(Season 2 Episode 8) Koren Marie Wise, CEO of Wise Technical Innovations, and Bobby Guerra emphasize the importance of having a skilled and knowledgeable team, conducting thorough gap assessments, and understanding the flow of Controlled Unclassified Information (CUI). Koren also highlights the need for proper scoping, accurate network diagrams, and the right skill sets to ensure compliance with the NIST 800-171 framework. In this conversation, they discuss the challenges and considerations for Managed Service Providers (MSPs) in the context of the Cybersecurity Maturity Model Certification (CMMC). They emphasize the importance of engaging with experienced and knowledgeable MSPs who understand the requirements and complexities of CMMC.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] Welcome back climbers. I'm your co-host, Kaleigh Floyd and this is another episode of Climbing Mount CMMC. Today Bobby is joined by Koren Wise, CEO of Wise Technical Innovations. We're so excited to have
[00:00:17] Koren on here to talk about Gap Assessments, CUI, the flow of CUI, and even more. Thank you guys so much for listening and we hope that you enjoy. Yeah if you could just tell us a little
[00:00:32] bit more about yourself and your company and then we're going to get into the topic of things to look for a little bit of what kind of snake oil sadly is in the industry. I would have
[00:00:44] to say though, the industry is pretty tight-knit and we're pretty blessed with having just really good people in the industry. That's one of the things when I got in I was really excited
[00:00:55] about but that's not always the case. So Koren can you just tell us more about yourself and then we'll kind of get into that topic. Okay sounds good so I'm here in Norfolk, Virginia. I own Wise Technical Innovations and I'm an assessor for the Cyber AB assessment program.
[00:01:11] I'm also an instructor so we are a licensed training provider holding the CCP and CCA classes which is one of my favorite things to do and I'll probably talk a little bit about why that is
[00:01:21] because it ties in to the conversation. We're also a DOD contractor so I kind of feel everybody's pain. I haven't been able to do since CMMC I've been inundated with that so I haven't been doing a
[00:01:33] lot of DOD contracting but nonetheless have to get you know and make sure that I'm compliant myself and so we're in the same boat as everybody else and that's really what I spend most of my
[00:01:46] days doing aside from building enclaves which keeps me super busy so we build Azure Gov GCC High enclaves and I think one thing that you know probably we got recognized for quite a bit was that we brought the smallest sub ever in December to the Joint Surveillance Voluntary Assessment
[00:02:05] and they got a perfect 110 and so maybe we can talk a little bit about that just because gives hope to the smaller companies and I always like to clarify at the beginning
[00:02:15] I am an assessor but as assessors we can still be consultants we can just never be both for the same company so if we decide to help a company on their journey then we could never
[00:02:25] be anything or any part of their assessment. I'm not sure where that kind of misnomer got started I feel that multiple times every year people are like oh you're having a C3PAO do yourself
[00:02:39] they can't do that I'm like yeah yeah they can they just can't do both. Right for the same company. Yeah for the same company so how many JSVAs and some people may not know what a JSVA is
[00:02:52] can you maybe mention about what JSVAs are and how many you've participated in? Good so the Joint Surveillance Voluntary Assessment Program is one of many assessments that are current and I always
[00:03:04] say that because I think a lot of folks are not aware that the assessments have been here for a while so CMMC we always try to remind people is is going to be third-party assessments but the DIBCAC the Defense Industrial Base Cybersecurity Assessment Center has been doing
[00:03:21] these assessments for some time and they do DIBCAC mediums and DIBCAC highs and then we also have the requirement to self assess so those assessments have been going on for a long time and been
[00:03:32] a requirement for us as DOD contractors for some time and now there's the Joint Surveillance Voluntary Assessment Program which you could kind of think of as a bridge program where we've had this
[00:03:42] amazing opportunity to work with the people that have been doing this all along which is the DIBCAC and it's I can't even express like what an amazing learning opportunity it is to be there with them
[00:03:55] see how they see things because they they've got that precedence and they've done many more than any of us ever have and so it's kind of like they're observing us during that assessment
[00:04:06] they now let us lead the entire 800-171 portion of it and they chime in if they want to and when they do you kind of just back off and let them take it and they do and so that is the Joint Surveillance
[00:04:20] Voluntary Assessment Program it's where a C3PAO and by the way we are not at this time a C3PAO so when I'm hired as an assessor I go work for a C3PAO as a 1099 and then they you know
[00:04:32] we work with the DIBCAC on those assessments for companies that are selected for that program whenever people ask me how many I've been on I try not to to say the number because I always
[00:04:43] worry with examples that I give of the JSVA that somebody would be like oh that's that company or that type of thing but I think most of the assessors are active on JSVAs at any given time
[00:04:56] because there's not that many assessors so we're almost always fielding a few SSPs at any given time to see if people are even ready for a Joint Surveillance Voluntary Assessment
[00:05:07] that's because a company has come to a C3PAO they say they want to sign up and there's a whole bunch of screening that goes on before you really contact the DIBCAC and you know say they're
[00:05:19] ready if you're doing it in the right order but some don't and so sometimes that's done out of order and then every once in a while we're lucky enough where the company is selected and we go on to
[00:05:32] actually assess the company with the DIBCAC in the Joint Surveillance but the most valuable experience ever was not being an assessor on a JSVA it was being assessed with Jaco Aerospace in December definitely the most stressful thing I've ever done in my life
[00:05:48] a lot of work a lot of stress and just reminds you how thorough that assessment is I mean they were an all-cloud you know enclave and they spent you know quite a few days up there
[00:06:01] in every single technical configuration that you can think of and I mean it is very very thorough so preparing for that and trying to get your ducks in a row and even practicing moving around Sentinel and all that stuff being able to just fly through it all is
[00:06:15] it's like that's a big deal and I think we'll talk about that some because not everybody is going to handle things equally and if you're working with someone who's supposed to help
[00:06:24] prepare you that's a huge deal you don't want to fumble on the five yard line go through all the process of getting ready and then you do your assessment and you have it done the
[00:06:34] homework of knowing exactly like you said where am I clicking on in Sentinel where am I going here and the consultant or the organization you're working with they need to help
[00:06:43] or at the very least be ready to do that so that when it comes time that you're not wasting the assessor's time because they don't seem to like that very much when that happens right
