How We Prepared for Our CMMC Assessment
Climbing Mount CMMC, January 02, 2025 (episode length 00:37:50)


(Season Three Episode 1) It's less than 30 days from our CMMC Level 2 assessment and our MSP has done A LOT of preparation. We'd love to share our experience with all of you. We prepared our MSP to not only service ourselves, but also our clients. Axiom's goal is to be open and transparent with our audience and we hope you all get a lot from this episode.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC.

[00:00:12] Alright everybody, today we're joined with Adam. What we're going to be doing today is we're going to be talking about us, Axiom.

[00:00:20] Normally we have guests, we're talking about topics, but it's been a while, like maybe almost a year since we did kind of a barometer check where we told everybody about what we were doing, where we're at, about getting ready for Level 2 to be certified.

[00:00:34] And when is that assessment?

[00:00:37] I believe Phase 1 begins on January 6th.

[00:00:40] Yeah, so we are...

[00:00:42] Literally 30 days out. It is December 6th as of recording right now.

[00:00:47] Yeah, so 30 days away from what we're going to do.

[00:00:50] One of the things that we just pride ourselves about our podcast is we want to be very open and transparent as much as we can about our journey, as well as bringing on guests and having other people talk.

[00:01:00] We thought, let's just spend just a little bit of time in this episode just kind of being very open about what we've been experiencing, what's kind of gone through.

[00:01:09] And this should hopefully help MSPs that are thinking about trying to take that journey as well, as well as companies that are going to be hiring MSPs.

[00:01:18] And what should it look like if you're going to be engaging with an MSP that has gotten themselves ready to be assessed for Level 2 or support people that are going to have a Level 2 requirement in their DFARS.

[00:01:30] So let's kind of get into that first. What do you say?

[00:01:33] That sounds good, because I think the last time...

[00:01:35] Because we've kind of done this a little bit before, but our first big one we did was about this time last year.

[00:01:40] Right.

[00:01:41] Then we did another one in the summer after we did our assessment with our C3PAO.

[00:01:45] It wasn't a JSVA. It was more of like a mock assessment, just readiness assessment.

[00:01:48] Yeah, let's talk about that.

[00:01:49] So we were so pumped after we went and had that.

[00:01:54] Not everybody might be aware of what we did in August.

[00:01:57] So walk the people through kind of what we did and then what we covered in that last meeting in August after we...

[00:02:05] Yeah, so in short, we had our C3PAO come in and do an assessment against all 320 assessment objectives, looking for evidence, doing the interviews, treating it as if it was our actual assessment.

[00:02:16] Right.

[00:02:17] But obviously, 32 CFR hadn't been finalized yet, so it wasn't officially official.

[00:02:21] And the CAP wasn't out yet either.

[00:02:23] Yeah, didn't have the CAP.

[00:02:24] So at the time of this recording, still the CAP hasn't come out, so we're not exactly sure.

[00:02:27] Yeah, 10 more days.

[00:02:28] Yeah, yeah.

[00:02:28] Count them down.

[00:02:29] Yeah, yeah.

[00:02:30] When we've mentioned to people that we had a C3PAO on us, immediately people are like,

[00:02:34] but they can't do your...

[00:02:35] Because they did consulting.

[00:02:36] They can't be your...

[00:02:37] They didn't do any consulting.

[00:02:38] Yeah, not our consultant at all.

[00:02:39] Yeah, they're not our consultant.

[00:02:40] In fact, we've used Kiri for our consulting and they've been amazing.

[00:02:43] Yep.

[00:02:44] We also had Brian help us in working some things.

[00:02:47] Brian Hubbard, in case you guys aren't sure about who he is.

[00:02:50] Jonathan over at Kiri has been hugely helpful.

[00:02:53] And of course, Amira has been very helpful for us in helping us understand and build our scope.

[00:02:57] So we've worked very closely with them and they've been instrumental in our journey.

[00:03:00] Yeah.

[00:03:01] Yeah.

[00:03:01] And our C3PAO is not one of those consultants.

[00:03:03] Right.

[00:03:04] Exactly.

[00:03:04] He came in.

[00:03:05] We went through all the controls and objectives and it was, you know, A, met, not met.

[00:03:11] Fortunately, we came out the other side of that with everything being met.

[00:03:14] Right.

[00:03:14] So perfect score.

[00:03:15] Yeah.

[00:03:16] And we were really nervous.

[00:03:17] I mean, we had high expectations, but I mean, we're human.

[00:03:20] We're not perfect.

[00:03:21] So we didn't really know what that's going to look like.

[00:03:23] And again, even though we've got a perfect score in August, doesn't mean that necessarily

[00:03:27] we're going to get a perfect score in January.

[00:03:29] So we're taking it very serious to try to get ready.

[00:03:31] But after we got done, we were jazzed.

[00:03:34] Right.

[00:03:34] We were like, let's do a podcast and talk about what it was like and what it was like

[00:03:38] getting ready.

[00:03:39] So we thought, let's do this episode and talk about what it is on this side of the audit.

[00:03:44] And then after we have it, we're going to do another one to talk about it again.

