Common Mistakes MSPs Make When Tackling CMMC (Part Two)
Climbing Mount CMMC, February 23, 2024



(Season 1 Episode 15) Bobby Guerra and Adam Evans discuss some of the most common mistakes MSPs make while on the journey of CMMC. They know many of these mistakes because they made them themselves. Their goal is to educate others so that their journey may be a bit easier than their own. This is part two of a two-part episode.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] [SPEAKER_00]: Welcome back climbers! I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC.

[00:00:15] [SPEAKER_00]: In today's episode, Bobby and Adam are doing part two of the Common Mistakes MSPs Make

[00:00:20] [SPEAKER_00]: When Tackling the CMMC Journey. We're so excited for you to join us in today's episode and we hope you enjoy it.

[00:00:30] [SPEAKER_01]: Okay everybody, we're back on our second part for Common Mistakes that MSPs make when they're

[00:00:36] [SPEAKER_01]: going on their CMMC journey. So we've covered a lot of great things. Adam, thank you so much

[00:00:40] [SPEAKER_01]: for helping us there. But we were talking about complexity. We kind of touched on NFO controls.

[00:00:48] [SPEAKER_01]: We also went through the whole marriage counseling and a whole bunch of other things that

[00:00:52] [SPEAKER_01]: if you haven't caught it, it's really great. Hop back and watch that one. We release them every

[00:00:56] [SPEAKER_01]: Thursday. So this Thursday what we're going to be talking about is we're picking up where we left

[00:01:01] [SPEAKER_01]: off about complexity. Can you dive more into the situation of complexity and how MSPs

[00:01:07] [SPEAKER_02]: make common mistakes about those things? Yeah. So let's add some context because I love my context

[00:01:12] [SPEAKER_02]: stuff here. So 800-171, DFARS, CMMC, they all relate to one another and they each put their own little

[00:01:19] [SPEAKER_02]: sub requirements in there. And that starts to rapidly expand the complexity around CMMC because

[00:01:25] [SPEAKER_02]: we as MSPs will see CMMC, we'll type that into Google real quick and go what is this?

[00:01:30] [SPEAKER_02]: It'll then point us back to 171 and we go cool, 171 exists. Let me get into the meat

[00:01:34] [SPEAKER_02]: potatoes of this as technically minded engineers and go right to those controls. In the process

[00:01:40] [SPEAKER_02]: of that, we've missed the appendixes. We've not read those out. We've also not read

[00:01:44] [SPEAKER_02]: that there's an assessor guide out there under 171A. And we just see the strict hard requirements

[00:01:50] [SPEAKER_02]: and the controls out there saying encrypt your data at rest. That's the wording. And we go cool,

[00:01:56] [SPEAKER_02]: great, I do that already. But there's more. As you start going through those additional

[00:02:01] [SPEAKER_02]: controls, you start seeing controls that impact other controls and support one another.

[00:02:05] [SPEAKER_02]: And it can very quickly become a spiral of death if we're not paying close attention to that.

[00:02:10] [SPEAKER_02]: And without understanding what we're getting into, which leads into expanding our time

[00:02:15] [SPEAKER_02]: investment on stuff. If we're going through and saying, yeah, I'm going to go ahead and roll

[00:02:18] [SPEAKER_02]: out encryption organization wide. Good, great. Next control is it FIPS validated? Right.

[00:02:25] [SPEAKER_02]: What's that mean? Let me look that up. And when is it appropriate to use FIPS

[00:02:28] [SPEAKER_01]: validated? So many people I've seen go, oh my gosh, FIPS, FIPS, FIPS, I have to put it on everywhere.

[00:02:33] [SPEAKER_01]: And you're like, well, that's not necessarily the case. So I've seen so many people utilize FIPS when

[00:02:38] [SPEAKER_02]: it's not needed. Yeah. And I think we'll touch on that a little bit more later when we talk about

[00:02:42] [SPEAKER_02]: scoping and scoping nightmares because that's another easy pitfall and trap for MSPs to fall

[00:02:47] [SPEAKER_02]: into. But it just shows the complexity of it all. We know we're familiar from MSPs,

[00:02:53] [SPEAKER_02]: all of our interconnected systems, all the cool things they do between our

[00:02:57] [SPEAKER_02]: our workstations, our cloud services, our tool sets, our client environments.

[00:03:00] [SPEAKER_02]: Like let's be realistic, technology is a very complex mechanism. And now we have to start

[00:03:05] [SPEAKER_02]: thinking through 300-some assessment objectives on all those interconnected

[00:03:11] [SPEAKER_02]: moving pieces of technology and then throw the stuff that they don't specifically outright say.

