Right of Boom
January 30, 2025

DoD Rulemaking & Potential Impact to MSP/MSSPs

In this video, industry experts Scott Edwards, Jacob Horn, and Stuart Itkin discuss the critical developments around CMMC (Cybersecurity Maturity Model Certification) and its implications for MSPs (Managed Service Providers) and the defense industrial base. They delve into the timeline of CMMC implementation, the challenges faced by MSPs in reaching compliance, and the potential market dynamics as the rulemaking process nears its conclusion. The conversation also explores the formation of the MSP Collective, a group aimed at advocating for MSPs within the regulatory landscape, highlighting the importance of collaboration and proactive engagement with regulatory bodies.

- The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program designed to ensure that defense contractors meet minimum cybersecurity requirements, aiming to prevent data loss from the defense industrial base.
- The timeline for CMMC implementation is becoming critical, with historical data suggesting the final rule could be published by April 2025, but companies should act now to be assessment-ready within 12 to 18 months.
- The MSP Collective aims to serve as a unified voice for Managed Service Providers (MSPs) to communicate with governmental bodies, ensuring that regulations take into account the specific needs and roles of MSPs in critical infrastructure.

Guests

Andrew Morgan

Video Transcript

Welcome, welcome everybody. Episode 149 here on the cyber call. We've got a packed house. In fact, we've got another person we're gonna bring up. If the Crowdcast platform allowed us seven, we'd have seven on here right now. So, uh, we're doing a full Brady Bunch. We'll rotate in a few folks as, uh, as our, uh, session goes on today. Um, so first off, Gary, we're gonna spend the first half hour talking about your trip through Italy. Um, you know, but, uh, welcome back. It's good to see you.

You look well rested even though you did some, uh, probably, I know I would probably have some jet lag, but, uh, did you have a good time? I did, had a great time with the family. And, uh, yeah, overall I came back yesterday, but I'm feeling, uh, right now, I'm feeling pretty good. But I did wanna make an important announcement. Yeah, talk to us. Yeah. So, um, I, I no longer say, let's go people. I now say I amte. Is that, is that the Italian version? All right, fantastic.

Okay, so let me set the stage here. We'll get going on, um, on this topic. I, you know, look, this is something that if you are an MSP supporting the defense industrial base, a very important, uh, date in the making happened last week. We've got, uh, some amazing guests here to talk about that. And I think, you know, I wish a lot more MSPs were on.

In fact, uh, Scott, I hope you give some, um, you know, kind of maybe talking points about this, even folks that don't handle, uh, uh, companies in the dib. I think there's some kind of, you know, where we are headed from a regulatory perspective. I think, and I'd like you to kind of, you talk about reading the tea leaves, where this could go quote unquote, you know, as a, an initial foray of how the government sees, um, working with service providers, et cetera, uh, coming in years to come.

Alright, so, uh, just quick announcement, um, I, I'll mention this. Um, we've got, uh, gosh, it's neck and neck right now on the Right of Boom pre-day between SA alert and interests. Um, we, I think just went over in the first week, 25% sold out already, uh, for the event. Um, so, um, hopefully we can sell this out in record time and not have to worry about anything. And just really fo continue to focus on the content we've got, uh, Ryan Weeks back this year.

It's gonna be phenomenal who's, uh, working on all the content in the background with some other folks. So stay tuned there. All right, so setting the stage here, uh, week ago Monday. So one week to the day, uh, the Defense Department, uh, finally sent its highly anticipated proposed rule, um, to, uh, Jacob, is it OI know it's OIRA. Is it, do they go by Oriah or? Oh, yeah. So the, uh, goofy government way of pronouncing it is OIRA.

It is OIRA, it is a, it is a subset of the Office of Management and Budget. So by the time you hear the Feds arguing about the budget, it's always going through OMB. Anytime you have executive agencies that write rules, otherwise known as regulations to those of us in the muggle world, it has to go through an office in OMB. That office is called OIRA. Okay, fantastic. Thank you for that. Um, so this is, um, you know, a ruling that we're gonna be talking about today.

Um, it's, you know, if you follow Jacob, if you don't, um, I'm gonna put his LinkedIn in. You should, if you, if this is an of an area of interest for you. Um, but, um, there's probably very few people that, um, have had Ron Ross actually reach out to them. Ron Ross, for those of you who don't know, has written a, you know, large portion of NIST, um, documents.

And specifically 800-171 reached out to Jacob because he said, wow, you know, you're one of the first people that I've ever found that can actually take all this gov speak and distill it down to something people can understand. So, great job of that. And so we're gonna do some intros here. And then the other thing that's going on is, um, well, when did the government start caring whether we can understand it? Well, yeah, it's, uh, that's a really good point, Gary. Really good point.

Um, maybe it's just a fascination Ron had with Jacob's beard. Who knows? I, yeah, I'm not, I'm not, uh, I mean that's a, that's a, a very kind paraphrasing, I think of the conversation. This is, this is mostly like Bill Belichick telling Edelman good job on the catch is not exactly asking for advice, you know what I mean? Yeah, fair enough.

Um, but like, we're gonna get into kind of, um, you know, what is the state of the industry and, and that's really why I wanted to bring on, um, some people that really in the know here and very close to it. Um, and we're gonna get right on into that. And that would be Scott Edwards, who's the CEO of Summit 7. Scott will tell you a little about who Summit 7 is, what they do, um, and then Jacob Horn. So Scott, let me let you kick things off here.

We're gonna hand it right over to Gary after some intros, but starting with you, Scott, uh, an intro about yourself, um, and Summit 7. And then maybe just a, a touch on that. We're going to, well, let's hold off on the other thing that you guys are doing, 'cause that's part of the show here, um, in terms of the collective. So go ahead, Scott. Yeah, so, uh, I'm Scott Edwards. I am CEO here at Summit 7.

Uh, we are a defense industrial base, critical infrastructure based, um, MSP/MSSP, um, in my role, my actual role today, I'm here as, as the Executive Director of MSPs for the Protection of Critical Infrastructure. Not necessarily as the CEO of Summit 7, though. Um, but, uh, we'll get into more of what that is here in just a few minutes. But, um, yeah, that's my background. Awesome. Thanks for joining us, Jacob. Good to see you as always.

Uh, how about a little about yourself and, uh, again, thanks for joining. Yeah, of course. Yeah, thanks for having me. So I'm the chief security evangelist at Summit 7. And, uh, my primary role in the ecosystem over the last few years has been trying to convince people that even if you don't believe in the boogeyman, the boogeyman believes in you. And so what we're gonna talk about today is, uh, how we can now have a knowable estimate of when the boogeyman will show up under your bed.

