(Season Two Episode 4) Bobby is joined by Joy Beland, Stuart Itkin, and George Perezdiaz to discuss the changes happening in the MSP industry, due to these new compliance regulations and frameworks. Is it for the better? How can we prepare our businesses for this change?
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Welcome back to season two of Climbing Mount CMMC the podcast. Today Bobby is joined by Stuart, George and Joy. They are all members of MSPs for the Protection of Critical Infrastructure and today they are going to be tackling some difficult topics discussing the compliance and regulation
[00:00:25] changes for the MSP industry and how that is going to affect businesses around the United States. We're so excited for you guys to join us in today's episode and we hope that you enjoy.
[00:00:36] Okay everybody we've got a very special episode we're joined with multiple people I'm not sure if we've had this many people on the show at one time but I just want to say Joy Stuart
[00:00:46] and George thank you both or all of you for being on the show today and joining us thank you so much. Great thank you. So we've got a really good list of things that we want
[00:00:58] about all of you have such a passionate industry you have all been very very involved in trying to you know high tide raises all boats and I just thank you all of you so much from the
[00:01:11] bottom of my heart for being on this show just trying to help everybody become more educated. We've got a lot of great topics to talk about but before we do I just want to kind
[00:01:20] of give you guys a little bit of an opportunity to talk about your specific area of expertise in the companies that you serve just so that everybody kind of gets a general idea of where
[00:01:30] you're coming from. Joy we'll start with you just because I've kind of known you the longest can you maybe talk about how we ran into each other and sort of you know what you do on
[00:01:39] your day-to-day basis? Yeah well I have deep roots in the MSP industry it is an industry that I love. I had my own MSP for 21 years and I sold that back in 2018 thinking I'm no longer
[00:01:56] going to be anywhere in the MSP working for an MSP ever again so that I could go work in the vendor community the cybersecurity vendor community and for me that was attractive to be able to kind of change the security posture of the MSP industry as a whole
[00:02:14] from 2014 to 2018 it was a huge focus of mine so when I sold my practice and kind of dipped my boots into that it was very exciting for me within a couple of years I transitioned into a certified third-party assessment organization or C3PAO in the CMMC world
[00:02:35] and that really was so that I could focus on standing up a training program for the assessors in CMMC and so it was kind of neat that I was leveraging my background in maturing the security posture within small companies and the amount of training and
[00:02:56] workshops and webinars and presenting all of that was culminating together to be able to stand up the assessor program and you know in order to do that I had to be an assessor myself and I went through the provisional assessor and provisional instructor training when I moved into
[00:03:14] Summit 7 in the role of strategic partnerships the goal was for me to kind of bring together all of those different areas that I had a lot of great relationships formed and expertise so
[00:03:28] in the MSP industry, in the assessor industry, in the training portion of that and consulting and so those came together for CMMC under the umbrella of Summit 7 and that was one of
[00:03:42] the reasons that I was so excited about the idea of starting this collective. I just want to point out that all four of us are competitors, all four of us are from competing companies and
[00:03:53] how rare that is to have within our industry to have us all come together and talk through what's the best approach for this, what it would be meaningful for guidance in the
[00:04:04] Department of Defense and the cyber AB so that's kind of the background and the experience I bring to this. So George, you know we're both associate members of the collective, would you maybe share
[00:04:17] a little bit about what it is that you know the life and the day of George and how you're involved in the MSP space and just sort of share that perspective? Yes aside from saving
[00:04:27] puppies from burning buildings. Oh of course. Yeah so for SP6 for example, it's a Splunk reseller originally as an organization. They also do the co-managed services. I was brought into the company about 14-16 months ago to build the CMMC practice. I have
[00:04:48] done this before. My experience is as a veteran, I started IT in the Air Force over 20 years ago doing anything from building networks to training other network administrators before they get privileged access to a particular network. Then I took the trajectory that most
[00:05:06] military folks do. They become a DOD contractor and a civilian. So I was a civilian working for the Joint Chiefs of Staff under DISA, the Defense Information Systems Agency, and I loved that mission because you are more impactful in my opinion in civilian clothing than in uniform.
