What is "The Game of Chicken" in CMMC? (feat. Lawrence Cruciana)
Climbing Mount CMMC | May 21, 2026
6
00:46:46 | 32.16 MB

In this episode of Climbing Mount CMMC, Kaleigh and Bobby dive into a deep discussion on the complexities and challenges of achieving CMMC Level 2 certification for MSPs and OSCs with Lawrence Cruciana. They share insights on shared responsibility, operational maturity, and "the game of chicken" played between organizations in the cybersecurity compliance landscape.

Lawrence's LinkedIn:  Lawrence Cruciana | LinkedIn

Corporate Information Technologies Website: Corporate Information Technologies - CorpInfoTech

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Boxing up by 6. Good job. What is it doing? Look at that. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaleigh Floyd and this is Bobby Guerra and we are your hosts for Climbing Mount CMMC.

[00:00:29] Today we are joined by the one, the only, Mr. Lawrence. And sir, thank you so much for joining us today. We are thrilled to have a competitor next to us. It is fantastic to be part of it. I could finally be on the podcast rather than just watch the podcast. Well, I'm a huge fan of you, man. Yes. Mad respect for what you guys are doing in the industry, even though you're an evil empire trying to take over the CMMC.

[00:00:59] I'm just kidding. No, we're really good friends for those that may not know, although we are technically competitors. Like, I mean, the ecosystem needs, I don't know, several thousand MSPs to step into this space, wouldn't you say? I mean, they are desperately... The last time I looked at the target addressable market, it was around 109,000 businesses that were in the ecosystem. And if we can look at about 85% of those use an MSP of some form. So I think there's plenty of work to go around.

[00:01:30] That doesn't even account for the subs that are going to be dropping down from them. So multiple, take that by 2, 3, 4, 5X. No one knows for sure what that number is going to be exactly. So, I mean, we've been working for years in the market. I don't think we've ever run into you in a bid situation. Maybe you want... I can't remember. Have we ever run into them? I don't think so. Yeah. So it's just, that's how large the ecosystem is. And there's just not many MSPs are doing it. So I ran into you in a conference. I'm like, dude, this is hard, isn't it?

[00:01:59] And you're like, yes, it is. And then we just kind of bonded over the commiseration of how difficult CMMC is. Yeah. Well, so Lawrence, do you want to go ahead and just set the stage and share with the people that are listening who you are, what your company does? I know we share a little bit that we're competitors, but if you want to go ahead and share what you guys do. Yeah, I would love to. Again, thanks for having me on the podcast. It's fantastic to be here.

[00:02:23] And I think the fact that we are here together does just kind of demonstrate the fact that the ecosystem is big and it's a big tent. There's a lot of room for a lot of us and there's a lot of subspecialties. So with that said, again, my name is Lawrence Cruciana. I am a lead CCA. I'm the president and founder of Corporate Information Technologies, CorpInfoTech. We are almost 30 years in business now. We have always worked inside of regulated industries from financial services, defense and energy.

[00:02:53] I'm working mostly with regulated upper end of small and mid-market organizations that are in high consequence environments. So CMMC was a natural, kind of a natural fit for us. I'd like to say that the genesis of the business, like our story arc and all of the things that we went through getting to where we were, that CMMC has been kind of a natural conclusion. We, very similar to Axiom, were one of the first to go through CMMC level two certification.

[00:03:21] I'd like to say that we had first mover disadvantage. And so here we are. We just went through, just celebrated our first year in January. So first year in certification. So yeah, we're kind of right on the side. Both of us are very early into this game. We were both, we both got our level twos in January. I think we were kind of being kind of comparing like, when's your schedule? It was like in a couple of days. It's like, who's going to beat the raid boss first, you know?

[00:03:50] And I think technically, I think we did. It just, I mean, nobody's keeping score, but if we would, it would have been us. Just saying. And now he's going to leave, just like that. I'm going to go on the episode. I want to say, I wasn't even keeping score. You know, the fact that we got to the other side of it and successfully, and it didn't completely tear the business apart, I was thoroughly happy for. Oh yeah. I've said it numerous times. I'm not afraid to say it.

[00:04:17] I like literally cried after we finished off it because it was just so stressful. And just like, I mean, because it was, I mean, we've been, we changed our whole business direction over the course of two years. This was the culmination of like so much dedication and hard work to get our level two. And what was really interesting is the moment after we passed, like that night, we were like, okay, we got to take this and replicate it to our clients. Right. And, you know, that's next. It's like, yeah, we kind of high five and then it's like, get back to the war. You know, I mean, like, you know, we just won a battle, but we did not win the war.

