CyberCall – July 6th, 2020
In this video, industry experts discuss the evolving landscape of cybersecurity regulation, focusing on the Cybersecurity Maturity Model Certification (CMMC) and its impact on Managed Service Providers (MSPs). They explore the challenges MSPs face in adapting to the new standard, including the need for documentation, governance, and risk management practices, and highlight the importance of implementing and evidencing security controls and data protection measures, along with the opportunities and risks for MSPs as they navigate this regulatory environment.
- The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense framework intended to stem the loss of intellectual property from the defense industrial base; a contractor must hold the CMMC level specified in a contract opportunity in order to be awarded it.
- Managed Service Providers (MSPs) play a crucial role in helping clients achieve CMMC compliance, particularly in documenting and implementing cybersecurity controls, and are expected to need an equivalent level of certification themselves if they have access to client systems.
- The introduction of CMMC is expected to drive significant change in the industry, including consolidation among defense contractors and MSPs, as those unable to meet the requirements exit the market.
Guests
Video Transcript
Okay, we are live. How you guys doing today? Welcome, Gary. Welcome, Kyle. Hey, happy Monday everyone. Happy Monday to you guys. Hey, just a few things in housekeeping. I don't have my, uh, my, my, my, my wreaths and my Santa Claus hats and everything in the background. We had our internet go down and I had a run, and Wes should be getting on shortly. We're gonna keep an eye out there for him. But, um, I was looking for some water. Um, I found Woodford Reserve.
I found Tito's, but no, I mean, those are all water substitutes. Should be a great call. Yeah, I was thinking the same thing. Perfect. Water substitutes. Yeah, Exactly. All right. So, um, again, we'll keep an eye Off. They said he's in that, uh, someone said he's in chat. Is he in chat? Okay, You're out there, Wes. Let us know. All right, Andrew, we got a lot to cover today, man. You have a lot to cover. Yeah.
So first things, um, number one, um, Gary was telling me a little bit in the green room, my audio might be a little choppy. Apologize up front for that, guys. Um, if it gets a little haywire, I'll let these guys take over. Um, yeah, Carl, I know I'm, we're having some issues with, with my side, so sorry about that. Um, A few resources for you guys up and gals up top.
Uh, probably is now if you have, if you scroll back up, top glossary terms, the last time we had someone on regarding CMMC, there was a lot of, there's a ton of acronyms gonna get thrown around, so I just wanted to make sure you guys, it's very true about, um, there. And, um, uh, Ryan Bonner's, um, uh, uh, bio other thing, I'm just gonna put this in the chat real quick, is we are gonna do a tabletop, um, there's the URL to register for the tabletop. Um, and we, we'll get right on into it.
Um, thank you for that, Kyle. Yeah, that's what I threw in there too. Um, okay. So, um, today, why are we going back to CMMC? Well, there's tremendous amount of talk about it. It's the largest, um, you know, small to medium business overall out there. Like when you look at a cross section and talking to Ryan Bonner of customers and, and where the lion's share of GP goes it. So this is gonna impact, I would say arguably the majority of MSPs out there.
Again, not all, but the majority of them are, are you going to have a client that fits in the defense industrial base, or dib as they call it. So, with that, let me start off with the agenda.
I'm gonna ask, you know, Kyle and Gary, and if we, again, from their perspective and working with MSPs and their perspective, 'cause they have very unique ones, Kyle coming from working literally in the DOD and, and, and serving our country, Gary, running an MSP, and then Wes, again from the practitioner side of things, but little backdrop, um, you know, if you guys are servicing, um, industrial base, CMMC's probably nothing brand new to you, but for those of you that aren't, just a quick background.
Okay? So there's something called 800-171. It's a NIST framework that was put out a while back. And lo and behold, you for the most part, unless you were way up in the subs, uh, or a prime contractor, you would self-attest, meaning you, no one would sit there and say, Hey, let me see your audit as an MSP. Hey Wes, welcome to, to, or, um, or as a customer providing widgets, let me see. You know, your, you want audit.
Well, lo and behold, with, um, you know, the cyber espionage and attacks that we are experiencing, the deal, we need something new here. And hence the Cybersecurity Maturity Model Certification was born. Um, it's going into effect as we speak. This is right around the time where the screws are starting to tighten down. Ryan Bonner's gonna give us a whole host of information on it.
He works with not only NIST and is a contractor, um, for them and the, what are called the, uh, manufacturers extension programs, or MEPs, but he works with a bunch of MSPs and MSSPs because he gets involved directly with customers and through their audits. Lo and behold, it's gonna be reaching out to some of you at some point. Um, so with that, um, you know, again, you and I have known each other for a long time.
We do own dynamic digital around that time, probably, you know, HIPAA was impacting healthcare providers and there was a macroeconomic change, um, consolidation, et cetera. How do you see this thing playing out, um, today and in the future for MSPs? Yeah, so if you think about it, Andrew, a lot of MSPs deal with, there'll be an increasing number of their customers that will fall under this. They're somewhere in that chain that you talked about, right? Uh, dib.
So probably what will happen is it, it'll be an opportunity for some and a risk for others. So some, they won't be able to get up the maturity level that Ryan's gonna talk about. And they're gonna have to change the way, like how they focus their business, who they deal with. Others will be able to do it and continue to grow in, in that area.
And some will get really good at it, and they'll be able to gain more business because they're more that other people in terms of where, what level they are in that framework, you know, and, and you know, as Ryan explains how this gets rolled out over time, this is the, this is the perfect timing, Andrew, to be able to start.
