In this episode, Kaleigh Floyd and Bobby Guerra discuss what CMMC readiness looks like, focusing on the necessary steps for organizations and Managed Service Providers (MSPs) to prepare for compliance. They emphasize the importance of having a solid system security plan, understanding the roles of MSPs, and the need for clear communication and documentation throughout the process. The conversation also highlights the challenges faced by smaller businesses in navigating CMMC requirements and the critical role of MSPs in supporting their clients through this journey.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Today we are going to be talking about what CMMC readiness looks like, okay?
[00:00:26] We have had a lot of conversations with either clients or even other MSPs who have said, oh yeah, we're there. We're almost there. We're about ready. We're almost ready. And so we just wanted to sit down and we wanted to share what we consider almost ready and what that looks like in the CMMC space.
[00:00:54] Now who's going to get the most out of this episode? I would say there's a few different groups of people, okay? There's going to be people that are themselves getting ready for CMMC. So you can kind of gauge where your company is at. More specifically, if you're an MSP, you'll definitely get a lot out of this as well. But also if you're a company that an MSP is working with,
[00:01:23] so you have an MSP that is walking you through CMMC, these are also ways that you can gauge if they are ready themselves and how ready they are for your company or their own company. So there's a couple groups of people that can get a lot out of this today. And I'm very excited for this. Bobby's going to really be leading the charge because I think that somebody that has gotten... I'm really passionate about. Yeah.
[00:01:50] I'm really passionate about because there are times where... And you've done it. Well, yeah. And like we were at Seek East and I can't tell you how many people I've run into. And they're like, oh yeah, we're really close. And then as I start to go through the conversations with them, you're like, okay, so your SSP is written on a napkin. And that constitutes as... I mean, like... I mean, that's extreme. You've got to dream about your policies and procedures one time. Right. I mean, that's extreme. But my point that I'm trying to make is like a lot of times if you're working with an MSP,
[00:02:20] they'll be like, well, we're almost ready anytime. You know, like what does that mean? So we're going to define that today. So that... And you can kind of reverse engineer the list of items that we're talking about. And so if that's what your MSP is saying, that they're ready, you can start asking these types of very specific questions. And if you're an MSP and you're like, well, I think I'm ready, walk through this list and we can kind of help you try to understand what that sort of means. Because there's a lot to it.
[00:02:50] I mean, we've talked about it many times, Kaleigh, right? There's two different mountains. There's the mountain of the MSP getting certified themselves. We're very passionate about MSPs needing to get level two certified. There's plenty that I know that are going to try to walk that tight rope. I think that's a very bad idea. And that's a whole other podcast to talk about. And then there's the second mountain for the MSP. How are they ready to help their clients get to level two? And so we're going to talk about both of those, which is really exciting.
[00:03:15] Let's first go into the broad section, which is for most any company that is getting ready for CMMC and what that readiness looks like. Okay, so we've got five things that we want to discuss. The first thing is design and scope. And we did put those together. And when you say that you're almost ready, we would assume that your design and your scoping is done, right?
[00:03:46] So talk a little bit about that and what you mean by like done in that sense. Yeah, like you said, we'll briefly go through these. But your design and scope is really the blueprint, the foundation of what you're going to do. You've got it done. You've had appropriate people look at it. You make sure that this is good. Your scope and design are going to take some significant time to adjust if you get it wrong. So this is where you want to make sure you get it baseline right. Right. Once you have that done, that's what you're building up from.
[00:04:14] So that's going to be like what is in scope, what is out of scope, what tools are in there, what processes, what procedures, what policies, like all of it's, it is the Prego sauce that you're putting everything into. It is what is all in that part. And then as an MSP, you're thinking about, okay, as you're building that, you've got to be thinking about the next mountain because what you're building, you have to think about, you're going to utilize to support your clients. Right.
[00:04:41] So this is when you should have already drawn the line, whatever that may be, and section out the parts that should be in and should be out and that kind of thing. So then you talk about the second thing that you said is the design built, which is different than the scoping and design piece.
