Questions to Ask When Hiring A CMMC Consultant
Climbing Mount CMMC, Episode 21, April 11, 2024 (00:21:27)

(Season One Episode 21) Are you considering hiring a consultant or MSP to help you along your CMMC journey? There are things you should know and questions you should ask BEFORE starting your climb. Bobby Guerra and Joe Scholefield talk about the questions businesses should ask themselves and their potential consultants that will make the journey a bit easier. We hope that you enjoy our last guest podcast of Season One! 

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back, climbers. I'm your co-host Kaleigh Floyd, and this is another episode of Climbing Mount CMMC

[00:00:11] Today Bobby is joined by the last guest of season one of Climbing Mount CMMC, Joe Scholefield

[00:00:18] Joe is the director of compliance at DeafSir and has over 20 years of cyber security and IT experience

[00:00:25] Bobby and Joe are going to be talking about the questions you should ask when hiring a CMMC consultant or an MSP during your CMMC journey

[00:00:33] We're so excited for you guys to join us in today's episode, and we hope that you enjoy

[00:00:41] I got to connect with Joe through where Joe how do we connect? Why don't you share?

[00:00:45] The Cyber AB CCP training that we both joined

[00:00:50] So we went through the CCP training; the test had not yet come out

[00:00:55] Right, so we were basically taking a course for a test that did not yet exist

[00:00:59] I think that's kind of set the tone for CMMC in my experience

[00:01:03] You know just everything kind of backwards, but you know it's been it's been a great ride

[00:01:09] So Joe, thank you so much for joining us again. Like I said today

[00:01:13] We're gonna be covering some pretty cool topics

[00:01:14] But I just wanted to give you an opportunity to for those people who aren't familiar with DeafSir and you know what you do there

[00:01:21] Can you maybe talk a little bit about that before we go into our topic?

[00:01:25] Yeah, absolutely. So yeah, I'm the director of compliance at DeafSir

[00:01:28] We're a small or boutique cyber security consulting firm

[00:01:33] So what we do is we try to help organizations, you know small medium large doesn't matter what size you are

[00:01:37] but we try to help you

[00:01:39] Understand where you're at in terms of compliance and you know work with you to try to meet these, you know

[00:01:44] Cyber security compliance objectives

[00:01:46] so today what we're wanting to talk about for those that are joining us is that

[00:01:51] We're wanting to provide guidance for people who might be hiring a consultant, somebody like DeafSir, for example

[00:01:57] We're an MSP like what I do and I thought this would be just a great topic

[00:02:01] So let me just start off with

[00:02:03] You know kind of a hard but straightforward question

[00:02:06] When you're trying to hire somebody from just a consulting perspective, you know not an MSP

[00:02:11] But just from a consulting what are some things that you think that that they should look for and ask from someone like

[00:02:17] That they would hire that would be doing those. Yeah

[00:02:19] I think the number one thing that I would look for in terms of a cyber security compliance consultant is

[00:02:25] What their overall approach is, you know, are they trying to snake oil sell me a

[00:02:30] CMMC in a box kind of solution where it's you know a one-click you're automatically compliant by

[00:02:37] Doing minimal effort on your part because at the end of the day

[00:02:40] There's a lot of work involved in these things to make sure that we're doing it, right?

[00:02:44] You know organizations can take either an enclave approach or a whole organization approach

[00:02:49] Those are both totally valid approaches here

[00:02:52] but

[00:02:53] At the end of the day, you know unless you're going to be tied to a

[00:02:57] Consultant to manage this for the rest of your organization's life through this process, you know

[00:03:02] Ultimately, you're gonna want to try to take this stuff over for yourself and know how to manage

[00:03:07] Understand the requirements yourself and know what they mean to you

[00:03:11] Because it's you're not at the finish line when you get your cert, right that no, yeah

[00:03:15] You're only just restarting a clock. Yeah

[00:03:17] Right. Yeah, one of the things that I guess you would want to see in someone that's going to be doing those types of consulting

[00:03:24] engagements is that they built into their system

[00:03:27] The client eventually taking over that that service and then they kind of move it forward, right?

[00:03:32] Unless you just want to have a perpetual engagement, right?

