Emergency Episode Drop (32 CFR Review Status)
Climbing Mount CMMC, September 16, 2024
18
00:37:05, 25.51 MB

Emergency Podcast Episode 🚨 

The 32 CFR Final Rule COMPLETED THE REVIEW PROCESS and things are heating up. We couldn't help but hop on the podcast and share this news and what it means for organizations and MSPs in the community.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] [SPEAKER_00]: Hello Climbers and welcome back to another episode of Climbing Mount CMMC.

[00:00:11] [SPEAKER_00]: The 32 CFR Final Rule has cleared the regulatory review and we have some stuff to talk about.

[00:00:18] [SPEAKER_00]: Today, and I literally mean today, Bobby and I sat down and talked about what this means for organizations in this community

[00:00:26] [SPEAKER_00]: as well as the MSPs that are helping these organizations.

[00:00:29] [SPEAKER_00]: This is a really big deal and we've got a lot to cover today.

[00:00:33] [SPEAKER_00]: So without further ado, let's get into today's episode.

[00:00:39] [SPEAKER_00]: Hello Climbers, we have some big news today.

[00:00:42] [SPEAKER_00]: It just dropped that the 32 CFR ruling has just cleared regulatory review, which basically means that assessments, actual certifications going to happen is coming up close.

[00:00:57] [SPEAKER_00]: How close is it going to be coming up?

[00:00:59] [SPEAKER_00]: What does this mean for people working with MSPs?

[00:01:03] [SPEAKER_00]: MSPs working for clients in the DoD space, right?

[00:01:07] [SPEAKER_00]: We have a lot of questions, I guess.

[00:01:10] [SPEAKER_00]: With every new announcement that I see on LinkedIn, there's just tons of questions that come with it.

[00:01:17] [SPEAKER_00]: So that's what we are going to be talking about.

[00:01:19] [SPEAKER_00]: We're going to be covering today.

[00:01:20] [SPEAKER_00]: Do we have the answers to all these questions?

[00:01:23] [SPEAKER_00]: No, but at least we can talk about it together and have this community so we can see

[00:01:29] [SPEAKER_00]: what other people, what other MSPs are doing, what other clients are doing, all of that stuff.

[00:01:34] [SPEAKER_00]: So let's first just talk about just the big scale about what this means exactly, this clearance that the 32 CFR ruling just went through.

[00:01:46] [SPEAKER_01]: Right, so just a little quick summary of events, right?

[00:01:49] [SPEAKER_01]: So you kind of like the little thing kind of changes and then you see these little different shades of things explaining what's happened in the past.

[00:02:01] [SPEAKER_01]: But in December of last year, the 32 CFR rule came out as proposed.

[00:02:07] [SPEAKER_01]: Then it was read over, everybody commented.

[00:02:12] [SPEAKER_01]: As those comments happened, the DoD started going through an adjudication process where they go through and they look at the different

[00:02:18] [SPEAKER_01]: comments that people have had to kind of get an idea of how they feel about it.

[00:02:23] [SPEAKER_01]: They then, once they have that ready, they kick it over to some additional review process of which one of them is OIRA,

[00:02:30] [SPEAKER_01]: which stands for Kaleigh, I think you brought it up because I'm not really good with acronyms.

[00:02:34] [SPEAKER_00]: I did. It says the Office of Information and Regulatory Affairs.

[00:02:38] [SPEAKER_01]: Affairs, right. So it just left OIRA this weekend.

[00:02:41] [SPEAKER_01]: They love to do those updates over the weekend.

[00:02:44] [SPEAKER_01]: I'm not sure why, just to kind of give somebody to talk something to talk about on the weekend.

[00:02:47] [SPEAKER_01]: And so that's left that. So what does that mean?

[00:02:50] [SPEAKER_01]: That means at this point, probably sometime this month, the 32 CFR, the final rule, which will build into effect.

[00:02:57] [SPEAKER_01]: Final rule.

[00:02:58] [SPEAKER_01]: And 32 CFR, what that basically is, is the definition of the CMMC program and all the things that go around that type of definition

[00:03:06] [SPEAKER_01]: of understanding it, explaining it.

[00:03:09] [SPEAKER_01]: And this will allow the certifications to begin to happen.

[00:03:11] [SPEAKER_01]: So this will then unlock the achievement for the C3PAOs out there that are allowed to do the assessments to then start to begin to do that.

[00:03:19] [SPEAKER_01]: So that's sort of what happens.

[00:03:21] [SPEAKER_01]: It was a very big deal.

[00:03:23] [SPEAKER_01]: This is one of the last two things that need to happen.

[00:03:26] [SPEAKER_01]: The second piece is going to be the 48 CFR, which is the last piece for it to drop.

[00:03:33] [SPEAKER_01]: We're assuming sometime early next year, Q1, when that 48 CFR drops,

[00:03:39] [SPEAKER_01]: what that is, is basically the mechanism that the DOD and the FAR council can use to include the CMMC requirements and contracts.

[00:03:52] [SPEAKER_01]: So it's their ability to weaponize it into the situation where it starts showing up in SAM.gov and the contracts

[00:03:57] [SPEAKER_01]: and you'll start seeing those CMMC requirements and then you'll have to be certified.

[00:04:02] [SPEAKER_01]: That's a phased sort of rollout process, which is plenty of things to talk about there.

[00:04:06] [SPEAKER_01]: Yeah.

[00:04:07] [SPEAKER_01]: We're going to talk about that today.

[00:04:08] [SPEAKER_01]: That sounds like a much scarier topic.

[00:04:11] [SPEAKER_00]: This one is pretty scary, but that one seems even more.