[00:05:06] So the design built, what do you mean by that when you say built up? Yeah. So, and it kind of goes in hand in hand with some of the other ones that you have is once you've sort of built your design, you really have two different ways of thinking about this. You can have multiple people and staff members in your organization attacking different perspectives that we're just a second about to talk about. One of those is building that container of where that data is going to sit and where those tools and other things that you're going to be utilizing out of.
[00:05:37] Like that's what you got to do, that technical build piece. But then you've got to think about, you know, policies and other things. So is that going to be one person or a group of people that are going to be working on? That's something you really need to think about. So what you're saying is at this part, if you don't have people that have names on things that are knowing what they're doing and what they're structuring, because you have to create these things, then you are not almost ready, right?
[00:06:07] There's a certain amount of train cars in each of those categories that go. And if you have assigned them all to one person, that is one long train car that is assigned to that one individual, right? Yeah. But if you can start breaking out, and that's where part of the expense of CMMC starts to really kick in is because typically you need multiple people to pull this off. Because if you want to get it done in a year or less time frame, you're going to need multiple people because as you start hashing up the responsibilities, then you can start talking about eight months, six or seven months.
[00:06:36] But if you're like one person's doing it all, I just don't see how that's reasonably possible to do in a year, unless that person has done it many, many, many times. Right. So then the next part is an SSP should be written. That addresses all 300. That's the policies, right? Yes. Right. Yes.
[00:06:56] So the system security plan should be written out to actually address all assessment objectives, right? Not just like partially written out or three quarters of the way through. Like it should be built, right? Yeah. An SSP is like the ground fighting.
[00:07:22] That is where you're going to be in the trenches fighting your explanation of how you're going to do it. It is the table of contents that branches out into the policies, procedures of how you have those things outlined. Multiple, multiple pages. I think ours is like 200 and some change long. Most organizations, if they have addressed all 320 assessment objectives, plus there's DFAR clause type information that they want to have in there about incident response and other types of things that you want to have in there.
[00:07:52] Then you've got your network design. Also, you've got to have your CAGE information in there. There's all kinds of things. So you have like a preamble and a lot of times organizations have appendices in there of different things like where you might list your ports and you've got to have your hardware. There's just the list just goes on and on. It is a very long, voluminous document that points to many other types of documents. And so that's where you've got your person working in your design and architecture. You've got the other person doing your policies.
[00:08:20] And then what you'll do is you'll have additional project pieces that will probably have to happen that you may not have thought about that are outside of just the scope of what you're trying to do, like getting your contracts and agreements lined up and all a bunch of other things. Right. So I feel like, you know, it's important to also note because you talked about this just for a second,
[00:08:46] but the policies and the procedures linking to the SSP, all of these things, it's a lot of statements, right? You're stating a lot of things. You're saying we're doing this for this and we're doing that for that. And this person does this. And there's a lot of statements. But then the next piece of it is you have to start actually doing those things, right?
[00:09:15] Because they are going to, you know, they're going to ask for more information than just that. And you're going to be, you're going to have to be able to talk about it as well too. Your system security plan should be written in such a way that the auditor should find it almost comical to continue asking additional questions. That's an extreme.
[00:09:41] My point is, is like each objective, you've written it out in such a way that typically they would look at in their mind, they go, well, I need to ask some more stuff. But man, that pretty much nailed it. I feel like that explained how you're doing it. Not, we will identify users. That's a promise. That's not how you're doing it, right? You know. You would say we identify users by. By doing these things, this activity. We're using these, you know, we have these tools. This information is this way.
[00:10:11] Different controls really require some heavy handedness on getting into more detail. Others tend to be more straightforward. But you really need to speak to that. And then the policies, you're going to call out to that. And then the procedures are how you're actually accomplishing some of those specific tasks in the trenches.
[00:10:32] And if you, when it comes to the evidence gathering situations, if you want to consolidate more of who's being interviewed and those types of things, if you have the procedures and those activities that are happening, if they're tickets and you can have records of that, you know, providing that. Of people actually doing those historically, that can help save necessarily having to talk to a whole bunch of different people. If they're like, well, I can talk to people. I can literally look at the work that they did. Right. And know that they did it.
