Right of Boom
January 30, 2025

Big Changes in CMMC – Learn from Two MSPs who specialize in the DIB

In this video, Jennifer VanderWeer and Andy Sauer discuss the recent changes in the CMMC framework and what it means for MSPs and contractors. They delve into the implications of the rollback in requirements and how it affects cybersecurity practices, emphasizing the importance of maintaining a strong security posture regardless of regulatory changes. The conversation highlights the balance between compliance and security, providing insights into how businesses can navigate these regulatory shifts while ensuring robust cybersecurity measures.

- CMMC 2.0 introduced changes that simplify the certification process by reducing levels and eliminating some controls, which aims to make compliance more attainable for companies.
- The self-attestation process has been reintroduced at Level 1, shifting some of the responsibility back to companies to self-assess their compliance, which might reduce the urgency but maintains the legal obligation.
- MSPs are encouraged to focus on building strong cybersecurity practices in general, rather than solely aiming to pass specific assessments, ensuring readiness for real-world threats.

Guests

Andrew Morgan

Video Transcript

Hey there. Well, hey there. How are you? Good, Andy. How are you? Hey, Jennifer. I, um, apologize to both of you, but we're already live. I accidentally did. That's fine. Whoever's out there. Hello. I like, usually if I was having this problem with the camera, and I don't know what I did, but it accidentally took us live. So here we are. Nothing like doing it live, you know? Can you hear Mera? Yeah. We got you. You in, uh, In Orlando? I am. This is my beautiful hotel room, so, Hi, Tina.

Big week. Yes. Yeah, we're actually, my group is meeting right now, so I, uh, asked for forgiveness and ducked out. We appreciate that, for sure. Yeah. Andy, how are you? I'm good. It's Monday, so, you know. So will you be coming to Orlando or No, I won't be. No. I've got, got a lot going on and, uh, my wife is, we're in the, we're in the home stretch of baby number two here, so leaving the states kind of out of the question, so. Got it. I'm home. I'm homebound for now. Very fair.

Hey, Danielle, good to see you. Hey, everybody, we, uh, as I said, I accidentally hit us live, so, uh, anybody want to jump on stage with us? You're more than welcome. Um, Oh, So, boy, I tell you what, what an interesting, uh, like I said, Andy, I, I loved what you've been saying all along, but how interesting is it that like, we went back to really just the original, uh, We were back two years ago. That's what It was. Yeah, yeah. It's 2017 again. Yeah, Exactly. Coming. Oh, It's interesting.

It's, um, to me it was a little surprising. I didn't think we were gonna walk it back quite so far, but there was some inkling like, okay, losing the Delta 20 in the CMMC-unique practices kind of sounded like, okay, I could see that happening, but like the basically complete rollback's surprising, but I get it. We'll see.

Well, when you have security professionals that have teams that are doing nothing but this, and they're, you know, focused and concentrating on this, and they can't even pass a level three, which is now level two, um, it, you know, it was getting to the point where it just wasn't tenable. I was, I, I could not understand how the rollout could continue on, um, if they didn't make some concessions. Hindsight will prove to be very 20/20 on this. Exactly.

Um, but in hindsight, you think back and, uh, I was thinking about today and like what I wanted to talk about, but early estimates were 300,000 companies were gonna need to be certified at some level, which immediately must make it the biggest cybersecurity certification program in history. Like, yeah. Is anything that large? A SOC 2 that large? HITRUST? No, certainly not.

So it's super ambitious, and, uh, in hindsight you're like, yeah, there's, there's no way that was gonna work the way that they intended. But of course we can all say that now. Right. But you've been, you guys have, in essence, been saying that 'cause where were all the cer, you know, certification, the people that were actually gonna do it. Yeah. Well, that it's simple math.

Go through and look at all of the, look at all these CISSPs and, you know, CISAs out there and add all those together, and you still don't even come close to what you would need to create the auditing hour. Yeah. It's, uh, it really threw my week last week for a loop. I had a lot I wanted to get done and, uh, come around Thursday, I was like, oh, okay, well, my, my week's over. Nothing happening now. So, Right there with you. Yeah. Took a lot of phone calls.

I was like, all right, everyone, let's, let's calm it down for a minute. So I think today's call will be very good. Hopefully, um, the reactionaries, we can hopefully calm things down a little bit. At least that's my take on it, is we don't need to be over-reactionary here. It's, it's not a huge deal. No, No. I mean, it, it, you know, I, I, I titled my blog "CMMC blew up," but I, I mean, it's, DFARS is still in place. You still need to do it.

You will still be violating government law if you're not doing it. And if you are attesting that you are doing it, then again, laws are being broken. So, um, there's still enough reason that there's still enough power. It's just really interesting to see the, the boat going in one direction and then get steered in slightly different direction. Yeah. Un understated.

Even, you know, the, just that document that came out, you know, short document, a couple bullet points, you're like, oh, just a couple small bullet points with huge cascading consequence of like, just a complete change to the model. We'll, uh, we'll see, Speaking of which, let me just share out my screen if I could, 'cause when we talked early on, I would like to show this if you guys To Just talk to it real quick. So, do you guys see this okay? Yeah. Okay. Yes. Perfect. It's so fun.

Like, funny, I don't funny's the right word. It's so ironic that level two is now level three is now level two, and Yeah, That's not confusing at all. No, It's gonna be bad even today, just talking about it. Like, you'll reference level three and you mean level five People on the call will hear level three and be like, why are they talking about level two? It's like, oh man, have to be extra clear on, on what means what. I'm just gonna get a little water. Is it busy, Jennifer, by the way?

A lot of, a lot of people there. I mean, yeah, it's the first, uh, you know, first day of the meetings, um, for Evolve. Um, so I, I, it'll be interesting to see Wednesday night, the welcome reception for it, to see how many people. But yeah, it's, it seems to be a good crowd. Good, good, good. Be right back. Thanks everyone for joining us live for the pre-show. The unintended pre-show. Yeah. If anybody has any, uh, hot takes they wanna share with the six minutes we have, love to talk about it.

So, Andy, if I, if I say, uh, Amira, do you know who I'm talking about? Absolutely. All right. So I, uh, after I was reading all of, of everything being, uh, launched, I sent her a quick email. Am I seeing this right? Am I hearing this right? I just needed some kind of secondary validation. The government site wasn't enough. Yes. Again, they're so understated sometimes, just like, yep, we have a new website and here's a, a document that we accidentally posted to the register early. Oops.

And, and nobody's coming out to address it. Classic. Yeah. But I mean, it, we already had it snapshot. We already had it saved, and it was only up for 30 minutes, I think, before that. Yeah, Yeah, Yeah. Cat's out of that bag. That was, that was a done deal. Yeah. Yeah. So I know, I know Amira pretty well. Mike Elders. Did something happen with CMMC last week, Mike? No. Nothing at all. One, one could say CMMC expired. Jennifer, did your husband join you or is he holding on the floor?

