The Mission Behind CMMC from Three Perspectives: C3PAO, MSP, and Vendor

[00:00:01] Climbing Mount CMMC presents Cybher Women in CMMC. Today I am joined by Joy Bielen, Vice President of Cybersecurity Compliance at Summit 7, Carly Salmon, Senior Security Specialist at Microsoft, and Amy Williams, Vice President of CMMC at Coal Fire Federal.

[00:00:25] Hello climbers and welcome to Cybher Women in CMMC, a series that is attached to Climbing Mount CMMC. And I am beyond excited because we don't have just one or two, we have three incredible guests that are doing some amazing things in the CMMC ecosystem. Each individually has their hand in something completely different, which I think is extraordinary.

[00:00:52] I am excited for you to hear all about what they are doing in the ecosystem and what they have coming up. Some have some exciting news that they can even share on here, which is really excellent. But I'd love to get started. Joy, Amy, Carly, thank you guys so much for taking the time to talk on here. I'm literally, I selfishly am doing this, honestly. It's really just for me.

[00:01:17] But other people get to do it. So this is so great. I would love to ask you guys just, you know, introduce yourselves, who you are, a little bit about yourself and where you are in the community right now. Let's go around and just each share a little bit. Joy, did you want to get started with yourself? I'm happy to. And thanks for having us, Kaylee. So I'm the vice president of cybersecurity compliance over at Summit 7.

[00:01:44] We're a managed service provider and we have roughly a thousand customers in the defense industrial base. So we're helping them in their preparatory journey for their CMMC level two assessments for NIST 800-171. We also have other frameworks that we support, but we are exclusively focused on the defense industrial base.

[00:02:05] And in my role, you know, I'm doing internal cybersecurity readiness and getting ready for our own CMMC level two assessment. But I had my own MSP for 21 years. So I really come from a lot of background in managed services and have been focusing on CMMC now since 2020. So I think that a lot of people have much deeper roots than I do.

[00:02:31] But then I absolutely love this industry and the mission. So, so great. I, I, you know, we have a connection because here we are as an MSP ourselves, too. And it's really exciting to watch you guys and all that you're doing and accomplishing and being in the middle of your CMMC level two assessment is like so excited. You will be literally one of the first in the country to get that. So that is no small feat. And that is super exciting.

[00:03:00] So thank you so much for being on here for sure. Thank you. Amy, did you want to go ahead and introduce yourself? Sure. Thank you very much. And thank you for bringing us all together today. I'm Amy Williams. I'm vice president of CMMC for Coal Fire Federal. We are one of the first C3 PAOs and RPOs. We've been doing advisory work for quite some time now. We are in the midst of doing our first assessments, which is incredibly exciting.

[00:03:29] And like Joy, I actually ran an MSP. I don't know if you knew that, Joy, some time ago. And it was a small MSP though. It wasn't on Summit 7 scale. And we were trying to figure out how we could do cybersecurity work also for that part of the organization. And advisory was the only way we could go because we didn't have the budget for a SOC or anything like that.

[00:03:54] And then CMMC was an obvious answer because we had about 40 companies that were manufacturers that needed to be compliant with 171 at the time. So, yeah. Wow. And another incredible accomplishment to be one of the first ever C3 PAOs in this ecosystem, which is incredible. Congratulations. Thank you. Wow. I can't wait to see like what this year brings for you guys. It's going to be crazy. Yeah. It's going to be awesome. Yeah.

[00:04:25] Carly, did you want to introduce yourself as well? Yeah. No, thanks for having me. I'm humbled to be here with these two amazing women as well. Carly Salmon. I work at Microsoft in the federal arm as a security technical specialist. So I work with our defense industrial base, as well as our DOD customers with their security stories and their security journeys.

[00:04:49] And the reason why, you know, I'm in this space is mostly from my previous role, which I was part of DCMA DivCAC. I helped start that back in 2019 and did the first DFAR 7012 assessments. And that's kind of, you know, the precursor to CMMC today. So I did the first C3 PAO assessments.

[00:05:11] And so it's great to still be kind of part of that community, but kind of my role in that community now, like Microsoft is a big cloud service provider. So participate in those things as well as evangelizing how Microsoft help companies meet the CMMC requirements, answer any questions. And, you know, I'm still heavily involved just now, not from the assessing side and the government side, but from the cloud service provider side.

[00:05:40] So it's really interesting to kind of have been part of both sides of it. So, yes, that's such a person like the dual perspective that you have is like really interesting to me because it is it is helping, you know, the same ecosystem, but in different ways. Yeah. And so, like, even I wanted to highlight to a recent announcement is that the GCC high is now authorized in the FedRAMP marketplace.

