Brian Guenther | Crucial Conversations: CMMC, Compliance, and Your Cybersecurity Strategy
MSP Business School, December 03, 2024


Show Website: https://mspbusinessschool.com/

Guest

Name: Brian Guenther
LinkedIn page: https://www.linkedin.com/in/brianwguenther/
Company: Exceed Cybersecurity & I.T. Services
Website: https://www.exceeditmd.com/

Host

Brian Doyle: https://www.linkedin.com/in/briandoylevciotoolbox/

Brian Guenther is a seasoned cybersecurity expert and the founder of Exceed Cyber. With over 26 years of experience in the IT and cybersecurity industry, Brian started his career by building PCs and gradually transitioned into IT franchise ownership. He founded Exceed Cyber in 2017, focusing on helping businesses navigate the complex landscape of cybersecurity compliance, specifically for those with federal contracts mandated by regulations such as CMMC, SOC 2, and ISO 27001.

His deep understanding of governance, risk, and compliance processes makes him a valuable asset for companies needing to secure their operations against current cyber threats.

Episode Summary:

In this enlightening episode of MSP Business School, host Brian Doyle sits down with cybersecurity expert Brian Guenther to discuss the nuances of the Cybersecurity Maturity Model Certification (CMMC). As regulations around cybersecurity become more stringent, especially for defense contractors, understanding CMMC's requirements and implications is crucial. Brian Guenther, with his wealth of experience, dives into the evolution of CMMC, highlighting its origins, the essential controls necessary for compliance, and the critical role MSPs play in this landscape.

The discussion delves into how CMMC has become a focal point for organizations dealing with controlled unclassified information (CUI) and why being prepared for compliance is vital. Brian Guenther emphasizes the importance of proactive engagement in compliance processes, illustrating how MSPs can leverage their positioning by becoming CMMC-certified to differentiate themselves in the marketplace. He also sheds light on the geopolitical nuances affecting these regulations and how changes in political leadership might influence—but not diminish—the momentum towards stricter cybersecurity standards for federal contractors.

Key Takeaways:

  • CMMC is paramount for defense contractors: Understanding and implementing CMMC is crucial as it enforces standards that contractors should have been following since 2017.
  • Compliance does not equal security: While security frameworks like NIST 800-171 underpin CMMC, compliance serves as an initial checkpoint rather than the full spectrum of cybersecurity.
  • MSPs must prepare adequately: Even though MSPs are not directly required to certify under CMMC, being prepared and knowledgeable is crucial for assisting clients.
  • Cyber liability is a key driver: Insurance and regulatory requirements are pushing businesses to adopt more sophisticated cybersecurity measures.
  • Proactive steps are essential: Waiting for enforcement isn't viable; MSPs and their clients should start their compliance journey immediately.

Sponsor vCIOToolbox: https://vciotoolbox.com

Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!

[00:00:10] Hey everyone, welcome to the latest installment of MSP Business School. As always, I'm your host, Brian Doyle.

[00:00:16] And I'm pretty excited about today because today's subject is obviously something that means a lot to me in my day job.

[00:00:22] And I love learning more and more about this subject through those professionals that really understand it.

[00:00:28] So I would like to welcome to our show today our guest, Brian Guenther from Exceed Cyber.

[00:00:34] I met Brian a few weeks ago, indirectly, we didn't actually have a chance to talk, but got to meet him a couple weeks ago on Dan Tomaszewski's Everything MSP podcast, or I guess he calls that a podcast, or his Wednesday WTF sessions.

[00:00:50] And, you know, really saw that Brian had a lot of good knowledge and can put it into practical speed around CMMC and really help, I think, listeners like yourself who are wondering, you know, what is going on with CMMC?

[00:01:02] What is this going to really mean to me? And what are some of the myths and rumblings out there that I might not know the full truth on?

[00:01:08] So with that being said, Brian, I'd like to welcome you to the show.

[00:01:12] Thank you so much for having me, Brian. I appreciate it.

[00:01:14] You bet, man. And, you know, excited again to hear what you have to share with us today.

[00:01:18] But before you dive fully into the CMMC waters, maybe tell us a little bit about your backstory, you know, a little bit about yourself and how you ended up in the world of MSP, MSSP.

[00:01:29] Sure. MSP-dom, right? How do we end up there?

[00:01:31] Yes, MSP-dom. I like that one.

[00:01:33] It's not MSP-D-U-M-B, right?

[00:01:36] Well, you know, it could go either way.

[00:01:39] So, yeah, thanks for having me.

[00:01:40] So, yeah, a little quick background.

[00:01:42] I'm sure my background and stories probably has as many twists and turns as convoluted as many of your audience, right?