And the last thing I'll say is, you know, if you think about a lot of the things that happen with frameworks, especially early, like the basics of that, there are actually things to everyone, like, regardless to who your customer is, like everyone should be there, right? Yeah. Well, they talk about a level one. Like if you're not at a level one CMMC, you probably want to question being in the business period. Uh, Kyle, a question to you.
You know, you, you know, 10, 11, 12 years at the NSA, you've dealt with the granddaddy, 800-53. Um, and, and maybe just you share a little bit about what that is and what are your thoughts on moving from kind of a self-attestation level of an, you know, these MSPs and their customers now moving into, Hey, there's gonna be full-blown audits, um, feet are gonna get held to the fire. Um, how do you see this rolling out over the next few years?
So, I guess it's worth mentioning, not only did I work at NSA for a very long time as a government civilian, but I actually left and started a cleared defense contracting company. And that was literally the cash my co-founder and I got from that, exiting that company, that allowed us to roll out hunts. So we've been on all sides of this, from the people helping influence some of the decisions to the, the folks actually having to comply with some of the NIST 800-171, NIST 800-53.
And for any of you that don't understand those acronyms, think of just overall frameworks and guidance publications that the US government said, Hey, here's a standard. But you'll notice, like when you start thinking about security and privacy controls, as Andrew kind of alluded to, there's one thing to be able to, you know, more or less self-assess or more or less say, Hey, you know what, I'm good to go. I promise I'm, I'm a pinky promise here.
And, uh, promise you a self-attestation that I'm good to go. Uh, unfortunately it doesn't work that way anymore. Even with NIST 800-171, it gave you more requirements that you, in controls that you would have to implement. However, with CMMC, it's now, they're not gonna trust you until they verify you.
And that's a big difference to have somebody in your Kool-Aid making sure that, you know, not only is the bar this high today, when they leave that perimeter, when the auditors leave, you're still more or less agreeing that you're gonna maintain that certification or you're gonna lose your contract.
So I could tell you, me, as a small defense contractor, you know, with only a couple million of revenue when I, when I had that company, uh, I would've outsourced it 110% would not have been worth my time. Huge greenfield opportunity. Yeah. And probably that line is more than 2 million in revenue, right? Where it doesn't make sense. Yeah. Yeah.
Gary, what's crazy, first year in business, my very first year in business as a cleared defense contractor, well over two, three, I think I was, I was closer to six or 7 million in annual revenue in the first year. That's how big some of those defense contracting companies get. Hence the reason it's a drop in the bucket to go pay somebody a couple hundred dollars, you know, per endpoint to go take care of that stuff. Yep. Great. I mean, hundreds is gonna be outsourcing a $200 in endpoint.
Kyle, I just wanna see if we're gonna get any bids out here for you. Yeah, not, not today. I, I love the services work, but, uh, I got software. So Wes, um, practitioner viewpoint, um, implementing security controls, assessing over and over. This is, you know, doing audits is nothing new for you.
But, you know, if we were to use the financial services as a, you know, maybe a, a backdrop in relationship to CMMC, was there a mature or a rolling out or a maturing of the FFIEC, um, which is the equivalent to, if I could, governing bodies use audit? Um, can you talk about that? Is there gonna be a maturing of this, and was there in the banks? Well, we can't hear you. You know, he does look studly though, in that virtual background. I mean, whoever's doing his decorating, I am impressed.
Um, let me just see. Bear with us. So, looks like his, uh, mic on. Yeah, I think, uh, do we, do we get anybody in the help desk that might be able, if we try turning it off, we turning it on again, right? That, that's where we go with the Okay, well one second. One second. Do we got it? Wes? Matt, can I throw the show going? I'm sure we can come back to him. Yeah. So Kyle, can you speak to FIPS at all? I don't wanna put you on the spot. We can leave it for Ryan if need be.
Tell me if you want me to bring up that. Um, or actually, I got one here for you, Kyle. This comes from, uh, Forrest, laying 'em on us. Really good here. He said, like with 2FA, how far down do you need to go with multifactor? Do all paths and Windows need to be protected by 2FA? So this is specific to CMMC. We might wanna leave this to, to Ryan coming on board. I'm happy to do that as well. Alright. So we, you let us know. We'll keep working on that. Oh, he's back.
Oh, is that, Are you kidding? Is it back? You there? Yeah. Gotcha. Yeah, Who knows what's Going on. I, I blame, uh, I blame all the things today, including our internet service in Tampa. It's not so great. Yeah, it's not. So, Wes did, did you recall the question I Had there? I did. You, yeah, I did recall the question. You know, one of the things that I will say I'm excited about where CMMC is going. So nobody really likes regulation, right?
Like, I've never met anybody that's like, Hey, yay, more regulations wonderful for all of us, right? No one likes it, but what's good about it is it does force change. You look at like financial services, where I come outta, it's one of the first industries that really banded around, Hey, we've gotta do some things differently inside of what we're doing for money movement. We really need to protect all of this.
Um, and what you saw out of that was a maturity that's put banks by and large, not only, not specifically, and there are outliers, but banks do a really good job overall of not only practicing cybersecurity, especially for their size and their complexity, but also resourcing it. Um, also funding it, all of those kinds of things. And why is that? Well, let's be honest. Cyber regulations are a driver for that, right? But what all regulations that sink into it, right? They need consequences.
They need, Hey, if you're not doing this, here are the things that are gonna happen. And you see good regulations have those teeth. And I think with CMMC it has those teeth, right? And it's going to change our industry, especially as MSPs and service providers, as we're gonna talk about today, with the requirements that you have with your adherence to it if you're gonna serve those clients, right? So there are revenue ramifications, there are security ramifications.