[00:06:07] And all of these things are evolving and changing in the Microsoft space, too. So that's a really big deal, too, for the CMMC ecosystem. For sure. And Microsoft definitely has like a really like large CMMC. I say large, but it's really kind of small, I guess, compared to the size of Microsoft. Right. But there are so many people that are so passionate about our defense contractors and what how we can help them in this space.

[00:06:34] And so it's really cool to kind of be a part of that community and coming from the government, because there's only so much you can say as a government like employee and as a dip cacker. And so to kind of be on the outside and be able to kind of have like, you know, a little bit more open conversations, but then taking kind of that perspective and that connection, you know, has really been very helpful to to me, to us and to the ecosystem as a whole.

[00:07:01] Yeah, that's awesome. So I would love to get to your guys is why behind, you know, why, number one, you do what you do, but also specifically why you chose to step into the CMMC space. Some of you guys have shared like what what kind of the transition was like.

[00:07:22] But I feel like, you know, anybody who is in this has a certain heart behind maybe whether that's a certain type of person or company or individual or even just to, you know, help the United States of America in a certain way. I would love to hear you guys just your perspective on your why. Who wants to go first?

[00:07:48] So, I mean, my my why kind of stems into also like why CMMC, you know, I've realized a lot everything that I've kind of done in my life career wise or even just personal, like it's very purposeful and mission driven from being an Army veteran. And then I even saw kind of that extension of service when I started working for the government at DCMA.

[00:08:13] And then stepping into CMMC was a different way to continue that service because it, you know, that involved the defense industrial base and our contractors, which are building things, creating things for our war fighters. And so, you know, being one then before kind of felt like an extension of that mission. And I even still feel that today at Microsoft with what we're doing, especially with the customers that I get to support.

[00:08:42] So kind of having that purpose driven, mission driven work because securing our, you know, information is, you know, very, very much something that I've grown a lot more passionate about in the years. And so CMMC is the step in that direction for ensuring that protections are in place.

[00:09:05] Yeah. Do you feel like that your background in serving gave you a totally different perspective on the security of it on the other side? I mean, I think it does to an extent. Granted, before I got into, you know, DCMA, I thought IT was calling the help desk, calling the electric. Like, and then when I got to DCMA, like I started out as a, as an executive assistant, essentially, so director of cybersecurity.

[00:09:35] And so that's how I learned about IT. He actually explained cybersecurity in, and compliance in a manner relating it to aviation because I was a pilot. He was a pilot. So he would explain like, and so being able to kind of decipher, you know, what I love when they say geek speak into layman's terms for our two star, three stars up the chain was how I learned about cybersecurity.

[00:10:04] And then compliance was just kind of an easy way into IT. If you're not super technical, compliance can be kind of a gateway into technology and kind of being in the military and disciplined like that rule following that, you know, regulation, always going back to the source of truth. What is the requirement? Made it really easy to kind of adapt and learn. And then just gotten more and more technical over the past 10 years. So.

[00:10:34] Yeah, that's so cool. Yeah. And what, what about you guys, Amy, do what, what about you? Do you have any perspective on your why from your background as well? Stepping into the space. Absolutely. But before we get to me, I want Carly to say what kind of pilot she was. As a Black Hawk helicopter pilot. Yeah. Just a little bit. That's really cool. It's a blip in time at this point. Oh my gosh.

[00:11:04] That's so cool. I have to see pictures after this. That's awesome. So I have a very different background. And thank you for pulling together this group of women because I love the back, how diverse the backgrounds are for all of us. But I actually was a college professor for quite some time. I've always been the champion of the underdog.

[00:11:25] And I was incredibly aware for a very long time of how unaware most people are of how vulnerable they are for a whole bunch of different risks. And so I did that for a while. Well, I really wanted to go into private practice. And then when I went into private practice, I really continued wanting to be sort of the champion of the underdog.

[00:11:48] I was director of cyber for the New York Crime Commission, who's dedicated to helping businesses in New York City protect themselves from various risks. And then ended up going to a managed security services company. And it was exactly, you know, those small companies that needed to comply with 171. As I said, they were really deer in headlights and didn't understand it at all. And it was, you know, the small companies in the supply chain for the defense industry are the most vulnerable.

[00:12:17] And the prime contractors, you know, the way that attacks are taking place against the prime contractors is through the smallest, most vulnerable. So that's always been a passion of mine is to help companies that don't even realize how vulnerable they are identify those vulnerabilities and then figure out a path forward.

[00:12:38] And like Carly said, the compliance, one of the reasons why it's a good step in is because there are guidelines and rules. And, you know, you know, here are the things that you have to do. And they're not always easy to figure out. Sometimes they're incredibly difficult to figure out. But you know what you have to figure out. So that's a super helpful thing.

