Let's Get Real About Resources (What you need on your CMMC Climb)
Climbing Mount CMMC, October 10, 2024
22
00:44:17, 30.45 MB



Hello Climbers, let's get real about the resources needed on your climb of CMMC. Bobby and Adam discuss the people, tools, and more that it takes to accomplish CMMC Level 2 compliance. They explore the importance of having knowledgeable personnel, the role of Managed Service Providers (MSPs) and consultants, the challenges in finding certified MSPs, and the technology resources required for compliance. The discussion emphasizes the significance of scoping, data flow, and security considerations, as well as the preparation needed for assessments and audits.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.

[00:00:11] Let's get real about resources. Today Bobby and Adam are going to be talking about the resources needed on your CMMC journey.

[00:00:19] They're going to share their experiences as they climb CMMC. So let's get into today's episode.

[00:00:27] Well hello again everybody and thank you for coming back to us as we're going to be talking about resources.

[00:00:32] Okay, and what do we mean by that? What we're talking about is what kind of resources, whether it be people or technology, in order for you to pull off this CMMC journey and get a 110 score and get your level 2 certification.

[00:00:46] So our focus is going to be around those types of things as a company is trying to do that.

[00:00:51] And what I wanted to do is pull in Adam. So Adam thank you so much for joining us today.

[00:00:55] Hello. Glad to be here.

[00:00:56] So you know Adam has been integral in our journey of getting ready for CMMC and I thought who would be better for me to cross talk with and go through some of these resources because he's having to document a lot of that in our SSP process and our matrix and all the other things.

[00:01:11] And so he's got a really great insight that I think will be really valuable for this podcast. So thanks for joining us today buddy.

[00:01:19] Glad to be here. Takes me away from the spreadsheets for a minute.

[00:01:21] I feel your pain brother. All right. So first off let's jump into it with both feet Adam. All right. So when we're talking about resources the first topic that we sort of want to discuss is the people and there's different ways that you can kind of slice this bread.

[00:01:35] But can you kind of maybe open the door for us of what we mean by that?

[00:01:40] Yeah. So CMMC, when we really get into the meat and potatoes of it, is based off 800-171, as I'm sure plenty of people listening have already heard us talk about a thousand times.

[00:01:49] But in that 800 you know under 800-171 there's those 320 assessment objectives that have to be met.

[00:01:55] Those aren't necessarily a you set it up once and get to walk away from it. These all require continuous maintenance and ongoing support.

[00:02:02] So when we look at implementing for an organization, for us, you know, there's someone directly responsible for these practices, these policies, these procedures, and that transcends even downstream to our clients.

[00:02:12] So at the end of the day someone has to be responsible for it.

[00:02:15] Right.

[00:02:15] And they have to own that role.

[00:02:18] Right.

[00:02:19] In all of our policy and procedure documents we have our responsible party who does what and who oversees this task.

[00:02:25] That's not something we can just put a position to and just say oh yeah you know Steve does that that's Steve's job.

[00:02:32] Steve has to understand the responsibility that comes with that because again it's going to be assessed.

[00:02:37] So when I look at like my name on some of these documents is Adam well you're responsible for this.

[00:02:41] I take that super seriously much to the chagrin of some of the co-workers there where I nitpick and needle them on all the you didn't fill out this form properly or this paperwork wasn't done.

[00:02:49] But that's what my job is to do.

[00:02:52] Because if we don't do that, that can jeopardize our compliance posture, and that's, you know, its own challenge to get that person that understands what they're doing, and, you know, knowledge is half the battle in that case.

[00:03:03] That's where you want to think about how it's going to be broken out.

[00:03:08] You know depending on how a company is going to be engaging this challenge if they are bringing in a consulting company or a managed service provider like us what type of resources would let's just say a company going to for a level two.

[00:03:23] Let's say they have an MSP and they don't have an MSP right and they're doing it all on their own.

[00:03:30] What does that resource people like look like for someone like that.

[00:03:36] So let's start with the organization that doesn't have an MSP that's trying to just figure it out on their own.

[00:03:43] You're going to want to have a resource that not only understands the policy and procedure aspect of CMMC but also the technology undertakings with that.

[00:03:53] That's going to be someone that likely has years of experience in an information security role, possibly a compliance role.

[00:04:00] Not an intern that you just hired from college right.

[00:04:03] Correct definitely not the intern.

[00:04:05] Because NIST is complicated enough as it is.

[00:04:08] You need someone that's been there and done that and the simple reality is when you look at Glassdoor or any of the other websites out there that talk about positions and salaries and stuff.

[00:04:16] Those resources aren't cheap.

[00:04:18] No.

[00:04:20] Using myself as an example, I've been in the MSP and cybersecurity industry for a decade plus.

[00:04:25] So a resource like me has the years of experience on top of that.

[00:04:30] I've got my CISSP, which is an additional here's a chunk of experience and stuff on top of that as well.

[00:04:36] And then you actually add in the technical capabilities on that too, which again expands that experience level.

[00:04:44] I'd say resources depending on your area, that could easily, when you factor in benefits and everything else, that's a six-figure plus hire.

[00:04:51] Right.

[00:04:51] So that brings up a good point because of the fact that when you have that person with that skill, you've got to think about timeframe as well.

[00:04:59] So if you want to get certified in less than a year and you're throwing one person at it and you have a larger company, 50 people or something, it's not going to be a very quick process if you're starting from zero.

[00:05:14] Right.

[00:05:15] Right.

[00:05:15] If you're just giving that person and they have to build you from the ground up and move you technology wise, that's going to be a challenge.

[00:05:23] Oh, absolutely.

[00:05:23] And again, that still factors in the technology bits that you mentioned there.

[00:05:28] You know, doing a migration from on-prem file structures to cloud file structures, the amount of planning and energy and effort that goes into that.

