Is MSP a Four-Letter Word with CMMC?
Climbing Mount CMMC, March 07, 2024
16
00:39:19, 27.04 MB



Bobby and Adam discuss what CMMC means for the average MSP. Every MSP's journey reaches a point where it has to decide either to take on the CMMC mountain or to go the other way. They discuss where their company, Axiom, is in its CMMC journey and where they want to be next year. They also discuss the pros and cons of taking on the climb.

References: The Fascinating History of CMMC (2010 - 2020) as Told by Jacob Horne (youtube.com)

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back, climbers. I'm your co-host Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. In today's episode Bobby and Adam are tackling the question: is MSP a four-letter word when it comes to CMMC? We're so excited for you guys to join us in

[00:00:21] today's episode, and we hope that you enjoy. Our focus for us at Axiom is we're hoping to be Level 2 ready by first quarter of next year and then be ready to be assessed. We're anticipating the

[00:00:36] actual assessment to be available to be done by organizations in early 2025. So what's that gap? Why are we getting ready so early? Well, we want to be ready first so we can help our clients.

[00:00:47] So as our clients are going to be going down that road, that progress, we're going to need to be on that hill first. We're going to need to have the flag so that we can help

[00:00:55] them up and be their Sherpa, versus us just kind of discovering it together at the same time. And we look at the SMB space too. There's a lot of businesses in the defense industrial

[00:01:04] base that are going through this process as well that don't necessarily know that they have those CMMC requirements, and those SMBs look to MSPs. That's a lot of letters said in rapid

[00:01:13] succession like that, but at the end of the day they need the help. MSPs need to be able to provide that help and provide the right kind of help, so it's kind of another

[00:01:21] reason why we're doing what we're doing. So with that, let's get into history, Adam. So for me, you know, this is an area where we want to try to be as concise as possible because

[00:01:31] I do have a link in this with Jacob Horne, who does a great job. It's about an hour and ten minute video that Jacob did. He goes through in great detail the history of

[00:01:42] CMMC, so that's already well covered. Yeah, let's say if you're like Bobby and I and you find that kind of stuff fascinating, it's great. If that is not your language, it's the

[00:01:49] best sleep aid you'll ever find. That being said, loved it, but we want to save a little bit of time for sure, so I'm going to kind of just get right to the point here. But the big thing that we want

[00:01:58] to get out of this is the Department of Defense got very frustrated, especially in 2016, that organizations weren't, first off, having a good beacon to follow when it came to protecting CUI. That stands for controlled unclassified information. And so they wanted to provide

[00:02:17] organizations a standard, a way, a guideline for them to protect that data, and so in 2016 they released the DFARS 252.204-7012. Basically a DFARS is the government's way of putting a whole bunch of legal things on their kind of website document, and then when they write

[00:02:39] contracts they weaponize those requirements so that organizations that are going to be taking those contracts on have to follow it. They have to do what's in that contract, and in that DFARS requirement is where you start to hear the mention of 800-171

[00:02:55] and 171A that organizations are going to have to start following. So at that point the Department of Defense kind of gave each other high fives and they're like, hey look, we've got this thing crushed, everything's done, organizations now have it in their contracts that say they need

[00:03:08] to follow these processes to protect CUI, everything's great. Well, that's not the case. Nobody did it, and they said they did it. Right, yeah, they were

[00:03:19] signing on the dotted lines but they weren't doing it, so the DoD said, fine, we're going to take our toys and leave. And so in 2020 they released a new DFARS ruling where they weaponized the

[00:03:28] fact that CMMC is coming. That's when you start hearing the CMMC conversations start to happen, that's when you start seeing the DoD say, basically, we'll see you in a few years once we have that

[00:03:38] requirement completed, which at the time of this recording has yet to come out. So the actual official ruling about how CMMC is going to be happening, in the DFARS, should be coming

[00:03:50] out any day now, possibly. But yeah, we're recording mid-December 2023 right now. For all we know, by the time this is posted the ruling will be out, and we'll be doing another podcast for that

[00:04:02] for sure. Or given the pace of the DoD stuff, this could be coming out and we're still waiting. Yeah, yeah, yeah. But I think we're going to get a gift for Christmas, we'll see, fingers crossed.

