What to Know Before Working with a C3PAO
Climbing Mount CMMC | May 07, 2026 | 00:42:56



In this episode of Climbing Mount CMMC, Fernando Machado (CCA) from CyberSec Investments shares his extensive experience with Kaleigh and Bobby about the CMMC assessment process, the journey to becoming a C3PAO, and practical insights for contractors navigating the certification landscape. They discuss the phases of assessments, scoping mistakes, and how to prepare effectively.

Fernando's LinkedIn: https://www.linkedin.com/in/fernando-machado-cissp-cism-cca-ccp-5b5581124/

CyberSec Investments Website: https://cybersecinvestments.com/ 

ND-ISAC C3PAO Shopping Guide: https://ndisac.org/defense-news/nd-isac-releases-c3pao-shopping-guide-for-small-medium-sized-businesses/

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Bobby got by six. Good job. What is it doing? Look at that. Hello Climbers and welcome back to another episode of Climbing Mount CMMC the podcast. My name is Kaleigh Floyd and this is Bobby Guerra and we are your hosts for Climbing Mount CMMC.

[00:00:29] And today we are joined by a very special guest. Fernando, thank you so much for joining us. The things that you guys are doing are really, really incredible stuff. If you guys are not aware, if you're living under a rock and you don't know who CyberSec is and you don't know what a C3PAO is, well, you're about to find out in this episode. CyberSec Investments and all that they're doing over there with their C3PAO is really incredible. You just hit over a hundred assessments gone through your C3PAO. Incredible. Incredible.

[00:00:59] That's really, really amazing. And I'm excited to talk with you today and just discuss really what it's like to go through working with a C3PAO. Many people that are contractors stepping into this space, they're new. They don't even know what a C3PAO is and they don't even know how much an assessment is going to cost. Like, is there a phase one? Is there a phase two? Is there a phase six? They don't know how many phases there are, what's going on.

[00:01:25] And so today my goal is to honestly use Fernando's incredible knowledge, what they're doing over there at CyberSec and just kind of share to many contractors who are listening to this, even MSPs that are walking their clients through this process, what they can expect. So, Fernando, do you want to go ahead and just share just what you guys are doing, who you are and set the stage for you guys before we get into this topic? Yeah. So I'm Fernando Machado, Managing Principal at CyberSec Investments.

[00:01:54] I'm a lead CMMC certified assessor and our organization is an authorized CMMC third-party assessment organization. And we're located in Melbourne, Florida. So my journey to CMMC throughout this entire process has been a long one. So back in January of 2020, we joined the CyberAB's Standard Management Industry Working Group. And our job was to basically create language and assessment criteria for what would be then the CMMC 1.0 assessment guide.

[00:02:21] Our group collectively had contributed something like 17,000 volunteer hours. We were formally recognized by the president of the United States with the president's volunteer service award for our efforts. Later that year, the first provisional assessor class came up. And so if you look at the CPNs now, they're all the way up to like the 69,000, 70,000 range. My CPN is number eight. So I've been involved in this from the very beginning.

[00:02:47] And then in July of 2022, we decided to take the leap forward and become a C3PAO ourselves. At the time, the one thing that I always wanted to discover to see if it could actually be done was can a one-person, one-man band actually do this? And it took me about, you know, four months of 12-hour days, but we were able to become the 29th C3PAO with just by myself at the time. So it took a lot longer than, you know, I was anticipating.

[00:03:15] But, you know, when you're by yourself, you're kind of constrained on time and resources. And then we recently became reauthorized in June of last year. So now we're good for another three years. And since before then, right, we had the Joint Surveillance Voluntary Assessments back then. So that program was where you would have DCMA DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center, doing DFARS 7012 assessments in conjunction with C3PAOs.

[00:03:42] So the C3PAOs would do the 800-171 portion of the assessment. And then DIBCAC would pull the contractor aside to then conduct the DFARS 7012 portion of the assessment of having things like your Medium Assurance Certificate, right? Are you flowing CUI down to your subcontracts in accordance with Paragraph M and so forth? And then in January of 2025, we became authorized to conduct CMMC assessments starting on January 2nd.

[00:04:09] And from that point until now, we've conducted over 100 CMMC Level 2 final certification assessments. And here we are today. And it's still just you. No. No, no, no, no. We've grown since then. I think we're up to eight assessment teams at the moment. Some management structures in place that's kind of helping kind of keep things on a very good process on how we do things. Yeah, that's great.