[00:03:34] And yeah, I mean that's a totally valid approach that some organizations might want to take

[00:03:39] You know what we try to do ourselves is try to teach you how to fish and allow you to learn how to manage these

[00:03:46] Activities and manage your own documentation your policies your SSP all that fun stuff yourself so that you wouldn't necessarily

[00:03:52] tied to us for

[00:03:54] eternity

[00:03:57] So so you really kind of touched on a good part there is he said those types of documents and things that they would have

[00:04:02] You would expect them to bring that to the table at least in some type of maturity for that client to kind of take it forward

[00:04:08] How do you see people handling that? Yeah, so I know there's there's different

[00:04:14] Maturity levels of different organizations where some organizations may have nothing, you know

[00:04:18] No established or properly, you know approved policies or standards or any sort of documentation like that

[00:04:26] Other organizations. Yeah, they might have you know ISO 9000 certifications that they have to do so they have at least some set

[00:04:32] Expectation or some set amount of documentation

[00:04:36] Even though it might not necessarily meet the bar for what you need for all of your NIST

[00:04:40] 800-171 or CMMC specifics

[00:04:43] So what we like to try to do is just take in what what it is that you do have and try to mine that for credit

[00:04:49] You know wherever we can get it

[00:04:51] And you know figure out which assessment objectives are met which ones are not met and from there work with

[00:04:58] Organizations to coach them into, you know

[00:05:00] What words they might need to add in order to gain?

[00:05:04] Compliance credit where they can and I think this I'll ask a more pointed question here Joe

[00:05:08] And I know mileage varies quite a bit

[00:05:10] But would it be fair to say that even if you hired a great consulting company that has a tremendous amount of experience

[00:05:17] It's going to tie up an employee

[00:05:20] Significant amount of time, yeah, that they can't just say, hey, you know, Sid, you're gonna take care of this

[00:05:26] You'll just talk with these guys. It'll be easy. There's not really a whole lot for you to do

[00:05:30] They've got it all. Is that even realistic? I mean, is Sid gonna be tied up for a considerable amount of time?

[00:05:35] If so how much and what does that look like right? Yeah?

[00:05:38] I mean that is one of the when it comes to you know

[00:05:41] How quickly can we be compliant sort of conversations that is ultimately how it ends up turning is it's not necessarily

[00:05:47] The amount of time that I'm able to as a consultant commit to you as a client

[00:05:52] It's how much time you can commit to me to make sure that you're producing that you're

[00:05:58] Showing me the documentation or producing, you know what we call audit proofs or evidence of your implementations

[00:06:04] Or you know on the technical front if there are changes that are identified that are necessary to your system to become compliant

[00:06:12] I'm not going to help you with that as a consultant

[00:06:15] I'm here to coach you to review to help us assess your implementation

[00:06:20] It's going to be you or the MSP that's involved that that is necessary to actually make change happen within that organization

[00:06:27] So it it's a lot has to deal with that I think sometimes people go into this engagement thinking what's your job?

[00:06:35] It's our job like we all have to kind of get through it together

[00:06:39] And there's going to be a significant investment even with the top quality consultant that's going to be able to guide you

[00:06:46] Let's say they're not even doing the technical implementation of those per se

[00:06:49] They're just helping with the consulting aspect of it

[00:06:51] Even then it's going to take a good amount of time from that. Yeah, that person to have that engagement, right?

[00:06:57] Yeah, and when you an organization that was only able to assign one person, you know

[00:07:02] Chances are at least my own experience here that person's going to be an IT

[00:07:06] And it's not just an IT problem, you know, we have people, processes and technology that are involved throughout the organization

[00:07:13] You know, we talked about background checks earlier

[00:07:15] Where's your HR? We need their time as well or you know, you're assigned IT person will need to know and to talk to HR to

[00:07:24] You know understand organizationally how we how we meet these requirements

[00:07:29] But I think if you kind of look at the other side of the coin, that's what you would expect that the consulting company

[00:07:35] It's almost like if you have an if you're looking for an investment and they're like guaranteed return on this this

[00:07:41] You're like whoa, that's super scary if they're like saying oh, you don't have to spend much

[00:07:46] We got you like you need to be scared

[00:07:48] I think of an organization that's saying that because that's just not realistic

[00:07:52] If you want to have it done at any given time

[00:07:55] Because they'll certainly take your money and string you along for a long period of time like you were saying and nothing's really going to get done

[00:08:03] Other than the the good feeling that something is being done even though not really much

[00:08:10] Now let's turn the the gears a little bit. So you're a consulting

[00:08:15] organization

[00:08:16] And you are now

[00:08:19] consulting for the company

[00:08:21] And you're you're providing no technical

[00:08:24] Implementation moving forward, right? So you guys aren't doing the patching, right, but that company has an MSP

[00:08:30] Yes, what are questions that you would want to say hey guys?

