In this conversation, Bobby Guerra and Ryan Bonner discuss the evolving landscape of the CMMC ecosystem, focusing on the implications of a recent memo from the DOD. They explore the roles of program managers, the importance of understanding CUI, and the challenges faced by contractors and MSPs in achieving compliance. The discussion emphasizes the need for proactive strategies and the potential impact of these changes on the defense industrial base.
Ryan's CS2 Session: https://www.youtube.com/watch?v=IEy-TkmKMt8
Ryan's LinkedIn: https://www.linkedin.com/in/rybonner/
Key Takeaways:
- The recent DOD memo clarifies requirements for CMMC compliance.
- Program managers play a crucial role in determining CMMC levels for contracts.
- Understanding CUI is essential for contractors to navigate compliance.
- Subcontractors need to be proactive in understanding their CUI obligations.
- MSPs must prepare for increased demand for CMMC compliance services.
- The defense industrial base will see consolidation as a result of CMMC requirements.
- Organizations that adapt to CMMC will have a competitive advantage.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Well hello Climbers and we're at it again and we're joined today with Ryan Bonner. So Ryan, thank you so much for joining us. I'm excited to be here. Always enjoy a chance to talk with you and your team.
[00:00:23] I appreciate it. Yeah, let's talk about the CMMC ecosystem and the memo that came out from the DOD that kind of created more definition around what would be qualified as a level one assessment situation, what would be a level two self-assessment and what would actually require a third party assessment. This memo outlined what kind of data would fall in those buckets and those types of situations.
[00:00:49] It gave some guidance to the program managers and I have been hoping and praying that the rollout would play almost like a more casual approach to the exit versus someone in the theater screaming fire, you know, and everybody just runs and it just starts. And I'm not sure how that's going to play out. You know, I guess time will tell, but I'm just curious, how do you see that memo impacting the market rollout right now?
[00:01:20] Yeah, I think there's going to be the parts of that memo that people pay attention to and then maybe the elements of it where they don't and they should. So I think what most people are going to orient around is the requirements being clarified for program managers within the DOD that, you know,
[00:01:42] basically if they are going to include or involve certain kinds of CUI in an upcoming contract or solicitation, that they need to push for formal certification sooner, right at the beginning of the phase two rollout. And that will be something that I think causes a lot of discussion with very good reason. And we'll talk about that maybe here.
[00:02:09] I think a lot of people will also spend a little more time than they need to looking at like the last section of that memo talking about the waiver process. Because you'll think that they are somehow invited into that process. Right. Yeah. And that might not be that might not be accurate. I really think, though, that's that some of the things people aren't going to pay attention to.
[00:02:37] Are going to be who this memo is directed towards, which is program managers. Like we have to keep in mind that those kinds of decisions on what level of of CMMC to require are happening at a program level before you get down into acquisition activities where contracting officers become involved. Yeah, let's let's drive in that a little more. But I also I know some people are thinking, wait a minute.
[00:03:04] This doesn't necessarily impact the primes specifically about how they're going to operate. We're going to talk about that a little bit later. But let's drive into that more. Let's let's dip into that, because we had talked before the recording that I listened to Stacey Bestonic. I'm probably slaughtering her last name. I apologize, Stacey, if I did. I did a Jacob Hills recording that he did, and I was like listening to it almost like it's Alan Greenspan talking about, you know, market or, you know, market pieces. I'm like, OK, what does she mean here? What is it?
[00:03:34] And she alluded to this memo coming out in that recording. If you haven't listened to Jacob Hills recording when he talked with her so much great history about how things happened. It was just it was great listening to her kind of talk about it. But she talked in that interview about the PM process and about how this memo is going to do that. She talked very pointedly about some of those things. Can you can you can you dive into that more?
[00:03:58] Yeah, I mean, when you think about the role that a program manager plays in relation to people doing defense contracting, you know, there could be multiple contracting activities or or things of that nature delineating from one program.
[00:04:14] So like you could be rolling up multiple solicitations and multiple awards underneath the program that is actually asking an acquisition commander, contracting officers to go buy things or or make things happen. And so it's it's a smaller set of decisions.