[00:04:36] I think a lot of people envision C3PAOs like this massive organization that it's highly organized and has millions of years of experience in the industry. And that's not necessarily the case. I've seen quite a bit of divergence between the capabilities. So just becoming a C3PAO is a big undertaking and milestone that is not trivial by any stretch. But to hit 100, that's a story.

[00:05:02] Fernando, can you maybe sort of talk about the journey that took you from you being, I'm sure you probably kicked the door into management and said, hey, this is going to work out. And they're like, what the heck are you talking about? Like, can you kind of sort of talk the story from where you took it to now building that operational maturity to be able to run multiple assessments at the same time in a week, right? Which is a challenge on its own. Everybody has different ways of how they write their SSPs and policies and components.

[00:05:30] And having a team to continually be moving people through that process has got to be quite a challenge. Can you talk to us about that? Yeah. So one of the things that I like to do very early on, and like we're going to discuss it here in a little bit, is kind of like that pre-phase one process, kind of having that discovery call and kind of understanding the needs of the client, figuring out who they are, what they do, you know, what kind of external pressures that we're seeing. Contrary to popular belief, right?

[00:05:59] Everybody sees the 32 CFR part 170 phase rollout. However, if you're a sub to a prime, that phase rollout doesn't really apply to you. You're beholden to the prime, so your rollout could potentially be faster. And then it was just a matter of getting the right assessment teams in place, figuring out how to not burn out assessors, because as you can imagine, assessor burnout's a real thing.

[00:06:21] And we actually had one of our assessors leave one of our competitors to come work for us, because they had them working, you know, two to three assessments a week. And this person finally did about six months of it and said, I can't do this anymore. I need something with a little bit more work-life balance. And so it's taken a long time to develop these processes. And we're constantly improving, because as we start to do things, we start to see different environments. We start to see different scenarios.

[00:06:47] We start to adjust with those different workflows to ensure that the assessments are being concluded on time. Yeah. Well, I mean, it's like what Bobby was saying, too. You can't just say, oh, yeah, I've been doing CMMC level two assessments for 10 years. I've been doing them for 10 years. If you have somebody saying that to you, they're a liar, right? So that's not real. He couldn't be doing that for that long.

[00:07:11] So, I mean, you bring up a great point of like, you know, part of the way that you are successful, too, Fernando, and even we're experiencing on even just a service provider side is you have to learn as you go and be able to adapt and be able to see what, you know, what you can get better on and what you can dive more into. And I'm really excited to talk about this. It's just really we're going to go not go too in-depth because we only have a certain amount of time.

[00:07:40] But for somebody who is new to, you know, to the C3PAO discussion, which there are still many of them out there, they can kind of get a better understanding of what their timeline or their map looks like of the journey that they're going to go down. We can't have an exact timeline, obviously, because everybody's a little bit different. But I want to start by talking about the CAP, the CMMC assessment process, because first off, you know it like the back of your hand.

[00:08:08] And I fear, you know, I fear you could quote the entire thing right here and right now. Please don't. We don't have the time. But for people who are new to this space, can you sort of set the stage for understanding what the CMMC assessment process is for and going into phase one, how you can utilize that and understand what you're looking at? Yep. Yeah. So you've got the CAP, right, which stands for the CMMC assessment process document.

[00:08:34] It's a document that's sanctioned by the Cyber AB, and it basically instructs C3PAOs in a pretty uniform way on how assessments are supposed to be conducted when we conduct CMMC level two assessments. And it's broken up into four phases, right? So phase one, you've got your pre-assessment activities. Phase two, you've got assessing conformity to the requirements. Phase three is closing out any POA&Ms. And then phase four is issuing the certificate.

[00:09:01] And so we have to follow all these different steps in the CAP. So when we get to phase one, that's what we're doing at that point is this is a pre-assessment part of it, right? We're reviewing your system security plan, your policies, your procedures. And at this time, we're not necessarily evaluating the content of your documentation. We're just saying, is there enough documentation and artifacts here to even continue and proceed with an assessment?

[00:09:28] If that is not the case, then what ends up happening is we issue what's called an adverse determination of assessment readiness. So if the organization is not ready to move forward with a level two assessment, we have to fill out a document called a pre-assessment form, which ends up getting uploaded into the CMMC version of eMASS, regardless of whether the OSC is ready or not.

[00:09:51] So what ends up happening is when we upload that pre-assessment form, whether you're ready or not, it now brings your organization. You become visible to the Department of War and demonstrating that like now for one reason or another, you know, your assessment may take long. So you'll notice like we actually had the other day a client that we had an adverse determination for that we had to push out for another six months, but we still had to upload the pre-assessment form.

