Can MSPs Participate in Joint Surveillance Assessments?
Climbing Mount CMMC, July 04, 2024 (00:34:27)


In this conversation, Bobby Guerra, Adam Evans and Brian Hubbard discuss the challenges faced by MSPs in meeting compliance requirements, particularly in relation to the CMMC. They explore the concept of Joint Surveillance Voluntary Assessments (JSVAs) and the benefits they offer in terms of getting a jumpstart on certification. They also discuss the importance of MSPs staying engaged with the Defense Industrial Base (DIB) and the need for clarity and guidance from the DOD on various aspects of compliance. The conversation highlights the critical role of MSPs in supporting the DIB and the potential consequences of not having enough MSPs to meet the demand.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back climbers! I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. In today's episode, Bobby and Adam are joined by Brian Hubbard and they are going to be talking about Joint Surveillance Voluntary Assessments and MSPs. We are so excited for you guys to

[00:00:23] join us in today's episode and we hope that you enjoy it. Brian, thank you for joining us today. Thanks for having me, Bobby. So first off, before we kind of get into the exciting topic that

[00:00:36] I know we're really looking forward to talking about and that is about MSPs and whether or not they can participate in Joint Surveillance Assessments. But before we get into that, why don't you tell us a little bit more about what it is that your peer group does?

[00:00:51] Yeah, sure. So MSPs CyberX, we're a community of MSPs and cybersecurity professionals getting together to try to help solve compliance challenges and kind of help MSPs get through their compliance challenges and help their clients

[00:01:07] with their compliance challenges. So we're building a community to have an ongoing dialogue and discussions and education about compliance. CMMC certainly is a hot topic and that's something we're focusing a lot of energy on. But other things are there too.

[00:01:26] So we'll be talking about the CIS controls, we'll be talking about the FTC safeguard rules, we'll be talking about HIPAA, we'll be talking about everything that's coming down the pike and everything that's going to come down the pike of MSPs, which is there's a snowball

[00:01:41] happening. It's not getting easier as a managed service provider. It is not getting easier. The security requirements are getting much, much harder. And one of the things that I was that kind of shocked me when I went to do my Google search for MSP doing CMMC,

[00:02:02] what kind of information is really out there. It was crickets. It's never a good sign when you do a Google search and you come back with hardly anything. You're like, I'm in for a fight.

[00:02:11] So it just isn't much resources out there. So I'm just really glad that you're doing this and just the amount of time we've been able to spend and work with you has been instrumental

[00:02:20] in helping us get along over the hump of the CMMC mountain that we're still continuing to climb. Yeah. And I think to your point too, is even when you do search for the CMMC resources,

[00:02:31] there are so many out there that are very out of date from the old CMMC model where you had those five different levels. Or worse, vendors out there slinging FUD everywhere, basically,

[00:02:40] the "we can get you compliant in three days" with no hard work behind it, and all kinds of nonsense that us as practitioners realize is not realistic, is not sustainable and will result in

[00:02:51] significant problems for the DIB. So it's nice to have a good group that approaches this rationally, understands the requirements and does it well and works to support one another. And that helps us transition into the topic that I want to talk about.

[00:03:06] So just so that you guys may or may not be aware, us as an MSP, we've been keeping our head down. Me and Adam have been doing so much work to get ready as a company for our assessment.

[00:03:19] And we got to a point where we felt like we could possibly schedule a JSVA assessment. And first off, before we kind of get into that, Brian, can you tell us what is that and why would somebody possibly want to sign up for that?

