The Country Song of CMMC (What 32 CFR Did to Us)
Climbing Mount CMMC, September 26, 2024
Episode length: 00:23:26

In this podcast episode, Bobby Guerra and Kaleigh Floyd discuss the challenges and implications of the CMMC (Cybersecurity Maturity Model Certification) ruling. They highlight the impact of the 32 CFR (Code of Federal Regulations) on organizations and vendors who need to meet the level two requirements. They emphasize that many companies were not intentionally misleading or non-compliant, but rather were caught off guard by the new ruling. The conversation explores the emotional and financial toll this has taken on businesses and offers recommendations for those navigating the CMMC process.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] [SPEAKER_01]: Hello Climbers and welcome back to another episode of Climbing Mount CMMC.

[00:00:11] [SPEAKER_01]: In today's episode, Bobby and I talk about the Country Song of CMMC.

[00:00:16] [SPEAKER_01]: Many people have found themselves in some sort of hole in their journey of CMMC

[00:00:20] [SPEAKER_01]: and they're wondering how to get out.

[00:00:22] [SPEAKER_01]: So without further ado, let's get into today's episode.

[00:00:27] [SPEAKER_02]: Hello guys! Welcome to today's podcast.

[00:00:30] [SPEAKER_02]: Today we are going to be talking about the CMMC Country Song of the 32 CFR ruling.

[00:00:40] [SPEAKER_03]: I'm laughing instead of crying, but yeah.

[00:00:44] [SPEAKER_02]: Isn't that one of the most country songs?

[00:00:46] [SPEAKER_03]: That's pretty much it. You've got two options there.

[00:00:49] [SPEAKER_02]: You've got a couple tears maybe that might have been shed discussing this with me earlier.

[00:00:55] [SPEAKER_02]: It really seemed to... The big thing for you when you were explaining this podcast to me is

[00:01:03] [SPEAKER_02]: it tugged on your heart string.

[00:01:05] [SPEAKER_02]: And there's a reason for that that you were sharing with me and it had to do with...

[00:01:10] [SPEAKER_02]: It's not necessarily that there was some wrong in lies that people were doing purposefully

[00:01:16] [SPEAKER_02]: or anything like that. Nothing malicious.

[00:01:18] [SPEAKER_02]: There were just some things that happened due to this.

[00:01:23] [SPEAKER_02]: And I'd love for you to share kind of where your heart is with this podcast

[00:01:28] [SPEAKER_02]: and why you decided to make it at first.

[00:01:31] [SPEAKER_03]: Yeah, there's kind of two parties.

[00:01:34] [SPEAKER_03]: There are the people that saw, hey, we're going to have people that are going to need some type of CMMC solution

[00:01:42] [SPEAKER_03]: and we need to be able to help them.

[00:01:45] [SPEAKER_03]: So how are we going to do this?

[00:01:46] [SPEAKER_03]: Let's look at the NIST 800-171-171A list of all the 320 assessment objectives

[00:01:53] [SPEAKER_03]: and let's figure out how we can step in this space and help these clients out.

[00:01:57] [SPEAKER_03]: And that's how MSPs did it. That's how vendors did it.

[00:02:01] [SPEAKER_03]: MSSPs that are doing SIEM solutions and other types of things.

[00:02:04] [SPEAKER_03]: I've seen lots of different even software vendors come out with kind of their matrix

[00:02:09] [SPEAKER_03]: that maps out how they're going to help the clients and do it.

[00:02:12] [SPEAKER_03]: And let's be frank. I think it's 2016 was the first revision of 800-171's controls

[00:02:19] [SPEAKER_03]: and now we're on revision three, but we're going to stick with revision two right now

[00:02:24] [SPEAKER_03]: because of the class deviation that was, and that's a whole other podcast that we might do.

[00:02:30] [SPEAKER_02]: We could go on about that one.

[00:02:31] [SPEAKER_03]: But we're sticking with revision two. The revision three is out,

[00:02:33] [SPEAKER_03]: but we're sticking with revision two.

[00:02:35] [SPEAKER_03]: So it's a very mature framework.

[00:02:38] [SPEAKER_03]: It's not a framework. It's a standard special publication that's been out

[00:02:41] [SPEAKER_03]: because it's focused on protecting controlled unclassified information.

[00:02:46] [SPEAKER_03]: That's its goal. That's its focus.

[00:02:47] [SPEAKER_03]: And there's a lot of people that stepped in that space and saw a need

[00:02:49] [SPEAKER_03]: and they're like, how is someone going to be able to do this?

[00:02:53] [SPEAKER_03]: And so there's a ton of people, of vendors as well as people

[00:02:58] [SPEAKER_03]: that are going to have to get certified that went into that space

[00:03:01] [SPEAKER_03]: and said, let's figure out how we're going to solve this.

[00:03:03] [SPEAKER_03]: And they've been solving it for a while until 32 CFR dropped.

[00:03:11] [SPEAKER_03]: And a lot of people were saying, I don't understand why this is so complicated.

[00:03:15] [SPEAKER_03]: NIST 800-171 has been out for a while, but I think a lot of people underestimated

[00:03:19] [SPEAKER_03]: the massive punch in the face that the 32 CFR security protection data did

[00:03:25] [SPEAKER_03]: and the requirement that external companies have to meet the level two requirements.

[00:03:30] [SPEAKER_03]: So let's break that down for just a second and how we sort of got into this country song scenario.

