Navigating CMMC: Internal IT Challenges
Climbing Mount CMMC, March 27, 2025



In this episode, Kaleigh Floyd and Bobby Guerra discuss the challenges and considerations for internal IT staff tasked with achieving CMMC compliance. They explore the importance of knowledge, leadership buy-in, and organizational maturity in successfully navigating the CMMC process. The conversation emphasizes the need for collaboration between internal teams and managed service providers (MSPs) to effectively implement necessary controls and policies. Additionally, they highlight the risks associated with non-compliance and the importance of legal counsel in ensuring proper adherence to regulations.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello climbers and welcome to season three of Climbing Mount CMMC. Hello climbers and welcome back to another episode of Climbing Mount CMMC. I am back. I've been gone for two weeks. Well, I wasn't really gone. I was in the background producing this stuff, but Bobby was taking over. But now I am back to interviewing him. And I'm very excited to talk about something that I've honestly heard a lot of discussion when people are coming in.

[00:00:37] into our sales pipeline about these are there are some people that are coming in and asking like, hey, I'm the IT person that is tasked with creating or doing this whole environment for CMMC for our company. What do I do? And so this was a really exciting topic, in my opinion, because we're going to be tackling can an internal IT staff do CMMC and how can they prepare for it? You know, we obviously

[00:01:06] we're an MSP if you don't know. Axiom is an MSP or managed service provider. We help organizations get ready for CMMC and maintain it in their system. So, you know, if your IT staff does it, does that mean that they don't need us? I mean, I guess in some ways, yes, but we can't do everything. So we want to help everybody. We don't want to cover. I mean, that would be another podcast where you can work together on it. But yeah, that that that's an interesting conversation, I think would be a great one to have a conversation about later.

[00:01:36] Yeah. And the answer is yes, you can definitely have us and another internal organization do it because of the division of duties. There's a lot to make sure is being done. And in fact, we have like two or three clients that we're working through with that situation that you just described. But it would be interesting to talk about it, Kaleigh, because I think that would be a good thing to kind of see like, what would the day in the life look like if you had an MSP doing, you know, certain responsibilities and the others doing that? What would that look like?

[00:02:02] Right, exactly. Oh, I would love to hear about that, too. Yeah, that would be awesome. So you, Bobby, were the person that kind of came up with this idea. When you said it to me, I was like, boom, yes, let's do it. But what were some of the pain points that made you want to bring this up in the podcast that maybe you want to highlight first, you know, overview sort of thing before I zero in on some main points?

[00:02:22] Yeah, we talked about this, I guess maybe a month ago, and you put it on the list of things to talk about. And then I saw Jacob Hill had a post on LinkedIn that talked about it. Maybe we can put a link in there. And his conversation around it was really great because he opened up a little bit more about his experience of him as an internal person working his company that he works at through it, which was really interesting.

[00:02:43] The answer is that you absolutely can do that. You can absolutely move companies through it internally. That is that is an absolute doable thing. But there's just some unique challenges that if you're not engaged with an MSP that you have to be aware of.

[00:02:58] And I would say the first and foremost is knowledge. So there's really kind of two different ways that you can get that knowledge, right, Kaleigh, you can get a consultant and have them kind of come in and try to try to, you know, turn the keys over to you after they're done, or you can have done that. Yeah, yeah. And and mixed results. And we will talk about that. And then the other thing is just acquiring talent that has that knowledge, or you

[00:03:27] have them go through courses to get that knowledge and then try to move your company through it. And I think both of those Yeah, but both are equally challenging. But you can do both. You can do both. It's just, um, what do you think about timeframes? Like, so let's go with option, you know, the second one we're talking about where you would either hire someone or you bring in

[00:03:51] some type of training situation where you like that person goes to CCP stuff, maybe even they go to CCA, like, what's your thoughts about timeframe, Kaleigh? Yeah, well, you know, I'm going with, at this moment, I'm going to assume the person that is doing this training is like, like a, like a, like a regular technician or engineer that does the just regular help desk, IT managing stuff for a company. Okay, I'm going to base it off.