[00:13:00] And one last thing about, you know, 171 and CMMC is that it really emphasizes that cybersecurity is not a thing. It's a whole bunch of things. And you have to protect all those things in order to reduce your vulnerabilities in the space. I have just like, this is just a personal curious question of your story.

[00:13:27] So you shared that you were a professor, correct, at one point. And then did you start working for an MSP after that? I did. I did everything backwards. So I just wanted to know how that, I wanted to know how it worked and like what you learned from that because it's so intriguing. Well, I was the youngest person to graduate from Virginia Tech with a doctorate. And then I was one of the youngest people at the University of Tennessee to get tenure. And so I kind of fast-tracked everything.

[00:13:57] And, you know, best laid plans. You know, since this is a women's thing, I really wanted a career where I could have children and do all these things and then didn't have children. So when it was clear that I wasn't going to do that, I thought, well, I want another life adventure. So I'm going to go into private practice. So none of it was planned, but, I mean, the things that were planned didn't happen. But it's all been great.

[00:14:21] But it's so cool to see that perspective now that you have going from like teaching to – and when you went into the MSP and you shared it, you saw still a lot of deer in headlights look. So you did still have to continue teaching even when stepping into that space, just a different way. Yeah. So that's really cool. Joy, did you want to share your story and your why behind what you do? Yeah.

[00:14:46] I mean, first of all, let me say, though, I love the backgrounds and where both Amy and Carly are in their careers. Both of them, like I would give just so much to be able to say that I was a Black Hawk helicopter pilot. You know, it was a professor or the youngest at Virginia Tech to get a doctorate. I mean, those things are just so incredibly crazy cool. And I love that about the women of CMMC.

[00:15:14] It's something that draws me constantly to them because both of these women, if you sit down, you can talk for hours. Just they're so down-to-earth, level-headed, out there to help people. And I love that. Absolutely. There's no errors about our community.

[00:15:32] But my why, you know, when I had my MSP for all those years, similar to Amy, I was day-to-day interacting with all these small businesses who really didn't understand why cyber should apply to them. You know, and when I moved out of that, after I sold my practice and went to work in the vendor community to manage service providers, I was exposed to what their own security postures were. They were security vendors.

[00:16:01] And you look at the, you know, you lift up the hood and you look at what's on the inside. And I was like, oh, my God. You know, it was horrific to understand how much was about selling their product and not practicing what they were preaching. And I'm not going to pick on anyone in particular or say any names, but it's a common problem with a lot of security vendors.

[00:16:28] And that's why we keep seeing all of these breaches with major security vendors. You're like, lock your own house down. And that's something that, you know, we used to say amongst our MSP community, lock your own house down. I like, and at Summit 7, one of the things I've been saying is we have to have our own oxygen mask on first, right? Like, let's make sure that we know exactly what we are doing.

[00:16:51] And so moving into CMMC, I was able to take a lot of the training and I have a love of educating others. It really makes me feel like I've done something good at the end of the day when I see the light bulb come on. And I could do that with CMMC. You know, all the security training I had done in the past, it felt like this is for a purpose and a mission of, you know, Summit 7, we say the American dream and protecting the warfighter.

[00:17:20] And to me, I've got four grandbabies. It actually really means something. Like, I have skin in the game now. I have a way of impacting our nation's security, not just in a small MSP with other customers, but on a much broader scale. So I'm going to jump at the chance, you know, I'm going to throw my hat in the ring and do everything I can so that my kids are raised in a United States of America that I have come to know and love. And I think it's a real existential threat.

[00:17:50] And the other thing I love about CMMC and compliance in general, like Amy was alluding to, is that, like, we have a prescribed plan in front of us. And it's an opportunity where, okay, so the businesses are being forced. This is not trying to convince them, although to some level there still is, right? But they're being forced.

[00:18:13] And so how can I translate this cyber speak, like Carly's talking about, into something that they understand, but not just how to implement it, but the why? Like, the why. It's for every single one of those controls. They serve a purpose and a meaning. And I love that I can make that come to life.

[00:18:34] I'm really curious about your perspective on being a part of an MSP that was not in the CMMC ecosystem versus one that is and is now going for, you know, level two. Have you felt like a dramatic difference between the environments, not necessarily in a bad way,

[00:18:59] but just, like, different because of what CMMC brings to somebody like an MSP that is going to be doing that and trying to be conquering, you know, trying to conquer that mountain. So I just am curious about that perspective. You know, I actually would put it more in terms of working for leadership at a company that every single person takes cybersecurity extremely seriously.