[00:04:33] Right. Your contracting officers not going to be making gut call decisions on CMMC levels, even though the clause language that's proposed tells them to effectively write in the requirement. That requirement is going to be handed to them by the program manager and they're going to copy paste. So so let's you know, not all of the people that are listening to our podcast really have have lived and immersed themselves in sort of what that process looks like.
[00:05:00] Can you sort of back up at a satellite view and say, OK, you know, this is how an organization would get pulled into a DFAR. This is how they would bid on the contract. They go to sam.gov or can you walk through just high level and then and kind of bring the memo into into like focus in that process?
[00:05:19] Sure. By the time you're looking at a potential contract opportunity or solicitation on something like sam.gov, you're effectively dealing with someone's acquisition command who's actually, you know, act the contracting officers have already created that solicitation and things like that. So you're several layers removed from the launch of a program or an operation that that actually necessitated that that opportunity.
[00:05:45] So if if you're thinking about that, imagine program managers as professionals within DOD who are thinking much more about programmatic challenges like I'm the program manager for the XM30. You know, I'm the program manager for the F-35. The list goes on. You know, I'm the program manager for this particular military base or whatever it might be.
[00:06:13] And so they're they're very focused on operating these programs. And there's a lot of elements to program management that are unrelated to just what you need to buy in order to be able to run that program. So most organizations are going to interact with agencies at an acquisition level. What do you need for me? What can I do for you?
[00:06:39] Is there something here that represents an opportunity that I can bid on based on what I'm able to do out in the private sector? And so it's at the program level that you're going to have a lot of like risk decisions being made and impact levels being assigned. And, you know, sort of these these determination calls on like, am I just a CMMC level two program or do I need to elevate to level three?
[00:07:05] We're having potential clients reach out to us and they're talking about what they're seeing in. They're getting kind of warning shots from declarations of how some of these might go. Can you walk us through a little bit about what that looks like and how you're seeing that play out right now?
[00:07:25] Yeah, I mean, we see a lot of the of the sources where defense contractors are going to get their work, whether it's, you know, directly from an agency or often a prime contractor who is in between you and the agency. You know, there's different levels of awareness inside of these different customers that you might be working with.
[00:07:52] There's different levels of, I guess you could say granularity when you're working with someone who is sort of the top level management for an individual award inside of, let's say, a prime contractor. Things are a lot more clear cut, right, that that prime contractor probably has a lot of good operating information about what they're going to have you do.
[00:08:21] Whereas a lot of organizations are interacting with a buyer, right? This is not that high level individual. This is someone down in procurement who's like boss says I need one hundred and forty six pieces of this part. What is your price? I just need a quote and people are trying to interface with them by just reading boilerplate text or flow down clauses or things like that.
[00:08:48] This is your at risk population in the defense industrial base because they are not going to have access to information about what's coming on on future solicitations and awards. Until it's effectively too late. The buyers like, oh, by the way, I have to flow you this clause. Like there's not going to be much of an early warning system.
[00:09:11] And so depending on how elevated or vertically integrated your contracting organization is or, you know, you as a contractor with these customers. You know, you might not have very much time to react to the inclusion of a certification requirement. So, Ryan, so given the fact that people are looking at this elephant from different perspectives, they're seeing and have access to different kinds of information.
[00:09:38] Like, how's this going to impact the ecosystem rollout when it comes to this memo and just the rollout of it? Yeah. So the way that I see this recent memo really having an impact that you need to respond to and plan for now is that the memo added an additional clarification for these program managers,
[00:10:01] basically saying if your program tends to generate controlled classified information that within the context of the larger CUI registry comes from a subset list inside of that registry called an index grouping.
[00:10:18] So if your CUI comes from the defense index grouping, which is sort of some of the more potent data that exists out there from within the defense industrial base, then you as a program manager don't have a choice on that phase two rollout decision where you could have previously picked between self-certification being allowed for your contractors on that program or formal certification.
