Understanding the $100,000 Cost of CMMC 2.0 for MSPs with Mike Semel

On this bonus episode of The Business of Tech, Dave explores the buzz around regulation and CMMC 2.0 with guest Mike Semel. They discuss the $100,000 impact and the differences between CMMC 1.0 and 2.0, shedding light on the evolving cybersecurity landscape and its implications for MSPs across various industries. Tune in to gain insights on the changing regulatory environment and its potential effects on businesses.

Supported by: https://huntress.com/mspradio/

Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/

Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/

Support the show on Patreon: https://patreon.com/mspradio/

Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com

Follow us on:

LinkedIn: https://www.linkedin.com/company/28908079/

YouTube: https://youtube.com/mspradio/

Facebook: https://www.facebook.com/mspradionews/

Instagram: https://www.instagram.com/mspradio/

TikTok: https://www.tiktok.com/@businessoftech

[00:00:00] So there's been a lot of buzz around regulation and CMMC 2.0 so I wanted to dig a little

[00:00:07] bit further in and the timing was great because Mike Semel reached out to me and said,

[00:00:12] Dave, we need to talk about this.

[00:00:14] Did you know about $100,000?

[00:00:16] Let's learn more on this bonus episode of the Business of Tech.

[00:00:23] With as many breaches and security concerns as I report in this show, it should be obvious

[00:00:28] that cybersecurity is not just about technology, but also the human expertise needed to interpret

[00:00:34] and respond to complex threats.

[00:00:37] Huntress is focused on elevating SMBs and MSPs around the world.

[00:00:42] Huntress has a suite of fully-managed cybersecurity solutions powered by a 24x7 human-led SOC

[00:00:49] dedicated to continuous monitoring, expert investigation, and rapid response.

[00:00:54] And the proof is the execution.

[00:00:57] This is the number one rated EDR for SMBs on G2.

[00:01:03] Want to know more about the platform?

[00:01:04] Visit huntress.com slash MSP Radio to learn more.

[00:01:09] Well Mike, thanks for joining me today.

[00:01:13] It's great to be with you Dave.

[00:01:15] Nice to see you again.

[00:01:16] Yeah, so I want to dive right in because you recently wrote an article kind of going through

[00:01:22] the differences in CMMC1 versus 2 and how you think this is going to impact managed

[00:01:29] services providers and managed security services providers.

[00:01:33] Walk me through where you're highlighting the big proposed changes and what it means.

[00:01:39] Okay, so this is a big issue that MSPs need to be aware of because right now it is focused

[00:01:45] on CMMC which is for defense contractors but the word is that the rest of the federal

[00:01:52] government is watching the Department of Defense and letting it kind of carry the ball

[00:01:56] and go through the new regulation pain and work through it.

[00:02:01] And then they're going to make these requirements apply in other industries.

[00:02:04] So for example, it could end up in the healthcare industry and others, other areas where MSPs

[00:02:10] have clients.

[00:02:11] So the background on this, first of all I've been doing compliance for over 40 years in

[00:02:17] my MSP business and then about 12 years ago I spun off a consulting company.

[00:02:23] So we do compliance and business continuity planning full time.

[00:02:27] We don't sell any IT products and services.

[00:02:29] I'm not an MSP anymore but we work with MSPs every day.

[00:02:34] I was concerned when CMMC came out several years ago and was very vague about MSPs and

[00:02:42] I actually contacted the Department of Defense, the lady in charge of CMMC, named Stacy

[00:02:47] Bostjanick, and asked if MSPs were going to be covered by the regulations.

[00:02:53] And she said yes.

[00:02:55] So I knew this was coming.

[00:02:57] CMMC has gone through a lot of growing pains.

[00:03:00] We had the original CMMC and then they came out with CMMC 2.0.

[00:03:06] So we didn't know the first one was 1.0 but the new version 2.0 took the original which

[00:03:12] had 5 different levels and reduced it to 3 levels.

[00:03:17] So you have level 1, level 2 and level 3.

[00:03:20] CMMC is going to affect about 300,000 defense contractors and they're saying these are

[00:03:29] government estimates not my guesses that roughly half of them are going to be at level 1.

[00:03:36] And that means that they don't have what's called controlled, unclassified information.

[00:03:42] CUI in CMMC, or in the defense world, is the equivalent of PHI, protected health information

[00:03:50] in healthcare, or PII, personally identifiable information, that's covered under other laws.

[00:03:56] So half of the defense contractors don't have them.

[00:03:59] So think of somebody mowing the lawn at an Air Force base and they're an outside contractor.

