5 Questions to Ask Your MSP to Gauge Their CMMC Readiness
Climbing Mount CMMC, August 01, 2024


If you're planning to get certified in the next two years and work with an MSP, you should ask them these questions. If you're an MSP/ESP providing services to companies aiming for certification, you should be prepared to answer these questions. It takes a company eight months to a year to become CMMC ready.

Through this pointed and hard-hitting podcast episode, we aim to educate and challenge us all. Being an MSP helping clients on their CMMC path is serious business and a huge responsibility. This can't be solved with products or white labeling; it requires real people rolling up their sleeves and spending countless hours preparing not only to be certified themselves but also to embrace the duty of helping their clients do the same.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back, climbers! I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. In today's episode, Bobby and I talk about 5 questions you should ask your MSP to prepare for

[00:00:17] your CMMC journey. We're so excited for you guys to join us in today's episode, and we hope that you enjoy. Hello, climbers! Today we are going to be talking about a topic that we get asked

[00:00:30] a lot, which is: how do you know that your MSP is taking CMMC seriously? How do you know that they're ready to catch you when that time comes? We are going to be diving into our top 5 questions

[00:00:46] that you should be asking the MSP that you're working with, to know if they truly are ready to catch you when that time comes. I'm super excited to be asking these questions to Bobby.

[00:00:57] Let's start by talking about this seriously: what was this pain point that you're feeling right now, that maybe some businesses that are listening to this podcast today are also feeling? Yeah, it's a real challenge, just because maybe you're newer to the ecosystem.

[00:01:16] You know that you're going to have to get assessed, but you're just not sure how to have that conversation with your MSP. This is a real challenge, and they just don't know, they being

[00:01:26] the companies that are going to have to get assessed. What kind of very hard-hitting conversations and questions should you ask your MSP, that you rightfully should be able to ask? And so we just figured, hey, let's put it down and let's ask those hard-hitting

[00:01:42] questions that we would expect our clients to ask us. Right, I love it, because again we're all about being real and being truthful, and I think this goes right alongside

[00:01:53] that, and we're going to try to help you guys as much as we can with these five questions. So I think let's dive right into the first one, shall we?

[00:02:03] So the first one is: have you been audited by a C3PAO, and if you have, what was your score? Yeah, there's a lot of companies, well, not a lot of companies, but there are definitely

[00:02:16] managed service providers that are wanting to participate in the space, but they really want to have their toe out and they want to have their toe in, and they're not totally committing to this,

[00:02:26] and they're totally okay with their clients not really defining whether they're in or out. But in all honesty, if you're really going to be going after your assessment in the next year or so,

[00:02:37] you need to know whether your MSP is really in it to win it. And one of the first questions you can ask is: have you been audited by a C3PAO organization? In other words, the organization that's qualified to be doing these assessments. Even though they're not officially

[00:02:53] doing assessments yet, they can still get a gap assessment or analysis, where this organization can come and they can investigate the MSP and they can look and see how prepared they are.

[00:03:05] Now, it's going to be based on just whether or not they're ready to get Level 2; it's not necessarily going to assess how they're providing their services, and that'll be another question,

[00:03:13] but that's the first thing you should ask, like, have you been audited? And if their answer is yes, I have, what you want to do is say, by who? The organization that did the audit should be capable

[00:03:24] and willing to share that information with you as their client, so that you can have, you know, the trust-but-verify of knowing where they're at and what their score was. Does that make

[00:03:35] sense? Yeah, it does make sense. Now, can you clear something up for me about this topic? They're not required, an MSP right now that's working with government organizations, they're not required to get audited right now, correct? No, yeah, they're not required, but when the

[00:03:53] certification process starts happening, which will either be at the end of this year, which, at the time of this recording, the final ruling has yet to be dropped, but what all

[00:04:05] indications are providing and showing us is that MSPs will have to be Level 2 before you can submit your attempt to be certified. So in other words, let's say that you're planning on, you know, being

[00:04:18] one of the first to get over the hill. If it's six to eight months for your organization to be ready, what you don't want to do is you start that path, and then you go to contact the C3PAO

[00:04:28] organization, say that I think I'm ready, and your MSP has not gotten certified themselves. You can't go, like, you can't use them without them already being certified. So it is really the cart before the horse: your MSP must be certified first before you can request

[00:04:44] to go down the certification path, and so that's the reason why that first question is really important. You want to ask them, you know, have you even been audited? How close are you to even going? Because,

[00:04:57] you know, if you ask most of those MSPs, they'll be like, oh yeah, we're serious, we're ready. You're like, well, how ready? Like, well, you need a third party that has actually looked under the hood,

[00:05:07] you know, put the little oil stick thing in and said this looks good. You know, you want them to actually check and know, and so having that third-party examination is going to be real key in that.

