In this episode, Kaleigh and Bobby discuss the complexities of CMMC documentation with Tom Conkle from Optic Cyber Solutions. They explore the challenges of writing effective System Security Plans (SSPs) and Customer Responsibility Matrices (CRMs), emphasizing the importance of viewing these documents as management tools rather than mere compliance checkboxes. The conversation highlights common pitfalls organizations face, the significance of clear communication between service providers and clients, and practical tips for creating effective documentation that enhances cybersecurity practices.
Tom Conkle on LinkedIn: https://www.linkedin.com/in/tomconkle/
Kelly Hood on LinkedIn: https://www.linkedin.com/in/kellyhoodoc/
Optic Cyber Solutions Links
LinkedIn: https://www.linkedin.com/company/opticcyber/posts/?feedView=all
Website: https://www.opticcyber.com/index.html
YouTube: https://www.youtube.com/@OpticCyber
Optic Cyber Resources Page:
https://www.opticcyber.com/resources.html
Customer Responsibilities Matrix Template:
https://43828014.hs-sites.com/shared-responsibilities-matrix-srm-download
LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Kaleigh's: Kaleigh Floyd | LinkedIn
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaleigh Floyd and I have my co-host here, Bobby Guerra. And we are part of an MSP called Axiom that is CMMC Level 2 certified. But today we are excited because we have a special guest.
[00:00:29] Tom Conkle is going to be joining us from Optic Cyber and they are wonderful. We have worked with them for a while now and we are very excited today to be talking about the biggest fails of CMMC documentation. But really we want to talk about just things you might not notice at first or be thinking about when writing a system security plan or a CRM, a customer responsibility matrix,
[00:00:55] that are things that easily can trip you up and easily become a bigger thing. And so Tom, thank you so much for joining us today. We're really excited to have you. Do you want to share with just the people who might not know who you are and what you guys do over at Optic? Absolutely. Yeah, no, I'm excited to be here. Thank you very much for inviting me. As you said, I'm Tom Conkle. I'm the CEO and a cybersecurity engineer at Optic Cyber Solutions. We are an RPO, a registered practitioner organization.
[00:01:23] So we specialize in helping organizations get ready for CMMC. I've been working in cybersecurity for about 25, a little over 25 years now. I started when I was three. Right. I've had plenty of opportunity to help organizations get ready for different certifications. I've worked on the government side with NIST as well and helping with some of the cybersecurity standards, including the Cybersecurity Framework.
[00:01:47] So I understand what it means to help write some of the standards and requirements and then take that information out into the real world and help organizations use it. So at Optic, we have plenty of opportunities to help organizations build their CMMC security package or their FedRAMP security packages. That's what they need. So I have definitely a lot of experience with the documentation side as well as how do we actually make this or implement the security capabilities to meet those requirements. So looking forward to talking to you about it today. Yeah, that's awesome.
[00:02:15] And you also work with someone else that we've had on the show before, right? Yes, Kelly Hood. She's definitely great. One of the smartest people. I do my best to try to keep up every day. I'm really excited specifically because I feel like, Tom, you've seen a lot, a lot of people's documentation of different system security plans, different customer responsibility matrix.
[00:02:39] We talked about even before we started recording this that sometimes we've had to adopt that there is – you said it in a way that I really like. There is the right way, the wrong way, and there's my way as well. And sometimes people don't always do it the way that you think is the best.
[00:02:58] And I really love that perspective because that – I'm sure you've seen that multiple times of people trying something new or people doing something that you might not have expected with your system security plan or customer responsibility matrix. But it could still work for an assessment, right? So I want to open the floor with just talking about what would you say is the most difficult part, first, about writing a system security plan?
[00:03:25] And then I'll ask you more about the customer responsibility matrix. But what would you say is the hardest part that people seem to have when writing a system security plan? Yeah, a system security plan. I think people have been struggling with that for quite a few years outside of CMMC, even through FISMA and FedRAMP. And I think one of the biggest challenges people have when writing a system security plan is they forget the reason that it's there. They think it's a compliance checkbox.