[00:03:18] [SPEAKER_02]: I'm not sure we get on with the editing process if this will be in this episode or

[00:03:21] [SPEAKER_02]: something that will come off with the other one, but just talking through those NFO controls

[00:03:25] [SPEAKER_02]: and where those come from. It's a really interesting piece, but coming from 800-53,

[00:03:31] [SPEAKER_02]: coming from FedRAMP and how that all works, there's a lot there. Yeah. Yeah. Very challenging.

[00:03:36] [SPEAKER_02]: And if we're security people, and this is the fun bit too, is that balance between security

[00:03:40] [SPEAKER_02]: and compliance. It's important to remember 800-171 is focused entirely on the confidentiality

[00:03:45] [SPEAKER_02]: aspect of the CIA triad. It just says encrypt your backups. It doesn't

[00:03:50] [SPEAKER_02]: tell you you have to have backups. It just says to encrypt them if you do.

[00:03:55] [SPEAKER_01]: And I think MSPs, and this is another area where MSPs make mistakes, is they feel that it's a

[00:04:01] [SPEAKER_01]: complete framework, or a framework that once you finish you're complete. You really need to engage

[00:04:07] [SPEAKER_01]: the client holistically. That's why we plan to not only follow CMMC's 800-171 standard and 171A

[00:04:18] [SPEAKER_01]: with our clients. We're also going to sprinkle in CIS on that because of the fact that

[00:04:22] [SPEAKER_01]: CIS has a more holistic approach because their focus isn't just on that data protection.

[00:04:28] [SPEAKER_01]: It covers the whole aspect of the health and well-being of that organization.

[00:04:33] [SPEAKER_01]: And so as an MSP, when we go to support the client, we don't just want to support their

[00:04:38] [SPEAKER_01]: CUI. We want to support them as an organization. Now, that's part of the compliance requirement,

[00:04:43] [SPEAKER_01]: but if you're only supporting their compliance part, as most MSPs do, they're doing most everything

[00:04:51] [SPEAKER_01]: for the client. And MSPs, if you look at it overarchingly, account for about 60% of the CMMC requirements

[00:05:00] [SPEAKER_01]: fall on the shoulders either partially or completely on the MSP. And so they really have

[00:05:06] [SPEAKER_01]: to be able to be willing to accept that not only from a compliance, but also holistically,

[00:05:12] [SPEAKER_01]: because they just don't look at it from that perspective.

[00:05:14] [SPEAKER_02]: Yeah, and then there's a good point too as we look through our approach. Compliance and CMMC,

[00:05:20] [SPEAKER_02]: it's absolutely critical we get it right, but we know we can do better. That's why we're looking

[00:05:25] [SPEAKER_02]: at some things from CIS. And I'm sure as we go through that journey, we may pick a few items

[00:05:29] [SPEAKER_02]: out of 800-53 or from other standards that make sense. Because again, CMMC and compliance frameworks

[00:05:34] [SPEAKER_02]: here are the rules we have to play by. You can be the worst team in the world playing

[00:05:39] [SPEAKER_02]: by the rules in a football game and still you've played by the rules, or you can really knock it

[00:05:43] [SPEAKER_02]: out of the park and go above and beyond. But it's still finding those balances between

[00:05:48] [SPEAKER_02]: affordability, operational efficiencies. We don't have a complete blank checkbook as much as I would

[00:05:56] [SPEAKER_02]: love to say we've got a blank checkbook for it. You're the one with a checkbook and I'm sure

[00:05:59] [SPEAKER_01]: you know it was not a blank checkbook. It's not. Yeah, I don't have the CMMC

[00:06:01] [SPEAKER_01]: money tree in the backyard. Speaking of money, we have that listed under the complexity

[00:06:06] [SPEAKER_01]: section. Can you talk to that and the challenges that a lot of MSPs misunderstand when it comes to

[00:06:14] [SPEAKER_02]: money with CMMC? Yeah, it's not cheap. If I were to sum it up in one sentence, that would be it.

[00:06:20] [SPEAKER_02]: But let's think about what that looks like. So we have to build out the enhanced processes to

[00:06:26] [SPEAKER_02]: make sure that we're doing things in a compliant way. That's adding time and we all know the

[00:06:30] [SPEAKER_02]: saying time is money. So we're hitting that from our operations. Tool sets is another matter.

[00:06:34] [SPEAKER_02]: If we start looking at putting data in a cloud environment or those risk-managed assets and the

[00:06:40] [SPEAKER_02]: security protection assets and whatnot, we may have to align to FedRAMP for those kinds of systems

[00:06:45] [SPEAKER_01]: depending on the data that flows into them. Let me jump in there real quick. So for us,

[00:06:49] [SPEAKER_01]: something that was a little bit surprising is as we started to step in the space, we chose

[00:06:53] [SPEAKER_01]: GCC High for us. Now we didn't have to go with GCC High. You can use other platforms.

