Let's talk about the CMMC Menu items. There are multiple ways that a business can tackle CMMC and we wanted to share with you 4 popular ways. In no way are we claiming these to be the only ways, but we do feel like these are the top four ways we've seen companies climb the mountain.
Comment below if you have any questions or ideas on another way to climb. We'd love to hear!
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's Linkedln: https://www.linkedin.com/company/axiomtech/
Bobby's Linkedln: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's Linkedln: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] [SPEAKER_00]: Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:11] [SPEAKER_00]: In today's episode Bobby and I are going to talk about the menu items of CMMC.
[00:00:17] [SPEAKER_00]: We're going to discuss the different options and ways to tackle your CMMC journey and
[00:00:22] [SPEAKER_00]: how you can choose what's best for your business.
[00:00:25] [SPEAKER_00]: So let's get into today's episode.
[00:00:29] [SPEAKER_00]: Welcome back climbers.
[00:00:31] [SPEAKER_00]: Today we are going to be talking about the menu of CMMC.
[00:00:36] [SPEAKER_00]: Now here's what we mean by that.
[00:00:38] [SPEAKER_00]: We believe that there's four different ways or four different menu items that you can use to tackle CMMC.
[00:00:45] [SPEAKER_00]: And those four ways are you could either do it yourself,
[00:00:49] [SPEAKER_00]: CMMC in a box which we'll explain later, software solutions, MSP engagement solutions.
[00:00:56] [SPEAKER_00]: Okay, so those are the four that we're going to talk about today.
[00:00:59] [SPEAKER_00]: But Bobby I'm going to kick it over to you with the first kind of bucket that we have on this menu,
[00:01:04] [SPEAKER_00]: the first menu item, the do it yourself.
[00:01:08] [SPEAKER_00]: So when we say do it yourself, what do we mean by tackling CMMC just by yourself as a company?
[00:01:15] [SPEAKER_01]: Well, I mean I think we can all agree that CMMC is a beast to try to tackle.
[00:01:19] [SPEAKER_01]: And so I think it's kind of important to realize that these four areas that we talked about aren't like the end all be all.
[00:01:24] [SPEAKER_01]: You can combine them.
[00:01:26] [SPEAKER_01]: There's a lot of exceptions to those things, but in general they kind of fall into those four different buckets.
[00:01:32] [SPEAKER_00]: Right.
[00:01:32] [SPEAKER_01]: So you mentioned do it yourself.
[00:01:36] [SPEAKER_01]: So option one.
[00:01:37] [SPEAKER_01]: So there's different ways that people tend to tackle that.
[00:01:40] [SPEAKER_01]: I've seen individuals contract or hire an organization or people to have them work at their organization.
[00:01:47] [SPEAKER_01]: And the concept is get it to where it's ready to turn the keys over and then somehow we'll go through and make this happen on our own as those other individuals that helped them onboard it kind of sail off into the sunset.
[00:02:02] [SPEAKER_01]: Now there are organizations that are large enough that may have people full time on staff that can actually do that, but just realize based on our experience that you're going to need one to two people full time for at least six to eight months if not a year
[00:02:16] [SPEAKER_01]: to really focus on getting that implemented assuming you don't have a system already built, which for the SMB and smaller communities a lot of times they don't.
[00:02:25] [SPEAKER_00]: No.
[00:02:27] [SPEAKER_00]: And so when you're saying do it yourself like is not necessarily you're meaning you're meaning the whole thing by itself but almost like the idea that once somebody or maybe multiple people have come in and helped you with some things you'll just take it over by yourself.
[00:02:45] [SPEAKER_01]: Yeah, you're building that system on your own.
[00:02:50] [SPEAKER_01]: You're going to create your own policies you might buy some templates you might not.
[00:02:53] [SPEAKER_01]: You sort of built that system that you have.
[00:02:56] [SPEAKER_01]: You go with some type of cloud solution perhaps to save your documents maybe you don't have a solution maybe you have everything in house and you sort of you create your design your plan of attack how you're going to do your CMMC implementation.
[00:03:11] [SPEAKER_01]: You're scoping your system security plan you build it all out.
[00:03:15] [SPEAKER_01]: And then at that point you're like okay I feel like we're ready to be assessed and then you go for assessment you pick your C through P O you go through hopefully you pass, you know, and you're like mission accomplished gold medal way to go.
[00:03:27] [SPEAKER_01]: And that whole process is going to be at least a year for somebody to go through from yeah, starting building getting ready.
[00:03:35] [SPEAKER_01]: We've learned.
[00:03:36] [SPEAKER_01]: Yeah, getting ready for your, your assessment doing your assessment getting your certification.
[00:03:41] [SPEAKER_01]: You know that just takes time if you don't have a good ecosystem so there are people that are trying to tackle that on their own and some are at various different levels and that's that's sort of the one approach that people try to do and it's super challenging because it requires a high level of knowledge inside your organization and even if you bring an outside consultant like you're going to have to have that engage with that
[00:04:05] [SPEAKER_01]: person probably indefinitely just because of the fact that it's not about just getting your certification you have to have someone on staff to help champion the system to continue happening correctly you're going to have to have that you know compliance officer or CISO or CIO or someone in your
[00:04:25] [SPEAKER_01]: company who's like burr dog and to make sure that after you get that that process built that it's being followed because it's very easy once you sort of build something to kind of focus on other things and it just kind of kind of goes to shambles.
[00:04:38] [SPEAKER_00]: Right yeah.
[00:04:39] [SPEAKER_00]: Because I mean you can't just forget that the company still goes on the compliance still goes on even after the assessment itself.
[00:04:47] [SPEAKER_00]: I am curious one more question about this this sort of do it yourself bucket is is there like a company maybe size or or category that that would do better in this category than the others like when you when you hear do it yourself like is this even is do it yourself even possible for a small business.
[00:05:11] [SPEAKER_00]: Do you understand what I'm saying.
[00:05:12] [SPEAKER_01]: Yeah no it is it's not very realistic because typically if you try to hire someone on staff even a contract basis for a particular period of time to try to accomplish that.
[00:05:25] [SPEAKER_01]: I think there's some other options on the menu that you might be better served to try to do that taste better to you.
[00:05:30] [SPEAKER_01]: Yeah because what you'll end up happening is as you're trying to do that process.
[00:05:37] [SPEAKER_01]: We're talking about smaller organizations that they don't have those type of staff.
[00:05:42] [SPEAKER_01]: What what you're going to find is you'll get this thing built and then in general what happens is once that person leaves they tend to turn their attention elsewhere and it just the system starts to fall apart because you don't have some type of anchor to keep that because the
[00:05:59] [SPEAKER_01]: CMMC ecosystem you know it's moving forward it's changing and you've got to have someone that has an eye on the ball that's keeping an eye on making sure that the way that that things are being done inside your organization is happening they want now.