[00:04:04] They're not going to have that kind of sensitive information or if they're sweeping the floors

[00:04:08] or whatever.

[00:04:09] So roughly half of the contractors in the defense contracting industry will have to comply

[00:04:15] with CMMC.

[00:04:17] About 80,000 of them are going to have controlled unclassified information and that means

[00:04:24] that the minimum level that they're going to be at is level 2.

[00:04:29] Level 3 is the highest level and that's going to apply to a very small percentage that

[00:04:33] have more sensitive controlled unclassified information.

[00:04:40] But it's the smaller companies that make up most of this defense industry.

[00:04:46] We don't think about that.

[00:04:47] We think of Northrop Grumman and Lockheed Martin and Boeing and Raytheon and General Dynamics

[00:04:53] as the defense contractors and they are and they'll get the contract for like a fighter

[00:04:58] jet.

[00:04:59] But then they'll go out and they'll take part of that contract.

[00:05:03] 30, 40% of that contract and split it up among small businesses.

[00:05:07] That's a requirement in the contract.

[00:05:09] So the contracts and the money flow down from these big contractors to smaller contractors

[00:05:17] and they're all over the country.

[00:05:18] In small communities or specialized businesses, they may make ball bearings.

[00:05:23] When you have a fighter jet, you have the cockpit canopy that opens so the pilot can get

[00:05:28] in.

[00:05:29] Don't think of the jet.

[00:05:31] Think of the hinge that that cockpit canopy has so that it can open and there's a pin

[00:05:38] in the cockpit canopy hinge just like the pin in your bathroom door, in the hinge to

[00:05:43] your bathroom door.

[00:05:44] So think of the hinge company or the pin company.

[00:05:47] Those are the ones that are working with MSPs and in some cases a bulk of that company's

[00:05:53] business is defense contracting.

[00:05:55] In some cases, it may make up just 5 or 10%.

[00:05:59] But these are critical products for the defense of our country.

[00:06:04] And what CMMC is now recognizing, it has been published in the federal register.

[00:06:10] There had been doubt that CMMC was going to happen but there's no doubt anymore.

[00:06:15] It's in the federal register as a proposed rule.

[00:06:19] In the proposed rule, it says, and I'm not going to quote the language because it's

[00:06:23] all acronyms.

[00:06:24] They have their own language just like we do in the IT industry.

[00:06:28] But it says that if you are an external service provider who's not a cloud service provider

[00:06:35] then if your client requires a CMMC level 2 assessment, then you do too.

[00:06:43] And if you fail, your client fails.

[00:06:46] The other areas where MSPs are brought into CMMC, they have scoping guides and assessment

[00:06:55] guides.

[00:06:56] The scoping guides define what is within scope of a CMMC assessment.

[00:07:03] And you would imagine if you walk into a defense contractor the computers that download

[00:07:07] this information, this controlled unclassified information, the machinery that they upload

[00:07:13] that into so they can make a product.

[00:07:15] Those are all within scope but there's another category called security protection assets.

[00:07:23] Defined in security protection assets are the managed service provider personnel who maintain

[00:07:29] networks.

[00:07:30] So I've had MSPs say, oh we really don't do the cybersecurity.

[00:07:35] That's done by a SOC as a service or some other vendor or using XYZ company.

[00:07:42] But the way they define this.

[00:07:44] If you're just doing patches and updates and managing that network, you're within scope.

[00:07:49] The second thing that's within scope are the cloud service providers who are providing

[00:07:55] security tools.

[00:07:57] So the products that you as an MSP are using in your stack that are cloud-based services,

[00:08:04] all within scope of the end user's assessment.

[00:08:08] The timeline for this is roughly, we're going to see CMMC in contracts in a year.

[00:08:14] I'm a CMMC certified assessor helping to guide, we're consulting with companies to help

[00:08:21] them prepare.

[00:08:22] And it's taking an average company 12 to 18 months to prepare, and the government's estimate

[00:08:30] on the assessment, just to prepare for the assessment,

[00:08:33] not the cost of implementing the cybersecurity, is over $100,000.

[00:08:40] So to summarize, MSPs are going to have to be assessed if you have defense contractor

[00:08:47] clients.

[00:08:48] The assessment cost is estimated at $100,000 and the tools that you use will have to

[00:08:54] meet federal specifications that most of them don't do now.

[00:09:00] If you're going to continue to deliver services to defense contractors, and as I said

[00:09:04] when I started, this is likely to spread across many other industries.

[00:09:09] Well, let's put that aside because that's projection.

[00:09:12] We don't know.

[00:09:15] And that's farther.

[00:09:16] Let's talk specifically about this.