[00:05:37] But, you know, if someone's doing it themselves, like you've got to find a really good jack of all trades to be able to pull all of this off simultaneously.

[00:05:44] And again, those aren't cheap resources.

[00:05:46] And when thinking through that in the context of a business, you know, a business functionality, that's a resource that's not generating you revenue.

[00:05:52] Right.

[00:05:53] You know, for a good period of time, you're just going to have to eat that cost.

[00:05:56] And I think that's a big reason why most SMBs just don't go that route because it's just not attainable or realistic because you have to think about not only once you get level two certified, you're not done.

[00:06:05] You know, congratulations.

[00:06:06] You just finished the first lap.

[00:06:08] You know, see you next time.

[00:06:09] You know, and you just keep going around and around.

[00:06:12] So that's why a lot of people switch to MSP.

[00:06:14] So what type of commitment would you expect for, you know, a full-time person or people inside the organization would have to commit working with a consulting or an MSP?

[00:06:23] What kind of commitment would you see there?

[00:06:26] I'd say that would really depend on the big thing.

[00:06:28] And I think the biggest caveat when all these conversations that come up is the scope of the engagement.

[00:06:35] But assume that the scope is nice and narrow.

[00:06:37] You're working with a 50-person or less company.

[00:06:39] Nothing too crazy to deal with in terms of technology and processes.

[00:06:42] I'd still expect that internal resource that the company has to have to provide a handful of hours every month to maintaining this.

[00:06:49] A great example of that, one of our internal tasks has been to go through our cybersecurity maintenance checklist and try to find some efficiencies.

[00:06:57] And in that, there are things like collecting your facility visitor access logs and storing those someplace safe.

[00:07:04] That's a task that might only take 15 minutes, but someone has to do that in the company.

[00:07:08] You can't, you know, a company is not going to submit a help desk ticket to an MSP saying, can you come out to my facility and move the visitor logbook over?

[00:07:14] You could.

[00:07:15] I just don't think that's a good idea.

[00:07:16] I will bill you for it.

[00:07:19] But, you know, there's still that practice and stuff.

[00:07:22] And not to mention, you know, there's those other ongoing tasks that might be more at the quarterly level.

[00:07:27] Reviewing the authorized user inventories, the hardware, software, et cetera.

[00:07:31] Someone at the client has to sign off on that.

[00:07:33] Well, and another thing is, you're looking at that, in my opinion, from you've already gotten there kind of engagement, right?

[00:07:42] But that's not what that person's kind of day-to-day operational look like when you're trying to ramp up to get ready.

[00:07:47] Oh, yeah.

[00:07:48] That too.

[00:07:48] That would be very different.

[00:07:50] I mean, it would be inverted probably most of their day until you were ready would be involved in working with that company and making sure.

[00:07:57] Because if you want to get done in six to eight months or, you know, some timeframe that's relatively quick, you don't want your MSP waiting on you, right?

[00:08:06] Or your consulting company.

[00:08:08] You want to be waiting on them.

[00:08:10] And what we find ends up happening is companies are – they want to do their job.

[00:08:15] They want to do their business.

[00:08:16] And so what ends up happening is these consulting companies are just waiting and doing donuts until they get back to them so they can start moving to the next phase.

[00:08:23] Or there's some project or something they're trying to do and they can't finish that other piece so they can then go to the next thing.

[00:08:29] And that's what tends to backlog and slow stuff up.

[00:08:32] Right.

[00:08:33] And that actually brings up a great point.

[00:08:34] As someone who's worked in the MSP industry so long, my clients have always understood their business and how their business functions better than I ever hoped to.

[00:08:43] So when we look at things like rolling out a standard set of policies for a client that say we sign tomorrow, I can have the best templates in the world.

[00:08:51] They're not going to align to how that company actually does business.

[00:08:55] So that internal resource is going to have to be able to communicate with a consultant or MSP to align those policies and procedures.

[00:09:01] Or the inverse, if the company is writing those policies and procedures from scratch themselves, the MSP is going to have to be able to come in and say, I can support this.

[00:09:09] I do this.

[00:09:10] Here's the stuff that I handle.

[00:09:11] Because those two have to be working in lockstep together to make sure that we meet the objectives.

[00:09:16] There can be a major disconnect if the company institutes a, I don't know, configuration management policy.

[00:09:21] And it says that the hardware inventory will contain X, Y, and Z.

[00:09:25] And the MSP is like, huh?

[00:09:28] I can't facilitate that.

[00:09:30] Or in other cases, MSPs will say, I simply won't facilitate that.

[00:09:35] Yeah.

[00:09:35] So I think if you're looking for a very specific brass tacks kind of answer, I think that point of contact, and you'll need at least one that's going to be handling it, you would be able to do that.

[00:09:45] Probably write off a half a day most of the week until it's ready for implementation.

[00:09:51] It would be a fair quarter of a day working on them to be able to write that person off.

[00:09:58] So don't think that you can just kind of put that point of contact and they can just do their normal job and pull their normal weight.

[00:10:06] During that onboarding process, you need to be understanding when you give that responsibility to that point of contact.

[00:10:13] They're going to have to pick up the ball because what you don't want to have is you have a bad design because the person that you have put in charge for your internal company is not pulling their weight.

[00:10:26] And, you know, the other organization, the MSP that you're utilizing is you will still fail.

[00:10:32] Right?

[00:10:32] Yeah.

[00:10:33] And it brings up another point as well is that internal person may be your internal point person to distribute and roll out CMMC to the entire organization.

[00:10:42] Looking at something like incident response, for instance, you know, they're going to have to work through to management and other people as staff to say, here's how you report incidents to the MSP or managers.

[00:10:53] You just hired a new person.

[00:10:54] Here's the process to go through to get that new employee, their username and password.

[00:10:58] Right.

[00:10:59] Right.

[00:10:59] That's going to transcend much further than just, you know, what an MSP typically does in that engagement.

