How To Pass CMMC The First Time
Climbing Mount CMMC, July 02, 2026
12
00:38:56, 26.78 MB

In this episode of Climbing Mount CMMC, Kaleigh and Bobby discuss the complexities of CMMC readiness and the importance of proper preparation for assessments. They share insights from their experiences as an MSP navigating the evolving cybersecurity landscape.

Podcast episode-The Game of Chicken with Lawrence Cruciana: https://youtu.be/NffcMSVnKUM

Podcast episode-The State of CMMC Today with Matt Travis: https://youtu.be/rzeumax1HqQ

Time Stamps:

00:00-04:52 Intro

04:53-11:20 The Game of Chicken

11:21-18:17 Marriage Counseling for CMMC

18:18-29:53 Comparing Apples to Oranges and Oranges to Potatoes

29:54-34:31 The Easy Bake Oven Approach

34:32-37:04 The Assessment Tango

37:05-38:55 Conclusion

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Boxing up by 6. Good job. What is it doing? Look at that. Hello Climbers and welcome back to another episode of Climbing Mount CMMC The Podcast. My name is Kaleigh Floyd and this is Bobby Guerra and we are a part of an MSP called Axiom

[00:00:28] that is CMMC Level 2 Certified and we are figuring out the CMMC thing. I think I said that one time before and I think it summed it up fine. Yeah. Because it's like we don't know it all. Like we don't know it all. We're not going to act like we do. It would be great. It would be easier for us I think if we did. It would be so cool. Yeah, that would be pretty cool. Comment down below if you know it all. No, they will. They normally do comment. You can't wait for your book to be released. Oh gosh.

[00:00:57] Well today what we're going to talk about is something near and dear to our hearts. We actually did this topic at CMMC Midwest. If you were there you heard us talk about it a little bit but we are very passionate about kind of understanding what ready looks like and the different types of CMMC readiness that we've experienced and honestly the different journeys or the paths that you can go down.

[00:01:23] So we've talked about this before but again we're learning and I feel like we have a better definition that I think that could be more helpful. So you might have been like oh guys you've already talked to this. I'm hitting next. Please don't. We've got some more. Yeah, if you really want to you can but you would not believe the stories that I have for you since the last time we've talked about it. I'm intrigued now. I want to hear it. Well, I mean for those of you who don't know we're in it.

[00:01:51] We're boots on the ground experiencing this. Bobby experiences it in a different way than I do. We have different perspectives of yes we're in the same company but we're doing different things. For those of you who want to know the specifics of it honestly why the crap not let's let's talk about it Bobby you know he's very much invested in the technical components of our clients scoping their assessments themselves. He's in them. He's experiencing those. He's speaking to them.

[00:02:20] He also made our whole SSP so he kind of knows about that a little bit. So he's really on that side of things the boots on the ground with those technical documentation components and going through them not just for us as the company that CMMC level two certified but also going through it with each of our clients to have to do it. So multiple different times in different ways and guess what they all don't have the same scope. Isn't that incredible how that happens? They're all different in their own ways.

[00:02:47] And then me on the other side is kind of doing the external facing things. So I talked to a lot of different C3PAOs about different things. I also talked to a lot of assessors about different things. I also talked to a lot of contractors that are either small or large that are looking to try to go down the path of CMMC and trying to figure this thing out. So talking to a lot of external companies that are doing different journeys and things like that. So I have that perspective.

[00:03:15] So it's honestly it's very fascinating the things that we've learned internally and externally even since we talked about this last. Right. Yeah. It's pretty nuts. So let's get into it. We kind of dialed in to five different topics that we want to talk about today. So the first thing is the game of chicken which we're not going to dwell on too much because we actually have a specific episode that talks about that where we add we had Lawrence on and he's wonderful.