[00:05:18] Yeah, that's great. I just keep thinking about your analogy. We don't want, you know, we don't want a, what do you say, you know what I'm about, a marriage counseling approach to CMMC, right?

[00:05:31] Yeah, you want your MSP to go, you know, before you rather than with you. You want them to go down the aisle, get married, have the certification before you even start thinking about engaging

[00:05:42] them, because you just don't want to find out that they're really not that serious as you start to walk down the aisle, and then they kind of just dip left and then they are gone, and then

[00:05:51] you're just like, well, I'm screwed. That's just not a good place to be, right? I love it. Okay, so let's go and move on to question two. So this is the next question that you would ask your MSP that

[00:06:02] you're working with: have you signed an agreement with a C3PAO? The C3PAO, right, you have to, that's who's going to do your assessment. Okay, that's who's going to assess you, right? If you haven't been

[00:06:18] examined by a C3PAO, have you even signed the paperwork to do that at some point, right? Have you committed with them? Does that make sense? And so most C3PAOs have some type of ingestion process

[00:06:35] that the person that's getting in line has to go through. So they're going to want to know, do you have a system security plan? Do you have some of these things in place before you sign the

[00:06:45] paperwork? They just want to, you know, kind of see if you've at least passed some type of sniff test. Most C3PAOs are going to do that. So yeah, it's a good sign if the organization that you're working with has

[00:06:58] signed and they can tell you, this is the C3PAO that I signed with, we are either going to have a gap assessment, or when the starter pistol fires off, we're third in line or 15th in line to be

[00:07:11] assessed. That should make you feel a lot more comfortable that who you're working with is really serious about stepping into the space. You might be a company that in no way has dealt with something

[00:07:23] this intense, you know, but now has to, and is scared to do this journey, and is going to hear a lot of alphabet soup, you know, which we did another video on. And so I just think it's important to

[00:07:37] pause and take a second for those people and be like, no, we hear you and we're here for you as well, because we know that this can be a daunting journey for anybody, especially somebody who's

[00:07:48] never really heard about it. So I just thought that's important for them. Yeah, and I think it's also important to kind of realize that you're not going to know everything,

[00:08:03] and I would hope that you didn't expect anyone to expect you to know all that. This is where the MSP is really supposed to know those types of things, and they're supposed to step in there with

[00:08:13] you and help. And an example of that would be, like, you know, we have been talking with lots of different organizations, C3PAOs, assessors; we're just trying to get a better idea of what

[00:08:24] the lay of the land is, to understand, you know, as we start to get more and more clients, they're going to need to try to pick C3PAOs, they're going to need to pick people to have consultant

[00:08:35] conversations with, right? They're going to need that rolodex of options to help them move down that path. And if the MSP doesn't even know who they want to pick for themselves, or

[00:08:47] even have an idea, how are they going to be able to help their client? Absolutely, yeah, that's huge. And you know, question number two kind of goes with question number three, because

[00:08:59] let's say that their answer to question number two, have you signed an agreement with the C3PAO, was no. Then the next question you should ask is, if you haven't, then when are you going to? Do you

[00:09:13] plan on doing that? Because you better, right? Work with us. So let's talk about that. What do you mean by when? Does that mean, like, that they could schedule it in the future and

[00:09:26] it could be something later down the line? Yeah, this all goes back to you as the company that needs to get assessed: when do you want to be assessed? When would you like to be, you know, standing up on the

[00:09:39] podium with the, you know, with the gold medal of, I got my certificate? Like, when do you want to do that, so that you can start doing those types of contracts? We know

[00:09:50] that it's going to be a phased rollout, that not all contracts as they're coming out are going to require that, but you know that these primes and sub-primes are going to start pushing on their

[00:10:01] contract companies that they work with to get certified as soon as possible. So as soon as the starter pistol goes off that assessments can start happening, you bet that that pressure is going to start coming, and the organizations that are more serious about

[00:10:16] wanting to get certified in the next year or so, you're going to need your MSP to already have been certified as soon as possible, because if you want to go down that path and be

[00:10:28] within eight months, your MSP that you're picking should almost already be ready. You know what I mean? Because, like, for us, we are coming into the finish line. We have, you know,

[00:10:41] we're right now, as we're speaking, we're going through our preparation work for our gap, and so we will know what our score is and be ready, so that when the assessment starter pistol goes off, we're ready to go. We want to be one of the first people

[00:10:55] on the starting line. Yeah, but if you're wanting to get assessed in that first year or so, you're going to need to have somebody that's already there, because if you don't, it's going to take

[00:11:09] your MSP at least a year to be ready, right? And if you're wanting to get done in that year, next weekend, right, right, they make the decision, they're like, yeah, we'll have it done by next week.