[00:10:59] Because that's how they really did it in real life. Versus let me go interview these people and talk about how they might do it where I can actually see the evidence of how they did it. But that doesn't mean they won't still want to interview and ask questions. But, you know, if I was an auditor, I would prefer real life over, you know, theory conversation, just seeing mentally if they'll answer the questions the way I think they should versus here's that person's actual activities doing things. Mm-hmm. Mm-hmm. Yeah.
[00:11:29] And so, I mean, you said it perfectly. The last thing that we're going to say is evidence that you are doing all of those objectives. And they're going to, you know, if you're doing an assessment by a C3PAO organization, they're going to be asking for those things and looking for those things. You can't get those things unless you're actually doing them. So that's why the part before this comes first.
[00:11:57] And then you gather the evidence. So you do those things, but then, you know, screenshots or documents or, you know, whatever that may be to gain the evidence for that objective so that you can store that and make sure you have it ready for the assessment time. So, okay, do we hit them all? Do we do them? Boom, boom, boom, boom, boom. Yeah.
[00:12:20] I think just to put a little bow on the evidence piece, a lot of times people are like, well, why is it, you know, eight months to accomplish when I think you could probably do it in six or you could do it in seven? A big part of that is if I have a perfect, you know, apartment, but I haven't changed the air filters. I haven't mowed the grass. I haven't taken the trash out. Like we just moved in. There's no evidence that this house has been appropriately maintained and lived in. And it takes some time to do that.
[00:12:46] And it usually takes a few months for you to try to, I mean, that is like really knocking it out and getting to it. You know, your tabletop exercises and the, you know, some of the log reviews and the assessment review, all of that stuff needs to happen so that you have those things done. And if you just built it, it's very difficult for you to accomplish all of that.
[00:13:07] And the auditor just like, so now I'm supposed to, I mean, I know you have the policies, but, you know, you haven't, I don't really have any evidence that you really stood up anybody other than the two people that you have that's talking to me right now. And that doesn't mean they can't do that. It just, it just makes it a lot more challenging for the auditor to wrap their head around it. Right. Yeah, totally. You just reminded me that I need to change my air filters as well. So thank you. Thank you so much. Do that. Yeah. PSA.
[00:13:37] You're welcome. Yeah. So, okay, let's go into the second part of this, which is more geared towards an MSP. And the reason that we're saying this is because if you are an MSP and you are getting certified, level two certified yourself, you are most likely doing that, not for funsies, but because you have clients that are going to be going through it as well. And you would like to assist them and help them as much as you possibly can on their journey. Right.
[00:14:04] So let's talk about what Almost Ready is for servicing clients. Right. Because that is a whole nother mountain. And let's just talk about, let's say that you don't want to get level two certified. A lot of the stuff that we're going to talk about, you still need to be able to do because you're going to be part of that client's assessment. Yeah, you can't get out of these things. Yeah. A lot of what we're going to talk about, you're going to have to do. So if you're like, let me just see about the bare minimum I can do because I still want to be involved in the ecosystem.
[00:14:33] If that's the path you want to take, you're not going to be able to dodge much of this. But we'll see. Well, yeah, good luck, I guess. But OK. So the first thing is both SSPs should complement each other. Now, you said two SSPs. Right. Now, that's confusing because the first part, there was only one SSP. So now we're talking about multiple SSPs. I'm curious. I'm curious. What do you think? I want your opinion on that one.
[00:15:00] So your client also has to have a system security plan, right? So it does not just involve your system security plan, but also theirs. And the reason that they need to complement each other is because there are tasks that your client needs to have done for their organization that you are going to be doing as the MSP.
[00:15:26] If there aren't such things, I don't know how much of an MSP you are, honestly. Right. If you do not do some of these things, at least just a few of – I mean, we do a lot. But at least just a few of the things that are going to be in their SSP, I really don't even know if I'd classify you as an MSP because it has to do with security. It has to do with setting up workstations, setting up users, things like that.
[00:15:55] So they need to be able to complement each other, which means the same verbiage from you as an MSP should also be the same verbiage for certain things on your client's SSP, right? Yeah. For us and how we did it is we had inheritance statements that are written on our SSP and on our client's SSP. Our statement, we're like saying, oh, we're inheriting from Microsoft in this component or this component.