Yeah, He's in the, he's in the meeting. The deal was if I left him behind as collateral that I could come and talk. Oh, Okay. Very cool. Hi, David. Tim, Jonathan. Hello everybody. Yeah, it's a special, um, Zach, I don't know if CMMC broke last week or if it got better. I guess that remains to be seen. Yeah. CMMC definitely went through a little bit of a, a tornado last week. I'd say that. Oops. Jacob did a nice, um, video on it, uh, as well. Jacob always does nice videos. He's good at that.

He's got good production value. I think most of it just generates from the beard. You know, there's a certain authority the beard lends Jacob. He's, does He, He might be, he might be on this call. He might be stalking it. He said He was gonna be, he said he was gonna be. I see lots of Jacobs. I'm searching for Jacob, but, uh, I don't See. If anybody doesn't know, we're talking about Jacob Horne of, uh, recently of Summit Seven.

He's a major commentator on all things CMMC and defense cybersecurity. Good guy to follow on LinkedIn. Yeah, Summit Seven's about two miles down the road from me. Are they really, Jennifer? Yeah, we're in the same town. Let's see. Oh, Eric. Eric, good to see you. Have we heard anything about RP, RPO that I haven't? Uh, not yet. That is still being discussed from my understanding, um, that there's a lot of conversation going on about what does this mean for those, uh, credentials. Hey, Andrew.

Hey, Gary. You're live. We know, we know. I somehow messed it up. So we're, we're here, we're live. We're, it's, it's like, uh, you know, In inside baseball. It's like taking out the beach ball party before the actual show. Yep. This is the new pre-show. You didn't hear about this. Good to see you, Gary. Well, and then, uh, if this is the pre-show, then I have to make sure my language is not salty like it is in the, in the green room. I got a, I'm trying to change it.

I have a horrible foul mouth. Makes two of us Might make three, but I'll, uh, like you Gary, I'll have to keep it under control now that we're live. Yeah. I just, I I think everything's better with the f-bomb in it Lends a certain weight to it, that's for sure. Yeah, Everything's, that's awesome. I, Gary, the sailor thing, but I'm working, I'm working on it.

We, uh, back when I had my MSP, um, the woman who ran our office, she, uh, used to have a, you know, every, you know, all the techs, everybody was swearing. So she came up with a swear jar. Every time you said a swear you had to put a dollar in the jar. And I walked into one management meeting and something big was going on. I walked in, I pulled a $10 bill out and just, let's go, meeting began. Too funny. That's funny. 61 in Chicago.

I think it's actually a little colder here in Northern Virginia. There's get a little warmer, he says. Gary says, get your effing seat price up. That's awesome. That's great. Oh my goodness, Gary, so you're not gonna be in Orlando? No, I have, um, I guess a family thing I've taken care of, but Bob Penland is on his way tomorrow. Okay. And, uh, he'll be meeting with our customers and he'll be, uh, presenting one of my sessions for me there. I've been at every one since the beginning. Hmm. Yeah.

Yeah. Everybody too. Ryan's coming in here. Do you remember the one, Andrew, with Verne Harnish? Yeah, yeah, yeah. Harnish. And then there was, do you remember, um, Michael Gerber. Michael Gerber, E-Myth. And then later it was Jim Collins. Marcus. Ramona, Yeah. And, uh, Wozniak. Wozniak was really early on. Wozniak was early. Um, that was when it was still in Tampa, so, alright, shout out. Oh, good. I'm glad Carl. Carl Good. It was it good.

Um, I, I heard awesome stuff about the training session with John as Well. Yes. Did I? Oh good. Excellent. Alright. Um, and let's see where Wes is. Wes says he's having camera problems. The guy with the Oh surprise, High, high-end, high-end production stuff Is, uh, who's asking the first set of questions, by the way, uh, is, uh, having problem. So who knows? Maybe, um, we'll have to, we'll have to re rejigger the, the questions hopefully we'll get last time. So, welcome everybody.

Uh, I took us live about 25 minutes ago, um, not, I guess, paying attention to actually what I was doing, but, uh, welcome everybody to, uh, episode 73 and we went over, um, 4,000, uh, Ryan and Gary and everybody out there, uh, 4,026, so that's pretty cool. Um, alright, so big changes last week in CMMC land. Um, and so what I wanted to do was bring two awesome MSPs on with us to talk about that. I, um, before I go into intros, a few things.

I put up a poll question, pretty simple, straightforward one. And, um, let's see, uh, who out there is heading to Orlando or is in Orlando Love? Give us a yes or no, Jennifer's in Orlando. And, um, so let's get right on into it. Um, so hopefully Wes will be here momentarily. I can't tell if he is or it isn't, but it says let's reprompt one more time, but, um, while we're waiting to see if we do get, we, let me start off with you, Jennifer. Thanks for joining us.

Talk to us a little about yourself, your company, uh, and where you're located right now. Um, I'm Jennifer VanderWeer. I'm the president of F1 Solutions. Uh, we are based out of Huntsville, Alabama. Um, but I am a, uh, I am in Orlando attending the, uh, Evolve meetings, uh, which we're a, a member of, as well as, um, uh, IT Nation later this week.

Uh, and that's, uh, we, we have a fairly strong concentration, uh, with government contractors, so that's why this topic was, uh, so fun to discuss over the weekend. Yeah, absolutely. And I put you, you did a wonderful job on your blog, Jennifer. I put it up on LinkedIn, but then it's in the call to action there for anybody that, uh, hasn't seen it, um, down below there. So I highly encourage that. Um, Andy, um, I, I, uh, affectionately, there's two, two MSPs I refer to as Don Rickles.

Uh, Jason Slagel is the Don Rickles just in general of MSPs. And, um, I love you because of your commentary on all things CMMC. So welcome, Andy. Tell us a little about yourself and, and Yeah. So, um, my name's Andy Sauer. Hey, everybody. Um, I run a company called Sentinel Blue. We're an MSP/MSSP, uh, and we're, we're more or less exclusively focused on defense industry.

Uh, the business sort of emerges out of my personal background, which started as a help desk, got an MSP, and kind of working up through that world and making a transition into IT management, uh, defense contractor. And Sentinel Blue is sort of the marrying up of two skill sets there. Uh, Andrew references my commentary and, uh, my, my commentary is colored by that background. So I'm a, I'm a guy who's, my career's sort of been, figure it out as you go.

And my transition into cybersecurity was very much like just a willingness to figure it out. So a lot of my commentary's colored by very practical practitioner, like, yeah, we just need to figure this out. Um, so I try not to get too admiring of the problem itself in that I move straight into the problem. So my commentary tends to be sort of like, can we just cut through this and have the real talk? So that's, uh, very good. That'll be in my tone a little bit. No, it's great.

I don't know if you get along with Andrew, he likes, you know, he likes more words. Well, I can, I could go off. Let get back to the announcements then, Gary. How's that? All right, so Wes, good to see you. Everything good on the audio? The visual looks great. I don't know if you guys have ever heard of these, uh, things called Windows drivers, but, uh, they're not a lot of fun. Wes. Um, I'm gonna let you take over while you're doing that, I just wanna share my screen.