[00:04:14] [SPEAKER_01]: Yeah, we just really wanted to today focus on what does that 32 CFR actually mean to MSPs and the MSSPs and people that are going to have to get certified to interact with them?

[00:04:26] [SPEAKER_01]: What does that mean to them?

[00:04:27] [SPEAKER_00]: Right.

[00:04:28] [SPEAKER_00]: So this umbrella that is covered, this is including all the stuff that we've talked about with not only C3PAOs but also assessors, those organizations that work with assessors.

[00:04:41] [SPEAKER_00]: That includes people that are in the DOD space that have CUI, correct, in their organization, controlled unclassified information.

[00:04:51] [SPEAKER_00]: So these are the people that we are talking to, but we are also talking to MSPs that work inside those organizations because they now have the access to this controlled unclassified information and now have to be certified themselves.

[00:05:13] [SPEAKER_00]: Is that correct?

[00:05:15] [SPEAKER_01]: Yeah.

[00:05:15] [SPEAKER_01]: So as an MSP, what you would want to do is you want to basically pull all of your clients and say, okay, do you do work that supports the DOD?

[00:05:25] [SPEAKER_01]: Do you have any 7012 require, DFAR requirements in your contract?

[00:05:32] [SPEAKER_01]: That's, oh my gosh, 252.204-7012 if I remember correctly.

[00:05:37] [SPEAKER_01]: It's like this long specific dot almost looks like a math equation, if you will.

[00:05:43] [SPEAKER_01]: It's high.

[00:05:44] [SPEAKER_01]: It's really high.

[00:05:45] [SPEAKER_01]: It's high.

[00:05:46] [SPEAKER_01]: Yeah.

[00:05:46] [SPEAKER_01]: But it's really these numbers, 7008 is another one that you'll see in your contracts.

[00:05:52] [SPEAKER_01]: You want to do searches for those to see if any of your clients, obviously you would be able to search for your clients.

[00:05:59] [SPEAKER_01]: You just need to ask them to do that search to see if they have contracts that they support that have those DFARs in them.

[00:06:08] [SPEAKER_01]: Chances are they're going to get pulled in to the CMMC requirement and they're going to have to get level two if they have those requirements more than likely.

[00:06:17] [SPEAKER_01]: And what does that mean for you as an MSP?

[00:06:19] [SPEAKER_01]: That means you're going to have to make a decision.

[00:06:21] [SPEAKER_01]: Do you want to keep them as a client and now you want to get level two certified yourself?

[00:06:25] [SPEAKER_01]: That's eight months to a year for you as an organization to have to do.

[00:06:29] [SPEAKER_01]: Now, if you're like, well, that scares the crap out of me.

[00:06:31] [SPEAKER_01]: I don't want to do that.

[00:06:32] [SPEAKER_01]: Then you need to think about how you want to address that client's needs because you're not going to be able to keep them as traditional MSP like you have in the past.

[00:06:39] [SPEAKER_01]: So that's really a decision that you're going to have to make.

[00:06:42] [SPEAKER_01]: Now, do you have another organization or people that you know and trust that you would want to pass them off to?

[00:06:47] [SPEAKER_01]: Is there some type of partnership situation?

[00:06:49] [SPEAKER_01]: Those are discussions, business decisions that you need to understand.

[00:06:52] [SPEAKER_01]: Right.

[00:06:53] [SPEAKER_01]: You have to start thinking about how those clients are going to have to be handled and what kind of transition that looks like.

[00:06:59] [SPEAKER_00]: Yeah.

[00:06:59] [SPEAKER_00]: Okay.

[00:07:00] [SPEAKER_00]: So now that you're talking about this, I'm very curious about the timing of it all.

[00:07:04] [SPEAKER_00]: So should we break down this timing of, you know, so we just discovered that it has gone through and cleared the review process.

[00:07:16] [SPEAKER_00]: Right.

[00:07:16] [SPEAKER_00]: But that took only 79 days, I believe is what they said from for the review process to occur.

[00:07:25] [SPEAKER_00]: So that's pretty quick based upon what we've previously seen as far as timelines go with CMMC in that sort of world.

[00:07:34] [SPEAKER_01]: So I'm not sure if it's that fast, but it was it basically from when they went ahead and finalized all of the.

[00:07:42] [SPEAKER_01]: Proposal, you know, the comments that everybody did to the proposed rule to now.

[00:07:47] [SPEAKER_01]: So that's December to when it drops, we're looking at I don't know, probably end up being nine months, something like that.

[00:07:57] [SPEAKER_01]: Eight months.

[00:07:58] [SPEAKER_01]: So from a proposed rule to a final rule, that's pretty crazy fast.

[00:08:04] [SPEAKER_02]: Yeah.

[00:08:04] [SPEAKER_01]: I think they obviously want to get that done in the timeframe before the election.

[00:08:09] [SPEAKER_01]: I think that's a big powerful motivator that they want to have.

[00:08:12] [SPEAKER_01]: And on top of that, there's a 60 day moratorium.

[00:08:18] [SPEAKER_01]: I don't know if that's the right term to use, but basically they don't.

[00:08:21] [SPEAKER_01]: Once it becomes a final rule, which let's say, I think it's very effective date for it.

[00:08:26] [SPEAKER_00]: Yeah.

[00:08:27] [SPEAKER_01]: It is it is reasonable to assume that it will drop sometime this month and become a final rule ready for review.

[00:08:35] [SPEAKER_01]: There's like a 60 day clock that starts at that point, that kind of gives the government to do some additional review processes.

[00:08:42] [SPEAKER_01]: Congress kind of takes a sniff test at it.

[00:08:44] [SPEAKER_01]: At that point after the 60 days, assessments can start to happen.

[00:08:50] [SPEAKER_01]: C3PAOs can start looking at their list, which many of them are already backed up out to March to start saying, OK, assessments can happen.