[00:03:50] They think it's a document that needs to be developed to meet compliance requirements. They forget that really it was created or the idea of a system security plan was created as a management tool, right? The whole reason we have it is because of all of the different policies and procedures that need to be organized, the different technologies that need to be put in place. For any program manager, it's really difficult to stay on top of your cybersecurity program and understand what you're doing.
[00:04:15] And I've just found that once you can get that flip, you know, that thought flipped in your head of, oh, it's not a document. It's actually a tool, right? It's a tool that helps me describe what I'm doing, how I'm doing it. And that's why, you know, it becomes more easy to maintain and update because if you're relying on it to understand your security program and where you're making improvements, you're kind of forced to update it throughout the year and not just annually when you do your self-assessment or triannually when the certifier is going to come back.
[00:04:43] And I think that's one of the biggest challenges I've seen with people and, you know, the easiest way to overcome it is just look at it as another management tool to make it effective. Yeah, that's an interesting perspective because I feel like, too, Bobby and I just recently talked about scalability in one of our episodes. And I feel like you're kind of speaking upon that in your documentation as well as, you know, if you write it in this way that you're explaining,
[00:05:09] you don't have to worry about changing it every single second rather than reevaluating it once a year kind of thing. So, yeah, that's so important. Well, it's also kind of interesting how, like, as we've started moving to better adoption of a system security plan for us organizationally, part of the challenge that we're running into is – and I've seen this argument play out, and I'm just curious what your thought is about this, Tom, as well –
[00:05:35] is some people, they want to keep their SSP very pure from an audit perspective for their 800-171A / CMMC assessment. And they don't want to necessarily talk about other controls or things that they may have in place, so they may even have a separate SSP just because they don't want to muddy the waters during their audit. For example, 171A, its focus is really on just the control of that data, right?
[00:06:05] It doesn't really follow that whole triad of the CIA method, right, confidentiality, integrity, and availability. So it's really focused on, you know, just the confidentiality piece of that data. But if you wanted to have a more comprehensive SSP that addressed all of those things, it would be potentially longer and have some additional enhancements to it. What's your thoughts about that? Yeah, no, you're absolutely right. Fortunately or unfortunately, I don't know how to describe it, but a lot of organizations, you know,
[00:06:32] they're being shown what an SSP is because of CMMC and the mandate of the requirement for it there. So they're starting out as, you know, dealing with the confidentiality aspect and meeting the 171 security requirements and the 171A assessment objectives and making sure that they've defined those. So I completely agree. A lot of people don't understand it as just one – well, it's one-third of the triad, but it's not one-third of the capabilities, right? Right. Because they're not all equal.
[00:06:59] So hopefully, yeah, if people do CMMC, right, and as they build their SSP and they actually start seeing the value of using it to manage and understand what technologies they're doing and how the technologies are supporting each other, right, they will want to expand that into availability and integrity. And, you know, fortunately for organizations that have, you know, GRCs, they're able to customize and pull out the requirements when an assessor shows up. Otherwise, you're right.
[00:07:24] You might be having to create a second SSP because, yeah, even I wouldn't want to share any of that extra stuff with the assessor because, as we know, when we open, you know, peek behind too many curtains, we don't know what's going to come out. But even though we know we're going to be doing the right things, let's focus on confidentiality while the assessor's there and not muddy the water with the rest of it. So we talked about a system security plan and that difficulty of it and, you know,
[00:07:51] and trying to write it in such a way that doesn't mean you have to change it every second. And I'm curious, though, about the customer responsibility matrix because this sometimes will bring in outside or external service providers or, you know, or other people that are not just internal to your organization. So that also brings in another difficulty and another challenge to that and to writing that.
