Video: Navigating the Path to CMMC Compliance: A Buyer’s Guide | Duration: 3652s | Summary: Navigating the Path to CMMC Compliance: A Buyer’s Guide | Chapters: Welcome and Introduction (0.08s), CMMC Compliance Landscape (128.395s), Choosing Compliance Partners (719.24s), License-First Model Pitfalls (1022.81s), Vendor Evaluation Challenges (1422.15s), Audit Experience Matters (2079.455s), Operational Compliance Questions (2574.29s), Contract Red Flags (2781.48s), Success and Implementation (3104.395s), Conclusion and Gratitude (3587.2852s)
Transcript for "Navigating the Path to CMMC Compliance: A Buyer’s Guide":
It starts recording, and there we go. Welcome, everybody. I'm Eric Noonan, CEO of CyberSheath, and I'm thrilled to be here with you today. Very, very excited to do this webinar, which is Navigating the Path to CMMC Compliance: A Buyer's Guide. And part of the reason I'm excited is I get to spend time with Rich Baron, and Rich is uniquely positioned, here at CyberSheath and I think in the industry. Rich is the vice president of service delivery. And what that means in our world is Rich kinda sees the whole waterfront. Right? So he sees all of IT, everything from big mail migrations into different platforms, from help desk to change management, patch management, all of the 24/7 monitoring that goes with a fully capable incident response and security operations center. And then also, he's been toe to toe with auditors at least five times, two more underway as we speak, this year in getting five customers to full CMMC compliance just in the first six weeks of this year. So, Rich, greatly appreciated for your time today. Yeah. Thanks, Eric. Happy to be here. I think you're gonna find that Rich is gonna offer a lot of unique value that hopefully ties together what we wanna try and convey to you around some things to be aware of as you're in the market for solutions or doing this in house, which is entirely possible. So, as always, what's most important to us is that you get something out of this webinar, and that we help you further along in your journey to compliance on that path. And so the way that you can let us know if we did our job is to complete the survey at the end of the webinar. So there will be a survey. By the way, you will get slides. We will take questions. You will get a copy of this full recording. But I would ask you, please, you're taking the time, which we greatly appreciate.
So one resource you don't get any more of, please take the time to give us a survey so we know if we were useful to you, because that's the purpose of this today. So, with that, we can jump right in and just kinda start with the agenda here on the next slide. So from an agenda perspective, we're really gonna try hard to call balls and strikes here today. And what I mean by that is, look, we're obviously a vendor in the space. We're the largest managed service provider in the space. We've been doing this for thirteen years now, long before the government blessed us with the acronym CMMC, back when it was just the DFARS 7012 clause. And so we've got a massive client base, lots of experience, and, of course, we would love every one of you in the audience today to become a customer. But we're really gonna try and give you the kind of balls and strikes version of what we see in the compliance and vendor landscape today. We know them all. We've worked with them all, to one degree or another, in terms of transitioning customers over to us or just answering questions for people who decide to do it themselves or go another way. So we'll try and, again, give it very balls and strikes, and I think that's hard to get these days. You know, Steve Shirley, former director of the Defense Cyber Crime Center, now executive director of ND-ISAC. Amazing man who has, you know, an important place in this industry and kind of the DIB's ability to come along to where we are today, in terms of raising the bar for cybersecurity. And Steve jokes sometimes, if you put CMMC into your web browser, it'll explode. And I think anybody here in this audience today can attest to that. There's a lot of vendors, a lot of claims, a lot of misinformation, and we'll try and sort through some of that today. Try and give you a framework for asking the right questions. What are the questions? And not CyberSheath friendly questions. Right?
Questions around, like, how do I get to compliance? This is my situation. I'm on prem. I'm on cloud. I have this licensing. We use this widget. Whatever it is, what are the questions you need to ask that will be useful to anybody in this audience, not kind of vendor led questions, which you'll see sometimes. We'll talk a little bit about that. We'll talk about having a track record in this arena. So what is a track record? What does it mean? Does it mean the MSP, the managed service provider you're talking to, has achieved compliance? Have they achieved compliance on behalf of their customers? Is it both? Is it something else? So we'll talk about that, you know, in terms of, you think about when people come to do work on your house, maybe something like that, and the old, like, are you licensed and insured kind of thing. What does it mean to be licensed and insured in our industry, and what should you look for? And then at the end, we're gonna give you a road map to compliance, which is completely vendor agnostic, and it really is something you could use yourself to plot your journey to full compliance and then to execute, kind of step by step, getting to full compliance. And the reason we wanna end with that is because we wanna end with the idea that this is all within your grasp. Whether you choose to partner with somebody or not, we think we're gonna give you the tools today to choose the right partner. But whether you do that or you do it internally, this road map to compliance, I think, will be useful either way, and we think it'll be very important to you. So, hopefully, that'll be useful. That's what we're gonna talk about today. So let's jump to the next slide. So real quick, to the point I made earlier around the amount of information, misinformation, vendors in the space, vendors coming into the space, I always think it's important to know who you're talking to in this space.
And so, obviously, we are CyberSheath. We've been here for thirteen years now. US based, with US based staff. We do everything internal. We don't outsource anything. And our approach to the problem has always been to solve the whole problem. So, originally, that was DFARS 7012, as I said earlier. DFARS 7012 requires the implementation of NIST 800-171. That implementation is now audited by independent third parties, which is CMMC. And so three different names, but really the same thing depending, you know, on your perspective. So we focus entirely on that, and we solve the whole problem. One of the things that we recognize, and one of the reasons we're doing this webinar, is the fact that there's no such thing as partial compliance. So it's great if you have an amazing 24/7 SOC and you have a beautiful system security plan, but if you're not doing patch management, you don't have an asset inventory, then you're not compliant. So you really need to solve the whole problem. And for us, the whole problem is IT, security, and compliance. And so we solve the whole problem, meeting you where you are, giving you any one or all three of those puzzle pieces, to the extent you need them. And as I touched on earlier, as you talk to different folks in this space, we like to view ourselves as customer approved and audit validated. And what I mean by that is we've been through every kind of audit possible. And so audited by primes, Defense Contract Management Agency, DCMA, joint surveillance audits, now C3PAO audits, again, with five and counting in the first few weeks of this year alone, getting our customers through an audit. So we know our solution as a services provider. The service has to come first, so we know we do a great job there from our customer feedback, and then auditor feedback as well, ultimately getting our customers through the audit.