[00:10:48] The decision is made for you. Right. It's a formal certification. It's not subjective but prescriptive at this point because of the memo. Yeah. So instead of an opt-in, opt-out sort of individual program level decision, that's off the board. You need to behave a certain way. You need to specify a certain type of level two certification. So when we think about the knowledge gap or the disparity that contractors have as it's filtered to them through multiple layers,
[00:11:15] you might not learn about that program level determination through your prime or these other levels because, you know, that information isn't finding its way down into these lower levels of procurement. But one thing's for sure that the primes are not under-informed on this challenge, right?
[00:11:37] If they know that even some of their upcoming program level awards are going to specify formal certification at level two, one year after the rollout of the CMMC contract clause, they are going to benchmark their entire supply chain approach on that high benchmark. Like they're going to say it's certification or bust.
[00:12:01] Maybe there's a step-down process for certain areas that they've discovered don't handle that kind of data. But I mean, like we have to be honest about how profuse those CUI data types, particularly controlled technical information is in the defense industrial base. If you handle technical data, if you're a manufacturer, like you're handling controlled technical information. Like that's going to be the CUI type that you handle.
[00:12:28] So you can predict that you will need a formal cert before you get the call from your buyer. Like you already know that. So in those situations, let's say you're a client that you had 7012 in your DFARS contracts because they were slapping in on everything.
[00:12:51] But you don't perceive based on your limited understanding that you think that you are currently receiving CUI. How do you see this memo in, let's pretend, two possible clients, right? So client A is they do prime type work themselves. They're just going to SAM.gov and they're picking stuff. And then you have the second person who's the sub.
[00:13:16] How do you see this market rollout sort of looking in those situations where they clearly had the 7012 requirements and what was flowing down to them, but they feel somewhat confident they don't have it? Like are they just kind of waiting and get punched or not? Or like how can they go on the offensive about trying to find the answers around this kind of stuff? Yeah. I mean, I want to start by answering that with kind of like a strategic insight. Okay. Insight. Okay.
[00:13:43] If you're a subcontractor and you already know that you have limited visibility into what's coming on future awards from certain customers of yours, you're probably working for more than one customer. And it's unclear how much of the information that you receive qualifies as CUI. You've got to ask yourself, which is the easier resource to go get?
[00:14:10] An environment that is capable of safeguarding CUI based on that eventuality or developing the precision experience required to know if you're receiving CUI to better identify exactly contract by contract by contract, whether you have a safeguarding obligation. So kind of the only offensive to defend yourself that you don't have it or, or build one with
[00:14:40] the assumption you're going to get it. Is that, am I kind of boiling that down to? Exactly. And, and that, that kind of harms me to say that because like my team does a lot of work helping organizations identify what information qualifies as CUI or even like how to take a CUI mark document and decontrol data elements of it, things like that. I would rather go into organizations who have some ability to safeguard CUI today.
[00:15:10] And from that position of privilege, then work on shrinking the scope or better decontrolling certain systems or supplier relationships because I know I have a protected flank. And, and I do think that there are certainly more service providers out in the world who are able to help you build a safeguarding environment than there are CUI weirdos like my team. That is so true.
[00:15:39] I mean, there's not a lot of implementers, but I think there's a lot less of people like you and, you know, Bailey, we had her on and she was amazing talking about EAR and ITAR and you guys collaborate on different projects, but that is so special. Not a lot of people do that. And, and I think, why is that? Why is that so mysterious for most people?
[00:16:03] Well, I think one of the reasons is that we mostly get to learn about controlled classified information through really inefficient methods. Like, you know, the, the, the government loves to do this thing where they're like, I posted it on a website 42 years ago. What's the problem? You know, you, you, you had your chance to, to be, you know, get educated. Right. And, uh, you know, in, in, in a distraction economy, that's, that's really unfair.
[00:16:33] And so then if you do incidentally stumble upon something like the CUI registry, it's, it's not well organized or laid out or intuitive. And so you might, you know, visit that website and still not get the information you need. Uh, the, the reality is in order to truly understand even a single category of CUI, you have to drill
[00:16:58] down into one or more laws or regulations and consume those documents just to even know which way is up. And so when you get into these conversations, the minimum body of knowledge you need to have digested to be able, even be able to open your mouth on the topic of CUI is, is a built in delay fuse to being able to act.