[00:06:15] [SPEAKER_01]: Once we get past the certifications and this whole thing is totally live this might start to change over the course of a few years but right now there's still some ebb and flow to it and even if you have a system right now today.
[00:06:27] [SPEAKER_01]: You really want to make sure that you're staying on target because you have to be you have to be assessment ready right now just because the assessments are happening yet so.
[00:06:35] [SPEAKER_01]: Oh yeah even if you you've got your system ready at the beginning of this year.
[00:06:39] [SPEAKER_01]: You know it's possible that once the assessment start you might have had a year of neglect for that system not to be appropriately managed so that's why you got to really keep keep your eye on it.
[00:06:51] [SPEAKER_01]: And that can be difficult if you're like okay well Sally over here who does our quoting system she's our point of contact for CMMC she'll keep an eye on it you know yeah and you're like.
[00:07:01] [SPEAKER_01]: They've got two jobs to do.
[00:07:04] [SPEAKER_00]: That's a pretty tall order that yeah that's a very tall order in and definitely people that are going to attempt to do it that way need to understand that it's a tall order because.
[00:07:14] [SPEAKER_00]: If they don't they might get stuck in a situation where Sally is is left with no no extra time to even be able to do that stuff so yeah that makes a lot of sense.
[00:07:25] [SPEAKER_00]: So let's move over to this one I'm very curious about your thoughts the the in a box right okay so you said when you were describing this to me the magic on clave box.
[00:07:40] [SPEAKER_00]: Let's break that down what do you what do you mean exactly by that menu item.
[00:07:44] [SPEAKER_01]: So those kind of fall in different subcategories I would say but in general what what that's trying to say is you go with some type of solution that's outsourced that's in a box or you can create an.
[00:07:58] [SPEAKER_01]: In in a box solution for yourself but regardless what you're kind of saying is is everything that we care about that is controlled unclassified information is going to stay in that box.
[00:08:09] [SPEAKER_01]: So as we receive and operate and work it's going to be inside that that environment whether it be virtual machines that you have whether it just be a separate container that the only way you can access it is through.
[00:08:20] [SPEAKER_01]: Specific web interfaces and you have policies whatever that might be that's kind of that in the box solution and it's it's either you're building it yourself or you're outsourcing it to another company.
[00:08:31] [SPEAKER_01]: A lot of MSPs have for other MSSPs or other organizations have stepped into that space and it's very appealing for them because they can build this system that is replicable replicable.
[00:08:45] [SPEAKER_01]: They can copy it a lot about that.
[00:08:47] [SPEAKER_01]: Yeah, they can build this and they can have a pretty consistent environment and they feel a lot more comfortable assuming the responsibility that comes along with adopting those CMMC requirements for the client and that's kind of addressed in a shared matrix perspective.
[00:09:02] [SPEAKER_01]: So, you know, in those types of situations 60 70 80% of the CMMC responsibilities may be pushed over to the organization that is running that in the box methodologies and you can then have a lot less requirements for you to have to implement.
[00:09:21] [SPEAKER_01]: Right.
[00:09:22] [SPEAKER_01]: That sounds super cool, but there's always a catch.
[00:09:26] [SPEAKER_01]: It's always going to be a catch.
[00:09:29] [SPEAKER_01]: There are some some cons to this type of solution and I'm not saying like it's a con in general, but there are some things that you do need to understand when you take a, you know, a fully enclave in a box solution.
[00:09:42] [SPEAKER_01]: Let's say that the world is a happy place and the company that you pick is magical and they do everything the way you want.
[00:09:48] [SPEAKER_01]: And it's great.
[00:09:49] [SPEAKER_01]: It's everything's firing on all cylinders.
[00:09:51] [SPEAKER_01]: They're doing what they say they're going to do.
[00:09:53] [SPEAKER_01]: And it's a happy day.
[00:09:55] [SPEAKER_01]: But what if you want to leave that organization?
[00:09:58] [SPEAKER_01]: Let's say it's not a happy day.
[00:09:59] [SPEAKER_01]: Let's say that the organization isn't doing what you think that they should be doing or they're not operating or just whatever.
[00:10:05] [SPEAKER_01]: Maybe they had a merger and acquisition and they're just hard to deal with now.
[00:10:08] [SPEAKER_01]: They've got everything of yours that you really care about that's controlled on classified information.
[00:10:14] [SPEAKER_01]: Your whole plan that you built around is that that's a huge deal to pivot away from.
[00:10:20] [SPEAKER_01]: So a lot of times people run to these in a box solutions because they're like, man, it's cheaper.
[00:10:24] [SPEAKER_01]: A lot of times those in a box solutions don't cost as much and they, you know, they promise they're much easier to implement.
[00:10:31] [SPEAKER_01]: And so you can get into those solutions and boy, it's great, right?
[00:10:35] [SPEAKER_01]: But then if you decide you want to leave, it's a lot harder because they've got you at that point.
[00:10:41] [SPEAKER_01]: And I just, I'm not a big fan of full in blocks type solutions because of that.
[00:10:46] [SPEAKER_01]: I'm a big advocate of organizations that kind of have their own destiny and have their own control of their data.
[00:10:53] [SPEAKER_01]: So if I was going to do a fully enclave, a lot of times you hear people refer to that an enclave solution.
[00:10:59] [SPEAKER_01]: I'd want it to be hosted myself.
[00:11:02] [SPEAKER_01]: Yeah, I wouldn't want to, you know, and so that goes back to okay, well who's going to manage it?
[00:11:07] [SPEAKER_01]: You know, if that's the case then, you know, talking with those to be like, hey, could you manage it for us?
[00:11:13] [SPEAKER_01]: Yeah, maybe that might be a better way of doing it because that control is a really big deal.
[00:11:20] [SPEAKER_01]: And I have seen it go so far south so many times for different companies that have done those solutions.
[00:11:26] [SPEAKER_01]: It's just really scary for me because if your organization, if the majority of your business is DOD contracts and the far rule is around the corner
[00:11:35] [SPEAKER_01]: and that's going to then hit all government bodies.
[00:11:38] [SPEAKER_01]: So maybe you say, you know what? I don't want to do this whole DOD thing.
[00:11:41] [SPEAKER_01]: Maybe I'm just going to go to other federal government agencies and still continue that.
[00:11:46] [SPEAKER_01]: It's going to be hard eventually for anybody to be able to avoid these types of requirements because the fact that eventually all government bodies are going to be controlled by some type of control and classified information regulations and requirements.
[00:11:59] [SPEAKER_02]: Right.
[00:12:00] [SPEAKER_01]: So yeah, it's coming down the pipe.
[00:12:01] [SPEAKER_01]: And there's some other aspects about that enclave methodology.
[00:12:06] [SPEAKER_01]: And here's the other piece that a lot of people greatly underestimate.
[00:12:10] [SPEAKER_01]: So let's say that we use a magic box solution that all the stuff goes in there, that it's compliant, 100% compliant.