[00:09:17] Won't this just fracture the market into those providers that are capable of delivering

[00:09:21] in the defense industry and those that aren't?

[00:09:25] Well, yeah, I think it will.

[00:09:27] And I think there are several things that I'm anticipating are going to happen.

[00:09:31] First of all, there will be some MSPs that simply say we're not going to do this.

[00:09:35] We can't afford it and all that.

[00:09:36] We only have one defense contractor.

[00:09:39] When I started in the compliance business, I was an MSP in the early 2000s when HIPAA came

[00:09:44] out.

[00:09:45] I learned about HIPAA.

[00:09:46] I went and got a training class and passed a certification test on HIPAA.

[00:09:51] And stayed as an MSP.

[00:09:52] We didn't change any of the products and services we were offering, but we promoted them

[00:09:57] as HIPAA compliance services.

[00:10:00] So we took compliance and used that as a differentiator.

[00:10:04] I didn't have to prove to anybody I was a best in class MSP because nobody saw us as an MSP.

[00:10:10] They saw us as a risk management company focused on compliance.

[00:10:14] One of the things I did back then was I took all of our rates across every client in

[00:10:20] every industry and increased them enough to cover the costs that I had to incur for

[00:10:25] the healthcare industry because I didn't want to pay for it out of my own pocket.

[00:10:30] So when somebody says, well, it's $100,000 and I only have one customer.

[00:10:34] I get that but I would never take the $100,000 and just say it's for one customer, I'd increase

[00:10:40] my rates across the board.

[00:10:43] And the reason that I think this is so important is that you're going to be beating a lot

[00:10:49] of other companies that can't answer the bell.

[00:10:53] And if you don't do it, I think this is the opening where we have all these MSPs that

[00:10:58] have consolidated through mergers and acquisitions.

[00:11:01] I don't know if you want to call them a super MSP or a mega MSP.

[00:11:05] I see those guys as really being able to take advantage of this because they, if they

[00:11:10] had like 20 locations, they could take one location, get it fully certified for CMMC,

[00:11:17] spread that across all 20 of their markets.

[00:11:20] But then they could come into your market and not just take the defense contractors that

[00:11:25] need your help, that's their wedge to get into your market and take away the rest of

[00:11:30] your business.

[00:11:31] But I think there's a big risk to the MSPs that are kind of afraid of this or aren't

[00:11:37] ready to do this.

[00:11:40] It's a big moment in time for the industry.

[00:11:43] Now you brought up the tool providers.

[00:11:45] I mean, I would have every expectation that they want to have their tools delivered

[00:11:49] used by defense contractors.

[00:11:50] Are you expecting them to just get it together and deliver on doing a certification and getting

[00:11:57] FedRAMP authorization and delivering their cloud in a way that the government will consume?

[00:12:02] I think eventually, but when you say just getting FedRAMP certification, that's taking years

[00:12:08] to get right now.

[00:12:09] And the challenge that everybody has is that CMMC's going to be in contracts starting

[00:12:14] in 2025.

[00:12:16] So my concern is that the names we all know in this industry are not ready.

[00:12:22] They're not saying, we're the guys you need to come to and here's what we're doing

[00:12:27] to build a CMMC compliant product.

[00:12:30] Remember, this regulation was only published at the end of December.

[00:12:35] So we're just over a month from that.

[00:12:37] But I've talked to several of these tool companies and they are not ready for this.

[00:12:41] So it's easy to say, yeah, get FedRAMP.

[00:12:44] But that means that they're going to have to have a full certification assessment across

[00:12:51] all of the FedRAMP requirements.

[00:12:53] FedRAMP moderate, by the way, is the level for CMMC.

[00:12:57] That's not easy and cheap to do.

[00:12:59] Well, I'm not crying for those companies.

[00:13:01] I think they can do it.

[00:13:02] Because I'm going to say that's the law.

[00:13:06] And if they want to do business there, they're going to have to do that.

[00:13:09] It's a yes or no choice.

[00:13:11] But I want to push back a little bit and say, the Defense Department has come out

[00:13:13] and said they're going to run particular programs to help small companies ramp up because

[00:13:20] they recognize too that they are going to need to invest in their own supply chain.

[00:13:25] Don't you expect that the government is going to be proactive about working through

[00:13:29] that?

[00:13:30] Because they do know at the end, as you described, they're going to need those

[00:13:32] hinges.

[00:13:33] They're going to need those bolts.

[00:13:35] They're going to work through the process and invest to make sure that their own supply

[00:13:38] chain delivers.

[00:13:39] Aren't you expecting that as part of the process?