[00:06:59] [SPEAKER_01]: That's the one that we chose. And you don't have to go with high. You could go with

[00:07:01] [SPEAKER_01]: GCC. But because the fact that we know that there's clients that we already have that do ITAR work,

[00:07:08] [SPEAKER_01]: we wanted to make sure that if we had more clients that had that, we didn't want to have to then

[00:07:12] [SPEAKER_01]: build a new system to support them or just tell them, shove off, we can't take care of you.

[00:07:17] [SPEAKER_01]: So we wanted to build a system that we felt like is going to be inclusive to all the potential

[00:07:22] [SPEAKER_01]: clients we might bring in. And so we went with GCC High. Well, with GCC High, when you

[00:07:31] [SPEAKER_01]: and if you're not 100% sure of the licenses you're picking or the ones you want, and you make

[00:07:36] [SPEAKER_01]: some mistakes, it's kind of costly. And so when you go to step into that and start building those

[00:07:41] [SPEAKER_01]: types of things out, you just don't realize that. So then you're like, okay, well, if you're doing

[00:07:45] [SPEAKER_01]: VDI or doing these types of things, and now you're having to pay for it up front, you thought

[00:07:48] [SPEAKER_01]: maybe you only had to pay for it monthly. Now you've got capital expenses for the most part

[00:07:52] [SPEAKER_01]: versus amortized monthly expenses. Those things can add up very quickly. Yeah. So we've

[00:07:58] [SPEAKER_02]: got our tools since we have to pay for GCC. You'll have to grab new tools, perhaps, and then

[00:08:03] [SPEAKER_01]: you got to pay for those. And then you've got the total cost of ownership on those tool sets

[00:08:07] [SPEAKER_02]: and whatnot too. So okay, we've got the tool sets that we need for it. We've got a rough

[00:08:12] [SPEAKER_02]: understanding now let's talk about the people investment. Yeah, absolutely.

[00:08:16] [SPEAKER_02]: You know, I think this is a perfect proof of the pudding on that one. You made a significant

[00:08:19] [SPEAKER_02]: investment in people on this one by the fact that hi, I'm here talking to you nice to meet

[00:08:22] [SPEAKER_02]: y'all. Right, right. Yeah, that's not cheap to just bring anyone on board for that.

[00:08:27] [SPEAKER_02]: Even if you're not bringing someone on board, you have to retask and retrain your team on those

[00:08:31] [SPEAKER_02]: new tools. That's more time away from clients not doing stuff. That's more money. Then you take

[00:08:36] [SPEAKER_02]: that forward through to the assessment phases. You've got to find your assessor firm,

[00:08:39] [SPEAKER_02]: you've got to find your C3PAO, all the people to get the work done. I can tell you they're

[00:08:44] [SPEAKER_01]: not cheap either. No, they're estimated between $30,000 and $80,000 to do an assessment

[00:08:50] [SPEAKER_01]: depending on the size of your organization. I think it's pretty reasonable as a smaller

[00:08:55] [SPEAKER_01]: MSP if you're getting assessed yourself, you're probably going to spend somewhere between 30 and

[00:08:58] [SPEAKER_01]: 50 would be pretty reasonable. You know, I've heard of people being able to find cheaper

[00:09:02] [SPEAKER_01]: and I've heard of people finding a lot more. But the point is it's going to cost something

[00:09:07] [SPEAKER_01]: and that amount is going to be something other than zero and you need to account for that.

[00:09:11] [SPEAKER_02]: And then okay, so you've gone through, you've paid for your assessment.

[00:09:14] [SPEAKER_02]: What if you don't pass? Oh yeah. So okay, now you've got maybe you're fortunate enough

[00:09:19] [SPEAKER_02]: to be close enough to passing that you get you know, you're allowed to use a plan of

[00:09:22] [SPEAKER_02]: action. So you still have to invest the time, energy, effort, resources to go through that plan

[00:09:26] [SPEAKER_02]: of action. But keep in mind, you know, so okay, let's let's take a step back before I get on the

[00:09:31] [SPEAKER_02]: next point. So you've gone through the plan of action, you were fortunate

[00:09:35] [SPEAKER_02]: enough to be allowed to use a plan of action and just not you know, you didn't get told out right,

[00:09:38] [SPEAKER_02]: you failed to go try again talk to you later. So you get that all done.

[00:09:43] [SPEAKER_02]: Those assessments are reassessed. And finally, you're sitting there, you've got your

[00:09:47] [SPEAKER_02]: stamp of approval, everything's fine, great, peachy, right? It still costs money. Because you know,

[00:09:53] [SPEAKER_02]: those costs of tools don't suddenly stop. Training new people to get up to speed on those processes

[00:09:58] [SPEAKER_02]: doesn't stop. But then remember, CMMC requires reassessment. Yeah, that's not a one done.