Um, I think those that seize on it and utilize it are going to come out ahead, right? And so now is the time to be practicing and prepared for it. Excellent. Alright, so I'm gonna keep motoring through here 'cause I know we got a little behind. Apologies for those guys and gals out there. Um, normally I would've talked a little bit more about the difference between level one, three and five, just, and Ryan's gonna do that.
But leading into that, realize that again, you know, 17, um, you know, practices, minimal things in level one, level three is where, you know, they call it managed. This is the full 800-171, and level five is where you, you know, it's a significant amount of controls, process, policies, backdrop.
So Gary, you know, when you spoke with your clients as they were going through regular, you know, increased regulatory scrutiny, did things change in terms of sales for both, you know, your sales methodology as well as your vCIO methodology? If so, how? And any thoughts or recommendations for the folks out there? Yeah, so Andrew, the short story on this is what changed was, um, how I was able to, it gave me something concrete to be able to explain risk and exposure, right?
To those business people. Once that happens, now I can talk to them about making budget decisions, right? Based on, you know, mitigating that and getting to the point of having that be the reason for the conversations instead of How I was talking to him years prior about, you know, tickets and support and response times was done, that wasn't even mentioned anymore. And so that value proposition goes up, and I was doing it not just for them, but my own risk that was going up.
And that's what's happening right now. MSP's risks are increasing. Kyle, we were talking in the green room, they increased again this weekend, so they're increasing at a pretty alarming rate right now. And so, and in order to move forward, like, you know, we're doing the tabletop exercise, that's great, but having a framework to work within is so important on how, how you understand what's involved in and how to translate that to customers. Yeah.
And I think what you're saying there too, Gary, and, and, and Wes are gonna kind of flow into your question is, you know, you'd want to know that the MSP themselves is doing that. I gotta believe in Wes. My question to you is that, you know, if you were on the receiving side being the customer, 'cause you have been, to MSPs and MSSPs, what, what message would you want to hear?
What, what kind of communication would you want coming forth from pro MSPs prospecting, MSSPs prospecting at you, and your existing one if you had had one? Yeah, I've mentioned this before. I think it was at IT Nation last year, if I remember right. And I said, maybe it was at Peric Con. And I said, you know, one of these days I'm gonna start a talk. I'm gonna call it why I fired my MSP and why I would hire them in the end. That's fine. And we went through this at the bank.
So we had an MSP when I came on board as CIO and they were just performing sort of the vCIO oversight, and they were doing a pretty good job with it. But, you know, as they were, um, looking at adding managed service on top, you know, we started doing a lot of due diligence, really looking into what this MSP was doing and not doing, and really discovered they, from a security point of view, they weren't mature enough. They, they didn't even have basic policies in place.
Um, you don't have that, you're not practicing, right? We just knew as, as we started going through these questions and the delays and answers all of this, it just wasn't working. And I remember sitting down with lunch with the owner and I said, Hey, we're having some problems here. And he said, stop. He goes, I'm having problems with you. And he goes, if I can be honest, it's mutual. He's like, you're about to fire me, right? I'm like, yeah. And he goes, good, because I was about to fire you.
He's like, you guys are a cost overhead we just can't maintain. Fast forward four years to where they're at today. Not only are they Perch customers, so I talk to them often, but they have grown so much. They have a number of financial customers that they work with, and not just banks, but credit unions and investment firms, and a number of them.
And they're very, very, very successful because they'll tell you, this is the wake up moment for us to say we weren't ready, we weren't mature, we weren't prepared for it yet, but they made those changes. They grew and all of that. And now they're serving that industry and serving it very well, and there's a higher, uh, profit margin that exists there as well.
And so I just, I love that story of that MSP saying, we're not ready, pausing, fixing, maturing, and now they're just flourishing through it. Yeah. Good, good. Kyle, you know, you, you, you, you, you help a lot of MSPs through various aspects, whether it's literal incident response, but from a, from a business side side of things that they said, Hey, I'm interested, Kyle, 'cause you were in the, you know, defense industrial base. I'm thinking of getting into it. What are your thoughts?
What should I be doing? You know, what that, what could that journey look like for me? So for those of you who haven't had the opportunity to work with DFARS, which is the defense acquisition regulations that effectively say how you do business to acquire contracts, you'll know they don't play, they don't play with accounting, and now they don't play with cybersecurity. And so what I would caution everyone is there is awesome opportunity, but this probably isn't, dip your toes in lightly.
You're gonna need to take it serious because there will be ramifications if you come with your, you know, half a, uh, version of cybersecurity, both for that DIB partner or the cleared defense contractor that depended on you and yourself as an MSP.
So I wouldn't say just, you know, jump into it, but if you are at the point where you're like, look, we have mature processes, we have a lot of this, we've been looking to build our cybersecurity practice now more than ever, like, this is your opportunity to really formalize around something that other parts of the industry follow. There's just no doubt about it.
Um, I was sharing, and when we were in the green room before this, I've had two calls today alone in regards to an upcoming US government announcement that'll come probably today in regards to MSPs and security. So I think my conversation would be, for one, if you're looking at this, CMMC is just getting started, you haven't missed the opportunity, now's the time to, but would caution if you're gonna spin up, it's kind of like a relationship.
You can hold hands, you can kiss for only so long, but some, you know, sometime later, uh, you'll have to make the decision, am I really gonna jump into this? And when you jump in, you better jump in, you know, for the long haul. Um, if you want to be successful regardless, I'm excited about it. I think for one, I've been on plenty of investigations where I've had to investigate stolen US property, right? Stolen US IP or defense, uh, information.