[00:17:25] And so like, I don't want to paint a picture that these topics are unapproachable, right? But they are irreducible. Like you have to spend a minimum amount of time. They're unapproachable. I would consider them unapproachable adjacent. I mean, they're freaking tough. Uh, and your CS2 and Kaleigh, maybe you could put something down here around or post, but your CS2 presentation where you went through CUI and identifying it and you sort of went through
[00:17:54] and explained a little bit more of the mystery of like, okay, you go into the NARA website that you can go in here and you say, okay, well, it's CTI. So now it's taking me to 7012. So now I can read some more information about how CTI is defined in 7012. And then you look at some other things and it starts to demystify it. I still, let's double back to that other avatar situation that we talked about where they're doing the prime engagement.
[00:18:22] Now they're not having to deal with primes and they're kind of like just slap whatever on it approach on some of that. Are they still going to be able to slow roll it? Like they said, now that the memo's come out and, and how's that going to impact someone that's actually just doing a prime engagement? Yeah. Yeah. So when you think about like working directly with a prime, particularly not like, you know, three levels down buyer, but maybe somebody who is at a higher level who truly needs to
[00:18:51] confirm that your capabilities will allow them to perform on a much larger opportunity. You know, you have that vertical integration. And the, the improvement there is that you're going to see the punch coming, uh, and decide, you know, what to do about that before it lands. It's not that you're going to somehow be absolved of these requirements. It's that you just might have more of an early warning system.
[00:19:18] And so, you know, from that perspective, it's like, uh, you know, the difference between having your door knocked in and having your attorney say like, Hey, just so you know, you're going to be arrested on Tuesday. It's, it's, it's still an imminent event for you that you need to decide what you're going to do to respond to that. And so from that perspective, you know, the, the, the timelines we're talking about here,
[00:19:47] which is a year after the DFARS clause goes into effect. I mean, that's still not a lot of time. So, you know, my thought process is that if you do have a vertically integrated relationship with a prime, you know, this is coming like you're, you're not harming your situation by
[00:20:12] reaching out to that prime and saying, Hey, we both know CMMC level two is in our future. Um, what, what do you want to see from me as an assurance that I am committed to playing in this space? I'm not going to exit the DIB because it got too hard. I am making progress towards this. What, what do you want to see from me?
[00:20:37] And in those situations we've seen subcontractors get, you know, information back from their prime saying, Hey, listen, okay. If your SPRS score can be here or higher, you're still in the fight. Like I'm not, I'm not writing you off. And if you can get from here to here from a score perspective, uh, in this period of time, uh, you know, I'm, I'm going to find a way to make this work, uh, so on and so forth.
[00:21:06] And, and so I think that's where you have to educate up, drive awareness, be front of mind with that prime and say like, you know, we're not going to crumble like a house of cards when we get our first 7021 flow down. Right. We, we are trying to, to make this happen. Right. So do you see that they're going to still be able to stick to their guns, doing a phased
[00:21:31] rollout and having that type of CUI that will afford them the self-assessment of a level two, or do you see that they kind of, kind of the DOD felt like they painted themselves in the corner and they're just going to go for it and start rolling out, uh, more third party requirements than what you might've anticipated in June. Yeah. Yeah. I think you have to filter some of this through the DOD's perspective on this, which is, you
[00:21:56] know, we, we basically put out our very first, uh, you know, what does the industry think, uh, you know, effort in roughly 2011, when we started proposing the DFAR 7012 clause in its sort of nascent state. And no one seems to mind back then when we said, we're going to require more safeguarding from you. Right.
[00:22:20] So now 14 years later, because of the way that agencies think the, the industry operates and maybe how they, they feel you should have been paying attention, you know, my God, you've had 14 years of effectively warning after warning.
[00:22:42] Uh, there's not a lot of mercy left on, on, on the behalf of the DOD that, that doesn't correctly characterize what it's like to be a contractor, but that's the perspective that you will be up against. Right. And so, you know, all, all the tea leaves are indicating that this, this is going to be disruptive. Um, so just keep that in mind.