[00:03:33] Sure. So right now, before the CMMC rule is final, so in other words, before the DOD publishes in the Federal Register what the program is, formal assessments for CMMC can't happen by CMMC third party assessment organizations. You can't get certified right

[00:04:00] now. The only way to kind of get a jumpstart is to work with the defense, the DCMA, Defense Contract Management Agency, and their assessment arm, which is called the DIBCAC, the Defense Industrial Base Cert. They love their acronyms. The DIBCAC. So that's the only way to get it

[00:04:30] done. So what the DIBCAC did, they've been doing what they call DIBCAC High assessments for some time, which is to go out and they'll assess against the NIST 800-171 controls and against the DFARS requirements that people have to meet in their contracts. And they'll go out and do

[00:04:49] assessments of companies that have contracts. And so the way they've decided since they recognized that they needed to get a jumpstart on, seems like they have 200,000 companies that are supporting the DIB and at some level about 80,000 of those are going to have to be certified

[00:05:10] against CMMC. So that's an awful lot of work. And they have to be recertified every three years. So how can we get started on it? So they wrote out this thing called the Joint Surveillance Voluntary Assessment Program. So it's JSVA, it's abbreviated. Sounds a little ominous.

[00:05:28] Yeah. So what that does is it allows DIBCAC to sort of force multiply because, you know, they can only do so many systems with their workforce. So they're actually bringing in the C3PAOs

[00:05:44] and the C3PAO will actually lead the assessment and the DIBCAC sort of oversees it. So instead of having three or four people from the DIBCAC, they only have to have one or two

[00:05:55] to oversee the C3PAO's work, just to make sure it's being done and they're hitting all the right things. And the DIBCAC can ask the questions that they wanted to ask for the

[00:06:04] DIBCAC High assessment. So that's a lot of terminology and a lot of stuff I threw at you. But in essence what it means is that the only way to get assessed against

[00:06:15] CMMC right now is to work, either get a DIBCAC High assessment, which is the government coming out and doing their thing, or get a joint surveillance assessment where you have a little bit more control

[00:06:26] because you're hiring a C3PAO and the DIBCAC is overseeing their work to make sure they do it the way the DIBCAC wants it done. Now correct me if I'm wrong, those joint

[00:06:36] surveillance are also an opportunity for DIBCAC to kind of look over the shoulder of the organization that will eventually be leading the assessments and handling them. Those are the C3PAOs that are privately owned companies that will be doing the assessments. It's kind of their chance

[00:06:53] to look over the shoulder and kind of see their homework and see how well they're doing those assessments. Is that right? Yeah, it is, and I, you know, they haven't come out and said this.

[00:07:02] My thing I thought was it was a way for them to verify that this program actually will work. Right. You know, when they unleash it and let the C3PAOs do their job,

[00:07:12] then, you know, it actually will do what they want to accomplish, which is, you know, security of the DIBCAC. Now for us, we thought, right, Adam, we were like, I don't think we want to do a JSVA. I think

[00:07:23] we're going to wait until the starter pistol goes off, which we are hoping that the final rule will drop and the assessments might be able to start as early as the very end of this year

[00:07:33] or sometime middle of next year. Who knows? I'm not sure how that's going to go. But then we thought to ourselves, well, let's go ahead and do a JSVA instead. That way we can go ahead and get a

[00:07:44] jump start on that thinking that hey you know this could really help us get a competitive advantage because for those that may not be aware MSPs must have their certification, their level two if they're going to be supporting organizations if the rule stays as it is.

[00:08:01] So for example if we're supporting a company that's going to be required to be level two we're going to have to be level two certified ourselves. But they can't go for their certification

[00:08:10] until we have already been certified is the way that that rule has been written and everybody seems to be interpreting it that way. So you know maybe at the time of this recording

[00:08:20] after the final rule comes out that might change but as it stands right now as we're talking MSPs have to get certified and we probably need to be first in line so that we can go ahead and

[00:08:32] start working with our clients and helping them down the journey because you don't want to hire an MSP that hasn't got level two because if they pinky promise that they're going to get level two certified and then decide not to that organization that's working with them could

[00:08:43] be really in a lot of trouble, right? And not to mention, you know, this is the pitfalls that MSPs fall into. We love our fancy tools. How many of our fancy tools will be in scope for

[00:08:52] that? Are our tools appropriately aligned with their, you know, for cloud service providers or external service providers? Are the practices that we as MSPs perform, you know, vulnerability management, patching, incident response, system maintenance, have those been assessed? Because it really keeps us

[00:09:07] as a critical linchpin for those organizations seeking their certifications there, to where if they go through their assessment process, we aren't certified ourselves and we're the failure point, we have a very angry client on our hands who's now likely pointing some fingers and