[00:03:35] [SPEAKER_04]: Right? Yes.

[00:03:37] [SPEAKER_03]: So the first thing, let's just talk about the requirement

[00:03:41] [SPEAKER_03]: that if you're using an external service provider, they refer to it as ESP

[00:03:45] [SPEAKER_03]: and the ruling and I'm not sure if we have some ability to show that on the screen or not.

[00:03:49] [SPEAKER_03]: But the reality is that the CMMC 32 CFR definition

[00:03:55] [SPEAKER_03]: so this 32 CFR is basically defining what this program is going to be about.

[00:04:00] [SPEAKER_03]: The proposed rules come out already and it very clearly defines that organizations like ourselves,

[00:04:06] [SPEAKER_03]: managed service providers or other providers, like if you have someone doing your SIEM

[00:04:11] [SPEAKER_03]: or those types of things, if they're doing those types of technical controls for you,

[00:04:15] [SPEAKER_03]: they're going to have to meet the level that you're at.

[00:04:18] [SPEAKER_03]: So if you're level two, they're going to have to get level two.

[00:04:20] [SPEAKER_03]: You can sit down with a highlighter and read NIST 800-171A all day

[00:04:28] [SPEAKER_03]: and you'll never see that requirement in there.

[00:04:30] [SPEAKER_02]: No.

[00:04:31] [SPEAKER_03]: And so these people have built their systems around the assumption that

[00:04:36] [SPEAKER_03]: that 800-171 requirement was what they needed to do, right?

[00:04:42] [SPEAKER_03]: And then the 32 CFR came out and it's like, you're going to have to get level two.

[00:04:47] [SPEAKER_03]: Now, people have been talking about that being a potential requirement for some years.

[00:04:53] [SPEAKER_03]: I think there was a fair amount of people that kind of stuck their fingers in the ear and went,

[00:04:57] [SPEAKER_03]: I don't think that's going to happen.

[00:04:59] [SPEAKER_03]: And they just kind of said, let's go with this,

[00:05:01] [SPEAKER_03]: the easiest way of implementing all of these controls.

[00:05:04] [SPEAKER_03]: And they just used vendors that were readily available to them to be used.

[00:05:10] [SPEAKER_03]: And it just turns out that that's probably not going to be the case

[00:05:13] [SPEAKER_03]: because they have to now look at those vendors and go,

[00:05:15] [SPEAKER_03]: hey, are you guys going to be level two ready?

[00:05:18] [SPEAKER_03]: And they're like, I don't know if we're going to do that.

[00:05:20] [SPEAKER_03]: And then you're like, well, then who am I going to use to monitor my SIEM?

[00:05:24] [SPEAKER_04]: Right.

[00:05:24] [SPEAKER_03]: That just blew up my whole plan.

[00:05:26] [SPEAKER_03]: Yeah.

[00:05:27] [SPEAKER_03]: Like, I just don't know.

[00:05:28] [SPEAKER_03]: And then if they're like a cloud provider, that requirement for FedRAMP is now there

[00:05:34] [SPEAKER_03]: for if they have that type of data that's going to be there,

[00:05:37] [SPEAKER_03]: a whole other podcast about that.

[00:05:39] [SPEAKER_03]: But so you see what I'm saying?

[00:05:40] [SPEAKER_03]: It's not that these organizations like went out and said,

[00:05:43] [SPEAKER_03]: let's try to see how we can stick it to the man.

[00:05:45] [SPEAKER_02]: No, they weren't lying at this time.

[00:05:48] [SPEAKER_02]: They weren't trying to support.

[00:05:49] [SPEAKER_03]: It was just a situation of them trying to provide support

[00:05:52] [SPEAKER_03]: and it's organizations that went out and built their system.

[00:05:56] [SPEAKER_03]: A lot of these companies have had their own system security plans

[00:05:59] [SPEAKER_03]: that are based around these products that are pointing to these things.

[00:06:03] [SPEAKER_03]: And those just all sort of got detonated once that 32 CFR came out.

[00:06:07] [SPEAKER_03]: And they're like, what the heck are we going to do now?

[00:06:09] [SPEAKER_03]: And this kind of brings us to the country song, sadly,

[00:06:12] [SPEAKER_03]: is that I'm just hearing this more and more and more as companies are like,

[00:06:15] [SPEAKER_03]: I thought we were ready.

[00:06:16] [SPEAKER_03]: I thought we were ready and now we're not.

[00:06:18] [SPEAKER_03]: And we're trying to figure out how to address this.

[00:06:20] [SPEAKER_03]: How can you help us, Bobby?

[00:06:21] [SPEAKER_03]: What should we do?

[00:06:23] [SPEAKER_03]: And then you go to tell them, well, we're going to have to rip this out,

[00:06:28] [SPEAKER_03]: do this, this, this, this and this and then put these things here.

[00:06:31] [SPEAKER_03]: And they're like, how much is this going to cost us?

[00:06:33] [SPEAKER_03]: This is different.

[00:06:33] [SPEAKER_03]: And they're kind of going through the seven stages of grief, right?

[00:06:38] [SPEAKER_03]: Yeah.

[00:06:38] [SPEAKER_03]: CMMC.

[00:06:39] [SPEAKER_03]: And it's really hard for them to come to terms because they've tried

[00:06:42] [SPEAKER_03]: to do the right thing.

[00:06:43] [SPEAKER_03]: Right.