[00:16:22] So we're specifically calling it out trying to help the auditor wrap their head around specifically about how some of the things we feel. We want to really rub the auditor's nose in our approach to how we do it. An MSP should literally have both SSPs for the most part – they should obviously have theirs already written. Right. They should have one that is pre-written already with all that connection in mind about how it's going to be done. And you're just connecting the dots with the client and what they're doing.
[00:16:51] If you're like, oh, we'll just figure it out when we get there. Dude, seriously, like that is crazy talk. Yeah. You cannot build the bridge as you're moving them across it. It won't be efficient. It'll probably end up being a snake versus a straight line. You know, I mean, it is just – you are – so if you're talking with an MSP, like show me the template that talks to yours and how they connect together. Yeah.
[00:17:17] Like don't even sign up if they don't have that because they need to have that connectivity ready to go because it – that shows that they're thinking about you. They're thinking about what you're going to have to go through. So you want to make sure that you have that connectivity done. So you want to have that system security plan that's a purple technique. And in the middle is the matrix that I think we're supposed to talk about next. Yeah, we sure are. Not the movie. Not the blue. Not the blue. I feel like it though. Yeah. Okay.
[00:17:45] So the matrix, the shared responsibility matrix, right? Mm-hmm. That should explain who's doing what. What is being shared? What is specifically connecting with the MSP and the client? And if you don't know what this is as an MSP, you are not almost ready because this is critical. This is so critical to know.
[00:18:13] Like you don't want, you know, Bob thinking that the client is doing this thing when actually Bob's supposed to be doing it and then it never gets done. Then you can't create the evidence for it. And how can you be prepared for your client's assessment if you don't know what's going on? So I could not imagine somebody being almost ready without having this prepared as well. Right? Absolutely. And the matrix, in my opinion, needs to be broken into two categories.
[00:18:44] It's basically the infrastructure that is being provided by the MSP and the services being performed by the MSP. Mm-hmm. And those are things that they're responsible for because MSP is going to have really those two different kinds of things. Infrastructure provided would be like, oh, I have the application allow listed hosted in my container, which got assessed and under my level two. And I am providing it to the client.
[00:19:11] So therefore, because my level two got assessed and it was part of that assessment and it's absolutely what I'm providing to you, most C3PAOs would look at that and think to themselves, that's a straight inheritance. Right. But if a service is performed, in other words, the level two MSP is hopping on and doing things for those, that's where it gets a little bit more interesting. But if you can start appropriately separating them, you're starting to think about how you can help the client shorten their assessment.
[00:19:41] Exactly. So your matrix really needs to be broken out and you need to see some more definition about that. Mm-hmm. Yeah. Yeah. It's like so easy for the assessor to walk in, see the difference and be able to quickly tell, you know, what he needs to dig more into potentially and what doesn't even really need to be touched that much. Right. Yeah. I definitely can see where that would be beneficial where you always say your goal is to get them in.
[00:20:10] And get them out. And get them right out. And don't keep them there. The infrastructure provided and the services performed, those aren't technical terms that you see specifically referenced in the CAP or anything. Those are just internal things that we have started thinking about as we've really been spending a tremendous amount of time, how we can make this as short as possible for our clients. And it just starts to become self-evident that, like, this is sort of how things start to fall.
[00:20:35] And, you know, you really start to have to think about those kinds of things to try to help the client and the C3PAO because they've got risk they have to think about when they're saying met or not met. You want to try to help them as best you can feel like, oh, I have no problem making this met now. Right. Based on how you're attacking it. Yeah. So let's talk about the next one, which is the legal agreement must incorporate 32 CFR and DFARS. Well, cause it. Wait, hold on a second.
[00:21:05] Are you telling me legal has to get involved with this? Like you're telling me I need to talk to a lawyer? Right. Yeah, it is. It is a, it is a thing that I think a lot of times gets very little focus on the CMMC ecosystem is the legal connection between the OSC, the people getting assessed and the MSP.
[00:21:28] The MSP needs to have a very well-written agreement that speaks specifically to how they incorporate the shared matrix between them and the client. And it needs to talk about the responsibilities. If things go south, how you unwind it. If you have to depart from your MSP, like a lot of that needs to be defined and gone through about that. So when you're engaging with your MSP, you really want to understand how all that is going to work.