[00:11:20] And if you're like, yeah, you know, two, three years, let's just see what happens, you know, you definitely have some room to kind of play the, like, you know, play the field some. Yeah. What I have a

[00:11:31] suspicion is, there's people that feel like they want to play the field; they're going to start to realize that maybe that wasn't such a good idea if they wait. Yeah, yeah, that's a great point.

[00:11:41] So the fourth question that you have on here is: do you either have a CCP or a CCA on staff in your organization? So let's talk about a CCP and a CCA for a second, and what those are and what that means

[00:11:57] to have one on your staff. Yeah, that means that they have been tested and accredited by CAICO, which is an organization that is partnered with the Cyber AB to

[00:12:14] validate that, you know, CMMC, that you have gone through the required practices and tests, that you've been tested by an approved testing organization. You know, we did Edwards

[00:12:27] for me, when I got my CCP, that's where I went through, was with Edwards, and those guys are amazing. But there are other, you know, there are other organizations that can do that,

[00:12:36] but you want to partner with someone that has someone on staff that has gone through that. And I've seen numerous times people are like, oh, you know, I've got my, you know, this certification

[00:12:49] or this other certification that validates that I know risk, and I've got lots of experience, and that's all cool. Maybe even you might have gone through the RP program; that's cool,

[00:13:00] but I would just, me personally, I would not, this is just the gospel according to Bobby here, would not partner with any organization that doesn't have either a CCP or CCA on staff,

[00:13:13] yeah, a full-time employee, just because the level of requirement of what they want to see, knowledge-wise, is just higher, and there's just too much at stake. Yeah, that's just my personal

[00:13:28] opinion. Well, I mean, you've done it, right? So could you imagine doing what you're doing now without going through your CCP training? No. And I have, I've seen and had conversations with some

[00:13:39] good friends that are like, I just don't think it's really needed, the CCP. I'm like, dude, at least get your CCP. And they're like, ah, okay. After they went through, they're like, holy cow, I'm so glad

[00:13:50] I did. I don't know why I was fighting you over this, Bobby. This was a really good decision for me to do this. I feel so much more prepared working my clients through this now that I have

[00:13:58] this certification. I've never heard of anyone that I've ever personally met who has gone through it and been sad that they did. Everybody that goes through it is just like, oh man, this has been a

[00:14:08] massive help. I thought I knew what I knew, and I didn't until I went through it and realized what I didn't know, right? Yeah, no, for sure. I mean, even people that we've had on the podcast have said

[00:14:20] that exact phrasing too. So let's talk about our last question, which is: have you had your offering reviewed by a CCA or a C3PAO? So what do you mean by, let's break this down a little bit,

[00:14:38] your offering? You know, what do you mean by that? Surely it's not the same as a church offering, so let's talk about what that means. Let's pass it around, try to see, we get some

[00:14:48] passing around on tithing time, you know. So, you know, with breaking down this lingo for some people that are listening to this on the other side, let's talk about that. This is probably a tie for the

[00:15:03] first question to this last question; like, both of these you really need to make sure you have an answer for, in my opinion. You're like, well, why did you make it last? I don't know, I did. You

[00:15:13] know, sometimes people say save the best for last. Save the best for last, there, we just, we sandwiched the best. So just pay attention to what I'm about to say.

[00:15:23] Getting CMMC assessed. So let's say you pick an MSP and they get assessed and they pass their assessment. Just because they pass their assessment does not mean the offering they're going to provide to you is going to help you pass your assessment, and does not mean

[00:15:38] that their offering is not going to help you fail your assessment. Okay, I'm going to say that again, just so you kind of pick up what I'm putting down, is that what the MSP is providing to you, if it

[00:15:51] has not passed muster, it does not necessarily mean... A lot of companies have done this with SOC assessments, even sometimes they'll do it with ISOs, where they'll scope their assessment

[00:16:04] to something smaller, and they get assessed, and then they can say they've got it, but then what they're offering may not have been in scope. Does that make sense, what I'm saying? And so that makes

[00:16:18] sense, what you... And even the CMMC assessment, when they come in, the C3PAO that's going to audit that MSP, they're not going to look and go, I think your offering is going to be cool. Like, that's not,

[00:16:30] that's not part of that. Yeah, that's not their job. That's not their job. They're just going to go through to see if you as an organization are ready and safe to receive controlled and classified information, and whether you pass all the controls that are required