[00:03:47] So when we did our kind of like after action conversation in August, the focus was really

[00:03:55] a lot about what steps we took to get ready.

[00:03:58] And we did kind of that readiness review where we had that sheet that we got from Amira.

[00:04:04] We also have had Vince Scott come on and he actually had this great document that he

[00:04:09] provides free of charge that goes through the readiness review as well.

[00:04:13] And we just dropped that this Thursday, his podcast where he talks about doing a readiness

[00:04:18] assessment for yourself, which was such a great episode.

[00:04:21] And I learned a lot through that.

[00:04:24] What are you thinking about Adam?

[00:04:27] You personally, I haven't, I haven't, he doesn't know I'm going to ask him this question.

[00:04:32] The biggest challenge as you're coming into this, what's, what is, what are concerns that

[00:04:37] you have like that you've spent a lot of time focusing on?

[00:04:41] So I think our big ones really is when we went through our assessment, we, you know,

[00:04:45] we were very happy with our score, super pumped about it, but we, you know, our culture and

[00:04:49] who we are, we're not happy with that.

[00:04:52] We always think of what can be better.

[00:04:53] So as we were going through our assessment, we were taking notes of, you know, we had to

[00:04:58] spend more time answering questions around this specific AO.

[00:05:00] Maybe we could have written our SSP statements better.

[00:05:03] Or as we were going through our readiness, we made notes of this process, this practice,

[00:05:07] et cetera.

[00:05:07] It wasn't as good as we wanted it to be.

[00:05:09] We realized it could be better.

[00:05:11] Right.

[00:05:12] Because if we look at compliance, like compliance is the minimum set of rules that you have to

[00:05:15] operate by.

[00:05:16] How we operate by those rules and how we define them, we've got some flexibility here and there.

[00:05:21] So we looked at some of those things and said, we can do better.

[00:05:24] So we spent the last several months figuring out how to do better, making improvements to our

[00:05:30] documentation, our SSP, but also thinking about it more of how we're handling it for clients.

[00:05:36] Right.

[00:05:36] Yeah.

[00:05:36] I love the fact that we didn't sit on the laurels that even though we got a 110, we immediately

[00:05:41] said, how can we write the SSP better to incorporate inheritance?

[00:05:46] So we went through and rewrote all of that in that guise, in that perspective.

[00:05:53] And I think it's, I couldn't have been happier with the results of how we've had that turn

[00:05:56] out. But again, because we're making those changes, it opens up the opportunity for some

[00:06:01] risk in our January assessment. So I guess that's what you're referring to is those concerns

[00:06:06] of making that rewrite.

[00:06:07] And not to mention the clarification that we got from 32 CFR on some of the asset classifications.

[00:06:14] Right. Yeah. Right.

[00:06:15] You know, in our structure, we definitely had some reclassification that had to occur.

[00:06:20] Right.

[00:06:20] What was something that you felt that 32 CFR perhaps made you kind of have to think, okay,

[00:06:26] how we might want to re look at whatever that might be?

[00:06:31] I think a big one was security protection assets.

[00:06:34] We've had a lot of conversations around our own scoping and saying, is this a CRMA or not

[00:06:39] CRMA, is this a security protection asset or not?

[00:06:42] Right.

[00:06:42] Or is it more a CRMA? Like, where does this fit into the, you know, our scope and trying

[00:06:47] to figure that out? Because we initially had seen 32 CFR and they mentioned, you know,

[00:06:51] assess against, you know, the objectives, you know, relevant to the capabilities provided.

[00:06:55] They had left some stuff out initially at that time that made us think like, okay,

[00:06:59] could we use maybe a third party vendor tool to fill a role in us as a security protection

[00:07:04] asset? And does that have to be FedRAMPed and everything? You know, we were debating

[00:07:08] whether that was the case or not, because 32 CFR when it came out, didn't have that.

[00:07:11] Well, I think one of the big things is fortunately, we still erred on the side of caution.

[00:07:15] Yeah.

[00:07:15] It didn't go gung ho into, you know, a shopping spree at the last IT conference or anything

[00:07:19] like that. We said, no, we'll, we'll be measured about it. And that actually paid

[00:07:23] off once again, because at a DoD town hall or Cyber AB town hall, the DoD clarified your

[00:07:29] security protection assets, if they're cloud-based, still must be FedRAMPed.

[00:07:33] Yeah. I mean, he said the way that he interprets, I believe is the word the gentleman said when

[00:07:38] he was on the town hall call, you know, how much weight that conversation had during that

[00:07:46] question being answered by him. I think it just, it does open the door to that perspective that

[00:07:53] the DoD may take. And as they continue to answer those questions and provide additional validation

[00:07:58] of that perspective, time will tell. But it does go to show that, you know, MSPs have a real danger

[00:08:06] for the vendors that they're engaging with, that they're introducing into their clients. And we

[00:08:11] have to take that, that very serious. 32 CFR definitely helped provide some clarity to some

[00:08:18] extent there and open the door to trying to possibly use some things that might not be FedRAMP,

[00:08:23] but it did also additionally open the door to the responsibility of them being transparent

[00:08:27] and being open. And we found in our journey with working with vendors, that's usually not the case.