[00:10:18] And about a couple of weeks ago, the CMMC eMASS team said, hey, what's going on with this organization? Because we noticed that you uploaded the document and we said they've just been moved to another date because of the adverse determination of assessment readiness and they left it alone. So the CMMC eMASS team, they are very much aware of organizations that get uploaded into that. And that could be some foreshadowing. Yeah, I was going to say. Right? Yeah.

[00:10:48] So, yeah. And so for people who also don't know about the term false starts, this has been mentioned a lot even by the Cyber AB in town halls or discussions when talking about the numbers of the ecosystem in general. Would you be able to explain where that falls in this discussion of going into phase one and, you know, and how that pertains to that? Yeah.

[00:11:17] So usually in phase one is typically where the false starts happen is we'll have conversations with organizations and they'll say, you know, this is what my environment looks like. I'm currently in Microsoft 365 commercial, which we know is not FedRAMP Moderate authorized or equivalent. So at that point we say, you're not even ready for an assessment at the moment. Come back and see us in six months. Or they don't even know what a system security plan is. Or they don't have policies and procedures.

[00:11:43] Or one of the biggest ones that I've seen, I still cannot believe to this date. People not assessing to the assessment objective level. They will download NIST 800-171. Totally forget that there's a second part to that document, 171A. And they don't assess to the assessment objective level. They download the NIST template and they just say, this has been implemented with no explanation as to how that document was implemented. And I'm like, you're probably not going to make it through an assessment. You're not ready to go.

[00:12:13] Come back and see us in a few months. And so let's say that that happens, right? And you gave an example of like, okay, then we had to reschedule for another six months. Does the CAP say specifically that, you know, in a few weeks they could reevaluate you in another timeframe? Does it give a timeframe to where you have to push out that phase one for somebody? Or is that kind of to the C3PAO's discretion of how they want to handle that?

[00:12:39] There's no timeline, right? But all the processes, if memory serves me right, everything in phase one has to be completed before you get to phase two. So kind of like the assessor has to kind of make that determination of at a high level, it looks like this organization is ready to proceed with an assessment before going into phase two, which is now you're assessing conformity to the security requirements. Yeah.

[00:13:06] So when you, I think sometimes people kind of assume or think that because they're stepping into the space, they don't know, like they don't realize you get to pick the C3PAO, right? That you can go through and evaluate different C3PAOs because you have to pay them, right? So can you maybe walk me through how you feel the variance is there for people that are reaching out to you guys to be like, hey, you know, Fernando, I want to use you guys.

[00:13:34] Like, what are some good questions to ask? What are some things that, what rights do they have to exercise as they go to discuss with you at the beginning? Yeah. So one of the greatest tools that are out there that came out probably about a year and a half ago, and it's called the ND-ISAC C3PAO Shopping Guide for Small and Medium-Sized Businesses. And in that document, it literally tells you some of the questions you can ask your C3PAO that matter.

[00:14:00] For example, right, are you utilizing 1099 CCAs or are you utilizing W2 CCAs? As you can imagine, if you're using 1099 CCAs, right, it's still a growing ecosystem. There's still a lot of learning curves. So you're going to get different varying levels of experience. You're going to get different varying levels of nitpickiness. Some people might be more nitpicky on MFA versus other assessors.

[00:14:23] So things like that, how many assessments have they actually conducted, whether it be JSVA assessments or CMMC Level 2 assessments? Do they have experience with certain technologies, right? Are they experienced with on-prem manufacturing environments? Or are they experienced with cloud services like, you know, Microsoft, AWS, Google, and so forth? So these are some of the questions you can ask that C3PAO and also processes, right? What do POA&M closeouts look like, right? What does everything, all of that stuff look like?

[00:14:52] These are all good questions to ask your C3PAO. And if you're getting deer-in-the-headlights looks, I always say it's good to interview at least three or four C3PAOs to kind of see which one is the best fit for your organization, right? Depending on the work that you do, you may not have a choice on obtaining Level 2 certification. But as an OSC, you have the choice of selecting the C3PAO that you're going to use. Right. And I think another good one to ask is like how they handle limited practice deficiencies. What's that process look like?

[00:15:22] So if for those that may not know what that means, basically that was an old CAP term. I don't think it's even referred to in the new CAP. But it's basically if the assessor has a finding, how do they see that being handled as far as how you can push back? If it is just something of the nature of maybe a number needs to be changed on policy, would that still be considered a finding? You know, would that be something that you could say, you know, we'll let you make some type of adjustments? C3PAOs have different perspectives about how those can be handled, even different assessors.