[00:12:20] [SPEAKER_01]: How are you still have to have a system security plan?
[00:12:24] [SPEAKER_01]: Yeah.
[00:12:24] [SPEAKER_01]: The organization have to have a system security plan that talks about how you operate in that box.
[00:12:30] [SPEAKER_02]: Okay.
[00:12:32] [SPEAKER_01]: And now you have created this intricate system security plan that is purely written in general for that plan, that box that you have.
[00:12:42] [SPEAKER_01]: And if you want to move to another box, you better write that system security plan in a way that is more generic so that if you want to use another solution.
[00:12:51] [SPEAKER_00]: You don't have to completely rewrite the entire thing.
[00:12:54] [SPEAKER_01]: It's a pain just leaving the enclave that you're going with the other company.
[00:12:57] [SPEAKER_01]: It's another thing than rewrite all of your system security plans, your policies, your procedures, all that goes out the window tool.
[00:13:03] [SPEAKER_01]: You're basically it's page one rewrite.
[00:13:05] [SPEAKER_02]: Yeah.
[00:13:05] [SPEAKER_01]: And that is not a good day.
[00:13:09] [SPEAKER_01]: So you've got to think about your system security plan about how it's written and how it integrates with that in a box solution.
[00:13:16] [SPEAKER_01]: And then you have to have the policies and procedures.
[00:13:18] [SPEAKER_01]: Now you might be able to say, Oh well, that in a box solution does those policies.
[00:13:23] [SPEAKER_01]: But you still have to have a system security plan that refers to that and integrates that and works with that.
[00:13:29] [SPEAKER_01]: And then your in a box solution isn't going to do your background checks, right?
[00:13:35] [SPEAKER_01]: They're not going to hire your people.
[00:13:37] [SPEAKER_01]: Right.
[00:13:37] [SPEAKER_01]: They don't they're not in your company.
[00:13:40] [SPEAKER_01]: They're not going to do your door controls.
[00:13:42] [SPEAKER_01]: If you have, you know, things that are physical in nature that you might that may be in scope that's out of sight of that, you know, it starts to get really.
[00:13:53] [SPEAKER_01]: Questionable so that you have to really understand what responsibilities you truly are going to own.
[00:13:58] [SPEAKER_01]: Yeah, you know, a part of the hiring process is always going to have to be the company, even if you have them in the box that has to be documented through a policy and procedure and how all that works.
[00:14:09] [SPEAKER_01]: That's going to get audited.
[00:14:10] [SPEAKER_01]: So the and then the last thing is, is what's that in a box company going to do for you when it comes on at time?
[00:14:17] [SPEAKER_01]: Right.
[00:14:18] [SPEAKER_01]: Is that out of box solution or in a box?
[00:14:21] [SPEAKER_01]: I should say.
[00:14:23] [SPEAKER_01]: Are they going to sit next to you during your audit and answer the questions they're responsible for?
[00:14:27] [SPEAKER_01]: Are they just going to give you a document that answers the questions and you have to talk to it?
[00:14:34] [SPEAKER_01]: Well, are you prepared to have that discussion?
[00:14:36] [SPEAKER_01]: Do you feel comfortable?
[00:14:38] [SPEAKER_01]: I wouldn't.
[00:14:39] [SPEAKER_01]: I wouldn't want to say toe to toe, but if an auditor is looking at you, they want to know that you feel confident and competent to address and answer all questions they have.
[00:14:49] [SPEAKER_01]: That's a different conversation.
[00:14:50] [SPEAKER_01]: So you've got to really think about that enclave solution that you're renting from somebody else.
[00:14:56] [SPEAKER_01]: How all of that plays out?
[00:14:57] [SPEAKER_01]: Those are those are things a lot of times who don't think about in the sales process, they don't want you to think about that.
[00:15:02] [SPEAKER_01]: They'd much rather go through and say, OK, you know, we're going to talk about these things.
[00:15:07] [SPEAKER_01]: I've heard some talk about the piece of it, which is nice.
[00:15:10] [SPEAKER_01]: I've seen a few of those that do that and how soft those that do that because I think they're handling getting a more reasonable approach.
[00:15:18] [SPEAKER_01]: Barbie, where about those?
[00:15:20] [SPEAKER_01]: You have to really pay attention.
[00:15:21] [SPEAKER_01]: It sounds like you get there quickly, but it doesn't necessarily help you get where you need to be.
[00:15:26] [SPEAKER_00]: And it sounds like, you know, especially women, you don't want to make assumptions at any time, but especially with the in a box solution.
[00:15:37] [SPEAKER_00]: You want to be careful with the things that you're assuming are inside that box, right, that are being covered because, you know, the saying when what do you do?
[00:15:47] [SPEAKER_00]: You know, what happens when you assume?
[00:15:49] [SPEAKER_02]: Right.
[00:15:50] [SPEAKER_00]: Makes but it really just seems like it makes it out of you for this.
[00:15:55] [SPEAKER_03]: Yeah.
[00:15:56] [SPEAKER_00]: For this kind of thing, it really seems like it falls more on you than them, right?
[00:16:00] [SPEAKER_00]: Because I mean, depending on who you're working with, which we could go into another topic about that, they're not necessarily being audited.
[00:16:07] [SPEAKER_00]: I mean, they are.
[00:16:09] [SPEAKER_00]: But, you know, it's really mostly falling on you.
[00:16:12] [SPEAKER_00]: And so that it sounds like to me this in a box solution, you especially have to be very careful with what you're assuming is inside that box and taking care of.
[00:16:26] [SPEAKER_01]: And that's a pretty big deal to kind of think about that audit process, how that goes.
[00:16:31] [SPEAKER_01]: Has their in a box solution actually gone through an assessment?
[00:16:35] [SPEAKER_01]: Have they been assessed the organization that built it?
[00:16:38] [SPEAKER_03]: Right.
[00:16:39] [SPEAKER_01]: Have they gone through a CMMC assessment or a Fed ramp or whatever?
[00:16:42] Right.
[00:16:42] [SPEAKER_01]: Are you the test dummy?
[00:16:44] [SPEAKER_01]: Right.
[00:16:45] [SPEAKER_01]: You want to know that as well as have a good understanding about how that's playing out.
[00:16:49] [SPEAKER_01]: And I think this kind of gives us a good opportunity to pause for a second and say, as you start to hear option one and two, you're like, those sounds super complicated.
[00:16:57] [SPEAKER_01]: It doesn't get any easy.
[00:16:59] [SPEAKER_00]: Yeah, option three and four are not less complicated.
[00:17:04] [SPEAKER_00]: Right.
[00:17:04] [SPEAKER_01]: So it, I think what the point that I'm trying to make there is you really should engage with AC3PO or some type of certified.
[00:17:12] [SPEAKER_01]: I would do either a CCP or CCA, probably a CCA.
[00:17:15] [SPEAKER_01]: And I like a C3PO because they've gone through the audit concept.