[00:09:22] those fingers may be labeled lawsuits. Yeah, it's not going to end well, and I don't think organizations that are out there trying to get ready quite understand that those companies that are going

[00:09:33] to be helping them technically with the controls, that they're going to have to at least meet the level that they're at. Right, Brian, what's your thoughts about that and what have you seen in

[00:09:42] the industry so far? Yeah, so, wow, there's a lot to unpack. That is a lot to unpack. Yeah, so first of all, you know, the joint surveillance assessments, you know, just kind of

[00:09:57] the DIBCAC, those are, you know, they're still government-led, right? So the government isn't going to spend any resources on companies that don't have DOD contracts, and so a prerequisite of getting into those is an active DOD contract, so they won't do assessments.

[00:10:17] So if, for example, if I go out and I do a joint surveillance assessment for a company that is using a managed service provider, I can't count on that managed service provider already being certified

[00:10:28] because they have no way of doing it, right? They have no way of being there. So what has to happen then is that managed service provider has to participate in that assessment. So they won't

[00:10:39] get an assessment out of it, right? They won't get qualified, because in order, so the other benefit I should, let's roll back a little bit, because the other benefit of doing a joint surveillance assessment for an organization seeking certification, OSC, is that they get it done now,

[00:11:00] and if they score a perfect score, if they're all said and done, they nailed everything, they can qualify to be certified once the program goes live. They will get a certificate, basically, and that certificate will be good from the day they got assessed

[00:11:19] until, for three years. So they basically are buying it now, they're getting an assessment done now that they will then have, one, bragging rights, and they'll be able to exercise that in contracts, that they will have the certification once the

[00:11:35] certification is required. Well, and they've got something to show that they've gone through an examination, that they know the DIBCAC will be posting the score up in what's called the Supplier Performance Risk System, it's SPRS, so that is a high confidence score that

[00:11:57] the contracting officers can look at and make a determination of that, hey, this company is certified and that company isn't, so I'm going to give it to the company, this sort of.

[00:12:07] Now you touched on it, and we kind of sadly found out the answer to this, is because we as an MSP don't do specific contract work for the government, we can't do a JSVA. So now, if we had a client

[00:12:21] we were supporting, like you said, that got to participate in a JSVA, then we would be pulled in because we have to stand next to them shoulder to shoulder, and that opens up a whole other can of

[00:12:33] things to think about and talk about. But not a ton of MSPs do actual government work, there's a very, very small percentage of those, and so what's your thoughts about the fact that those requirements

[00:12:46] are going to force us to have to be first, but yet we can't participate in joint surveillance yet? Yeah, so the main thing is you can't participate in joint surveillance, but here's the thing, all right, there's only about 50 or 60 companies that actually have been

[00:13:05] participating in joint surveillance, so you're not that far behind the power curve. Right. So let me just start with that, there's not like thousands of companies going through joint surveillance. It's not happening that fast, right? It's like a snail's pace, and

[00:13:18] once the rule drops though, MSPs do need to be prepared, so they need to get their CMMC preparation done now, and there's something else they're going to need to do. So we believe,

[00:13:31] based on reading the tea leaves of what's happening and the systems that are going to have to be reported to in order to have a certification, is that all the MSPs are going

[00:13:46] to have to go out and register in the, as if they were going to go after government contracts. So there's a system called SAM.gov. They're going to have to go out and register in that

[00:13:57] and then they're going to have to get a CAGE code. CAGE code, right. It's not that hard to do. It takes time, uh, and energy, but it doesn't cost anything and it's all you have to do

[00:14:11] to register. Um, you know, I don't ever plan on doing, um, government contracts, but I have a CAGE code, right? And when I went out just to prove that I could do it, um, and got it done, it took some time

[00:14:26] and it took some energy and lots of cussing at my screen, um, but, uh, because of some of the, you know, some of the website idiosyncrasies. But it's doable, okay? So it's doable. So

