What Questions Should Your MSP Be Asking You?
Climbing Mount CMMC, April 30, 2026


In this episode, Kaleigh and, new to Axiom, Ashton Guerra discuss the critical questions organizations seeking CMMC Level 2 certification (OSCs) should ask their MSPs. They share insights on scope, security measures, and the importance of transparency in the certification journey.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Hello, climbers, and welcome back to another episode of Climbing Mount CMMC, the podcast. We are in season five, and today I am joined not by my father, Bobby Guerra, but rather my brother, Ashton Guerra. Ashton, thank you so much for joining me today. Thank you for having me. I'm excited because we get to talk about something that he and I have been doing a lot recently, which is talking to organizations seeking certification that are coming in looking

[00:00:29] to do business with us as a managed service provider. For those of you who are new to the podcast, Axiom is a company that we work for. We're an MSP that is CMMC Level 2 certified that gets clients through to their CMMC Level 2 certification, sits with them through it, maintains the environment afterwards, and does help desk support. So we talk to these people coming in and share our perspectives of what we need to know about

[00:00:54] them, how we need to assess their environment, their scope, and understand them before going into their environment itself and actually managing and servicing them. A lot of the time, you'd be baffled by how surprised they are that we're asking some of these questions as if this is the first time they've ever been asked this by an MSP. And I thought to myself, you know what? Let's talk about these questions that we ask and let's talk about it on the podcast because

[00:01:25] hopefully if you're an organization seeking certification, you're going through this with a managed service provider or some type of provider, you can take these questions that we ask and realize, did my MSP ask that question? Did they not? If they didn't, should I be concerned that I'm with the right provider? And so hopefully this can be a benefit to you guys that are really truly stepping into this space. Also, Ashton, to get your perspective because you're coming into this really helping me take

[00:01:54] notes in these meetings and understand these perspectives that potential clients are coming in with. And you don't really know CMMC as a baseline. So I'm curious of what perspective you have and what sticks out to you that surprised you as somebody new to this environment and kind of go, I'm very shocked that that client hasn't been asked that before. So the first thing I wanted to talk about is when somebody, an OSC is coming in and we are

[00:02:23] asking them about their scope, the first thing that we ask them about when pertaining to the scope of their environment is CUI, right? I mean, that's kind of a big deal when you're thinking about CMMC. That's the thing that we're trying to protect and manage correctly. And we ask, you know, where is it coming from? Where is it sitting in your environment? And does it go somewhere else after your environment?

[00:02:49] And sometimes they seem like they've never had that question given to them ever when that, in my opinion, is one of the most important. Ashton, what is your perspective to when sitting into those calls that you've learned when talking about CUI and also about scoping in general? Yeah, I'd say I think every call, there's at least one point where I learned something new

[00:03:15] about how, you know, a company can forget or not know where something or how something is held. And it's just, you know, you keep asking those questions and then you start to see, okay, there's a lot of different ways that you have to think about. Yes. The different opportunities you have of just giving out that information. And I feel like a lot of companies just don't, they don't totally know how to check those boxes

[00:03:43] in order to 100% say and give you an answer. Right. Well, because it can be a lot more nuanced than you would expect. And so on the surface, when we're first talking to OSCs and we ask, you know, where the CUI is potentially going, they're like, oh, well, you know, we give it back to the government. We send it to DoD SAFE. We send it via email.

[00:04:10] And then when we're like, okay, well, do you send it to this software though? What about this application that's going to this China app that does some sort of design product? Do you send it there? Yeah, we do. Oh, okay. Well, that's, that's really interesting, you know? And so when you're tying this into what we're talking about today of like, is your provider asking these questions?

[00:04:36] If they're not, I would be curious on how the service provider is taking care of those services or making sure that they're being safely, they're secured, they're safeguarded if they don't know about that application or they don't know where you're sending that. So automatically that is a huge red flag if you've not been asked that question whatsoever. Now, Ashton, you bring up a great point too. They don't always know, they don't know what they don't know kind of thing.