[00:04:20] Sometimes it's not those. Sometimes they use people that are operational, right? Well, and that's why that's a whole nother story. Because, because the way, so let me be honest about my perspective in sitting through a CCP, or I sat through your, some of your CCA course, even though I wasn't taking it. But sitting through some of that stuff, and then sit, and then you sitting through it, completely different mindset.

[00:04:49] Because I'm thinking of it operationally. I mean, you're also thinking of it operationally, but you're also an engineer, you know, or IT guy at heart. So you're thinking about the very, like, nitty gritty things. So there are people that come to me that are these, like, organizational, you know, like operational people that are in the company that are just tasked with CMMC that have no IT background. And they're just like, I know that you have to have something for security.

[00:05:17] I don't know what those things are, you know, but I know that you have to have it for these controls. And that's what they know, you know, and then like, that's still not enough, you know, it's really hard. You're really hitting on some really key things there is because there's like really three types of people that are going to be involved in it. You're going to be the person that's more GRC compliance documentation focused.

[00:05:43] And when they look at 3.1.1, they think, all right, how am I going to do this policy wise? How am I going to do this this way? How am I going to talk to the team and train them? Right. And then you're going to have the other person goes, OK, is that Entra? Is that Active Directory? Is it a GPO policy? They're going technical. Yeah, like a literal tool. Right. Yeah. What tool? How am I technically going to enforce this? You need to know. You need but you need both. Right. And then you've got that third person, which is the unicorn that knows both of them equally as well.

[00:06:12] Those are not a dime a dozen. You don't see those. Those are expensive. Extremely expensive to find and have and acquire. And, you know, so that's where what you find is people that are hiring, that are having those things internally. That's a larger corporation, a larger company that have a staff of people that they might have a person that's GRC based.

[00:06:37] And they might have a person that is more technical based that can kind of go down those two different paths. That's about the best way you can do it success wise. But what about the SMB, Kaleigh? You know, the people that are 50 person, does that are they doomed? Can they do that? Is it possible? You I mean, I mean, I do want to mention, though, you did ask about time frame. And I just want to clarify, that is completely increasing your time frame. Oh, yeah, for sure.

[00:07:03] Like to be able to sit through the CCP course to actually get, you know, certified, which I guess you could take away tier three background track. Right. You would have to. Because that's like eight months right there. Ignore that and pretend you're CCP for the time being and keep going with helping your organization. But that would take at least eight months in itself. So there you go.

[00:07:24] Well, let's dive into that for just a second, because I've known in my CCA class, there were several people that went through their CCP and then actually went through the CCA because of the background tier three and the other stuff. And they needed the knowledge for them to be able to work in their organization to do it. And they just forwent trying to get certified because they couldn't wait for the tier three background check. In case you're not sure about what that means, it's in 32 CFR.

[00:07:53] You have to get like a you basically have to go through the background check of as if you were going to get secret clearance. So the FBI look at you. There's this massive long form you fill out. They get your fingerprints and it takes about eight months to do. And so technically before you could be a CCP, you have to have that done. And so, you know, if you did that, then you'd be looking at almost a year before you actually got your CCP. So, you know, that's just not realistic if you're trying to get your knowledge just so you can help move the client.

[00:08:22] So that's why you see people just going through the courses because they want to get that knowledge to help their organization. They just can't take the time to follow the natural process of it. Yeah. Yeah. Yeah. So the knowledge is the first huge hurdle of like you can't just expect your IT staff internally that has just been doing your regular IT tickets to just know how to get you ready for CMMC.

[00:08:47] Especially if you are a government contractor that was not really adhering to any of these things, but it's just been saying, yeah, we put in a score and that's it. You know, then that means like you still need policies and procedures that align with this. Like you've got a lot of maturity to develop during that time. And it cannot just be the IT person, which let's dive into that a little bit more because you're very passionate about this.

[00:09:16] You are the CEO of our company. So obviously when you're pushing down CMMC, it was from leadership down. But that is so, so critical because the IT staff in your little closet is not going to be able to magically make all of these policies and procedures happen throughout the entire organization. Yeah. It doesn't do any good if your IT department, right? You got the person that's doing the GRC stuff.