[00:08:32] They aren't very transparent. They're not very open. They don't share that kind of

[00:08:35] information. And thus you could bring a client into jeopardy by introducing a product that you

[00:08:41] can't necessarily verify when it comes time during your audit. And that could be a real bad day for

[00:08:45] your client as well as for you. Yeah. And I think that raises up a good point. So when we go back

[00:08:49] to our conversation that we had around this time last year, what we're doing, where we're going from

[00:08:52] here. One of the big things that we looked at was how do we write stuff with ourselves in mind,

[00:08:58] our clients in mind, all the fun stuff there. And we started off trying to do everything all at once.

[00:09:03] And we very quickly realized, you know, we blew three months and we haven't even left the access

[00:09:07] control domain. You know, going right down the list, we're like, we are way behind schedule of

[00:09:11] where we need to be. So we essentially had said, well, let's take the client stuff and punt on that.

[00:09:16] Let's get our assessment stuff done first. Well, we circled back after our assessment to say,

[00:09:21] okay, what can we do for our client side of stuff now? So over the last couple of months was

[00:09:25] basically writing all that, right, right. Building out and redefining that shared responsibility matrix

[00:09:31] and how we're going to handle, you know, 3.1.1 Bravo, 3.1.1 Charlie, you know, et cetera. And putting

[00:09:37] that down in our responsibility matrix, but also writing some SSP statements around that. So that way

[00:09:44] we can again, build out more of that inheritance. So when we say in our SSP, you know, 3.1.1 A,

[00:09:51] do we inherit anything from Microsoft on this one from their FedRAMP perspective? We do? Cool.

[00:09:57] Great. And for reference for the people listening, I'm just picking a random control and random

[00:10:02] hypotheticals. This is not consulting advice or anything of the sort. So then we'd go, okay,

[00:10:07] how do we implement 3.1.1 A? We've got these policies that govern this and these procedures.

[00:10:13] We've got this technical implementation for this here. Here's how we would support this for a client

[00:10:19] environment. And that's written in our SSP. Yes. Which I love because we're sending a clear

[00:10:25] message into the future, right? Time traveling that when our clients get assessed and they have

[00:10:33] to then look at our SSP, even though we all have a level two, we still expect to provide that SSP

[00:10:39] to our auditor for a client to review just because they probably want to validate our scoping is

[00:10:45] legitimate and how it relates to how we're supporting our client. Because they're going to

[00:10:50] look at the client SSP. And I love the fact that you rewrote the client SSP at the same time. Like

[00:10:56] we have basically have both SSPs in lockstep and how they relate back to each other through that

[00:11:00] matrix. And that was no easy feat, man. I have to say, I was really impressed as you went through

[00:11:05] and rewrote that. That was great.

[00:11:06] It's been very interesting and I'm glad we did it in the way we did too. It all worked out in the end

[00:11:11] because like Bobby mentioned, our SSP structure, do we inherit from a third-party vendor? If yes,

[00:11:17] here's what we inherit based on their SSP and their responsibility matrix. So key takeaway on that one,

[00:11:23] when engaging a third-party vendor and bringing them in, even if they have their FedRAMP moderate

[00:11:27] or FedRAMP high ATO, what are they still doing? So if it's relevant to what we do, in this case,

[00:11:32] we'll use Microsoft for a GCC or GCC High environment. We would say Microsoft per their FedRAMP

[00:11:39] SSP implemented 3.1.1, you know, AC1, you know, correspond or correlate the controls together

[00:11:46] and then say, if they are fully responsible for it, we'd say Microsoft is fully responsible

[00:11:51] or Microsoft is partially responsible per their statements here. And then flesh out ours from

[00:11:56] there. We get in the client perspective, says, you know, we, we at Axiom will support our client

[00:12:01] for this control in this way. We are responsible for these items. The client is responsible for this.

[00:12:07] Switch over to the client SSP, inherited statement. We partially inherit aspects of this from Axiom and

[00:12:13] their system security plan and their shared responsibility matrix. Axiom does this and this

[00:12:18] and this, and we are responsible for this per their matrix. Then it gets into their policies and

[00:12:25] procedures. We may have an assessor that says, nope, I want Adam in this meeting for this assessment to

[00:12:31] answer everything. They may, emphasis on may, be able to look at that and go, Axiom is level two.

[00:12:38] They provided an SSP. They provided a responsibility matrix. It's documented on the client's SSP.

[00:12:44] I don't need to talk to them. I just need their evidence. Right. Right. Because that is one thing

[00:12:49] we are very much prepared for is if they want to talk to us for every control and every AO,

[00:12:54] we're ready. Yeah. We know we're going to have to provide evidence. So we're ready for that too.