[00:17:19] [SPEAKER_01]: It's always a good idea to have one of those in your hip pocket as you're trying to pick the menu option.
[00:17:24] [SPEAKER_01]: Right.
[00:17:24] [SPEAKER_01]: So which of those four do you want to go with or a hybrid of those?
[00:17:27] [SPEAKER_01]: So you kind of come up and hatch the plan.
[00:17:29] [SPEAKER_01]: Right.
[00:17:29] [SPEAKER_01]: And then you either, you know, the ones that you pick are going to go through and those, that person or people or body like a C3PO are going to help you navigate the concerns and make sure that those are properly addressed.
[00:17:42] [SPEAKER_01]: Because all four of these can work.
[00:17:44] [SPEAKER_01]: They absolutely can work.
[00:17:45] [SPEAKER_01]: You just have to know the pros and cons of them and lean heavily into it.
[00:17:49] [SPEAKER_01]: And it's not going to be a little easy button push and you're good to go no matter what anyone says.
[00:17:54] [SPEAKER_01]: That's just not reality.
[00:17:56] [SPEAKER_00]: Yeah, absolutely.
[00:17:56] [SPEAKER_00]: There definitely is not an easy button here.
[00:17:59] [SPEAKER_00]: You will, you will have to climb.
[00:18:01] [SPEAKER_00]: That is for sure.
[00:18:02] [SPEAKER_00]: Right.
[00:18:02] [SPEAKER_00]: So let's go in and talk about option three, which is a software solution.
[00:18:08] [SPEAKER_00]: So like a cloud package, right?
[00:18:11] [SPEAKER_01]: Right.
[00:18:11] [SPEAKER_01]: You're starting to see and people kind of go, well isn't that an enclave?
[00:18:14] [SPEAKER_01]: Well, sort of not really.
[00:18:16] [SPEAKER_01]: There are software packages that say that you can put and I'm going to stay generic.
[00:18:21] [SPEAKER_01]: A lot of you probably have some already coming to the top of your mind that even tout and say,
[00:18:26] [SPEAKER_01]: that they can do this, that they're an all in one type of software solution that can do
[00:18:32] [SPEAKER_01]: everything that you need for your CMMC compliance.
[00:18:35] [SPEAKER_01]: But it's not an enclave.
[00:18:36] [SPEAKER_01]: In other words, there's not a hard border around that system so that when the data goes in,
[00:18:43] [SPEAKER_01]: it's kind of the Roche motel.
[00:18:44] [SPEAKER_01]: It doesn't come out.
[00:18:46] [SPEAKER_01]: So if it's just a software you put on your workstation, the assumption is that that
[00:18:51] [SPEAKER_01]: workstation and whatever computers are going to have that software, there's going to
[00:18:56] [SPEAKER_01]: be some assumptions made about the status of those systems.
[00:19:00] [SPEAKER_01]: Right?
[00:19:01] [SPEAKER_01]: There has to be some type of boundary around those systems when you're using that software.
[00:19:06] [SPEAKER_01]: So while the software vendors may say that this software is solves all your problems,
[00:19:13] [SPEAKER_01]: it doesn't solve the things like the boundaries about the physical boundaries and the barriers
[00:19:17] [SPEAKER_01]: that you have around those systems.
[00:19:19] [SPEAKER_01]: So if you have 50 computers and they're all in some flat network and you've got four computers
[00:19:27] [SPEAKER_01]: and you install that software on all four and everybody can see each other and everybody
[00:19:30] [SPEAKER_01]: can have access to those different systems, doesn't matter that you're putting it in
[00:19:34] [SPEAKER_01]: that software per se.
[00:19:35] [SPEAKER_01]: If that system is accessible by those other computers and that data is somehow put
[00:19:43] [SPEAKER_01]: on there, you've got to really think about how you're doing those boundaries.
[00:19:46] [SPEAKER_01]: You've got to think about how you're handling that and how you're managing that and how you
[00:19:50] [SPEAKER_01]: have the access around those types of things.
[00:19:53] [SPEAKER_01]: Door controls and other types of physical access.
[00:19:56] [SPEAKER_01]: And auditors have different opinions.
[00:19:59] [SPEAKER_01]: This isn't, I would say this is an area that contends, sometimes contends to be a battleground
[00:20:04] [SPEAKER_01]: topic for some assessors that they feel much more aggressive about there has to be
[00:20:11] [SPEAKER_01]: better protections around these types of software solutions than just the software
[00:20:15] [SPEAKER_01]: itself.
[00:20:15] [SPEAKER_01]: If you just roll up to an audit and say, oh, we're using a software package.
[00:20:18] [SPEAKER_01]: We're good to go, right?
[00:20:20] [SPEAKER_01]: I think you're going to be rudely awakened on that.
[00:20:23] [SPEAKER_01]: So you can't just listen to those software packages and just assume that somehow
[00:20:27] [SPEAKER_01]: you're good because you're using those products.
[00:20:30] [SPEAKER_01]: You really do need to again have somebody that knows what they're doing that has
[00:20:34] [SPEAKER_01]: looked at that and it can be part of a solution.
[00:20:38] [SPEAKER_02]: Yeah.
[00:20:38] [SPEAKER_01]: But it won't really be all the solutions.
[00:20:44] [SPEAKER_01]: Yeah.
[00:20:44] [SPEAKER_00]: Yeah.
[00:20:45] [SPEAKER_00]: So you've said a lot of things.
[00:20:47] [SPEAKER_00]: You said the word manage and managing a lot of the time when explaining this one.
[00:20:54] [SPEAKER_00]: And I feel like I just have to ask, is this a recommendation for somebody inside
[00:21:00] [SPEAKER_00]: of the business to be able to manage this route?
[00:21:03] [SPEAKER_00]: Somebody outside of the organization coming in and managing that?
[00:21:07] [SPEAKER_00]: When you're saying that they need to be able to manage that as far as the
[00:21:12] [SPEAKER_00]: cloud services, what does that look like for a company?
[00:21:18] [SPEAKER_01]: Yeah.
[00:21:18] [SPEAKER_01]: Myla's varies greatly here.
[00:21:20] [SPEAKER_01]: I've talked with some potential clients and clients about their posture around
[00:21:25] [SPEAKER_01]: CMMC and they're super knowledgeable and very impressed with their knowledge
[00:21:28] [SPEAKER_01]: and understanding and feel much more confident about various different
[00:21:32] [SPEAKER_01]: options we've already discussed that they could be successful in those
[00:21:34] [SPEAKER_01]: areas.
[00:21:36] [SPEAKER_01]: And then I've seen others that they're like, hey, I just want to focus
[00:21:39] [SPEAKER_01]: on doing ABC.
[00:21:42] [SPEAKER_01]: Which of these can we just kind of pick and get on with our business life
[00:21:45] [SPEAKER_01]: of operating?
[00:21:46] [SPEAKER_01]: Which I understand that too.