[00:09:00] [SPEAKER_01]: Does December look OK for you?

[00:09:01] [SPEAKER_01]: Because if you take the date, let's say that that the final rule comes out October 1st.

[00:09:07] [SPEAKER_01]: That means that assessments could start as early as December 1st.

[00:09:12] [SPEAKER_00]: Right.

[00:09:12] [SPEAKER_00]: 60 days from now.

[00:09:13] [SPEAKER_01]: Yeah.

[00:09:13] [SPEAKER_01]: If you do the 60 days.

[00:09:15] [SPEAKER_01]: So we're talking assessments could start happening.

[00:09:18] [SPEAKER_01]: You know, Merry Christmas in December.

[00:09:22] [SPEAKER_01]: You know, which is that's crazy.

[00:09:25] [SPEAKER_01]: I mean, that's really.

[00:09:26] [SPEAKER_00]: That's pretty wild.

[00:09:27] [SPEAKER_01]: That's real folks.

[00:09:29] [SPEAKER_01]: You know, it's like how many times have you like picked that vacation date and you like you said it years or so in advance because it's like you're going overseas.

[00:09:35] [SPEAKER_01]: And then like you're getting ready to get on the plane.

[00:09:37] [SPEAKER_01]: You're like, oh my gosh, it's here finally.

[00:09:39] [SPEAKER_01]: Yeah.

[00:09:39] [SPEAKER_01]: That's what it feels like for a lot of us that have been preparing and really working hard.

[00:09:43] [SPEAKER_01]: Right.

[00:09:44] [SPEAKER_01]: To get ready for this moment.

[00:09:45] [SPEAKER_01]: Right.

[00:09:46] [SPEAKER_01]: And it is, it's going to be in your stocking for Christmas.

[00:09:50] [SPEAKER_00]: It's going to be a little stocking stuffer for you.

[00:09:53] [SPEAKER_00]: Congratulations.

[00:09:55] [SPEAKER_00]: Really big stocking stuffer.

[00:09:56] [SPEAKER_00]: So let's talk about what this means for people or organizations in that space but then also MSPs helping those organizations.

[00:10:05] [SPEAKER_00]: So that means that if those people can be assessed, they are going to have that level two certification next to their name.

[00:10:13] [SPEAKER_00]: Right.

[00:10:14] [SPEAKER_00]: So that's going to give some MSPs, MSSPs a differentiating factor separating them from others as well as the government contracting organizations, right?

[00:10:30] [SPEAKER_00]: Who are looking for, well, you know, we can talk about sam.gov later on and what that means with what you were talking about previously.

[00:10:38] [SPEAKER_00]: But what exactly does that mean as far as that differentiator from other organizations?

[00:10:47] [SPEAKER_00]: Can you talk a little bit about that?

[00:10:49] [SPEAKER_01]: So I guess what you're referring to is the fact that it's not in the requirements but yet you can still get certified.

[00:10:53] [SPEAKER_01]: Exactly.

[00:10:54] [SPEAKER_01]: Yes.

[00:10:55] [SPEAKER_01]: So that's a good question.

[00:10:59] [SPEAKER_01]: How many times have you seen someone pull up next to you with a car that you're like, ooh, that was really cool.

[00:11:05] [SPEAKER_01]: I think I'd like to get that car, right?

[00:11:07] [SPEAKER_01]: But there's more to it than just that.

[00:11:10] [SPEAKER_01]: The primes and subprimes have already been having conversations with the vendors that they trust, more than likely, right?

[00:11:18] [SPEAKER_01]: So if they haven't been talking to you, what does that mean for you?

[00:11:24] [SPEAKER_01]: Does that mean that your contractor is just really busy and that they've got other things on their mind and they just haven't gotten around to you?

[00:11:31] [SPEAKER_01]: I don't know.

[00:11:32] [SPEAKER_01]: I don't know if I would agree with that.

[00:11:33] [SPEAKER_01]: I would have to think that these primes and subprimes know what's going to go on in the industry.

[00:11:39] [SPEAKER_01]: They're assuming, expecting that these assessments are going to start happening and they know that contracts, it's reasonable to assume that contract requirements might show up as early as June of next year.

[00:11:53] [SPEAKER_01]: With that being the case, they're already starting to put plans together with trusted contractors that they're used to working with

[00:12:03] [SPEAKER_01]: and trying to see whether they're going to align.

[00:12:06] [SPEAKER_01]: So if they haven't been talking to you, there's a possibility you might not be part of the in crowd.

[00:12:11] [SPEAKER_01]: Maybe not, but what that really does mean is you need to start thinking about where you want to be and start planning on when you want to get certified.

[00:12:21] [SPEAKER_01]: Because these subprimes and primes, they're going to start thinking about trying to make sure that they have those relationships

[00:12:27] [SPEAKER_01]: and they want to see where everybody is on their certification process.

[00:12:31] [SPEAKER_01]: And they're going to start providing preferential treatment for those people that have those certifications.

[00:12:36] [SPEAKER_01]: Now, there won't be requirements yet for contracts until probably June.

[00:12:43] [SPEAKER_01]: So if you happen to be able to go directly to SAM.gov and request those, you shouldn't see those show up until sometime.

[00:12:51] [SPEAKER_01]: Those requirements until June and you can start playing the game of, well, maybe I won't bid on those, but I'll try to bidding on the others that are available.

[00:12:57] [SPEAKER_01]: But eventually what's going to happen is those that, although the ones that will be required for it in the next few years will eventually phase out and they'll all have it.

[00:13:06] [SPEAKER_01]: Not everything that shows up on SAM.gov will require that.