I think most everybody, oh wow. I can't share my screen. Nevermind. I forgot. This actually takes up a resource, so I'm gonna just put it in chat. For those of you that haven't seen the, you know, colorful 2.0 versus 1.0, um, it's in there if you scroll down just a little bit. But this is what we're gonna be, we're gonna be talking about a little bit. It looks, it looks something like this. And, uh, you can kind of follow along with the paint by numbers. But Wes, can you take us out here?

Yeah, for sure. So both of you, so I know Andy and Jennifer, really glad you guys both joined. Otherwise, uh, you don't want me and Ryan and Gary trying to lead through CMMC when we have two true experts. And I was actually in, uh, at a conference with Joy Belinda Beland, um, just, uh, uh, last week and we had some great discussion around this. So Jennifer, I'm gonna start with you. We know that, like, I think we've always intuited that changes were still on the way for CMMC, right?

I've been around government regulation for quite a long time, and there's been so much confusion, misinformation, um, even changing in the story over the past, uh, year or two. So why don't you just catch everyone up to date. Jennifer, I'll let you kick us off with like what just happened last week, um, why you think this is happening, and then we'll kind of jump into more depth from there. Okay.

So, uh, as you all know, CMMC was originally conceived to help, uh, fix some, uh, weaknesses that DFARS and the government contractors that were utilizing DFARS fell under. It wasn't a control weakness, it was a, yeah, sure. We're doing this wink wink and we're really not. Um, CMMC was birthed last week. Uh, things went a little different.

Um, I think a lot of us that have been following CMMC very closely that are, you know, RPs and C3PAO candidates and so forth, I think we realized that there was some writing on the wall. There were some discussions that were being had. Um, I don't think any of us understood the depths of those conversations and the sheer volume of changes that would, would be coming out.

So last week, uh, uh, based on a report that was released, that then pulled back and then released again, um, the, uh, Department of Defense, uh, came to some conclusions. They were reviewing CMMC, the rollouts and moving forward. And, uh, based on that review that, that finished, they came, uh, with some, um, uh, changes. And those changes were published last week. And those changes do have several rollbacks, um, that, uh, I guess we're talking about today.

So that gives kind of a, an overview of, of where we find ourselves today. And those rollbacks are, are pretty meaningful. No, you're on mute. Andrew and I got a chance to listen to your little, uh, video last night. It was really informative. Still on mute, Andrew, Sorry, go ahead. It's Andrew's, uh, it's Andrew's first podcast. So It sounds, it sounds like I'm trying to get back Wes and, and then Ryan somehow got boot off. Yeah, I think Crowdcast may be having issues today.

It dropped both of us, I think it may be. Yeah. Uh, So bear with us everybody. Okay. Um, so Wes, can you hit on over there to Andy and lemme see if I can Get Yeah, for sure. So Andy, you had a really good post that probably most people on the cyber call didn't see. I, I remember, I think Andrew, you started it in just like a smaller group discussion on LinkedIn and you said something that was like, right on. Like, I really love this mentality.

I want, I want you to rephrase it for everyone and talk about why it's so important. Sort of this rephrasing of like, if you've been specifically focused on CMMC, you've sort of been missing the, the boat. It's really about good security and then CMMC attaches to that, right? And this is true in all things, but can you, can you kind of talk more about what you said and, and uh, then talk about, um, why that matters so much?

Yeah, so hopefully everyone will indulge a metaphor, uh, given the metaphors in my experience really helped with cybersecurity. Um, what came to mind or what comes to mind when I think about cybersecurity is there was a time in my life where I was really getting into power lifting. It was quite a while ago, not, not so much anymore. Um, but the general goal was like, I wanted to get strong, wanted to put up those big numbers, compare with my buddies, uh, just wanna be more capable.

So decided I'm gonna start lifting. And uh, you know, like any information glutton who can't buy toothbrush without reading, you know, a hundred reviews on Amazon, I spent months like debating over my lifting regimen, reading and trying to find the optimal routines and optimal rest days and nutrition. I get so focused on the model that months of work translate to no actual progress, no actual progress toward the goal of getting strong.

So essentially, you know, you lose that proverbial forest for the trees 'cause you're so focused on the model. Um, eventually someone much wiser and more experienced and, you know, obviously much stronger than I recognized where I was at and just kind of slapped me upside the head and was like, what are you doing? Just get under the bar. And that's kind of a, a click for me. It's like, lift the heavy thing, put it back down, don't overthink it.

And that's kind of what the, uh, message is that I was trying to get. I was like, don't focus so much on the model, don't worry about the optimal days. You just gotta get in the gym. You just gotta put yourself under the bar. And I think it's cybersecurity the same way. The, the goal here is get secure, which is as ambiguous as saying get strong. It's not an end state. It's sort of a progress. And the goal here is build cybersecurity fitness. CMMC is just a test of your cybersecurity fitness.

It's a test of where your cybersecurity fitness is at. It focuses on a couple sort of like, core groups. And my message is, instead of focusing on the test and hand-wringing over the, you know, intense specifics of it and letting these changes like completely shift how you're doing things like what happened last week, um, just get under the bar, start lifting, get stronger and you'll be well poised for any test. And by the way, I should add CMMC, SOC 2, HITRUST.

All these sort of operate the same way. They're, they're sort of practice tests, academic tests, um, that you can game if you want. You know, they give you the answers ahead of time so that you know what you're gonna be tested on. Uh, but the real goal here is to be ready for the real world tests. You know, no beum and the APTs who are out there who know that you as an MSP are the juiciest target they're gonna find right now.

So to me it was always about if you just get fit, you'll be ready for whatever the test is, regardless of what the specifics are. I love it. Yep. And and this even goes back into like cross mapping across frameworks. You know, we often say pick one and go down this journey of maturity, and you're gonna discover every framework that's out there that has some kind of industry bearing or federal bearing has a crosswalk to it.

And so, uh, I I I love that message and I, you know, I I think the gym analogy is really accurate, right? Like if I'm focusing on, um, you know, getting fit and those things, it doesn't matter if I'm traveling and using some hotel gym, is it the world's greatest? No. But I'm not gonna focus on how to use this particular machine. I'm gonna focus on the overall, you know, how do I get fit regardless of gym that I go to? Um, and, and so I think that's valuable.

And Jennifer, um, maybe to come back to you, so we see in model one that it was five different, uh, like levels, right? And it seemed to me that like two and four were like the left out step childs for some reason. Um, and, and so I, is it, is it more in your opinion that we like that, that they nixed two and four or they combined elements of two and four into like the new three models that we have in 2.0? Can you kind of clarify some of that for us? Sure.

I mean, they, they flat out nixed level two and level four realized, wait, we have gaps, what do we do? Let's squish it together. And now we're gonna have one, two, and three. So the, uh, lev the new level two is the old level three. The new level three is the old level five. Um, one is still one, but that, that's the correct, that's the correction that they made. And yes, that will be confusing for a while because a lot of clients just were settled on, I have to be level three compliant.