So I'm kind of glad we're finally getting this under control, as cleared defense contractors had way too much freedom when it was self-attestation. Very good. So normally I would've given some more, you know, kind of headline here leading into the question, Gary, but I'm just gonna come right at it for time. Last week I asked you about will MSPs need a dedicated security role like a vCIO for this type of industry? Do you think differently about it?
If somebody is dealing with level two, you know, level threes and, and just curious, No, listen, they're gonna have to have some domain expertise, but obviously around this, but it's almost like what Wes said, how, if you think about, um, you know, uh, uh, a company with a thousand employees, you know, they might have a certain number of people that are in their security department, but a lot of what happens happens in the IT department, the blocking and tackling, and that's what MSPs are good at.
So no, do I think the same thing like with cybersecurity as I think with, with this, that every MSP is gonna be able to have all the knowledge and experience and afford to have it in house? I don't. I think they're gonna have to have a relationship with someone that does. And then they gotta figure out the part that they need to put, you know, into their process, their systems, their stack, um, in order to make sure that it happens. Got it.
So in, in, in this last question, gonna lead right into bringing Ryan on, um, we, and, and you know, uh, Kyle, if you guys could, you know, do rock paper, scissors and figure out who's going, We'll let it on as a thread anyway. But, so there's this article I put in the, you know, I, I put some assets and, and one of 'em was really well written by a great MSP called Steel Root for, it was an article for, um, CSO Mag.
And it talks about a quote by, um, a gentleman named Wayne Bolene who's in the accreditation body for the CMMC. And basically, I'm paraphrasing it, but he's asked, Hey, will IT service providers need an equivalent level of certification as the customer? And flat out he's like, if they have access to their systems, absolutely. So, ruh-roh. Yeah. So Kyle, closing out with you and Wes, thoughts on this, will it change how RMMs are used?
Will it, you know, if you're an MSP, are you, you know, and this is a key, you know, vertical for you. How are you looking at this now? Does it change those types of tools? I think when it comes to RMM, we're already being challenged on how things are, you know, changing. Um, your critical remotely exploitable RMM vulnerabilities in June and July on the ConnectWise side of the house. The important part is they're quickly patching.
But, uh, Gary and I have talked about this before, when you're sitting on 15 years of debt and code and things that need to be written, and were written for a different time when security meant a different thing, like that's debt. Sometimes you have debt in the processes of your business. Sometimes your vendors have debt in their old legacy code. I think now, regardless of the situation, it, it's time to pay the piper and pay off that debt. Yep. The bill came due. Yeah, you go, How about you?
Any thoughts? Kyle was, right. Um, paying off technical debt is enormous. And to be fair to the RMMs that are out there, they know that and they're working on it. We all know that. Right? Um, but it can't happen fast enough. Right? I know at Perch, even as a 4-year-old company, we still spend time handling technical debt on our end that we consider maybe a year old because we don't want it to grow like that, right? So it's really important for all of us. So Kyle is exactly right.
I don't think that, um, CMMC directly will change the way we use the RMM. I think it will be one of many things together that are changing the winds of the industry, right? As, as Kyle mentioned, the breaches that are happening, uh, not CMMC, but other regulations that are waking up to the MSP and understanding for the first time who the MSP is and why they're a critical player. I mean, this is, this is bound to happen, guys, right? I mean, all of these breaches that have happened, no question.
It, this is, it's about time that all of this has changed. So, so yeah, the winds of the industry are changing. Here's what I think's gonna happen. I think it's gonna separate the MSPs that can handle all of this and can certify it through the audit process of CMMC and those that can't, right? And so you're going to see a lot of shifts. You're gonna see MSPs that are prepared for it truly be able to serve those clients, are gonna take on new clients, they're gonna keep their current ones.
And then you're gonna see other MSPs that say, I can't do it. It's too hard. I'm not used to it. Security is not my forte. And they're gonna bow out of all of that. And you're gonna see the same thing, consolidation inside DOD manufacturers as well. You're gonna see some say, Hey, the overhead cost that's being passed to me to meet this is something that I don't, I I can't do any longer. You're gonna see others that are gonna say, so you're gonna see growth and consolidation.
I'll give you an example of this. We saw that in banking when Dodd-Frank came out. All of a sudden the changes that were supposed to be for 10 billion in plus banks under management all of a sudden started filtering downward. And so you see where banks would track their, um, average return. So basically this idea of like, uh, how many cents do I have to spend to make a dollar was all of a sudden just grossly going out of balance.
And so you see these small banks saying, we can't keep up, we can't compete. We're gonna consolidate with bigger banks. We can be more effective that way. And you see that happen. So I do think those are the things you need to be prepared for with what CMMC is going to do to the industry overall. Um, but I do think this is the thing that needs to happen, for sure. Awesome. So Wes, you're gonna go over your said, just so get, alright, I'm gonna move you over, bring it back up in a bit.
Um, so let me grab Ryan, and, and again, you know, Gary, I know you talked about me with a dog with a bone, but the reason also I wanted to, to bring this, uh, topic up again and a lot is happening right now with it. Um, yeah, sorry, bear with me guys. Uh, and like meaning timing, so, And Andrew, I'll give, uh, when It gets to the end, I'm gonna make a bold statement before we Close out today. Oh man, you, you got me hooked already, Gary. Okay. Hey everyone. I'm, how are you?
I've got some hot takes. So Ryan, we got some questions coming in already. I got some. First, thank you so much for coming on. Let me just set the agenda real quick and I'll turn it over to you. So we're gonna give to about five minutes. You're gonna give some background 'cause I'll probably butcher it up there. Um, but you'll give some background on CMMC, where we're at today. You deal with a lot of MSPs and MSSPs as a result of being in the, the auditing process yourself.