[00:06:52] that's well I mean the DIBCAC actually I think much kinder than people realize and much more understanding they're not you know these mean ogres that are like assessment over
[00:07:06] all right you know yeah you don't want to you don't want to reduce any assessor's confidence it's the I'll talk about that later on but we're trained that we can stop when we're
[00:07:16] confident and we're signing our name on the dotted line that we're confident you're achieving that objective and if it goes up into eMASS with our name on it so that's a pretty big deal
[00:07:25] you don't want to do that and and to end that answer to your question I've run the full game it's so I've assessed on the other side as an assessor really big primes which is a very different experience there's just so much ground to cover during that assessment
[00:07:38] and really complex architectures beyond anything that most of us are used to so true so uh kind of what made me want to reach out to you about participating in a podcast with us which I'm
[00:07:52] super thankful you did um is that you had a post um and can you share a little bit about that post and kind of the reactions that you had and what it was about well I was surprised
[00:08:03] at the reaction to that post um I try not to be negative and I love it that you kind of started off by saying there's a lot of good people in the ecosystem because I I really hope
[00:08:11] that's kind of the way we frame it today and give people hints on how to get to those to the right people um but that was after a frustrating day I think we've all had these days where
[00:08:22] we're looking at the results of a gap analysis for our customer that was done by somebody before we got to the picture so they've already been ripped off for 30k or 50k and got literally
[00:08:34] zero output um and this is happening over and over and over again every week this happens I'm with a customer they show me the output from a previous engagement they don't know why they're not getting
[00:08:45] anywhere or they don't feel like they're getting anywhere um and when you take a look at what's been done you realize wow I don't know if this is being done purposely but it's it seems very
[00:08:57] fraudulent you know and um uh it just it's frustrating and then the other thing that cost me to write that post is I think everyone is also experiencing panels in their city where
[00:09:10] they're having their first cmmc you know um event and it's they don't know what they don't know so the people who are putting on these types of events are selecting individuals who are not
[00:09:21] part of the ecosystem and literally can't answer a single question uh properly about cui about scoping about anything and they don't even know that they're you know being so reckless or how irresponsible
[00:09:35] it is but there's hundreds of contractors in the room that are hanging on their words and they're giving incorrect advice so that was what sparked that post which obviously resonated yeah and I I parrot the ecosystem that your perspective that you have about it Koren
[00:09:53] it is a great ecosystem I've been so pleasantly surprised and happy to be able to participate in it and there's so much shoulder to shoulder effort with everybody about different training systems different you know I'm part of the msp for critical infrastructure we're all competitors
[00:10:11] we're all working together to try to help raise the tide for everybody and there's just so many people that have that attitude I've never been in an industry that is just so so shoulder like that
[00:10:21] but like you said that's not always the case sadly and so what we're wanting to try to do is knowing that you know a large majority that's how that is there is some situations where
[00:10:33] these types of things are happening and in my opinion but I'm curious Koren what you think about this do you feel that this is going to start happening less once assessments start
[00:10:44] happening and it's going to start to flesh out the pretenders of how some of those things are being done because these people aren't going to be able to help people pass because of what
[00:10:54] they're doing do you feel that's going to start squelching and kind of calming that down or do you think that's always going to be a challenge I think you know podcasts like this and you know
[00:11:06] I was watching the one you did with joy and all my good friends steward and then George was on there but I think you know folks that are just really trying to spread the word
[00:11:19] that's working but I also just think there's a natural evolution that has to happen where certain things are going to have to happen just like the the way false claims right now is unfortunately scaring people into action right the same thing will happen
[00:11:36] I believe with C3PAOs and assessors and the and people getting ready where there's going to be some who are doing it wrong or not doing it thoroughly or not doing it the way
[00:11:47] it was meant to be and until action is taken which will be a few a year or two from now when the DOD develops some type of oversight over this process more than it is right and it has to
[00:11:59] mature a little bit right but you know maybe a few breaches happen right after an assessor left or right after an MSP claim to have gotten somebody to a 110 I'm not saying that the assessor
[00:12:10] of the C3PAO would be responsible for that at all they probably wouldn't be responsible for it but they might be looked at and they might be asked hey this is was an obvious thing that existed last
[00:12:23] week when you ran that assessment why on earth was this not caught and so certain things like that would have to happen I mean we saw this happen with Microsoft when they had a major breach
[00:12:35] I think Congress like one of the first things somebody said was where's their last fed ramp assessment we want to see it that would be your natural curiosity right what it was mine yeah
[00:12:46] and so I think these things have to play out and then the you know the the good ones will rise to the top and stick around and hopefully the the program will will be more solid and more
[00:12:57] incredible and I'm not saying that it's not right now but I it's so new it's got to go through those growing pains yeah I think like just to compare perhaps and maybe you have another analogy as well I'm curious but for me as a main assessor provider like
[00:13:13] there are lots of peer groups that I can be a member of that talk about how I can operate maturely and and run but when you look at CMMC that doesn't exist yet because that
[00:13:22] like you said the ecosystem is so new there just isn't a breadth and depth of knowledge about how to do some of these things what right looks like what wrong looks like per se
[00:13:34] and these types of different systems I mean there's so many different ways that you can slice the spread about how you want to do a CMMC implementation and you know I don't even think we've touched
[00:13:45] really all of the possible scenarios and all as that starts to play out more and more knowledge is going to start being spread around and I think that's going to help but do you have some examples based on your experience about
[00:14:04] you're you know looking at those gap assessments looking at how people have not really moved the needle what are some things and some stories that you can share to help them
[00:14:15] kind of know that that's maybe perhaps happening to them what can they do to try to possibly get off of that crazy training get to something that's going to be more productive for them
[00:14:24] right I thought one thing that I've heard even you say before is that the end result of doing this is awesome right so this is not in vain it can be a little bit painful but there's