[00:04:12] Yeah, fingers crossed. But so what the Department of Defense did then at that point is they put everybody on notice that CMMC is coming and that organizations need to submit what's called an SPRS score, in other words their evaluation of how they're being compliant with 800-171

[00:04:28] and 171A. So that is 110 requirements and 320 assessment objectives. It's a lot, it's a lot to do, a lot to require. So that's where we're at, so that's the history, that's kind of where we've

[00:04:39] gotten to this point. So let's talk more about, next, what an audit looks like, where audits are sort of happening, how the ecosystem goes. But before we jump into that,

[00:04:54] can you actually go into 800-171A and how that's sort of being poured into those assessments and how they're kind of going through that? Yeah, and I like to put a little

[00:05:05] bit of context to this too. So as Bobby was already mentioning, one of the big reasons for why CMMC is a thing is all these SMBs and organizations said, yeah, I've done all the 800-171 requirements,

[00:05:15] I've got a perfect SPRS score, which is kind of the supplier risk score and whatnot. Everything's great and peachy and we did our job. Well, incidents kept happening, leaks still

[00:05:24] happened. The government looked at that and said, hold on, you didn't actually do what you just told us you did. So one of the big pieces with CMMC is that third-party assessment, that audit process

[00:05:32] where someone else has to come in, look over your homework, and say you understood the assignment, or what were you thinking. That's kind of where that all boils into. So

[00:05:42] looking at CMMC, you've got all the requirements, and CMMC's based off of the NIST 800-171, right, which NIST is not the Department of Defense. Those are two different organizations, right, and

[00:05:51] if you go back into the video we talked about with Jacob Horne, it really gets through that timeline. Again, love that video. Compliance nerds is probably one of my favorite things out there. If you're not, then

[00:05:59] well done, yeah, well done. But so NIST came out with the one, once words and letters and numbers were already deep into the acronym, so this is fun. But basically 800-171 is all about protecting confidentiality of controlled unclassified info. Now they'll mention statements

[00:06:15] like protect the confidentiality of data at rest, you know, encrypt data at rest, but what does that actually mean? So that's where, for assessors and people that have to figure out what's in place and how it's in place, that's where we get our assessment guide, which is

[00:06:27] backed up with NIST 800-171A, right. Love to remember that easy 800-171A as an assessor. There we go. So now the Department of Defense said to themselves, look, we don't want to stand up another IRS. We don't want to build this huge organization that's going to start doing these

[00:06:43] assessments. They didn't want to do that, and I think that's a pretty good call, I agree with that. Now they do have an arm called DIBCAC that does do assessments, but they didn't

[00:06:53] want to blow that organization up into a much larger entity to do all these required assessments. So what did they do? They spun up what's called the Cyber AB. It's a non-profit organization,

[00:07:04] and they are in charge of finding for-profit private organizations that come to them and say, okay, we feel like we're ready to do assessments, we have certified people on

[00:07:15] staff that are prepared to do assessments, that have experience in the DoD. And then they go through the DIBCAC assessment. Those organizations get assessed, and then

[00:07:26] what ends up happening is, once they get approved, they go on the Cyber AB marketplace, kind of almost like the FedRAMP marketplace, and now they are available to provide assessments

[00:07:37] once the starter pistol, the rulings, come out and the Department of Defense says it's a go, you can start doing assessments, which we're thinking is going to be possibly early 2025.

[00:07:46] So that's where the Cyber AB comes in, and those organizations are called C3PAOs. Not C-3PO, yeah. Hard, you know, we're still following protocols here, but not in the same way,

[00:07:58] and then one's a robot and the other's an assessment organization. And that's not the first time you've heard that joke, I'm sure. And the assessor organization is much less witty and sarcastic. Yeah, of course. But the C3PAOs, basically their focus is to provide

[00:08:12] that assessment. So an organization that wants to get certified, which MSPs are going to have to be certified if they're providing support for organizations that are going to be Level 2

[00:08:22] as well. So if you have a client that's going to be Level 2 certified for CMMC, you as an MSP are going to have to be Level 2 certified as well. That is our belief, that's how it's going

[00:08:31] to go as the ruling is going to drop. Some leaked documents showed that that was going to be the case, but everybody is in the assumption that's going to be. So it's not a hundred percent fact that

[00:08:42] that's the case. And to kind of focus on that too, I know there were the leaked documents we're kind of looking in on, but there was some language in the documents that we already

[00:08:50] have that suggested that very strongly. Yeah. You know, it was still that big, well, what's it going to be one way or another, because MSPs, to be clear, the terminology they use

[00:08:59] is, you know, cloud service providers, right, and it's that big distinction of is an MSP technically being classified as a cloud service provider or not. And the leak kind of helped clarify that a

[00:09:09] little bit more, but again, it's a leak, we can't really put our weight behind it right now. But they put the writing on the wall. I'd be nine out of ten, nine point five,

[00:09:18] nine point eight out of ten that they're going to require that, and it makes sense. Yeah, if we're providing support to an organization that's Level 2, it makes sense that we're

[00:09:26] going to have to be Level 2 ourselves, because if you take CMMC and you kind of allocate the responsibility into two columns, our MSP responsibility and the company that is going to be assessed, you know, the manufacturing company, whoever that client is, roughly 60% of those requirements

[00:09:44] either partially fall on our shoulders or fully fall on our shoulders. So if so much of the requirement for CMMC falls on the MSP, if they're stepping in helping that client,