Um, so, and then from there, maybe I hope we'll get into some Q&A and then we'll close out before Gary's bold statement, bringing on Ken Tripp. Because from a data side, again, you know, most MSPs didn't have a data element to their offering. I'm not saying all again, don't flip out at me out there. Oh, we do data auditing. I'm saying for the most part, people aren't doing data identification, data classification, data auditing.
So with that, Ryan, you take it on over here and let's get on into the wood. Alright, well, thanks again everyone for coming and hanging out today. Uh, yeah, the, there's even just some questions that have come up in the chat since this event began. That makes me feel like I, I need to carve out enough time to, to talk about what's unique about CMMC. So not as much like what it is factually, but like what's different about this, that, that is causing such a, a industry transformation.
And so in light of that, I, I would say that, um, just from the, the base facts, CMMC is an evolution of the DoD's attempt to stem the tide of intellectual property leaving the United States. I mean, the early estimates are 600 billion a year in IP, uh, exfiltrating out of the United States. And I think the most recent estimates put that actually closer to a trillion a year.
And so, obviously, you know, the federal government and the powers that be are not going to, uh, just stand by and witness the single biggest transfer of wealth in history, according to the New York Times. So this is the attempt to do something about that. And so, uh, really, I think with CMMC, you can dig into the model, right? And read about the 130 practices that exist at level three. Uh, you can read about the basic safeguarding, uh, requirements from FAR that have now become CMMC level one.
Uh, you can read about the, the process maturity levels for things like resourced plans, uh, for things like documented policies and processes and all of those things. And I would recommend doing that, you know, around a pot of coffee so that, you know, you have a chance to, to absorb all that and look at some of the, the unique aspects of the model. I really think though, that we need to get to what is, what is gonna motivate your clients to do something different.
And how does this impact both of you? So first of all, what, what's different about CMMC? Um, it, it really functions like a regulatory white list. So, you know, there's, there's no best effort like we see with HIPAA. There's no, um, there's no scaling of like your comparison to peers like we would see with FFIEC, right? Um, there's, there's no bridge letter from a SOC 2 audit.
Um, basically any defense contractor, uh, that receives a specified CMMC level and an opportunity from a, a contracting office, basically they're gonna be denied the ability to be awarded that contract unless they have that certification. So it's, it's a very hard coded model for who gets the business going forward as individual program offices and entire platforms within the DOD begin to adopt this model.
And so that can displace a lot of the people who traditionally have won on the metrics we're all used to, you know, cost and schedule and performance. So really quickly, this can turn into, You're talking about this at the contractor level, like first it affects them and before we get to the point of dealing with IT providers, Right? Absolutely. And, and so this is what's hitting your client base, right?
Um, they can be displaced overnight and somebody else can become sole supplier, or they can, so understand what's motivating that sense of urgency. Um, the other thing that's really unique about CMMC is that certification is a pass-fail event. And so, uh, you know, it's true, recently announced there will be a limited window in which to correct findings from the assessment. But if it's anything major, it's unlikely they're gonna be able to get that done inside of a 90-day window.
So, um, I think you could see a lot of contractors who could be forced into a really expensive second attempt at certification, uh, or rescheduled certification. And that's probably gonna cost them contract awards, um, or maybe Let themselves just go get acquired by someone who's further up the chain Y Yeah. Or sell your book of business to somebody who is certified. The, the consolidation is, is pretty intensive.
Um, if we look at any other, even more limited examples where, where these types of regulations have come in, even without the hard coded pass fail dynamics and the go no go decisions on contract award. So this could be very polarizing very quickly. Um, another thing that people need to keep in mind is that CMMC is likely to require multiple proof points.
So, uh, all of the, to this assessment methodology we're being told will be published follows, uh, in the DOD parlance, what they call the kid method. So that kid stands for known, implemented, and documented. And they're gonna look to prove that out on multiple tiers. And so this won't be a paper tiger exercise. Um, you'll need to have people in the room who, when the assessor says, who here can tell me about topic? There's somebody in the room that can say that would be me.
And then they ask you to talk about how a particular requirement has been implemented. So, just because of its nature, there are going to be many more layers of depth that are going to be required. So you're saying there, Ryan, unlike, and no discredit to, something like the CIS 20 controls, where you could run something and it spits out information for you,
this is: what is the policy, and show me the controls and how they relate back to the policy, and who's responsible for it? It's a much more holistic approach. Fair? Absolutely. So, MSPs... And that's labor intensive. This is the part that MSPs struggle with, which is having people, right, that are dedicated. This is what we've been talking about, Andrew, over the last, you know, eight or nine weeks.
This is the most difficult thing, because you have to figure out how to monetize that. Yeah, now you're getting to the things that MSPs struggle with, right? Doing things. Yeah. Running things, running a tool, running this, right? Yeah. Then what you're talking about, when you get into this, is that it's just a constant process and discipline.
So Ryan, from a customer perspective, if you're the DoD contractor, it's likely that they've outsourced to you, the MSP, the knowledge, the implementation, yeah, and the documentation of that system and its operation. So I've got to ask, who's really being assessed here? Yeah. And Ryan, you should shift from a timing perspective into some of those interactions you've had, the good and the bad and the ugly, because not all are bad.
You work with some great MSPs. Oftentimes you're called in to work with an end customer. Lo and behold, you start asking questions, and it's, "Oh, I work with XYZ MSP," and now all of a sudden the phone gets picked up by you to the MSP. So can you talk about those interactions? Yeah. So here's generally what I see, exactly what you described. You go in to work with an end client, right?