[00:23:10] However, if, if you are in that, that situation you described where you are a small business who functions as a prime, I mean, there, there won't be any trickle down method before these requirements reach you. You'll be the first party to receive that 7021 clause. So it will actually accelerate your timelines compared to maybe some of your subcontractors who might be performing on an old contract that didn't have an opportunity to have 7021
[00:23:39] included. So from that perspective, you'll be one of the first, uh, in line to, to have one of these, these certifications. Uh, so that, that, that's an accelerated timeline for those, those organizations. Um, you know, I think there's a lot of opportunity there as well. If you can find a way to get your level two formal certification in time for that to happen, what does that do for you?
[00:24:06] You have a high level of visibility to a contracting officer. You're receiving a direct award. They know what your capabilities are. They have your past performance on file. They can do a contractor evaluation of you in SPRS. Uh, if the other people who are in your adjacent field don't have that cert, did I just become a sole supplier? Right.
[00:24:31] I was listening to, uh, this Navy SEAL, I think his name's Jocko, um, was talking about how everybody gets so fascinated about BUD/S and kind of like the, how hard it is. And he's like, when we get together SEALs, we don't talk about BUD/S. We talk about missions that we can't talk about except our peers that are way more complicated, difficult and risky and life threatening. Like we're like BUD/S is in our rear view mirror. Like that is, that is something that other people talk about, not us.
[00:24:59] Um, and I thought that was really insightful and interesting. And I, and the way that I relate that to is like, everybody's focusing on, do I have to get it? But like, what does your business look like when you get it? Like, what does it look like when you have to actually implement and work and function on a daily basis in that environment? How do you operate? Um, and I think the organizations that have been really focusing more on how do I capitalize on this as an opportunity to move forward with it and integrate it into our processes and
[00:25:26] the systems, I think are going to fare a lot better versus the kicking and screaming methodology talking about, you know, the training camp versus, uh, you know, let's talk about the next missions that we need to go accomplish. Um, and I think that perspective is really important for people trying to implement it. Yeah, I think, you know, some of the ideologies that came out of like lean and agile development, you know, in, in the early two thousands, I think point us towards what it looks like to
[00:25:53] be a company who's particularly good at data management and data security. Uh, what, one of the quotes that I remember was from, uh, a bank who, uh, adopted, you know, agile development practices for their technologies, for their banking systems. And they said, we're not a bank or a technology company who happens to have a banking license. Right. Yeah.
[00:26:20] And it's that, it's that shift in what am I choosing to be good at? Right. These kinds of requirements reveal the need for businesses of all sizes to have a robust data management capability. And over time it, it, it almost becomes like a revised statement of who you are as a company, not your missions or your values. Although those can be affected.
[00:26:46] Uh, it's almost like starting to say, I'm a trusted steward of other organizations data that as a result of that allows me to be dot, dot, dot, whatever NAICS code you were before we started on this process, you know, allows me to be an aerospace manufacturer, allows me to be a non-destructive testing lab, allows me to be X, Y, Z. Right.
[00:27:12] Um, and that's, that's the, the paradigm shift that a lot of businesses are going through that like my team personally is going through, uh, you know, as we dog food, a lot of these things that, that we care about, um, you know, you, you find yourself slowing down, structuring things, developing better processes and practices around that to the point where, uh, there's
[00:27:39] less volatility in your day-to-day business operations. And there's more standard work. There's less novel one-offs. You're far more proactive. You don't have to be as reactive. Like your cortisol levels start to drop because you've built out this framework for how to go through your day that is knowable and that you can, you can live inside of.
[00:28:09] And, uh, I'd be lying if I said, we have all of that figured out yet. We're always learning lessons on that topic, but you, you will not be the same organization when, when you're done with an effort like this. Now, as an MSP, and we've gone through this ourselves, that change, like you're talking about, we're a different company because of the fact that we had to get ready and get our level two certification. Um, that was no easy task for us.
