What is CMMC?
Climbing Mount CMMC, March 15, 2024
Episode 17 (00:33:40, 23.15 MB)


(Season 1 Episode 17) In this episode, Kaleigh and Adam discuss the beginning of CMMC and what it is exactly. If you're starting to see this acronym a lot and don't know where to start, this is the perfect video for you.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back climbers, I'm your co-host Kaleigh Floyd and this is another episode of Climbing Mount CMMC. In today's episode I talk with Adam Evans about what started CMMC. We talk about the basics and how it might affect businesses around the United States.

[00:00:21] I've learned so much from this podcast and I hope that you guys do too. Let's get into it. Hi guys and welcome to another episode. Today I am now in the front of the camera. Bobby has

[00:00:36] allowed me to come into the light. So we are going to talk about a subject that I've been really excited to discuss with all of you and it's really just how did CMMC get started? So without further

[00:00:49] ado let's get into the subject. I have Adam here with me so Adam let's talk about how this whole thing started, this journey of CMMC. Where did it all come from? Yeah so it's I'm weird first off and I find this really fascinating to get into as especially

[00:01:07] someone who loves history and loves context and the understanding of why something is. So there's a there are fantastic resources out there and kind of I wanted to summarize some of those. So if we think about CMMC and where it comes from we've kind of got to think

[00:01:22] about what the purpose of CMMC is and we can kind of work back from there. So CMMC is designed around safeguarding the confidentiality of controlled unclassified information. That's a mouthful. A little bit. So where did that all come from? Well unfortunately you know we all know what

[00:01:38] happened on 9-11 and in subsequent investigations that came out of that the government realized that they needed to share some information a little bit. That information was sensitive so you know they wanted to keep it private but it wasn't classified. That meant they had some

[00:01:53] possibilities to share it around between governmental agencies, contractors etc. But there wasn't really any strong rules around it. Kind of before they were keeping things kind of locked up you know and vaulting key and they realized they needed

[00:02:06] to share a little bit more to prevent bad things from happening. So that started to happen which was great but they realized that hey they needed to do something for security. Around that time as well a few other executive orders kind of came through. Charged the National

[00:02:20] Institute of Standards and Technology to creating some security safeguards and standards which if we look at the history of cybersecurity you know those governance frameworks kind of came in a little late to the party. Usually bad things would happen you know malware would be created

[00:02:35] or you know hackers started going about doing hacker things and the legislation always came after the fact. I mean we kind of still see that today you know with things like you know regulating social media and whatnot. But anyway so those executive orders went through some programs

[00:02:54] were established and this threw it up a really cool document called NIST 800-53. There's a lot of stuff in 800-53 and it's it poses a lot of really good security objectives and things to ensure confidentiality integrity and availability of that information. So as part of our economy

[00:03:11] and government and how we all work you know we spend a lot of money on military stuff right. You know where we kind of have military bases everywhere the most advanced technology.

[00:03:20] We've got a lot of cool toys in the toy box. And then we started noticing that countries that weren't so friendly to us started having weirdly similar looking toys in their toy box.

[00:03:33] And that concerned you know lawmakers. I think the most shiny example of that is we spent billions of dollars on this fighter jet called the F-22. Yep I'm an aviation nerd and we'll probably

[00:03:45] you know geek out over that so I'm gonna stop talking about planes very quickly otherwise we'll be here all day. You'll lose me quickly. You'll lose me fast. But anyway we'd spent billions of dollars on this fancy you know flying machine and it was supposed to

[00:03:58] be our most advanced fighter that we've ever built ever still is. And then all of a sudden we noticed that China had something that looked very very similar in a lot of different ways and we got a

[00:04:12] little concerned so the government started doing some audits looking into what could have possibly happened. And in that process they realized we were leaking information left and right. All kinds of sensitive information was just getting out. And you know you think okay did China hack