[00:21:57] You want to see in that agreement that there is appropriate service level conversations and just, you know, how that's going to happen and that it's appropriately referring back to the matrix so that you're like, okay, we have appropriately come to an agreement legally as well as by handshake and how we're going to get this done.
[00:22:21] Because CMMC is no joke and you want to make sure that everybody has looked at it from all perspectives. And then you have DFAR, like who's supposed to report those types of things. If there's an incident. Right. All that kind of stuff. Yeah. Well, we've said it before and CMMC is not cheap.
[00:22:41] So I definitely can imagine covering, you know, your tracks and making sure that you have everything thought through and you don't back yourself into a corner because that would be a very bad day, I believe. And people love to yell at MSPs. So I think that would maybe just being safe with that would be good. Okay. So let's talk about another part.
[00:23:06] And I love that you added this in here because I even said to you, doesn't everybody do this? And you're like, no. But it is having KPIs, so key performance indicators and profitability. Profitability. Oh, yeah. I said that right. Does that not sound like a word? No. Profitability tracking. So MSPs don't go broke, right? Right. So what does that mean? I think, well, I think it's self-explanatory.
[00:23:33] It is probably one of the biggest questions most MSPs when they're talking with me, when they're thinking about this, is like, all right, what's this going to cost me? What is, how much effort is this going to take? Because they don't know how big the hill is going to be, how much their wallet is going to get vacuumed out by the CMMC vacuum cleaner. And they want to know what that is because they don't want to get a quarter away, what they think is a quarter when it's actually only one-tenth of the way.
[00:24:02] And they're not even close to halfway, and they realize, boy, did we screw up. Right. So you want to just get a better idea. The MSP is really thinking about how they've done the metrics of the cost, that they have plenty of money in the bank to back up all of this journey and process. They have everything because you just don't want them to exit stage right because we're getting more and more references and referrals or people coming in and talking to us going, hey, our MSP just told us that they can't do it now.
[00:24:32] And they said they thought they would. Now they have exited stage right. And what am I going to do? How can you help us? And so, you know, you really want to start asking those tougher questions to your MSPs. And or if you're just consulting or looking at possibly engaging with one, you just want to know. So that's why having the level two is super helpful because you've already known they've made the investment, right? They've already gotten there and they got the certificate. Now you don't need to worry. Yeah. But if it's like, well, we'll get it in June or we'll get it.
[00:25:02] We're good. We don't need it. We'll help you, though. And you're like, how do you know that they do? You just don't. You're just going to have to take them at word value and hope that that savings they're passing on to you is really worth something other than just an IOU that you'll never be able to cash because it's written on Monopoly money. And that's just not where you want to be. It's just not.
[00:25:26] And what I would not be surprised is some MSPs trying to do this will go out of business because if they try to go at it and they don't really look at it seriously, it will wreck them. Yeah. Because there's a tremendous amount of requirement and obligation for the MSP, and they have to be able to track the time and effort that they're doing, the profitability, what they're doing, and they need to have the work chest to back it up to get it done. Yeah.
[00:25:54] So the next part is a process to support the client that doesn't compromise their posture. Right. So when you're saying that, when you're talking about the client's posture, what exactly are you meaning to preserve there? Well, it's just the simple things that MSPs take for granted being able to do. How are you going to remote in and support them? Yeah. It's a remote access. Like literally that is one of the controls that has to be addressed.
[00:26:18] And if you're doing it for remote and how you're going to support them, you have to do something, some type of remote connection through FIPS. Which if you don't know what FIPS is, then it is the pain of everything. It is basically the validation of the encryption.
[00:26:35] You have all these types of different encryptions, but FIPS is basically the FIPS 140-2 and 140-3 is the mechanism that the NIST uses to validate the encryption is okay. It's not a certain kind of encryption. It is just a stamp of approval that the encryption is okay, that it's not sending secret packets to like China and that somehow it's compromisable and those types of things.
