Fresh off the press! Bobby and Adam just completed a gap assessment done by a C3PAO and they want to share what they've learned with all of you. Here are the top 5 things that made their assessment so difficult. We hope you enjoy.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] [SPEAKER_00]: Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:11] [SPEAKER_00]: In today's episode, Bobby and Adam are going to share what they learned from their gap
[00:00:15] [SPEAKER_00]: assessment.
[00:00:16] [SPEAKER_00]: Now they just recently finished their first ever gap assessment for their company and
[00:00:21] [SPEAKER_00]: they're excited to share the hard and the good things about what they learned.
[00:00:25] [SPEAKER_00]: So without further ado, let's get into today's episode.
[00:00:29] [SPEAKER_03]: Well, welcome back Climbers.
[00:00:30] [SPEAKER_03]: We're excited today to talk about why passing a CMMC audit is so hard.
[00:00:36] [SPEAKER_03]: The reason why we're covering this topic, it is fresh on our minds because me and Adam
[00:00:40] [SPEAKER_03]: just went through our gap assessment.
[00:00:43] [SPEAKER_03]: So let me just kind of catch you up to speed on current events of where we're at.
[00:00:47] [SPEAKER_03]: So we as a company went ahead and signed an agreement with a C3PAO.
[00:00:52] [SPEAKER_03]: We picked who it is who's going to do our assessment when they become live because
[00:00:55] [SPEAKER_03]: if you're not on current events, CMMC assessments aren't allowed to happen yet
[00:01:00] [SPEAKER_03]: because at the time of this recording, the 32 CFR rule has not been finalized and gone live.
[00:01:06] [SPEAKER_03]: So how do we know how well we're doing?
[00:01:09] [SPEAKER_03]: We reached out to our C3PAO and said, hey, do a gap assessment of us, assess us and see
[00:01:13] [SPEAKER_03]: how well we're doing in alignment.
[00:01:16] [SPEAKER_03]: So score us just like you would if it was assessment time.
[00:01:19] [SPEAKER_03]: So that's what we decided to do.
[00:01:21] [SPEAKER_03]: And at the end of this, we'll tell you how well we did, but we kind of want to go
[00:01:25] [SPEAKER_03]: through the lessons we've learned.
[00:01:27] [SPEAKER_03]: And I wanted to bring in Adam because he was instrumental in making that happen.
[00:01:31] [SPEAKER_03]: So thank you for joining us, Adam.
[00:01:33] [SPEAKER_01]: Thanks for having me.
[00:01:34] [SPEAKER_01]: And yeah, speaking of fresh in mind, less than seven days ago, we weren't being assessed.
[00:01:41] [SPEAKER_01]: On Friday, we were being assessed.
[00:01:42] [SPEAKER_01]: So as a recording, we finished our assessment on Friday.
[00:01:47] [SPEAKER_01]: We had the weekend.
[00:01:48] [SPEAKER_01]: We debriefed internally yesterday, which was Monday.
[00:01:51] [SPEAKER_01]: And here we are on a Tuesday recording.
[00:01:53] [SPEAKER_03]: We're bringing pretty much hot off the press to everybody.
[00:01:55] [SPEAKER_03]: Yep.
[00:01:56] [SPEAKER_01]: The ink is barely dried.
[00:01:58] [SPEAKER_01]: Actually, we don't even have our big final report yet.
[00:02:00] [SPEAKER_01]: So we do have our score.
[00:02:02] [SPEAKER_01]: So we'll have some fun with that at the end.
[00:02:05] [SPEAKER_03]: But so what I wanted to do is break it down.
[00:02:09] [SPEAKER_03]: People love their five things.
[00:02:10] [SPEAKER_03]: So what we broke it down is five things that make this process so hard.
[00:02:15] [SPEAKER_03]: And we wanted to bring it down in a more bite-sizable, consumable fashion
[00:02:19] [SPEAKER_03]: to help raise awareness about the difficulty of trying to go for your assessment.
[00:02:25] [SPEAKER_03]: And you really should kind of set your tray to the full upright and seat up to the full upright
[00:02:30] [SPEAKER_03]: position, really listen to these things that we're going to be talking about.
[00:02:33] [SPEAKER_03]: Because if you don't, they could really sneak up and get you for your assessment.
[00:02:39] [SPEAKER_01]: Yeah.
[00:02:39] [SPEAKER_01]: I just know as we were going into our own assessment ourselves, we were trying to set
[00:02:42] [SPEAKER_01]: our expectations internally.
[00:02:44] [SPEAKER_01]: And what we wanted to, we were sitting there going, yeah,
[00:02:46] [SPEAKER_01]: we think everything's great.
[00:02:47] [SPEAKER_01]: We're going to get a great perfect 110 and everything.
[00:02:50] [SPEAKER_01]: I'm over here going, Bobby, hold on a minute.
[00:02:52] [SPEAKER_01]: We've got some controls out here that are weighted heavily.
[00:02:56] [SPEAKER_01]: We could fail this thing.
[00:02:58] [SPEAKER_01]: Yeah.
[00:02:59] [SPEAKER_01]: There's a lot we don't know here.
[00:03:01] [SPEAKER_01]: But the way they weight these controls is really interesting.
[00:03:03] [SPEAKER_01]: Do you want to talk about that a little bit from your side?
[00:03:05] [SPEAKER_03]: So that brings us to our first point, which is the scoring system for the assessment.
[00:03:09] [SPEAKER_03]: It is very unique.
[00:03:10] [SPEAKER_03]: It is not like any test that I can think of.
[00:03:13] [SPEAKER_03]: I don't know about you, Adam.
[00:03:14] [SPEAKER_03]: Are you aware of any test or scoring system that operates this way?
[00:03:17] [SPEAKER_03]: I'm not really familiar with any.
[00:03:19] [SPEAKER_01]: No.
[00:03:19] [SPEAKER_01]: The closest thing I could think of is the scoring methodology for the CISSP exam
[00:03:24] [SPEAKER_01]: and some of those weighted procedural exams like that,
[00:03:27] [SPEAKER_01]: where they just keep giving you question after question,
[00:03:29] [SPEAKER_01]: you get a point where you fail and then the test ends.
[00:03:33] [SPEAKER_01]: But they don't have one where question two is worth more points
[00:03:37] [SPEAKER_01]: than question three versus question four.
[00:03:39] [SPEAKER_01]: Yeah.
[00:03:40] [SPEAKER_01]: You know, it's a little interesting and different.
[00:03:42] [SPEAKER_03]: Yeah.
[00:03:43] [SPEAKER_03]: I've taken some Microsoft courses that are classes and tests
[00:03:46] [SPEAKER_03]: that have a weighted process and how they do it.
[00:03:49] [SPEAKER_03]: And they actually have it broken out into different sections.
[00:03:51] [SPEAKER_03]: And it was kind of interesting, but the way that the CMMC audit works
[00:03:54] [SPEAKER_03]: and the way that they do the scoring system for whether or not you pass
[00:03:57] [SPEAKER_03]: is unique from the perspective of there's 110 controls.
[00:04:02] [SPEAKER_03]: So think of them as test questions, 110 of them.
[00:04:05] [SPEAKER_03]: And the way that they work is if you pass it, it's a point,
[00:04:09] [SPEAKER_03]: one point, a single point.
[00:04:11] [SPEAKER_03]: If you fail it, that same question could have a negative
[00:04:15] [SPEAKER_03]: different point.
[00:04:17] [SPEAKER_03]: So it could either be a negative one point, it could be a negative three points,
[00:04:22] [SPEAKER_03]: or it could be a negative five points.
[00:04:25] [SPEAKER_03]: So the maximum amount of negative points you could get on your test.
[00:04:29] [SPEAKER_03]: So zero is not the end.