[00:09:55] it makes sense they're going to require us to be Level 2 as well. Yeah, yeah, and the clarification that's on the way is going to be super beneficial because, as we look at MSPs and what's currently

[00:10:03] out there, it's easy for us to go, we're not a CSP, we don't fit into this category. So the DoD and the C3PAOs out there, without clarifying this, run the risk of just getting

[00:10:13] into constant back and forth and arguments with MSPs trying to justify, are we a CSP, are we not, are we in scope, are we out of scope. Let's just cut to the chase here, just get right into

[00:10:21] it and say, yep, if you're an MSP you are going to have to meet these requirements, because of just what Bobby just mentioned here. Yeah. So another thing to take into account for that is there's

[00:10:30] three levels of CMMC. There's Level 1, right. Level 1 is if you don't have CUI, you have what's called FCI, which is... FCI is CUI, or actually no, so FCI is kind of like cars, right, and CUI is a

[00:10:53] subset of FCI. It's a more stringent version of it. So it's kind of like, you know, the larger and then coming down to the smaller. So that's why under Level 2 is where, if you have CUI, you're

[00:11:03] going to be assessed, but if you have general FCI information, then you can self-attest for that. But just because you can self-assess and say I'm doing all this, you still have to do it.

[00:11:15] Yeah, you still have to comply just like everybody else is doing in Level 2. You're just saying, pinkie swear, I'm doing that. So that's the difference between one and two. Level 3 is still

[00:11:25] being developed right now. That's based on 800-172 and 172A, but is still being revised by NIST and some other things that are happening, and so all that hasn't quite been defined yet.

[00:11:39] So let's talk about, you know, before you start as an MSP, what are some things you need to think about? We've talked about this before in previous podcasts about that kind of, you know,

[00:11:49] marriage counseling for CMMC. I think you did a good job of explaining, I'll let you talk about that one. But before you start, what are some things that you need

[00:11:59] to think about, that you probably shouldn't be doing? That's one of those things that we've talked about. Can you kind of go into that a little bit more? Yeah, so we think through

[00:12:08] CMMC and what that entails. That's a lot of stuff, and it's not just technical processes, technical procedures. CMMC, and any compliance framework for that matter, will impact the entire organization, right. So we think about that as an MSP. We've got our client base out there,

[00:12:22] and we've got, you know, Kathy's Air Force Widgets Company. She is making widgets for the Air Force and they're the greatest things since sliced bread. She may be one of 20, 30, 40, 50 clients, and now when we start looking at the responsibilities and requirements for CMMC,

[00:12:39] that's going to impact how we do business, how we operate, and that can be a huge change depending on the MSP and what's already in place. And is that something that all MSPs want to go

[00:12:48] for? Yeah, no is a perfectly acceptable answer, but if no is your answer, don't do business with Kathy's Air Force Widget Shop, because you're going to run afoul of those requirements and

[00:12:56] you don't want to find that out as you're going through this counseling journey from an MSP, you know, from some CMMC experts. So let's say that you bring in a company and they're going to do

[00:13:06] consulting for CMMC, and you're the MSP and I'm the organization that needs to get Level 2. Well, based on what we know, we're both going to have to get Level

[00:13:14] 2, right. So if I'm the organization, you know, the Kathy's Elf Force Widget, whatever, what was that, yeah, whatever. Let's say that's me and you're the MSP. When that company comes in to

[00:13:26] help us, we're both going to be assuming we're going to have to get Level 2 at that point, right. And if you only have one out of 50 clients that do this work, that's kind of a tough sell, right, I mean,

[00:13:35] and you may realize as you start to go through it, halfway through this counseling session, you know, six months into it, you're like, the amount of changes I'm going to have to do, I don't want

[00:13:43] to do that, and then you leave. And the same thing could be for me as the manufacturing company. I might start to go through this and go, you know what, I didn't realize this is what it's like, I don't want to

[00:13:52] do that. And now you're kind of screwed because you didn't finish how you were trying to do it, and then you might go, well, do I want to do this? So really, before you kind of step in and try to

[00:14:01] do that counseling session, which is a lot of what MSPs try to do, what you need to do is just have a heart-to-heart with yourself and with your client and decide on whether or not you

[00:14:10] really want to be all in or all out, because it's really difficult for you to walk together shoulder to shoulder with the client through that journey. You really need to be on the mountain,

[00:14:20] have gotten, you know, the t-shirt, put the flag on the hill, and you help them up. Yeah, because you don't want to inhibit, especially using the marriage counseling thing. So you're working over at,

[00:14:30] you know, company ABC. You're going through the CMMC process as a subcontractor of a prime, you're making nuts and bolts. I'm over here at the MSP side of stuff, and we've got a third-party person