[00:27:05] So I mean it makes sense, but the problem with FIPS is it's just so difficult for people to get modules certified that their encryption is okay. It just greatly slows down the process for people that are trying to get software developed, and that's the reason why part of the ecosystem is so void of good products is because of FIPS. Well, the MSP has got to think about how am I going to support you in a way that isn't going to compromise you? Because the auditor is going to go like, okay, so you've got an MSP.
[00:27:34] How do you remote in? Oh, we use ScreenConnect. Okay, where's that ScreenConnect at? We have it at ConnectWise's place, so you're having it hosted at another – who's that organization? I mean the auditor's mind just kind of goes – and you just opened up Pandora's box. So you've got to really think about like how am I going to support the client in a way that isn't going to make me become the star of the show and not in the good way.
[00:28:03] I want to be able to provide value to the client by answering those questions in a way that makes them feel very comfortable and they're just like, oh, these guys really have their stuff together. And so it's things like how are you going to handle the tickets, the ticket flow? How are you going to close that? How are you going to do the maintenance? There is almost 100 items that we have to do for the client that are broken up into weekly, monthly, quarterly, all that kind of stuff.
[00:28:33] And they haven't even picked up the phone. Those are activities that we're doing on behalf of the client to make sure that they're compliant. And I haven't even handled the first support ticket yet. So those activities have to be tracked and monitored. So you've got to really be thinking about that. So when you look at just trying to help a client, it doesn't quite look as hard until you start thinking about the reality of really getting it done and doing it at scale. That's what I'm talking about. You've got to really get into that and think about how to do that. Yeah.
[00:29:02] And there's just so many MSPs that I've talked with that are just like, well, I just want to get involved in the ecosystem. I want to help. You know, you might want to help as a lifeguard, but if you don't know how to really swim very well and you don't have, you know, the training and the teaching and the other stuff, you're just going to be a boat anchor. And so you just don't want to be that. Yeah. Well, you touched on this a little bit. So I want to continue with that next point, which is having a checklist in a scheduled cadence to do that.
[00:29:31] It is maintenance that is consistently needed when you are, you know, being or continuing being certified for CMMC compliance. It doesn't just stop at an assessment, right? So like almost ready for an MSP means you also have to know what you're doing for the maintenance of it because the client's not going to know.
[00:29:57] At least we have not met a client that knows yet, but they need your help to support that in the background the entire time. So you can't just pull that out of your butt. You got to actually have a list and have a process for that. And you should ask your MSP, like, so you do have a maintenance checklist of activities that will help me get compliant. Oh, yeah, we do. Can I see it? Yeah.
[00:30:24] And they're like, well, it's proprietary. How? Oh, OK. Do you want to sign NDA? I mean, like you're putting your life on the line here when you're engaging with an MSP. So I would feel comfortable with getting NDA out of there. Now show me what you got. Yeah. Because I can't just sign on the dotted line, get three quarters of the way through here and realize that list is like four things. And we're going to work through it with you and define those. No.
[00:30:53] I mean, there's no. A lot of this can be scalable. Right. It's not going to be scalable. You've got to already have that figured out. Yeah. You have to. It's just, you know, a wheel is a wheel. You know, I'm like, I think we can make a triangle work. Um, really? You know, no, not really. So it's a wheel is a wheel. That is like, so there is a certain checklist activities that have to happen.
[00:31:18] This is not possible for you not to, that you have to accomplish, uh, for the client to make sure they're going to get done. Example, tabletop exercise. Training. Background check validations that they're being done. Routine assessments that have to happen yearly. I mean, there's the list just goes on and on and on and on of activities. Those all have to be accounted for. Somebody in the MSP's team has to be, you know, because it's the matrix says they're supposed to do it. It's got to be assigned to the person.
[00:31:45] These are all things that I can't tell you how many times the MSPs are just like, I'll just figure it out. Like, no, you can't just figure it out while you're working with the client. You've got to have that defined when you're engaging with them because you're never going to get them there. The goal line will always move forward and you will never score. Uh, and they will be in an infinite loop waiting to land and it'll just be a bad day for them. So ask for that. Like, show me the, the, the list. If they can't present that to you. If they're like, well, we've got a really cool matrix. Okay, cool.