[00:10:04] [SPEAKER_01]: That's a continued train that once you hop on, you're not getting off.

[00:10:07] [SPEAKER_01]: And that's a good point there Adam, because once you're going through that process,

[00:10:12] [SPEAKER_01]: you're committed, you're in for a penny, you're in for a pound. And a lot of organizations have

[00:10:21] [SPEAKER_01]: really struggled trying to be financially viable and certain new tasks when they don't plan on things

[00:10:29] [SPEAKER_01]: taking longer than they expect, right? Our CMMC journey is taking us a lot longer than we

[00:10:34] [SPEAKER_01]: anticipated, but we knew that that was a possibility and accommodated for it cost wise

[00:10:39] [SPEAKER_01]: and resource wise. And if you're thinking, okay, I got to have six months to be ready,

[00:10:44] [SPEAKER_01]: we're going to pass the assessment on month seven, and then we're going to start generating all this

[00:10:48] [SPEAKER_01]: revenue on month eight. And if this whole thing falls apart, I'm screwed, then you're not in a

[00:10:53] [SPEAKER_01]: good position to go after this, you have to have enough, you know, war chest to go after

[00:10:58] [SPEAKER_01]: this thing so that you can appropriately accommodate for a time resource wise and money,

[00:11:03] [SPEAKER_01]: so that if it goes off the rails, which it probably will to some extent, because

[00:11:07] [SPEAKER_01]: everything doesn't just play out the way you want with such a large massive implementation project,

[00:11:12] [SPEAKER_01]: you've got to be able to accommodate for that. You've got to be able to accommodate for additional

[00:11:16] [SPEAKER_01]: slides in time. You can't just say, well, I can only tie up Adam for six months and if it goes

[00:11:22] [SPEAKER_01]: past six months, I'm going to have to pull him. Well then you've just pretty much gone halfway

[00:11:25] [SPEAKER_01]: through the forest and then just burn the whole forest down and left, you know, it's just not

[00:11:29] [SPEAKER_02]: really very viable. Because if there's anything we've learned over the years in MSPs, things

[00:11:32] [SPEAKER_02]: will change. And setting those super aggressive timelines is great, but you've got to have that

[00:11:38] [SPEAKER_02]: flexibility built in. So when you do hit those delays, you know, hypothetical scenario, say we did

[00:11:43] [SPEAKER_02]: set that aggressive timeline, which we do have our aggressive timelines, we do have that flexibility

[00:11:46] [SPEAKER_02]: padded in. But we get to month five, month five is crunch time, we've got a lot of work to do,

[00:11:51] [SPEAKER_02]: it's a super critical point. And something bad happens, I just get really sick. And I can't,

[00:11:57] [SPEAKER_02]: you know, my brain's not where it needs to be, I'm not able to sign on that week to do

[00:12:00] [SPEAKER_02]: work. Did that just compromise our entire business plan? And that's if, if me taking a week off of

[00:12:06] [SPEAKER_02]: work for one reason or another compromises the business, I'm sorry, that's a problem that you

[00:12:11] [SPEAKER_01]: need to work out. Well, and I think that also goes to being realistic too, that if you're going

[00:12:15] [SPEAKER_01]: to try to bring in that intern or somebody and you're just going to say here, you handle this

[00:12:19] [SPEAKER_01]: and, you know, I'll come back to you in eight months and you'll have this thing figured out.

[00:12:23] [SPEAKER_01]: They're not going to get very far at all. You've got to take a very serious approach

[00:12:27] [SPEAKER_01]: to this and have very realistic timelines for the resources and the people you have.

[00:12:32] [SPEAKER_01]: So you're going to have to have, you know, I'm the CEO of the company. So that's a big part of

[00:12:37] [SPEAKER_01]: the reason why, you know, I'm helping out as best I can, but I needed to bring you on too.

[00:12:41] [SPEAKER_01]: And I didn't bring on an intern. I brought on somebody that knew what they were doing

[00:12:44] [SPEAKER_01]: and had experience. And so these are all things that are really critical to be able

[00:12:48] [SPEAKER_02]: to be successful in that. Yeah. And even then, you know, I've been working with CMMC 800-171

[00:12:53] [SPEAKER_02]: for a while now, there's still the whole piece of some parts of, you know, writing a policy and

[00:12:57] [SPEAKER_02]: figuring out how do we do business? How do we do this thing here? What do we already have established?

