We Went Through Our CMMC Assessment (What we learned)
Climbing Mount CMMC, February 20, 2025
Duration: 00:49:41


Axiom passed their assessment! In this episode, Kaleigh Floyd, Bobby Guerra, and Adam Evans discuss their journey to passing a CMMC Level 2 assessment. They share insights from their mock and real assessments, the challenges they faced, and the importance of preparation and self-assessment. The conversation highlights the role of auditors, handling findings, and the continuous nature of compliance in cybersecurity. In this conversation, Axiom discusses their experiences and challenges in achieving a CMMC certification as Managed Service Providers (MSPs). They reflect on the emotional and logistical hurdles faced during the assessment process, the importance of adapting their systems to meet client needs, and the commitment required to succeed.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. I am so excited because we have a very big announcement that we have been waiting to share with you guys for a while now.

[00:00:25] Some of you that are new to this might not know, we are an MSP and we have been climbing, literally climbing to get our CMMC Level 2 certification. And we have some big news. We've got it. And we have passed. And it was very, very, very hard. And the people that know how hard it is are Adam and Bobby.

[00:00:55] And they're here with me today. And we are going to talk about it. We're going to share some insight. We did, some of you guys maybe who are new too don't know this part about us as well. We did a mock assessment before we did the full assessment. And that was in August, back in August of last year of 2024 that we did that.

[00:01:16] And this is 2025 in February that we actually, January was when we did our full assessment, CMMC Level 2 assessment. So we are going to go through a lot of really cool things today. I'm very excited to ask Bobby and Adam some of these questions. But first, I want to start with before you have ever experienced even the mock assessment, the real assessment itself. Babes. What it was like.

[00:01:46] What it was like for you in your head, how you thought it was going to go and the way that you prepped a little bit for that. And before I, before I ask you fully that question, I'm also going to link in the comments below the actual podcast episode that we did that they can watch before you did your mock assessment. So they can go and look at the little babies that hadn't gone through it yet, actually.

[00:02:12] But we can talk a little bit about like briefly about what that was like. So what do you want to go first, Bobby? The journey right through that. Yeah, literally. Yeah. I'll let you fill that one first, Adam. I'm curious what your thoughts are about that. Oh, Adam. Okay. Let's do it. Okay. Yeah. Getting into our mock assessment, you know, there was a lot of unknowns and some anxieties around that. But, you know, we'd done our self-assessment. We'd poured over it a whole bunch. So it felt fairly confident, but still we had so many unknowns about how the assessor would look at things.

[00:02:42] Yeah. And even in our own preparation, we found those kind of differences in interpretation. And we just didn't know what that would be like. So I think that was probably my biggest thing hanging over my head during the mock assessment was just simply, what are we walking into? Because there's so much we don't know. Yeah. It seemed like, you know, when you go through and you write stuff in your SSP about your stance on something, you're like, all right, got it. We're done. But you don't think about the perspective of someone sitting down.

[00:03:13] It's kind of the Jeopardy moment. Okay. For 3-1-1, you know, Alpha, go. What's your answer? You know, and you're just like, oh, crap. Like, what am I supposed to say? How am I proving that exactly? Like, when you think about that, it really catches you. And you've got to think about, how am I going to address this? How am I going to speak authoritatively? Because you're like on the five-yard line, right? You're right there with the auditor.

[00:03:40] You've done all of this massive amount of work. And if you freaking fumble on the five-yard line because you say it wrong or you don't set up your test right, like, man, that could really get you. And I think I saw FutureFeed did a mock assessment with Matt Titcomb and Fernando Machado. And it was amazing. It was great. They went through. Yeah, it was such a great podcast. I enjoyed it.

[00:04:07] And I thought to myself, okay, that scared me a bit because of the fact that I hadn't thought about necessarily that exact dance that was going to happen. We were ready, but we weren't ready for the dance, right? I know how to catch a football. I know how to score, but I don't know how the cadence works. And so that is his own game. And it really caught me by surprise.

[00:04:35] And thankfully, we planned for that. So then we called Brian Hubbard. We're like, can you do a mini mock with us? Walk us through it. And then we actually scheduled one with our auditor, a mock assessment so that we could see how we were going to go for them. And we did that in August so that we felt really good in January when we had our audit. So then we felt prepared. But there were still plenty of lessons learned in each of those. Right. Yeah.

[00:05:01] What about the prep work for CMMC as a whole, like the SSP, the CRM, prepping, all that stuff? What was the hardest part you would say about all that? I'll go ahead and jump in on that one. I think for me, it was getting everything ready for that mock assessment. Really?

[00:05:29] There were so many of those unknowns about how an assessor would interpret stuff. We had the wonderful people over at Kieri to be our consultants and help us through that process. Whenever we would disagree with them to account for how we operate, we'd get the comments occasionally of, yeah, you can try that and see how the assessor will interpret it. And we're over here like, what is that supposed to mean? That's terrifying. Okay, we'll run with that. So we were able to work around those. We just didn't know how our assessors would interpret.

[00:05:59] But once we got up to our mock assessment and got that done, that gave a lot more clarity that we had through the mock process that we were trending met, that we were looking good. And then when it came time to work through for our actual assessment, that made our path forward much more clear. And that also helped us answer questions around building our responsibility matrix and how we would do it for clients. Because at this point, we'd already done it for ourselves. An assessor had given the seal of approval. The mock seal of approval, I should say.