[00:04:32] [SPEAKER_03]: It's not the basement.
[00:04:33] [SPEAKER_03]: It's actually a negative 308, I think something along those lines
[00:04:37] [SPEAKER_03]: is the maximum negative score you could get.
[00:04:40] [SPEAKER_03]: So you could fail every control and you would get well below 110.
[00:04:47] [SPEAKER_03]: So that's the way that that works.
[00:04:50] [SPEAKER_03]: But wait, there's more.
[00:04:52] [SPEAKER_03]: So the other additional way that they work that is if you fail any
[00:04:58] [SPEAKER_03]: of the five point questions, the three point questions,
[00:05:02] [SPEAKER_03]: it's immediate fail of the test.
[00:05:05] [SPEAKER_03]: So they break those questions down into the one pointer,
[00:05:07] [SPEAKER_03]: the three pointer, the five pointers.
[00:05:08] [SPEAKER_03]: And if you fail any of the three or the five pointers, it's an immediate fail.
[00:05:13] [SPEAKER_03]: They won't stop your assessment.
[00:05:15] [SPEAKER_03]: They'll continue it forward and most of the time.
[00:05:19] [SPEAKER_03]: And so you'll get a good feel of where you're at.
[00:05:22] [SPEAKER_03]: But in theory, you could just straight fail one of those controls and boom,
[00:05:28] [SPEAKER_03]: you're done, they got you.
[00:05:30] [SPEAKER_01]: And it's a little, it can definitely be frustrating from the MSP perspective
[00:05:35] [SPEAKER_01]: because there's so much nuance to it,
[00:05:38] [SPEAKER_01]: especially when you drill in, as you mentioned, there's 110 controls,
[00:05:40] [SPEAKER_01]: but those 320 assessment objectives, there's a lot there.
[00:05:44] [SPEAKER_01]: And it's so very complex to try to weave everything together to tell that story.
[00:05:50] [SPEAKER_01]: But I get where they're trying to do from it.
[00:05:52] [SPEAKER_01]: They're trying to manage their risks around it.
[00:05:53] [SPEAKER_01]: They want to make sure they're able to maintain that confidentiality of CUI.
[00:05:57] [SPEAKER_01]: But it's a challenge.
[00:06:00] [SPEAKER_03]: And we didn't even really get into 320.
[00:06:03] [SPEAKER_03]: So kind of what Adam's talking about is in every control,
[00:06:05] [SPEAKER_03]: there's sub, they're called assessment objectives or determination statements.
[00:06:12] [SPEAKER_03]: But they're basically that, let's just say we're using 3.1.1, right?
[00:06:18] [SPEAKER_03]: That one control is going to have three or four various sub requirements
[00:06:23] [SPEAKER_03]: that you have to get those right as well.
[00:06:25] [SPEAKER_03]: So when the auditor is assessing you,
[00:06:28] [SPEAKER_03]: they're actually looking at all 320 assessment objectives
[00:06:32] [SPEAKER_03]: and they're making sure they're all marked off individually.
[00:06:35] [SPEAKER_03]: They're going, boom, boom, boom.
[00:06:37] [SPEAKER_03]: So you could fail one assessment objective of 3.1.1 and that 3.1.1 is a fail.
[00:06:42] [SPEAKER_03]: Doesn't matter that you got most of them.
[00:06:44] [SPEAKER_03]: It's like, and if that's then here's the bad part is it cascades, right?
[00:06:48] [SPEAKER_03]: So if you fail one of the assessment objectives,
[00:06:50] [SPEAKER_03]: then you fail that control.
[00:06:51] [SPEAKER_03]: If that control's a three pointer, you failed the assessment.
[00:06:54] [SPEAKER_03]: Boom. That quickly is how that can kind of play out, which is pretty dangerous.
[00:06:58] [SPEAKER_03]: Now you might think to yourself, well, how many,
[00:07:00] [SPEAKER_03]: what is the percentage of those that are three pointers and five pointers
[00:07:04] [SPEAKER_03]: versus the one pointers, which you can fail and based on your score,
[00:07:10] [SPEAKER_03]: you can try to correct it over, I think it's 120 days
[00:07:14] [SPEAKER_03]: and you can set up a POA&M or a plan of action and milestones.
[00:07:18] [SPEAKER_03]: It's over 60% of those controls are three or five points.
[00:07:24] [SPEAKER_01]: Yeah. Not a small amount.
[00:07:27] [SPEAKER_01]: But wait, there's a fun one.
[00:07:29] [SPEAKER_01]: And I think this is the good one to kind of,
[00:07:32] [SPEAKER_01]: we think through like the scoring system and everything.
[00:07:35] [SPEAKER_01]: There is the control that's essentially your big, if you don't have this,
[00:07:39] [SPEAKER_01]: it's just game over before you even get you started moving.
[00:07:43] [SPEAKER_01]: And that's the control of my brain as much with all the numbers
[00:07:45] [SPEAKER_01]: because we've been going through our all controls recently.
[00:07:48] [SPEAKER_01]: But it's the control about having your system security plan.
[00:07:51] [SPEAKER_01]: If an assessor finds that you don't have a good system security plan
[00:07:55] [SPEAKER_01]: or you just think that you can somehow go through this without having one,
[00:07:57] [SPEAKER_01]: which I don't know why anyone would, but I'm sure someone has.
[00:08:02] [SPEAKER_01]: That's an immediate, just you're done.
[00:08:03] [SPEAKER_01]: You didn't pass.
[00:08:05] [SPEAKER_03]: They probably wouldn't let you get past the first phase of your,
[00:08:09] [SPEAKER_03]: if you reach out to your C3PAO to get assessed,
[00:08:13] [SPEAKER_03]: hopefully they would catch that your SSP is not really there in a good state.
[00:08:17] [SPEAKER_01]: Right. Because the system security plan is exactly as it sounds.
[00:08:20] [SPEAKER_01]: You're describing the security of the system that you have in place.
[00:08:24] [SPEAKER_01]: You're documenting out the system, all its sub components, the protections.
[00:08:28] [SPEAKER_01]: You get into all 110 controls and all assessment objectives
[00:08:30] [SPEAKER_01]: that describe your implementation via policy, technical procedures, etc.
[00:08:34] [SPEAKER_01]: And then supplemental information.
[00:08:36] [SPEAKER_01]: Our SSP came out to like what, 180 pages of documentation?
[00:08:40] [SPEAKER_01]: It was not a small document.
[00:08:41] [SPEAKER_03]: No, not at all.
[00:08:42] [SPEAKER_03]: And that makes it really difficult and it puts a lot of pressure on us
[00:08:45] [SPEAKER_03]: to be more prepared to have all of the discussions.
[00:08:48] [SPEAKER_03]: You know, just imagine being prepared to have a conversation about
[00:08:55] [SPEAKER_03]: the Star Wars universe.
[00:08:57] [SPEAKER_03]: Right, Adam, you could do that.
[00:08:59] [SPEAKER_03]: I'm prepared.
[00:08:59] [SPEAKER_03]: Very prepared, but I maybe not so much.
[00:09:02] [SPEAKER_03]: And your SSP is kind of your universe and you have to really understand it
[00:09:05] [SPEAKER_03]: to a high level because you don't know where they're going to poke.
[00:09:09] [SPEAKER_03]: And so you've got to be able to speak intelligently wherever they decide to go
[00:09:13] [SPEAKER_03]: as they're going through and digging deeper in some of those aspects.
[00:09:16] [SPEAKER_03]: Now they should be following the breadcrumbs of the assessment methodology
[00:09:22] [SPEAKER_03]: as well as the actual controls to go through them.
[00:09:25] [SPEAKER_03]: So there should be some standardization there.
