting because you're right.
[00:09:31] You're going to be stuck with an employee in case the customer leaves.
[00:09:34] My other issue with the hiring opportunity is, and maybe it's just me, and I'm hoping maybe Josh has a better grasp on it,
[00:09:39] is training employees remotely is significantly harder than when we used to do it in person pre-COVID, right?
[00:09:51] I had an employee who shadowed me for six months before I let him loose on a single customer.
[00:09:56] And then at some point during COVID, we had to hire two employees.
[00:09:59] One of them was in another state, and it was very hard for me to make sure that person was doing what they were supposed to be doing
[00:10:05] or studying or learning or training or whatever because I didn't see them, right?
[00:10:11] I would see them on Zoom for 10 minutes a day or 20 minutes a day, but I wasn't with them all the time.
[00:10:15] So hiring an employee out of state is a very, in my mind, difficult process.
[00:10:21] So I would hope that you have your processes down and all of your information easily obtainable by that employee.
[00:10:30] Yeah, and you bring up a really great point in that a lot of times they are out of state.
[00:10:36] And that comes with it a lot of other HR rules that you may not want to take on.
[00:10:45] There's a lot there.
[00:10:46] Yeah, when you have stuff that's out of state with employees, you have to make sure that your PEO software understands where they are.
[00:10:53] You have to understand tax rules.
[00:10:55] You have to understand that not every state has the same rules when it comes to when that person leaves.
[00:11:01] So argumentatively, there are some states that if you fire an employee, even if you're based in an at-will state,
[00:11:10] you have to pay out that employee their final vacation days.
[00:11:14] And in some states, that's not true.
[00:11:16] So there's that.
[00:11:17] There's also, you're going to have a physical presence there.
[00:11:22] It means you have to have corporate paperwork filled for that state as well.
[00:11:26] And you have to make sure you start collecting taxes in that state.
[00:11:29] Right now, if you're doing remote for Tennessee and you're based, let's just say Josh is based in New York.
[00:11:35] I'm doing remote in Tennessee.
[00:11:36] I don't, according to New York rules, I don't have to charge tax on MSP services in Tennessee.
[00:11:42] But if I have an employee there, almost now I have a physical presence there.
[00:11:46] Now I have to charge tax.
[00:11:47] And that also means I have to be registered as a business in Tennessee.
[00:11:52] Right.
[00:11:52] So there's corporate paperwork that you need to do as well.
[00:11:54] So there's a little bit, there are some uphill battles.
[00:11:58] I think really for Josh, if he's really looking to hire someone, he better have a marketing funnel to get more customers in Memphis as well.
[00:12:08] Otherwise, I would go with either partnering or like you said, a 1099, which would be a good way to at least ease into it.
[00:12:15] Right.
[00:12:16] Because there's just so much to do to make it worthwhile for actually hiring that employee.
[00:12:22] Just like you said, there's all the additional work that has to be done.
[00:12:25] The extra taxes maybe depends on the state and all the rules of that state that your accountant may not be familiar with.
[00:12:34] So you then have to hire an accountant in that state who's familiar with it.
[00:12:40] Sorry, I'm interrupting.
[00:12:42] The reason I'm laughing about the accountant thing is once we had an accountant who we told them we're going into Iowa and then we bought the company in Columbia, Missouri.
[00:12:49] When we switched accountants, we had the two accounts on one another.
[00:12:53] And our old accountant used to just be like, yeah, they're in Idaho.
[00:12:56] I don't know.
[00:12:56] And I was like, it's Iowa.
[00:12:58] That's why we're leaving you.
[00:13:02] Oh, yeah.
[00:13:03] Yeah.
[00:13:03] Yeah.
[00:13:03] But that's also a good reason to use, you know, a payroll service that is multi-state, multinational, because they can handle all this stuff for you and you don't have to worry about it as much.
[00:13:16] You know, personally, I use Gusto, but it just depends on what works for you.
[00:13:22] And it really will help kind of get through some of those things.
[00:13:26] I'll tell you, we also use Gusto.
[00:13:27] So I think I turned you on to that.
[00:13:28] But like we also use Gusto and Gusto is great until it's not just FYI.
[00:13:34] Like we've run into problems where like we accidentally put a staff, like a new staff member in the wrong category.
[00:13:39] And all of a sudden, even though they were a part-timer, they got paid as a full-timer like their first month.
[00:13:43] And I was like, something doesn't work.
[00:13:45] Gusto will let you screw up and then you'll go back to them and ask for help.
[00:13:48] They'll help you fix it.
[00:13:49] They won't help you set it up from the get-go.
[00:13:52] So like I give Gusto a 7 out of 10, but they're totally fine and do exactly what you need them to do in a case of this.
[00:13:59] The other thing I would suggest, Josh, is if you do the hiring and you need to get the taxes, there's a website called CorpNet.
[00:14:06] CorpNet works actually with Gusto a lot.
[00:14:08] And they will all, for a flat fee, get you whatever licenses, registrations you need in that state and then provide you all the tax information you need, including because you have an EIN, right?
[00:14:21] Your federal number.
[00:14:22] But then you can have state numbers.
[00:14:23] You need to know those too.
[00:14:24] So there's a lot to be said there.
[00:14:26] So maybe partnering with MSPs.
[00:14:27] Also, what we're missing from this equation is how big is this customer in Memphis, right?
[00:14:32] If you're supporting a 20-person office, maybe none of this matters, right?
[00:14:38] But if it's like a 100, 200-person office and you need to be able to support them, that's how you do it.
[00:14:45] Or depending on where you live, Josh, quarterly visits by driving.
[00:14:50] That's what we do for our clients in Iowa.
[00:14:51] Like our guys in Missouri, it's a four-hour drive.
[00:14:54] We throw them in the van with a bunch of stuff and some snacks and we tell them to drive and we go there once a quarter just to visit our clients.
[00:15:00] So there's always a way to do it.
[00:15:01] Josh, thanks so much for writing in from the group.