[00:28:36] We basically had to build a company inside our company to go through, to have a scope, to get assessed and go through that process. And, uh, we did it twice. You know, we did our self-assessment or mock assessment through the C3PAO that once it became live, we had them reassess this over again because we wanted to know what our bearing was on where we were at. Um, and it provided valuable insight for us, but it was really, really hard.
[00:28:59] Um, for MSPs in this market that are looking down the barrel of this rollout and they, let's just, let's just kind of say that they understand, uh, some of the requirements around CMMC, but they haven't had much traction and they are having clients come to them with these challenges. What would you say and recommend to them now that there's even more clarity starting to come out, especially with the memo? Yeah.
[00:29:31] When, when you're an MSP, like we talked earlier about like an information gap, not having enough warning or notice that these requirements are going to apply to you. The same is true for MSPs, but you're even one layer removed from there, right? You won't know that an existing portfolio client of yours or a potential prospect needs CMMC level two until they tell you.
[00:29:59] And they won't tell you until either they find out or they found out six months ago and they finally decided it's unavoidable. So from that perspective, yeah, I mean, you, you have to, I, this might be a little edgy, but as an MSP, you build it and they will come right. I mean, you, you need to have at least a partial answer to your client's problems or an ability
[00:30:27] to say, I can solve for X amount of the model today and we're working towards the rest, some sort of runway. Uh, or you're already too far behind by the time your client tells you they need it. And what you're going to find with MSPs is that these clients who you don't see as a defense contractor, because they're just a consulting firm. They're just a professional services company. They're just an HR processor there.
[00:30:57] They are just dot, dot, dot. You don't know that they also happen to do defense contracting. Also, in addition to, you know, the other work that they do commercially. And so they're going to activate like sleeper cells inside of, you know, your, your client portfolio and you're, it's going to be another one, another one, another one. Right. And yeah, that that's, that's a real wake up call for a lot of MSPs that we're seeing now. Yeah.
[00:31:26] I love the analogy sleeper cells because, um, I, you know, you're one of the few individuals that do a lot of consulting that I've seen go to MSP based conferences. Not a lot of people do that. And I appreciate the fact that you're there and speaking out. And if you're an MSP and you're at a conference and Ryan's there, do not let him leave the building without having at least some type of CMMC conversation because the dude knows his stuff. So if you know, pay attention, if you are talk to him.
[00:31:53] Uh, but one of the things that I have seen is the lack of understanding of that sleeper cell mentality that's going to pop up. And just sharing from my perspective, uh, we worked on our CMMC journey for two and a half years of which part of the challenge that we had was understanding the requirements well enough to accurately implement it efficiently. Right. So it's sort of like, I want to become a doctor. Well, how do I become a doctor before I can become a doctor? So like we had to go through this preamble process.
[00:32:22] But if you have all the magical understanding of what you need to do as an MSP to become ready to receive clients for CMMC, it was like eight months to a year just for us to be ready so that we could then appropriately start to be getting supporting clients. And if you think about the fact, if they like sleeper cell you and they're like, Hey, you know, we got this contract and let's like, you know, four, three months or something like that. We need to get this done. I mean, what do you do as an MSP in that situation?
[00:32:55] Well, you know, that's why I'm such a big advocate of MSPs having answers to some of these problems before they absolutely need them. Um, I don't know what happened in your world where you saw the opportunity and started building towards it in advance of the demand curve starting to spike like we're seeing now, but
[00:33:19] whatever that was, you know, you needed to have seen that there was a sizable opportunity here. Um, I feel like a crazy person, like at some of these MSP conferences, I'm just like, I'm flopping around on the ground, just screaming like the first 10 or 20 of you that figured this out. Just you win. Right. Right. Like you just win. Yeah. And not wrong there. Everyone's like, ah, I don't, I'm just like, it's the single largest industry segment
[00:33:49] like on the planet. Like just, you can't, you can't lose if you figure this out. And, uh, there's just like, there's just not a lot of, uh, vision, I guess you could say, uh, and, and if, if I'm being honest, I think a lot of that is because so many MSPs have, have gotten through life and survived by reacting to the biggest fire, the person shouting the loudest.
