In today's episode, Bobby is joined by Amira Armond, President of Kieri Solutions. They discuss scoping in the CMMC landscape and the things that can help or hinder your journey. Amira breaks down the difference between in scope and out of scope, whether your work email can be on a personal device, and more. We hope you enjoy today's episode!
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] Welcome back, climbers. I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. In today's episode, Bobby is joined by Amira Armond from Kieri Solutions. Today they are going to be talking about scoping. This is a very important part of the
[00:00:21] CMMC journey, and we're so excited for you to join us in today's podcast. Amira, thank you so much for joining us today. We're going to be talking about a topic that
[00:00:33] is majorly critical. Not a lot of people talk about it as much as I feel like they should, and I think there is some ambiguity, misunderstanding and a lot of other things that revolve around scoping, but it's such a huge deal, especially for your adoption,
[00:00:48] cost savings to CMMC, those kinds of things, as well as it can totally tank your assessment if you don't do it right. So thank you so much, Amira, for joining us today. Can you enlighten us with your perspective about scoping?
[00:01:02] Thank you for having me. So scoping is fun, right? There are opportunities with scoping to dramatically change your assessment, dramatically change your odds of passing or failing, as well as the cost. It's definitely worth being creative, not bad creative, but
[00:01:33] taking some time thinking about all the angles of how you're going to do scoping, because your competitors are going to do that too. Other defense contractors are working on that. That's going to affect your price.
[00:01:49] They're working with cybersecurity experts to do this and figure out what network needs to be secure and what networks don't, and that lowers their cost. And now we're, again, same story as always: we're bidding against other competitors,
[00:02:14] and you need to have the cheapest bid to win. Even if everybody now has to have super-duper security, it's again going to be cheapest cost wins. So with scoping there are some cool carve-outs that the DoD is giving us for CMMC scoping, which is
[00:02:38] this concept of a Contractor Risk Managed Asset and Specialized Assets, where we don't have to do all the security for those things, because either, one, the DoD has decided it's not very important,
[00:02:56] or, on the other side, it's just really hard to do security, and they recognize it, and they're not going to cause people to fail because whatever it is literally cannot be secured.
[00:03:13] Yeah, scoping is such a critical part. At what point do you feel like people should start thinking about that? Because it seems like a lot of people will get into the documentation,
[00:03:26] they'll start writing their approach to things. Can you maybe help me understand at what point you feel is the right time to start looking at scoping, and what are some factors that you can take into consideration about that? As early as possible.
[00:03:46] So the scoping conversation should come in right after you understand what contracts you have and what controlled unclassified information you have, and then the next conversation should be
[00:04:00] how should we be scoping this thing. Now, it could be that you don't have network diagrams yet, or you don't even understand your own networks, and of course, obviously, we need to understand what we're
[00:04:12] dealing with today, but the ideal way that you progress on your CMMC journey, to get ready, is not that you start running as fast as you can in a certain direction
[00:04:27] and then, after you've gone a couple of miles, look around and go, wait, this is the wrong direction, right? I'm laughing with you because I did that several times. It's frustrating when that happens.
[00:04:42] It really is worth it to start and try and get in your brain, in one big brain, get all of this understood and start game-planning: what happens if this happens, what happens if this
[00:04:59] plan happens? Right now we don't have to deal with ITAR data, but in the next six months to a year we plan on bidding on a contract that has to do with ITAR. Well, that's going to make a difference
[00:05:14] to how we want to do scoping. Right now the only CUI we see, or the only CUI we have to deal with, is a print on a PDF file, which we could potentially just get a literal printout of
[00:05:33] and keep it safe at the end of the day. But in the future, maybe we need to be able to export it to a CAD system to create actual detailed specs, or maybe it's
[00:05:49] going to save us millions of dollars if we can do that. You really need to take that time, and this is absolutely the situation where you want to pull in somebody with
[00:06:04] assessment experience, somebody who's really, really good at scoping, who can talk you through the pros and cons. So, for example, my company, Kieri Solutions, we've done at this point four Joint Surveillance Voluntary Assessments. We're very excited about that. Those are assessments that,
[00:06:28] according to the DoD, will turn into CMMC certifications as soon as CMMC comes out. And as part of these assessments, very early on we have a conversation about scoping to make sure that they're not violating boundaries. So when we get into an assessment scoping conversation,
[00:06:52] it's actually more about understanding the boundaries you're using to keep the CUI where it's supposed to be, as opposed to what I've been talking about, which is you as an organization
[00:07:07] trying to figure out what systems should have CUI on them or how we should secure them. It's actually a different conversation, even though they're both called scoping. But I can give you a couple of lessons learned from the assessment side of scoping.