[00:14:39] so hopefully there'll be some good guidance coming out on that, uh, here soon from the DOD on how one goes about doing that. Um, and, um, you don't have to have a sponsor or anything to use code either

[00:14:51] done. So that's part of the prep, right? So that's the easy administrative part of the prep. Easy, easy in air quotes, right? The other piece that's a little hard is actually getting your

[00:15:03] CMMC ducks in a row, so doing the things that Adam was talking about, making sure that your tool sets are there, making sure you have things like a shared responsibility matrix, you know,

[00:15:13] that you're not only being compliant yourself, but you're telling your clients, here's what I'm going to do for you, uh, here's how I'm going to do it, here's what your

[00:15:21] responsibility is, client, and here's what I'm going to do for you. Um, because you can't do it. As an MSP, you cannot make your client 100% compliant. Now one of the things

[00:15:36] that, uh, I've been talking with other, uh, CCAs and organizations that have gone through joint assessments, and I think you've been through, what, three or four that you've either been the leader or participated before? Yeah. That's a lot, considering there's only been, you know, 40 or

[00:15:54] 50, maybe somebody, maybe 60. That's a pretty good amount. Yeah, I think I have more scheduled in the fall, I think, just to be on schedule soon when they don't get kicked

[00:16:05] out or something. So one of the things that I was surprised to find out is that, uh, the JSVA is not based on the CAP specifically, that it is based on something different. Can you talk a little bit

[00:16:20] about those differences between the JSVA and the traditional CMMC assessment process when the starter pistol goes off? So, um, so another kind of advantage of JSVAs, um, so

[00:16:36] one is, you know, like I said, you have to get 110 in order for that to translate to a CMMC certification. You have to be 110, which is a perfect score in CMMC, if you're not

[00:16:46] coming out of cmsc, but, um, in order to do that, um, let me back up. So you have to have a 110 score and you can't have any open POA&M items, right? So you can't, um,

[00:17:01] say, well, I'm going to implement two-factor authentication and I'll do that later. Well, that's not, you're going to fail, right? And in fact, that particular control would be something we call a five point control, which is, there's stratification of the controls and the point value

[00:17:19] in the assessment methodology, one, three point or five point. Um, if you miss a five point control during formal CMMC assessments, those five point controls cannot be put on a POA&M after the assessment, right?

[00:17:37] They, so that results in a failure. You fail the assessment and you have to start over again. There's, uh, the vast majority of the one-point assessments, uh, controls, if you miss one of those

[00:17:52] you can put them on a plan of action and milestones, fix it in the, in 180 days, and get reassessed and still have a shot at being certified. That's during the formal CMMC assessments when that starts. During the joint surveillance assessment, okay, there is no distinction currently being made

[00:18:13] between one point and five point controls. All of them can be put on a plan of action and milestones, um, which I think is reasonable in my opinion. I don't know why the

[00:18:26] DOD took that more aggressive approach, but go ahead, sorry. Yeah, it's kind of a hard line approach, but yeah, so doing a joint surveillance now, uh, is kind of an advantage

[00:18:38] because if I, you know, I should, going into assessment, I should believe 100 I'm 110, right? But if the assessor finds that, well, you're not really doing everything, you're not meeting all the assessment objectives in a five point control, during the joint surveillance you can

[00:18:55] put that on a plan of action and milestones and then have it, you know, work it off within 180 days. You still have that 180 window, and then have it reassessed, and then the

[00:19:05] DIBCAC will update your score, right? You know, if you get it right. So you can, you'll say you scored a 95 and you're missing the one five pointer and you do that, then you can get a 95,

[00:19:17] and just my math is wonderful, you do 105 and miss that one five point control, right? Then you can achieve 110 still. So, right. Yeah, so it's an advantage of the joint surveillance,

[00:19:29] whereas if you're 105 and missed a five point control, uh, during CMMC assessments under the current rule, under what we believe the rule is going to say, you're out. You have to

[00:19:42] start all over again. Now correct me if I'm wrong too, but their approach and attitude towards, like, security protection data, things like that, is a little bit more lax. They're not really following