[00:04:29] into Lockheed or Boeing or any one of those big huge companies. You know they've tried there's been cases and instances where they may have tried to do that with limited degrees of success. But our adversaries realized very quickly they could just go after people that

[00:04:44] Boeing buys things from. So that concerned all those subcontractors and those subcontractors being small medium businesses and organizations that don't have a Lockheed Martin style budget. They didn't have those kind of security safeguards and that made them a ripe target for those

[00:05:00] adversaries with all that sensitive information even speaking from my own history of stuff. A client I worked with years and years and years ago a user there said hey can you recover this document from our backups and everything. Yeah sure buddy here you go it's

[00:05:14] right there on your desktop. Well can you open it up to check to see what it was. It was definitely a sensitive document. And I'm over here like this is a super sensitive

[00:05:24] document. I probably shouldn't be seeing this and you told me what your password was to check what it was. And it wasn't a good password. So that kind of paints a picture of where did

[00:05:39] things get started where did it come from. So the DoD tasked NIST with coming up with those security safeguards. They looked at NIST 800-53 and well that's a lot of security controls a whole bunch of stuff in there. And the Pentagon said you know we really only care about

[00:05:55] just keeping this information secret and make sure only the right people can see this not the bad guys just our people. So a whole bunch of hearings and you know working groups and sessions and smart people got into a room together stripped out a whole bunch of stuff

[00:06:07] from 800-53 and NIST 800-171 was born. And that again is you know protecting the confidentiality of controlled unclassified information. So the government said hey if you want to do business

[00:06:21] with us you need to follow this and do it. You know it's in our contract terms just go forth and secure right. Naturally everyone said yep sure thing boss we did the thing we're good thumbs

[00:06:31] up let's go. The problem didn't go away China kept showing up with you know fancier tools that looked more like our things other countries did the same and it never really got better. So

[00:06:43] the government looked at that and said okay you guys didn't do it clearly so we're going to put some extra stuff in place. So they came up with the you know the SPRS score your supplier risk

[00:06:52] scores I forget the full acronym off the top of my head right now but essentially that score that everyone has to go through a test to and say here's our score. A whole bunch of businesses

[00:07:01] came back again and said we got a perfect score look at us because you know they're self-assessing everyone self-assesses and when you know think back to when we were all in school

[00:07:09] and you know the teacher said grade your friend's paper you all got a hundred percent didn't you? Same thing happened in the business space. So the government looked at that and said well

[00:07:22] clearly this isn't working we still have a problem here and we're now into like the 2010s you know closer to modern day. The government also said you know we reserve the right to

[00:07:31] come by and inspect and prove and if you don't actually if you didn't do what you said you did then we can go after you for criminal proceedings and a whole bunch of other fines and sanctions and

[00:07:39] stuff. But they really started talking about how we needed to have something better. Well we didn't want to throw the baby out with the bathwater so we kept 800-171 which is slowly getting revised for revision three which we're not quite there yet but you know we're working on it.

[00:07:54] But around that time they said well we've got a foundation here what else can we do and their solution they seem to arrive at was let's get third party assessors to come in here

[00:08:03] and sign off on all this stuff. So that way we don't have the people self reporting their own thing and hopefully things will get better. That's kind of led to where we are now.

[00:08:15] CMMC has been proposed. The rules are out there the kind of data that they care about or the different levels are out there. The assessment methodology is coming along and the whole process is being built up and it's expected that in 2025-ish or so we

[00:08:27] should start seeing that first language appearing in contracts saying that you must have been assessed by now. But that's kind of the roadmap to get there. Yeah and so like who is CMMC for what business

[00:08:44] is that for? So you kind of gave a little bit example of when you were saying unclassified information but yet they still don't want people getting to it. I could think of a lot

[00:08:55] of information that's like that. So what exactly do you mean by that? So as it stands right now the main place where CMMC comes in is from the federal acquisition register contracts and the defense

[00:09:08] contracts your FAR and DFAR clauses respectively. And that really just says if it's in the contract you have to implement. Now when we look at CMMC there's that whole category and control and they're saying to label your controlled unclassified info. Okay that what does that mean though?

