Are you an MSP navigating CMMC? Are you a contractor looking for the right MSP for your climb to CMMC? This episode is going to decipher the 32 CFR final rule with those two perspectives front-of-mind.
Bobby and Kaleigh discuss the assessment requirements of an ESP, what inheritance is, and how an MSP can prepare to help their clients in the DIB space.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:12] Hello Climbers, today we are going to be diving into the 32 CFR ruling and how it affects MSPs.
[00:00:20] Now previously we talked about our notes on the 32 CFR ruling.
[00:00:25] And we've been making changes to the notes that we have in there, I mean like hour by hour, so be advised.
[00:00:32] Be advised, yeah. And that's just how this is going to work.
[00:00:35] This is what everybody's doing right now. We're in this together. So here we go.
[00:00:39] So specifically what we're going to do is we're going to talk about this final ruling that just dropped.
[00:00:46] Okay, it was published on 10-15, October 15th. So that's yesterday of the time that we are recording this.
[00:00:53] So that gives you a little bit of a perspective of how long we've had to read some of this stuff.
[00:00:57] Okay. But what we are trying to do is we want to help specific bodies, specific companies navigate this and work through this,
[00:01:06] which we know that, you know, MSPs and vendors are going to look at this a little bit different, right?
[00:01:11] Right, yeah.
[00:01:11] You're going to look at this differently. So we're going to tackle this from a few different angles.
[00:01:15] And today we're going to be talking about MSPs specifically. And I'm really excited for this one.
[00:01:21] One, because we have a heart for MSPs.
[00:01:23] Because we're an MSP.
[00:01:24] We are one of ourselves. So yeah, so let's just get into this, right? Shall we just get into it?
[00:01:29] Yeah.
[00:01:30] So let's talk about a specific point that was a very, very big topic when the final ruling was released.
[00:01:37] And that is it no longer stated specifically that an ESP, which is what an MSP is, right? An external service provider.
[00:01:47] They no longer have to have a certification equal to or higher than the OSA, right?
[00:01:54] They now only say that the ESP has to be assessed. Okay? So let's talk a little bit about what that means, right?
[00:02:05] Yeah.
[00:02:06] So that's interesting. At first it kind of sounds like, oh, I'm off the hook. But how much off the hook are you really?
[00:02:13] Because they do say that you are having to be assessed, right? And in what way are you going to be assessed with that organization?
[00:02:20] Yeah. So Bobby, you want to talk a little bit about when you read that, what that means and how much you've deciphered it so far and what you've learned from it?
[00:02:29] Yeah. I don't know if you can play a video meme on this, but the way that I see it is like, they're like, oh, we, you know, the kid, like he's on the little Ferris go around thing and with the little arm and he like ducks his head down.
[00:02:40] He's like, oh, and it's like, hey, we don't have to get level two assessed. And they duck their head and they're like, yeah.
[00:02:44] And then the other arm comes around and goes whack and just knocks the kid like right off the pedestal.
[00:02:48] Right.
[00:02:49] To me, I think that's what's kind of going on here. It's like, you know, there's much rejoicing and celebrating.
[00:02:54] And then, you know, the larger giant sort of shows up and that is that you're going to have to be assessed in there.
[00:03:01] And there's a bit of a variance in the beliefs on how that might go.
[00:03:06] We are still in the throes of trying to understand exactly what those implications are.
[00:03:12] Some more conservative CCAs and C3PAOs are looking at it from the perspective of just the relevant controls that the MSP are providing.
[00:03:20] So, for example, if you're doing patching and that is it, or maybe you're doing vulnerability scanning, or maybe you might just be doing a SIEM that you could potentially almost be assessed like a security protection asset.
[00:03:31] And from the fact that they're only going to assess just the components of what you're bringing to the table.
[00:03:38] But there's also a look at what type of information is going to be going into your system.
[00:03:44] So, if you're an ESP that is an MSP, they love their acronyms, you know, because like ESP is kind of like car and an MSP is like Ford, you know, like it's a better definition.
[00:03:58] Like a type of it.
[00:03:59] Yeah, a more, you know, narrow definition because there's a lot of things that fall under the ESP term.
[00:04:04] Yes, very true.
[00:04:04] Good point.
[00:04:05] So, but as an MSP or an MSSP, typically those MSSPs, what they're doing is SIEM solutions and security monitoring and those types of things.
[00:04:14] You know, when you look at that, they're going to want to assess and see where they're at.
[00:04:20] And if they're pulling in controlled unclassified information, there are some that are saying the way the rule has been worded, that there might actually be two assessments that could potentially be going on there.
[00:04:30] Because that organization is ingesting that data.
[00:04:33] Now, if they're not ingesting controlled unclassified information, if they're only ingesting just the security information, the logs and those types of things, and they have access to the client's system, then, you know, it could be that they're just being assessed by those specific controls that they're doing.
[00:04:49] Suffice it to say that you don't want to try to walk the line.
[00:04:54] If you're a, and this is where I'm saying that other arm kind of comes around and goes whack, you know, because if you're going to try to walk the line as close as you can, there is a massive variance, sadly, in the way C3PAO organizations and CCAs are looking at things.
[00:05:12] And you're seeing this right now as people are reading it.
[00:05:14] Yeah.
[00:05:16] And you don't want to be in that variance level because you could be either on the line, over the line, or behind the line.
[00:05:23] You just don't know where you're going to fall if you're in that variance.
[00:05:25] So you want to stay out of that, you know, DMZ zone of unknown and try to be in a more safer place.
[00:05:32] Yeah.
[00:05:32] So if you're going to go the level of not being certified, you really want to bring your A game about how you're going to prove and approach that.
[00:05:40] And you're going to want to have a C3PAO or a very, very good CCA give you solid advice about what type of evidence, what type of proof, what type of system, what type of boundaries you're going to have when you come into the clients.
[00:05:55] And it's not something you're just going to, you know, show up one day and say, hey, let's do this, guys.