[00:19:26] Like, it is a mission and a badge of honor with every single colleague I have. That, to me, is the biggest difference between where I work now and the MSP that I had. Well, we did that at my MSP, but a lot of the other MSPs that I've interacted with over the years, the ones that I've trained and taught the basics of cybersecurity, working for a company that won't accept the status quo, it makes all the difference.

[00:19:55] You know, being, I had a opportunity this morning for a mandatory meeting, every single employee on there, just to talk about physical security and what are the expectations. And it was, you know, like, people were engaged. They were unmuting and asking questions. We had 191 people at one time really engaged. Every corporate officer was on there engaged. And that's like, it's a dream come true. You know, it's hard to find companies that will do that.

[00:20:25] Yeah. There's a really start at the top. I think there's a really big shift that we're seeing, too, where security and especially cybersecurity was an afterthought. And it is now becoming more of a line of business.

[00:20:46] And it is being something that is talked about up front, which makes it really, I want to say, it makes it a lot easier when we come out or when IT professionals have to go to their readership, ask for money to do X, Y, or Z, get a tool, like bolster their security. There's more understanding of the need for it. And there's more support.

[00:21:08] Because, like, I really know that I saw companies where there wasn't management support and you could really see it and, like, see how and why they were struggling. But as soon as, like, you know, a not so great assessment score comes through, that tune changes. But I think we're just seeing, like, kind of across the board, though, that we're seeing it becoming more and more prevalent for how to do, like, how to run a business versus this is a business I want to run.

[00:21:37] And it's like, oh, now I have to make sure I do this. Like, it's that kind of, it's part of that building process, not an afterthought. Yeah. Well, it's always been a cost center. Cybersecurity has always been considered a cost center. And cost centers are, the goal is to always reduce the cost as much as possible and maintain whatever you need to do. But now it's becoming a strategic imperative, which is, I think, what you're saying. And it's a strategic imperative because breaches are happening. And now it's a real wake-up call.

[00:22:06] So, yeah, fortunately. And you're absolutely right. That's night and day, the way companies behave, depending on whether or not the leadership views it as a strategic imperative or a cost center. I think this perfectly goes into, I really wanted to hear what your guys' thoughts are about 2025 and how you think this year is going to shape your different perspectives.

[00:22:31] Because, you know, at least for us and our side of things, the end of last year or the end of 2024 was wild as soon as 32 CFR final rule dropped. And they were like, what time do I have to be ready? What's going on? Oh, my gosh. I have to be calling 35,000 people trying to figure out what I'm supposed to do. Some people were even reaching out to us that had seen us three years ago but didn't feel like they had to reach out until then, you know.

[00:23:01] And so I just want to hear, you know, from each of your individual perspectives how you see things changing and evolving into this new year. Who wants to go first? What do you think? Well, I couldn't agree with your perspective more. I mean, we, I was at a conference, a CMMC conference, talked to two really big companies, like October 1st. It was before 32 dropped.

[00:23:31] And both of them were saying they were taking a wait and see attitude with CMMC. And I was like, what universe are you living in? You know, it's polite. I didn't say that. But in my head, I said that. And so now, you know, the phone is ringing off the hook, just like, you know, everybody on the call here. It's just been absolutely insane. And people are scrambling to try to get ready. And a lot of companies are signing up for certifications.

[00:23:57] And, you know, it's, I'm so glad that there's that piece where they need to have a readiness review because I think a lot of companies are rushing to sign up that are not ready and not going to be ready for a while. So you're seeing, you're already seeing that kind of start, Amy, of just like really needing to vet because people are just scared and wanting to get right to it kind of thing, but are not fully ready themselves. Yeah. Yeah.

[00:24:24] And we have, you know, we have a great fortune being a large company that, you know, was one of the first, the biggest and FedRAMP that we work with really big companies. So those companies are obviously really well prepared, but we're happy to work with anybody. And we work with small, medium and large companies. And there's, there are a lot of medium to small companies that just have been pushing this on the back burner. Cybersecurity is a cost center. Let's wait and see what happens.

[00:24:53] And now it's, you know, it's scramble time. What about you too, Joy, from your perspective with MSP? It's, yeah, it's crazy growth. I think it'll be interesting in 2025 to see how service delivery improves and more automation kicks in. You know, we're all just starting to figure it out how to best do it as service providers.

