Right of Boom
March 25, 2025

Refocusing CISA Under Trump – Critical Infrastructure & the Role of the MSP

## Navigating the Shifting Sands of Cybersecurity: What MSPs Need to Know About the CISA Reorg

The cybersecurity landscape is in constant flux, and recent shifts in the US government's approach are creating both challenges and opportunities for Managed Service Providers (MSPs). This week, we dissected the implications of these changes, specifically focusing on the potential impacts of CISA's refocus on MSPs and the broader cybersecurity industry.

**The Changing Tide: CISA's New Priorities and the "Department of Government Efficiency"**

The current administration's approach seems to be one of "cutting first, asking questions later." This has led to potential funding cuts and reorganization within CISA (Cybersecurity and Infrastructure Security Agency), impacting programs like the Election Infrastructure ISAC and the MS-ISAC. While the stated goal is to eliminate overlapping efforts and increase efficiency, this refocusing could lead to:

* **Uncertainty and Disruption:** As federal cybersecurity efforts shift, many are bracing for job changes and service disruptions, creating instability within the industry.
* **Shifting Responsibility:** There's a growing trend of pushing cybersecurity responsibilities towards state and local governments. This could result in a patchwork of different standards and requirements, increasing complexity for multi-state MSPs.
* **Questions of Effectiveness:** Concerns are being raised about whether CISA can maintain its effectiveness with fewer resources, particularly in areas like incident reporting and collaboration.

**CMMC and FAR: No Immediate Changes, But Vigilance Required**

For MSPs, it's crucial to understand the implications of these shifts on federal regulations. Scott, a seasoned expert in this space, shared insights into the following:

* **CMMC (Cybersecurity Maturity Model Certification):** The certification aspect of CMMC is fully operational, with certifications being issued since January. Furthermore, Katie Arrington, a champion of CMMC, has been brought back into the DOD. Overall, this signals that the CMMC program is here to stay.
* **FAR (Federal Acquisition Regulation) Clauses:** The proposed FAR CUI (Controlled Unclassified Information) rule is moving forward, but there's no immediate threat.

**The Opportunity for MSPs: Stepping Up to the Challenge**

These changes do present significant opportunities for MSPs who are willing to adapt and evolve. Here's what your MSP needs to consider:

* **Increased Demand:** The focus on critical infrastructure and the potential for increased threats will drive a higher demand for robust cybersecurity services.
* **Upleveling Your Capabilities:** MSPs need to assess and upgrade their services to meet the increasing demands of a complex regulatory landscape. This includes a strong understanding of compliance frameworks like CMMC, NIST, and the evolving requirements in the federal sector.
* **Embrace Public-Private Partnerships:** Engage with groups like the MSP Collective and CIS, which are crucial to navigating these changes.

**Harmonization is Key: Building a Stronger Future**

The discussion highlighted the importance of harmonization and standardization across agencies and sectors.

* **Standardize Reporting:** The current situation, with multiple agencies requiring different data on different timelines for the same incident, creates a significant burden on MSPs. Efforts to streamline and harmonize reporting processes are needed.
* **Support a Single Standard:** The long-term goal should be to reduce the burden of compliance and promote efficiency by pushing for a single baseline standard.

**Key Takeaways and Actionable Steps for MSPs**

1. **Stay Informed:** Read articles about changes in CISA and the federal government.
2. **Strengthen Your Cybersecurity Posture:** Focus on providing robust, adaptable cybersecurity solutions.
3. **Build Strong Relationships:** Connect with the government and sector-specific communities to help stay ahead of any shifts in strategy.

In a world of constant change, staying informed and agile is essential. MSPs who embrace these challenges and proactively adapt will be best positioned to thrive and continue to safeguard our nation's critical infrastructure.

Guests

Andrew Morgan
Gary Pica

Video Transcript

Okay, welcome. Alright everybody, I apologize. I'm gonna get the team back on here. For some reason, we had an issue with Restream, so just please bear with me one moment. Okay. Can you all hear me now? And is this coming through? Okay. All right. Hey Phyllis. Hello. Looks like the chat's working now. Chat's working. I think we lost most of our audience, unfortunately. Oh, no. Uh, but we'll, we'll get it recorded and, um, hopefully people will refresh YouTube and, and find their way over here.

Uh, let Gary get in and, uh, we'll get going again. Sorry about that, folks. I'm not sure what happened with Restream this week, but did not, did not play the way I wanted it to. Um, Lemme just, so as Gary gets in, we'll get going. Okay. Sorry about that, Scott. No worries. Alright, where is there? Alright, Eric, thanks for letting me know Mr. Stu. Um, appreciate everybody's patience. Let me see if Gary got the, we will get going in just a moment. Huh? Gary? They host.

We are all No fun when technology does not. I know, right? Let's see. All right. All right, Gary, thank you. Thank you all for your patience. I mean, and once again, this, this is a first. We, we had this a lot with, uh, Crowdcast, but this is a first for Restream. So let's, uh, with time ticking away here, let's get on into it. And, um, you know, this, this week, um, Scott, uh, posted something.

It was an article, um, from Federal News Network that I thought it was really fascinating and we're, that's what we're gonna unpack today and the title. And I'll put the URL in shortly. And thanks for letting me know. Yeah, I, yeah, I appreciate you letting me know, Ann, something happened. Um, so hope, hopefully they'll see everything. Uh, thanks Eric. I really appreciate you guys doing that.

Um, so, so as we let people come in and, and start to talk about this refocusing CISA under the Trump administration, a lot, a lot has gone on, uh, things that have affected everything from Phyllis's organization, you know, indirectly, CIS, which is home of MS-ISAC, the Electoral ISAC. Um, obviously we've seen things as far sweeping as the removal of the Department of Education. There's a lot going on in federal government right now.

