In this episode, Kaleigh Floyd and Bobby Guerra discuss the critical considerations for Organizations Seeking Certification (OSCs) choosing an MSP for their CMMC journey, and for Managed Service Providers (MSPs) contemplating CMMC Level 2 certification themselves. They explore the importance of selecting a qualified MSP, the preparation required for assessments, the necessity of proper documentation, and the implications of client agreements. The conversation emphasizes the mindset MSPs need in order to support their clients effectively through the certification process, highlighting the risks of inadequate preparation and the benefits of a committed approach.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Hello Climbers and welcome back to Climbing Mount CMMC, the podcast. I am so excited to be talking with you guys today about should I even have an MSP that's CMMC Level 2 certified? Or maybe you're an MSP that's going, should I even get CMMC Level 2 certified?
[00:00:30] Well, we are here to tell you guys five things that you need to consider when making that decision. Just five. Look at that. Look at what we did here. We made it only five things you have to think about in your entire life. It's so easy. Will it be easy? Probably not. So let's get started. Let's get into it. For those of you guys who don't know us, my name is Kaleigh Floyd. This is Bobby Guerra.
[00:00:57] We have an MSP called Axiom that just got CMMC Level 2 certified. Hooray. So if you're wondering if we're qualified to talk about what this gets you, I fear that we are qualified. So let's talk about the first thing, which is our classic saying that we love to say on this podcast episode.
[00:01:23] Do you really want to go through marriage counseling for CMMC? Now, Bobby, let's break down what that means for the folks who don't already know. Who came up with that? Was that used for me? That's definitely you. Yeah, that's definitely your saying. We use it so much now. I don't remember. But basically the concept is both of you kind of know that you're in troubled waters because you want to become CMMC certified. So you both go to a marriage counselor, somebody who's going to coach both of you through the process.
[00:01:50] And then, you know, through the through the end, you magically get married through the process of being certified together. Hand in hand, walking through it. What better way? It always works out. It's a beautiful thing. There's no possible way that could go wrong. No, no such thing as divorce in this. No, never. Yeah, it's beautiful. No, we're lying. So it's a very scary thing.
[00:02:16] If you're an organization seeking certification and you are working with somebody who is not CMMC level two certified, they will be pulled into your assessment. OK, they are doing certain things for you that are part of the controls of CMMC. And the assessor is going to want to know how they're doing it, what they're doing.
[00:02:41] And if they haven't been assessed yet, they are going to be assessed during yours. And that should be a very concerning statement if your MSP or your provider is not prepared for that. Right. Well, it's the client that has legal contracts that they have signed with the Department of Defense, you know, now with the FAR Council finally releasing the.
[00:03:09] The proposed rule that's in proposed right now. Mm hmm. Uh, so you could be coming from other agencies that have these types of requirements that are flowing down to you. But regardless of how that client ends up with it, they're turning to that MSP and now they are flowing those contractual requirements down to you. So it's not like, oh, let's just try to help them. Like you're going to basically get roped into a legal agreement that you're going to have to sign with that client that tests that you're doing those things.
[00:03:38] And there is absolutely, uh, you know, legal precedence for you to be, you know, handled if you're not doing that correctly. Like you're, you're getting into the, you know, the, the laser focus of the Department of Justice. If you like, you're part of that and you're, and you've, you've not done what you're supposed to do and you did it knowingly or unknowingly. Um, they're not going to be real happy if you're not doing what you're saying you're supposed to be doing.
[00:04:06] You know, they don't throw their head back and just laugh about that and think it's a big deal. You know, no, no, no, no. They're so silly. You know, they're so funny. Yeah. They're not going to play around with that. So when you get into that relationship with that OSC, you have to make sure that it's in a way that you can appropriately support them. Like it's not like you just throw some agents on there and you patch them and then you send them a report and you're good. So I love it. So that first question, again, do you want to go through marriage counseling for CMMC?
[00:04:36] I think you need to decide if you do or you don't. And that should help you a little bit. Well, the head result is going to be this, this relationship that's unique to you too. Yeah. And the cost of, as an MSP of changing and providing services, because the way that you operate as a traditional MSP, you cannot meet them and help them get compliant. A lot of the tools. Scalability. That and a lot of the tools that you use just aren't going to work.
[00:04:59] So that means you're going to have to, with that one client or a few clients, change dynamically how you work as an organization. And that is just a recipe for disaster because you want your team to be able to know whoever's handling those tickets or working those things. That's what they're used to doing. But that's not what's going to happen. You're going to have this one or two off scenarios with this client and there's a lot of cost involved. You know, and it starts, you start thinking to yourself like, okay, well then maybe I might bring on a whole bunch more clients.