So one of an MSP's customers, because, you know, they got a vendor questionnaire from a prime, whatever's triggering that set of activities. And just think about this: a lot of times the IT providers aren't even alerted that I've been brought in. So just let that speak for itself. And then you get into the conversation with the MSP and you start going through some of these processes. Here's what I tend to see from an MSP perspective.
Their documentation and governance is not good. At least 75% of the MSPs I've interacted with. Shocking. Yeah. They don't have an up-to-date inventory of their client system components. And no, your RMM tool doesn't always cut it. You need to account for every IP in that network scope, not just the RMM-friendly components. So there are gaps there in the completeness of what's being done. They don't manage vulnerabilities.
I can't tell you the profound loss of confidence in an MSP that happens when you run that vulnerability scan and the client's like, "What is this dumpster fire I'm looking at?" Because not every vulnerability comes matched with a Windows update.
So there are a lot of things that have been cropping up over the years, and if there aren't network-wide attempts to understand security vulnerabilities, that backlog can become a deal breaker in whether you can pay down the technical debt in those systems. And then the other thing I see is that generally MSPs are very overconfident in their initial response to the client's compliance inquiry.
So the client kicks them over a copy of 800-171 or a vendor questionnaire and says, "You do this, right?" And they go, "Oh, how hard could it be?" They see a few keywords that jump out at them and they go, "Well, yeah, we're basically doing all of that." And then the client continues forward with a perhaps inflated sense of confidence, and then some sort of self-assessment or prime-initiated party... Yeah.
Or somebody like me comes in, right? The hated compliance consultant. And I'm looking around and I'm saying, "Yeah, you guys put in antivirus, but there's a federal ban on that brand." Or, "Yeah, that firewall's capable enough, but that particular vendor doesn't ship their units to NIST labs for FIPS validation." Or, "Yeah, I agree,
there are some great security features in G Suite, but G Suite's terms and conditions prohibit the use of ITAR data or export-controlled information in their platforms, and they blatantly refuse to follow DoD damage assessment requirements." So I don't know how to tell you this, but this is a reset button scenario. This is not what we thought it was going into it.
So MSPs need to be really careful about just that quick glance over of something like 800-171 or CMMC, and really dig into what it's like to implement. On a positive note, and then we will go to some questions, we have some, but on a positive note, I know you work with some really, really good MSPs. Some of them are on the call, some of them chatting it up out there. Send us some questions as those questions come in.
I'll also bring up Ken so you guys can talk data a little bit, but maybe a positive note as we go to the Q&A. Yeah. Kyle, I'm going to move you over to the audience if I could, just for a moment, pal. Okay. You know, Ryan, one comment I was going to make is, you gave an idea of why, from a defense standpoint, how much IP, how much information leaves, right?
But expand that out beyond defense, right? With, yeah, pharma. Yeah. There's just so much, right? I don't think most people realize just the level of constant... every second of the day. Yeah. Do you think General Electric is only going to care about their defense IP, and the commercial aviation division isn't going to learn those same lessons? Right? Yeah. Okay. Well, how about this?
Keeping an eye on time, Ken, Ryan, why don't we talk a little bit about data. Again, not to sound silly, but I don't think it's been an overarching focus. Gary, fair? In other words, identification, classification, managing of data, that's new per se. Ken, Ryan, talk to us a little bit about, again, if we're an MSP involved or getting involved in this space, what are the critical things we need to know about?
Yeah, so I think still today, the biggest challenge that this entire industry faces is the ability to know which data needs to be protected. So we have sort of this burgeoning category called controlled unclassified information, CUI, or "kui" as some people may call it in the industry. Nobody really fully understands how to identify that. And so that's a huge challenge that we see. It's the biggest educational opportunity that I would say is needed. Yep.
And you know, I agree with that, and it even goes beyond the identification and classification of it. It's like, okay, well, what are we going to do? So fortunately, those existing markers for CUI are pretty easy to spot, pretty uniform, right? And it goes across. But then what kind of predefined actions are you going to take around it? I mean, CUI data is really considered toxic by the DoD, right?
And now you've got to remediate it, redact it, create workflows to move it to a secure location. And then as you even go up to level five, now you've got to start tagging that metadata. And for us, that's included in integrating with the DLP solution, for enforcing data protection policies and creating a persistent layer against those tags. So it gets pretty complicated the more you move up.
But it's something that's extremely important, because really a lot of the CMMC is around the exfiltration of that CUI data. Yeah. I couldn't agree with you more on that. You don't want to trust fallible human process to always do the right thing when it comes to CUI. And so putting a floor on that set of activities with some autonomous decision making is really helpful.
To your point, Ken, as soon as CUI finds its way onto a system, that system is now what's called a covered contractor information system, and all these government contract clauses apply. And so clearly controlling the scope of where that data lives and where it flows is a huge part of contractors controlling costs, right? Yeah, and I agree. And the challenge around data is it's constantly being modified, changed, moved, and even created, right?
So it's got to be a continuous process where you keep evaluating, monitoring, and then setting up automation. I mean, Gary was just speaking about this: manually, it's extremely expensive to do that, right? So you've got to find tools out there that can help you be profitable when you go into that market. And just to say, I know that Wes had mentioned earlier about regulation forcing us to change.
I mean, from a vendor standpoint, five years ago we were born as a change auditing tool, right? And we didn't know we were necessarily in the data security business until our customers started asking. So we had a change. And a lot of our MSP partners today, whether they know it or not, are in that business, and there's a great opportunity for them to become profitable and attack that marketplace.