[00:13:00] We can generate and prepare our evidence packages. But the big focus that we're really making is how do

[00:13:06] we make this easy for the assessor, transparent and clear for the client while also mitigating our own

[00:13:11] risks and defining our practices for those clients. So when those clients come up and say,

[00:13:15] we want to do this, we can say we've thought of that already. Well, and our goal to be able to allow

[00:13:22] them to be feeling like they don't need to talk to us is just marking controls met as much as possible

[00:13:28] to speed up the assessment process. But yeah, with high confidence that we've, we've met those controls

[00:13:33] because they look at our statements and our evidence and says, everything matches. I don't have any

[00:13:38] concerns here. This all makes perfect sense to me. If they do have a legitimate concern, again, we want to

[00:13:43] be there. We want to listen. We want to have that conversation. Cause we, in our, like in our

[00:13:47] preparedness. So for, for a situation, like if we have a client and they're coming up on their 30 day,

[00:13:53] right? Then it's the, you're, you're preparing the package pieces that you're going to do as well as

[00:13:57] do coaching with the client. We're anticipating every client that's going to go through their

[00:14:01] assessment. Our objective is not to be there. Our objective is to be there just that when it comes

[00:14:07] time that we have to speak as little as possible as well as our client, because they're able to

[00:14:10] inherit as much as they can from us, knowing that they're not going to be able to do it all.

[00:14:15] And our objective there is to try to coach and get them ready because obviously there's going to be

[00:14:22] some parts that they'll have to talk through because we're not going to do their background

[00:14:25] checks. We're not going to do their door controls. Those are things that they have to do and they'll

[00:14:28] have to speak to that. But the technical controls absolutely will fall on our plate. And if we can

[00:14:34] speak as much as we can, the less that the client, because that's not what they do for a living

[00:14:38] is having to engage on that, the better it is for them. So our objective there is not to

[00:14:44] be as little involved in the audit. We want to be as involved as we can in the audit, but we just

[00:14:49] don't want to have to be part of that conversation if we can just let our previous assessment speak for

[00:14:55] us. We're not going to know 100% how that's going to go until more precedent has been set and how much

[00:15:02] and how little that process will go. Do you have a theory about how you think that's going to go?

[00:15:06] Just kind of like Adam's foreshadowing, foretelling. How much do you think they'll allow or C3PAOs

[00:15:14] will allow? I think we're dealing with a little bit of a numbers game. Extra behind the scenes here,

[00:15:21] we just wrapped up a conference called Seek East and we did our pre-days. What were our pre-days?

[00:15:28] Bobby, you were in a CCA training. Yeah, I did the CCA training. And I was in the CCP training.

[00:15:32] Right. So one of the key things from that is, you know, as assessors, we're looking to pass

[00:15:37] people. We're trying to find those reasons to pass. We also want to make sure we don't have any

[00:15:41] outstanding concerns. When we look at the number of assessors in the ecosystem right now, and we look

[00:15:47] at the number of organizations that will need to be assessed and certified, those numbers don't add up.

[00:15:53] Yeah, for sure. We've got a serious supply problem brewing. Which means the more I can do to make the

[00:16:03] assessor feel confident in what I'm doing and reduce any concerns, the faster they can get done with my

[00:16:09] assessment and move on to the next one. Yeah, right. So again, we want to be there the whole way through.

[00:16:15] We want to be able to ease any concerns, address any issues. If something is not met, something's not

[00:16:21] met. If we have a disagreement on something, whether it's met or not, we want to be there to be able to

[00:16:26] argue on behalf of our client to support them in their journey. But we want to make it easy for us.

[00:16:30] You know, we want to be in and out as quick as possible, get the job done, make the assessor happy.

[00:16:36] Think going to the airport security line. The more you've been there, your shoes are off,

[00:16:42] your jacket's off, your bags are set. You can be in and out of those lines pretty quickly.

[00:16:46] If you're standing around, shuffling around, you know, acting a little weird,

[00:16:51] you might get randomly selected and that draws out the time and no one wants that process happening

[00:16:55] either. Same process with the assessment. We just want to be in and out, done, make the assessor happy,

[00:16:59] get the clients through their journey and get on with it. Yeah, we've talked about it before.

[00:17:05] Our belief is that if they're, like for us, an MSP that's level two assessed and has their level two

[00:17:15] assessment, it does not mean that you get a pass on the technologies you support. Right.

[00:17:23] If, for example, let's say that we're supporting the client's SIEM and they have their own SIEM that they

[00:17:32] will speak volumes that we've got level two and that even if we're doing it the same way that the

[00:17:36] client has, but if it's theirs, they're going to want us to prove it and it doesn't matter where we

[00:17:43] have a level two. They're going to want to look at that evidence and see how it's being done.

[00:17:47] But if it's services that we're bringing from our assessment that we're providing that has already

[00:17:53] been assessed, we feel that in that situation, the level two certification should carry that forward.

[00:18:00] Do you feel that that's the case as well? I mean, right, that's sort of where we, I believe we feel

[00:18:05] Yeah, and something that we're trying, this is a little bit of a novel concept for us, so we don't

[00:18:08] know exactly how this is going to pan out just yet. It may work out where the industry looks at that and

[00:18:13] goes, that's lightning in a bottle right there. That's great. Like, let's work with this more and

[00:18:18] mature this. Or they may look at it and go, that's cute. I don't care. I got to ask you questions

[00:18:22] anyway. But what we're thinking through is what I like to refer to as operational inheritance.