[00:21:47] [SPEAKER_01]: I mean, if they've, especially if it's generational, right?
[00:21:51] [SPEAKER_01]: Oh yeah, totally.
[00:21:53] [SPEAKER_01]: You know, I'm the third generation of this manufacturer and I want to make
[00:21:56] [SPEAKER_01]: sure that our products are cranking out and that we're competitive on our
[00:22:00] [SPEAKER_01]: bids and we want to do this.
[00:22:01] [SPEAKER_01]: This thing's driving me crazy.
[00:22:02] [SPEAKER_01]: Can we just make it go away?
[00:22:03] [SPEAKER_01]: Yeah.
[00:22:04] [SPEAKER_01]: You know, you're going to have to change your approach on some of
[00:22:08] [SPEAKER_01]: this and your thinking.
[00:22:09] [SPEAKER_01]: And if that's your kind of your thought, you're going to have to get
[00:22:14] [SPEAKER_01]: somebody embedded in there that is going to be a championing and watching
[00:22:18] [SPEAKER_01]: and guiding that so you can focus on that.
[00:22:20] [SPEAKER_01]: Just putting someone that doesn't have a passion or understanding of
[00:22:24] [SPEAKER_01]: that, your chance of success inside your company just drops
[00:22:27] [SPEAKER_01]: dramatically.
[00:22:28] [SPEAKER_01]: You need to have someone who is keeping an eye on the ball there
[00:22:32] [SPEAKER_01]: for you no matter which of those you pick, whether that is
[00:22:35] [SPEAKER_01]: someone who's qualified and trained inside on staff or someone
[00:22:38] [SPEAKER_01]: that you have outsourced to that are comfortable consulting with
[00:22:43] [SPEAKER_01]: you on a monthly basis, making sure those things are happening
[00:22:45] [SPEAKER_01]: the way you want because someone's going to have to do it.
[00:22:49] [SPEAKER_01]: Someone's not to keep an eye on those things and making sure
[00:22:51] [SPEAKER_01]: that they're functioning the right way.
[00:22:53] [SPEAKER_01]: Even if you pick like an enclave solution that they're doing
[00:22:57] [SPEAKER_01]: 90%, someone needs to make sure that the background checks are
[00:22:59] [SPEAKER_01]: happening, that your policies are being reviewed as your
[00:23:02] [SPEAKER_01]: organization and those types of things.
[00:23:04] [SPEAKER_01]: That stuff has to happen throughout the year and someone needs
[00:23:08] [SPEAKER_01]: to be on charge of that.
[00:23:09] [SPEAKER_01]: And that's where that kind of comes in to making sure you're
[00:23:13] [SPEAKER_01]: staying on top of it.
[00:23:14] [SPEAKER_00]: Yes.
[00:23:15] [SPEAKER_00]: So I think this is a perfect segue to number four, the final
[00:23:19] [SPEAKER_00]: item that we have on this menu, which is MSP engagement
[00:23:23] [SPEAKER_00]: solutions.
[00:23:24] [SPEAKER_00]: So bringing somebody in like that, explain why that's a
[00:23:28] [SPEAKER_00]: little bit different than the rest of these things that
[00:23:31] [SPEAKER_00]: you've already said.
[00:23:32] [SPEAKER_01]: I think that this one also can be very challenging to
[00:23:36] [SPEAKER_01]: implement.
[00:23:36] [SPEAKER_01]: This is obviously the space that we live in, so we're
[00:23:38] [SPEAKER_01]: passionate about it.
[00:23:40] [SPEAKER_01]: But it's also equally concerning and dangerous,
[00:23:44] [SPEAKER_01]: engaging in that capacity if the organization that you
[00:23:48] [SPEAKER_01]: engage with isn't where they need to be for their
[00:23:51] [SPEAKER_01]: CMMC journey.
[00:23:52] [SPEAKER_01]: For example, in the 32 CFR, the proposed rule, which at
[00:23:56] [SPEAKER_01]: the time of this recording has not become final, the way
[00:23:58] [SPEAKER_01]: that it is written, your MSP, if they're providing
[00:24:01] [SPEAKER_01]: technical controls, in other words, your outsourcing
[00:24:03] [SPEAKER_01]: components of your compliance to them, if they have
[00:24:07] [SPEAKER_01]: to make sure that the rights are being assigned, that
[00:24:11] [SPEAKER_01]: they're in your system doing technical controls and
[00:24:15] [SPEAKER_01]: they're going to be responsible for those, they're
[00:24:16] [SPEAKER_01]: going to have to meet the level of requirement for
[00:24:19] [SPEAKER_01]: CMMC that you have.
[00:24:20] [SPEAKER_01]: Absolutely.
[00:24:21] [SPEAKER_01]: So if you have a level two requirement, they're
[00:24:23] [SPEAKER_01]: going to have to have a level two requirement.
[00:24:24] [SPEAKER_01]: And so because of that, that puts a lot of pressure on
[00:24:29] [SPEAKER_01]: the man to service provider to make sure that they
[00:24:31] [SPEAKER_01]: have a level two themselves.
[00:24:33] [SPEAKER_01]: And you as a company cannot go for your certification
[00:24:38] [SPEAKER_01]: until they have it.
[00:24:40] [SPEAKER_01]: And it doesn't have to just be an MSP.
[00:24:42] [SPEAKER_01]: Maybe you're outsourcing your SIM solution to, because
[00:24:45] [SPEAKER_01]: you don't want to have those agents running on
[00:24:48] [SPEAKER_01]: those boxes, that is definitely going to get pulled
[00:24:51] [SPEAKER_01]: in to an audit.
[00:24:53] [SPEAKER_01]: That type of data, at least the way that it's written,
[00:24:55] [SPEAKER_01]: most assessors are interpreting that as a requirement
[00:24:58] [SPEAKER_01]: that they're going to have to have level two.
[00:25:00] [SPEAKER_01]: And what's going on is the certification requirement
[00:25:04] [SPEAKER_01]: hasn't come out, it hasn't been finalized yet,
[00:25:06] [SPEAKER_01]: so you can't turn to that company and say show me
[00:25:08] [SPEAKER_01]: your cert.
[00:25:09] [SPEAKER_02]: Yeah.
[00:25:10] [SPEAKER_01]: Unless they've gone through a joint surveillance
[00:25:13] [SPEAKER_01]: assessment, that's the only exception to that rule.
[00:25:16] [SPEAKER_01]: Those are called JSVAs and there's maybe 50
[00:25:19] [SPEAKER_01]: companies to 60 companies so far that have gone through
[00:25:21] [SPEAKER_01]: that globally.
[00:25:24] [SPEAKER_01]: So not many.