Um, while we just wait for a few more people to come over, uh, I did wanna open this up, Gary, with the, I'm surprised that you didn't buy Wiz, but it looks like Google out you, uh, at the 32, uh, billion mark for the largest security transaction ever, um, ever is a long time Gar. But, uh, what any thoughts on, you know, so like p you know, acquisitions had really quieted down right in this market, and then I've been 31 and my wife said, that's as far as I could go. I, I I Smart woman. Yeah.

Yeah. It, it's, I don't know, it's hard to know what to, like, you see some of this, these things, these valuations, but as you said, Andrew, it's kind of the exception to the rule now, right? It's quieted down a lot based on some of the results of some of the act, you know, at least at that, at, at that high level. So it'll be interesting to see, you know, what the future holds. Yeah. Scott, four years though, Wiz started four years ago. Yeah. That's amazing.

I mean, a, a category by the way, like other organizations like Orca Security had had a lead, but, um, I listened to, I think it's called Off the Wall, I to a Chama and some other guys, guys' podcast. It's really well done. And they were saying it was, you know, Gary, this goes to Point, but I, I want to get Scott's comment on this first, but I do want to ask you this Gary execution.

Like, it was about how the company, just, the experience, um, everything from the UI, how the integrations just, they, that's what they really talked about, that they just outmaneuver everybody so quickly and so well, um, yeah, Execution is so critical. Um, but four years from zero to $32 billion is just insane. Uh, that is just a crazy path.

Um, you know, and I've seen a lot of people commenting and wondering, you know, is, you know, Wiz made, you know, their, their big thing was the cross-platform nature of, of what they do, right? Um, and, you know, are they gonna maintain or be able to maintain that same level of expertise across platform, you know, within the Google umbrella? Um, you know, what is that gonna look like, right?

Uh, so I, you know, I've seen, you know, just in the last, just in the last few days, and, you know, Reddit is what Reddit is, right? But, um, you know, I've seen a lot of people talking about, Hey, do I need to be finding a new provider? Because, you know, everything's gonna be mo you know, moving to Google, you know, through Wiz, and we've got Wiz today. Do I need to be looking somewhere else? Mm-hmm.

So there's a lot of uncertainty, you know, within, you know, within the ecosystem as a whole, I think about the acquisition. Um, you know, and, and you know, Gary, you said, uh, or maybe Andrew, it was you that said that, uh, you know, the, the, the M&A transactions have kind of been, you know, depressed, if you will, for the last, you know, 12 to 24 months. You know, it's been, it's been, you know, there hasn't been a lot going on.

Um, and I think that has, that may have something to do with why their valuation was so high. Hmm. Um, there is a lot of money sitting on the sideline right now, um, and not a lot of it is flowing. And all of these firms, they've gotta get that money to work. And so when they find a target, I'm, you know, I think that the right targets are going to get significant valuations well beyond what they would've gotten, you know, five years ago.

I mean, you still see money flowing into, um, businesses like MSPs, right? And other sectors that are based on multiples of EBITDA. They'll go up and down based on interest rates and market, those kind of things. But where you see these wide fluctuations are these companies that are, you know, valued as a multiple of sales.

And you just, especially now as money gets more, uh, expensive, even though there's a lot of money on the sidelines, um, they feel a higher, much higher level of risk, even though I think the level of risk is the same, you know, but the envi but the environment has changed. Just one last comment, Gary. 'cause I think there's always relevance, like for, you know, big business, but the lessons learned, right?

But to, to the point of execution, like, you know, we hear commoditization, you know, et cetera, et cetera, but isn't this a strong lesson that there like, Wiz isn't the only one and yet they executed better? So, so that lesson for MSPs? Yeah. I mean, look, if you're an MSP, the two lessons I would have is the, one of the great, you know, the downside of an MSP is, it's not like if you hit a software company and it just turns into 32 billion or a billion or, you know, there's limits.

But the other side of it is you're not really affected by too many things. Competition, um, uh, economy, those kind of things, you pretty much, your plan is based on execution. And if you understand that, and number two, that all companies are go to market companies. They're not software companies, they're not service delivery companies. That everybody, every company is a go-to market business.

And if you tie those two threads together right now in the MSP business where it has a, you know, expanding TAM, you can, you can achieve whatever goals you set down if you, if you have your plan. Yeah. Good stuff. Alright, let's get on into it. So thanks for everybody shifting over here. It looks like we got the, you know, a bunch of the audience back over with us. Thanks for the patience, and we are gonna get into today's, um, uh, topic.

And in, in doing so, Scott, um, for those that may not know you, could you do, you know, a brief intro and, uh, as always, um, maybe just start off with, I, I love, you know, thank you for your service. I love starting off with, you know, being a West Point grad and, and some, and, and some stuff that's going on with your family too. That's awesome as well. So, um, but take it away. Yeah, sure. Um, I am the CEO and founder at Summit 7.

We're an MSP focused in the defense industrial base and federal contractor base. So we specifically support, uh, you know, the DIB, which is one of the critical infrastructure sectors. So anything that, you know, anytime we're talking about CISA and, you know, regulatory requirements around, uh, critical infrastructure and supporting critical infrastructure is something that we're very interested in.

Um, also one of, uh, one of the directors for, um, the MSPs for the protection of critical infrastructure, uh, which is a group of MSPs, uh, that we're putting together, uh, that focus specifically in that sector. Because believe it or not, federal government does not understand, uh, ESPs very well. Uh, they don't understand MSPs, they don't understand MSPs. Uh, they many times get them confused and, and conflate ESPs, uh, MSPs, MSPs with CSPs like Microsoft and Google and Amazon.

And we're very different, very different animals, right? And so, uh, we try to do, um, a lot of bringing that specific ecosystem together to communicate to government, to communicate to industry, to communicate to the critical infrastructure sectors about what we are and what we do.