[00:13:42] Not exactly, but there is going to be some help.

[00:13:45] So first of all, why did CMMC come out?

[00:13:48] It's because there was a requirement going back to December 31st of 2017 that all defense

[00:13:56] contractors that had a certain clause in their contract, 252.204-7012, which was an

[00:14:04] 80% of defense contracts, that they had to implement all the cybersecurity controls in

[00:14:10] NIST 800-171.

[00:14:11] And that was a requirement since December 31st, 2017.

[00:14:16] That's key.

[00:14:18] And the reason for this is that CMMC didn't exist then.

[00:14:22] The reason CMMC came out is that the defense department did audits of their contractors and

[00:14:28] found out that fewer than 10% had ever implemented those requirements.

[00:14:33] And that left the risk of cyber attacks all the way across the defense industry.

[00:14:40] So they reacted, maybe the term is overreacted, by coming out with CMMC and saying every

[00:14:45] one of these businesses needs to be assessed.

[00:14:49] In the regulation that they put out, they also put out comments that people had made in

[00:14:54] their response to them.

[00:14:55] And one of them is, this isn't fair, this is so expensive.

[00:14:59] Why are you making us do this?

[00:15:00] We don't do that much business with the Department of Defense and maybe we're not going to do

[00:15:04] business with you.

[00:15:05] And their answer was, you've taken our money since 2017 when this regulation came out, we

[00:15:12] are not going to help you pay to implement the regulation.

[00:15:16] You should have been doing that now for six years.

[00:15:20] So their position is no, we're not going to help.

[00:15:23] However, NIST, the National Institute of Standards and Technologies has a program, the

[00:15:30] MEP program for manufacturers.

[00:15:35] It's not for MSPs, it's for manufacturers.

[00:15:39] And there's some funding that's flowing down through the federal government to the states

[00:15:44] to the local manufacturing groups that may help them cover some of the costs of this.

[00:15:51] But no, the DOD is not in there, I don't really want to say they're arrogant about it,

[00:15:56] but they're being strict about it.

[00:15:59] And here's one of the big concerns.

[00:16:02] So the Federal False Claims Act is a law that goes back to the Civil War.

[00:16:06] And it says, if you defraud the government, you have to pay back three times what the government

[00:16:12] paid you and by the way, they can go back three years.

[00:16:16] So we work with doctors who take Medicare money, they're government contractors.

[00:16:20] You never think of your doctor like Lockheed Martin or Northrop Grumman as a government

[00:16:24] contractor, but they are because they take Medicare and Medicaid.

[00:16:28] These subcontractors are taking federal money.

[00:16:32] So the DOD is saying if you are misrepresenting your cybersecurity and you're still taking

[00:16:39] our money, then we can come back and charge you civilly through the Department of Justice,

[00:16:46] not the FBI making an arrest, but civil lawsuit.

[00:16:49] And take back nine times what we paid.

[00:16:51] So there's already skin in the game that many of these companies have that didn't implement

[00:16:57] this.

[00:16:58] And they're not just going to be able to abandon the defense industry because if they do

[00:17:03] and they're still caught based on what they've done up to now, they could still pay back

[00:17:07] a lot of money.

[00:17:08] I don't know, Mike, it seems pretty clear about what their expectations are and what the

[00:17:13] contracts come with.

[00:17:14] And if you're signing contracts with the government, you're obligated to read the contract and understand

[00:17:20] what you're taking the money for.

[00:17:21] So I'm sitting here and hearing this, I'm saying like yeah, this makes sense to me.

[00:17:27] It seems like if you're going to be in defense, you better do it right.

[00:17:32] And you're going to need to be proactive about this.

[00:17:35] So what do you recommend people do? Is this a decision essentially to get in or out

[00:17:39] now, and what are their next steps?

[00:17:42] Well, you know, this is like eating the elephant one bite at a time.

[00:17:47] And the first thing you say is, $100,000 is a crazy amount of money.

[00:17:50] Put that aside.

[00:17:51] And the reason for it is that unless you're only doing $10,000 a year or so much, you

[00:17:56] shouldn't be in this business, forget the money because I think you need to look at where

[00:18:01] are you now on the scale.

[00:18:03] And a lot of the things, if MSPs are doing the right things and they've implemented cybersecurity.

[00:18:08] So remember I said this isn't just the defense industry.

[00:18:11] If you have one healthcare client, just one, you are a HIPAA business associate.

[00:18:18] And that means that as a business associate,

[00:18:20] you have to implement the entire HIPAA security rule.