[00:15:04] And if you want to be from our group, check us out, facebook.com slash groups slash all things MSP.
[00:15:14] Elevate your IT-managed service provider business with SuperOps, the all-in-one platform that integrates RMM and PSA.
[00:15:22] Powered by AI-driven insights and automation, SuperOps helps you stay ahead, streamline operations, and boost efficiency.
[00:15:30] Are you ready for operational excellence?
[00:15:32] Find out more at atmsp.link forward slash SuperOps.
[00:15:37] What's up, dude?
[00:15:39] I am super excited for today because I love it when we have a guest.
[00:15:45] Oh, really?
[00:15:46] We do.
[00:15:48] We have Eric Leventus, VP of Business Development from ControlCase.
[00:15:52] Eric, how are you, man?
[00:15:55] Going on, guys.
[00:15:55] How are you?
[00:15:56] Doing good.
[00:15:56] Thanks for being here.
[00:15:57] Real quick, give everybody a two-minute spiel.
[00:15:59] Who are you?
[00:16:00] What is ControlCase?
[00:16:01] And, you know, what are you doing this weekend?
[00:16:05] Yeah.
[00:16:06] Hey, well, I'm actually going to Florida tonight to go visit my parents.
[00:16:09] So I'll be on a plane in a few hours to go visit them, spend some time.
[00:16:13] I'm staring at my dog right now, so he's not too happy that I'm leaving.
[00:16:16] But my girlfriend will certainly take care of him this weekend.
[00:16:19] But so I'm Eric.
[00:16:20] I'm the VP of Business Development for ControlCase.
[00:16:22] We are an audit and certification shop globally.
[00:16:24] Think of a compliance standard, we audit against it: SOC 2, ISO, FedRAMP, PCI.
[00:16:30] In particular, CMMC, which is going to be a topic of conversation today.
[00:16:35] My world is cybersecurity and compliance.
[00:16:37] Sales and business development and marketing is where I've spent my whole career.
[00:16:40] So my passion is to help other businesses, specifically MSPs, build a go-to-market
[00:16:45] strategy around compliance.
[00:16:47] How do you use me to go drive compliance back to your tech stack to help your monthly
[00:16:52] recurring revenue?
[00:16:52] I want to be a part of that conversation and be a part of structuring what that go-to-market
[00:16:57] looks like.
[00:16:57] So that's my intentionality of being here today.
[00:17:00] Awesome.
[00:17:00] I'm talking to you.
[00:17:01] Well, I think you nailed it in one.
[00:17:02] So that's it for all of us.
[00:17:03] No, I'm just kidding.
[00:17:06] Yeah, we've talked about this concept certifications and getting compliant a couple times now over
[00:17:12] the last few months.
[00:17:13] But let's talk specifically about CMMC.
[00:17:17] So for those who don't know, because CMMC is definitely not something that comes up a lot
[00:17:21] on the Apple MSP side of things.
[00:17:23] And I'm sure most PC MSPs do know, but just in case they don't.
[00:17:27] What exactly is CMMC?
[00:17:29] And what does that differ from some of the other ones we may have heard of, like SOC 2 or ISO?
[00:17:35] Yeah, yeah, yeah.
[00:17:36] So CMMC is kind of like Baltimore, right?
[00:17:39] It's been the cybersecurity standard that everybody's been talking about for years.
[00:17:44] It's coming.
[00:17:45] It's coming.
[00:17:45] It's coming.
[00:17:46] If you do business with the Department of Defense at any capacity, you hold a contract
[00:17:50] with the Department of Defense.
[00:17:52] They've been saying for years that you had to be NIST 800-171 compliant, but nobody checked
[00:17:57] you.
[00:17:58] Nobody came behind you and said, are you actually doing that?
[00:18:01] Because we see these jets in China and Russia that look like our jets.
[00:18:06] Clearly information is getting out.
[00:18:08] Why is that, right?
[00:18:09] So they said a couple of years ago, well, hey, we don't believe you.
[00:18:13] And if you handle CUI, controlled unclassified information, we're going to put an assessment
[00:18:19] body over.
[00:18:20] But that assessment, CMMC, has been getting the can kicked down the road.
[00:18:25] So everyone's like, it ain't real.
[00:18:26] It's not coming.
[00:18:27] It's not a thing.
[00:18:29] It's real.
[00:18:30] December 16th, I think in 10 days, and it already actually launched a couple of months
[00:18:34] ago, two months ago, but it will be fully fleshed out as a real rule that's been published.
[00:18:39] So CMMC right now is particular for those people that hold contracts with the DOD.
[00:18:45] They're going to have it based on the type of information they handle.
[00:18:48] They're going to need, when they go to time of awarding contract, there's going to be
[00:18:52] big old checkbox that's going to say, are you CMMC level at one, two, three compliant?
[00:18:58] And if you are not, no contract for you, right?
[00:19:02] So differing from these different standards, SOC 2, you know, a lot of them are dependent.
[00:19:08] People are asking you to get it.
[00:19:09] That's why you go after a standard, right?
[00:19:11] I mean, I wish people went after it just to go after it, but usually you're going after
[00:19:15] a standard because you have to, the biggest difference is the complexity behind CMMC, the
[00:19:21] level of effort behind CMMC and who is asking for it.
[00:19:25] And that is the biggest difference.
[00:19:26] And we could talk 10 days about the why and the how, but just at least bringing up CMMC
[00:19:32] as a topic of conversation, I think is the most important.
[00:19:34] Right.
[00:19:35] Which I think this also explains why this was why no one in the Apple market has heard,
[00:19:39] because there's not really a lot of Apple products in government.
[00:19:42] I mean, I'm surprised that the Department of Defense isn't doing more with iPads, but
[00:19:46] I'm pretty sure they're just going to Apple directly for that stuff.
[00:19:50] And that's why, you know, a small MSP like me is in there.