[00:03:44] He's actually a competitor of ours but for those of you who aren't aware of it there's not a lot of us in this space. So even though we might be competitors I think there's enough business to go around so we don't have to freak out about that. The other thing that we're going to talk about today is marriage counseling for CMMC. Now we have talked about this in the past but we're going to have a different approach to it this time. Also comparing apples to oranges and oranges to potatoes and we'll talk more about what we mean by that. The Easy Bake Oven approach which is a classic approach that I'm sure actually many of you guys

[00:04:14] know of but haven't heard of it. I don't know if I've ever talked to anyone that actually liked Easy Bake Ovens as far as how they tasted. So comment below if you are one of those psychopaths that actually enjoyed the Easy Bake Ovens. I thought it was basically cheap imitation hummus on cardboard. Right. Then the last thing we're going to talk about is the assessment tango.

[00:04:39] Now we also have talked about this but boy do we have some more topics to talk about with assessment tangos that we've learned. And Bobby I might have to cut him off a little bit with that conversation because he's very passionate about that too. So let's dive into the first topic. The game of chicken. Like I said we're not really going to dwell on this because if you want to check out more about it we can put the episode down below where we get more into this.

[00:05:02] But Bobby do you want to explain kind of where you came up from this slogan and something that we are seeing time and time again and experiencing right now in the ecosystem. Yeah I think the ecosystem as we were coming in. So let's just rewind time for just a second to where 32 CFR was coming out and certifications could happen right. So the 2025 January 2025 certifications could start happening. We saw this big rush of companies go through to get their certifications.

[00:05:32] The number jumped up very quickly and then it went and what ended up happening is it was kind of like you had the line at the store ready to open and once the doors opened everybody ran into the store and then there was nobody there. And what you're starting to run into is there's just a lot of organizations out there that are playing chicken trying to wait to see when contracts are going to drop that are going to require them

[00:05:58] to have to get their level two to some capacity whether it be self-assessment or third party. And what's happening is a lot of them are getting they're losing because what's ended up happening is once they they don't serve fast enough they're going to have contractual requirements they can't meet and you could go in and do a self-assessment very quickly but you're also equally quickly held to account by the Department of Justice.

[00:06:26] And if they come in and DIBCAC evaluates and it's very clear you don't have an SSP, you lied on the fact that you had versions of SSPs because you don't, when DIBCAC shows up and, and they can tell that you have just straight defrauded the company, the country, because you're just hitting next so that you get done with that self-assessment. I don't think they're going to think that's very funny, and what a lot of companies are doing is they're looking down the barrel that also primes, right, we're seeing Elbit, Northrop Grumman,

[00:06:55] Deloitte, Leidos, Lockheed, Accenture. L3Harris. Yeah, there are a lot of them are now pushing down saying, hey, at a very minimum we want to see a self-attestation, we want to see what version your SSP is at, we want to see your POA&M and we want to see examples of those. Some of those even more than that. Yeah, some of them even more than that, and so it's, it's forcing these organizations that are like, okay, what happens if you don't like what we have? Well, we just won't pick you.

[00:07:21] So it has created a lot of drama and it's coming in different waves from different angles so the best thing you can do is just get certified as fast as you can do not wait until you hit the wall. Well here's another thing that I think we're seeing and this is another type of the game of chicken that we're seeing. So there are these companies that are like oh my gosh I have to get level two certified have to get level two certified got to schedule the time with my

[00:07:46] C3PAO got to get in the boat and row let's do it. They go and I think C3PAOs are getting more mature. Hopefully they're continuing to do that in phase one of an assessment where they come and evaluate the information and the data that the documentation that the OSC has in front of them has given to the C3PAO to then proceed and do phase two of the actual assessment. They come in and they give the

[00:08:15] documentation and the C3PAO says this won't do you know this is no bueno this is not good and they say try again later right and then they send them off and so I think that honestly there's so many companies that say you know F it like we've got enough. I think we've got enough and they just schedule it and they go to get started and they are like so far off the mark. I mean it's not even

[00:08:43] funny and then they realize Brit I have to back up and I have to figure out how to do this thing now and then when they figure out that they have to do it they realize oh this is going to actually probably take a little bit longer. Now some people in the ecosystem might argue oh it can take you know really short period of time. Guys it depends on what type of company you're dealing with and what type of scope because some of these people they have pretty wild environments that they're handling

[00:09:09] and they do not realize the craziness that is in front of them and so then they're playing this game of chicken. They went to go try to do their assessment. They're definitely not ready. They came back. Some of them have an MSP. Some of them maybe have one person in the organization that they said you're our CMMC guy. You've got this and they're like what should we do? You know they're like do we find somebody that knows more than than what we know about CMMC? Could we figure

[00:09:35] this thing out on our own? Do we pick a service provider that is CMMC focused? Do we think that our service provider now could do it? You know and they're like making this decision that seems to take a very long time sometimes. And my favorite game of chicken person is the one that says I am just the most perfect snowflake and the industry cannot survive without me so I'm not going to move. Oh yeah.