[00:13:02] [SPEAKER_02]: And then trying to decipher all that looking at what you already have and going,

[00:13:05] [SPEAKER_02]: okay, I can take these bits that still work. I need to re-architect this, then I have to

[00:13:09] [SPEAKER_02]: pass that through change approvals and send it your way because I can't make business

[00:13:12] [SPEAKER_01]: impacting decisions on my own without a sign off. Right? Yeah. It's not just about

[00:13:17] [SPEAKER_01]: passing the assessment. Like you said, you've got to continue to pass. So you have to build

[00:13:20] [SPEAKER_01]: a system that can not only support the existing clients you have, future clients that you're going

[00:13:25] [SPEAKER_01]: to have in the CMMC ecosystem. And you're going to be able to continue to support them in a way

[00:13:29] [SPEAKER_01]: that scales. That is, there's no book that you can read about that. You're gonna, it's going to

[00:13:33] [SPEAKER_01]: take time to learn how to do that for you as a company. And the way that we do it will not

[00:13:38] [SPEAKER_01]: be the same way that you're necessarily going to do it yourself. You've got to find your own

[00:13:42] [SPEAKER_01]: path and you've got to give yourself the time to accomplish that. And that is a huge, huge

[00:13:46] [SPEAKER_01]: order. Now, five years down the road, I think there's going to be a lot more

[00:13:51] [SPEAKER_01]: common type processes just like with CMMC is just like MSPs. As MSPs were kind of evolving

[00:13:59] [SPEAKER_01]: back in the day, we kind of all started following certain types of molds and patterns. And that took

[00:14:04] [SPEAKER_01]: some time to develop. And then there's a lot of knowledge and books about that. But we're

[00:14:09] [SPEAKER_01]: all new. This is all new. So none of that's happened. And everybody's figuring that out

[00:14:12] [SPEAKER_02]: right now. Yeah. So I think that actually leads very well to transition to our next topic to kind

[00:14:17] [SPEAKER_02]: of wrap things up is so how do we as an MSP keep that under control? And I think the answer

[00:14:22] [SPEAKER_02]: that really boils down to keeping our scope contained, right? When we think about 800-171

[00:14:28] [SPEAKER_02]: and the objective of the CMMC is to preserve the confidentiality of federal contract

[00:14:32] [SPEAKER_02]: information, FCI, and controlled unclassified information, CUI. If a system does not come

[00:14:38] [SPEAKER_02]: into contact with FCI or CUI, get it the heck out of that scope, right? Right. Like shove it off

[00:14:44] [SPEAKER_02]: to the side, get it away from me like why would you if you don't accept federal contracts, you

[00:14:49] [SPEAKER_02]: don't have FCI, why would you ever want your QuickBooks server in the scope of a

[00:14:53] [SPEAKER_02]: CMMC assessment unless it has to be there for some other reason? Or why would you want

[00:14:57] [SPEAKER_02]: your sales and marketing team to be scoped in on that process when they shouldn't be touching

[00:15:01] [SPEAKER_02]: you know, CUI. They may touch FCI, sales and marketing, because they're going to be looking

[00:15:05] [SPEAKER_02]: over those contracts as RFPs for potential you know, whatnot. But the CMMC level one

[00:15:09] [SPEAKER_02]: requirements that only apply to FCI are much less of a struggle than the 800-171 requirements.

[00:15:17] [SPEAKER_01]: So this brings us to a good point that a lot of MSPs, the mistake they try to do is they say

[00:15:21] [SPEAKER_01]: to themselves we'll just put our whole organization in scope because it's easier

[00:15:25] [SPEAKER_01]: because I don't have to think about how I want to scope things and trust me it's not

[00:15:28] [SPEAKER_01]: easier. It's easier from the decision of scoping but it is not easier cost wise,

[00:15:32] [SPEAKER_01]: resource wise and adjustment wise. An example of that is for us we scoped down to a much smaller

[00:15:38] [SPEAKER_01]: chunk of our business. In fact, our daily operational systems we did not include in scope. We actually

[00:15:44] [SPEAKER_01]: had virtual machines so when we're going to support our clients we're actually going

[00:15:49] [SPEAKER_01]: to have virtual machines inside our GCC high environment that we're going to be hopping

[00:15:52] [SPEAKER_01]: from to support our clients so that we're in parity as we're supporting them but we're going

[00:15:57] [SPEAKER_01]: to be accessing those from our normal workstations that we're supporting our existing clients.