[00:19:53] But I do know a lot of other PC MSPs who do have, who do have DOD contracts in some way,
[00:19:59] shape or form, which I have questioned how they got those in the first place, because
[00:20:03] I know those people and they're weird.
[00:20:06] But it's interesting that this is now being like a, this is a directive that is being forced
[00:20:10] down on MSPs.
[00:20:12] Eric, what were you going to say?
[00:20:13] Well, I was just going to say, one of the things that would probably be helpful to the
[00:20:17] MSP audience is understanding a little bit more about CMMC level one, level two, level
[00:20:23] three, what the difference is, why you might want to go all the way to level one to differentiate
[00:20:31] yourself as an MSP.
[00:20:33] But also, if I'm not mistaken, level three is self-assessed and covers a lot of people
[00:20:42] that may not think they need to be covered.
[00:20:46] So we're going to, so let me back into your question.
[00:20:48] I'm going to, I'm going to flip it, right?
[00:20:49] Level one is self-assessed.
[00:20:51] Oh, sorry.
[00:20:52] I got the word backwards.
[00:20:54] So you're right, but opposite way.
[00:20:56] So I will, I'm going to focus on level one and level two, because the way that I describe
[00:21:00] level three, it is the weapons manual.
[00:21:02] It is a very limited group of individuals that have to be level three.
[00:21:06] And if you need to be level three, either somebody has already told you, you know, that
[00:21:10] you handle that type of information.
[00:21:11] And it is a very small amount of people that need it.
[00:21:14] And those people have to get audited by the DIBCAC, right?
[00:21:17] So the government has to audit them.
[00:21:19] Level one is if you hold a federal contract, you could be the toilet paper manufacturer.
[00:21:24] If you have a federal contract with the government, they are requiring you to be level one certified,
[00:21:30] which requires an annual self-assessment.
[00:21:32] So we're going right back to where we were, right?
[00:21:34] No one's going to come and check it.
[00:21:36] You as the CEO, Mr. and Mrs. CEO have the stamp of approval every year.
[00:21:41] There's 15 control families and you have to be compliant at a 100% completion rate dictated
[00:21:46] by you because you're assessing yourself.
[00:21:49] Are you compliant?
[00:21:50] Yes or no.
[00:21:50] And every year you have to sign off.
[00:21:52] And then when you go and bid for that contract, you could say, I am level one compliant.
[00:21:56] Level two, that's when rubber meets the road.
[00:21:59] This whole concept of CMMC assessment is now what's, if you handle CUI, controlled unclassified
[00:22:06] information, CUI is king here.
[00:22:08] I can't express that enough.
[00:22:10] Whether you store, process, or transmit CUI at any capacity, level two CMMC is required
[00:22:15] for you.
[00:22:16] And then at that point, there's 110 control families.
[00:22:19] You can see the difference, big difference of disparity.
[00:22:21] There's 320 assessment objectives that go against it.
[00:22:25] And you need to meet that at a 100% completion rate.
[00:22:29] Perfect score in a third party, like a ControlCase or another company who's a C3PAO, assesses
[00:22:35] you every three years.
[00:22:36] And then every year in between those, you have to self-assess.
[00:22:39] So the level of effort magnifies.
[00:22:41] And there's a huge conversation, and we'll get into it, is like, if I'm an MSP, why does
[00:22:47] that matter for me if I don't hold a government contract, but my clients do?
[00:22:52] What if I do hold a government contract?
[00:22:54] What does that mean?
[00:22:55] Right?
[00:22:55] So there is a couple of different conversations to be had.
[00:22:58] And this is such an extremely important conversation because the ESP community, any CSP, any cloud
[00:23:06] provider, any MSP or any MSP, they're grouped under what's called an ESP, external service
[00:23:11] provider.
[00:23:12] They could make or break their client's CMMC assessment, and it could be a blowout.
[00:23:17] Well, I want to get right into that then, because we could talk about MSPs themselves getting
[00:23:25] these DOD contracts.
[00:23:26] I think they already know what to do.
[00:23:28] If you're going to go for a DOD contract, you're being told, level one, level two, level
[00:23:31] three, move on with your life.
[00:23:33] But this is a really interesting take.
[00:23:34] I like this, Eric, where you talk about the MSPs who take care of their customers have
[00:23:39] the DOD contracts.
[00:23:41] How far upstream do the customer's controls need to be that the MSP who's helping said
[00:23:50] customer with the DOD contract need to be protected?
[00:23:53] Does the MSP need to get a CMMC because the customer is CMMC?
[00:23:58] Do their levels have to match?
[00:24:00] What's it look like for them?
[00:24:02] So I'm going to sound like a broken record, right?
[00:24:05] Store, process, or transmit CUI.
[00:24:07] That should be, I should get that tattooed on my forehead.
[00:24:09] If you store, process, or transmit CUI, you need to get a level two certification.
[00:24:14] However, most MSPs don't do that.
[00:24:16] Most MSPs don't store, process, or transmit CUI.
[00:24:19] You might manage things or upkeep things, but that doesn't necessarily mean that you
[00:24:23] store, process, or transmit the CUI.
[00:24:25] The information might never get ingested into your system.
[00:24:28] So what does that mean for you?
[00:24:30] Technically, the way that the new rule is written that got launched in October, that will
[00:24:34] be fully published in December, says if you are an external service provider and you
[00:24:39] do not store, process, or transmit CUI, you're a security protection asset, you are still
[00:24:43] liable to be 800-171 compliant for the applicable controls that you manage on behalf of your client.
[00:24:50] So every client you manage is different because every SOW you hold with each client is different,
[00:24:55] which means that when your client goes up to those pearly gates of the C3PAO, and then
[00:25:02] they go, and then the C3PAO goes, all right, so show me this, who manages this, who's responsible
[00:25:07] for this, and they go, and my MSP does, that MSP better be fully ready to be able to back
[00:25:14] up all the things they manage and align it to what NIST 800-171, which is CMMC, is asking
[00:25:21] for at a 100% click rate.