[00:25:26] [SPEAKER_01]: With that being said, you're putting a lot of faith
[00:25:29] [SPEAKER_01]: when you go to partner with a company at this point
[00:25:31] [SPEAKER_01]: that they're serious about when the starter pistol
[00:25:34] [SPEAKER_01]: goes off that they're going to get certified because
[00:25:37] [SPEAKER_01]: if they are sort of not really serious about it,
[00:25:40] [SPEAKER_01]: but they've told you they are and then it comes time,
[00:25:42] [SPEAKER_01]: you're like okay, all right, it's
[00:25:46] [SPEAKER_01]: January, February, March, June, whatever time frame
[00:25:49] [SPEAKER_01]: next year that you want to go for it.
[00:25:51] [SPEAKER_01]: And they're like okay we're ready to go, do you guys
[00:25:53] [SPEAKER_01]: have your cert?
[00:25:53] [SPEAKER_01]: And they're like no.
[00:25:55] [SPEAKER_01]: Yeah, we think November and you're like
[00:25:59] [SPEAKER_01]: our queue is about to run out.
[00:26:02] [SPEAKER_02]: Yeah.
[00:26:03] [SPEAKER_01]: And I can't bid unless I have my certification
[00:26:06] [SPEAKER_01]: and I'm wanting to get certified now.
[00:26:10] [SPEAKER_01]: Yeah.
[00:26:11] [SPEAKER_01]: Or go through that so that when that happens,
[00:26:13] [SPEAKER_01]: my hopper's not going to dry out.
[00:26:16] [SPEAKER_01]: And the reality is if they're like well we're not there yet,
[00:26:19] [SPEAKER_01]: sorry, what do you do at that point?
[00:26:22] [SPEAKER_02]: Yeah, you're stuck.
[00:26:24] [SPEAKER_01]: You're stuck.
[00:26:25] [SPEAKER_01]: So you've got to make sure that whoever your
[00:26:27] [SPEAKER_01]: managed service provider is that it's going to work
[00:26:29] [SPEAKER_01]: with you and getting your system set up
[00:26:32] [SPEAKER_01]: and built and working, they have to be
[00:26:37] [SPEAKER_01]: ready to go.
[00:26:38] [SPEAKER_01]: So you really want to have a good conversation
[00:26:40] [SPEAKER_01]: with them, have some type of contractual agreement
[00:26:44] [SPEAKER_01]: about how that's going to have to be done.
[00:26:47] [SPEAKER_01]: Some type of claw black, whatever that might be,
[00:26:49] [SPEAKER_01]: some type of guarantee, some conversation
[00:26:52] [SPEAKER_01]: that you have with them to make sure that
[00:26:55] [SPEAKER_01]: what they say they're going to do is going to be able to do
[00:26:57] [SPEAKER_01]: because you're going to be depending on them.
[00:26:59] [SPEAKER_02]: Yeah.
[00:26:59] [SPEAKER_01]: And they can't exit stage right
[00:27:03] [SPEAKER_01]: when you need them to be there for you.
[00:27:04] [SPEAKER_01]: That's just a...
[00:27:05] [SPEAKER_00]: Yeah.
[00:27:06] [SPEAKER_00]: So the moral of the story too is I mean they can tell
[00:27:09] [SPEAKER_00]: you everything they want.
[00:27:11] [SPEAKER_00]: It could be the most beautiful MSPU
[00:27:13] [SPEAKER_00]: that we're seeing.
[00:27:15] [SPEAKER_00]: But if they're not going for that certification
[00:27:18] [SPEAKER_00]: in time for what you're looking for,
[00:27:22] [SPEAKER_00]: right, there's still going to be an issue there.
[00:27:25] [SPEAKER_01]: And so that's where you have to be honest
[00:27:27] [SPEAKER_01]: about when you want to be certified.
[00:27:29] [SPEAKER_01]: Right.
[00:27:29] [SPEAKER_01]: You want to think about when you go to engage with them.
[00:27:32] [SPEAKER_03]: Right.
[00:27:32] [SPEAKER_01]: Because if you're like, I want to be in June,
[00:27:36] [SPEAKER_01]: I want to be certified.
[00:27:38] [SPEAKER_01]: Let's say.
[00:27:39] [SPEAKER_01]: We were thinking assessments are probably going to be
[00:27:41] [SPEAKER_01]: firing off in January to February timeframes
[00:27:44] [SPEAKER_01]: when the startup is really going to be able to happen.
[00:27:47] [SPEAKER_02]: Yeah.
[00:27:47] [SPEAKER_01]: So that means that your MSP that you're working with
[00:27:52] [SPEAKER_01]: should pretty much be ready to be audited now.
[00:27:55] [SPEAKER_01]: They're in the final phases of making sure
[00:27:57] [SPEAKER_01]: they're collecting all the data.
[00:27:58] [SPEAKER_01]: So they should be able,
[00:28:00] [SPEAKER_01]: the company that you're picking should be able
[00:28:01] [SPEAKER_01]: to prove that with no problem.
[00:28:04] [SPEAKER_02]: Mm-hmm.
[00:28:04] [SPEAKER_01]: What does that mean?
[00:28:05] [SPEAKER_01]: That means they either have had a gap assessment.
[00:28:08] [SPEAKER_01]: They've been through a JSVA assessment
[00:28:11] [SPEAKER_01]: or you can talk with a C3PO that is who they've partnered with
[00:28:16] [SPEAKER_01]: and you can have a dialogue with that C3PO
[00:28:20] [SPEAKER_01]: that has been helping or working with them
[00:28:22] [SPEAKER_01]: and they can somehow have a conversation with you
[00:28:25] [SPEAKER_01]: to make you feel comfortable that that MSP is ready to go.
[00:28:28] [SPEAKER_01]: Absolutely.
[00:28:28] [SPEAKER_01]: That's the level of like down in the weeds
[00:28:30] [SPEAKER_01]: you need to get before you pick them, in my opinion.
[00:28:33] [SPEAKER_03]: Mm-hmm.
[00:28:33] [SPEAKER_00]: And you know, I'm actually going to link in the description too.
[00:28:39] [SPEAKER_00]: We have questions you can ask your MSP to if you're somebody
[00:28:45] [SPEAKER_00]: who's listening to these things that are like,
[00:28:47] [SPEAKER_00]: I'm just trying my best to keep my company doing
[00:28:50] [SPEAKER_00]: what my company does and make my business happen,
[00:28:55] [SPEAKER_00]: which we completely understand and we feel for you
[00:28:58] [SPEAKER_00]: and we're here for you
[00:28:59] [SPEAKER_00]: and we want you to have a successful experience, right?
[00:29:04] [SPEAKER_00]: So we put together this question so you can ask just a few questions
[00:29:09] [SPEAKER_00]: that you can just bring to your MSP
[00:29:12] [SPEAKER_00]: or your potential MSP that you may be doing business with
[00:29:15] [SPEAKER_00]: to make sure that they are taking this as serious
[00:29:19] [SPEAKER_00]: as you want them to and as you are.
[00:29:23] [SPEAKER_00]: And so we can link that in the description as well
[00:29:26] [SPEAKER_00]: so they can check that out.