[00:14:40] in the background here. They're coming in and they're saying, let's look at those incident response practices. You're going, from the business side of stuff, saying my MSP does that right now. I'm over

[00:14:50] here at the MSP side of stuff and I'm working through that, trying to get through it, but you know, MSP life is crazy, it's hectic. Maybe one of my largest clients had a full-scale

[00:14:58] disaster, maybe, you know, all kinds of stuff can happen. And the assessor, and in this case our marriage counselor here, is going through that process and going, well, the MSP is not holding

[00:15:09] their weight right now, they're kind of dragging behind, they're taking too long and stuff, and now the optics of that look bad. Yeah, because at the end of the day the client is spending tons and tons of

[00:15:18] money on this, the MSP is spending tons of money on it, but the client's over there going, why am I trusting you to do this? I'm all in, I'm spending thousands of dollars on it, and you're off, you're busy

[00:15:29] dealing with someone that's not my business. Why am I paying you that? Yeah, it looks contentious, very contentious. And, you know, as an MSP, right, we're just going to pretend you're the MSP

[00:15:39] and I'm the client still. There are tools that, as you're going through that counseling session, you're going to realize you're going to have to change, right, and you're like, well, I don't

[00:15:46] know if I want to change that for just that one client. Do I want to make my people learn another tool that's going to be compliant for CMMC? And maybe, you know, SIEM solutions, or "seem," however

[00:15:56] you want to say that, is a perfect example. That data is considered to be protected, and it has to be stored either in a FedRAMP equivalent or FedRAMP Moderate environment, or a Level 2 equivalent

[00:16:07] location. So if you've got a location that has already been assessed and that environment is safe, that would be a potential place to store it. Those are all things you need to take into

[00:16:18] consideration. But when you start also thinking about the time frame of how long it's going to take for this assessment to happen, sometimes people don't realize when they start to get

[00:16:25] into it that it's going to take so long. Eight months to a year and a half, sometimes two years. We've been going at this for two years now and we're almost there, but a big part of it is

[00:16:35] just making some wrong turns and not making the right choices as we're going forward, and it's proven to be a lot harder than we thought. And, you know, as we went through that and

[00:16:46] started learning those lessons, that's part of why we're doing this podcast. This is the reason why we're doing this. We want to help other people not have to go through

[00:16:53] those same challenges that we went through. And I think the cost, right, yeah. What are some challenges that you see businesses, cost-wise, are going to run into? The immediate one, that's

[00:17:05] ignoring any of the tools out there, because don't get me wrong, the tools, there's lots of great ones out there, it's not always the tools that can get you there, but the good tools that you need for

[00:17:12] this stuff, they're not cheap to begin with, right. GCC licensing is expensive, GovCloud provisioning in AWS is expensive, your SIEM, vuln scans, all the other ones, they're expensive. But also you've got to put the right people in place on this one. You can't just

[00:17:26] grab the intern off the street, you know, fresh out of the cybersecurity program, and say make me compliant. This language is complex, it's not the easiest to decipher, much less business operations, security operations and MSP operations. People power is going to be expensive, and the

[00:17:43] amount of change that's going to hit your business is quite significant, for the OSC, that's the organization seeking certification, and the MSP. They also are going to have to go through major changes and tool changes and other types of things,

[00:17:58] and those are all really difficult. But what you start to realize as you're going through this is cost is just part of that equation that you're going to have to deal with. It's

[00:18:10] the knowledge about how to apply that. That's also a cost. You've got to acquire that knowledge either by bringing in a consultant or working with someone, and that isn't cheap as well, to be able

[00:18:21] to help you understand what you need to know to put this thing together. And to be quite honest, there aren't many people out there that understand how to do that for MSPs. There are more out there

[00:18:32] that know how to do it for just organizations that want to get Level 2, because a lot of organizations have already been working in that space, dealing with

[00:18:41] compliance, because again, in 2016, 800-171 was really being assigned because of that DFARS. So a lot of organizations have done it, but not a lot of MSPs. So one of the things with MSPs in the 2016

[00:18:53] requirement that we really have to think about too: at that time, this 2016 requirement to assess, to submit the SPRS score, was still largely that self-assessment model, and MSPs looking over that model, we'd look at 171 but not realize that 171A exists, or not realize that things like the

[00:19:09] NFO controls are out there, or some of the other requirements. For people listening, if you want to know more, we've done other podcasts about that where we dive much deeper in. But the thing is,

[00:19:18] because it was a self-assessment and we weren't reading the requirements in full, we didn't know what we were doing, we were making mistakes. We would look at something and say, yeah, we encrypt our data at rest, but we forgot about that FIPS requirement, right, which is part of

[00:19:30] the assessment objective. Or we've implemented, we have incident response, but we never wrote it down anywhere, right. You know, incident response is to call up Johnny on the beach