Um, and, you know, the, the benefits of working with an ESP, things like, uh, controlling costs and the risks of working with ESPs and government needing to understand what those risks are, uh, when they're putting regulations in place, uh, you know, that's really critical. So, um, yeah, it is, uh, it's a very interesting, very exciting place to be right now.

There's a lot going on, obviously with the administration change and everything that the administration is, uh, changing within the ecosystem. And then also the, you know, the changes that have been working their way through the process, through the system over the last two to three administrations, um, that, you know, some of those things are finally coming to fruition.

Uh, things like, you know, um, the CMMC requirement for the defense industrial base, the FAR CUI rule set that is going to impact all federal contractors. Um, you know, all of those are kind of in, in the world that we deal in. So, so Gar, as I hand it over to you, I think in, in Jacob Horn's words, who works for you, Scott, the sausage has finally been made and a lot is changing.

Um, I think, again, Gar, and I'll put the article in there that Scott, you know, put up, and, and I think this is the thing, like a lot of times people think, you know, defense industrial base, as soon as, as soon as it, it's CISA and critical infrastructure, kind of like default is, okay, it's CMMC, it's the DIB, it's, but, but by and large, Phyllis, right? We're talking north of 60% of critical infrastructure being supported by MSPs.

And this is a, this is a big area that is not just about defense industrial base. This is where, you know, MSPs that are water utilities, SLTTs, you, you know, you name it that financial, et cetera, right? This is gonna have ramifications. Yeah, 100%. I mean, I think, you know, we've said it so many times that MSPs really are supporting the backbone of this nation, which are those small mediums to include, um, those smaller government entities, uh, not just big federal agencies. Yeah.

Gary, over to you. So let's first talk, there's a lot going on with, um, DOGE, I'm gonna put air quote department, uh, of government, uh, efficiency. So can you give us like a little overview of some of the proposed changes that like you're aware of, um, with CISA, with the Trump administration and some of the rational, like what have you made? Can you make a rationale out of it? Yeah, sure. I mean, there's, there's a lot of changes going on.

Um, I think everybody's pretty aware, well aware of, you know, uh, just kind of what feels chaotic in a lot of ways of how, um, DOGE and the, and the new administration are going about, uh, implementing changes. Um, is it chaotic? It feels chaotic. Uh, you know, there's been, for example, impacts to Phyllis's organization in CIS, right? Um, you know, the Elections Infrastructure ISAC as well as the MS-ISAC both, uh, either being defunded or losing funding.

Um, and, you know, the comment across the board has been, um, they, that the administration wants to remove overlapping, um, missions and agencies, uh, so that we're not paying for doing things in multiple places. I don't necessarily agree that those were overlapping, uh, you know, capabilities that were out there. I don't know who else is doing, you know, the MS-ISAC and EI-ISAC work today.

Um, I don't know who else that would be doing that outside of, uh, outside of, uh, CISA supporting CIS to do some of that work.

Um, but I think that there, to some degree, there is a, uh, an idea of, you know, and I think, I think we've seen this across the board with a lot of different, you know, things that are going on right now within the administration of essentially cutting and then asking questions and then bringing things back at some point in the future, um, at either a reduced rate or, or something like that.

So, I think that we may see some of these things come back at some point, um, but there is an, uh, there is a need or a desire to, um, you know, to, to make a lot of cuts right up front and then bring back the pieces that are determined to be essential, um, at a later date. And it, it causes a lot of, uh, a lot of, um, you know, churn, if you will, both from a standpoint. Yeah. People gotta find other jobs, like they're, you know, yeah, they gotta go on with their lives, right?

They can't lean around to see whether they get called back. Right? Yeah, no, that's absolutely correct. I mean, I know that, you know, a lot of these agencies have had employees called back, uh, you know, in the last week or so, and, you know, some of them aren't available to be called back. They found other jobs already, um, which is great for them, right. You know, they had marketable skills and they were able to go find new jobs and, and that's all great.

Um, but it, you know, it could have a long-term impact on, you know, certain missions within the government. Um, you know, as, as a whole, you know, i, I support, you know, the idea that they have of getting rid of overlapping missions, um, and support and, um, you know, not, not paying for two or three different groups, two or three different agencies to do the same exact thing. That doesn't make a lot of sense, right? There needs to be coordination and harmonization among the agencies.

Um, it just hasn't been done in a very coordinated fashion, I don't think thus far. Um, so, you know, for example, you know, you look at, at rules that are out there right now, like the CRC rule, uh, you know, the CRC rule, um, that I think, Andrew, you had, you know, it is actually talked about in the article that you posted, you know, that I posted about, um, you know, there are a lot of reporting requirements that are overlapping with reporting requirements from other agencies.

Um, and that causes absolute, you know, absolute challenges for ESPs, for the MSP community, um, and for just industry as a whole, because of, you know, having different timelines for reporting, having different data that they have to report to different agencies, all about the same exact incident, um, that needs to be fixed. Um, you know, CISA probably does need to be the center of that, you know, reporting scheme, and then they can distribute out to the rest of the federal government.

But, um, right now, the, the, all the agencies are not playing ball together, right? Um, you know, DOD and SEC and Department of Homeland Security and CISA, you know, they're just not all working together on the same page and haven't for administrations. Now, this isn't a, a recent administration problem.

This is just a whole of government problem, uh, where every agency wants specific data that they're interested in, in a very specific way, that they want it on a very specific timeline that they wanna receive it. And every single agency has a different standard. Um, and that makes it really, really challenging, you know, to, to share data with the federal government in, you know, in an appropriate manner. So it seems like there's a mandate, right, for CISA to focus on.