[00:05:28] But do you want to have unique relationships with each of them that are all different? You know, you're like, oh, well, we'll write the templates and everything with them and then we'll reuse it wherever else. It doesn't really work out that way. You need to start looking at it from the satellite view of scalability and how you design it as you're supporting them. Just sort of working through it together and then magically you can then make it to where it can scale for what you're doing. It just doesn't work that way.
[00:05:58] What you'll end up doing is meeting them exactly where they need to be at, which is awesome for them, but not great for you when it comes to supporting the 10 or 20 other people you want to do. CMMC has a certain level of head costs that you have to pay no matter how many clients you have. And those are coming your way whether you like it or not. And so you've got to think about that. So just having those one or two clients is just not typically fiscally responsible from what I've seen. Yeah.
[00:06:25] I actually, fun fact, I was talking to an OSC the other day whose MSP was not CMMC Level 2 certified, but in fact was asking to speak to a consultant about how to do CMMC and was having their client pay for it. Yeah. That is cool. The OSC had, who, you know, was a C3PAO. They were like, can we talk to your C3PAO and they could help us get, you know, like with you together. Yeah. Yeah. Like, oh. Yeah.
[00:06:54] Interesting. Interesting story. Okay. So let's talk about number two. They, they would be prepared for the dance of an assessment. We've talked about this in a past episode. So if you want to hear us really specifically break down what that dance is like and how we've experienced it and how you can help through it.
[00:07:16] But if you have a MSP that has a level two certification, it is guaranteed that they have at least gone through one assessment themselves. That should be a really, really nice pat on the back because they have gone through that dance and have come out to the other side with a nice score. Right.
[00:07:38] So do you want to talk a little bit more about two from your perspective on how that's been nice for you as an MSP as well to experience that? Yeah, I was talking with an organization that was going through a JSVA assessment because they were going to be a C3PAO. And they hadn't gone through that dance that we talked about. While they felt like they were ready, they weren't ready to do the dance.
[00:08:01] So when it came time for the auditors to start poking them for questions and they look at them and they're like, okay, what are you going to ask us? What do you want to do? They weren't ready to drive the ship. They were just reacting. They were always on their back foot. They didn't have an offensive plan on how to... Always on the defense side. Always on the defense. They were just asking and then they were like having to pivot and think about how they were going to respond. And it was just a train wreck for them.
[00:08:29] And then they went back and rescheduled. And then they had the test plans they were going to do. They had the documents they knew they were going to bring up. They were ready to go. And it was just bop, bop, bop, bop, bop, bop. With flying colors. No problems whatsoever. Trial and error. They learned from that already. And so now they're so much more prepared when they go to work with clients. They understand how those audits can go. And they're prepared to walk clients through that as well. It's just you need that experience. Yep.
[00:08:59] So let's talk about number three. So we talked about the experience of the assessment itself. Let's talk a little bit about the preparation and the documentation. We love to talk about this. But if you are working with an MSP who is CMMC Level 2 certified, they guaranteed have an SSP. And that SSP has already made it through an assessment. That should sound like music to your ears.
[00:09:28] You know? You know? Because some people are asking us still to this day, do I even have to have a full, you know, fledged SSP? And that is scary. Sorry. So let's ask Bobby, let's say this. Is an SSP required? 100%.
[00:10:16] You know, I'm going to ask you to do this job because you have to be here every day. Like, I can't pick you up. Like, what the heck's wrong with you? You know, that's just, that's sort of how it is, like your SSP. So, you know, so Kaleigh, from your perspective, you've been on a lot of these other peer calls. You can start to see these individual organizations that are MSPs that want to kind of step into the space, but they're wanting to dip their toe. And you've seen those conversations around what they need to prepare in order for them to participate.
[00:10:45] Documentation is obviously one of them. And, um, how do you feel about that? And like, what do you think about, um, what you've seen? Just from your, I'm just curious what you're. Yeah. Well, my, my perspective is there. And I think we talked about this in our previous episode, but there is a, there is a fear of like, how much, how much can I keep of what I've already built up?
[00:11:12] And that, that completely and totally makes sense to me of how you would ask that question first of like, if you're an MSP that has been, you know, doing their thing, servicing clients for many years, you want to keep whatever stability you already have, whatever processes and policies you already have.