[00:19:37] and he'll dive in and save the world. But those are things that you really have to take into consideration. What we have in this slide is really very clear, that

[00:19:51] you know, 800-171 with CMMC, when the ruling comes out, we're fairly confident it's going to require MSPs to be Level 2 certified. So as an MSP, if you're not really aware of that, you know,

[00:20:03] perhaps you were going to live out on a rock and you're unaware, but know that that is how it's probably going to go. So you need to be having a conversation with all of your clients and find

[00:20:12] out, hey, do you do work in the Department of Defense or take subcontracts from other organizations that do? Do you have a DFARS requirement that is going to require you to be Level 2 certified

[00:20:24] or Level 1? Because maybe you're not having to get assessed, but you could still be audited by DIBCAC because you're doing that self-attestation piece, the self-attestation that you have met Level 1 requirements, which means you still have to hit 171 and 171A. Yeah, so those are

[00:20:41] really big deals. And a great example on the why on that too. So MSPs, we provide plenty of good services for our clients. We already talked about the overlap there. So thinking

[00:20:49] through this process, you've just hired a new employee. Great example: hi, I'm an employee, I was hired recently. So I'm now, you know, brought on board and I'm now going to have to support those

[00:21:02] environments that have the CUI in it. How do you know that I'm not some weird convicted felon somewhere for selling secrets to the Russians? You're not, are you? I hope not.

[00:21:14] So you've got to go through those appropriate personnel screening procedures and authorize me and make sure that I'm authorized to touch this data. Another great example, which, we did

[00:21:21] background check you, by the way, we did. But a great example of that is if that data happened to be sensitive to US secrets and was under ITAR restrictions, were being export controlled,

[00:21:31] if I wasn't a US citizen and I was in the US as a foreign national, you know, it'd still be great to work together, but I couldn't see that data, I couldn't touch

[00:21:38] that data, I couldn't support that environment. So that's where you can start to see that overlap and why MSPs have to fall into this, especially when you look out on

[00:21:46] the MSP communities and, you know, we're in a race to cut costs, we're feeling the financial burden as any other industry, and we're feeling the skills gap as any other industry. And you see things out there in the community saying, has anyone used outsourced

[00:21:57] services that outsource tech support to the Philippines or India or wherever? And it's like, you can make that decision as a business for an MSP, but if those individuals have access to CUI environments, we've got a problem here. Right, right. Those are tough

[00:22:11] things in your organization. You really have to think about some things that you really should be doing. One of the first things, we'll go quickly because

[00:22:19] we're running low on time here, is you want to have a good system security plan. If you're not sure what a system security plan is and you're trying to go for CMMC, you're in trouble. So you

[00:22:28] really need to start diving into getting a better understanding of knowledge. But a system security plan at a high level is really just a story. It's a document that your auditor is going

[00:22:38] to be looking for. It's the first thing they want to see. It's that storybook, it's kind of the abridged version of your story of how you're doing your compliance and your

[00:22:46] approach to cmmc assessment they're going to look at that and they're going to see how it connects to everything else all your policies and all your procedures so it is really the heart and soul

[00:22:54] of your security posture they want to see that so before you're tackling that you really should understand that you should probably have one already in existence with how you operate your system so then you can start evolving that into something else yeah and keep in mind the

[00:23:08] the nist uh ssp template has options for you to say that it's not implemented yet it's planned to be implemented so you can still go through and use that to start the assessment process

[00:23:17] and say to yourself but you couldn't go through assessment if you don't have an ssp correct yeah yeah just to be clear yeah every resource i've ever seen anywhere ever

[00:23:25] basically when you get to the option of ssp and you say no it basically goes no game over um you're out of lives uh you've died um you know go pass go but do not collect 100 you know 200

[00:23:35] dollars so something that's passionate to you is risk assessment can you talk a little bit about how important that is for organizations yeah so inherently all businesses will face risk at all times it can be coming from inside the house with insider threats externally from you know

[00:23:47] competition uh the risks of non-compliance risk of threat actors foreign domestic blah blah blah there are risks everywhere there's there's a risk that when i stand up off this chair right now i will fall over and crack my skull the likelihood of that is very low but it's

[00:24:01] important for msp's and our client base to go through these risk assessments to understand when we do stuff where vulnerabilities may come into play right and what are we going to

[00:24:10] do about them in some instances it may be a simple matter of dealing with this issue is going to be far too cost prohibitive for us to take action on it we're willing to accept this low level risk

[00:24:20] and and with msp's we're targeted right they're coming threat actors are coming after us and they're coming after our tools uh perfect example of that is what happened with kaseya you know those that tool was specifically targeted okay so part of that risk assessment process is to

[00:24:35] look at the tools and you have to do it at least once a year and through any changes you want to assess those as well that's part of the cmc process but let's be honest msp's haven't been doing a