[00:18:28] We define out in our policies, procedures, SSP, we're saying that Axiom is responsible for doing,

[00:18:34] for the work involved with this practice. So if you look at something like audit management with

[00:18:39] their SIEM that may live in their environment in Sentinel, the client's not going to have access

[00:18:44] to that to be able to do that because they're a small medium business. You're talking about the

[00:18:47] theory of how if you have the same operational process that we had for our audit, that we apply

[00:18:56] to our clients, that in theory that should be inheritable. Is that what you're going to say?

[00:19:00] In theory.

[00:19:01] In theory, right. I agree with that and I think that's a really cool concept. This is where I think GRC tools

[00:19:06] could really help in this. If you're able to have a GRC tool that says, here is our SSP, here's our

[00:19:13] matrix, here's our policies, here's our policies naturally inherited to our clients that dictate how

[00:19:19] we operate that which got audited however many months or years before. Our cat likes to come in

[00:19:26] and out. That's what you're seeing the door open here. Yeah. If you're watching us on YouTube,

[00:19:30] that's, it's not a ghost. It's our cat that comes in and out. So in that situation, the, in theory,

[00:19:42] I think a good argument could be made that if it's the same process that you follow for yours that got

[00:19:48] audited and how you're doing it and those policies are the ones that the client has adopted, some or

[00:19:53] portions of that process could be inherited. That seems reasonable to me. Yeah. And again, but key words,

[00:19:59] who knows? Theory. Theory, right. And the thing is, assessor discretion. Yeah, for sure. An assessor

[00:20:06] could look at this and go, oh, you're saying you do that you follow the exact same procedure?

[00:20:11] Yeah. Can we see the procedure? We described it in our SSP that was assessed. Okay, well, we want to,

[00:20:17] okay, can we see evidence? We're ready to cite that evidence still. We're still ready to participate

[00:20:22] in that entire process. Yeah. Work through it, et cetera. The client, we all still have some procedures.

[00:20:27] That procedure may say, contact Axiom and Axiom follows a procedure. Right. We can provide one of

[00:20:32] our internal procedures for a client audit if we need to. Like we're still ready to have that fight.

[00:20:36] But assessor discretion. If an assessor is happy with that and feels that that meets the controls

[00:20:41] and validates that theory and approves that theory, awesome sauce, I'm happy. Yeah. If an assessor says,

[00:20:46] I don't quite buy that. I'm not quite subscribed to that. I still want to go through the full process and

[00:20:51] get all that information out. I'm fine with that too. At the end of the day, as long as my client,

[00:20:56] you know, meets their objectives, they pass their assessment, I'm a happy candidate. Everybody wins.

[00:21:01] Yeah. Let's switch gears. So let's, let's talk now more focused on the fact that we're looking

[00:21:06] down the barrel in less than 30 days or 30 days ish of having our audit. Walk me through. I mean,

[00:21:12] I, I know what we're doing, but people who are listening, don't like walk us through

[00:21:18] what we're trying to do to get ready for in this last 30 days before we're going to get audited.

[00:21:22] Just walk, walk through some of the things that we're trying to do to, to get us ready. And I think

[00:21:26] in general, those would mimic exactly for a client. Yeah. We're in our final stuff. We just had our CAB

[00:21:33] meeting right before this recording. One of my reminders was, hey, if we've got open change requests,

[00:21:38] we need to get those closed up. We need to make sure they're looking good. We're doing our final

[00:21:43] sweeps through our documentation to make sure that we've updated everything we want to update.

[00:21:47] We are going through performing another full self-assessment as our readiness. Last thing we

[00:21:53] want to do with an update is forget to update a document somewhere. And we don't have evidence

[00:21:57] to support something. We're also looking at our, our maintenance checklist to make sure that we've

[00:22:02] executed everything on the schedules we're supposed to do. And the quality of our evidence is where it

[00:22:06] needs to be doing a little extra above and beyond, you know, quality control above what we already do.

[00:22:12] Making sure the team is ready to go. They're preparing appropriately.

[00:22:17] And then, right, we're, we're also, once we've gone through that assessment and I, and I, I think that

[00:22:23] that document that we took from Curie that is your, the prep, and then we then added some additional

[00:22:30] fields for us on how we operate. Really became our, our cheat sheet during our audit.

[00:22:35] Yeah, we, we told our, uh, cause we had that for our August audit. Um, we told our assessor,

[00:22:39] like if, if you really wanted the luxury to our intent with this document is for you to look at

[00:22:44] this document and be able to use the sole spreadsheet and come away with an assessment.

[00:22:50] Yeah. Like a completed assessment, because we did our interview statements,

[00:22:54] our examine, you know, statements, our test statements. We had our screenshots all in there,

[00:23:00] our procedures that we would follow through for testing. So as our assessor said, how do you implement,

[00:23:04] you know, 3.2.1? We'd go, oh, we've got this policy and this procedure and everything. You'd go,

[00:23:09] okay, can you show me evidence of that? And we're sitting there and we're like, yes, here, here it is.