[00:01:48] So a lot of us ended up here in a circuitous path, a circuitous manner.

[00:01:52] You know, honestly, about 26, 27 years ago, I started off by building PCs like a lot of us, right?

[00:01:57] Just kind of a hobbyist. I was doing different kind of work and I just sort of leaned into that and figured I had a pretty good penchant for solving problems, right?

[00:02:05] And troubleshooting. And that's kind of how it began.

[00:02:07] Fast forward a few years, I bought an IT franchise as the first national IT franchise that actually existed about early 2003.

[00:02:15] And then through a variety of different roll-ups and partnerships, some which were good, some which weren't, I sort of learned a couple of lessons, which is don't have partners.

[00:02:24] My brother-in-law always says the only ship that doesn't sail is the partnership.

[00:02:28] So, but either way, but then ultimately led me to, you know, in 2017, starting Exceed Cyber and really being much more focused on the, you know, on the cyber journey, essentially helping protect customers, helping them level up and really taking information security more seriously.

[00:02:44] Because frankly, I mean, got to figure out and knew that I don't want to be commoditized, but I want to help my client better protect the organization.

[00:02:51] Well, you know, I think one thing that we can all agree on is security never goes out of style.

[00:02:55] You know, it sounds like Brian, you and I entered into this industry, you know, in the same kind of timeframe.

[00:03:01] And even back then we were having security stories.

[00:03:03] It was just a different level of security and different threats that we were facing.

[00:03:06] I do like your comment though, about no good ships, except are no partnerships, good ships or whatever, because I always came from a different school of thought and it was never odd numbers.

[00:03:18] Two partners were okay, but never odd numbers.

[00:03:20] Cause then it's always going to be a gang up situation somewhere.

[00:03:24] And are you on the wrong side or the right side of that gang up?

[00:03:27] But you know, it is funny how we learn over the years when we were faced with different partnerships and different acquisition strategies,

[00:03:34] what you like and what you don't like quick and what mistakes you will never make again.

[00:03:39] Unfortunately, sometimes they can be expensive mistakes to learn.

[00:03:42] Hard to learn sometimes, right?

[00:03:44] But let's shift gears a little bit into what you're doing today.

[00:03:47] So, you know, you've come up through the ranks, you've been part of the community for, you know, really since the onset of managed services.

[00:03:54] And now you are, you know, kind of specializing in a few different areas.

[00:03:57] It looks like, tell us a little bit about, you know, what today looks like for you.

[00:04:00] Sure. Yeah.

[00:04:01] So, so today our focus is mostly on helping businesses that have compliance requirements, whether it be contractual, legal, or regulatory,

[00:04:09] that really have something foisted upon them from above, right?

[00:04:13] Again, that through a contract or regulation that have to do something.

[00:04:16] In this case, we're really talking about cybersecurity mandate, right?

[00:04:21] And whether that be SOC 2, whether that be ISO 27001 or CMMC, whichever flavor you're looking at,

[00:04:29] there's somebody telling you something to do.

[00:04:30] I realized a few years ago that that's actually a good place to be.

[00:04:34] It's a really good intersection, a good niche to be in and dealing with customers who have to do something, right?

[00:04:40] And if they don't do it, there could be a price to pay, could be varying outcomes, right?

[00:04:45] So that's what was really sort of my why when I went into that.

[00:04:47] It's not the opportunity, but I also saw a way to differentiate ourselves as a company.

[00:04:52] Yeah, and it's funny, you know, while you talk about the why, and I totally agree with you,

[00:04:56] because a lot of the folks that, you know, we used to have in my data centers back when I was an MSP were tied to regulatory requirements,

[00:05:02] and that was what was driving them to be there.

[00:05:04] But when you look at today, cyber liability itself is now starting to drive a compliance story that didn't exist just a few years ago, right?

[00:05:12] You know, where it was totally tied to only regulatory bodies.

[00:05:14] I don't know what your thoughts are there if you're seeing the same trend.

[00:05:18] Yeah, I mean, look, we're definitely seeing cyber liability is a big part of the mover and shaker in the industry, right?

[00:05:26] Because insurance especially, right?

[00:05:27] If you're talking about insurance being a driver for, let's say, for law, for sure, you know, certainly in the state level.

[00:05:34] And I like to use the example of like, you know, automobiles, right?

[00:05:37] Back in the 50s and 60s when a lot more cars and the Eisenhower interstate system was built,

[00:05:42] a lot more cars on the roads post-World War II.

[00:05:44] Then a lot, you know, car crashes would happen.

[00:05:46] A lot of people would get hit or killed, you know, would get injured or killed in car accidents.

[00:05:49] And ultimately, insurance companies were paying out a lot of money,

[00:05:52] and they end up then driving and pushing forward these new technologies.