[00:24:45] very good job of doing that internally and for those organizations that do go for cmc they're going to be forced to do that and i think that's a good thing um you know it's been very

[00:24:54] helpful for us looking at that uh learning how to provide risk assessments for itself it has made us so much better of a company yeah and to be clear on that how msp's handle risk assessments

[00:25:03] i've legitimately seen msp's their risk assessment process is to call it the vendor hey uh mr vender um i'm doing a risk assessment do you treat security very well you do cool we're good we're done we've done our risk assessment very yeah it's very very

[00:25:16] tertiary and if that's the case i mean if that's your risk assessment process yikes um and if that's the case i've got a you know a bridge to sell you in new york i'd also

[00:25:24] like to announce that i'm not the new queen of england and uh if that's if we're taking that word then you know have some fun so quickly going through the rest of the things we have on here

[00:25:31] Change control. That's really important inside your organization; that should be part of your culture before you even start trying to tackle CMMC. If you don't have it, it's going to be very

[00:25:40] difficult for you to really push into the CMMC space, because if you're trying to learn how to do change control and you've never done it, at the same time you're trying to, you know,

[00:25:49] dial in your processes and policies, it's going to be very, very difficult. So get used to a change control process. Make sure you review your tools; that's part of the risk piece, making sure that

[00:25:58] your tools don't compromise your journey, and if you realize that they are, how are you going to address that? You need to understand that before you start, because you have to have a design that

[00:26:08] you're shooting for in order for you to have a chance of success. And the last piece is ticket templates. If your organization does not have a good process of templates in your tickets... and

[00:26:17] the reason why this is important is when your client sends you a request, you have to be able to follow the process that they're expecting you to follow, and a big way to do that is ticket

[00:26:28] templates. So when you have your ticket template that says, "Hey, I'm onboarding a new employee, here's the 20 things that I'm going to do," and I'm checking them off in the ticket, that becomes my

[00:26:36] evidence of what I'm trying to do. Yeah, because at the end of the day, we as MSPs... coming from my background in help desk and everything, we deal with a lot of end users and a lot of clients.

[00:26:44] If you ask me what the difference is between company ABC and company XYZ from the MSPs I've dealt with over the years, I can't say that everyone can remember all those specific nuances. But if it's a ticket template, the engineer doesn't have to be a master of understanding

[00:26:58] everything related to that client. They don't have to look it up, they don't think that I look at updates in the template. Yep, it's right there, following it, and they go through, and that provides

[00:27:05] a lot of consistency and, more importantly, evidence. Yep, it provides evidence. So the next thing that we want to talk about is, you know, if you're going for it, where should

[00:27:15] you start? And I think the first thing is just trying to get knowledge, understanding it. We have some suggestions up here. Amira has a great template; we highly suggest her. Brian Hubbard is,

[00:27:25] he's done, I think at this point, maybe five joint assessments with DIBCAC and has a wealth of knowledge. He has a community he's starting; highly suggest you talk with him. Sum IT Up with Jacob

[00:27:35] Horne and Jason Sproesser, Park Place and Boardwalk of podcasts, as far as, I mean, it's the best if you want to really get some good information about CMMC. They're really, really

[00:27:46] good. Yeah, I really enjoy this. And then, you know, possibly go for your CCP; try to get, you know, educated. Edwards Performance Solutions has a great training course on that, and I went through that myself,

[00:27:59] and I can't speak enough about them. And then us, you know, follow the podcast. And there's others: Jacob Hill has a great podcast about compliance, others have more on there, and there's

[00:28:11] a growing list of people in the MSP community that are going through this journey. It's still a small, select group, but we're getting more of us, and we're here to share.

[00:28:19] You know, and everyone has their different takes on it, but there's lots of great people out there. We were talking to some, you know, over the last couple days; we were sitting in

[00:28:26] some of those webinars and everything over lunch today. Yeah, and they've got some interesting perspectives to share, and especially given the fluidity of the rulemaking process, you know, we'll see how things ultimately shape up in the end.

[00:28:37] But as we find out more and more, as we're going through them, we're hearing the same items repeated time and time again. Yeah, it's interesting to see the different people kind of reinventing the same wheel; everybody's kind of coming to a lot of the

[00:28:48] same conclusions, as we're all coming at this from different directions, and more organizations are creating podcasts. You're starting to see a lot of the same voices saying kind of, sort of the same things, as you're starting to get, I think, more

[00:29:00] consistency, and that's going to continue, especially once the rule comes out; a lot more of that's going to start happening. Yeah, so many great resources, though, at this point. You know, everyone on this list is fantastic, but if you're looking for others and want

[00:29:11] other thoughts, just go on LinkedIn and search the hashtag CMMC, and you'll start finding, seeing who's interacting. You'll probably start finding the same posts from the same people with the same other people in the comments talking about it. And

[00:29:22] yeah, the, how was it, the "cooie of excellence," the Discord channel, it's Alex. Also a really good one. Yeah, you can get an invite from some people, and I'd be happy to share an invite to that channel as well. That Discord is really,

[00:29:36] really great. So many just amazing people that know a lot more about CMMC than we do, and that Discord is made up of many organizations that are MSPs, so it's a very

[00:29:47] large one, so that's a great one to follow as well. So, kind of really drilling down on, you know, "MSP is a four-letter word": why does this presentation have that title?