Its, you know, its core job, like what it, its core role at the same time there's reductions. So it's kind of counter like, how realistic do you think they'll, that they can do a better job with less, less resources. And what do you think will be some of the gaps in critical infrastructure based on that? Well, you know, there's always going to be some level of funding that, um, you know, may not be as, uh, being used as efficiently.

So I think that there is a general idea that, uh, there may be funding that can be better used within CISA. Um, you know, I know for example, the, the review board that was put in place, and I believe Michael talked about this in his article as well, um, the cybersecurity review board that was put in place, um, and was funded by CISA was not super effective. Um, you know, the reports that they put out were dramatically late, um, not useful by industry because they were so late.

Um, and there were criticisms that essentially that review board was, was just a place for cybersecurity influencers to, you know, to essentially, you know, rooster tell, if you will, you know, to feel like they are, you know, important. Um, and so I think that, you know, Michael called for in the article, Hey, we need, we need, this capability needs to exist, but it needs to exist in a different way, and it needs to be more effective than it is.

Um, so I think that there are ways that you can find funding within CISA and redirect that funding to make it more effective, um, you know, if it's done, you know, if it's done in an appropriate manner. Gotcha. So the critical infrastructure, I'm gonna read this one, critical infrastructure partnership advocacy council, right? Um, gets disbanded if I'm correct through this. So what was the purpose of that, and what do you think it means? What was the purpose of it?

Um, I don't know that any of us know the actual answer to that question, Phyllis, maybe you can answer, you know, maybe you can step in on a little bit of that, if you've got any insight into what the actual purpose of the disbanding was. Um, I don't have any insight information on, on what the thoughts were there. Um, like I said, some of the cuts seem random. Um, you know, you, it's really hard to tell sometimes. Yeah. Well, I guess it's, it's, you know, difficult.

'cause if there's not like watch guards and no checks and balances in place, I guess we'll continue to see some of that. Um, And, and, you know, in some cases it may be, and, and this is me just complete supposition at this point, um, because I don't really know. Um, it could be that, you know, they're looking at removing, while on one hand they say they wanna do, um, public-private partnerships, and that's something that's really important.

Um, that's on one side they say that on the other side, you know, you see funding to, uh, nonprofit organizations being cut that are part of that public, you know, public-private partnership ecosystem. Um, you know, the CIS is obviously a 501(c)(3). It is not a government agency. Um, and so we were having, you know, there was funding coming from CISA directly to, uh, CIS to fund EI-ISAC and MS-ISAC.

Did they go through and look at, um, and specifically target funding going to nonprofits, and then just cut that, that funding off? And so MS and EI-ISAC got caught in that. I don't know, it's, it's a, it's a possibility. Um, and then they're looking at redistributing that funding within the organization. Um, you know, that could be, uh, could be one way that they're looking at doing it. I just, I just really don't know, Gary.

I mean, it, it just seems interesting, Scott, your point, um, for example, I heard this morning that there's a talk of, and there there's a point to me saying this, there's talk that, hey, all the pharmaceutical ads, right, are gonna, you know, get shut down. Right? And, and interestingly, you know, uh, from a Trump perspective, a lot of the, um, news networks weren't his, you know, favorites that would necessarily show those ads. And so that's, that's a kind of a, a, a double win, right?

For, for, for both sides. But it would seem also that the Electoral ISAC, which you know, is, you know, supporting the constitution, you know, of, of, of our country, that that, you know, literally all funding, not some, all funding to that organization just got obliterated. That that's pretty alarming. Um, yeah, I mean, yeah, I'm not, I'm certainly not here to pr, you know, to, uh, to, as a spokesperson for the administration anyway. Yeah.

No, no, I, I really have no idea why, you know, why they chose that, um, you know, those specific, uh, those specific line items. Yeah, it's strange. So I guess in the end, what this means is more of a shift towards, you know, state and local governments, um, having more of the responsibility around cyber defense, right? So what do you foresee that means for MSPs to work with these entities? And I know many of them, Yeah.

I mean, you know, I think that that kind of goes along with the entire administration approach of, you know, pushing things outta the federal government and pushing it toward, you know, state, state governments to handle, you know, federalism, right?

Um, that's pretty consistent with what, you know, the, the administration's view has been in lots of other areas is, you know, uh, shrinking federal government and, you know, pushing those decisions and those controls down to state and local levels. What is that gonna mean?

Is it's gonna mean, you know, you're gonna have potentially, um, you know, more different organizations if you're working, you know, across multiple states, you're gonna have multiple different organizations with different standards and different, uh, needs and requirements that you're gonna have to work with as a, as an MSP. Um, and that certainly is gonna bring its own level of challenge. You know, we need to be harmonizing these standards.

We need to be, you know, getting to the point where, you know, we're doing the same thing across the board rather than, um, rather than, you know, coming up with 50 different standards, right? One for each state that would make things extremely challenging for, you know, multi-state, you know, MSPs, uh, that work in, in multiple locations. So, um, you know, not something that I would certainly think that is, uh, gonna be efficient.

Um, you know, I know that, you know, there are things like the StateRAMP program and some other things where they're trying to get multiple states together to do things in the same way. Um, you know, but even that, you know, there's, there's a lot of confusion with that and, and how that, you know, contrast with the existing FedRAMP program, um, as well. So, Gary, did I, I got the question back to you.

You sit on boards with some very large PE backed MSPs that are multi-state, if not, you know, Canada and US type. So like, when you look at this, of all of a sudden it's in the state hand and state A says one thing, state B says another. Like, how do you look at that as an advisor to, to if these potential things come to roost? Yeah, I mean, it's, it's, it's a big potential problem.

The only other side of it is I don't think things will change even more slowly because the states don't really have the resources to take on anymore. So I, I think the result will be, um, kind of everything that, you know, we've been seeing talking fellows about kind of working forward to get this momentum. I, I think it'll get stalled, and I think it's probably a pretty good day to be a bad guy. Yeah, That's fine. I agree. Yeah. Good day to be a bad guy. Good day.