[00:09:27] [SPEAKER_03]: But I mean, everybody's different.
[00:09:31] [SPEAKER_03]: They're all unique in how they operate.
[00:09:34] [SPEAKER_03]: But I would say this is the number one challenge with your CMMC assessment
[00:09:38] [SPEAKER_03]: is the severity and how it's almost all in most of those questions.
[00:09:45] [SPEAKER_03]: And it raises the bar for you to be ready because if all of it was just a pure percentage score,
[00:09:52] [SPEAKER_03]: you know, you're like, okay, well, if I got one or two of them wrong,
[00:09:55] [SPEAKER_03]: we could POA&M it, it will be fine.
[00:09:57] [SPEAKER_03]: Like, you know, we're going to really lock things down and be very,
[00:09:59] [SPEAKER_03]: you know, very detail oriented, but we're human.
[00:10:02] [SPEAKER_03]: We can make some mistakes, but, you know, at least we have some margin for error.
[00:10:07] [SPEAKER_03]: And with the fact that 60% of the questions are just straight failed,
[00:10:11] [SPEAKER_03]: they just threw that out.
[00:10:12] [SPEAKER_03]: You don't have that capability really with that percentage of those being a straight fail.
[00:10:17] [SPEAKER_03]: So it just makes it that much harder for you to, I mean,
[00:10:21] [SPEAKER_03]: you've got to spend a lot more time making sure someone's ready before we
[00:10:24] [SPEAKER_03]: try to ascend that hill because you don't want to fail that one control and then boom.
[00:10:30] [SPEAKER_01]: Yeah, and I think that segues really well into just the assessor question.
[00:10:36] [SPEAKER_01]: We've been privileged to work with some some brilliant assessors as our consultants.
[00:10:41] [SPEAKER_01]: And those people have to be independent from the assessor we actually have chosen.
[00:10:45] [SPEAKER_01]: But in going through those and asking questions, we've got some interesting results.
[00:10:49] [SPEAKER_01]: Bobby, do you want to speak to that a little bit?
[00:10:51] [SPEAKER_03]: Yeah. And so we kind of call it the human factor.
[00:10:54] [SPEAKER_03]: That would be our number two on this is the human factor.
[00:10:57] [SPEAKER_03]: And it's very similar.
[00:10:59] [SPEAKER_03]: And I did a post about this and I kind of equated it to like the Olympics
[00:11:04] [SPEAKER_03]: because that's fresh in our mind.
[00:11:05] [SPEAKER_03]: The Olympics just finished up and you can watch a floor routine, right?
[00:11:09] [SPEAKER_03]: And there'll be eight or 10 judges and one will be like, that's a 9.5.
[00:11:14] [SPEAKER_03]: And another person's like, that's a five.
[00:11:17] [SPEAKER_03]: And you're like, they literally watched the same routine.
[00:11:20] [SPEAKER_03]: Right.
[00:11:20] [SPEAKER_03]: They had the same requirements and somehow they marked it that much different.
[00:11:25] [SPEAKER_03]: So I think when you take in that human factor, that is going to happen.
[00:11:29] [SPEAKER_03]: It is absolutely going to be happening.
[00:11:31] [SPEAKER_03]: We've had numerous conversations with CMMC assessors
[00:11:35] [SPEAKER_03]: and they can have a variance in opinion on what would be considered met and not met.
[00:11:40] [SPEAKER_03]: And then when you add on the difficulty of the way the scoring system is set up,
[00:11:44] [SPEAKER_03]: that human factor can really get you.
[00:11:47] [SPEAKER_01]: Yeah.
[00:11:47] [SPEAKER_01]: Because there's been things just working with our consultants where you and I have gone back
[00:11:52] [SPEAKER_01]: and forth about that.
[00:11:52] [SPEAKER_01]: And we've had that dance where we've probably spent hours doing it.
[00:11:56] [SPEAKER_01]: We finally reached a solution that we think is a good one.
[00:11:59] [SPEAKER_01]: We mentioned it to our consultant who's an assessor and he goes, absolutely,
[00:12:04] [SPEAKER_01]: they have not.
[00:12:05] [SPEAKER_01]: Are you guys crazy?
[00:12:06] [SPEAKER_01]: This doesn't solve anything.
[00:12:07] [SPEAKER_01]: This is no, don't do this.
[00:12:09] [SPEAKER_01]: And we're over here like, what?
[00:12:13] [SPEAKER_01]: But then we've told the same story to it.
[00:12:15] [SPEAKER_03]: So frustrating when that happens.
[00:12:17] [SPEAKER_03]: You've got to check yourself.
[00:12:18] [SPEAKER_03]: You've got to check your ego and you'll be like, okay,
[00:12:21] [SPEAKER_03]: let me understand where they're coming from because we've got a sacred duty right, Adam?
[00:12:25] [SPEAKER_03]: Like it's not about us blazing the trail and pushing our clients along,
[00:12:29] [SPEAKER_03]: showing everybody that this is the right way to do it.
[00:12:31] [SPEAKER_03]: We have to make sure they pass.
[00:12:34] [SPEAKER_03]: We've got to help them get through the finish line and we can't put them in a
[00:12:38] [SPEAKER_03]: space that's risky, right?
[00:12:40] [SPEAKER_01]: Right.
[00:12:41] [SPEAKER_01]: When we've gone through our process, we've certainly found a few things where we're like,
[00:12:44] [SPEAKER_01]: this could be risky.
[00:12:46] [SPEAKER_01]: We might be rolling the die a little bit on these certain controls here.
[00:12:50] [SPEAKER_01]: We feel that we've built a very defensible argument for ourselves and we're ready.
[00:12:54] [SPEAKER_01]: And if an assessor doesn't agree with us to be able to say, hold on,
[00:12:57] [SPEAKER_01]: we're going to challenge you on this control.
[00:12:59] [SPEAKER_01]: We're going to fight this one.
[00:13:00] [SPEAKER_01]: But we had to be very careful on that one because, you know,
[00:13:03] [SPEAKER_01]: we don't want to be arguing with our assessor the entire time.
[00:13:06] [SPEAKER_01]: We want to make sure that if we are going to pick a fight,
[00:13:08] [SPEAKER_01]: it's going to be for something that we feel very strongly about,
[00:13:11] [SPEAKER_01]: that we're prepared and we've got all the evidence for.
[00:13:13] [SPEAKER_01]: Which again, if we're already prepared to do that,
[00:13:16] [SPEAKER_01]: we should have already satisfied that control to begin with.
[00:13:18] [SPEAKER_01]: You know, you don't want to have to build a mountain of evidence to argue a weird
[00:13:21] [SPEAKER_01]: scenario there and trying to get cute with the control.
[00:13:25] [SPEAKER_01]: But it's complex.
[00:13:28] [SPEAKER_01]: And in our process of going through doing things,
[00:13:30] [SPEAKER_01]: we prepared to fight for every single control because we were just that
[00:13:34] [SPEAKER_01]: confident in our implementations.
[00:13:36] [SPEAKER_01]: But still, every once in a while when we would have those conversations with
[00:13:39] [SPEAKER_01]: our consultants, we would come back with a, I wouldn't score you as met for this one.
[00:13:43] [SPEAKER_01]: And we're like, even with this mountain of evidence, and they're like, no, no, no.
[00:13:47] [SPEAKER_01]: Like there's this and this and this.
[00:13:49] [SPEAKER_01]: We're like, yep, we got out.
[00:13:51] [SPEAKER_01]: We had our slice of humble pie and we had to sit down, shut up,
[00:13:54] [SPEAKER_01]: have a slice of pie and get back to work.
[00:13:57] [SPEAKER_03]: Well, what that also implies is us as a managed service provider,
[00:14:01] [SPEAKER_03]: we have to be involved in the ecosystem and start to understand
[00:14:04] [SPEAKER_03]: where a lot of these assessors are landing in some of those more battle ground.