[00:11:04] They've got to take those policies and procedures and make sure the entire organization is trained and aware of them.

[00:11:10] Otherwise, again, this whole process can fail.

[00:11:13] So let's switch gears to the consulting or MSP engagement.

[00:11:17] Right.

[00:11:17] So that would be considered a resource.

[00:11:19] You want to find out who you're going to grab.

[00:11:21] First off, how difficult is it finding an MSP that's going to be level two certified and be transparent on when they're going to be certified?

[00:11:28] How hard is that, Adam?

[00:11:30] Based on what we're seeing so far, that's pretty difficult.

[00:11:34] Yeah.

[00:11:34] Very.

[00:11:35] I've seen a thousand MSPs that have a page on their website that say, we'll do CMMC.

[00:11:40] And then when you start asking them questions about it, they've barely gotten started themselves.

[00:11:45] Yeah.

[00:11:46] So that's its own challenge.

[00:11:47] There's also plenty of MSPs whose approach to CMMC boils down to simply them saying, trust me, bro, I've got this.

[00:11:55] Right.

[00:11:56] Well, we know CMMC requires that evidence, that paper trail, those documentation items.

[00:12:00] Trust me, bro, won't hold up in an audit.

[00:12:03] No.

[00:12:03] So they have to have their system security plan ready, their shared responsibility matrix ready, because those are the documents that are likely to be in scope for assessment.

[00:12:10] And again, so many MSPs haven't gotten started in that process.

[00:12:14] They will tell organizations, we'll get you there.

[00:12:17] But with that requirement for external service providers to match the level of CMMC as the organization that's getting assessed, that's a big nail in the coffin to those trust me, bro companies.

[00:12:26] Yeah.

[00:12:27] And if you think about it, your MSP, if you want to get certified this coming year, your MSP will need to be certified probably in Q1 and be ready to be certified in Q1 of next year.

[00:12:41] So because they have to have their environment and design finalized so that you can appropriately align with them.

[00:12:48] Yeah.

[00:12:50] And speaking from experience in the MSP space with us, you know, when I came on board, one of the key drivers of that that was a helpful thing was we're focusing entirely on CMMC with a dedicated practice of doing so.

[00:13:02] We will be building it and aligning that.

[00:13:05] Not every MSP makes that decision.

[00:13:07] Right.

[00:13:07] Some MSPs say, well, we want to take our existing operations and transform that for CMMC.

[00:13:12] That's another entire challenge in and of itself to make that happen.

[00:13:17] Even if you look at another framework like CIS or PCI, if an MSP says, I want to align to support this framework exclusively, that's still a mountain of work to transform those current operations over to that framework.

[00:13:29] Right.

[00:13:29] Not every MSP has that luxury.

[00:13:31] And even if they want to commit to it, it will still take a considerable amount of time to get there.

[00:13:36] So to your point, yeah, they've got to get the ball started now.

[00:13:40] They have to get that assessment scheduled, especially as we see the demand rising for assessments.

[00:13:45] It's going to be a matter of time before the new MSP reaches out to the C3PAO, say in January, saying, I'd like to get an assessment scheduled.

[00:13:53] And they go, cool, our earliest availability is August.

[00:13:56] Right.

[00:13:56] Not that we've specifically heard that scenario playing out right now, but it's not an impossibility given the demand that we're seeing out there.

[00:14:02] Yeah, I've seen, been talking, you know, the newer C3PAOs that haven't been as well established that have been coming out more recently.

[00:14:13] They're booked up to next year, but probably Q1.

[00:14:17] The organizations that are C3PAOs that have been around for a very long time, I'm hearing Q3 is far there getting pushback.

[00:14:25] So you have some, some variants in those C3PAOs, but they're all getting quite a backlog and that's important.

[00:14:34] And so I think to kind of be very specific about the MSP specific kind of conversation about as a resource, you have to be very careful.

[00:14:42] You have to make sure that you're, you've talked with them.

[00:14:44] You've got to ask them very tough questions and make sure that they're ready as a resource to help support you and not become a liability for you.

[00:14:50] What about consultants?

[00:14:53] What kind of things as a resource would you want to think about with that?

[00:14:57] And would you recommend having a consultant in MSP or just have a consultant?

[00:15:00] Like, what do you think about that?

[00:15:02] So I think the big thing that comes down with bringing your consultants is you want to make sure you have a good consultant.

[00:15:08] There are a lot of people out there that, that are consultants.

[00:15:13] And they'll have fancy, you know, letters at the end of their signature, CISSP, RP, RPO, CCP, CCA, et cetera.

[00:15:21] So you got to decipher what those things actually mean and select appropriately.

[00:15:27] Just because you, you paid money for advice doesn't make it good advice.

[00:15:31] That's true.

[00:15:33] And there are a lot of people out there that have gone through the process to get their, their CMMC registered practitioner certificate.

[00:15:42] That when you start hearing them talk, the words coming out of their mouth aren't making sense.

[00:15:48] That doesn't mean that all RPs are bad.

[00:15:50] That doesn't just, you know, not to discredit what the RP designation is supposed to be.

[00:15:54] But there are a lot of people that just went out, paid some money, got it and said, yep, I can give CMMC advice now.

[00:15:59] And you're over here like, did you even read the documents?

[00:16:04] Like, but the key thing on those is when we think about it in a bigger picture, everyone's goal in the CMMC process.

[00:16:11] Not to, you know, obviously they keep controlled and classified information confidential and maintain that.

[00:16:15] But we all want to get our assessment.

[00:16:17] Like we need to get assessed.

[00:16:18] We want to pass that assessment with this, you know, as straightforward and as cheaply and as efficiently as possible.

[00:16:24] So when it comes to finding a good consultant, look for people who have been assessed, gone through assessments or are assessors themselves.

[00:16:30] That's, that's so true because you can get a CCA and never have gone through an assessment.