[00:08:19] So what's your perspective on that side of things? Well, absolutely. And I think, you know, customer responsibility matrix are solely for external service providers and making sure that we communicate between the two, right? So as I said, with the system security plan or the SSP, right, it's a management tool for you and how you're operating. And especially if you're dealing with cloud service offerings that have gone through the FedRAMP process, they have shared responsibility matrix or customer responsibility matrix as a requirement on their side too to tell you what they're doing.
[00:08:48] And that customer responsibility matrix in all cases is a way of bridging the two SSPs, right? So if I have an SSP for what I'm supposed to be doing and the external service provider has their SSP, how do I get them to work together, right? How do they plug in together? And that's how I look at the customer responsibility matrix is the way to bridge that gap and have that communication so that we understand who's doing what aspects of it
[00:09:13] so that whenever I overlay my SSP with the CRM, I can see, you know, clearly what I need to do as well as what the customer or what the external service provider is doing for me. So, yeah. So where do you see the most difficult part of that connection coming into play? Where are some things that are the most mistakes kind of happen with the CRM? It's kind of ironic. A lot of the mistakes are the exact same thing for the CRM and the SSP is people look at it as a document, right?
[00:09:41] As they, you know, I just need to fill this thing out. It's a checkbox I need to meet. So I've seen CRMs that, you know, list the 171 requirements, just the 110 requirements for level two, and they'll have a checkbox that says this is the customer responsibility and this is the ESP's responsibility. And that's not really effective communication. Yes, it's a step further in the communication as to who's going to do what, but what are they doing and how are they doing it is missing, right?
[00:10:07] If you're actually using it as a tool to communicate to your customer, if you're the external service provider and you're using it as a tool to communicate to your customers on what you need from them and what you're going to provide. That's so true. Then you can start building it out, put that narrative in there so that when it says, you know, I'll create, you know, as an ESP, I'm going to create and manage the accounts in Entra or AD or something like that. How do I know how to create an account, right?
[00:10:32] The customer responsibility matrix tells me if I need to, you know, send a carrier pigeon out to notify the ESP that, you know, I've got a new user and I need to have an account created or am I going to send an email or am I going to put it in a ticket, right? So that we lay all of that stuff out front. The other thing that I've noticed or I've seen over time is what the customer responsibility matrix, especially for external service providers when they're onboarding new customers.
[00:10:58] It gives you a way to have a conversation with them on who's going to be responsible for what and setting expectations up front so that when an account doesn't get created in time or you're missing a piece of information and you don't get, you know, unable to set it up because you don't know the permissions. You can point back to it and say, well, you were supposed to submit a ticket with this information in order for me to create the account. We agree to this, right? So that, you know, instead of them calling you and saying, hey, you know, I hired Joe six days ago and Joe still doesn't have an account. I'm like, well, how did I know you hired Joe, right?
[00:11:28] You never told me, right? We can set that expectation up front. Bobby, from your perspective, have you seen, have you, have you already seen the CRM come into play multiple times with risk, you know, from your perspective and the client's perspective and divvying out responsibilities in that way? Coming from an ESP that has to use it more. I'm pretty passionate about this from my perspective.
[00:11:54] I mean, I guess you could do it other ways, but just based on my experience and what I've seen, I just don't know how you could really effectively do it any other way. And I've had situations where people have said, no, no, no, it needs to be, you don't want to provide too much detail. You just want to have checkboxes. Client, you shared. And I'm just like, I couldn't disagree more with that approach.
[00:12:19] For us, in our perspective, the way that we look at it, we feel that this document is actually a critical legal document for us in the way that we look at it. Because the way that we are trying to understand this is legally our agreement that we have actually calls to the CRM to empower that to speak to what services we're providing for them. So as we're working with the client, defining and for the most part, everything's set.
[00:12:47] But there are some that are a little flexible that we can do some things around. And so we go through the phases with the client to help define and make sure those are done. And we have different kind of like milestone pieces where they are signing off and testing, okay, this is fine and how these things are. A big part of that is because the agreement we have talks to that CRM from the perspective of saying, we're on the hook for this, so we're responsible for this. We have to do those things like Tom's talking about.