[00:09:41] You got the person that's doing the actual implementation of your container or whatever the technology is because you're going to have your administrative controls and how they're going to be handled. And you're going to have your technical controls and how they're managed. And usually it's technology and policies working together in unison. And you have that. But now you need leadership's buy-in. You need leadership to say, hey, this is happening, everybody. Get in the boat and row. So – but that's not always the case, right, Kaleigh? And we've had to pass in working with potential clients because they've reached out to us.

[00:10:11] And after we've kind of learned and listened to their story, we're like your leadership is not really bought in. And if we get engaged with you, we're just going to get into some kind of third world battle that we'll never get out of. Yeah. It's like we've become orthodontists and all we do is pull teeth. Right. We're just constantly – No, thank you. Yeah. Please move forward. Yeah. And so I think it is really, really critical for the leadership to understand. And if you're one of those technical people, forward this to them.

[00:10:40] Like they absolutely have to stand up and support that IT department and their challenge, their massive challenge of changing the culture and making sure that everybody is held accountable to do what is required in order for this to be successful. Because they're going to interview you in the audit. They're going to ask questions. And all it takes is a rogue approach or person attitude that could really sink your ship in your audit.

[00:11:09] Obviously, they're not going to interview everybody. They're not omniscient. They don't know everything in your organization. Yeah, they're not coming in with a light. Right, yeah. Looking at all their employees. Right, kicking the door in. Like, I need to talk to all your people. Line them up. You know, like they're not going to do that. No. But they're going to be curious and they're going to start paying attention to this. Auditors have a superpower for sniffing that kind of stuff out. It's like really freaky. They'll find it in documentation.

[00:11:37] They'll find it in conversations with people and they'll start zeroing in on things. And they're really good at it. And it's sometimes annoying. Yeah. But they're not omniscient. Yeah. Yeah. No, that's a really good point.

[00:11:52] I can say, like, personally, coming from just a, you know, a staff member of an organization that became CMMC Level 2 certified, that even understanding what change control processes are and how to implement. I mean, like, that wasn't just something Bobby said he did and he does, you know, on his own. Like, I have to do it.

[00:12:21] Like, there are all of these people have to adhere to this. It wasn't just one. You know, it wasn't just one little environment, whatever. It's all of us doing it. And so that was really hard. You can't just go in and just download whatever you want. I have to be like, well, this isn't an approved, you know, software that we have on our list. So now I have to go in. I have to fill out this form. I have to send it to Adam. And I say, Adam, please allow this.

[00:12:51] It's just for something to draw. Right. It's simple. It's simple. I'm begging you. Yeah. And I'm like, I'm just doing marketing drawings. You know, it's something from my little web pad that I have. But it's like, that's part of the process now. That's how it works. That's why it's not just like an easy little form that you fill out of CMMC. It changes the way that your organization is run. So, yeah. And let's, we didn't talk about this specifically even in our green room conversation.

[00:13:19] But I think it's really important to point out is that if you don't have leadership buy-in, let's say that you found that unicorn or that really good GRC person. Do you think they're going to stay if leadership's not going to provide that buy-in? Right. Right? Yeah. No, they're going to hit, they're going to exit. I can't tell you how many. They can't fully do their job. They can't. And it's super frustrating. And they want to be involved in the environment. They want to be part of a company that's getting this done. And it's not all about the company.

[00:13:45] These other people that are involved want to see, they want to see this baby be born. Right? They want to see this thing get done. And it fulfills their desire of completion of like, we have this completed. We got this done. And it's a feather in their career cap. Everybody wins when you're going to do that. But if you're at this company and it is floundering and they're not getting it done, I can't tell you how many resumes I receive where people are like, the company I'm at, they don't have a clue about CMMC. It is so frustrating.