So that's why we think we have something worth sharing today. So on the next slide, we'll talk about the compliance landscape. What is CMMC? Why do you have to do it? How is it gonna be implemented? We won't spend too much time on these few slides because I think that this audience in particular is well attuned to what CMMC is, why we have it, and how it's gonna be implemented. But at 50,000 feet, nothing's changed really. So it's the same NIST 800-171, the 110 things that you have to go do. There's a sub discussion there we could get into, but I think sometimes that sub discussion about the requirements beyond the 110 is designed to confuse people, so I won't go there. What I'll say is that these are the same requirements that you had to implement ten years ago. The difference is now independent third party audit. So these slides, wherever possible, are from the DOD and the DOD Office of the CIO. And so just to, again, kinda balls and strikes, give you factual information, we'll use those slides for these next couple where we can. And so ultimately, CMMC is a requirement that all defense contractors and subcontractors have to show compliance with, at the applicable security requirements, through self assessment or independent third party assessment. Does not apply to COTS providers, so excluding COTS providers. But when we're talking about CMMC here, we're really talking about level two. So, yes, there's three levels, but everybody we talk to, and I think the industry writ large, is really tracking towards level two CMMC compliance. To my knowledge, actually, it's the only pre award cybersecurity requirement in the world. So other things like PCI DSS, HIPAA, HITECH, they're all after the fact kind of, you know, possibly under threat of fine or penalty kind of framework.
CMMC is a pre bid, pre award, need to have your ducks in a row before you're awarded the contract kind of thing, which I think is more carrot, less stick. So a little bit of good CMMC news there, I think. So the next slide. I touched on this briefly. Again, these are not our slides. This one here, again, is right from the DOD CIO. If you think about the legacy requirements, DFARS 7012 came out in about 2015. They said, hey, you, industry, have to go implement these 110 controls, and you've got until 12/31/2017. But it was really a kind of don't ask, don't tell world in the sense that there was no enforcement mechanism. So by virtue of taking the contract and receiving CUI, mostly unmarked CUI, from government, you were attesting to compliance, perhaps unwittingly, and ultimately the government realized that's not working. And really all CMMC is is the independent third party verification that you're doing what you were supposed to be doing relative to that legacy clause. Really boiled down, it's just auditing of what's always been required. That is the simplicity of CMMC. So the next slide. The two questions we get most often are how much is it gonna cost, and how long is it gonna take? The probably third question we get is when does this go into effect? And I think those steeped in the space know that the final rule was published December sixteenth of last year. And I think what's relevant in the final rule is the fact that right on page one fifty seven, it essentially says the DOD expects that you've used the time, depending on when you start counting, leading up to the final rule to get fully compliant. So whether that was 2020, when you first heard about CMMC and saw that it could be required, or it's from way back in 2015, one of those two. But either way, it's now final, and you will see it in contracts at some point.
I can't tell you exactly when it may impact you and your business, but I think the takeaway is that it's time to really start implementing these requirements. So on the next slide. So as we start to think about the right partner, you know, maybe you're doing this internally, maybe you're doing it with a partner, maybe you reached out and you asked an independent third party to do an assessment for you and score you using NIST 800-171A. Maybe you went to a webinar and you heard that you had to buy GCC High, so you ran out and contracted with a vendor to buy you some licensing. There's a lot of different kind of paths to take to compliance, and we try to put these in kind of four buckets. And so the buckets of partners out there, the flavors, are a licensing first model. And the danger of a licensing first model, where it's, hey, buy this software first and then we'll get you to full compliance, the big danger there is that you have a very high propensity to overspend and under comply. So, you know, Microsoft's a great example relative to requirements in getting from commercial to GCC or GCC High. We love Microsoft. We're a Microsoft partner, but we don't lead with licensing, and I'll talk about why here in another slide. And from a customer perspective, from a defense contractor perspective, the why is you're very likely to overspend and under comply if you're starting your journey thinking about what license to buy. Then there's partial solutions that don't equate to full compliance. And many vendors, if you just go to their website, will tell you in different words that they are not a full solution. And the challenge there is that you're left with the full requirement. So if you buy a partial solution, just do it with a sober view of the situation, understanding that you have to go do a little bit of extra work or a lot of extra work for the part of the requirements that that vendor is not solving for.
So another thing that I would say you should probably be aware of, another challenge in this space for sure, is hidden costs. Right? So the hidden costs of remediation not included. So if you bought licensing and you have a partial solution to the requirements, but you still have a lot of gaps to close relative to your POA&Ms, and I'm gonna ask Rich to chime in here in a minute, you still have a lot of gaps relative to your POA&M. That could be a big challenge for you because you still have to remediate all those gaps. And if you spent all the money on licensing and whatever partial solution you bought, now you may be out of resources to do the actual remediation, and we'll talk about that. And then marketing hype. You really wanna get to somebody who's been audited. If you're talking to a managed service provider, they should absolutely have been through their own CMMC audit, and we absolutely have been through our own CMMC audit. So we're not saying something that we're not doing, for sure. So you want proven audit experience, and then you want success where they delivered full compliance for a customer that's just like you. So, obviously, not all businesses are created equal. And so a manufacturing environment at 1,500 employees across five locations is not a 10 person enclave. And so those are two very different sets of requirements, two very different implementations, remediations, etcetera, and they're apples and oranges, frankly, at some level. So you really need to think about that. But, Rich, I'd love to just have you chime in on thinking about the remediation piece before we get to the next slide. If you look at kind of how you think about remediation relative to deploying multifactor authentication or deploying a security incident and event management system, that's hard work, and it's not necessarily a cookie cutter thing at an enclave versus on prem.