[00:16:36] Right.

[00:16:37] You can, you can provide guidance and suggestion, but there is a huge difference between reading and being tested and having conversations.

[00:16:46] And of having experience, even in the DIB space, than having real experience by looking across the table at DIBCAC or looking at another C3PAO who's doing your audit against you versus just having that general consulting and GRC kind of guidance.

[00:17:01] And I think that's one of the areas that I highly suggest when you're trying to pick that consultant is you want to find individuals that have gone through actual assessments and have guided people through successful passing of those assessments.

[00:17:17] Because it's, it's really hard to do.

[00:17:19] The, the CMMC assessment process is no joke.

[00:17:25] It's not very flexible.

[00:17:26] Um, 60%, over 60% of the 110 or 320 assessment objectives or 110, um, controls, or you'll fail them straight out.

[00:17:36] If you, if you, if you get any of those wrong, it's a, it's a, it's a fail.

[00:17:40] Your whole assessment would consider not met.

[00:17:42] So when you take into consideration that, that high level of fidelity that you have to have when you're going in there, um, you want to make sure that your consultant is going to really be able to understand that and have guided people successfully through it.

[00:17:55] And that's why we like saying C3PAOs, because they've at least had to be assessed themselves.

[00:18:01] But that doesn't mean you can't work with a consulting company that all they do is consulting.

[00:18:05] But again, if they're just doing consulting, they could do consulting, but have never had to really design, um, a real implementation and guided clients through it.

[00:18:15] And you could be the very first one.

[00:18:17] Is that a good situation for you to be in?

[00:18:18] I don't know.

[00:18:19] That's a business decision, but you really want to think about that.

[00:18:22] And that brings up a great point.

[00:18:24] Um, you know, and looking at the consultant piece of stuff, um, you know, we have our consultants and, you know, a good variety of them.

[00:18:31] And we can look at some of them where they haven't really, they're not MSPs.

[00:18:35] They're experts on CMMC, but they're not an MSP.

[00:18:39] So we can come up to them and say, here's how we want to solve this challenge as an MSP.

[00:18:44] What do you think?

[00:18:45] Well, they don't know how we operate.

[00:18:46] They don't know.

[00:18:46] Right.

[00:18:47] You know, they know what we tell them about our industry, but in this case, that consultant's a C3PAO.

[00:18:53] They go through assessments.

[00:18:55] Our dedicated resource at that, that company has said for our next consulting call, just to let them know ahead of time.

[00:19:00] Cause he's very busy doing JSVA assessments right now.

[00:19:04] Um, and that's where that value to your point really comes in because we can say, here's how we handle this as an MSP.

[00:19:10] Here's what we think will pass the test.

[00:19:12] Have you seen this before?

[00:19:14] What do you think?

[00:19:15] Like in some cases he goes, that's more above and beyond what the assessment objective says.

[00:19:19] This is great.

[00:19:19] I love everything about this.

[00:19:21] And in other times he comes back and goes, I see what you're trying to do there.

[00:19:24] And here's why this fails on so many different levels.

[00:19:27] And we're over here like crap.

[00:19:30] Yeah.

[00:19:31] But it's that valuable stuff that we're getting pre-assessment and that consulting time pre, you know, getting into the assessment time where we have that flexibility to make those decisions as opposed to assess an assessor looking at that going.

[00:19:42] No, that's a "not met" for me, bro.

[00:20:12] Yeah.

[00:20:14] This is small because you're having to find organizations that have done JSVAs.

[00:20:18] You're trying to find people that have participated in it and have had more experience because you, you, you just don't have a lot of those assessments happening yet for you, a large pool to pull from.

[00:20:29] So it's, it's challenging for people.

[00:20:31] It's not fair, but these are the cards everybody's dealt.

[00:20:32] Yeah.

[00:20:34] Yeah.

[00:20:35] It's going to continue to be a challenge for, I'd say the foreseeable future.

[00:20:38] Yeah.

[00:20:39] Until we get more companies that have been assessed, we get more C3PAOs, we get more assessors out there.

[00:20:44] The consultants that are taking this seriously go through more and more of this and can expand out.

[00:20:49] You know, as we were talking before we started recording, you know, we've got a lot of stuff in place and we're ready to go and we're excited about it.

[00:20:56] But we also know that we're going to be in for a whole new world of learning experiences once we start getting these rolled out to more organizations.

[00:21:03] Yeah.

[00:21:05] From an MSP perspective, our journey, you know, well, we've made our social posts saying, you know, we've made a huge step in our journey, getting our own assessment done.

[00:21:12] We know we're so early on still.

[00:21:15] Yeah.

[00:21:15] Well, and I've talked with different C3PAOs, and every JSV assessment or assessment they've done, they've learned something.

[00:21:22] They've learned something about how they could do it better, how they could improve the process better.

[00:21:26] And we anticipate that to be the exact case for us as we're working with our clients and moving them through.

[00:21:32] So we've got to be prepared to make that audit.

[00:21:35] Now, let's switch gears to just some of the technology resources that organizations are probably going to need.

[00:21:42] And I think first and foremost, storage would be a concern that people would have to think about.

[00:21:47] And typically organizations are going to have a cloud storage and they might even have a local storage.

[00:21:53] Can we talk about, you know, without getting too far in the weeds, because we try to keep this within 45 minutes,

[00:22:01] just cloud and local and what are some thoughts that people need to think about when they're trying to go down that box and checking it off?

[00:22:09] I think if we break this down, we've got a handful of technology buckets that we have to look into.

[00:22:13] Number one, we have to control who has access to what.

[00:22:16] So that screams identity and access management platform, a.k.a. you need usernames, you need passwords, and something has to manage it on the back end.

[00:22:25] That could be an on-prem server handling that.

[00:22:27] That could be a cloud service.

[00:22:28] That could be a hybrid environment where both are doing it.