[00:05:56] You know, this crazy thing called the seatbelt.

[00:05:57] Like, you're telling me I have to belt myself in?

[00:05:59] That's just un-American, right?

[00:06:00] Can't do that.

[00:06:01] But who was the driver behind that?

[00:06:03] It was the insurance industry.

[00:06:04] Same thing with airbags and other types of like side, you know, SRS, side restraint, whatever, other ABS,

[00:06:09] other features and functionality that made, in this case, the car passenger safer.

[00:06:15] And this is really no different.

[00:06:17] That story can be now overlaid in the current situation when you have insurance companies paying

[00:06:21] out billions of dollars in losses and claims to their insured because they had relatively weak

[00:06:27] applications and underwriting constraints, right?

[00:06:29] And now they're paying a lot of money.

[00:06:31] And the insurance company now has said, we're no longer going to be the bank.

[00:06:34] And so they're now driving, certainly at the state level, and making changes to law, right?

[00:06:40] And figuring out like, well, we're not going to want to be the guys who foot the bill anymore.

[00:06:44] And I'd love to hold in the bag.

[00:06:46] And you're also seeing, you know, on the other side of it,

[00:06:48] they're really holding the end user accountable to really speaking the truth, right?

[00:06:54] There's a lot of things like MFA, right, is a great example.

[00:06:57] You know, people think because they've been voted on, you know,

[00:06:59] certain areas that they've now covered off on that checkbox.

[00:07:02] But, you know, then all of a sudden marketing goes out and tries a new tool

[00:07:06] and sticks all of our information into it and has no 2FA or MFA on it.

[00:07:10] And when that gets breached, you're seeing those carve outs and those claims being not paid.

[00:07:14] So I think, you know, it's funny that at least from my seat,

[00:07:18] I've seen more people starting to gravitate to frameworks like NIST CSF or CIS,

[00:07:22] at least to get some foundational, you know, find out foundational cyber practice guidance,

[00:07:27] if you will, and then using that to hopefully better answer those security questions.

[00:07:32] So interesting times for our industry, that's for certain.

[00:07:36] Right.

[00:07:37] So, you know, I'd love to hear a little bit more about, you know, where you see things going from your seat

[00:07:44] as a, you know, tried and true daily practitioner of, you know, governance, risk and compliance.

[00:07:49] What are you seeing out there?

[00:07:51] I know in our conversation where we met each other, it was really focused on CMMC,

[00:07:54] but feel free to, you know, expand even beyond that if you've got thoughts in other areas.

[00:07:59] Sure.

[00:07:59] Yeah, no problem.

[00:08:00] So basically just in the interest of time, probably makes sense to talk about sort of a primer on CMMC.

[00:08:04] Sounds good.

[00:08:05] For your audience.

[00:08:05] Is that okay?

[00:08:06] Sounds great.

[00:08:07] Because we've got a lot of other topics, but then we end up going up a couple hours.

[00:08:09] We don't have to have that.

[00:08:11] We can come back and we can do other ones in the future.

[00:08:14] No doubt.

[00:08:15] Absolutely.

[00:08:15] For sure.

[00:08:16] So, yeah, I'll just kind of go back a little bit and talk about the,

[00:08:19] from the governance risk compliance GRC practitioner side of the house.

[00:08:23] Again, that's kind of extension.

[00:08:24] I mean, running compliance work effectively for customers.

[00:08:26] I want to be very clear here to your audience.

[00:08:28] I'm sure your audience has probably listened to a lot of your content.

[00:08:31] It's probably fairly learned in understanding that compliance does not equal security, right?

[00:08:35] Even though it's cybersecurity related.

[00:08:37] CMMC as a framework itself is really only concerned around,

[00:08:40] if you're familiar with the CIA triad, right?

[00:08:42] Confidentiality, integrity, and availability.

[00:08:44] It's only really concerned about confidentiality.

[00:08:46] That's really only that sort of that bucket, if you will, right?

[00:08:49] Let's talk about it that way.

[00:08:52] So I'll dig a little bit into CMMC, kind of talk about where it came from.

[00:08:55] Is that cool?

[00:08:55] Very cool.

[00:08:56] I'll share that with the audience.

[00:08:57] Okay.

[00:08:57] All right.

[00:08:58] So first of all, for those that are uninitiated,

[00:09:00] you probably heard this four-letter, evil phrase, CMMC,

[00:09:06] which stands for Cybersecurity Maturity Model Certification.

[00:09:09] It's a mouthful.

[00:09:10] But essentially what it is, it's a mechanism by which the DOD can prove that you're either compliant or non-compliant with certain cybersecurity practices under the NIST 800-171 special publication, Rev. 2, by the way, since deprecated, but they're still in Rev. 2.