So how do you think about those kinds of challenges relative to remediation? Yeah. Definitely. And you're right. Certainly not cookie cutter. Well, it's probably consistent to operationalize these products from environment to environment. Actually implementing it is a different story. Obviously, no two companies are exactly the same, and so, therefore, they probably don't have their solution implemented exactly the same. So much like kind of firewall vendor A versus firewall vendor B, that's gonna have different takeaways for us on, like, a security or a technology side to plug in and do what we need to do from the CMMC aspect. Same with, like, oh, I use Okta for multifactor authentication versus someone else uses Duo. It sorta continues on there, but those are kind of the key differences of why the cookie cutter piece isn't always actually what it's drummed up to be. And so I think your challenge is to kind of make sure the vendor that you're talking to, again, going to that last column, has done this for a company like yours, and we're gonna unpack that a little bit. So if we jump to the next slide, let's talk about license first models and why that can often lead you to overspend and under comply. And so the thing that I would say here is, when you're talking to a potential partner or a vendor, whatever terminology you wanna use, I'd be really conscious of whether they lead with their ability to solve your problem or tell you what software they sell and what licensing they think you need. And again, go to the website. I find this very kind of instructive in getting ready for this webinar. It's one of the things I did.
And if you go to a webinar, or you go to a website, you can kinda see where the incentives are in terms of, if you go in and you see we're a certified Microsoft partner and that's kind of most of the front page of what they're doing, and then your conversations with that vendor are, here's the licensing you need to buy, what that tells you is not much about their ability to solve your problem. It tells you a lot about their business model. If they lead with selling licensing, that's probably how they're incentivized, to resell licensing. Maybe they can do all the other things, but licensing and buying licensing doesn't get you to full compliance. And so if licensing is the first step in the proposed journey to compliance with that vendor, I think you need to really double down on some due diligence and understand, well, licensing is not gonna write my system security plan. Licensing isn't gonna monitor my network. Licensing isn't gonna, in and of itself, do patch management. There's a component. I need some software to do that, but I need a human being to run the process, audit the process, collect the artifacts, etcetera. So you need to really get past the marketing and understand, are you solving my CMMC problem, or are you selling me licensing and then trying to figure out, like, the other things you can also help with for CMMC? And so when you see claims, there's a lot of marketing challenges, I think, in this space. And so one of the things you should look for, I think, is when you see claims like, we solve CMMC for the top prime contractors. Well, having come from a top prime contractor, and led IT in North America and cybersecurity globally, we had more than enough resources to do that in house. We weren't looking for third parties to come in and help us. More than likely, if they're selling licensing, they probably sold licensing to the top prime contractor, because you can only get that certain places.
Or if you see claims like over a thousand clients. We don't have a thousand clients at CyberSheath, I'll tell you right now, because we solve the whole CMMC problem. But if we were just selling licensing, sure, you can easily have over a thousand clients, especially if it's Microsoft licensing, because everybody I know has Microsoft somewhere in their infrastructure. So really, again, go to the website and just think critically, just like you would when you're buying things in your personal life. Are they solving CMMC or just reselling licenses to some population like the top defense contractors? And then I think it's ask and then verify, and we'll talk about references here in a little bit. But, Rich, I think you've seen this in different audits kind of throughout your experience. Right? And Rich, again, as a reminder, has a very unique kind of perch here because he's delivering day to day IT, security, and compliance for customers, and he's facing off the audits, actual C3PAO audits. So he knows what good looks like. He's stood toe to toe with the auditor. And so I'd love to hear from you, Rich, like, the difference between, or maybe some of the misconceptions around licensing, particularly around GCC, GCC High, or some other software solution, and then how an auditor potentially looks at that. Like, are they coming in first, the auditors, and having licensing conversations? Or what does that look like? No. Like, yeah. Your auditor's much more focused on the practice of, you know, your environment at large, of how you are getting to and then maintaining your compliance. Like, yeah, there are some key elements of, like, how does licensing play a piece, but it's kind of a, yeah, are you in GCC or GCC High? Okay. Great. That's really the main answer that they're expecting. And then once you kinda get past that, we're, again, digging in further into, like, okay, how are you protecting CUI?
How are you meeting these controls? It's certainly, you know, no one's ever gonna ask you what kind of Microsoft licensing you have. It's more so, are you in the correct cloud? Are you storing your stuff in a place to maintain that compliance in the first place? Great. So it's almost like, do you have the right equipment to go play the game? And then, okay, you got the equipment. Now we can kind of get on the field. And, you know, a little bit of a deviation maybe from the licensing, but something you said made me think about it. Like, what's a big misconception potentially that people have about achieving CMMC compliance? Yeah. I think the biggest misconception is that compliance never stops. Like, you know, even the day after you pass your C3PAO assessment and, you know, it's great, but that doesn't mean, okay, we're stopped. We're good. We can go wait for another three years until the next cycle. Like, there's many different things that can take place inside of that time. I've actually had clients of ours that have gone or been just about ready to actually go through their assessment, and they go through a change freeze because, you know, much like how compliance never sleeps, most of the time your business doesn't stop innovating either. So then, you know, those folks really, at audit plus day one, you know, in terms of that outcome, it's like, okay, great, we wanna go enable some more technologies. We need to bring more people into the fold and, you know, continue on. And then similarly, everything from your incident tabletop exercises, your annual internal assessments, the operational side of, like, 24/7/365 security monitoring, those are all things that continue to happen all the time. It's not just a one time achievement, and we don't have to do anything for the next three years. Yeah.