[00:29:27] [SPEAKER_01]: And obviously I'm more passionate because that's the area that we live in.
[00:29:30] [SPEAKER_01]: I think you have a lot of flexibility
[00:29:32] [SPEAKER_01]: if you pick the right MSP in that space to do some great things.
[00:29:37] [SPEAKER_01]: They also take care of that burden of knowledge
[00:29:39] [SPEAKER_01]: if you pick the right one and they've understood that
[00:29:41] [SPEAKER_01]: and you're able to lead on them if you pick the right MSP
[00:29:44] [SPEAKER_01]: and there's some that I know in this space
[00:29:47] [SPEAKER_01]: that are solid that I would trust
[00:29:49] [SPEAKER_01]: and I think they're really good doing it right.
[00:29:51] [SPEAKER_01]: I include ourselves in that obviously,
[00:29:53] [SPEAKER_01]: but you know it like there are those that are out there.
[00:29:57] [SPEAKER_01]: That you can talk with that I think are doing a great job
[00:30:01] [SPEAKER_01]: and have been able to prove that they've been able to do a good job.
[00:30:04] [SPEAKER_01]: Absolutely.
[00:30:05] [SPEAKER_01]: And that's the point that I'm trying to make
[00:30:06] [SPEAKER_01]: and I think that it also solves a lot of those challenges that you have.
[00:30:10] [SPEAKER_01]: So my preference is obviously option four,
[00:30:12] [SPEAKER_01]: but you have that immense challenge of finding the right MSP
[00:30:16] [SPEAKER_01]: and I just want to caution you about this last piece.
[00:30:20] [SPEAKER_01]: You want to engage with them now.
[00:30:22] [SPEAKER_01]: Even if you don't engage with them at a CMMC level,
[00:30:25] [SPEAKER_01]: if you can get in the door with a good MSP
[00:30:26] [SPEAKER_01]: that you feel like they're doing it and they can prove it,
[00:30:30] [SPEAKER_01]: just having that relationship with them
[00:30:33] [SPEAKER_01]: when this stuff starts heating up the moment
[00:30:35] [SPEAKER_01]: that 32 CFR drops and becomes a finalized rule
[00:30:38] [SPEAKER_01]: and assessments start happening.
[00:30:40] [SPEAKER_01]: You're going to see a tremendous amount of pressure start getting applied
[00:30:43] [SPEAKER_01]: and these organizations that have been doing the work
[00:30:46] [SPEAKER_01]: and are ready to support those people,
[00:30:48] [SPEAKER_01]: they're probably going to get overrun with needs and support
[00:30:52] [SPEAKER_01]: and if you're part of the crowd that's running to the exit
[00:30:55] [SPEAKER_01]: when someone screams fire in the building,
[00:30:58] [SPEAKER_01]: it's not going to go well for you about trying to get at that.
[00:31:01] [SPEAKER_01]: So get that relationship with them now.
[00:31:04] [SPEAKER_01]: Go ahead and start engaging with them now,
[00:31:05] [SPEAKER_01]: even if it's not at a CMMC level.
[00:31:08] [SPEAKER_01]: If you've got that relationship, there's a greater chance
[00:31:09] [SPEAKER_01]: that they're going to be able to work you in
[00:31:11] [SPEAKER_01]: if you already have some type of contractual agreement with them now
[00:31:15] [SPEAKER_01]: versus just trying to start fresh
[00:31:17] [SPEAKER_01]: and they haven't even really heard with you
[00:31:19] [SPEAKER_01]: and maybe you might even had given them a look
[00:31:23] [SPEAKER_01]: and you've got a quote from them
[00:31:25] [SPEAKER_01]: and now it's November of next year
[00:31:28] [SPEAKER_01]: and you're like, I think we're ready to go.
[00:31:30] [SPEAKER_01]: You can get it for us in eight months.
[00:31:31] [SPEAKER_01]: Their answer might be, it's now 16 months.
[00:31:34] [SPEAKER_02]: It was eight.
[00:31:36] [SPEAKER_01]: And you're like, well that blows out my timeline.
[00:31:39] [SPEAKER_01]: That's where you really have to start thinking about
[00:31:41] [SPEAKER_01]: what your goals and times and when you want to get certified
[00:31:44] [SPEAKER_01]: because let's focus here people.
[00:31:47] [SPEAKER_01]: Let's put our seat and trays to the full upright position
[00:31:49] [SPEAKER_01]: because you might go to Sam.gov
[00:31:51] [SPEAKER_01]: and you might do a search and you're like, well
[00:31:54] [SPEAKER_01]: only 30% of the contracts that I'm seeing
[00:31:58] [SPEAKER_01]: have this DeFar requirement.
[00:32:01] [SPEAKER_01]: So I should be able to play in this other area
[00:32:03] [SPEAKER_01]: and be able to dodge that DeFars requirement
[00:32:07] [SPEAKER_01]: and I think that might work for some companies
[00:32:13] [SPEAKER_01]: if they can try to pick the contract smartly.
[00:32:15] [SPEAKER_01]: They might be able to push the line out for them
[00:32:18] [SPEAKER_01]: of having to have this requirement
[00:32:21] [SPEAKER_01]: but that means you probably aren't going to have to
[00:32:24] [SPEAKER_01]: that means you probably aren't going to be allowed
[00:32:25] [SPEAKER_01]: to do anything on bases.
[00:32:28] [SPEAKER_01]: Bases are military bases.
[00:32:29] [SPEAKER_01]: They have all time, just like if you have a ice maker
[00:32:33] [SPEAKER_01]: or you might do coffee supplies
[00:32:35] [SPEAKER_01]: they give you a map to where those coffee makers are
[00:32:39] [SPEAKER_01]: on the military base.
[00:32:41] [SPEAKER_01]: A lot of times would be considered controlled
[00:32:43] [SPEAKER_01]: unclassified information.
[00:32:44] [SPEAKER_01]: You're not even, you know, just the fact that they gave you
[00:32:47] [SPEAKER_01]: then you can't bid on that, right?
[00:32:49] [SPEAKER_01]: So you've got to start thinking about
[00:32:50] [SPEAKER_01]: the types of contracts that you have,
[00:32:53] [SPEAKER_01]: how they are so
[00:32:55] [SPEAKER_01]: look at Sam.gov, start doing the searches,
[00:32:57] [SPEAKER_01]: start trying to get a better understanding
[00:32:59] [SPEAKER_01]: of the, you know, 7,000 8,000 70,000 12
[00:33:03] [SPEAKER_01]: those types of DeFar requirements
[00:33:05] [SPEAKER_01]: that are falling in your contracts
[00:33:07] [SPEAKER_01]: that you might have
[00:33:09] [SPEAKER_01]: and do a search and try to have a better idea
[00:33:12] [SPEAKER_01]: of that because keep in mind
[00:33:14] [SPEAKER_01]: the FAR clause that's going to come in
[00:33:16] [SPEAKER_01]: that's going to hit all government bodies
[00:33:19] [SPEAKER_01]: is just around the corner.