If you like election interference, you probably have a much, you know, you have a window probably going forward where it'll be easier and not harder. It's gonna be one of these, again, reactions, right? Gar, like, things are gonna have to get bad, and then, oh, yeah, maybe we should have not removed all the funding for, for this agency, right?

Listen, with all the funding and all the inefficiency, just in the time that we've been doing this podcast, we've seen slow, but we've seen motion in the right direction, right? Right. Come, and so very hard to gain ground. Um, and, but it's really easy to give up ground and even harder to gain it back. So this is definitely, I would say, I don't, I don't think anyone would say that, that this, this is, is not a setback for critical infrastructure, cybersecurity, defense.

I mean, I, I don't think that's a political statement. No. But, um, Scott, just one more thing, but before turn it over to Phyllis. There was some, you know, posturing in the article that, or from the Trump administration, which this I kind of agree with that. Like, CISA's mission kind of got diverted, like, Hey, you're out on social media, you're getting involved with things that really aren't targeted with your core mission. Is, can you speak to that a little bit?

I mean, is there some truth to that area where they're saying, Hey, that your job is to protect the country and critical infrastructure, your job isn't to be political in nature, Right? Yeah. And I, I think that, you know, I think that as we see the administration making changes, um, you know, I think that there is a movement within the, within the administration as well to, uh, protect some of the cybersecurity rules that are being put in place from change in modification.

Um, you know, 'cause you know, there's been, you know, there has been, um, you know, requirements to, you know, remove regulation for every regulation you add, you have to remove 10, those kinds of, you know, ideas that have been floating around within the administration.

And I think that, you know, there is a recognition within the administration as a whole that, um, you know, that does not work very well when you come, when it comes to cybersecurity, uh, simply because, um, simply because we are so far behind the eight ball on, um, on, you know, attackers having the upper hand against our, our critical infrastructure, and we need to be, uh, implementing, um, additional controls, additional capabilities.

Um, I, I just, I cannot, um, justify that with some of the cuts that we have seen within CISA. It's really hard to do that. So, you know, one hand, you, you hear people within the agency saying one thing, and on the other hand you hear, you see, you know, cuts being made within a, without any real explanation of what's going to happen to those cuts and where those dollars are going to flow.

Could there be some connective tissue on the backend where that those funding, that funding is going to another place where it's going to be better used than it's being used today? Is that possible? Yes. Um, has that been, um, talked about or advertised? It certainly has. Not yet. Not that I've seen. Um, so, you know, we're just, we're gonna have to wait and see what happens, I think. Yeah. I love Scott's optimism. It's very cute. I know, I mean, I'm just, you're, You're adorable, Scott.

Well, I just, I have to be optimistic because, um, the, the situation is dire, um, out there. And I know that there, I know people within the administration, and I know where their heart is at, and I know what they think and how they feel about things, um, and the conversations that I have with them, and they're, they want to do the right thing. Um, and so I have to have optimism that those individuals are going to have the impact that they should be able to have.

And we're going to see, um, we're going to see that over the long term. Um, like I said at the beginning, you know, a lot of the things that are happening right now seem very chaotic. Um, ultimately the chaos is going, is going to have to calm down, and then, you know, we'll see where the long-term, you know, where the long-term, uh, you know, impact is. Awesome. All right. Phyllis? Yeah, sure.

I mean, I'll just make one commentary about mis- and disinformation that originally came out of elections, and it really was about, um, what would happen is there'd be mis- or disinformation saying, this local elections place is closed down, so don't go there. So that's, that's where that kind of spun out of, was to say, oh, that elections facility isn't closed down. You can vote. Because there was some, there was some, um, uh, there was an effort to not necessarily change votes, right?

So votes weren't changed, but to influence results by not by, by, um, trying to get people to not vote in certain areas. So, um, that's why I think CISA was involved in that. Uh, it may have expanded since then, but that was really the origination, um, was to make sure that people knew things like that kind of mis- or disinformation, they could make it to elections. All right.

So, um, you know, given Scott, given the reduction in federal oversight, what do you think the implications on CMMC or requirements that, um, recently passed FAR clauses mm-hmm. Um, and, and that went into effect, how, how are these changes gonna affect these types of federal regulations? Sure. Um, you know, as of right now, I don't see any impact, any negative impact to those, uh, those regulations.

You know, the 32 CFR, which was the program rule for CMMC, that was, uh, you know, that went into effect in December. So that is fully in effect. Certifications have been ongoing since the, the beginning of January. Um, you know, so that is, you know, the certification aspect and the program itself is all, you know, 100%, you know, you know, moving forward the regulatory freeze that happened, uh, that's a pretty standard, um, thing that happens across all administrations at this point.

When an administration changes, the administration comes in, puts a regulatory freeze on everything so that they can ensure that their people review the regulations that are on the way out rather than, you know, the old administration, that regulatory freeze is over now. It ended on March 21st. Um, so the regulatory freeze is over at this point.

Um, the, the final rule for the 48 CFR rule, which is the rule that will put the CMMC requirement into contracts for defense contractors, um, is expected, you know, really any day at this point, anytime between now. And I would say June is kind of when we would expect it. That's the rule that we'll actually put the requirement in contracts. Um, you know, I don't foresee any, any impact to that final rule.

Uh, you see who has been brought into the DOD, um, you know, Katie Arrington is now the CIO, um, at DOD. Uh, she obviously is, you know, one of the, you know, biggest engines behind CMMC all the way back to 2019, um, in the first Trump administration. Um, I do not believe that there's any way she would've taken that position if she, you know, if she thought that CMMC was going to get killed. I mean, it is one of her babies, right? Yep.