[00:13:10] [SPEAKER_01]: But those that have those, you might be doing construction road work, but if it's on a military base that has sensitive information, chances are the plans of that base that they're going to give you

[00:13:21] [SPEAKER_01]: is going to be considered controlled unclassified information.

[00:13:24] [SPEAKER_01]: So in those types of situations, even if you're doing work that isn't having to deal with launching missiles, you may be pulled into this.

[00:13:31] [SPEAKER_01]: And so to get a good idea of the type of work that perhaps will be exposed to these requirements, just do those DFAR checks in SAM.gov and see if the types of work you have have those requirements in it.

[00:13:44] [SPEAKER_01]: If they do, you know your chance of what you're going to get caught up in this over the next phased rollout.

[00:13:51] [SPEAKER_01]: But what's going to happen with the subprimes and primes, they're going to start pushing that down to their contract people probably pretty quick because they want to start getting the list of people that can help support those bids known.

[00:14:05] [SPEAKER_01]: And they want to put them right where they want to be so that they can get those contracts because the subprimes and primes, they're going to want to get as many contracts as they have possible to snag.

[00:14:17] [SPEAKER_01]: And the more people that are compliant, the greater chance of those they'll get.

[00:14:22] [SPEAKER_01]: So that's kind of how I think that's going to play out.

[00:14:25] [SPEAKER_01]: You know, I wish I could give you more specific answers to that, but having that certification will definitely, you know, as a company will definitely help solidify your ability to snag those opportunities that a lot of people probably aren't.

[00:14:40] [SPEAKER_01]: So you really want to start doing the math on how fast you want to get certified.

[00:14:45] [SPEAKER_00]: Yeah. So the first thing that MSPs and people in that space or organizations in that space need to do, first they need to make sure like they know where they fall in that space.

[00:14:58] [SPEAKER_00]: They need to look at their contracts.

[00:14:59] [SPEAKER_00]: They need to look at their clients if they're an MSP and see if they are falling under this category and know when it's going to hit them.

[00:15:08] [SPEAKER_00]: But then second, they need to know if they even want to be in that space once they know that they are.

[00:15:15] [SPEAKER_00]: Do I want to be a part of this or do I not?

[00:15:18] [SPEAKER_00]: And if you are an MSP, you need to make that correct decision of giving that client to somebody that can if they are still going into that space.

[00:15:28] [SPEAKER_00]: Then you also need to find a C3PAO that can come along your organization.

[00:15:34] [SPEAKER_00]: So let's go into that conversation now. We're going down the line, right?

[00:15:40] [SPEAKER_00]: So you kind of already touched on this. You said they're a little bit backed up here, right?

[00:15:46] [SPEAKER_00]: So let's discuss what that means for organizations that are wanting to get into this space that are hearing about the regulatory review finalized and all of that discussion.

[00:15:57] [SPEAKER_00]: And they're wanting to take that step. What is it looking like for them? What does that space look like for them?

[00:16:05] [SPEAKER_01]: Yeah, that's a good one. This is where experience really pays off. Not all C3PAOs are equal.

[00:16:14] [SPEAKER_01]: Not all C3PAOs are going to look at NIST 800-171 implementation as far as how it relates to CMMC the same.

[00:16:22] [SPEAKER_01]: I know that might sound heresy to some people. They're like, wait a minute, they all should be the same.

[00:16:26] [SPEAKER_01]: Well, that's like robots.

[00:16:28] [SPEAKER_01]: They're not robots. They're awesome. Right.

[00:16:32] [SPEAKER_01]: There are some battleground controls that some assessors will say, I feel this way and some others feel this way.

[00:16:39] [SPEAKER_01]: So the key there is if you're an OSC and you're going to be partnering with an MSP, you want to make sure you partner with an MSP first off that's going to be level two.

[00:16:46] [SPEAKER_01]: So you want to have a hard discussion with them and know where they're going to be at.

[00:16:50] [SPEAKER_01]: Okay. So let's say that you found one that is going to be ready at the time frame you want and now you go to turn to a C3PAO to start the process of picking them.

[00:17:00] [SPEAKER_01]: In that situation, you need to make sure your MSP has a good understanding of the lay of the land of the C3PAOs that will line up well with what they do for a business and they understand it appropriately and that they are going to interpret things the way that you feel should be interpreted.

[00:17:16] [SPEAKER_01]: So you want to have in that interview process because the OSC when they go to pick theirs, they can, they're bidding.

[00:17:22] [SPEAKER_01]: It's basically are picking the company that's going to audit you.

[00:17:26] [SPEAKER_01]: So you have a right to say yes or no to them.

[00:17:28] [SPEAKER_01]: And so what you do is you go through and you just want to ask good questions and try to be appropriately transparent with how you guys operate so that you can pick them.

[00:17:38] [SPEAKER_01]: But here's the catch.

[00:17:39] [SPEAKER_01]: A lot of the C3PAOs have already been backed up as far as March.

[00:17:44] [SPEAKER_01]: I've heard others that have been February, I've heard some that are further than that.

[00:17:49] [SPEAKER_01]: Some C3PAOs that have just gotten their C3PAO approval.

[00:17:56] [SPEAKER_01]: They don't quite have as far as a backlog.

[00:17:58] [SPEAKER_01]: So there's a variation but there's still I think 40 something like that.

[00:18:07] [SPEAKER_01]: C3PAOs, there's a sizable amount of C3PAOs out there.

[00:18:10] [SPEAKER_01]: But you want to know kind of narrow it down to two or three that you sort of want to talk to and start trying to think, okay, if I want to get certified in say July next year.

[00:18:24] [SPEAKER_01]: So that's what I want to do it.

[00:18:26] [SPEAKER_01]: You don't want to do it in November, December.