[00:04:47] Let's get these clients through it next. And that was the, let's get back to it. You know, it was really interesting. Oh, it's, and, and, you know, I, I think the, the point I'll, I'll, I'll foot stomp on that is, is, uh, we, we had the same thing where like, it was, it was almost anticlimactic, right? Like, like it was, we got, we got the last met and, uh, and then it's like, okay. And, you know, next day had the certification, right? Had, had the, had the result. And, and we had the exact same, the exact same takeaway.

[00:05:15] Like we're going to have to do the same thing. Like 10,000 times. Wow. Sobering. It is, it is sobering. It is, it is sobering. And so, you know, with that, with hearing that, if you guys are MSPs that are listening to this instead, now that you've heard the fear of that, let's talk about what we're talking about. No, I'm just kidding. So not to scare you, but now let's talk about that today. No, what we, we do truly want to talk about what we're calling the game of chicken.

[00:05:42] And it would be wrong of me, I feel like not to plug something that we're going to do in the future as well here at the beginning of this episode, which is we're going to be at Pax8 Beyond soon in June. Yeah. All of us. All of us. All of us. You too, Lawrence. Yes. That's right. With Andy from Sentinel Blue, right? And so. Another competitor. Another competitor. Yeah. And I don't know why we keep doing that. No, I'm just kidding.

[00:06:07] So what we're going to be talking about there is actually, and I'll tag what we're going to title it, which is You Can't Be Half Pregnant in CMMC. So I'm sure that is an intriguing title to some of you, but we are going to be talking about it from the MSP perspective there. So if you are an MSP listening to that, you're going to be coming. Please join us there. We'd love to see you. We'd love to connect.

[00:06:32] Today, we're going to be talking about it kind of from a different perspective as the OSC and somebody that has an external service provider that is, you know, an MSP of some kind. And the game of chicken of deciding between you, let's say you have a current MSP that you're working with right now that is not CMMC level two certified, maybe is not aware of the CMMC space, but is willing to work with you.

[00:06:59] Or maybe you haven't talked to them about it yet, which if you haven't, please talk to them now about it. And or the other option, which is to go with somebody new, which we want to, you know, share. We know that that's scary. That's it's scary to switch service providers that you're maybe especially if you've had them for like 20 years, you know, many years. Yeah.

[00:07:19] And so your perspective, I guess, just to clarify, is that the chicken that's being played is the person that has to get certified which path they're going to pick and whether they want to make that decision like definitively. Yeah. And a lot of times I find that OSCs go, I don't like this decision, so I'm just not going to make it right now. Yeah. I was going to say the same thing. That's exactly what I've seen. Because it is like, I mean, I want to kind of chime in there because like. Yes. It is. It's a scary decision.

[00:07:46] And many MSPs, I mean, I know personally many friends that are in the MSP business that they do have those multi-decade relationships with their clients. I mean, their kids literally grew up together. Right. That's a big change. Mm-hmm. And so, you know, also to say just because an MSP doesn't know everything about CMMC doesn't make them a bad MSP, you know. Right.

[00:08:16] We can say now on this call, even with talking, you know, previously at the beginning of this call, we talked about how difficult it was for both of you guys to go through this, how scary it was. So, you know, we acknowledge that choosing this as an MSP to move forward and push clients through this process is very difficult for an MSP to do. So in no way are we saying that if an MSP doesn't know all this there is to know about CMMC and has a whole process that they're a bad MSP.

[00:08:44] Oh, and there are multiple MSPs I look up to that don't do CMMC that I've learned lessons from that I have deep, passionate respect for the type of people they are, how they run their business. I'm in a peer group. I know that you are in multiple peer groups, Lawrence. And, you know, when I go to tell some of my fellow brother in the MSP industry, like, what we do, we'll go to conferences sometimes and sit at tables and talk with people. And they'll look at us and go, you guys are crazy.

[00:09:06] Like, why would you put yourself and your team through this when you can be very profitable just running a traditional MSP where you don't have almost like cross-examination attorney, like, coming at you, assessor, that's going to be like, you fail. You know, and you're doing it right in front of the client. Like, the client gets to see you either be their greatest hero or their, you know, boat anchor that they absolutely hate at that moment and want to murder because maybe you might have been responsible for them getting a not met in their assessment.

[00:09:35] So it's a really big deal, but it doesn't make us better. It just makes us different. Different. You know? But what I do, I would say that the CMMC system requires a high operational maturity in order for you to pull it off because of the complexity of the details that have to be required because almost doesn't get it. And there's so many traditional MSPs that almost is good enough for the relationship with the client. But for CMMC, that doesn't cut it.