[00:25:23] So the short answer to your question is technically the MSP is not required to get a CMMC level two
[00:25:31] if they do not store, process, or transmit CUI.
[00:25:34] However, I feel like the narrative that I and others are preaching in the network is you
[00:25:40] should go after a voluntary assessment, and the reason behind that is if I'm your client,
[00:25:47] let's paint this story.
[00:25:48] The other Eric here is the client, and I'm the C3PAO, and Justin, you're the MSP, right?
[00:25:55] So Eric asked me as the C3PAO, can you quote me?
[00:25:58] My first question is going to be like, tell me about your ESPs.
[00:26:02] You're going to go, well, Justin's my MSP.
[00:26:04] I go, my second question is going to go, does Justin have a level two cert, or has he made
[00:26:09] his own way down CMMC level two, or is he aligned to 800-171, right?
[00:26:14] Based on that question, my scope remains the same, doubles or triples.
[00:26:20] I don't know, you could introduce so much risk into me as the C3PAO, where if I'm assessing
[00:26:25] Eric's company, and now the ESP has their own scope that might cause disruption, it worries
[00:26:31] me.
[00:26:32] It's a scope creep.
[00:26:33] I don't need that, right?
[00:26:34] So if I am the MSP, I want to reduce that.
[00:26:38] I want to go to market and say, hey, don't worry about me being a blockade to your auditor.
[00:26:44] Hey, don't worry about me increasing costs for your auditor.
[00:26:48] I've already been compliant or going down a compliant journey.
[00:26:52] I am looking to get my certification, and by doing so, I've become a risk mitigator,
[00:26:58] a time mitigator, and boy, am I going to market the hell out of that thing.
[00:27:01] So again, short answer is not required, but really good best practice.
[00:27:06] And it takes away a lot of the concern that Eric's company might have, and that me as
[00:27:11] the auditor might go, I'm sorry, you fail because of that.
[00:27:15] Right.
[00:27:15] This makes a lot of sense.
[00:27:16] So real quick, I want to just, in case anyone doesn't know, a C3PAO, which you've said a
[00:27:21] couple of times, CMMC third-party assessment organization, had to look that one up.
[00:27:26] So a company like ControlCase where you can assess that situation for CMMC.
[00:27:32] So let's go back to this example, right?
[00:27:34] So I'm the MSP.
[00:27:35] Eric's the customer with the DOD contract, which by the way, government, come on, do a
[00:27:38] little better.
[00:27:39] And also, if you want to see what we're doing, why we're all having, you should check us out
[00:27:42] at youtube.com slash at all things MSP.
[00:27:44] And Eric, you're the auditor here.
[00:27:47] So Eric Anthony goes for his level two.
[00:27:50] And basically, because he's going to level two, even though I'm not touching the data that
[00:27:55] Eric has, because Eric, we talked about this with another, at some other podcast episode
[00:28:00] where there was a question around the MSP having some sort of certification for managing data
[00:28:13] for their client, but their client had nothing to do.
[00:28:15] Oh, we talked about it from the group because someone about the mortgage.
[00:28:18] And yes, we talked a little bit about background checks for that one.
[00:28:20] But it was that they didn't want the MSP touching the computers that had client data on it.
[00:28:27] So Eric L., the question here, because you say it's all about store, process, or transmit data.
[00:28:35] If Eric Anthony's company is doing all this stuff for the DOD, and my job is just to go in and make
[00:28:41] sure the computers are running Windows updates, right?
[00:28:44] I'm not logging into their file share.
[00:28:46] I'm not touching the data.
[00:28:48] Like me becoming CMMC is only going to help him.
[00:28:52] But I do feel like a lot of MSPs are questioning, like, is the juice worth the squeeze, especially
[00:28:58] if it comes to money to go get this?
[00:29:01] When in reality, how often are they touching Eric's data?
[00:29:05] And in the truth of it is, they're the MSP.
[00:29:08] They probably can get to the server anyway if they really wanted to, to screw with the
[00:29:11] data.
[00:29:11] But like, they shouldn't be.
[00:29:13] So I feel like there's a little bit of a push and pull here between is the juice worth the
[00:29:18] squeeze to be able to support them?
[00:29:20] I guess your answer obviously is going to be yes.
[00:29:23] But where can we go from there?
[00:29:25] Because it seems like, like, is this a costly thing?
[00:29:27] Like, if I wanted to get level two CMMC, like, I'm going to, I'm assuming I'm paying out
[00:29:33] the butt for this one, right?
[00:29:35] You're nodding yes, which people at home that are driving can't see this.
[00:29:38] I'll tell people.
[00:29:38] Well, he's nodding emphatically yes.
[00:29:43] Right?
[00:29:43] So where are these, like, lines that need to be drawn around that?
[00:29:48] Yes.
[00:29:48] There's two answers here, right?
[00:29:50] So there's the go-to-market strategy, the pull-in, pull-out, right?
[00:29:53] Do I go all in or do I go out?
[00:29:56] So there's no in-between, right?
[00:29:57] So you cannot support any clients that handle any form of CMMC unless you meet a similar.
[00:30:05] So if your clients are going after level one, the expectation is you as the MSP would be
[00:30:09] able to, whatever, you know, you would be able to match the same level of compliance with
[00:30:13] them.
[00:30:13] Again, you won't need a certification over top of that, but you need to still align yourself
[00:30:17] to NIST 800-171 for the controls that you're managing.
[00:30:20] What I will tell you is this, right?
[00:30:21] Just because you aren't necessarily ingesting information, they still consider you a security
[00:30:26] protection asset.
[00:30:27] You're going in, you're monitoring things, you're managing things, you're upkeeping things.
[00:30:30] Just because CUI doesn't flow into your system, that's the indicator that you don't need the
[00:30:35] assessment.
[00:30:36] The minute you actually store, process, or transmit CUI, there's no getting around that.
[00:30:40] You need that assessment.
[00:30:42] But for all these MSPs that are like, I just don't understand, like, nothing gets into my
[00:30:46] system.
