In this conversation, Kaleigh Floyd, Bobby Guerra, and Adam Evans discuss the distinctions between Cloud Service Providers (CSPs) and other External Service Providers (ESPs), the significance of Controlled Unclassified Information (CUI), and the importance of vendor assessments in the context of the 32 CFR rule. They delve into the necessary audits, risk management strategies, and the implications of security protection data versus security protection assets for contractors and subcontractors in the defense industry.
They discuss the importance of selecting the right vendors for compliance, emphasizing the need for vendors to be prepared and knowledgeable. The conversation also highlights the ongoing nature of compliance, stressing that businesses must continually assess and update their practices.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:12] Hello Climbers, today we are going to be talking about vendors and the 32 CFR Rule.
[00:00:20] So we are excited to share some info about, many of you guys have been seeing maybe some things online about CSPs, FedRAMP, the requirements, what does that mean?
[00:00:34] You might be a contractor or subcontractor that's in the DIB space going, what the heck do I do with these vendors around me?
[00:00:41] How do I choose the correct vendors for my CMMC journey?
[00:00:45] If you're having those questions, those concerns, this is the right place for you.
[00:00:51] We're trying to help you.
[00:00:52] We're going to share some information that we have gathered from the rule as well as how that could affect you.
[00:01:01] And we're also going to share some questions, some things that you should be asking your vendors when choosing them to help you better assess where they are in their journey.
[00:01:11] So I have Bobby, I have Adam.
[00:01:14] They're here to share their knowledge about all of this.
[00:01:17] They know way more about it than I do.
[00:01:19] But let's start this whole journey by talking about what a CSP is.
[00:01:26] I think this is important to start with because in the 32 CFR rule, it does discuss the difference between CSPs and ESPs.
[00:01:38] What makes it a CSP?
[00:01:40] What makes it an ESP?
[00:01:42] What's the difference?
[00:01:43] So let's talk about that.
[00:01:45] I am going to completely and totally steal what Karen Sanford said in one of our podcasts previously.
[00:01:52] It was a good summary.
[00:01:53] Because I think she did a wonderful job.
[00:01:55] So when you are an ESP, you're going to have a contractual agreement with a client in a relationship that continues through time.
[00:02:08] Whereas a CSP is somebody that could, and I think this is important to note, even in the rule, I'll put it up here.
[00:02:15] It talks about that you can rapidly release with minimal management effort or service provider interactions.
[00:02:25] You don't need that interaction like what I was saying with an ESP.
[00:02:30] And so I feel like how she explained that with what the rule says is a beautiful explanation of the difference between those two.
[00:02:37] So if you're wondering what you are, maybe that will help.
[00:02:40] I think one of the things that's important to kind of think about is that the CSP is a sub, a subset of ESPs.
[00:02:47] So it's not one or the other.
[00:02:50] But it is, I think, good to maybe use some examples.
[00:02:54] Like a CSP would be like Blackpoint, right, Adam?
[00:02:57] Or Azure.
[00:02:58] Those are examples of CSPs that are kind of like what you're talking about, Kaleigh.
[00:03:03] You just sign up for them, buy the subscription, put your credit card, you're done.
[00:03:07] You don't have to really do anything.
[00:03:09] Whereas an MSP, like us, we're still an ESP.
[00:03:12] We're just not a CSP.
[00:03:14] We have a contract.
[00:03:15] We have services.
[00:03:16] We can negotiate the contract.
[00:03:18] We send them quotes.
[00:03:19] They accept it or they don't.
[00:03:20] Maybe they make some changes.
[00:03:21] It's much more relational.
[00:03:24] Right.
[00:03:24] Or ultimately, you have your cloud service providers like Microsoft, Amazon.
[00:03:29] You want to get a resource out there.
[00:03:31] Your barrier to entry is your credit limit, basically.
[00:03:34] Swipe the card, you're in.
[00:03:35] Your ESPs would be the people who are doing stuff on top of that.
[00:03:38] Could you be an ESP that's also a CSP?
[00:03:41] I mean, there's companies out there that will do all the above.
[00:03:44] But I'd say most companies will probably fit into that ESP model.
[00:03:48] And that's where a lot of our vendors seem to start to hit.
[00:03:51] But there are certainly going to be some out there that do provide the cloud resources as well.
[00:03:56] Right.
[00:03:56] So it's just important to understand the differences where those boundaries lie.
[00:04:00] And that ultimately just gets into overall just understanding scope.
[00:04:04] Mm-hmm.
[00:04:04] Mm-hmm.