[00:09:30] That's what they're watching and following.

[00:09:31] And ensuring that these 110 controls, to be clear, if your client, and this would be a defense contractor, we're talking specifically here, right?

[00:09:41] So what I'm saying is that the defense contractor is safeguarding data that's called controlled unclassified information, CUI, often abbreviated CUI because it's easier, right?

[00:09:49] So if this defense contractor is safeguarding CUI, that defense contractor must enact and safeguard, that's actually the term that's being used, these 110 controls to make sure that the confidentiality of that data is in fact protected.

[00:10:04] And so that's really the foundation of all this.

[00:10:07] And I want to be very clear.

[00:10:09] Sometimes people believe that CMMC is new.

[00:10:12] And where did this come from?

[00:10:13] How could they suddenly do this?

[00:10:15] And for all of you listening who think it's new, it's not.

[00:10:19] No, I mean, I think we've been talking about CMMC for the better part of four years easily, if not more, right?

[00:10:25] And obviously NIST 800-171 as a precursor has been around.

[00:10:30] You probably have a better idea than I do, Brian, on how long that's been around, but quite some time, right?

[00:10:35] It has been for sure.

[00:10:36] This would be a great time to share that slide I shared with you earlier and talk a little bit about the timeframe.

[00:10:41] And I'll talk in a second about, thank you for sharing that.

[00:10:44] So I'll talk kind of like the origins of CMMC and where this came from.

[00:10:47] So I'm going through this pretty quickly here, but it started in 2004 with the publishing of the 9-11 Commission Report.

[00:10:53] So it took almost three years from Congress to requisition and do research into the 9-11 report.

[00:10:59] And there's a lot that came out of that, a ton.

[00:11:01] But really the big thing they learned is that the different departments within the federal government really weren't communicating very well with one another and sharing threat level intelligence, right?

[00:11:12] Threat data.

[00:11:13] And so ultimately what came out of that was the actual creation, not long after 9-11, the DHS was created, Department of Homeland Security, which was the biggest consolidation of the federal government since the Second World War, since the creation of the Department of Defense.

[00:11:28] It was the Department of War before that, right?

[00:11:30] A different name.

[00:11:30] And so there's a lot of consolidation that came out of that.

[00:11:33] But that was one of the big things.

[00:11:34] Hey, we need to make sure information is better consolidated and better disseminated across different agencies so not everyone's working in sort of a kind of a box, you know, doesn't know what's going on next door.

[00:11:45] So 2020, excuse me, 2005, 2009, NIST 800-53, which is the massive, what we call the granddaddy of compliance requirements for DOD systems or what are called federal systems, essentially government furnished systems.

[00:12:01] That's about like 900 or so controls.

[00:12:03] It's massive.

[00:12:04] It's huge.

[00:12:05] And it's sort of, let's call it the grandchild NIST 800-171, special publication 171.

[00:12:11] That is concerned, 171 is concerned about the safeguarding CUI.

[00:12:16] That was written and released in that timeframe.

[00:12:17] Then in 2010, executive order under President Obama.

[00:12:21] And this, by the way, is not a, in any way, a political statement.

[00:12:24] I'll get into that in a minute.

[00:12:26] Released essentially an executive order stating and defining what CUI is, controlled unclassified information.

[00:12:32] Then fast forward another six, seven years into 2017.

[00:12:36] This is actually a really important point.

[00:12:38] I want to pause here for a second.

[00:12:39] And this is when the finalization of DFARS 7012, 252.204-7012.

[00:12:46] It's a mouthful, but it's essentially a component in the Defense Federal Acquisition Regulation Supplement was issued.

[00:12:52] And that means that these NIST 800-171 110 controls must be implemented and applied to safeguard CUI.

[00:13:01] It was being included in contracts starting then.

[00:13:05] Remember earlier I said this is not new?

[00:13:07] This is why.

[00:13:08] It's been around for seven years now, and most defense contractors didn't follow it.

[00:13:15] They didn't implement that.

[00:13:16] And that's what the IG, the Inspector General of the DoD, figured out.

[00:13:19] That's why CMMC was created.

[00:13:21] And all that CMMC is to just wrap it up into a nice little bow is essentially making sure you did what you were supposed to already have done if you're a defense contractor.

[00:13:32] So now it's going to 2024.

[00:13:34] We're wrapping up Title 32.

[00:13:36] That's what's going to be published and be final next, I think it's December 16.

[00:13:41] And then Title 48 means it's going to be included in contracts.

[00:13:44] And all of this rolls into, well, these are some pretty serious mandates for someone who didn't do anything to start with.

[00:13:51] But they're going to have a heavy lift.