[00:06:29] Different seal. So we felt a lot more confident getting into it. And I think in the times period between the mock and our actual assessment, it's not exactly cruise control because we still had to work hard, push hard through it. But it's, you know, like you're coasting down the hill a little bit. You can pick up a little bit of speed just so you can go right back up the top again. So it helped out a lot. I think that was my takeaway between the two. Yeah, it's the unknown factor when you step in the ring.

[00:06:57] Like you might train in boxing, but when you step in the ring against an opponent, you've never met. You don't know. And they're going to start coming with their own strategy of how they're going to win. You know, not a partner who's there to try to help you prepare. It's someone who wants to put you on the mat hard. Now, auditors aren't coming at you like that per se, but they do have risks they want to mitigate. And they're bringing it. And they're not playing around. And they're not being apologetic. And they're not pulling any punches. They're throwing them.

[00:07:23] So you've got to be ready to dance and prepare and set up. And so it is very different than the practice part and then stepping in the ring and really going at it. And that makes us feel that much more comfortable and confident that when it's time for our clients, we're going to, you know, help them pass with flying colors.

[00:07:42] But for me, I would say mine was the biggest challenge at first was wrapping my head around this is as a CEO perspective, I guess, is where that's kind of tainted my perspective. It's just the architecture design. Like what does this thing really look like from its infancy to completion? And not just like your container, but like I'm thinking from organizational structure. Like I'm thinking like all the way, like how's this business work?

[00:08:12] How is this like not just how's this little container pass, but how does this container function in our organization and actually like work? And then how does that connect as the second mountain as we talk about helping our clients pass? So I'm I'm looking well beyond just our audit. Like how does all that work? And there was just so many permutations. Like at some point, you just have to trust your team, right? You can't foresee at some point. So many forks are there in the road.

[00:08:42] You just it's just continuous, you know, so you have to start knowing that we're just going to have to move further down as you start to solve those. And I just saw all those multiple, multiple forks. And it's pretty scary when you're stepping into that space. But I knew we could do it. I knew we had the right people. And, you know, we did it. And now we're moving forward with our clients and we're going to do it again. You know, the shirt that I have here. Keep moving forward. You know, it's like after we passed.

[00:09:12] You'd think I'd sleep like a baby. I woke up at 1 a.m. in the morning. You know what I was thinking about? How we're going to continue that journey for our clients and get them through to pass. What do we need to do? How do we refine our structure of our organization to leverage our Level 2 certification to better help our clients pass? I mean, I just my mind was swimming. I was taking notes and thinking about how we're going to do it and how we're going to continue to push this forward. Because it's just passing isn't like that's like halftime. Really?

[00:09:41] Like it's now it's about helping our clients pass. That's when you really are scoring in my opinion. Yeah. Yeah. And even if you're not an MSP like we are, we have to take this to our clients. If you're just the organization that needs to be assessed, you're the DIB contractor of the world. Passing is not completion. You still have to maintain the system. You still have to keep yourself compliant and prepare to be reassessed in three years. Yeah. That's the whole purpose of a compliance program. It's never a one and done. You have to maintain that.

[00:10:08] I love the fact that we engaged with NSF, who's our C3PAO, that they're going to assess us like almost like ISO where you have a portion assessment every year. I love the fact that we're going to have that. That keeps us more on our toes, helps us stay more relevant of what we're doing. I think if you just don't see them in three years, you never have a discussion. I think that's a bit dangerous. So we wanted to keep that engagement with them, and we're really glad. Right. And that actually leads me to a great point for preparation and whatnot is the self-assessment process.

[00:10:38] We had self-assessed plenty of times over the last year. We did our full self-assessment in preparation for our mock. We did it again in preparation for our final assessment, and our maintenance checklist requires self-assessment of select controls quarterly as well. So we've been looking over things quite a lot over the last several months, but so many different biases start to slip in. Yeah. You know, you look at something and you feel this is great. I don't need to scrutinize this. Right. Or, yeah, I've looked at this document 30 times over the last month.

[00:11:07] Like, yeah, there's no issues with this. Like, let me just write down. It's fine. The assessors don't know any of that context. They don't have those biases. So they come in and they look at it and they go, what's that over there? Why does it say that? I don't think that's a good implementation. And you're like, what? Why are you stealing candy from my proverbial baby over here? I'm upset. But that's exactly what they're there for. There's freaking superpower. It's so annoying.

[00:11:32] You know, like when we did our mock assessment, I kid you not, Kaleigh, literally the first control, the first policy. Me and Adam bring up that we have had reviewed by me. Like 3.1.1? We were 3.1.1, baby. Access management. We bring up our access management policy and we did not notice that the year was off. You know, the date was right, but the year was wrong.

[00:12:00] You know, we like to call that. You like to call that the human factor. Yeah. It's just if you didn't punch me right. And like literally the first thing. And I'm like, we reviewed that document numerous times. Yeah. And the first thing and just one second. He's like, that date's wrong. And we're just both of us. Things come mentally. You know, I could see Adam like, what the? But I mean, the policy was fine, but that's just an example.