[00:05:24] But then I started working on my master's, Bobby, and I was learning a lot about system design and system architecture and whatnot and I knew I wasn't going to be able to use that knowledge
[00:05:34] in the Pentagon because it takes literally an act of Congress to make a change there. So I went and played in the private industry. So for the first time actually working in an organization
[00:05:45] that has nothing to do with the DOD until CMMC, I'm sorry, DFAR 7012 came about in 2016. I was part of the project to implement this in a global organization. We scoped down from 50,000 employees plus to about 3,000 and then I was given the opportunity to manage and
[00:06:04] maintain that program. Through that particular journey you can imagine there's many interactions with the external services provider. At the Pentagon you have a whole bunch of contractors that are external services provider. 800-53 and 171. At the Fortune 500 company,
[00:06:20] a lot of different systems, different applications and whatnot, external services providers. And then as SP6, as a co-managed Splunk and SIEM, as security information and event management organization, engineer and organization, we also traverse our network into the client's
[00:06:39] network. So we have a deep understanding of one, the regulatory and technical security requirements and two, the operational aspect of living and breathing a CUI program, a controlled unclassified information program with many services providers. And we thought that it
[00:06:56] would be critical for us to be part of the journey that the collective is taking here and share that our information. Let me ask you a question. I had no idea I was going to even
[00:07:05] ask you this. Like are you guys planning on going through a level two assessment yourselves? Sir, that is a beautiful question that you will think that I set it up. Yes, we are in the
[00:07:14] process of becoming a C3PAO using that learning to our co-managed services and recently we're using those activities. So yes, we are in the process as we speak. Well, I mean there's just not many organizations that are doing that MSSP that are going to go through that. I've
[00:07:31] heard sticking the flag in the ground to say that they're actually going to do it. A lot of them want to participate, take your money, but not a lot of them want to commit to what's required to make it happen. So hats off to you brother. Thank you.
[00:07:42] Stuart, so if you would kind of just share with us like how you kind of got into the space a little bit and just like your experience and then NeoSystems. Very good.
[00:07:53] And again, I think to Joy's point that there really is a higher order commitment to the mission and to the importance of CMMC as a program being successful that we all share and
[00:08:06] that all bring us together. And it's certainly, you know, the thing that has brought me here. I kind of been on this journey for well over a decade and have been actively involved in supply chain security for the aerospace and defense industry for supply chain risk management
[00:08:24] and compliance. Initially with a company called Exostar, which was at that time a joint venture that had been formed by a number of large aerospace and defense contractors. Boeing, Lockheed Martin, BAE Systems, Rolls-Royce, Raytheon were the primary owners of the
[00:08:42] organization and in the role had the privilege to work very closely with their set as well as a broader set of large prime CIOs and CISOs and was really happy to hear for the first time in those meetings people talking about risk rather than talking about compliance. And
[00:09:04] a lot of that information, a lot of those individuals helped really influence what happened with the CMMC program and feel while some people talk about, gee, I got in on the ground
[00:09:15] floor. I think I had the opportunity to kind of sneak in at the basement a little bit and ride the elevator up as it's been developed. I think a lot of us said that's kind of been
[00:09:24] the case to some extent, right? I think it is. We've all been in this fight for a long time and I think again, you know, we all share that passion for it. From Exostar, I went to
[00:09:36] Coalfire Federal and helped build its RPO practice and its C3PAO practice and took that, the C3PAO practice through its DIBCAC assessment to become one of the early authorized C3PAOs within the ecosystem. But I really recognized, and this is one of the focuses of the
[00:10:00] collective, was that the need for kind of affordable solutions, easy to implement solutions for small and medium businesses within the defense industrial base. And that's what brought me to NeoSystems. NeoSystems is a 21-year-old organization that has been exclusively
[00:10:18] provided or exclusively focused on providing managed services to the government contracting community. And its mission was really to look at how can we build solutions that are easy to implement, easy for small businesses to afford, easy to operate to ensure that this very vital part
[00:10:39] of the defense industrial base, what is it about 73% of the defense industrial base being smalls have access to solutions that will enable them to satisfy the requirements of 800-171, not just to be able to be certified, but on an ongoing basis to ensure that they maintain
[00:10:59] not compliance, but security. And I think with that, we looked at the mission of the collective, had a conversation early on with Scott Edwards at Summit 7 and really talked about our common interest and said, absolutely, it makes a lot of sense to bring one stronger voice
[00:11:23] to all areas, to government, to the market than a series of individual voices. And that's what led us and Summit 7 as two of the three founding partners to be able to help establish the collective. I think maybe kind of a little bit of the
[00:11:39] juxtaposition between all of you guys here, the amount of massive experience in the DOD community and compliance and those types of things. And then you got little old me over here who's coming from a managed service provider. We've been around for 20 years,
[00:11:55] but I didn't grow up cutting my teeth. And I think I'm a pretty good representative of a lot of the MSPs in the space. But again, continuing that juxtaposition, you've got a lot of small
[00:12:08] organizations that do a lot of work with those companies. And they don't have the experience that you guys do. They don't know what you guys know. They don't have all of that deep, rich experience of seeing what that community is like, what's required, all of the…
[00:12:27] It's not just about 171. There's a lot of other DFARs and other requirements that kind of overlay that you really have to understand when you're supporting a client in that space. And quite frankly, a lot of MSPs aren't prepared to handle that. So I just kind of like maybe