[00:18:27] [SPEAKER_01]: You want to do it in July.

[00:18:28] [SPEAKER_01]: Fine.

[00:18:30] [SPEAKER_01]: Talk to the C3PAO now.

[00:18:32] [SPEAKER_01]: Go ahead and sign the paperwork with them.

[00:18:33] [SPEAKER_01]: Get in the queue.

[00:18:34] [SPEAKER_01]: They might ask you some specific questions.

[00:18:37] [SPEAKER_01]: Start talking to them right now.

[00:18:39] [SPEAKER_01]: Get that relationship because you don't want to be caught up in the firestorm of people running for the door once this thing starts really going.

[00:18:48] [SPEAKER_01]: So you want to start having those conversations if you're an MSP and you feel like you're ready to get assessed, but you might want to wait till later.

[00:18:56] [SPEAKER_01]: Have the talk now.

[00:18:57] [SPEAKER_01]: They will talk with you now.

[00:18:59] [SPEAKER_01]: You can have the conversations with them now and you have the paperwork signed now.

[00:19:02] [SPEAKER_01]: And you can push it out.

[00:19:04] [SPEAKER_01]: Well, I've heard some go almost a year before they like they'll sign the work for you to do it because they're business too.

[00:19:13] [SPEAKER_01]: They want to go ahead and get their hopper full right of who's going to get assessed when and they're perfectly okay with either taking, you know, just some type of document process or some type of, you know, deposit or things like that.

[00:19:25] [SPEAKER_01]: Those are different between C3PAOs.

[00:19:28] [SPEAKER_01]: So that's why you want to have several to pick from.

[00:19:32] [SPEAKER_01]: But the thing is, get the conversation now.

[00:19:35] [SPEAKER_01]: Start having those and get them lined up.

[00:19:37] [SPEAKER_01]: But it doesn't have to be like tomorrow.

[00:19:40] [SPEAKER_01]: You might even be starting to think about your journey.

[00:19:43] [SPEAKER_01]: We even were talking with C3PAO for us before we had even really built our framework out.

[00:19:49] [SPEAKER_01]: We were maybe a quarter way done when we were talking with our C3PAO last year and had them sign up.

[00:19:54] [SPEAKER_01]: That's why technically we're actually going to, we asked to go first.

[00:19:58] [SPEAKER_01]: They said yes, we're going to go first in our assessment because we wanted to be ready to get our work done.

[00:20:02] [SPEAKER_01]: We wanted to get our certification and you want to be thinking about when you want to get that done.

[00:20:08] [SPEAKER_00]: So the last thing that I wanted to talk about, which we mentioned a little bit at the beginning of this episode, which was the 32 CFR ruling is different than you said the 40-

[00:20:25] [SPEAKER_01]: 48 CFR.

[00:20:26] [SPEAKER_00]: 48, which is the, and you can correct me if I'm wrong.

[00:20:31] [SPEAKER_00]: It's when the requirements really come in for the contracts.

[00:20:36] [SPEAKER_01]: So they have these, you have like the FAR, which is Federal Acquisition Regulation.

[00:20:40] [SPEAKER_01]: I believe that's right.

[00:20:41] [SPEAKER_01]: And then every government body has kind of a sub underneath that the Department of Defense has their DFARs.

[00:20:49] [SPEAKER_01]: So that's the Department of Defense Federal Acquisition Regulations.

[00:20:52] [SPEAKER_01]: So under those DFARs, there's regulations.

[00:20:56] [SPEAKER_01]: And so when 48 CFR drops, what it's going to do is it's going to allow verbiage to update the 7021 requirement as well as there's going to be another one that's going to drop another DFAR that we don't know what the number is going to be.

[00:21:09] [SPEAKER_01]: But what that effectively is going to do is those FARs and DFARs are basically a big table of contents of contractual requirements.

[00:21:18] [SPEAKER_01]: I mean, it is massive.

[00:21:19] [SPEAKER_01]: There's thousands of these things in there and not all of them have to deal with security.

[00:21:23] [SPEAKER_01]: They have to deal with employment regulations, requirements for all kinds of things.

[00:21:29] [SPEAKER_01]: And it's just this tool chest for when the government says, okay, we need to go ahead and request for proposals.

[00:21:38] [SPEAKER_01]: And here's the grocery list of all these requirements.

[00:21:40] [SPEAKER_01]: And it allows them to weaponize these requirements and put them in a contract so that when you sign on the dotted line, you're saying you're doing those things.

[00:21:49] [SPEAKER_01]: So the 48 CFR is going to allow them to put that verbiage in there so that then it can actually go in the contracts.

[00:21:56] [SPEAKER_01]: And that is the last piece of the puzzle, which are anticipating to drop sometime Q1 of next year.

[00:22:02] [SPEAKER_01]: And then with that 60 days, we'll push it out to sometime around June when you might start seeing those contracts start to fall.

[00:22:08] [SPEAKER_00]: And what exactly does that mean for organizations in the that space as well as as well as the MSPs that are working with those organizations?

[00:22:21] [SPEAKER_00]: Like, what does that change with how they're working?

[00:22:23] [SPEAKER_01]: Yeah, it's going to change the landscape right now with 32 dropping so soon that people are going to start having to make decisions.

[00:22:32] [SPEAKER_01]: But then when the 48 starts to happen, those decisions will be made for them.

[00:22:40] [SPEAKER_01]: That's a good way to put it.

[00:22:42] [SPEAKER_01]: Because like once the it starts falling in there, they're going to look to them and go, well, do you have this?

[00:22:47] [SPEAKER_01]: No. All right.

[00:22:48] [SPEAKER_01]: Well, that's lack of decision is a decision.

[00:22:51] [SPEAKER_01]: So you're not eligible for this and we're going to move on.