[00:07:28] Yeah, that would be great, because when I went to do it for us, as we were going down our journey to get ready, I was super nervous about doing scoping, and I think rightfully so if
[00:07:39] it's your first time really going out and doing it. And so we talked with you guys, we talked with various other people, just to try to get various opinions on our approach. MSPs and how
[00:07:49] they do scoping is definitely something that was not on the forefront of the DoD when they were doing a lot of the stuff that they published, so it was really challenging for us to
[00:08:00] try to make sure that we were staying in the right approach, so that as we got certified we would pass, but not only that, we would appropriately be set up to be successful for our clients, which is a
[00:08:13] huge deal. So those lessons I'm really curious about, so hit me with it. Okay, so let me strike terror into your heart as an MSP. Okay, so this wasn't one of the joint surveillance
[00:08:29] clients that we accepted; this was one that we actually couldn't take, because they had scoping issues. But a defense contractor came to us and said, we want to be assessed,
[00:08:42] we want to go forward, we're perfect, we're ready. And I said, great, tell me about your external service providers. Do you have an MSP? See, Bobby's face just went, oh no. So
[00:08:59] they said, yeah, we have an MSP. I said, okay, does the MSP manage your servers? So they had on-premises servers, they had their own network, and it was not very cloud-based. It was
[00:09:15] actually like an old-school network with servers and stuff in a server room. How does your MSP interact? And they said, oh well, the MSP has a VPN connection to our network, and when they want
[00:09:35] to patch our servers, they VPN in from their laptop, the MSP laptop, into the network, where they can then pivot to any device in the network. They can ping any device, and they will then
[00:09:50] do a remote desktop connection to the server to patch it. They'll remote desktop into the domain controller to do stuff. They can connect to the firewall from the inside. And I said, whoa, okay, this could be a problem, right? Fraught with peril,
[00:10:13] because essentially what we're doing is we're taking a laptop, or a computer, that we have no idea of the security on. It could have viruses. It's not managed by this company; it's managed by their MSP. And we're introducing that laptop on the inside,
[00:10:36] where anything could pivot outwards from it. If it's being controlled by a bad guy, as soon as they make that connection, it can just go, connections to everything. It's inside the boundary.
[00:10:52] But that's not, like, okay, I'm just thinking that. This is just a risk. I'm an assessor, I think about this stuff. I go, can you tell me about the security of your managed services provider's
[00:11:04] network? What are they doing for that laptop to secure it? And the client says, I've got no idea. And I go, okay, do you have a shared responsibility matrix? Do you have a system security plan for
[00:11:25] the MSP's network? Have they provided you any documentation about how they're doing security on their network? And they go, no, not at all. So I actually went to the DoD,
[00:11:43] not to... I didn't name names. I just said, look, I've got this situation. Normally, if the MSP wasn't putting their laptop into the network, we'd be able to assess it by itself. We'd be able to assess that defense contractor's network and ignore the MSP's security.