[00:12:43] throw this question out here. How do you see the ecosystem for the SMBs, the smaller MSPs that are providing that service? What do you see that CMMC program having an impact for the MSPs as well as those people who are working with them? I'm just going to throw
[00:13:01] that out to the group and just kind of see what you guys say. I was going to say one thing is that it represents opportunity. There is certainly a need, and that need for managed service providers is going to grow tremendously as the program begins
[00:13:20] to roll out next year. And for organizations that are looking for opportunities to grow and expand their business, there is certainly going to be a need. It is a business opportunity, but more important, it's a business opportunity that really comes with, I think, the ability
[00:13:41] to do something that's important for the nation. And that, I think, has attracted a number of organizations that have come. And I'm sorry, Joy, didn't mean to cut you off. No, I love that that's how you started this. I mean, it is a mission. The thing that I
[00:13:57] think is the most important for MSPs to understand about the opportunity, though, is that if you wait to try to understand what's the investment going to be, if you haven't already started and you have one or more clients in the defense industrial base who themselves are
[00:14:15] going to need a CMMC Level 2 assessment, you're jeopardizing that company's ability to serve in contracts. Because it's just such a heavy lift for most MSPs to understand how they themselves will prepare for their own assessment. And necessarily, they're going
[00:14:35] to have to get there and understand how to do it for themselves, how to get their own validation of those controls, but then also to provide valuable guidance to their customers to get their customers through that gate. And the process, the timing of that, the timeline,
[00:14:54] the resources, the investment is something that takes tremendous commitment. And I think a lot of MSPs are not understanding how much resources, how much of time it's going to take to get there and without making a decision to assure their customers, don't worry, we have your backs
[00:15:17] without actually taking that stance one way or the other. They're jeopardizing that customer, their relationship. And so that's the biggest thing is I think our MSP community for many years has been led by vendors who are saying this is the opportunity we can help you
[00:15:36] sell this to be all things to all people and CMMC is not that period. It's not that it's the MSPs themselves digging in very little can be outsourced. You can't have a NOC based in India or the Philippines without understanding completely what the repercussions of that is.
[00:15:55] So it's not a vendor-led conversation that's a marketing theme that is going to get you a high level of return right away. It's a long-term dig your heels and you really have to commit and invest in this. Well, that's kind of the point I was
[00:16:12] really making. Thank you, Joy and Stuart for making that in that you see the richness of experience between all three that are here. And I think that can't be discounted. You need to
[00:16:25] kind of have some knowledge. It's not just a tool you can buy and implement like something else. CMMC is a people problem that needs to be solved by people to get in there and start
[00:16:35] understanding the processes and it takes knowledge. This season, Matt Hopper is going to be, we already recorded this session and that will be coming out in season two. And he talks about the training requirements and that's a great way for you to get involved. If you want to
[00:16:50] get in the ecosystem, you can go through some of those training materials. Your job can't be to be one step ahead of your client with CMMC. You've got to try to be on the mountain
[00:17:01] with the flag, with the t-shirt, right? Because you can't be moving while they're trying to get there. The CMMC marriage counseling approach of both of you guys kind of holding your hands, walking the journey together is just not really very practical.
[00:17:19] There are a lot of tools that can help and hurt you in this journey. I might want to throw this over to George just because the fact that your area of expertise is something a lot of times
[00:17:33] MSPs will lean on. Can you maybe talk about how using a SIEM solution or things like that in the MSP ecosystem, how they've traditionally done it and some like gotchas that could happen with CMMC if you're continuing that same methodology into that ecosystem?
[00:17:52] Absolutely. Before I go there, Bobby, I'm going to go back to your previous question on CMMC. That's a problem. This is an opportunity. From my perspective, MSPs are... The impact that MSPs have on the CMMC program is greater than the impact CMMC has on them. Meaning,
[00:18:12] CMMC, especially for those organizations within the SMB, needs managed services. There's no way that the SMBs can do this alone, exactly what we're talking about here. There's no way that they can go and find a tool set, a landscape of tools to help them achieve
[00:18:28] their goals and objectives securely. From our perspective, what we have seen in the SIEM world just at a small lens has been that organizations don't know how to categorize the system because no one knows what's important anymore. Everything is important or nothing is
[00:18:45] important. What is CUI? A lot of the times that we always see the organization seeking certification or assessment come to the MSPs and ask them, what is CUI? There is no way that the poor MSP has that visibility into their contracts, into their programs. We are there
[00:19:03] just to help them manage and maintain the technical landscape that's there for them. The other opportunity the MSPs need to recognize is that when organizations such as myself, when we're actually building a program, inevitably we have to do an assessment before we can understand
[00:19:19] what they have and what they look like. Instead of seeing us, any one of us here as a threat, take that as an opportunity. I love when an MSP is happy to see us because now they say,
[00:19:31] I am going to learn something. I am going to be more impactful for and with my client. I likely don't have to pay for it because George is there, already paid for by their client. It's an opportunity versus some MSPs just completely get discouraged. They get scared
[00:19:48] and they say, I don't want to do CMMC. I don't want to do NIST. You have 12 months to find somebody else to replace me. It's a matter of how you look at things and having that
[00:19:59] added to the positivity to ensure that you can generate revenue. The CMMC actually needs you potentially more than you need CMMC but it's recognizing that value. Yeah, I think that fish or cut bait, right? If you have clients that are in the ecosystem, you need to either commit.