[00:25:18] And so our industry, I could see that, first of all, vendors are going to wake up and say, oh, this is a great opportunity. I should have taken the FedRAMP or at least CMMC crosswalk a lot more seriously and the shared responsibility matrix. There's a lot of parts of CMMC, I think, that are also going to leak into other frameworks, other service providers that are, you know,

[00:25:42] maybe they're really good at CIS or NIST-CSF or whatever, and they're going to learn a lot from what we accomplish in CMMC. And so it'll be interesting to see how it spans outside of just the defense industrial base, customer base right now. Carly, from your perspective, like where do you see you guys, you know, adjusting this already?

[00:26:08] You know, I've kind of shared big perspectives and new changes that are happening there. But where do you see that going this year? Yeah, I mean, you know, in a sense, luckily, you know, Microsoft has been like creating their clouds and their tools in alignment with the FedRAMP. And that's always kind of been, you know, part of our business practice for many, many years. So how do we continue to support our customers?

[00:26:35] How do we better partner with our customers, the ecosystem, with the DoD to figure to help figure out some of like the best ways to do this, especially for those smaller companies, because this can be such a costly endeavor up front. And so how can we, how can we help be part of those conversations as they're trying to figure out what to do? And how can we like, what can we do internally?

[00:27:02] And so I mean, we're definitely still like kind of in the forefront. It wasn't just a, we're FedRAMP, you know, like we're FedRAMP authorized, we create the cloud for you, go figure it out. Continuing to partner with our customers to get through this and achieve this. And a lot of the people who work with those contractors who are their customers are there.

[00:27:23] And with our partners, especially with our partners, because, you know, there are, there's a lot of people who use our products who we can't, who, not that we can't touch them, but it's just, we don't have that touch point. So how can we enable our partners to support those companies and how can we support our partners throughout this as well? That really like means a lot. I feel like to me as well in our SMB and going through this and you're absolutely right.

[00:27:49] It is not, you know, my, my dad always says that none of the C's in CMMC stand for cheap. And that is quite true. Yeah. You can use that. Tell them that I gave you approval to use that.

[00:28:06] Um, but I, it's just, you know, to know that there are people that are, that are listening to that stuff that are seeing the perspective because SMBs are the huge, you know, like contractor base. It's like, you cannot just disregard them, which I'm thankful that, that I feel like they haven't fully disregarded them.

[00:28:27] But I do feel like there's so much still to be done, um, to figure out a way to be able to, to help them, which we, we hope to be able to help many SMBs with our MSP as well. Um, but it's just, I, I love hearing that because I really do think there, there is so much to not even just necessarily vendor perspective, but just in the ecosystem to help these SMBs figure out how to climb because it is, it is no small feat.

[00:28:57] Um, so that is so great to hear. And I, I love hearing all of your perspectives on that. I, I do want to hear another perspective of, there's like a little bit of an underground women in CMMC community here. If you guys are new to this community and you're listening to this for the first time, just know there is like tons of incredible bosses in this community that are killing it.

[00:29:23] And just like Joy said, you could sit down for hours to hear the backstory of all these people. But I've heard that you kind of, you know, started this, um, kind of community getting together when going to like seek ease, you know, in different conferences and stuff like that. Did you want to share a little bit about the why behind that and what you've learned? Did you guys meet each other from that group? You know, tell a little bit about that perspective too, because I'd love to hear. I met Joy.

[00:29:53] I can't remember what conference it was at, but it was one where it was one of the early trainings for CMMC or really it was 171. And you were there, this bright light in the room. And I remember you asked the most interesting questions and I was like, her, I need to meet her.

[00:30:10] And so I think, you know, I hope neither one of none of you are offended by this, but to me, sometimes it's a little bit like when I'm in a whole bunch of people and I'm walking my dog and my dog sees another dog. He's like, you know, you let's get together. And it's kind of like, for a while, cybersecurity conferences were like that. He was like, oh my God, another woman. I have to go talk to her. And they're all so amazing and incredible.

[00:30:37] And I don't want to take credit where it's not due, but I think I sort of put together the first impromptu women's thing. And it was just so incredible that everybody kept bringing other people. And that's how I met you, Carly, because Carly Logan brought you and you sat across from me and was like, oh my God, where's this woman been all in cybersecurity? And so we just all instantly became friends.

[00:31:04] And then Joy being the joy that she is and the great organizer, she took it and ran with it and turned it into another whole thing and got Summit 7 to sponsor the next one, which was incredible. And now she's, I don't want to steal your thunder, talk about what you're working on, Joy, to get this to be really something for everybody. Well, it's great fun. You know, I will say in that first dinner, there was like 10 or 12 of us at that table.

[00:31:32] And when we went around and talked about our backgrounds, I was in this room going, oh, pinch me. Yeah. Which is so cool because every woman is just so cool and such different backgrounds coming into CMMC. And then the second one is a little bit more structured, totally organic, though. And that's what was one of the things that has been a problem is that whoever we know we've been reaching out to and saying, hey, join us for dinner. Really without a lot of planning or anything.