Um, so, so I don't foresee any change to the CMMC program, uh, based on the administration change at this point. As far as the FAR CUI rule goes, you know, the FAR CUI rule, um, you know, the, the proposed rule was out, the comment period just closed last week on the FAR CUI rule. So now it'll go through its process of, you know, comment, answer, and then, you know, re-releasing a final rule. Um, you know, we make comments as part of the MSPs for Protection of Critical Infrastructure.

We had a set of comments that we sent in on that rule. Um, it was a few pages long. Uh, you know, you can go, go to the MSP Collective .org website to see those, or you can go actually pull it off the comment website for the rule itself. Um, you know, there were, you know, I I wanna say, I think it was somewhere around 80 comments total, uh, which is way less than the CMMC rule had.

Um, so, um, you know, there's, there weren't that many people that commented on the FAR CUI rule, uh, but that one is continuing forward as well. I don't expect to see a significant, uh, significant change to that rule either. You know, some of the things that I did not like in the FAR CUI rule were some of the reporting timelines.

Uh, some of the reporting timelines are, you know, not really, um, you know, something that could really be effective, you know, things like eight-hour reporting timelines on, you know, on incidents or suspected incidents. Um, whereas DOD within the DFARS 7012 rule, uh, gives you 72 hours. Um, and so, you know, eight hours, and even within the rule, they say that, you know, it's gonna take at least four hours for you to prepare the information needed to report. Yeah.

So, you know, that's, that's just a, not, not really a, a great, uh, timeline there. So, Yeah. Scott, I'm just curious with that, how, you know, you, this is your business, like this, you know, you focus on this. Mm-hmm. How do you, you know, one of your clients has an incident. I mean, by the time you get, you know, forensics, you know, investigation like it, how, how do you handle that? I mean, it's, yeah, It's, it's gonna be really challenging.

It's gonna, you're gonna have to do a lot of automated work to be able to meet something like that. Um, and I don't know that I have all the answers on that yet. Um, that's why, that's one of the reasons why we made the comment that we did. They need to make these, uh, reporting timelines, uh, standardized across the agencies.

And the data that is being reported needs to be standardized across the agencies, uh, because it's very feasible that, you know, if we are supporting a defense industrial base company that is, um, that is a, um, a publicly listed on the stock exchange company, um, there's very, it's very feasible that we would have to report different information to the SEC, to the DOD and to CISA, um, all on different timelines. And that's just for three agencies and there's others out there as well. Right.

Um, which it just really becomes very, very difficult for any kind of, not just a, not just a a a company, but for an MSP, especially if you're doing it for multiple companies. Right. Um, that makes it really, really challenging. And the only way you can get there is, um, through harmonization and most likely through some automation as well. Yeah. Yeah. Then you didn't even mention things like PHI or things that, that would be on reporting. Yeah, I mean, that, that's, that's, yeah.

So if you're talking about a publicly traded, you know, health system, uh, that is doing work for the VA or the DOD, um, you know, now you've got, you know, four or five different agencies that you've gotta report to, and that's really, really challenging. Yeah. Wow. Alright. Phyllis, more fun over to you. Yeah. So do you see these changes, um, you know, creating any opportunities or hurdles for MSPs, for example, there could be an increased demand of services. Sure.

I mean, anytime, anytime that there is, um, you know, challenges or confusion, um, or information asymmetry within a market, there's opportunity, right?

Um, it's just a matter of what, you know, what opportunities do you as an MSP want to, uh, uh, want to take advantage of because it's going to require pretty much any MSP involved in the ecosystem to significantly up level what they're doing today, uh, to meet the requirements that the government's asking for, uh, that the critical infrastructure sectors are asking for.

Um, you know, CISA, DOD, whoever it is, um, is going to significantly, uh, re it's gonna require significant upleveling, um, of the existing MSPs out there. Um, and you know, MSPs, you know, the majority of the MSPs in in the ecosystem are small. You know, they're, you know, they're, the majority of them are very small, you know, sub sub 20 employees in most cases, I think, right? Sub 10. Yeah.

I mean, and so the sub 10, even sub 20, I mean, I know some sub 20, uh, employee MSPs, uh, that have, you know, done things like CMMC and getting ready for CMMC, um, but, you know, you know, think Axiom, right? Axiom with Bobby Guerra, you know, great, great company, small team, they've, you know, they've done great work in, in uplifting themselves to be able to support the ecosystem. Um, but it's been an all of company effort for them, and it's all they focused on for a couple of years. Right.

Um, if, if you're a sub 20 employee MSP, um, and you're not willing to put in that level of effort and that level of focus, then, you know, you probably don't want to be engaged in that ecosystem. Yeah. Okay. He's done a phenomenal job. Him and, uh, Andy Sauer too, right? Andy Sauer, yeah. At Sentinel Blue. Andy's done a great job. Um, I mean, there's, there's a number of smaller MSPs out there that have done it and have done a really, really good job with it. Yeah.

Um, and that I would have no, you know, no qualms about, you know, pointing, you know, pointing people to go use. Right. Um, you know, they've done a great job and, but, but they have had unusual focus, um, you know, laser focus for years to get there. Yeah, yeah. Yeah. By the way, um, they, they, they both reached out to me and I think, let, let me know in chat, but they, uh, wanted to come on and talk about, uh, their, their certification process and what it was like to go through, um, yeah.

For a smaller MSP, let me know if you guys thought that. I think that would be an interesting, I'd love to have them on so you guys could hear the level of efforts almost like, uh, I, a different note, Eric Woodard's 2,000 to 3,000 hour investment in CIS. Right. Phyllis, it's just right. Staggering what some MSPs will dedicate. So, Yeah, I mean, you know, Bobby has a podcast, um, and, you know, I think he's talked about it.