[00:34:20] It's all, it's always been very reactive. And so you, you can't occupy a mindset where you're waiting for another shoe to drop and also be in another mindset where you're like, I need to carve out one day a week to really pursue this. I need to build a new center of excellence inside of my MSP organization that doesn't play by the same rules as the way we've always done business.
[00:34:46] I might need to throw some people over in a, in a closet over here and not like, you know, let them do good work without a lot of distractions. You, you won't be doing both of those things unless you, you create a separation and decide to pursue this very intentionally. That, that is so true. It's, it's funny how sometimes people look at the same situation and go, that's a wheel. And you're like, yes, it is. It's very important.
[00:35:15] It goes round to round and it helps you go places like, like that. You're absolutely right. Because as we were looking at the industry, uh, we started really looking at it when it went from, you know, five levels to three, right? So from 1.0 to 2.0 is that transition started to happen. And a lot of people were talking about, is this going to happen? And I looked, that's when we looked at it and go, oh, it's going to happen and it's going to be big. And they're, they're going to have these requirements for MSPs to do it.
[00:35:41] And you're so true about MSPs that they, they like product solutions that like solutions that are much more in scale with how they're used to operating. It's very much within their alligator arms to reach and support. But CMMC is not alligator. You're like, you're with a pole, like reaching out there, trying to build a boat in a bottle, you know, with a telescope. It's sort of how that is. So you, you've got to figure out how to do that.
[00:36:08] Uh, but let me just say the sales process, you know, we started our organization in 2002. So we've been doing MSP work for over 20 years. The sales process for organizations that have to get CMMC level two compliant, the sales process and conversations are radically different than in a, just a traditional, Hey, let's try to talk to you about managed services. And there's 50 in this, in the zip code that you're in that want to have that same conversation
[00:36:37] versus, Hey, uh, I need level two work. Are you certified? Do you understand this? Can you help us get there? Do you have a process? Do you have templates to move us through this process? And you're like, yes, yes, yes, yes. They're like, okay, where do we sign? Like, it's a different conversation. It is so, so radically different. Yeah. Yeah. You get to walk into interactions. I'm sure where, you know, you're, you're able to provide not just like a, yes, we do
[00:37:06] that in a general sense. People can tell that you have like names for things and like you, you have processes for things and you have paid down some of the organizational and technical debt that needs to be addressed so that you can do this repeatedly at scale. And that, that I think is what people pick up on very quickly.
[00:37:32] Uh, they might've been in a sales call where someone was like, we do CMMC. Would you like CMMC quantity one price tag X, please sign here. Right. And there's, there's no transparency. You have an MSP who, who walks into the room and says, we have a shared responsibility matrix. This is going to suck. This is going to suck for both of us. We have a lot of work to do. When do you want to get started? Here's our process.
[00:38:00] And people are like, I kind of knew it was going to suck. Yeah. I kind of knew there was going to be some change. Uh, uh, I'm, I'm in, it sounds like we know how we're going to be able to work together and that's what people are looking for. Yeah, that's so true because they, they really do want to see, um, a process to take them from, I said yes to how do you solve and inherit as much risk from us? Because we're, we want to slide as much across the table to you.
[00:38:30] Can you show us what that looks like? What are the documents you're going to provide? How's this process going to work of moving us through the path? You know, at what point can we talk with the C3PAO? How does that conversation? There's just so many questions that they need to have answered and you have to have gone that journey to be able to have that conversation and talk with them. Um, because I think this memo is just clarifying how much more laser focused the CUI program is going to get.
[00:38:56] And it's not going to be, um, uh, you know, I think as, as ability to dodge as some people are hoping. And I think what that sleeper cell analogy you said is so true is I think a lot of C, uh, CMMC clients are going to pop off on these MSPs, uh, because of the fact in June, they're going to start realizing. We can't get around this. We were hoping for a self-assessment. We were hoping more time. We don't have it now.