[00:14:10] [SPEAKER_03]: Controls, like there's certain controls that assessors have a general disagreement on.
[00:14:16] [SPEAKER_03]: I'm not going to go through and list them and try to stir up some things about it,
[00:14:20] [SPEAKER_03]: but just suffice it to say it exists and it happens.
[00:14:23] [SPEAKER_01]: So what does that mean?
[00:14:24] [SPEAKER_01]: This podcast is not going to be about FIPS 140-2 validated cryptography anymore?
[00:14:28] [SPEAKER_03]: Nope.
[00:14:28] [SPEAKER_03]: We're not going to talk about that or separation of duties
[00:14:30] [SPEAKER_03]: and how you might or might not be able to do that
[00:14:32] [SPEAKER_03]: or do that at the right way or not the right way.
[00:14:34] [SPEAKER_03]: There's just lots of different ways that assessors,
[00:14:37] [SPEAKER_03]: and I've seen some assessors just take some weird approaches on things that I'm like,
[00:14:41] [SPEAKER_03]: I don't quite, where did that come from?
[00:14:44] [SPEAKER_03]: And so what does that mean?
[00:14:46] [SPEAKER_03]: That means that we as a provider for our clients have to get into the ecosystem
[00:14:51] [SPEAKER_03]: and understand where these different C3PAOs are coming from
[00:14:54] [SPEAKER_03]: and where these assessors are, because not all C3PAOs are going to look at things the same way.
[00:14:58] [SPEAKER_03]: And what you don't want to do is you don't want to help steer your client
[00:15:03] [SPEAKER_03]: when they're doing the floor routine and they get a five when they should get a nine.
[00:15:06] [SPEAKER_03]: And that is a very, very bad day.
[00:15:08] [SPEAKER_03]: It's something that not a lot of people want to talk about,
[00:15:11] [SPEAKER_03]: but that is absolutely the reality.
[00:15:13] [SPEAKER_03]: And you have to have a partnership with somebody who has the space, understands and knows
[00:15:18] [SPEAKER_03]: that if you talk with these three or four C3PAOs,
[00:15:22] [SPEAKER_03]: the way that their approach is,
[00:15:23] [SPEAKER_03]: is the way that you guys are operating is should go well.
[00:15:28] [SPEAKER_03]: If everybody's doing what they're supposed to,
[00:15:30] [SPEAKER_03]: it should play out the way that it should as far as you're getting a 110.
[00:15:32] [SPEAKER_03]: And you've got to have those conversations with those C3PAOs to know that in advance
[00:15:37] [SPEAKER_03]: because you don't want to find out that their approach on something is kind of wonky
[00:15:40] [SPEAKER_03]: based on your assessment live happening at that moment.
[00:15:44] [SPEAKER_01]: Right. Yeah, it's definitely just the breadth of differences we've seen across our
[00:15:51] [SPEAKER_01]: consultant base compared to our assessor is very interesting.
[00:15:55] [SPEAKER_01]: There's definitely the hard line conservative approach that read through
[00:15:58] [SPEAKER_01]: and look for a very literal implementation of the control.
[00:16:01] [SPEAKER_01]: Others that will go through and say,
[00:16:03] [SPEAKER_01]: I see what you're trying to do here.
[00:16:05] [SPEAKER_01]: I understand the spirit of the control and how you're satisfying it.
[00:16:09] [SPEAKER_01]: It's really a mixed bag.
[00:16:10] [SPEAKER_01]: And then we've even seen some people out there and heard some stories and everything
[00:16:13] [SPEAKER_01]: of assessors that'll go and say your documentation dates,
[00:16:18] [SPEAKER_01]: your document, the dates in your documentations aren't updated to reality.
[00:16:22] [SPEAKER_01]: I can't mark this control as met.
[00:16:24] [SPEAKER_01]: Do you feel?
[00:16:26] [SPEAKER_03]: Yeah, they can.
[00:16:26] [SPEAKER_03]: And that's scary because that's a lot of money to possibly go through and reassess.
[00:16:34] [SPEAKER_03]: And so I think this comes back to also having a good relationship with your C3PAO.
[00:16:38] [SPEAKER_03]: You should really talk with them to say, hey, if we get just a stupid silly mistake on a control
[00:16:45] [SPEAKER_03]: and we have to go back to you to reassess again, what does that look like?
[00:16:49] [SPEAKER_03]: What's our cost?
[00:16:49] [SPEAKER_03]: What's our liability there?
[00:16:51] [SPEAKER_03]: You do want to have that conversation with your C3PAO because it is
[00:16:55] [SPEAKER_03]: because everybody plans and hopes for that not to happen.
[00:16:58] [SPEAKER_03]: You really should plan on trying to understand that because if you think about the scoring system,
[00:17:01] [SPEAKER_03]: how difficult it is, you plan on the human factor, both the people preparing as well as
[00:17:06] [SPEAKER_03]: the people doing this assessment.
[00:17:07] [SPEAKER_03]: The odds are stacked against you in getting a perfect 110.
[00:17:10] [SPEAKER_03]: So you really need to understand that risk and be prepared that if it doesn't go the way you
[00:17:15] [SPEAKER_03]: are that you can try to turn things around very quickly and then get right to that 110
[00:17:20] [SPEAKER_03]: that you need so you can go ahead and get on to doing your business the way that you need to do it.
[00:17:25] [SPEAKER_01]: Yep, absolutely.
[00:17:26] [SPEAKER_01]: Well said.
[00:17:27] [SPEAKER_01]: So I think that segue is fairly well into and the kind of one of our next points that we want to
[00:17:30] [SPEAKER_01]: get into is just that learning curve of stuff.
[00:17:34] [SPEAKER_01]: When we look over those controls, we know they're weighted differently.
[00:17:38] [SPEAKER_01]: We know assessors may interpret them differently.
[00:17:40] [SPEAKER_01]: But the controls themselves don't really do us many favors.
[00:17:45] [SPEAKER_01]: You know, I said we're doing the FIPS Hour podcast now.
[00:17:47] [SPEAKER_01]: So you know, the use of FIPS Validated Cryptography.
[00:17:51] [SPEAKER_01]: What does that even mean?
[00:17:54] [SPEAKER_01]: And then you have to drill through and read into it.
[00:17:56] [SPEAKER_01]: So like, do you want to talk a little bit about the learning curve?
[00:17:58] [SPEAKER_01]: Because especially with our journey here, Axiom's journey with CMMC started years
[00:18:03] [SPEAKER_01]: before I showed up.
[00:18:04] [SPEAKER_01]: I'm still technically the new guy here.
[00:18:06] [SPEAKER_03]: Well, yeah.
[00:18:08] [SPEAKER_03]: Yeah, I would say number three is easily like knowing and understanding the environment
[00:18:15] [SPEAKER_03]: and the ecosystem you're stepping into that goes down to being certified.
[00:18:19] [SPEAKER_03]: I'm very passionate about whoever you're working with needs to at least have somebody
[00:18:23] [SPEAKER_03]: as a CCP certified or a CCA because you want to have a good,
[00:18:29] [SPEAKER_03]: you want to have a good understanding when you're trying to tackle these controls and
[00:18:32] [SPEAKER_03]: implement them.
[00:18:33] [SPEAKER_03]: Just understanding what the controls trying to accomplish doesn't mean that you really,
[00:18:39] [SPEAKER_03]: truly understand.
[00:18:40] [SPEAKER_03]: I understand how my phone in general works, but I couldn't build one.
[00:18:45] [SPEAKER_03]: Right.
[00:18:45] [SPEAKER_03]: I understand how my car runs in general, but I couldn't build one.