[00:04:05] And so, too, if you're new to this discussion or maybe CMMC and specifically the final rule that was just released,
[00:04:16] the 32 CFR final rule, you know, you might be asking possibly why do they talk about CSPs the most out of all ESPs?
[00:04:26] And that's because CUI, right?
[00:04:29] And environments that store or transmit or process that, right?
[00:04:36] And so those are the ones that they're the most nervous about.
[00:04:41] By the, I mean, the DOD, right?
[00:04:43] They're nervous about the CUI in that space.
[00:04:45] So in case you don't know, the CUI, just in case you happen to just be freshly tuned in and you haven't even done this,
[00:04:50] the CUI is basically the controlled unclassified information the government has given that contractor.
[00:04:56] And now they could potentially pass it off to another vendor.
[00:05:01] And if the government entrusted that to you, of course, they're going to be super curious about that data going somewhere else.
[00:05:06] Mm-hmm.
[00:05:06] And so this starts this whole kind of, you know, gears turning on this whole process.
[00:05:13] Yeah.
[00:05:14] And I mean, it fully makes sense.
[00:05:16] You know, if their CUI is in that environment, they want to know what that environment is.
[00:05:21] So, yeah.
[00:05:22] So we take that seriously and we hope that you guys are, too, tuning in.
[00:05:25] So let's talk more in depth about what you need to have ready.
[00:05:32] And by that, what we mean is what the vendor should have that you can ask them about that should clarify to you where they are at in their CMMC journey or their qualifications, right?
[00:05:49] Because you don't want to know that when you're doing your assessment.
[00:05:53] That would be impossible.
[00:05:56] You need to know that stuff before getting into this.
[00:05:59] So let's talk about, Bobby and Adam, let's talk about the first thing that we want to discuss about what they need to have ready.
[00:06:08] What kind of audit have you had, right?
[00:06:12] So you can ask that to the vendor, what kind of audit they have had.
[00:06:15] And what do you mean by that question?
[00:06:17] Like, what are you trying to clarify to that person?
[00:06:22] Well, I think where this kind of really comes down to a fine point is a lot of vendors thought that they were off the menu until the final rule dropped, right?
[00:06:33] Because the final rule drops and then everybody was thinking if you're a cloud provider, chances are you're going to have to be FedRAMPed.
[00:06:40] And now, spoiler alert, because of the way the rule is, it doesn't necessarily have to do that.
[00:06:45] So now we have to start thinking about, just like what you're talking about, Kaleigh, what type of information that you want to have.
[00:06:52] One would be, do they have a FedRAMP ATO?
[00:06:55] Are they in the FedRAMP marketplace?
[00:06:58] That would be a good conversation to have, right, Adam?
[00:07:01] What are some other things that you would probably want to know if they're not in the FedRAMP marketplace?
[00:07:05] Well, again, it all comes down to the data and what's in scope.
[00:07:07] If it's a cloud service provider that stores controlled unclassified information, FedRAMP is what you have to have.
[00:07:13] No ifs, ands, or buts.
[00:07:15] Now, that brings me to your other data classifications like security protection data.
[00:07:19] When we look at the assessor guides and what's out there, it's to be assessed in scope of CMMC against all 800-171 requirements relevant to what it's providing.
[00:07:29] That opens those doors to where we can go in and start looking into it.
[00:07:33] So what should the vendors be providing to help us out there?
[00:07:36] Well, if you're FedRAMP moderate or equivalent, which, spoiler alert, the only thing equivalent to FedRAMP is, in fact, still FedRAMP.
[00:07:44] You don't say.
[00:07:45] Yeah, fun DOD memo on that one.
[00:07:47] But anyway, if they've got a FedRAMP ATO, awesome, great.
[00:07:52] If they're working on their FedRAMP ATO, still awesome, great.
[00:07:56] But if they don't need to go that route because they're not storing, processing, or transmitting CUI, I want to know what other frameworks they may be hitting and how they're going to be assessed relevant to what they provide.
[00:08:07] So if it's a SIEM tool, like there's Splunk or ELK or an ELK stack or any of those other ones out there.
[00:08:14] What I want to specifically know is how that impacts my auditing and accountability domain.
[00:08:19] What do we have around that?
[00:08:20] What actions are in place?
[00:08:21] And what can they provide me?
[00:08:23] Some options they could do to help facilitate that process.
[00:08:26] Do they adhere to and align to other security frameworks?
[00:08:29] Maybe the ISO 27000 family or, you know, just a good robust CIS practice.
[00:08:36] Maybe they've gone through a PCI DSS assessment and they've been able to, you know, scope that further than just their cardholder environment.