[00:16:43] to mandate that, right? They're going to go through and check that. But if they have gone to a CCA or a C3PAO organization and said, hey, look, here's my offering, here's what I'm going to be

[00:16:55] providing to my clients, they can't, the C3PAO can't really give you, like, an assessment score or validate your offering. There isn't really, right now there isn't a mechanism for that to happen,

[00:17:11] but I personally, if I was going to be dealing with an MSP, I would want to say, hey, who did you talk to to validate, like, how you're providing this stuff to me is right, is going to be okay? And

[00:17:23] that has been a big deal for us, is like, we've had numerous discussions with various CCAs, you know, to look at how we are offering what we're offering, how we're doing it. What, you know, we want

[00:17:39] to make sure everything that we're going to be providing is going to be in scope. You want to make sure, when you're partnering with an organization, that they're going to have everything in scope when it's being assessed, that what they're providing is not going to jeopardize

[00:17:52] their assessment journey. So when they go to get CMMC certified, you don't want something they're doing that they shouldn't be to come out in the wash during your assessment. That's going to be a really, really, really bad day. Yes, so it's a very

[00:18:08] important question that you want to ask, is like, who's checked out how you're doing stuff? And yeah, you know, if the MSP has a good relationship with who they've talked with, maybe they'll have a conversation with you so that you feel comfortable, maybe they,

[00:18:24] who knows. But it's a valid question that you want to ask; you want to see that they've been looking, you know, at that really seriously. Does this, and you know, I could be totally wrong about this, but does this have to do with the

[00:18:39] shared responsibility matrix? Yeah, that's all part of it. That's a good point, yeah. One of the things that that organization is going to want to look at is, they're going to look to see, like, okay, they're going to want to see your offering as far as

[00:18:55] what scope you have, how you're doing it, is it valid, and then, like you said, they are going to want to see the matrix that you're providing to the clients: how's this

[00:19:05] division of duty going to work, who's going to be responsible. They're going to want to see that, to kind of have a good idea of what you're offering. Again, this isn't something that could

[00:19:15] be officially assessed right now; that creature doesn't exist, but I think it should. Yeah, I think in all honesty, for the safety and security of organizations that are going to be working

[00:19:27] with MSPs, there should be some process to examine how they're going to be providing that, because you just don't want to find out when it's too late. Yeah, no, that's scary, and that's the reason

[00:19:37] why we need to do this stuff and, you know, try our best to help. Because I guess, like, you're looking at it like there's a Venn diagram, right? And there's your company and there's the MSP, and

[00:19:49] there's going to be overlap, right? And you want to make sure that they have their stuff together so something doesn't hit the fan, if you know what I'm talking about, because that's going to be a

[00:20:04] really bad time for them, but a very, very bad time for you. And please don't hear what I'm not saying: I think by and large our community is great. We've got a lot of just wonderful people in

[00:20:16] the community. It's just the problem that we're running into, in just pure total transparency here, is there's just so many things that aren't defined. There's a lot of good people that I think are

[00:20:27] trying to do the right things, but because they just haven't had everything examined, because they're trying to come to the market quickly, or they just didn't realize that some of the

[00:20:37] things they think are one way versus the way that the market perhaps has changed, or some of the things, the way that the new 32 CFR, you know, proposed rule, to what's coming out now, and, you know,

[00:20:52] some of these organizations haven't really looked at some of those requirements, I think, deep enough about how that proposed rule is going to affect them and the offering that they have. And so

[00:21:02] I don't think it's necessarily someone trying to be, you know, with ill intent; it's just these things can kind of happen. So you just really want to make sure that when you're working

[00:21:13] with an MSP that their solution has been examined at the level of what we know currently about how the rule is going to be. Yeah, well, thank you, Bobby, for being transparent with, you know, your

[00:21:27] opinions on these five questions. But also I hope that many of you have listened to this podcast and hopefully have learned just a little bit of how to prepare yourself and your business for maybe

[00:21:40] searching for this person if you haven't found it, or talking to your MSP personally if you do already have one and you're going through or about to go through this journey of CMMC.

[00:21:54] If you guys have any questions, thoughts, things that you want us to cover, you're welcome to comment right now. You can send us something on LinkedIn, message us on LinkedIn if you'd like. We're

[00:22:07] here for you guys, we're here to help, and so we'd love to hear from you and hear what you guys want to hear from us. So thank you guys again for listening to this podcast, and

[00:22:20] we hope to see you in the next one, but until then, keep on climbing. Bye, guys. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's

[00:22:33] episode, and listen out for the next one, but until then, keep on climbing.