Uh, very recently, along with Scott, I had the honor of, uh, becoming the director of policy and standards for, uh, MSPs for critical infrastructure, which Scott will get into in great detail later on in the show. But I'm primarily here today as the rulemaking guy who's been sort of shouting in a corner for the last, uh, couple years. And, uh, we're just back from Italy and we got some spicy meatballs to dig into today. 'cause, uh, this timeline is, this timeline's getting close, everybody.

Yeah, it's interesting, Jacob. 'cause I remember for years you've been saying this will happen, and everybody's like, ah, no, it won't. No, it won't. I hope everybody's been doing their implementation. I we'll talk about it. We'll talk about it. So In other words, he's saying this time we really mean it. Yeah, It sounds like it, it sounds like Gary, When your kids say they're gonna clean their room, like Yeah, right. Yeah, exactly. Yeah, Exactly.

So this is the, uh, the wolf that finally gets to cry. Gary, like, I, I think it'd be great if you kind of dig into setting the stage here with Scott and Jacob. Yeah. Listen, this is interesting because we have, um, we've had this as a subject since the beginning for three years, right? Different times we've had, uh, Ryan Bonner on and different people. Um, and I, I think for MSPs, uh, a lot of confusion, ambiguity, those kind of things.

Can you start by just talking about what's really gone on the past few months, bringing everybody up to date level, set us, and then we can try to answer some additional detailed questions from Yeah, absolutely. We'll get to 'em all. So, um, you know, so I saw some people in the chat, so just to go very, very high level, right?

So, CMMC is a Department of Defense program that is designed to assess and verify that DOD contractors have implemented minimum cybersecurity requirements that have been required since 2017.

There were lots and lots of DOD studies, lots and lots of audits, lots and lots of independent industry studies, and lots and lots of obvious evidence that controlled unclassified information was just getting hemorrhaged out of the defense industrial base, despite the fact that minimum requirements had been required for years, and that everybody had been self attesting, that they were implemented. So clearly that was not true.

So naturally, uh, the DOD turned around and said, fine, we'll come and verify that your claims are true, because they're all true, right? And, uh, that was under a program that we knew as CMMC 1.0. Uh, and it obviously caused a lot of political backlash because people suddenly felt called out and threatened. So, uh, the rule comes out in 2020, everybody sort of retaliates against the rule, the administration changes, and then they say, we're gonna review the rule.

About a year later, they come out and they say, we've fixed it. We have CMMC 2.0. However, that process of codifying the revised CMMC program has to go through something known as rulemaking. And rulemaking is a fascinating topic because it is probably the single largest thing that affects the daily lives of American citizens in all, uh, you know, every way the government interacts with the American population, and almost no one knows anything about how it works.

Uh, and so it is obscure and it is confusing and it's complex, and CMMC has to go through this process. And so as a result, there's been a ton of, you mentioned corrupt. Yeah, well, I mean, that's a whole other, that's a whole other topic, right? So, uh, either way, uh, you know, at a high level, rulemaking takes a really long time. And so, DOD came out at the end of 2021 and they said, we figure out what we wanna do now, thanks for all your feedback. See you in nine to 24 months.

Uh, that 24 month timeframe is the end of this year around November. So what has to happen during the rulemaking process is the DOD has to develop what the language of the rule is gonna be and then submit it up to, like we said earlier, to OIRA, this group of people who works within the Office of Management and Budget. All federal agencies have to send their regulations before they are published and enacted through this office. It's just how the sausage is made.

It's just how the bureaucracy works. And so what we've been waiting on is for DOD to send the text of their rule, the text of the CMMC program in its finality up to OIRA, because once it goes to OIRA, the clock starts ticking. We have actual knowable historical timeframes for how long it takes OIRA to review, how long it takes for it to get published, and then how long it takes for the DOD to respond to public comments, issue those responses, and then for the program to become effective.

So what, so like you said, on Monday on the 24th, what happened was at long last, DOD sent the text of the CMMC rule to OIRA. So the clock has now officially started ticking. The actual rulemaking process itself is now in its final stages. Uh, the majority of the rulemaking process, the vast majority is over, right? The deliberation, the back and forth, trying to figure out what the program is going to say, that's all done. And I really wanna stress this to everybody, right?

When rules are published for the public to read in the federal register, that is not the beginning of the rulemaking process. That is the end of the rulemaking process. And if it were not for all of the bureaucracy that no one is a fan of the text, of the rule that the DOD sent to OMB on Monday would be the text of CMMC that they would otherwise publish in the federal register, right? It is only because 3.0, I mean, the, the version numbers are arbitrary, right?

I mean, the version numbers are really pretty silly, and I think they're more of a distraction than anything else because the underlying requirements that the CMMC program is assessing have remained unchanged. So you haven't really, uh, iterated on the version at all. It's just, it's just a superficial sort of a thing, right? We could call it 3.0, you call it 2.1, you call it whatever you want to. What we do know is that implementation rates across the DIB are sort of two things.

One, they're, uh, less than 30%, pretty much they've stagnated at 30% over the last few years. And they're incredibly highly dependent on the managed service providers who are connected to those defense suppliers.

And so, whether it's the defense suppliers, whether it's their MSPs, uh, I know that didn't get a lot of news and it's sort of this obscure rulemaking thing, uh, but we are now roughly 20 months away from all historical averages, what they say as the actual rule being published in its final form.

And based off our experience at Summit 7, you know, nearly a thousand of these companies that are roughly 50 to 100 per, uh, employees in size, specifically focused on facilitating compliance with these requirements in the DIB over the last few years, uh, to go from average to fully implemented what we would be considered, assessment ready takes 12 to 18 months. So do the math, right? Uh, we are quickly going to be completely out of time.

And most companies, most MSPs are sort of doing the same thing everyone's doing. It's been delayed. What version number are we on? It's been taking them forever kind of a thing. They're gonna wait until that rule is published in its final form, and those assessments are gonna start to roll out. The mega primes are gonna start to require it in an accelerated fashion, and those companies are gonna be a year to two years behind the curve.

Yeah, but I mean, isn't it like, just, um, but isn't this a numbers issue? Well, so if you, you're, you mean in terms of like, I mean, just Think about like what you just described, the number of companies, 70% of 'em, right? Yeah. Aren't there? And then the number of MSPs that aren't there that have to get them there, like, it sounds like, uh, as I, I like to say, Andrew likes my comment, it sounds like it, you're gonna be sucking peanut butter through a straw. Yeah.

It sounds like, uh, it's gonna be, uh, a massive disaster. Right? And that's exactly what we're hurtling towards, which is why the DOD, uh, since the 2020 rule has said the CMMC rule has nothing to do with the requirements that a company has to implement. The requirements the companies have to implement have been in place. We're just showing up to assess. Yeah. So you should get started and implement them.