[00:08:35] I know that you got an MSP

[00:08:37] Um, here's the things that I would want them to know and be a part of can you kind of shed some light on that?

[00:08:42] Yeah, and that's it's a very common problem

[00:08:45] Where you know there is more than one entity involved, you know

[00:08:49] Many of our clients do outsource a lot of the IT responsibility to an MSP

[00:08:53] So one of the things that I would myself want to understand at least as a starting point for that kind of

[00:08:59] Understand your engagement is you know, bobby lets you use you as an example

[00:09:03] What what activities are you responsible for on behalf of our shared client?

[00:09:09] Um, you know, do you have a customer responsibility matrix or something similar to that that says, you know

[00:09:14] Yes, we are responsible for vulnerability management and we're responsible for creating accounts in Active Directory or Entra ID

[00:09:22] But we're not responsible for saying who's authorized the client. You know our shared client needs to be responsible for that

[00:09:29] um

[00:09:30] And so that to me is kind of the first pass is understanding what

[00:09:34] What the MSP is

[00:09:36] accepting responsibility of and then from there we can understand

[00:09:40] You know what what gaps need to be filled, you know what?

[00:09:44] Shared client with them themselves then have to be responsible for

[00:09:48] One of the big hot button topics is tools right can you kind of talk us through how they can be dangerous in helping or

[00:09:56] Or hindering the compliance journey on that?

[00:09:59] Yeah, I mean, assuming that you mean, or at least the tool that comes to my mind in particular, would be an RMM tool

[00:10:05] You know, a remote management, yeah, sure, tool. So, you know, very commonly used by many MSPs

[00:10:12] As it helps them under

[00:10:14] Manage multiple clients, you know, we're both in the game of

[00:10:18] supporting and servicing multiple clients at the same time so

[00:10:22] You know, that RMM tool no doubt has a lot of capabilities that can support a client's

[00:10:28] Needs for CMMC, like maybe instrumenting and managing patches

[00:10:33] But you know understanding how that tool is itself managed and built and how it operates what permissions it has or uses

[00:10:41] You know, is it a cloud based system? Or is it on premise, you know hosted by yourself?

[00:10:46] You know, there's there's lots of questions to ask about that to understand

[00:10:51] Not only, you know, the MSP's tool base, but, you know, what the client themselves is using

[00:10:56] Yeah, it's a it's a pretty big deal and it definitely got even harder once they started talking about

[00:11:04] Adding restrictions on the type of data that isn't even really CUI, right?

[00:11:08] They call that security protection data, and that type of data would be like SIEM,

[00:11:12] however you want to say that,

[00:11:14] data or RMM-collected information. If the MSP they're using is putting that information in the cloud

[00:11:22] Um, that's probably not going to go well

[00:11:25] For your assessment if it isn't FedRAMPed

[00:11:28] Because the auditor is going to be looking for

[00:11:32] That type of assurance that wherever that data is going is gonna

[00:11:36] It's yeah, I mean they they very well might you know, we we're taking a little bit of a cautious approach there where

[00:11:42] You know, we might not necessarily

[00:11:45] If those tools were FedRAMPed, don't get me wrong, that would of course be bread and butter

[00:11:49] That would be yeah, you know the best possible solution for that

[00:11:52] But, you know, the other consideration would be, is that MSP at least pursuing CMMC themselves

[00:11:59] Because as a part of that CMMC rule where that definition of security protection data does come out

[00:12:04] It's in that context of if you do

[00:12:07] Store process or transmit security protection data on behalf of you know as an external service provider

[00:12:14] That they themselves would then need a cmmc certificate at the same level as the organization

[00:12:19] Right, you know, a good question for an MSP is

[00:12:23] How much are they preparing themselves for this?