[00:20:18] The video that we did, we went through actual dollar amount. We were like, it's worth of $250,000. You need at least one to two people to be able to accomplish it. You're going to tie
[00:20:27] that person up doing nothing but really that job for eight to nine months if not a year. It depends on the maturity of the MSP. As we were coming into that space, you guys have kind of talked about this a little bit but it has changed our company.
[00:20:43] It is the hardest thing that I've ever had to do getting our organization ready to do that and it has transformed us. We are so much better for the journey that we have taken because if we've gone through this and it has strengthened our posture, we're better for
[00:20:56] our clients. I think part of the challenge and I want to maybe throw this out to you Stuart is MSPs sometimes don't do a great job of eating their own dog food and it creates this
[00:21:09] challenge because there's this tech debt deficit of understanding of the type of compliance, things like system security plans and appropriate management of processes and policies that a lot of MSPs aren't necessarily great at doing. We hear this talked about a lot of conferences
[00:21:24] that I'm sure all of you have attended. What are some nuggets of wisdom that you can maybe suggest to MSPs to kind of help them level up to get onto the playing field before they maybe
[00:21:36] try to attack the summit of CMMC? If I speak from experience, especially for someone who is a new MSP, go through the process yourself. Start at the beginning and if you look at the traditional approach an organization may take to become ready for a CMMC certification,
[00:22:01] start with understanding your boundary and what it is that you need to protect. Understand the assets that you have and how they're categorized. Go through and do a gap assessment and understand what the delta is. But I think with all of that, most important is
[00:22:20] to understand each and every one of the individual controls and each of the requirements underneath the controls. You can't take a cookbook approach to it and simply say, well, it says I need to do this. I'm going to do this. It's important that you understand
[00:22:37] the why you're doing this. What are the threats in the environment that this particular control is intended to mitigate? I think by going through with that process and with that mindset, it's going to enable and prepare somebody then to be able to work with a
[00:22:56] client and kind of share that understanding. It's not just the mechanics. It's truly the understanding of why we're doing this. To your point, it is more than IT. A lot of organizations, especially commercial managed service providers, understand the IT and the
[00:23:14] IT management of it. It's not about cybersecurity. It's about information security. It's an understanding of all of those other things that have an impact on the security of information, people, and the need to ensure that you've vetted people appropriately, that you've taken
[00:23:38] adequate precautions to be able to protect or at least detect any insider issues that may exist. It's the security of the facilities. It's the assurance that when somebody comes in to visit, that they don't have unfettered access to information that may be on screens or that may
[00:23:58] be laying around. It really is go through and understand what the requirements are, but understand why the requirements exist to be able to satisfy them. I think just to go to one point, and it's an important one that George and Joy made,
[00:24:17] it is a commitment. It's an investment to be able to get there. You need to understand that rather than going halfway. It's a business decision for a lot of commercial managed service providers in terms of whether they want to go through this, but we certainly don't want
[00:24:36] to scare people away from doing this. It is achievable. It can be accomplished. And ultimately, the ecosystem is going to need more of us with the passion and the ability to be able to support all these small and medium businesses within the DIB.
[00:24:54] How much of a challenge, Stuart, do you see that being fulfilled? Are we going to have a crisis here? I try not to be a sky's falling, but what are we looking down the barrel of here?
[00:25:08] I think there is a real supply and demand issue that's going to need to be addressed. I think it's more than just managed service providers. It's going to be with respect to C3PAOs, with respect to the individual assessors, and so forth. The government
[00:25:27] is looking at how to stage or roll this whole program out with the hope that capacity builds as the demand increases. But certainly, I think that is going to be a challenge that exists out there. I think one other point though to make, and it's really related to
[00:25:51] organizations coming in perhaps without the commitment. We're serving organizations that know how to do the things they do. They know how to make what they make, they know how to deliver the services. They're not IT experts, they're not
[00:26:04] cybersecurity experts, and they have real difficulty discerning the claims that are made by individuals out in the marketplace. And there are many very capable, good managed service providers out there, but there are others that are making claims that are just incredible.