[00:13:53] Yeah, and it is funny when you put out there, you know, how long it's really been, because I think that is something that I am finding interesting, too, is how many government contractors did not prepare for this, even though they were the ones staring this down and hearing about it from their counterparts in the purchasing organizations.

[00:14:09] It's wild.

[00:14:10] Especially in the supply chain, for sure.

[00:14:11] Yeah.

[00:14:12] Yeah.

[00:14:13] So if you want to stop sharing on that item, you can feel free to do that.

[00:14:16] Sure.

[00:14:18] But yeah, so ultimately, that's sort of where we're ramped up into now.

[00:14:22] But a lot of people tended to believe that CMMC was a brand new thing, came out of nowhere, right?

[00:14:27] Even though it's been talked about for years, it's really the enforcement arm of an existing DFARS requirement that says you have to safeguard this data.

[00:14:35] So anybody that's new to the federal defense contracting space, for them, in fact, is net new.

[00:14:40] But anybody that's been around for several years, it's been existing for a long time.

[00:14:44] And I think there's been a lot of talk about it in our industry that the majority of at least mature MSPs have been, I won't say preparing for it, because I think there was a lot of gray area in what to prepare for, but at least been keeping an ear open to understand what this might mean for some of their government clients.

[00:15:02] Yes.

[00:15:03] That's really a critical component here, right?

[00:15:05] Because who does your MSP customer, in this case, let's say a DOD client, who will they lean on for help?

[00:15:11] They're going to lean on their, either the internal IT department to figure it out or their MSP.

[00:15:16] In this case, sorry if my audio, my video is a little janky here, but in this case, what happens is that the client's going to come to you and they're going to ask you about this.

[00:15:26] What's this all about?

[00:15:27] Can you help me with this?

[00:15:28] You know, how do I fix this?

[00:15:29] My upstream subcontractor or prime contractor is telling me I need to do something, I need to act.

[00:15:37] And Brian, is there going to be any grace period or timeline that they're going to allow people to fix these problems now, right?

[00:15:43] Because if you haven't been preparing for it, my guess is you're going to have some gaps in those 110 controls.

[00:15:50] Those are kind of two separate questions, but I'll kind of address them both together.

[00:15:53] So is there going to be a grace period?

[00:15:57] Technically, is there?

[00:15:58] Well, maybe.

[00:15:59] It depends, right?

[00:16:00] So the defense contractor, let's just talk about in terms of your client.

[00:16:04] You're an MSP.

[00:16:04] Your client is a DOD customer, right?

[00:16:06] And they're working what's called part of the supply chain.

[00:16:08] Prime subcontractor, second sub, third sub, and so on, right?

[00:16:12] And those folks, again, need to do certain things and implement these controls.

[00:16:17] Now, remember I said a few minutes ago, this is something they should have already been doing and they should have already had that done, right?

[00:16:24] And now the problem becomes that they haven't done it yet, they're effectively, they're kind of in breach of contract.

[00:16:30] And I don't mean kind of, I mean, they are in breach of contract, to be clear, with the federal government.

[00:16:35] It's not a good place to be, but there's hope.

[00:16:37] And that is your second part of the question, which is, is there a grace period?

[00:16:40] The short answer is they all know that everyone knows shit's getting real, right?

[00:16:46] They realize that the ecosystem, which is the defense department, the supplier, everyone in the supply chain, including the external service providers, us, the MSPs, they're helping get all this in order.

[00:16:58] And they're realizing nobody had their ducks in a row.

[00:17:00] And so now, if you're working on this and identifying what has or hasn't been done yet and starting to work toward compliance, which, by the way, don't go it alone, especially if your client has CUI, right?

[00:17:12] This is a very major undertaking.

[00:17:14] I would not encourage you to take on the liability on your MSP if you don't have experience in how to do this, right?

[00:17:21] So whether it's talk to someone like us or someone else who does what we do, get advice, get help, right?

[00:17:27] Bring in an expert.

[00:17:28] And, you know, those are all critical statements that you just shared right there, Brian, because, I mean, I think the positive momentum is something you're going to have to show, prove that you're doing your due diligence.

[00:17:38] You're closing the gap on anything that's in your security plan and POAM, right?

[00:17:42] But the second part of that that you were covering off on is if you don't feel confident you know how to do it, reach out for help.

[00:17:49] Because this is not an area that you want to make a mistake in.

[00:17:53] Yeah, absolutely.

[00:17:53] Reach out.

[00:17:54] I mean, reach out for help.

[00:17:55] Get help from somebody who knows what they're doing.