That's really, when you said your broader explanation, really why what you said earlier caught my attention, because these are ongoing things, and none of them are solved by swiping the credit card and buying licensing. So it's such a bigger problem to solve. You know, we wish it were all that easy, but it isn't. So on the next slide, one of the other kind of challenges that I think with vendors is partial solutions where full compliance isn't fully achieved. And so things you can look for, again, go to the website. I think the website tells a pretty telling story. And so if they lead with things like save 75% versus GCC High, well, that tells you they're selling software. It's just cheaper software. And we know licensing software doesn't solve the whole problem. So just know it may be the right solution for you, but know that you're not solving the entire CMMC problem. You're just buying cheaper licensing. Fake badging. So, you know, I was almost uncomfortable with this slide, but this is badging from an actual website, like, fake badging that implies expertise, like government approved, DFARS certified. There's no such thing as a DFARS certification. This is a logo I grabbed that was on someone's website that hopefully will be gone after this webinar. But it's just, those things don't exist. Can managed service providers get fully CMMC certified and pass an audit with the C3PAO just like it? Yes. Yes. We have. Others have. But there's not a DFARS compliance or a government approved thing that they can do. Another thing, and this relates to a partial solution, and I wanna bring Rich in here again on this, is if the vendor is screaming FedRAMP and FIPS at you. What I mean by that, again, go to the website. If they're leading with FedRAMP compliant or FIPS compliant, that should be a massive red flag for you.
And, Rich, I'll ask the question this way without going too far down the FIPS, FedRAMP rabbit hole. But I think it's a good time to talk about what FedRAMP and FIPS mean in the grand scheme of things. Like, is this a center stage issue, or how does it play into overall CMMC compliance? Yeah. So it plays in certainly when it's something that's storing, transmitting, or processing your CUI. Like, that's when you're kind of close to center stage, and that's where the importance of it is. But does every single component of your environment store, process, or transmit CUI? Usually, no. Not always. So it's just important that you, as the recipient of that, need to just stay focused on the flow of your CUI when worrying about things like FedRAMP, and not let that distract you around broader things in the environment that may not necessarily have those same demands. Yeah. So it's definitely a feature and a requirement that you have to have, but, like licensing, it's one of many things that you have to kind of all put together to be able to fully tell your story around CMMC compliance. It's not something that's center stage. And if you see it as center stage on a website, it's probably because they're selling a solution that's achieved FedRAMP status, and so they're gonna lead with that. But it doesn't solve the whole problem. Does the vendor lead with things like virtual enclave or your business requirements? Virtual enclave may be great, may be exactly what you need. We have an enclave. Many vendors have an enclave, but it's not the right solution for everybody. And so one of the things that I think is very important is your business requirements, and I'll lean again on Rich's experience here.
You know, we've taken customers from kind of five site manufacturers, 1,500 endpoints, through, you know, audits, and enclaves, very small enclaves to larger enclaves, through full audits. And those solutions, enclave versus on prem, were led by the customer's business requirements. And so, Rich, you know, from a scoping perspective and understanding the business requirements, how do you think about things like an enclave versus on prem? And can you know that answer before you kinda walk through the business requirements? Yeah. So, I mean, like, kinda just following that same kind of example of, like, your manufacturing firm. Like, that probably means you have industrial machinery, embedded systems, like, things that you just can't pick up and put into an enclave. So it's like, and you can usually figure that out fairly quickly, where it's like, hey, yeah, this probably becomes more of, like, how do we meet you where you are and solve today's problems than trying to shoehorn something that just frankly won't ever work. So yes. And then it just becomes, like, making sure that you are asking and bringing that to the attention of the folks that you're engaging with. So then there is much more clarity around, like, hey, here's kinda my current state. And then to the point where it's like, yeah, how could I ever make my Haas machine work in an enclave? Maybe can I? Like, those are critical questions that the right partner can answer for you. Yeah. And they're critical for you if you're the CIO, director of IT, whatever your role is, because ultimately you're the one who'll have to answer to the users using the environment. Another thing to look out for are claims like CUI security in fourteen days, things like that, and any kind of day timeline. First of all, you're not allowed to guarantee compliance, per the CMMC-AB code of conduct, so know that. But also that doesn't say CMMC compliance. It says CUI security compliance.
I don't know what CUI security is. I imagine if I asked 10 people I'd get at least 11 definitions. I know what CMMC compliance is. So when you see just a little spin on what's actually required, with a little bit different words, be cautious, and know that you, your business, probably needs to meet CMMC compliance, not CUI security, whatever that is. And so you gotta get past the marketing, to include words like trusted by thousands of defense contractors. Does that mean they've delivered full compliance for thousands, or are they just selling some widget that a thousand plus contractors bought? Ask and verify. And it matters because you have to address all of CMMC compliance. There's no partial compliance. You have to solve the whole problem. So vague marketing claims and a focus on less familiar terms like FedRAMP and FIPS weren't designed with your best interest in mind. They were designed with the vendor's best interest in mind, so be mindful of that. Next slide. So let's talk about hidden costs and remediation not included. And one of the things that, Rich, maybe before I even get into the slide, you've been through so many audits. I'd love to hear your perspective of, like, where auditors go and dig in and where you've had difficulty, or we've had, to fulfill the totality of a required control, which means everything's fully remediated. All the people, processes, and technologies are in place, and not just a written policy has been documented or a tool has been deployed, but you've actually remediated. I mean, I'd love an example like that just to set this slide up. Yeah. Like, a really common example, like, harmonizing people, process, and technology, could be something like your change management procedure, where it's like, okay, great, I can sell you a tool that will let you do change management tracking, and that's great. That is part of the control, where it's like you actually use a system that you're tracking it in. But then how do you do it?