[00:18:50] [SPEAKER_03]: And if you're going to step into space and help clients go, you not only need to understand it,
[00:18:55] [SPEAKER_03]: but you need to be able to build it.
[00:18:56] [SPEAKER_03]: And that is a completely different level of understanding.
[00:19:00] [SPEAKER_03]: And you can't assume anything in that.
[00:19:02] [SPEAKER_03]: So that knowledge is so critical in that journey.
[00:19:07] [SPEAKER_03]: We have been on this journey for about three years.
[00:19:10] [SPEAKER_03]: I would say two and a half was me learning how not to do stuff.
[00:19:15] [SPEAKER_03]: When you came on and we tried to do a little bit of a moving where I had taken us forward,
[00:19:22] [SPEAKER_03]: what did we end up doing, Adam?
[00:19:24] [SPEAKER_01]: We took everything and put it in the trash.
[00:19:26] [SPEAKER_03]: We threw it out.
[00:19:29] [SPEAKER_03]: And I've said this before, you aren't really doing CMMC right if your trash bin is not full.
[00:19:37] [SPEAKER_01]: Yeah.
[00:19:38] [SPEAKER_01]: It's CMMC is really trying to push that concept forward of iterative development.
[00:19:43] [SPEAKER_01]: And even in my own journey doing informal gap evaluations,
[00:19:49] [SPEAKER_01]: trying to build up and just lay a basic foundation for CMMC for an organization,
[00:19:54] [SPEAKER_01]: just the bare basics.
[00:19:56] [SPEAKER_01]: Even in my own history, I've gone through so many iterative versions of my own documentation,
[00:20:01] [SPEAKER_01]: my own strategies for it.
[00:20:02] [SPEAKER_01]: As I've learned and grown and added more knowledge to that pile,
[00:20:06] [SPEAKER_01]: things have changed.
[00:20:09] [SPEAKER_01]: It's just that constant evolution.
[00:20:12] [SPEAKER_01]: And that makes it fairly difficult to begin with.
[00:20:15] [SPEAKER_01]: But then, again, you go back to those controls and they are very vague in some places.
[00:20:22] [SPEAKER_01]: We'll also be very specific in other places.
[00:20:24] [SPEAKER_03]: Right.
[00:20:25] [SPEAKER_03]: So in what I mean by your bin being full is like just like you're talking about,
[00:20:29] [SPEAKER_03]: you've got to have those iterations where you're throwing stuff out,
[00:20:32] [SPEAKER_03]: you're changing stuff, you're doing that.
[00:20:34] [SPEAKER_03]: Because if you just sit there and nail it right off the break, you're like, we've got it.
[00:20:38] [SPEAKER_03]: Like there's no way you've got it right off the first swing unless you're just,
[00:20:42] [SPEAKER_03]: I mean, your level of understanding of the CMMC ecosystem.
[00:20:47] [SPEAKER_03]: But that's my point is like you would have to be in that ecosystem for a good period of time to know.
[00:20:52] [SPEAKER_03]: And that's why we threw so much out and evolved and went through and changed.
[00:20:56] [SPEAKER_03]: And then when you came on, we're like, we got to start over from scratch.
[00:20:59] [SPEAKER_03]: And then we built it in like what, eight months?
[00:21:02] [SPEAKER_03]: Seven months?
[00:21:02] [SPEAKER_03]: Yeah.
[00:21:02] [SPEAKER_03]: Something like that.
[00:21:03] [SPEAKER_01]: Yeah, went from starting over to...
[00:21:05] [SPEAKER_03]: That fast because we had already had all of that knowledge.
[00:21:10] [SPEAKER_01]: And we still learned a lot along the way.
[00:21:13] [SPEAKER_01]: And even to that overall point is, so we started about eight months ago,
[00:21:18] [SPEAKER_01]: we threw everything out, we started fresh, started rebuilding.
[00:21:21] [SPEAKER_01]: We went through our assessment last week and the first thing we did Monday morning
[00:21:24] [SPEAKER_01]: was sit down and start saying, okay, where do we evolve it from here?
[00:21:28] [SPEAKER_03]: Yeah.
[00:21:28] [SPEAKER_03]: It came out with some great ideas.
[00:21:29] [SPEAKER_03]: I mean, evolving it even better to make the assessment process that much smoother.
[00:21:34] [SPEAKER_03]: Because to me, the way that I feel is your assessment is like the five yard line.
[00:21:39] [SPEAKER_03]: Right?
[00:21:39] [SPEAKER_03]: It's the red zone of football.
[00:21:42] [SPEAKER_03]: You're trying to get that football in the end zone.
[00:21:45] [SPEAKER_03]: And you could literally fumble on the one yard line and they take it back for another
[00:21:49] [SPEAKER_03]: score and it is a bad day.
[00:21:50] [SPEAKER_03]: And so you've got to be very, very, very prepared for that.
[00:21:54] [SPEAKER_03]: So that when that assessment process plays out,
[00:21:56] [SPEAKER_03]: that it is favorable the way that you need it to be.
[00:22:00] Yeah.
[00:22:02] [SPEAKER_03]: And now I think this takes us into the next part is one of the things that we struggle with so much
[00:22:07] [SPEAKER_03]: is the scoping and design of our ecosystem to be assessed.
[00:22:14] [SPEAKER_03]: We looked at how we wanted to build our ecosystem.
[00:22:17] [SPEAKER_03]: We looked at not just how we needed to pass, but we wanted to include our architecture
[00:22:23] [SPEAKER_03]: and our assessment.
[00:22:24] [SPEAKER_03]: And that architecture is what we use to support our clients.
[00:22:27] [SPEAKER_03]: So we didn't want to have this little back door slash small broom closet be assessed
[00:22:36] [SPEAKER_03]: that we don't use, right?
[00:22:38] [SPEAKER_03]: That is just this little thing over here.
[00:22:40] [SPEAKER_03]: And then we get our certification and you see people do that with SOC and other
[00:22:44] [SPEAKER_03]: types of things where they go have a little part of their thing be assessed.
[00:22:47] [SPEAKER_03]: And then they can say they got a certification.
[00:22:50] [SPEAKER_03]: That's not what we did.
[00:22:51] [SPEAKER_03]: We built a system that we were going to live in and work in and use to support our clients
[00:22:56] [SPEAKER_03]: so that when our clients get assessed, they could leverage the fact that we are living
[00:23:01] [SPEAKER_03]: and using it.
[00:23:02] [SPEAKER_03]: And that is how we're connecting to them.
[00:23:04] [SPEAKER_03]: That is how we're supporting them.
[00:23:05] [SPEAKER_03]: But the number four on this list is the tools, the lack of tools.
[00:23:10] [SPEAKER_03]: It's just there just isn't very many that are compliant that we can use, right, Adam?
[00:23:17] [SPEAKER_01]: Right.
[00:23:17] [SPEAKER_01]: You know, I've talked before is you know, I've gone to plenty of conferences over the years.
[00:23:22] [SPEAKER_01]: And you know, one of the places that I spend a decent amount of time is usually the
[00:23:25] [SPEAKER_01]: vendor hall and there's tons of awesome vendors out there.
[00:23:29] [SPEAKER_01]: Now, of those vendors, how many of them can actually do CMMC or how many of them
[00:23:33] [SPEAKER_01]: say they can do CMMC?
[00:23:35] [SPEAKER_01]: Maybe five.
[00:23:36] [SPEAKER_01]: How many of them that say they can do it right?
[00:23:40] [SPEAKER_01]: Maybe you're lucky if you find one and it's the same one that shows up at every event.
[00:23:44] [SPEAKER_01]: There just isn't the tools out there.
[00:23:46] [SPEAKER_01]: When you look at those requirements out there.