[00:10:04] Bring the mountain to Muhammad. I mean I've heard and had conversations with organizations like we're just not doing this. They're gonna have to just they're gonna have to bend to us. I'm like yeah. Because they're the special one? Because they're we're the way we work the way we operate or we're just our situations you're just like okay I'm sure let's go with that. Let's see how maybe that's gonna go. And I've run into and had conversations with some pretty crazy OSCs that are out there

[00:10:32] and their approach to it. Another thing that you can do is sell to your prime. If that's the case then just sell out. Just because some of these companies larger primes they're like we need more subs and they just don't care enough to try to get it done and but we need to be able to win these contracts so they're scooping up companies to try to bundle them into their compliance posture so they can get these contracts. And that's interesting as well. So I've heard rumors that we wouldn't be involved in that because once they got scooped up they're not going to want to use it. They're going

[00:11:01] to use whatever the upstream that you're just going to have compliance. Yeah because they're too cool for us after that point. It's interesting. Yeah that is interesting. Well if you want to check check out more about what we were talking about more in depth and with Lawrence as well make sure to check out the podcast episode below where we dive very specifically into that topic even more than we just did now. So let's talk about marriage counseling for CMMC. I know we've discussed this in

[00:11:27] the past so if you're a listener that has heard multiple of our episodes first off thanks for listening to us. It's crazy that you do that. Second you've probably heard us talk about marriage counseling for CMMC. For those of you who don't know we kind of describe this approach as you know you're a managed service provider and the OSC just shared with you hey by the way we do need this CMMC thing. You might have heard of it before you might not have. We do need it and we need to be level two

[00:11:57] do you think you can help us and that MSP because you know bless bless them they say yeah we'll help you and we'll figure it out. Sounds great this is awesome let's do it together. Yeah let's do it together and we've got it we're gonna hold hands and walk through it and I want to clarify. I would equate it to both of you deciding you want to donate a kidney. Whoa the same thing? You may not quite realize that but once you sort of get the brochure you sit down with the doctor they go through all the

[00:12:26] side effects someone is probably going to raise their hand and go ah that sounds terrible. I don't want to do that. Yeah and and you know I've said this before in the past but sometimes I think people hear us say that and they think that we're like bashing an MSP for doing that. Might I say you know for somebody who's really going in to this thing and and doing it full steam ahead working hard to get

[00:12:54] CMMC ready for their client honestly you're you're heroes you're true heroes if you're doing it right and you're doing this for a client. Not many would do all of this effort for one client or two clients like it's a lot and so I just want to be clear now for the MSPs that are like that are just spitting in a bucket and hoping that hoping that it goes in you know and doing it please be very careful and I think we

[00:13:19] have many episodes on this podcast that speak to why you need to be very careful about just winging this thing with your client because I think what Bobby said is you don't realize that you're actually donating your kidney as well. I think you don't realize how much you have at stake as well. Because we we slow boiled ourselves as we were kind of thinking okay we'll get we'll do this we'll get involved in it we can start to do this and as we start getting deeper into it we start realizing there's it's a much bigger commitment some of these tools have to go oh we have to change our

[00:13:47] processes we have to do this I have to have this knowledge I don't have this knowledge I need to go get it now I need to go pay for this oh we have different licensing we have to do and it's just cha-ching cha-ching cha-ching cha-ching it just keeps coming at you and if you haven't like gone all the way to end of the story and know how this thing goes and are fully prepared to be invested in it it's reasonable to get left at the altar if you're not careful there and that's just not it's not good