And then, well, okay. Yeah. Then that becomes the, oh, we have a change review board. They meet twice a week. Oh, okay. Like, who's in the change review board? Oh, the change review board, it's made up of both IT and security stakeholders who are going through the motions of validating the technicality from IT. That's kind of the IT side of the house. And then the security side is like, hey, is this also, like, you know, are we maintaining good security posture? Is this gonna jeopardize anything tied to CMMC compliance? So it becomes that harmonization of people, process, and technology to actually get you to the finish line in controls like that. And you have to be at the finish line. That's why the remediation piece is so important, and it's important to know, like, who's deploying this? Who's documenting this? Who's maintaining it? Who's collecting the artifacts? Is that on my side of the ledger or the vendor side of the ledger? Other things to be mindful of here, and although they seem like common sense, I always think of, like, if it's what's too good to be true? Is it the price? Is it the promised timeline to compliance? Or is it both too good to be true? And if it is, it probably is too good to be true. It's, you know, the six minute abs of CMMC. You wanna be mindful of that and, like, trust your instincts. If it sounds like, how can you possibly do that for $1,400 a month when I've talked to three other partners? You know, dig in. Start to do your diligence. Be aware of vendor lock in. This was a bigger thing in the earlier days of CMMC. You know, we'd see vendors who had a cloud based enclave, but everything was licensed in their name, not yours. And it was really their infrastructure, environment, licensing, and you were more of a tenant in the sense of, like, renting an apartment.
You could use it, but you were locked into that vendor, you know, for as long as you could absorb that pain, as opposed to the pain of just creating your own infrastructure and getting your own people, processes, and technologies in place. So be mindful of who owns the licensing, who owns the technology, and, you know, who owns the environment, essentially. Are you a property manager managing the environment for me, but it's my house, or is that inverse? And then, again, get past the marketing. So when you see things like an 80% solution for all of your CMMC level two assessment objectives, well, 80% isn't all. So that's just a big, hey, let me dig in here. Let me figure out what's not covered here. Because an incomplete solution is just that, a noncompliant, incomplete solution. So you have to address the whole problem. Partial compliance doesn't exist, and you wanna pass your audit the first time. So it's, you know, it's a lot of work to get to the place where you're ready to be audited. It's a lot of work to be audited and pass, and that work involves remediating all non compliant controls fully to meet the CMMC requirements. So you wanna make sure whoever you're partnering with, you're either crystal clear that, yeah, remediation is not included, but I know what I have to do, and I know that, you know, their set of controls and my set of controls together gets me to full compliance, or remediation is on the vendor and I have a way to kind of measure and manage them through that. So on the next slide. So one of the other things that I think is super important is proven audit success of a business just like yours. And maybe, Rich, we can again kind of talk through some of the things that, you know, are super important around audit success. Obviously, you want a vendor who's been through an audit, but you've been through many audits, Rich.
And tell me what's different from the seat of an operator of being audited for a 10 person enclave versus, you know, many, many, many endpoints, you know, totally different kind of profiles relative to, even if it's the same tools, it's a different profile. Right? An enclave environment, how is that different from kind of a disparate on prem environment, and how does that matter to you when you're going through an audit as someone who's kinda going toe to toe with the auditors? Yeah. It's, you know, kind of, if we use, like, the former example of the manufacturing company, but it's like once you get into these kind of, like, you know, my environment's on prem, maybe I'm hybrid. Most folks are now. Right? If you don't have an enclave, you probably have some level of hybrid environment. And really what that means is, like, you probably don't have, like, email on prem anymore. You're using, like, an Office 365 ecosystem. So, like, in those types of environments, we are kind of changing lanes a little bit because, you know, just the ecosystem of really what's in scope of the audit is much larger, whereas, like, kind of one of the benefits of an enclave is that it's more confined into a box and, you know, that box has more flow controls. So the, you know, the auditor is looking forward to, you know, in these larger, more distributed environments, that you're, you know, there's more work to be done, and so they're coming in and validating that, like, hey. You've spent the time to make sure that you're effectively protecting and controlling these systems. You know, if you're a manufacturing company, do you have an OT network? And are you, like, properly segmenting your systems just to make sure things are safe? Whereas, like, you know, the enclave is that just everything might be under the fold, under a similar umbrella.
So it does really translate into some more time that's just spent kind of going through all of the different technologies and how that's broken out in a kind of a typical on premise slash hybrid environment versus what you'd get out of an enclave. You know, Rich, as you share that, it makes me think about the versatility of the team that has to face off to an auditor because regardless, if you're in kinda Microsoft O365, GCC, GCI, whatever it is, there's a kind of cloud engineer mind. But then if you have on prem infrastructure, that's a different kind of skill set technically, potentially. And so I'm just thinking through of the versatility required, I guess, potentially in whoever you choose as a partner from a skill set. Is that accurate? Yeah. It's certainly accurate. Right? Because, like, we might have to take an environment that, you know, they might not have network segmentation. It could be a flat network. So then it's a combination of bringing together the right, not, you know, and maybe the technology that's in place can't support the objectives of CMMC. So then it could be a combination of, like, okay. Now we have to go architect and solution around the right product and then making sure that, okay. Great. We picked the right technology, but is this gonna break your business when we implement it? Obviously, that can't happen. So then it's also thoughtfully going in and making sure that we are meeting business objectives, let alone CMMC objectives, because, you know, we really need to actually get to that finish line. Yeah. Super important points. And so kinda going back to the slide and some key things to consider, has the provider passed their own CMMC audit? If not, you probably wanna look elsewhere. Like, if you have a third party, there's lots of opinions on this, and some of it's subjective, some of it's not. You probably want somebody who's kinda licensed. Right?