So yeah, everybody knows nobody's been doing their homework and everybody knows what the questions are gonna be on the test, and now we know within a one to three month window when that test is gonna be started to be administered. Gary, can I just ask Jacob a quick question? Like, Jacob, like 30, 60 seconds if you could. Yeah, yeah, of course. Contrarian. Well, Jacob, isn't this just like HIPAA? You know, I'm gonna, I'm gonna be a contrarian. Oh, you know, it's HIPAA, we, I'll be fine.

I'll just, you know, we'll skirt along for a while. Is it, or is it different? It's different. And I would say for the MSP crowd, the fundamental way that it's different is there is no BAA in CMMC, there is no, uh, oh, we're just a business associate. Uh, we just have an incidental relationship to the protected form of data.

Uh, upwards of 60 to 80% of the evaluation criteria to prove that these controls are implemented can really only be answered by the MSP because that is the work that is being outsourced to them. And so the problem will be, uh, that we're gonna get this on prep in preparation for the assessment. Companies are gonna sign up for their assessment because their large customers are gonna pressure them to prove that they can do it.

Even though the DOD is not going to overnight require everyone to do it, the market will suddenly react and then demand that everybody does it, and then the customer is gonna COC to their MSP and say, we good, right? And the MSP's gonna go, yeah, it's like HIPAA, we're good. And then you're gonna get into pre-assessment review. It's gonna be quite obvious that you are not ready to answer those questions. And so this is, uh, you know what my theory is about what's going to happen?

Very few companies are going to fail a CMMC assessment, because if you look carefully at the documentation for CMMC, there is a lengthy pre-assessment review process to prove that you're ready to go through an assessment. And when it is quite clear that an MSP is not prepared at all to answer these questions, they won't even qualify for the assessment.

So we're gonna end up in a situation, I think, where everyone who's ready to go is probably going to be just fine, because we know what questions are on the test. We know what the answers to the test needs to be. For the most part, the company and the MSP gets to write the answers to the test as a sort of feature of the way NIST controls work.

Uh, so I think there's gonna be a lot of companies that just don't get assessed, but they won't even, they won't even have the luxury of failing the assessment, if you will. And it'll be pretty much entirely on their MSP as a result. Hmm, interesting. Yeah. So let me ask you this. If you right now are in the defense industrial base, where should you be right now in terms of level one, level two, level three, where should you be today? And how would you look at that? Sure. Well, on paper, right?

On paper, I'm not a lawyer, uh, but I would say that what you should be, what you ought to be is having 800-171 fully implemented because it's been required for so long. However, if for some reason that weren't the case, no judgment, uh, then you need to be ready to go for an assessment, uh, basically 20 months from now. So you need to take a look at 800-171, specifically 800-171A.

You need to be answer, you need to be able to answer all of those questions in that document, uh, between now and 20 months from now. Now, what I would say is that 12 to 18 month average is an average. And that usually is the average as a result of companies who have the resources dedicated to it, they're actually taking it seriously. They actually have buy-in at the top. They're actually spending the cycles on doing it, right?

I mean, we're, we're already sort of missing a budget cycle here based off when this news is coming out. So, you know, you, you need to be starting in earnest right now, and this is the sort of thing where it's like, I know it's rulemaking. I know it's this obscure thing. Uh, don't jack around with the timeline. It takes a lot longer to implement them, and everyone knows what's gonna happen when that rule gets published.

The X factor here that I would remind people of is a, uh, ridiculous feature of rulemaking is that once an agency submits their rule for regulatory review at OIRA, they're not allowed to talk about it until it's published. So the DOD has already started to sort of slow down the amount of public statements that they're making outside of testimony to Congress. You note their number of webinars, their interviews, their podcasts, those numbers have dropped off precipitously.

They are in full radio silence mode now. So they cannot get out there and start banging the drum and say, it's coming, it's coming, it's coming. We are in the crescendo here prior to publication. So, you know, what we hear all the time is we, you know, our customers don't have it as a requirement, so we're not gonna do it.

And companies are falling into the implementation trap of CMMC, where the program assesses requirements that have been required. If you don't start on the requirements until the assessment is required, you're one to two years behind. So, you know, we have a, one of our colleagues at Summit 7, Daniel Acreage, just put it put, he puts it best. He's like, there is no being on time for CMMC. You're either early or you're really, really late. So I, I'm gonna make a bold statement, Andrew.

I, I don't think, I think that many, many MSPs, if you ask them the question, have you had a conversation with every one of your customers to see whether they're impacted in some way by this, the answer will be no. Mm-Hmm. So I think there's a lot of hidden risk inside many MSP's customer base, um, that, that that's gonna, you know, that's gonna arise.

So, uh, Scott, talk to us about MSP security programs and specifically, let's just say that, uh, I have a customer, right, that I'm supporting that requires, uh, level two, right? Mm-Hmm. And does that mean that I, as the MSP also must pass the same requirements? In most cases, the answer to that is gonna be yes.

If you are doing traditional MSP and MSSP roles, then yes, you're going to likely have access to controlled unclassified information as part of your day-to-day, and you will have to meet those requirements. In addition, you're gonna have to understand how your customers meet those requirements, and you're gonna be involved in the, in the actual assessment process, uh, you will be involved in the actual assessment process.

So, um, you know, today, the requirement for, you know, for MSPs is going to be CMMC Level 2, if your customer is CMMC Level 2, the expectation, uh, based on what the DOD has said thus far, is that if they're CMMC Level 3, they, the MSPs will likely need to be CMMC Level 3. And there has been intimations that, um, the standard may go beyond that.

And so this is one of the reasons why we actually created, um, this, this non-profit, this 501(c)(6) MSPs for the Protection of Critical Infrastructure, um, was to actually have these conversations with government, uh, to have these conversations with the DOD, to, with the federal agencies, uh, with the Cyber AB. Because traditionally, the federal government does not understand, um, MSPs, they don't understand MSPs.

They understand what a CSP is, a cloud service provider is, uh, a Microsoft, and Amazon and Oracle. They understand that role. Um, and they have put in, well, from their defense, they didn't know who we were like 10 minutes ago. And so, and so they put in standards, uh, for those kinds of providers called FedRAMP. And so I'm sure many of you have heard of FedRAMP and FedRAMP Moderate and FedRAMP High.

Well, those standards are in place specifically for these CSPs, um, the federal government, many cases in many conversations in, in, in congressional testimony, loops and lumps, MSPs and MSSPs in with those CSPs. And the concern is that they're also going to lump MSPs and MSSPs into that same requirement, set of FedRAMP Moderate as a minimum standard for an MSP to be able to participate in this specific economy, in this specific ecosystem.