[00:16:02] [SPEAKER_01]: What that does is that makes our normal operational workstations still in scope but

[00:16:06] [SPEAKER_01]: what are called CRMAs, which are a smaller subset of requirements, which means that the

[00:16:12] [SPEAKER_01]: workstations that we're going to be using on a daily basis isn't really going to be at the

[00:16:16] [SPEAKER_01]: level that one of those fully compliant devices are going to have to be, which are called CUI

[00:16:22] [SPEAKER_01]: assets. So that allows us to kind of keep the cost down. Now that then means I don't have to throw out

[00:16:28] [SPEAKER_01]: all the tools for everything for everybody so that allows us to have a little bit more

[00:16:32] [SPEAKER_01]: flexibility so that we can start to grow our client base in that CMMC environment and evolve

[00:16:38] [SPEAKER_01]: as a company and then from then we can make some additional decisions but that's where that's

[00:16:43] [SPEAKER_01]: scoping you really need to think about that and really start thinking about because if you just say

[00:16:46] [SPEAKER_01]: okay you know Frick it we're going to just change our whole company to try to be compliant

[00:16:51] [SPEAKER_01]: and if you do that then that means the tools that you use yeah everything is under review.

[00:16:57] [SPEAKER_01]: You just included all that stuff you don't have another little section that you can sort of

[00:17:01] [SPEAKER_01]: start to create that environment and then build off of that and it just it just doesn't in my

[00:17:08] [SPEAKER_01]: opinion work if you try to do your whole system but I'm sure there's some companies that could

[00:17:13] [SPEAKER_02]: pull it off. Yeah and you know there's if you want to as an MSP scope your entire company

[00:17:17] [SPEAKER_02]: into it just to be clear I don't think that's wrong to do but you've got to understand what

[00:17:21] [SPEAKER_02]: you're doing in that process that is all your tools all your techs your physical environments

[00:17:26] [SPEAKER_02]: everything that gets very complicated very quickly and that increases your I think if you're going

[00:17:31] [SPEAKER_01]: to pull that off you really have to be your organization already would have to be very

[00:17:35] [SPEAKER_01]: familiar with compliance and have some very well tied in extremely mature processes as an

[00:17:41] [SPEAKER_01]: organization I mean like high level like very well rounded ticket template processes very well

[00:17:46] [SPEAKER_01]: rounded change control processes I mean you would have to be really close to

[00:17:52] [SPEAKER_01]: to the CMMC model I think if you're going to really tackle your organization and I'm sure there's MSPs

[00:17:58] [SPEAKER_01]: out there that are used to compliance and have been really working but most MSPs don't really

[00:18:03] [SPEAKER_02]: do that. Right and it's not like the other the other frameworks that exist out there because

[00:18:08] [SPEAKER_02]: don't forget there are plenty of those other frameworks out there they do have their

[00:18:11] [SPEAKER_02]: requirements and how MSPs may be tied into those in some way shapes and forms but CMMC

[00:18:16] [SPEAKER_02]: comes down to a matter of national security and national defense so the government takes it

[00:18:21] [SPEAKER_02]: extremely seriously the DOD takes it extremely seriously because of the risks involved with

[00:18:26] [SPEAKER_02]: doing it wrong and as a result that they're making sure you're crossing your T's dotting

[00:18:33] [SPEAKER_02]: your i's and doing it right and that's where it gets scary as an MSP to make sure you get

[00:18:36] [SPEAKER_02]: that scope in there properly because if something takes something silly and simple MSP uses

[00:18:43] [SPEAKER_02]: tool ABC to do things, that's scoped in and that has, you know, CUI in it, but the vendor

[00:18:50] [SPEAKER_02]: says yeah we're great for CMMC it's all fine and dandy okay but they store that in a cloud server

[00:18:55] [SPEAKER_02]: right? DFARS says your cloud service providers have to meet FedRAMP Moderate,

[00:19:00] [SPEAKER_02]: right? And when you say okay, Mr. Vendor here or Mrs. Vendor or whoever, and you say

[00:19:08] [SPEAKER_02]: where's your FedRAMP status and they go well what's FedRAMP?

[00:19:12] [SPEAKER_02]: yeah, conversations I've had with vendors before is hey, you probably have some CUI out here and

[00:19:17] [SPEAKER_02]: your functioning as cloud service providers where are you at in your FedRAMP journey I don't see

[00:19:21] [SPEAKER_02]: you in the FedRAMP marketplace what's going on what's that oh yeah you've got a problem and

[00:19:28] [SPEAKER_01]: and especially if you built your whole organization around the process and how that organization

[00:19:32] [SPEAKER_01]: operates and now you've just invalidated that tool how do you handle that you know if you haven't

[00:19:37] [SPEAKER_01]: scoped it to where that even shouldn't be in scope the way that you went to support it when those

[00:19:42] [SPEAKER_01]: curves happen you don't have to you know throw the baby out with the bath water and that's why

[00:19:47] [SPEAKER_01]: it's super dangerous when you start including your whole organization in scope because you're

[00:19:50] [SPEAKER_01]: going to run into those types of gotchas that you weren't expecting as you look under the

[00:19:53] [SPEAKER_01]: hood on certain things vendors aren't always transparent and when you start trying to get

[00:19:57] [SPEAKER_01]: evidence that the salesperson said everything's fine and you go to collect the evidence and