[00:08:42] At the end of the day, what other framework have they aligned to and what's the scope of that engagement?
[00:08:48] A SOC 2, you know, SOC 2 Type 2 audit is absolutely useless to me if it only covers their, you know, CRM.
[00:08:55] Right.
[00:08:55] I want to know about their dev environment, et cetera.
[00:08:58] So that's a good starting point is what has a vendor already done?
[00:09:01] What have they been assessed against?
[00:09:02] And can I see a copy of that?
[00:09:04] Most vendors will still ask for an NDA, but still, how can I see a copy?
[00:09:09] Because transparency is key.
[00:09:11] And the vendors need to understand just because the rule changed in such a way that you could participate like ThreatLocker or Blackpoint Cyber or some of these other vendors that are kind of everybody thought they were on the menu and then off the menu.
[00:09:27] And now they can kind of be back on the menu again.
[00:09:30] But the way the rule is written in such a way, they have to be prepared to defend themselves and their posture and, you know, what type of access controls, what type of security.
[00:09:39] All of these types of things have to be validated based on what that tool is doing and how like what Adam is saying.
[00:09:47] And if the vendor's like, yeah, here's this, you know, little one-pager that says we had a SOC report.
[00:09:54] That's not going to cut it like they need a lot more information to be able to speak specifically to the relevant security controls.
[00:10:01] And inside those systems, you might be able to provide that.
[00:10:04] Right. So you might be able to show your separation of duties in those products.
[00:10:08] You might be able to do those types of things that are going to be required, but you're playing by their rules.
[00:10:13] You need to step further outside the boundaries of that and understand like what Adam's saying is that the risk about using that vendor overall.
[00:10:22] That's one of the things you're really great at.
[00:10:23] I always love how you really drill into that.
[00:10:25] Can you talk a little bit more about the risk piece of those types of things that you would want to know?
[00:10:30] Yeah, because at the end of the day, whenever I bring on a new vendor, I also bring in the risks that come with them as well.
[00:10:37] So my decision to adopt a vendor is really a very strong exercise in risk management.
[00:10:43] Because while they may be able to solve a problem again, what do they bring into the table that could cause a problem?
[00:10:47] Right.
[00:10:48] So I want to know things I've already asked for their security reports they have available.
[00:10:52] Some other questions I might have is have they done any kind of penetration testing?
[00:10:56] What is their vulnerability remediation processes look like?
[00:10:59] Right.
[00:10:59] How do they handle their internal staff training?
[00:11:02] How do they separate my data from other data?
[00:11:05] What do they have in place for to, again, protect the confidentiality, integrity or availability of my own data in that platform?
[00:11:12] What kind of resilience planning do they have in place as well?
[00:11:15] Because, you know, if their platform goes out and I can't do my job, I've got a problem.
[00:11:20] So I start by asking those questions and start to drill into some of the meat and potatoes of what they bring to the table so that I can therefore be a little bit more informed about the risks that I'm taking on and what I can do about them.
[00:11:32] Because in a worst case scenario, the last thing I want to do is adopt a solution.
[00:11:36] It works great for six months and then it absolutely dies, hits the fan is, you know, complete garbage.
[00:11:41] And I have to rip that out and start over.
[00:11:44] That's just a giant waste of everyone's time, money, energy, effort, etc.
[00:11:47] I could be locked into a contract.
[00:11:50] Who knows?
[00:11:52] But again, this whole entire process is to keep asking questions in order to get answers so I can make an intelligent decision.
[00:11:59] And to do that, I need to have good, clear answers from the vendor, a good amount of healthy transparency, even if that transparency is still locked behind a nondisclosure agreement.
[00:12:09] Yeah.
[00:12:09] But I still need that information to make my decisions.
[00:12:13] Yeah.
[00:12:14] So you kind of hinted about this a little earlier, Adam, but I really do want to talk more about this graph that we are going to pull directly from the rule, the 32 CFR rule, which talks about a CSP and not a CSP.
[00:12:31] And it brings up a few things that you've already mentioned, CUI and security protection data, right?
[00:12:37] And what is required of that CSP, whether they have CUI in their system or they don't and they have SPD, security protection data in their system, what is required of them?
[00:12:50] Now, something that is important to note is if they are with or without SPD but have CUI in the system, they have to meet FedRAMP requirements.
[00:13:01] It's what it says in this graph that I'll pull it up on the screen.
[00:13:05] But then if it does not have CUI but does have SPD, then they will be assessed as security protection assets in the OSA's assessment scope, right?
[00:13:19] So that is a really big deal because if you are a person that is a contractor or subcontractor listening to this right now, just note that your CSP that you are using is going to be pulled in to your scope of your assessment, right?