He and Andy actually, I think were on the same, uh, I think he had Andy on his podcast and they talked about it for one of the episodes. So, um, yeah. It's, it's an interesting conversation. Yeah, for sure. All right. Tell us, Yeah, so also in the article it calls out fostering public-private relationships. So what steps do you think MSPs should take to make sure their teams are prepared to handle the evolving cybersecurity landscape, um, resulting from CISA's reorg?

Yeah, so public-private partnerships I think are really important. And this is a, this is a place where I know, uh, CISA has played a lot, you know, played a big role with EI-ISAC and MS-ISAC. This is a place where, you know, you know, our organization, the MSP Collective, also known as MSPs for the Protection of Critical Infrastructure. This is the same place where we play as well, right?

And so if you are an MSP that is interested in this ecosystem, you're interested in this bar market segment, this vertical, um, you know, come see what we're about and engage with us because we are engaging with Congress, we are engaging with the federal agencies, we are engaging with the marketplace, um, to do some of the things that you see in this article around public-private partnerships and, and, and, and talking about how we as a, as commercial entities can support the mission of CISA, can support the mission of the DOD and of DHS and of Department of Energy in getting the supply chain that we support, that support those federal agencies.

Getting that supply chain secure and compliant is really important. Um, but we need to make sure that Congress and these federal agencies understand what MSPs do and why they do things the way they do them, and how they can do them better, and how government can interface and engage with, um, MSPs and MSPs in a, in a better and more, you know, collaborative way. That's really important.

Um, and so, you know, come get engaged with us, get engaged with CISA. I think that the both of those are really important, uh, ways to, uh, to engage in, in these new public-private partnerships, um, that, you know, the, the current administration, uh, feels like are important. Awesome. Yeah. So what do you think are the long-term implications of these changes for the cybersecurity industry as a whole?

I mean, we talk about, you know, DHS and then CISA, of course inherit the authorities, which are over all, you know, the 16 sector critical infrastructure. A lot of times we focus on DIB because of CMMC. Mm-hmm. Um, but we know it, it's larger than that. And certainly the MSPs are servicing all those sectors, right? We've got healthcare, um, you know, IT sectors. So MSPs are a part of that sector and so on and so forth. Yeah.

I mean, you know, one of the things that I think that we've got to do is continue to tell the government to, um, you know, I, I've said this word probably a dozen times already harmonize, right?

All of these agencies need to get on the same piece of paper, um, even within the FAR CUI rule, uh, which, you know, the FAR Council, which is made up of NASA, GSA and DOD, um, got together to release, um, you know, the FAR CUI, the proposed FAR CUI rule, it does not even have a requirement for third party attestation within, within that requirement, within that, uh, rule. So under DOD, we have the DFARS 7012 clause that requires the implementation to NIST 800-171, right? Mm-hmm.

And then we have the CMMC program that is the third party attestation that a company has implemented the standard appropriately. Well, under the FAR CUI rule currently as written, um, in the proposed rule, they have the 800-171 requirement, but there is no requirement within that rule for any third party attestation. And we know exactly what happens when there's no requirement for third party attestation. People don't do the work. It's just, they just don't do it. Right?

Which is why we have to have CMMC, which is why the DOD implemented CMMC. That's why we have CMMC. Now, the worst thing, the worst possible thing that could happen would be that each individual agency comes up with its own third party attestation program. And so now MSPs supporting DOD and Department of Energy and, you know, all the different agencies have to go through 3, 4, 5, 6 different certifications to be able to support that ecosystem. That would be a disaster.

They need to come up with a single standard. Leverage CMMC, don't leverage CMMC, but pick a standard for third party attestation and let's move forward with it. Um, it's the same thing. That's right now we're seeing the exact same thing happening with Canada. You know, Gary, you were talking about you have MSPs that support, you know, Canadian organizations as well as US-based organizations. Well, Canada has just released their CMMC program, right? It's called the CPCSC.

And that program is actually baselined on NIST 800-171 revision 3 instead of NIST 800-171 revision 2. And so now we have, if you're a DIB contractor supporting Canadian organizations and US organizations, now you have to meet 800-171 R3 for the Canadian certification, and you have to meet NIST 800-171 R2 for the US certification. That kind of, that really makes it very, very challenging for DIB organizations supporting the Canadian federal government and the US DOD. Wow.

So, so Scott, you mentioned the word harmonize. I feel like you said a few times, this, this is obviously a, a hyper, you know, a little bit of a hyperpersonalization, right? We had 9/11, right? And post 9/11, we said, wow, all these departments, if they only talked what, wow, what, what, what could have been, right? This company knew this, uh, this organization department knew this, this department knew this. We should all be working together.

I mean, granted, this is not kinetic war, but we know there's impacts to kinetic war. Sure. I mean, is it almost like we, or did we not learn something, you know, in from those types of dismantling of, you know, keeping these organizations cohesive And Well, yeah. I mean, if you look at the long arc of all of these policies, I mean, you know, even the NIST 800-171 requirement on DOD, that is an outflow of 9/11, right?

You know, from 9/11 to, um, the executive order that President Bush put together, followed by the executive order from, um, um, um, from President Obama, followed by implementation in, you know, of 800-171 for DFARS 7012, and then CMMC under Trump, and then, you know, the finalization of 32 CFR underneath Biden. And now we've got, you know, the, the FAR CUI rule, and all of that's gonna happen under the second Trump administration.

If you look at the long arc, the things are moving in the di in the right direction. Okay? But you've gotta pay attention to the long arc of, of progress. And you can't look at the individual blips. It's just like looking at the stock market, right? You know, you have days it goes up and it goes down. We make progress forward. We, we, we move backwards in certain areas. But the long arc of it is that the market grows.

I think it's the same way around cybersecurity in, you know, both in the federal government, but also within, um, the larger commercial ecosystem. My concern is that we're not gonna get there fast enough. We're doing the right things and we're going in the right direction long term, but we're, it's gonna take too long.