[00:26:26] We'll get you compliant in two weeks is one that I've seen. Others out there that again need to be taken with a grain of salt about the size that you used for your water softener. And the challenge is that again, that the organizations that need the help don't
[00:26:46] have the ability to really distinguish the valid claims from other claims. And I think this is one of the reasons why the collective is focused as one of its tenets on establishing kind of minimum standards for organizations to be able to demonstrate that they have made that investment,
[00:27:05] that they do have the capability of being able to support an organization. One of the things I love so much about what you said, Bobby, in your own journey,
[00:27:14] the amount of resources and time that you spent to do this is if an MSP or MSSP is going to take CMMC seriously and decide, yes, we're going to do this. They need to go through the journey
[00:27:28] of educating themselves. Don't do it alone. I think this is an area that it's really important for MSPs to understand they don't know what they don't know. So seeking the guidance of
[00:27:40] others who have done this journey, consultants, whether it's a C3PAO or an RPO that has done very well getting organizations ready for their own CMMC level two assessment. There's a lot of them out there. There's a lot of peer groups starting to form around
[00:27:56] getting ready for CMMC. But once you've made that commitment and you start that journey, looking at the MSPs for the Protection of Critical Infrastructure is that next mature step that you would want to make. The requirements to join us varying on what kind of member you
[00:28:15] want to be can be, yeah, I'm just an MSP and I want to kind of be informed about what you guys are doing too. I want to actively participate. I want to vote. I want to be a part of
[00:28:24] change in legislation impact to the entire ecosystem and community. Like how involved do you want to be? But that's where MSPs are coming into us is they've made that commitment. And the thing I love is that your MSP, three or four others that have joined us early on
[00:28:46] are small MSPs that made the commitment that are focused on the defense industrial base. So the people, any organization that joins us in service delivery, that is their focus because it's a big expense, big commitment to resources. Yeah. And me as a managed service provider,
[00:29:05] I wasn't sure exactly when I joined the group what that was going to be like. The meetings are very timely, reasonable. The cost to join was very reasonable for our size. So they did
[00:29:17] a good job of scaling it that way. But then I got to connect with others in the industry that are much larger and I get to see kind of how they're operating and have conversations
[00:29:26] with them and get connections because I think we can all kind of agree that this ecosystem is not large enough for anybody to be an island unto themselves. You need to get connected. You need
[00:29:37] to start getting involved in getting to know other players in the industry and communicate and talking. And I think this group is such a great way of getting your ear to the ground.
[00:29:47] You guys are in Washington having conversations, trying to see how we as MSPs can be first in the assessment process and those critical infrastructure organizations have to go first because we've got to get our assessments done first. You guys are taking on that challenge of
[00:30:01] many, many others. I'm sorry I interrupted you but I just for me in my perspective that's some of the best value that I've been getting out of being a member. We're getting legislative initiatives. We have a lobbying firm. We're like Stuart's being
[00:30:22] our communications person and navigating all media relations. We have highly technical people on our team. We have Jacob Horn who is like probably the most well-versed person in all of the regulatory body of work. You know when George and I dug into all right how would scoping
[00:30:45] what do we think the DOD needs to know about how MSPs function and what we think scoping would look like knowing that we don't actually process store transmit CUI but the security protection data, the security protection assets category that we represent. What does that look
[00:31:08] like at an MSP? This is a lot of work. I just Stuart, George, everybody on the collective, we have our full-time jobs and it's a lot of work to put together our positions and get us
[00:31:24] out there in the community really get the voice of the DOD, the legislature. We're making a big difference so it's very exciting. Yeah I'd like to maybe pivot a little bit here to ask the question about the document that you guys created. Before we talk about the document,
[00:31:41] I think it's important to talk about the challenge about why you guys felt it was necessary to create it in the first place. Can you guys talk about the challenge of how getting
[00:31:51] level two assessed as an OSC or an organization looking for assessment is good for maybe that organization but for a managed service provider us getting assessed what's that difference because some people may not necessarily be aware of why there is a potential challenge. Is that
[00:32:10] something you could maybe talk to, George? Sure so if you look at the CMMC assessment guide for example and or the assessment the scoping guide it has a very cool little diagram that shows you from the cyber AB perspective how an organization seeking certification or assessment
[00:32:30] will be structured. They show the items that are out of scope in red, they show the purple as the security protection assets that potentially defines the boundary and provide protections to the CUI
[00:32:42] assets and then inside that bubble you have the OSC themselves and the MSPs or the external services provider. A lot of the times external services provider feels as if they are outside the box. They don't recognize that by virtue of accessing the environment for their client
[00:33:04] they are automatically affecting and being affected by the regulatory requirement so it's a matter of how are you doing what you're doing for your client right. How are you remoting into that location? Are you having do you go through VDI and then get into the
[00:33:19] security protection asset and depending on those different use cases and we went through a lot of them and we went through a lot of visual diagrams so that we can dissect all the pretty
[00:33:28] pictures and then break it down into different components. How each one of those line items quote-unquote use cases affects the certification, the scope of the assessment and the certification for that for that client. So we felt that it was a dire need for us to
[00:33:45] agree on yes if and when you access that environment for your OSC, organization seeking certification, you may be an SPA at that use case a security protection asset as just that alone. If you're
[00:34:01] accessing their endpoints or a server that has processed or transmits CUI then you are automatically yourself as a person as an entity you are yourself a CUI asset. So we went through all
[00:34:13] those discussions it was beautiful Bobby because like Joey mentioned it was a lot of us in different rooms remotely. We agreed and disagreed respectfully right and then arrived at the conclusion that
[00:34:27] yeah this is once you have no other what if you know as a group then you arrive at the conclusion that this is going to be a CUI asset, a security protection asset and this
[00:34:40] is how an OSC I'm sorry an MSP or external service provider will be affected by the certification. It's like CMMC is almost like so many people that are involved in it it's
[00:34:52] like a religion. I mean there's like a lot of people have some very passionate views on these things and you know having that many people together in a room agreeing on an approach is
[00:35:03] pretty significant. Yeah I love that you said that right because it is exactly that and you have to go to the scripture you have to go to the written guidance right and you have to go
[00:35:15] more than just a Sunday if you really want to speak the language of the Lord. You see now you haven't started Bobby. Yeah excellent analogy I love it. So yeah it is exactly like that.