[00:13:41] And you want to make sure that they are going to be able to hold up their end of the bargain, right?
[00:13:49] So that you don't fail something because of them.
[00:13:52] We talked about this with ESPs or specifically MSPs that are servicing OSAs.
[00:14:00] Sorry, that was like a lot of little letters all next to each other.
[00:14:03] So sorry about that.
[00:14:04] Yeah.
[00:14:04] Before we get into the craziness, the alphabet soup that I listed off, all the acronyms, okay, I think it's important.
[00:14:11] And Adam, you always do a great job of this.
[00:14:14] So let's just break those down really quick for people that might not know what SPD is, what CUI is, what FCI is, all that stuff.
[00:14:22] Let's break it down for them all.
[00:14:25] Yep.
[00:14:25] So let's just hit it real quick.
[00:14:27] FCI is your federal contract information that is in scope for your CMMC level one practices.
[00:14:34] CUI is your controlled unclassified information.
[00:14:37] That's the meat and potatoes of CMMC and NIST 800-171.
[00:14:41] You're probably getting that from the government and it has to be protected and you apply your safeguards depending on where that goes to the organization.
[00:14:46] You know, who touches it?
[00:14:47] Where does it live?
[00:14:48] How do you do it?
[00:14:49] Then we have that category security protection data.
[00:14:52] And I'm just going to read straight from the rule here.
[00:14:54] So security protection data means data stored or processed by a security protection asset that are used to protect the OSC's (Organization Seeking Certification's) assessed environment.
[00:15:04] It is security relevant information and it includes, but it's not limited to, configuration data required to operate an SPA, log files generated or ingested by an SPA,
[00:15:14] and data related to the configuration or vulnerability status of in-scope assets and passwords that grant access to the in-scope environment.
[00:15:22] Right.
[00:15:23] So those are the main terms that keep coming up in CMMC conversations and discussions.
[00:15:29] And each one of those has its different practice requirements associated with it.
[00:15:32] Like I mentioned, FCI is level one.
[00:15:35] CUI is level two.
[00:15:36] Security protection data comes from your security protection assets, which are expected to be in scope for both level one and level two and need to be assessed appropriately.
[00:15:43] Exactly.
[00:15:44] Yep.
[00:15:45] That's perfect.
[00:15:45] And, you know, that goes back to just like I was saying before, that if you look at the graph that we have up on the screen,
[00:15:53] that if you are a CSP that does not even store CUI but does have SPD, security protection data,
[00:16:03] you will be in scope of the OSA organization seeking assessment and you will be assessed as a security protection asset.
[00:16:16] Okay.
[00:16:16] So hopefully with Adam's descriptions, thank you, Adam.
[00:16:20] And what I just explained there, it makes you understand this graph a little bit more.
[00:16:24] That's critical to know when picking a CSP, when picking a vendor that's going to do services for you.
[00:16:32] If you are on your CMMC journey and this is the climb that your company is pursuing, you got to take that stuff very seriously.
[00:16:41] So I love it.
[00:16:43] Let's get into the last point here.
[00:16:46] And it's really what do you need to know?
[00:16:51] What do you need to know going into picking that vendor for you, whatever it may be for?
[00:16:57] Bobby, I'm going to kick this question over to you because you have literally experienced this because you do have to also do this as a business owner.
[00:17:07] You have to pick these people.
[00:17:09] What are the things that you needed to educate yourself on before picking those people to maybe help these contractors and subcontractors and businesses listening to this podcast episode, you know, get into your shoes and kind of think about that.
[00:17:26] Yeah.
[00:17:27] I just, I feel like I'm hearing, you know, a Beatles song, you know, the long and winding road, you know.
[00:17:34] The long and winding road.
[00:17:37] I actually do know what you're talking about.
[00:17:39] You know, it's just like, it's no joke.
[00:17:42] You know, you're either chasing the vendor down to try to give them, to have them give you the information so that you can use their product because they're not prepared to have the discussion with you.
[00:17:50] Right.
[00:17:51] Or you're trying to find more information about their products specifically from a technical perspective so you can decide on whether or not you want to have them in your environment.
[00:18:00] Right.
[00:18:00] So, so I remember one very large vendor that I used.
[00:18:04] I'm going to stay agnostic here in their name.
[00:18:07] But boy, I would really like to call them out on this.
[00:18:09] But I went through four different salespeople just to try to get to someone who actually could talk technically enough about how the product functioned before I could determine if I wanted to use it or not.
[00:18:21] Right.