[00:17:57] If you are internally or maybe with if it's a co-managed deal, right, working with their internal folks and you're working on getting the controls in place and at least sort of getting there, you will eventually end up, if you do what's called a gap or readiness assessment, you will end up with the things, what Brian mentioned a second ago called a POAM, plan of action and milestones.

[00:18:14] And effectively, that's what in an unofficial, either unofficial or official assessment, those are the gaps of controls or systems or processes or policies that haven't been checked or haven't been fully validated, right?

[00:18:26] Can't be completely checked off.

[00:18:28] At least not rightfully so.

[00:18:31] And really what the DoD wants to see is that the customer, the DoD contractor in the supply chain is working toward that diligently so, right?

[00:18:42] As long as they can see that and they've got things checked off, they have a POAM.

[00:18:45] And even if they get assessed by what's called a C3PAO, and that's not R2D2's friend, but a certified third-party auditor, and they come and check it off, they're allowed to be certified with what's called remaining controls open or gaps under what's called a plan of action and milestones.

[00:18:59] So all these things can be rectified.

[00:19:03] And, you know, I think the key there is, though, then you have to go do it.

[00:19:07] And that's something that, you know, we often see where things will drag, right?

[00:19:11] We get through that initial certification, we get that ability to continue doing work with our, you know, under our contract.

[00:19:17] And then all of a sudden those things can fall off.

[00:19:19] And I think in this new iteration of the CMMC, there's going to be a little bit more governance around these things getting done and ensuring that people are getting to that future state of being hopefully 100% compliant.

[00:19:31] Yeah, that's the hope, right?

[00:19:32] So we want to get folks there as quickly as possible.

[00:19:34] One thing I think is worth talking about real quick.

[00:19:36] I want to be mindful here because I know we're coming up on time.

[00:19:39] It's all right.

[00:19:39] We've got, we're good.

[00:19:40] Okay.

[00:19:41] So a couple of things I want to discuss.

[00:19:42] One of them is talk about kind of the elephant in the room, right?

[00:19:45] Right now it's November 13, 2024.

[00:19:48] We had a, you know, federal complete four-year election last week, right?

[00:19:51] And so no matter whether you are, you know, blue, red, purple, pink, I don't care.

[00:19:59] It doesn't really matter.

[00:20:00] This is not meant to be a political statement.

[00:20:02] But what I want to share is there have been rumblings in the community about will the election of this party or that party have an impact on CMMC?

[00:20:11] And let's just go with the actual result of the election, right?

[00:20:14] Is that the Republican party took essentially all three, if you will.

[00:20:18] Right.

[00:20:18] They kind of took that.

[00:20:19] It was a home run.

[00:20:20] Let's call it that.

[00:20:20] You're a baseball fan.

[00:20:22] You talked about that earlier.

[00:20:22] Right.

[00:20:23] So if that could be a home run, they take all pieces.

[00:20:25] Now, will this affect CMMC?

[00:20:27] Will CMMC get crushed?

[00:20:28] Will it get, will it deregulate?

[00:20:31] Will they throw it out?

[00:20:32] Maybe with the bathwater.

[00:20:33] And I can tell you, I've had this conversation with multiple folks in the past week, excuse me, in the past week in the industry trying to get some, you know, some input.

[00:20:41] What do people feel around this?

[00:20:42] And overwhelmingly, the response is, this is not going to go away.

[00:20:47] So if you feel like you as an MSP or your clients, or you're counseling, that CMMC is going to disappear because the Trump administration is taking over and they have deregulations on the forefront of what they're doing.

[00:20:57] This is not going to go away.

[00:20:59] This started during the first Trump administration, continued under Biden.

[00:21:02] It is now going into regulation and law by extension, and it's not going to disappear.

[00:21:07] And so you would really be, in my opinion, and again, please take no offense, but you'd be foolish if you felt that was going to happen because this is broadly bipartisan because it's national security.

[00:21:19] You just took the words out of my mouth.

[00:21:21] You know, I think confidentiality crosses all boundaries, right?

[00:21:25] I think, you know, if you looked at yourself as a collective of Americans, realistically global citizens, right?

[00:21:31] I think we all want to make sure that, you know, any information we have that could be of any pain to anybody is being, you know, protected to the best of our ability, right?

[00:21:40] And I can see very easily that this is not going to change.

[00:21:43] So I'm glad you brought that up.

[00:21:44] Yeah, sure.

[00:21:45] I mean, it has to be brought up because, again, it's kind of prescient, right?

[00:21:47] The timing is right.

[00:21:48] We got to talk about this because there's some folks are also hanging out and saying, I'm just going to take a, you know, a wait and see.

[00:21:55] The approach, if you're still taking a wait and see approach, independent of political leanings, whatever, you're like, I want to see what happens.