[00:13:15] The client is responsible for authorizing the users. Axiom is responsible for adding them. So we're going to have to do that. And you won't have access to that tenant to do that. It is our job because we own it. We're the only people that are going to do it. So you might have a break glass, for example, to do things if you fire us or whatever that you're going to do and take control. But the reality is like if we're on the hook for it, we've got to be able to speak to it.
[00:13:41] And the only way you can do that is you have total control over it because you can't give all these other people access to this thing and somehow know that it all goes the right way. That's just not realistic. Yeah, I've heard that a lot from different organizations that they say, well, I've got SLAs with my external service provider or my MSP, right? That's going to define that they have to create accounts for my new users. Like, well, that's great, right? Or it'll say they're going to alert me if something happens.
[00:14:09] But the customer responsibility matrix can help bridge that gap onto when are you going to alert me? How are you going to alert me on the capabilities? And that's one of the reasons I'm so passionate about CRMs. You know, I've seen a lot of things over my career in helping organizations get ready. I mean, it was just a year ago I was working with an OSC that was getting ready for CMMC. And we were going through the audit controls and understanding what they had in place.
[00:14:34] And they had a separate MSSP that was providing their auditing requirements. And we're like, great. Well, let's see what are you getting from them today so that what can we use to build on to CMMC? You know, is it appropriate? Do we need to add anything or can we use that? And they're like, well, you know, we've had them in place for about a year now. And, you know, fortunately, nothing's ever happened. So we don't get any alerts. I'm like, wait, what do you mean?
[00:14:59] And they're like, well, our agreement says that, you know, if there are suspicious activities, you know, our SLA says they will notify us that there's suspicious activities in our environment. So we haven't been notified in a year. So everything is great. So we were like, OK, let's go talk to them and find out. And we set up a meeting to go talk to the MSSP and said, OK, tell us what are you watching for? What, you know, what assets do you have that you're monitoring and what type of events do you monitor for so that you would define suspicious behavior?
[00:15:26] And they're like, oh, no, no, the contract says that the client has to tell us what they consider suspicious so that we know how to configure our system to alert you when those things happen. The MSSP had literally been running for a year with this client without anything configured in their alerts. And they were able to point back to the SLA on their side and said, yes, we will alert you, but you have to define it for us. If they had had a CRM and had something, you know, sat down as a use it as a conversation, right, to say, how are we going to work together? Right.
[00:15:55] We could have clarified that up front. So, you know, and all they ended up doing is finding a new MSSP because they were frustrated. The customer was frustrated that, you know, they didn't feel that they were informed well enough to know that it was their responsibility for telling the MSSP on what they wanted to be alerted about. You know, so they ended up, you know, having to go find a new service provider, all just because of a misunderstanding that a CRM could have, you know, solved, you know, quickly up front.
[00:16:22] Yeah, and something that I see with the CRM is really the CRM is about responsibility, not inheritance, right? So it's talking about who's responsible for what parties. Inheritance is a completely different conversation. But the responsibility, the way that we sort of have – I've seen it, and this is just my personal opinion. I'm curious what your take is.
[00:16:45] There are certain responsibilities that are the clients that are – that will probably still be spoken to by the MSP. What do I mean by that? So what I mean by that is you might say, you know, Mr. or Mrs. Client, we're going to do lockout timer. This is – what timer is okay with you this amount of time? Great. So you've now authorized that's what you want to do. We're going to implement that for you.
[00:17:11] And during the audit, because it's written in policy, they don't even really need to talk to the client per se to say that. Even though it's the responsibility of the client to do it in the audit, it's going to be us talking because we're going to talk about that. We're going to refer to that, to the policy. But there are some other responsibilities where they're absolutely going to have to talk. So there is a bit of a difference, even though they're responsible for, like, some of those, like, first parts of the objectives.