[00:06:01] Like, I mean, you got to really put your A game and think about what you're doing.
[00:06:04] Right.
[00:06:05] It's a big deal.
[00:06:06] Right.
[00:06:07] And if you have multiple clients that are in this space.
[00:06:12] Right.
[00:06:12] You're going to be assessed with them multiple times.
[00:06:17] Okay.
[00:06:18] They don't say it's one and done.
[00:06:20] They don't say that.
[00:06:21] They say you have to be assessed with your OSA.
[00:06:26] And that I feel like that's just a huge deal.
[00:06:29] I mean, yes, I get that they don't require you to have the level certification.
[00:06:34] But like hearing that you could be assessed tons and tons of times still is I mean, that should still be a really big deal for MSPs and ESPs out there.
[00:06:47] Yeah.
[00:06:47] That's a good one.
[00:06:50] I think the way that the DOD perhaps and other organizations are looking at this is like that somehow the MSPs desperately don't want to be in the room of the assessment.
[00:07:03] So they want to try to provide opportunities for organizations that have been certified to just provide the body of evidence and then just let the client handle the discussion just like it would be like you don't expect Microsoft to be in your assessment.
[00:07:17] Right.
[00:07:18] You don't go, hey, Bill, show up here and talk to the assessor about how this whole GCC high container works.
[00:07:23] Ready?
[00:07:23] Go.
[00:07:23] No, he's not going to do that.
[00:07:25] They just provide the body of evidence.
[00:07:26] It's your job to appropriately inherit and reference like how you're using those GCC environments that have a FedRAMP certification.
[00:07:36] Like so you can you can inherit from those and it's your job to do that.
[00:07:40] And I think the DOD sort of kind of assumed that if you're an MSP that's got level two, that is going to continue.
[00:07:46] But what I don't think a lot of people think about is the MSP is not just the guy or gal that get you to the podium.
[00:07:54] They're doing your help desk, right?
[00:07:56] Yeah.
[00:07:57] They're all up in just trying to help make sure that you are successful as a business.
[00:08:01] Their job is to make sure that the company can do theirs.
[00:08:05] If they can't do their job because somehow you screwed something up, either it be compliance or security or just general efficiency in how they operate.
[00:08:13] They can't do a and they need to.
[00:08:16] And you somehow didn't think about that.
[00:08:18] Like that's our job, right?
[00:08:20] So we really want to be there and help the client.
[00:08:23] We don't want to dip and exit.
[00:08:25] So I think more mature and more forward thinking MSPs, even though they might get certified and still be able to not be at the assessment, will probably still be there.
[00:08:36] We will still be there.
[00:08:38] So we're going to get level two ourselves assessed.
[00:08:40] The inheritance, which we'll talk about a little bit later, will be different.
[00:08:45] The engagement will be different and the flow and capability of how fast that assessment will be different.
[00:08:51] Yeah.
[00:08:51] So all of that kind of being said, if you're not a level two certified organization, just like Kaleigh saying, you're going to get assessed and they're going to look at whether the services you're providing a much larger scope, a subset.
[00:09:06] It just depends on, you know, like most MSPs, if they're fully engaging a company, they're going to do like 60 to 70 percent of the technical controls.
[00:09:15] So you best believe that they're going to be checking out a ton of how you operate as a business.
[00:09:20] Yeah, absolutely.
[00:09:21] And they're going to be looking at all the stuff that you're providing, how you're providing it, how you're securing it.
[00:09:25] And that's going to happen every time you get assessed.
[00:09:29] Every time a client gets assessed, they're going to go looking at all of that information.
[00:09:34] You know, and it's not going to be isolated to just the client.
[00:09:37] They're going to be getting into your business and that's going to happen every time.
[00:09:41] And if you have different C3PAOs that are assessing that client, they're going to be looking at things from different perspectives.
[00:09:47] They're going to be looking at things and they may not look at the way that you do one way.
[00:09:52] Okay.
[00:09:52] And then another company looks at it and they kind of go, I'm not sure about that.
[00:09:56] And that's where really being very careful about your approach so that no matter who looks at it, you're going to pass is going to be critical and key.
[00:10:04] Gosh, you really just like hit me with something so realistic of there's, I mean, MSPs are selling to their clients security and compliance all the time.
[00:10:18] And if you have clients that are in this industry and you're still selling them the same thing that you're selling other clients, like how could you not be in the room when they're doing one of the most important compliance and security assessments of their entire business?
[00:10:37] Like you are the one that they placed in charge of this for a reason.
[00:10:42] Like they, let's say that they're, you know, they're in, uh, they're creating like aircraft parts.
[00:10:48] Right.
[00:10:48] And they don't have the time to do help desk support, security, firewalls, phishing, whatever that may be.
[00:10:56] You're doing all of that for them so that they can do their job.
[00:11:01] Like, let's be real on what you're standing up to do for this company.
[00:11:06] Like, don't let them down.
[00:11:08] You know what I mean?
[00:11:09] And I just, I just think that's such a great point.
[00:11:12] It's so real.
[00:11:14] It's so true.
[00:11:14] We need MSPs that are going to step up to the plate and, and do that and say, say what they're going to do and do it, you know?
[00:11:23] And, and that I'm excited.
[00:11:26] Now we have to dive into inheritance.
[00:11:28] We have to dive into it now.
[00:11:29] Before, before we do that, I do want to talk a little bit deeper about some potential options.
[00:11:34] Okay.
[00:11:35] Um, so I, I kind of equate to, to the actual assessment, like the wedding day, right?
[00:11:43] You, you know, you're the proud father or mother and you've gone through the dress fitting, you've done all this stuff.
[00:11:51] If you don't show up to the wedding, like that's a pretty big deal.
[00:11:54] Right.
[00:11:55] And that's kind of the way that I look at the assessment.
[00:11:57] Like if you're not going to show up to the wedding day, you know, you're on the five yard line.