[00:11:32] But if you have not, you know, gone through NIST 800-171, if you have not gone through the CMMC requirements before, it's going to change your organization. And like, if you're not willing for that change, there is going to be a major disconnect and there's going to be a point where you have to decide if you're going to fully change or just bow out.
[00:11:58] And I do, I get so fearful because when I hear the questions asked, I fear that some people don't see that decision and are never going to make it and could potentially bring their clients into that because they never end up making the decision until it fails, you know? Right. So that's my biggest takeaway, I think. I think it's like, here's some warning signs. Like if you're an MSP, start asking these questions to yourself.
[00:12:25] You're like, if this is how I'm treating CMMC, it's a danger sign. Number one, what do I absolutely have to do? You know, what is the bare minimum I can do to participate? Danger sign. Yeah. What documentation can I get away with that I have and just sort of make it work with what we're trying to do? Another danger sign.
[00:12:49] What are the existing tools that we've always used, you know, and we can still leverage going into the prime out of our cold dead hands, you know, and I don't want to spend any more money, you know, like, like is a few thousand going to get me there? You know, like, you know, as you start looking through and they're, they're just firing off these, like they, you haven't gone through the five levels of CMMC grief and have come to the acceptance phase that I have to go all in.
[00:13:16] I have to earmark a chunk of money for me to budget, to get this done. I have to already have, I mean, even if you don't get level two, you're still going to have to do a chunk of things like 60 to 70% of what would be required for you to be ready. What do I mean by that? You're going to have to have a fully fleshed out system security plan. Yeah. That talks about a CRM. That's going to talk about how you're going to operate to support your clients.
[00:13:44] That is a very mature document that requires a lot of process and validation. So, I mean, would you go 80% of the race and go, I don't need to finish. I'm good. You know, you're already 80% there. Yeah. No one's going to do that. Right. No one would do that. So the reason why people are asking that is because they don't want to go 80%. They want to go 20%. They want to go 15%. They want to do just what's barely, and there is, that does not exist. That's not there.
[00:14:14] So you can take my word for it or you can find it out yourself. But trust me, I'm telling you, you can take it to the bank. Like you've got to fully commit to this if you want to do it. And the best way to prove that you're fully committed is to get your level two certification. But if you don't, you're going to have to go all in with most of everything you're trying to do. And at that point, you've spent so much money and time and effort to get there.
[00:14:42] It's almost detrimental to your business not to go all the way. Right. Exactly. And I want to clarify, too, when I'm saying this kind of stuff, I'm not saying that an MSP that doesn't go CMMC is anywhere less than. Because there is a need for MSPs in the CMMC ecosystem, and there is a need for them outside of it.
[00:15:06] There's tons and tons and tons of commercial businesses around the United States that are in desperate need of an MSP. And I fully believe that. The problem that I have is when people drag clients that are contractors that have to do this for their business to actually survive. And you don't go full in, and you don't prepare for this, and you drag that client through.
[00:15:34] And you ruin their journey because of it. That is just the problem that I have. Because there are MSPs needed in both ecosystems, and that is totally fine. It's just make your decision. That's my opinion. Because there are so many organizations we work with. Like, this is their life. Like, 90% of their business is this. If not all. Right. Yeah. And then some, it's 100%. Yeah.
[00:16:01] Their business is DOD-based work that have these requirements. And if you step in and you wreck them, you could put them out of business. Like, this is a big deal. Like, do not screw around with this. Yeah. And do you think an organization is going to let you put them in this situation, and they're going to just lay down and take it with a, hey, I'm sorry, man. Or, you know, I thought we were ready. I know I charge you all this money, and you're not. Yeah. It ain't going to go well.
[00:16:29] That literally goes into our next number four, which is a CMMC agreement. Then I think that ties into that part of things, too. Do you want to speak a little bit about that? What are you talking about? I think it was the. Well, it was having an SSP fully fledged out in a CRM. I think it's in the scoping guide, right? That's what I'm trying to remember. Oh, the scoping guide. I think it's in the document of the scoping guide. That is correct. If you go through, there's a section. I'll put the. Okay. I'll put the thing up here. Look at it. It's so beautiful. It's so beautiful.
[00:17:00] You can see it in post. Somewhere right here. The reality is, in the scoping guide, it speaks to the fact that they want to see the agreement from the ESP, a.k.a. the MSP, and the matrix, and understand not what you just sort of hand shook on or high fived or fist bumped or whatever about how this partnership is going to work.
[00:17:27] They want to see legal documentation that you've signed that says this MSP is on the hook to do these things. And then the OSC is responsible for these things. And then that provides a good line for the auditor to kind of go, okay, I'm looking at you and now I'm looking at you and you need to tell me and you have to provide the documentation processes, you know, and just proving you're doing it is enough.