[00:14:37] nothing you're doing that you shouldn't be doing when you look at 800-171 the people who wrote it they're very smart and at the end of the day this is a very heavy systems and network engineering
[00:14:50] document right we cannot take the technical out of it but everybody wants to do that right just like people want to take the technical out of cyber cyber is the end of the road when it comes to
[00:15:02] the level of talent somebody should have in systems and network engineering it would be the endpoint not the beginning you don't start at cyber and then learn how to be a network and systems engineer you're an excellent network and systems engineer and then you are
[00:15:17] able to adapt that to protecting traffic flows and all the types of complex things that cyber has to do with hacking information like these guys are so talented right so if I think the number
[00:15:30] one thing that I see is is my clients or you know students or whoever else they're hiring compliance people that don't have technical people on their staff so don't get me wrong the documentation and the parts of 800-171 that don't have to do with network and systems engineering
[00:15:53] are equally important they're so important and you need somebody that's talented in that way as well like a network and systems engineer the ones I deal with every day they're horrible at writing
[00:16:03] policy and they're horrible you know most of us are horrible at that's not our strong point right so you need they don't they didn't pick a company with all the talent pool that's needed to get this done sometimes that's one person right sometimes one person is an excellent
[00:16:22] you know documentation policy writer procedure writer they're a systems engineer they're a network engineer and they understand cyber but a lot of times that's not the case and that's a tall
[00:16:31] order for any person how about just do you have someone on your staff that is a network and systems engineer because I promise you if they don't or they're not tapping into one they will
[00:16:41] not ever ever be able to make you 800-171 compliant if they don't understand a router they don't understand the VLAN and they don't understand boundaries and they don't understand what it truly means to protect control monitor detect there's no way so it's it's not a tall order
[00:17:01] for a network and systems engineer to read those lines in 800-171 and say oh yeah yeah this is what we need this is how we do it it becomes much less overwhelming when you've got the
[00:17:11] right person working on it and then what I find is they're like you know you might find an excellent network and systems engineer but they they don't know the language yet of 800-171 they need
[00:17:25] translation and so that's why all all the different types of talent are important they're there might just be someone who's not as technical but is excellent at what the assessor's looking for
[00:17:36] and you know presenting the right type of evidence and so I think that's the the number one thing that I see is a lack of understanding uh that anyone who doesn't have that element that we're talking
[00:17:50] about they're going to spin you around in a documentation wheel a big compliance story and you'll never get anywhere you'll just be they're pretending they're oh this week we need to work on
[00:18:00] this procedure and this week well guess what that's backwards because it all starts and this is bad sign number two bad sign number two is that they don't understand that they can't get going on this
[00:18:13] engagement without the basics the basics are an accurate inventory of your assets your users your devices and your service or process accounts the second basic is your network diagram and the
[00:18:26] third basic is your cui flow so we can talk about each of those separately but I think we should talk about each of those um mandatory items you can't even start your engagement
[00:18:40] with a company until those three things they that's where you should start let me put it that way I was smiling because I went through that journey that you just described like when I was trying to
[00:18:51] tackle it it was I was like okay I'm I'm an engineer by design know thyself right I'm an engineer I grew the company I'm the CEO but I'm a engineer at heart so as we've kind of worked on our journey
[00:19:04] I was focusing on trying to do both I'm not great at the documentation piece um and so I had to bring on somebody else that was much better at that way more efficient and boy did
[00:19:15] that make all the world a difference for us in how we were doing that because I needed someone that that's the lane that they own and can really swim in and really get the most bang for us to
[00:19:27] be able to move that and then I worked on the scoping the design the architecture the documentation of all of that those are just such a big deal and neither of those can be
[00:19:37] overlooked they're they're such a major component um but I had to learn that the hard way sadly um and so you know over the years as I've been working you know those are lessons that we've learned
[00:19:52] but the the areas that you talked about I just want to kind of dive into this more because I think those those are so good it is the those critical starting points you know those could
[00:20:05] be would you say red flags if you're not seeing someone want to try to do this what are some what some insights that you can share about each of those briefly that that that if someone doesn't
[00:20:14] really know those they can kind of use that as a barometer right to take a measurement and kind of go you know maybe this isn't so good can can you touch on that a little bit more well I think
[00:20:24] a good sequence of events would be to fully understand the current state and the output from fully understanding the current state which is going to come from a very thorough gap analysis
[00:20:38] the output from that is going to be at least you know an accurate asset inventory of what's going on right this moment for the scoping that's been determined so that that gap analysis will
[00:20:51] lead to first of all you know big kind of saying this is what it looks like your scope is based on what you've said so far and there's a lot of questions that erupt from that gap analysis
[00:21:04] like for me it's always what are these workers doing how do they work with the CUI where do they get it where do they send it what systems do they use what applications do they use
[00:21:16] from cradle to grave is Cat one of my fellow instructors Cat Adams that's her favorite saying but love Cat if we can't understand that for every single flow that there is then we will not be able
[00:21:29] to do this so one flow could represent hundreds of people in the way that they work right they all get it the same way they all use the same systems they all store at the same place and they never
[00:21:40] send it anywhere or they do but that's one an example of a flow and then maybe there's this other contract that you want it's got a completely different flow every if people are like wait
[00:21:50] we got to know all that yes we cannot get started until we know how everybody's working with CUI we will not you can't protect what you don't understand so it's impossible right so if we don't
[00:22:02] figure out what all the flows are during that gap analysis and determine what the true scope is the assessors might or will hopefully if they're good assessors on I say might because assessments are limited to a certain time frame and they have boundaries that they
[00:22:18] have to stay in but it's very assessors are pretty talented people normally they they pass that exam and they have a certain background they're pretty good at you know asking important questions not