[00:06:44] [SPEAKER_03]: They tried to do the right thing.

[00:06:46] [SPEAKER_03]: They went to do it early.

[00:06:47] [SPEAKER_03]: They wanted to be prepared.

[00:06:50] [SPEAKER_03]: And sadly, it's unfair.

[00:06:52] [SPEAKER_03]: It's not a good deal of the cards to them.

[00:06:55] [SPEAKER_03]: Yeah.

[00:06:56] [SPEAKER_03]: But that's the reality.

[00:06:58] [SPEAKER_02]: So these companies that have started early that are now kind of

[00:07:04] [SPEAKER_02]: backtracking, what would you recommend is the first step to sort

[00:07:08] [SPEAKER_02]: of getting out of that country song, that hole that maybe

[00:07:11] [SPEAKER_02]: they've put themselves in without knowing and without really doing

[00:07:17] [SPEAKER_02]: anything necessarily wrong at first that they knew of?

[00:07:20] [SPEAKER_02]: Yeah.

[00:07:20] [SPEAKER_03]: It could be a company that needs to get certified or it could

[00:07:23] [SPEAKER_03]: be an organization that's providing services to someone that

[00:07:26] [SPEAKER_03]: needs to get certified.

[00:07:28] [SPEAKER_03]: Both of those need to kind of reconcile in their head and they

[00:07:31] [SPEAKER_03]: need to be very honest with themselves and their clients and

[00:07:35] [SPEAKER_03]: their vendors and who they're working with.

[00:07:37] [SPEAKER_03]: They need to come to terms with, do I want to step into this

[00:07:42] [SPEAKER_03]: space?

[00:07:44] [SPEAKER_03]: And I'm sorry that sounds kind of jaded.

[00:07:47] [SPEAKER_03]: And I've even had clients go, I'm not even sure now that

[00:07:50] [SPEAKER_03]: I'm realizing what I'm going to have to do if I want to

[00:07:52] [SPEAKER_03]: even stay in the space.

[00:07:53] [SPEAKER_02]: Wow.

[00:07:54] [SPEAKER_02]: Even the decision to possibly just throw in the towel or just

[00:07:57] [SPEAKER_02]: because it's going to cost money, right?

[00:08:00] [SPEAKER_02]: You can put that there now.

[00:08:02] [SPEAKER_02]: It's not going to cost nothing to change it.

[00:08:04] [SPEAKER_03]: So they're looking at there like we tried to do the right

[00:08:06] [SPEAKER_03]: thing and this kind of goes back to the seven stages of

[00:08:10] [SPEAKER_03]: grief about CMMC that you sort of have to come to terms

[00:08:12] [SPEAKER_03]: with.

[00:08:13] [SPEAKER_03]: And it's not fair.

[00:08:15] [SPEAKER_03]: And they absolutely have a right to scream at the clouds

[00:08:19] [SPEAKER_03]: and anything else that'll listen and situations.

[00:08:22] [SPEAKER_03]: There's been plenty of times where I've been on the phone

[00:08:24] [SPEAKER_03]: and I'm just kind of like, I feel you, brother, you know,

[00:08:27] [SPEAKER_03]: just let it out.

[00:08:28] [SPEAKER_03]: Just let it tell me how you're feeling because it's really

[00:08:32] [SPEAKER_03]: sad to hear that these people are trying to go through

[00:08:35] [SPEAKER_03]: these situations and they're trying to think about how do

[00:08:38] [SPEAKER_03]: I want to proceed?

[00:08:39] [SPEAKER_03]: So that's really the first thing is you have to decide,

[00:08:42] [SPEAKER_03]: do I want to still stay in this space?

[00:08:45] [SPEAKER_03]: And that's a tough call to make.

[00:08:48] [SPEAKER_03]: But when you have decided, okay, I do want to step

[00:08:51] [SPEAKER_03]: in this space, then at that point it starts becoming,

[00:08:55] [SPEAKER_03]: all right, how am I going to have to turn this around?

[00:08:56] [SPEAKER_03]: How am I going to budget this?

[00:08:58] [SPEAKER_03]: Am I going to have to change my perspective on when I want

[00:09:00] [SPEAKER_03]: to get certified?

[00:09:01] [SPEAKER_03]: How do I look at what contracts I'm taking?

[00:09:04] [SPEAKER_03]: How do I have to change my hopper approach as far as

[00:09:06] [SPEAKER_03]: in keeping the business in the hopper flowing through?

[00:09:09] [SPEAKER_02]: Like what am I able to keep from that I already

[00:09:12] [SPEAKER_02]: have set up?

[00:09:14] [SPEAKER_03]: You need to start planning about that.

[00:09:15] [SPEAKER_03]: You need to start trying to understand that so

[00:09:17] [SPEAKER_03]: that you can continue to move forward with that.

[00:09:21] [SPEAKER_03]: But if you think to yourself, there isn't a way for me to dodge

[00:09:23] [SPEAKER_03]: this to give myself time, then you're going to have to think

[00:09:26] [SPEAKER_03]: about, okay, well what kind of cost am I willing to absorb

[00:09:29] [SPEAKER_03]: to try to get these problems solved sooner than later?

[00:09:33] [SPEAKER_03]: Because it really comes down to how fast you want to move

[00:09:36] [SPEAKER_03]: and how much do you want to pay to get those issues

[00:09:39] [SPEAKER_03]: corrected and done.