[00:12:01] You want to, you want to, you want to put it in the end zone and, and, you know, win for the big team, you know, and, and try to try to get the W you, you, you know, whatever analogy works for you.
[00:12:11] You really got to think about that, that, that assessment day is the day that is happening.
[00:12:18] And do you want to like, let it go to chance about how this is going to go?
[00:12:22] Oh, true.
[00:12:22] So, so if I'm not going to be there, there better be somebody who's going to be really good at the helm.
[00:12:28] Yeah.
[00:12:28] And that could be a consultant.
[00:12:30] We always try to suggest to the client that they have a triad.
[00:12:34] So it's us, them, and a consultant that is, you know, a C3PAO or a very, very, you know, knowledgeable consulting organization that has been, you know, established and understands the space.
[00:12:48] The reason why we like having kind of that triad is not that we couldn't do it because we could, but it's better in situations for organizations that are doing specific consulting to have that additional third party that looks at what we're doing.
[00:13:04] Kind of the watch, the watcher, as well as working with the client.
[00:13:08] Right.
[00:13:10] To do things like administrative controls or other controls that are more not typically handled by MSPs from a traditional sense.
[00:13:16] So they'll understand those better and they can also work in the procedures because as us, as we come in from an inheritance, which we're going to talk about in just a second, you know, a big approach of that is to try to create a good system that docks those two together between the client and you.
[00:13:32] But there's plenty of opportunity for consultants to come in procedurally and help make sure that those are aligned very well with how that company operates.
[00:13:42] You don't necessarily have to change a ton of policy, but you will have to change a lot of procedures.
[00:13:47] And so getting those procedures to change, to operate the way the company works is a huge amount of space that is greatly filled by a consultant organization that comes in there and comes next to and is working and helping address those.
[00:14:00] We love that.
[00:14:01] That's something that we like to stay in the lane that we're in.
[00:14:04] We can do that if we need to.
[00:14:05] And we already have those procedures already built out for the clients for them to inherit if they wanted to.
[00:14:10] But it just makes more sense for the client to have a more customizable procedure that really addresses how they operate.
[00:14:16] And we can do that for the client.
[00:14:17] But if you have that consultant and you have a shorter time frame, you can now have a consultant that's working on those procedures.
[00:14:23] At the same time, we are working on building your container, importing your data, doing those types of things.
[00:14:28] And you can really help tag team and stay in your lane and get there much faster.
[00:14:33] And then what happens is in that situation, you could pass off the day, the game day, to the consultant if you wanted to.
[00:14:41] You have all the body of the evidence because you're level two certified and how you can do the inheritance.
[00:14:46] And they could stay there next to the client and do that evidentiary explanation and provide the evidence they have.
[00:14:54] Where it gets a little tricky is the MSP is probably going to have the only admin access.
[00:15:00] That would be how I would handle it.
[00:15:02] So if the auditor is like, hey, show us access to this, this, this, and this, that auditor is not going to be, you know, that consultant is not going to have that access.
[00:15:10] Yeah, complete.
[00:15:10] So, you know, unless they're okay with just taking screenshots, which a lot of them aren't, you're still going to get pulled in to some extent, especially on some of those technical controls.
[00:15:20] So how does that play out?
[00:15:22] That's a dance that everybody needs to kind of start getting used to going through and really understanding.
[00:15:26] Yes, for sure.
[00:15:28] So, okay, let's talk about inheritance a little bit.
[00:15:31] Let's talk about what that word means and then how it affects the assessment itself.
[00:15:38] Okay.
[00:15:38] I want to hear your definition of inheritance.
[00:15:41] I'm not saying that I'm like testing you, but I want to hear what your thoughts are about this.
[00:15:44] I'm really curious.
[00:15:45] Wow.
[00:15:46] Okay.
[00:15:47] So basically it's, you know, if, if you, if one of your parents dies and you take all of the money, you know, but I'm, I'm her parent just in case you're wondering.
[00:15:58] So she's talking about my death right now.
[00:16:00] Let's talk about it.
[00:16:01] Let's talk about it in the CMMC.
[00:16:03] Okay.
[00:16:32] Okay.
[00:16:33] From them.
[00:16:34] Yes.
[00:16:34] Because that was already assessed under their controls, right?
[00:16:39] Under, under their environment.
[00:16:41] And so let's take it on the other side.
[00:16:44] If they did not get those things checked out, they will be getting them assessed during yours.
[00:16:51] Right.
[00:16:52] Right.
[00:16:52] So, so it could kind of be flipped from a few different, different angles.
[00:16:58] I say angle one looks a lot better for you.
[00:17:01] Angle two is a bit scary to wait for.
[00:17:05] But, but what do you think?
[00:17:06] Did I do okay with explaining some of it?
[00:17:08] I love it.
[00:17:09] I agree.
[00:17:09] I agree.
[00:17:10] I agree whole, wholeheartedly with your interpretation.
[00:17:13] Well, the first one was kind of a joke, but I mean, that's also true, but let's be real
[00:17:19] about what this means to you as let's, let's talk to MSPs.
[00:17:24] Yeah.
[00:17:24] Okay.
[00:17:24] Yeah.
[00:17:25] You have the opportunity to give your client a leg up.
[00:17:30] You have an opportunity to give them peace of mind for just some of the controls that
[00:17:39] you handle.
[00:17:40] Some of the, you're, you're saying be level two certified.
[00:17:42] Right.
[00:17:43] In level two certified.
[00:17:45] Um, you have the chance to give them peace of mind in certain areas and you know, that's,
[00:17:52] that's a really big deal.
[00:17:54] Um, I think people looking for MSPs are going to be looking for that because why would you
[00:18:00] not want more peace of mind when going into an assessment?
[00:18:04] You do not want to figure out what your MSP is good at and not good at during your assessment
[00:18:10] itself.
[00:18:10] That is a very bad day, very bad day.
