1
00:00:00,000 --> 00:00:08,240
Today on our Tech for Business podcast, Todd, our COO and CISO and Ann, our Quality Assurance

2
00:00:08,240 --> 00:00:11,400
Analyst and GMC Specialist.

3
00:00:11,400 --> 00:00:13,200
Just joked about all these letters.

4
00:00:13,200 --> 00:00:17,120
I'm here to discuss CMMC.

5
00:00:17,120 --> 00:00:23,040
So we get Cybersecurity Maturity Model Certification.

6
00:00:23,040 --> 00:00:24,040
Did I get it?

7
00:00:24,040 --> 00:00:25,040
You did?

8
00:00:25,040 --> 00:00:26,040
Yeah!

9
00:00:26,040 --> 00:00:27,040
I love it.

10
00:00:27,040 --> 00:00:30,200
And that's the last time we'll say it.

11
00:00:30,200 --> 00:00:34,120
We'll just say the letters.

12
00:00:34,120 --> 00:00:40,360
Ann or Todd, I was hoping you'd give a really quick overview and my question is really who

13
00:00:40,360 --> 00:00:42,840
are we talking to today?

14
00:00:42,840 --> 00:00:48,640
Who is affected by the changes coming to this CMMC?

15
00:00:48,640 --> 00:00:50,400
And then what is it?

16
00:00:50,400 --> 00:00:53,280
Yeah, why don't we start with what is it real quick?

17
00:00:53,280 --> 00:00:54,280
Yeah.

18
00:00:54,280 --> 00:00:59,400
Let Ann do that and then I'll jump into some who and she can expand on it.

19
00:00:59,400 --> 00:01:01,680
It's a program.

20
00:01:01,680 --> 00:01:10,080
CMMC, not anything longer, is a program that was built to protect the defense industrial

21
00:01:10,080 --> 00:01:19,280
base which you'd hear DIB referred to because we all love making words out of acronyms.

22
00:01:19,280 --> 00:01:26,560
A lot of times people hear those words immediately or if they have a similar background to me

23
00:01:26,560 --> 00:01:30,200
they're like, what, why are we touching this?

24
00:01:30,200 --> 00:01:32,040
We should just let it go.

25
00:01:32,040 --> 00:01:41,560
And really it's to protect the real details, not the overly secured, it's the medium level

26
00:01:41,560 --> 00:01:56,120
things and it applies to prime and subcontracts of the DOD and that goes to many levels, say

27
00:01:56,120 --> 00:01:58,840
a tier one, two, three and more.

28
00:01:58,840 --> 00:02:07,400
I think we as a technology provider really hit that two and three level.

29
00:02:07,400 --> 00:02:13,560
We're not typically dealing with a prime contractor but it's the smaller manufacturing

30
00:02:13,560 --> 00:02:20,360
that CIT really deals with and it applies to them just the same as a prime which makes

31
00:02:20,360 --> 00:02:22,840
it interesting and hard.

32
00:02:22,840 --> 00:02:26,080
Yeah, so a couple of things.

33
00:02:26,080 --> 00:02:34,440
This started out, what was it, 2019 I think is when they had the first iteration of CMMC

34
00:02:34,440 --> 00:02:36,840
and it's gone through a couple of iterations since then.

35
00:02:36,840 --> 00:02:38,080
It was a little bit longer than that.

36
00:02:38,080 --> 00:02:39,920
I can look that up real briefly.

37
00:02:39,920 --> 00:02:42,160
It's gone through a couple of iterations.

38
00:02:42,160 --> 00:02:47,120
The reason why we're talking about it now is because 2.0 is out and we're anticipating

39
00:02:47,120 --> 00:02:51,480
that this will be the final version that will end up being live.

40
00:02:51,480 --> 00:02:56,920
The current timeline has it being included in contracts that will be accepted at the

41
00:02:56,920 --> 00:03:02,240
beginning of 2025 so you're looking at February through April timeframe roughly.

42
00:03:02,240 --> 00:03:07,280
And so with that in mind, the time to get serious about it is now.

43
00:03:07,280 --> 00:03:10,800
When we've gone through a couple of the previous iterations, most people wait until the very

44
00:03:10,800 --> 00:03:16,200
last moment which is a little scary because it's hard to put all of the pieces in place

45
00:03:16,200 --> 00:03:17,280
at the last minute.

46
00:03:17,280 --> 00:03:23,800
But expanding on the who, it's anybody that's providing any goods or services to the Department

47
00:03:23,800 --> 00:03:30,740
of Defense and it's extremely broad so it includes subcontractors, it includes any providers

48
00:03:30,740 --> 00:03:32,720
that happen to be within the supply chain.

49
00:03:32,720 --> 00:03:33,720
So it's big.

50
00:03:33,720 --> 00:03:37,920
I think the number they're estimating is roughly 76,000.

51
00:03:37,920 --> 00:03:39,000
Companies are impacted by this.

52
00:03:39,000 --> 00:03:42,640
So it's a big number and it does impact a lot of people.

53
00:03:42,640 --> 00:03:50,520
And like I said, if you find yourself in that supply chain at any rate, the reason that

54
00:03:50,520 --> 00:03:55,800
the last C I want to kind of highlight this is it's not as simple as just putting

55
00:03:55,800 --> 00:03:57,400
policies in place.

56
00:03:57,400 --> 00:04:00,240
There's a certification process that needs to be completed.