[00:09:42] [SPEAKER_03]: And the longer you yell at the clouds, right,

[00:09:47] [SPEAKER_03]: about that choice that you have to make, the more time

[00:09:51] [SPEAKER_03]: you're spending that you could have done action in other areas.

[00:09:56] [SPEAKER_03]: Right, not moving into the new direction that you must go.

[00:09:59] [SPEAKER_03]: It's very binary thought process and it's not really recognizing

[00:10:03] [SPEAKER_03]: the grief in your heart that you have to feel

[00:10:06] [SPEAKER_03]: and I'm sorry that I'm being a little bit more binary

[00:10:08] [SPEAKER_03]: and logical about it.

[00:10:09] [SPEAKER_03]: But I mean, the mental impact cannot be understated

[00:10:14] [SPEAKER_03]: because I've heard from many different companies like

[00:10:18] [SPEAKER_03]: this is their baby, right?

[00:10:19] [SPEAKER_03]: And they're scared about the potential impact.

[00:10:23] [SPEAKER_02]: A family company that has been in the family for generations,

[00:10:29] [SPEAKER_02]: but I just try to figure out how to do this.

[00:10:32] [SPEAKER_03]: So you really want to decide if you want to stay

[00:10:34] [SPEAKER_03]: in that space still, I think first off.

[00:10:35] [SPEAKER_03]: And the second thing I would do is get with a C3PAO

[00:10:38] [SPEAKER_03]: that has gone through the assessment that you trust

[00:10:40] [SPEAKER_03]: and have them counsel you on the next moves that you want to do

[00:10:45] [SPEAKER_03]: because the last thing you want to do is then

[00:10:46] [SPEAKER_03]: re-put yourself right back in the same position

[00:10:48] [SPEAKER_03]: that you did again and put more money after this bad situation

[00:10:53] [SPEAKER_03]: and just keep doing it.

[00:10:55] [SPEAKER_03]: So you really want to dive into somebody

[00:10:56] [SPEAKER_03]: that's got some serious knowledge,

[00:10:58] [SPEAKER_03]: that knows what they're doing,

[00:10:59] [SPEAKER_03]: that has helped people turn themselves around.

[00:11:01] [SPEAKER_03]: You want to ask how they've helped other people

[00:11:03] [SPEAKER_03]: get out of this situation that they're in

[00:11:05] [SPEAKER_03]: and you want to talk with C3PAOs that have done JSV assessments

[00:11:09] [SPEAKER_03]: that may have worked with clients.

[00:11:11] [SPEAKER_03]: And if you're not sure what a JSV,

[00:11:13] [SPEAKER_03]: that's a joint surveillance assessment.

[00:11:15] [SPEAKER_03]: So that's basically DIBCAC, which is a government body,

[00:11:19] [SPEAKER_03]: actually does the assessment of a company

[00:11:22] [SPEAKER_03]: and then this C3PAO actually is doing the assessment

[00:11:26] [SPEAKER_03]: just DIBCAC's watching them, they're surveilling them,

[00:11:28] [SPEAKER_03]: making sure that the way that they're doing assessment

[00:11:30] [SPEAKER_03]: is appropriate the way that they feel it should be done.

[00:11:33] [SPEAKER_03]: And you want to ask, well, have you done

[00:11:35] [SPEAKER_03]: a surveillance assessment on a company like ours?

[00:11:37] [SPEAKER_03]: If they've done that, then you're like,

[00:11:40] [SPEAKER_03]: okay, now not only have they helped someone

[00:11:43] [SPEAKER_03]: go through a real assessment, they understand our business

[00:11:45] [SPEAKER_03]: and they can help make some recommendations on us

[00:11:47] [SPEAKER_03]: about how we could turn this thing around

[00:11:49] [SPEAKER_03]: because we're on the 11th hour here.

[00:11:51] [SPEAKER_03]: We're in the red zone, we got to score

[00:11:54] [SPEAKER_03]: because if you want to get certified by next year

[00:11:57] [SPEAKER_03]: because of your requirements of keeping your hopper going

[00:12:01] [SPEAKER_03]: because the way that the 38 CFR was written,

[00:12:06] [SPEAKER_03]: you have to have your level two certification on award.

[00:12:11] [SPEAKER_03]: So in other words, you may have won the bid,

[00:12:13] [SPEAKER_03]: but when the DOD turns to you and goes,

[00:12:15] [SPEAKER_03]: well actually you're supposed to be certified

[00:12:16] [SPEAKER_03]: and I don't see you have that,

[00:12:17] [SPEAKER_03]: then they wouldn't award it to you

[00:12:19] [SPEAKER_03]: and you got a real problem there.

[00:12:21] [SPEAKER_03]: So that's kind of the situation

[00:12:24] [SPEAKER_03]: that a lot of people are in.

[00:12:26] [SPEAKER_03]: And those are the kind of recommendations

[00:12:27] [SPEAKER_03]: that I would make for people

[00:12:28] [SPEAKER_03]: trying to turn that around for them.

[00:12:32] [SPEAKER_02]: Yeah, so one, even be honest with yourself

[00:12:35] [SPEAKER_02]: if you even want to continue down this road.

[00:12:38] [SPEAKER_02]: And two, if you do talk to an outside

[00:12:41] [SPEAKER_02]: like outsourced professional of C3PAO

[00:12:44] [SPEAKER_02]: that has worked with somebody that like your business

[00:12:47] [SPEAKER_02]: that can really direct you in the right path, right?