[00:12:06] But because they're putting the laptop in, what do I do? Do I have to assess the MSP's network? And the DoD CIO said, yeah, you can't just assess the defense contractor standalone;
[00:12:25] you have to know what the security is of that MSP. So they did not get an assessment, right? I had to turn them down. I had to say, this is not great, come back when you know what's going on with your
[00:12:37] MSP. And honestly, that would have been two different assessments, because the MSP's network is completely separate. It's got their own patching, directory, vulnerability scanning, policies, procedures compared to the client's. So it would have been two separate assessments
[00:12:59] to do that. And that's probably the exact scenario where we get the DoD saying, if you use an external service provider, they have to be CMMC Level 2. It's that sort of scenario that they're worried about.
[00:13:19] Now, if the OSC that came to you had given that MSP their laptop, that they had full control over, and said, hey, use this whenever you need
[00:13:33] to get into our stuff, because then we know what it is, and sign this agreement that says these are the only people that are allowed to access it, and give us some additional information
[00:13:42] that we want to know, background check, about who you are and who's going to be touching those systems, and wrap that around some risk assessment processes, they would have been
[00:13:50] golden. They would have been golden, absolutely. Right, that is the way you keep external service providers out of scope, especially the MSP-type folks or the security consultant folks: you just say, hey, use my computer, use my policies, procedures,
[00:14:17] onboarding process. We're going to treat you just like an employee. You're a privileged employee, but we're going to manage you using our set of policies and procedures, and that keeps the scope of the assessment inside your company. I've got no problem
[00:14:37] assessing a company that has their main IT person work for a different company. No problem, as long as that person has been screened, has gone through training, has had their
[00:14:51] rights reviewed, as long as they're doing all the CMMC stuff. I don't care who pays them. It's really about whether we're mixing in risk levels. Now, I would say, as a,
[00:15:10] putting my MSP hat on here, that helps MSPs get in the door to support an individual, but that doesn't scale very well. If you have 20 clients, you're going to have
[00:15:22] 20 different laptops. Where are you going to store that? Like, how do you even do that? So there's obviously some challenge there, but CMMC is in its infancy, and that's
[00:15:34] definitely a valid approach to try to get your foot in the door and support clients, but that's not going to scale very well. So there are alternative ways of doing that.
[00:15:44] We may, if we have time, get into some of those possible scoping scenarios. Do you think that's a possible thing that we could talk about? I'm here. Yeah,
[00:15:53] so that would be kind of cool. I don't know, but I really do want to hear more of the scenarios, like the real-life practical ones, because I think those are so great. So
[00:16:01] keep going. I just wanted to interject that one point. Okay, so there's a hot-button list of scoping topics that we ask about during our assessment scoping call, where hopefully everything has already been figured out. We've reached this point,
[00:16:23] we're a month away from actually doing the assessment. Hopefully the company is ready to go, but we've got to check. So, do you have CUI in email?
[00:16:37] That's a big one. If you do, how are you keeping that CUI from going onto other devices? So, CUI in email: you can pass with CUI in email, but it's really hard, because
[00:16:59] inherently email is an unencrypted medium. By default, when you send an email, it negotiates down to the lowest level of security if needed, and it will send it out unencrypted. And a lot of people are probably listening, you know, if you're an IT person, you're
[00:17:22] probably listening to this and you're going, no, no, no, no, no, Exchange servers can set up a TLS connection between the two of them, and they can do server-to-server transport.
[00:17:33] Yeah, I get it, okay, but I'm going to take the help desk calls when all that stuff starts not working well when they're trying to receive certain emails, which does not sound exciting. That's the thing, right? So, yes, modern-day email servers will attempt to negotiate
[00:17:52] to a high level of security, but if the other side doesn't do it, they will negotiate down to no security, unless you have changed the setting to say, don't negotiate down.
[00:18:07] Now, how do you know that you have set that setting? When your users are going, my emails are bouncing, I can't send emails, life is sucking, and you're dealing
[00:18:22] with a bunch of churn from people who can't get their emails out. If you're not dealing with that situation, if you're not dealing with angry users who can't send emails, then you have not put that setting there, and your email servers absolutely will negotiate down
[00:18:42] to sending stuff unencrypted. So that's one concern. That's assuming that your email servers are fully secured themselves, or they're on a FedRAMP cloud, which
[00:19:03] a lot of them are. But the next concern after that point, after the transport concern, is how are we keeping end user devices that should not have access to CUI...