[00:18:21] I mean, it is it.
[00:18:22] I mean, it runs the gamut.
[00:18:24] I mean, they just these vendors are so used to being able to just see market share and just want to attack it.
[00:18:30] And that's all they think about.
[00:18:31] And they're not really thinking about what do I need first from you before I use your product.
[00:18:36] And it isn't from a sales perspective, like, you know, ooh, that's a shiny new point, you know, penny or whatever.
[00:18:43] Like there's a lot of like what Adam and you just said, like they're going to assess these products against all relevant controls.
[00:18:51] And so I need to be able to get ready to potentially defend this product.
[00:18:56] And I need to be smart enough to be able to do that.
[00:18:59] And I don't want to have a doctorate degree in chasing them down just so they can give me the information.
[00:19:05] That would be the first thing is just be prepared, vendor.
[00:19:09] You know, have a loaded pod of information.
[00:19:13] It makes me and Adam feel so much better.
[00:19:15] Right.
[00:19:16] If we come to you and you are ready to go, you're like, oh, CMMC, here you go.
[00:19:21] In your email, if you look right now, here's this big package that has all this stuff like responsibility matrix and how you can probably use the product and what kind of controls perhaps it solves.
[00:19:30] How you address the security controls, you know, are going to be relevant since you're going to be trying to address those controls.
[00:19:36] How are you being protected?
[00:19:38] You know, how can you do those things?
[00:19:40] Like Adam was talking about the different packages of like audits that perhaps you've had.
[00:19:45] Maybe you have a 27001 or maybe you had a really relevant SOC audit or other types of things.
[00:19:52] Maybe you even got CMMC assessed.
[00:19:54] Maybe you're FedRAMP.
[00:19:55] I don't know.
[00:19:56] Like all these things are really helpful.
[00:19:58] So just being ready for those discussions is great.
[00:20:01] Yeah.
[00:20:01] And I'd say just to support that and piggyback off it a little bit, I have a ton of great friends that are those business development reps and those sales reps.
[00:20:09] The best ones that I've dealt with when I ask a specific question regarding security or compliance, if the person doesn't know the answer, the best answer I've ever gotten is, I don't know.
[00:20:19] Let me find somebody who does.
[00:20:21] Right.
[00:20:21] And then they connect me with a technical person, security, you know, CISO, et cetera.
[00:20:26] But to take that a step further in that package of stuff that I really want to see, I think the holy grail that all vendors should really strive for, regardless of whether they're a CSP in the FedRAMP side of stuff or in the ESP side, which is their own CMMC level two or not even getting their own CMMC level two, but still an ESP.
[00:20:43] Give me that responsibility matrix.
[00:20:46] Put it in clear terminology and clear language that I can follow.
[00:20:49] And if you've done that, I can do my job just fine.
[00:20:53] I want to know what you do, what I do, and what my end client has to do.
[00:20:58] If you put that down, that's the key document I need when writing my system security plan and writing my own documentation to answer those questions in an audit.
[00:21:09] And I would say, do not base vendor.
[00:21:13] Listen, listen to me.
[00:21:15] Listen here.
[00:21:16] Okay.
[00:21:16] Listen.
[00:21:17] All right.
[00:21:18] Do not base your decisions of how to operate based on how your salespeople have had sales calls with people who think they know about CMMC.
[00:21:25] Hire a professional.
[00:21:26] Go get somebody who knows what the heck they're doing and talk to them about how your product works and what people need to know.
[00:21:34] Right.
[00:21:35] What your people need to know about how to use your product in that ecosystem.
[00:21:39] And I mean, CMMC ecosystem, how to use it in the DIB space, because you need to really understand that.
[00:21:45] Okay.
[00:21:45] This is not some great achievement, unlock market share opportunity for you to just dive right in and just say, let me just flail.
[00:21:52] Like I'm drowning.
[00:21:53] You know, like that you're going to bring everybody down.
[00:21:56] Like do it responsibly, like hire somebody who knows what they're doing and really understand the space when you're coming into it and be prepared to have very serious conversations about how your product functions so that they can defend.
[00:22:11] It's not that they're trying to be buttheads about it.
[00:22:13] They just need to be able to defend the product because they're about to use it because they're going to get interrogated.
[00:22:17] You're not going to be there.
[00:22:17] They are.
[00:22:19] Yeah.
[00:22:19] And at the end of the day, this is a whole exercise in risk management.
[00:22:22] It's my job to ask you as a vendor, very difficult questions to understand what risks you bring to me.
[00:22:28] I'm going to try to poke holes in your security stack and your security posture, because I just need to know where the gaps are so I can decide if it's acceptable or not.