[00:22:29] that they're digging or trying to make people fail but they're going to notice red flags and we don't want them to notice a red flag that we didn't notice or a flow that we didn't notice
[00:22:40] you know that that becomes evident during the assessment so all flow and anyway when I'm talking to customers they might say I don't really know what those field workers do or how they do and
[00:22:51] they just think that that's that's an okay answer but we have to know we we have to go talk to them ask them so I'll just keep saying have we have we gotten a meeting with with so and so yet you
[00:23:01] know and they're like wait you're you need to talk to a worker a field worker a nurse this of that yeah we need to talk to one representative of that CUI flow so that we can understand
[00:23:13] what it's like out there are they are they using their laptop are they using their phone are they where you know what's going on at at at their from their perspective with their interaction
[00:23:24] with the CUI a big red flag would be that your your consulting company is not really concerned with those CUI flows or doesn't understand how important they are and how important it is by the end of that gap analysis to get an accurate depiction of your network
[00:23:39] the network diagram's got to be accurate and the CUI flows and from there the other bad sign is they want to write policy that you haven't even done the future design yet and we don't even know
[00:23:50] what the future state is going to scope and all that fun stuff while writing a policy and procedures to a state that we're going to be completely changing um that that shouldn't be at all there should be a very technical discussion um not only technical obviously
[00:24:06] there's other domains the personnel domain risk management incident response are we gonna what what did our POA&Ms that came out of that gap analysis say we need to do and let's go through
[00:24:18] this project by project and figure out how we're going to tackle this is project management what we got a bunch of many projects um how are we going to tackle them all let's see if there's
[00:24:26] some overlapping work you know all that all that stuff you learn in your PMP class or whatever yeah that's your tip yeah so so not trying to put words in your mouth but what you would just
[00:24:38] kind of summarize there would be that you want to see that they're doing a proper gap assessment of understanding they have a good result and return they're looking at the flow of your data they're looking at the architectural design they're understanding the mechanics
[00:24:54] that are going to be involved to pull it off so you kind of paint the story picture and now you start writing policies around what that's going to look like and you're going to
[00:25:03] implement projects to get it there and start happening is that does that sound right I mean that's a very general and I mean I probably the most important step in between all that is to
[00:25:13] determine the official scope of CUI like what are we doing here are we doing enterprise-wide or are there home offices that are in scope are there you know cloud services that are in scope
[00:25:24] sub subcontractor you know that we from all of that learning that we do at the OSC that that and learning about their flows that we determine a proper scope and so another bad sign would be maybe
[00:25:38] that whoever you're working with is not even aware of the scoping guide out there and the DoD CIO's website or the assessment guide and this goes to training I can't really
[00:25:48] understand how anybody would be able to help you through this without RPA or or even better CCP I mean it I've never had a student start CCP on Monday and finish on Friday and say I already knew
[00:26:03] all that ever not one time and I've taught hundreds and hundreds of students it was a firehose for me I was like whoa it's awesome it's so awesome because I mean and by the way my classes are
[00:26:14] filled with MSPs and OSCs my classes or sorry not assessors I mean the CCP the certified the Certified CMMC Professional is the first step to become an assessor which the next step is
[00:26:27] Certified CMMC Assessor so you would think that everyone in the class wants to be an assessor but that is not the case we have about two or three people in there that are going down
[00:26:37] the assessor track everybody else is an OSC or an MSP trying to get ready which is I have to applaud that's so awesome that there's no better way to get ready than to go through the
[00:26:47] 110 controls one by one and understand each one have a chance to ask questions learn scoping learn the CAP find out what your assessment is going to be like so if someone hasn't been through that I
[00:26:58] don't know how they would really be able to help as well you kind of open two doors there which I want to make sure we cover both because I think they're amazing is you talked about the
[00:27:07] CCP you talked about having that knowledge what are some things that might be red flags knowledge wise that you would want to see whoever you're working with have I mean is if they have a
[00:27:21] CCP or CCA that's enough great you don't have to go any further or is there more to it can you can you put some more flesh on the bones about what kind of knowledge and certifications
[00:27:29] and expectations which you want to have from someone before you engage with them so I would I don't want to be too judgmental and say you know you have to have this or you have to
[00:27:38] have that I'm a CISSP I have a lot of certs in my background with Cisco and Microsoft it is I it obviously gives me a huge competitive edge so I'm telling you that I use that stuff every single
[00:27:54] engagement I am using my network engineering skills to the fullest it is a tall order this stuff right so and even I get stumped because I don't know every single technology if somebody
[00:28:08] comes to me I had this amazing company come to me they're in AWS that is not my expertise and we need to bow out gracefully when that happens and say you need I can help you
[00:28:22] with with this part of things that's exactly what I said I said I'd be excellent at shooting holes in everything and asking some hard questions and complementing the expertise of an AWS expert
[00:28:35] but the the what the talent that is needed is determined by is the technologies that they have invested in if they got a Palo Alto firewall do you have someone who can actually
[00:28:47] look at that and maybe the person is on their team already that's fine just make sure that you and again this goes back to project management what are the skill sets needed in order
[00:28:58] to evaluate this environment and fix it or get it to its future state that's 800-171 compliant don't put people's names there yet just identify the skills we need someone that
[00:29:07] knows Palo Alto firewall we need someone that knows GCC High in Azure we need someone that understands hybrid because we're bringing it back on prem and we need someone that understands this MSP tool or MSP whatever now that you've figured out the skill sets needed or the the
[00:29:24] different technologies in use now go through what you have today that could be mapped to those different skills that are needed and where is your gap what what don't you have do you
[00:29:36] do you are you missing something and the two choices are send somebody to training so that you can get the skill that you need for that hole or go find someone with that talent and there's so
[00:29:48] many places now where we can go but you know you do have to be very careful with 800-171 and sensitive data that you're not you know going places that you're not allowed to go