[00:17:42] Like, for example, 3.1.1, like, they're authorizing the users. So they have to say, yeah, that's us. We authorize the users and we do that. And here's the form that we fill out. And this is where we can find it at. HR background, for example, things like that. Those are all things, you know, in the PS domain where they would probably talk. You know, they're going to talk about that. You're absolutely right. They don't know what their responsibility is. So it's a good way to have that conversation.
[00:18:08] And even, again, you know, using the CRM as a conversation with the, you know, prospective customer or the new customer that you're onboarding, letting them know. It's like, hey, you're responsible for identifying your users, right? How am I going to do that? And it's common sense when you talk about it. But in reality, like I said, I've seen customers call their MSP and say, I hired Joe six weeks ago. Why doesn't Joe have an account, right? That does happen because they get so busy and they don't realize what they're doing.
[00:18:34] But up front, when you're having that conversation about here's the ticket that I need you to put in, here's the template we're going to use for creating those accounts. You know, it's not, you know, I like analogies with everything. You know, it's not, it's very much like going to go see your, you know, your physician for your physical, right? They're going to, you need to be able to coach, you know, doctor's going to coach you on, hey, these are the things that I think you should do. Here's what you need to. It's ultimately up to you on what you're going to eat and how you're going to take care of yourself.
[00:19:00] But, right, you're still doing, you know, as an ESP, you can use a CRM as that consulting kind of piece to have that conversation. Let them know so that they can tell you back. Yeah, you know, 15 minutes for a timeout is reasonable. I can deal with that. Right. And it's just another value of the CRM. And I think, you know, just, you know, having conversations like this and getting people to understand why the CRM is there. It's not that, you know, the DoD came in and said, oh, I know what I can do to punish the DIB. Right.
[00:19:27] The DIB is, you know, they need to be, you know, set in a corner or something. So we're going to make them do this CRM because I think that, you know, they deserve to be punished. No, it's because they saw these miscommunications happening time and time and time again. And they said, we've got to get in front of this. And how else can we get in front of it other than forcing the conversation? We're trying to at least. I think the CRM also can be used as a great tool to prepare for the actual assessment. And what do I mean by that?
[00:19:55] So what I mean is when you go through to do kind of a self-assessment for yourself and the client to prepare and make sure that you're fine, using that CRM to say, OK, these 40 assessment objectives or 50 or however many it is. These are going to fall under the clients. And to kind of go back to what I was saying is, OK, which of these are they actually going to talk? Like, are they really do they have to say words? OK, so then you can start breaking that down. OK, so of this chunk, they're going to have to actually talk.
[00:20:25] What are they going to say? Like, right, because you and your CRM, it says they're responsible. So they're going to have to say something. So what's that something going to be? You've got to write down what that is. Don't don't be like, it's your job. Good luck, buddy. Like, you got to like sit down and work with them and know like almost like you're preparing them for the witness stand because that's what's happening. You've got to prepare them for what they're going to have to say. And so I think the CRM is a critical document to help that happen,
[00:20:52] because then you can sort of look at it and say, OK, well, this is what we wrote. This is what they say they're supposed to be doing. So, OK. And then it says that they're storing this data here. OK, so when it comes to your turn and we get to this, you know, we're going to provide all this evidence in advance. They may look at that, the auditor, and go, this is already met because you did such a great job of giving this information. I mean, that's what you're hoping. Fingers crossed. But there's a lot of these are going to be, you know, they're going to be examined. They want to look at it.
[00:21:22] And then some of it is going to be tests. So show us, you know, give me a screen share. Let's look at this. And so when you're doing that, that's when you're going to say, OK, well, then I've mapped this out. You're going to go here. You're going to click on this folder and you're going to show this file and you're going to say these words. No, and that's exactly it. Right. And the partnership with the SSP on both sides. Right. The CRM, like you said, helps point out who's going to say what. The SSP tells you what are the key things that you want to talk about in that.