[00:20:02] [SPEAKER_01]: it's crickets and they don't get back to you and you realize I've got nothing and then you

[00:20:05] [SPEAKER_01]: got to make a decision because sometimes we've seen vendors disgust us they won't even get back

[00:20:09] [SPEAKER_01]: to us and you're really wanting to include them in that process but you can't because

[00:20:13] [SPEAKER_01]: they're not getting back to you on the information and you don't want to go to the mats fighting

[00:20:17] [SPEAKER_01]: for them if they're not going to fight for you right yeah I've even had a situation before

[00:20:20] [SPEAKER_02]: with a backup vendor um this was years ago and whatnot uh the offender shall remain

[00:20:25] [SPEAKER_02]: nameless so um we don't get sued but um backup vendor and years before they had a process for

[00:20:33] [SPEAKER_02]: ITAR, so we'd gone through, we did our vendor selection, the process was available, we said

[00:20:37] [SPEAKER_02]: cool, great, we'll use this vendor, if we have any clients that need ITAR there's a process, it'll

[00:20:41] [SPEAKER_02]: be great. We get the client with ITAR, we uh call up the vendor, we're like hey, we're just

[00:20:46] [SPEAKER_02]: going to we're ready to move forward with us where's your procedures for this oh we don't

[00:20:53] [SPEAKER_02]: need ITAR compliance. No, thanks for telling us. Um, also, um, does the industry know this? Because

[00:21:03] [SPEAKER_02]: there's probably those backup solutions in ITAR environments that you are now

[00:21:08] [SPEAKER_02]: breaking the law a little bit here you're doing it wrong yeah and that was just a big old

[00:21:14] [SPEAKER_01]: yeah so yeah you've got it and that's a good point is vendors got it or gonna have to

[00:21:21] [SPEAKER_01]: they're gonna do what they need to do to be profitable and your your well-being isn't

[00:21:26] [SPEAKER_01]: necessarily always their best interest so you have to be very careful and that's another reason

[00:21:30] [SPEAKER_01]: when you're doing your scoping is try to include as little vendors as possible because that kind of

[00:21:35] [SPEAKER_01]: crap can happen and you can really get thrown for a loop and have to do your own change controls

[00:21:41] [SPEAKER_01]: and you'll have to potentially have change control processes for your clients who wants to do that

[00:21:45] [SPEAKER_02]: I definitely don't all right and that brings up a good another good point um on that is the

[00:21:50] [SPEAKER_02]: the criticality of vendor due diligence on this matter right um we've certainly seen vendors

[00:21:54] [SPEAKER_02]: that'll say yep we meet CMMC requirements they don't there are other vendors out there that say

[00:22:00] [SPEAKER_02]: use our solution and in five easy minutes and three easy clicks we'll get you CMMC compliant

[00:22:06] [SPEAKER_02]: um i don't know if y'all listen to the podcast can smell that smell but uh smells like some bs yeah

[00:22:13] [SPEAKER_02]: um especially based on everything we've already talked about so it's critical as we go through

[00:22:16] [SPEAKER_02]: that process to make sure our vendors are appropriately in scope there are a ton of

[00:22:19] [SPEAKER_02]: absolutely wonderful vendors out there that make great products but they just don't fit

[00:22:25] [SPEAKER_02]: into the scope and the requirements and it's unfortunate we have to look at those solutions

[00:22:28] [SPEAKER_02]: and go hmm i need to come up with something new which gets back to our bigger points of

[00:22:34] [SPEAKER_02]: the operational impacts and the challenges around it and it's and we can start to build

[00:22:38] [SPEAKER_02]: that cycle of where we're at with that because we've talked about our scoping nightmares we've

[00:22:41] [SPEAKER_02]: talked about the complexities of all that now we're starting to see this come full circle well i

[00:22:45] [SPEAKER_01]: think that that emphasizes the importance of risk management right the risk management process

[00:22:49] [SPEAKER_01]: then that's why so i love the fact that's included in CMMC is to to look at your organization and

[00:22:55] [SPEAKER_01]: your vendors and each year reevaluate that because like you said if they've made a change

[00:23:02] [SPEAKER_01]: and they don't always tell you uh it could considerably impact uh your posture and so that's

[00:23:08] [SPEAKER_01]: why keeping the quantity of vendors down to a minimum as well as doing those risk assessments

[00:23:12] [SPEAKER_01]: to reevaluate them so you don't get some blindsides the last thing we want to do is find out a vendor

[00:23:16] [SPEAKER_01]: might be in question when a client comes to you and says i can't seem to do this anymore

[00:23:20] [SPEAKER_01]: and then the vendor goes oh that's because we removed it and you're like what you know and

[00:23:26] [SPEAKER_02]: of course um because i know i've got plenty of friends that do there are that are on the