[00:15:50] Like when you're talking about especially if they're using contract assessors, there can be quite a large swath of opinion, even with the C3PAO you're working with, because they may have an ardent belief this way and an ardent belief completely different with another assessor that you might have. Whereas if you have, you know, teams that have been trained and they have a much more consistent perspective, you can tend to perhaps get a more consistent experience. I find that's a really good question to have.

[00:16:17] But how do you as a C3PAO try to create that consistency? Because I imagine it's got to be really tough. Yeah. So it's why we like when we onboard folks like per ISO 17020 process, we've got what we call ride checks, right? So you got to you don't just get to jump in on an assessment right away. You've kind of got to, you know, observe, slowly participate, kind of get your feet wet, understanding how the assessments are conducted and like in what uniform manner. Yeah.

[00:16:44] And that point forward, right, before we actually allow them to go actually conduct assessments, they've got to pass, you know, our ISO 17020 internal audit checks of making sure that they're good to go. Regarding the 10-day reevaluation period, I think which is what you're talking about, the rule says if a security requirement is deemed to be marked as not met, we can reevaluate that security requirement during the course of the assessment and up to 10 business days after provided there's three criteria.

[00:17:10] So the first one is, right, you provide additional evidence to demonstrate that the control is met. It doesn't change or limit the effectiveness of the other controls that have been marked as met. And prior to the assessment team submitting our assessment findings report. So as long as you're doing all three, you're allowed to make technical and documentation changes is how we interpret it. Mm-hmm. I really, really hope that people that are choosing a C3PAO or even our MSPs that are working alongside an OSC,

[00:17:40] like as an external service provider, truly, truly hear how important these questions are. And there is a healthy fear with stepping into this with your OSC because it would really suck to figure out some of these things during an assessment. It would really suck to have a false start. You don't also, as the MSP coming from an external service provider,

[00:18:05] for it to be partly your fault that your client didn't go through because you didn't set them up for success. And also, too, there are situations where it's not even necessarily something as drastic as you're in a commercial container for Microsoft and you're not in GCC or GCC High. But instead, it could be something like the assessor doesn't really understand the environment that you've set up for your client and is asking these questions that make no sense to what you've done.

[00:18:33] And now you're fumbling trying to get like trying to make this assessor understand your environment in such a way. And, you know, you're doing it in front of your client as the MSP. And that is not a good place to be in, you know. And we've taken the position internally, right? Because it's not a requirement for MSPs to be level two certified. But we've made an internal decision that if a client comes from a non-certified MSP, we will not take that client on.

[00:19:04] Had situations where we've had to turn five clients away when their MSPs came to the table and to have to sit there and it becomes a very awkward conversation of saying, you know, your MSP clearly doesn't understand the requirements to help you achieve that level. And they're causing you to false start. We can't help you. Taking you on would be a waste of everybody's time and money here. So we just say, we're just simply not going to take you.

[00:19:33] And we take it from there. And, you know, that is one of the biggest reasons why we have the success that we've been having is we filter out a lot of the noise very early on before it gets to our assessment teams. Right. And that, I think, is a big point too. I've seen, I've been on assessments where the assessor, the first time they see the SSPs as we're talking with them on day one of phase one. And I'm just like, how's that happening?

[00:20:01] Like, we uploaded it like weeks before. And like, and I'm meeting you and you're meeting the SSP at that moment. You know, you're just like, oh, Lord, this is going to be. Or the second CCA that comes in, you know, not the lead, but the second has never looked at it, you know, and you're just like, and they have their own sections. I've seen it done different ways. With you guys, with your teams, like, how do you have your teams as far as in how you're working?

[00:20:31] Do you have, you know, how do you guys attack that type of approach of whether you have a lead or whether you have a CCA? How's that? Because I've seen quite a bit of variance there. Yeah, so we usually have like our assessment teams reviewing the documentation prior to the start of the assessment in order to become familiar with the environment. I think everybody does things a little bit differently. I mean, I guess there's nothing stopping a C3PAO from saying we want to take a look at your documentation for the first time during phase two.

[00:21:01] I guess knock yourself out. I'm all about consistency and I'm all about efficiency, right? Why have the OSC upload documentation weeks in advance if I'm only going to sit on it until day one of the kickoff of the assessment itself? Like that to me seems inefficient. Yeah. And one of the things that we've always tried to do is we like we'll have we have an assessment like prep plan document that we have to where we actually go through and we're like we're showing these menus. Here's the specific evidence we're going to try to show.