[00:23:48] [SPEAKER_01]: Now, we're starting to see some more movement in the space.
[00:23:51] [SPEAKER_01]: I think one of our big companies, Kaseya, not one of our big companies that we use,
[00:23:55] [SPEAKER_01]: one of the big companies in the space, Kaseya has said that they're going to
[00:23:57] [SPEAKER_01]: make some commitments to CMMC.
[00:23:59] [SPEAKER_01]: I think two weeks ago, ConnectWise followed suit and said they're going down
[00:24:03] [SPEAKER_01]: and more vendors are coming up, coming to the table saying,
[00:24:06] [SPEAKER_01]: Hey, we're going to go that route.
[00:24:07] [SPEAKER_01]: So I really hope this statement ends up being the one that doesn't age well.
[00:24:12] Right.
[00:24:12] [SPEAKER_01]: But as of recording in August of 2024, it's pretty slim pickings in terms of tool sets
[00:24:18] [SPEAKER_01]: that we can bring to the table.
[00:24:20] [SPEAKER_03]: Yeah.
[00:24:22] [SPEAKER_03]: You kind of leave your machine shop with your CNC and all your cool stuff,
[00:24:26] [SPEAKER_03]: and then you sort of go to this other shop that's got like chisels and
[00:24:30] [SPEAKER_03]: you're going back a little bit to the stone age of how you're trying to do stuff
[00:24:33] [SPEAKER_03]: because there just isn't much participation in the ecosystem from the vendors.
[00:24:37] [SPEAKER_03]: Now, you can bring them in.
[00:24:38] [SPEAKER_03]: You can try to use them, but a good assessor is going to fail you on those
[00:24:42] [SPEAKER_03]: because those controls are going to require a certain level of compliance and guarantee.
[00:24:49] [SPEAKER_03]: And many of those vendors just aren't used to how to handle that,
[00:24:53] [SPEAKER_03]: how to justify that, how to provide that evidence to be able to back up the claims
[00:24:56] [SPEAKER_03]: that they say, because when you're doing in a commercial environment,
[00:24:59] [SPEAKER_03]: it's a lot easier to get away with that.
[00:25:02] [SPEAKER_03]: But when you're doing an assessed compliant,
[00:25:04] [SPEAKER_03]: you've got to be able to have a document that has been reviewed by that
[00:25:08] [SPEAKER_03]: organization's legal department that says, this is how that vendor does stuff
[00:25:11] [SPEAKER_03]: and we're going to stand behind it.
[00:25:13] [SPEAKER_03]: And this is how it is.
[00:25:14] [SPEAKER_03]: And just what we find is, right, Adam, not a lot of vendors want to do that.
[00:25:17] [SPEAKER_03]: They don't want to get to that level of commitment because
[00:25:21] [SPEAKER_03]: their product is evolving and they don't feel very comfortable being that risk
[00:25:28] [SPEAKER_03]: into that step of risk of sharing that much information.
[00:25:30] [SPEAKER_03]: So they just don't.
[00:25:32] [SPEAKER_01]: Yep, there's a bit of that.
[00:25:33] [SPEAKER_01]: Also, we've talked before, none of the C's in CMMC stands for cheap.
[00:25:37] [SPEAKER_01]: That applies to our vendors just the same as it does for us.
[00:25:41] [SPEAKER_01]: None of this is easy as well.
[00:25:43] [SPEAKER_01]: And they've got to do their own cost benefit of if we pivot to support CMMC,
[00:25:47] [SPEAKER_01]: will it be worth it?
[00:25:49] Yeah.
[00:25:50] [SPEAKER_01]: But there's still other pitfalls to fall behind.
[00:25:52] [SPEAKER_01]: And I think, again, we're having the FIPS hour here because he started it.
[00:25:57] [SPEAKER_01]: We look at just controls like, again,
[00:25:58] [SPEAKER_01]: the requirement for FIPS validated cryptography.
[00:26:01] [SPEAKER_01]: There are plenty of vendors out there that say we have FIPS compliant cryptography.
[00:26:04] [SPEAKER_01]: Yeah, that's so bad.
[00:26:05] [SPEAKER_01]: Back and forth with some of our consultants before on that very topic.
[00:26:10] [SPEAKER_01]: And the main thing is, you can't just say, oh, they're FIPS compliant,
[00:26:13] [SPEAKER_01]: so we can go ahead and use them.
[00:26:15] [SPEAKER_01]: No, the control says FIPS validated.
[00:26:17] [SPEAKER_01]: You can't just look at a control here and say,
[00:26:21] [SPEAKER_01]: we'll just write down that we exempted this control or this tool from this control
[00:26:25] [SPEAKER_01]: because we like the tool.
[00:26:27] [SPEAKER_01]: That's not how it works.
[00:26:28] [SPEAKER_01]: A good assessor will sniff that out, find it, ding you on it.
[00:26:31] [SPEAKER_01]: If it's one of those three or five pointers, you're dead in the water already.
[00:26:36] [SPEAKER_01]: And do you really want to have that argument only for them to come back from the assessor
[00:26:40] [SPEAKER_01]: say it looks like you decided that a control didn't apply to you when it absolutely does?
[00:26:45] [SPEAKER_03]: And also, to me, a very low-key dangerous control requirement that requires some type
[00:26:55] [SPEAKER_03]: of technical tool to accomplish is application allow listing.
[00:26:59] [SPEAKER_03]: Not a lot of people talk about that requirement in CMMC, but it is absolutely required.
[00:27:04] [SPEAKER_03]: And you have to have a mechanism to do something like using a tool like ThreatLocker,
[00:27:11] [SPEAKER_03]: which isn't in the compliant arena yet for CMMC.
[00:27:16] [SPEAKER_03]: So if you're trying to use ThreatLocker to do application allow listing,
[00:27:22] [SPEAKER_03]: you could be in a rude awakening if your auditor catches their approach
[00:27:26] [SPEAKER_03]: to how they're doing stuff.
[00:27:29] [SPEAKER_03]: And you could be marked as not met, and then you can straight fail your assessment
[00:27:33] [SPEAKER_03]: because you're utilizing a tool.
[00:27:35] [SPEAKER_03]: Not that I'm trying to pick on ThreatLocker.
[00:27:37] [SPEAKER_03]: They said that they're going after their FedRAMP.
[00:27:39] [SPEAKER_03]: Hope to God that they do get it and they can step in the space
[00:27:42] [SPEAKER_03]: and provide some valuable support.
[00:27:44] [SPEAKER_03]: And that's, I think, part of the point that we're trying to make here, right, Adam,
[00:27:47] [SPEAKER_03]: is we want more vendors to step in the space because they're desperately needed.
[00:27:51] [SPEAKER_03]: And it's going to be like shooting fish in a barrel
[00:27:52] [SPEAKER_03]: because there just isn't many in that space.
[00:27:55] [SPEAKER_03]: So if you can step in that space as a vendor, you're going to be cleaning up
[00:27:59] [SPEAKER_03]: because the people are desperate to try to get tools
[00:28:00] [SPEAKER_03]: that are going to be able to help them on this journey because it is not easy.
[00:28:04] [SPEAKER_01]: Yeah, I mean to the point on ThreatLocker, we're very familiar with them as a company,
[00:28:09] [SPEAKER_01]: what they bring to the table.
[00:28:10] [SPEAKER_01]: Great tool, great offering, really brings a lot of value to the SMB space out there
[00:28:15] [SPEAKER_01]: and the MSP community as a whole for application allow listing.
[00:28:17] [SPEAKER_01]: They've been enhancing other products, sweet.
[00:28:19] [SPEAKER_01]: This is not the ThreatLocker sales pitch.
[00:28:21] [SPEAKER_01]: I'm not being paid to say any of this stuff.