And, um, and so that's why we created MSPs for the Protection of Critical Infrastructure, because that in one of the areas that we want to communicate with the government about is, hey, an MSP is not a CSP. It requires a different set of security controls. It does not necessarily, uh, require the same set that a CSP would require, and it needs to be tailored.

Specifically, we still need to look at a set of, uh, you know, a tailored version of NIST 800-53, which 800-171 is, but 800-171 is only, is only, uh, concerned about confidentiality. That's the only thing it focuses on, is confidentiality. There's no integrity controls. There's no availability controls in 800-171. And so we need to look at a tailored baseline for 800-53 that's specifically built for the mission that MSPs and MSSPs have.

Um, and so that's the conversation we wanna have with the government so we don't end up getting FedRAMP Moderate pushed on all MSPs and MSSPs. I, I have a question. What are, are you familiar with StateRAMP? Yes, I am familiar with it. What are your thoughts about StateRAMP, um, kind of, uh, filling that gap or an, I mean, StateRAMP wants to differentiate just in the interest to fill full disclosure, I'm an advisor for StateRAMP. I'm not a voting member.

I'm on their technical advisory group or technical advisory board. And so there is, like, there, they wanna be separate from FedRAMP, but they really closely align themselves with FedRAMP, right? The requirement one for one. So I'm curious about the viability of StateRAMP. Yeah, I don't know. The requirement set that StateRAMP is, is using, um, what their tailored baseline looks like. I would assume it's still based on 800-53.

Um, but I haven't seen exactly what the standard is that they're leveraging. So it would be hard for me to comment on that piece of it specifically. Um, happy to, would love to get more information about the specific requirement set. Um, but in general, if it's looking at cloud service providers is probably not going to be, um, as effective as a, as a tailored baseline might be.

And so what it is really supposed to do is trying to differentiate itself and, and, and go towards the smaller providers that are okay providing, um, services to the states. But yeah, that's just offline. I was just curious. Yeah, yeah. So, so that's, that's that. So basically what we're trying to do with MSPs for Protection of Critical Infrastructure, also we call it just the collective, because that's a really, you know, that's a lot of words.

Uh, the, the, the MSP Collective is basically coming together as a group of MSPs, uh, to work together, uh, to, to talk to Congress, to talk to DOD, to talk to other federal agencies to talk to the Cyber AB and basically present these arguments and present these sta these stances, um, about how we think things should go, um, so that we can both protect the ecosystem, but also protect critical infrastructure and national security.

Um, because we don't want to damage national security by, you know, not having standards, right? But we wanna make sure it's the correct set of standards. And if it's not the correct set of standards, then we're not going to meet the ultimate mission of, of both, um, being there and, um, and having good MSPs and MSSPs that can, you know, uh, take care of this ecosystem, um, because there's not gonna be enough of them there to do it.

Um, if they, if they go with, you know, full up FedRAMP, it's going to be a real, uh, a real challenge to get, uh, MSPs and MSSPs to make that leap. Yeah. Interesting comment that David made. He said, I'm gonna guess that if, uh, MSPs are required to comply with CMMC in full, um, there won't be enough MSPs that are com uh, compliant fast enough to actually service, uh, the industry. Yeah. And what I was trying to say earlier, and, and it, and it, and it, and that's true, right?

Um, and mean, we're already to the point of, just like Jacob was saying, the timelines don't line up very well if you haven't done your implementation yet.

Um, and so, and, and I will tell you that it is more difficult for an MSP/MSSP to do it than it is for a standard, you know, OSC or DIB contractor because you have to look at it, um, with, you know, you've got many customers and you have to look at how your processes line up across all those customers and, and to meet these requirements across all those customer sets.

So it is a much more challenging effort for an MSP/MSSP out of the gate, um, than it is for a regular defense contractor. Yeah. So, yeah, it is going to definitely, um, challenge the MSP community. Yeah. Just on that, just on that real quick, sorry, Gary, just to hop in so you, I see it in the chat, I'm sure this comes up all the time. It's the first thing that comes to people's mind, and they go, oh, well, there's not enough assessors for the number of companies that want to get assessed.

And the first thing I always tell people is people make that argument based off of the assumption that everyone will be ready to get assessed. The real constraint, like Scott was saying, is on the number of implementers.

And for the handful of MSPs that are really focused in this area, I would say that when the demand, uh, spikes as a result of the rule coming out, uh, every MSP on this call could probably do nothing but try to help with implementation, and you're still not gonna be able to get the glut of companies ready for an assessment. So the number of assessors is a constraint. The number of implementers is a tighter constraint that happens before the assessor constraint.

So it's something for everyone to keep in mind. And Jacob, just to, to ask you this, you know, um, this is almost like, you know, the scenario where, you know, the, call it a Boeing, call it a Lockheed whoever, and it's a role, you know, almost like a reverse supply chain. They're, they don't, I'm air quoting, they don't care, right? It's like you either are ready or you're not ready, and you're either on the contract or you're not on the contract.

Is that, to simplify it? I think that, uh, for everybody who doesn't have a lot of experience working in the defense supply chain with very large prime contractors, I would say it doesn't take a lot to imagine that they are not exactly, uh, altruistic entities here, right? They are not your friends. This is an industry that is marked and defined since the end of the Cold War by sharp and extensive consolidation, right?

And so, for any company that is not resting on, I'm a sole source provider, and you literally can't get this IP anywhere else, one, they're probably gonna buy you. And if you're not that person, they're gonna find it somewhere else. Now, here's what's, what, another theory, here's another speculation. There's going to be not enough implementers. There won't be enough assessors, right? And so, DOD will not come out overnight and say, if you don't have the cert, you don't get the work, right?

But unofficially, we all know what's going to happen. People are gonna squeak through those assessments. They're gonna get their certification first. And when you flip a coin between you and the company that has the cert, unofficially, they're gonna get the nod, right? And there won't be any official policy to point to, there won't be any specific harm that you'll be able to recover. The phone will just sort of slowly suffering. This is talking to the DIB contractor specifically, right?

It's not a joke. It's not a joke. The market dynamics are not going to be kind to people as this plays out. Scott, last, so if I could just comment and then I'll let you go, Scott, again, like, I don't, I I think we're being naive here, like again, and, and if you think about what might happen in the next 12 to 18 months in regional commercial real estate, again, you're going to see regional commercial banks fail.

You're gonna see the JP Morgans, as we already saw, take over Silicon Valley and others. And as Jacob's kind of alluded to, Scott, your comments, and I'll let you, you know, what you were gonna say, th this isn't like, you know, the, you know, they're concerned, like you said, Jacob, this isn't an altruistic group when you get to the highest levels, the biggest companies, um, and we're already seeing it in banking, and I think we're gonna see it here. Um, Scott?