[00:22:31] But that's definitely one resource to factor in.

[00:22:34] Now, we know that data doesn't just exist in some magical world.

[00:22:37] It has to live somewhere.

[00:22:38] Right.

[00:22:39] So where is that living?

[00:22:40] Because that's not free either.

[00:22:42] So that's going to be your cloud storage or your on-prem or both.

[00:22:47] We know as part of this process as well, access to all that stuff has to be logged.

[00:22:52] Logs don't just take up a magical amount of space as well.

[00:22:54] They have to, they take up a decent amount of space.

[00:22:56] They have to live somewhere.

[00:22:58] We know those auditing requirements require us to be able to correlate those logs and take action on them.

[00:23:03] So that screams a SIEM or SOAR resource.

[00:23:06] Those aren't cheap either, and those have to live somewhere, whether it's cloud or on-prem.

[00:23:11] We know that we have to have something to handle endpoint management.

[00:23:15] We know we can't just have that one person running around hitting, you know, update now on every computer.

[00:23:20] I mean, you could do that, but that's not terribly efficient.

[00:23:22] Right.

[00:23:23] So you need something to manage your endpoints, apply those baseline configs, perform that maintenance.

[00:23:27] And then, of course, you have to be prepared for what happens next.

[00:23:29] What are the worst case scenarios?

[00:23:31] Incidents.

[00:23:31] You need to have something to detect and help respond to those incidents.

[00:23:35] Right.

[00:23:36] And those are just the quick categories, and we've not even started to break that down into subcategories.

[00:23:42] We haven't mentioned patch management platforms, application allow lists, zero trust network access.

[00:23:46] I can keep naming industry buzzwords for the next hour and bore everyone to death, but the reality is a modern business ecosystem has a lot of technology pieces into it, a lot of moving parts.

[00:23:58] Right.

[00:23:59] Those have to be managed, maintained, implemented.

[00:24:01] They have to be aligned to those controls.

[00:24:03] We have to keep them up to date, and somebody has to do that work.

[00:24:08] Companies are faced with decisions of, do you hire an internal person to do it?

[00:24:13] You certainly could.

[00:24:15] Sysadmin salaries in the U.S. are ranging between $60,000 and $90,000, approximately, and that's just for someone to maintain your servers and workstations.

[00:24:24] Security professionals, that range and more.

[00:24:26] Someone that can handle automation to tie it all together, more.

[00:24:29] Cloud engineer to build it out yourself, oh boy, I think I picked the wrong line of work when I see those salaries come up some days.

[00:24:34] But again, the moral of the story, you can hire a dedicated team to do this and to handle your compliance stuff, but to get everyone in their dedicated full-time seats, I'd round that up to a six-figure with benefits salary investment to have a dedicated IT team.

[00:24:50] Yeah, for sure.

[00:25:20] To align a G Suite environment to CMMC.

[00:25:23] I am telling you, pretty promptly, I can't do that.

[00:25:28] Here's someone else who can as I walk out the door.

[00:25:30] Yeah.

[00:25:31] And it's not that we drink the Kool-Aid and somehow we've been indoctrinated.

[00:25:36] There's some very specific technologies and things and capabilities that we just haven't been able to see over in some of the other products that make us feel comfortable.

[00:25:45] Now, does that mean that you can't utilize other methodologies to get there?

[00:25:49] Yeah, you can.

[00:25:50] And people have passed.

[00:25:52] But it's about the organization and how comfortable we are.

[00:25:56] Because when you heard that rattled off list that Adam gave, those are technologies that apply to that storage, right?

[00:26:04] So you've got to have identity about who's accessing it.

[00:26:06] You've got to think about what type of data you're storing.

[00:26:08] You have to think about encryption.

[00:26:09] You have to think about a lot of things about...

[00:26:13] And it all ties back into that file sitting in that location.

[00:26:17] Like all of those sort of come together to make that thing secure, that data in that location.

[00:26:23] And all those technologies have to work together as a piece.

[00:26:26] And then let's go ahead and wrap it with FIPS.

[00:26:29] You know, what boundaries and where is that encryption going to be required and how is it maintained?

[00:26:35] And this pulls in this scoping process that everybody talks about and why it's so critical that you have to do.

[00:26:43] Why don't you talk a little bit more, Adam, about how that scoping process comes into the selection process of those resources?

[00:26:50] Yep.

[00:26:51] So I think a great example of that is with our own environment.

[00:26:55] We are a fully remote organization.

[00:26:59] So how did we do our scope?

[00:27:01] Well, we have an enclave.

[00:27:03] Easiest way for us to do that because that keeps all of our data in the enclave location.

[00:27:08] We have our appropriate safeguards around that.

[00:27:11] And that allows us to really set those boundaries.

[00:27:14] If we didn't do that, would my home office and setup here at home, would that be in scope for our CMMC environment?

[00:27:22] If so, that brings up physical security controls.

[00:27:25] Do I need to have an electronic key card to access my home office with security cameras managed by my organization?

[00:27:31] Bobby, I'm sorry, buddy.

[00:27:32] If you ask me to do that, I'm going to tell you promptly where you can put that camera.

[00:27:38] Wow.

[00:27:39] The hostility.

[00:27:41] I've seen worse from end users too, but scope is key.

[00:27:45] It really is.

[00:27:46] And I've said this publicly and also posted this.

[00:27:52] There are certain controls that tend to be battlegrounds for assessors.

[00:27:56] And as an MSP, me and Adam have lots of discussions about what those controls might possibly be.

[00:28:02] Remote workplace can be one of those.

[00:28:04] It is definitely one that some assessors have more of an attitude towards what Adam's talking about, like almost to the point where you have to have key cards at the remote office, even though others look at it from the perspective of it's a remote home office.

[00:28:18] And therefore, that scope doesn't appropriately apply to them if you handle it another way.