[00:12:25] No, I did triple check that getting into our real assessment because New Year's occurred over then as we were updating the policies. And I'm over here like, did I get the year wrong? You forgot what year it was. You best know those dates were right. But that does bring up a good point with the human factor during our assessment. So what happens if you get a not met during the assessment? Well, 32 CFR carved out that 10 day remediation period. There are still controls that you cannot put on your plan of action and milestones. Hold on that. Let's let's back up a little bit further.

[00:12:52] I think we need to do a little history lesson because I think you're going into a beautiful point, Adam, that is really good. But like, I don't know about you, but I thought that it was like there was no leeway there when we were coming as we were preparing, as we were coming in for the landing. Like, I envisioned the runway being like exactly the size of the tires and we had to freaking land it right. You're landing on the aircraft carrier. It's there or you're off the runway and you're dead like that.

[00:13:21] Like I didn't see in the initial drafts and some of these other things a lot of leeway or room for grace through that process. And so me and Adam are like, man, we're going to have to freaking stick. I mean, like it's either a 10 or it doesn't count. You know, I mean, who goes to the Olympics going either you get a 10 to pass, not just win. You know, that's just really hard. But I mean, keep on talking, Adam. I think that we learned some lessons through that. Yeah. So that brings up the human factor.

[00:13:49] So we're going through our assessment and we get on one of the controls and our assessor is going through our policies and says your access management policy doesn't match what you wrote in your configuration management policy. But you also wrote those policies must match. Yeah. Not the whole policies, but like a small right. Yeah. One little sentence was off by some word complexity requirements. And we're like, huh? I looked over that document a whole bunch. Bobby looked over it and we had one other person in the company looking over it as well.

[00:14:17] So we looked at that and the assessor's asking the question, which what's authoritative here? And why do I have a conflict in statements here? And we're like, we don't know. Yeah. So he's like, all right, I've got to report. Mark, this is a finding trending not met. But we hit our 10 day window. We were able to look at that after our session with the assessor and go, what needs to happen to fix this? Bobby, which one do you agree is the authoritative one? And let's go ahead and go through our processes to update that.

[00:14:44] And we were able to take that back to our assessor the same day and say, yeah, we corrected this. We followed all of our processes, our policies. We've got evidence of that. We think we're good now. Here's our updated evidence. And our assessor was able to reassess and say, yep, that finding is no longer valid. You're trending met on this control now. Yeah. And as me and Adam talked about it so many times, like, oh my gosh, man, we're so human. Like, how are we going to get this perfect? We're so human. Yeah. Like, how are we going to get this perfect? We have no idea how we're going to.

[00:15:12] I mean, because how many documents do we have, Adam? Like, 16. I mean, our SSP alone is 217 pages. Yeah, I mean, there's just so many words, Kaleigh. So many words. It's unreasonable to expect that the human factor isn't, to some extent, going to kick in. And it, I mean, it ran us ragged for us trying to prepare for it. And we can talk about that a little bit later. But, like, it was super hard.

[00:15:37] But when we came into the audit, what I was so great is NSF, I think they handled it perfectly.

[00:15:43] They were like, look, you know, during the audit process, if you have things that are not met, you know, in the post session each day that you have, if there are things that we have a running tab on that, you know, end out, close out, you know, through that process, you can send adjustments or things that you feel will help address things that we might have found either not met or might have some eyebrow raising.

[00:16:10] And so, you know, there were a few things that we had to go through. We were human, just like everybody else. But it was great to see that I feel like there is stopgap measures plus the 10 days which you talked about and, Kaleigh, we talked about in our podcast, that gives you the grace for those organizations who really took what they're trying to do serious. They came in very prepared. And then, oops, I became human and I made a mistake. What do I do? Is it a straight fail? And the answer is no, it's not.

[00:16:37] The mechanisms in 32 CFR that are written for those people who are really serious, you know, we're not talking about standing up change control because you didn't have it. You know, we're talking about, you know, like we're speaking of power. Yeah, I think. I do want to highlight that. So we spent so much time on preparation. I think easily between the two of us, we've just spent about at least 100 hours each self-assessing. Yeah. We felt extremely confident getting into our assessments both times that we had a system that could stand on its own.

[00:17:07] We were looking forward to our assessor poking holes in it and finding those weaknesses as that's their job. But we felt that we had met every control when we did our self-assessments. An organization that's feeling shaky or unsure or not sure if their processes or procedures will uphold a control, you might want to revisit that before you get into those assessments. Because depending on what you're doing, that might not be something you can correct within that 10-day window.

[00:17:31] Or the correction process itself has to blow through so many other, you know, core requirements that it just, an assessor would raise even more eyebrows at it saying, really? You rushed deploying a SIEM in 10 days? Yeah. Are you mad? Well, I think it just also goes to reiterate that you absolutely are a crazy person if you go into this audit without having at least gone through some type of mock qualification of your process.

[00:17:58] I can't tell you how many companies that I have talked to that are C3PAOs and they're like, you know, I'm like, how many companies have come in and they weren't even out of phase one? They're like, they just story after story of just companies that just sort of waltz in there. They're like, you know, they're the rooster on the walk there and they've got it all. And then they're like... Look at me. I self-reported a full compliance with 800-171. I'm perfect.