[00:28:22] [SPEAKER_01]: I've got a shirt maybe somewhere around here from a conference because they're soft and awesome.
[00:28:26] [SPEAKER_01]: But we looked at that and said, great, this will solve some problems.
[00:28:32] [SPEAKER_01]: We were going through our demo.
[00:28:33] [SPEAKER_01]: We had our demo and proof of concept spun up.
[00:28:36] [SPEAKER_01]: And then the updated rule came out that involves security protection data,
[00:28:40] [SPEAKER_01]: some clarifications around FedRAMP.
[00:28:42] [SPEAKER_01]: And we took the conservative approach and had to do full stop on this.
[00:28:46] [SPEAKER_01]: We don't have FedRAMP ATO, we can't proceed.
[00:28:49] [SPEAKER_03]: Because we've got to move clients in the safe waters.
[00:28:51] [SPEAKER_01]: Yeah, because at the end of the day, if we put a tool in there that is not compliant,
[00:28:56] [SPEAKER_01]: we're telling the client to pay for it.
[00:28:59] [SPEAKER_01]: Because MSP is, you know, we don't do this for free.
[00:29:02] [SPEAKER_01]: And Lord knows the good tools aren't free either.
[00:29:05] [SPEAKER_01]: If they fail their assessment because we didn't do our due diligence on a tool
[00:29:08] [SPEAKER_01]: and their assessor says, nope, that should have a FedRAMP there.
[00:29:12] [SPEAKER_01]: And we say, I disagree with you and they rule, nope, you have to.
[00:29:16] [SPEAKER_01]: We're the reason the client just failed their assessment.
[00:29:18] [SPEAKER_01]: And in a best case scenario, we get some nasty emails
[00:29:21] [SPEAKER_01]: and a very uncomfortable meeting with that client.
[00:29:24] [SPEAKER_01]: Most likely case they're going to want to switch providers pretty quick.
[00:29:28] [SPEAKER_01]: Worst case they might try to come back and throw the lawsuits on legal at you.
[00:29:32] [SPEAKER_01]: Now hopefully of course, you know, MSAs are up to date
[00:29:34] [SPEAKER_01]: and make sure that they've got protections in there and stuff.
[00:29:36] [SPEAKER_01]: So doesn't stop them from throwing that lawsuit out there.
[00:29:39] [SPEAKER_03]: Yeah.
[00:29:39] [SPEAKER_03]: And so that just the responsibility and requirement for the managed service
[00:29:44] [SPEAKER_03]: provider that's supporting that client is just so high.
[00:29:48] [SPEAKER_03]: That's why we put it as number four is just the tools and trying to make sure that you have
[00:29:52] [SPEAKER_03]: a good offering that is a conservative approach that isn't going to put the client in danger of them
[00:29:59] [SPEAKER_03]: failing their assessment.
[00:30:00] [SPEAKER_03]: And that's another reason why I like the fact that the MSP is required to get level two certified
[00:30:07] [SPEAKER_03]: because at least they should get a sniff test.
[00:30:10] [SPEAKER_03]: But if you're working with an MSP, be sure that you validate that what they had assessed
[00:30:16] [SPEAKER_03]: is what they're using in your environment.
[00:30:20] [SPEAKER_03]: Don't fall for that trick.
[00:30:21] [SPEAKER_01]: People, processes and technology.
[00:30:24] [SPEAKER_03]: All right.
[00:30:24] [SPEAKER_03]: So let's get to the fifth one, which I think is one that is very on the forefront of us.
[00:30:32] [SPEAKER_03]: We made it for last just because I think it's a good one to have as last.
[00:30:38] [SPEAKER_03]: And that is the unknown factor.
[00:30:39] [SPEAKER_03]: I kind of equate the CMMC program to us being on a train heading to a train station that's
[00:30:47] [SPEAKER_03]: being built as we're on the track heading there.
[00:30:50] [SPEAKER_03]: I mean, that's kind of like what we're in for, right?
[00:30:52] [SPEAKER_03]: Adam, I mean, the 32 CFR proposed rule still is proposed.
[00:30:56] [SPEAKER_03]: It's not official, which means there could be some deviations or changes.
[00:31:00] [SPEAKER_03]: We're not thinking there's going to be much, but there's still that ambiguity out there
[00:31:04] [SPEAKER_03]: that are they going to keep security protection data in the rule?
[00:31:08] [SPEAKER_03]: Are they going to remove it?
[00:31:09] [SPEAKER_03]: If you're not sure what that is.
[00:31:10] [SPEAKER_01]: Are they going to better define it?
[00:31:11] [SPEAKER_03]: Yeah, are they going to better define it?
[00:31:13] [SPEAKER_03]: Like there's so many things that they're not even security protection data.
[00:31:18] [SPEAKER_03]: You could read with Ron Ross looking over your shoulder the 800-171 requirement, right?
[00:31:27] [SPEAKER_03]: That standard and you will not see security protection data anywhere in there.
[00:31:32] [SPEAKER_01]: Right, because 800-171 is the protection of controlled unclassified information,
[00:31:38] [SPEAKER_03]: no. And so everybody was like, and it, you know, people like us, managed service providers,
[00:31:43] [SPEAKER_03]: like it impacted us a lot heavier than it did just our clients.
[00:31:48] [SPEAKER_03]: Because if you're just building your own system, it doesn't matter about security
[00:31:53] [SPEAKER_03]: protection data in general and controlled unclassified because most of the time,
[00:31:57] [SPEAKER_03]: wherever your controlled unclassified information is going to be is where your
[00:32:00] [SPEAKER_03]: security protection.
[00:32:01] [SPEAKER_03]: There's some exceptions to that.
[00:32:02] [SPEAKER_03]: I'm sure me and you could discuss and argue about that for a while.
[00:32:05] [SPEAKER_01]: Yeah, we want to go down the exception.
[00:32:06] [SPEAKER_01]: We'll be here all day, but in the interest of time.
[00:32:08] [SPEAKER_03]: My point is if you're building this system yourself for yourself, it's different than
[00:32:13] [SPEAKER_03]: as a managed service provider where you're putting tools and all of that security
[00:32:17] [SPEAKER_03]: protection data is flowing into you as an MSP, you've got to account for that.
[00:32:21] [SPEAKER_03]: And that is a very big challenge.
[00:32:23] [SPEAKER_03]: And that's a big unknown for managed service providers.
[00:32:26] [SPEAKER_01]: Yeah. And I think the approach we had to take on that is one of the sentences
[00:32:29] [SPEAKER_01]: that I had to keep reiterating during the course of our assessment is
[00:32:32] [SPEAKER_01]: Axiom is a managed service provider supporting organizations with a defense
[00:32:35] [SPEAKER_01]: industrial base and we have no plans to directly store, process or transmit
[00:32:39] [SPEAKER_01]: controlled unclassified information.
[00:32:41] [SPEAKER_01]: That is a very true statement.
[00:32:43] [SPEAKER_01]: We're not going out to Lockheed Martin and Boeing to do work with them.
[00:32:47] [SPEAKER_01]: We're not bidding on those contracts.
[00:32:48] [SPEAKER_01]: We're helping those small, medium businesses in the DIB.
[00:32:51] [SPEAKER_01]: So we're going to be ingesting that security protection data an awful
[00:32:53] [SPEAKER_01]: lot and we had to make some decisions.
[00:32:55] [SPEAKER_01]: Could we have potentially been a little bit more loose with our controls
[00:32:59] [SPEAKER_01]: and our interpretation of them?
[00:33:00] [SPEAKER_01]: Because again, we're not going to store, process or transmit CUI.
[00:33:03] [SPEAKER_01]: That's absolutely a true statement.
[00:33:05] [SPEAKER_01]: But again, it's that unknown.