[00:23:30] [SPEAKER_02]: dark side and all that stuff um those yearly checkpoints and risk assessments actually

[00:23:34] [SPEAKER_02]: present opportunity as well for the vendor if they are working towards this themselves they

[00:23:38] [SPEAKER_02]: are aligning to it and working towards it it's a great opportunity to say hey we know it's that

[00:23:44] [SPEAKER_02]: time to come through for our risk assessment and everything as the account managers um we've got

[00:23:49] [SPEAKER_02]: some stuff we think you're gonna like vendor i was talking to you recently that i've had a great

[00:23:52] [SPEAKER_02]: relationship with for a couple years now when i reached out to them and said hey i'm coming

[00:23:56] [SPEAKER_02]: over to join bobby and we're working on our CMMC stuff um where do you guys fit into this

[00:24:01] [SPEAKER_02]: he's straight up it's like we're working on our FedRAMP stuff we've hired we put people on it i'm

[00:24:05] [SPEAKER_02]: like oh you guys are going for it let's go people let's have some fun yeah um so it's good to always

[00:24:12] [SPEAKER_01]: continue to do that and that's another reason why it's nice that if you have some separation

[00:24:16] [SPEAKER_01]: between your normal operations and your CMMC scoping piece you know you on your non CMMC you

[00:24:22] [SPEAKER_01]: should still be doing your risk assessment you should still be going through and analyzing

[00:24:25] [SPEAKER_01]: that and what you can find is is maybe some vendors that you're like eh i'm not really sure

[00:24:29] [SPEAKER_01]: if i want to bring them over onto the CMMC side but you're going to keep an eye on them you're

[00:24:33] [SPEAKER_01]: going to continue to refine and work with them and eventually more and more vendors are going to

[00:24:38] [SPEAKER_01]: start stepping out at that space how long that's going to take who knows but more are going to

[00:24:43] [SPEAKER_01]: start stepping out on it um and when that starts happening you can start potentially

[00:24:47] [SPEAKER_01]: moving more and more over into your environment where it actually counts and starts helping

[00:24:51] [SPEAKER_02]: them and i think that brings up another good point on that one that we can kind of

[00:24:54] [SPEAKER_02]: use to kind of tie this one off a little bit um we think about vendors and their process is

[00:24:59] [SPEAKER_02]: going through this they continue to be reevalu... reevaluation when we talk about the price

[00:25:04] [SPEAKER_02]: SMBs have said this is going to be too that's one of the common things that comes up in the

[00:25:07] [SPEAKER_02]: requests for comments it's going to be way too expensive and way too prohibitive for the

[00:25:10] [SPEAKER_02]: SMB and MSP community and the DoD's response is that sucks charge more money right and if

[00:25:16] [SPEAKER_02]: you don't want to do that then uh it was nice doing business with you we'll find someone else

[00:25:20] [SPEAKER_02]: but what that really means for us as MSPs is as we go through the CMMC journey ourselves we

[00:25:24] [SPEAKER_02]: put those more formal risk management practices in place we build our systems to be more secure

[00:25:28] [SPEAKER_02]: we take those lessons learned from the DoD and CMMC space down to the rest of the MSP

[00:25:34] [SPEAKER_02]: our other clients can benefit from that too for sure so sure we might be working with a company

[00:25:38] [SPEAKER_02]: that's a subcontractor of Lockheed Martin building whiz bang components for the Air Force's sixth

[00:25:43] [SPEAKER_02]: generation fancy whiz bang gizmo gadget um but then we've got the local animal shelter

[00:25:48] [SPEAKER_02]: right that we do work with um you know they don't have those requirements they just have

[00:25:54] [SPEAKER_02]: some puppies and everyone loves puppies of course but it's an opportunity to take

[00:25:57] [SPEAKER_02]: the lessons learned there increase their security posture right just from what we've

[00:26:02] [SPEAKER_02]: already learned so they can get that added bonus and the world becomes a slightly better place for

[00:26:07] [SPEAKER_02]: puppies absolutely puppies for kitties for little birds maybe some turtles in there we're not

[00:26:12] [SPEAKER_02]: exclusive yeah we're an all-inclusive animal friendly environment over here absolutely

[00:26:17] [SPEAKER_01]: well thank you all so much for joining us uh on in our conclusion of our second part for

[00:26:23] [SPEAKER_01]: you know common mistakes MSPs make when they're going on their CMMC journey um and uh tune in

[00:26:29] [SPEAKER_01]: next thursday when we go through some more topics and until then keep on climbing everybody make

[00:26:35] [SPEAKER_00]: sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news we hope you

[00:26:41] [SPEAKER_00]: guys enjoyed today's episode and listen out for the next one but until then keep on climbing