Call it, in plain English, like, they've been through their own audits. You want a provider who's been audited. Have they ever passed an audit for a customer just like yours? And when I say just like yours, yes. We've talked about on prem. We've talked about hybrid. We've talked about enclave, cloud only. But a business just like yours probably means if you're an architecture and design firm, do they have another architecture and design firm they work with that they can kind of provide as a reference? If you're a manufacturer, you wanna talk to another manufacturer. You don't wanna talk to a pro services company that is doing kind of office worker things on a daily basis. That's not a good reference. Not apples to apples. So you wanna talk to somebody, a customer of theirs, with a business just like yours. It matters. It's not all created equal, and it matters. What if you've already selected your auditor? So this has happened to us many times where our customers come in, we've had the good fortune to win their business, and then they've said, hey. We're already signed up for an audit at whatever date. And so we've gotten to work with a lot of different auditors because of that, and they're not all created equal. And, Rich, you've been through many audits with many different auditors, and I'd love to highlight a little perspective around there is a level of kind of subjectivity or some threshold difference from auditor to auditor to auditor. No? Yeah. There is. I mean, frankly, you know, like, no two auditors are exactly the same. So when, and we've seen it countless times, is that you're gonna get slightly different questions, and it's really based on auditor interpretation. And then the other side of it too, no two environments are the same, so that's also gonna influence how that question might come out.
But, like, especially in scenarios where it's a process that we own top to bottom, like, you know, we actually have, I look at this as a huge benefit. We have the fortune of, like, making sure that, like, every time that we get asked the question, it's like, you know, we get through it. But then if there's the way the question was asked or how it was interpreted, how we got to the end result of meeting that control, like, that then becomes, you know, support for our entire library of documentation to make sure that, for the next auditor that we see, there's never gonna be an outcome where it's like, no. We answered this, and it's completely ironclad because, you know, we've been able to get the perspective of different folks asking different questions. And that's a combination of both what the auditor is bringing to the table and the type of environment that's being assessed. Yeah. Great segue into the words actually on the screen. Like, experience matters. I think, Rich, in a much more articulate way than the screen says, just said that. Right? It does matter. Auditing a five person enclave is way different from a multi site, multi kind of thousand person plus manufacturing environment or an architecture and design firm. Again, ask and verify. Get somebody who's got a business just like yours. As Rich said, not all audits or auditors are created equal, and yours shouldn't be the audit that your partner learns everything they need to know on. You want proven success. This isn't the place to do charity work and bring on somebody who's never done this before on your dime. And done this, like, selling licenses, great. That's easy. But done the hard work of getting someone audited just like you and can give you a reference, that's different.
So with CMMC still evolving in terms of auditor interpretations varying widely, you need a partner who can frankly stand toe to toe with an auditor, as Rich said, in terms of being able to say, this is ironclad. Here's the artifact. Here's why. And helping the auditor understand the unique implementation. Because in fairness to the auditor, the managed service provider works with you every day. The auditor is going from environment to environment to environment. So having that is super important to getting the score you deserve, and that you've earned. And so you want someone who's already been through both their own audit of their own infrastructure and a business just like yours. So on the next slide, we're gonna go through some questions, and we can jump to the next slide. We're gonna ask some questions. I don't believe this one's on the screen. I'm gonna ask Rich first, but these are just questions. We won't go through every one here. These are just some questions we wanted to give you to take away, and I think you'll see they aren't kind of vendor specific, but they are CMMC specific. And I don't think any of them are ones that you wouldn't ask a provider that you're entrusting with, you know, some portion, if not all, of your compliance. But, Rich, you know, we've talked a lot about compliance and all the things required, but post audit, even pre audit, there's a real operational nature to things. Like, we're talking about compliance and controls and audits and SSPs and POA&Ms. But talk a little bit about, in addition to doing all the compliance stuff, I think done right, the implementation of a SIEM, of a SOAR, of, you know, an incident response plan, a change management process should really just be, compliance should be a natural outcome of day to day operations. So talk to me a little bit about the operational nature of the things that feed into the audit. Yeah.
I mean, yeah, the operational nature, like, and I think because you mentioned both pre and post audit. Like, there's gonna be so many different things that are, you know, I used the example before of that, like, change review board, and now it's not just the technology, and it's not even just the people, but it's also the process. It's the harmonization of the three. There's others, you know, there's the twenty four seven monitoring, you know, on the security side. There's vulnerability management. You know, patches come out all the time. You need to address them. You have a process and a document, you have a documented process that is then like, okay. Yeah. With the criticals, we're addressing those in this much time, or highs, mediums, lows, etcetera, like, get, you know, handled by this. So those are both things that, like, pre and post audit and during the audit, like, you're providing the evidence that's in the receipts of that process to make sure that it's happening. But then, obviously, after the audit, like, you still have to continue doing those things. That's critical because that's how you maintain compliance inside of the environment. So there's certainly many different things that have to happen maturely to CMMC in order for you to make sure that, you know, nothing actually stops just because you hit a certain milestone. Yeah. Great way to frame it. Again, we won't go through every question here, but some that I think should be obvious, asking a vendor, does your solution get me to full compliance? That's a yes or no. It really is. It's not an it depends. What's not included in your solution? That should be easy to answer. How many customers have you gotten through your audit this year? I mean, it's a good question, I think, now, early days, because the folks who are going through audits today of customers just like yours have that real auditor experience.