[00:18:14] So it's just, I think it's critical for, um, if you are a person, um, a contractor,
[00:18:22] subcontractor, if you're a company that's in the DIB space and you're listening to this,
[00:18:26] if you're looking for an MSP, like look for somebody who has the approach like that, you
[00:18:33] know, um, I'm not saying that somebody that doesn't get level two certified could help
[00:18:38] you pass an assessment because, you know, maybe they are doing it all on their own.
[00:18:42] I'm not saying that they can't, but seeing the certification and seeing the piece of paper
[00:18:47] really does look super nice, you know?
[00:18:50] And, um, I think for an assessor, it also is going to look super nice.
[00:18:54] For sure.
[00:18:55] And they've said that to us, you know?
[00:18:57] Oh yeah.
[00:18:58] Yeah.
[00:18:58] They, uh, it's kind of funny when we went through our gap assessment, uh, we used NSF, they were
[00:19:04] great.
[00:19:04] Um, but they were like, when we were talking with them because they've worked like all the
[00:19:09] C3PAOs are kind of this way, at least the ones that I've worked with and looked at because
[00:19:13] they've done so much with MSPs.
[00:19:15] They're kind of like, they kind of have this watchful eye, like, do you really know what
[00:19:20] you're doing?
[00:19:20] Cause a lot of people kind of talk, but when it comes down to it, it's like, man, they're
[00:19:25] not doing it.
[00:19:25] Yeah.
[00:19:26] Um, so as we started kind of going through our gap, they were really like, you know, they
[00:19:30] were really like kind of giving us a watchful eye.
[00:19:32] But then like, as they started going through the assessment and looking at how we were doing,
[00:19:35] they're like, Oh, okay.
[00:19:36] Yeah.
[00:19:36] Wow.
[00:19:37] Okay.
[00:19:37] Man, that's a nice system that you guys have, you know, and they were kind of like going
[00:19:40] through and, and looking at the approaches that we're doing and then they kind of start
[00:19:44] to feel more comfortable.
[00:19:45] Right.
[00:19:45] Yeah.
[00:19:46] And so now when we go to, because they, it's the same company that's going to assess us,
[00:19:50] they did not provide any consulting.
[00:19:51] So they're, they are allowed to do the actual assessment in January for us.
[00:19:56] Mm-hmm.
[00:19:57] They have a much better confidence of how we're approaching this.
[00:20:00] They even have a better understanding of our ecosystem and what they're going to be looking
[00:20:04] at when they look at us again in January.
[00:20:06] So that's a huge help, but also let's just say that it's another company that did the level
[00:20:12] two for us and that NSF was doing an assessment for a client, right.
[00:20:18] That we service, uh, and they saw that we were level two.
[00:20:22] They would immediately start feeling a lot more comfortable with our approach right off
[00:20:26] the bat, just because they don't hand those things out like candy.
[00:20:28] You've got to earn them and really work to get that.
[00:20:31] Yeah.
[00:20:31] So that, to them, they, that, that immediately signals a significant, uh, level of confidence
[00:20:38] that they can have right off the bat.
[00:20:40] Doesn't mean that they just come in with eyes closed.
[00:20:42] You know, they're going to, they're definitely going to do their jobs, but they have a different
[00:20:46] perspective about that.
[00:20:48] Um, and you know, that's really, um, you know, a really important aspect to, to think
[00:20:53] and consider, right.
[00:20:55] When you're doing that, um, those types of things are, or can't be overstated about that.
[00:21:02] Absolutely.
[00:21:03] So let me just give you a suggestion on why you might want to not be assessed and it actually
[00:21:07] could potentially be a good thing.
[00:21:09] Um, so let's say that you have a client that not a majority of their work is in the DIB space,
[00:21:16] maybe a smaller percentage, right?
[00:21:18] So it's not as big a deal for this contractor.
[00:21:21] I mean, business is business, but like, you're both kind of not really fully committed to this
[00:21:26] system.
[00:21:27] This is where I could see companies that aren't fully committed are, um, as far as in contractors
[00:21:33] and trying to use MSPs, but it's super dangerous because, um, you know, if you don't fully commit
[00:21:41] to the system of CMMC, the chance of you passing is, is very low.
[00:21:46] Very low.
[00:21:47] So if you're not fully committed to the DIB and you try to take that attitude towards your
[00:21:52] implementation, it will not go well for you.
[00:21:54] But I could see where there might be some opportunities where the MSPs like, look, dude,
[00:21:59] you know, this isn't our thing.
[00:22:01] Doesn't sound like it's your thing necessarily.
[00:22:03] Maybe we could sort of get a C3PAO.
[00:22:06] We can talk about how we're going to do the scope.
[00:22:08] We can do some things together.
[00:22:11] We're going to charge you for our time.
[00:22:12] You're going to charge for our time.
[00:22:13] And you could create, you know, maybe, uh, some type of engagement that would be complementary
[00:22:20] and work.
[00:22:21] Yeah.
[00:22:21] That it is a, a bit Pollyanna in that perspective.
[00:22:25] You know, we've talked about our approach on, you know, marriage counseling for CMMC.
[00:22:29] It's very difficult to do.
[00:22:30] It doesn't typically work out.
[00:22:32] Most people get, end up getting divorced and go their separate ways.
[00:22:35] Um, but you, there is at least that possibility.
[00:22:39] I can see where organizations that aren't certified could try to do that.
[00:22:44] And, and, and, but it would require transparency on both parts to do it.
[00:22:48] I think to have a chance of being successful, the MSP would have to be very clear, their intentions
[00:22:53] and the organization getting assessed.
[00:22:55] We've had companies where we've talked with, and they were like gung ho for CMMC.
[00:22:59] And we start having conversations with them and they just cool their jets and decide,
[00:23:02] I, I don't want to do that all of a sudden, just because it's not a majority of their business.
[00:23:07] They've kind of started listening to the conversations and hearing what we're telling
[00:23:11] them they have to do.
[00:23:12] And they think, nah, maybe we don't really want to get into this business.
[00:23:15] Right.