I have to be level three compliant. I'm accepting CUI, I have to be level three. So that's gonna take a little bit of time. That chart, I think, um, going out to clients is gonna be helpful for them to visually see the difference. Um, but yes, once they dropped the additional 20 controls that the old level three had, um, and went basically back to 800-171 and DFARS, uh, that, uh, that is what the new level two is. And it seems, I have a two part question for you.

Gen, why, why Jennifer? Did they even have a level two then, uh, when I suppose that they never even thought that they would issue like, uh, any kind of, um, uh, contracts around it. And then secondly, uh, just give us your opinion. To me, this seems much, much better. It seems much more digestible. It is cleaner, absolutely.

And it's working with a set of, of controls that many of us are already familiar with, we already have been working on with our POA&M and the SSPs, and we already have those baselines. Andy was saying to kind of build off of, um, why the conversation actually came up multiple times.

In fact, I've been at a couple of town hall meetings and asked, and uh, they, uh, they basically said two and four were holding areas, um, you know, for a client, for a, for a government contractor that was almost to level three, but maybe there was a particular control that they just weren't quite there yet. Maybe they could have two status. That was kind of an intent that was stated.

Um, also they were playing around with, for those of us that took the RP test, and you actually saw on the test that level two, um, maybe MSP related, oh no wait, maybe it's 3 0 8, maybe it's one they kept going back and forth. I feel that level two, level four were conceived almost as a, a, a on deck circle, if you will. I like that, yeah. Now that they realize they don't, they didn't need them. And I actually, I think getting rid of it makes it a lot cleaner and it was a good decision.

I totally agree. Yeah, go ahead Carrie. Real quick. I was thinking, I'm looking at the, the, um, the poll question. Um, more people can go in there and answer it, it'd be interesting. But, uh, 23% of the people, the question was, um, CMMC 2.0 changes. Are they a net positive? And, you know, three quarters the people said yes, and you know, others said no. Why do you think someone would say no? Do you know what the thought process is there? I I think that, I personally think it is a positive.

I, I think there's a lot of pieces of this that make sense. Um, I do think they are giving up a little bit of the independence we're trying to gain with third party, everything being third-party certification moving forward. Of course, we now know that it's probably going to end up looking more like certain contracts are going to have a third-party, um, auditing requirement, uh, and others will not. We definitely know level one is self-attestation at the CEO level or at the C level.

So an executive will have to, uh, test, which puts them on the hook and not the IT director. Um, but, uh, I think that, you know, again, a lot of this is, is going back to positive game because now it's attainable. I mean, we were talking about this in the pre, um, conversation that there are security firms that do nothing but this, that we're having a very hard time passing their own audits. How can you expect that to happen when you have a government contractor with 30 seats?

The, there's just, it, it didn't equate. Andy, do you, do you agree? I think it's double-edged. So for MSPs, there's a positive effect. I think net it's a net negative. In the short term, it, the pressure of CMMC has created somewhat of a certain amount of frantic fear sort of spreading through the defense industry, or at least in my experience, and that's anecdotal, but a lot of people I talk to have clients calling them somewhat panicked. Like, what do I need to do about this?

Um, and for the first time in a long time, I mean, people were putting rubber to the road because there was a real threat. And, uh, my fear now is that softening the threat's gonna trim down on your MSP security pipeline. Um, I think, you know, the businesses that support the defense industry are businesses, and a lot of them really still struggle to see the return on investment from cybersecurity. So the teeth just got a little dollar.

So I think companies will be a little less fearful of getting bit. Um, so from that aspect, I think the MSP industry might suffer. Um, I mean, I even, I got an email last week from one of my clients who was already asking like, is our pricing gonna to come down now? And, uh, that's a whole can of worms. And the answer's basically no, because the changes to the model aren't anything meaningful in terms of like what we need to be doing on a technical level.

Um, on the other hand, that's a hard no. What's that? That's a hard no down. We don't bring the seat price down. Um, on the other hand, I shared your opinion, Jennifer, that CMMC 1.0 was complex. I mean, we, we had people spending the better part of the last two years going down every rabbit hole and finding no answers and trying to do the best they could with it. So reducing the complexity, certainly around like process maturity requirements, I'm happy with that.

I think that's a, a positive, and I think that gives us all a little bit more bandwidth to do what needs to be done, which can be a good thing. It's a little bit more rope, but of course you can do a lot with rope. You can, you know, do well for yourself where you can, you know, hang yourself up with it. Um, I did wanna get in the point, the, the, the change from CMMC 1.0 to 2.0, if you haven't read it, guys, they're removing these Delta 20 practices, these 20 practices that were net new from 800-171. You're now not gonna be assessed on those. But if you look at the Delta 20, there are things like, um, perform and test data backups, uh, prevent email forgery, sandbox email attachments. Please don't stop doing those just because CMMC's not gonna assess you. I mean, those are still super critical practices.

So in my mind, there's just not a whole lot that's really going to change in terms of what you need to do. Andy, can I just get Wes can Ryan, I see Ryan shaking his head, you know, on your first comment. I just, Ryan, can you, do you mind just chiming in just for a bit what you're thinking on, on, on it? Yeah. I mean, that Delta 20 to me, I had the same reaction. I was like, all right, again, we need to think about this as a minimum bar, right?

This isn't the correct set of things that we need to do to be cyber resilient. This is a minimum bar, um, for you to do, do business in the DoD defense industrial base. And the idea is to raise, you know, raise the bar for everyone. But that doesn't, if you're already doing things above the bar, that doesn't mean stop doing those things, because in future iterations, CMMC 3.0, maybe five of those 20 come back, right? So don't, don't treat this as what good looks like.

Treat this as a kind of stop on your journey to to, to better security. Very, very good. Andrew, could I, could I just chime in on something I just saw post Hundred percent, Please. I, okay. Just, uh, I saw someone post this earlier, and I thought it was, uh, something to definitely just make sure that we called out too, is that, um, you know, there are a lot of changes.

I don't think we need to go through all the, the changes here, but it is important to understand that limited POA&Ms, uh, plans of action and milestones, are gonna be allowed. And I, I really think it's, it's important to spend some time on that. Two years ago it was, uh, throw it on a POA&M, it'll be fine. You can take care of it whenever. We didn't say that, but that's the client, that's in their mind what they thought.

Um, realize, I've talked with Northrop, I've talked with Lockheed, I've talked with Missile Defense Agency. They aren't coming off of their rigidness. They've developed this posture and they've come out and said, look, yes, we may take a POA&M, however, we're gonna hold you to your timeline. And if you're not meeting your timeline, you may go out of our preferred vendor status. So when you can have a business conversation with your client and say, look, you're still gonna need to do this.

And you know, Northrop has a level two, they're, they have a, they have their own classification, uh, process. And if you're not at level two, you're not gonna be able to get these contracts, period. That's a business to business decision that they made. So there's still absolute reasons to go forward with this. Um, and there are absolute reasons why today it's still more important than it was two years ago when a lot of the DIB did not care about it.