[00:14:14] you don't want to be there you don't want to be there as an MSP where your client dips on you and you've gone through because I've talked with with MSPs that have had that happen you know they've been working with their with their OSCs and they're like I want to get out of the space after we've seen what we have to do and I don't want to do it and they're like what what do we do they're like well I guess you got to choose if you want to continue on being able to support it it's

[00:14:37] not just MSP, both have the option to walk. Yeah, and so I want to take this perspective that we haven't necessarily talked on, but we're fresh off the conversation with Matt Travis when recording this, so if you're listening to this, we have, we have already posted that episode with Matt Travis from the Cyber AB, and we've talked about some of the things in the ecosystem that pertain to MSPs and some things honestly that he was like, wow, we didn't really think about the impact the MSPs would have

[00:15:07] on the space good or bad you know and positive or negative and he did you know he he did share they didn't really have a perspective of training specifically for us as managed service providers or preparation or you know or discussion groups or things like that that they thought that that we needed because they weren't really thinking about us well and their physical and their fairness like they had to focus on just at least getting the bar hit right which he means assessors and

[00:15:36] their attempt right their attempt to help people be prepared to support the industry was the RP and RPO which he said in the interview very quickly he's like we we've got plenty of ground to make up there yeah like I mean kudos to him for admitting that and they're going to try to but they've got a lot of fish to fry right now so that's on the pile of things to do for them I'm sure but they've got other other things they're working on but all of that to say if you're coming in as an MSP and you're trying

[00:16:04] to help a client get through this and you're like what resources do I have what if I become what if we become an RPO what if I go through my CCP what if I go through my CCA those are all really good things to go through but they do not speak to many of the challenges that an MSP is going to go through right you know I would recommend go to the conferences yeah find us find other MSPs and

[00:16:34] talk their ear off yeah don't be like hey can you set up a time out of your busy day to just sit down and counsel me one-on-one individually like it drives me crazy when people do that and some people I think get mad they're like well you have a duty to we're giving back through the podcast and we will talk to you at conferences and other things like because what people try to do is they'll be like well we just we just want to determine if we want to get in the space great go to the conference anyway

[00:17:04] and learn what it is spend the money invest the time go in there and put some time into it and then the other people that are already in there will respond to that but if you're like I'm not sure if I really want to be involved in it at all I feel I still feel like the right call is to go to the conference because just having a short conversation with me or anyone else in the industry is not going to be enough like you need to go to a conference and see what the ecosystems look like you can see other people and the challenges they have it really starts to make sense whether you do or do not want

[00:17:34] to be in that space. Go to CS5, go to one of those other conferences, it'll be well worth, I think, the time and knowledge and understanding, because then you can sit down with multiple different people, different C3PAOs, have lots of different conversations and really look at it from different angles. You shouldn't just trust one word for me or someone else, you really want to, and that's another reason why we just don't like doing those kind of one-on-one partner call type things to try to help people, explain to them, because it's just, that's even just our perspective. You go to the conference, you'll get

[00:18:01] a more rounded perspective that's my opinion yeah I agree and I've had many of those conversations with people yeah one person even tried tried to try to see if they'd buy us out by the end of the call I get that every week I know I said we like what we're doing we're okay thanks though another thing that I want to talk about I explain it as comparing apples to oranges and oranges to potatoes now here let's break that down by what I mean by that so comparing apples to oranges what I like to explain

[00:18:31] that as is comparing CMMC, coming from a managed service provider, comparing the CMMC to HIPAA compliance or ISO, I don't know, 27001 or, you know, or something like that. And I get it, you know, it's like it's tangible. Oh yeah, which is basically 53, because they're like, oh, it's RMF, it's cins. Yeah,

[00:18:58] you're like, it's funny, a lot of times people, when they go through the course, like some of the students that I have come through, it's harder sometimes for them that have had RMF experience because they're so used to the approaches around that, and it's different. It's not the same. And some people, when we say that, they're like, ah, you just think you're so much cooler because you know the CMMC, you're so much freaking cooler than us. I'm like, no, it's just I'm trying to explain that it's