[00:22:01] I would encourage you not to do that because the DOJ and the DOD themselves have already shown their desire and their willingness to go after anybody that's flouting the rules and they'll bring a False Claims Act suit down on you, right?

[00:22:14] And you don't want that to happen, right?

[00:22:15] Whether you think the enforcement will be there or not, it's not a good place to be.

[00:22:18] Think in terms of not the enforcement side, but the actual award of the contract, right?

[00:22:22] The contract can only be awarded to a defense contractor and all subcontractors if they check all the boxes and have been validated, by the way, by a certified third party that goes into a system in the government called eMASS, where all that information is logged and cataloged.

[00:22:37] And the actual contract officers who then give the award look into it to be sure that you actually are, in fact, certified at ML2 if required.

[00:22:48] And if you're not, you do not get the contract.

[00:22:51] Full stop.

[00:22:53] And I think that's, you know, you were talking a little bit earlier about ML1 and ML2, and I think that's another part where people have a little bit of a gray area if they're new to CMMC and what that really means.

[00:23:02] But, you know, I'll give you my interpretation and then you can tell me where my missing gaps are.

[00:23:07] But I've always been under, you know, kind of a large impression of ML1 is really what you need to do to prove that you're even worthy to bid.

[00:23:14] And ML2 is really where you're going to need to be once you're awarded a contract of any substance with the government.

[00:23:20] So there is some nuance to that, and I'll share with you what I know.

[00:23:23] And what I know is that ML1 essentially means that every, just to be clear, every defense contract has to be at least in maturity level one.

[00:23:29] It's 15 controls, right?

[00:23:31] It's no policies per se, but it's 15 controls that most MSPs, if you will, can probably pretty easily stand up and safeguard that information.

[00:23:38] And it's specifically about safeguarding federal contract information.

[00:23:41] It's about the contract you hold with the government or with your subcontractor or prime upstream, right?

[00:23:47] It's about safeguarding that data, which is why it's only 15 controls, right?

[00:23:51] However, if you're safeguarding CUI, controlled unclassified information, this is data that actually goes into like information about product, services, maybe something special that the DOD ordered from you.

[00:24:02] You maybe make a specialized version of a gun or maybe a weapon system or maybe like an aerospace component that is militarized, if you will, right?

[00:24:10] For military applications.

[00:24:12] That information they really care about.

[00:24:14] That's maturity level two.

[00:24:15] That's now 110 controls, right?

[00:24:17] Go from 15 to this.

[00:24:19] And it's not just from 15 to 110.

[00:24:22] It's exponentially more difficult, not just 7X, but like, let's say 50X.

[00:24:27] I'm exaggerating a little bit.

[00:24:28] Forgive the hyperbole.

[00:24:30] But the reality is that you've got to start that journey.

[00:24:34] Start it today if your customer knows.

[00:24:37] Don't wait.

[00:24:37] If you know your client's a defense contractor and they've never talked to you about CMMC, don't wait for them to ask you.

[00:24:44] Go talk to them.

[00:24:46] Say, hey, do you guys work with the DOD?

[00:24:48] You do?

[00:24:48] Have you ever heard of CMMC?

[00:24:50] Do you know what that is?

[00:24:52] Should we have a conversation about that?

[00:24:54] Start that conversation.

[00:24:55] Don't wait because what could happen, you could lose competitive edge.

[00:24:58] What if an interloper comes in and they start talking to your customer about CMMC and now you lose credibility because you never brought it up, right?

[00:25:06] And they have potential to take a piece of your business or worst case, all of it.

[00:25:10] All of it.

[00:25:11] So, you know, with that, you know, we'll get near our closing thoughts here, Brian.

[00:25:15] But, you know, what I'd like you to really share is how can you help?

[00:25:18] You know, I think there's a lot of MSPs when they really look at this go, we're not ready to take this burden on.

[00:25:23] You know, is this an area where you can support the MSPs directly or is it more indirect through some of the learnings like you're sharing today?

[00:25:31] Yeah.

[00:25:32] So the indirect is really kind of how we, you know, a big mission of mine is to educate, to be kind of a compliance Sherpa, to be an evangelist, to talk about that, right?

[00:25:40] So people know that they're also, they're not in it alone.

[00:25:43] There's a lot of public options out there and public available resources.

[00:25:47] However, yeah, we do help MSPs and we also help end customers in that journey.

[00:25:51] So if you have any concerns or any issues or worried, you're more than welcome to reach out to me.

[00:25:58] You can find me pretty easily on LinkedIn.

[00:26:01] I don't know if I probably hadn't given you my LinkedIn profile link, but you can reach out to me.

[00:26:05] Happy to have a chat and sort of help me figure out.

[00:26:08] We put that up in the show notes with both the video and the podcast itself.