And the first thing that's gonna happen, you know, when, when China decides that they're going to take Taiwan, the first thing that's gonna happen is not going to be missiles headed from China to Taiwan. The first thing that's gonna happen is they're gonna take out the electrical infrastructure in the United States. They're gonna take out the water systems in the United States.

They're gonna take out the internet infrastructure in the United States to shut down our ability to respond to their coming kinetic war in Taiwan. That's what's going to happen. First, they're going to shut down our ability to respond. They're gonna, you know, uh, distract us with things in local, you know, domestic issues. And then they're going to take their, make their move on Taiwan. That is exactly what's going to happen. When is it gonna happen? We don't know.

But my concern is that we're not gonna get our overall critical infrastructure secured fast enough to be able to protect against that. Yeah. Because that's not gonna take 10 years or probably even five. No, no, it's not, I mean, you know, it would not surprise me to see it within this administration. Agree. Yeah. You know? Alright, Go, go. I would say like, you know, DHS was created as a result of the 9/11 Commission. Mm-hmm. Right?

And that's why you have a singular agency that has, um, authority of all overall critical infrastructure. I will say I was there when, um, NIST was charged with creating a uni one framework, one cybersecurity framework for all, all organizations like that wanna do business with the federal government, right. All critical infrastructure. Mm-hmm.

And, um, I don't know if anyone has ever worked in a standards body or if anyone sees whenever something that, that's like a regulatory, um, framework or a regulation that's coming down. I'm sure Scott, you know, it's like, it's serious politics. You've got every sector in there fighting because they're unique. And so we've kind of created this mess ourselves where, um, energy will come in and say, oh no, you can't write that regulation that way. 'cause we're special.

You'll have, you know, um, water come in, you'll have, um, you know, uh, IT sector come in. Every major sector comes in to try to get something like the NIST CSF, you know, to be at a high level. Why is the NIST CSF the way it is today? It was written that way on purpose because all the critical infrastructure came in. They were like, oh, no, you can't, you can't write something specific because you never considered this. You never considered this. Right.

And so, you know, for as much as we, we complain 'cause we're in the IT sector kind of supporting everybody, right? But we did kind of create this mess ourselves where the different sectors come in and fight for their own thing, and they all, they all say we're special, right? So I mean, that's part of it. It's not all of it, but that's part of it. Yeah.

I mean, that's, it's that way anytime you're talking about a, you know, any kind of service industry, um, every customer comes in and says that they're special. Are they special? Are they really special? They think they're special, right? But they're, this is right, this is our argument with the controls. Yeah. Something small. Like there's a co there's commonality across all the different frameworks, which is why we map to them. Yeah. Right? Yeah.

And so you should have like a baseline and then if you wanna be special, be special, there's like appendix A for you, appendix B for someone else, and so on and so forth. Yeah, that's absolutely right. I mean, and that's what NIST 800-171 was built at, right? It was, it's a, it's a baseline control set. Um, that doesn't mean that you can't go above and beyond it, but it's a baseline control set.

And DOD has decided that they're going to take specific pieces of NIST 800-172, um, to enhance the framework for, you know, the higher level three of CMMC. Right? Um, so each agency could go above and beyond. Uh, but we need to standardize on a single baseline. Yep. Gosh. Yeah. So I know we're coming down the last few minutes here. Gary, I'm gonna ask you to, I got one, you know, question to you. Um, and then, you know, we'll close it on out.

But, uh, your thoughts on MSP messaging, you know, from a go to market sales conversation, um, you know, how would you recommend, you know, I know how much you wanna start getting back in and starting your third MSP and you know, but no, if you were, you know, you have a lot of peer, you know, peer members, like what the ones that are ha are dealing with critical infrastructure, what guidance might you say share here knowing these changes?

Look, I, I, I don't know, other than I think they've been, we've been trying to get people right on the, on the right track with what we talk about here and what standards they need to adhere to. So I don't think they can change their strategy based on, you know, what an administration's done. And at least until we see how it settles out. Mm-hmm. And I think we're a ways away of it.

And so I think they need to, you know, stay their course with what we know to be true in terms of protecting their customers. And those that deal, I mean, Scott can say those who are de dealing in, in, uh, DIB, they're gonna just have to be more, a lot more watchful. So to make sure that there's nothing that's gonna impact their business, you know, whether it's overall or on a state by state basis, um, that they're gonna need to adapt to. So they're gonna have to be much more vigilant. Yeah.

Scott, any closing comments on your side? Thanks, by the way, for coming. It's always awesome having you. It's great to see you, Scott. Yeah, Yeah. Good to see you guys as well. And thank you for the invite, Andrew. I mean, you know, I would just encourage everybody to go read that article, um, that was po that, that I commented on that kind of started this, um, this whole thing. Um, but Michael McLaughlin is definitely a thought leader in this space. Um, he, he knows the players.

Um, he's having really good conversations internal to the administration, um, right now. And I, and I feel very comfortable having him, you know, having those conversations within the agencies. Um, so, you know, read that article, it is, uh, it's got a lot of really good ideas in it. Um, and I think again, over, over time, um, the long arc, if you will, of, of cybersecurity within, um, you know, within our ecosystem is moving in the right direction.

There are always gonna be ups and downs and we just have to stay the course and continue doing everything you can do, can do to continue to secure your MSP to secure your, uh, purview of influence. Um, and then if we all do that at the end of the day, we will, uh, we will be stronger tomorrow than we are today. Way to, great way to sum it up, Scott. Awesome. Thanks a million. Uh, everyone have a great week. Phyllis, thank you for coming on, Scott.

Look forward to having you back again very soon. Ya have a great day, everybody. Have a fantastic week. Take care. Thank you. Take Care.