[00:21:51] And I agree. You know, I mean, the goal for an assessment is to keep their confidence in you doing the right thing very, very high. Right. So if it's well rehearsed, you're looking at the CRM like, oh, I know we're on, you know, 3.1.1[a] now. That's the customer's responsibility for identifying. But when we get to [d] and we're talking about implementation, I know my MSP is going to step up and start talking about how they actually implement that. So I can back off and start looking at the next requirement and start preparing for that. And it goes so smooth in that confidence meter.
[00:22:21] Right. You almost need to think about as the assessor sitting there, you want to keep that confidence meter up high. Because the higher it stays, they, you know, the, the, it's not the less they'll look at. It's the less of that deep they have to go for proof because they got that confidence they're looking for. But as soon as you start mixing it up on who's saying what and you're talking over, you're contradicting people. Well, now you get a lot of show me's. Okay. This is, I'm so glad you said this because this was literally going to be going into my next question.
[00:22:47] I was going to ask you, put your assessor hat on for a second rather than, you know, the consulting side of things. Okay. What is something that leads you, like in the documentation and something that you see that leads you to question, you know, the, the OSA and their, you know, their integrity and like of their, of their system.
[00:23:14] What is something that, that makes you question that the most when it comes to documentation that you see? If it's back to the SSP, you know, if they don't understand it, right. If they're contradicting their own SSP. Contradictions. It will start to go way, way down if they're not sure. And it happens time and time again. And the other thing that, you know, from an SSP standpoint that I see way, way too often, but I'm sure you're familiar with it as well.
[00:23:40] Most people, when they write their first SSP, they regurgitate the requirement, right? Yes. I authorize users. Yes. I encrypt data. Yes. I store this. I honestly think there's like no way around it. No matter how much I've taught people, I've worked with them. The first couple SSP statements, that implementation guidance they write, they regurgitate the requirement. They're like a parrot. Did it. You nailed me. Yeah.
[00:24:04] I think we were four or five SSPs in before we felt like we had a clue what we're doing. Yeah. No, you need to expect just throw out. You're going to throw out the first two. You have to go through it because it's that trial and error, right? You can talk about it forever. You can have all your notes of here are the six questions I'm going to answer on all the implementations. And then people start writing and it goes out the window until you do it a couple of times. And then you realize, wait, but back to your question, you know, back to that confidence. If it says I do encryption, you're like, great.
[00:24:34] How are you doing encryption, you know, for your email if that's in scope? Or how are you transferring files to your client? How what's that encryption? They're like, oh, I just use, you know, this portal. Like, okay, well, then who's running that portal? Was it your portal? Right. But if you start actually talking about the implementation, it's in the SSP and you've defined what you're implementing properly. You can basically just read it, keep their confidence high. And, you know, you're not contradicting yourself.
[00:25:02] You're not leaving blanks where you don't know the answer for. And then you can see that confidence meter going down and down and down. And now we've got to dig through it. Yeah. So I love that you want explanation, right? You want them to sound like in their documentation that they understand it. Can I ask about the difference between explanation in an SSP and a CRM?
[00:25:26] Like when you ask, when you're asking for explanation in a system security plan versus when you're asking for the explanation in a CRM, you're asking for the same exact AOs, the, you know, assessment objectives. You're asking for the exact controls, but different, you know, information, right? So can you describe a little bit about that with each of those documents? Yeah. And that's a very good question because you're right.
[00:25:56] Well, first off, both the SSP and the CRM should be at the assessment objective level. Every time people try to do them at the requirement level and say, but I've addressed all the assessment objectives, you inevitably miss one. But if you tag, you know, if you have one cell but you tag A through F, that's fine. But, you know, you need to list A through F so that you know you've talked about all of them and not just say, yeah, it's in there, right? That's a best practice kind of thing. But as far as the information, right, the SSP is that management tool.