And just so that everyone knows what Ken's referencing when he talks about those legacy markings: the two most common formats for CUI that we see with contractors are export controlled information, a pretty broad category, and then controlled technical information. So a lot of the things that are drawings and plans and specifications, things like that, those already have legacy markings that have been in place for up to 30 years.
So those distribution statements or export control statements are what Ken's talking about, something that's identifiable and very uniform in the way that they're worded. So that makes it easier to spot CUI than just trying to understand CUI in and of its nature. Awesome. Great. Can I go to a few questions for you, Ryan?
And also, when we close things out, if you take a look at the questions, if we don't get to all of them, maybe you could just answer a few of them by Q&A. And by the way, I believe I put your LinkedIn profile up, and if any MSPs have customers that need help, Ryan, can they reach out to you? Yeah, so with CMMC heating up, I mean, time is always the biggest limiting factor for people on the cyber call.
I'd love to spin off maybe a standing call or something like that so that we can chip in and help each other out with each other's problems wherever possible. I'm always fighting to keep spots open on my calendar for those critical discussions with customers. It's hard to get ahold of you, which, I'm happy for you. Let's go with the most upvoted.
Can MSPs run their typical model of an RMM tool, other remote tools, et cetera, in the context of CMMC? Does the model support this, or are MSPs faced with a new way of doing things? Ryan? So that's a great and very loaded question.
So I think that the real question is, do you want to? So there's a middle ground with your customers where, first of all, you have to figure out, are you going to be supporting all of the customer environment at, let's say, CMMC level three, or just some? And if that's the case, does your traditional stack of tools match well with what needs to be done in that environment?
You know, do you want to re-architect two management models inside of that tool, or do you want to use this as an opportunity to run something side by side? The scope of your customer environment is largely going to drive that for you, especially with how you price RMM. I'm assuming a lot of people out there are pricing RMM on a per-seat or per-endpoint basis. A lot of limited-scope CMMC environments need to be looked at and priced differently.
So those are just some considerations. Then there's the whole context of aggregated risk. We're seeing all these security advisories coming from DHS and US-CERT about the inherent risks of advanced persistent threats and managed service providers. There's zero chance we get through this year's election without some major security advisories around election systems and disruption of those systems.
And again, it's going to continue to drive the conversation on how much aggregated risk you can tolerate as an MSP. You know, the risk of your customers is bleeding into your environment. You are a more lucrative and attractive target because of who you service in this day and age.
And so I think that there are organizations we see who are just straight up going back to the drawing board and figuring out: are we going to use a different tool, the same tool but twice, are we going to logically carve out and separate some of our customer environments, or a new instance, or any of the above. So I think that whatever the answer to that question is going to be is probably not going to be an easy yes or no.
It's going to look different than what you have today. Boy, I'll tell you, Andy, I'm looking at these questions. Andy, so answer it. We've got to get you guys in touch with him. He has done a great job answering a lot of them. But do you know Andy, by the way? I do, yeah. Okay. Here's one from Jennifer: I'd like to know the biggest challenge in assessing cloud applications like Microsoft Office. We'll end with this one.
There are quite a few questions, but I want to be fair to everybody's timeline. If you could take a look, and I can always send you these questions as well. Or, Gary, should we keep going and answer some of these? What are your thoughts? Yeah, we've got just about 10 minutes, so maybe take one more question and then, I think it's important to wrap up today, because we went deep on a topic today. Yeah. So I think... Zoom.
Yeah, sure. So I was going to say, Ryan, you and I just laughed quickly. I was laughing because, you know, FedRAMP, when you go on to the marketplace, seemingly you could look at Microsoft 365 GCC High and go, "Well, it's not even accepted yet." Again, I'm air-quoting that, so I'd love your take on it. Yeah. So the use of cloud and how it interacts with CMMC, there are a lot of facets here. I'll try and move through these as quickly as possible.
First off, the DFARS clauses require that if you're going to put CUI in the cloud, it needs to be with a cloud service provider who provides at least security controls equivalent to the FedRAMP Moderate baseline, which obviously makes someone who's already in the FedRAMP marketplace more attractive, but doesn't necessarily require that they're there. And they also need to be willing to support DoD damage assessment requirements out of some of those same clauses.
So access to log information and, in some limited cases, even the original equipment involved in the hack. So in those types of scenarios, there are very few cloud providers who want to play by those rules. We mentioned earlier, G Suite is listed in the FedRAMP marketplace; you can't use them as a defense contractor. It's this weird set of paradoxes.
But when it comes to assessing CMMC and understanding the cloud, whoever figures that out in a way that's repeatable is going to do really well in the space, because so few people understand the responsibilities, or the shared responsibilities, of the cloud. And it's literally the same challenge that MSPs have. MSPs can provide security capabilities that the organization seeking a CMMC certification then gets to inherit.
You literally have a seat at the table to talk about it in the customer's assessment. By that same token, cloud service providers under the FedRAMP model basically give you security capabilities that you get to inherit and speak to in your CMMC assessment.
But whoever's going to do that assessment has to understand the nature of that, because you can't get Microsoft to come sit in your CMMC assessment, and you can't necessarily get somebody who's outside the building to always participate. And so you've got to understand how that works. One quick thing I want to put to bed: people are talking a lot right now about reciprocity between FedRAMP and CMMC. That's something that benefits the cloud providers.
It doesn't necessarily benefit the organization who subscribes to that cloud. FedRAMP is a system authorization for a system. CMMC is a certification for an entire organization. So a FedRAMP cloud system will plug into your organization's cybersecurity operations. It will not replace the need for facility requirements, for personnel requirements, for all the things that go with running a mature program. Oh, great. Hey, Ryan, I want to thank you so much for coming on. You're welcome.
