In this episode, Kaleigh Floyd and Bobby Guerra discuss the complexities of adopting CMMC (Cybersecurity Maturity Model Certification) from both the MSP and client perspectives. They explore the challenges organizations face in implementing CMMC, the importance of client education, and the need for a structured approach to change management. The conversation emphasizes the necessity of leadership buy-in and the scalability of processes to ensure compliance without compromising efficiency. The hosts also highlight the ongoing nature of refining CMMC processes within MSPs and the importance of continuous improvement in this area.
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Webinar Registration: https://events.teams.microsoft.com/event/3f0f1447-834f-438b-9b81-74bc9eed8298@edee3165-cd1d-46a0-9efe-d70636e1f49b
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Hello Climbers and welcome back to another episode of Climbing Mount CMMC. My name is Kaleigh Floyd and this is Bobby Guerra and we are your hosts of Climbing Mount CMMC and we also work for a company called Axiom, an MSP that is CMMC Level 2 Certified. And today we are going to be talking about adopting puppies.
[00:00:30] No, we're going to be talking about adopting CMMC. Now in our opinion, you have to adopt this from at least an MSP perspective in two ways. Now Bobby, you want to explain those two different perspectives to the people listening? Well, I think let's make an overarching assumption that you've already gotten your level 2. Congratulations. Congratulations. The reason why I say that is it forces you as an organization to go through the maturity process yourself.
[00:00:59] It forces you to understand how to do it. You go through the audit, you learn how the audit process goes, you know how it feels to talk to an auditor. It really helps mature your organization to be ready to work and function in the ecosystem. So let's take that, set it on the shelf, and let's talk on the... Super easy, barely an inconvenience. Right. Yeah, it's one of these... Put it on your shelf right there. There's ours right there in the background. I'm so proud of that. Yeah. But yeah, that's really kind of the starting pistols. We're talking... You're past that now.
[00:01:28] You're out of the starting blocks and you're starting to turn the corner. And you're going to have to do it with the clients. And we're assuming that you're an MSP, okay, in this scenario. It doesn't have to be, but maybe you're just an implementer. You're adopting this as a company too in your organization seeking an assessment. Right. So you have to also adopt this. Yeah, you've got to think about how you as an organization are going to support them in their journey. So you've got to think about them adopting CMMC and normalizing in their environment and accepting it operationally
[00:01:56] and that they then kind of ride off into the sunset doing their daily thing and living inside this compliant box that they now have to operate in. At the same time, you've got to think about how you're going to support them. So you've got to think about your organization's adoption around supporting them in their journey, right? Right. So those two things are not the same thing. They're kind of two sides of the same coin. And they really are critical to have alignment.
[00:02:25] Yeah, so true. Yes, I love this because for some people listening that might not be an MSP, they might be an organization going through this, you can think of it as an adoption inside of your organization itself. Like you have to own up to CMMC. It is not just a you write the paper to a company that does it or you write the paper and you sign the line to your intern and say, go do CMMC. Now go do that. Well, you have to adopt it as a company.
[00:02:53] It's going to require changes throughout the entire company. And then as an MSP, like what Bobby is saying, you then have to scale this to multiple different clients and teach those clients while you're going through it how it is inside of their organizations. So you don't just drop a hammer down, walk away and say, good luck, right? Let's bring this down to some people. I'm going to say this and they're going to be like, crap, he's so right. I've gone through that. I felt it. I've done it.
[00:03:23] I buy a template and I'm ready, right? But then you feel like you have solved the problem, that you're the genius, your smartest person in the room. You bought that template that promises you to have all the answers to your problems. And then you open that book and you sit down and you're like, oh, crap. How does this translate to how I operationally function? So true. Because no template is going to properly align with you and how your team is going to work.
[00:03:50] How are you going to work them through understanding and adopting that? And that's why we get reached out to so many times by different organizations that buy these templates that they have. And they've started and they've kind of gone through it and they realize this ain't getting it. I need to now figure out how I can get out of this hole that I've just dug myself into. And it's because as they go through and they start to figure out – because this document, maybe these templates are absolutely perfect.