[00:23:14] Next question, please. Yeah. If you had to do a test, it's like, okay, um, can I see a test up

[00:23:19] there? And we're already like, yeah, here's the start of the test ready to go. And that was a nice

[00:23:22] other dynamic that we had there is I would usually handle the interview portion and provide that stuff.

[00:23:28] Bobby's pulling up the test and has the test ready to go. Right. Or if it's something that he's

[00:23:32] responsible for, he's handled the interview and I've got the test ready to go. So when we did that

[00:23:38] assessment, our goal was really to answer those questions as quickly as possible and sufficiently

[00:23:44] and then shut up. Yeah. And another thing that was hugely helpful is we, we contracted with Brian

[00:23:51] to use a cert, like just for a few hours to have him like test us through a few of those controls so

[00:23:59] that we could get good at that dance. And if you've never gone through that dance in an audit,

[00:24:05] if your MSP has gone through it, they should coach you through that to get you ready because

[00:24:10] you've got to know how that's going to work. If you haven't gone through it before, it's just like,

[00:24:14] you know, in any law case or whatever, if you're going to go on the stand, the attorneys are going to

[00:24:18] help prepare you for what those cross examinations might look like. And it's going to be to some extent

[00:24:22] the same way for your audit. You've got to get the people that are going to be communicating

[00:24:27] comfortable with what they're going to say because you don't want them to get in front of an auditor and

[00:24:30] say stuff that the auditor cannot ignore. And they're saying it in a way in a negative light

[00:24:35] that could jeopardize your success of your audit. You don't want to do all of this hard work and be

[00:24:40] on the one yard line and then fumble and fail your assessment. That's a very, very bad day.

[00:24:45] But you do want to do that practice internally too, because you find those people and you say,

[00:24:48] okay, how do you do your, your physical, you know, your, your monitor visitors? And they go,

[00:24:53] oh, well I do this and this and this silence. Oh, and let's say go through the loading bay dock door.

[00:25:00] That is, and then you're sitting there as the MSP or the, you know, consultants in this process going,

[00:25:05] what did you just say? Right. Yeah. So you need to identify that of course in your readiness stuff,

[00:25:09] because if something would trend not met, you need to address that of course. Yeah, for sure.

[00:25:13] But you know, our, our thought process, we went through our assessment with our, our auditor.

[00:25:17] Our auditor was just like being deposed in a court case. You answer the question and nothing else.

[00:25:24] Yeah, for sure. But, and that's the key thing that helps out because that also gives the auditor

[00:25:27] time to write down the notes of their questions. Think about other stuff and you, they, you know,

[00:25:32] they get the, they get to decide whether or not your answer is good enough. They can plan their next

[00:25:35] steps, et cetera. But also remembering if you don't say something, you can't necessarily get a not met

[00:25:43] for not, you know. Right. They could ask more questions. Yeah. And that's exactly what you want. If they

[00:25:47] have more questions, they are supposed to ask those questions to figure out if the control is met or

[00:25:51] not met. And that's the reason why we have that guide is that you just can read off like, especially

[00:25:55] of the client, they can just read off that section that they're responsible for. And at that point,

[00:26:01] they should have said everything that needed to be said. And then you can stop talking. And then if

[00:26:05] the auditor has other questions, then they could inject that at that time, but nothing more, nothing less.

[00:26:11] Yeah. It was the, if that answer is sufficient and adequate, then no need to ask another question.

[00:26:16] Again, if an auditor doesn't have a concern, wants more info, that is what they're supposed to do. They

[00:26:19] have to ask those questions. But so let's talk about the documentation preparation and the sending it to

[00:26:26] the auditor for the C3PAO. Those, the mileage will vary with different C3PAOs and how they'll be able to

[00:26:32] receive it. The, you might could use a GRC tool. I've seen some of those go in some weird ways because of

[00:26:40] the fact that sometimes the GRC tools allow a lot more access for the auditor to see information that they

[00:26:46] shouldn't see, because you don't want to give the auditor any more than they need. You want to like

[00:26:51] keep things very laser focused and have the story very clearly defined that you're going to tell them

[00:26:56] and you want them in and out of your environment. But in that's, in that light, uh, what type of

[00:27:02] information and then how are some ways that you can interact with the auditor? I mean, obviously we've,

[00:27:08] we've done this before and, and, but I just, I'm, I, I just want to, I think it's very valuable for

[00:27:13] people listening to hear different approaches on how we do that and, um, what you might want to try to

[00:27:19] get together, uh, in advance for your audit when you do that phase one where you pass the documents to

[00:27:24] the auditor. So what we did is obviously the main, the big main important document was our system

[00:27:29] security plan. Um, we also provided over that, uh, self-assessment as we were going through that,

[00:27:39] we also made a list of all the documents that we cite in our system security plan because we knew we

[00:27:45] needed to be, you know, potentially be able to provide those as well. So we zip that up, we put it in a,

[00:27:51] uh, you know, special SharePoint library that we made just for our audit with external access for

[00:27:56] our auditor to come in and take a look at that. Um, cause the big other key thing too is, you know,

[00:28:00] going through the assessments, they may have to go on site for an assessment. Well, we're fully

[00:28:03] remote. We don't have any physical offices in scope. The closest thing to a physical facility we

[00:28:08] have is a Microsoft data center. Right. And our, our assessor is welcome to go to the Microsoft

[00:28:13] data center, but I don't think they're going to get terribly far in that process.