[00:22:36] Maybe you don't do a monthly pen test with a third-party provider and third-party application security reviews over your tech stack.
[00:22:42] That's probably fine.
[00:22:45] Do you not enable multi-factor authentication for your developers' privileged accounts?
[00:22:49] That's going to be the showstopper there.
[00:22:51] But I'm going to ask the questions.
[00:22:53] Yeah.
[00:22:54] Well, I'm curious about something.
[00:22:57] So we have talked about asking the right questions and being educated in certain ways.
[00:23:04] Let's say this is a person that has to step in to the CMMC journey because they mostly work with government contracts and they don't know much about this world.
[00:23:20] What would you recommend for that person to do?
[00:23:24] Is it something like a C3PAO?
[00:23:26] Would this be something that if they picked the right MSP that their MSP could help them with?
[00:23:33] Do you get what I'm saying?
[00:23:34] What direction should they take?
[00:23:36] Because I feel like it's so unrealistic for that business owner to be able to fully ask these questions and comprehend because sales people are good at selling.
[00:23:46] That's why they're in sales.
[00:23:49] And so they might make it sound really, really good.
[00:23:51] But I feel like only technical people when they're in that meeting can tell they don't actually know the technical aspect of this.
[00:24:00] I think a good example of that is that expectation versus reality.
[00:24:03] You go to McDonald's to pick up the Big Mac.
[00:24:05] You see that beautiful picture there on the menu and you're like, dang, that looks really tasty.
[00:24:09] And then you open up the box of what you get and there's like a patty on top, pickles coming out the sides.
[00:24:14] Expectation does not conform with reality.
[00:24:15] And sales people are great at the expectation setting.
[00:24:19] But if reality doesn't match that, we've got a problem.
[00:24:21] So anyway, to that point, though, you know, in going through that process as a business owner and trying to figure out what do I even do?
[00:24:30] I'd say the best piece of advice I could say is find a good MSP that has gone through that level two certification journey and that already has identified vendors to meet those needs.
[00:24:40] Because what's likely happened in that case, you get to inherit what the MSP brings to the table.
[00:24:45] And the MSP has likely selected vendors that they can inherit from as well.
[00:24:50] So at the end of the day, the amount of work and documentation that you, the business owner, have to do should be simplified down to just the key items that you, the business, need to do.
[00:25:00] You don't have to write about how Microsoft manages identity and access management from their perspective and how the MSP does that.
[00:25:05] You just say, I inherited all that from my CSP and my ESP, and I perform background screening and security awareness training for my staff that's authorized into this environment.
[00:25:15] Beautiful.
[00:25:16] Neat.
[00:25:16] That's an operational thing that you get to do that's in your wheelhouse.
[00:25:20] And you let the technical people handle what they're best at and the security people handle what they're best at.
[00:25:26] Anything you want to add to that, Bobby?
[00:25:28] You covered pretty good.
[00:25:30] I would say, I think the name of the game is how high can you raise your assurance level that you're going to pass?
[00:25:40] Exactly.
[00:25:41] If you're doing it solely on your own, then you better have a really good consultant that, you know, somebody like Defcert, for example.
[00:25:51] Those guys are solid.
[00:25:52] You know, they're really good consulting companies.
[00:25:54] I'm going to call just one now.
[00:25:55] There's others that are out there.
[00:25:57] But the reason why I just picked them is they're not a C3PAO.
[00:26:01] They just do consulting.
[00:26:03] But those guys are sort of the skunk works of CMMC.
[00:26:06] They really just get into it and just figure out how to make this thing kind of stand up and bark for you.
[00:26:11] But that's like, that's their thing.
[00:26:13] That's what they do.
[00:26:14] That's what they love.
[00:26:14] Right.
[00:26:14] Whereas with an MSP, they're going to come in and they're going to provide help desk support and they're going to try to do it in compliance fashion and get you moving across the finish line.
[00:26:22] Those are different ways that you sort of have to attack it.
[00:26:25] The bottom line is you need solid experts who know what they're doing.
[00:26:29] So even if you're trying to do it on your own, you still need to have a consultant that can come in and help you try to pick those vendors and have those difficult conversations.
[00:26:38] Because if you are picking them on your own, you're sort of building your own stack.
[00:26:43] You need to have those conversations.
[00:26:44] You need to be able to be able to defend yourself when you're picking those.
[00:26:48] So because you don't want to go through and change those.
[00:26:50] Then when you write your system security plan, like our system security plan is what?
[00:26:54] Like 200 pages-ish of documents.
[00:26:57] And growing.