[00:22:54] [SPEAKER_01]: And that's where I said you've got to do the searching.

[00:22:57] [SPEAKER_01]: You've got to, you know, if you're an OSC that has to your end of the day, then you need to start looking at the same backup.

[00:23:03] [SPEAKER_01]: Maybe you're a subprime.

[00:23:06] [SPEAKER_01]: Maybe you're a prime and you can go straight to Sam.gov and actually look at those things and do those bids, but maybe you're not.

[00:23:13] [SPEAKER_01]: But you can still go on to Sam.gov and you can still do the searches for the type of work that you're doing than right.

[00:23:19] [SPEAKER_01]: Codes you can type those in there for the type of stuff and get a general idea of how many of those are going to have those requirements built into them.

[00:23:27] [SPEAKER_02]: Yeah.

[00:23:27] [SPEAKER_01]: And you can start to get an idea. Well, if 60% of the type of work that's out there all has those DFAR requirements in it, there's a 60% chance that, well, it's not even that.

[00:23:40] [SPEAKER_01]: 60% of the opportunity for you to bid will be off the table if you don't have the certification, if you really want to look at it the right way.

[00:23:46] [SPEAKER_02]: Wow.

[00:23:46] [SPEAKER_01]: Then you can only bid on 40% of what you're used to bidding on.

[00:23:50] [SPEAKER_01]: Is that okay?

[00:23:52] [SPEAKER_01]: Maybe it is.

[00:23:53] [SPEAKER_01]: Maybe it isn't.

[00:23:54] [SPEAKER_01]: That's a business decision, right?

[00:23:55] [SPEAKER_01]: Right.

[00:23:56] [SPEAKER_00]: Only you can know that.

[00:23:58] [SPEAKER_01]: And as an MSP, you need to start talking to your clients to kind of get an idea, do you have these requirements?

[00:24:04] [SPEAKER_02]: Yeah.

[00:24:05] [SPEAKER_01]: And if you do, you need to know that are they going to go for level two and then you've got a decision to make about how you want to do it.

[00:24:12] [SPEAKER_01]: And if you work with an MSP, you need to be very factual with the conversation with them.

[00:24:18] [SPEAKER_01]: And I would not take a pinky promise, especially, you know, we've been talking with many different companies of which some of them are not.

[00:24:25] [SPEAKER_01]: Some, a majority of their work is through DoD stuff and some are heavy into missile systems and other types of government.

[00:24:35] [SPEAKER_01]: 100% of their work is going to be DoD that is going to fall within the CMMC requirements.

[00:24:41] [SPEAKER_01]: So their whole business revolves around that.

[00:24:44] [SPEAKER_01]: They have no choice.

[00:24:45] [SPEAKER_01]: They have to get ready.

[00:24:46] [SPEAKER_01]: And so they can't mess around with an MSP that might say I might do it sometime next year.

[00:24:52] [SPEAKER_01]: Like if they want to get certified in June, they need an MSP that's already ready.

[00:25:00] [SPEAKER_01]: They have no choice because they can't pick someone and then they not be ready.

[00:25:06] [SPEAKER_01]: They can't go for their certifications.

[00:25:08] [SPEAKER_00]: And if they can't go for their certification, they lose their business.

[00:25:12] [SPEAKER_01]: Then they could potentially lose some business if not more business.

[00:25:15] [SPEAKER_01]: Yeah.

[00:25:15] [SPEAKER_01]: And how that's all going to roll out.

[00:25:19] [SPEAKER_01]: No one's 100% sure how this rollout is exactly going to go.

[00:25:22] [SPEAKER_01]: The DoD says it's going to be a phased process over a course of three years.

[00:25:27] [SPEAKER_01]: But no one knows exactly how the subprimes and primes are going to handle things.

[00:25:31] [SPEAKER_01]: Right.

[00:25:31] [SPEAKER_01]: And so that's all going to be interesting.

[00:25:34] [SPEAKER_01]: So you definitely don't want to be trying to be cool playing the field and be left out in the cold.

[00:25:41] [SPEAKER_01]: That could be a really, really expensive affair.

[00:25:44] [SPEAKER_01]: And so there's some things that you really need to start thinking about.

[00:25:47] [SPEAKER_02]: Absolutely.

[00:25:48] [SPEAKER_01]: For those people that have kind of had a flat-earther perspective on CMMC, it's happening.

[00:25:54] [SPEAKER_01]: I mean, there is no...

[00:25:56] [SPEAKER_01]: You might look at it.

[00:25:57] [SPEAKER_01]: I was talking with the potential client last week and they're like, yeah, it needs some more refinement.

[00:26:05] [SPEAKER_01]: We think it needs to get some more work done.

[00:26:09] [SPEAKER_01]: They just...

[00:26:10] [SPEAKER_01]: We feel that they're probably not going to implement it because it's just not quite there yet.

[00:26:14] [SPEAKER_01]: I'm like, okay.

[00:26:17] [SPEAKER_01]: Maybe you might be right.

[00:26:19] [SPEAKER_01]: And maybe I might die by getting hit by a comet.

[00:26:22] [SPEAKER_01]: But neither of those are probably true.

[00:26:25] [SPEAKER_01]: The fact is threat actors are bleeding data out of it.

[00:26:30] [SPEAKER_01]: The DoD has drawn the line in the sand.

[00:26:33] [SPEAKER_01]: They are frustrated with this.

[00:26:35] [SPEAKER_01]: They say no more.

[00:26:36] [SPEAKER_01]: Yeah, they're sick of it.

[00:26:38] [SPEAKER_01]: They're basically driving that car through the gate and they don't care what the consequence of that is at this point.

[00:26:44] [SPEAKER_01]: They are going to be like, we're going to get this done.