[00:19:26] that it's just different. Yeah, it's, it's different in its own ways, and you can't just magically go into it and, because you've, you've helped somebody with RMF or HIPAA compliance or something like that, you just, like, you now know this type of compliance, like you just miraculously know it. It's not the same thing. So you have to, you have to learn those things. I mean, I don't know about you, but, but when I went into CMMC and I just said the word CMMC and I said I want to know this, I didn't just all of a

[00:19:56] popped into my head and then I just knew it. Like, I had to, like, actually figure it out. And so that's what, that's what I mean by that when I say comparing apples to oranges, is it's really not the same thing. Then let's get even more in depth and comparing oranges to potatoes. Not even, not even the same food group anymore. And what I mean by that is comparing somebody who is an MSP, which again, there's not

[00:20:23] many of them out there, an MSP that not just is CMMC level two certified but, but has gone through and gotten multiple clients CMMC level two certified and has, like, a full CMMC approach with their support,

[00:20:42] having that MSP versus a regular MSP, commercial, you know, company. And again, I am not saying that one is better than the other, because let me say, many commercial companies need MSPs and they don't give an f about CMMC and they don't want to pay those prices. So I get it, they need those MSPs that

[00:21:06] don't specialize in CMMC. But there, there is going to be a difference between those two providers, and I have talked to so many contractors that just don't get, like, they, they really don't, they're not asking the right questions. And I'm like, you've got to ask this, you've got to ask this, you know, like, because it's different. Like, you can't just go in asking the same questions. There needs to be

[00:21:30] differentiation, you know. Yeah, I think you, you sort of fall into multiple different buckets. The potato to the, what was it you said, potatoes and oranges, is that what you said? Yeah. And I think a lot of people go, oh, you're in CMMC, so you guys are like Summit 7. No, we're not Summit 7. Summit 7's not like other people. Summit 7 did a freaking over a hundred assessments, yeah, in the last year, guys.

[00:21:56] We're not that cool. Um, you know, we did like two, yeah, last year at the end of the year, and we probably going to have 10 this year. Now we're, we're ramping up to do volume, but that's going to take us this year to kind of be able to do that. I mean, I think we could do in a year or two, we could start doing 20, 30, 40, 50, 60, you know, we could really start, we start building the teams. I mean, really, we're really

[00:22:23] getting the process locked down. But okay, so let's talk about the difference between those. It's like tigers and lions, okay, still a cat. You know, bells around here somewhere running around, she hasn't, I'm sure she will. You know, that's a house cat, still a cat, still a feline, but not the same thing, not a lion. And, and so you can be an MSP that understands CMMC, you might be an MSP that is involved in the ecosystem because you've got one or two clients, you've got, you've got maybe somebody that's

[00:22:50] got a passion for it, you've, you've sat maybe one person in the CCP course, you sit down, you help a client go through and get CMMC certified. Great, awesome. That's not the same thing as Summit 7. That's not the same thing as us. It's a completely different cat, different experience, different situation. They met that organization wherever they're at and help them write specific documentation and other components. If a new client comes along, are they going to use that same document they use the other one? Probably not. They might try, but it's not going to work the same way because it wasn't

[00:23:19] written conceptually right from that perspective. And so then maybe they might bring on another client and they might do another one and they may, they may, they may just say, you know what, we're going to use all the tools in the client's environment so we can help clients do that. So you might have an MSP that's still in the ecosystem, but they are vastly different in how they operate between us, Summit 7, you know,

[00:23:44] Andy or Lawrence or any of the other guys that we know in the industry that would, that do these things. They're not the same. Those are oranges and potatoes. And so stop thinking we're all the same in that perspective, because we're in different journeys, you know. And, and I really think it comes down to two perspectives. Do you want to be an MSP that wants to be almost like a, you know, a Ferrari or custom type

[00:24:10] designer? That's, Ferrari sounds much cooler, but you know that the concept is you're going to make, Lamborghini, you're going to make a lot less cars. It's going to be custom, it's going to be built to that individual, but you're not doing some massive factory. We're trying to build like a Ford factory of moving a lot of clients through. We'll have variations and designs on it. We're going to take clients from not having a car to being level two, and we're going to be getting turned into burden