Yeah, well, I was just gonna say, you know, I'm, I'm looking at the comment thread here, and Andy Sauer is throwing out some really good information here for everybody to read through. And, um, you know, we are, we are actively looking for other MSPs and MSSPs to join us inside the collective. So Andy, you know, you, we'd love to have you, uh, you know, join up with us and, and come on the team. Uh, so please reach out to me.

Um, but, but yeah, I mean, you know, this is going to be a very, very interesting 24 month period, um, to see where this thing ends up and, uh, exactly what happens. 'cause it could, and I've seen the word a couple times in the, in the comment thread, um, the word bloodbath. Um, and, and it could be a bloodbath. I mean, it really could.

Uh, so, but what we're trying to do is come together as a team of MSPs to go talk to government and make it less of a bloodbath by helping them make decisions in the right way. Um, so that's really the goal. And so, let, let me ask you one more question, um, before I hand it over to Phyllis. So I kind of look at it this way. If I'm an MSP, and, and this might not be a choice. My choice might be made for me already, but theoretically, here's my choices.

One, I just focus on a customer base where this doesn't affect me. That's number one. Two, I go all in, right? And a very small percentage of MSPs will be able to get there. I mean, just based on their, if you look at all the MSPs and their scale and maturity, like even if their intentions were good, there's no scenario where they get there.

And then the middle is, are there some that are mature MSPs, it doesn't make financial sense based on their customer base, and they have some customers, do they partner with someone? I, I think what we're gonna end up seeing, and, and maybe we can bring Stuart here in a minute, um, but, and do you agree with my assessment, first of all? Yeah. Yeah.

So I do, I think, I do think what you're, what you're saying is correct, and I think what we're gonna end up seeing is we're gonna see an ecosystem of MSPs and MSSPs develop that literally just focuses on critical infrastructure. And that's kind of what we're trying to bring that group together so that we can work together, because none of us individually can handle this market, right? Um, this is a very large market of companies.

However, the, the requirements are very, uh, um, you know, stringent to get into this market and do it correctly. So we've gotta work together, um, to make sure that, that we're all doing the things the right way. Because if you have companies doing things the wrong way, it just causes problems for everybody. And so we're trying to make sure that this ecosystem is doing things the right way for the MSP ecosystem, but also for the critical infrastructure sector.

Um, but critical infrastructure sector is critical. It's mission critical. It has to be done correct. Um, and, uh, and if you're, and if you're willing to step up to that plate, we want you on the team. We want all of us MSPs and MSSPs to come together on the team, um, and, and work together to make it the best we can make it. Yeah.

And just to, I think just to go to your first point there, Gary, about this, this, you know, affects a marketplace for which MSPs maybe aren't involved, or it's a small fraction what they're involved, what I would say is, uh, people should pay attention to what's happening in the defense supply chain space because it is the canary in the coal mine, right? Ironically, DOD is light years ahead of the rest of the federal agencies in terms of getting their hands around this problem.

We don't have time to go into the details, but just so everybody knows, there is a much larger, uh, effort that has been coming for longer than CMMC has to make 800-171 the minimum set of requirements for all federal contracts. That process is still in rulemaking, the part that the majority of which for CMMC just ended.

Uh, and so if, back to your HIPAA point, uh, earlier, if you are an MSP with HIPAA clients, the 800-171 baseline will be bolted onto the forms of PHI that are considered to be controlled and classified information. So the world is a lot smaller than people think. And so even if you don't believe in the boogeyman within the DOD space, you need to be paying attention to see which way the winds are blowing.

And when push comes to shove, uh, as those far federal-wide contracting rules come online, uh, it might be closer to home than, than you think. So, and, and this is, I'm hoping before that happens, I'll be at, uh, you know, my, uh, we permanently just full retirement. Yeah. So Ja, you know, Jacob's referring to like right. Critical infrastructure. So, Scott, how about, I'll ha I'll let Phyllis ask Jacob, this is his first question, and then I'll rotate in Stuart.

And Stuart, if you could get ready, um, I'll have you take, um, Phyllis's second question to Jacob and, um, we'll kick it off that way. So, alright. First off, Jacob, as a former federal employee, I wanna say you did a great job explaining the process in, hey, thanks, the end curb terms. And it was very clear. I always tell people that it's the worst superpower you could possibly have. Like, I couldn't have super strength or X-ray vision.

I can read NIST publications and federal regulations without getting bored. And you're like, that's not, I guess it's helpful, but it's not cool, nor is it normal. No, it's, yeah, you're, yeah, it's, it's a weird mutation for sure. It's exceptional though. It's like, very well, thank you. Thank you. That's very nice. Um, so, um, as we've said earlier on the call, OMB has until around September, October to complete their regulatory review. So what is it that's really going on?

What could actually happen over the next few months and what do you think the odds are that'll get kicked back to DOD for some updates? Yeah, so inside of the sausage maker, there's basically three steps left. OIRA does their regulatory review, then they send it to the Federal Register to be published, which is where we can all then read it. And then once it's published, we'll know what the remaining timeline is based off of which designation the rule gets.

So OIRA has up to 90 days in the executive order that governs this process. They have up to 90 days to review that submission. Uh, we weren't satisfied with that range of uncertainty. So earlier this year for funsies, we went back and analyzed every DOD rule that had been submitted to OIRA since 2009. Uh, they keep very good records of their dates and, uh, we determined that it takes 66 business days on average for OIRA to review a DOD rule and send it over to be published.

The actual 5% trimmed mean is 60 days. So it is 60 to 66 days from the 24th, which would put us in late October for a published rule. So everybody can just remember sometime around Halloween, the DOD is gonna jump out and scare us with a rule, uh, when it's published. Once it's published, uh, like Andrew was saying earlier, it's likely going to be what's known as a proposed rule.

We put a link to the video from the AB Town Hall of July where I go into great detail, uh, visually of how all this works. Effectively, what that means is the DOD has to get public comments for 60 days, and then the rule can't be effective until they respond to public comments. Uh, for every DOD rule, since 2009, that was proposed, and then they had to respond to comments, and then it was final and effective. It takes them between 280 to 333 business days.

So the long story short: Halloween, we should get a published rule; end of December, Christmas time, is the end of public comments; and then right around April Fool's Day of 2025 would be the day that the final rule gets published and full implementation starts to roll out. Now, to your question about the odds of it being turned back, uh, almost impossible to estimate, there is an option of OIRA to send the rule back.

However, what I would say is part of the reason why rulemaking takes so long is to try to avoid the idea that OIRA would send a rule back. It's actually interesting in how the rulemaking process has evolved over the history of the United States in that we've stacked all of these weird bureaucratic checks onto the process that have drawn it out into this multi-year long process.