[00:04:19] If you lived and breathed that exact methodology of that company, you would pass, right? But the problem is you've got this perfection and then how you operate and there's this massive gap. So true. Between the two. And it's just too much unless you know really how to do that. Normalization and connectivity between those because both are going to have to move. The templates are going to have to move to the organization and the organization is going to have to move to the templates. And they both have to meet.
[00:04:48] And there has to be a Rosetta Stone there, someone or some organization that knows how to connect those two and tie them together. You have no chance of success. That's so true. I feel like it's like you bought the most perfect, awesome shirt and you love how it looks. But like it's two sizes too big or two sizes too small. Like you still have to scale it to yourself. It doesn't matter how nice it is. You don't know a sewing machine. You don't know how to – you don't know anything about alterations. You're screwed.
[00:05:18] Yeah, exactly. Okay. So, Bobby, you have been feeling this boots on the ground firsthand right now living through it. Could you explain some difficulties and things when it comes to the adopting it as a service team on the service side first? And then we'll talk about the client side. What would you say? Yeah. So that is a great question.
[00:05:43] So what you have to do is you really have to think about your architecture from really two different perspectives. You've got to look at it from a technology perspective. So what technologies are you bringing to bear? Are you doing DLP? Are you doing Azure? Are you doing Google? Are you doing conditional accesses? How are you doing your AV? How are you tackling the Fantastic Four or the Four Horsemen or whatever you want to call the patching vulnerability? Application allow. Application allow listing.
[00:06:12] Those four are just death to try to figure out how to do if you don't know how to do it. So you've got to sit down from a technical perspective, figure out how you're going to do this part. And then you've got to think about from a documentation perspective how you're going to do that, right? And then how those two connect together. And then you've got to think to yourself, now that I have this perfect system to help someone get to where they need to go, how am I going to boil it down to bite-sized chunks for them, the organization that now has to adopt it, right?
[00:06:41] Just because you've got all these great policies and procedures and templates doesn't mean they know how to do it. So you've got to have a process to now take this perfection and feed that to them operationally so that they can now take it in bite-sized implementational chunks. You've got to do it in such a way so that they can do it. And you've got to be able to boil it down into things that they understand. Wow. And that is an art all on its own. So you've got to really think about how you're going to attack that. And that's going to take some whiteboard time.
[00:07:11] That's going to take some maturity about how you operate as an organization. You're going to have to understand how the challenges around working around CUI work. It's super hard. Super, super hard. I have a feeling that somebody is listening to this right now that is implementing this internally for their OSC or OSA. And they just heard what you said and they go, I'm trying to teach them this.
[00:07:35] I really am trying to teach my staff how to use a change control process, but they're just not getting it. You know, or I'm trying to do this. This is, I feel like, Bobby, you can tell me, correct me if I'm wrong, but I feel like this is the part that people so often underestimate of a requirement when it comes to CMMC and the implementation of it.
[00:08:00] And how many people it might take in your organization to do something like this if you did it internally versus an ESP, you know? Yeah. Let's talk about how I've seen people try this and fail. Really good intended people. So organizations like I'm going to sit down with them and I'm going to do a gap assessment and I'm going to list all the things that they've got so wrong.
[00:08:24] And I'm going to figure out where to create this wonderful POA&M that explains how they're probably a negative 203 and how we're going to take them to 110. And what we're going to do is we're just going to start like a little piranha and just nibble on everything and work them through it. It's going to be great. Yeah. That typically doesn't work out great for the client or for you if you don't have really a good process on how to do it regardless of whatever that POA&M says.
[00:08:52] The reason why is most everybody's going to suck at how they have it. So just understand they're probably going to be at a negative 203 or hovering somewhere around there. So you really need to think about how you're going to try to move them efficiently through that process versus we're going to just build this custom home design for them. And we're just going to listen to every conversation they have.
[00:09:15] And it's going to be hours if you don't have already kind of pre-concept of how you're going to move most, if not everybody, through this. If you're just going to sit down and listen to everything they have and build it from scratch, I could not even begin to tell you how many hours you're going to sit down and you're going to custom build an access control policy for the client. You're going to build a custom whatever for this client. This is how they're doing it here.