[00:18:24] Dude, that's a two-page SSP written on a napkin. That doesn't count. You know, that's... I'm sorry. Yeah, we're not moving past phase one. Yeah, your acceptable use policy says don't do bad things and you think that's good. Right. Don't do bad things. So, like, and that's happening, like, constantly. These organizations are coming in here. So, like, if you have not gone through... And then there are people that I've talked to that were like, they were prepared.

[00:18:47] They had their SSPs written, but they didn't get ready for the dance. And they got punched in the face there too. Um, Kaleigh, how many hours do you think I spent writing the test procedures for our self-assessment for our audit? Do you understand what I'm asking? Writing? That was a long sentence. Writing the test procedures for your self-assessment for your audit.

[00:19:15] That we're planning on providing when they were like 3-1-1, you know, speak to it. We read our SSP and we talk about those types of things. And then there, you know, what are the prepared tests that we are willing to show? I would say you would take at least 80 hours thinking about how many... It was 85, like, yeah, it was like 85 to 90 hours. It's probably because you told me one time and it just sticks in there, you know?

[00:19:38] But, yeah, I'm like, now that we have it done, when we go to review and reassess ourselves, you know, but I was sitting down and I was starting... Everything that we had from our mock, I threw out and I started over again. And said, let me go through and write them all out. And I did that independent of Adam. And then I had Adam go through and review what I had done. And you're referring to, like, this is kind of, like, evidence of each of the controls. That's what you're referring to. Yeah, for each assessment objective.

[00:20:04] Like, what types of activities can we show them to prove that we feel like it was met? If you look at, like, the privacy and security notice requirement under the access control domain, our policies say we have to provide that. We define what that is. Meanwhile, Bobby's going through saying, how do I prove this to an assessor? Okay, we know that's supposed to display during login, so we can grab a screenshot there, demonstrate that. But where's that setting located? Let me write that down. So that way, when we get assessed... Go ahead, Bobby. You want to say something? All right.

[00:20:32] Well, just pro tip, like, as you go to do that, you know, I started realizing, oh, my gosh, like, some of these are the same. Yeah, that helped us be more efficient to demonstrate, like, when they want to see the login process, we can go, okay, let's talk about our boundary control and what we do to get access to this enclave here. Hey, look, there's a privacy and security notice. Note that you saw that. Exactly. Here's the fact that we did MFA. Note that you saw that. Right.

[00:20:56] You know, so that helped us speed through a little bit, but what I was ultimately getting to is when we go through that process and that dance with the assessor, the assessor will say, how do you implement privacy and security notice? And I go, well, we've got our configuration management and access management policy to say this. Our notice is defined as this and everything. We can see it at login here. Would you like the demonstration of that? And the setting that applies it is here. And they'll go, can we see that setting? And Bobby's like, yeah, let me go ahead and share screen real quick and see, look, it's right there. It put us in control of the pace of the assessment. Right. Right.

[00:21:26] And mostly, and most often than not, it led it to the point where we had answered our stuff and we had to pause for our assessor to write their notes, which then helped us move on to the next item. We wanted a really good cadence and flow to this process. Let me ask something very specific. Is evidence for each control a requirement for an assessment? Like, will they look to see if you have evidence for every control?

[00:21:56] No. No. They won't. And here's why. And this is, I would say, good organizations and auditors, they could read a well-written SSP on some of those controls. And JSVAs have proven this because DIBCAC has demonstrated that they do this as well for their C3PAO audits as well as for their joint surveillance. It's that well-written SSPs and other things.

[00:22:24] You can mark things met because the methodology, right, interview, examine, and test, like one of those, your SSP could speak to it clearly, and you can have some of those met before the audit even starts. Your auditor can look at it, and they may ask you some basic questions and just move on. But also, you could have performed exactly what Adam's saying, tests that are combined, and they go, hey, login banner.

[00:22:50] Well, remember when I showed you this on access control and I did that login banner yesterday that we had that? It had that screenshot, remember? Oh, yeah, right. Okay, and then move on. And so having those notes that you've already validated this control that we've already done those examples help them kind of go, oh, that's right, and you can help them move on. And a lot of times the auditor is like, and you demonstrated that earlier yesterday. We're going to go ahead and mark that met. And they keep on going.

[00:23:18] Or they may at the very least say, hey, I know you demonstrated this, but we just want some better notes. Can you just re-demonstrate for us? That happened too. We want a little more. And then, you know, I mean, you can sit there and fight them if you want to. We don't. Wouldn't recommend that, maybe. It's not a good posture to take. There were a few controls where we felt the need to dig in a little bit and get a little more defensive on it. But, you know, the auditor is there to help you.

[00:23:44] You know, Bobby, you mentioned earlier about how this all goes through with the plans and, you know, no plan survives first contact with the enemy. The auditors are not our enemies, though. The threat actors out there that are targeting our organizations, that's the actual enemy because they don't care. They're out to hurt you. The auditors are here to help you. So, you know, as we prepared for it, we had the conversations. What if we do get a not met? Well, we take the time to understand, is it really a not met or is it a difference of opinion? If it's a difference of opinion, we can have an appeals process to try to get it on track.

[00:24:14] But if it's truly a not met, then it's a not met. And we have to just take that on the nose. It's an ego blow, but that's what they're there to catch. Well, here's a perfect example. We had one not met that had to deal with we referring to a term they didn't feel was adequately defined. They could see that the system was addressing everything with those controls. They just wanted to see it better defined. Better clarity, which in 10 minutes we had it addressed, you know.