[00:30:46] I'm just updating their windows.
[00:30:47] I'm just managing their systems.
[00:30:49] I'm just watching their SIEM.
[00:30:51] I don't know.
[00:30:51] You're considered a security protection asset.
[00:30:54] And the way that the new rule is written is that you must adhere to NIST 800-171 and be
[00:31:00] compliant so that when the auditor comes in and they point at who owns it and who's responsible
[00:31:04] for it, and they go, Justin, you could say, well, here's my applicable documentation.
[00:31:08] Here's my applicable policies and procedures.
[00:31:11] Let me show you within the tool how I manage it.
[00:31:14] And the only way to not have to sit on every single one of your clients' calls.
[00:31:18] So this is where the rubber meets the road.
[00:31:21] If you have one client or if you have no client, it might not make sense for you to go after
[00:31:26] this market.
[00:31:27] It's a huge investment.
[00:31:28] There's the investment to build your own cybersecurity practice and be compliant.
[00:31:33] That itself could be dozens of thousands of dollars, if not, you know, a hundred plus
[00:31:38] thousand dollars.
[00:31:39] And again, it's all depending on scope.
[00:31:41] So you could do it for less.
[00:31:43] You could do it for more.
[00:31:44] It depends on the complexity of your scope and your clients.
[00:31:46] Then you have to consider the audit at the end.
[00:31:49] But if you have one client that needs a CMMC certification, it might not make sense for
[00:31:55] you to get a certification.
[00:31:57] Align yourself to NIST 800-171 and be a part of that assessment.
[00:32:01] Sit in on that assessment.
[00:32:02] But if you have two, three, four, five, six clients, think about the time investment.
[00:32:09] The rule says you have to sit in on the assessment.
[00:32:13] So if you have 10 clients, you have to go in and prove to the auditor 10 separate times,
[00:32:19] even if it's the same auditor, that your controls are compliant with CMMC for what you manage
[00:32:24] on behalf of your clients.
[00:32:25] So if you're in, you better be all in.
[00:32:29] And if you're all in, why not build a go-to-market strategy, get your certification, market it to
[00:32:35] the universe, and then be able to show your client, I will not be a blockade to you.
[00:32:40] I will actually be, you will actually be able to leverage me more efficiently during these
[00:32:45] audits.
[00:32:45] And hopefully your commitment and your time and your cost with this CFP bill might go down.
[00:32:50] And otherwise, you as the ESP will just be a, you know, we don't, I don't want to come
[00:32:57] into the audit and Eric would be a hundred percent.
[00:32:59] And then Justin, because of the MSP not doing their due diligence, you actually caused that
[00:33:04] failure.
[00:33:04] So MSPs, ESPs, whoever need to take this very seriously because the rule says they are in
[00:33:11] scope, period.
[00:33:13] I feel like maybe because I'm just not aware of it.
[00:33:20] Because again, this isn't my realm, right?
[00:33:23] Like I said, there's very few applicants who do it.
[00:33:26] But what about so many of these other vendors?
[00:33:29] So let me give an example, right?
[00:33:31] A lot of the time my clients want to get SOC 2 reports from vendors.
[00:33:35] And we got to pull SOC 2 from Google, from Slack, from Microsoft, from some other cloud-based
[00:33:41] file servers that will not be named on this podcast.
[00:33:47] Do all of those providers have CMMC?
[00:33:50] Are they going to be the problem for the, like, how does someone who needs CMMC level two, like,
[00:33:58] do email when you have all of these, like, tight, I'm like picturing like a visualization
[00:34:04] of, like, they have the thinnest of pipes to be able to work through because they have
[00:34:10] to have this protection in place for that controlled, unclassified information.
[00:34:14] But, like, Google and Microsoft are cesspools.
[00:34:18] Like, how do they work?
[00:34:20] Yeah.
[00:34:21] So it's a great question, right?
[00:34:23] So the same scenario is the exact same conversation for the cloud service provider community,
[00:34:28] right?
[00:34:28] So as these CSPs are products that the MSPs use to support the OSA, right?
[00:34:37] All these acronyms.
[00:34:38] End client is managed by IT provider who uses all these third-party products.
[00:34:44] If those products store, process, or transmit CUI, they must get FedRAMP moderate or FedRAMP
[00:34:51] moderate equivalent to be compliant for CMMC to be able to leverage for these clients.
[00:34:55] The same conversation applies.
[00:34:57] I can't tell you how many conversations I'm having with these cloud service providers
[00:35:00] that are saying, I don't store, process, or transmit CUI.
[00:35:04] I have to go, well, you have to prove it.
[00:35:07] And if you don't, at minimum, a best practice would be for you to go after your level two
[00:35:11] certification because if you are not, you're considered a security, see how the same conversation,
[00:35:17] you're a security protection asset.
[00:35:19] You will have to sit in on each of these assessments and you will have to prove for the applicable
[00:35:22] controls that you manage on behalf of them.
[00:35:24] Because if the MSPs own a certain part, the cloud service providers own a certain part,
[00:35:29] the organization seeking certification owns a certain part.
[00:35:32] And when the auditor comes in, we need to speak to the individual that owns that part
[00:35:36] of the control and owns those objectives and validate and verify that all of the appropriate
[00:35:41] documentation or controls are put in place.
[00:35:43] So as the cloud service provider, same conversation applies.
[00:35:46] Store, process, transmit CUI.
[00:35:48] Yes, FedRAMP moderate or FedRAMP moderate equivalent is required.
[00:35:52] No, then you need to meet NIST 800-171 for all the applicable controls that you manage
[00:35:58] on behalf of them.
[00:35:59] And a best practice would be to go after your certification and to have that certification
[00:36:03] to provide to your clients so that when they go through their assessment, they could
[00:36:07] show almost like if you ask Microsoft, they give you what?
[00:36:10] A body of evidence, right?
[00:36:12] So when you go to the auditor, you provide that body of evidence.