[00:32:15] Do you have an SSP ready for us to adopt and start working in? You know, like these are things that are very reasonable questions to ask. And if they can't present that to you, run. Right. So another thing that they should be able to present or at least explain very well is the onboarding process. When it comes to onboarding a CMMC client is going to look different for an MSP than the average client.
[00:32:44] So do they know how to do that? Can they tell you, you know, the stages of it? Um, how long it would take to onboard your company. You know, they should have rough estimates of that. It's not going to be like, you know, they're pulling it out of their butts as well. They've, they should know based upon the information that they already have from you about how long it should take. Yeah, our onboarding meeting, our clients are just off the bat or like, whoa, man, this isn't like we've got it.
[00:33:13] Draw it down. Here's the things. Here's the specific SharePoint site that we have that allows us to collaborate securely in our DCC tenant that we have. We've already got the POCs that have the appropriate, or point of contacts that have already been authorized to have access to it. We have policies that address how they get connected. We get that information shared, the onboarding process is marching down and it's just, you know, we need this information, this, this, this, and this.
[00:33:42] This shows that they've put a lot of thought in how they're doing this. And it's going to save the, the company, you know, that is engaged, that MSP that they're engaged in. It's going to, it's going to save them a lot of time. Mm-hmm. And, and so it's not just onboarding as far as in getting them on board. It is about bringing them into the fold, whether they already have a compliant environment or not. Like sometimes clients come to us and they have nothing.
[00:34:09] And sometimes clients come to us and they have already an established DCC. How are you going to move them to mission ready to be assessed? Mm-hmm. So you've got to take that project piece of it too. Right. And so that onboarding that we have, we've written it all the way from the start of the first meeting that we have all the way down to they're standing on the podium. Right. We had to go through and write that process. And is it perfect?
[00:34:39] No, we're continuing to refine it. Like everybody is learning about CMMC to some extent as we're doing it because assessments are starting. But that doesn't mean you can't have these documents already built. That doesn't mean you can't already put your best foot forward in there and then continue to refine it. Don't go, well, we're not 100% sure how it is all exactly going to do. So we'll just make it all up as we go along. No, you can get 90% there. Yeah. And, you know, have the additional 10% refinement on it. Don't just throw your hands up.
[00:35:06] And so like ready, like almost ready as an MSP to support a client is doing these types of activities well in advance so that you're not learning on the client's dime. Exactly. Yeah. So the last thing that we have is the process to move the client through the three stages. So you should have a handle on that process and how to move through it. There are many clients that are coming to us that know barely anything about CMMC.
[00:35:35] And we're educating them as well as going through this process. If they can't take you through the process, you know, it's – Right. There is a very big disconnect there because especially like how we said before, we believe that if you're an MSP that's going to work with clients through this, you should go through it yourself before and then take your client through it. So they should be able to tell you that process and how they can move you through it because they've already done it themselves.
[00:36:03] You know, so I feel like that's a huge tell if they can talk you through that process. So what's your opinion on it? Yeah, I agree. See, we've met with what, two or three clients just today that we went through. And I just feel – I feel sad for them in some perspectives in that it's a scary – it's scary. Yeah. Yeah.
[00:36:26] To – they're spending lots of money to try to navigate this water and there is not a clear path for these people. And they're like, gosh, they seem like they really know what they're doing and they have all their ducks in a row. And we try to be very transparent as we're talking with them and we're like, here's the reason why trusting us is good and here's the different points that we talked about, the stuff that we just talked about in this podcast. We're listing those out. We're talking about how we're getting level two.
[00:36:56] You know, we just finished our phase one and got approved and moved to phase two. So this month we're going to get hopefully pass the last phase of our certification and we'll be level two. So super exciting. The time of this recording, that's where we're at. Like – but they don't know those things. Like they only know it because we were transparent and shared it to them. They just by blind luck of doing searches go, hey, Axiom seems pretty good. Let's connect to them. And then like, okay, congratulations.
[00:37:26] You found one of the few MSPs that will get level two certified this year in the country. You know, there's not going to be many. I would be shocked if there was – many is 20 in the country in this first year. There's just not going to be many because it's just really hard to do. But those people that need to get us – like to get level two certified, they don't know that. They don't know those types of things.