[00:09:26] That usually points you over to the National Archives that says here's all your categories of your controlled unclassified info. Have fun. Yeah now we're not going to get into the feelings around the National Archives and how easy they make it to figure out what is

[00:09:38] CUI and what isn't CUI and all that other stuff because you know I've got my own thoughts around that one that we can probably again be here all day if we get on that tangent. We might need to do a separate episode for that is what you're saying.

[00:09:53] We can sum that episode up really easily. That episode is just hey Adam how do you feel about NARA and their CUI rules? But anyway so to your question there well CMMC comes up the most when

[00:10:07] referring to defense information. Information related to you know building planes and guns and bullets and ships and bombs and stuff. Those archive categories will get into things like nuclear technology, agriculture, national parks information. Anything that could be considered

[00:10:25] sensitive to the United States as a whole and need to be controlled appropriately but not classified. Okay. A great example of that that I think came out in those 9-11 reports was we had known that some of the individuals responsible for 9-11 were on the radar of the

[00:10:44] government. That information wasn't freely shared across all government agencies so the government said we could have done this better. So that was sensitive because you know you don't want that information getting out there saying hey Mr. Bad Guy the government's

[00:10:57] watching everything you're doing but the government agencies need to know about it. That's a good example or if hypothetically speaking if a national park had a huge oil reserve that the United States could tap into in the event of a major global conflict you know the government

[00:11:19] would want to be aware of that and keep that kind of secretive but wouldn't necessarily want to make that public. Elected officials health records you know there's conversation right now as of recording about the mental state of the candidates coming into the election for this year. I had

[00:11:39] imagined it again and I don't know how secretive all that stuff really comes out to me because I've never really dug that far into it but you know if a presidential candidate's coming up that may have a terminal illness that may be sensitive information that a foreign

[00:11:50] adversary would want to exploit but needs to be you know it needs to be kept secret or you know handled appropriately so yeah you kind of see where that starts to come into play

[00:11:59] but those categories are pretty vast and can move around a lot because again this all comes back to national defense and keeping you know that information secret. Yeah yeah because like what you said it's not just the big companies it's not the companies that you would expect

[00:12:16] there's the companies that make the little parts that go into that big company right so so even those smaller businesses are having to apply this framework is that correct? Yes because

[00:12:29] there are those those rules in there saying if you're bound by CMMC and you hire someone to help you out with it you've got to impose those requirements on those organizations if they

[00:12:39] deal with the kind of data that you're working with. Wow so all of a sudden that has just multiplied dramatically the amount of people that have to follow this. Right the silliest of examples but it's still very relevant yeah I think you're you know typical 100 person 150 person

[00:12:56] factory and office space you know they've got your your standard engineers that work on parts your manufacturers of those your office staff that deal with it but those people probably don't have a cleaning staff or a cleaning person on staff right? Right so they're going to outsource

[00:13:12] that to a cleaning uh to a service to a company if that company were to potentially have access to that data and that controlled unclassified info they're now bleeding into that CMMC scope a little

[00:13:26] bit so that business has to make some decisions on how they handle it. Wow they can you know for instance as one example say hey we need a contractor service that can come in and do all

[00:13:37] this stuff and these people need to be properly screened they're going to be trusted with access they need to be able to follow these security protocols and procedures or they can simply

[00:13:47] say they're allowed to clean the office space but not the shop floor you know wherever that data lives yeah but again it's still imposing those requirements out there um yeah I think a great

[00:13:58] example I've seen and this is just reading on reddit in those silly little like you know people screwed up their lives in this crazy way with articles. The government will contract

[00:14:07] that out too um because you know if you can hire in a company to come in and do the work then you can save some money then we're having an on time or a full-time staff member. Yeah right and those