[00:26:57] And growing, right?
[00:26:59] I mean, and so, and then that's not even including the policies.
[00:27:02] And Lord, that's not even including the procedures.
[00:27:04] So my point is, is if you change some of those vendors, the amount of documents you sort of have to trace down to find, it's no fun.
[00:27:11] You know, so you want to make sure that whoever you pick, like that's someone you're in for the long haul.
[00:27:16] And so you want to go through all the stuff that we're sort of talking about to make sure that we are, that you're not going to shoot yourself in the foot and wish that you could go back in the past and punch yourself in the face, right?
[00:27:27] You just really want to make sure that you're choosing wisely when you're doing that.
[00:27:30] So whether you have an implementer that'll do it for you or you're going to try to do it and have someone recommend it and kind of like turn the keys over.
[00:27:37] But you want to make sure that you're using the right people to accomplish those types of tasks.
[00:27:44] Couldn't have said it better myself, you guys.
[00:27:47] You said exactly what I was thinking.
[00:27:49] I also just want to plug, too, we did discuss a little bit more about inheritance and what that means in our podcast about MSPs and ESPs and what the 32 CFR final rule meant to that community.
[00:28:07] So if you want to go check that out, you can.
[00:28:10] Another thing that I just wanted to just include in here is with everything that Bobby said and everything that Adam said, another thing about picking that person and the right person is like if you are somebody who is a contractor or a subcontractor that is listening to this, just know this is not a one-time assessment that you get to and you throw a party and everything's done.
[00:28:34] One, you have to review yourself as a company personally once a year and you have to be reassessed every three years.
[00:28:44] Right?
[00:28:45] That's a good point, Kaleigh.
[00:28:46] Let me touch on that for just a second.
[00:28:48] As a vendor, you've got to think about that, too.
[00:28:51] You've got to keep your information relevant.
[00:28:54] What I've seen, I've seen this so many times, you've got to reach out to a vendor, Adam, and they're like, oh, here's our CMMC information and it has five levels in how they talk about it.
[00:29:03] That's the old version, like the 1.0 version of CMMC.
[00:29:06] Got to update that one.
[00:29:07] There's only three levels, right?
[00:29:08] When I see something like that coming from a vendor that is so obviously stale, you're just like, this is trash.
[00:29:15] I can't even use this.
[00:29:16] So you want to make sure as a vendor, like Kaleigh's saying, every three years you have to get re-audited.
[00:29:21] Every year you have to do an assessment and a test, like a personal assessment of how your organization is doing.
[00:29:27] As a vendor, you need to be paying attention about how you're operating, making those changes, and making sure those packages are relevant when you provide them on a regular basis.
[00:29:37] Don't just do it once, hire some consultant, and never talk to them in three years.
[00:29:41] You've got to stay up to date with that.
[00:29:43] Right.
[00:29:43] Because I can't think of any vendor out there in our industry or others that builds a product and says, we're done.
[00:29:49] We're never doing anything with it, especially in software and technology.
[00:29:53] I mean, we finished our own assessment and everything like that, and we already had a page of notes of all the things we wanted to improve on it before we were even done.
[00:30:01] Yeah.
[00:30:01] Yeah.
[00:30:02] So vendors, if you're continuing to evolve and improve your products, which I know you are, update your stuff regularly and communicate when that happens.
[00:30:11] You know, you give release notes when you update your agents and whatnot.
[00:30:14] If you update your documentation, just include the link to that.
[00:30:18] Will the general population of the world care about that?
[00:30:21] Probably not.
[00:30:22] Will people like myself who have to defend that in an audit care about that?
[00:30:26] Absolutely.
[00:30:27] Oh, that brings up a great point because if you're a business owner and you're listening to this and you don't want to have to keep track of all of this stuff that's happening, Adam will keep track of it for you.
[00:30:38] So just reach out to him.
[00:30:40] No, I'm just kidding.
[00:30:41] Your check is my command.
[00:30:43] Well, what I am serious about is you want somebody that's going to be on top of that stuff.
[00:30:47] Like if one of your vendors is changing something or updating something, you need to hear about that.
[00:30:54] You need to know about that.
[00:30:55] Do you, as a business owner, want to keep track of all that?
[00:30:59] Or do you want somebody to keep track of all that?
[00:31:02] You know, I think that's really up to you.
[00:31:04] But I think it would definitely help if you had somebody that was more, you know, in depth into that space and knew more about those changes.
[00:31:13] And that would be really helpful for you.
[00:31:15] So anything else you guys want to add before I close today?
[00:31:18] I think you guys crushed it.