[00:39:24] Now, now it's, you know, the primes come to us and they said, uh, we just think that controlling flow down is just not so fun. We'd rather just have you do level two and be done with it, you know? Uh, and, and then they have to make a decision, right? Uh, and we've been tracking, interestingly enough, uh, organizations that have come to us that we kind of start working them through what it's going to take and what we would charge. And we've started seeing some people go, yeah, you know, I just don't think we're gonna stay in the market.
[00:39:52] Um, I think we have like two or three potential clients that we've talked with that after we've kind of talked to them for a while and they, they bid it at other places and they were like, yeah, we're just not going to do it. And we're like, wow, that's so sad that we're starting to see that, that kind of natural selection. That's that CMMC is sort of forcing to happen. Yeah. And that, that is absolutely an outcome that we are going to see.
[00:40:14] We're going to see organizations who due to constraints or a lack of a, of a strategy to be able to grow, uh, as, as this consolidation happens, they're going to exit the defense industrial base.
[00:40:29] And, you know, organizations who don't know why they're doing defense contracting today are probably going to be the ones who leave. People who have a clear reason why, uh, will be those who stay. And so, you know, there will be fewer defense contractors, you know, five years from now than, than what we see today. And I think that you'll have much more vertically integrated supply chains.
[00:41:00] Um, I think that things like CMMC might have been the change agent that caused some of this stuff to happen, but I think you're going to see a lot of, you know, waste cut out of the system. I think you're going to find organizations learning better ways to exchange data and maintain data integrity throughout multiple tiers of a supply chain.
[00:41:23] I think you're just going to see a lot of data management practices come into play that are going to strip costs out of the system. They're going to increase efficiencies and everyone's going to be kind of like on the same page on more of what is happening inside of a defense contract than maybe you would have had before.
[00:41:46] And if not for the sudden need to have supply chain transparency, I don't think you would see any of those positives happen. So Ryan, uh, is there any other closeout points that you feel like we, we should really cover, uh, around this topic? I really think that everyone involved contractors and MSPs need to identify that we have this, this dwindling window of opportunity inside of which to create an unbelievable advantage, uh, to meet these requirements.
[00:42:16] Before a bunch of compounding market forces descend upon us, uh, you know, you've got a demand curve where a bunch of contractors are going to need this all at the same time. There won't be enough capacity. Not everyone can get their C3PAO assessment scheduled in a timely manner.
[00:42:35] And also you're about to have entire industry sectors that aren't as well represented in the DIB having federal CUI safeguarding rules imposed on them because of the new FAR CUI rule. These are industries who spend two or three or four times more on IT as a percentage of revenue than most people in the DIB. Who do you think is going to get the help?
[00:43:06] So you've got this moment in time where you can get the help that you need. You can implement the requirements. You can, uh, sort of ride the wave of consolidation at, with a positive, positive outcome. Right. Before the resources you need to make that happen, uh, are pulled in a million directions and. And, you know, you just sort of fall through the cracks. So I think, I think now is the time to do something effective. So, so true.
[00:43:35] Cause you saw the CCA situation with the, the ramp up of the C3PAO costs. You know, we've, we've seen C3PAO costs for assessments double almost, uh, from middle of June last year to now, what is happening at this time of this recording? It's just the prices are going up because of supply and demand.
[00:43:58] So, uh, and I don't think that's going to change this year because of just the constraints in the market, uh, because more people are going to realize like you're saying, and it's going to change the market. The more people get into it to kind of want to be moved through the process. Great point. If you're a defense contractor and you know about theory of constraints because you're a manufacturer, for example, you know that your only job is to increase the capacity of your biggest bottleneck. Right.
[00:44:26] And then move on to the next one and move on to the next one. And if you, if we continue to have the bottlenecks that we're having, there's going to be some big winners and a lot of losers. So true. So true. Well, Ryan, thank you so much for joining us today. It's been super insightful. My pleasure. All right, climbers. Well, uh, once again, if you're listening on something like Spotify or one of the media, if it has the opportunity to rate the show, please do that. That's very helpful for us. We would really appreciate that.
[00:44:53] If you're watching us on YouTube, of course, hit the like and subscribe. That's also very helpful. So until next time, climbers, keep on climbing. Thank you for joining us. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.