[00:28:22] Right. And again, it's just the layers of the onion just keep coming and the tears are involved in the process.

[00:28:29] And so you sort of have to think about how you want to attack that.

[00:28:33] And that is where that scoping comes in, right, Adam, and can be such a critical thing about dodging those and trying to stay on what would be the most solid ground without spending the most amount of money.

[00:28:46] Because, you know, going to all of your people's houses and trying to implement physical security boundaries around their personal houses would be, I mean, unrealistic.

[00:28:56] I've seen users throw an absolute conniption over, you know, getting a text message to multi-factor into their environment.

[00:29:02] Right.

[00:29:03] Saying, how dare you do this on my personal phone?

[00:29:05] I demand the company now pay my entire cell phone bill.

[00:29:07] And I'm like, dude, it's a text message.

[00:29:10] Can you imagine those people having to deal with the company now has to secure your home office?

[00:29:15] Right.

[00:29:17] Yeah, that's not going to go over well.

[00:29:18] But I think a good point you make there is on the cost of stuff and like where we can make, you know, smart decisions.

[00:29:24] As we're going through our processes here and thinking through how we can take the approach that we've built and help, you know, businesses deal with this.

[00:29:31] Some great examples of this are like portable storage.

[00:29:34] We have no reason for our business right now, based on what we know, to need portable storage.

[00:29:41] We know that's not going to be the case for every environment.

[00:29:43] So we've started looking at portable storage methodologies to help us facilitate that.

[00:29:47] So when a client says, I need to use a flash drive, how do we help guide them in the right direction?

[00:29:52] Right.

[00:29:53] I think we all know we can go to Walmart, Best Buy, Staples or whatever, pick up a 32 gig flash drive for eight bucks at the checkout counter and everything like that and call it a day.

[00:30:01] Sure.

[00:30:02] Well.

[00:30:03] Problem solved.

[00:30:03] Way to go, man.

[00:30:04] Done.

[00:30:05] I wish, right?

[00:30:06] So then we have to talk about encrypted storage because if it can leave the boundary, it has to be encrypted because you don't have your alternative physical safeguards to protect you at this point.

[00:30:16] Yep.

[00:30:16] You have to have some form of encryption and that encryption has to be FIPS validated.

[00:30:19] And I've heard some people, interestingly enough, try to argue about the fact it's USB, but our policies say it has to stay within the boundary.

[00:30:27] Right?

[00:30:28] Right.

[00:30:29] Yeah.

[00:30:30] It's like, is that a hill you really want to fight on?

[00:30:34] You know, we've gone back and forth on different things regarding encryption and how we handle it and everything internally.

[00:30:39] But to finish this little anecdote here so we can move on to the next one.

[00:30:42] So we looked at self-encrypting flash drives.

[00:30:44] I think right now there's a great one from a third party out there that's on an Amazon Prime Day sale because as of recording, it is Prime Day.

[00:30:50] And I said, wow, look at that.

[00:30:52] It's half off.

[00:30:52] It's $30 for an eight gig.

[00:30:55] So we're already looking at, you know, four times the cost for less storage.

[00:31:00] But its cryptographic module wasn't FIPS validated.

[00:31:02] Let's find the FIPS validated one.

[00:31:03] And now a four gig flash drive is costing over $100.

[00:31:06] And I'm over here going, what is this?

[00:31:08] 2001 with that kind of memory pricing again?

[00:31:11] Yeah.

[00:31:11] And they can get you on that.

[00:31:13] So knowing the hardware resources, the technologies you're going to need that are compliant, there's no shortage of things that can't do what you need.

[00:31:21] The trick is doing it in a way that's compliant, that doesn't compromise your assessment.

[00:31:26] Yeah.

[00:31:27] And I think that brings us up to so many different things.

[00:31:30] We look at cloud storage locations.

[00:31:33] Obviously, you have your Amazon Web Services, GovCloud, your Microsoft GCC High.

[00:31:38] You've got plenty of environments that have gone through this process.

[00:31:41] You've got other companies out there.

[00:31:43] And I'm not picking on anyone that I mentioned here.

[00:31:45] I'm just citing as examples.

[00:31:46] You have companies like PreVeil.

[00:31:48] They're out there offering solutions to this.

[00:31:51] Companies have passed and failed using that solution.

[00:31:53] There are caveats and risks and stuff like that to it.

[00:31:56] And it's up to each company to understand those risks that they're bringing on board and to understand that scope, data flow, and requirements there.

[00:32:03] You look at something like in our own space here.

[00:32:06] You see so many security and technology solutions saying, we'll help you with CMMC.

[00:32:10] In fact, here's our page on our website saying exactly which controls will help facilitate.

[00:32:14] And I'm over here like, okay, that's cool.

[00:32:16] You're a log service.

[00:32:17] You're a SIEM tool.

[00:32:18] You're security protection data that lives in your cloud environment.

[00:32:22] And we now have reason to say that your cloud environment might not be authorized here.

[00:32:30] We might have a problem.

[00:32:32] And it's easy to look at those, especially at the MSP level.

[00:32:35] We love our tech conferences.

[00:32:36] We love our vendors in the vendor hall there.

[00:32:39] It's easy to find a great solution.

[00:32:41] Have a sales rep say, yeah, it'll be great.

[00:32:43] Here's some documentation on it.

[00:32:45] An assessor might not agree with you on that.

[00:32:47] So, again, it's up to the companies to do their own risk assessments to dig in, to make sure that the – what's the phrase I want to use here?

[00:32:56] But to make sure that what they say actually is in reality and that an assessor would likely agree with that.

[00:33:02] Right.

[00:33:03] By our approach.

[00:33:05] Yeah.

[00:33:05] By our approach.

[00:33:05] Buyer beware, right?

[00:33:07] Yeah.

[00:33:07] Our approach.