[00:24:42] But that's just like they're just – they kind of, you know, say, okay, we're going to lean on this a little bit more. And we're feeling like it could be a little stronger. And they have no problems pointing out that – but they can't provide advice, right? So they're just going to say in this situation we don't feel this is necessarily adequate for what we're looking for. And then we can address it.

[00:25:07] But that's where having the experience of when they tell you it's not met, you need to know what you're doing so you can adjust it so it is. Which that does bring up, I think, a great transition to another point. Through our assessment, you know, that really highlighted our ability to keep an open mind as our assessors are going through. Because, you know, as Bobby mentioned, they can't consult. They can't give us advice during that assessment. But they can drill a little deeper if they feel the need to. You can sense their uncomfort. They're in comfort or what's their lack of comfort? Yeah. Uncomfy?

[00:25:37] So – but it's being good of being able to listen and look for cues when, you know, you explain something and they go, oh, that's interesting. Or they start asking questions that's beyond the scope of the control saying, well, how do you track and manage this? What do you do about that? And you realize they've exceeded past the control and they're digging a little deeper maybe to save their own curiosity a little bit. But as they do that in the words they say, that starts giving you feedback if you're open to it. Right.

[00:26:05] You know, if they were drilling into our risk assessment process or our plan of action and milestones processes, there were a few things that they really started to hone in on and focus on above and beyond what CMMC requires that were like – we were taking notes going, if they keep asking about this, they realize this part of this process could be better.

[00:26:23] Well, and if they – if it takes them longer than we feel they need to come to terms with understanding that that is met, then what can we do inside our system in our definitions and this information we're providing to them? Maybe it's already there and we just didn't present it in a way that they could easily consume. Okay, let's change that. How can that apply for our clients when it's their turn? Right.

[00:26:48] You know, those are the things that you want to think – you want to pay attention to that because you're – they are walking the line and there are nuggets there that can be definitely learned. Yeah. So you want to capitalize on those. Yeah, and especially the biggest part too is because they don't have, again, the biases that we have of having built and maintained the system and how our company works. They don't know what we mean by certain terminology. It's our baby. Our baby is beautiful.

[00:27:12] Yeah, but there's things we imply throughout our entire process and we assume just by nature of being human and they don't have any of the data to make the same assumptions and inferences. Yeah. Which really, again, helps cut through the nonsense that's determined do we have a good system or do we just have good people that know what to do that can build a good system without documenting it? Yeah. Don't die by a suicide. That's what I like to say. Yeah, you got it. I need a teacher. Don't allow assumptions. Yeah. Yeah.

[00:27:42] Okay, I have one more question that I am very eager to ask because we get this a lot specifically from other MSPs and I feel like we get into these situations where it gets very nitpicky on like a specific control or like SPD, you know, security protection data or where the boundary is of a specific thing. And we get really nitpick.

[00:28:11] And the moral of the story is MSPs are trying to figure out how to use as much of their system that they've already built in their MSP to be able to pass this thing and do what they're still continuing to do. So you guys are now an MSP that has gone through an assessment and has gone through making an environment that is sustainable.

[00:28:33] Do you feel, do you feel, after going through this, that you were too hard on yourself with the things that you allowed in just the right amount or not enough? Well, I want to talk first about how hard I think I was on ourselves through it. And then I want to answer your question that you have there because I think there's two parts there. Okay.

[00:28:57] Me and Judy were walking, my wife, we were going on our nightly walk and I kind of made a joke is that I need to work off my CMMC belly. Uh, because it was emotionally hard for me trying to go through and get ready for this. Because if you take it serious, if you know what you're looking down the barrel of, you better darn well know that this is a serious thing that you can't just waltz in.

[00:29:23] Let's say that you're not going to try to get level two and you're just going to waltz in with your client to get them level two. Buddy, you better be ready for a fight because it was one of the hardest things that I've ever done is going through the audit and being prepared for it. So if you're walking in thinking it's going to be a cakewalk, uh, just listen, it ain't, it's not. Uh, and it, it was, you know, when they told us that we passed, I cried.

[00:29:48] Uh, I cried because three years of hard work and dedication for our team sacrifices of time with family. And our team also did the same thing and all for the commitment to get this done, to get over the hump of passing. And it's, and it's not just about us. It's about our clients and about what we want to do is just that true dedication and caring for it. I mean, it was emotional and it, it had a physical effect on me, um, trying to be ready for that.

[00:30:18] Um, and you know, we're, I'm going on a lot more walks now. I'm, I'm trying to, you know, cut my weight down, uh, to get back to a healthier situation. And it was hard on me, uh, emotionally. I don't know about for you, Adam, but it was definitely hard for me. Yeah. I mean, we, we had the final, um, you know, as we've gone through this process, um, you know, we had in both cases, what I'd call the sprint period. That's that final 30 days prior to the, both the mock assessment and the real assessment.

[00:30:45] That's the, every I must be dotted, every T crossed. You know, we've got to get all the bows on everything. It's got to be as good as we think we can get it to be. And that 30 days final sprint and everything for us happened to coincide with Christmas and New Year's. Yeah. I worked both full days to get it done. Actually extended days. I think Christmas Eve, I was working from like 9am to like 8pm to get it done.