[00:10:05] You literally have to be, I mean, you have to get a perfect score. What test have you ever taken that's like the only way you pass is to get 100%? And it's not an inexpensive test to take. Or fail. Right. And not just the dollars. I mean, everyone gets caught up in the dollars, but it is so operationally burdensome. Right. It is disruptive to everyone.

[00:10:32] And, you know, I've heard this, the CMMC space be referred to with analogies to like HIPAA. Right. And the process with the BAA and all of this. And now it's different. Right. I mean, this is not just sign a BAA and do a few things. The level of nuance, the level of detail, the continuous compliance. And frankly, I mean, I don't know about you, Bobby, but I can say experience in the MSP space.

[00:11:03] CMMC is the exact opposite of what makes a really good, highly efficient, operationally mature MSP good at what they do. Right. CMMC is like, let's just take that and flip it on its head. Yeah. Point you back to the Stone Age. Because, I mean, you know, I grew up in the traditional MSP space. You were more coming from cleared facilities that you were servicing. You know, so you were really more into the nitty gritty early on before us, you know.

[00:11:33] And so we cut our teeth for 15 years, you know, doing traditional MSP space. And that's what we knew. And you would just walk the hall every year and look for the best vendors that you would think would help you solve your AV problems or whatever. And then you would just swap them. And it was cool. It was easy. Yeah. It was easy. You know, and if you try to do that with CMMC, there's no way you could pull that off. The documentation is different. You have to go through change control processes. I mean, so when we go through the vendor halls, people are like, hey, use our product.

[00:12:03] I'm like, dude, don't even talk to me. Like, there's only two vendors I'm possibly thinking about, right? Like, you've got to plan that junk out because you cannot just swap stuff on a dime because your policies and procedures lock you in to so much. Unless you've written all of them at such a high level that it just talks about everything generically. And if you did that, I don't know how well your assessment is going to go because everything is going to be show me. Because nothing speaks to any relevancy about how you operate.

[00:12:31] And assessors hate that to some extent as well. So it's a weird challenge. And the main thing that we want to talk about, too, with the game of chicken is making sure that the people that are listening understand that comparing a CMMC level two certified MSP, or more specifically what I want to say is an MSP that is choosing to run on CMMC as their main, like, you know, product, I guess, that they're driving.

[00:12:58] So, you know, they do MSP support, but they are CMMC. That is their foundation versus somebody who is an MSP that you work with right now and can help you with CMMC, you know, because they are already your MSP. Okay. So comparing those two things is like comparing apples and potatoes. And we're going to talk about why we say that.

[00:13:22] And again, like I said in the, like before, there's no negatives towards the MSP, you know, that you have right now because it's not the same thing. You know, I want to say that I love apples and I love potatoes, you know, very much. So you can love both. So let's talk about, I just didn't want to get hate mail. You know, I just wanted to clear that up. Okay.

[00:13:45] So let's talk about the first thing that honestly Lawrence was really touching on and I think cannot be stressed enough is time. So going down each one of these routes is going to take time. But I think you touched on something, Lawrence, which is very important, is the maturity that you had to go through or the learning of that maturity as an organization for CMMC. It took you time and effort. Sure.

[00:14:11] So let's talk about when you choose an MSP that hasn't gone through that yet. They're going to have to go through that as well as helping you, right? So there's going to be something happening in tandem where that MSP is learning about CMMC and how it affects them as your MSP, as well as trying to prepare you for CMMC yourself as an organization. Well, and I would add even another dimension to that.

[00:14:38] And I've spoken for many years on the concept of shared responsibility. And before it was something that was cool, before anyone was talking about it, before we were talking about supply chain risks, this was – it was a thing. And as an MSP, I saw it, and I saw it kind of in a unique view. And I think the MSP community is starting to see that same unique view now.

[00:15:07] And I give the background not to be braggadocious, but merely to say I've spent almost a decade considering this and experiencing this and trying to raise awareness of this supply chain risk concept and the resulting concept of shared responsibility.

[00:15:29] Very often what I see, and Bobby, to the point you made earlier, I tune in many peer groups and will speak about their concepts of shared responsibility. And even the most cornerstone document of having a shared responsibility matrix or a customer responsibility matrix, bring that up to most MSPs and they say, yeah, yeah, we have something.