[00:33:08] We had to leave a lot of stuff that we would love to use off our list just because we didn't want to take that risk because we didn't want to introduce a technology tool set to our environment and then to a client environment and then to have an assessor somewhere go, no, or I'm going to fail you on that.

[00:33:22] Right.

[00:33:23] Yeah.

[00:33:24] Because that carries a huge weight and liability to us if we do that.

[00:33:27] So, let's transition, Adam, here as we're closing out to the scoping process.

[00:33:34] I think when you look at the resources, whether it be people or technology, it all comes back to the scoping piece.

[00:33:42] The pen that just kind of everything branches off of, that linchpin that everything's kind of bouncing, is that scoping, is that foundational design?

[00:33:52] Because what you don't want to have is a situation where some of those key components are actually in that kind of battleground situation and you find out that, you know, you didn't make the cut and that's being discovered in assessment.

[00:34:07] Not a good day.

[00:34:09] Can you just talk about the scoping process as far as in how you would find someone and engage in that scoping process to kind of help dodge that, kind of put a bow on this resource piece?

[00:34:19] Yeah.

[00:34:20] I think through when it comes to scoping is you follow the data.

[00:34:23] And in this case, there's three kinds of data that I'm looking at.

[00:34:26] You've got your FCI, your federal contract info, your CUI, your controlled unclassified information, and your security protection data.

[00:34:34] Where that flows, you need to start putting those protections in place.

[00:34:37] Right.

[00:34:38] Does the janitor come into contact with CUI, FCI, or security protection data?

[00:34:44] Probably not.

[00:34:45] They probably don't need to exist in your CUI environment.

[00:34:48] Your accountant, well, they might, you know, in finance department, they might deal with FCI, scope appropriately.

[00:34:55] Your engineering department on a manufacturing firm, they might be dealing with that CUI directly because they're printing the parts.

[00:35:01] Right.

[00:35:01] Your IT provider, absolutely security protection data is going to touch them in some way, shape, or form.

[00:35:06] Right.

[00:35:07] And then the sub data artifacts.

[00:35:08] So we've got to think about the, what data do you have?

[00:35:11] Where does that data go around the organization as it moves dynamically?

[00:35:14] Because you don't just put it in your file share and leave it there.

[00:35:17] It does move around.

[00:35:18] And then, you know, how is that data manipulated?

[00:35:22] Who controls it?

[00:35:22] Who messes with it?

[00:35:24] Who has access to it?

[00:35:25] And that helps build out your scope.

[00:35:27] If the answer is they don't have to do any of that, you can potentially scope them out.

[00:35:33] The reason why I say potentially on that aspect, sometimes it is more efficient and cheaper to scope the entire organization in than to have two separate information systems to work with.

[00:35:44] Sometimes it's the inverse.

[00:35:46] It depends on your organization, your business needs, and how you function.

[00:35:49] I've seen companies take it both ways.

[00:35:53] And again, that's all up to the business leaders to decide.

[00:35:55] It gets back to our conversations about people, consultants, and kind of wraps it all together.

[00:36:00] Because cybersecurity and compliance doesn't just affect a computer, a single person.

[00:36:06] These things impact the entire company in one way or another.

[00:36:10] And it's important that the company work towards that in a holistic fashion.

[00:36:16] Because the added benefit of it all.

[00:36:19] Well, if you take this on to handle one government contract, and that government contract, say, is only 40% of your revenue, you can live without it.

[00:36:27] It'd be tough, but you could live without it.

[00:36:30] Well, by adopting this, you've just better protected the remaining 60% of your organization.

[00:36:36] You've added important policies and procedures to help out everybody, which makes you a slightly more mature organization than some of the other players out there.

[00:36:44] Will all companies want to take that jump and do it?

[00:36:46] No.

[00:36:47] And that's their right to do so.

[00:36:48] They can certainly choose that they don't want to go down the CMMC journey for government contracts and do their own thing.

[00:36:53] But for those that want to do that, they have an incredible opportunity to raise the bar for their own security posture, participate in the defense industrial base, which could be quite lucrative, and grow their business.

[00:37:03] Yeah, for sure.

[00:37:04] That's each and everyone's opportunity to decide.

[00:37:06] Well, and you talked about security protection data, which I'm so glad that you touched on that.

[00:37:10] And it's not always flowing necessarily to your MSP.

[00:37:14] It could be your MSSP or it could be your GRC company that's helping you with your consulting, right?

[00:37:19] They might have copies or access to all of your sensitive data for you to get ready for your audit.

[00:37:27] And so you have to think about who has access to that information and where it's going.

[00:37:31] Maybe you have a GRC tool and you're loading so much information about how you operate into there.

[00:37:38] You have to think about, well, will that tool be pulled into scope?

[00:37:41] These are questions you really have to think very hard about in that scoping because you've got to, just like Adam said, track where that data is going.

[00:37:48] And even if it seems insignificant, you still want to think about it because what you don't want to have is a door that you haven't walked down with that data in mind.

[00:37:59] And the auditor does.

[00:38:01] And you don't have the answers in the conversations that are ready to be had when the auditor starts asking those conversations.

[00:38:07] Because I've been through those audits and they don't always go the way that you expect.

[00:38:11] You might be prepared for the dance, but that doesn't mean that someone's going to call an audible about something.

[00:38:17] And then you're going to be like, whoop.

[00:38:19] And then you got to be ready to have that conversation.

[00:38:21] Yeah.

[00:38:21] I think when we went through our prep work for our own assessment, we went through every assessment objective and basically played out the scenario of, well, what if the assessor wants to drill in deeper on this?

[00:38:33] What do we do?

[00:38:34] Are we prepared to have this argument with them?

[00:38:38] How can we prove this?

[00:38:41] Some controls were much easier to satisfy.

[00:38:44] I think a good example of that is displaying our privacy and security notices.

[00:38:48] We've got that in place.