[00:23:16] Wow.
[00:23:16] So that's where I could see, that's where I could see organizations that may want to try
[00:23:21] this together, uh, because they're both of them are not really sure that they want to
[00:23:25] do this.
[00:23:25] They even want to do it.
[00:23:26] Yeah.
[00:23:26] And so they might try to step into this space, hire a C3PAO.
[00:23:29] They both kind of start going through it and then one or the other kind of goes, I
[00:23:32] don't think I want to participate in this and they leave.
[00:23:34] But what if the other one says, I want to stay?
[00:23:36] Well, then you're going to have to have a transition.
[00:23:37] You're going to have to find another MSP that actually can do it.
[00:23:40] Yeah.
[00:23:41] Um, and so that's where I could see that potential start to happen.
[00:23:45] But if you're an organization that a majority of your business is DOD work, I don't see
[00:23:51] how you could roll up with someone that isn't level two certified.
[00:23:54] That is just crazy talk.
[00:23:56] Um, and the reason why I say that is you don't want to find out that they're not prepared.
[00:24:02] Like just for example, if you're level two, the level two requirements say each year you
[00:24:07] have to attest, you have to keep your evidence.
[00:24:09] Like there's a lot of pressure on organizations that are level two certified to stay in compliance.
[00:24:14] If they don't, they will be out of compliance and are required.
[00:24:17] They could potentially fall under the False Claims Act.
[00:24:19] And there's not a lot of fun about that either.
[00:24:21] So, so like it's, it's pressuring those organizations to stay in line.
[00:24:26] And so if you're, if you're aligning with an MSP, that's level two, they have those requirements
[00:24:31] just like you do.
[00:24:32] And so they will be forced to be in alignment with you and it encourages them to stay in
[00:24:36] lockstep.
[00:24:36] But you could have an MSP, right?
[00:24:39] That doesn't have a level two requirement.
[00:24:41] Uh, and they don't have a level two certification.
[00:24:45] They could start waffling and they have no requirement to report other than the information
[00:24:51] they may provide to you.
[00:24:52] Yeah.
[00:24:53] That you will then have to do your soft assessment because you're going to have to assess some
[00:24:57] of that parts, but it will not be as deep.
[00:24:59] It will not be as deep as them being level two certified.
[00:25:03] So there's a potential that your MSP could start to drift, uh, significantly without
[00:25:09] your knowledge, uh, only to be discovered, not at the right time.
[00:25:13] So your chances of that happening are much smaller if you're engaging with an MSP that's,
[00:25:19] uh, you know, CMMC level two certified and has the same parity of, of requirements that
[00:25:23] you do.
[00:25:23] So you, you really want to partner.
[00:25:25] So that's where I think organizations that a majority of their business is coming from
[00:25:28] DOD.
[00:25:29] I, you just don't want to mess around.
[00:25:31] That's just my opinion.
[00:25:32] I mean, I can't, that's not a fact, but that's how I would look at it.
[00:25:35] Well, I mean, I agree.
[00:25:37] I think it's important to, let's just know about recertifications here.
[00:25:42] Let's talk about what the 32 CFR final rule said.
[00:25:47] If you potentially make a major change to your environment and your scoping, um, which
[00:25:55] you were talking to me about this before, um, you know, one of those, one of those could
[00:26:01] be switching MSPs.
[00:26:04] Right.
[00:26:05] And what that looks like when maybe you let go of an MSP and bring on another one that
[00:26:12] you will have to get assessed again with that new MSP.
[00:26:20] That's, that's, that's, that's a lot.
[00:26:21] That should not be taken lightly.
[00:26:23] Yeah.
[00:26:23] Someone might not have known that and you might've just gobsmacked someone.
[00:26:27] So let's repeat that.
[00:26:28] Okay.
[00:26:29] A little bit.
[00:26:29] We're going to rewind and say it again.
[00:26:32] Yeah.
[00:26:32] Like, uh, you know, if maybe throw up the, the, the rule, interestingly enough, like I
[00:26:37] went through, like, I didn't read.
[00:26:40] So for those of you that aren't geeks, like I am about CMMC, like I went through the day
[00:26:45] that happened, I was reading it Saturday, like early morning, I got up, I was jazzed
[00:26:50] and went through and started reading it, but I didn't read.
[00:26:53] Uh, there was like 400 pages in that first initial release on Friday.
[00:26:57] Uh, then they released the, the kind of like the appropriately formatted version that was
[00:27:03] released with everything else that came out.
[00:27:04] The first few pages were comments that were made.
[00:27:08] It was more than first few.
[00:27:10] It was like 200, the first initial like preview, I think it was 400 and something pages.
[00:27:16] The, the properly three column spaced one now that everybody will see, uh, is like,
[00:27:22] I think 200, but, but basically however you slice how many pages, a little more than half
[00:27:28] was just, uh, replies to comments when the rule came out.
[00:27:34] So they're providing guidance and understanding of, of how that is.
[00:27:38] And then the rule is the other half of it.
[00:27:41] So I read the rule and this is kind of funny as I was going through reading the rule, I was
[00:27:46] looking at the rule, I was reading it, taking all these kinds of notes.
[00:27:48] And then I'm hearing and seeing people make comments about the comment section about how
[00:27:53] it's actually impacting the rule as well.
[00:27:55] And one of those was the reassessment piece.
[00:27:58] And I cannot right now at the time of this recording, I cannot find a good, clear reference
[00:28:04] in the rule about this, but the, the answers to questions from the DOD are very clear.
[00:28:09] And that organizations that go through a major change, uh, like, uh, that require major SSP
[00:28:17] rewrites, uh, are going to have to get reassessed over again.
[00:28:21] And you heard that right.
[00:28:23] You would have to get reassessed.
[00:28:25] So, uh, the chance of you finding a perfect clone of your MSP, if you fire them or they
[00:28:30] leave, um, so that there is no change to your SSP that would be considered major is pretty
[00:28:37] unlikely.