[00:19:52] some of those requirements, at least that I've heard so far. Yeah, change, right? So we're hearing rumblings though that the DIBCAC is starting to look at that a little harder and taking a

[00:20:07] little harder line on it. So if you're using a tool that is a cloud-based tool and it has security protection data in it and it's not FedRAMP Moderate or equivalent, then they may kick

[00:20:20] you out of the assessment. They may stop the assessment. And if someone's not really familiar with security protection data, it was a classification of type of data that no one had heard of until

[00:20:32] the proposed rule came out, I guess in December of last year, and nobody had heard of it. But basically it's any type of data that would be logged or sensitive data. I mean, it makes sense,

[00:20:46] you know. Yeah, and I mean the examples that they specifically gave was log data and configuration data, and those are probably the most vague, ambiguous terms that you can think of in the security industry, is what was defined as configuration data. Is it a baseline document? Is it just

[00:21:02] these are my settings in my computer, this is the web browser I use? Like, is that all configuration data or is that not? It's four words that has flipped the table on us as MSPs.

[00:21:12] Yeah, and then hopefully they'll come out with a better definition, right, in the follow-up. But because you know what that leads you to, right? I mean, configuration data, log data, but if that's security protection data, then what about my password manager?

[00:21:28] Right, right. What about my work notes? Yeah, what about, um, my ticketing system, right, where I'm going to potentially have vulnerability to flow around? Um, it gets interesting, you know, and it seems so unusual at the 11th hour, right, as the

[00:21:48] rule's coming out, to introduce a whole new type like that, uh, that isn't controlled by NARA. In case you're wondering, NARA is the organization that's in charge of the classification of the

[00:21:58] type of data. If you did search for NARA, you're not going to see security protection data, at least not that I'm aware of. Um, and, uh, so everybody was like eyebrow raised, and it just threw

[00:22:09] definitely the MSP community into a tailspin, because a lot of the tools and things that we would expect to use now became called into question. Now some would argue, and I think there's a valid case, that

[00:22:20] security protection data and security protection assets, um, that a lot of those controls and those types of tools should be included in scope anyway, and that's a whole other Pandora's box

[00:22:33] to unpack. But, um, I guess what is really interesting through this situation is now if you did a joint assessment, you might get a kinder view perspective on that, versus if you were actually having it

[00:22:52] happen once the official rules come out. Yeah, yeah, yeah. I think the DOD is starting to solidify their position on several things and it's just a matter of them getting to the point that they can

[00:23:03] actually document it, put it out of ML. You know, like for example, you know, there is this big term of FedRAMP called FedRAMP equivalency and nobody knew what that really meant. Um, the DOD finally came

[00:23:16] out with a memo, published it, and so now everybody knows what it meant. Nobody likes the definition, but now I've got a question, at least they know what they mean, right? So that's, we sort of

[00:23:26] need to get there, and that's, you know, that's a loving, anybody from the DOD is watching, you need to come out with this stuff. You need to start publishing your findings since FOILB is in your

[00:23:35] reports, um, so we, you know, to get the document, because right now it's a lot of interpretation, right? So you might get, uh, unfortunately you might get one DIBCAC team that says one thing,

[00:23:45] another DIBCAC team that says another thing. So it's another sort of a disadvantage of the Joint Surveillance Program, because not everything is solid. Hopefully when the CMMC assessment process starts working and the C3PAOs are all following the same sort of CMMC assessment

[00:24:03] process, that all of that will become standardized, right? Yeah, we'll have that and we'll be able to publish those, this is how this must be interpreted, um, that kind. Yeah, I think I'd

[00:24:15] love to have you come back, Brian, and do, uh, maybe a top five or ten things you'd like to see defined before assessments happen. Uh, for me, there's some, security protection data would be one of those

[00:24:29] things that we would want to know a lot more definition about, because it's just, it's really caused a lot of people to do my comments on the proposed rule about that. So many comments

[00:24:41] about that, oh my gosh, so many. And who knows, it may stay in there, it may come out. Uh, I think the betting line is that it's going to stay, but yeah, who knows. All indications are that it'll