[00:09:40] I mean it's just going to be endless meetings for probably a year and a half to two years before you have any chance of doing that. You're not going to be able to do it at any speed or pace because the client doesn't know what they want necessarily other than they just want to pass. They just – they can tell you what you have. So if you don't have like constructs already built, templates and processes already done, that's just – I've seen people think that that's how I'm going to do it and then I'll just consult my way through this.
[00:10:06] It's just what you'll find, and so many times I've had this happen, they sit in meetings that go nowhere because they don't have a plan to how to move them efficiently from start to finish. So I love what you said about the client not knowing actually fully how to implement CMMC, but they want it done, right?
[00:10:25] They want it to be done, but they also – I'm going to add on top of that – they will be pissed off if you mess up or mess with their system or mess with their efficiency, which a lot of this stuff can actually do some of that if you're not careful. So you have to be careful.
[00:10:45] So that's part of the reason why if you just try to do a POA&M and just sort of back your way into this, you can find yourself getting yourself backed into the corner because you're just saying yes and trying to work through it. And then you've kind of, oh my gosh, now how am I going to make all this kind of connect at the end with some of these other choices and conversations we had? That's why if you already have a built system that you're trying to move them through and how you would do it, you've already looked at where those dead ends are and have avoided it.
[00:11:11] So that's why I just – I'm not a big fan of the process of just like let's do this gap assessment and POA&M them through this magically because it's just very difficult to see those possible dead ends if you're just making it up as you go along. Like you really need to have a full system to guide them through. And when you think about that and you've tried it, you're like, okay, that makes sense. But now maybe there's people that are magically great at that.
[00:11:40] But what that requires is an individual or a group of individuals that have such a deep understanding of the ecosystem to be able to customize, move someone through that. Like that isn't a system that could even come close to scaling because that means you need to have all these unicorns working with you that just don't really exist. Yeah.
[00:12:02] So what about on the client side when trying to help them adopt this, what would you say it has been – I know you talked about creating this system first. But going even a little bit more specific than that, what is something that clients usually have the hardest time adopting in this process and what can be the most difficult like hurdle to jump through?
[00:12:32] So some big ones that they really struggle with is the access authorization, the process of authorizing users to come into the system. Right at the beginning. We're just starting at the top. Yeah, just letting them in. They just really struggle with that. That change management is a big punch in the face. Like, hey, can't I just install this? No, you can't install it on your own. But I need to. You're like, I know you probably need to. But we got to know, is that software syncing to the cloud?
[00:13:02] Is it grabbing data? Like, is this program a cloud-based program that is going to grab all of your CAD data and send it up to this cloud that may not be authorized to receive this content you're building because it may have CUI in it? These are things that you need to really think about. And, oh, if we do this, we're going to break a boundary and allow physical printing of devices. And maybe with the way you did your scoping, it was never intended to do that.
[00:13:32] There's so many ways that you can just blow off your foot with a rocket launcher. You're doing it yourself. And so you've got to really think about that system. That's why having a system in place, a design to go through and how you're going to ask the clients the questions so that you can appropriately scope it in an efficient way for them so that you then, like the second part of the thing that we're talking about is have a system support them. And that's another unique challenge in itself. Yeah.
[00:14:02] So another thing that I am just curious about is changes and learning how to discuss with clients and your team, you know, changes are always important. But with CMMC, they're not as easy as they once were, just in general.
[00:14:26] Like, for example, if a client came up to you and like you, Bobby, as the CEO, right, of an MSP servicing this client and they go, hey, we actually decided to start printing. We decided to start printing our CUI. Yeah. And then what in the world do you do? Like, I mean, there's so many challenges of explaining to a client. You can't just like you can't just do that.
[00:14:54] And also, if you say that to us, you have to understand what it takes on our side to help you because that's not just an easy fix. That's a whole scoping change, right? Right. So let's walk through that. Let's walk through this in a realistic scenario. So let's pretend you have a client. Okay. How is the client going to do a change control process that kicks to you? Right. All right.