[00:31:10] Um, but for me, this is the culmination of a 10 year journey that started back with my first MSP job. When a client said, I need help with this 800-171 thing. Do you think you can help? And I said, sure. How bad could this be? Then going through that, hearing the CMMC discussions, the debates, the naysayers, the, you know, all the stuff around that, the different opportunities and being able to come over with, with Bobby and the team here to keep that going and actually really focus and hone in on it.

[00:31:37] And then to come back at the end of it and say, 10 years later, we've got a piece of paper that says we did it. Well, and then to put a finer point of what you're talking about, Kaleigh, um, it's something that we've talked about in the past is you hear these conversations that, that our fellow brother and MSP are doing. And you can ultimately boil it down to the fact that they're trying to figure out, and I get it, that how can I try to participate in CMMC without changing much of my business, if at all possible?

[00:32:06] And when you hear what we had to go through to get to our level two, you could see how we could kind of get a little jaded about that conversation because the amount of sacrifice and commitment. There are so many friends and people in this industry that I've gone through. They've been doing it for eight years. They were there before it was even really called CMMC. I mean, we've been doing this for three, like Summit 7 and Scott Edwards and their team. They've been doing this for eight years, man.

[00:32:32] They have been out plugging mud and out there pounding dirt to try to get ready their company. And they're like 200 people. And, you know, to go through and pass that audit for them. Oh, my Lord. How would you? I can't even wrap my head around a large organization and an MSP supporting other people is just off to those people for doing that. That's massive. And then you hear these other people are like, so do you think that I need to have a system secure?

[00:33:00] Do I need to have my own enclave to support our clients? And I'm like – What tools do I have to buy just to solve this problem? Right. You're like, what are you talking about? Like, you know, at this point now I don't choke people. So, you know, that's good. But, you know, I'm approved. I'm approved. Lots of counseling. But – A lot. A lot has gone in to – But I – You know, I also have the grace because I've gone through it. We call it the five levels of CMMC.

[00:33:29] Like, when we were trying to – When I was trying to get into the space years ago in 2021, 22, you know, I kept asking other professionals, like, do we have to get certified? Because I was scared. I had this attitude of I don't want to overcommit my company. And at some point I realized, oh, my gosh, I have to be all in or all out. You have to. Yeah. That is the absolute wrong way of looking at it.

[00:33:57] Like, I've got to be full in or get fully out. What made you? What made you say that? Do you remember? It's interesting. I've got a thought. I'm curious to what Bobby's going to say on this one too. Well, it was an epiphany. I was trying to do it on my own. And I had some crappy templates I bought. And I was kind of letting the wind of CMMC blow me around of just misinformation. I was getting kind of frustrated.

[00:34:24] I was actually – interestingly enough, I was at Summit 7's, which is my – Oh, yes. The CIC or something? Yeah. I can't want to say CEIC, but that's our – Yeah, I know. It's one of them. It's C2. C-2. Is that what it is? No. Anyhow. Anyhow. CS2. That's it. CS2. CS2. But I was at CS2 in Denver.

[00:34:51] And interesting enough, they're technically competitors of ours. You just waltzed in. But also great friends and love those people. And if we're on the battlefield and we're competing, I'm going to try to crush them. And they're going to do the same for me. But when we sit down, they're my buddies. Yeah. Look out on the battlefield, man. You're sending this to Scott right now? Yeah. Look out, man. I'm coming for you. We even have a generic brand Jacob Horn over here. Right. Yeah.

[00:35:21] We got a small tangent for the audience. And I look just like Jason Sprouse. I mean just – We got to tell that story. So we're at CEIC East. And we're on – we walk on the elevator. We turn around. The door's starting to close. And this dude turns around and sees – He sees Adam. Adam. And he goes, I'm such a big fan. I'm a huge fan of your podcast. Yeah, you're the guy for the podcast. Like I'm such a big fan. And we're like, wow, people know our podcast. That's amazing.

[00:35:50] He goes, Jacob, huge fan. And we all – We both look at each other and just bust out laughing. I'm like, well, Jacob Horn, how are you doing today? And I'm over here like, can we have a Jacob Horn? No, we have a Jacob Horn at home. Yeah, we have a Jacob Horn at home. It's out. It was so funny. And I had to tell Jason on their team and Joy as well. They got a good chuckle out of it. It was late at night too.

[00:36:20] Guy clearly had a couple drinks and everything like that at a conference as one tends to do sometimes. It was a good chuckle. It's so good. I really hope that guy is not beating himself up over this going, oh my god, I called the wrong person. No, he's listening to – no, he doesn't listen to ours. He listens to Summit 7's podcast. That's the point. Good point. Never mind that. If he listened to ours, he'd know better. Yeah. Anyway, tangents aside, you were talking about C2 and Summit 7 kind of pushing forward.

[00:36:46] I was at that moment, and I realized I can't do this on my own. I have to fully commit beyond what I was already doing. We are all in, and this is the only way we're going to pull this thing off. And I saw the massive amount of potential for what we could do in the industry for good. And I was just like – at that moment, I'm like, you know what? We're going to budget more money for this.