[00:15:53] Or you ask the question of, well, do you align your services to a defined security framework or service delivery framework like ITIL? And many MSPs, even very high-functioning ones, will say, yeah, we do – like, we have a thing.

[00:16:08] But going to, can't look to the point, they haven't taken the time and they haven't had an operational imperative to really ground that – like, ground their practices into an absolute rigid alignment inside of a shared responsibility model, inside of that matrix that is aligned to some kind of standard, to some framework that is unflinching, that is outside of their control. They haven't had to do that.

[00:17:05] And that's a very fundamental, to the point, that is a very fundamental, to the outcome.

[00:17:36] framework to deliver a purpose and we're not going to change it. Find our practices and our people and all of our written procedures and our written documentation to the same framework and we're good to go. So that then when they bring that to the customer, well, all of that is already built. Otherwise, I mean, they have to build that and that's going to take time and confusion and effort. Yeah. So I think maybe I don't want to put words in your mouth, Lawrence, but so I guess

[00:18:05] sort of kind of what you're saying is the game of chicken here for the OSC's perspective is that they're not requiring the MSP that they're going to try to potentially just work with to build a responsibility that is clearly defined to the objective level. And what that means is in the 171 alpha document from NIST, it has 320 assessment objectives

[00:18:33] and your matrix that says Lawrence during the onboarding process is going to do during the authorization of 311, Lawrence's responsibility will be shared and the shared process will be after they've done their preamble things of background checks and training the people because Lawrence can't do that. But Lawrence is now going to go through and add them into the tenant and do these types of functions and activities. Right.

[00:18:57] So that shared responsibility needs to be defined at the assessment level so that the assessor goes to look and they go, OK, I'm going to talk to OSC first and then I'm going to talk to Lawrence next. And Lawrence is on the hook for this part. We I mean, we were going through like literally I had an assessment this morning that ended. It went really well. And we finished early. So I was able to make the podcast. I didn't think I was going to. So I was super happy.

[00:19:25] But part of the reason that it did that is because we had everything broken down to the assessment objective level. And so the assessors were able to get everything they needed so much quicker. We even had the documentation and the procedures and policies that are relevant to each assessment objective broken out. So there because if you don't if you're if you've not gone through assessment, you don't realize the assessors have to fill in a field for every assessment objective and list the policies and the procedures. Right.

[00:19:50] So if you help them out by getting all of those ready for them, they can fill those in and they're like, oh, thank God, this made my job so much easier. And you think that's the kind of person that's going to give you grace when you need it. Hopefully so, because they're your assessor. Right. But so many times they play chicken with that and they just won't do it. And then they try to scramble the last minute to throw this thing together. Yeah. And it can't be thrown together at the last minute.

[00:20:18] They have to really think about it. And so as an OSC, I would agree with you, Lawrence, like you have to go ahead and make that a priority and get that done. Well, yeah. To be able to think, you have to have time. Right. And so it's actually literally impossible for your MSP when you come to them and say, I need you to help me get CMMC certified. And they're not a CMMC level two certified MSP themselves and haven't gone through themselves.

[00:20:48] They can't just magically just appear their customer responsibility matrix with the 320 assessment objectives on it. They have to now literally do it themselves. They have to sit down and do it. And it's going to take time. You cannot just say that that's not going to be there. It literally is like you cannot make that up. So so they're they're going to have to do that. And guess what? That customer responsibility matrix is awesome and great and you need it.

[00:21:16] But they are bringing it for you. That has nothing to do with your SSP. Well, I mean, it does have stuff to do with your SSP, but that is not creating your SSP, which is a whole nother thing you have to create. And they have to help you with that because they're going to be doing a lot of the controls or parts of the assessment objectives that are going to be inside of that SSP. So you're going to have to work together to do that. So not only do they have to do their side, which I'm quite curious about how the billing is going to be for that, but I couldn't speak to that.

[00:21:46] That's going to be the next topic. So there's that time that that is the buildup of those things, plus just getting you ready yourselves as the OSC. Now, if you choose somebody who is CMMC level two certified, guess what? You cannot blink and be at your assessment. They still have to do the work because you haven't done the work already. So the MSP that is CMMC level two certified, even if you chose Lawrence, even if you chose Bobby, they like our team has to do the work for you.

[00:22:16] You do not miraculously just get to be CMMC level two certified. So there is going to be time for both sides. But to acknowledge that is going to take longer with an MSP that has not already done it is very important to note. And I'm not saying it again to bash the MSP. It's honestly, it's a shame that it took OSCs this long to bring up this conversation to many of their MSPs to even start thinking, oh, my gosh, can I do this? You know, because I didn't know that I had to do this, you know?