[00:28:16] No, right, right. Um, which of course a good example, we inherited our physical security controls

[00:28:21] from Microsoft per their FedRAMP, you know, SSP. But anyway, to that point, so we, we collected

[00:28:26] anything that we cited, put that together and said, here's everything you need. We walked

[00:28:31] through that. We even wrote a nice little cheat sheet of if you're looking for a procedure,

[00:28:34] it's in this folder. If you're looking for a policy, it's in this folder. Right. If you're

[00:28:38] looking for evidence from our self-assessment, it's in this folder. Right. To which of course our

[00:28:43] assessor was like, that's cute that you still have that evidence and everything. That's great.

[00:28:46] Well, I'm glad you have that. Um, I still need you to show me again, but that was a,

[00:28:50] for sure. Yeah. A point in time for when you did it. I need a point in time for me doing it. And my

[00:28:54] point of time is right now, show it to me live. Well, and I've heard some division here for auditors.

[00:28:59] I've heard some auditors that if, if you've prepared it and you've done it and you, and you say that you've

[00:29:04] had these screenshots I've, I've heard in certain situations where they'll take it. And I've heard other

[00:29:10] auditors say, no, I don't think there's anything wrong with being overly prepared. If you have the time to

[00:29:16] allocate, if you don't, then mileage may vary. Uh, I think that's good. I've heard of other

[00:29:22] organizations just sharing their GRC access. Um, we didn't do that, but how do you see that going?

[00:29:32] It could go a handful of different ways. Um, I think it's certainly a viable approach if it lets me see,

[00:29:38] you know, if I was assessing to see what the client has, how they do it, what evidence they may have,

[00:29:44] and if that can provide the fidelity of data that I would need to assess. Awesome. I'm not going to

[00:29:48] complain if it doesn't. Right. Show me the money. Well, the, uh, the problem that I've seen with GRC

[00:29:55] tools, some of them, I haven't looked at all that exist out there is that when you give someone like

[00:30:00] an auditor access and it shows all the revision history of the documents, if it shows all of this

[00:30:05] information and the auditor being a human person may start to be a little more curious, even though

[00:30:12] they're not supposed to technically do that. They're supposed to just look at what you have.

[00:30:15] Um, it could be very distracting for them. That's where having a package that you've curated that

[00:30:21] you're, you feel confident with a story you're telling is really important. I think if you're going

[00:30:25] to give GRC access, you have to be very careful that you're able to maintain that story. You don't

[00:30:31] want to just give them access to this massive environment and trust that they're going to somehow follow

[00:30:36] the path that you're talking them through. Um, especially when you have the phase one to phase two,

[00:30:41] right, uh, phase one, they're wanting to get access and look at the information and then they're going

[00:30:45] to look at it before they start their phase two, which the phase two is the actual real met, not

[00:30:49] met piece for those that are, may not be aware of that. Um, and so they have that time between phase

[00:30:55] one and phase two to examine that evidence. And if you just gave them access to everything, who knows

[00:30:59] where they're going to start rummaging through. Yeah. So I think that's a concern. You have to be really

[00:31:03] careful about that when you're, when you're doing your, um, uh, audits, you have to, sorry, um, you have to be

[00:31:11] really careful about that, uh, in those situations. Is there any other types of processes you feel that we

[00:31:17] haven't covered that's kind of leading up to the assessment yet? I mean, we're talking about closing out

[00:31:22] POA&Ms, any types of open CRs or tickets, you're validating our maintenance process. Yeah. All of those things. Is there

[00:31:29] anything else that you think we might be missing? Just re-reviewing our updated documents in the

[00:31:32] context of the controls. We've done so much. Um, and I don't know how much of it we've really talked

[00:31:38] about before, but, um, you know, when we say preparing to be able to support a client with this,

[00:31:46] what we mean by that is if a client comes to us and says, I just got told I need to do CMMC and I

[00:31:52] don't know what that means or what I need to do. I've got some computers, I've got some emails.

[00:31:57] Can you help me? Yeah, we can. I feel confidently saying that. Right. Because we've not only had our

[00:32:03] posture to, you know, and handled our posture on stuff to be able to be that level two certified

[00:32:07] MSP to help them, but also to go, you need a policy. We got you. We got a policy for you.

[00:32:13] Right. You need procedures. We've got them for you too. You want to bring them to consultant to help out?