[00:15:21] Are you going to always do all the change controls for the client? Or is the client going to do it all? Do you want to? Are you going to invite them to their CAB meeting? You know, like how are you going to attack that as an organization if you're supporting that client? Okay. Let's say that you don't have an MSP like us and you're just an organization doing it through yourself. Okay. So what platform are you going to do your change management through? Is it going to be via email? Are you going to use like approvals in Teams?
[00:15:51] Are you going to stand up SharePoint and use some type of approval process from SharePoint? Are you going to use an Excel file? Are you going to buy a cloud tool that will let it do it for you? Like some type of ticketing or other type systems. Those are all possibilities that have their own challenges around how you might want to try to do that.
[00:16:12] But this is where like if you just try to figure it out when you do some type of gap assessment and walk through it and just throw a dart and pick a solution versus you've sat down, whiteboarded how all these types of answers need to be done and you guide the client through adopting those. Maybe you might have a few options for the change process and let them pick the path, but you need to go ahead and know what they're going to be already in advance and know how they all connect to the other systems appropriately.
[00:16:39] So no matter what choice they make, they're going to be okay. And so that requires this forethought of planning before you move them through the system. So you've got to really sit down and think about this stuff or you'll find yourself backed into a corner and you're going to have to have backward conversations with a client that is not fun to have. You're like, hey, we thought we were going to use this stuff. It's not going to work. We're going to have to change it. We're going to have to do something different. And they're like, well, what does that do to our timeline of being ready for our audit?
[00:17:05] But, you know, so you've got to think about that. So let's go even a little deeper. So let's say that you want to do a partnership, right? So that would imply the client has to go through an authorization process. They have to have a CAB team. How are they going to meet? Are they going to meet monthly, quarterly, yearly? What system of policies are they going to adopt around that, right? So who are the members who are authorized to make that change? Then they communicate to you through some methodology.
[00:17:35] Was it a ticketing system? They send you an email. Do they run some client on their machine that allows them to send a ticket? Like how is that going to happen? So you think about that and then it comes to you. So now your team as an MSP has to be trained to receive that change request, validate it has been done appropriately, log it correctly in the ticketing system. Because remember, all that's going to have to be audited, right? And remember, somebody's going to judge all of that. Yeah, right? So you're doing this whole dismount.
[00:18:03] Someone's going to hold up a card and go 10 or 0. You know, you're like, darn, you know. This is so important because this really does show scalability here of what you're talking about too. Because you cannot make this customizable to every client.
[00:18:21] Just like what Bobby was saying here, where that change approval or where that change request is coming into your team under, you know, if you're an MSP and you have a team of technicians, they are going to leave. If you start telling them you have to look here for this and you have to look SharePoint for here because one of our clients sends it here and then another one of our clients sends it here and then another one of our clients does this. You can't do that. That's not how an MSP can run. That's not scalable.
[00:18:49] Your technicians won't be able to keep track of that, you know. So you're exactly right. Going deeper, it makes you see what you're talking about, this whiteboard effect of all of a sudden it's not, oh, yeah, change approvals. That's easy. Let me write a document of how we do change approvals and then let me, you know, implement that with like a little cloud solution and that's it. No, no, no. No, that is not what it fully entails and you have to write it all out because there's much more to it than just that.
[00:19:18] Well, and just, okay, application allow listing. Okay, who authorizes apps to execute? Maybe the app is authorized but you still have to go through the app allow list. I was talking with some person who's trying – they're an implementer and they're like, oh, we just lock it all the way down so we don't have to have application. It's purely baseline. I'm like, what? They're like, yeah, yeah. We just do the baseline and so that is – that's how we allow apps.
[00:19:48] We just change the baseline. I'm like, all right. Good luck with that. Oh. It's like obviously that person has not implemented that in real time because you're going to be changing the baseline constantly. You're going to be constantly changing the baseline. Like that's life. Like we've onboarded so many different clients and gone through that. It is insane. Unless you just say I only want these kinds of clients and this is how it's going to be and if they don't like it, suck it. Okay, fine.