[00:35:25] So Joy, when you're looking as an MSP, you know, as owning an MSP, you speak the language pretty well, if not better than me, and I have my own MSP. Is
[00:35:41] kind of that logic that a lot of us have tried to do, well, I'll participate but I won't be required to be certified, this kind of belief that MSPs could sort of dip their toe in
[00:35:51] without having to be held to the standard that the organization they're supporting is going to be held to, I think that's been shattered now, right? With the proposed rule it's very clear that MSPs are going to be pulled in, just kind of like what George is saying:
[00:36:03] if we're going to participate and help with the assessment, you know, with the technical requirements, we're going to get pulled in. We're going to be required to be level two certified. So that creates this challenge: MSPs aren't going to contain, probably, controlled unclassified
[00:36:18] information. It's not going to come to us. It's going to go to our clients, and the assessment has been built around the assumption that that's going to be happening, but for us as MSPs that's probably not going to be the case. Can you maybe talk a little bit more
[00:36:32] about the document that you guys had, that kind of helps frame that perspective a little bit better, about how that approach works? Well, Lynn, here, the reason that we did the document is
[00:36:46] to address what you just said. First of all, that MSPs, they understand if they perform a service capability, any of those security controls, on behalf of an organization that is going through
[00:37:00] their CMMC assessment, they now are in scope to get CMMC level two themselves, and the best way to picture that is: I have a 25-person customer that does manufacturing, and that 25-person
[00:37:17] customer, if they want to do CMMC all themselves, they probably have to have five people on their IT team, right, doing security, and that's not realistic. We all know that's not realistic,
[00:37:28] so if they took those five people and said, I'm going to pay for them as a contractor instead, those five people are the MSP now, but they're still performing those same capabilities
[00:37:40] as if they were in-house. So when an MSP says to me, I only set up new computers for them and do their patching on their servers and we have a NOC that helps them out, we are not
[00:37:54] going to be CMMC, I'm like, oh no, you are. You are going to be CMMC level two required for those capabilities that you perform on behalf of the customer. So there's that part of it. The
[00:38:06] other reason that we authored this paper is that there's a lot of folks in the DoD and even the Cyber AB that really don't understand how MSPs work, and so at first, prior to the
[00:38:20] proposed rule coming out, the DoD was saying that they wanted MSPs to be FedRAMP moderate or equivalent, which is 324 controls, 325 plus, out of the NIST 800-53 catalog. I mean, it's a huge, there's,
[00:38:38] I think there's one or two MSPs in the United States that are FedRAMP, but it's such a huge lift, it's extremely expensive, and so having them reduce that now to, okay, they have to be
[00:38:51] required to be CMMC level two themselves, even then I don't think the DoD understands how MSPs work, the kind of tools they use, the kind of outsourced resources. I mean, I made my living
[00:39:04] for a couple of years after I sold my MSP working for a security vendor that proffered to MSPs: use the outsourced India-based NOC and SOC services so that you don't have to try to
[00:39:18] build your own SOC in the United States. And so, taking a realistic look at how would that work? If you're an MSP and you have a NOC based in India doing the patching on the servers
[00:39:34] and the basic remediations, George and I were sitting there going, okay, what does this look like, how do we peel this onion? How do we address that? Are there certain kinds of CUI that they still could handle using an outsourced NOC, and what would those
[00:39:54] dissemination limitations be? Is it export-controlled data, ITAR? So we had to really talk through all of those different scenarios, and that's what I think the gold is in a collective like ours. When we're talking about, yeah, we disagreed, we went back and forth, and
[00:40:15] then what we came to finally as a group, and the purpose is not to exclude as many MSPs as possible so that we can have all of the business for ourselves. It is not that. This
[00:40:25] group here clearly shows that's not the case. It's not at all, and I hate it when I hear that. I still hear that from other people that are like, oh, they're trying to be exclusionary.