[00:19:20] Let me just make one suggestion, though, and this is not necessarily a perfect one, okay. If you had a separate, you know, enclaved mail server that you then forced it down to, you
[00:19:31] had a separate email address that was specifically for only CUI, that is outside of the normal operation that you do, would that make you feel more comfortable as an assessor when they
[00:19:40] outline that and show their understanding that they're going about it that way? Now, that's not perfect from a business process standpoint, having two emails doesn't sound exciting, but it does provide you some modicum of a way of separating that. Right, so if you have,
[00:20:01] say, a commercial network that's not CMMC Level 2, and then you've got a secured network, you absolutely would have that situation of having different email addresses, and that's great. A lot of the issues where the government sends CUI and they don't encrypt it, so now they're
[00:20:24] putting CUI in people's email even if you don't want it, a lot of those issues can be solved by telling the government, hey, this email address doesn't work, send it to this secure one.
[00:20:37] And this is the number one complaint from defense contractors. They say, I can do all the security I want, the government still sends me unencrypted stuff through my email,
[00:20:51] and they just won't stop. I've heard of people actually, to the point where they will turn off an email address that's being abused, and they will turn on a secure email
[00:21:07] address and say, you've got to do it this way. Of course, that messes up one of your users, but if it's horrible, that's one of the nuclear options you can take.
[00:21:20] Well, it goes back to business processes. I mean, sometimes in certain situations you're picking the lesser of the two options that you want to go with, but
[00:21:30] you have to understand the pros and cons when you're doing that, and that can be really difficult in scoping when you're trying to make those decisions. But going back to the user end
[00:21:43] points and email: if you do have CUI in your email, we all know that users like to get email. They like to check their email on the weekends, they like to check their email at home.
[00:22:00] I hire employees, and the same day that I hire them they figure out how to get to my email from their cell phone. This is how people are. It's an expected part of business nowadays.
[00:22:15] And if you have CUI in email, if it's unencrypted, you have to have some block in place to make sure that only devices that should have CUI can get to your email,
[00:22:33] and that's hard. And in a lot of cases you actually don't want to do that, because it is so nice to have email on the cell phones, email on the BYOD, so people can do their calendar
[00:22:46] or respond to messages. Now, the most common solution for that is using S/MIME encryption for CUI messages. So if you need to send CUI across email, you get a digital
[00:23:08] certificate, you encrypt that message, and that message is encrypted through transport, it's encrypted in storage, and the end user devices generally cannot access that message because they don't have the certificate to decrypt it. Now, if you're a super smart IT person,
[00:23:36] you can figure out how to get a certificate onto your cell phone to decrypt the message, but you don't want to do that. You want to tell people, don't do that, and don't tell users that that's an option. And I've seen plenty of companies get through scoping
[00:23:55] for CMMC where they have CUI in email, but they use the S/MIME encryption 100% and they don't give those BYOD devices the ability to decrypt it, and so you can have the best of both worlds,
[00:24:12] except, yeah, if you do have an actual CUI email, you have to go to work to read it, which is probably what we should be doing anyway. Yeah, it's just amazing how
[00:24:28] it seems like a simple thing, a thread you go to pull, and just more starts coming out the deeper you go, and you just don't really realize how deep that iceberg really is until
[00:24:37] you smash into it, and you're like, well, that sucks. And so I thank you for sharing some of those scenarios, because I think that hopefully the people that are listening to
[00:24:49] this can start opening their eyes to some of those possibilities, because you definitely don't want to find that out the hard way. So, do you have some other ones that
[00:24:58] you want to go through, or did you want to switch over to some of those other scenarios we discussed earlier? Let me talk a little bit about printing.
[00:25:08] So I'm probably going through the top three or top five list of things that get people in trouble during that assessment scoping call. Do you print?