[00:30:01] like to non-US citizens if you've got ITAR export control it's you've got to be really careful at the same time as you fill those skills gaps to put them through your full onboarding authorization process and just be super super careful if you do have to fill
[00:30:18] gaps with people you haven't worked with before so would you be comfortable if someone didn't have any ccp or staff i know i'm getting a little more specific i'm sorry but uh i just want
[00:30:30] what your thoughts about that so i really appreciate um what the ab has done i i think they have lined up a lot of different flavors of training for different levels of involvement in the ecosystem right and
[00:30:48] i don't even know if they expected ccp to be so popular but at the end of the day the reason it's so popular is because it gives there's not a single thing in that class that you don't
[00:31:00] need to know the only thing i could even think of that you wouldn't really need to know day-to-day is the part about the code of federal regulation and all of the defars clauses but really kind
[00:31:09] of do need to know that too so that you can understand the requirements so um that one might say that's the most important part of the class uh so i would i would i am biased towards ccp
[00:31:24] and cca even better that means they've gone through all of it once and then they went through it again at a super deep level right um and i have that on my list today is you know i
[00:31:36] cautioned people against um dealing with a company who doesn't have a ccp or cca i don't think they're going to be able to get you there without that training it's just too much in there that
[00:31:49] you have to know about the assessment in order to do it right. So we have people all the time say, we're ready. This happens at every conference: we're good, we're ready, we're ready. And it's just
[00:32:00] because they don't know they're not ready. They don't mean to be misleading; you don't know you're not ready until you take that class and realize what the assessment's going to be like. And that
[00:32:08] leads us to another red flag, which is comparing two things. Devaluing the program, saying it's stupid or that's dumb, this is a scam, this is that, that's not going to be helpful at all in your
[00:32:21] journey to be compliant. And the other thing is comparing it to other assessment types or audits. So this is unlike any audit that anyone I know of has been through. It's not like
[00:32:37] SOC 2, it's not like ISO anything, it's not even like RMF. Why? Because, and I hear that one all the time: I've been doing RMF since 1902 and, you know, I'm the best in the world at RMF.
[00:32:49] I'm like, that's awesome, and that means you know 800-53 really, really well, which is an important thing for this, right? But what is not the same is in RMF you have so much more control. You are able
[00:33:06] to accept risk, you're selecting controls, you're doing that. They don't understand how powerless we are and how much is on the line for an assessor. We can't accept risk, barely at all. We can't skip
[00:33:20] past objectives or controls, pretty much, unless there's a super, super obvious or good reason or the DoD CIO has written them a letter saying they're excused. It's really hard to not do the
[00:33:35] assessment in this very strict way. With the 320 objectives we have to check them all off, write a paragraph about why we believe they're doing this across their entire scope, and then our name
[00:33:46] as an assessor is on that as a permanent record in a DoD system. So I think people need to realize that this might be a little bit more rigid. Not that it's harder or better or anything like that;
[00:33:58] it's more rigid than these other more flexible assessments that they may have been through in the past. Yeah, I've never had anyone that has objected about doing the CCP but then
[00:34:11] went through it that said that was a waste. Every time it was always like, oh, why did I fight this? I really should have gone through it. The knowledge they get through it is just invaluable,
[00:34:23] and they immediately kind of, you know, light bulb. They're like, I really do, I'm glad that I went through it. I really do think this is the right thing to do. And so
[00:34:34] if you're going to be doing it on your own and not engaging with a consulting company, or if you're going to be engaging with a consulting company of some magnitude or sort, making sure that they have at least a vast amount of experience with doing actual assessments, have
[00:34:47] participated in them and gone through them, or at a minimum have those certifications, would be my level of comfort. Yeah, and I would want to make sure that they... hey, you said it,
[00:34:58] not me. Yeah. But the reality is there's so much cost to it, right, to go through this. You mentioned some dollar values of some people that had spent some money when they came to you, and it
[00:35:09] was really hurtful, I'm sure, for you to see that happen and go, you know, I wish I could give you the you-got-kind-of-stuck discount, but I mean it's going to take your time and you're going
[00:35:21] to have to charge them what you need to in order for you to get them where they need to be. And do you have other stories that you can kind of share about what you've experienced in the
[00:35:30] industry about those types of situations? So, you know, again, I try to keep it positive, but I would just say that, you know, I've had people get up in CCP and storm out because they realized
[00:35:44] that they were getting taken advantage of, hugely. So that literally happened: they stormed out, made a phone call, fired whoever was their consultant, and came back into class. Not stormed out of my
[00:35:54] classes because they were mad; they stormed out because they were mad that they realized they'd been being taken advantage of, right? And I think it's a lot more difficult to get taken advantage of when
[00:36:05] you're educated. Also, you can do a whole lot of it. One thing you realize is, like, there's like half of these I can do by myself, right? And then you kind of go through and you're like, I can't
[00:36:15] do these ones by myself. So I would say what I'm seeing the most, Bobby, as far as if we were to talk about the negative side of things, or the side that can hurt people,
[00:36:31] it's just that folks aren't checking the Marketplace. That's one of the best things that the AB gave us: a place to validate credentials. And so the biggest problem is that people don't know that they can validate credentials, and that this is the type
[00:36:49] of thing that you can't do just because you put a new sign out on your building and said, now we're... which is happening everywhere, right? Everyone's on this now. We get emails just flooding our
[00:36:59] email inbox every day; everybody is a CMMC expert now. So I would say checking that Cyber AB Marketplace just to see. On there you can go to the individual level; you don't have to go to
[00:37:13] the company level. Who's going to be working on my environment? Let me see what they pop up as in the AB Marketplace. If they haven't been trained on this at all, I promise you,
[00:37:26] even if they are 800-171 experts, the little details of the assessment are very, very important. You have to understand how this is going to work. Now, I'll mention this, and I'm
[00:37:39] going to take a little bit of a liberty here, so you tell me from every step in the line. Like, I was talking, I think it was a few weeks ago, with a company that was thinking about
[00:37:49] engaging with us, and after we talked we were like, here's what I would do if I was you: I would do this, this. I would go back to this other company, have this discussion, and go with them.