[00:36:16] Think of the CMMC certification or the body of evidence as those documents that you're
[00:36:21] adding into your system security plan to show the auditor, look, these things do touch CUI
[00:36:27] or they don't.
[00:36:27] And here's how I'm protecting it.
[00:36:29] And here's how they're protecting it.
[00:36:30] So that when the auditor comes in, they get a full picture of your scope and they know
[00:36:34] that there's no holes and they're able to bless your scope and say it is CMMC compliant.
[00:36:39] So Justin, there is so much complexity.
[00:36:42] And that is, I think the bigger question is, are you speaking to the right people to hold
[00:36:47] these conversations?
[00:36:48] To be able to manage your scope, to be able to have these discussions, to build your program
[00:36:53] so that when you come to my, I'm Bowser.
[00:36:56] I'm the big bad boss at the end of this.
[00:36:57] And I put you through my audit and I say, you're not even ready.
[00:37:01] I heard you chip up.
[00:37:02] Hold on.
[00:37:03] I heard you chip up and say that you were Bowser.
[00:37:05] That's a solid Mario reference.
[00:37:07] I did quickly, I wanted to quickly just look.
[00:37:10] And so while you were talking, I just straight up went like, is so-and-so FedRAMP certified?
[00:37:16] Google Workspace is FedRAMP certified.
[00:37:18] I'm not surprised about that.
[00:37:19] Obviously, Microsoft is FedRAMP certified.
[00:37:22] I asked about a particular file share service that we won't talk about on the show.
[00:37:26] They're also FedRAMP certified.
[00:37:27] But Dropbox is not.
[00:37:29] And I am not shocked by this at all.
[00:37:36] You know.
[00:37:37] Look, I'll tell you this.
[00:37:39] I can't speak to their path down FedRAMP or CMMC.
[00:37:43] I can't speak to any CSP's path.
[00:37:45] What I will tell you is this.
[00:37:46] Getting involved with the proper person to help you get ready.
[00:37:50] CCP, CCA.
[00:37:52] So certified professionals, certified assessors, companies that invested in C3PAO,
[00:37:56] companies that are invested as RPOs.
[00:37:58] Making sure you're talking to the right person.
[00:38:01] Scope is king.
[00:38:02] If Dropbox is in scope and every client is different,
[00:38:05] and the way that Dropbox handles your information is done a certain way,
[00:38:09] you have to make sure that your environment and if Dropbox is storing, processing,
[00:38:15] or transmitting CUI for you, whether it's meant to be that way or not,
[00:38:19] and they're not FedRAMP certified, you might have to make a shift.
[00:38:22] Or you might need to segregate Dropbox to never touch CUI so that you can continue your standard
[00:38:29] business practices and then you scope the rest of your environment to not include that.
[00:38:34] And again, I can't deem if that's the right approach or the wrong approach because every
[00:38:38] single client is different.
[00:38:39] But the first thing any client should be doing should be to build that nice little square
[00:38:44] diagram around their scope and be able to work with the right person to say,
[00:38:47] what's in, what's out, how am I going to make sure my business can function correctly?
[00:38:52] But do I have to pivot a little bit to make sure I meet these controls?
[00:38:56] But maybe my whole organization doesn't have to pivot.
[00:38:59] Or maybe my whole organization does and I need to start making shifts in the way that I invest
[00:39:03] in product to adhere to CMMC so I don't lose out on these contracts.
[00:39:07] So I can't, it is a huge conversation to have about what your tool suite is based on how you
[00:39:14] do things as a business.
[00:39:16] All right, so we've talked a lot about this.
[00:39:17] Let's, let's, cause I want to bring this back to you for a second.
[00:39:20] Quickly, how can, how does ControlCase help the MSPs or even the MSPs' customers
[00:39:28] get this scope under control?
[00:39:31] Yeah, look, so I assume we're live right now, right?
[00:39:34] We're talking to the people, no, we're recording.
[00:39:36] So our DIB-, our DIBCAC is scheduled for next week.
[00:39:40] So right now, as we said today, early December, we are a candidate C3PAO.
[00:39:45] But we get our DIBCAC audit next week.
[00:39:48] We hope to get the blessing of becoming a C3PAO by end of the year.
[00:39:51] So what I would say is come 2025, assuming all goes good on for us, we will be one of
[00:39:57] the 60 C3PAOs in the world that will be able to do the audit.
[00:40:01] Right now, just like everybody else, we're cutting our teeth on readiness.
[00:40:05] So we are not an MSP.
[00:40:07] So for all the MSPs out there, if you want to build a compliance extension arm to your
[00:40:11] business, companies like mine help with the SSP creation, the system security plan, help
[00:40:16] with the documentation.
[00:40:17] We help with the CUI data flow diagramming.
[00:40:20] We help identify gaps.
[00:40:21] We do all the administrative part of CMMC or we audit.
[00:40:26] We can only do one or the audit, the other.
[00:40:28] So that goes for all the certs, right?
[00:40:30] You talked about SOC 2.
[00:40:32] We audit and certify against all these standards.
[00:40:35] We either can help MSPs help them or their clients get ready or audit and then use that
[00:40:40] audit to drive back to drive back to their tech stack.
[00:40:44] So we want to make sure that they can go to their clients and say, you need CMMC.
[00:40:48] I can help you get there with Eric's help and we're going to take you to the finish line
[00:40:52] and I'm going to profit from this because I'm doing right by you by making sure I'm following
[00:40:57] my own journey and you're going to be successful down your journey.
[00:41:01] And as a group, you're going to be compliant and we're going to help you get there.
[00:41:04] Got it.
[00:41:04] That's awesome.
[00:41:05] So ballpark it.
[00:41:09] I'm an MSP.
[00:41:09] I want to get CMMC level two.
[00:41:14] Are we talking $5,000, $10,000, $50,000?
[00:41:25] So you're scaring the crap out of me with the nodding, man, because as soon as I said $50,000,
[00:41:30] you were like, yeah.
[00:41:31] And I was like, now that explains things.