Anytime. Come back. Ken, thank you so much. Ryan, if you have a moment, take a look at the questions there, and we're going to bring back Wes and Kyle to wrap things up. Gary will play the maestro here and pull everything back together. So with that, let me bring up Wes. Let me bring up Kyle. I'm drawing a blank, Wes, on the game in your background. My son... it's classic. No, they're too old. This is Minecraft, famous Minecraft. That's what it was. Yeah. Yeah.
So I'm anxious to hear your take on this. You know, I said we went a little deeper on a subject today. So I'm anxious to hear your perspective; you got to sit there and listen and chat, and what you're thinking on it. Was that your first...? Yeah, yeah. Look, let's do this in the chat. Raise your hand or just do a "me" if you feel intimidated by what we're talking about today. And it's okay to have that. I'm going to look. Yeah.
Or I can do a poll. Yeah. Either way. Yeah. Hi Kyle. Me too. Right? So here's the deal. It can be intimidating, and government regulations, when they come, are always intimidating, right? But you're hearing from people like Ryan, and you're going to have him, that are pushing: here's how we do it, here's the things to think about, here's how we approach it. And you two have been really, really helpful in all the chat today.
Don't be, as you get used to it, as you learn it, as you become more familiar. It's like learning a new language. I remember the first time I walked into financial regulations and just felt overwhelmed, right? But don't fret; the same principles that govern CSF are ultimately the same principles that govern what CMMC is doing. There are just some differences in how it's applied, and it's more of a prescriptive model. As Andy mentioned, as we get more familiar, we'll learn these things.
We'll learn how to build it out, we'll learn about compliance. We're all going through this together. So, yeah, I'm seeing lots of the "me"s here. That's okay. I guess my big takeaway is: don't let that scare you into inaction. Start small. It's just like eating the elephant, right? One bite at a time. That's how we begin through this process. So I just wanted to say that. First of all, thanks everyone for the honesty. Kyle, please.
Yeah, I'm digging the, you know, "I feel intimidated." Yeah, it's crazy, right? It's one of those things that, you know, things tend to come at you fast, right? I've seen the politics around masks and things along those lines, and it's crazy how quickly everybody can pivot on a dime to where we have to be. You know, during this call, I had a heads up that the Secret Service notification was going to become public.
I just included a link there to the Secret Service recommendation, talking about MSPs getting the pants hacked off of them in the month of June. They included "have well-defined security controls that comply with end users' regulatory compliance," right? Literally, we're talking about CMMC and how we need to comply with those defense industrial base compliance requirements. If you're not taking it seriously, I hope a Secret Service bulletin on the thing...
And it just happened to hit at the perfect time; this could help reiterate that. And it doesn't mean that you're bad because you're not compliant now. It's more along the lines of: this is your eye-opening moment. But if you don't comply, it's going to be, first time, shame on them for not telling you; second time, shame on you for not taking the action. Yeah.
So Andrew, with this, I want to zoom out from whether you do business with defense contractors or not. Obviously, if you do or want to, life is changing for you, right? And some people will make the decision to move closer to it or further away from it. But just apply this in general: why this is happening, and the same issues that defense contractors deal with, all companies deal with now, all SMBs deal with. So here's my bold statement.
I don't know a lot about a lot of things, but I know a lot about the American clients of MSPs, and I'm saying we are reaching a point where, you know, for 10 years I was trying to get everybody to get to $150 a seat, right? At $150 a seat, you can't possibly secure your customers or yourself. So we're going to have to get better at operationalizing this and going to our customers and having that value conversation, or the risk, almost every week or weekend.
We save them, going up for ourselves and our customers. I'm saying, let's go, people. I mean, that's real talk. I've got to imagine that's the big announcement, right? That's the, "Hey, look, put your money where your mouth is," because look, if you didn't get the $150, you're further behind. Or, yeah, absolutely. That's not the number right now.
That's the number to run an RMM, which is being put up on security sites right now, that we have to be careful of that, and answer people's help desk questions.
We have a whole other thing we need to do. We took it to the extreme today with these requirements, but we've been talking about it now for eight weeks: all the roles, process, discipline, framework that every MSP needs to have in place to reduce their risk and their customers' risk. So we need to get going. Things like what we talked about today, the tabletop event we're doing, right? truemethods.com/tabletop.
You have to make the time and then figure out how you go get the budget from your customers and prospects. Yeah, well, incident response is definitely going to be part of it. If you take a look at the CMMC guidelines, depending on the level, you're going to need an incident response plan. But Gary, the reason I also wanted to do this was timing.
Things are just getting released from the lady by the name of Katie Arrington and the whole team that's heading up the CMMC. June was the timeframe; it's starting to go into effect. The other thing is this: what's interesting about CMMC, and we're talking about enablement, when I say we, you know, you and I, Wes and Gary, MSPs have got to start somewhere. And what's fascinating about CMMC is, look, you have a progression and you can look at peers.
I think those things are important, but I think every MSP, man, if you have to, look at least at level one, forget even if you service the DIB, the defense industrial base, because it'll start to set you up to look at policies, not just "do I have a firewall" or "do I have these controls," which are technology driven. I hope that makes some sense. Yeah, great. Great job today, Andrew. Yeah. Hey, for you guys, as always, thank you so much.
Thanks for everybody staying on. We'll get this posted. Thank you for dealing with the internet connectivity here in Tampa. And with that, we'll look forward to seeing everybody next Monday. Kyle, Wes, Gary, thanks so much. Thanks everybody. Take care.