[00:17:56] They want to see policies and procedures around the maturity to know that you're going to continually do it right. I don't see how an auditor could pass you if you don't have something that of a system security plan nature that's going to help guide them from that. You might say, oh, no, I'm just playing off of the OSC's SSP. I don't see how that could ever work. So you're going to have to have your own system security plan. You're going to have to have your own policies. You're going to have to have your own procedures. And when it comes time for you to talk, you're going to have to execute that.
[00:18:22] You know, maybe you're not doing all 110 of them in your SSP, but the ones that you have better darn well speak to what you're doing through your, you know, your SRM or CRM and how they come across. Right. Exactly. Yeah. And, and I, I did, I do have the blurb here and, and it just to really clarify to those of you who might not be like how haven't looked at the scoping guide before, but like, this
[00:18:47] is what an assess, an assessor that is going to be assessing you during your level two assessment is going to be considering. Like, this is what, this is what they told, they were told to pay attention to. So if it says in the scoping guide that you have to, as the assessor, consider the agreement in place with the ESP, you better believe that they're going to start considering that.
[00:19:12] If, you know, if it's a good assessor, which, you know, and so this is, yeah, I, this is so critical and it goes with what you were saying before as well on the flip side of an MSP who has an agreement to back themselves up for, you know, if for some reason there is a NOT MET and we have to fix something, what happens there? You know, what's the, like, where, how far can we get you? What can we guarantee?
[00:19:40] And what can we not, you know, you have to have that stuff written in place or there's going to be some really risky legal battle sort of situation. Um, and so I think that that also ties into what you were saying before in that way. Yeah. So let's talk about the last thing, which we've talked about the SSP and we've talked about, so the system security plan, we've talked about the CRM a little bit, the client or customer responsibility matrix, right?
[00:20:09] And let's talk now about inheritance. Okay. 'Cause it goes with the documentation piece. So when you have a CMMC Level 2, you know, certified MSP, you have the opportunity for this. So Bobby, you want to speak into a little bit of what that opportunity can be and also what you're working towards too. Yeah. We're going on the offensive here because there's some verbiage that is in the 32 CFR that sort
[00:20:39] of the DOD says, we understand that there's going to have to be equilibrium hit between the ESPs and the OSCs and the C3PAOs that are doing the audit, especially for those MSPs that are going to get Level 2 certified. So there, the 32 CFR was written in such a way that there is room for MSPs that get Level 2 certified to afford them inheritance with their clients.
[00:21:07] I believe it in my heart that there is that way. I do see in the documentation, there's precedents that could be, or verbiage and wordage that could be leveraged to do that. And so we're moving forward with working on the methodology of what that would look like and how that would happen. And in our approaches, we want to provide that to the C3PAO to say, this is the approach we feel inheritance can and should work with MSPs that have their Level 2, right?
[00:21:37] If there are certain things that have been assessed during their audit, I mean, if that's already been assessed, why would you want to reassess it over again? And I think that makes a lot of sense, but there isn't quite a clear definition of how that is. But just because there isn't doesn't mean it can't happen. So, you know, we're going through the process of walking that path with being absolutely respectful for the scoping guide and assessment objectives and the 32 CFR rule as a whole.
[00:22:06] I believe there's a very clear, narrow path that can be walked that will allow for all of that to happen. And when that comes out, that equilibrium hits, I think that's going to even emphasize more of why being that MSP with a Level 2 is so much more important because then the client who's getting assessed has at least portions of their audit checked off and that
[00:22:35] you now don't have a question mark around that organization you're doing business with. I would be scared to death if I was going into the audit and not only do I not know how I'm going to go, I don't know how the MSP is going to go because they've never gone through it themselves. So like, what does that even look like? Like, that would scare me to death. Yeah. Yeah.
[00:22:55] I think too, this really speaks upon the MSPs that work so hard to get this certification. Their brain is not just thinking about like what the bare minimum is to keep a client, to keep the money, you know, but rather how can I help my client get through this? Right. And I feel like it's a completely different mindset.
[00:23:21] And even you speaking about the inheritance piece and how we're striving to get even more of an understanding that is not there at this moment to better equip our clients, get them better prepared, take less time, less money, like to be able to do all these things for a client. It just shows the difference in headspace between some of the, you know, the different companies out there.