[00:37:58] I'm just sharing honestly; I just want you to know that this is probably the best path for you based on where you're at right now. And they were just, like, shocked that, you know, that
[00:38:07] they're not trying to get shoehorned into something. But I think so many people in the industry are just comfortable sharing, like you. I think you could pretty much reach out to a
[00:38:17] lot of the people in the industry. I'm happy, and I'm sure you probably would be too, Corinne, if you have questions about, like, does this sound right? You know, just like, you know,
[00:38:26] some bearing checks on some things. You know, we're not here to try to sell you on, you know, the moment that you try to reach out to us about, oh, you need to do this. Like, everybody just,
[00:38:37] this is what I love about this industry, really cares so much that if you're not sure, if you think you might be having a bad experience, just reach out to somebody
[00:38:45] and talk. Ask, just ask. That's such great advice. And I want to talk a little bit about the MSPs. I actually feel like MSPs are staged very well to play a wonderful part in the ecosystem, like
[00:39:01] just in the exact way that you're doing, because of what I'm harping on, which I hope, you know, people don't get upset by what I'm saying, but we cannot deny the
[00:39:13] technical element to this assessment, and MSPs, they already have that very technical background, most of them. And yes, MSPs in the past had not been held to maybe this strict of a standard,
[00:39:28] and definitely there are MSPs in the past that were not following, you know, good protocol, but there are a lot that are and do, and they have highly technical staffs. And so
[00:39:42] it's akin to, like, if you gave someone who had never been in the kitchen a recipe, and then you gave a famous cook that same recipe, the output is going to be extremely different,
[00:39:54] right? And the MSPs, they've been in the kitchen a long time, right? This recipe, I can teach you how to do it: 800-171. So I can teach you what 800-171 means pretty easily in a week. I can
[00:40:07] translate the language to you, and I can tell you what assessors are looking for. All these different assessments, like I do Department of Homeland Security, I'm a lead assessor for HVA, it's just a different flavor. Tell me how you want me to write the report,
[00:40:21] tell me which controls you want me to assess, tell me the rules of this particular assessment, right? That's the easy part to learn. What you can't
[00:40:32] teach somebody is 20 years of IT, right? But MSPs, they already have the hard part. They are the cooks, they are the kitchen, and they can pick up the rest of this stuff. I'm
[00:40:46] not trying to downplay the complexity of compliance or policy writing or procedure; they might need to supplement a little bit on that, because they're not traditionally very good
[00:40:55] at that. But they are good at the hard, hard part, right? And maybe the MSPs need to also think about bringing in these folks that are compliance folks, that are good at the policy
[00:41:07] and procedure. I was just gonna say that. I mean, it's so true. I get looked at weird sometimes when people are like, okay, so you're in the CMMC space, so you're going to do
[00:41:17] everything for the client. I'm like, I'm an MSP, man. Like, I do... my MSPs that aren't going for CMMC, do I help them with their policy on background checks? Yeah, no, not really. That's
[00:41:33] not really what an MSP traditionally does, right? We're, like you just said, more in the technical area. The things that our clients aren't used to or not very good at doing, those are the
[00:41:44] things that we pick that mantle up on. The problem is, are we doing it in a way... not really a problem but a challenge is, are we doing it in a way that's productive for their CMMC journey, or are we doing
[00:41:55] it in a way that could potentially compromise their CMMC journey? Heard that, yeah. You know, and so the MSPs can be your savior or they can be your downfall. So how can you... one thing that I've
[00:42:07] always suggested, and I'm just curious what your thoughts are, is, like, if you're engaging with an MSP you should still talk to whoever's eventually going to be your C3PAO and just have a sounding
[00:42:15] board about what you're trying to do, or at least have another outside consultant, just to make sure that the MSP process that's being involved is going to be healthy for you moving down the road.
[00:42:24] Do you feel like that's good advice? So right now, you know, when I have clients that have MSPs, and this is on the consulting side, not the assessing side, it adds a huge
[00:42:36] layer of complexity for the very reason that you're saying. So now we've got a whole bunch of shared responsibility that's going to come into play during the assessment. And yes, you do want
[00:42:47] to reach out to a C3PAO earlier rather than later. Not that they can give you any inside scoop or anything like that, but you can interview C3PAOs the same way you interview anyone, right? They,
[00:43:00] if they can't answer a question, they're just going to say, I'm sorry, I cannot answer that. But you're still going to get a feel for what the C3PAO is familiar with. Maybe they've assessed
[00:43:09] people using MSPs before, maybe they never have. So you can ask the really simple and basic questions, and they're probably going to ask you some questions as well, just to try to get the
[00:43:22] preliminary information about your company. Even the questions that they're asking you might be insightful: oh, they were interested in that, they were asking us about this or that. But the part that's really hard with MSPs is how hurtful they can be to the OSC's compliance
[00:43:39] if they don't have their ducks in a row, right? And it's sort of what I was referring to when I was saying C3PAOs, because they can engage you in consulting; they can't do
[00:43:49] both. But if you're able to engage with a C3PAO or another reputable, certified, qualified organization that can sort of help you understand... I mean, just spending money on a consulting call to have
[00:44:05] your MSP just sniffed about their approach would be well worth the investment, because you don't want to find out when you start that engagement with whoever's going to be the organization that's
[00:44:17] going to do your assessment, and they kind of go, I don't think you're really ready. That is such a great idea, what you just said. So who cares if you spend 500 bucks to hire an assessor, a
[00:44:29] CCA, for an hour, who's not going to be your assessor in the future, but instead you want them to poke some holes: tell me what you would want to know about this, tell me what you would be concerned
[00:44:38] about in 800-171 related to our use of this MSP. That'd be the best 500 you ever spend, or a thousand, whatever it is, however much time you want them to spend doing that. I mean,
[00:44:50] what a great way to find out sooner rather than later what the problems are going to be. And I don't know if I would... this is just me as an MSP, I can say this, so don't think
