Right of Boom
March 31, 2025

SignalGate and MSPs: the CMMC Level 2 C3PAO-Certified Journey

The recent “SignalGate” incident, in which sensitive military planning details were exposed after a journalist was inadvertently added to a Signal group chat, should serve as a wake-up call for Managed Service Providers (MSPs). The breach was not a single failure; it exposed systemic issues that every MSP should pay attention to. In a recent episode of The CyberCall, Andy Sauer, CEO of CMMC-certified MSP Sentinel Blue, and Joy, who leads the compliance team at Summit Seven, broke down the implications of the incident and what MSPs can learn from it.

One of the key failures in the SignalGate breach was access control. An unauthorized person was accidentally added to a sensitive chat, which highlights the need for strict access policies, regular membership reviews, and a verification process that checks who a participant actually is (the identity behind the account) rather than the display name the app shows, since a name alone is easy to mistake on a mobile device. Another major vulnerability was the use of personal mobile devices for sensitive communication. As Andy pointed out, personal devices are often the weakest link: a compromised, unmanaged phone exposes everything on it regardless of the messaging app's end-to-end encryption, which makes mobile device management (MDM) and bring-your-own-device (BYOD) policies essential. The experts also stressed situational awareness: knowing exactly who is in a conversation before you send, whether in a chat app or a CC'd email chain. Finally, the incident reinforced that the choice of communication platform matters. Encryption in transit does not make a consumer app an appropriate channel for controlled information; that belongs in a purpose-built, access-controlled environment such as a CUI enclave.
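As an added example (not code from the page, the episode, or either company), the membership review below implements the check the speakers describe: it compares who is actually in a group against an authorization list keyed on a stable identifier rather than on display name, so that a lookalike name attached to the wrong identity is flagged. The names and phone-number-style identifiers are constructed for illustration; in a real deployment the identifier would be whatever stable identity your chat platform exposes for each member.

```python
"""Membership review for a sensitive group chat.

Added example, not code from the page or the episode. Identifiers and names
below are constructed for illustration; in practice the identifier would be
the phone number, UPN or object ID your chat platform exposes per member.
"""
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class Member:
    display_name: str  # what the chat UI shows
    identifier: str    # stable identity behind the account (assumed: E.164 phone number)


@dataclass(frozen=True)
class Finding:
    kind: str          # "unauthorized", "lookalike" or "missing"
    display_name: str
    identifier: str
    note: str


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    'Jordan Lee', 'jordan  lee' and 'Jordan Leé' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(base.casefold().split())


def review_membership(members, authorized):
    """Compare actual group membership against an authorization list.

    `authorized` maps stable identifier -> display name for everyone who is
    supposed to be in the group. Every decision is keyed on the identifier;
    the display name is used only to detect the SignalGate pattern, where the
    name looks right but the identity behind it is wrong.
    """
    findings = []
    name_to_ident = {normalize_name(n): ident for ident, n in authorized.items()}
    present = set()
    for m in members:
        present.add(m.identifier)
        if m.identifier in authorized:
            continue
        expected = name_to_ident.get(normalize_name(m.display_name))
        if expected is not None:
            findings.append(Finding(
                "lookalike", m.display_name, m.identifier,
                f"display name matches authorized member {expected}, identifier does not"))
        else:
            findings.append(Finding(
                "unauthorized", m.display_name, m.identifier,
                "identifier is not on the authorization list"))
    for ident, name in authorized.items():
        if ident not in present:
            findings.append(Finding("missing", name, ident, "authorized but not in the group"))
    return findings


def is_safe_to_send(findings):
    """Pre-send gate: block if anyone unauthorized or lookalike is present.
    A missing authorized member is reported but does not block sending."""
    return not any(f.kind in ("unauthorized", "lookalike") for f in findings)


# Constructed sample data (fictional names and numbers).
AUTHORIZED = {
    "+15550100": "Alice Principal",
    "+15550101": "Bob Deputy",
    "+15550103": "Jordan Lee",
}

GROUP = [
    Member("Alice Principal", "+15550100"),
    Member("Bob Deputy", "+15550101"),
    Member("Jordan Lee", "+15550199"),  # right name, wrong person
    Member("Mallory", "+15550177"),     # nobody authorized this account
]

if __name__ == "__main__":
    results = review_membership(GROUP, AUTHORIZED)
    for f in results:
        print(f"{f.kind:12} {f.display_name:16} {f.identifier}  {f.note}")
    print("safe to send:", is_safe_to_send(results))
```

Run against the sample group, the review reports the lookalike "Jordan Lee" (+15550199), the unauthorized "Mallory", and the real, authorized Jordan Lee as missing, and the pre-send gate refuses. In an MSP environment the roster would be pulled from the platform's admin API on a schedule (the periodic account validation Andy describes) and the same gate run before anything sensitive is posted; the point is that the decision never rests on the display name, which is the only thing a phone screen showed the person who added the wrong contact.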

The conversation also touched on CMMC (Cybersecurity Maturity Model Certification), which presents both a challenge and an opportunity for MSPs looking to serve the defense sector. According to Andy, CMMC isn't just a checklist: it requires a deep understanding of frameworks like NIST SP 800-171 and the regulations around Controlled Unclassified Information (CUI). MSPs need more than technical knowledge; they must build strong processes, invest in the right tools, and make strategic business decisions, including specialization, pricing, and client selection. CMMC readiness requires significant financial and operational commitment, but it can also differentiate an MSP in a crowded market.

Across the board, the speakers emphasized that proper documentation, careful client evaluation, and clearly communicating the value of your services are essential best practices. The SignalGate breach and the ongoing CMMC journey both illustrate that cybersecurity isn’t a box to check—it’s a long-term investment. MSPs that take these lessons seriously can not only protect their clients more effectively but also strengthen their own businesses for the future.

Guests

Andrew Morgan

Video Transcript

All right. Welcome. Welcome everybody. And, uh, Gar, as you say, it wouldn't be a week without controversy. Is that, is that a is, am I paraphrasing you correctly? Yeah, we're a day Or every a day. Yes, not all right. Um, and welcome everyone. Let me just, uh, check with chat. Uh, uh, bear with me folks. Chat. You're seeing us. You hear us? Yeah. Yeah. That's what I'm just checking here, Andy.

So, um, and what's interesting, Andy, 'cause I know you've been on in the past when we used to have, um, Crowdcast and everybody, all the, everybody could, um, chat. Unfortunately with the Restream, it's, it's only me, but unless if you go to out, to, um, out to, uh, YouTube yourself. Um, but we're working on, we're working on a solution actually, to change that up.

Um, good to see everybody where we'll have it on the right of boom site and then bring in ideally some, some type of chat mechanism. So everybody, everybody in chat. So, um, well, good. Well welcome everybody as you are all settling in here. Um, good to see all Ed, uh, Todd, Chris, welcome everybody. Um, so this is an interesting one in the hat. Um, if you were with us last week, um, we had Scott Edwards, uh, the CEO of Summit seven on, and it, it was, it was awesome.

We, you know, we was, we were talking about this article on, uh, uh, CISA being reshaped under the Trump administration. Um, Andy and I had been going back and forth, um, for the past few months, been really patient for, for this, Andy. Thanks is, you know, we have Right of Boom, but, um, you know, you've done some fabulous work getting, you know, a truly audited C3PAO, um, Level 2 certification.

So I really wanted, you know, to congratulate you on that, bring you on, and, and have people understand what that process looks like. And Yeah, just in time for deregulation. Congrats, man. Yeah, thank you. I appreciate that. We'll, we'll see, we'll see, uh, if the wisdom pans out in the long haul, but I'm pretty confident it will, but I'm sure we'll get into that. Yeah.

Um, and then, um, as Gary, like, you know, you said that a day, uh, not even a week goes by, but, but in between those two things, I, you know, lo and behold, we have, you know, the signal incident or, or is now being dubbed Signal Gate. Um, so I thought that, you know, it would be, we'd spend some time because I think there are some lessons learned here truly for MSPs. Um, this is, You prob maybe not everybody knows what you're talking about. I would kind of level set It. Okay.

Yeah, fair enough, Gareth. Thanks for that. Um, so over the, and I'll, and I'll, when I hand it to Gary, I'll put up some URLs for you all that, you know, in case you'd like to read about it. But basically what happened was, um, as you all know, we did some airstrikes on Yemen and the planning process and, uh, you know, the diligence, any, any types of classified things.

First of all, um, historically in the United States, um, you know, DOD or things that happen in the, um, um, you know, uh, federal government that are classified, they're documented, um, so that, you know, there are records and, you know, people can, you know, that or in the know can have that information and, and look at it.

Um, what occurred in this case was, you know, for those of you that have your handy phone, was that, uh, people in the DOD, uh, started a, and advisors to Trump started a signal chat. Um, and again, I'm paraphrasing, so don't hold me to the letter of law every fact, but basically a signal chat was started. One of the individuals added, it would be like, Hey, I'm gonna add Gary Pika, thinking it's a Gary Pika that should have been in the know.

Unfortunately, this Gary Pika person happened to be a reporter and who stayed in the chat long enough to actually, you know, see all of these classified information on the planning of the attacks, um, before he recused himself out of the chat. Um, and then later on, obviously, you know, basically went and did a, for lack of a better word, exposé and, and reported on what had occurred. So is that is pretty good Gar summation of it. Yeah.

And for those who don't know, Signal is a, uh, it is a chat, uh, encrypted chat application. Yeah, exactly. I mean, commercial, It's commercial. Yep. Application. It's not a, it's not a government application. It's a commercially used. You could use it. Fair, fair enough. Yes. Thanks for setting the stage on that, Gary. Gary, I'm bringing that to everybody's attention.

So, so with that, Gary, um, let me introduce Andy first and, and, and, uh, certainly Joy Bob, you're a regular, you're always welcome. But, um, but, uh, Andy, uh, thanks for for joining us. It's been a while since having you on here, but welcome back and again, congrats to you. Tell us a little about yourself and Yeah, well, always a pleasure to jump back on the cyber call. Uh, Andy Sauer. I'm the CEO of Sentinel Blue.

Uh, and I, I'll talk a bit about Sentinel Blue in a sec, but, uh, my MSP roots go back 15 years now. I started out as a help desk technician, and I spent a decade, uh, more just about a decade in, uh, in a growing MSP. Uh, so I was the first employee at said MSP and always stayed in sort of the technical realm. Uh, and I left to take a stint somewhere else with a lower pace. And that other place happened to be a defense contractor.

And this was back in 2017, which was right around the time this little thing DFARS 7012 was making waves, and NIST 800-171. Uh, so I spent a couple years at that defense contractor focusing on, uh, NIST compliance, which is now what has turned into CMMC. And so I left that role and, uh, decided, hey, I built a skillset building NIST 800-171 compliance.

I had the skillset from being an MSP, and I had a network that sort of organically formed of people trying to figure out how are we all gonna do this? Uh, there was enough there to combine all that together, and that was the genesis of Sentinel Blue. It was marrying up those skill sets and working, you know, that network to see what I could do, uh, to help others. Uh, so Sentinel Blue from day one has been an MSP/MSSP that services exclusively defense and federal contractors.

Uh, so that's been our mission focus from day one, which has been an absolute luxury for us in pursuing things like certification because we didn't have the mass of tech debt that companies, MSPs generally, have, that they then have to re, you know, refit and refocus to something like CMMC, let alone all the process requirements that they would have to go back and change.

So that's been my core focus, and part of why we haven't talked in some time is my head's been down, our company's head has been very much down for years working toward this, uh, this end. And hey, uh, we're one of several who have our certs under our belt. Uh, summit seven also has their cert under their belt.

There's a, a small group of MSPs who I think have really emerged as the early leaders, but it's, you know, to the audience here, I would say it's definitely not too late to throw your hat in and get, uh, get involved. Don't take our early lead as, uh, some exclusionary measure. It's, it's still wide open. And boy does the DIB need help. Yeah. And, and, and, and the demand is gonna be there. Andy and I, I just wanna say this. Absolutely. Yeah.

Andy, um, Gary, your comment on this too, Andy, to, to go, you know, you and I have known each other a long time, and to see what you've done is truly awesome. Like, when it, it shows, you know, someone that, you know, you don't typically say, oh, you're our help desk person now to become your own MSP and to get the level of, you know, certification. You, you know, you really, uh, I hats off to you, man, that that is, I appreciate that. Yeah. It's been, it's been a, it's been a rollercoaster.

The help desk tech in you never leaves. And, uh, one thing I'm finding is we're growing my desire to, to jump in and solve problems, causes more problems, and it solves, you know, these days. But, uh, that's, that's hard. DNA to, to get out. I was gonna say, I think Gary as a business owner would like to beat that help desk outta you. But, uh, Well, listen, my team finally stopped allowing me to commit code to git, so all my pull requests just get denied by default now.

So they've said, no more scripting. You're not up to standard. So, hey, it starts somewhere. Okay. Yeah. Well, I have a whole theory about where support will be and the, the, the massive changes in the next five to seven years that will hit MSPs, but that will have to be for another, uh, we could spend a day on that for sure. Yeah. Another, another call. Um, so here, here's where I wanna start. Like, Oh, Gary, can I, can I just let Joy just say a quick who she is? Apologies. Oh, I'm sorry.

Go ahead. That's okay. Just quick. That's okay. Joy, welcome. And another person who's done some amazing stuff and, you know, over the last few years, so Joy, welcome And thank you, Andrew. I'm excited to be here. It's actually my first time on the show, but I've watched many times and participated in the chat. And I'm also a big fan of Andy's and, uh, really enjoy every time that I see him present or speak, or even blog.

I laughed last week when I read some kind of a blog about him being like his staff, carrying him away from the keyboard or something, like hands off. Um, and I can relate to all that so much. You know, I had my own MSP for 21 years, and when I sold that practice back in 2018, it was so that I could create a cybersecurity fundamentals course for MSPs. And really it was the first introduction for a lot of folks like Met, met Lee, who always is, you know, like Joy's.

The reason I got into cyber, it was because I taught the NIST CSF class with continuum back in the day. And, um, those and the CIS controls, which we all love. So, uh, that was really neat, a neat experience. And when I decided to refocus on the defense industrial base, it's really because I'm very, just at the core of it, I'm mission driven and I'm very patriotic. And I was looking at what could I do to make an impact that is much broader than just the MSP industry now.

And as Andy will tell you, you know what, we do it. I mean, it is really hard to integrate all of these compliance controls into service delivery. And when you're doing it on behalf of so many, you know, it'll be tens of thousands of contractors and the defense industrial base that we support in the MSP industry. So it has to be done right.

And it's really just one of the biggest, um, honors that I've had in my career is to be where I'm at now, leading the compliance team at Summit seven, uh, for our own internal cybersecurity compliance. And having undergone hands-on with the assessors going through that audit, it's really a phenomenal thing to experience as, you know, the one who's in the hot seat, because I've been teaching the Cybersecurity bootcamp since 2021, I think, is when we first started the CCP classes.

And so, you know, four years later to turn around and not just be teaching it and doing the auditing, but in the hot seat myself has been a transformative experience, and I'm really grateful to be here. Thank you, Andrew. Yeah, thanks for the overview, joy. All right, Mr. Pika, let me let you kick it off here and we'll get into so Much. Yeah. First off, I'm watching some of the chat. I, I wanna start off by saying, um, this is a security discussion, not a political, uh, Yeah, exactly.

Discussion. Uh, it's hard with something like this not to have it, you know, kind of lop over. So we want to try to stick to it from, from that standpoint. Yeah. I can't believe that would happen in our country these days. Yeah. Well, look, I wanna talk about what MSPs can learn about this access control, but there's a number of things here, right?

The use of a personal cell phone, the use of a commercial app, even though it's encrypted, um, access control of who gets added, how it's monitored, alerted. Can you kind of take us through your thought process on that kind of multi-layered, well, what we can learn from this and what can an MSP actually take away? Yeah, so, uh, the, the first thing all this is, it's kind of funny. We happen to be in a CMMC Level 2 assessment with a client last week. 'cause this was all happening.

And so we're having the day in conversation of, with a, a company that's fairly far removed from the serious supply chain. You know, they make a part that goes on a part that goes in an assembly, that goes on a platform, that goes on a weapon system, and they're like, man, we're getting scrutinized to this minutia level.

And then the highest levels of the defense, you know, uh, architecture of our country are, you know, just blatantly flying in the face of that just made an interesting juxtaposition as a, as a starting point of, Hey, this is what's going on. Um, yeah, uh, I guess I'm still kind of processing how wild it is. Uh, just the, the, the loss of opsec, uh, and the way it was done. And there's, there's a lot we can learn in there.

Um, for me, I think a lot of security, not to get into the technical, it's just situational awareness around security and the need to maintain situational awareness.

Uh, if any one of the other 15 people in that group chat had the, uh, the situational awareness to occasionally check who were the members of that chat, uh, as I do most of the time before I send a mass email, make sure everyone that I've put in the To or CC is someone that I intended that to reach, uh, that situational awareness would've prevented that opsec, uh, breach.

Also, the situational awareness of understanding, hey, the, the information we're communicating on this platform is probably not appropriate for this platform. I know, and I see in the chat some splitting of hairs over whether it was truly classified or not. Uh, I think I saw someone say, this is the first time in my life that I've seen specifics regarding attack times and weapons platforms and whatnot.

So I guess there's a technical argument to be made that, you know, they declassified or, or determined it was not classified, but certainly sensitive and confidential and should not be open to the mistake of accidentally adding, you know, the wrong person. Um, one of the big things I also, you know, uh, think we can learn from this, uh, is that we have controlled information systems for a reason.

If you're gonna work with like the defense industry, one of the big concepts that we work with contractors on is enclaves. Some of them don't put their whole enterprise into a compliance state to handle CUI, they build an enclave, and that gives them a certain level of control to only put in the people who are gonna have access and need access to that data to be in there, the appropriate system to discuss and handle those communications.

And that data has been purposely designed to do that. Use of Signal in this way, I understand what they're trying to do, and I can kind of, you know, forgive them on some, some level of what they're trying to do there. But, uh, there's a reason why we have these classified information systems or these more confidential, secured, uh, monitored and professionally managed environments because no one would've been able to add a journalist to one of those environments.

Uh, had somebody, you know, requested they be added. Hmm. Outside of that, uh, the only other thought I had there was just least privilege necessary is always the name of the game. It's just a good reminder, like keep your situational awareness for sure, but also constantly be revisiting who has access. Should they have access? Is this relevant to them? Uh, we occasionally go through as join us.

We occasionally have to go through in a procedure to validate all the user accounts and all the authorized users who have access to our environment to catch that old stuff that sort of lingers and make sure, does that make sense? So this person in this role has access to this Microsoft team. They're not involved in that, remove them. Yeah. Gary, it's, it's, uh, it's interesting. It's like I was thinking, I, I see Chris Laer out there, Andy and I, I really like the point you brought up.

It's like Chris will talk about RMM, right? And that, you know, being on a flat network, you know, the equivalent of an enclave, like does marketing, the marketing team need to be on the same network and or non-segmented area as an RMM as an example, right? It's that same kind of concept of le you know, least privilege needs to have access to these things, right? Yeah.

I I was thinking about if anybody might, everyone might not go back this far of Get Smart, but we gotta go back to the cone of silence, like two hair dryers came down. Yes, yes, yes. Fishbowls. Yeah. Which is basically what they use in government normally is you, you are in the building in, in, in, in a specific room. It's basically a cone of silence. Yeah. It's a SCIF, Right. You know, it's Normally used. Yeah. So, um, so look, the, the Pentagon had kind of warned against these things.

So what do you think happens to have this get to like, the highest level that it could get to, right? The Secretary of Defense? Like how many, like if you were, if it wasn't the government, if this was just a big organization that you were talking to, how would you try to go down to figure out, like how does it get to this point?

Yeah, so, uh, obviously this is a politically charged topic, but, uh, in general, I, I don't attribute to malice what can be attributed to what we'll call incompetence. And I'm not making a statement about the administration saying maybe they were well-intentioned to start. There's certainly a political angle that I've, of, I know I've seen and heard a lot like, Hey, this is a purposeful way of getting around FOIA requests and whatnot.

We table that for the moment and assume they have good intention, and that good intention may just be they wanna way to communicate amongst what would otherwise be a very onerous group of people to try to regularly communicate with. So, like I said, I can kind of almost forgive the intent of having a high contact low threshold to communication option for the most high level national security advisors in the administration.

I understand how awesome it is to be able to send a quick text and say, Hey, everyone in the national security apparatus, we're launching attacks at this time, so you know what to do. Uh, you know, in response, I understand what they're going for. So I, I can see it in that light of, you know, as, as, uh, as amateurish as it may seem or be in truth, the loss of opsec.

Okay, maybe it's well intentioned, um, but it, it, someone somewhere had to tell these folks at some point, this was not an appropriate avenue. And I think they're just probably pushing the bubble a little bit too far. It might've started fairly innocuous of, Hey, just a, a bit of, you know, I'll be here at this time, will you be there?

That kind of coordination and, you know, grew into, Hey, this is how we're gonna communicate what time we're launch Thing in every organization, large and small, right? Yeah.

And, and I like how you tie that in Gary, because really, um, number one, whether it's the government or it's a enterprise organization, trying to secure voice, quick chats, quick text, those kinds of communications in my mind is one of the hardest things because there is that borderline of, it's not marked CUI or classified. We're actually talking like in fast discourse about something real time.

And so that's always going to be one of those things that among the highest level stakeholders is hard to control. And then you have on top of that, like, let's go back for a minute to the Hillary days, who, who was in charge of telling Hillary Clinton? You're not allowed to have an email server at your home that's processing government information, and how was that greeted by somebody that had the power and the control?

And so whether it's a, uh, private organization, a commercial organization, the government, um, we all have to be mindful that there's only so much you can force as if you're the IT person or the security person, uh, upon the people that are in charge. And, um, even if it is supposed to be regulated or, um, you know, follow it or any kind of compliance or classification, it's a really difficult thing to navigate. Joy.

Um, you, you also bring up a good point about the, you know, these types of communication platforms which are becoming, you know, first of all, like I talk about John Strand, like his number one, one of their nu top ways in which they'll compromise an environment today is standing up teams infrastructure and posing as, you know, somebody, you know, that's related some way, shape or form to the organization.

And so, to your point, you know, these are control, you know, areas that companies do, whether they're big enterprises, government or or SMB, really need to be mindful of what's happening in these types of platforms. Mm-hmm. And, and from a mobile device, in my mind it's the hardest because you'll see a name, but even just like for emails, I'll see Andrew Morgan, and it doesn't say Andrew's exact email address and his company name unless I hit reply and do, you know, expand it.

And so the mobile devices always makes it that much harder to identify who's on what. And I'm not removing responsibility or advocating responsibility for it at all. I'm just saying it's one of the harder forms of communication to secure. Yeah. So that kind of leads to the next question, like, at the highest level of security government or private industry, should we be using personal cell phones? Like Andy, I would ask you that. Yeah. Is it because all of those can be compromised right?

By foreign adversaries in theory? Yeah, absolutely. Um, I mean, I think of Pegasus, so think of Pegasus malware. Am I giving feedback? Do you hear feedback? All of a sudden There was like a blender going all of a sudden. Are you doing your NutriBullet right now? Might be lunchtime, uh, I'll, I'll check on that in a sec. But, uh, certainly Pegasus malware or spyware that, uh, we know that's commercially available to nation state actors that's available.

And there was a zero click exploit with which they could basically root an iOS device, right? And if you have root iOS access, uh, even signal, which is encrypted at rest, uh, there are ways to get keys out of the iOS key chain for a sophisticated actor. So having things on, you know, uncontrolled personal devices, uh, yeah, it's absolutely a vulnerability. It's a attack surface that is unnecessary. 'cause there are ways to eliminate it.

And, and, you know, Gary, it's a great question about, you know, because this is something Eric, uh, Woodard did a, I think a fantastic job when he works with companies on BYOD, you know, and, and who owns what. It's like, you know, the whole, uh, shared responsibility matrix, right? He's like, you, you're not gonna let me, you're not gonna let me secure your mobile devices yet. You also want me to be responsible. If one of those is used to compromise your environment, that's Yeah.

When everything you have on your desktop is now on your mobile phone, right? Everything, right? Yeah. Yeah. So I think that's a really good, you know, lesson. And for those of you that, you know, have ever heard Eric talk about this, it's, it's really well done how he carves these controls out, um, in, and he uses IG1 and CIS to do so, so go. Please continue there. So last question I had was like, how can organizations have stricter policies to prevent unauthorized disclosures?

Um, you mentioned one which is enclaves, but what are some other, like, basic stuff for the average MSP who's working with, um, you know, SMBs? Yeah. Uh, one of the thoughts I have in talking about all this is just a reminder. Um, we do all this like talk about nation state preparation, you know, and, and all the protections we need in place. And like this, this is your real threat across your client base for most MSPs. Once you eliminate the RDP, that's internet facing.

And the non MFA, like your real risk is this sort of stuff. And it's, it's insider risk that is I, you know, malicious or not. And in this case, I think, you know, uh, the person who invited the journalist in seems to indicate that was all inadvertent and accidental. But that's kind of the real risk is the user's misuse of the technology. Yeah. That's the worst part of it. I would, I would rather, yeah. I'm with And How do you, how do you control for that?

I mean, yeah, MSPs, uh, I could wax about this, but we're, we're fighting a hard fight to begin with being information security professionals. Um, we're fighting it on hard mode because our relationship with the people we're trying to secure is transactional. And there's a, there's an exchange of money with which, you know, people wanna minimize how much they're paying you. So it's already like making a hard thing happen on hard mode.

Uh, so it's all very difficult and, and good luck going to any company and telling their highest level people, uh, hey, you guys really can't iMessage each other or signal each other about, uh, our most proprietary insecure stuff. They're gonna tell you, like, go back to the closet IT people. Um, so that's tough.

A lot of that comes down to communication and, you know, the discussions that you have in trying to get buy-in from the highest level across your client base, that these are serious conversations and serious capabilities that are not silos of it. Your whole businesses now operate on it. This is a core discipline that your business needs to, you know, invest time, resources, and executive understanding too, the same as your finances, the same as, yeah, how you're building your talent pool.

This has to be core to that. So an average American is looking at this and they're either thinking, wow, that's bad. Or they're thinking everybody makes mistakes. As IT folks, security folks we're looking at it and saying, how could this possibly happen? Like, how many failures does there have to be in protocols in training? And what could lie under that at levels down? Sure.

Like if this happened to the CEO of a company that had a thousand employees that we support it, like what would you be thinking? Like, that's how I think about this, Gary. Yeah. Well you, you mentioned training and, and part of this I think is, um, one, it's a showcase of technical illiteracy, but it's kind of one that we've foisted on ourselves as community a bit. So we've been pushing encryption, great. We need to push encryption.

Um, but I think that's allowed the non-technical folks to assume, Hey, I'm using something. It's encrypted so it's safe. Well, if that were the, the case, the whole internet would be safe. 'cause everything's TLS encrypted these days. Um, but we need to teach people about access control. We need to teach people about, again, go back to that situational awareness.

It's, I think training as a broad topic of information security, uh, is one of our, uh, I think we have one of the least sophisticated approaches. Um, I think it gets the least amount of attention, and I think it's across the board poorly done and doesn't affect outcomes beyond training people to recognize like base level phishing and giving them a button to click.

But at, do we, do we assume these people have received some sort of informed training and briefing, uh, that really detailed, uh, things like access control and evaluating who they're talking to about what? I'm gonna guess No, at this point, that's the guess. Well, I dunno, I mean, let's be mindful the guy thought he was adding in a valid person into the, the chat, right? He, he grabbed the wrong person from to add him in. Yeah. I mean, I don't, I don't wanna attribute malice to it.

I don't, I don't know exactly. I don't think it's malice what the, what the sequence there was. But I don't think It's malice. I, I think it was just user error. Right. But who, who hasn't? I've, listen, I've tried to send, I don't have errors at that level. That's the whole point. There has to be checks and balance. Listen, my daughter works for a law firm. She has two laptops and she has two phones. Okay. That laptop and that phone is completely locked down. And does she like it? No.

'cause when she is working, she has to always carry two phones and it's a big expense to the law firm and I'm, but it sounds like the law firm has higher security than, you know, government. But You bring up a really good point, Gary. 'cause I, I was just gonna say, well, what about a law firm, right? That might be working a high IP case, you know, or, or working on a large transaction that these are companies we as MSPs could be supporting, right?

Or, uh, you know, some type of, uh, M&A deal, right? That could be going on. And what if, you know, those types of things that we think, you know, oh, well, it's just an SMB, but, but there are big ramifications to to those types of things. Yeah. Insider trading, security secrets stolen, corporate espionage. It's exactly the same as this. Right, right, right, right. To me.

And, but I, I feel like our government should have a higher level of standards with all this than my daughter's law firm. Well, would, I'd love to, for Chris Laer to comment as we go to you, Bob, I'd love Chris to share like what would happen, you know, in a, you know, in a, when he's doing IR, all of a sudden the, you know, the breach attorney's using this with the, the defer organization and, and something were to happen from a forensics perspective that now is discoverable.

Like I, I, I think there's, there are ramifications and, and, you know, carry over to what we in our world do. So, so anyway, Mr. Uh, Miller over to you. Yeah, I was so glad that Gary had that section of the, of the discussion today because it's, I knew it was gonna be difficult, but I, I wanna add just one thing. Alright. Being an MSP, we have health healthcare customers, right? And we're in communications with them working on problems all the time.

And if we were, which involved HIPAA compliance and other things of that nature, right? And if we were to inadvertently add somebody on our side, even by accident, whoopsy would not be the thing that we would need to be, that would not be our out whoopsy would not be our out at that point, right? We would have to actually report that up and it go to the regulatory third. It's because we will have violated regulations. So the thing is, it's just a common sense thing, right?

I mean, we, and I, I think a lot is being made to try and change the narrative, but the bottom line is if we did something like that, we'd be held responsible. I mean, that's, that's just how it works. It's not optional for us. So, but getting away from that subject as fast as we can and is some In the minefield, is it? Yeah. Yeah. It's, yeah. Yeah.

Nobody's happy no matter where they're, Well, can we be honest, like putting, it's because right now, uh, we are, even with this, this is a good idea of saying how people value ideology over facts today, right? And so what, Bob, you're saying this is less about ideology, whether you are a Republican or Democrat independent, left, right, whatever. If you look at this in a vacuum, the factual parts of it is what you're saying.

I I'm just saying if I was, I'm, I am held to a different standard than, than it that I perceive as being held in this case on lesser things. It's the same thing you're saying when you say law firms got different rules apparently than you know, other people. So I mean, look, it is what it is and everybody's gonna have their own opinion about it and their own position On it. Could I soup box to close this, this out 'cause Oh Yeah, please do. So we can get out of it. Yeah.

It serves A narrative that I, I do try to, to remind people of. Uh, when you have interaction with people who are part of the institutions, uh, you will generally find that they are very human. Uh, and institutions are very easy to, uh, you know, illustrate as these massive monoliths. You, you get the Jason born kind of idea of what the CIA is, where it's, you know, the big command center and they can zoom in with a satellite to see your face and all that.

At the end of the day, these institutions are serviced by people at the highest levels and they, they make human errors at this level. Uh, so I think it serves to inform that narrative. Like don't, there's a lot of conspiratorial sort of thought around institutions. There's a lot of institutional skepticism of American institutions in particular these days.

Just be reminded that the people with the most power in the American government, the, the most powerful government on the face of the earth, made this level of a mistake. Yeah. Just keep that in mind. Yeah. Hundred percent well said Andy. Yes, a hundred percent. Alright, Andy, let's talk about something. It won't get us all killed, right? So you just, you just managed to get through your, you know, you, you guys accomplished something very important, right?

Which is your C3PAO, and also, obviously, you had to have your CMMC Level 2. Yeah. So I think it's really interesting, because most people do not know the uphill battle it is in some cases to get even a CMMC Level 1 certification, much less a Level 2. And everybody kind of associates that with bureaucracy and all of the paperwork that's required to pull that off.

Could you kind of put that in context? Like, we're SOC 2 Type 2, and that takes a lot of work, you know what I mean? And CMMC Level 2 requires another load of work. So why don't you put in context what kind of load that reveals. So, I may struggle to relate with other MSPs on this at some level because, again, Sentinel Blue, we have this luxury that I knew day one what we were gonna be about, and it was gonna be about this.

And I had a background in it that serviced that. So we were able to, from day one, architect at a technical level how we were gonna build our tool set, because we understood what requirements were gonna need to be met. So we were on Microsoft 365 GCC High from day one. Like, we knew that's where we needed to be.

So a lot of the challenge that I think other MSPs have, and I know this from talking to a lot of my peers who have done it, is that pivot just from a tooling standpoint is a challenge, let alone... one of the things I think that is unique about CMMC is the level of knowledge goes much deeper than the control set. At a surface level, CMMC Level 2 has 110 requirements that are in that document.

And it references NIST SP 800-171; they're literal mirrors of each other, 110 controls. But when you dig a little deeper, you find out it's not 110 controls, it's 320 objectives that need to be met, that combined implement the 110 controls. So once you've contextualized, oh, I need to do the 110, then someone pulls that rug out from under you and says, actually, you need to do the 320.

And then if you do a little more digging, you find out, well, why is this even being stipulated? Well, it's coming from DFARS 7012, so now you gotta go read DFARS 7012, which is a defense regulation. And then you see, okay, this is just one of the requirements. The others are, we have to have incident response to tell the government within 72 hours of an incident, and if we're gonna use cloud services, they have to be FedRAMP Moderate or equivalent. Well, what does that mean?

What's equivalent? Now you gotta go read the DoD memo about it, and then there's the requirements around handling CUI, now you gotta go read the CUI stipulations and regulations. And you have to build this wealth of knowledge, which Joy and I can both tell you is a literal full-time job. In some cases it's the full-time job of a whole department at certain organizations in this space, because there's so much nuance.

And then because it's defense work, it's federal contracting work, it has its fingers in so many other things. There's export control. Now you're in the Department of State and their requirements around ITAR and export control. And it just becomes so much to wrap your head around that for a lot of small and mediums, what they've done for the last decade has been bury their heads in the sand and just say, someone will eventually come and tell me what I'm supposed to do.

'Cause I can't make sense of all this. And I think that's probably true for a lot of MSPs who have had clients ask about this over the last couple years, that probably punted and said, yeah, yeah, yeah, we've got our SOC 2 Type 2, we've done ISO. How bad can a list of controls really be? Well, it's a lot more than just a list of controls. It becomes a deep level of programming.

So when you talk about the mountain of the approach here to get there, and things like bureaucracy, yeah, it's a ton. There's a ton of knowledge work, and it's a big technical shift. And on top of all of that, it's procedural and process. You have to have process to demonstrate that these controls are in place. By the way, the vast majority of controls are not technical controls.

They're process, they're procedure, they're validating that you're managing the environment in a competent way. And hey, which IT community struggles the most with process and procedure and documentation? That's kind of the legendary status of MSPs. Like, that's been the struggle. And you have a lot of people like me who lead MSPs, who were technical outta the gate and who always struggled to document, and still do.

That's been a lot of the challenge. It's comprehensive, man. It's deep, and you have to do the work to build the knowledge, and it's not something that you're just gonna be able to inherit or knock out on a weekend project. And if you try it, you will get your clock cleaned. Yeah. It's just a tremendous amount of overhead.

I mean, I know even for SOC 2 Type 2, 80% of it was putting processes and procedures in place so that we could audit and track that we were actually following the rules and regulations that are specified in the control. So it's the same thing, like you said, it's an expansion of that same process, building on top of it.

And I would also say it's an economic decision, just like you're pointing out: if you're going to go out there to a very specific market, you gotta know what the investment's gonna require to get you in there. Yeah. That's people, time, process, right? That's how that works out of the gate.

So we're in GCC High, but then any infrastructure we host, we host in Azure Government, because we're trying to stay within this data sovereignty bubble. Out of the gate, our operational costs have a 30 to 50% higher rate than what we would otherwise pay in commercial, just for licensing and just for usage of the Azure tools that we use. Right? And we built our entire practice on Microsoft 365. Our whole SOC is built on Microsoft Sentinel.

So our overhead cost is significant just to operate, let alone everything else. Can you speak... I'm sorry to interrupt, but you're on a crucial point. If you could speak to not just where the cloud contents are and the tools, but also the outsourced people that a lot of MSPs leverage. Yeah, so we made a lot of decisions. Again, we had the luxury of making these decisions from a place of being informed, that we opted not to third-party anything.

So we knew we had to build a SOC. There are a lot of great SOC options available to the MSP market; some of the most reputable, beloved companies in the space have offerings that serve as a SOC that we had to say no to, or that even in some cases we put in place and then found out later, oh, okay, there's ties to a foreign country here, where there are personnel who service it that we weren't aware of, that we've had to now excise from our tech stack.

And you have to do this thinking, but you have to have that background of knowledge to understand, hey, if you consume this tool, they're actually servicing it with people in Canada. Yeah, that... clients have... All that sounds expensive, Andy. It's wildly expensive. Well, because you have to have US citizens... not citizens, US persons.

If you're gonna serve export-controlled clients, which a lot of defense contractors are, and if they're not yet... a million dollars a seat, they wanna be. That's a lot. But in all seriousness, Jerry, if that's gonna be your advice to how we price it...

Listen, I know you're well educated to follow it, Gary, but we hear about all the process he went through, and if you were advising him, or somebody that goes through this, and you hear about these significant increases, how do you go about your modeling, again, knowing, hey, I can't outsource, I've gotta build a SOC, my licensing cost is gonna go from here up 35%?

You've got this incredible way to look at margin. Like, how does this kind of flip things around for you? I think in general it's the same scale we have, which is understanding your costs and what your target margins are, and then, based on that price, can you show a customer value? And so I just think where Andy lives is in the far upper-right quadrant of that.

And it means that you have to market your business in a different kind of way, because the whole audience, the whole TAM, is not available to you. A much smaller section of that TAM who understand this value are there, but you're also gonna have less competition, 'cause very few people can get to where Andy's gotten his business to. So I think every MSP today needs to know where they need to live.

A smaller, more immature MSP shouldn't be wasting time, even if it's a referral, on types of companies who need a higher level of maturity than what they offer. Like, that's not a good business model. So what I tell our peer members is everyone needs to be self-aware about where they are today and market to those customers that can live with wherever their maturity is. And then, if they choose to, they can build maturity and move to different customers.

And I think it applies here. It's just that, again, it's a very targeted audience and a very small set of real competitors where Andy is. Yeah, I agree. So, Andy, I mean, you guys went through and actually got your C3PAO, right? Did you observe any changes in your organization about how they viewed security after going through the process of actually getting a C3PAO certification? How did that change their outlook?

And I don't mean just about federal clients, 'cause I would expect this has an impact across the board.

Yeah, so, prior to the C3PAO assessments of your status, there's a government-side program called DIBCAC, which you'll sometimes hear thrown around, DIBCAC High assessments, and that's the DoD's DCMA, Defense Contract Management Agency; it has a group that will come out and assess a company's compliance against, functionally, CMMC Level 2, NIST 800-171. We had been through a couple of those.

And then in January we had our first true C3PAO assessment for our certification. And we just had another one last week, which we passed. So, collectively, we've had a number of these, and we continue to learn how important it is for us to hold our ground, especially with clients who want to ask us to change the program.

And it's gotten to the point that our sales team, our marketing team, is pretty well trained on, hey, we can't deviate, and we're getting good at communicating why we can't deviate. We have a lot of prospects who say, hey, we like what you're offering, but can we do this piece of it? And we have to tell 'em, no, you can't, or you have to do it our way, because it's all interconnected.

Once you've sat on the other side of the table from an assessment team who's gonna tear you apart for a couple days, you're gonna feel really bad about the idea of losing control over the consistency of your service delivery and of your security program. So culturally, that's challenged us, especially as a growing MSP, when you wanna say yes to everything; all new business feels like good business, all revenue feels like good revenue.

It's really challenged us to stick to our guns and turn away prospects who don't get that part of it and who say, hey, we really wanna do our thing, we just kinda want you to augment. I always tell 'em, listen, I don't wanna be part of something that I don't think is highly likely to be successful, and that's not gonna be highly likely to be successful. Are you saying that not all MRR is good MRR, Gary?

I mean, you know what, I think I'm gonna make a video on a 50-year so I can finally... Oh wait, I already did. Listen, I maybe have consumed that at some point. But building up the courage... I think I have a t-shirt somewhere to say it. Yeah. Well, it's a cultural challenge. I mean, for salespeople whose money's tied to what they sell. Yeah. It's hard to get them to agree to that.

Well, and think about this. Think about you're an MSP like many MSPs who don't really have great sales and marketing, so everything's been a referral. And in the old days, every referral, if they had a pulse and a checkbook, they were a good prospect, and now they're not. You can get referrals that you're either, on one side, not really qualified to have as a customer, or on the other end, they don't fit your profile.

And so it does change the business model, that we now need to have sales, marketing and targeting as part of our skill set. Yeah, I think too that the CMMC ecosystem is a different animal in that our customers must have their assessments done. It's a very small percentage now that will be able to self-attest, and instead they are going to be required to have a third party come in and validate their implementation.

And the MSPs that are choosing to be certified are basically living the blood, sweat, and tears of that process themselves. But even though... I look at the seat conversation, that price-per-seat conversation that is necessitated when you have an MSP that is CMMC Level 2. And as Andy was saying, our tools are more expensive, our personnel are more expensive. We have these very mature operations compared to where the MSP industry usually is.

And when that translates into what the price tag is for the end customer, we're looking at that and saying, yeah, but look how much of this you get to inherit, because we are validated already. And that concept of inheritance is a huge thing. I mean, outsourcing your MSP or your IT services, historically we've always had that argument of, look, you can hire in-house people to do your IT for you, or for a fraction of that cost you can outsource it to us as an MSP.

Well, if you add to that the cost of very specific compliance knowledge and architecture knowledge that these contractors have to have, to be able to outsource that and also to outsource inheriting those capabilities pre-validated, if you will, there's a definite return-on-investment conversation you can have in this part. An MSSP that would choose to go after this and do it well, get their own certification, can definitely substantiate that higher cost per seat.

Does that make sense? Totally. Yeah. That at some level assumes... again, we've had a lot of luxury, there's been a lot of luck in Sentinel Blue's growth, and a lot of it has been reputational because of the network that we're tapped into, and the success we've had. We have a track record of success. This last week, if you combine the DIBCACs and CMMC certs we've supported, we're batting a hundred percent.

And as Joy pointed out, the client base here has a requirement to fulfill this. This is a no-failure-allowed situation; when they're going through their selection process to find the right partner, they want the most assured path. Also the cheapest path, but the most assured path to the outcome.

And so for us, going back to why we turn certain deals away: if we don't think they're gonna be successful, well, if we've worked so dang hard to build a reputation of assurance toward that outcome, that's not worth our time and effort to potentially lower our batting average. We're not gonna swing at that if it's very likely to miss. Hey, listen, you could bat .275 and go to the Hall of Fame. That's right. In baseball. Yeah.

See, I don't know anything about baseball, so I'll assume that's true. That's right. So I got one more question before I hand it off... unless you gamble. But Andy, my question, I think you've kind of answered it, but I thought I'd give you one more shot at it: how has having gone through this changed the way you approach a customer now? How's that discussion changed after you have completed these certifications?

And I think we've talked a little bit about it, but is there anything else that sticks out that we haven't really talked about? Yeah. Well, I'll be clear to my peers who might be in the audience here. You have serious competitors in Sentinel Blue and companies like Summit Seven who have gone off, done the work and have the certs. And you should rest assured that if we're in contest with you over a prospect, we will be flexing that.

I mean, it's a huge accomplishment of ours, and we can demonstrate the value these clients are looking for, the outcome they're looking for. And so we wear it on our sleeve, and we'll tell the prospects, listen, if you wanna work toward this and you want the most assured outcome, this is gonna be professionally delivered by a company that knows what they're doing. Here's our track record, here's the proof, the validation; we've gone off and done it ourselves.

That's how serious we are about this. I can tell you that's very moving to the client base who needs this. And so if you're an MSP and you want to approach this and offer this, again, you can't dabble in it. You have to go in, you have to be able to tell a story similar to the one that I can tell, similar to the one that Joy and Summit Seven can tell, of the expertise, the attention, the involvement, the putting ourselves forward first and bringing you along.

What I think a lot of MSPs that we regularly come in after took on was a more reactive approach, like, hey, client, why don't you tell us what to do and we'll do it. That's not working. These clients don't have a good experience with you. Then they come to companies like us and we say, hey, we'll direct it. You know what's funny?

You're talking about this and explaining it in your very specific world that you live in, and all this training, but everything you just said could apply to every single MSP at every level: that they build process, they build a certain level of maturity, they build out roles and process so that when they sit with a prospect, they can differentiate themselves from whoever they compete against. And so you had to do this to get to where you are. But this is the same thing.

We try to teach every MSP at every level of maturity, like, this is why you try to get to the next level of operational maturity. Because people always think they have a price problem, but they don't. They have a value problem. And the value problem is based on maturity, knowledge, experience, all the things that you're describing. So, Andrew, this is applicable for everyone who's listening, regardless of where they are on their journey.

This is just showing you, again, all the way out to the right-hand side of that model where Andy lives. It's given us a great view. Yeah, it made me think about, Gary, all the years I worked with you, of those conversations about belief and belief systems you talked about, right? Which were built around doing the hard work. Andy and Joy, in listening to Andy's story today, he's forced to do the hard work.

So yeah, I don't want to compete against Andy. Listen, I can feel his belief. I don't want to compete against that. Yeah, well, that's what I'm saying. You can see him in a sales process, in a deal, and his conviction, right? I know what it takes. Right. That's powerful. Yep. My point is, every MSP, wherever they are at their level, needs to feel the same way.

This is a hundred percent how you grow and how you push to the next level of operational maturity. Yeah. It takes a great level of command over the business model as well as the security model. A hundred percent. Joy, I'm gonna hand it over to you. Thank you.

Just to follow up on what Gary was saying too, though, I remember presenting at a conference a couple years ago where I was talking about the difference between an MSP and an MSSP, and when you're implementing your own framework on your own environment and with your team and going through that maturity process, I don't consider you an MSSP unless you've had a third party come in to validate how you've implemented. Because my thing is, you never know what you don't know.

And so it's really important, and I remember that it just caused massive heartburn in the audience. And people were saying, what do you mean I have to have someone else come in and validate it? Well, I do think that that's an incredible part of the maturation process. And Andy, I wanted to get your perspective on that.

Like, do you feel that with everything you know, as a C3PAO being able to do these assessments, was it for you something that was even up to that next level, that you do recommend having a third party come in and validate your own environment? Yeah, I mean, it certainly has required us to think very carefully and be more purposeful, 'cause now it's not just defending it to ourselves and our own way of thinking.

We're having to explain our architecture and how we thought about it to third parties who don't have our biases and who don't have our experience, who weren't privy to those conversations. So after our first C3PAO assessment, having been prompted by some questions we didn't anticipate, that we thankfully had answers for, we're like, oh, dang, that was a good question. Never really thought of it that way.

Having that third-party view of it has made us go back and think a little more carefully and make sure, okay, does this all truly make sense? Let's look at it from that outside perspective. And having that validation's amazing. I mean, I sleep so much better at night now that I know it's not just my team and ourselves blowing smoke at ourselves. Someone else has come in and scrutinized us and evaluated whether or not we're realistically there. Awesome.

And then, I know that you already had in mind your tech stack as you were building this out, which was a lot different from having to rip and replace like a lot of MSPs will have to do. But was there some part of that, in the whole preparation process, that you had underestimated? And can you give us a little bit more color as to what that looked like? I think I still underestimate the documentation and process side of things.

We've done four CMMC certs at this point. And after each one I tell the team, I'm like, dang, there's some areas of weakness. Like, we're passing, but especially around procedural and process, I'm still like, it's not there yet. It's not good enough. I want more there. Because, again, you have to go defend this and you have to show it, and it's scrutinized by people; you really want it to be foolproof.

And I have a very high standard myself personally, but when you sit across from an assessment team being scrutinized in this way, you wanna do everything to not be on the back foot. It's not comfortable. Yeah. I've done four of 'em now. My anxiety definitely picks up the weekend before they start, 'cause you're having people come in and evaluate whether everything you've been building for years is in place

the way that you say it's in place. That's nerve-wracking, especially for someone like me who, as I mentioned, is a bit of a control freak, technical by trade, still got the help desk in me. I've had to let a lot of trust happen. And having other people come in and make sure that your team is operating the way that you've designed, it's scary. And as you know, you can't take your foot off the gas.

The continuous monitoring aspect is just something that is brutal if you're not used to being well organized and executing regularly. And Andrew, I hope that you'll forgive me. I wanna point out that Andy is one of about a dozen MSPs now that we have on a listing, a formal validated external service provider, or ESP, marketplace. If you go to mspcollective.org, you'll see the MSPs that have already undergone their CMMC Level 2.

We were thrilled; Andy's team, I think, was one of the first or second that we added in there. And it was kind of funny how the reset happened on when we could announce, because of the certificates. But you'll see the list of the dedicated MSPs that are on there for the ESP marketplace. And it's really a cool thing that the MSP Collective came together and made this directory for the contractors who are looking for an MSP that's qualified.

Yeah, you guys did a great job with the MSP Collective, starting that out. Andrew, this is great today. Yeah, thank you. Thank you. Really, really good. Andy, really good perspective on things for everyone. Yeah. Cool. I appreciate that. I'm glad it could be of use; it helps on a Monday. Joy, I think we have time for one more if you have it. But if you wanna wrap it up, that's absolutely fine too.

I'm coming up here on the top of the hour. Well, I'll just say that I feel like CMMC in particular is different from some of those other movements that we've seen across the MSP industry historically, where there are entities out there saying, we can teach you how to be a CMMC MSP in three weeks, or these promised very small lift, time and resource commitments. And that is not the case.

Like, there's so much liability involved in doing CMMC wrong if you're an MSP. You're talking about the renewal of defense contracts that are hundreds of thousands, but normally millions, of dollars for your customers. And if you are the reason they don't get that... think twice. Like, really take CMMC seriously is what I would like to say. Cool. Yeah. Alright, well, way to wrap that up, Joy.

But yeah, Gary, I think like you said, and I'll just reiterate, people should go back and listen to this, whether it's CMMC or not, how Andy's belief and what process and determination did for him in the way he approaches his clients and prospects. I think that's the major thing here. Absolutely. Yeah. And I'll speak to you all on Signal, so just let me on and see everybody. Have a great week. See you. Thanks, Andrew. Bye.