[00:20:16] Then you might have the four or five clients that are going to go with you and that is it. But if you want to have a reasonable modicum of capability to support in your client, you're going to have to have some flexibility there. So you're going to want to think about how you're going to be able to support the apps that they're going to need to bring to you. You still have to be able to put the borders on it, but you still have to have some of the customizableness of it. So who's going to do the authorization? How is that process going to go through? Who manages the application allow listing?
[00:20:45] Is it something that's hosted at the client? Is it something you host? Is it a cloud-based solution? How do you authorize all that? Like you've got to think about that and how do you get to do that and collaborate with the client? And now if you don't have an organization like us to do it, you still are going to have to figure out how you're going to do application allow listing. No, you're telling me you can't just write that off? No. You've got to figure it out. And that's a tough one to climb. A lot of people struggle with that.
[00:21:13] They don't realize that it's going to be such a technical punch in the face to figure out how you're going to go through and address. Yes. Because what's going to happen is if you have any type of size to your organization, there's all kinds of stuff people are going to want to do. And they're not going to be able to do it when you do application allow listing unless you pretty much allow everything, which doesn't really work. Yeah. This is where, too, leadership buy-in is so critical. Oh, yeah. Because there's no way you can get past something like that without having them bought in, you know?
[00:21:43] Well, just like a typical commercial client that we work with. Client calls up and says, hey, you know, we just bought this app. Organizations are okay with it. Yeah, sure. Can you help us get installed? Sure. When do you want us to get it rolled out? Mm-hmm. We get it done. Hey, I can't print this. Oh, it's because you don't have the correct driver. Let's go ahead and install a different driver. Oh, that's not working. You're using the wrong type of print protocol.
[00:22:10] We're going to change the ports on this so that you can use this here. Those are just things that you help the client, and you do it right then, and you try to get it solved. But if you start changing ports, maybe that printer is on another VLAN, and you have to open it and authorize it. Maybe you don't realize that, but that printer is actually a CUI printer, and now you've just given someone who's not authorized to have access to that printer now has access to that printer and can print to it. Right?
[00:22:35] It's a different rule of engagement with support when you're doing it with people that have compliance requirements than just a traditional MSP engagement. Yeah, yeah. So the last thing I wanted to ask you is internally, the adoption of it just as an MSP. So this is more catered specifically to MSPs, which is the technicians.
[00:22:57] I mean, Bobby, you spend months and months building this wonderful CMMC process of documentation and implementation, but are you the one that does this for everyone? No. No. No. It's your team, right? It has to be scalable to your team, too. So do you want to explain a little bit of some of the challenges that you faced while jumping that side of it? Yeah, and this is, being very transparent, this is something we're still working through and refining and getting better at.
[00:23:27] I think it's a constant. Yeah, like you're never going to get this perfect, so you're always going to be working on it. But, you know, granted, level two certifications started in January. Yeah, so they say they have it perfect. Yeah. Anyone that says, I've got this nailed down, I've been doing it for decades, is probably lying. Now, there are some organizations that have been doing this longer, but here's the challenge with it.
[00:23:53] But CMMC and how some of the requirements came around, especially with 32 CFR and how they applied to MSPs, sort of changed a little bit. So if you were, like the security protection data and some of those types of requirements didn't exist three or four years ago before that. So it changed a bit of the rules of engagement, the FedRAMP requirement, the way that some of those things have to deal with CMMC. Like that wasn't really a thing some years ago. So true. As much.
[00:24:19] And so these, they've gotten stricter appropriately, I feel like, about how that needs to happen. And so it's forcing organizations to be tighter with how they're doing it. And so because of that, the burdensome requirements on organizations that are doing the implementation is greater. And so you can't just sit here and hire CMMC geniuses to do printer configurations for people or basic workstation setups.
[00:24:49] You can't have, you know, a 20-year veteran of CCA doing workstation installation. But you've got to think about how are you going to educate your existing team where their knowledge set is at and keep it appropriately and create the boundaries to be able to support them in a way where when someone calls up and asks for something, they don't compromise their compliance by just helping them do something they need. So you've got to sit down and think about how you're going to support that.