[00:14:17] cleaning services that come in to clean up you know army bases or naval facilities or whatever they're going to have people that could potentially have access to those secrets and they need to be screened or overly handled or overly so they're going to require

[00:14:28] those clauses in those contracts as well for something as innocuous as someone just you know cleaning toilets sweeping the floor and you know dusting off shelves. Weird to think about

[00:14:38] isn't it? Oh sorry I said interesting. Yeah I was just saying weird isn't it? Yeah it's super weird. Well and like going into going into this same subject this is when MSPs are getting roped

[00:14:55] right because their their main goal I mean one of these most of them is to keep their clients secure and so like if they have a client like this their job just got dramatically harder

[00:15:13] right because now they have to follow all of these all of these frameworks in on these requirements. Yeah and when you look at the role that MSPs play in this because again there are those small medium businesses out there they do need help in MSPs

[00:15:27] they can't do it do it alone but now when we look at things like adding users to systems and removing users from systems that's not your on the ground point of contact those client environments usually those people are business leaders decision makers they're not technical

[00:15:41] in the slightest right. Right so when we deal with those you know that's our staff doing that that's you know our technicians our project implementators your implementers etc. So we've got to know how to follow those procedures and protocols and whatnot as well

[00:15:58] to be able to support them because if we don't we could be leaving the door wide open. Right yeah exactly. Not to mention we see time and time again as as we speak my phone is

[00:16:09] absolutely exploding with a big you know industry group chat because one of the tools that MSPs love to use has a major vulnerability in it right now is low probability for exploitation

[00:16:18] it's a tool that almost every MSP that I can think of has heard of or uses themselves and we just got our first indicators of compromise today. There's over 7000 potentially exposed instances of the software out there.

[00:16:34] Wow those 7000 instances could have anywhere between five companies that people can access to hundreds of companies that they could access you know knowing that it's a software that we use

[00:16:46] internally for us to support our clients which I did double check we are not exposed to it we're set but it's one of those from a from a target perspective if I were a bad guy

[00:16:57] knowing that MSPs exist we have access to a whole bunch of businesses that have access to a whole bunch of data money etc. That tool is the first thing I'm going to look for to see

[00:17:05] if I can get access to if I can get access to that tool I've got so much ability to cause harm do damage etc. If I'm a nation state entity you know China Russia Iran etc that means if I compromise

[00:17:19] this one tool I can now compromise everything downstream and if that is say a doctor's office I don't care it's personal health data it's not my my objective most instances I might ransomware

[00:17:30] it get some money move on about my day but I come around and see you know defense contractor ABC that makes lug nuts for you know a battleship because battleships have lug nuts now why not

[00:17:43] you could have fooled me right but you know they find that and they go in they do they have their objectives you know when we look at the kill chain of a cyber incident there's always that

[00:17:52] acts on objectives portion of it so if I find my defense contractor and I'm a nation state I probably want the data that they have right figure out how valuable it is later unless again I'm really after a specific objective but I get something that's potentially useful file it away

[00:18:08] who knows where it ends up and what what the other people can do with it but yeah and you know I also wanted to talk in this podcast about something that we discuss as

[00:18:19] a company a lot but I think it's very beneficial to speak about in this episode today which is the difference between security and compliance because there is a difference sometimes a company is doing one and not the other right so talk a little bit Adam about the differences between

[00:18:41] those and the connection between what CMMC is looking for between those two yeah so security you know actually let me refer let me start that over so compliance is kind of like the rules

[00:18:54] of the game it sets forth those the sets of requirements that a company must adhere to those compliance options objectives may be something of you know have this kind of encryption out there have this you know response time for instance or sponsor something but the other

[00:19:10] thing that we tend to get with compliance is if there's a problem you must respond in X amount of time you know when we look at our client base and everything when you know we're going