[00:26:13] So you'll definitely be able to reach Brian directly through that.

[00:26:17] Yeah.

[00:26:17] So folks can reach out to me and we're happy to have a conversation.

[00:26:19] So we do actually assist with the customer with their journey.

[00:26:24] And by the way, one more thing we didn't talk about, right?

[00:26:27] Which is the elephant in the room, not the election.

[00:26:29] But what does this mean for MSPs?

[00:26:31] Remember like the final rule dropped about a month ago?

[00:26:35] And what does this mean for MSPs?

[00:26:36] And what we call the proposed final rule that was published in December 2023,

[00:26:42] then until October 15 when the final rule dropped, which goes into effect next December, sorry, December 24.

[00:26:48] When that happened, the requirement for an MSP to be CMMC certified at the same level as your customer, ML1 or ML2, for example, right?

[00:26:59] Only maturity level two requires certification by a third party.

[00:27:02] But let's say your client does have to be certified.

[00:27:04] The MSP no longer has to be certified at the same level.

[00:27:07] And I want to add this as my closing thought.

[00:27:09] So a lot of MSPs are now thinking, good, I'm off the hook.

[00:27:15] And I'll say not so fast.

[00:27:17] Because while you don't need to get a certification and invest all that money into it,

[00:27:21] you still have to remember you're still part of the assessment process that your client has to go through.

[00:27:26] Because you're a central part of the information systems and information security processes that your client uses on a daily basis.

[00:27:34] So therefore, what you do will be heavily scrutinized as part of that process, right?

[00:27:38] It gets into detail, security protection assets and so on, which I don't want to bore you with.

[00:27:43] But just know it's not as cut and dry as you won't even be looked at.

[00:27:47] That's not true.

[00:27:48] So the short story there is if you're going to be working in this field and you're going to be supporting customers that need CMMC, prepare as if.

[00:27:56] As if you needed to be certified and get yourself under those controls.

[00:28:00] So if the time does turn and you do have to become certified and there's a change in the rule, it shouldn't be a heavy lift for you.

[00:28:07] It shouldn't be.

[00:28:08] And one more thing to add, just know that if you do lean into this, right, and realize that if you do get certified for maturity level two,

[00:28:15] know there will be a dramatic opportunity in the marketplace, in the addressable market for customers looking for a certified MSP because they don't want to take risks.

[00:28:23] Right?

[00:28:24] Remember, they're in the risk management business as well.

[00:28:26] They don't want to put their business at risk, especially if you're talking millions or tens of millions in revenue from the DoD every year.

[00:28:31] They're not going to put that at risk by going with an MSP that doesn't really know their game.

[00:28:35] Right?

[00:28:36] Whether you have a years-long relationship with them or not, bear in mind, it's all for risk management.

[00:28:42] Well, Brian, I want to thank you so much for joining us today.

[00:28:45] You know, really appreciate what you've shared here.

[00:28:47] I think a lot of our listeners probably picked up at least one or two golden nuggets they can take back to their teams

[00:28:53] and really make sure that they're sitting on the right side of the fence when, you know, all this does get formally finalized.

[00:28:58] But more importantly, what's going to be their approach as an MSP in the market?

[00:29:02] You know, is it something that they're going to attain and try to do themselves?

[00:29:05] Is it something that they're going to partner up and, you know, approach?

[00:29:08] And I think a lot of MSPs are really trying to drill into which of those approaches they're going to take long-term.

[00:29:14] Absolutely.

[00:29:14] I'm happy to do it.

[00:29:15] And thanks, Brian, for reaching out.

[00:29:16] I was happy to provide a little bit of education.

[00:29:19] Yeah, appreciate it as well.

[00:29:21] Sure.

[00:29:21] And I look forward to learning more from you over time.

[00:29:24] But with that being said, listeners, this podcast will be available to you, as always, anywhere that you get your podcast.

[00:29:31] And, of course, up on YouTube as well.

[00:29:33] So feel free to visit us there at youtube.com MSP Business School to see the video of this.

[00:29:40] You'll get to see the lovely slide that Brian provided today.

[00:29:42] And, of course, I'll be adding his links to both his LinkedIn and to his website at exceedcyber.io.

[00:29:51] So thank you again, Brian, for joining us.

[00:29:53] And, you know, I wish you the best.

[00:29:55] I know these are crazy times for folks like you as you're trying to keep up with everything that's changing and start implementing as well.

[00:30:01] It's going to get crazier.

[00:30:02] Everyone out there, don't wait.

[00:30:03] Get on it.

[00:30:05] All right.

[00:30:05] Well, thank you so much, Brian.

[00:30:07] And we'll talk again soon.

[00:30:08] Take care.