Because by the time you have a rule sent to the public, it needs to be done so that the rule knows, so that the public knows what they're commenting on. But if the rule is done, then the public comments don't really have that much of an effect on the rule. So there's a chance most DOD rules do not get sent back from OIRA, but even if it did for revisions, you're adding, what, 30 to 90 days for them to change stipulations of the text of the rule. This is not a major overhaul.

The major overhauls and changes to the text of the rule is what has happened between Monday and the end of 2021. That was when everything was in flux. That was when the text of the rule was being changed. Like I said earlier, the text of the rule on Monday is the text of the rule that DOD would otherwise publish. So we are running out of time for zigs and zags here, and the zigs and zags are all getting shorter and smaller.

And I was gonna say, Jacob, I mean, again, this is complete speculation, but I think by and large, don't you think everybody's in essence fed up with like, let's continue this on and on and on? Well, you know who, you know, who is fed up with it is Congress, DOD did not create CMMC because they thought it was a good idea. Congress pulled them to, in the NDAA for FY 2020.

And I've got a slide in that recording of the town hall where most of the time that DOD is talking about CMMC, they're not talking to industry. They're in hearings with the Armed Services Committee. And the Armed Services Committee says, where is CMMC? And why aren't you done yet? So a lot of times you'll hear people say, Congress is never gonna let this happen.

If you go listen to the testimony, which I know is not an exciting thing to do, but if you just go listen to the conversations that DOD is having in public with the Armed Services Committee, that is not what Congress is saying. Congress is saying, why aren't you done yet? Not, oh, we're gonna kill this. So I just, I know it's crazy. I know we've been talking about it for a long time. Look at the timelines on the slides from the video.

You can go look up the information for yourself and do the calculations. Um, I don't know what else to tell you, but it takes a long time to get it implemented and ready. And those timelines are getting ready to invert in terms of how much time rulemaking has left versus how much time it takes a company to get ready for an assessment. So it's, it's, it's obvious for people who have the eyes to see it, you know, believe it or not. Thanks. Thanks, Jacob. Hey, Stuart. Jacob pretty much answered.

Um, he gave such a complete answer. He also answered, sorry. Sorry. No, I think that's great. It's a good segue into Stuart, can you also comment on, um, your thoughts on what we've discussed so far as well as, you know, the last question, like where do we go from here as far as the rulemaking and how long it would take, et cetera? Oh, and Stuart, can you tell us a little about yourself? A little? That's okay. All right. Well, and I, I'm with NEO Systems.

We are a managed service provider and a managed security service provider focused on serving the government, the broader government contracting community, as well as the critical infrastructure sector, which includes the defense industrial base. Uh, this has been a great conversation. Mm-Hmm. And I know we've looked at it from, you know, one perspective of just, you know, the aperture of organizations available to assess the aperture of organizations that are available to support.

But I think there's another side to this and, and why first, the collective is important and, uh, independent of the collective. Why, back to, you know, Scott's comment is that it's important to do it right. Uh, yes, there are a limited number of MSPs that, that truly are qualified, that have individuals that understand the regulations and requirements that implement ili, uh, implications and how to help organizations satisfy those.

But there's a lot of other companies that are, that are out there that really haven't invested the time, don't fully understand the requirements, but see it as a business opportunity to be able to take advantage of.

And, you know, somebody who gets it wrong has a huge cost, not just for the government contractor who's going to invest time, who's going to invest money, get to the point of taking a certification, failing that certification, failing to get the contract or the business that they were looking for. It's, you know, similarly doesn't further, you know, the whole objective of in, of ensuring the cybersecurity of organizations that support the critical infrastructure sector.

I had an inter interesting dialogue via email with Scott last week. Uh, we were at an event and happened to see an organization, an MSP, who made the claim that we can get you compliant, not just CMMC, but 800-171, Cybersecurity Framework, 800-53. There may have been a few other things, in two weeks or less.

And the problem is that there are companies that are out there listening to these claims and believing these claims, uh, Ellen Lord back, oh my goodness, probably, you know, four years ago, you know, may or issued a warning to the DIB of being very cautious about the claims that organizations were making, and to ensure that claims that were being made were, were truly, you know, being made by organizations that were qualified to support them.

So, uh, the importance of the collective, you know, I think is as much, is ensuring that the overall intent of CMMC, which is to assure the cybersecurity of critical infrastructure, is achieved. That's great. So I'll just, um, I'll just go to my last question in the interest of time and then hand it over to Wes. If, um, Scott and Stuart, if you both wanna, um, kind of chime in.

We talked about, um, how ready, um, an organization can be and how ready an MSP, um, can bring an organization up to let's say CMMC Level 2. So can you kind of walk us through, Scott, like, what do you think it'll take, um, for an organization or an MSP, um, that says, Hey, you know, we're just a small mom and pop shop, and now I have to be CMMC L2 compliant. What do I need to do? What's it gonna take? And, and I think what other people wanna know is how much is it gonna cost me? Wow.

Those are some really loaded questions. Um, so yeah, so I will tell you that we have been working on this since 2017, since 2017, 2018. Um, it's a constant continual improvement cycle of what you're doing from a process standpoint, from a technology standpoint, et cetera, et cetera. Um, and then figuring out how to deliver that to multiple customers consistently, um, is also a big challenge.

Um, I will tell you that, you know, the level, you know, the level that CMMC L2 requires, that 800-171 requires actually, um, and then coming up with 800-171 R3, like Jacob just put in the chat, being a, a, you know, a significant increase over top of that, and we hadn't even talked about that yet. Um, but, but that's gonna add additional requirements to it. Um, I know that we, you know, Summit 7 would've very, would've very, would've had a very hard time, um, executing to that level.

Um, you know, back in 2017, 2018, um, when we were say 25, 30 people, we would've had a very, very hard time doing it. Um, it has taken us maturing over years to even get, you know, really close, uh, to, to where we need to be. So it is a ve it is a significant investment in time and, um, and money, um, how much is, how much dollar wise, um, we typically see OSCs, um, you know, to go, and I'm talking zero to a hundred, zero to fully ready. Okay.

Um, you know, not taking into consideration everything that, you know, maybe you're not doing any longer and all of that, um, you know, it's going to, you're not going to get there for less than, you know, six figures. Um, it is going to cost you, I mean, just an assessment itself is gonna be, you know, 40,000 to a hundred thousand dollars just for the final assessment, right? Right.

Um, and so then you start talking about implementation wise for an MSP, I can tell you that we're into seven figures. Um, you know, for, for our effort that we've put in place over the last four to five years to get there, uh, we are definitely into seven figures.