[00:32:01] And then not meaning to, but not being able to extend it to all the women in the CMMC community. So we're trying to make that a more formal thing where just a great networking hour. I'll tell you the first one. I know the men were really jealous. They kept trying to break into our room and we're like, whoa, dude.

[00:32:20] So at Lake West in Las Vegas in May, we are working with them to add on a pre-night, I think on Wednesday night before the whole conference kicks off, for us to have a dinner at the conference. And it will be the kind of thing where as you register for the conference, you can add on a dinner ticket for like $20 or $30 or something.

[00:32:45] And so that all the women will know about it and it will be available to them. And we'll just kind of organically see where this goes. We don't have like a mission other than it is really awesome. I think that we all would agree in different areas of cyber that we kind of grew up in. Nowadays, it's a lot different, but we were very lonely as women in our respective fields coming into where we are now.

[00:33:15] My first conference was 600 men and me back in 2008. And see, and that's a common, a lot of women will tell you that's exactly where they come from. And, you know, none of us that I know let that be anything that stopped us or was daunting to us. But it's refreshing to be surrounded by so many women in the CMMC ecosystem. We should celebrate it and we should really build on it. Yeah, I agree. And I will like double down on what Amy said.

[00:33:45] Like joy is a light. Like, you know, just her smile, like the presence that she brings into a room. Yeah, I think I love like you were saying, Joy, that we all have like these varied, diverse backgrounds. And most people in the ecosystem do. And, you know, I think this community, like as I've kind of come into it over the past couple of years, like it is a very kind of like close-knit community.

[00:34:11] You see a lot of people that you'll see at like similar conferences over time or different gatherings or meetings or trainings. And so it really is a community and everybody really does look out for each other. And it's just nice to kind of have this like, you know, girlfriends club, whatever you want to call it. But like just like another like aspect of the community.

[00:34:38] And yeah, the men were very jealous the first time we had the dinner. But yeah, I mean, it's great just to also hear the different backgrounds to also like, you know, in a sense, if you're feeling like, what am I doing here? Like you'll hear like the stories that you hear. And, you know, it's just very supportive. And, you know, it's just that networking and additional connecting because that's the way that this is going to be successful is if we continue to work together.

[00:35:07] And that's also been something like really great to see. And like Joy, you kind of mentioned it before. But I'll say most, you know, maybe like 90 percent of the people who are in this ecosystem who are doing this work are doing it for the purpose behind the work. It's not. And like, you know, coming from the government. And then when they were putting this, you know, into the private sector to do, you know, there were people who are naysayers. They're like, people are just going to do this for the money.

[00:35:37] How are we going to know that they're like it's all, you know, up to par or, you know, it's good work. But everybody in this ecosystem hares. And that has been like, you know, everybody that I know that I've worked with who has come out and into the ecosystem are like blown away by that. And so it's just it's amazing to be a part of. Yeah, I'm I'm so inspired by I mean, this conversation and seeing so much of the ecosystem.

[00:36:05] And I am very excited, Joy, to hopefully get together for for that and be at Sequest with you guys, because that will just be so amazing. I I think it's also so funny how if you looked at like on a paper, technically, Joy, you and I are both MSPs that would like worse. We're much smaller. We're a boutique MSP. But that's like a competitor.

[00:36:33] But that's not the same thing in the CMMC ecosystem. And I love this because I feel like talking about the MSPs for the protection of critical infrastructure and how we're both a part of that. And there is a main goal. There is a mission that we are trying to accomplish. And we're we're MSPs. We're doing the same things just in different ways. And we're trying to accomplish, you know, CMMC.

[00:36:59] And I and I do feel like like just echoing what all of you are saying. You can really see that throughout the ecosystem, which is very inspiring to me. And I think it's so cool. So I do want to say, Kaylee, I've seen you kind of grow up in this ecosystem over the last year or two. And I, you know, from where you started on the podcast with your dad and the kinds of questions that I see you asking now, I'm really happy for you.

[00:37:29] Like you're really embracing this. And so thank you for you. I love that you're going to be getting your CCP. Now I've put the pressure on you that you actually have to do it. Oh, no, I love that. Yes. No, I put the pressure on Bobby to pay for it for me. I'll call him as soon as we're done. Yeah, I have. Guys, I'm telling you, I'm so new to this. And I hope that I can be a voice for some people that are listening to this that are stepping into it for the first time.