What specific required controls does your solution implement? A provider should be able to tell you, here's what we do on a control by control basis. Who owns the solution? We talked a little bit about that. Rich just talked a little bit about ensuring ongoing compliance. So, again, we think these are useful questions for you to take away, and we hope, again, if we do our job today, is to get you a little further on your journey to full compliance. We'll keep going because I know we're coming up on fifteen minutes here, or we're at fifteen minutes or so. So on the next slide, as you go through the things to watch for as you're doing your research to get to a vendor and a potential partner, you go through the solutioning, you understand whether you need an enclave, on prem, hybrid, whatever it is, you get here, and you're at the place where you've got a contract and you're ready to do something. I think there's some red flags that you really need to watch for, and I'll ask Rich here in a minute to chime in because there's some pretty meaningful ones when it comes to, you know, throttling your ability to use the service. So if we think about incident response or breach remediation, if that's not covered in the contract, well, that's a problem. Because if you have a breach and you have an incident, how does that get remediated? Who responds to that? What is the process? Now it should be articulated in your incident response plan. But if incident response help is only available if you pay extra, that's not a contract I'd wanna enter into. If emergency support is, you know, already envisioned to be billed at two times the normal rate, whatever the normal rate is, well, those of you who've been in IT for a while know that emergency support is also known as, like, support, because, like, emergencies just happen. So it matters, because if the vendor misses a breach, you still have to pay them to fix it.
So they made a mistake, they missed the breach, now they're coming to fix what they, you know, broke, and you're gonna pay extra for it. That, to me, is crazy. And, Rich, maybe you could give us a sense of thinking about that in terms of the volume of incidents and why a clause like this, charging extra for incident response, is just unbelievably expensive and just not practical in the real world. Yeah. I mean, certainly not practical. Can you imagine having an incident response document that says if I pay, then things keep going? But when it comes to actually thinking about doing this at scale, I mean, yeah. Like, kinda rolling twelve months, we've processed about 80,000 alerts, like, and that's, like, humans looking at things. And really what that means is security never sleeps. Like, there is no, you know, we don't do it at our leisure, or, like, you know, there is no miss. There is no second chance in security. So instead, it's pick up the phone, get something done. And, frankly, as the security stakeholders, like, we wanna fix the problem. Nobody wants to, like, just be the person, oh, it looks like something's on fire. Better go figure something out. Like, no. We wanna go get the hose. We wanna put the fire out and then go tell you, hey. Fire's out, but, like, here are the next steps. Yeah. And I think, and, I mean, really, CMMC, obviously, I'm a fan. It does make you more secure. It forces you to implement certain controls. One of the ways it makes you more secure is to have incident response or remediation. And if that's not included in the contract, that's an incomplete solution that you're probably gonna regret later. Another one is vendor lock in, one-sided termination rules. So you should be able to get out of your contract for cause or for, you know, a reason. So if it says early exit fees are you pay the entire contract and we just let you out of the contract, well, it's not really an early exit.
I can kinda do that by myself. I don't need that written in the contract. So you should have some level of termination rights, particularly for poor service or cybersecurity failures. Otherwise, if they fail, you're still stuck paying them. So pay attention to the T's and C's of the contract. Surprise changes, hidden costs. I mean, this is where we spend a lot of time talking to prospective customers. They've potentially been burned before, and they don't wanna be burned again, and they wanna know what's out of scope, how do you handle emergency work, is it billed at double rates? For us, I can say no, but for many other contracts, it is billed at double rates. And, again, I think it's crazy. And, you know, for anybody, again, who's been around for a while, you know, a lot of work tends to be emergency work depending on who's asking for it. And I've seen where, if your environment that you've paid a vendor to get to full compliance and make secure doesn't meet a vendor's standards, they can pause the contract or charge extra for support. Also crazy. Like, if you're partnering with a vendor to get you to full compliance and full security, isn't it their job to do that? And so I think that in that environment where you're on the hook to meet the vendor's standards, which is just the inverse of the way it's supposed to be, buyer and seller, expect upcharges and surprises in your IT environment. Again, another thing that I think I'd be redlining in a contract. And then finally, do you as the customer bear the burden? So if you're responsible for maintaining certain configurations at your own expense, if your environment doesn't meet those configurations or your vendor's standards, if they can charge extra or refuse service, you know, where they have that option, that puts you in a really precarious spot, and you're paying for compliance help, but they're pushing all the responsibility to you.
And worse yet, if you actually have an incident, who's gonna do the work of identifying, responding, and eradicating the incident? You know, pretty big flags to watch out for. We'll press forward because I know we're coming up on time here. Proven track record for success. And so just some success. These are some of our success stories. We suggest that anybody you talk to should have similar success stories. Again, you wanna talk to somebody who's done this for a business just like yours. Rich, real quickly, because on this chart, we've listed the kind of business, the kind of environment, the solution required. But when we say on prem and cloud, why are we saying both? Isn't it one or the other? Why is it part cloud, part on prem? Yeah. The reason that it's part cloud, part on prem is that, you know, this gets into that, like, just with, it's 2025 and, like, there is gonna be some component of your business that lives in, like, a SaaS infrastructure, or software as a service. So, like, you know, again, this could be your Office 365 environment. Maybe you have some servers in the Azure cloud. That's really what that means in terms of, like, we're not really in the days anymore of, like, every single thing runs on prem. I've got a data center with servers, etcetera. Like, some of this has been off boarded to a public cloud that takes some of that demand off of internal teams. So you should look for those kind of explanations and those kind of success stories. On the next slide, and I think this is a really important slide. We had to condense it for many different reasons, but I'm gonna turn it over to Rich here. But with the frame that I want you to look at this slide and I want you to kind of take away to go put your potential partner through the paces, how do they deal with onboarding? How do they deal with implementation? Implementing and remediating the controls.