[00:05:06] And so, so they don't think it's concerning. So they're not bringing it up to the MSP. So maybe it's not fully the MSP's fault that they don't know about that. But if you're working with an MSP that knows CMMC, that knows these scary pitfalls that could occur and how it could affect your assessment, they know to ask these questions even if you don't know, right? Right. So what's another one, out of curiosity, that one was the one that stood out to me that I wanted to bring up.

[00:05:33] But is there one that you could think of like right off the dome that you feel like is always surprising to people when I'm talking with them in a meeting? I think printing or just the use of any type of physical environment. Yeah, like flash drives or something like that. You know, it might cross somebody's mind, but they don't think it's a big deal. But it's a big deal. Right. Yeah, that's a great point.

[00:06:00] I mean, there's a whole control and some change on that. If you do incorporate even like USB, flash drives, hard drives of some kind, and they are storing CUI on it, that involves a whole nother aspect of encryption, FIPS, those types of things. So that brings a whole new element to the ballgame. So yeah, that's a great point. Another one that I was thinking about too doesn't really have to even do with technical

[00:06:30] controls, but rather implementation, specifically talking about what does CMMC Ready look like? Because I've learned that many different service providers have many different perspectives on Ready. And so some people think that they're going to have this service provider sit with them in the assessment, and the service provider is not fully aware that they have to sit in that assessment with their organization seeking certification.

[00:06:59] So that's another scary topic that I'm pretty surprised about when people don't know, because I like to point out very clearly, we will be sitting and speaking to the controls as the MSP. We're going to be speaking to the ones that we handle, which is a lot of them as your MSP. And we're going to be speaking to those in the assessment, and we're going to be in there with you, and the assessor is going to ask us those questions. We're going to come prepared with evidence and explanation.

[00:07:26] And then they kind of look at me like, oh, that's great. That's awesome to hear. And I'm like, is this the first time you're hearing about this from a provider? Because that's pretty concerning. From your perspective, even to Ashton, with stepping into the CMMC ecosystem, what are your immediate thoughts of concern when you hear something like that too? Well, I mean, it's just good to be educated on it. So for a lot of people, like you said, they kind of, I guess, resort to thinking, you know,

[00:07:56] they get CMMC wrapped in a bow and then it's left to them right before the test. And it's just a quick test. You just show them that present and then they're good to go. Yeah. But it's a whole journey and you have to have, you know, all your P's and Q's checked off. And if you don't have an MSP that's willing to help you with that or guide you through that, then it's going to be a really big struggle. Yeah.

[00:08:23] And I feel like that kind of like what you said, just with the implementation, that whole process for an MSP that's not maybe doing it, you know, as correct as they should, it's going to be rough and it's going to make that assessment way harder. And I think people just don't realize that if they're not asking the right questions, it's going to be a nightmare for that assessment.

[00:08:49] And if they do leave it off to you when the assessment comes around, it's going to be a struggle to get through that. You maybe even think about too, if they're not asking those questions or being prepared in such a way for the assessment, but also just the timeline in general for CMMC. Because I think about this, a lot of OSCs that come to us, they ask how much does it cost and how long is it going to take you to do it, right? Those are the big top two questions.

[00:09:17] And I would say, you know, after taking multiple clients through their CMMC level two implementation journey from start to finish and through the assessment, do we have the perfect understanding of a timeline of any possible client? No, because we don't have a crystal ball, you know? We don't know the ins and outs of every environment as they come in. We have to assess it. We have to review it.

[00:09:46] We have to scope it out. And sometimes that brings new challenges. It brings out some skeletons in the closet. It opens, you know, project doors that we have to then fully complete and close off, which will extend the timeline. And so if your service provider does not know how to ask those questions or prepare for that,

[00:10:11] they're probably just going to give you a really nice, really fast, sound, super good timeline because that sounds nice. And that makes people say, okay. But it's also not always accurate because you need to know that bumps in the road come up. Sometimes even mountains in the road come up.

[00:10:36] I mean, I'd be shocked sometimes with the things that we figure out about clients later down the road, like months down the journey. They say, oh, all of a sudden, by the way, we have a server that's back in Panama. And we need to make sure that all of those things are also connected to our Azure environment. And you're like, wait, hold on. What? Where did that show up? You know? And all of a sudden, that brings on new challenges, new projects.