[00:26:25] So it's helping me point to my access control policy so that I know what types of users are authorized in my environment, right? So it's defining my, you know, if I'm the OSC, right, it's defining my expectation for managing my staff, authorizing people who are going to have access to the system, right? Right. But then it can list out and says, you know, MSP is responsible, you know, is responsible for actually enforcing these capabilities.
[00:26:53] And then the CRM just talks about, all right, how are you doing that? Now that you have a policy that says only authorized users will be in your system, how are you doing that? Like the CRM says, like, put in a ticket. I have the approved ticket. Do you want to see a ticket? Here it is, right, for the system. And it helps bridge that gap back to the ESP and what they're doing. Yeah. And I love that explanation, too, because it makes me realize if an ESP is doing this at scale or having multiple different assessments with multiple different clients,
[00:27:23] how critical it is for them to have an SSP of their own that they bring to the table to, like you said, bridge that gap. Because I can't imagine somebody that's that mature that's doing it that many times and that scalability to only have everything they do referenced in the CRM. Like, I feel like there's going to be more to the table that has to be spoken to. And there, the ESP's SSP, you know what I mean, rather than just the CRM itself.
[00:27:51] Yeah. And you can kind of gauge yourself when you're writing the SSP and the CRM: if you're copying and pasting from one to the other, right, you're not talking about the same thing. If you're copying and pasting the same text in the CRM for multiple assessment objectives, you're probably not describing what really is happening there. But back to your scalability question, I actually think, you know, a well-written CRM from an external service provider builds this: this is the way we're going to do it with our customers, right?
[00:28:19] If you just have an SLA that says, yes, we will create accounts as needed, and you have some customers that are going to call you. Some customers are going to send emails. Others are going to put in tickets. You know, others that are, you know, going to send the carrier pigeon and let you know that they just hired someone. We have many of those, actually. And now you've set that standard for all of your customers, right? So now you know what to monitor and manage that scale, you know, help you grow.
[00:28:46] So that's why I think, yeah, it's almost the other way around. Not necessarily that the CRM should be a compliance requirement, but if you really want to make sure that you have a good service provider that is going to be able to work with you and make sure that you're, you know, on the same page for how they're providing the services, and they don't have a CRM, maybe you should look elsewhere. If they just say, don't worry, I got you covered. Yeah. I think the CRM and your SSP, like when you go to look at it, you can really learn a lot about the maturity of the organization you potentially might work with.
[00:29:15] So having more detail in the SSP about how the organization goes about accomplishing the tasks and how they call out to the policies and procedures, I think shows the maturity of how they're doing things. And then equally in the CRM, if they go into the appropriate level of detail of responsibility, right?
[00:29:38] So it's the CRM is the division of duties part, like you're talking about, that you go through and having the appropriate details in there to speak to that so that that document is more than just a checklist. It's something powerful. I think it gives you a glimpse into what type of relationship you're looking down the barrel of having with that organization. So you really want to look at those skeptically from the maturity perspective because that's going to show you how mature that organization is on the other side that you're going to potentially do business with.
[00:30:08] And to kind of like what you're saying is not just whether they have one, but what quality of the one do they have and what is the difference between those? And that's what you should really be looking for is that clear detail. Talk about the type of agreement that they might have with you. And like, can I see the verbiage of how that's working? You just, you really want to think about how they are.
[00:30:31] And then one great question to ask is like, can you talk to me about the architecture of how you do your documentation inside your system security plan? Just talk to me about your tactics of how you approach that. Like if they're like, I have a system security plan. Like if they can't even talk to you about the tactics of how they did it, then chances are they probably didn't have the tactics. They just created a document through some policies and it's just sort of a documentation grab bag.
[00:31:01] Like no, it's supposed to have good linkage and connectivity and there's thought to it. Whiteboard was involved in this process. And somebody with authority should be able to talk to you about that at that other organization. And if you can't find that person or that's not available, you know, I'm not sure. I 100% agree. And it's for all, like we said early on, right?