[00:19:19] through the sales process they may be asking us in our team well if we have a server outage how fast will you guys respond to us how fast can we get back up and running can you put that in the contract

[00:19:29] can you write that on paper that's technically a compliance requirement you know for us to be in compliance with their objectives and what they want out of that contract we have to have

[00:19:38] you know X response time now they may nice they may say we don't care about security as much we just want that response time so by that metric as long as we respond in an hour for that

[00:19:50] response thing we don't have to have instant response we don't have to have antivirus because they didn't speculate stipulate it in the contract we just have to be ready within that hour right and that's kind of where you start to have that difference between compliance and security

[00:20:02] because security looks at what I just said and says what the heck are you talking about that no stop it if there's any practitioners listening they're probably like looking listening

[00:20:11] to what I just said and are going are you crazy man um but that's where that kind of comes in in that object those those differences kick in because good security focuses on confidentiality

[00:20:21] of the data so the people who are supposed to have access to it can access it that data needs to be available so those people need to access it in a reasonable amount of time when

[00:20:29] they need it and that data has to be you know it has to have integrity it has to be trustworthy so we've got those three objectives to balance I'll joke all the time saying if you want

[00:20:39] me to make the most secure system I possibly can I'll do that I will remove every keyboard every mouse take your take your staff and say you're not allowed to touch any of this disconnect from the

[00:20:48] internet that data will be secure but it won't be available it'll be trustworthy because nothing can mess with it but again it won't be available we'll have no employees right yeah okay so so this

[00:21:03] is you know this is making sense like I'm piecing the puzzle pieces together as we're discussing this today um but let's go to this one question that I'm sure many people who are

[00:21:16] listening to this that are learning a lot of this stuff for the first time like me today are wondering like how does this apply to me in my business right so let's say that um you know

[00:21:31] I'm a small business um that has some sort of hand in government work you know in some way like what do they do with this information how do they get started is it is there a company that they go

[00:21:47] to are there resources that they that they can go to to get started on this journey should they even start the journey right now you know what I mean like yeah how what would you say to them

[00:21:59] so um I think the first thing that a company has to decide is do they want to get into CMMC or not CMMC is is definitely a force for change in an organization it's not something that's easy to do

[00:22:11] and it's something that's expensive you know even hearing the figures from our industry and what we're looking at we're looking at three to six times increases in cost for basic services

[00:22:23] you know the amount of changes that you know Bobby and I have been working on you know behind the scenes on our end to try to get us ready for our own stuff is pretty staggering when we think about

[00:22:30] it yeah um and let's not even get into the amount of time you know Bobby also made messages that you know eight o'clock at night saying hey brother I was looking at this thing over here and I'm you

[00:22:39] know and it'll be one in the morning and I'll have random thoughts and I'll be like I'm gonna message Bobby about that in the morning because I know he's trying to sleep right now

[00:22:46] but um either way it's a huge investment of money huge investment of time and it's a big change now the one caveat to that whole statement I'll say is if a business does have contracts with

[00:22:59] the government already especially defense suppliers read those contracts to see if they've already agreed to do it um that is something that I've seen businesses do time and time again where they sign these contracts with the DoD and then down the road they say oh by the way

[00:23:17] IT support you know MSP can you help us with the CMMC thing um we've got an audit due in a week can you just knock this out real quick and I'm over here like screaming pulling my hair out and

[00:23:28] just you know that's why I keep it so long and everything I've got more to pull out when that stuff happens yeah you have tons to work with it'll be fine so but yeah again read those contracts

[00:23:39] because those contracts may have different sets of requirements it could be CMMC if you're a medical provider it could be HIPAA if you're in financial services it could be you know your SOC type

[00:23:49] 1 type 2 that's being required of you or you know requirements under GBLA those contracts have a lot of important stuff in there that need to be you know managed appropriately yeah but so okay so