[00:24:36] and we're going to start scaling to do that. The level of investment for what you have to do to accomplish a scale process, the tools, the processes, the environment, is very different than the person that'll just meet you wherever you're at. Right. Okay. And they are not the same. They're not. And a lot of people don't get that, they don't understand that. They just assume, okay, you're doing CMMC and you're doing CMMC, so you guys have, no, we are not. Like, you could walk in the door, I can show you all the

[00:25:04] templates and the processes, I can show you the, the floor models that we're going to do, I can show you how we're going to build them and how we'll work through them, and if that fits for you, we're ready to go. Right. Right. Another company, going to work with them, well, let's just sit down, we'll do a gap assessment, we'll understand where you're at and we'll meet you where and we'll do this. You might have 80% of your documentation already done and they'll just fix it up, slap some butter on it, and it's good to go on the toast and they're ready to serve. Right. But we start from the beginning

[00:25:30] and we take you to the finish. We don't have options like that. So you see how that's different, and that goes to show you how those other people are just as important and needed in the industry, just like we are. And it's not one better than the other, they're just different. Yes, they're, they're different cats in the ecosystem doing their own cat things. Um, but they are not the same. I feel bad

[00:25:55] for the people with NeoSystems that got, I know, they got totally screwed over. Yeah. Um, we've had multiple organizations reach out to us and they're like, look, we're 80% there. I'm like, well, I don't know really if that's true. Um, I, I'm not sure about that, but I know this is our floor, this is how we operate. It doesn't matter what documentation you have, you have to use the process we have because they've been validated. Right. That's the reason why we're able to move so much more efficiently and so much faster

[00:26:24] with the clients, is we have, our team knows how to do those things, our teams know how to do them. We can support you and we can maintain you, yeah, right, for the years to come, because it's, our team has been trained on the system of how we operate. You know, if you're like, oh, this, we're over here doing this, using these other AVs and this other products, using these different policies, and we have our change management completely different, the way we work in it, like all that is completely different. Like, we're like this, you know, just, we don't, we don't even connect. But MSPs that are very custom,

[00:26:53] they have a few knowledgeable people in their, in their organization and they can, they can support those smaller quantity of clients. They can step in there and maybe fill that gap, but you can't take that and run that through a factory process. You just, those are two different things, they're just different animals. And you have to understand that's not going to be validated in the same type of way. And guess what, that's okay if you're accepting of that. If you know that

[00:27:18] and that's what you want to do, then there you go. But no there's a difference between a scalable, validated process of how we do things and the tools that we use and the way that we write our SSP and the way that we document and things we do. There's a difference between that in the custom car, you know. And so I'm not saying that you can't pass with a custom car. Tons of people do. They love their custom cars, you know what I mean? It's just, is it's different. You can't compare them. The challenge that

[00:27:47] I see is, and this is where I call out to the OSCs that are trying, and they were like, oh, you're a custom car builder, okay, that's fine. Call them out on this. Be like, how many MSP companies do you have and what's your plans? The MSP needs to understand what lane they're swimming in. We only going to do a few, like those custom builders. That process does not scale very well. You can't take option one, you

[00:28:13] can't take the Enzo Ferrari philosophy of building cars and scale that. You can't. They've tried. Like, you've got the factory process or you got this, but you can't blend the two together. It just doesn't work that way. And it's the same thing with MSPs. If MSP is like, oh, now we'll start scaling all to do this, but, but our clients are completely running in different ways and our service department has to process these things differently, and if you start scaling that up, it will break you. It will break

[00:28:41] your MSP. Don't do that. Like, you've got to understand which lane you're swimming in and know how, how this works. You can do a few clients and support them, MSP, and still have your general commercial approach if you play it right, if you're smart and you do it right and you can meet the client where they're at. There's a lot of options. We'll probably do some podcasts specifically about

[00:29:02] that someday. But you can definitely do it, but you can't scale it. Don't think you can and try. Yeah. Um, and if you're going to work with an OSC, if you're an OSC and you're going to work with them, understand what type of MSP you're working with. Is it, is it going to be more that customer, is it going to be somebody that's going to be scaling, that's going to try to do this? Because it has an impact, because if they try to scale that, then they're going to fail in your compliance management over