[00:14:15] You guys really understand it. It would be great for us to work in an organization that gets that. So if you're an organization and you don't get that, you're going to bleed talent pretty bad. And so you've got to really protect your borders from your staff by making sure that your leadership is buying into this so that they can help shore them up so that all the work and effort that they've done is going to actually come to a real delivery of the process of them getting certified. And that's a huge deal. Yeah, that's huge.

[00:14:45] Yeah, I want to mention something else that we talked about before this is organizational maturity and how that is a critical part of this process. And I think that goes with the leadership buy-in as well because that helps form its organizational maturity. Do you want to speak into what you've learned about it and what you mean by that?

[00:15:11] It is – CMMC is probably the most greased pig that you can find to try to catch because it will just slip out of your grips. It will run over to a corner that you're not expecting and they'll hide under different things. And it's just like it is so hard to nail down because there's so many nooks and crannies and ways that you have to think about and implement it.

[00:15:33] And it requires operational maturity as an organization to see those to completion, to have someone who is – like the organization realizes how difficult this is to implement and they put the right amount of eyes and responsibility and enforcement on making sure that this happens to completion. It is not a just lob this over the fence and we hope that we hit the target. If you're doing it right. Yeah. If you're doing it the way that it's meant to be done. Right.

[00:16:00] It's the – like you need some type of EOS, entrepreneurial operating system or some really well-defined ISO process of project management process for you to be able to see this through to completion. A lot of people don't think about that. They'll get the GRC person. They might get the admin person. The IT person is really happy. The GRC person is super happy and the leadership is yeah, yeah, yeah.

[00:16:26] But everybody is sort of doing their own thing but you don't have the maturity and the process movement of moving it through to completion. You're not having the right cadence of meetings. You're not having accountable type of environment and you're not moving those things. What will happen is it just won't get done. You will do a lot of stuff. You'll move the chairs around on the boat but you're not changing the direction of the ship. And so you're doing a lot of activities. You're doing a lot of stuff but you're still sort of going the wrong way.

[00:16:55] And so that maturity of an organization. So how can you do that? So you need to have someone who is kind of like the czar, if you will, inside your organization that is moving it forward put dates on activities. I cannot explain how important that is. You meet together on a regular occurrence. Here's these activities. Map it out to the finish line. Okay? Because what I find a lot of times people do is they're like, yeah, yeah, yeah.

[00:17:23] We should be able to get it done by our audit by October. Right? And you're like, sure. And then as you start getting there, you're like, oh my gosh, we've got too much to do. Well, the reason why that happened is you didn't start putting timeframes on everything. Right? So you're like, okay, we're going to talk about these policies. We're going to do this. That's probably going to be a month. And this. And then we've got to absolutely this. Then we've got to build this container. I've got to have these licenses. And as you start putting dates and timeframes, all of a sudden you're like, oh crap, I'm into next year. Okay, well, what do I got to do? Oh my.

[00:17:52] I don't have enough people to do this. Then you start seeing like these huge gaps that you didn't realize you had of resources, knowledge, time, funds. So that's why organizations just don't have that maturity about how to go through and follow that and start putting those types of things. And they just start moving forward thinking that that's going to get them where they need to go. And that you'll get there potentially eventually, but that doesn't mean it's going to be efficient

[00:18:21] and the timeframe you need to get it done. And it could leave you kind of like with buyer's remorse and the choices that you've made. And, you know, sitting there kind of just looking at the cloud screaming and nobody likes that. That is so true. And I love how that kind of like building that whole timeline and setting dates for things also goes with leadership buy-in because leadership needs to be having those conversations with the people that are implementing this so that they fully are aware of when they can

[00:18:49] properly bid on contracts and when they can't. And also, I'm just going to say this. I know this might be, you know, frustrating for some people, but if you waited and you're starting now and you're going to miss a contract, it is not on your IT staff when you didn't tell them to start it until just last month. Like I'm, we're, we're telling you right now, we have implemented this and it cannot just

[00:19:18] take three months unless you go with some sort of in a box solution with a whole other subject. Well, but let's think about that for just a second. And I think this is super dishonest and you could potentially do this, but you could get a certification, right? You could get a level two certification of an environment that you don't use, don't have any intention of using and will never use, but you'll get your level two so that you can then get your bids. But the way that you operate is not that way.