[00:12:51] [SPEAKER_02]: So then two, I'm going to kind of plug one

[00:12:54] [SPEAKER_02]: of our other videos.

[00:12:55] [SPEAKER_02]: Another video that we did is talking about

[00:12:57] [SPEAKER_02]: the CMMC menu that you can look at too.

[00:13:00] [SPEAKER_02]: Right, right.

[00:13:01] [SPEAKER_02]: And depending on where you are

[00:13:04] [SPEAKER_02]: on the scenario or the hole that you're in,

[00:13:08] [SPEAKER_02]: maybe looking at that menu might be good for you

[00:13:11] [SPEAKER_02]: and discussing those with your C3PAO

[00:13:14] [SPEAKER_02]: to see what direction you should be going towards

[00:13:17] [SPEAKER_02]: and heading towards now would be.

[00:13:21] [SPEAKER_02]: So another thing that I really wanted to ask you

[00:13:24] [SPEAKER_02]: about this topic is,

[00:13:27] [SPEAKER_02]: I mean, I don't want to say like,

[00:13:31] [SPEAKER_02]: I don't want to make it like kind of anxious feeling,

[00:13:33] [SPEAKER_02]: but like we didn't know that this hole was going to happen

[00:13:38] [SPEAKER_02]: until it happened, right?

[00:13:40] [SPEAKER_02]: How do these companies that are going down this new direction,

[00:13:44] [SPEAKER_02]: right, that are, let's say that they say yes,

[00:13:45] [SPEAKER_02]: they're still going down the journey.

[00:13:47] [SPEAKER_02]: They're going to another direction,

[00:13:49] [SPEAKER_02]: focusing on another way of doing it.

[00:13:51] [SPEAKER_02]: How do they know that that's not going to happen again?

[00:13:54] [SPEAKER_02]: Do you know what I'm saying?

[00:13:55] [SPEAKER_02]: Like how do they know that they're not going to spend

[00:13:58] [SPEAKER_02]: $100,000 during this year going to this new direction

[00:14:03] [SPEAKER_02]: to only get stuck in a hole again?

[00:14:06] [SPEAKER_02]: You know?

[00:14:07] [SPEAKER_03]: Yeah, that's where finding that C3PAO

[00:14:10] [SPEAKER_03]: is going to be very helpful for them

[00:14:11] [SPEAKER_03]: to avoid the rinse and repeat

[00:14:14] [SPEAKER_03]: of possibly getting stuck back in that again

[00:14:16] [SPEAKER_03]: because that is not a good place to be in

[00:14:18] [SPEAKER_03]: because you're running out of potential time frame

[00:14:22] [SPEAKER_03]: if you want to get done next year.

[00:14:25] [SPEAKER_03]: And let's be honest,

[00:14:30] [SPEAKER_03]: people are going to say,

[00:14:30] [SPEAKER_03]: you know, maybe I don't really want to participate next year.

[00:14:36] [SPEAKER_03]: We're going to, next year is going to be kind of our,

[00:14:40] [SPEAKER_03]: it's going to be for us to just play the field and look

[00:14:43] [SPEAKER_03]: and then we'll decide on how we want to do it.

[00:14:46] [SPEAKER_03]: What's going to start happening is,

[00:14:47] [SPEAKER_03]: is once other bodies and people are going to start getting

[00:14:50] [SPEAKER_03]: certified, that's going to start putting pressure

[00:14:53] [SPEAKER_03]: on more and more organizations to match that.

[00:14:59] [SPEAKER_03]: Absolutely.

[00:14:59] [SPEAKER_03]: And that's because the sub primes and prime,

[00:15:01] [SPEAKER_03]: they're going to start putting pressure.

[00:15:04] [SPEAKER_03]: Also, when you have that checkbox that says that you are level

[00:15:07] [SPEAKER_03]: two and you've attested to that and you're in the system

[00:15:11] [SPEAKER_03]: when they do the automatic awards and they validate

[00:15:13] [SPEAKER_03]: that you are level two,

[00:15:15] [SPEAKER_03]: you got to think that they're going to take preferential

[00:15:18] [SPEAKER_03]: treatment for those people there to be doing those

[00:15:20] [SPEAKER_03]: types of things.

[00:15:20] [SPEAKER_03]: Do I know that?

[00:15:21] [SPEAKER_03]: Perfect. No, I don't.

[00:15:22] [SPEAKER_03]: So you really want to start thinking about your

[00:15:25] [SPEAKER_03]: strategy for the next two years

[00:15:27] [SPEAKER_03]: and how you want to attack this

[00:15:28] [SPEAKER_03]: and you don't want to accidentally fall into this.

[00:15:31] [SPEAKER_03]: You really want to sit down and start mapping things out

[00:15:35] [SPEAKER_03]: about how you want to attack this because this is your

[00:15:37] [SPEAKER_03]: livelihood that you really want to do,

[00:15:39] [SPEAKER_03]: especially if it's a large percentage of your business

[00:15:41] [SPEAKER_03]: that's doing contracts and the FAR rule's around the corner.

[00:15:45] [SPEAKER_03]: And so even if you say,

[00:15:46] [SPEAKER_03]: you know what, I'm just not going to do stuff with DoD.