[00:28:39] So the, the reality would be is if you transition MSPs, chances are you're going to have to go
[00:28:46] through the process of them exiting because they can't just jump out because they're doing
[00:28:50] 60 to 70% probably of your, uh, technical requirements.
[00:28:55] So the new MSP coming in are going to have to do a tactical retreat, right?
[00:28:59] They're going to have to come in and take over the position of what you're leaving so
[00:29:02] that you don't have these gaps.
[00:29:04] And that's not going to be a, you know, flip the switch that that's going to be months
[00:29:09] to have happen.
[00:29:10] Right.
[00:29:10] So that transition will have to happen.
[00:29:12] And then once you have that done, re redo your SSP in that process, there's going to
[00:29:18] be POA&Ms that will have to be done because that will not be a, uh, you know, an OPA, an
[00:29:23] operational plan of action.
[00:29:25] That's going to be an actual POA&M that you'll have to go through and it's going to trigger
[00:29:29] a reassessment.
[00:29:30] Um, now traditionally the way the rule's written a POA&M, you have to have done in 180 days.
[00:29:35] There's no way you're going to have that done in 180.
[00:29:37] So how that works, I'm not a hundred percent sure, but the, the bottom line is your SSP will
[00:29:42] have to be rewritten to some extent.
[00:29:44] The MSP will have to come in and then at some point you'll have to notify your C3PAO that
[00:29:49] probably already assessed you if you were happy with how they handled it before and they'll
[00:29:53] have to reassess you again.
[00:29:54] Um, you know, you know what I am curious about when you're talking about the timelines of
[00:29:59] a POA&M, I, I am curious about what the timeline is supposed to be for something like this.
[00:30:03] Cause they say you have to be reassessed.
[00:30:05] Well, when do you have to be reassessed?
[00:30:07] Is it when, when the year hits, is it when the third year hits that you get reassessed
[00:30:11] again with that?
[00:30:12] Well, it doesn't say you have to be reassessed.
[00:30:14] So that's just keeping your, are you talking, are you talking about a level three or not
[00:30:18] the level three level?
[00:30:19] Are you saying that the, your third year of your level two to get reassessed?
[00:30:22] Well, yeah, let's say that you switch MSPs, right.
[00:30:25] From the one that you got your initial assessment from, right.
[00:30:30] When do you have to take that reassessment immediately after you lose that MSP and you
[00:30:36] bring in the new one?
[00:30:37] Do you know what I mean?
[00:30:37] Right.
[00:30:38] It is, it is vague to that extent.
[00:30:40] I believe what they, they would probably do is you, you have to have a yearly re-attestation
[00:30:48] reassessment of where you're at and you have to attest to where your position is.
[00:30:52] So let's say in January 1st, you got your level two certification.
[00:30:57] High five on everybody.
[00:31:00] And the, again, at the end of that, right.
[00:31:04] That year, sometime in the next year, you're going to have to have your self-assessment to
[00:31:12] attest to where you're at and upload that to SPRS.
[00:31:16] And you're going to have to keep the evidence for six years.
[00:31:18] Yeah.
[00:31:18] So you have to go through this self-assessment every year to attest to where you're at.
[00:31:24] So let's say in year two, you go through a CMMC or an MSP change, right.
[00:31:29] So during that year, you'll have to move as fast as you probably can.
[00:31:33] You probably don't want to bridge across because if you did do that, it would absolutely have
[00:31:40] to be visible right then as you submit your SPRS score.
[00:31:44] Because you're going to have potentially some gaps there.
[00:31:47] Yeah.
[00:31:47] It gets really kind of interesting and messy.
[00:31:49] That would be a discussion you would want to have with your C3PAO.
[00:31:53] So that would be a situation where you would want to talk with your consultant and the organization
[00:32:01] that did your assessment initially and have a conversation about what that looks like.
[00:32:05] It would be, yeah.
[00:32:06] That's to be determined how that would go.
[00:32:09] Yeah.
[00:32:09] Those are all great questions.
[00:32:10] I don't have a good answer.
[00:32:11] Because, you know, and for me, because when I'm reading this and we can put this up on
[00:32:15] the screen, obviously for all of you guys, but when I'm reading, you know, a new CMMC
[00:32:19] assessment may be required.
[00:32:21] You know, if that significant change occurs.
[00:32:26] Well, one, it does say maybe, you know, required, but then also it doesn't say you have to get
[00:32:32] recertified.
[00:32:33] It just says you have to do an assessment.
[00:32:35] So does that mean a self-assessment or does that mean a certification assessment?
[00:32:41] Do you get what I'm saying there?
[00:32:43] Yeah.
[00:32:43] No, I could see how you can interpret that.
[00:32:45] I'm going to dig more into that and see.
[00:32:47] And the problem, and this is the problem when you start applying rules in the discussions,
[00:32:52] right?
[00:32:52] The actual rule in the last half is written to be like, this is what you're supposed to
[00:32:59] follow.
[00:32:59] The discussions is just to help provide clarity to other people that were asking questions.
[00:33:03] But sadly, sometimes these discussions create more discussions than they actually resolve.
[00:33:08] Yeah.
[00:33:09] What do you know?
[00:33:09] And this would just be an example of that, sadly.
[00:33:12] Yeah.
[00:33:12] Yeah, that's huge.
[00:33:13] So let's switch.
[00:33:14] But, you know, before we close today, I want to switch to talking about some realistic strategies
[00:33:19] here.
[00:33:20] Okay.
[00:33:21] How MSPs can attack this, right?
[00:33:24] Right.
[00:33:24] How can they help themselves and their clients when preparing for this?
[00:33:28] Let's talk first about gap assessments, right?
[00:33:32] And how that can be helpful in this situation.
[00:33:34] So how can they use that to their advantage?
[00:33:37] Can you explain that a little bit?
[00:33:38] Since we're just focusing on MSPs specifically, let's just put two categories on the board,
[00:33:42] if you will.