[00:37:48] And to think that those potential companies, those SMBs trying to go out there are going to magically find the right people, the right implementers that know how to do it and are going to do it the right way ethically and get them where they need to be, that's a tall order. You know, we – before we went into the holidays, we gave a quote to a client and they're like, well, you're the first person we talk to. We're going to go talk to a whole bunch of other people and see if – I'm like, okay.
[00:38:19] Yeah. We don't do that. But the problem is we tried to outline about like how you need to qualify these people because there's plenty of MSPs that you can find that will say, yeah, we'll help you and we'll take your money. But they're not really truly qualified to get you where you need to be. Right. And so you just really need to be super careful about that and make sure that where you're at.
[00:38:43] And there are some good friends of mine that have their own MSPs that know what they're doing and they really have it dialed in and they're going to help you. And we're cheering on for each other. We're texting each other about where they're at in their level two process. I'm like, man, way to go. You know, we're rooting for them. You know, so it's not that we're trying to keep – we want more people to participate in that space.
[00:39:07] It's just very difficult and a lot of them just don't want to take the effort to do it, but they still want to be involved. And that door is going to close this year as more people start to go through their assessments and those people that want to participate but aren't really fully committed, that's going to come clear as they start to run up against the walls of the assessment. And it's going to reverberate through the industry, not in a good way. Yeah.
[00:39:33] If you are a person – if you're a company that is listening to this right now, let's say you're an MSP or you're just, you know, an organization seeking certification, you know, and you are stepping into this journey or going through this journey.
[00:39:51] If you're thinking that we are a humongous company of 300 people that is speaking down upon you and has millions of dollars to devote to CMMC and we're excited to take other people's money about this, you are not in the right place because we are a small business.
[00:40:14] Just like many of you guys listening to this, we had to go through ourselves and it was not easy and it still is not easy. But we have a heart for SMEs that are going through this because of it. And we have a heart for the mom and pops who are a three-person company doing government contracting work and they've been doing it since 1982, you know. Yeah. And we – I love those conversations with those people. Yeah.
[00:40:43] Because we're family-owned too. That's how we operate. There's only 16 of us. Right. So we're not shying away from those people. We have a heart to help those people and do the best we can for them, make it as, you know, cheap as we possibly can make CMMC, also make them as efficient as we possibly can with our policies, our procedures, and our templates that we've already created, you know.
[00:41:10] And I think that's just – we need more MSPs that have a heart like that that are doing it right too. So, you know. And reach out to us if you want to know more about that. Yeah. I try to be as transparent about that. MSPs, CyberX, like Brian Hubbard, his team, they're great. Mm-hmm. And you can get involved in that. Brian's a great resource. But you really have to fully commit. Yeah. Don't sort of be pregnant.
[00:41:39] Like you're either are or you aren't. So you either fully commit. Well, I mean that's not a great example I guess. But that's how like they think, well, it'll just be like another service offering. No. It's like if you as an MSP are going to commit to this, it's going to transform your MSP. Yeah. The way you do business. It can't. Yeah. Do it any other way. It's going to transform you. So you have to just hug that. Mm-hmm.
[00:42:06] And if you're not in for that, then you should not be involved in that. And guys, this is hopefully beneficial to you and helpful to you. We made this podcast episode because this is the kind of questions that we get the most. And so we want to focus on it as much as we possibly can for all of you listening. If you have any other questions, thoughts, comments, we're on LinkedIn. We're on YouTube. You can send us an email. Anything like that.
[00:42:35] Go onto our website. Ask us questions. We're ready for it. We're ready to help. If you're an MSP trying to figure out what to do. If you're an organization seeking a certification in CMMC, just reach out to us. Let us know. And, yeah, make sure to tune in next week for another episode. We post every Thursday. So make sure to tune in every Thursday for season three of Climbing Mount CMMC. That's crazy. Season three. Season three. We're here.
[00:43:05] We're doing it. This is, I guess, the second or third episode. I'm not sure. Yeah, this will be the third episode of season three. That's exciting. Crazy. Well, thank you guys for listening. And remember, as always, to keep on climbing. See you guys. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing. Keep on climbing.