[00:22:46] And so it's time. Either way. And, you know, one thing I want to go back to to kind of like really foot stomp something you said. And for those that are listening that may have not been through an assessment, and I think, Bobby, you kind of showed a light on this. Inside of at the end of the day, CMMC is all about compliance with 800-171 Rev. 2. So there's 320 discrete assessment objectives.

[00:23:14] And the best analogy I can make is that it's kind of like Connect Four. Remember that game Connect Four? Yeah. I loved that as a kid. I don't I don't know why, because like, I don't know, a little bit of like logic and tactile, but every single assessment objective has to be owned by someone. And and when we're talking about this concept of shared responsibility, if the MSP has some

[00:23:40] portion of responsibility, well, they're like one row in Connect Four. And if if the OSC has some portion, well, they're one row in Connect Four. And we have to line up everyone, every single assessment objective someone has to own and they have to agree that they own it. And so, Kaleigh, to the point you made, this is it's not like that an OSC can put together

[00:24:06] a a an SRM, a shared responsibility matrix, and give it to their MSP. Good point. Right. Right. I've heard that. I've heard that as well. And that's not something that the OSC can put together. And say, here, Mr. MSP, this is what I need you to agree to. The MSP has to put it together and give it to their OSC. And similarly, every tool, everything in their tech stack that they're that they're using

[00:24:35] to accomplish any of the assessment objectives that they say they're doing. Well, that vendor has to say that they agree that they're responsible for that to the MSP. And so now we have these other third party companies that the OSC may have never heard of. They don't know who they are. And they're they're present, at least by way of documentation, in the assessment.

[00:25:03] And if any of those assessment objectives and 320 of them, it's a fairly long list. If any of those are not owned by someone in that that ecosystem, it's automatically not met. And I think that is when we talk about this game of chicken and the time.

[00:25:22] I mean, you can you can look on on almost any social media and you will see MSPs asking the question, hey, and one of my clients came to me and they said, like, we need to get evidence for their CMMC level two certification. And I think that's a great disservice to the MSP, because now the customer is saying, like, oh, you're doing all this stuff for us. Right. So, like, give us evidence.

[00:25:46] And they have no idea what what they're being signed up for because they weren't the ones that gave the customer that shared responsibility model, that CRM in CMMC parlance. And so I think that's one of the one of the elements in the game of chicken here that you it's it's going to take time. Those things have to be agreed upon. And then we have this whole question of tool suitability.

[00:26:13] And I don't know about you, Bobby, but that I mean, like you mentioned the point that you go to a show and you have to put blinders on because these vendors, they they're the best thing since sliced bread. But they are entirely unsuitable for use inside of a CUI environment, much less if you have ITAR or export control data. Right. That's that's another gear that you have to worry about on top of this. So it's it's it's interesting.

[00:26:40] It is a time based and risk based game of chicken that I think a lot of people are are are playing and they don't know that even if they're playing the game. And if you look at the consequences of those actions, so if the MSP plays the game with the OSC because they're like, well, they seem OK with it. And maybe I don't know what to charge. We'll just have meetings with them periodically and we'll just bill them for us to kind of work with them on it. OK, that makes sense at a high level. Yeah.

[00:27:07] But when you realize like that's like saying, well, I was an amateur carpenter. You want your house, you know, a whole extension added on your house. So what I'm going to do is I'm just going to help work with you throughout the course of the next year or two to get your house ready. And you've never done inspections. You don't know how to pull things and file them down in the city hall. Like, you know, and you're just going to wing it and like no one would ever try to. Well, most sane people would never try that.

[00:27:37] But that's sort of what an MSP is doing when they want to just sort of hold hands and kind of just marry their way through. And it just because the OSC is OK with it doesn't mean you're not playing that game of chicken. You are because then what ends up happening is they they realize, oh, I need to be at the finish line by the end of this year, for example, let's just say, because I have a contract that says I have to have that. And can we speed this up?

[00:28:04] And you're like, I don't know, because I don't know what the finish line truly looks like. And you're screwed. Both of you are screwed. And either both either you're going to have to fully commit or eject as the MSP. And now the OSC has got to figure out who's going to be filling that space. And it becomes really great. That is so true.

[00:28:22] Yeah, that cannot be that cannot be understated because that if you choose to go forward with an MSP that might not know all that it entails when they discover all that it entails for their company as an MSP, they might give you the boot and not you giving them the boot. And how long is it going to take for that boot to to occur?