[00:45:03] I'm putting words in your mouth, because I'm not. As an MSP, I don't know if I would straight-up gospel trust an MSP doing your full scope. Like, I would want to have,
[00:45:15] unless they have just been in the industry and just have owned that space like nobody's business, I would want to have another third-party organization to just look at your scope
[00:45:26] to make sure it sounds right, right? To spend some time and have someone just kind of look at it, like you said, poke some holes, because you're going to spend a lot of money and project time
[00:45:36] to build that scope out, and if you don't have someone else sort of looking at it... Now this is where having maybe somebody in-house that has CCP experience could be really helpful for the
[00:45:47] OSC, but I don't know, what's your thoughts about that? Engaging... you kind of reminded me of something else that's really, really important, and we keep going back to engaging experts that have been trained
[00:46:01] in this and having them take a look at what you've got going on. And this is another red flag: it would be that a company that you're working with, or an MSP that you're
[00:46:13] working with, doesn't understand, it's kind of the beauty of 800-171, and it's the part that everyone's not seeing and it drives me absolutely nuts. 800-171 is in alphabetical order, the domains, right? So it doesn't mean that you're supposed to do Access
[00:46:30] Control first and then you do this one and then you do this one. This is just an alphabetized checklist. And Jacob Horne, I did a video recently where he talks even more about
[00:46:40] 800-53 and how the actual individual controls and things like that, how they came up with their numbers. That's kind of interesting. But as far as the domains go, they're in alphabetical order. I bring that up because the System and Communications Protection domain has got the
[00:46:59] most important control for beginning everything: it's the boundary. We have to know where the boundary's at, and there's going to be several of them in a lot of situations, right? So you're
[00:47:09] going to draw a circle around all your boundaries. That first circle might be the center of the universe where your CAGE code is and your headquarters is, or your OSC main area is, right?
[00:47:21] Another: you might be communicating with home offices. They need a circle too; they've got to have a boundary, right? So draw all your circles. If you can't tell the assessor where the boundary
[00:47:32] is, the DIBCAC, I can tell you right now, if they can't feel that boundary you're in bad shape at home, even. You can get them off your back by saying, here's the... and now I'm going to
[00:47:43] bring it to MSPs: here's the boundary and here's how we keep it in that boundary. If they realize that you don't understand the technology and the boundary isn't what you think it is, and it's leaking back
[00:47:54] into your home wireless network, it's leaking over to the printer, and you think the boundary's at this one endpoint, and they're like, nah, you did not create a boundary. You did, you had a
[00:48:05] boundary, but when you did this you went outside of it. The reason we need the boundary is because 800-171 tells us there's the inside and the outside, internal and external. So every
[00:48:15] boundary, we call it a covered space, is that safe space that we work in, and there's all these things that have to be true in that safe space, and that's what a lot of 800-171 is about: the people
[00:48:25] inside of it, the devices inside of it, and the way to transmit. That's really complex. You know, everybody tends to kind of go to enclave, like a virtual enclave is the only way you
[00:48:36] could do boundaries. That's a boundary too, you know, that is a boundary. It's not the only way that you can do it, but, you know, I think doing a virtual enclave definitely paints a prettier,
[00:48:49] more defined picture. Yep, it gets pretty. It starts to get messy when you start involving in-scope, you know, local resources with your virtual resources and other things. Those are all definitely doable, but I think the difficulty factor goes up exponentially when you involve an MSP.
[00:49:10] They have their own infrastructure. How are they scoped? How is their boundary attaching to your boundaries, right? That is the really important part. That was going to be what I said next, so let's go to the MSP's boundary and your boundary
[00:49:24] and that external connection, right? So external connections outside of, inside of each boundary is what we call a covered space. This is why they want your MSP to get CMMC certified: that is now
[00:49:35] a covered space. They have their own internal area and it's been certified and it's practicing all of the things it's supposed to, and then that external connection has a whole other set of rules. All this stuff kicks in the second you go external, and the boundaries
[00:49:51] at both places is where we do monitoring, controlling, protecting. Those words mean something. Go to the System and Communications domain: the assessor is going to go straight to that boundary. Where's the point at which it becomes external? Where's the point at which it becomes internal?
[00:50:06] Is that a sealed boundary or is it leaky? And that's what the MSP, when they try to involve themselves with the OSC, if they could focus on that alone: not having a leaky boundary and being very specific about how they've secured their boundary, and their boundary, you
[00:50:22] know, the point at which it becomes where you're out, or your gateway, that you're doing all of those things that 800-171 says has to be done at that point. This is all a really great story.
[00:50:33] When you look at it, 800-171, it's not as complex as everyone thinks. It's asking for these boundaries and respect for external transmission and rules that kick in when you go outside the boundary, and only dealing with others who have a boundary, including
[00:50:50] cloud service providers. And that, I think, maybe is a good transition to another point. You work a lot with MSPs from a consulting or training side, right? Based on some of the things
[00:51:01] that you talked about, as MSPs we use a lot of tools, right? These tools can be our savior or our boat anchor when we drop in the water, especially when it comes to the CMMC process.
[00:51:16] There are a lot of tools out there that are talking to MSPs and saying that they can solve their CMMC journey problems, and they can then resell them to their clients and things of that
[00:51:27] nature. What's your thoughts about that for an MSP? And then when an MSP engages you and you're an OSC, what do they need to be wary of about that MSP's tools and those types of
[00:51:43] things? Can you sort of talk about that? I know that's a big Pandora's box, but what's your thoughts? Well, I think if you just take those tools and bring it back to what we were just saying:
[00:51:53] is the tool able to respect all of the elements of what we were talking about, boundaries and secure communications and the other rules that are involved in 800-171, and including the rules that are going to be involved in Title 32 when the new rule comes out?