That's in, that's interesting perspective because we're asking about how MSPs feel about this, and now you're starting to talk about how the contractors feel about this, different view, right? It is a different view, and a lot, a lot of the decision making that MSPs, uh, I think go through, at least in my business, are driven by what my client needs. You know, what my client is asking for and what my client wants, they come to me expecting for me to be as expert as I can be.

Um, and in return, they need to understand how this fits within their business model and their growth. And bottom line, how can I get more revenue? How can I make the cybersecurity initiative a, uh, revenue generator for me, allowing me to step up into a higher class of getting contracts? And then the, is It fair to say that they don't wanna, is it fair to say in general they don't wanna be less secure? Is that a fair statement? Sure. Absolutely. That's very fair.

They don't wanna be less secure. They are worried, as, you know, Andy brought up earlier, um, and, and as their insurance companies, as I've seen, you know, folks that are, are also, uh, pretty concerned about as well. Um, but I think that they have already gotten scared. And now I, I believe a lot of my clients don't want to step back. They are still understanding the value of DNS filtering and some of the things that were cut, and they are still understanding that value moving forward.

And it's, it's our, I think it's our obligation, everyone on the call to make sure that we do continue to push forward. So, Jennifer, uh, I've got one last question for Andy, but, you know, I come outta banking and I wanna see if you see a similarity to this for a minute. Uh, I remember when EMV was first coming out, you know, the new chip thing that had come out. I remember like all of this discussion starting around what EMV process will look like, how the US will certify.

It will be chip and pin, chip and signature, and then deadlines start being rolled out and everyone's panicking and rushing. And the, the, the onus is on banks to be the first to get it done. And so banks rush out and spend millions of dollars getting all this done, completely attested, reassessing their vendors, re uh, reissuing debit cards, all of this work only to have, uh, PCI come back and say, wait a second, we're gonna delay EMV for a while. We're gonna try to figure this thing out more.

And we have a bunch of constituents that aren't ready for this, namely gas stations. And these gas stations, um, have, you know, all of these millions of terminals all over. And so we're gonna yet again extend this, uh, this timeline by another, I think it was three more years for gas stations before they were mandated to become EMV compliant, yet they still left in process the onus of responsibility.

So, you know, where, who, who pays out in the event of a card breach, uh, based on whether you chose to move, uh, to EMV or not, both as a processor, both as a card issuer, and both as a merchant. And this whole thing kept getting muddier and muddier and, you know, things continued to change and change and change until, like, finally, I'm now at the stage where anytime I go to a gas station, EMV, we've finally rolled this thing out, this process of about 10 years.

Do you see similarities with CMMC and, and EMV as an example? Like, do you see some of these things happening in, in a, just in a another cycle here? Who's that question directed to? Is that me or Jennifer? Either you or both. Whoever wants to throw an opinion at, why don't you Go first? So I wanna ponder on that for a minute. I mean, Yeah, I, I wasn't around for that.

I'm not from banking, and I think, uh, I think that event predates my entry into cybersecurity as a practitioner, but sounds similar in terms of here's the big program. Here's all this energy behind this program. Here's how it's going to revolutionize everything. And here's all these people, these prominent people we're gonna put in front of you, and here's all this investment we want you to make.

And here are the prime DOD contractors who are out there telling their supply chain, this is real and we're gonna expect it of you. And then, you know, rug pulled, Hey everyone, we're putting this whole thing on hold. Stop what you're doing and uh, let's, let's, you know, let us go off to the side here and we'll come back with a new plan. Yeah. If that's sort of how that played out, That's exactly what I'm getting at. That's Exactly what this is.

Um, and so you're gonna have a lot of frustrated people, a lot of frustrated companies who are gonna feel like, Hey, we invested in this. Where's that money? Who gets it? Do I get that money back? I'm gonna, you know, go ahead and throw this out there. No, I, no one's getting any money back in my mind. Not a lawyer, not part of the AB, not part of the DOD, but I don't think anyone's recouping anything like RP and C3PAO costs.

Maybe that may happen, but I also will say, I mean, at least in our business and our clients, this change last week doesn't change much. There's not a whole lot of lost investment for them. Uh, 'cause again, our focus was always we're building good cybersecurity regardless of how they wanna test it. You know, our foundation, our anchor point's still the cybersecurity framework, it's never CMMC. CMMC was an augment. Um, so we're staying focused on that.

We're keeping the same stuff that we find effective, like DNS filtering as a general cybersecurity practice. So not, not a whole lot's gonna change. You just may not have to shell out six figures for an assessment of your level three. Yeah. And adding, you know, adding onto that. I would, uh, it's a good analogy. Um, I, I had one of my, uh, one of my team members send me a really funny, um, clip and it had a kind of a, a baseball bat from Mad Max with chains and barbed wire all over it.

That was the bat. And then he, he said, you know, CMMC 1.0, and then CMMC 2.0, and I said, teeny tiny little league, you know, baseball bat. And I said, guys, I understand. I, let's try not to be hyperbolic about this though. You are still violating a federal law. If you attest that you are doing something and you are not doing it, you are still, you know, on the hook for the False Claims Act. And they're, they're strengthening that.

They're making sure that executives have to sign off and no longer IT directors can sign off on it, and they're putting more teeth behind going after, the DOJ going after that piece. Again, not as much of a, of a Mad Max bat, but it still does have some teeth to it. And I think we all need to remind our clients, you still have a legal liability here that puts you on the hook and no one looks good in the orange jumpsuit. Fair point. Okay. That's awesome.

So my last question, uh, before we turn over to Ryan is, uh, Andy, I don't, you talk about CUI controlled unclassified information for a little bit, and I think you have a theory here is what I understand, right? So for, uh, you know, any org that was like not having to handle CUI initially, um, you know, talk to us about level one and level two by extension, like where were there, are there changes to that aspect on, on this?

And I, I also want you to stumble a little bit into like this argument I hear often, uh, or sometimes often, of a client saying, back to MSP, well, I don't have CUI, uh, uh, so so why does this even matter for me? Right? Can you, can you just talk about all of this? Yeah. So, um, level one, level two, level two, which used to be level three, let's set all that confusion aside. Let's talk CMMC 2.0. So we all accept old level three is now level two.

Um, level two is essentially if you're gonna handle controlled unclassified information, you're gonna need to be at level two. Most companies that I work with, uh, have been told from a contract officer, they're probably gonna handle controlled unclassified information. No one's really told them which data set that they have is controlled unclassified information. Um, they're certainly not receiving it labeled properly.

As CUI, um, most of 'em are still receiving it as FOUO, which is sort of the precursor, or you know, they're outright being told like, yeah, no, our whole program's generically CUI, so you should treat it that way. Um, they'll have it in their contract language, you know, implement DFARS 7012, that clause, which, uh, enforces NIST 800-171 for the protection of CUI. They'll have that in their contract.