[00:12:26] Absolutely. Yeah, one of the things that I also suggest is, if you're talking with an MSP, is

[00:12:32] Ask who I would find this out before you say yes to them

[00:12:36] Or if you if they've already doing your work and you're like are you gonna help us and they're like yes

[00:12:42] Then you would want to say show me the list of the tools you utilize and what its purpose is

[00:12:47] And then where is that data saved? Yeah, you want to know where it's going are they

[00:12:52] and in the the way that the rule came out it forced us

[00:12:57] Uh to save a chunk a good chunk of what we're doing

[00:13:02] In our, like what you're saying, Joe, in our FedRAMPed environment that we have, that we host for us

[00:13:07] Like, we're not FedRAMP because we're in a FedRAMP environment

[00:13:10] So when we go to get assessed as an MSP, that environment's going to be checked

[00:13:15] It's going to get its level two certification

[00:13:17] Even though it's in a GCC High, you know, FedRAMPed environment. That doesn't mean it's FedRAMP. That means it just

[00:13:24] I have some things I can inherit right?

[00:13:27] So don't let the MSP

[00:13:30] Yeah, don't let the MSP kind of say, oh, I put my stuff in GCC High, it's all great. You're like, uh

[00:13:36] I'm not necessarily the case

[00:13:38] Um

[00:13:40] Because, like you said, the MSP has got to be willing to get Level 2 certified if you are going to get Level 2

[00:13:46] Right, and that's that comes down to the question is what kind of assurances

[00:13:51] Joe, would you feel comfortable from that MSP? Like, what would you ask them to say?

[00:13:58] Uh to make you feel comfortable that they're going to do it

[00:14:00] I I mean, I suppose at the end of the day it'd be a lot of that same questions that we'd ask

[00:14:05] Any other organization that we were consulting with, you know

[00:14:09] Show us your maturity show us your policies procedures things like that and and prove to us that that you are living and breathing

[00:14:17] CMMC yourselves

[00:14:20] Because right now like like I couldn't I can't no one can show a level two certification yet

[00:14:25] I mean you could say I went through a joint surveillance assessment which would definitely be a

[00:14:30] A big that's a that's a very, you know good indication obviously because uh, you're supposed to get grandfathered in

[00:14:35] I think is how the rule was supposed to go but

[00:14:39] um

[00:14:40] Other than that that's it. Uh, so I love that idea Joe. So let's let's fast forward and say everything's

[00:14:48] Great all systems go

[00:14:50] How would your consultant or MSP

[00:14:54] Advocate in your behalf or help you in your behalf of when you're searching for that organization that's going to do

[00:15:00] The assessment of your organization

[00:15:03] How does that look what are some things that you would expect them to help you with? Um, so

[00:15:10] In CMMC today, or as far as we know in the future as well

[00:15:14] You know the the client would be able to choose which assessor they choose to work with

[00:15:19] So I do think it's important to you know make sure that when you are choosing your assessor that you're finding an organization to do your assessment that

[00:15:26] Understands your way of business, you know that they don't necessarily take a hard line of you know

[00:15:32] physical VPN appliance must be on every employee's house or something like that, you know to

[00:15:40] Um, there's there's a lot of uh feeder questions that you could use when evaluating

[00:15:45] A C3PAO. I want to say the small

[00:15:48] business working group at the National Defense ISAC recently published

[00:15:53] A white paper that helps, you know with some of those questions that you could use

[00:15:56] So that's a great resource to understand that's a good question are

[00:16:00] But right, you know, an MSP is

[00:16:04] An important relationship there as well

[00:16:07] So, you know, does the MSP expect to sit side by side with you during that assessment and answer questions

[00:16:14] live with you or

[00:16:16] You know, even even if not, you know physically on site there, you know virtually able to support that assessment

[00:16:22] Are they able to provide?