[00:28:45] And do you lose six months to just start over and end up having to find an MSP that is CMMC level two certified or has that CMMC process already? And you just wasted that time, unfortunately. We've had some MSPs that have realized this game of chicken and they're like, I don't think that's fair to our client. We're going to go ahead and try to pass them off to some to someone that can do it. And a hats off to people that really care enough to do that. And I think that's great.

[00:29:14] But there are some MSPs that are like, hey, they're OK with me billing them and me taking their money. And it's not really my fault if they don't realize about their contracts. And we're just going to go ahead and ride this thing out and keep that client as long as we can to keep that monthly reoccurring revenue. Knowing that this is going to come to a head, this game of chicken is going to there's going to be winners and losers. The losers are the people that don't make that decision until that last minute.

[00:29:39] And you cannot get someone ready if you don't know what you're doing and you can't just sort of work your way through it. I mean, it takes serious commitment. So you've got to really know that you're playing that game. I think the only way you can win a game typically is if you know you're in it. And so like realize you're in one right now. You still don't even always win one when you're in a game and you know you're in it. So you're definitely not going to win it if you're not in it.

[00:30:06] And, you know, I think, you know, and Bobby, I've had the same conversation with MSPs on both sides of it, right? Where some are like, yeah, we got into this and there's a whole new world of TLAs and new letter, three letter acronyms. And we don't know any of them and they look scary. And so we're going to, like, that's not our business. It's not fair to the client. We're out.

[00:30:30] But equally, I've seen the exact opposite where they have the same approach of, no, we're going to, like, keep riding this. And they view it as almost this limitless bucket of professional services hours and that they're going to figure it out. They have really smart people and they've always been able to figure this stuff out. But there's, like, I like to say that your E&O insurance can't indemnify you against, like, committing a federal crime.

[00:30:58] And at the end of the day, that's one of the risks. You mentioned, like, the risks of this and the winners and losers. And ultimately for the OSC and for the MSP, but ultimately the OSC, because they signed their name on the dotted line with these contracts. There are real consequences or real potential consequences for this. And I was recently addressing a group of MSPs and they were, it was under the auspices of, hey, we want to pursue CMMC.

[00:31:24] So it was a group of MSPs that had self-selected saying, we want to pursue this thing. Tell us how we can do it. And I asked one question and I said, who has read DFARS 252.204-7012? And, like, three hands went up. And I said, who's heard of the DFARS clauses? And, like, the same three hands kind of sheepishly went up.

[00:31:52] And I share that here to say, like, that's the code of federal regulations that ties the OSC. Those are the contract terms that you may not even know that are applicable to you or you're playing in. And there are real consequences in that.

[00:32:09] And if, as an MSP, if they don't know the parlance, they don't understand the risk, if they don't know that ignorance is an admittable defense strategy here, then that's disadvantageous for both the MSP and surely the OSC.

[00:32:32] And, again, I think that's another dimension to this game of chicken that, you know, there's real risk for everyone involved here. I know I have a great respect for the Department of Justice and the work that they do, especially through the Civil Cyber-Fraud Initiative. And that has to be considered in this game of chicken, too, that those risks exist. Yeah. And the other big word that I want to bring up before we close, which is not a small one, cost.

[00:33:03] Obviously, we said time. Other big, big, big question that everybody has is the cost of it. Now, both ways, you're not going to get rid of the cost of CMMC. And, again, this is not like CMMC, you know, this is bringing in the assessments and the certifications and whatnot. But this was already supposed to be incorporated in your cost as a company for many years. Okay. So this is not CMMC bringing this cost.

[00:33:33] Really, the only cost that was brought were the assessments themselves and then service providers realizing, holy crap, my regular company cannot just do this. So their costs change, right, to adapt. Which goes into what I was going to mention first, which is if you're going to compare an MSP that is CMMC level two certified that has a CMMC process that you would go through versus an MSP that's more on the commercial side, their prices are going to be different.

[00:34:02] I hope to God their prices are different because they should be. They should be. I mean, they're going to be different. They're going to be doing different services, different activities. And so if you're one comparison for staying with your MSP and going with an MSP that is CMMC level two certified and has a CMMC process is the cost. You're going to go with your current MSP that is commercial every time. Every day. Yeah. Every day.

[00:34:29] And there's a reason why they're cheaper and there's a reason why there are different costs. And guess what? By the end of the line, I would not be surprised if it ended up being about the same cost because that MSP realizes the time and effort that they're going to take doing this with you that they didn't realize up front. But they still have to do it like they still have to take this time. They have to train their staff on this now to do it.