[00:30:00] And a lot of that has to deal with the fact that MSPs were so used to just buying tools and doing types of things like that. We can provide services for a lot of different

[00:30:10] clients in a lot of different industries, and a lot of MSPs have kind of come to the conclusion that CMMC is going to be that way. That would be an incorrect conclusion. It's not; it's going to be completely different than anything you've ever done. You have to either

[00:30:22] go all in or you have to figure out how you're going to back out, because you can't ride two horses with one butt. You know, you're either on this one, which is "I'm all in," or you are

[00:30:33] riding off into the sunset, out. Yeah, it's not quite the game we played with HIPAA back in the day, right? No, definitely not. Yeah, so you've got to really make that choice, and I think that's

[00:30:42] going to create... and there's a lot of vendors that are also trying to sell MSPs, to kind of help double down that belief so they can kind of cash in as well. And what's going to end up

[00:30:52] happening is MSPs are helping people in ignorance, and both of you are, you know, kind of going through this blind process, and when they start to approach the C3PAO to get assessed,

[00:31:01] they're going to find out you're not ready, and all the money they've spent... that client's not going to be happy, and there's going to be a lot of fallout from that. And the other piece that you're

[00:31:09] going to see is that a lot of these assessors, right, are coming from FedRAMP and other things, enterprise, about that. Yeah, MSPs as a whole, when it comes to the space where

[00:31:22] we're the redheaded stepchild that no one wants to think about, and the people that are in this are used to working with big, big departments, big government, millions-of-dollars budgets. Yeah, when

[00:31:31] we look at tools, you know, the cost of GCC licensing, for example, and you mention that to, you know, Lockheed Martin, they're going to look at you and go, "Why are we talking about this? This is

[00:31:40] a rounding error on our monthly financial statement. Get out of here, you're wasting my time," right? Where you take the same number down to, you know, Kathy's Naval Widget Factory and Emporium, or whatever we were talking about earlier, and you drop the same amount, and she's going,

[00:31:52] you know, you think you just stole her puppy, right? We've got to factor that in, and I think it's well into the next point on here too: if we get it wrong, we are the scapegoat.

[00:32:06] We're the ones that have to deal with it, and MSPs as a whole, we've not had the best reputation when it comes to dealing with security and compliance, because of the challenges that come

[00:32:15] with the MSP space, the complexities around it. We don't, as an industry, we don't need another thing the industry as a whole looks at and says, "Yeah, there's another thing the MSP screwed up again."

[00:32:24] And those assessors that are coming from FedRAMP audits, coming from much larger audits, they don't really understand the SMB space. They're seeing those headlines, they're hearing those things about MSPs. They're going to come in with some assumptions, and then as they start doing

[00:32:36] assessments, if a lot of MSPs are still in the space with ignorance, people are going to start failing, and it's going to start creating more and more of this stigma about us in the

[00:32:46] industry, and it's going to be bad for everybody. And so we just kind of want to make this session to kind of, like, help everybody wake up to this reality and start understanding, you know,

[00:32:55] like, have a discussion with your clients, find out if you're going to be susceptible to that, find out if you want to participate. If you're curious about possibly participating,

[00:33:04] let us know; we want to try to help you out. We want to know whether you want to do that. But the last thing that we want to talk about is, you know, why would

[00:33:13] you want to get into this space, right? Why do you want to participate? Why would you want to do that? And I think the first thing is, we're estimating between 25 and 50 in the next few years, or the

[00:33:24] only about that many MSPs are going to be Level 2 certified. Not many. So if you think about the tens and tens of thousands of SMB organizations that participate in the DIB, they're

[00:33:35] going to need MSPs to help them get there, and if you only have between 25 and 50 that can do it, that's a lot of business. Yeah, a lot of business for a few people. For a few people. And

[00:33:45] what you're going to find out is probably the limiting factor isn't going to be how many assessors; the limiting factor isn't going to be how many C3PAOs; the limiting factor is

[00:33:54] probably going to be us. There isn't going to be enough MSPs to support the MSP, the SMB space, to help them get ready for CMMC, and it's going to be a real problem. And so I think

[00:34:05] you're going to start seeing a lot of MSPs start scrambling to try to get there late, because they start seeing that there's such a green field and a need for that, and so many people