[00:19:46] That is such fraught with peril. It is the grounds for a DOJ conversation that is not going to go the right way. And so if you get caught on that, it is not going to go well with you. So you really need to think about whatever you're going to implement. It needs to be the way that you actually operate, not let's just get this cert, get across the finish line and do whatever is required in order for us to pass.

[00:20:11] Because part of the C-level, listen to me, if you're a C-level person, risk is real, right? That is a big deal with what you're trying to do. You're trying to mitigate risk in your organization so you can be profitable. If you take on these kinds of contracts and you sign on the dotted line and you're saying you're doing these things, you're accepting the required risk that goes along with the fact that you have to be doing these things. And if you aren't, you have just now heaped hot coals possibly in your lap and it may or

[00:20:40] may not burn you based on how the winds blow. And so you just need to really pay attention to what you're doing here and how you're doing it because it can come back to bite you. And you're kidding yourself if you don't think the DOJ is just itching to make an example of someone that has not been doing this because they've been waiting on the sidelines to some extent about for CMMC as it's coming through to make sure that people are doing this the

[00:21:05] right way because it has seriously frustrated the Department of Defense for all the years of this data that they've been giving organizations that have been leaking out like a sieve and they want it stopped and they're not joking around. So I do not be that person that they get made an example of. That will not be a good day for you. No, it will not. It's so true. Yeah. So are there any other things that you can think of that are challenges that you felt

[00:21:31] like maybe were unexpected that you want to share with people that are trying to do this internally? Yeah. You did it internally. I would say keep your ear to the ground. I think would be the last piece is you need to have a resource, somebody that is in the know, right? That is keeping their ear to the ground about what's happening in the Cyber AB and those types of things. Do they have to go to the 15 CMMC conferences? They do not. May and April.

[00:22:00] No, but I think you can listen in to some good podcasts. Jacob Hill's great. Jacob Horn's awesome. Mira's got some great, great content. Thanks for listening to us. Yeah. We got some okay stuff, I feel like. You know, like listening to different people like that. And you can do that on a walk and you can start to have a good pulse about what's going on in the industry of what's happening. The Cyber AB town hall meetings are great. They're free. You can go ahead and register and sign up.

[00:22:28] They talk about a lot of very technical things. So maybe if you're not as technical, you might be like, I'm not sure if I want to sit on that. But having at least somebody in your organization that is listening to these types of things, you know, I'm sure they've got a job to do and they want to make sure they get it done. But it is really important for you to hear what's going on so that you're not going to get blindsided by something. Right. Exactly.

[00:22:58] So you don't have to make some of the same mistakes maybe and learn from that. So, yeah, I totally agree. And I think also have a good attorney on staff. Like, don't cut corners in that. You know, if you're exporting stuff, you're doing things, get an export control attorney. Get somebody that is legal counsel that knows what they're doing about this type of stuff. And it's really important because have them look at those types of things to make sure that your ignorance is not bliss in this area. So do not do that. You know, I've learned that many people believe that that is the case in the sense of like,

[00:23:28] oh, well, you know, like if they're like a subcontractor, they're like, well, my prime hasn't mentioned it to me. So I'm just not right. It doesn't happen. I'm like, well, they're going to mention it. They're going to mention it to you. They're actually not going to mention it. They're going to tell. Yeah. Not going to be pretty. So, yeah, I totally agree. I think that's great. Well, guys, I really hope that this was just even tiny little nuggets of what we have learned and what we've come across.

[00:23:57] And just will encourage you that we do. I mean, we said this at the beginning, but we do believe that you can do it. There is just there, you know, you don't want to do it wrong or have your IT staff doing something that's almost impossible because you don't have leadership buy in the right amount of money allocated, the knowledge given to them to where they can properly do what they need to do to accomplish CMMC for your organization. So we hope you guys enjoyed this episode. Make sure to tune in next Thursday for another one.

[00:24:27] But until then, guys, keep on climbing. See ya. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.