[00:40:36] No, actually we understand how the MSP ecosystem works. We understand the adversaries and we understand the CMMC requirements, so we're trying to refine what that looks like for the benefit of the DoD, the OSC, and the MSP world. We're trying to do different languages
[00:40:58] and have one translator. Well, I think that document proves that you want more participation now. You know that it's there, so if you're a managed service provider or you're looking to hire a managed service provider, definitely check out the document
[00:41:14] that Joy and George are talking about. I wasn't as involved in it just because I'm just so focused on some of the things that I was doing, and I was hearing some of
[00:41:25] the things you were going on doing and all the meetings you guys were having, and I just, hats off, and I appreciate the fact that you guys did that, because that's a crazy difficult challenge.
[00:41:36] But one of the things that I loved about it when I looked at it was that you didn't shy away from difficult conversations on the design architecture of it, right? So like what George talked about,
[00:41:47] scoping is so critical, and if you're new to the CMMC ecosystem you may not know what scoping is, but it's basically an attempt to reduce your risk, to shrink down where that data that
[00:41:58] the government cares about may be residing, so that those are the areas where you're going to try to apply those security practices from the 800-171 and 171A, as well as the other requirements that have to come along with the contracts, because there's a lot of other things besides
[00:42:13] just that. But they did such a great job of having complex, realistic scenarios for a managed service provider, because not all MSPs are going to only do CMMC, right? They're going to be involved in having other clients that aren't necessarily in the ecosystem, and your
[00:42:30] design has that assumption in it. So if you're trying to think about participating in the ecosystem, take a look at it. It gives you a great idea of seeing how some of those designs may look and how you might be able to continue to practice supporting your existing
[00:42:45] clients as well as supporting those new clients. MSPcollective.org, and when there's a menu option, This Is Where We Stand, and if you scroll down to the bottom, it's External Service Provider Recommendations and Scoping. Bobby, I love that you said that, because it's what Joy said:
[00:43:05] there's nothing more expensive than ambiguous requirements and assumptions, right? Because you're going to protect the wrong thing and you're going to make investments that are not going to translate to actual positive outcomes. So this documentation, to your point,
[00:43:19] is exactly that, it's guidance. Hey, look how you can dissect the gigantic scoping guide, the DFARS requirements, even the export control requirements, into one document, into a paper with pictures, right? Because, yeah, that's how the soul thinks, with pictures anyways.
[00:43:37] Yeah, what I also liked is when we were in the group meetings we were talking about it and seeing that document as it got to be evolved, and we got to see the input of
[00:43:46] others in how we tried to continually grow the realistic perspective of that, and I just, it was great to see the baby grow up and then become a document that has been published,
[00:43:57] and I think, I hope, more people are paying attention to that. But Joy, or anyone, I'm just throwing this out: what traction are you seeing from people who are looking at that document, and what do you see the positive impacts from it thus far?
[00:44:15] Well, it's a conversation starter. I mean, that's what it was meant to be. We can't tell the DoD what to do, we can't tell the Cyber AB, right? So we're hoping that they take it seriously.