[00:37:14] We're going to go all in. I immediately started texting Adam because I had had discussions with him at IT Nation some years before, and I knew he really liked NIST and was wanting to get into CMMC. And I'm like, what's the truth up here? Yeah, we had actually talked while waiting to talk to Jacob Horn, the real one. Yeah, right. So I messaged him, and he's like, man, that sounds exciting. I don't know any MSP that's really going after this like what you're describing. You sound like you're fully committed, and as the CEO, he knew that that's going to be the case.

[00:37:45] And so when he came here, he knew we were going to be laser-focused on getting this, and that's really kind of that I think pivotal moment. And he came in, and we kind of looked at what we had, and we were like, this is all going out the window. We just literally hit the delete button on every document that we had related to CMMC. Yeah, we archived it, used it for reference purposes needed, but just started over. Wow. Super fun. Don't recommend it. I don't know.

[00:38:14] But it helped us really get, I think, a much better product that is going to allow us to grow so much better. So it was a good call. Right. On the note of the seriousness of that, too, like that was my moment, too, when I realized that we're serious over here was when I came on board, got that message from me on LinkedIn, and then within a month of that, we'll try to juggle the CMMC stuff and doing security for other clients. And the other client security stuff that we'd already been doing was taking away my time from this.

[00:38:43] You had made the call saying, no, we functioned just fine without you doing it up to this point. We'll be fine with us continuing to do it the way we were doing it moving forward. Focus entirely on CMMC, nothing else. Like that's an expensive, you know, both time and money investment to have a full-time dedicated resource to build and document and handle CMMC. Yeah. Yeah. Well, because I knew that documentation is not my thing.

[00:39:11] And we had the templates from Kiri, but they weren't designed for MSPs. So I needed someone to hot rod it for what we're doing. I felt like it was a good system to base off of, but we didn't – I looked at that and I'm like, man, that is going to take some serious work to get it to where it's really functional for scale for an MSP. And incorporating the tools that are appropriate that we're going to host that we're not going to – because we decided we're not going to use

[00:39:39] any cloud solutions that aren't either FedRAMP or we're self-hosting ourselves. We drew the line. That was how it was going to be. And we just felt like that was a safer path, and we didn't want to have to worry about standing on any potholes or landmines. And so in that – so then I was like – I went down the focus of architecture, design, getting those relationships with other people to bring in to help us so that we're like, all right, here's what Adam's done. Let's do some testing of this and other things.

[00:40:08] And so Adam was able to just put the hoodie on and just focus on the documentation hot rod process, and he crushed it. That was just hugely helpful. Yeah, and I think one of the things that factors into it, back to Kaleigh's original question, I think when it comes to our technology and tools, I think we had that dialed in pretty well. Yeah. We assessed early on, and we figured out a risk assessment process, even a very light informal one, which boiled down to what Bobby had just mentioned.

[00:40:32] I think the one that we – we probably could have been a little more of a stickler starting off, but we corrected over time was just with the team itself. Yeah. We looked at our early assessment from our mock, and we pulled up some of those tickets and said, these notes suck. Yeah. Like, I can't defend this very easily. I have to – it's a stretch for me to defend it. Right. So as we were preparing for our final assessment, we had one of our team members, one of our coordinators go through, and as people were checking off their

[00:41:00] maintenance checklist items and stuff, provided that QA oversight in partnership with what I did to say, is this sufficient? Does this explain what happened? Does this uphold our policy, our practices, our procedures? And even on some of my own stuff, and even some of Bobby's stuff, when we had done work, we'd said, yep, we're done here. She pulled that back up and said, I don't know if you followed this procedure or not. Do it again. Well, it's sort of like you build this beautiful satellite that's going to do all these wonderful

[00:41:27] tests and accomplish this beautiful mission, and then you turn around and start to load it into the shuttle, and it's like, and you're like, Houston, we got a problem here. Yeah. Because, you know, you have this great system, but it doesn't fit in how, as a managed service provider, you're going to support your clients, and your team doesn't understand how to do all of this. And so it's about building those processes and holding your team's hand through how they do the

[00:41:56] ticket templates and how they're putting in the notes and how that information validates and how they're doing the checklists that then build this evidence in the ticketing system so that when it comes time to the auditor, you can just do a quick search, grab this and say, right here, see, this is how we're doing it. Yeah. And even if the auditor says, that's cool that you grabbed the one from last month, can I see the one you did from November down there? And you just go, yeah, sure. Here you go. Yeah. It's just, it's great.

[00:42:23] Once that, that was a, that was a big deal for us to kind of go through and really start to understand, you know, once we had a system built, it didn't quite fit how we operated. So then we had to move how we operate as a company to make sure that we had alignment as well as vertical growth. You know, so many people that I have talked with and have huge trust and we show them the system we've got and they're like, this is amazing.