[00:15:48] [SPEAKER_03]: I'm going to maybe work in other organizations

[00:15:51] [SPEAKER_03]: that are government related because I have a good

[00:15:53] [SPEAKER_03]: relationship with them,

[00:15:54] [SPEAKER_03]: but the FAR rule drops,

[00:15:56] [SPEAKER_03]: you got to believe that they're going to have at least some

[00:15:58] [SPEAKER_03]: type of requirement to match the NIST 800-171.

[00:16:02] [SPEAKER_03]: And then you're right back in the same pot again.

[00:16:05] [SPEAKER_03]: Now maybe they don't require certification.

[00:16:08] [SPEAKER_03]: Maybe they have self assessment that way,

[00:16:11] [SPEAKER_03]: but no one knows for sure about how the FAR rule is

[00:16:13] [SPEAKER_03]: going to drop.

[00:16:14] [SPEAKER_03]: That's going to be government wide on their acquisition

[00:16:17] [SPEAKER_03]: process.

[00:16:18] [SPEAKER_03]: So because the FAR is Federal Acquisition Regulations,

[00:16:22] [SPEAKER_03]: right?

[00:16:22] [SPEAKER_03]: So this is going to be kind of the snap,

[00:16:25] [SPEAKER_03]: the baseline for anyone that is going to be doing acquisition

[00:16:29] [SPEAKER_03]: or type of contract work for any government body that's going

[00:16:33] [SPEAKER_03]: to fall into that.

[00:16:35] [SPEAKER_03]: And so who knows?

[00:16:37] [SPEAKER_03]: So that's why you really need to start thinking about how

[00:16:39] [SPEAKER_03]: you're going to attack it and how you're going to do it.

[00:16:41] [SPEAKER_03]: And as a vendor, right?

[00:16:43] [SPEAKER_03]: If you're if you're doing that and you're providing that,

[00:16:46] [SPEAKER_03]: you need to think about how you want to step into

[00:16:48] [SPEAKER_03]: the space and you need to be honest with the people

[00:16:51] [SPEAKER_03]: you're working with.

[00:16:52] [SPEAKER_03]: If you have no intention or you're really not serious about

[00:16:54] [SPEAKER_03]: doing it next year, you need to let your people know that

[00:16:58] [SPEAKER_03]: you're working with like, hey, we're not going to be

[00:17:00] [SPEAKER_03]: level two.

[00:17:01] [SPEAKER_03]: We're not going to do federal, we're not going to do these

[00:17:02] [SPEAKER_03]: types of things that we know are going to have to be

[00:17:04] [SPEAKER_03]: required for anyone using our service.

[00:17:07] [SPEAKER_03]: And you need to let them know that because like that way

[00:17:11] [SPEAKER_03]: you can start having people who may not have

[00:17:14] [SPEAKER_03]: necessarily been watching the wheel as closely as they

[00:17:17] [SPEAKER_03]: should have that can start giving them notification

[00:17:19] [SPEAKER_03]: that you start trying to pick another path.

[00:17:22] [SPEAKER_03]: And I think that also comes down to you need to look

[00:17:25] [SPEAKER_03]: at the vendors and the outsourced relationships

[00:17:28] [SPEAKER_03]: that you have.

[00:17:30] [SPEAKER_03]: So true.

[00:17:30] [SPEAKER_03]: You need to really break that down, break that down.

[00:17:33] [SPEAKER_03]: And that's where having that C3 could help you because

[00:17:35] [SPEAKER_03]: they can ask the right questions.

[00:17:37] [SPEAKER_03]: They can be even on the calls when you're talking

[00:17:38] [SPEAKER_03]: with them to be an ambassador for your success in

[00:17:41] [SPEAKER_03]: that process.

[00:17:42] [SPEAKER_03]: And then also I would highly recommend that if you

[00:17:46] [SPEAKER_03]: want to be assessed next year that you go ahead

[00:17:47] [SPEAKER_03]: and get a gap assessment this year and get an idea

[00:17:50] [SPEAKER_03]: of where you're at because if after you get your

[00:17:53] [SPEAKER_03]: gap assessment, you find out that you've got some

[00:17:56] [SPEAKER_03]: architectural problems.

[00:17:59] [SPEAKER_03]: You know, if you've ever watched my wife loves

[00:18:01] [SPEAKER_03]: DIY shows, one of the banes of anything when you

[00:18:06] [SPEAKER_03]: buy a house is foundational problems.

[00:18:08] [SPEAKER_03]: If you have a problem with the foundation, that's

[00:18:10] [SPEAKER_03]: the thing that really throws them into tailspin

[00:18:12] [SPEAKER_03]: because it could be very expensive to correct on

[00:18:15] [SPEAKER_03]: a house foundation.

[00:18:15] [SPEAKER_03]: Yeah.

[00:18:16] [SPEAKER_03]: And you definitely don't want to build on something

[00:18:18] [SPEAKER_03]: that isn't foundationally solid.

[00:18:20] [SPEAKER_03]: So, and it's that way with CMMC.

[00:18:23] [SPEAKER_03]: So having a gap assessment, if there is a

[00:18:25] [SPEAKER_03]: foundational problem, a scoping issue or

[00:18:27] [SPEAKER_03]: technology or other pieces that you have plugged

[00:18:30] [SPEAKER_03]: in there that they discover that you don't

[00:18:31] [SPEAKER_03]: have right.

[00:18:32] [SPEAKER_04]: Yeah.