[00:37:56] I don't know nearly as much as what these women do. But I literally I'm so inspired just from marketing it and learning about it through all that Bobby has done. My dad has done in the MSP and watching every step of it that I I I sat through. I sat through a CCA course, even though I literally didn't pay for it. I also did not get the credits for it. I was just sitting just listening in the back.

[00:38:22] And it's just it sucked me in, you know, and I don't know what else to say other than maybe it's because I'm a rule follower. And we've all talked about how there's rules and structures and you got to follow them. And, you know, so I do hope thank you, Joy, for those really kind words because that really does mean a lot. But I do hope that that that there are people listening to this that are like me that are like, should I step into this space? I don't really know a ton.

[00:38:47] It's like, well, learn from people who know more than you and don't be afraid to say, I don't know and listen, you know, and you can slowly, you know, start to learn more and more and more. And I I just am really, really inspired about that. I also wanted to highlight to Amy, you were sharing something when we talked yesterday. And I don't want to let this go about what background you need to step into this space.

[00:39:16] Can you share a little bit of what you said to us? Yeah, thank you for asking, because I feel very passionate about this, too. And again, being the champion of the underdog is there are so many careers that it's it's hard to be really successful and rise to the top unless you have college degrees and have spent a ton of money. But cybersecurity is not one of them. And, you know, if you've got a passion for it, there's so much that you can learn. You can start with YouTube. You can start you can join hacking competitions.

[00:39:45] You can join hacking groups. There are universities that have hacking clubs that you don't have to belong to the university to become a part of. There are tons of people that want to mentor people in cybersecurity. The Cyber Guild has an incredible program to mentor women in particular, but also people of any minority. I'm a mentor for them.

[00:40:08] There's a bunch of women that are mentors for them, just helping them figure out a path forward in cybersecurity without having to quit everything and go to college. And, you know, I hired somebody a long time ago when I was working for the MSP that didn't have a college degree. And I think he's making more money than anybody I know now. He never did get a cybersecurity degree.

[00:40:30] So he's you know, it's just it's all about if you've got the passion for it and you can find a mentor that says, well, go here next and then go there next. And you can you the sky's the limit with cybersecurity of any of any branch. Thank you for asking about that. Yeah, there's also some fabulous Microsoft certifications. Absolutely. Yeah, that's absolutely. Thank you for. Yeah.

[00:40:57] Carly, you also are a part of some really cool organizations that like work with women and cybersecurity and stuff like that, too. I was wondering if you'd be able to share a little bit about that and give them a shout out, too. No, thanks for that. So, I mean, I do a lot of, you know, because I wouldn't be here today if it weren't for my mentors and others.

[00:41:21] And so I always, you know, I look at it as like paying it forward, especially because I don't have an IT or cyber background. You know, I am classically trained, as I like to say, classically educated in the health sciences. And so this was a big transition for me. And then so, you know, I do a lot of work with this organization called STEM for Her. Right now it's like in the DMV area and they work.

[00:41:49] I work with their mentorship program, which puts women and college age students together for mentoring as they're like going through their journey and trying to figure out what they want to do. So but they also do a lot with girls in high school, elementary school and a ton of stuff like that. And that organization, you know, it's very cool. It's starting to grow. And so hopefully maybe some more like nationals type stuff.

[00:42:16] But then I also do a lot with at Microsoft. They have a veteran transitioning program. So veterans who are transitioning out of the military. And so I work with those students. So not all of them have degrees. Not all of them were, you know, IT in the military. And so, you know, what does that look like?

[00:42:39] And, you know, it's really big, too, in translating your military experiences into like those soft skills that you can put onto a resume that a jobs will understand. But be like, you know, I know that if I see somebody who's a veteran, like on their resume, I know there's a bunch of things that they come with right off the bat. But not everybody does.

[00:43:03] And so how do you translate, you know, that teamwork, discipline, you know, learning, et cetera, that is kind of innate of someone who served into words that will go on a resume and like interview practice and all of that. So I really enjoy both of those programs and continue to do, you know, one-off mentoring when people reach out on LinkedIn or ask about, you know, different programs or connections.

[00:43:30] And so just try to always be there because I know I wouldn't be here without my network or the people in my life. So. Yes, that's so true. It's so true. Joy, did you want to share a little bit for the people who didn't know about what the MSPs for Protection of Critical Infrastructure is? We did mention that, but I just wanted to give you the opportunity to share what the mission is and what we're doing there. Sure. Yeah.

[00:43:56] So the founding partners were all competing MSPs and Summit 7, Neo Systems, QZARA. We have really pulled, I think we have about 12 MSPs that have joined us now. And the mission really is to represent the service provider community that serves critical infrastructure

[00:44:17] and help to guide legislation and decisions that are being made that impact the service provider community and thus the small businesses so that decisions are made smart. A lot of the government agencies actually have no clue what a managed service provider does. That was pretty evident in the first couple of drafts of CMMC where we were like, FedRAMP or managed service providers? Are you out of your mind? Yeah.