[00:31:20] Covered it pretty well.
[00:31:22] All right.
[00:31:23] All right.
[00:31:24] Well.
[00:31:24] Just buyer beware.
[00:31:25] Buyer beware.
[00:31:26] Wow.
[00:31:27] I'm shocked it took this long for you to say that phrase.
[00:31:30] Yeah.
[00:31:30] Wow.
[00:31:31] Well, guys, I hope this was helpful to you.
[00:31:34] If you are either a vendor that's just trying to get some encouragement on what to do and what to be prepared for for your clients,
[00:31:41] or if you're a contractor or subcontractor that's in this space that needs to be asking these questions to vendors,
[00:31:49] we hope this was helpful to you.
[00:31:51] If you have any other thoughts about this, ideas on questions to ask,
[00:31:55] please put them in the comments of our YouTube video or in LinkedIn.
[00:31:59] So we'd love to hear about that.
[00:32:01] And we'd love to hear if you want to hear more about this topic,
[00:32:05] even in vendors and in that space too.
[00:32:09] So, yeah.
[00:32:10] Kaleigh, remember that the post that I did with the, it's, you know,
[00:32:13] they're on the menu again with the ring things.
[00:32:16] Like so many people were worried about,
[00:32:19] oh my gosh, vendors are going to trash this place.
[00:32:22] So I'm hoping this episode kind of maybe helps vendors kind of understand how serious this space is.
[00:32:28] And this is the reason why, if you're not sure if you're a vendor,
[00:32:30] go check out that post and see some of the things that people were saying about how they're scared about other vendors coming into the space that aren't FedRAMP.
[00:32:37] Yeah.
[00:32:38] And, you know, maybe you might think it's fear mongering.
[00:32:41] Maybe you might think it's well placed, but it's still worth a check.
[00:32:44] Yeah.
[00:32:44] Yeah.
[00:32:44] And I would just like to support that and call that out a little bit.
[00:32:46] I know we're trying to wrap up, but I think it's super important.
[00:32:50] From my perspective, if a vendor contacts me and starts talking about their solution and how great it is,
[00:32:55] I'm talking to a sales rep who I inherently think is lying to me.
[00:32:58] Point blank.
[00:32:59] Because at the end of the day, their job is to get the money, right?
[00:33:03] And again, I've got plenty of good friends that are business development reps, love them to death, etc.
[00:33:07] But your job is to make money for your company.
[00:33:10] And some of them out there absolutely don't mind just, you know, saying what they think to get the money.
[00:33:16] The thing that's going to actually prove whether you're going to get my money or not is that responsibility matrix
[00:33:20] and that vendor due diligence process that we go through.
[00:33:22] It's not fun.
[00:33:24] It's not easy.
[00:33:25] I'm annoying and ask you a million questions, but I've got to do it.
[00:33:29] Yeah.
[00:33:30] Listen, we only deal in certainties around here.
[00:33:32] Am I right, Bobby?
[00:33:33] That's right.
[00:33:34] So to Bobby's point and to the industry at large, I assume the vendors are going to BS stuff.
[00:33:38] They're going to make things up.
[00:33:40] They're going to stretch it a little bit to try to get the business.
[00:33:42] And that will have a negative impact on us as an ESP and the MSP side of stuff.
[00:33:46] And that will have a further negative impact to those small businesses out there who don't know any better,
[00:33:51] who are trusting MSPs to get it right.
[00:33:54] So our trust has to be placed in the vendors and the vendors have to get it right.
[00:33:57] And I think that's, you know, I can speak for the people in those comments of saying we're worried that the vendors are not going to get it right
[00:34:03] and are going to try to pull, you know, the rug over us and pull a fast one.
[00:34:06] So don't do that, vendors.
[00:34:07] Let me grab the camera and shake you a little bit there.
[00:34:12] Don't do this.
[00:34:14] Transparency, please.
[00:34:16] Transparency.
[00:34:17] Well, thank you guys so much for listening to this episode.
[00:34:21] We hope you enjoy our coverage so far on the final rule.
[00:34:26] And again, I'm going to repeat, it is final.
[00:34:29] So for right now, this is the certainty that we have going into December as all of this begins and the assessments begin and the phases begin.
[00:34:38] Here we go.
[00:34:39] So make sure to tune in next Thursday for our next episode.
[00:34:44] We hope you guys enjoyed this one.
[00:34:46] And just remember, keep on climbing.
[00:34:49] Bye, guys.
[00:34:51] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:34:56] We hope you guys enjoyed today's episode and listen out for the next one.
[00:35:00] But until then, keep on climbing.