They won't know if they have CUI, their contract officer may tell them, but won't tell them specifically, or their prime will tell them and say, you know, implement this. And then the small subcontractor has to be like, but we don't, we don't know if we have any CUI. Why would we have to do this if you can't tell us that we do have it? Um, so there's been a lot lost in that.

And unfortunately, I mean that a lot of that just stems from the government not really, uh, being on top of their own labeling process. Um, now there are big changes coming, um, in the old model. I mean, we were told level three, 100% of the companies that handle CUI were gonna need level three. And that involved an assessment, uh, a five day minimum mm-hmm.

On onsite assessment, um, equivalent to DIBCAC, which I've been through one and it's five days of microscopic looking into your systems, a hundred percent of those companies are gonna need it. Now, the DOD has packaged into the new model of bifurcation, and the bifurcation is essentially DOD saying, we reserve the right to pick some contracts where we think we're gonna want an assessment, but for most everyone, you're not gonna need one.

We're going back to 2017 where you attest to us that you're doing it and you know, we'll dangle the threat of DCMA coming out to check that. Or, you know, if we put you on a contract that we deem critical, you'll need a third party assessment. Fantastic. Thanks Ryan. I'm gonna turn it over to you, my friend. Cool, thanks. So we touched on this a little bit.

Um, uh, you know, Jennifer, I know earlier you, you made, um, a comment about people's self attesting and how well that had gone and like why we really needed CMMC to begin with, but it seems that we've kinda reintroduced this with level one needing self-assessment. Talk to us about that requirement, um, specifically for companies only needing one and what, what that self-assessment really means and what their obligations are. Yeah, absolutely.

So I think that when the delay occurred with CMMC over and over and over again, and they put in the, the SPRS score, the SPRS score, as a stopgap measure, um, where a, you know, the Department of Defense contractor has to go onto a particular portal and they have to post their, their number and attest to that, I think they started to realize, Hey, why don't we do this instead?

Because the writing was on the wall a little bit that the DOD wasn't pleased with how many government contractors were gonna fall off their approved list. So I think that within that, um, they saw that as a mechanism to, to jump behind and say, Hey, okay, let's, let's, let's at level one, you know, 17, let's, at level one, let's go ahead and allow self assessment. I do know the, there's a lot of talk, um, behind the scenes. What does le the new level two look like?

You know, I know there's a lot of debate back and forth of self assess, uh, self, um, attestation versus a third party. Um, and again, I feel that they are still fleshing that out. They're still gonna have to define what type of contract or what type of CUI, you can probably bet that any type of technical data, um, UTCI data is probably gonna have some type of, of third party validation or third party audit, but it may be more tightly scoped than before.

Um, we're still waiting for that guidance to, to come out and see what that looks like. So I, I, I hope we answered the question. Uh, it, there's still a little gray trying to develop that, but definitely level one, you will be allowed to self assess and self attest at level three. Some, uh, contracts are gonna be able to self-assess and self attest.

And then the contract will specifically state, it's supposed to specifically state if third party, um, certification will be allowed or will be needed, or will be required. Um, and that's where, that's what we know now. Check back in a week and we'll see what happens. Right. So one of the, I'm gonna go down a rabbit hole here on this question. Um, so MSPs themselves can be contractors, uh, directly, right? But MSPs can also service small, medium sized businesses that are contractors.

So when there's a level one self assessment, um, is the MSP in both cases always going to need to submit a self-assessment in their own SPRS scores? Or is there a difference depending on whether they're third party or fourth party to the defense industrial base? It's a loaded question. Um, I'll preface it. I'm not a lawyer. Um, but my interpretation is if you're not on the contract, you have no legal obligation, right?

If you're an MSP, you're, you're a service provider, there's no legal obligation on you to do it unless you're on the contract. Now, your client may say, Hey, part of our agreement is I want you to get CMMC level one or CMMC level two, whatever the case, right? But you're certainly not required to do it. Um, if you're an MSP who wants to play in this space and you wanna grow, uh, in your defense vertical, I would advise you go down this pathway and be prepared to be certified.

Um, up until two weeks ago, or last week really when this all changed, we had had a number of conversations with some of the C3PAOs that were already out there about us as an MSP, getting in mind to get level three certified and what that would mean for our clients because we're providing so many of the requirements. I mean, some of our clients we're doing 80% is kind of our guesstimate of like what they need to do.

So if an, if we get certified at level three and we have 10 clients, surely those 10 clients should have an expedited assessment. 'cause we're the critical dependency providing everything. And, uh, shockingly, when I talked to these C3PAOs, this was the first they'd heard of the idea of really, of MSPs being a critical dependency of small defense contractors. And they were all kinda like, oh yeah, that kind of makes sense. I I could see us doing that. There's no directive on it. Yeah.

Um, so I think, I mean, that kind of gets, again, there's layers to this, right? One of the layers is what's, what's the impact to the MSP if they're a contractor, a sub to a contractor for the defense industrial base, and the customer fills out a self attest characterizing the MSP subservice is one thing, but it's actually something else. Yes. And So I think Territory, Yeah.

So there's, I think even if you're an MSP, whether you're directly impacted or you're a sub to someone that's impacted Gary, who I think would, would agree with this, you're, you need a service that you are charging for to, uh, you know, it needs to be something that they, um, they engage with you with. You probably need to carve out language in your contracts for it. But, um, if, if you have to engage with them in their self-assessment process, you should be charging for that full stop. Right?

A hundred percent. So knowing that self-assessment is, is a requirement, um, do you think that's gonna drive more business, and given like the likelihood that these small defense contractors are, are not really gonna even fully understand how to parse the framework, do you think that, and do you think that these changes specifically in this self-assessment piece, is gonna drive even more business to MSPs as a result? Not That think it net, net the same?

No, I, I think, I think it ultimately drives fewer, um, because the self-assessment was already a thing. It is already been rolling downhill because it's part of this interim rule that came out. And so we were seeing a lot of pressure come down from primes and even the government saying, Hey, you need your SPRS score. And so that, that mechanism already existed.

Now there will be more of that mechanism because there won't be the certification mechanism, but the certification mechanism was always gonna put more business in the MSP uh, channel. I mean, that was always gonna drive more people. 'cause that's a scarier thing. That's actual spotlight coming, and that's actual assessors coming to look.

Now in the self-assessment, self attestation thing, there's plausible deniability to a point where companies, I mean, companies are gonna do what companies do, and maybe this is just me being a little jaded, but there's not as much teeth there. And they might say, Hey, what's I get this, I get this question a lot when I talk to prospects. What's the realistic, you know, threat of me actually getting assessed, right?

And they, they ask that when we're talking about the actual work we're gonna do for them, they're like, yeah, but do we need to do that? I mean, what's the actual risk? Or they'll be like, isn't the Actual risk that I'm gonna have a breach? Right. And you can't quantify that. Or they'll be like, you know, they'll ask me in, in uh, different ways basically like, well, what's the latest I can start on this?