[00:26:47] [SPEAKER_01]: And if we break stuff, then we'll just deal with it as it goes.

[00:26:52] [SPEAKER_01]: I mean, have I interviewed somebody from the DoD and I know that for a fact, no.

[00:26:57] [SPEAKER_01]: From everything that I've been seeing them do, it just seems like they have to know how much of a negative impact this is going to have in the industry.

[00:27:04] [SPEAKER_01]: But I just don't think they care at this point.

[00:27:06] [SPEAKER_01]: They just, the way they look at it is the lack of action I think is too negative now.

[00:27:13] [SPEAKER_01]: They would rather argue with people that they can throw money and talk about how just get contracts, change the pricing of your contracts versus looking at Congress going, I'm sorry that, you know, this classified information somehow got ended up in, you know, our adversary's hands.

[00:27:32] [SPEAKER_01]: They just, if they have to choose between the two of those, they're going to pick the former than the latter.

[00:27:36] [SPEAKER_00]: Yeah, right.

[00:27:39] [SPEAKER_00]: Well, this is a really, really big deal and I know we say this for, you know, a lot of announcements, but every announcement is one step closer for that, you know, flat-earther seeing a round earth.

[00:27:55] [SPEAKER_00]: This is a big one.

[00:27:57] [SPEAKER_00]: This is a big test.

[00:27:59] [SPEAKER_01]: Yeah.

[00:27:59] [SPEAKER_01]: And there's also something that we haven't talked about that I think is sort of important is there's a, there's a system called eMASS.

[00:28:06] [SPEAKER_01]: I believe I'm saying that right, that the C3PAO has to submit the scores to and right now I don't even believe that they have access to it yet.

[00:28:15] [SPEAKER_00]: And so C3PAOs don't have access to that.

[00:28:18] [SPEAKER_01]: And that is a critical part of the certification process.

[00:28:21] [SPEAKER_01]: So, right.

[00:28:23] [SPEAKER_01]: It could be that certifications could start in December, but the C3PAOs may not even be ready because all the systems for them to report to you may not be fully turned on yet.

[00:28:33] [SPEAKER_01]: So it could be that they may not be able to start until January.

[00:28:37] [SPEAKER_01]: We just don't know quite yet how that's going to go.

[00:28:40] [SPEAKER_01]: Because keep in mind, it just so that you guys aren't, you may not be aware.

[00:28:43] [SPEAKER_01]: You've got the DOD which is over here and then you've got the CyberAB, which is a nonprofit.

[00:28:48] [SPEAKER_01]: They're not a government agency that is kind of stood up that interfaces with the DOD for this CMMC process.

[00:28:56] [SPEAKER_01]: And the CyberAB's responsibility is to do the certifications, to regulate the industry from that perspective and they connect to the C3PAOs that actually do the assessment.

[00:29:06] [SPEAKER_01]: And the C3PAOs are organizations that are for profit that are just anybody that said, hey, you know, I have a passion for this.

[00:29:14] [SPEAKER_01]: I want to start a business that does assessments for organizations trying to get level two certified.

[00:29:20] [SPEAKER_01]: That's what a C3PAO does and they report to the CyberAB.

[00:29:24] [SPEAKER_01]: So that's kind of that chain, right? That needs to happen.

[00:29:26] [SPEAKER_01]: So just because the DOD says, okay, the 32 CFR is now ready to go.

[00:29:33] [SPEAKER_01]: It doesn't mean that all of that is quite ready yet for the certifications to happen.

[00:29:37] [SPEAKER_01]: We don't know.

[00:29:38] [SPEAKER_01]: We'll see.

[00:29:39] [SPEAKER_01]: They could start immediately happening in December.

[00:29:43] [SPEAKER_01]: It could be January, but it's coming.

[00:29:46] [SPEAKER_01]: It's happening.

[00:29:47] [SPEAKER_01]: So you want to start thinking about that now.

[00:29:49] [SPEAKER_00]: Right. Absolutely.

[00:29:50] [SPEAKER_00]: I mean, no matter where you are right now, there is going to be some gray area.

[00:29:55] [SPEAKER_00]: It's just depending on where you are, the amount of gray area can shrink just a bit.

[00:30:00] [SPEAKER_00]: And so I think how comfortable are you with that large gray area for your business?

[00:30:05] [SPEAKER_01]: So many MSPs and OSCs that I've talked with have kind of like, there's just too much gray area for me to make a decision.

[00:30:11] [SPEAKER_01]: It's okay for you to think that way, but the DoD knows that there's gray areas and they don't care, they're moving forward.

[00:30:19] [SPEAKER_00]: They don't care about your gray areas.

[00:30:22] [SPEAKER_01]: They're just moving forward.

[00:30:24] [SPEAKER_01]: So when you finally have all of the perspectives that you feel like you need to have answered before you jump in the space,

[00:30:33] [SPEAKER_01]: it could be late next year before all those questions finally get answered.

[00:30:37] [SPEAKER_01]: And by that point, organizations very well could have been getting certified for almost a year before all those questions get answered.

[00:30:44] [SPEAKER_01]: And do you want to be in the batch of people that have gone through and gotten certified?

[00:30:48] [SPEAKER_01]: Or do you want to be in the batch now of the other people saying, I guess this is really happening and this is the thing that needs to happen.

[00:30:54] [SPEAKER_01]: Let me go ahead and try to get this done.

[00:30:56] [SPEAKER_01]: And keep in mind it's going to be eight months to a year for you to get ready.

[00:31:00] [SPEAKER_01]: And then you have to then get certified.

[00:31:04] [SPEAKER_01]: So, you'd be putting yourself out to a year and a half later after that.