[00:21:31] Here are the policies and procedures that are relevant to each assessment objective. And so like as we're hitting it, like we're opening them up and we're ready to go. And like sometimes I think some organizations and this is a good question to ask your C3PAO when you're coming in is like how are you guys preparing in advance? How are you going to go to do through things? Because if the assessor has already done that, they're already going to fill out those fields with their initial findings of beliefs of how it's going to be.

[00:21:58] And then when they go into the assessment, if you are really ready, buddy, you can smoke through an assessment because the assessor already has their questions of what they're doing. They have the specific because you have exam and interview and test. Right. So they are going to the assessor knows the tests that they're going to want to do. But if you already have your tests that you're going to show them, they'll be like, OK, well, show me your test. And then you can like pop, pop, pop, pop, pop, pop, pop. You can really fly through.

[00:22:24] You know, I've seen assessments really crawl and fly. And a lot of it has to deal with preparation for both the MSP as well as the C3PAO. It's really interesting. One of the things that we did internally, like this was just from like my experience of working with the joint surveillance assessments back in the day. And what we used to basically go through our assessment ourselves is we created what I like to call the poor man's GRC tool.

[00:22:51] It was a OneNote document that we called the assessor's playbook. And in there, it's basically a OneNote document that says, go take a look. We're going to want to see screenshots of these assessment objectives. Right. Package it all together. Send it over to us. So like now at a high level, the assessment team can say, oh, I'm looking at that and I could see how there's everything that's in there before we even start going through a lot of the assessment. That's great. I mean, that proves you already learned that from JSVA. It's like that.

[00:23:20] That's, you know, things that you took from already previously that you're already applying to level two certifications now. And it's free. You can go onto our website right now and download it for free. It was like, it's just a way for people to just organize their artifacts to provide to us. Yeah. So when someone's like first reaching out to you, like what are the types of things that you want to see from them to provide to you? Like what is like, what are key documents or components?

[00:23:46] You're like, before you even pick up the phone to call me, have these ready. And they better not be on a napkin written in crayon. Right. Like it's going to have to be something of substance. Yeah. Yeah. So usually on that call is usually I tell them, hey, be prepared to show us your SSP, show us your policy, show us your procedures, show us any artifacts that you have supporting your environment. And that's like there's all the stuff that we're going to want to see when we actually have that call with them.

[00:24:12] One of the things you'd said before is like an example of that scoping problem would be like, here's my Microsoft commercial tenant. That's scoped. You scoped it. Already not. Yeah. And that's why you said six months. Right. Because that takes some time to convert and move the data. What are typical scoping mistakes that you see people make that, you know, obviously a non-CUI acceptable environment. What are some other mistakes that you see people in scoping make?

[00:24:42] So we see first, right, Microsoft 365, right? That's obviously not a good one. Lack of a shared responsibility matrix. Like they'll say, this is my MSP. They don't even have a service level agreement in place. Not even that. So I'm like, okay, so who's responsible for what? Oh, well, we do everything. Well, where are you showing me who's responsible for what? Because it clearly defines it in the 32 rule that we have to have a customer responsibility matrix to show that.

[00:25:11] And then also, right, folks, what I'd like to see too and like what actually needs to be seen is documenting your assets in your SSP in accordance with the scoping diagram, right? And having your CUI assets, your security protection assets, contractor risk managed assets, specialized assets and out of scope assets, just kind of listing everything there. So like now when I'm looking at that, as well as like your data flow diagram, I could say, okay, now I'm starting to get a clear picture of the environment.

[00:25:39] Another thing that I also want to point to that's super important for folks to know, the C3PAO is there to validate your scope. They're not there to create the scope for you. And I've been hearing that a lot, right, lately. So I figured I'd go ahead and address that. So if you tell me my scope is X, Y, Z, that's what we're going to evaluate. And just X, Y, Z. My job is not to go snooping around, trying to go find different things. My job is to validate the scope that you've presented to us. Right.

[00:26:07] And that's really important because I think sometimes people don't understand the importance of that because like the CAGE codes, right, of the locations and the offices, like if you're not including certain components, but you're doing services there, like knowing what's being done where, because once you've had your assessment and you validate it and you're like, oh, wait a minute, these three other locations actually we need to include, like you're toast at that point. You know, you're looking at a reassessment over again. Yep. Um, and those are cheap.