Because they'll be like, well, what's, you know, what's the actual timeline where I might need to be prepared? And you try to tell 'em, look, this isn't a thing where you can call us 30 days out and we can fly in a bunch of people, you know, uh, in Black Hawk helicopters and get you ready and you're, you're, you know, you're ready to be assessed. So I think ultimately the change, it loses a lot of teeth.

So I'm gonna, I'm gonna say there's a tool in a lot of cybersecurity practitioners, toolboxes that's being removed today where you can no longer sort of tell the client like, look, this is really happening. There will be assessors coming here. Where now it's much less of a threat. So I think that causes the net negative. Okay. So talk, Andy, talk to us about, um, new level three levels, also known as level two. Yeah.

Um, there's this requirement, this criteria for the bifurcation of criticality of data. Yeah. Um, which is really like the critic that as the data relates to national security, is it true that that, you know, subjected entities will, um, will be not only assessed, but they'll be assessed more frequently against that criteria? No. So the old model was everyone at level three was gonna get an assessment every three years. That was the language, that was what was built in.

And the new model, they're saying only a subset of the level two will be assessed and they'll still be assessed every three years. The original document came out last week and the original site said Triannual. So people were like, oh, it's gonna be three times a year. It was a typo. They came out and they fixed it. It's triennial. So they'll still be assessed once every three years, but it's only gonna be a subset of those level two contracts that will have that.

Um, it's worth pointing out in this, uh, someone, another person worth following for folks, Leslie Weinstein on, uh, LinkedIn. She's a, a policy expert. She's someone who has a pretty good take on CUI and, and the legality around it. Um, this bifurcation is still CUI on both sides. It's still controlled unclassified information, still needs to be protected in the same way. Only a subset, DOD is saying, this type of stuff.

We, you know, we want to come with an external party and make doubly sure that you're doing what you said you're supposed to be doing. Yeah. So I'm gonna go kind of broad on the next one too. Maybe load this question up too a little bit. So when I think about the opportunity, maybe over the next three to five years for MSPs when it comes to, to CMMC? Uh, I have, uh, I have two minds about it. One is I think it's a tremendous growth opportunity for them.

Um, the other is, it's, it's a question of at what cost, right? And the, at what cost piece for me is, um, certainly if you're going to the new level three, right? That's, that's like prime time for very capable threat actors. So as you walk down this path, you are, you're, you're taking on additional risk, cyber risk, well, you know, well, but at the prospect of actually giving a customer that understands, appreciates and has a requirement for real security.

How do, how do you rationalize this, like, this kind of increased risk, but increased growth opportunity that comes from this? Uh, what do you, how do you think that's gonna take out for MSPs over the next few years? I get where people are being un, you know, I, I get that's uncomfortable. There's more liability when you say, Hey, we're gonna monitor for security incidents and we're gonna be on hand for, uh, incident response.

I mean, that's tremendous liability, um, addition to what most MSPs do today. But I think, at least my anecdotal experience in talking to MSPs, the, the whole tide seems to be rising for everybody. So I think it's, um, everyone's adding this stuff to their stack. There's more and more vendors coming to the channel with security tools who have recognized like, Hey, the MSP world, we can bring some, some real value here. So I think MSPs broadly are still gonna, uh, take advantage of it.

I agree with you completely that there's huge opportunity with CMMC and, uh, you know, the other broad cybersecurity programs that are being, uh, put out there. If you're a wise MSP and you want to grow, I think security is not only an option. I think it's the option. And I think those who, uh, those who fail to move forward and act on it, you'll end up, uh, suffering for it. Yeah. Yeah.

I mean, the way I tend to, the way I frame the question really succinctly in my mind is, um, is going after a five x revenue multiple worth having APT29 actively target me? That's a hard question. Yeah. Right. Hey, I have a question for Andrew.

Andrew, we've kind of been saying we've had, you know, Ryan Bonner on, and basically we came to the conclusion, and I've been sharing this with, you know, my traumatic members, you know, based on CMMC, either you're gonna focus on this vertical and do the things you need to do and make the investments, and then you're gonna monetize it, right?

By having more customers in that vertical, or you happen to have one or two these customers, and maybe it's better just to transition them to someone else. A that's what we discuss, right? But do you feel any different? Does this change anything in terms of how you would recommend people, Andrew? No, no.

I wanna ask you, Andrew, that's kind of what we had talked about and we had Ryan on like, you're either gonna make a commitment to this and make the investments and you're gonna monetize it, or it's not like something you wanna just put one toe in the water and you may walk away from a client or two, uh, because it doesn't make sense to do all the investment for those one or two clients.

Yeah, I mean, I think it depends on, you know, again, I I, let me just validate this with like Andy first and then Jennifer, but you know, I think, like Andy says, you know, are you practicing good cybersecurity, number one? And then number two, at what level is this company going to, you know, kind of fall into, are they really gonna be at a CUI level where it's gonna be the one where they're gonna be assessed, uh, at level two now? Sorry, had to think that through.

Um, and can you work with, uh, let's call it, or Ryan Bonner, if you will, to, to help in that? Um, in that process, if it's only one or two, I, I'm not so sure you have to give 'em up, but if, if you're doing those a, like Andy says, if you're doing the right, you know, security controls and then improving your security maturity and working and partnering with somebody like Ryan Bonner, Andy, what are, what are your So thoughts on that answer?

This past summer, we had our first DIBCAC assessment, and if everyone's not familiar with DIBCAC assessments, that's when the government sends out an assessment team of three guys and you spend five days with them and they go through your compliance with 800-171. And we did this with an MSP client. Uh, I was already coming into that feeling like, okay, we need to do a lot more than we would typically do with MSP clients for these clients.

I came out of that feeling like, I will not do work for defense contractor if I'm not fully engaged. And I don't have that like deep intertwined with them, and that we're not on the same page sitting across from assessment team for five days and being absolutely microscopically shredded in terms of what our infrastructure and our processes were and who our people were. Just, you can't be half in. That's my opinion.

I Mean, so it was, it you, they were, they were looking at your company, Andy, or the customers Looking at my client, but because we provide upwards of 80% of what my client, you know, what their security apparatus is. Yeah. I mean, it was, it turned into about that day in the assessor sort of realized, wait a minute, we're assessing you Right through Them, but ultimately this is an assessment of you.

And that sort of solidified to me like, you have to be in this, you have to understand it, you have to put in the time and the effort. For a lot of MSPs, you're gonna have to get personnel who can do cybersecurity. And that's hard to come by. It's a terribly small talent pool already. Yeah. So just to clarify, was that a level three? Yeah, at the time, A level three? Yeah. So it wasn't a CMMC level three, it was a DIBCAC, which is an assessment of 800-171. So it's the 110 requirements.

Got it. Very good. It's, So now CMMC level three should be, yeah. Now level two. Okay. So I mean, so Gary, I think that's really, you know, these are the guys. And Jennifer, any thoughts on that as well? I mean, I think what it sounds like you, you may in theory, yeah, you will get out of it a again, I don't know if that, Andy, if they're a level one and they're asking for help, do you need to, but That's, that's a little easier. I mean, level one's pretty straightforward.