[00:44:46] We're doing that. We also are helping to put together, you know, in any way that we can support initiatives for tax incentives for the small contractors that are getting their CMMC certifications. What is the right level of security that should be required of a managed service provider that is serving critical infrastructure? Those kinds of initiatives. So, and one of the neat announcements we just made yesterday is that we found out that the Cyber AB

[00:45:14] cannot put onto their marketplace, the ESPs, external service providers that have received their own CMMC level two certification. They're not able to track that or have that be a publicly accessible database. So we stepped up to offer that for them. And we'll be checking with no charge at all.

[00:45:34] Any MSP that gets a CMMC level two certification will be validating with the C3 PAO that did that and then adding them to a marketplace so that all the defense contractors who want to know the legit MSPs that are doing it right, that have their own certifications, they'll have a place to come to look through them. And so very excited about that. Oh, that's awesome. That's huge. I mean, because that's always like the number one thing when people ask, like, how do I know

[00:46:03] what C3 PAO to hire or how do I know X, Y, or Z? Or like, you know, from like a, is it FedRAMP? Like you have to go look. Can't just take some, like, unfortunately, you just can't take somebody at their word or at their, no offense, Kaylee, marketing or whatever. You need to go double check. I know more than, I know, I know more than anybody you can do that. So, I mean, so that is the biggest thing is how are they supposed to know?

[00:46:30] And I think that's also going to be the biggest struggle is people are not going to know that they should go check somewhere or know what to check to ensure that the service that they're purchasing is going to meet the muster until they get assessed. And then don't pass or get a finding or something to that nature. That's always heartbreaking.

[00:46:54] Like, because I know, like, from my perspective, when I was an assessor, like, we weren't looking for gotchas. We weren't looking to, like, look for you to fail. And so, you know, just work with us to figure it out and to show us how you do this. And, like, if it's something that can satisfy the requirement.

[00:47:17] And so it always, like, the first, you know, non-passing one that we had, of course, I don't know why I had that one as well. But, like, it hurt. I was like, I really don't want to tell you this. But, yeah. Of course. That's very, like. And that's where, again, like, goes back to the requirements. Like, and so, anyway. It's very stressful for a company to go through an assessment. And I love the empathy that you're expressing there.

[00:47:45] And it's really important for the first C3PAOs to, you know, be aware of that. That you're bringing in clients who are doing something that is, you know, this is, they've got a lot of livelihood hanging in the balance depending on how this assessment goes. Absolutely. And we need to be, you know, as C3PAOs, respectful of that and, you know, kind. And you can be independent and follow all the guidelines without being a juror.

[00:48:18] Yeah. I think, you know, and I'm seeing that, like, from your perspective, Amy, like what you're saying of, you know, bringing it from your side. But then as what Joy is saying and what we're trying to accomplish from the MSP side is to also honor your time and what you're doing. It's, like, with both categories. And then with what Carly is saying, being honest, being transparent, always trying to think of what would be best for the industry as a vendor.

[00:48:45] It's, like, all of that stuff combined can help make this ecosystem thrive. So I just, like, love hearing all of those perspectives because it literally, it gets like a fire under me. I'm like, here we go. And that wasn't me trying to promote Joy, the MSP for the Reduction of Critical Role. I'm, like, thinking of the logo, the fire under me. But anyway, it's a little plug there.

[00:49:11] But I just want to say I want to honor you guys' time and I want to say thank you, first and foremost, for allowing me to interview you guys, even though I have nothing in my title besides marketing director and inspired by the CMMC community. Hopefully, like Joy said, CCP soon. But thank you guys for sharing your perspectives, your backgrounds, what you're trying to accomplish in this community.

[00:49:37] Again, congratulations, Amy, with your company and the C3PAO, one of the first, which is such a big deal. Joy stepping into level two certifications. We are doing it in the middle of it right now, assessment time. Here we go. That is a huge deal as well. And what Carly is doing, what Microsoft is doing literally is, I mean, for a company like us is literally helping us with the foundation of our work and what we're doing and helping us thrive.

[00:50:06] So it's incredible to see that perspective as well. I'm going to link where you can find all of these wonderful women at LinkedIn as well as the different organizations that they shared about in this podcast episode. So if you wanted to learn more about those organizations, you can check out those links below. But thank you guys for listening to this episode. And we will see you in the next one. But until then, keep on climbing. Bye, guys. All right. Thank you.

[00:50:36] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.