[00:42:50] But my big concern now is how can you handle the growth that's going to come your way? What assurances can you have that's going to make us feel like you're not going to fold like a lawn chair when, you know, come June. And so, you know, we've got to share, like, here's our approach. Here's how we're doing things. This is, you know, how we're going to handle at scale. And it is, but it's a challenge, you know, but anyhow. Yeah. I think all that, just to wrap up that point and put a nice bow on it, or the term that kept coming up in

[00:43:19] our assessment was square the circle. Square the circle. Every time Bobby hears that now, he's just going to just shudder a little bit, just from the assessment experience. But, you know, going back to it is those procedures and everything that we'd built helped reinforce it to the existing team, train them, get them up to speed, support them through the process. We made sure after our assessment and everything, as we kept pulling that evidence, that evidence kept helping us out to call back to the team members and let them know, hey,

[00:43:47] you guys are absolutely crushing it here. Because it's important to make sure we're highlighting the good, too. But all that really helps build out for us, the simple matter is, as we grow in scale and new staff comes on board, the guardrails already exist. They have the lane to work in. They've got a team that's seasoned and experienced to support them. And they've got the support of Bobby and I to make sure they are still hitting their marks. With the QA oversight as well. You know, and getting back to that overall point of MSPs trying to slowly shift their

[00:44:16] practices over to hitting that mark. We just described an entire ticket quality assurance oversight process for an entire maintenance checklist. That's a lot of work. And most MSPs, especially the smaller ones, just don't have capacity to handle that. Now, that is not a CMMC requirement. That is us making sure we want to make sure that we've got the best stuff that we possibly can and supporting us and our clients, etc. Right. But it helped. It definitely saved the bacon several times over. Yeah.

[00:44:45] I mean, that's a good point. Like, there are so many times where we would sit down and I would say, well, Adam, here's the bar. We're here. Like, we're hitting it. And you're, and you, Adam, you're like, but let, we need to be here. And I'm like, okay, we'll do that. But there was, I can't tell you how many times where it was like, I felt like we hit the bar, but we needed that extra to get that auditor to kind of be like, yep, we're good.

[00:45:11] Like, it was the extra, the extra stuff, like, that really helped them even more confidently breeze through things. Um, and, and, and when they even wanted to dig a little deeper, we had that extra icing on the cake or that, that ace up our sleeve to say, well, in that situation, this is this and this. I was chopped. Yeah, that all called back to our existing policies and procedures too. So it was based in, in what we were doing, just like extra little, little spice. I was, I was a little surprised. I don't know about you, Adam, about how often we had to do that.

[00:45:41] Um, I, it was, they were so thorough and so deep in what they were doing and I get it, but, um, we, I was really glad that we went the extra mile because there was lots of times where we, we had to kind of fall back on some additional validations and checking to say, well, you know, this is how we're hitting it met, but here's additional validations are here and here's some additional tickets where we do this double check. And they're like, oh, that's great. Okay. Check. Yeah. Yeah.

[00:46:08] Cause there was definitely a few, few lines of questioning where they, they did dig a little deeper beyond the requirements. I think it was just as, you know, with NSF at the time, um, you know, they, they were going through, you know, it's, it's, it's February 6th right now. Yeah. Formal assessments have only been authorized for a month and a half. Yeah. Um, so pretty early in the queue. Um, so anyway, so yeah, they wanted to dig deeper on a few things, but to your point, Bobby, about the, how do we, how do we go above the bar?

[00:46:36] You know, if we were shooting for that, we still had to account for the fact that time is money. So how do we, how are we being smart with our time? Right. Are we being smart with our money and are we being smart with our resources? So if you wanted to go above bare minimum, you know, as much as I would love to enter, you know, fully implement a, you know, fortune 500 class security system with all the bells and whistles and everything. We're a small company. Wow. It'd be fun. It'd be a fun adventure. His idea of fun is lost on me. That's someone who's not the CEO speaking.

[00:47:06] Let me tell you. Exactly. I don't have to pay the bills because someone pays them for me. I just got the playing check. Right. But Bobby was really good as we were, as you know, to keep that reined in when I go, well, what if we did this bit? You know, well, how do we do that affordably scalable? Like how does this help? Or yeah, that's great. Not right now. Or there's no way we can make that work. Like just, just move on from there. Like, yeah. So Bobby, when are we doing 853 and going for our FedRAMP? 853. You're a wild child.

[00:47:37] You're wild. Oh gosh. Well, guys, what a mountain. What a mountain to climb. Great work. Pat yourself on the back and then continue to climb. Yeah. Because here we go. Off to the next thing. But we are very thrilled. We're excited. We're also, I mean, I feel like I'm speaking for all of us when I say this.

[00:48:00] I love having this podcast to look back on to see like how far we've come even from our talks at the beginning of this to now. It's been really cool. I hope you guys have enjoyed just us being transparent on this whole journey. We will continue to be that. Also, if you want to stay tuned, ask us questions. If you want to stay connected with us, we have, we all are on LinkedIn.

[00:48:23] We also are going to be at, if you're listening to this before, we're going to be at Seek West in May and we're going to have a booth and you can come and see us there. You can ask us questions. We'll be signing autographs as generic Jacob Horn. The Walmart Jacob Horn. The? Great value. Great value Jacob Horn. No. Give yourself some credit. Do like, what's the one for Costco? Yeah. Marketplace. Yeah. What is Marketplace? Is that what it is? What is it?

[00:48:52] The Skymart of. Kirkland brand. Kirkland. That's what it is. It's Kirkland. That's what it is. Anyway. But if you want to come see us, yeah, make sure to stop on by. We'd love to meet you. We'd love to connect with you on LinkedIn and you can ask us questions. And yeah, well, we're going to be continuing these episodes, talking more about the assessment, what we're doing afterwards, how we're helping clients, all of that jazz. So stay tuned. Follow us.

[00:49:21] And until then, guys, just keep on climbing. Bye. See ya. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.