[00:34:55] That's going to be I mean, CCPs and CCAs are not cheap. We've had to hire them. So we know that already. And that's why our prices reflect that. They don't. And they're going to learn it, you know. And so there is just this part in this process of understanding why the costs are different and they should be different. Right. And so, Lawrence, what is your perspective on that, too, as well from an MSP that's gone through this and seen the cost of it? You hit the nail on the head.

[00:35:25] The amount of time. So there is a value for knowing the answer to the question. Right. So there is a value for that. But besides that, I mean, we spent years and many hundreds of thousands of dollars on ourselves. We have a very different set of tooling. Right. So the tools that we bring to the table, your point on CCPs and CCAs. Right.

[00:35:55] We, just like you, have sent your people through classes. We have ongoing certification, ongoing professional education. The culture of this is very different. And so all of that is reflected in the cost. But the other thing, and this is something that, it's an unpopular opinion. So I'm just going to say it. If as an MSP, why are we pursuing CMMC?

[00:36:19] Why, as a nation, are we undertaking this initiative? Why risk disrupting the entire defense industrial base for this thing? And that is to stop the wholesale theft of American ingenuity that has been happening for a couple of decades now. And it's not been happening through the big primes. It's not happening through the Boeings and the Lockheeds. Right.

[00:36:43] It's happening through the small businesses that are inside of those supply chains that have pinky promised that they're doing this stuff for almost 10 years. Right. I mean, CMMC and these DFARS clauses go back to 2017. So they're not new. But the whole reason we're doing that is to stop the wholesale theft of American ingenuity. And if what we did previously worked, we wouldn't be having this conversation. Right.

[00:37:11] If the MSPs had adequate protection and the defense contractors agreed to implement the controls that they already said they were going to do, to your point. Right. If everyone was already like if the status quo is good enough, then we wouldn't be having this conversation. Yeah. But it wasn't. We have seen the wholesale theft of American ingenuity. We have MSPs that are being targeted now. And that's really where the unpopular opinion is.

[00:37:38] Like if as an MSP, you have clients that are in the defense industrial base, then nation state threat actors are targeting you. They understand that you and your tooling are a weak link in this and they are targeting you. And as an OSC, if you don't think that they're monitoring like nation state threat actors are monitoring your LinkedIn posts and your people and they understand the relationships that you have. Right.

[00:38:07] You are very misinformed, I believe. So I say all of that to say that it's going to be more expensive because the risk that as an MSP that we're taking on, like we understand that our systems, our tools, our people are absolutely targeted by nation state threat actors. Yeah.

[00:38:31] And we have to gear up and skill up ourselves to be able to detect those things and stop those things. And our level of preparation, our level of readiness is vastly different than that of a commercial MSP because they don't have the same risk profile that someone in the CMMC space is. I mean, just saying we're in CMMC means that we are raising our hand publicly and saying we have defense contractors.

[00:38:59] If you target us, you're in the defense and you're in the defense industrial base. And so we have to have the capability and skills that are very different. So I'll get off my soapbox. But all that said, yeah, it's a different business. Yeah, it's just a different business. Yeah. If that doesn't make you pee your pants a little, I mean, I don't know what to tell you, to be honest. I mean, it does. It does for me. I feel like it should.

[00:39:27] And that goes back to like what I was saying about cost and what we're all saying about it. And in the time, it's, there is a difference between knowing the answer, like what you were saying, Lawrence, already to that question or having to learn it later down the way. You know, but are you like Bobby? Like you're just in the conversation here. You very casually were like, oh, by the way, there's like 320 assessment objectives, 100 controls. Here's how they work. Right.

[00:39:57] I mean, you teach this stuff. Right. Yeah. I mean, as a provisional instructor, which is weird to still say provisional because they haven't come out with the CCIs yet. But I would like to also add on a little bit to the cost, the game of chicken. Where I think the OSC falls into the trap when they're working with MSP is they're like, I want to hear the answer that I want to hear.

[00:40:25] And a lot of that is tied to cost because they are terrified about how much additional cost they're looking down the barrel of doing because they have not appropriately done all the controls they needed to do. So because of that, they are desperately grabbing any foothold that is going to hopefully give them the answer they want to hear.

[00:40:46] And if that local MSP can tell them what they want to hear and they hope that they're going to say the words that they want to hear, they're like, OK, we've solved this problem. Let's move on and take care of the other things. But what they don't realize is they've just punted the can further in most situations. We even – this is so dangerous.