[00:25:22] Do you print CUI? So, printing of CUI: the technology is unencrypted. Unless you have spent a lot of money on a very, very, very expensive printer, if you're printing CUI, that print job is going across the network unencrypted,
[00:25:49] and that's a problem from a scoping perspective, because it honestly breaks scoping in a lot of ways, because almost all of our CUI transfers, our data flows under normal
[00:26:04] situations, are encrypted. It's encrypted up to the cloud, it's encrypted back down from the cloud, it's encrypted to the email server because we're using 443 or the application security, it's encrypted to the file server because again we're using HTTPS or another
[00:26:25] encryption method. But then you want to print, and now we're throwing CUI across the network. If your printing is done inside of a secure facility, not that big a deal, because
[00:26:43] that network cord where the traffic is passing unencrypted is inside of a secure facility, where we're figuring that that's where the security is from. We don't need to encrypt everything; we need to make sure it's protected. Protected can mean either encrypted or somebody
[00:27:04] standing there with a bat ready to take out a bad guy. But if you have remote users, if you have people that leave the secure facility, this is where the printing
[00:27:21] question becomes a real big deal, okay, because if they go home and then they print CUI in their home network, we have now put into scope the entire home network,
[00:27:36] which is not good. Very, very strong probability the home network is not secured up to CMMC Level 2. Yeah, I would say so, the kids wandering around with a tablet,
[00:27:53] during a meeting you go, like, yeah. So what I have seen work in assessments is they just prohibit printing CUI unless it's to a specific printer inside a secure facility.
[00:28:17] Don't print CUI to a home printer. I have also seen that people are allowed to print non-CUI. So as long as we don't throw CUI unencrypted across the network, we don't really
[00:28:36] care if you're printing out financials or an email or something. It's not a big deal. I've also seen that with secure enclaves, if you need to print, and they've got printing
[00:28:52] just turned off entirely, if it's not CUI you can email it to a different network. Email it to yourself on the commercial side: print this for me. And that's again
[00:29:05] not a big deal. We're only trying to protect CUI. But I think what's kind of important there is, I think some people, especially in ignorance, go into CMMC and they're like, can't we just get
[00:29:16] compliant but we still operate the same way that we have operated? It's your job to figure it out. You're like, no. If you're going to adopt and take on CMMC, your business practices are going
[00:29:28] to change to some extent. There just really isn't a reasonable way for that to happen, because if you're trying to do stuff like you're saying, oh, I need to print this file, that's
[00:29:40] accounting, well, maybe you have to email it to a different place to do it because of the scoping and the way that you've done it. Those kinds of changes are highly likely to happen when
[00:29:50] you embrace CMMC, so you have to kind of just expect that and embrace it. Yeah, there just isn't an easy button for CMMC, I mean, where everything that you have always done always
[00:30:02] works the way you want and it's perfectly secure and you pass. At least I haven't seen that, I don't know, have you? So if somebody's been working in highly secure government facilities, then they're like, oh, this is normal. Right, right, that doesn't make sense.