So it is a very significant investment, but what we're trying to say is we need MSPs to make these investments, but we want them to make them in the right way so that when we're work doing this work for the defense industrial base, we're all doing it correct, and we're doing it the right way, and we're protecting national security as part of that, as part of that process. Um, yes.

Is it a business opportunity, as Stuart said, absolutely, it's a business opportunity, but it's only a business opportunity if you're gonna do it correctly. If you're not gonna do it correctly, then you know, it's not a good business opportunity, one, because you're not going to get there. And two, you're gonna hurt the DIB in the, in the process. Right. And so, um, you gotta be really careful. That was a kind of a long answer, Stuart.

You know, I, I, and, and I mean, we didn't become involved in this, you know, because of CMMC, uh, NIST 800-171, which Jacob referred to, is the requirement. It has been the requirement for over five and a half years. And Neo Systems became involved in developing competencies as an MSP to support government contractors in satisfying NIST 800-171 because it was a requirement long before CMMC was envisaged as a means of needing to enforce it.

Uh, couldn't begin to start or to calculate the investments that we've made, but we continue to make investments and a lot of the investments that we're making today are focused on how is it that we automate the implementation aspects of what it is we deliver, and how is it that we automate kind of the ongoing support and maintenance activities of those things that we deliver, all with the objective of ensuring that what we're doing is going to be compliant and satisfy the, the 800-171 requirements for our client, but also focused on trying to make this less and less costly for.

And I think that's the whole key. If we as MSPs are going to succeed, we need to make it simpler and we need to make it less expensive for a small organization to be able to implement and manage an environment that satisfies the set of requirements. Great. Thanks. I'll over to you s Okay, great.

That thi this has been such a good conversation, and I, you know, I'll admit I sit here from the sidelines watching not being an MSP, um, but seeing this, as Andrew mentioned at the beginning from, you know, the very beginnings of cyber call and talking to MSPs that are going down this journey.

And, um, so this is always helpful and, and thank you to all of you for joining and sharing knowledge and, and kind of letting us kind of lean into, um, your experiences and those in comments, Andy Sauer in particular, and others. Thank you for contributing. So let's shift gears a little bit into the collective. I'm gonna paste a link here just so people can jump into this. If you wanna trust links that I send you, I'm sure it's, it's super safe. Um, but Scott, I'll start with you, my friend.

Uh, I know you've mentioned the collective a little bit, um, but just high level, again, recycle our memories on kind of why you built this, what the mission is behind it. Yeah, so, so basically, uh, the, the mission of the collective is essentially to communicate with the government, the federal agencies, state agencies where necessary, the Cyber AB on topics that are pertaining to MSPs and MSSPs in, um, in critical infrastructure. Okay. Critical, critical infrastructure industries.

And if you're not familiar with critical infrastructure industries, go look up, uh, Presidential Policy Directive 21. And, uh, PPD 21 basically lays out 16 critical infrastructure sectors of which the DIB, the defense industrial base, is one.

And so because we need to communicate to these, uh, federal organizations and the industry as a set of MSPs and MSSPs, um, we felt like we needed to come together in this 501(c)(6) so that we could do it together because one voice backed up by many companies is way more valid and, and easier for co, for Congress to listen to than a bunch of disparate voices kind of saying the same things, but not coming together as a single voice. So that's why we did it. Okay, got it.

So in, in a sense, like we've heard MSPs talk about this type of thing for quite some time. Some kind of like non-profit collective that answers for the majority, which I think is great. Do you, let me just ask an off script question that Andrew loves when I do this. Um, do you, do you foresee this becoming some sort of like self-regulating body almost like the bar associations like American Medical, like do you foresee this happening? That might be what it morphs into down the road.

Our, our current, you know, our current focus right now is just to get good information to Congress and to the Cyber AB and to DOD on how the decisions they're making impact the overall ecosystem and MSPs and MSSPs. And, and that's what we're focused on today. If we can, you know, morph this into a self-regulating body, I think that would be a great thing. Um, because I do believe that this ecosystem is going to have to be self-regulating to a degree.

'cause if we're not self-regulating, we're going to get regulated. Um, and, um, and, and when you get regulated, you typically don't like the outcome of that. And so, um, you know, we, you know, it's going to happen one way or the other. We just have to figure out the best way to make it happen. And one last follow up question then, um, Stuart, I'm gonna go to you on the same question on the collective, but Scott, one more for you.

What do you think it takes to get the attention of congressional leadership, DOD leadership, et cetera, from the MSP collective? Yeah, so that's an interesting question. Essentially, it takes money. Um, you know, it takes money and you know, the way you do it is you lobby. Um, so we are effectively a lobbying organization and the only way you can lobby is to have money behind it.

And so that's essentially what the membership fees for the collective are going to be used for is we're gonna take, we're taking, you know, it's a lot better to take, you know, a little bit of money from a lot of companies rather than each individual, one of our companies. Um, having to put up and pay for an entire lobbyist. It doesn't make sense.

We can't do it individually, but if we pool our resources, we can then hire, you know, hire appropriate lobbyists to go talk to Congress, to go talk to DOD and, and have those conversations and open those doors. And so that's what we're doing is we're essentially pooling our resources as MSPs to go have a conversation with Congress, with members of Congress and with DOD. Got it. Okay. I'm gonna steal from Derek here 'cause he asked a good question.

In chat, is it only focused, is the collective only focused on CMMC concerns? Do you see it branching out from there? So Stuart, I want you to answer this one too, but I'll say, you know, real quickly, um, no, CMMC and the DIB are the first of the federal contractors that are going to get regulated.

But like, you know, Jacob was saying this is going to go, um, federal-wide and as all of the other agencies, DHS, Department of Justice, you know, Department of State, NASA, et cetera, as they start adopting these same types of standards, then we will start working with those agencies as well. But right now, DOD and the DIB are really where all of these efforts are focused. Do you have anything to answer, add, add to that, Stuart? I I, I, I would agree with that.

I think there's enough to be done for us to be able to get the DIB sorted out before we start to move on, you know, to, uh, to the rest of the critical infrastructure sectors. But, you know, this is a regulation, uh, that does apply, uh, pan government and the enforcement mechanism, uh, is going to be extended to apply pan government.

And, you know, ultimately we'd expect it to see to non-government, you know, sectors just, you know, a couple of points, uh, you know, that, that kind of click or double click on what Scott said. You know, while you know, external, you know, I think standards are important and provide some credibility. You know, we've already started self-regulating to the extent of basic requirements for organizations who want to become members of the collective.

And so an organization that wants to join as a regular member at least needs to be able to demonstrate CMMC competency by having individuals that have passed the CCA exam, have that CCA credential, or one CCA and one RPA. And they also need to have gone through or had one client that has successfully completed a DIBCAC assessment. So we wanted to at least establish that there is some, uh, you know, some basic competency or level for organizations that, uh, that are joining this.