[00:32:18] We've got that. But thinking sort of in a way that makes sense and building out that as basically

[00:32:23] templatizing that practice aligned with how we do stuff to take that to that next step so that when

[00:32:28] clients come on board with us, we know what their story looks like before they know what their story

[00:32:32] looks like. Yeah. Well, I mean, there's plenty of times where we've had clients come to us that had

[00:32:37] nothing and they're like, we need you to build something from scratch and we don't even have

[00:32:41] a single policy. We just know that we have this, which is scary because a lot of those clients have

[00:32:46] already been doing DFARS requirements. They've already attested the fact that they've already,

[00:32:53] yeah, they've been self-attesting their perfect 110 for the last four years. And you're like,

[00:32:58] okay, well, we're just going to move past that and go on towards getting this done for you and

[00:33:02] accomplishing what you're doing. It's nice that we have that ability. And Kaleigh and I have done some

[00:33:07] previous podcasts, where in one that is going to be coming out, that at the time of this recording has yet to

[00:33:12] be released, we talk about it in two mountains. We say the first mountain is us, us as an organization

[00:33:19] getting level two ourselves and building that mountain with the purpose of being inherited as

[00:33:28] best it can be from the second mountain, which is the client's journey, helping them building an

[00:33:32] environment and a system that can help clients and doing it in a way that can scale. Because it doesn't

[00:33:38] it doesn't do anybody any good as an MSP. If we're level two and yay, we got our certification,

[00:33:44] but we can't successfully get our clients over the end zone or into the end zone, over the goal line

[00:33:51] to be able to score. And we can't do it in a consistent regular fashion. And that's why we spent

[00:33:56] so much time building out that system that not only ties to us, but helps them pass. You want to make

[00:34:04] sure that you talk to organizations first to understand how you operate before you introduce

[00:34:11] yourself to a C3PAO is one of the best words of wisdom I would give because you might talk with

[00:34:16] a C3PAO organization and have never talked to them before. And you have no idea how they're going to

[00:34:22] have a general read of how you operate as an organization. And having someone that has already

[00:34:26] gone through audits with those companies and they understand your business could really help improve

[00:34:31] your possibility of successfully passing because maybe that C3PAO understands software development

[00:34:36] and that's what you do. And they could be a good fit for you, but maybe this other organization,

[00:34:40] C3PAO doesn't, and you decide to go with them. It could be a real train wreck.

[00:34:46] Picking the right C3PAO is a very, very big deal. Yeah. We specifically asked our C3PAO what they

[00:34:51] understood about how MSPs and how MSPs operate. When we go to help our clients through their journeys,

[00:34:56] one of the questions that we will, I would say, strongly advise our clients to ask,

[00:34:59] are you familiar with managed service providers and how they support client environments?

[00:35:04] Right. Right.

[00:35:04] Yeah. We want to, we want a C3PAO for a client that understands what we do and how we do it.

[00:35:09] So when we say this is what we do and how we do it, they're not like, huh?

[00:35:14] Yeah. Right. That's not the time you want to start thinking about that.

[00:35:17] Right. Well, Adam, thank you so much for joining us today. And for those of you who are tuning in,

[00:35:24] I'm not sure when this is going to get released as far as in relationship to when our audit will be

[00:35:28] done. So wish us luck as we go into January for our assessment, you know, fingers crossed there,

[00:35:33] knock on wood. You know, we're looking for a perfect 110 to kind of really kick the year off. I mean,

[00:35:37] what a way to start the year. You'll figure out how well it goes when we pop on a podcast. If it goes,

[00:35:43] if it goes poorly, this will be a lot grayer, you know, after that. I'm not cosplaying Santa Claus

[00:35:48] that time. Well, I'm, I'm, I know I'm already losing some sleep over it just because we're,

[00:35:53] we take this very, very serious. You know, this is sacrosanct to us, like, you know, being ready,

[00:35:59] being ready to support our clients. We take the responsibility of being in a position to give our

[00:36:05] clients the best advantage for them. It's a huge deal. And we want to get ready so that we can help

[00:36:11] properly support our clients. And then also be an advocate for how this works. Try to be as transparent,

[00:36:17] to share news to others, kind of our journey. Obviously our journey isn't the journey for everyone.

[00:36:22] Right. But you know, if you know about how we're doing stuff, it could help in a relative term to

[00:36:27] you and your journey, because you might see how that might affect you from the perspective you're

[00:36:32] coming from. And so just, that's one of the things I liked about the ecosystem. There's so

[00:36:36] many people in it that have been very helpful in our journey and being transparent. And we just want

[00:36:40] to be honorable to that and be equally as transparent. So we will keep everybody posted on our progress

[00:36:46] and what's going on. And I thank you for Adam, for us tuning us in. It's pretty cool that you're here,

[00:36:52] in Jacksonville today. Yeah. And we have a Christmas party at the next, what tomorrow.

[00:36:58] And so that's part of the reason why Adam joined us today is for him to be here for our party. And we

[00:37:03] always try to get together once a year just to kind of celebrate and just. And coming from Ohio,

[00:37:09] it is like 20 degrees and snowing up there. And Bob, you mentioned that it's cold right now in

[00:37:13] Jacksonville. A balmy 61. Yeah, real, real frigid weather out there. So with that, I think we're

[00:37:20] set to go outside and just, you know, enjoy some nice Florida weather. Well, thank you all so much

[00:37:25] for tuning in. And as always, keep on climbing. See ya. Make sure to follow us on LinkedIn and YouTube

[00:37:32] to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen

[00:37:38] out for the next one. But until then, keep on climbing.

[00:37:41] Bye.