[00:24:53] stay around. I mean, because it is an important, um, let's say challenge or weakness in everybody's systems, right? You know, and unfortunately we're seeing reinforcement

[00:25:08] by the vulnerabilities and the attacks that have been happening, right? You know, SolarWinds, you know, pointing back to that, you know, harking back to the Kaseya attack. You know, all of those things that are happening are just reinforcing their position

[00:25:25] that, you know, yeah, you're using these great security tools but they're opening up a whole brand new set of vulnerabilities. It's a new attack surface. That's something that Adam is passionate about. Yeah, I mean, at the end of the day, um, we have our role in the supply

[00:25:39] chain, the same as our clients in the DIB do as well, and I think it's perfectly normal and rational for the DIB or the DOD to look at that and say, MSPs, you have a critical role in

[00:25:48] this, you need to safeguard that data, those tools, everything in there to reduce the risk to us and to the organizations downstream. But at the end of the day, we as MSPs don't live in the

[00:25:59] world of NIST. We don't live in the DOD's headspace. We don't know what they're thinking, what they mean. We need clarity, because at the end of the day our clients have limited budgets, we

[00:26:08] have limited budgets, so we can't, you know, we're not getting multi-billion dollar contracts from the Pentagon to do this. You know, we're getting maybe, if we're lucky, a six figure a year contract

[00:26:17] from a client to do this, and that depends on the client. Um, if you've got a five person company that we do business with, we have to do all this, you know, they're not going to pay

[00:26:25] those bills enough to make that sustainable for us. We've got to figure out how we can apply that prescriptively and appropriately to still safeguard and mitigate the risks that we bring

[00:26:33] to the table. But, um, we need clarity, because we don't have a lot of, like, our tools are our force multipliers. Yeah. And if we can't bring our force multiplier to bear, you know, we're hemorrhaging

[00:26:46] money, we're hemorrhaging funds, we're losing efficiency, and at what point does that become the risk that we experience? You know, if a technician has to trace down every incident manually because they can't use a modern EDR tool, what level of expertise does that come into play?

[00:27:02] Like Bobby, how much does your payroll skyrocket to bring that experienced resource? If you don't do that, you gotta pass on, right? Well, you've got to pass on it, also the things that those people exist.

[00:27:12] Yeah, and you know, those are those people that exist, they're going to be looking at the enterprise level where they can pay those high paying salaries and whatnot. You know, it creates a huge

[00:27:20] challenge, and then do you get the help desk intern that said I'm interested in security and you say have at it, buddy, who's not going to recognize lateral spread or insider threat or

[00:27:28] privileged activity going off? Is that a bigger risk introduced as a result of this? So the DOD has to figure some stuff out and give us some clarity so we can make informed decisions

[00:27:38] to do our jobs in the supply chain. Yeah, I think I'm right there with you, Adam. I thought it was a good idea of including security protection data. I think it was a terrible

[00:27:48] idea introducing it in December. Uh, if they could have just introduced it when they did the 2.0 redesign, if they just would have included it there, and it is something that could be done incrementally, right?

[00:28:01] But what we don't want to have happen is regulation knock us back to a less secure state, right? And if that starts to happen, that's a failure, complete failure of the system,

[00:28:15] right? For the sake of regulatory compliance we're being less secure. Because if, you know, we go back to the 80s where, you know, we had our mainframes and we printed out a stack of

[00:28:28] logs, you know, once a quarter and somebody's there manually going through to see if they see anything, if that's where we go back to, and by the way, you can comply

[00:28:37] by doing that, um, it's not practical. You definitely will never keep anybody in that job, right? Yeah. And you know, it's so much less secure, um, because you can't do real-time detection,

[00:28:55] you can't do anything else, right? And here's a quick thought too, um, because I think we all agree that security protection data is absolutely critical, we need to safeguard that appropriately, but where do we slot that in? If only NIST 800-171 had a recent revision that we're

[00:29:09] going to have to deal with at some point anyway. Maybe that's the good time to introduce that. That gives the DOD time to clarify, they can bring it in at the same time we've got our methods