[00:33:44] There's the organizations that are MSPs or MSSPs that are not going to get level two certified,
[00:33:49] right?
[00:33:49] So those.
[00:33:50] What could you do to help increase your odds of success and have a market strategy as
[00:33:56] you go in there?
[00:33:58] If you're trying to step in and really have a market strategy, I think you're a little
[00:34:02] flawed right then if you're trying to say, I want to stay out and not get level two certified,
[00:34:07] but I really want to participate hardcore in that space.
[00:34:10] Those are sort of, you know, kind of a, you know, dichotomy or is that the right term?
[00:34:19] I'm not even sure.
[00:34:19] You mean like conflicting statements?
[00:34:21] Conflicting.
[00:34:21] Yeah.
[00:34:22] They're, they're, they're just at odds, right?
[00:34:24] With each other just to some extent.
[00:34:26] So that's not a great approach.
[00:34:27] Where I see the people that don't want to get level two or those people that want to
[00:34:32] participate in a smaller scale and still be able to help and participate for those people
[00:34:37] that they cherish or care about or have those relationships.
[00:34:40] Maybe not.
[00:34:41] But what I absolutely recommend you do, like you're talking about, is get a gap assessment of
[00:34:46] where you're at and how you're approaching it.
[00:34:49] And if you do a gap assessment, there's two different ways you could do it.
[00:34:53] So if you hire a C3PAO to kind of give you an assessment, you can either have them do it
[00:34:59] like a regular assessment where they're not allowed to do consulting or they could do consulting.
[00:35:05] If they do consulting for you, they are now disqualified from, because of ethic violations
[00:35:10] of being able to participate in assessing you or your client.
[00:35:15] Because of the fact that you're going to be engaged in that.
[00:35:18] So they've now been disqualified.
[00:35:19] They cannot do assessments.
[00:35:21] And that starts to get a little interesting, especially if you have a very strong presence
[00:35:32] in the ecosystem.
[00:35:33] C3PAOs may be a little concerned about providing consulting to you because if everywhere they
[00:35:38] turn, you are.
[00:35:39] They're like, we can't freaking assault.
[00:35:40] We can't assess you.
[00:35:42] We can't assess you because you're everywhere.
[00:35:44] So that creates this weird, interesting situation where that might happen.
[00:35:48] But you want to get that decision up front as early as you can and get a good idea so
[00:35:54] that it will give you a good idea of whether or not you want to participate.
[00:35:57] And if so, how?
[00:35:58] And how could you do it in a meaningful way that won't sacrifice that client or few
[00:36:04] clients that you might have's journey for their CMMC?
[00:36:07] You don't want to be that person.
[00:36:08] Don't be that person.
[00:36:09] Don't get a gap assessment and find out where you're at.
[00:36:13] Get responsibly.
[00:36:14] Now, the C3PAOs are exploding right now.
[00:36:18] They are getting pulled in left and right to do all kinds of things.
[00:36:22] Yeah.
[00:36:22] Yeah.
[00:36:23] We never saw that coming.
[00:36:26] And a sad thing that's sort of happening is the we just did.
[00:36:30] I just did a post about this today is that the CCAs and CCPs, they all have to do tier
[00:36:35] three background checks now because of the way this rule is done.
[00:36:38] And it takes over six months to get that done.
[00:36:41] And they're like, wow, they get all up in your business.
[00:36:45] And that's just one part of it.
[00:36:47] If you don't have that, then, the way that I've read it, at the time
[00:36:51] of the 32 CFR going into effect, you would just become an inactive state.
[00:36:58] You wouldn't be a valid person.
[00:37:00] You're saying within 60 days of this when it dropped yesterday.
[00:37:03] Yeah.
[00:37:04] Yeah.
[00:37:05] So in theory, there's going to be a lot of CCAs and CCPs that will no longer be valid
[00:37:11] in December.
[00:37:13] In December.
[00:37:14] In January, they won't be able to participate in any assessments.
[00:37:17] So that's going to be problematic.
[00:37:19] But maybe you could use those to help those people that can't participate in assessments.
[00:37:24] Maybe they might be able to give you those types of things.
[00:37:27] But the way that they wrote it is just, man, it gets kind of interesting.
[00:37:32] The way they wrote it is the way that CCAs have to go is they have two different additional
[00:37:41] certifications they have to get.
[00:37:43] So a lot of those might end up becoming disqualified from being able to participate in the space.
[00:37:50] All of that to kind of say that your availability to talk to C3PAOs is shrinking quickly.
[00:37:56] So if you want to participate in the space, act now.
[00:38:01] You know, callers are standing by.
[00:38:04] Right.
[00:38:04] You know, like you need to pick up the phone right now and start getting involved because
[00:38:08] you don't want to wait until you're at the back end of the pile because you're going to
[00:38:12] get scraps, if at all.
[00:38:14] Yeah, absolutely.
[00:38:15] And so that gap assessment, that's going to be helpful even if you don't fully attempt
[00:38:20] your level certification, right?
[00:38:23] That's like you can get that done and see as an MSP how you're doing before you go into
[00:38:29] an assessment with your client, right?
[00:38:32] Sure.
[00:38:32] Which we wouldn't necessarily recommend if you have many clients that are like that and
[00:38:36] that are serious about it.
[00:38:37] But if you're like a scenario like you were saying previously where it's not that big of
[00:38:41] a deal for your client or maybe you and you're not sure if you want to fully go into the
[00:38:45] space, that could potentially be helpful for you to see where you're at.
[00:38:48] Right.
[00:38:49] So any other tips or tricks that you wanted to share before we close today for MSPs?
[00:38:55] Yeah, for organizations that do get certified, right, that are going to get level two, you
[00:39:00] know, what's their strategy going to be?
[00:39:02] I think what you want to do is double down on your inheritance, your process to make that
[00:39:06] easier.
[00:39:06] Absolutely.
[00:39:07] It is your helper, right?