[00:41:34] So I'll tell you this, right?
[00:41:35] I'm going to give you a quick context and then I'll give you your answer.
[00:41:39] We do SOC 2 audits, right?
[00:41:41] So we were asked, somebody said, well, I'm already SOC 2 compliant.
[00:41:44] Being CMMC compliant should not be too much of a difference, right?
[00:41:47] And my lead assessor chuckled.
[00:41:49] So that was his answer, right?
[00:41:51] So that's my context.
[00:41:53] So what I will tell you is this, right?
[00:41:54] You have your readiness journey.
[00:41:56] That journey is 100% dictated on scope.
[00:41:59] So scope is king here.
[00:42:01] So if you have one person in scope or 1,000 people in scope, it changes the price.
[00:42:05] There's a cost for the MSP or IT provider or your cloud services.
[00:42:09] There's your cost for licensing.
[00:42:11] I'll be honest.
[00:42:12] I have no idea what those costs are.
[00:42:13] That's up to the MSP community.
[00:42:15] I personally heard it's on average about 1.5 to 2.5 to 3.5% more than if you weren't doing this.
[00:42:23] So the amount of effort per head increases if a client is going after CMMC.
[00:42:28] Don't quote me.
[00:42:29] Again, I'm not an MSP.
[00:42:30] So there's that fee.
[00:42:31] You have to probably pay either that same company or a separate company to help build your documentation.
[00:42:36] There's that fee.
[00:42:37] That price can be $5,000 or $100,000, depending on the level of effort.
[00:42:43] Then you have to pay the auditor.
[00:42:45] Most auditors right now are anywhere from $30,000 to $100,000.
[00:42:51] And I know that's a crazy scale.
[00:42:53] Everyone's all over the place.
[00:42:54] I'd say the average assessment is 40 to 60.
[00:42:56] That is a every three-year cost.
[00:42:59] So once year one is done and you pay that audit fee, you still have to upkeep your MSP and all of your documentation.
[00:43:07] And then every year do a self-assessment until year three when you do your audit again.
[00:43:13] So I will tell you, and I chuckle at that 50 grand number because it's a rolling average.
[00:43:18] And we're hearing people spend well north of six figures to get ready.
[00:43:23] But I will back that up with, if you're an MSP scared to get into this market, just know the amount.
[00:43:31] There are hundreds of thousands of companies that need this.
[00:43:34] And just to capture a small percentage of that, it's going to reap you eons of benefits and revenue back to you if you do it right and market it right to them.
[00:43:45] If they can trust you to take them down that path, there are so many other MSPs that are getting out and running 1,000 miles away.
[00:43:53] Those people are going to need IT providers.
[00:43:55] So I will say doing it right first time off the jump and scoping it appropriately, that's your main way to reduce cost.
[00:44:04] And then from there, the cost is the cost.
[00:44:07] The licensing fees are the licensing fees.
[00:44:09] There's really no way to get around that.
[00:44:10] It's just making sure that your program aligns with how you do business.
[00:44:14] And that's the most important part.
[00:44:16] You don't want to just spend money and then make sure nobody can communicate internally because you've made it impossible.
[00:44:22] So I would say $50,000 is an absolutely lowball number that I would double if not triple.
[00:44:29] I was going to say, if you have $200,000 and are looking to get a CMMC certified, I mean, the real question is like, and joking but not joking here, like, if you're an MSP or you're starting off as an MSP and you're like, I want to go after governmental contracts, it really does sound like that $100,000 to $200,000 amount.
[00:44:51] Like, you need to have that in your pocket ready to spend on getting this.
[00:44:56] So this way you can – and again, though, I think you bring up a good point.
[00:44:59] We didn't really talk about marketing on it today.
[00:45:01] But being able to – it's $200,000 just to get the CMMC and then X amount more to market to prove that you're CMMC.
[00:45:09] I'm sure you'll get on lists and all these other things or whatever it is to be able to reach that.
[00:45:15] But like, you know, there's a good – like Eric said, there's a good marketability here with having that.
[00:45:22] I think from my perspective, obviously, it doesn't make sense, right?
[00:45:25] So I'm not going to pursue this.
[00:45:26] But at the same token, there's not a lot of Apple consultants that are getting SOC 2 compliant.
[00:45:31] And that's the marketing aspect that we're looking at when we're doing that.
[00:45:34] So whether it's CMMC, SOC 2, or something in between, if those are the customers that you're looking for, you should get certified in that realm.
[00:45:46] If you're looking to work with MED, you should go after HIPAA.
[00:45:48] If you're looking to go with international companies, you should look at ISO 27001.
[00:45:53] If you're looking to work with government, you should go for CMMC.
[00:45:57] But just realize that you're starting off your business with like a negative $200,000 line item on your P&L.
[00:46:06] Yeah, I'll say this quickly.
[00:46:08] Again, all these certs are in our – what we do, right?
[00:46:11] So I talk ISO, SOC 2, PCI, HIPAA every day.
[00:46:14] The complexity of those audits – and ISO is pretty complex.
[00:46:17] It requires a lot of complexity.
[00:46:19] SOC 2, you know, you'll hear assessors say it depends, it depends.
[00:46:22] We'll write your report.
[00:46:23] Or with CMMC, I believe that the reason why it is so complex, it's a lot of investment.
[00:46:30] It's a serious thing.
[00:46:32] Like we want to protect the nation's security.
[00:46:34] So those individuals that are investing and being a part of this ecosystem, that's why I say things like there's no such thing as half in, half out.
[00:46:41] You're either all in or you're all out.
[00:46:44] And if you're all out, I respect that.
[00:46:45] And if you – I have people that say I want to gobble that business up from those all out people.
[00:46:50] But you cannot cheap your way down CMMC.
[00:46:53] I'm sure there's ways to mitigate costs, again, scope.
[00:46:56] It doesn't have to be as expensive as it is.
[00:46:59] But if you think this is a 5K effort and then you can go be that guy and go work on government contractors, this might not be the world for you.