And, and certainly from a lobbying standpoint with respect to Congress, yes, I mean, it does take money to be able to get, you know, get access and to be heard. I think what's important is that it's one voice that is being heard with one perspective that we can bring together at the level of the collective, rather than a number of people perhaps who are still trying to kind of adjudicate their differences before it gets to, uh, gets to Congress.

The good thing is when we look at the DOD and the Cyber AB, those doors have been wide open. They have been very receptive to, you know, to working outside and understand the value of public private partnerships. Uh, our relationships as a collective, our relationships as individual companies, both with the DOD and with the Cyber AB, uh, are just really excellent. And I think that's important to, you know, the ultimate, uh, achievement of this particular mission.

We, Wes, can I just ask Phyllis a quick question, Phyllis, are any of the states concerned or, or interested in this and like, I'll just pull it out like because of Virginia and Norfolk, Virginia, like are, and and I'm asking you this because of the MS-ISAC, do you ever hear any of the states going, Hey, this is important as far as CMMC and those requirements? Yeah, yeah, yeah. I mean, I think the states are looking out for that as well.

Um, you know, they're just kind of watching it to see what is going to happen. Um, because as, um, Jacob alluded to, um, things flow downhill, so everyone's watching and waiting to see how is this going to work out, if at all. Everyone is concerned about supply chain, um, and everyone's concerned about getting regulated, so they are interested and they're looking to see what happens. And I will say additionally, the states are very interested in, um, MSP security.

I mean very, it it is high on the list, which is why you have something like a StateRAMP, um, trying to mimic FedRAMP. Well, so much so that you're gonna be in Utah in a week with a panel of MSPs addressing the MS-ISAC fair. Yes. Yes. Yeah, very cool. Wes, I man's a lot of questions I could continue to ask, but we have maybe two minutes left. So let me ask one question and then there's a bunch that came in.

So if those of you, um, there's a bunch of you watching when you guys go the ask a question and everyone upvote and whatever is the most upvoted one is the last question that I'll ask. How about we do this? So rush over there and do that. Um, so while we're kind of waiting for that, Stuart, a a question over for you. Like, how open do you feel government officials are gonna be to recommendations from the MSP community?

Like Scott talked about that just a little bit and you know, the lobbying, that sort of thing, but like, you know, do you feel like there's a disconnect, especially with MSPs? Like, I mean, there's even a disconnect in their voice and their understanding. So what, what's your path? What what's your ideal pathway here? I think the, I mean the ideal pathway is, is is continuing to maintain a dialogue and to be an advisor, you know, to DOD as it's going through and, and proposing regulations.

Uh, and to be able to maintain the dialogue with the Cyber AB as it's looking at how to implement and enforce those regulations or to operationalize CMMC more appropriately. And again, I, again, I emphasize that, that that has been going on, uh, on a very fairly consistent basis. You know, as we've seen things such as the certification assessment process document, the Cyber AB has been working very collaboratively with those in the industry.

The problem has been that there's been many voices that have been going to the Cyber AB and on the Cyber AB trying to reconcile that. I think that we feel that we can be more effective reconciling those differences of opinions and coming up with one point of view and bringing it to DOD, bringing it to the Cyber AB, which is in the best interest of, uh, MSPs, MSSPs, the more important is in the best interest of organizations within, within the DIB.

Uh, so I think that with respect to DOD, with respect to the Cyber AB, uh, again, the, the doors are wide open, the partnership is there, it's just simply a matter of, of our being able to continue to be active in that dialogue and to be able to approach that dialogue with one voice rather than, you know, several disjointed voices potentially. Roger that. Um, appreciate that. Um, okay, so maybe just we'll go into overtime for just a minute if Andrew, if that's okay.

And I'll just ask the, the ques the number one, actually, there's a tie for two questions, so I'm just gonna pick the, the top one from El Spencer here. Um, what else? And, and everyone can read this, right, if you wanna just bring up questions, but, um, that this person says, what else do we know at this point about how MSPs and MSSPs will be assessed? I'm gonna skip down to part of it. Um, who has the authority to implement this recommendation?

Is this being considered part of the rulemaking? Scott, I don't know if you saw that question come in, you wanna tackle that one? I can, uh, I can jump in real quick, Scott, if you, yeah, please, Jacob, go ahead, Jacob. So, because I was, I was, I was reading, I was reading Mr. Spencer's question there. Okay, so a couple things.

One is we need to wait for the rule to be published to know exactly what DOD is going to say, but there are only so many, uh, bowls of soup for little Red Riding Hood to try, right? So like Scott was saying, part of the motivation behind establishing the collective is programs like FedRAMP, programs like CMMC, standards like 171, possibly even things like StateRAMP don't really capture the set of controls that ought to be applied to the use case of how an MSP operates, right?

It's either way too big, the bowl of soup is way too hot and we're talking about mega sized cloud service providers, or they are on-prem archaic old school focused standards of controls and there really isn't an MSP specific standard that's set up. So they reference a paper from the C3PAO Stakeholder Forum, which is a big player in the CMMC ecosystem.

However, it's just a recommendation as far as we know, it's not considered as part of rulemaking, it's not an official aspect of the program, which is why earlier Scott said if the DOD has to pick between FedRAMP for MSPs because they don't understand the difference between an MSP and a CSP, or CMMC Level 2, or nothing, right? At a minimum, right?

The only bowl of soup they have to go with here is CMMC Level 2 for managed service providers, if they decide to get crazy and do a great job of, uh, requiring security from a government perspective, they're probably going to slap FedRAMP onto the requirements and that's when the bomb goes off. So that's why we're saying there needs to be this baseline that's tailored to represent what an MSP is actually doing in MSP operations, and that should be the standard that gets assessed.

Uh, but uh, you know, is it the light at the end of the tunnel or is it the train coming down the tunnel? We don't really know. Uh, but there are not that many good options for what's being considered in rulemaking. Uh, I don't expect them to thread the needle in such a way that your MSP will not be disrupted if you decide to continue servicing this part of industry. Okay, well, that's a great place to end. Andrew, that was awesome. Jacob, Scott, Stuart, thanks a million for coming on.

And um, again, I put the MSP collective, uh, information in the chat. Um, we'll hear more about that, Scott. I'm sure we'll certainly publish it out as, as you know, anything we can to the, to the base about, you know, getting you guys involved. So wishing everybody a fantastic week and we'll look forward to next week having the founder, one of the founders, major founders of Electric AI, um, the MSP that built on automation as their platform. Uh, it's gonna be real interesting.

It'll be with Bill Tyndall, so look forward to seeing you all back next week. Until then, have a fantastic one. Take care everybody. Thanks, guys.