[00:26:35] So pay attention to your scoping. And also, um, it's the department stance right now that if you have to add a CAGE code or there's a significant change where you have to, there are no Delta assessments. You have to go through a full blown assessment all over again. And it's not enough to say, oh, I can just pay for another assessment with 103 C3PAOs and 118,000 companies. I got to get certified. Availability is what starts to become an issue. Yeah. Yeah.

[00:27:02] And I think, I think a lot of what you were saying too, and your examples of the SSP, your, your examples of the assets, um, and listing those as well, I think goes to a lot of times Bobby brings up the echo chamber that happens where these companies don't realize, hey, you're stepping in as an assessor and you're looking at this for the first time. You know, it's a book. You're trying to understand their environment and you're going to tell them what, you know,

[00:27:30] what you're seeing here, what is being understood based upon their SSP, based upon their evidence at hand. And, and just like you said, you're not going to be a consultant for them. You're not going to make their scope. So they're going to tell you that. And then you're going to take what they have at this value and try to understand as best as you can, what is going on. Uh, and, and, and so that, I think people forget, they forget that and, and they, they're

[00:27:58] in this echo chamber and they're looking at it all the time. They're looking at this SSP. They're looking at this documentation and they're like, it makes sense, right? It makes sense. But it makes zero sense to somebody coming in for the first time and evaluating it as a whole, you know? And I really love that you said that because I think people greatly misunderstand that like, oh, somebody is coming to this for the first time and trying to review this, you know? And they have to understand it all. So another thing I want to talk about, which Bobby took all of my time.

[00:28:27] So I'm going to end with this. Okay. Let me clarify, Bobby took all that time. Um, and so we talked about phase one, but I do just want to touch on the differences between phase one and phase two for somebody who is new and stepping into this space. So, so phase one is very different when it comes to the evidence gathering, understanding the scope and understand the boundaries, what you have and seeing like, okay, this is, this is enough to where we can move forward to phase two.

[00:28:54] But could you explain to somebody just briefly what the difference is between that phase one and going into phase two and what that looks like for an OSC? Yeah. So phase one is right in the name is pre-assessment. We're trying to determine, do you have everything here to move forward with an assessment? So that when we get to phase two, we're actually conducting the actual assessment, assessing to conformity of the security requirements of 800-171.

[00:29:20] And what we're doing there is we're doing things like during the in brief, we got to make sure, right? That most, first and foremost, questions to ask your C3PAO, are they informing you of your appeals rights? Right? Because that's in there. Every single C3PAO is supposed to inform you and they're supposed to have an appeals rights process, right? Per our ISO 1720 requirements that we have to meet, right? They have to document official meeting minutes and document any questions and answers between the OSC and the C3PAO.

[00:29:49] And then at this point, we start to introduce what's called non-statistical sampling. So this is where, for example, let's say you have five manufacturing sites all over the country, all managed under one system security plan. The assessment team can say, okay, out of the five, we're going to randomly pick three. And if the three are deemed to be good to go and they're adequate and sufficient, then we could say with reasonable assurance that the other two are good to go as well, since they're all under one system security plan.

[00:30:17] And it saves time and money for everybody involved. And then lastly, right, we get into conducting those daily checkpoints, right? One of the things that the assessment team has to do is at the end of each assessment day, they're supposed to say, hey, based on the control families that we've assessed, these controls are currently trending as met, not met, or we may have to leave them open pending additional clarification or documentation from you. So that could be, hey, you know, we uploaded 400 documents and I accidentally left the access

[00:30:47] control policy out. I need to go get it for you. And right, I mean, it happens, right? You're uploading so much documentation stuff is going to get missed. Yeah, that's true. And they're like, okay, yeah, you've got it, right? And so, you know, just providing it at a later time. And then you'll get kind of instructions from your assessment team on how to provide that to them. And understanding that from your C3PAO that you're trying to pick would be a great, great question for sure. And we talked about that before. We've seen some people attempt this in odd ways.

[00:31:16] So I think being able to understand how they conduct those daily checkpoints and those meetings would be very helpful as well. It's not consulting. It's not like they're telling you how to do your job. It's just understanding how they do their business. And I think that's fine. The last piece of that too is how does an external service provider fit into that? For somebody that is going into this thinking, which I've had this conversation multiple times

[00:31:43] with contractors, they're like, oh yeah, I have this MSP. They're going to come in and pop into this assessment when I need them to talk about these things. Could you just sort of explain how that connection works with that external service provider that's listed in the customer responsibility matrix that they've given you? Yeah. So we've got two flavors of external service providers, right? So you've got your... I was going to make sure we clarify the distinction.