[00:33:21] [SPEAKER_01]: This year it's going to drop
[00:33:22] [SPEAKER_01]: and I can't imagine that they're not going to have
[00:33:25] [SPEAKER_01]: at least the 800-171
[00:33:28] [SPEAKER_01]: NIST requirements supplied.
[00:33:30] [SPEAKER_01]: They may not require you to be audited
[00:33:33] [SPEAKER_01]: but I can't imagine they would not have
[00:33:37] [SPEAKER_01]: the requirements that those,
[00:33:39] [SPEAKER_01]: that framework is not applied.
[00:33:43] [SPEAKER_01]: So they might make you sign an agreement
[00:33:46] [SPEAKER_01]: and you peek, you promise
[00:33:47] [SPEAKER_01]: and then if they audit you and you don't pass
[00:33:50] [SPEAKER_01]: are they nice about it
[00:33:52] [SPEAKER_01]: or are we talking false claims here?
[00:33:54] [SPEAKER_01]: Who knows how that's going to play out?
[00:33:57] [SPEAKER_01]: So you know, you might be thinking to yourself
[00:33:59] [SPEAKER_01]: well I'll just avoid the DOD
[00:34:01] [SPEAKER_01]: and I can start doing work with other governments
[00:34:04] [SPEAKER_01]: there isn't going to be
[00:34:06] [SPEAKER_01]: eventually in the next year or so
[00:34:07] [SPEAKER_01]: there isn't going to be a place that you can hide
[00:34:09] [SPEAKER_01]: that you're not going to be exposed to this.
[00:34:11] [SPEAKER_01]: Now it doesn't mean you can't pick contracts
[00:34:12] [SPEAKER_01]: that don't have those clauses
[00:34:14] [SPEAKER_01]: but I think over time
[00:34:15] [SPEAKER_01]: that pool of options is just going to shrink
[00:34:17] [SPEAKER_01]: and shrink and shrink
[00:34:18] [SPEAKER_01]: and it's going to be harder and harder for you
[00:34:19] [SPEAKER_01]: to be able to grab contracts without being required
[00:34:23] [SPEAKER_01]: to do that.
[00:34:24] [SPEAKER_01]: And subcontractors, if you're a subcontractor
[00:34:27] [SPEAKER_01]: the primes and subprimes
[00:34:28] [SPEAKER_01]: probably aren't going to play around
[00:34:30] [SPEAKER_01]: because they just like
[00:34:31] [SPEAKER_01]: I don't want to have to deal with this
[00:34:32] [SPEAKER_01]: either get the cert or don't
[00:34:34] [SPEAKER_01]: and we don't want to talk to you if you do.
[00:34:35] [SPEAKER_02]: Yeah.
[00:34:36] [SPEAKER_01]: If you don't have it
[00:34:36] [SPEAKER_01]: I could see that starting to play out
[00:34:39] [SPEAKER_01]: so really be thinking about that
[00:34:41] [SPEAKER_01]: because the time is nigh.
[00:34:44] [SPEAKER_00]: Yeah, absolutely.
[00:34:46] [SPEAKER_00]: This is the reason why we made this list
[00:34:48] [SPEAKER_00]: it's for those people that are getting into
[00:34:51] [SPEAKER_00]: the space that don't know where to start
[00:34:52] [SPEAKER_00]: they don't know where to go
[00:34:54] [SPEAKER_00]: what's best for their business
[00:34:55] [SPEAKER_00]: we can tell you guys what we recommend
[00:34:58] [SPEAKER_00]: but you know your business better than we do
[00:35:02] [SPEAKER_00]: so that's why we wanted to create this menu of options
[00:35:06] [SPEAKER_00]: right is you can look at this
[00:35:09] [SPEAKER_00]: and know your company
[00:35:11] [SPEAKER_00]: what are you good at?
[00:35:14] [SPEAKER_00]: Where are you not good at?
[00:35:15] [SPEAKER_00]: Do you want this in a box method?
[00:35:17] [SPEAKER_00]: Do you want somebody to come alongside you?
[00:35:19] [SPEAKER_00]: You know, you can look at these options
[00:35:21] [SPEAKER_00]: and decide for yourself.
[00:35:23] [SPEAKER_00]: So I hope that you guys enjoyed this episode
[00:35:25] [SPEAKER_00]: and maybe it helped relieve just a little bit
[00:35:27] [SPEAKER_00]: of pressure off your shoulders
[00:35:29] [SPEAKER_00]: when listening to this
[00:35:30] [SPEAKER_00]: also if you're somebody that's already in the space
[00:35:33] [SPEAKER_00]: to kind of get some perspectives on how other people
[00:35:36] [SPEAKER_00]: are doing it or what we've found so far
[00:35:38] [SPEAKER_00]: of course, you know again I have to say this
[00:35:41] [SPEAKER_00]: we're not claiming CMMC Jesus
[00:35:43] [SPEAKER_00]: so this may not be the only menu that we make
[00:35:46] [SPEAKER_00]: and we might make another menu next month
[00:35:48] [SPEAKER_00]: you know what I mean?
[00:35:50] [SPEAKER_01]: Knowing how this place is.
[00:35:51] [SPEAKER_01]: And this has also helped for like
[00:35:52] [SPEAKER_01]: for MSPs like us that are maybe stepping in the space
[00:35:55] [SPEAKER_01]: trying to figure out
[00:35:55] [SPEAKER_01]: what type of offering they want to provide
[00:35:57] [SPEAKER_01]: totally.
[00:35:58] [SPEAKER_01]: Those are different ways of looking at it too.
[00:36:01] [SPEAKER_00]: Yeah, absolutely.
[00:36:02] [SPEAKER_00]: Well thank you Bobby for sharing your perspective on this
[00:36:05] [SPEAKER_00]: and guys if you have any questions,
[00:36:08] [SPEAKER_00]: comments, concerns, anything like that
[00:36:10] [SPEAKER_00]: please feel free to reach out to us
[00:36:12] [SPEAKER_00]: we'd love to talk with you, chat with you
[00:36:14] [SPEAKER_00]: come up with some new video ideas for you guys
[00:36:16] [SPEAKER_00]: so thank you all so much for watching this episode
[00:36:19] [SPEAKER_00]: and just remember keep on climbing.
[00:36:21] [SPEAKER_00]: Bye guys.
[00:36:22] [SPEAKER_00]: Make sure to follow us on LinkedIn and YouTube
[00:36:24] [SPEAKER_00]: to stay up to date on the latest CMMC news.
[00:36:27] [SPEAKER_00]: We hope you guys enjoyed today's episode
[00:36:30] [SPEAKER_00]: and listen out for the next one
[00:36:31] [SPEAKER_00]: but until then keep on climbing.