[00:25:16] And you, if you're working with an MSP, need to think about how they're thinking about it. Because, you know, they may be such the greatest help ever. You're like, oh, this MSP is so great. They always say yes to everything we need and they help us and they do everything we want. It's great. We love these guys. But we failed our audit. You're like, great, you know. Yeah. Like, that doesn't help them.
[00:25:44] Like, so you've got to really think about how you probably are going to have to say no to clients a lot more than you have ever done before. And it's not really so much of a no because we're saying no. It's no because the policies you've adopted that we've worked with you and agreed on how they're doing. They say we can't do that. They say you need to talk to this person to get authorization before we can do this. And this is going to take time.
[00:26:06] So this probably means what you want now at 3 o'clock in the afternoon is probably going to have to wait until tomorrow because that person left on vacation and they aren't getting back. So now it has to go to the owner and they've left for the day. And so now you're going to have to wait until they get back tomorrow to get authorization before we can do whatever it is you want. Sorry. That's how the policy is written. And they're probably not used to that.
[00:26:31] They're probably used to whenever they call that you just fix whatever it is they need however they want whenever they want. Yeah. It's just not the case. Yeah. So it's different. Very, very different. Yeah, that's so true. Any other things that you can think of that you wanted to add? Well, I think your SLAs are going to change. If you go in thinking that your SLA is going to be the same, you're sadly mistaken. There's no way you're going to be able to close tickets anywhere as fast and efficiently as you have in the past. No, because you have more hurdles now. More hurdles to jump through. More things to jump through.
[00:27:01] Like there are times where we've had it where people reach in and they're like, why isn't this done? I'm like, because the person who's three cubes down didn't say yes yet and we've emailed them twice today. Maybe you might want to walk down there and put them in a chokehold. You know, like I don't know what to tell you. Like I can't, you know, I can't pester them, but only so much. And so those types of things are playing out that are changing the speed and rapidness of us being able to close tickets.
[00:27:29] Our average closure rate on tickets is like less than an hour. Like closure, not just response, because we crush tickets. And so we are really, really good at that. And we've noticed that it's just been all over the board just because part of it is trying to train and work with the clients and helping them streamline their internal systems so that we can help support them faster. So it's like help us help you. Right. And know how to do that so that we can get these down to a more scalable fashion.
[00:27:56] And understanding how that game is played so that we can help the client out better is its own art. Yeah. That's such a great point. Yeah. Well, I've really enjoyed this conversation because I do think that this happens to be – we try our best to do a lot of boots on the ground discussion. You know, that really applies to what it's like to for realsies do this and not just read the documentation of it. Right.
[00:28:23] And so we really encourage you guys if you're listening today, if you have any specific questions or more things that you want to talk about that are getting into the, you know, meat and potatoes of it and getting more into the specifics of it, we love to talk about that. We don't want to just be CMMC news. You know, we don't want to be news anchors. We, like, really want to talk about the specifics with you guys and get as much as we can out of it. So let us know if you have any more topics, too, like this because we'd love to cover it. And we're doing that webinar series.
[00:28:53] Like, I mean, there's – Yes. We get even more into stuff. Yes. Thank you for saying that. We've started to do webinars on LinkedIn. And so make sure to check out those and follow us on our Axiom LinkedIn page to keep up to date on when those events happen. But we just recently did one for MSPs that was really fun and successful. And people ask questions in it. And it was great. And we're going to be doing another one in just a few weeks. So – but, yeah, great point. Make sure to check that out.
[00:29:21] And stay tuned, obviously, for next Thursday. We'll be back at it with another episode, which I'm very excited for. So keep up to date. Make sure to subscribe so you get notified when we post anything on YouTube or on Spotify. Rate the podcast if you're listening on one of the platforms. Right, Apple Podcasts. Yes, Spotify. Yeah, great point. Give us five stars, please. Yeah. And thank you guys so much for listening. And remember, as always, keep on climbing. See you guys.
[00:29:54] We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.