[00:11:05] It doesn't mean that we can't do it. It just means, hey, that perfect six-month timeline that we told you for a fully cloud environment is not accurate anymore. And all of that to say, if the MSP or the service provider of some kind that you're working with is not familiar with CMMC and not familiar with the danger, danger zones going down that

[00:11:29] journey, they might be able to give you a really pretty, lovely timeline that looks super nice, is the fastest out of all the people that you've talked to, has the best quote, has the cheapest quote. And, you know, all of it looks beautiful. But it's probably because they haven't really done it a lot. And they don't know some of the dangers that come up. And so you just made me think about that because it really is a conversation I have to seriously

[00:11:58] have with every OSC that I talk to is the honesty behind that. And I think that every service provider should be honest like that. Well, yeah, I think now, like talking about it, I feel like any good sales call should kind of strike fear into you. When it comes to CMMC. Yeah, it has to. And if it's not, then that's just most of the time not realistic. Yeah. Yeah.

[00:12:27] And I think doubling down, I think, to what you're saying, too, is because it should strike fear into the people that realize, like, it's not just the, even going back to what you said previously, sign on the dotted line and then, you know, we take care of it. It's an IT issue. It's not. It's your entire company. You're fully involved through the process. You have to literally direct hours towards it yourself. We can't just do everything for you.

[00:12:57] And if there is a service provider that can do everything for you, I mean, please feel free to comment down below and tell me what your secret sauce is for owning that company to be able to do that or, you know, whatnot. But as far as we know right now, we're not able to fully own the company to be able to do all of these things like hire people, you know, for that. Like, there is only so much that we can do as an external provider, as an external service provider.

[00:13:25] So I think you're absolutely right that there's going to be an awakening moment for the people, the OSCs that are talking to this service provider in their CMMC journey, and be like, oh, I'm going to have to do some of this stuff. Now, there are a few OSCs that I've talked to that have come more prepared. But let me tell you the caveat. A lot of the times they're more prepared because they've been burned already.

[00:13:55] Right. So they know the questions to ask because they've either failed an assessment with an external service provider. I shouldn't say failed because a lot of the times these people are classifying it as like a false start because they didn't even get past phase one. And so then they had to completely start from ground zero or they went down the line with an MSP for months and months and months and then realized, oh, we still don't have our SSP.

[00:14:24] Nothing is done. So this is probably not going to work out, you know, and so now that they've been burned in the past from something, they know more questions to ask, which is unfortunate. Out of the, you know, calls that you've been in, Ashton, what would you say is something, if somebody is new to the CMMC ecosystem like you, what would you say was

[00:14:52] the biggest punch in the face to you coming in of like, oh, I didn't even know that. I didn't know that you'd have to do that for CMMC because I would love to get your perspective because I'm sure that there's a lot of people that are listening to this podcast that are new to it just like you were. You know what I mean? I think there's probably two big things. One of them, I think everybody feels this as soon as they learn about the whole process, but just the money involved.

[00:15:20] I think, yeah, especially for, you know, you have one assessment you're doing. It's probably going to take a couple months to a year and then you fail that. And that's that, you know, you got to retry again. And to put that many resources into that type of thing is pretty crazy. And I think the other thing, too, would just be kind of along with that, but just how big

[00:15:48] the process is and kind of like what goes into it. I mean, you know, an MSP sits in with you and has to basically do an interview with you. I think that was just crazy to see. To me, it sounds like something that, you know, all of these companies need this in order to make bids and, you know, further do business. So it would be something that would be pretty easy.

[00:16:17] But that is not the case whatsoever. And they made it extremely hard. So I think that was kind of a big shock. I just thought, oh, you know, a lot of companies will probably need this. So this must be not easy, but, you know, a quicker or just smoother process. But no, they really put up all the security measures. Well, you brought up, I mean, you bring up a really good point. It might seem silly to somebody who is listening to this that's been a part of the CMMC ecosystem for a while.