[00:29:31] time. They're not going to have a team and people that are going to be able to keep you compliant, and then you're going to have problems in year two or year three, because they, they got you through the, the first assessment and they're going to fail you later on. And keep in mind, DIBCAC can show up at any time and give you a 90 day notice. They'll come in and assess, so you don't always get to pick when those assessments happen. Yeah. Yeah. Yep. So another thing that goes hand in hand with that

[00:29:56] too is, um, the Easy Bake Oven approach. Um, I want to have it easy and I want to have it cheap. You know, an Easy Bake Oven, I mean, honestly, sometimes I feel like it's kind of hard to use, but it's supposed to be simplified, supposed to be easier, right? Less styles, looks pretty, it's tiny, you know, and it's a lot cheaper oven, oven than a regular oven. But I cannot make a Thanksgiving turkey.

[00:30:27] So this might come to a surprise to some people listening, but we do not jack up our prices to really get at these SMBs and get them out of business. You know, we really try our best as a company to think about what is the time that our team is taking doing these tasks for these clients. I, I can say it because I do it personally for our company as the person in charge of all the operations.

[00:30:55] I really think about, how long does it take for us to do this part? How much would that cost? Okay, how can we do this? We need to be able to stay afloat as a company, but we're trying to help the small businesses, right, the best that we can. We're not the Red Cross. We are not the Red Cross. Unfortunately, we are not. So we're trying to figure out how to do both of these things at the same time.

[00:31:18] It is not going to be cheap, but guess what, we're really trying to not make it, I don't know what an expensive oven is. I really don't know the types of ovens there are out there, but we're trying to make it like a, what, a Frigidaire, an LG? I don't know. Good, a good hoopty LG. Yeah. Just, just like another thing to think about, the risk, right? If I'm going to be a security guard and you're waltzing through

[00:31:43] a war zone, or if I'm going to be a security guard. Wait, hold on, back it up. I'm trying to follow you. Okay, you're a security guard and you're in a war zone. I'm escorting you through a war zone, or I'm a security guard and I'm escorting you to go get some water from the fridge. Those are two different risk levels, right, of my job. We're in a fridge? Yeah. I mean, hey, I got to cover while you're getting

[00:32:07] that water. You're good, okay, you know, you're good. But it's completely different, and, and the, the pay and the process has to be commensurate with those responsibilities, because when you're as an MSP stepping in that space support the client, there is a ton of possible ways we can fail. There's so much more education and training we have to do. There's a lot more risk. We have threat actors are thinking about what we do and how they come after, you know, it's just, it is infinitely harder. This is literally

[00:32:37] the hardest thing business-wise I have ever done in my life, and I've been running MSP for over 20 years. Um, it's just crazy how much harder it is to do it the right way, to care about it the right way. And, um, yeah, I mean, it's forced us to change an organization, to reorg how we do it. It's much harder to hire in this space. Um, hiring it as an MSP is always tough. I think any MSP will probably agree with me on that

[00:33:06] because MSPs, MSPs are natively different. They're, yeah, if you have somebody that's worked at Citibank or Merrill Lynch or some large corporation, right, and they've, they've worked in the enterprise space but all they did was SharePoint, they're gonna drown in an MSP, because guess what, we don't just do SharePoint stuff. You have to know a lot of different, we gotta know, yeah, a ton of stuff. You've got to have

[00:33:31] a lot of knowledge. You gotta understand firewalls, you gotta understand networking concepts and DNS and mail tracking and, you know, SharePoint and all the Microsoft suites and admin stuff and DLP. I mean, just the list goes on and on and on and on. So ton of depth and width, uh, through it. And so because of that, you can't just go pluck somebody out of enterprise space and think they'll be able to slide into an MSP and just rock it. Doesn't work that way. We've tried. We have. Yeah. I could not have

[00:34:01] said it better myself. I'm going through those struggles now. Yeah. Yes, Haley's taking over hiring for me. Yeah. Yeah, it's definitely no Easy Bake Oven, that's for sure. Um, yeah, I just thought about another thing. You know, you can't make a Thanksgiving turkey, but if we try an Easy Bake Oven, oh, could you imagine how raw that turkey would be? And you would get, can you get salmonella from turkey? That's not a lot of