[00:30:21] Oh, I have to go through a 15-step onboarding process? Okay, whatever. I have to justify every permission I need? Okay, fine. They're lurking over me when I want to
[00:30:34] connect to my email? Yeah, that's normal, that makes sense. But yeah, most of us are not... we didn't come from government. I actually, that experience, that user experience of
[00:30:50] working in government, I actually find it really valuable for an IT department that has to be CMMC Level 2, because they're just like, oh yeah, this is just the normal. We have to do all this
[00:31:05] paperwork, we have to do change approval meetings. But yeah, most contractors, especially, you know, if this is like, what is this CMMC thing, if that was a big surprise a couple of
[00:31:18] years ago, I guess the word is technology debt. You just haven't been at that level, so it's a big deal to get up to it. Now, we chose to take the path of just block all printing,
[00:31:37] but we did go with a situation where our CUI is enclaved and we have our normal outside operational methodology, so just disabling printing wasn't a big deal for us, because
[00:31:51] we didn't really want anything printed that might happen to be in there in the first place. And so that was okay operationally for us. But let's say that that's not the case and they do
[00:32:02] want to print from home, and they want to be able to do that, and they want to pass. I'm really curious about your perspective on how you have seen that and what are some ways that people
[00:32:13] could do that. So having CUI in paper form at a home is generally a really bad idea. Let's try and avoid that. There are a few cases where you have to do it, but think
[00:32:34] about people carrying around briefcases that are locked to the wrist. That's the sort of attitude that you should have if you're taking CUI outside of a secure
[00:32:46] perimeter. That's the attitude that the DoD wants us to have. And keep in mind that CUI can range in true sensitivity from, yeah, it's a
[00:33:04] couple of people's personal information, their names, addresses, date of birth, who cares, it could be plans for an ice maker, it could be a
[00:33:17] tire diagram for a Humvee, all the way to here's a plan for how to build a nuclear missile. Some of the sensitive CUI is really sensitive, and the reason why, okay, and this
[00:33:36] is Amira's take on it, but the reason why they can't classify it is not because they don't want to. There's a lot of CUI out there that probably should be classified,
[00:33:49] but they can't get people to make it if it's classified. I mean, the manufacturing factories can't handle classified stuff, so they have to leave it unclassified to get it made. I never
[00:34:07] thought of that. Wow, that's an interesting take, and that does make sense, because I've heard similar stories and I'm like, it didn't really make sense, but that does make a lot more sense now.
[00:34:16] I think that's the reason. I might be wrong, there might be some expert out there that knows better, but that's what makes sense to me, and that's why we've got manufacturers out there with
[00:34:29] the full plans for the F-35. It's not because the DoD thinks this is not important, or that it doesn't pose a risk to the United States to have the full plans out there.
[00:34:44] It's because they need it made. Somebody has to make it. So, you mentioned printing. You've disabled printing. I do the same thing in my network. My company is a tech company.
[00:35:02] We're working on Word and Excel documents and web pages all day. We don't need to print, we really don't. It's a nice-to-have for us, so I just prohibit printing
[00:35:18] from our network. However, I do say you can forward an email if it's non-sensitive; you can forward an email and print it. I trust you, user, use good judgment. It's fine,
[00:35:35] and of course we've got data loss prevention, which helps, so it'll catch anything sent out through email. But there are cases where a manufacturer especially really, really, really does need to print.
[00:35:49] They've got a gigantic plotter that they need to print out and then post it on the wall in their shop, and I think that's a perfectly reasonable reason to be able to print.
[00:36:02] Just control it to say, here are the reasons why: use a shop printer, don't send it to the print shop down the street. Which, by the way, that's been a big deal,
[00:36:19] that's been a big problem, where in the past, if you wanted that F/A-18 diagram, you'd send it to a print shop. Oh, that's crazy. Do you know the level of security over there?