[00:44:26] We had submitted it as part of the comments on the proposed rule. I understand, I have confirmation from people on the working group that go through the comments that,
[00:44:36] yes, it is being read. We have conversations with the Cyber AB, with Matt Travis. Yes, he's seeing how we're proposing that the Cyber AB might handle standing up the program, the recommendations that we made. We've talked it through, answered questions, and so it's just
[00:44:57] meant to be a guide for conversation for right now. I think that the next step is we are working with the C3PAO forum, so this is an association of all the different C3PAOs who have
[00:45:12] been authorized to go out there and do assessments, and we want to work with them now and all of that assessor community to see if what we've authored aligns with them,
[00:45:25] because the C3PAOs themselves, we believe, are going to be the ones that go in to assess an MSP the same as they would assess an OSC. So having them understand how we think MSPs should
[00:45:39] be scoped, what the MSPs use in the way of tools, the service delivery models, external and internal to the MSP, all of that, it's been really important to align on. So those are our next steps in
[00:45:51] taking this document and helping us to align with the assessor community. All right, I'm going to throw out one last challenging question to everybody, and I'd like to get all of y'all's input about this, but let's dream the dream. Let's dream the dream that
[00:46:11] they listen to the document and they decide MSPs need to be assessed differently than the normal OSC. So here's the specific, pointed question I'd like to ask all three of you,
[00:46:23] and I'd like to get your input on it. Number one, do you think it's wise to have a separate type of assessment for MSPs versus the OSCs? And number two, do you feel like the standard
[00:46:35] should be higher or lower for the MSPs, and what would that look like? I know this might be a Pandora's box and we might just have flipped into two episodes just with that one question,
[00:46:45] but I just think it's such an important question, and I was really looking forward to asking all three of you your perspective on that. So I'm just going to take a little bit
[00:46:53] of liberties here and ask, maybe, if I can, you know, jump in. I mean, I think one needs to recognize the kind of risk, on one hand, that MSPs represent within the ecosystem. You know, we're potentially responsible for supporting tens or hundreds of
[00:47:14] individual OSCs. That makes us a very rich target for our adversaries, and, you know, so certainly that risk I think warrants, to some extent, a higher standard, to ensure
[00:47:29] that we're protecting the interests of all of those that are dependent upon us. I think the other, though, is it's about an appropriate standard. You know, Joy mentioned that at one point the DoD was looking at the FedRAMP standard for external service providers, for MSPs, MSSPs,
[00:47:50] and it was a standard that was particularly developed selecting controls out of the 800-53 catalog that applied or were applicable to cloud services. Well, managed services and managed service providers have different responsibilities and probably also different liabilities that they
[00:48:08] represent, and while 800-171 is a good start, it deals, you know, largely with data confidentiality. You know, the responsibilities that an MSP has to organizations are both about the integrity of the information that they're serving for that organization and the availability
[00:48:28] of that information. And so if one were thinking about, you know, what really was an appropriate standard longer term, and I think this is kind of a crawl, walk, run, but I mean, ultimately, to ensure that a standard is protecting OSCs, to ensure that
[00:48:47] MSPs they work with not only can ensure the confidentiality of information but the integrity of information and the availability of information, as they, you know, when they need it. George, next. No, you're gonna hear Auntie DeJoy. I love it. Okay.
[00:49:04] I'll go. Yeah, so for me, Bobby, if you look at it from the perspective of the Six Sigma principles, right, in the Six Sigma principles we have the CTQ, critical to quality.
[00:49:15] We have to look at this aspect for the MSPs as critical to security and critical to compliance, right? So to Stuart's point, why? You're a single point of failure, potentially, a one-to-many relationship. But also the reason why you ask if they can be, should be, done differently:
[00:49:33] yes, because not every MSSP is created equally, right? Like you said so yourself, some MSPs are going to be deeply embedded into the CUI systems, the CUI assets; others are going to be just creating those systems, provisioning the systems, handing them over to the OSCs,
[00:49:52] and probably not interacting with the CUI asset, and just staying with the security protection asset. So it's going to be a delicate balance to find out, sure, what is the MSP that
[00:50:01] is going to do XYZ, and ensure that we have visibility into if they change, if they try to do more. That sort of implies, kind of going back to the 800-53 Ron Ross philosophy of
[00:50:17] customization, right? What's the term he uses? Tailoring, right. Yeah, tailoring. It's, you know, having some type of assessment methodology that has built-in tailoring, and that's something that the, you mean like the RMF? What do you know, right? Yeah, I mean, but you know, the CMMC
[00:50:35] framework doesn't seem to really want to adopt, I mean, when they looked at Rev 3 for 171, people were losing their minds because it had, you know, variables now all of a sudden, and that, people don't seem to like. I don't know why,
[00:50:53] a tailoring concept in the CMMC field. I'm sorry, I'm getting on a soapbox, go ahead. I think it's just to, you know, to again emphasize this is one team, one fight. This is one of the most
[00:51:04] collegial ecosystems that we've seen. I think a number of us were at an industry conference in California about a month ago, and it was a collaboration fest, almost, so to speak, of organizations that you would think of as competitors in the marketplace. What were they talking about
[00:51:25] again? Yeah, how can we do a better job of supporting the ecosystem? It is one team, one fight, and, you know, we welcome other like-minded organizations, other like-minded individuals, to
[00:51:38] join us. Yeah, and we have a podcast coming up that we will be recording. We'll be talking about just more reasons why you would want to get involved in the ecosystem. We talk about
[00:51:48] how you can do it, so stay tuned for that, coming up further down the line. So thank you all so much for joining us today. I really, really appreciate it. I could talk with you guys for hours
[00:52:00] about this topic. I know all of you have such a passion. We touched on some topics that I was just like, oh, I really want to go down that rabbit hole, but we did have objectives and
[00:52:09] some things we wanted to talk about, and I think we did cover that, but I absolutely would love to have all of you back on our show again, talking about more things that I just really
[00:52:18] wanted to touch on but we just didn't have time. So thank you all so much. Bobby, thank you. Thank you. Well, thank you all for joining us again today, and as always, keep on climbing. Make
[00:52:27] sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode, and listen out for the next one, but until then, keep on climbing.