The requirements there aren't as complex. It's just defense contractors. CMMC and DFARS is one aspect of it. I mean, you have all these other requirements in DFARS about incident reporting, and you have to know how to, you know, respond to an incident and that you have 72 hours to tell the government and how to tell the government and that media needs to be preserved. All that stuff, we don't shine any light on because 800-171's, it's whole scary thing.

Um, you can quickly be a liability if you aren't doing your due diligence and you don't have folks who are putting in, you know, the time and effort to be on, on top of all this stuff. So if you're gonna have companies on your roll who handle CUI, you have to do a lot of proactive work.

You have to make sure that your staff are probably US persons, that your infrastructure's in the United States, uh, that if you're using certain platforms that have offshore links, you're have to find a way to cut those links. I mean, a lot goes into it, and I wouldn't be comfortable myself being half in. Yeah. Okay. Well, there you go, Gary, does that answer it?

And that's a conversation that I've had with clients as well of asking them, you know, I have a client, a couple clients that are manufacturers and sure what that is. Uh, I have a couple clients that are manufacturers and they, uh, they'll have one or two government contracts out of their entire business, and we'll ask them if, Hey, do you have, you know, is this worth it? Is this $30,000 con, you know, contract worth it, you know, to make that determination.

We, um, we decided eight months ago when clients were asking us where CMMC was, we decided, look, you need to be in compliance with DFARS 800-171. Let's focus on that. Let's, let's, let's get you an adherence to that. We've probably been through I a a dozen, um, DIBCAC slash DCSA, um, audits, reviews, um, with clients.

And the very quickest way to get that client to say yes to something that I've been telling them to do for the last six months is for the government to say, yeah, you really should do that. And then the contract is sign next day. And it's not, I'm not trying to make it a revenue generator. I'm recommending something that really is going to increase the, you know, maturity of their security.

And, uh, to be able to have them say, yes, Jennifer's right, you actually should be doing this, that really helps. So I actually look forward to those situations where the client is sitting next to us and we're holding their hand and say, yeah, I mean, he's got a point. He's gonna, I told you he's gonna din you on it, and you, you've gotta accept that. Um, so for us, it, it's a little different.

Uh, I don't think that, um, we don't really worry too much about that because we have made a, a corporate decision to align with 800-171 with our own, um, controls for F1. Therefore, it's just a, a world that we feel comfortable in, uh, with those clients. But Andy, I, I totally agree is if you are thinking about just dipping a toe into this, you really need to jump in.

You need to jump in all the way, you need to understand, you need to be on the chat boards, you need to really understand what's going on. No one's ever an expert, you know, we just try to know enough to be dangerous. Good. Gary, thanks for that question. Um, so Ryan, are you, did you have any others left? You have left here. No, I'm good. Good. Okay. So in the remaining like seven minutes, Gary, you know, business side of things, maybe we could kind of turn to you.

There were a few more questions we can answer, but I think we've covered a lot of the spirit of this. Um, yeah. You know, the changes and everything. What, what kind of the, is the net takeaway for you? What are you thinking? What are you gonna recommend to your peer, you know, their peer groups and, uh, MSPs as they bring this up? Yeah, so I mean, I think they got a lot of good advice today. I actually like to pose a question to Andy and Jennifer, like two scenarios.

One, you're someone who is already dealing in this, you know, from everything we've talked about, like specifically, what might you do differently? And if you're someone who was preparing right for CMMC as an MSP, what, how does this change maybe what their plan would be?

So I'm trying to net it out to, to MSPs, like to zoom out on this thing and saying, after all these things we talked about and some things we don't know, is anything really different what they should be doing the right thing to do? And yeah, Jennifer, I'll let you go first. Okay. Um, I think that this doesn't really change our playbook at all. Um, we are still, um, actioning the same playbook we had a year ago, two years ago.

I think that Andy's right, the freak-out motivation that a lot of clients had over the last eight months has been diminished. They're not as, oh my God, I have to do this. But they still realize they do have to do it. So I think maybe the sense of urgency may be diminished a little bit. However, I don't think it's changed any of our playbook. Go after DFARS, get your POA&M narrowed down as much as you can, get all the controls in place, you know, let's do the right things.

Just what MSPs need, less motivation. Got that. Andy? My sentiment's the same. I mean, nothing meaningful changed for our business last week. Our roadmap's largely the same. Our efforts are largely the same. There are changes to the specifics, but again, our goal was always to get stronger. So there's one less of a tool in our toolbox for motivating clients, but there's naum still out there.

I've got plenty of articles to point to of companies like theirs that have tanked, and, you know, those are still out there, and we're getting better. You ask, like, what would you do differently? I've learned a lot in the last year about messaging, and what messaging works with clients to motivate them to make investment.

And someone much wiser than me probably told me at a time, like, focus on the return on investment they get, and less on the fear, less on the sky is falling, and more on here's the benefit your business will see. And I think if I'd got on that messaging a little sooner, I'd probably be a little further along. So, yeah.

So when I had my MSPs dealing with clients and working with our vCIOs, you know, often they would ask them to make some investment in anything, and the client's number one objection would often be, well, that doesn't really seem to be a problem. And our response was, nothing's a problem until it is. Right? We haven't been breached yet, so why do we need this multifactor stuff? Right. Awesome.

So, Jennifer, any closing thoughts from Orlando as you head into a week of community peer groups, et cetera, and we wrap things up? I mean, this is a topic of conversation that's happening in the peer group meetings, at least in my meeting. And I don't think we're focusing as much on CMMC, I think we're focusing more on insurance, how insurance is driving compliance, which then we're able to tie back into HIPAA and DFARS and CMMC.

But I think that moving forward, again, there's just trying to do the right thing. It's making best efforts. You're not going to be perfect if the bad guys won't end. Again, that's why security professionals are now saying assume breach. Just assume breach. You know, stopping the bad guys from getting in isn't really the goal anymore.

Yes, we'd love to, but I think that we're all focused on, okay, how can we put as many speed bumps in the way and be the hardest target possible? Not perfect, but possible. I think no matter what regulation you fall under or don't fall under, I feel that that just has to be a guiding focus for all of us: just try to make our clients and ourselves the hardest targets we can. Thanks for that, Jennifer. Andy, how about you, closing thoughts?

I'll put it simply: if you're an MSP in this space, get under the bar. Start lifting. Alright. Alright, well, so on behalf of everybody, Jennifer, Andy, thanks so much for coming out. Jennifer especially, yes, heading back to your hotel room and doing this for us. And we're really excited that we finally eclipsed 4,000, and we'll look forward to next week. We have a special one. Tell everybody, it's going to be Ask the CSOs.

So we are going to have David McKim on from Enable with Ryan and Wes. And Gary's going to be doing some warmups here, you know, with some fastballs. So until then, everybody have a fantastic week. Take care, everyone.