[00:16:47] But for somebody that's just stepping in, that's a contractor that's been in the DIB space, that has just assumed kind of what you're saying, that because they're pushing this on to everybody, that surely it would be easy. There are some people that do consider this easy, but that's because they are very mature organizations already in their security posture. And so their security posture, their compliance posture is already to the point

[00:17:13] where they can manage this a lot easier than somebody that's got absolutely nothing. And they're starting from ground zero. This is not an easy feat. And so you're so right. And I'm really glad that you brought that up, because many, many times I have heard, because it is required at such a big, grand scale, that surely it's easy.

[00:17:39] And, you know, the Department of War would actually argue that it is easy. But I would say with the caveat, it's easier for the organization that already has a pretty strong security and compliance posture. But unfortunately, not many of these contractors do. You know, not all of them are like that, but not many of them do. And so that's what makes this really hard.

[00:18:07] And then another thing to take into consideration is, I feel like it would be wrong of us to end this talk without talking about a customer responsibility matrix or a shared responsibility matrix, which, if you have a service provider, an external service provider of some kind, that is a requirement. It is listed in the CAP, the CMMC Assessment Process, as a requirement to have.

[00:18:34] The assessor will request this when going into phase one if you have any external service provider. And so if they have not mentioned this to you, if that external service provider that you're working with has not mentioned this to you, has not shown you theirs, has not gone through it with you, has not given you some sort of copy of it, I would be greatly concerned.

[00:18:58] And I would start asking some questions for sure, because we don't go out of the first meeting with somebody without talking about that, because it's, I mean, it's one of the foundational reasonings that we have the connection with our clients. The purpose of it is to show the shared responsibility between the two of us, who is responsible for what, so that lines don't get crossed or, you know, even worse,

[00:19:27] something gets cut because somebody thought that they were doing it and somebody else thought that they were doing it and then nobody's doing it. Right. So it is a very, very important document when it comes to CMMC. And if the external service provider is not having that conversation with you, that's super concerning. What have you already learned, even from your experience with the connection between a managed service provider?

[00:19:57] Well, you know, that's us specifically, but even just external service providers connecting to these organizations seeking certification. What was a big shock for you when it came to that connection? Like, was there something that stood out to you between, like, something that we do for our clients that you're like, wow, like that's pretty surprising to me. I guess I wouldn't have thought that. Yeah, I mean, I think just from someone that wasn't originally in IT, I think just the SSP

[00:20:25] of it all and then what goes into writing that for the client specifically. Yeah. I think that whole process is crazy. And it's really cool to see how you can tailor it towards what you need done in that company. And then just also being able to speak to literally every type of control and, you know, procedure. Yeah. Just going through that.

[00:20:56] I didn't realize how much, you know, you have to make from scratch in order to get this thing going on, you know? Yeah. What would you have guessed the amount of pages an SSP would have been when you first started here? How many pages would you have guessed without hearing dad talk about it for hours? Yeah. Yeah. Not many.

[00:21:24] Yeah, it's pretty lengthy for, oh, well, at least I think a correct one would be. Yeah. Do we have a page count on that? Do we know how much we're talking? Do we know how long it is? I mean, ours is around 220 pages. Yeah. 236 or something like that. Yeah. Fresh-to-IT Ashton would have said like 10. Solid 10. Solid 10. That wouldn't even fit a data chart. I mean, it wouldn't even, you.

[00:21:52] You would literally get the user counts and the user lists of the environment and then that's it. You wouldn't even get the controls. Yeah. And that kind of goes into, I mean, I'm sure a lot of the companies and a lot of the ones we have do have a base knowledge of the whole process. But I think when you look to find, like, the right MSP, having someone that asks the questions

[00:22:16] for how we do with the phases and really explaining what that process looks like rather than we can get you through this. It's this much. You know, if there's not many questions and it's a quick meeting again, you need to have that fear factor. The fear is a factor. Yeah, the fear is a factor. Well, that's so true because you brought up our phases going through the implementation

[00:22:46] phases that we have with our clients. We can speak very clearly to how we're going to break it out for you, how we approach this. You're going to have homework. You're going to have policies and procedures you're going to have to do. We have those listed out. All of those things we already have done. We're not thinking about how we're going to do that when we onboard you. We already have that process. So if you say yes to us, this is what we're going to do because we already have it set up.