[00:32:09] So you've got an external service provider that is acting like an MSP, MSSP right on one side. And then another external service provider, which is a cloud service provider that processes, stores, or transmits CUI on the other side. So traditional MSP, MSSPs, what I want to see is, and it would be the same thing on the other side. I'd like to see a shared responsibility. So for 3.1.1, right? It would be a shared responsibility. How are you authorizing system access to your authorized users, processes, and devices?

[00:32:37] And then I want to see how the MSP is also doing it on their side. And we would just go down the list and figuring out who's responsible for what. Contrary to popular belief, you can't have a 98% inheritance, right? So that doesn't exist. We were on a panel and that literally came up. Remember? Yeah, you guys were both on that same panel. And some dude's like, oh, I do like all of it. And we all brought our mic up. I'm like, no, dude, that's not happening. Nope.

[00:33:03] Yeah, so, right, they can't determine who gets access to an account with that access to CUI. They can't determine who conducts background checks. They can't determine who, you know, training and so forth, right? There's a whole bunch of things that it's at a minimum is a shared responsibility or the customer responsibility solely. And then on the cloud service provider side, right, if they're going to be using that external cloud service provider to process or transmit CUI, they either A, have to be FedRAMP Moderate

[00:33:30] authorized on the FedRAMP marketplace, not FedRAMP Ready, not FedRAMP In Process. They have to be FedRAMP Moderate authorized or B, they have to be FedRAMP Moderate equivalent in accordance with DOD's December 2023 memo in which it is a 100% compliance with the latest FedRAMP requirements conducted by a FedRAMP 3PAO. And there was a body of evidence that they have to provide. Well, it's I think it's important to understand the relationship like you were talking about

[00:33:57] to Fernando is what is the MSP and MSP's relationship during that critical piece? So is the MSP going to help you get ready or are they just going to do their part and then look at you to do yours? And that's it. And understanding like for us, what we do is we're all in or nothing. So we will take you from zero to 110. We don't do projects just for someone to build a tenant and then give them the keys and walk away.

[00:34:26] Like we only do full service engagements or we don't do it. And so from that, we're expecting to take them, build their documentation, create the whole component, build their tenant, sit the assessment, talk through the parts and go and be able to speak. So that is how we've built our system and how we're going to work. But understanding the relationship, because I think sometimes we've had companies come to us and they've had some horror stories because they made assumptions about how that

[00:34:52] was going to actually happen only to discover when it's too late that actually, in fact, it's just a relationship where they're going to look at you and you have to do your part. And, you know, and and that's fine. But you need to know that engagement going in. And it's sad. And sometimes it's being discovered by you guys during the initial discussion process. And we work even with the client about how to like build the evidence package to upload

[00:35:21] because so much of the stuff is technical from our part. The client can't even get access to those components to upload those, you know, because we we have the relationship and MSP that like as the matrix, like that's our responsibility. So we have to own that. And so, like, even in that final days and week before the assessment, like how's that MSP going to help you build your evidence package? And what are they going to upload? Who's going to be responsible?

[00:35:48] Just even having those questions covered a lot of times aren't thought of. And you're trying to figure it out at the last minute. And it can be. I think I'd hate to assume this, but I would guess, Fernando, that this is why you chose CMMC level two certified service providers only because some people start to learn that they have to talk in the assessment during when they first talk with you.

[00:36:14] And maybe that, you know, starts to set people up for, you know, the wrong kind of assessment and not not for success. Yeah. And it's a lot of what we jokingly call it, right? CMMC is a lot like the five stages of grief. So a lot of the small business owners, like they'll just say, oh, the IT guy is going to answer all the questions. I'm like, they can't. Like there there's things that you have to do on your side of the shared responsibility that you're going to have to talk to. Yeah. Both like both parties have at a minimum a shared responsibility or there's going to be

[00:36:44] a fully customer responsible, but there should be almost equal dialogue across the board throughout the entire assessment. Mm hmm. Absolutely. Yeah. Because like we'll have a situation where the client has their pre-onboarding process they have to go through. And so the procedure has to speak to how they do the background screens, the agreements, the, you know, acceptable use policy of how they are going to operate, those people sign it. Then they go through the training components.

[00:37:13] Then they maybe fill out a form and then they send it to us. And now we can actually add them to the system. Yeah. We can't, we can't show up at their location and be all like, hey, did you do that? Show me the evidence for that. Like they have to do that part. And chances are the assessor is going to want them to speak at that point. Right. Yeah. And you also too, Fernando, you brought up a great point about the difference between

[00:37:39] CSPs and like external service providers that are considered like MSPs and MSSPs. Another thing about cloud service providers, and you gave the example about a commercial tenant versus a GCC or GCC high tenant. Another thing you have to think about with those are like tools. If you're bringing an external service provider, I did just want to mention that briefly because I've heard a lot of people not get through phase one for this example.