[00:52:15] The fact that, you know, certain data, if the MSP is housing it for customers and they have set themselves up in a cloud service provider type fashion, they are going to step
[00:52:31] into that FedRAMP territory. CMMC is... and I have a whole video on that, I think. You know, I love that one for that video, but they're very different purposes, and it's
[00:52:43] completely logical that when you begin to tell people, oh, it's safe, put your data over here in my tool, or I need to pull your data back over here, that you're held to a standard
[00:52:54] that inspects the elements that are involved with that, which is a whole different set of elements and architecture concerns that are not addressed with CMMC. And so when you
[00:53:07] talk about these tools, I finally wised up to this, but I used to accidentally spend a lot of time. I always want to make sure I meet with people who have questions,
[00:53:17] but I think we all get those people who want to sell their tool, and, you know, they've got this great tool and this tool that and this tool this and this tool that. You know,
[00:53:28] the tools that your MSP is using is one of the first questions you should be asking them. What are the tools you use? Will you be pulling my logs back to
[00:53:42] your environment? Will you be popping up on people's desktops to offer remote assistance? And I need to understand every single detail about the configurations involved with
[00:53:56] that, the product, its FedRAMP status, all that stuff. Yeah, and I think that goes back to just spending some time with a qualified individual, preferably a CCA in my opinion, someone that's gone through assessments, that thoroughly understands scoping. You could spend a few hours talking with
[00:54:17] them and having them talk to your MSP just to analyze critical questions like you're saying. It could save you so much headache down the road. Don't spend eight months to a year with that MSP and
[00:54:30] then do it. Like, I would have that conversation with them right away, and, dare I say, if you're in the process of picking an MSP, hire Corinne to help you pick the MSP. Well, I know a lot of amazing
[00:54:46] like yourself in the ecosystem. I was gonna say, you all, like, spit out quite a few of the most famous tools that MSPs are using right now. Just what are they? Kaseya, ConnectWise,
[00:55:00] Ninja, Syncro, tons, ScreenConnect, Splashtop, all kinds of different tools that they use. Now take those tools and tell me what someone who is extremely irresponsible could accidentally, I'm not saying they did it purposely, could accidentally do with... they're not
[00:55:22] familiar with sensitive data, DoD-type customers. They are pulling back logs and possibly even have opened up their tunnel to Controlled Unclassified Information. They have the keys to the kingdom. What could they do to jeopardize, without ill intentions, just pure irresponsibility
[00:55:42] or not knowing? How do those tools end up posing a danger to the client? I mean, they're a huge security risk, because you can do so much. So if your MSP gets compromised, you're screwed.
[00:55:55] It is a very, very bad day. That's what I wanted you to say: that's a very bad day. What's your approach towards your tools in the compliance in-scope environment, right? You could use some more latitude
[00:56:08] in out-of-scope situations, but in scope, like, are you gonna use a remote management tool, right, to be able to push the patches and to have full control of the systems? And, you know,
[00:56:20] those are questions that you want to ask. For us, we kind of said, you know what, we feel like this is a dangerous zone, especially in CMMC, so we decided we're just going to utilize Intune.
[00:56:30] We're going to utilize that for our management piece that we're going to have, because we just didn't want to introduce that in the compliance environment, just because there's challenges from the security perspective, there's challenges from the assessment perspective,
[00:56:42] and we just really wanted to steer away from that whole situation, because right now there just isn't a good FedRAMPed solution to use in that space unless you self-host, and that's a whole other
[00:56:54] podcast conversation that would be very interesting to have. I'd love to have it with you. But is there anything else, Corinne, that you feel like you'd like to cover before we close out?
[00:57:05] I really enjoyed talking to you. I mean, I think the biggest point here is we need MSPs, and they are a critical part of this program that are charging towards it instead of
[00:57:19] running away from it. You're helping the nation; I mean, that's all there is to it. We need more MSPs to follow your lead and do what you're doing and jump in, and it's going to pay off, you know.
[00:57:32] It's good for your own network and your own company, it's good for all the people you're helping, and it's where the country needs to go. So, well, thank you so much, Corinne, and I appreciate
[00:57:43] the compliment. Knowledge is really important if you're stepping into that space, and either you need to surround yourself, if you don't have much, with a good consultant and an MSP to be able
[00:57:55] to pull all that off, or you fully engage with, you know, learning to really know it yourself, because, I mean, it's just too much to try to tackle on your own if you haven't had significant
[00:58:08] experience and time. And it's definitely not something you just kick to your intern, right? You don't just say, you know, we just hired this guy yesterday, he's going to help us do our CMMC.
[00:58:16] You're like, no. Yes, no, you're in trouble. Well, Corinne, thank you so much. I really appreciate it. How can people engage and connect with you? Can you share some ways that they can connect?
[00:58:29] I think the best place is just to go to either my profile on LinkedIn, which is Corinne Wise, and that's a great place to kind of see other things that I've put out there, or go to my website, which
[00:58:40] is WTI networks.com, and that's where you can sign up for CCP class. I would love to have anybody that's watching in CCP class. I just love that class because I think it's, you know,
[00:58:52] so beneficial. But there's also a lot of other resources out there and you can take a look. You can even schedule 30 minutes for free with me anytime, one time, just to ask questions,
[00:59:03] and that is just to help the DIB. It's not for salespeople but more for OSCs who need help and really have questions, like you were talking about earlier. We try to make sure we always meet with them.
[00:59:13] Yeah, that's great. All of you, thank you so much, and if you haven't followed us on social, please do. You know, try to make sure, depending on what media you're on, click
[00:59:22] and subscribe, and we always are open to comments or questions or suggestions. And as always, everybody, keep on climbing. Make sure to follow us on LinkedIn and YouTube to stay up
[00:59:34] to date on the latest CMMC news. We hope you guys enjoyed today's episode, and listen out for the next one, but until then, keep on climbing.