[00:38:49] It popped up.

[00:38:50] We are ready to demonstrate it.

[00:38:51] Our assessor really didn't have much room to say, I don't agree with your findings on this one.

[00:38:56] But we've got different ones where we may have scoped something differently or we may have a different procedure to handle this.

[00:39:01] And we may have looked at an alternative safeguard that we drilled into.

[00:39:04] We referenced with our C3PAO consultants to say, do you think this would work?

[00:39:08] I think in that courting process, when you're looking at picking your C3PAO, those type of battleground conversations you want to have in the selection process, if at all possible.

[00:39:17] Oh, absolutely.

[00:39:17] You can't have them all in the selection process.

[00:39:20] But the ones that you're really concerned about, you definitely want to be forward in that conversation.

[00:39:25] Right.

[00:39:25] You can ask questions along the lines of, you know, how do you feel about security protection assets and security protection data?

[00:39:31] Do you feel that security protection data, you know, do you feel this qualifies as security protection data or do you think it doesn't qualify?

[00:39:38] You get a good chance to ask that.

[00:39:40] And keep in mind, your assessor cannot provide consulting advice to you.

[00:39:44] That's a conflict of interest.

[00:39:45] But you can ask those high-level questions without divulging specifics just to feel out the conversation.

[00:39:51] Well, let's, I do want to close with this one point.

[00:39:56] And that I think one of the important resources is picking that consultant or MSP or whoever that has been in the industry and has had those conversations with the C3PAOs in advance.

[00:40:08] In advance.

[00:40:09] Because you don't want to rely on your ability to ferret out the right C3PAO for you.

[00:40:17] You want your consultants or your MSP to have plenty of experience of knowing how that's going to go.

[00:40:25] Because here's how I think things might possibly go.

[00:40:28] I think what's going to happen is the C3PAOs, and they're already starting to get backlogged.

[00:40:32] They're going to start getting so busy.

[00:40:34] They're not going to want to do a song and dance very much.

[00:40:38] They're going to be like, do you want to sign up?

[00:40:40] Here's what we need.

[00:40:41] Do you want to answer the questions?

[00:40:42] Because I got six other people that want to do this, and I don't have to do this dance with you or not.

[00:40:47] I think some will.

[00:40:49] But I just have a feeling that these C3PAOs are going to get so inundated.

[00:40:52] They're just not going to have the time to go through five levels of debate and understanding of where they're at.

[00:40:59] That's where the consultant that you're picking needs to have already done that before all of these C3PAOs get underwater.

[00:41:04] They need to have an understanding of where they're at and be able to have those backdoor conversations before you bring the client there so that you can make sure that you're not bringing someone to a C3PAO whose perspective is going to be so misaligned.

[00:41:20] And would it be great in a perfect world if all C3PAOs saw things equally the same way and everybody interpreted it the same?

[00:41:27] That would be great.

[00:41:30] But that's not the world we live in, sadly.

[00:41:32] And so you have to be an advocate for your client.

[00:41:34] So I think one of the most important resources, like we're talking about, is get that scoping right and have somebody who's going to be an ambassador for you to when it's time for you to pick, that you're going to pick wisely.

[00:41:44] So as we're wrapping up again, like we said, Adam, I believe you're going to be speaking somewhere.

[00:41:48] Do you want to share what that is and where?

[00:41:51] Yeah. So coming up here in November, there's a conference called CEIC East.

[00:41:57] That's for the CMMC ecosystem.

[00:41:59] And I'm actually going to be speaking on the topic of external service provider participation by control.

[00:42:05] Something we're slightly passionate about.

[00:42:08] Yeah, considering, you know, we fall into the external service provider management portion of stuff.

[00:42:13] And that'll be extra important for us as we go through this process to share about, you know, those key roles and those responsibilities and how we can start to, like, build those templates to build those artifacts and evidence.

[00:42:24] And how we can start building those partnerships.

[00:42:26] As we already talked about, you know, shameless self-plugging continued.

[00:42:29] But we talked about how everyone needs to be working together.

[00:42:33] This is where we can kind of drill into that.

[00:42:34] So if you're an MSP and you're wondering, you know, on the fence about what to do, consider showing up to the conference and, you know, checking that out.

[00:42:42] Because there's a lot of brilliant, brilliant, brilliant people there with lots of great, you know, knowledge and experience.

[00:42:47] I could keep singing their praises all day, but we don't want to have the time too much.

[00:42:52] But also a good chance to, you know, bug us, ask us some questions, you know, have some chats and, you know, all work together because we're all, you know, fighting that fight, sharing the same goals.

[00:43:02] Well, and it's not just going to be, I mean, I'll be there, you'll be there, and Kaleigh will be there as well.

[00:43:08] So there's going to be three of us there, so it should be pretty fun.

[00:43:12] Yep.

[00:43:12] And with some of the most wonderful consultants that we've had the pleasure of working with directly.

[00:43:16] Yeah.

[00:43:17] And some of our, dare I even say, some of our competition in the MSP space who are also equally brilliant and wonderful as well.

[00:43:25] And that's what I love about these kind of things because even though we're going to be alongside some of our direct competition, the camaraderie and respect is all there.

[00:43:33] We're all fighting the same fight in the same direction.

[00:43:35] And at the end of the day, we know companies need help, and we're trying to find ways that we can deliver that.

[00:43:40] We just have different opinions on how we would accomplish that.

[00:43:42] But, you know, I think we'd all agree everything we just talked about in the podcast is super critical to do.

[00:43:48] Yes, absolutely.

[00:43:49] So again, thank you all so much for tuning in today.

[00:43:52] And as always, keep on climbing.

[00:43:55] See you, everyone.

[00:43:57] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.

[00:44:03] We hope you guys enjoyed today's episode and listen out for the next one.

[00:44:07] But until then, keep on climbing.

[00:44:10] Bye.