[00:38:05] And I think you touched on that before, but, but just, you know, they don't think about, oh, this tool is actually considered a CSP and can do such things. And because of that, you know, it's not FedRAMP authorized. And what happens there? You know, oh no, here we go. And so those are some of the things that you, you, you have to think about when you're an external service provider, bringing tools into that OSC's environment and just being an OSC that has tools in their environment as well. Right. Agreed. Yeah.

[00:38:34] So all of that to say, this is a really, really easy thing to do. I'm shocked that not many people have done it yet. You know, Fernando's got a hundred, but come on guys, let's see if you can beat them, you know, and we're going to see how we, no, I'm just kidding. This is no small feat. This is a really huge accomplishment. Congratulations, you guys. Congratulations, Fernando and your team. You're doing incredible things in the ecosystem.

[00:39:01] I hope that many people learn from what you guys are doing. I really hope that we can continue to build up these contractors that need this, that are absolutely scared to death of this November 16th deadline that they are now, you know, panicking about. We really need, you know, not only C3PAOs that are doing it right. We need service providers that can help people implement it right.

[00:39:27] We need OSCs that are, you know, getting in the boat and rowing and not just trying to sign up for the next assessment, but understanding what they're signing up for, really understanding what an SSP is, how they can make it right, and how they can successfully secure their environment and how they can safeguard CUI. So I hope that with what Fernando has shared today, and honestly, we could have kept going,

[00:39:54] and Fernando has amazing discussions in a lot of different like CS5 West. We saw him at CUI Con just a little bit ago. You can see him at a lot of different conferences. Do you have a page? I should have asked you that. We actually have on our CyberSec Investments website. I think we actually have like an events page, and it shows where I'm going to be bouncing around the country. There you go. So I've got speaking engagements all the way through the end of the year, and we'll see if we can fill in the rest. I have always enjoyed your speaking.

[00:40:21] The one that you did where you did the summarization of the, like how we kind of got there, the CMMC that you did at CUI Con was awesome. I think it was the best way to explain that. I've heard it. It's almost like an Easter Sunday service. Like you've heard it so many times. You're like, how many times are we going to talk about, you know, this Easter service, you know, type thing. And, but you took something that has been covered many, many times, and I think you had a really good perspective. You did a great job of breaking it down and for the audience that needed to hear it.

[00:40:51] And so that was a really good one. So if you ever happen to hear Fernando around speaking, make sure to dip in. I give that talk, the CMMC Unraveled talk, everywhere I go around the country, because I never like to presume that everyone is aware of the CMMC requirements and kind of the history and everything behind it. Like heard it, even though the program, right? With the CMMC accreditation body was set up in January of 2020 and people are just now

[00:41:21] starting to figure it out right now. So I never liked to make that presumption and just kind of get, getting them back to basics. Right. And I say, if you, if you need help beyond the basics here, that's where they need to reach out like folks to you guys. Yeah. And you know, we're all sick of hearing Jacob Horn's, the history of CMMC video. Get something new out here. No, I'm just kidding. Yeah, I really do. I really do want to emphasize too that like there are amazing resources, like what you guys have on your website.

[00:41:48] You said you even had some free materials that we can link below as well that they can check out. Please guys don't hesitate to, to follow Fernando on LinkedIn, to check out what they're doing to keep up to date as well as check out his website and what they're doing over there. Um, you know, if you can learn from other people that have been doing some things before you, why not do that? I mean, that's what I would recommend. So please make sure to check that out. Um, again, thank you Fernando so much for taking the time to sit down with us.

[00:42:18] Um, I greatly appreciate it. And I hope that many people got a lot of information and knowledge, um, from, from this podcast episode. Guys, if you're listening to this every Thursday, we post a new episode. So make sure to tune in next Thursday for another one. Check out our events page if you want to stalk us as well as Fernando. But, you know, we'll be dressed as well as he is, but we're still pretty cool with cool t-shirts. Fernando will always be wearing something nice. Bobby will continue to wear his cargo pants and, and that will be how it is. So make sure to find us.

[00:42:48] But yeah, guys, as always, again, uh, remember to keep on climbing and we'll see you next episode. See ya. Thanks for having me guys. Bye. Bye.