[00:31:25] It's for all ESPs, including the cloud service providers, whether they've got CUI and need to be FedRAMP moderate or they're just handling the security protection data, right? I still need to see that CRM to make sure that I'm configuring it properly. And even back to the auditing, if you're hiring, you know, if you're using a cloud SOC capability, right? They need to be able to tell you how do you inform them, right?
[00:31:51] How are you going to point the audit files to the right place so that you get the alert so that they're working with it? So CRMs are extremely important for all of those different pieces as well. Before we close out, Tom, could I ask you what are some, like if you had a specific like pro tip that you could give to somebody writing a CRM or just even something that you wish you knew, you know, before writing one, what would that be? What would you give to people who are listening?
[00:32:21] So I think, yeah, some of the things is back to what we've talked about is having a conversation, right? You know, maybe a great way to write a CRM is to have a note taker, right? And you're having a conversation, even if it's just the ESP, you're having a conversation with yourself and saying this is how we're going to implement this capability. And someone's writing it down. This is how we do this, right? That way it's just a conversation. It becomes more natural.
[00:32:45] So at Optic, we have created a CRM template that's freely available on our website to help organizations get started, and it has some of the best practices built into it. So it starts off by asking you what services are included in this CRM. Because it's not uncommon for an external service provider, or specifically MSPs, to have three or four different CRMs, right? Here's our standard CRM. But if you want SOC services, right, we can add this CRM to it. Or if you want this other service, we can add that too.
[00:33:12] So our template helps you capture what services, what are we talking about when we're talking about the CRM? What's covered with it? And then we go through a step-down process and working with organizations. When you look at 320 assessment objectives, it overwhelms everybody. So we give you the ability to tailor down what are the assessment objectives that matter so you can focus on those ones. I still think you need to come back, my personal opinion, you need to come back to those other assessment objectives and just say, Yep, I purposely didn't include this.
[00:33:39] That way, you know, from an assessor's standpoint, you don't give a CRM that only has, you know, 50 assessment objectives, which could be appropriate. Those are the only ones that you're doing. But if you list all 320 and say, but here are the 50 I'm doing, they can filter it really quickly and understand you didn't miss something by accident, right? So that's another practice. Yeah, I think that, you know, like I said, everything that we've talked about, hopefully everybody's taken to heart the conversation that we've had here,
[00:34:05] will help them generate, you know, an effective CRM so that we can enable those communications and not just have a document that, you know, we're using for meeting compliance requirements that really isn't doing any, it doesn't have any value. Yes, it's not just a checkbox, right? It's a tool. Yeah, it's a tool to use. Yeah, that's great. Right. Tom, where can people find you if, you know, if they're wanting like the resources that you were sharing today or just to contact you in general?
[00:34:34] So Optic Cyber Solutions website, we have a resource page where we have a bunch of resources to help you get started on your CMMC path. And of course, as an RPO, we're here to help organizations implement their capabilities. And you can reach me through our website or I'm always on LinkedIn trying to share information and keep, you know, everyone current in my community on some of the ongoings and things that they need to be aware of as CMMC continues to mature in and of itself, right, as we're going through the process. Yeah. Yeah.
[00:35:04] Well, Tom, thank you so much for joining us today and just sharing some of your wisdom with CRMs and SSPs and documentation. This is such a critical part that many companies, especially MSPs, are not used to doing in this detail. And it is so necessary to continue to talk about this and continue to encourage them to use these as tools to their advantage rather than just check boxes that they need to do.
[00:35:31] So definitely check out what Tom and Kelly are doing over at Optic Cyber Solutions and just their great videos that they have as well for resources. We'll link those below. And always, guys, tune in every Thursday for another episode of Climbing Mount CMMC. But until then, as always, keep on climbing. See you guys. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one.
[00:36:01] But until then, keep on climbing.