[00:18:25] So if you're already doing that because you have healthcare clients, NIST 800-171 is the guidebook

[00:18:33] or the, not the regulation but the framework for the defense industry.

[00:18:38] You start going down through that list and a lot of it is yeah, we're doing that.

[00:18:42] Yeah, we're doing that all the way down through.

[00:18:45] And then there will be things that are challenges such as data has to be encrypted.

[00:18:53] This is, the CUI data for your clients needs to be encrypted at FIPS 140-2 level encryption.

[00:19:03] Now a lot of the backup companies don't do that but a lot of them do or some of them do.

[00:19:10] So you may have to change the vendor you're using either for defense contractors.

[00:19:15] When I was an MSP, I didn't like having multiple vendors in the same space.

[00:19:18] We were going to change a backup vendor, we changed everybody to the same one.

[00:19:23] But if your vendor does not offer FIPS 140-2 encryption,

[00:19:29] then it's going to be, in fact it already is, illegal for them

[00:19:34] to have controlled unclassified information that's based on the current rules.

[00:19:38] So these are things that you want to look at.

[00:19:41] And then as I said, when you pay for this, don't look at that one client or those two clients

[00:19:47] that you have to do this for.

[00:19:49] If you spread this, if you do a million dollars a year in business,

[00:19:55] so 3 million over three years.

[00:19:58] You can add a few percent, three, four percent to every one of your contracts

[00:20:03] and cover the cost of this whole thing.

[00:20:07] And by the way, when you get an assessment, it's good for three years.

[00:20:10] And then it will have to be renewed.

[00:20:12] But my point is this is where you want to start looking at where you are

[00:20:16] in terms of the regulatory space.

[00:20:19] And also, you can start looking at adding a little bit to your prices across the board

[00:20:27] to pay for this.

[00:20:28] Like I said, I don't believe this is going to stop with this industry.

[00:20:30] I know you've had a lot of discussions about regulation in the state of Louisiana

[00:20:35] and all these other things related to MSPs.

[00:20:39] It's not even the federal government that I believe is the regulator here.

[00:20:44] As crazy as that sounds, I think it's going to be the prime contractors.

[00:20:49] And I know this because we have small defense contractors who have more subcontractors

[00:20:54] to Raytheon and General Dynamics and Northrop Grumman and Lockheed Martin.

[00:20:58] It's those companies right now, not even the Department of Defense.

[00:21:03] And they're a year ahead of where the regulation is going to be asking our clients

[00:21:08] in questionnaires, are you ready for CMMC?

[00:21:11] Have you done a self-assessment score so you know you're going to be ready

[00:21:15] for the third party assessment?

[00:21:19] And if you don't answer those questions right,

[00:21:21] they're just going to take you off the list now and you will not be a defense contractor.

[00:21:27] So that's the pressure we're seeing is flowing down from the prime contractors

[00:21:32] who the next time they get a big contract,

[00:21:36] they want to know that you qualify to be a subcontractor

[00:21:40] or else they're going to go to your competitor who will do it.

[00:21:43] Mike, you've given everybody a lot to think about.

[00:21:45] Mike Semel, known as the Complianceologist, is president of Semel Consulting.

[00:21:50] He's a certified CMMC professional.

[00:21:52] CMMC registered practitioner certified HIPAA security professional.

[00:21:56] He's certified cyber-resistant professional and a whole bunch more.

[00:22:00] Mike, thanks for joining me today.

[00:22:02] Thanks Dave, it's great to see you.

[00:22:06] Hey software vendors interested in supporting the show

[00:22:09] and getting recognized in a simple way.

[00:22:12] Want to try out podcast recognition but concerned about the budget?

[00:22:16] Want to support the community and get credit for it?

[00:22:19] Want critical linkbacks to your website?

[00:22:21] Want access to me for answering your questions?

[00:22:24] The business of tech now has a Patreon supporter option just for you.

[00:22:29] Sign up at patreon.com slash MSP Radio and get shout outs on the live shows,

[00:22:35] recognition on the business of tech website and access to me

[00:22:39] for your questions and answers about what's going on in the MSP space for your organization.

[00:22:44] Easy to do?

[00:22:45] Just sign up at patreon.com slash MSP Radio.

[00:23:14] Our Patreon, where you can join the Business of Tech community at patreon.com slash MSP Radio,

[00:23:21] or buy our "Why Do We Care?" merch at businessof.tech.

[00:23:26] Finally if you're interested in advertising on a show, visit mspradio.com slash engage.

[00:23:33] Thanks for listening today and I will talk to you again on the next episode of The Business

[00:23:37] of Tech.

[00:23:44] Part of the MSP Radio network.