[00:34:25] things from turkey. Yeah, uncooked. Rabies? I don't know what it is. I'll have to look it up. The last thing I wanted to talk about, okay, the assessment tango. We're running short on time, but I did want to touch on this, because I do think that if you haven't come to the conclusion as an MSP of how involved you are yet, you know, you'll hit that when you go into the assessment, because you have to, because they're

[00:34:52] going to ask you to be involved in certain ways. And so even if you haven't hit that wall yet with the OSC that you're working through, you're going to for sure when going through the assessment. Now, I talk to a lot of C3PAOs in the ecosystem, and many, many, many say one of the reasons and the factors that people don't get past phase one is their MSP is not ready. Let that sink in. It's not necessarily that

[00:35:19] the OSC does not have their stuff together, but there's a component called the MSP that does not have their stuff together. And that's pretty scary, at least in my opinion, from somebody who is an MSP that's going through this. Like, to be the reason that your client can't go through it, that's, that's an awful place to be, in my opinion. Would you agree, Bobby? Yeah, that would be, yeah, that's really bad. And

[00:35:45] I think also when you look at that tango process, we have a process where we try to teach up and train our clients, like, how the assessment is going to go. We actually prepare them. Yeah. We go through a validation process. We actually interview the clients like they're, they would be interviewed in the controls that they're going to do. We go through it, and, and it's part of actually the self-assessment process that we do for them, because we, we want them to be prepared, because we want to ask them the questions they're going to be asked. I do that, and it's amazing how a lot of times when

[00:36:12] even we go into that, they're not prepared, and they're like, oh, thank you for doing this. But we still have had some clients that still phone in. They're like, yeah, but the day that meeting before the assessment and they're going to walk in there, they're wide-eyed and bushy tailed. They're like, oh crap. I, I'm like, you know, we covered this, and we'll go through and prepare them and, and go through and make sure they understand those conversations, but their eyes are like, now's the time, and I really

[00:36:39] should have been thinking more about mentally being prepared to answer these questions and do these tango, right? We'll do it, it, and yes, your organization is a hundred percent prepared, but if you're not mentally prepared to defend yourself in battle, that's just different, you know what I mean? So you got to really take that serious. You got to take those opportunities when you can to have those, the preparedness. Yeah, I just, you can't, can't emphasize it enough. No, cannot emphasize it enough. Well, if you

[00:37:06] are listening to this, we've already had this happen, but we went to, uh, Pax8 Beyond and talked to hopefully a lot of MSPs about our experience. Oh, so you're doing time travel here. Yeah, we're doing time, we have not gone there yet, but the time you listen to it, we have. The time you listen to it, yes. Right, are you following me? Am I trying? Yeah. Yeah, we had a great flight. It was, I'm sure it was an

[00:37:29] incredible time. I met this guy, though, he was an absolute jerk. And, um, and yeah, no, we have not gone, but I'm hoping, and I hope that once watching this back later, that we have talked to many MSPs since then of just the experience. You know, we do continue to go to these conferences, and our main goal, honestly, from the conferences is not like, let's find clients, let's find clients. We're not really trying to do that.

[00:37:55] I mean, honestly, we'd love to talk to MSPs or people that are in OSC's companies that are doing this, that are trying to figure it out. We feel you. We feel that experience. Um, let's talk together. Um, just like Bobby said even at the beginning of this podcast episode. So if you are going to, uh, CS5 East, we will be there, and we'll also have a booth. And so I think that that will be the next place that we're going to.

[00:38:21] So that would be in October. If you're listening to this, hope we saw you at Pax8 Beyond, but if not, CS5 East, we'll be there, so make sure to come stop by. We'll have shirts there for free if you want to check them out. These are free? Those are free. And, and yeah, I'll be there, Bobby will be there. We'd love to see you. Um, we hope you enjoyed this episode of the podcast, and if you haven't checked out some of the other episodes that I mentioned in this episode, check them out at the link below. Everything's in the

[00:38:50] description. But as always, guys, keep on climbing. We'll see ya. Bye bye.