[00:24:00] let's say that the government that the business says you hope we don't have any existing contracts already so we're not already under the gun but we want to go down this road we see it as a competitive advantage because let's think about the idea a little bit more

[00:24:12] the United States spends more on defense spending than the next several countries combined this is the sheer amount of money that pours into the military in that you know the subcontracts is

[00:24:24] huge more money spent a minute than you and I will see in our lifetimes yeah so there's money in in that those those contracts and that can be a huge boost to business now of course the

[00:24:38] decisions have to be made whether it's you know beneficial the cost benefit works out or not but so so you see it as a competitive advantage you want to do it so now you decided that you're

[00:24:48] going to do it I just repeated myself a bit there maybe we can cut that out I can so okay you decided that you want to do it you've allocated some money you're starting to put together your your dream team what do you do

[00:25:03] if you're in you know in Bobby's shoes you send me a you know send me a message saying hey brother let's have a conversation and then a couple months later you know the rest is history

[00:25:12] but if you're not an IT company and you don't have the resources to hire a me you hire a company like us which there's a whole set of requirements and things that you know you want to dig through and look over

[00:25:26] and it really suggests a lot of you know if you're a company looking for an MSP to help out with this to to look into those requirements and the things that you want to look into I believe

[00:25:34] Kaleigh you and I just wrote a blog about that not too long ago we did yeah shameless self-plug here I love it I'm here for it it's super important for a business to select the right partner for this

[00:25:45] because when we think about it you know like I was saying earlier MSPs play a part in this as well there's those flowdown requirements and at the end of the day when it comes time for

[00:25:53] assessments you know we've got to make sure those controls are properly implemented and we may be you know part of that assessment ourselves if you have a an MSP that's not doesn't quite understand the requirements they may be giving you bad advice

[00:26:08] which may cause you to waste time money resources or worse fail an assessment if you have those contracts a bad MSP could be the result of you losing those contracts or it could result in you losing those contracts I should say so again you want to take your

[00:26:22] time and do your homework on selecting those partnerships just because an MSP can show up and say we know all the CMMC things do they really you know ask those questions ask things about you know where's your shared responsibility matrix have you done your own internal assessment you

[00:26:37] know how do you handle these situations and then gauge the answers appropriately you know there are certainly MSPs that are a little bit further along in our journey that are you know closer to success on that one and able to come back with an authoritative here's everything

[00:26:52] you need and more because it's been our bread and butter there are other MSPs that are well on their journey that have great answers for stuff they may not be 100% of the way there yet but they're

[00:27:03] working very hard to get to that point I think it's a fair assessment to say that we're in that boat ourselves and then unfortunately there are MSPs out there that are simply saying yep we'll promise you absolute compliance the lowest price possible and everything will be

[00:27:16] great um but you know what they say about gas station sushi right you know you don't go for that you know it might be cheap but you probably shouldn't go for it so you know and again I want

[00:27:27] to say that there's the majority of MSPs out there are doing their best they're going to give this a you know a good valiant effort but they're also you know those those ones out there that

[00:27:35] are not going to do very well and uh you know they'll find out how that works out the form I'm sure but then there's one other category of MSP out there there's the MSP that looks at CMMC

[00:27:46] and says nope nope this one's not for me yeah and that's and plenty of SMBs out there are doing that as well um because again it's expensive it takes a lot of time and it will change how companies do business

[00:28:00] and there's that is it worth it question to ask so if it is worth it great full steam ahead do the things secure everything get compliant um you know and have fun with it and rake in those government

[00:28:10] contracts but if it's not worth it don't try to bend bend the rules in your favor and get cute with it and everything like that because it's not going to work out the way you think

[00:28:19] you know every time just from our own experiences here internally bobby and i have gone through months ago with the here's how we think everything will work and then that updated proposed rule

[00:28:27] came out and flipped half the work i was doing on its head and said start over right um and this is again why this is all starting to turn gray now so but uh it's super important to ask those