And then what's it look like when you're steady state? So, hey, vendor, potential partner, tell me the story. It should have a beginning, a middle, and an ongoing, not really an end, because compliance never ends. But, Rich, tell me why, you know, I'd love you to take it from here and tell me about some of the critical things a buyer could pay attention to to know that, oh, these guys know what they're talking about. Yeah. Like, just kinda starting on the first row here, like, you know, I think most of us can follow what's happening inside of phase one. Okay. Great. I signed the contract. You're getting to know me. We're getting to get an environment that's suitable for storing our CUI. And then what's not specifically called out in phase two, but it's a pretty critical part, and Eric mentioned this, you know, we don't lead with licensing. And part of it is we need to know, like, that discovery and use case review actually educates both sides of the table. Obviously, us as the implementers and the technical folks that are supporting your CMMC initiatives, but also sometimes it helps folks on your side of the table too. So that's when we're getting into the conversations around, like, okay. What kind of licensing are we gonna get you? What are we gonna buy? So then that way we're not, you know, overspending, under complying. So, like, a really good example here is, like, overspending on simpler staff. And what I mean by simpler, not necessarily the staff themselves, but maybe what their demands are from a licensing perspective in the environment. So, like, a really common example is, like, folks that use GFE, government furnished equipment, where it's like they probably go to another site. They have, you know, a laptop provided to them by someone, and with that comes an email system licensing that's, you know, so really what's left inside of your environment is someone that probably just goes into their email a couple times a week.
They're submitting a time sheet. So they don't need the kitchen sink license. They really just need what's minimally viable to get compliant. And then, you know, so discussions like that happen later on in the phase because, well, yeah, we just don't wanna really light money on fire for no good reason. So then as we get into finalization, go live, actually move you into that compliant state, and then begin that steady state, you know, kinda post onboarding example. Like, that's when we're focusing on everything tied to, you know, our continuous activities. You know, we've talked about the security monitoring, the incident response, the vulnerability management, the IT help desk, you know, our monthly deliverables around, you know, our CMMC compliance meetings, our cadences around making sure that, like, hey. We're tracking, we either have a C3PAO assessment that's been scheduled or we're tracking towards one or, hey. We just finished one. We got our perfect score. And now we're making sure that come the next one, we're doing all that. And then what's super critical about the monthly deliverables, the business reviews, and the annual engagements is that we're only doing them because, you know, they're meeting CMMC objectives, so we're really thoughtful about how we're spending our time with you. It's not just to kinda, like, parade for CyberSheet. It's also to parade really for you to make sure that, like, hey. If you're on our business review, there's actually outcomes in the PowerPoint deck that call out specific CMMC controls so that we can take credit for that later on in an assessment. And then similarly on the annual side, you know, incident tabletop exercises, all things that are required as part of your, you know, CMMC journey. So your relationship with the partner, again, ask the questions. What's onboarding look like? What are those steps? Do I get a project manager? How does that work?
When do we do licensing? What's implementation look like? What does remediation look like? What's my role? What's your role? What's our role together? How do we know what good looks like when we've completed certain objectives? And then what's steady state look like? All these things are the kinds of questions, and hopefully this slide is useful to you in putting your vendors through the paces. On the next slide, I think we've covered a lot of this, so I'm gonna kinda just go past it. We talked about all of these bullets already, and I wanna get to the next slide to try and give a little bit of a framework on the road map to compliance. And so as we think of a road map to compliance, stepping back from vendors who are driving software only, vendors who are doing partial solutions, vendors who are screaming FIPS or FedRAMP and not talking about everything else that's required, like, how do you deal with all that? And, hopefully, this is a little bit of a cheat sheet for you that, well, I, as a defense contractor, have to assess myself. I have to get a score to enter into SPRS. I have to write an SSP. I have to have a plan of action and milestones to a date certain that I'll be compliant. So that's the assess bucket. How does this vendor I'm evaluating help me get there? Then I have to implement based on my POA&M and get to full compliance. I have to deploy all the people, processes, and technologies required in the way that's reflected in my documentation. How does the vendor I'm talking to get me an implementation? And then I have to manage. There's an ongoing element, as Rich said, to compliance and to incident response and just protecting your network. Is this vendor doing that, or are they just getting me to compliance, and then when I have an incident, I'm telling them I have an incident, and incident response and support is extra. Emergency support, I pay double rates. So what does manage look like?
And so, hopefully, you can use this as a framework to help have those conversations with your vendor to fully understand what you're buying and to know that you're getting a partner who could solve the whole problem. And so with that, I'm sorry to speed up a little bit there, but I wanna answer some questions. And so Rick asks, and I don't know how they show the questions live here, but I can read them. Does CyberSheet have multiple offices? Do you only work remotely? Do you also have on-site assistance or customers? The majority of our customers work fully remote, and they have us work remote. We do have some. It goes to your business requirements, who say, we need an on-site person. And if that's what's required for your business, we provide that. Next question is, is CyberSheet presenting itself as a partner to help prepare to reach CMMC? Yes is the answer. Or a C3PAO completing the actual. We are not a C3PAO. We partner with C3PAOs. We deliver all the people, processes, and technologies to get you fully compliant. We essentially become your IT, security, and compliance department. Next question is, what are representative labor hours that an MSP needs to dedicate to an SMB client to assist them with being CMMC compliant? Peter, we don't think in terms of hours. We think hourly engagements leave someone disappointed, us or you. We think in terms of objectives. What do you need to complete? Do you need to deploy a SIEM? Do you need to build out a GCC environment? Do you need to do a mail migration? What are the objectives around compliance that you need to achieve? So with that, I'm gonna wrap because you've given us an hour of your time. Please fill out the survey that you should all have access to right now as I'm speaking. We are really truly grateful for your time. An hour of your time in a world bombarded by marketing claims is a lot. We hope we've earned it.
We hope we've done well by you and that we've given you some information to get you further along in your journey to full compliance. And, with that, again, very grateful for your time. Rich, you as well, thank you so much for joining me today. Yeah. Thank you. Thanks, everyone. Bye bye.