[00:39:11] Your helper tool that you can use to help lift and create leverage in the audit for your
[00:39:18] client to help that go faster.
[00:39:20] I think it would be reasonable to assume you could potentially cut a whole day off, if not
[00:39:26] more.
[00:39:27] Um, and if you know what you're doing and you've got your stuff together, uh, with the
[00:39:33] inheritance that you'll be able to bring to the table for your clients, what do I mean by that?
[00:39:37] What I mean is, um, you know, a lot of organizations will book out, uh, for phase two.
[00:39:42] So that's where they're like, show me your Carfax, you know, the SSP, let's look at what you've
[00:39:47] got.
[00:39:47] They're going through and looking at all the details and they want to shoot.
[00:39:50] They want you to show them the evidence of those things.
[00:39:52] Um, you know, that, that phase two process, a lot of companies are scheduling two to three
[00:39:56] days, if not larger, you know, more for larger organizations.
[00:40:00] Um, a lot of people that have their, their processes very, very well nailed down or cutting
[00:40:06] that in half, if not more.
[00:40:09] Right.
[00:40:09] So if you're an MSP and you got a level two, get your act together and really get that inheritance
[00:40:16] dialed in sweet.
[00:40:17] And you could potentially cut down whole days.
[00:40:20] And that's, that's a, that's a purple cow where you could kind of come in and people
[00:40:25] are like driving down and they see this purple cow in the paddock and they're like, Whoa,
[00:40:28] stop the car.
[00:40:28] What the heck is that?
[00:40:29] You know, I want to see pictures of that.
[00:40:32] Uh, you want to be that purple cow.
[00:40:33] And I think that's a good opportunity for MSPs that are level two certified to have that.
[00:40:37] They can kind of say, you know, uh, not only can we provide a level of comfort that when
[00:40:43] you're engaging with us, we know what we're doing.
[00:40:45] We've done this plenty of times.
[00:40:47] We can help guide you through the assessment process.
[00:40:50] We can help guide you through the assessment down by days.
[00:40:52] Right.
[00:40:53] Uh, and, and you could have a conversation with a C3PAO and say, Hey, you know, normally you're
[00:40:58] charging this much, but we're level two.
[00:41:00] We have our inheritance process.
[00:41:01] Could you, you know, is there some type of wiggle room?
[00:41:04] Those are conversations you could have not saying they're going to say yes, but what's
[00:41:07] the harm in asking?
[00:41:08] Um, you know, and so there's all kinds of benefits that you can bring to your client.
[00:41:13] Like lean into that.
[00:41:14] Like, you know, I've, I've, I've had people reach out to me and go, Oh man, I heard you
[00:41:17] guys are getting level two.
[00:41:19] We're so sad about the way I'm like sad.
[00:41:21] Like I, this is great.
[00:41:23] I love the way the rule's written right now.
[00:41:25] Um, uh, is there more risk for perhaps in some of the choices for the DOD?
[00:41:31] Sure.
[00:41:31] Yep.
[00:41:32] I think they tried to allow for people to make wiser choices.
[00:41:36] Um, and there's opportunities for people not to make wise choices, uh, especially picking
[00:41:41] vendors and other things like that.
[00:41:43] But it did put, it did put the ball in our hands to, to, to handle it responsibly.
[00:41:49] Sure.
[00:41:49] Some people won't handle it responsibly, but we have every intention of doing that.
[00:41:53] And I like having more options.
[00:41:54] I want to have more control.
[00:41:56] Uh, and I think the 32 CFR provided that for us.
[00:42:00] Yeah.
[00:42:01] Um, and, uh, so yeah, I like it.
[00:42:03] Uh, I, I feel like it didn't degrade anybody having to get level two certified.
[00:42:08] I think if anything, the tightening of how they do the inheritance and flow down, I think
[00:42:12] was really great that, that made, uh, it a lot easier.
[00:42:16] Luckily we kind of anticipated that coming.
[00:42:18] So all of our SSP and stuff are written very heavily about the inheritance process to make
[00:42:23] that easier and faster.
[00:42:25] So we, we spent a lot of time on that and, uh, we've, we've really, um, refined
[00:42:30] it.
[00:42:31] Uh, and you know, we weren't sure how that was going to go.
[00:42:33] And, but the way that it did, we were like, yes.
[00:42:35] Yeah.
[00:42:36] We, we, you know, I definitely got that right.
[00:42:39] Yeah.
[00:42:40] Well, I hope, um, that this can be helpful for, you know, two parties, one for MSPs that are
[00:42:45] trying to figure this out just like we are.
[00:42:49] Um, you know, um, you know, contractors, subcontractors in the DIB space that are trying to figure out
[00:42:55] what to do with an MSP to get an MSP, which ones they need.
[00:43:00] Um, we'd love to hear from you guys.
[00:43:02] Yeah.
[00:43:03] If you have questions, thoughts, comments, we're just reading this.
[00:43:08] We just started reading this this past weekend.
[00:43:10] You know, you guys are probably doing so as well.
[00:43:13] We'd love to hear your thoughts.
[00:43:14] We'd love to also hear if you have any specific topics from the ruling that you'd like us
[00:43:20] to discuss in a video.
[00:43:22] Um, we'd be happy to put that, um, on our list to discuss.
[00:43:26] Um, just a reminder that we will be posting every Thursday.
[00:43:29] Now, sometimes we'll sprinkle a little bit here and there.
[00:43:32] If there's some, you know, important things that we notice that we feel like really need
[00:43:36] to be posted immediately.
[00:43:37] So make sure to follow us just in case we post extra that you'll be notified anytime we
[00:43:43] post something.
[00:43:44] Um, we hope you guys enjoyed today's episode, um, and tune in for the next one.
[00:43:49] But until then, keep on climbing.
[00:43:50] Bye guys.
[00:43:52] Bye.
[00:43:53] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:43:59] We hope you guys enjoyed today's episode and listen out for the next one.
[00:44:03] But until then, keep on climbing.