[00:23:12] Whereas if you pick a service provider, maybe the one that you're already with is learning as they go. Just know that, you know, that you're going to have to learn on your dime. And I mean, some people are OK with that and they want to keep the MSP that they have or the service provider that they have. But just know it's definitely not going to be a quicker process. Because they're having to learn for themselves and for you. So there's double learning, you know.

[00:23:38] Bobby always says he's like there's like marriage counseling for CMMC. And he describes it that way because it's like, do you really want a managed service provider or an external service provider of any kind to be like holding your hand, walking it through with you at the same exact time? Or do you want somebody to coach you and teach you and help you through it that has already gone through it before? You know, I just think you're exactly right there.

[00:24:06] There should be a little bit of fear when it comes to that. This seems too perfect. I'm not being asked enough questions that are concerning, because there should be a lot of questions that come along with it. There should be a lot of conversation about scope there, you know. And if there's not, how accurate of a quote are you going to get from that person if they don't ask those questions?

[00:24:31] So I think another thing, too, and you do a good job at this in our sales calls, is making a point that it's not just us. It's a team game. We have to work with you, you know, and making sure that they know that. So it's as smooth as possible, because if they don't know that and they think it's just us, you know, things fall through the cracks. Yeah. Takes a lot longer, you know, then you're pushing things back.

[00:24:59] And a lot of times that's really going to affect how things are done. If you're not 100 percent on the teamwork aspect and, you know, if a customer went into a call and they didn't say anything about, you know, we're going to be holding you guys accountable for this and that. That's another thing that could be concerning for sure. Yeah. That's a great point.

[00:25:27] Well, guys, I really hope that you all listening. I'm allowed to say this because he's my brother. He doesn't know a ton about CMMC yet. He's learning as he goes. He knows a lot more about the NBA. You can ask him, ask him about Kawhi Leonard and he will tell you all about that guy. But when it comes to CMMC, he's newer, and look at what he's already learned needs to be questions

[00:25:56] that an MSP or an external service provider needs to be asking you. So it truly is, I mean, it's a pretty obvious thing when you're invested in it and when you're going through it. So all of that to say, I hope that this is eye opening to you either as an external service provider that is doing this with a client and hasn't asked these questions. Please, my goodness, start doing your research on these things and take it seriously.

[00:26:26] But also if you're an OSC, an organization seeking certification, and you have an external service provider of some kind and have not been communicated to in this way, I really hope the light bulb has turned on and you turn around and have a conversation with your external service provider after. Send them an email right now as you're listening to the end of this podcast. But again, our goal is not for you to just run over and talk to us.

[00:26:53] Our goal is for you to have a successful experience and be able to get to be CMMC level two certified or whether that's level one or level two or whatnot. We want people to be successful. We want the ecosystem to be successful. We do not want this to fail. We also do not want another security breach or infrastructure breach. So we want this to be taken seriously. And that's why we're pushing this out.

[00:27:20] And if you have other things that you feel like are questions that people should be asking, comment them down below. Let us know your experiences. Let us know if you want us to cover one specifically in a podcast episode. We're here to bring awareness to those things. Also, please make sure to check out our events page on our website, which will have there. There'll be a link in the description below for that. When we post this, we'll already have been at CS5 West.

[00:27:49] We'll be going to CMMC Midwest in Wichita, Kansas. And then we're also going to be at Pax8 Beyond, which is going to be in Salt Lake City, Utah. So there's going to be a really, really fun panel discussion. I think I can maybe tease it a little bit because I'm working on the titles for it right now. But basically, I'm thinking that the title is going to be You Can't Be Half Pregnant with CMMC.

[00:28:16] So that's a pretty, pretty interesting discussion there with a couple of MSP friends. So make sure to tune in to those things if you're going to be in the area. If you're going to be in those conferences, please hit us up. We'd love to see you. We always have free t-shirts on us. So ask for them. But yeah, we hope you guys enjoyed today's episode. Thank you so much for listening. Tune in next Thursday for another episode. But until then, guys, as always, keep on climbing. See ya.