[00:16:24] Evidence and artifacts ahead of the assessment

[00:16:27] We've found a lot of value in gathering this evidence

[00:16:30] In preparation for an assessment so that when you do walk into that assessment

[00:16:34] You're not having to answer every question live

[00:16:37] You just show them your homework that you have already put together

[00:16:41] And you're now controlling that narrative saying to the assessor here is my answer to the test

[00:16:47] Not just the SSP, you know, again, all of those screenshots from your tools and things like that

[00:16:53] And so, you know, when working with an MSP, you know, are they willing to and able to provide that evidence up front?

[00:17:04] Well, I think probably another huge

[00:17:08] Undervalued and underestimated

[00:17:12] Point of a very experienced consulting company

[00:17:15] Would be a good understanding of the ecosystem of where you could go to get a good C3PAO to do your assessment, right?

[00:17:24] Your the company that you would hire to help you with your consulting should absolutely know

[00:17:31] Off the top of their head four or five

[00:17:33] Solid C3PAOs that are gonna do just like what you're talking about, that are going to be able to make sure

[00:17:39] That that they don't get caught in the weeds and

[00:17:42] Don't help your client go off the rails

[00:17:45] because um

[00:17:48] I mean, that's what they're doing on a regular basis, right? So they're gonna know

[00:17:51] What that is and if you're you know, if you're going through the assessment yourself

[00:17:56] This might be or probably would be your first time ever so

[00:17:59] But that consulting company might have happened happened to work with 10 15 20 other people already earlier that year last year and know

[00:18:07] The lay of the land and that is a huge deal, right? The wrong assessor versus the right assessor could make all the difference

[00:18:15] Yeah, absolutely

[00:18:17] Yeah, and no doubt as time goes on we're going to see and hear you know a lot more examples of that

[00:18:22] um, but you know another consideration to take there as well is

[00:18:27] Behind a lot of these C3PAOs is going to be a shared pool of CCAs, or those lead assessors

[00:18:33] Because there are only so many of them right now and so you know a lot of those lead assessors may not be

[00:18:38] Hired only to a specific C3PAO, you know, they might be shared among others. Very true

[00:18:45] And so, you know just understanding at that at that layer, you know, will you know who your lead assessor is?

[00:18:53] Walking into this

[00:18:55] Yeah, you want to have that discussion pretty early

[00:18:58] And I think also you would want your consulting company to kind of

[00:19:02] Uh know what type of evidence and types of pieces of data you would be able to expect

[00:19:07] Um, and and how that would go because you you don't want to be in a lurch

[00:19:12] In those types of situations, right

[00:19:15] Well, Joe, thank you so much for joining us today. Is there anything else that you'd like for us,

[00:19:19] You think that we need to cover before we close it out?

[00:19:22] Uh, no, I mean, I think the only the only closing thought that I might have is just you know

[00:19:27] When it comes to consulting, you know, it's it's just solid communication overall, you know what?

[00:19:32] A good consultant is an organization that is going to work with you and understand your processes your procedures and try to

[00:19:39] You know help you be compliant without changing who you are

[00:19:43] Um, right. You know, that's one of the greatest strengths that that you could have as a

[00:19:49] Or what you might want to look for when it comes to a consultant

[00:19:52] Yeah, that's such a good point, because it doesn't do you any good if you're CMMC Level 2 but you can't operate as an organization

[00:19:59] That's just does that's not really

[00:20:01] It's not very realistic and I think that's a bit of a stark contrast because right now

[00:20:07] predominantly most of the organizations that have gone through

[00:20:11] Those types of assessments are C3PAOs, right? They went through and got certified themselves

[00:20:17] So they could do the assessments

[00:20:19] But the usually in most of the time that what they built was just to kind of play environment to show they knew what they were doing

[00:20:28] You know as the starter pistol goes off organizations are gonna have to function and live in this environment that they're building

[00:20:34] And that is going to be something totally different

[00:20:37] Um and having an organization that's consulted that understands that they keep them functioning and compliant

[00:20:44] Boy, that's something right there. Good point. I like that

[00:20:47] Well, Joe, thank you so much for joining us today and for you guys

[00:20:52] Like I said, this should be probably the last episode of the season and if i'm correct there then thank you for for join us for this full season

[00:20:59] We've got some pretty cool ones lined up already for next season. So stay tuned and thank you so much for joining us

[00:21:07] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news

[00:21:12] We hope you guys enjoyed today's episode and listen out for the next one, but until then keep on climbing