[00:28:41] questions do the homework and find the right partnership that right partnership will then be able to help guide the company through that journey you know we've got our partners that we work with

[00:28:50] as well to help provide us with that consulting advice that we need you know Bobby and I you know Bobby's brilliant he can come put some stuff I'm uh questionable on a good day I'll let

[00:29:01] other people make jokes and get the plug you're not giving yourself enough credit here come on I just love my good self deprecating humor from time to time but um

[00:29:12] but you know we'll come up with some great stuff we know a lot of things but there's always that are we on the right track just because we read some things here we found these bits

[00:29:20] in the documents etc and we think we can twist something to our favor on this way are we missing something are we doing it right and having those resources in our

[00:29:28] back pocket to call up and say you know hey buddy I want to do this thing over here am I going to be shooting myself in the foot in the process in some instances I'll say

[00:29:36] yep nope that sounds great other times I'll say buddy you're not shooting yourself in the foot you're shooting yourself in the foot with a rocket launcher yeah um right when we think about a lot of businesses they don't have the luxury of starting from scratch and building something

[00:29:47] up from scratch some do some may be able to do little micro segments of their business and be able to do all that stuff but you know especially where I'm from out of the Cleveland

[00:29:57] area there are machine shops and businesses that have been in business for generations you know there you go on their website when you're doing your prospecting you see that you know celebrating 90 years of business and there's a family photo of you know grandpa son and then

[00:30:10] the grandson who's going to be taking over the business and it's really cool to see that but they're not going to change how they've done business because it's clearly worked for them for three generations and MSP showing up they're saying hey we want you to change everything

[00:30:23] about how you do business they're going to make a change all right they're going to make a change in MSPs right um so we've got to think about how those things can be architected and

[00:30:33] done appropriately you know taking a look at how things have been done where things do need to change how to make those cost effective reasonable changes and you know give the business leaders the information they need to make informed decisions because at the end of the day MSPs

[00:30:51] we cannot do everything when it comes to technology and security for a client you know we can't make those decisions we can't sign our own checks they need to make informed intelligent decisions about the future of their business how technology is going to impact that and how

[00:31:05] security and compliance will be part of that process as well right and we're all about it transparency and communication um and giving the other person in this conversation an opportunity to make an informed decision because of everything that you have

[00:31:26] given them as far as the transparency and communication on your side so I totally agree I mean if I was the business on the other side trying to figure all of this stuff out this entire journey and if

[00:31:37] I want to go on it or not and if I want to use an MSP or not I definitely want to know what I need to know to make that informed decision you know right and that's

[00:31:47] really where it's key there so you know because it goes back to that original question does the business want to participate in the CMMC ecosystem or not right um because right now unless a business

[00:31:59] has those existing contracts they can choose that they don't want government contracts and they can go about their merry way um now that doesn't say anything for other different kinds of business

[00:32:07] where they may have regulatory requirements as well you know how doctors have HIPAA to deal with or you know banking has its own sets of regulations but at the end of the day you know a lot of the

[00:32:18] companies right now still have that decision point to make and as MSPs and security and you know compliance specialists we need to be able to offer enough information so those businesses can make

[00:32:26] that call oh yeah absolutely well thank you Adam for um talking about this subject with me I feel like coming out of this episode I've known like I haven't really known that much about CMMC

[00:32:39] even now I definitely feel a lot more educated and I hope that many people who are listening to this podcast episode that might not have known much about it um can make maybe a little bit more of

[00:32:51] an informative educational decision um when deciding if they want to go and even start this journey of CMMC so thank you again for um being a part of this episode and thank you guys

[00:33:05] for listening or watching um and please make sure to um subscribe or like our um content so that you can be notified anytime we upload more stuff but until next episode keep on climbing make sure

[00:33:20] to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news we hope you guys enjoyed today's episode and listen out for the next one but until then keep on climbing