[00:36:35] There is no security. There's no password, let alone MFA or anything else. Which is why the DoD is on our back about this, because they're starting
[00:36:48] to realize just how bad it's been. For the home network, though, it presents such a challenge, because if you were doing IP printing, you're absolutely wire-transferring that right across
[00:37:02] there, but if you were using a printer that was, you know, LPT directly to it, or plugged directly into it, there's some possible grace given there. But still, how could
[00:37:21] you slice that bread to pass an assessment while having printed controlled unclassified information in your home? Just pretend that you were able to do it correctly. How could you manage just the
[00:37:34] paper itself? For the assessors, it comes back to the exact assessment objectives, which talk about protecting CUI in storage, protecting CUI in your facility, and there are ways to do
[00:37:58] it. It's really about designing a program. We call it administrative controls, where we're going to tell you what to do, and you need to do those things. But it's not going
[00:38:11] to be a technical thing. So if somebody does need to have printed CUI or written CUI outside the facility, do we have training that says you need to put a cover sheet on it? Do we have
[00:38:27] training that says you need to lock it in a locked room when you're not right there accessing it? Do you have a check-in and check-out process? A lot of companies
[00:38:44] actually will tag their CUI printouts with a unique ID, and they'll have a check-in and check-out process for that. Now, as assessors, we're probably not going to get that deep
[00:38:57] into it, unless you say that's how we do it; then we'll be like, cool, show us. But generally that's a little bit more than what the minimum is. It's awesome if you do it,
[00:39:10] but we're not going to go that deep. We're going to be basically saying, how do you make sure somebody doesn't walk into your house and just snag it, or that your kids don't take it to show and
[00:39:22] tell? I can draw on the back of it pictures of mom and dad, and then on the other side is the F-22. Yeah, when I was a little kid I grabbed some stuff from my dad. He had
[00:39:41] a coin collection, and I thought one of his coins would be cool to take to show and tell, which was a school and parent incident of major proportions. So kids do this
[00:39:55] stuff. Yeah, that's a good point. And it can sound super paranoid, but the little manufacturers out there, you do have to worry about being surveilled. You do have to worry
[00:40:14] about nation-state stuff looking at you. You're not too small; it just means you're an easier target. Yeah, especially the leaders of the organizations, because you've got to get out there socially. I mean,
[00:40:29] I'm here, same for you. You're out on social, they know who you are, so they're coming after you, they're coming after me. I have employees, the moment they start and they mark their names
[00:40:40] as being employed with me, boom, LinkedIn, immediately they start getting texts. That's part of our training process that we go through to teach them. But they're coming after your
[00:40:49] people as well as you, especially if you're LinkedIn-connected or other types of social stuff. They know you and they're coming after you for sure. And this is an MSP-oriented show.
[00:41:01] MSPs are a pivot point, for sure, and they know that. They know that if they can break into an MSP they can get access to a hundred other companies from there. And I think this is part of the reason
[00:41:14] why I so appreciate, and I'm probably going to take some flak for this, but I was really glad to see that the DoD said, you know what, MSPs, you're going to have to get Level 2,
[00:41:26] you're going to have to meet parity with who you're doing this for, because I've seen so many MSPs that have not really done a great job, because traditionally MSPs, we struggle with trying to
[00:41:38] follow our own practices um and to to require that msp to be audited to validate that they're doing the practices they should be doing before they can enter into the dib and support them i think raises the
[00:41:52] bars where it should be um and is a really good call for them i just wish it would have been sooner so that we would have more time to get more of us you know through the network because
[00:42:03] you know with the proposed rule if it if it keeps how it is we're gonna have to be level two before they can start to do their their song and dance so whoever they pick because their msp needs to
[00:42:13] already be level two where they can't start their assessment so um but i really i thought that was a good call i understand it um i wish it was based off of access
[00:42:31] and that's a comment i made on the rule which is instead of doing it by this concept of security data where anybody who's got a log or a network diagram needs to be level two
[00:42:46] um do it based on access right the audits assembly is going to hack you because they got access to your logs it's a stretch guys it's a stretch it's really a stretch okay but if they have privileged rights to the inside of your network that's not a stretch
[00:43:10] that's a if you compromise them the other stuff is compromised right it's not even an extra step it's just it's just automatically compromised well if they took that approach then msp's could probably use some other vendors because more vendors would probably be willing to step into the space
[00:43:26] if their requirements that they had to fill sort of matched some of that conceptual idea of what their engagement is that's a whole other fan doors fox uh you know tangled not uh to to do um
[00:43:43] um so amira is there any other ones or did you want to go ahead and break out with you paint you want to see the paint i'm looking forward to it there's other ones maybe we can have another
[00:43:56] another session appreciate i appreciate the opportunity body well for all of you uh that have joined us we thank you so much just go ahead and make sure to continue to connect
[00:44:07] with us and let others know about some of the great content we've been sharing out here i mean there's just so much uh on this journey and so we thank you for joining us on it and as always
[00:44:19] keep on climbing make sure to follow us on linkedin and youtube to stay up to date on the latest cmmc news we hope you guys enjoyed today's episode and listen out for the next one but until then keep on climbing