[00:23:48] And I think it's great to end on this because we really do have a heart not just for doing CMMC, but helping clients like get through this. And, you know, that's why we want to do all of this. Well, if you think about it, do you want to do business with an organization that, you know, has a really good search engine experience history on WebMD? Or do you want to go to a doctor who has gone through medical school, right?
[00:24:18] Being certified. Do you want to be like, hey, I can go to my friend who's watched countless episodes of Law and Order and can... Oh yeah, they're a professional. They're very professional. Or do I want to talk to someone who's been certified and has gone through the bar? You know, like it is when you say that, well, that's just silly. But so many people think, well, let's just go with an MSP that has never gone through Level 2 and they haven't done it. But it's sort of the same thing, right? I mean, that's what you're doing. You're engaging with an organization that has not gone through the real proof process
[00:24:47] that they are actually ready. Yeah. Now, is the audit right now written in such a way that they're assessing how they're going to service the client? No. All right. But it does show that they are 100% committed. They understand how the audit process goes. They've gone through an audit. They've created the SSP, which will then be inherited to some extent from the organization that is being assessed next, your client. So it absolutely is essential for you to feel comfortable that what they've got, that they're
[00:25:16] going to bring to the table is what you're going to need. Yes. Yes. That's so great. I mean, guys, MSP is a term. It is. You can say you're an MSP. Just because you're an MSP doesn't mean that you know everything about security and compliance. Like anybody could say they're an MSP. Like it is just, you know what I mean? But a certification is a certification.
[00:25:45] You have to literally go through it. I feel like it's equivalent to saying, oh, I'm Miss Kaleigh, Miss Kaleigh Floyd. That's just, I'm just putting Miss in front of my name. Like that's just a term. I'm like, I can just, I can just do that. But if I said that I am Dr. Kaleigh Floyd, that is another, that is a whole different ballpark. You know?
[00:26:19] It's a different statement. If you have any organizations that are listening to this, then know that this is a crucial, you know, and critical part of your journey. It is a decision that you have full authority to, you know, put the hammer down and make that decision with all of these things in consideration and be a little bit nitpicky with who you choose to go through this journey, you know, with.
[00:26:43] And also MSPs, like, you know, decide what you want to do and take that, take that decision very seriously. And, um, and if you want to join the climb, like, hey, welcome. Like we, we welcome you. Let's do it. Like we've been doing it. We're here for you. We're ready to answer any questions you have and we're ready to go through it. Um, but yeah, I hope that this was like Kaleigh, like, uh, there at the time of this recording
[00:27:13] two MSP friends that I know have announced that they got level two. I had no question that they wouldn't get level two because I knew them personally. Uh, I've messaged them. They're direct competitors of mine, like on like publicly, like so excited for you. So happy. I mean, there might be 10 or 20 MSPs that are like full help desk. Like this is what they do. That'll get level two probably this year. There isn't going to be many. Um, there's just not going to be many MSPs that are going to do this. No, but.
[00:27:43] Like we're all celebrating for that because that is a huge deal because like any of those buddies that I walked by, you know, I'm like the nod, like I know what you went through. I know what you had to do, you know, respect man, respect. Yeah. Um, because like, like you said, anyone can hang, hang out a shingle for, for an MSP, but you can't show that certification because you just walked up and grabbed it out of the candy jar, you know, like you gotta earn that sucker. Yeah.
[00:28:12] And, and that is no joke. Uh, so that's the level of confidence that I think any organizations should look for when they want to basically guarantee that their organization's gonna, um, you know, have a shot at passing. No one can provide a guarantee that you'll pass, but like you gotta take your best shot and I just couldn't see any other way. Yep. I totally agree. Well guys, I hope you all enjoyed this, um, discussion, but if you have any questions
[00:28:41] or thoughts, make sure to comment on Spotify. There's comments below the episodes that we can check out there on YouTube. We have some also, you can follow us on LinkedIn and message us that way. Um, and we're here to answer as many questions as we can. Um, but yeah. And if you are listening to this before May, um, and you're going to Seek West, come see us. We have a booth there. We can answer questions there as well. And we're excited to meet you. Um, but yeah. All cool t-shirts and all kinds of cool. Yeah.
[00:29:11] Ooh, I, um, I wonder if by the time this is out that we'll show some of the cool t-shirts that we've had in store for a while. We're at a celebratory shirt, right? Yeah. At the conference to celebrate us getting our level two, which is exciting. So yes. And those will be giving those out for free. So definitely. For free. Yeah. For, for free. I love it. Okay. Guys. Well, again, make sure to tune in next Thursday for our next episode.
[00:29:39] But until then guys, keep on climbing. See ya. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.