[00:41:09] We even saw a company that is not level two themselves provide a service now that they can then take MSPs so they can keep their clients and coach them and their clients to get level two ready and pass their assessment and help it. And they're like, you don't need to get your level two. It's fine. We'll coach you. We'll go through. And I'm just like, that is the worst idea ever.

[00:41:35] You have two people, two parties that another party is coaching that don't have any real idea of what they're signing up for. And you're going to somehow move them through this process that is extremely difficult. The most difficult process I have ever gone through as an MSP provider. And let's just say that you happen to magically hit the dart on the bullseye and you got them through it and they passed. What about the maintenance, right?

[00:42:03] Literally the week afterwards, is their access control database going to be totally wrong? Is the patching level of the system is going to fall off? And when you see you in three years or when DIBCAC shows up to find their environment, in case you don't know who DIBCAC is, it's basically kind of the IRS equivalent for compliance. They show up and they say, hey, you know, you have these requirements in the DFARS like Lawrence was talking about. We want to see if you're in and you've got 90 days roughly before they show up.

[00:42:31] They give you a notice and they'll walk through and do a high assessment and evaluate where you're at. And if you said that you've affirmed that you've been doing it and your stuff is total trash, if you don't keep it in maintenance, you probably won't have 90 days timeframe to get it corrected before, you know, Uncle Sam shows up to get things back in alignment again. If it's just a total train wreck.

[00:42:56] So it's just you've got to think about not just helping the client get certified, but continuing to maintain them. And that cost is no joke. And when you go to work with a company, you know, you don't want to Temu it when it comes to CMMC. You don't want to just be like, oh, let me just, you know, let me get this car for $80 on Temu, you know, a patch box that's going to show up. It's not going to be a real car.

[00:43:27] It looks great on the website. It looks really good. The AI picture online is so good. Fire, right? But no, it's not going to be what you're looking for. And so that is just sort of that reality of. And so what ends up happening, we've seen it multiple times and it's going to be a story. I'm sure you've probably had experience too, Lawrence. And it's going to play out, sadly, a lot this year. Companies that tried to grab for the cheaper, they're going to pay a lot for that cheaper solution.

[00:43:57] Realize it's not going to work. Now they've got a shorter time frame and runway. They're going to have to pay more to hit that time and runway to be able to keep those contracts. And they're going to end up paying double to three times what they would have paid had they just accepted that it's going to be more and paid the cost from the beginning. And ultimately, it would have been a much cheaper and safer run for them. And now they're going to have to speed run it at three times the cost if they can. If they can. If they can.

[00:44:25] That's what they're looking down, that barrel of chicken. And so many companies are playing it. And I'm scared to God they're going to lose. And there's going to be a lot of great mom and pop shops that are small businesses that are just going to go out of business or they're going to have to turn to their upstream contractor and say, what the heck can we do? And they'll probably buy them. Or they'll just go out of business. Or both, a mixture of both. And it's going to start to play out, sadly, a lot this year and next year.

[00:44:55] Yeah. So don't get caught up in a game of chicken. Be safe. Yeah. And as you can tell, guys, there is a lot that we could even talk further about. I mean, with this, I have to close this, unfortunately, because we're out of time. But we could keep going. And all that to say, if you're going to Pax8 Beyond and you're an MSP, please come to that because that's going to be so much fun. We really want to meet you guys.

[00:45:20] We want to see, you know, what you're seeing on your side as an MSP going through this with some of your clients potentially. Also, I think, I guess if this is already posted, we've already gone to CMMC Midwest Conference where we talked about this as well. Me and Bobby are going to that to talk about it there. So we're very passionate about this topic because, honestly, one, we would love if MSPs jumped into the space. They weren't half pregnant. They were full pregnant. And they stepped in and they actually took it seriously.

[00:45:49] And we had more providers that were doing this and doing it right. So we want that. And then also, too, we want OSCs to succeed. And we don't want them to lose a contract because they lost time. And so we care about both of those types of businesses. And that's why we want to talk about this. Lawrence, thank you for taking the time to step on here and just talk your wisdom from your side and your perspective. I always, always love talking with you at conferences. So, guys, if you have the opportunity to talk with Lawrence at a table, don't freaking miss out.

[00:46:18] Like, talk to him because he will talk to you if you're at a conference with him. So please do not miss out and check him out on LinkedIn. Follow his stuff and check out his website that will be linked below of what they do. They do great stuff. And make sure to tune in next Thursday. We always have an episode out every Thursday for another one of Climbing Mount CMMC. But until then, guys, as always, just remember to keep on climbing. See you guys. Bye.