[00:34:13] are begging for them to come over, that I think it's just going to be almost a rush, you know, like a Christmas Black Friday rush, to try to provide those services. And so if

[00:34:26] you can start at least now and start getting your organization moved over and get ready... it's a massive commitment, it's very expensive, but when you're there, I think it will be well worth the

[00:34:35] return, plus the multiples for your business. Your business is going to be worth considerably more. I think one of the sessions in rejection con, they were talking about how organizations that are just involved in the financial compliance, most of those organizations are now worth multiples

[00:34:52] just because of how they're involved in them, and this is going to be no different, and probably exponentially larger. So, you know, your organization will be worth more as an MSP, you'll be worth

[00:35:03] more in your multiples, and I think you'll be a safer and stronger organization. So those are the reasons why for us. And actually, I liked a really interesting point that we were talking about last

[00:35:11] night, is it's also, to an extent, job security. Yeah, because CMMC as it sits right now is focused on the defense industrial base in the United States, right? What are our largest industries in the

[00:35:23] US? We've got pharmaceutical, but it's military as well. Yeah, and that military spending comes down to the defense industrial base, these SMBs. The Pentagon is not magically going to close up shop one

[00:35:34] day; if it does, we as a country have also closed up shop. Yeah, so unless something drastic happens and the government decides to completely upend the economy and consolidate nationally, whatever they

[00:35:45] want to do, we're going to have that SMB community. Those SMBs are going to need technology, security and compliance support, and as MSPs, if we're positioned to handle that right now, if it's

[00:35:55] that 50 out there and we're the only 50 to handle the millions of SMBs out there, that's great. We're going to be taking it to the bank, cashing those checks and, you know, giggling in our

[00:36:04] Ferraris on the way home. Well, but another aspect of it too, I think, that's really important is that as an MSP you're going to have a tighter integration with your client, not like anything

[00:36:15] you've ever had before, because you have to be ready to support them and they have to be ready to pass the information. It's not like any normal engagement you've had, so it's

[00:36:25] not transactional at all. Yeah, it is very much almost a marriage between the two of you, and you're continually moving forward. And so when you have that relationship with that client, it's not like

[00:36:35] they can just kind of say, "Well, I think I don't want to do business with you anymore, I'm just going to switch to somebody else." That integration is pretty tight, because that's the only way

[00:36:43] it really can operate. So you have a tremendous more amount of stickiness with your clients when you have those types of engagements with them. So, you know, you have higher multiples,

[00:36:52] you have higher stickiness with your clients, there's going to be a higher rate of return and more value for your business, and it's more of a green field. So those are pretty significant

[00:37:01] reasons why you would want to step into that space. And that's another reason why I wanted to mention that it's not all about, you know, the money or the return; it's something that

[00:37:08] we have a passion about. And last thing but not least, I think the most important is, I think by being involved in this space, you're doing a service for the country. You're helping protect the warfighters by helping protect the industries and organizations, keeping that

[00:37:22] data safe and making our technologies that are so critical safe, because organizations need us to be involved in that space. And so I think it's almost a higher calling. We were talking about that

[00:37:33] earlier, about, you know, some organizations just aren't going to see it, but we felt almost called to be in that space, like we really need to do that, and we just had a passion for it, and that's

[00:37:42] why we got involved. These other things are very important to us, but to be honest with you, that's the most important one for me. Like, I just have such a passion for that industry and

[00:37:51] trying to help out that community, and I know it's going to make me better, and, oh, by the way, these other things are going to come along for the ride, which are two thumbs up for me. It's just a

[00:38:00] win-win, and that's the reason why we got involved in, you know, the ecosystem, for us. Yep. My journey is, like, when I went through that first initial taste of compliance, I said, "This sounds

[00:38:08] great, I like this, this works well with how my brain works," and the weirdness of all that, so yay for me. But at the same time, if it can make some good money that lets me go out and

[00:38:16] have fun experiences, do great things, while also helping those small, medium businesses that directly impact my friends, family, neighbors, why not, right? I guess the perfect combo. Well, I hope you enjoyed this session that we went through. We went a little bit long, and I apologize about that,

[00:38:30] but we had a lot to cover. If you have any questions, please hit us up on LinkedIn, or, you know, DM us directly through LinkedIn, or, you know, message us. And then if you have

[00:38:39] ideas or suggestions you'd like to see us cover in our podcasts in the future, please let us know. We really would like to know that; we're always looking for good topics, because we have a lot of

[00:38:47] passion. We want to be very transparent through the process for us. Until next time, everybody, I'm Bobby, and there's Adam. And keep on climbing, everybody, on Mount CMMC, and see you next time. Make

[00:38:59] sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode, and listen out for the next one, but until then, keep on climbing.