[00:31:10] [SPEAKER_01]: So that means you might not actually be getting your certification for two years or longer if you wait to kind of see all the questions and read the tea leaves before you even try to get into the ecosystem.

[00:31:20] [SPEAKER_01]: Do you have the ability to dodge the requirements for that long in your business?

[00:31:26] [SPEAKER_01]: Are you okay with that 20% or 30% of your business just not happening anymore?

[00:31:31] [SPEAKER_01]: Those are just business decisions you really want to start thinking about right now and have answers to because you don't want to be caught up in the actual tidal wave of things that could be happening and not in a good way.

[00:31:43] [SPEAKER_01]: And then you're being forced to make decisions you just don't want to make.

[00:31:47] [SPEAKER_01]: I'd rather make a bad decision but I made it myself than be forced to make a quick decision and all of the things that I have left are just bad choices, right?

[00:31:57] [SPEAKER_01]: Yeah, kind of a shirt.

[00:31:59] [SPEAKER_01]: It's still a bad choice but I would like to make a choice on my own.

[00:32:03] [SPEAKER_02]: Yeah, absolutely.

[00:32:05] [SPEAKER_01]: Versus put my head in the sand.

[00:32:06] [SPEAKER_01]: I think there are good choices that you can make.

[00:32:08] [SPEAKER_01]: There's a lot of good ones that could really, I think if an organization plays their cards right this could be a huge opportunity for them.

[00:32:15] [SPEAKER_01]: A huge opportunity.

[00:32:19] [SPEAKER_01]: And you know you either look at it that way or you look at it like necessary evil and then you could find yourself behind an eight ball.

[00:32:25] [SPEAKER_01]: I think there's a lot of companies that are OSCs that see this as a great opportunity for them to get a ton of additional work that they normally wouldn't get because people just aren't taking the actions that are needed.

[00:32:36] [SPEAKER_00]: That's a great point.

[00:32:37] [SPEAKER_00]: Yeah, I mean also you know not to be sentimental about this but what an opportunity it is to work with our government and to have that kind of opportunity to be able to no matter what you're doing because you know there's many aspects of this.

[00:32:53] [SPEAKER_00]: But to even be able to help our country in some way and now it's time that I mean they're forcing us to but we should be taking it seriously.

[00:33:03] [SPEAKER_01]: Yeah, the security.

[00:33:04] [SPEAKER_00]: The security of our country and our government.

[00:33:08] [SPEAKER_00]: And so you know I think you're bringing up a great point of depending on how you look at it as there's a differentiation right.

[00:33:18] [SPEAKER_00]: You're looking a little different, a lot of it different than other organizations with this certification under your belt.

[00:33:26] [SPEAKER_00]: What an opportunity that is for you to really step into this space and like own it in a huge way and get potentially you know you will get more opportunity because of it.

[00:33:37] [SPEAKER_00]: And so you know I love that perspective that I honestly haven't really heard a lot of just really more information.

[00:33:46] [SPEAKER_00]: And so I hope that this podcast for you guys listening is you know both just an opportunity for you to see just our perspective but also just you to think about your own you know after hearing this what we talked about I know we can't talk back and forth but online we can you know on LinkedIn on YouTube and whatnot.

[00:34:07] [SPEAKER_00]: We'd love to hear you guys' input, your thoughts on this, questions that you may have.

[00:34:13] [SPEAKER_00]: We've already had a lot of questions come through on LinkedIn about this you know this had just dropped and so if you guys have any more after listening to this podcast or you want us to cover something specific that we talked about today.

[00:34:28] [SPEAKER_00]: Please let us know because you know we're on this climb just like you guys are, we're here listening. We don't have some insider information like Bobby said, we didn't have somebody sit down with us that we know all the stuff that's coming up next, that gray area is gray to us as well.

[00:34:46] [SPEAKER_00]: And so we're just here to talk about what we know so far and the thoughts that we have moving forward and we'd love to hear your perspective as well.

[00:34:53] [SPEAKER_00]: Bobby is there anything that you wanted to add before we close today or do you think that we wrapped it up pretty well.

[00:34:59] [SPEAKER_01]: I think that's good. I think it's just now is the time to start making the choices and you might not necessarily love the fact that you're having to make those choices but yeah make them now when you can make them versus them being thrust upon you because someone's picking up the phone saying hey I know you bid on this but you don't have this or you're an MSP and they're like hey we really need you to be level two certified where are you at and you have been started and that's not going to be a problem.

[00:35:23] [SPEAKER_01]: Like your second largest client and you don't want to lose them. Yeah that's going to be a bad day for your organization because as an MSP myself being ready is the hardest thing that we have ever done business wise.

[00:35:37] [SPEAKER_01]: If I just went to get certified it wouldn't have been anywhere as hard but being certified and also doing it a way that allows you to support your clients was just another level of difficulty.

[00:35:49] [SPEAKER_01]: Yeah and you need to think about that it takes some time to plan that out as an MSP and I get it it's hard so that's why a lot of MSPs just aren't thinking about doing it or they don't want to do it.

[00:35:59] [SPEAKER_01]: But those decisions are going to get thrust on you whether you want to make them or not so might as well just go ahead and make the call and make the decisions now and because this is like this is the 11:55 on the clock at this point.

[00:36:15] [SPEAKER_00]: Yeah wow yeah that's great well thank you guys for listening to this podcast and continuing to listen to our podcast every Thursday. This one is a pretty quick turnaround but we do have a few more that we are going to be posting with some really great guests that I'm very excited for you guys to listen out for.

[00:36:36] [SPEAKER_00]: So make sure to tune in next Thursday for our next episode but until then keep on climbing. Bye guys.

[00:36:45] [SPEAKER_00]: Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one but until then keep on climbing.