[00:29:17] dealing with, they can roadmap appropriately. Maybe that's the time to tackle that instead of just shoving it in at the fight, at the, you know, 11th hour. But again, I can only do so much

[00:29:27] except for shout at the void here, so this is me just shouting at the void. Well, man, you have gone round and round about our opinions about it. I mean, and we're in the same company, you know,

[00:29:37] and so I can only imagine different organizations and their perspectives and how they're going round and round about it. And Dr. Ross, right, that basically helped pen the 800-171, when they did their revision three, you didn't really see specific references to security

[00:29:54] protection data in that. Um, so it is just kind of interesting that, like, even after their viewpoint of looking at that, that wasn't exactly specifically addressed, right? Um, and those types of things,

[00:30:08] I think, uh, if those are concerns that they really had, um, they should have just pulled them in from the 800-53 catalog and just addressed them somehow in the 171 standard and just rolled with it.

[00:30:20] That's just my opinion, but, um, yeah. So I know we're getting ready to wrap up, but I have a parting plea, okay? The MSP community, do not leave the DIB.

[00:30:34] Don't leave those clients behind. Try to work with them and try to figure out solutions to this, because we need you. Um, you know, there's, um, by my back of the envelope math, we need

[00:30:49] something like, you know, 20,000 MSPs supporting the DIB alone, and the requirements that the DIB is facing today, the federal, uh, government contractors are going to face, um, by the end of the year. So they're going to have the same kind of requirements coming down on them,

[00:31:10] this 800-171 compliance requirements. So we're going from 200,000 to over a million companies that are supporting the federal government that are going to need help, and the majority of those are small, right? And I actually want to support that. Uh, some

[00:31:27] good friends of mine in the industry, uh, Matt Lee and Jason Slagle, actually did a session at a security conference called GrrCON last year, said, um, you know, yes, MSPs sucked, but the world

[00:31:37] without us is worse. Um, because let's be realistic, the worst case scenario, if we as MSPs leave the DIB, it's going to go back to the mom and pop shops calling up the cousin that may know security

[00:31:47] or something like that, and that's just a disaster and nightmare of a dumpster fire, and the direct consequence of that is a negative impact to our national security as a country. We cannot have

[00:31:57] that. So we've got to, as MSPs, do exactly what you said. We've got to put our heads down, get to work, work our way through this. We know it's not easy, but, um, it's in the best interest of our

[00:32:07] nation to do this and it's the hard work worth doing. In my view, the, um, managed service provider community should be considered by the Department of Homeland Security as a critical infrastructure. Yeah, second, absolutely. Yeah, and special considerations like allowing us to

[00:32:25] participate in JSVA even though we don't have a government contract, having those types of things allowed for MSPs, I think is very, very critical, because that would allow us to kind of start stepping in and participating and, uh, you know, having an appropriate CAP that's defined for

[00:32:40] us so that we can then appropriately participate. Those are a lot of things that could be done to help us be able to step in the space. And you're so right, Brian. Um, I've done some quick head counting

[00:32:51] and I would be shocked if in the first year there was 50 MSPs that actually went through, and the next few years, and got level two certified, right? Uh, and if they are, they're gonna need

[00:33:05] that many MSPs to support the organizations that we're just going to get overrun. There's just going to be a massive shortage and we're going to be the bottleneck. Yeah. So we need more people

[00:33:16] to step up in the MSP community to start serving the DIB, and, you know, DOD, can you help us out a little bit and help us step into the space and try to help participate? Because, um, uh, I think

[00:33:30] it could become a huge train wreck if there's not enough of us in the space to be able to support. Yep, absolutely. That's why MSP Cyber Security Exchange exists, by the way, just another

[00:33:41] plug. And by the way, I didn't mention before, but it is a 501c3. We're a not-for-profit, um, organization, so we're trying to accomplish a mission, and the mission is to help MSPs support

[00:33:55] the small business community. Well, Brian, thank you so much for joining us today, and Adam, as always, thank you. It's been a pleasure having you here, sir. Um, and until next time, everybody, keep on fun

[00:34:07] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one, but until then, keep on climbing.