[00:33:07] [SPEAKER_01]: We don't know where that final rules are going to come out if there's to be
[00:33:10] [SPEAKER_01]: further clarifications on security protection data.
[00:33:12] [SPEAKER_01]: So we had to make some judgment calls and assume that security protection data
[00:33:16] [SPEAKER_01]: equals controlled unclassified information where possible.
[00:33:21] [SPEAKER_01]: You know, we had it.
[00:33:22] [SPEAKER_01]: There were a few instances where we did have to take some
[00:33:25] [SPEAKER_01]: flexibilities and some leeways in the hopes that our assessor would
[00:33:29] [SPEAKER_01]: agree and we were prepared to argue if they did not to try to make our case.
[00:33:33] [SPEAKER_01]: But we had to make some decisions and given that they only say configuration data
[00:33:37] [SPEAKER_01]: or log data as their examples, that's a huge unknown.
[00:33:41] [SPEAKER_01]: You know, what about your vulnerability scans, your patch reports,
[00:33:44] [SPEAKER_01]: your account management database, your software inventory?
[00:33:48] [SPEAKER_01]: Is that security protection data?
[00:33:49] [SPEAKER_01]: Is that configuration data?
[00:33:51] [SPEAKER_01]: I can argue that it is.
[00:33:52] [SPEAKER_01]: I can argue that it isn't.
[00:33:54] [SPEAKER_03]: So Adam, we kind of hinted on the fact that we had just finished our assessment.
[00:34:01] [SPEAKER_03]: Do you want to share how our assessment went?
[00:34:05] [SPEAKER_01]: Oh, you're giving me the I'm giving you the honor.
[00:34:08] [SPEAKER_03]: I'm giving you the honor.
[00:34:09] [SPEAKER_01]: So yeah, we spent the last three days of last week going through our assessment,
[00:34:13] [SPEAKER_01]: diving deep into our SSP going over all 110 objectives, all 320 controls.
[00:34:20] [SPEAKER_01]: And all those to really drag this out and really build some anticipation and hype on
[00:34:23] [SPEAKER_01]: that by just putting words out there to again drag this out and build that hype.
[00:34:27] [SPEAKER_01]: But at the end of our assessment, we did walk away with a 110 score from our assessor.
[00:34:34] [SPEAKER_03]: So all this is no small task, you know, that was easily the hardest thing
[00:34:41] [SPEAKER_03]: business wise I've ever had to do in my life.
[00:34:44] [SPEAKER_01]: Definitely.
[00:34:46] [SPEAKER_01]: Just when you look at all the linkages between the SSP, the policies,
[00:34:49] [SPEAKER_01]: the procedures, the reoccurring tasks and maintenance checklist, there's a lot there.
[00:34:55] [SPEAKER_01]: Especially when you drill into all those 320 objectives that have to be reinforced
[00:34:59] [SPEAKER_01]: throughout this entire process.
[00:35:01] [SPEAKER_01]: I think we have well over 500 pages of documentation, if not, you know, closer to a
[00:35:06] [SPEAKER_01]: thousand pages.
[00:35:08] [SPEAKER_01]: All for an environment that's pretty small, pretty secluded, not a whole lot there.
[00:35:14] [SPEAKER_01]: But that it encompasses, of course, our support tools and whatnot that will take
[00:35:17] [SPEAKER_01]: to the client.
[00:35:18] [SPEAKER_01]: But yeah, it was perfect.
[00:35:22] [SPEAKER_03]: Yeah, it was not easy to do.
[00:35:24] [SPEAKER_03]: It was a lot of work just trying to pass and it would have been considerably easier,
[00:35:30] [SPEAKER_03]: right?
[00:35:30] [SPEAKER_03]: Adam, for us just to focus on passing ourselves, but that's not what we did.
[00:35:34] [SPEAKER_03]: What we had to do is we had to think about how we would pass, but we had to
[00:35:37] [SPEAKER_03]: pass in a way that set us up for success on how we're going to support our clients.
[00:35:42] [SPEAKER_03]: And there's no assessment guide or any direction that explains how to
[00:35:48] [SPEAKER_03]: do that the right way.
[00:35:49] [SPEAKER_03]: There just isn't.
[00:35:49] [SPEAKER_03]: So we literally were the tip of the spear trying to figure out how to do that.
[00:35:53] [SPEAKER_03]: And so the moment we finished on Monday, we were immediately talking about how
[00:35:59] [SPEAKER_03]: we're going to build that and integrate our changes into our matrix and how
[00:36:03] [SPEAKER_03]: we're going to do our linkage between our client's security plan and our
[00:36:08] [SPEAKER_03]: security plan that will be at the time of the once the assessment start
[00:36:13] [SPEAKER_03]: happening, we're going to race to the finish line to get assessed
[00:36:16] [SPEAKER_03]: immediately.
[00:36:18] [SPEAKER_03]: And then we want our clients then as they go through their SSP and the
[00:36:22] [SPEAKER_03]: matrix have to connect, we kind of call that the docking station is you
[00:36:25] [SPEAKER_03]: have to have that built.
[00:36:26] [SPEAKER_03]: That system, there is no assessment for that.
[00:36:30] [SPEAKER_03]: Right.
[00:36:31] [SPEAKER_03]: So you could hire an MSP that has passed and you could hire us that's
[00:36:36] [SPEAKER_03]: passed and if they don't have a system to do that efficiently,
[00:36:39] [SPEAKER_03]: you could still fail.
[00:36:41] [SPEAKER_03]: So you've got to really think about that.
[00:36:43] [SPEAKER_03]: And boy, are we really putting a tremendous amount of time and effort
[00:36:48] [SPEAKER_03]: and thought about how to do that because we want our clients to inherit as
[00:36:52] [SPEAKER_03]: much of what we went through our journey so that they're having to do less.
[00:36:57] [SPEAKER_03]: And that's not an easy task.
[00:36:59] [SPEAKER_03]: Well, everybody, I appreciate you following us along this conversation about
[00:37:05] [SPEAKER_03]: the five pitfalls.
[00:37:07] [SPEAKER_03]: We gave you some extra bonus conversations in there about what you
[00:37:10] [SPEAKER_03]: need to look out for passing your assessment.
[00:37:12] [SPEAKER_03]: This is all based on the right off the press of us having our experience
[00:37:15] [SPEAKER_03]: with our gap assessment.
[00:37:17] [SPEAKER_03]: And I think it's a good telltale sign for us to know where we're going to be.
[00:37:23] [SPEAKER_03]: And I think we just wanted to provide that insight to others
[00:37:27] [SPEAKER_03]: to try to help them get more in line with what they're going to need
[00:37:31] [SPEAKER_03]: to do in order for them to climb that hill as well.
[00:37:34] [SPEAKER_03]: So Adam, again, thank you so much for joining us today, buddy.
[00:37:37] [SPEAKER_01]: Yeah, it's nice now that we're out of the assessment.
[00:37:39] [SPEAKER_01]: I can actually come out a little bit more, talk a little bit more about
[00:37:41] [SPEAKER_01]: some of the fun learnings over the last several months.
[00:37:43] [SPEAKER_02]: With that, let's go ahead and close.
[00:37:45] [SPEAKER_02]: So thank you again, everybody.
[00:37:47] [SPEAKER_02]: And don't forget, keep on climbing.
[00:37:50] [SPEAKER_00]: Make sure to follow us on LinkedIn and YouTube
[00:37:52] [SPEAKER_00]: to stay up to date on the latest CMMC news.
[00:37:55] [SPEAKER_00]: We hope you guys enjoyed today's episode
[00:37:57] [SPEAKER_00]: and listen out for the next one.
[00:37:59] [SPEAKER_00]: But until then, keep on climbing.