[00:47:06] And I don't want to engage with those people.
[00:47:08] I want to engage with people that take this very seriously.
[00:47:10] But at the end of the day, there's a community of people that do take this very seriously.
[00:47:14] And they don't cut corners.
[00:47:16] But they're not the high school bully at the same time.
[00:47:18] You have to make sure you are doing things right.
[00:47:21] And I promise you, I have personally seen it.
[00:47:23] If you build your environment, if you build this go-to-market strategy, if you align yourself to different partners like us, the goal, you will reap the benefit if you do this the right way.
[00:47:34] And Justin, you can spread out that cost, but just recognize that the cost is going to be there.
[00:47:39] It's just you dictate how much of that cost based on your scope.
[00:47:43] So I just want to make that message clear.
[00:47:45] It's like, this is a bear.
[00:47:47] But we want to make it a friendly bear.
[00:47:49] But it's still a bear.
[00:47:51] There's no way to get around that.
[00:47:52] I think what I was hearing, though, is if you build it, they will come and you can build it up.
[00:47:58] Well, Eric, this has been great.
[00:48:00] Where can people find out more about you and ControlCase online?
[00:48:04] Yeah, I'm on LinkedIn.
[00:48:06] ControlCase is on LinkedIn.
[00:48:08] Check out our website, controlcase.com, or find me on LinkedIn, Eric Levitis.
[00:48:12] I'm always down to have these conversations and be a soundboard, even if we're not doing work together.
[00:48:18] I'm the guy that owns all of our federal stuff, FedRAMP and CMMC, and I manage all of our channels.
[00:48:24] So this is literally what I do every day is have these conversations with MSPs to say, what makes sense for me and how can we be a part of it together?
[00:48:33] I really hope that when you go see your parents this weekend, this isn't something that they ask about because I know how parents are when their kids are in IT.
[00:48:41] My phone's broken.
[00:48:42] Can you look at it?
[00:48:42] Yeah.
[00:48:43] My dad's a retired CIO from the government, so he's much smarter than I am.
[00:48:47] There you go.
[00:48:48] Eric Anthony, got anything to say before we say goodbye?
[00:48:51] I know you didn't get a whole lot in today and I apologize.
[00:48:55] No, that's okay because the conversation just happened and it's great when that does.
[00:48:59] And technically, I am the producer and co-host of the show.
[00:49:03] So it's more important for you to get your questions in.
[00:49:06] But I do have one question.
[00:49:09] Store, transmit, pretty much those are understandable, right?
[00:49:13] I think that process could get a little bit more cloudy and I'll make it specific in my question.
[00:49:20] And that is, if I'm an MSP and I have a cloud backup, am I processing that data or do I have that responsibility to become compliant?
[00:49:33] Even though I'm not storing the data, I'm not transmitting the data, but I do have access to it.
[00:49:40] So is that considered processing?
[00:49:42] So I will give you one of my famous lines being the VP of business development is,
[00:49:48] that question is much better answered by my lead CCA on my team.
[00:49:52] Who's our technical guy.
[00:49:54] But what I will tell you is this, every situation is different.
[00:49:58] We would have to understand where the CUI starts, how it gets processed, what the tool actually is,
[00:50:04] and then what that tool is actually, like what it's touching.
[00:50:07] Because again, there are different scenarios that process means something different, right?
[00:50:11] So what I will tell you is this, scoping that, what you just mentioned,
[00:50:16] that flow of that particular CUI into that particular cloud platform will dictate if it is actually processed
[00:50:24] or if you're just managing it, and then at that point, you're just considered a security protection asset.
[00:50:28] Or yes, in fact, we agree that is a process.
[00:50:31] You now are required to have a certification.
[00:50:34] So I would, again, live in my world of not a me question.
[00:50:38] I'm not that technical.
[00:50:40] That is a question I can gather from one of my smartest guys on my team.
[00:50:43] And I'm sure he would have a great answer.
[00:50:45] And then the only other comment that I have is the DOD must have some Star Wars fans
[00:50:50] to come up with C3PAO.
[00:50:54] So I know it's true.
[00:50:55] I blurred my background, but I've got Batman behind me and Charizard behind me.
[00:50:59] So I'm on board with him.
[00:51:01] I'm all about the Iron Man.
[00:51:02] One actually, if you look close, there's one in my poster there.
[00:51:05] It's like the hidden Iron Man.
[00:51:07] It's our hidden Mickey's here on All Things MSP.
[00:51:10] Well, Eric, thanks so much for being here, man.
[00:51:12] Much appreciated.
[00:51:13] If you want to find out more about CMMC or ControlCase, check out their website, controlcase.com.
[00:51:17] And for you listening, if you want to check us out, it's facebook.com slash group slash allthings MSP.
[00:51:22] Follow us on YouTube at youtube.com slash at allthings MSP.
[00:51:26] So you can see how Eric and I were like giggling during the show about when we're asking certain
[00:51:30] questions.
[00:51:31] Follow us on all your favorite podcasting tools, even though you're listening to us most likely
[00:51:35] on one right now.
[00:51:36] Don't forget to leave a review.
[00:51:38] And that's basically it.
[00:51:39] Eric, anything to say before we say goodbye to the folks at home?
[00:51:42] No, just thanks so much, Eric, for being here.
[00:51:46] You do spell your name right.
[00:51:47] I do appreciate that.
[00:51:49] And other than that, thanks for being here.
[00:51:51] And we are going to have another session with Eric and ControlCase where we're going to go
[00:51:57] into a little more detail in an office hour session with them.
[00:52:01] So look forward to that.
[00:52:03] Looking forward to that.
[00:52:04] Well, then that's it.
[00:52:05] That's Eric.
[00:52:05] That's also Eric.
[00:52:06] I'm Justin.
[00:52:07] Bye.
[00:52:33] See you next time.
[00:52:47] our vendor sponsors.
[00:52:51] The All Things MSP podcast is a BizPow LLC production.