[00:18:33] [SPEAKER_03]: You have some time still to make those

[00:18:35] [SPEAKER_03]: corrections right now.

[00:18:37] [SPEAKER_03]: But you don't want to find that out when

[00:18:40] [SPEAKER_03]: you know, you finally have been in the

[00:18:42] [SPEAKER_03]: hopper companies have been C3 business

[00:18:45] [SPEAKER_03]: and those have been booked out to March.

[00:18:48] [SPEAKER_03]: Now, today at the time of this recording

[00:18:49] [SPEAKER_03]: and this recording is beginning of September.

[00:18:54] [SPEAKER_03]: So that is months and months out and

[00:18:56] [SPEAKER_03]: that list is getting longer.

[00:18:59] [SPEAKER_03]: Yep.

[00:19:00] [SPEAKER_03]: So if you have to wait till March, September,

[00:19:05] [SPEAKER_03]: October timeframe to finally get assessed

[00:19:08] [SPEAKER_03]: to find out that you've got some

[00:19:11] [SPEAKER_03]: significant changes you have to do that

[00:19:13] [SPEAKER_03]: could push you out months.

[00:19:16] [SPEAKER_03]: Then to then get back in the queue again.

[00:19:20] [SPEAKER_03]: Yeah.

[00:19:20] [SPEAKER_03]: To try to get back in there right.

[00:19:22] [SPEAKER_03]: Yeah.

[00:19:22] [SPEAKER_03]: It's kind of like you waited in that line

[00:19:25] [SPEAKER_03]: to buy that thing and then you left

[00:19:26] [SPEAKER_03]: your wallet in the car.

[00:19:28] [SPEAKER_02]: Yeah.

[00:19:28] [SPEAKER_03]: You're like.

[00:19:29] [SPEAKER_02]: And honestly how I felt, it's honestly

[00:19:31] [SPEAKER_02]: how I felt when I went to Disney

[00:19:33] [SPEAKER_02]: World just the other week and I went

[00:19:36] [SPEAKER_02]: to go wait in the Guardians of the

[00:19:38] [SPEAKER_02]: Galaxy ride that they have.

[00:19:40] [SPEAKER_02]: You have to get in a queue on your phone.

[00:19:44] [SPEAKER_02]: And so I waited until and I was there

[00:19:47] [SPEAKER_02]: like right at one boom, boom, boom,

[00:19:49] [SPEAKER_02]: got in the queue.

[00:19:50] [SPEAKER_02]: I was number, you know, I was in group 108.

[00:19:53] [SPEAKER_02]: In that queue.

[00:19:55] [SPEAKER_02]: Well once finally group 108 got called.

[00:19:58] [SPEAKER_02]: We went to the ride to go wait in line

[00:20:01] [SPEAKER_02]: and we still had to wait an hour.

[00:20:03] [SPEAKER_02]: We've got in the queue to then wait

[00:20:06] [SPEAKER_02]: in the line.

[00:20:08] [SPEAKER_02]: It's literally exactly like

[00:20:10] [SPEAKER_02]: you think you're fine but actually

[00:20:13] [SPEAKER_02]: you're just you're getting in line

[00:20:14] [SPEAKER_02]: to wait for another line.

[00:20:16] [SPEAKER_02]: So all of a sudden your time has

[00:20:18] [SPEAKER_02]: increased dramatically than what you

[00:20:21] [SPEAKER_02]: thought.

[00:20:21] [SPEAKER_03]: So I think that the kind of the

[00:20:25] [SPEAKER_03]: takeaway that we would hope people

[00:20:26] [SPEAKER_03]: would understand in this is really

[00:20:28] [SPEAKER_03]: twofold.

[00:20:28] [SPEAKER_03]: For those people that were early adopters

[00:20:30] [SPEAKER_03]: that have kind of fallen in that country

[00:20:32] [SPEAKER_03]: song early of CMMC which my heart

[00:20:35] [SPEAKER_03]: bleeds for you.

[00:20:35] [SPEAKER_03]: I'm really sorry.

[00:20:36] [SPEAKER_03]: There is salvation.

[00:20:38] [SPEAKER_03]: You can still get it turned around.

[00:20:41] [SPEAKER_03]: There are still answers.

[00:20:42] [SPEAKER_03]: You just want to make sure that you

[00:20:43] [SPEAKER_03]: partner with a good organization

[00:20:45] [SPEAKER_03]: that make the recommendation to help

[00:20:46] [SPEAKER_03]: you turn that around the right way,

[00:20:48] [SPEAKER_03]: the right way.

[00:20:49] [SPEAKER_03]: The first time that you're doing it.

[00:20:51] [SPEAKER_03]: Correct.

[00:20:51] [SPEAKER_03]: Right.

[00:20:52] [SPEAKER_03]: You want to you want to adjust that

[00:20:53] [SPEAKER_03]: right then.

[00:20:54] [SPEAKER_03]: And then the you've got the other

[00:20:55] [SPEAKER_03]: people that are now trying to

[00:20:57] [SPEAKER_03]: play the field that are looking

[00:20:59] [SPEAKER_03]: and they're like okay we sort of

[00:21:01] [SPEAKER_03]: were dipping our toe but we're

[00:21:02] [SPEAKER_03]: actually going to really go all in

[00:21:03] [SPEAKER_03]: here.

[00:21:04] [SPEAKER_03]: How can we avoid being caught up in

[00:21:06] [SPEAKER_03]: this country song process because

[00:21:07] [SPEAKER_03]: this is scooped up so many people

[00:21:10] [SPEAKER_03]: in the CMMC ecosystem.

[00:21:12] [SPEAKER_03]: And I think it's knowledge,

[00:21:14] [SPEAKER_03]: knowledge, knowledge getting in

[00:21:15] [SPEAKER_03]: there and partnering with people

[00:21:17] [SPEAKER_03]: that know that you trust.

[00:21:19] [SPEAKER_03]: They're going to give you the right

[00:21:20] [SPEAKER_03]: answers.

[00:21:21] [SPEAKER_03]: They're going to move you in the

[00:21:23] [SPEAKER_03]: right direction because then

[00:21:24] [SPEAKER_03]: you can have that solid evidence,

[00:21:26] [SPEAKER_03]: that solid understanding

[00:21:28] [SPEAKER_03]: and really help you move down

[00:21:30] [SPEAKER_03]: the path to make sure that you're

[00:21:32] [SPEAKER_03]: doing the right decisions and

[00:21:34] [SPEAKER_03]: get you safe.

[00:21:36] [SPEAKER_03]: As things go on.

[00:21:38] [SPEAKER_02]: Yes, absolutely.

[00:21:40] [SPEAKER_02]: And you know again we're here to

[00:21:42] [SPEAKER_02]: answer, I said this at the end of

[00:21:44] [SPEAKER_02]: every episode but it's because I

[00:21:46] [SPEAKER_02]: really mean it.

[00:21:46] [SPEAKER_02]: We're here to answer any questions,

[00:21:48] [SPEAKER_02]: concerns, things that you're

[00:21:50] [SPEAKER_02]: thinking about for your business.

[00:21:52] [SPEAKER_02]: I know that this is just a podcast

[00:21:54] [SPEAKER_02]: episode so you can't talk to us

[00:21:55] [SPEAKER_02]: here on this episode.

[00:21:57] [SPEAKER_02]: We're just really talking and you're

[00:21:58] [SPEAKER_02]: listening.

[00:21:59] [SPEAKER_03]: I'm here just go ahead and speak

[00:22:00] [SPEAKER_03]: right now.

[00:22:00] [SPEAKER_02]: Go ahead and say something right

[00:22:01] [SPEAKER_02]: now.

[00:22:03] [SPEAKER_02]: But there are you know places

[00:22:05] [SPEAKER_02]: where you can reach us on LinkedIn,

[00:22:07] [SPEAKER_02]: on YouTube, comments and stuff.

[00:22:09] [SPEAKER_02]: We're looking at all those places.

[00:22:11] [SPEAKER_02]: We're not ignoring them.

[00:22:12] [SPEAKER_02]: We are active in all of those

[00:22:14] [SPEAKER_02]: places so please feel free to

[00:22:16] [SPEAKER_02]: reach out to us if you have any

[00:22:17] [SPEAKER_02]: questions or ideas for new videos

[00:22:20] [SPEAKER_02]: or things you want to hear about.

[00:22:22] [SPEAKER_02]: And then also too I'm going to

[00:22:23] [SPEAKER_02]: link in the description of these

[00:22:25] [SPEAKER_02]: any information that might help

[00:22:27] [SPEAKER_02]: you that we've created over this

[00:22:29] [SPEAKER_02]: time.

[00:22:29] [SPEAKER_02]: Hopefully as we're going through

[00:22:31] [SPEAKER_02]: this we'll have more and more

[00:22:33] [SPEAKER_02]: content for you guys to be able to

[00:22:35] [SPEAKER_02]: help you in any way that we

[00:22:36] [SPEAKER_02]: possibly can.

[00:22:38] [SPEAKER_02]: Our goal as a company is to make

[00:22:40] [SPEAKER_02]: a little bit easier of a trail for

[00:22:41] [SPEAKER_02]: the people behind us so you know

[00:22:43] [SPEAKER_02]: we're going to continue to strive

[00:22:46] [SPEAKER_02]: for that as we are climbing

[00:22:47] [SPEAKER_02]: ourselves.

[00:22:49] [SPEAKER_02]: So if you guys have anything

[00:22:51] [SPEAKER_02]: like that that you need to ask feel

[00:22:52] [SPEAKER_02]: free to reach out to us and please

[00:22:54] [SPEAKER_02]: don't hesitate to do so.

[00:22:56] [SPEAKER_02]: But we hope you guys enjoyed

[00:22:58] [SPEAKER_02]: today's episode.

[00:22:59] [SPEAKER_02]: Make sure to tune in next

[00:23:00] [SPEAKER_02]: Thursday for our next episode.

[00:23:03] [SPEAKER_02]: And thank you guys so much for watching.

[00:23:05] [SPEAKER_02]: Remember to keep on climbing.

[00:23:06] [SPEAKER_02]: Bye guys.

[00:23:08] [SPEAKER_00]: Make sure to follow us on LinkedIn

[00:23:09] [SPEAKER_00]: and YouTube to stay up to date on the

[00:23:11] [SPEAKER_00]: latest CMMC news.

[00:23:13] [SPEAKER_00]: We hope you guys enjoyed today's

[00:23:15] [SPEAKER_00]: episode and listen out for the next

[00:23:16] [SPEAKER_00]: one.

[00:23:17] [SPEAKER_00]: But until then keep on climbing.