57
00:04:00,240 --> 00:04:03,920
So you have to do all of the stuff before you can be certified.

58
00:04:03,920 --> 00:04:09,640
And then once you're certified, you can start applying for the contracts.

59
00:04:09,640 --> 00:04:14,840
Some of the minor changes that happened over the last couple of iterations is it used to

60
00:04:14,840 --> 00:04:18,840
be a couple of different levels and they've scaled it down from five down to three, which

61
00:04:18,840 --> 00:04:21,640
makes it a little bit easier.

62
00:04:21,640 --> 00:04:24,840
Level one is about as basic as it gets.

63
00:04:24,840 --> 00:04:26,760
I mean, there's literally 17 controls.

64
00:04:26,760 --> 00:04:28,560
It really isn't all that complicated.

65
00:04:28,560 --> 00:04:32,720
But if you're going to be doing any business, you really need to be gunning for level two.

66
00:04:32,720 --> 00:04:36,800
And that I think jumps up to 119 security controls.

67
00:04:36,800 --> 00:04:42,800
So you go from a few to, wow, we got to get serious here.

68
00:04:42,800 --> 00:04:46,760
The level two really parallels the NIST 800.

69
00:04:46,760 --> 00:04:54,760
So it is that like Todd said, it's really paralleling that I like to think of the CMMC

70
00:04:54,760 --> 00:05:00,600
controls, one, two, and three, which it went, I think Todd, you said that five to three

71
00:05:00,600 --> 00:05:15,640
in this iteration is it's similar to what a SOC 1 Type 1 to SOC 1 Type 2.

72
00:05:15,640 --> 00:05:17,600
It's the now prove it.

73
00:05:17,600 --> 00:05:18,600
Okay.

74
00:05:18,600 --> 00:05:23,200
Now we have, okay, we've had these requirements for a really long time.

75
00:05:23,200 --> 00:05:29,120
Like a lot of these stem from DFARS that have been on these contracts and have been

76
00:05:29,120 --> 00:05:31,280
pushed or levied.

77
00:05:31,280 --> 00:05:37,320
I don't want to say just like signed off, checked off, and not thought about much.

78
00:05:37,320 --> 00:05:39,040
But they're like, yeah, we're pretty close to that.

79
00:05:39,040 --> 00:05:41,480
I think this should be good.

80
00:05:41,480 --> 00:05:46,800
But it's really having that extra level now that says, well, now someone else is going

81
00:05:46,800 --> 00:05:48,840
to come and certify.

82
00:05:48,840 --> 00:05:54,520
In level one, you can self-certify, but level two, you can't.

83
00:05:54,520 --> 00:06:02,440
And that's really a huge leap to say, okay, now we have to have the evidence that we meet

84
00:06:02,440 --> 00:06:14,560
all these practices they call them, that everything from minor auditing to how you handle and

85
00:06:14,560 --> 00:06:16,320
safeguard your information.

86
00:06:16,320 --> 00:06:18,640
So it's a big deal.

87
00:06:18,640 --> 00:06:19,640
It really is.

88
00:06:19,640 --> 00:06:26,440
And some organizations have had practices in place.

89
00:06:26,440 --> 00:06:33,480
They've just never documented them, nor been required to certify that they do them in a

90
00:06:33,480 --> 00:06:36,760
way or modify them year over year.

91
00:06:36,760 --> 00:06:39,720
So it is a big, big thing coming.

92
00:06:39,720 --> 00:06:48,600
I think it's, is it required in 2025 that it will be on every new contract coming.

93
00:06:48,600 --> 00:06:53,240
It, we are seeing it already.

94
00:06:53,240 --> 00:07:00,120
But it, the requirement I think has, that's the part, one of the few items.

95
00:07:00,120 --> 00:07:08,320
The 2.0 isn't entirely ratified, if you will, by all parties yet.

96
00:07:08,320 --> 00:07:11,440
But that has been one of the key pieces.

97
00:07:11,440 --> 00:07:12,960
When is this effective?

98
00:07:12,960 --> 00:07:17,720
Because there are people that are like, well, it should have been a long time ago.

99
00:07:17,720 --> 00:07:22,600
And now we need to put a hard and fast date where that, that'll be included.

100
00:07:22,600 --> 00:07:23,600
Yeah.

101
00:07:23,600 --> 00:07:29,880
And I believe that the, the timeline was supposed to be more, I mean, so it's gone through several

102
00:07:29,880 --> 00:07:34,240
iterations and I think they're trying to get it ratified a little bit later this year.

103
00:07:34,240 --> 00:07:37,440
But to Ann's point, it is showing up in contracts already.

104
00:07:37,440 --> 00:07:38,960
And I kind of wanted to highlight this.

105
00:07:38,960 --> 00:07:41,560
This does impact a lot of small and mid-sized businesses.

106
00:07:41,560 --> 00:07:46,480
I mean, when I gave that 76,000, the vast majority of them, and that's like well over

107
00:07:46,480 --> 00:07:50,400
50,000 of those 76 are small businesses.

108
00:07:50,400 --> 00:07:55,720
And I mentioned that because that, again, you most likely can't do this on your own.

109
00:07:55,720 --> 00:07:59,160
You're probably going to need some assistance walking through it because you probably haven't

110
00:07:59,160 --> 00:08:05,160
had a mature compliance process historically.

111
00:08:05,160 --> 00:08:09,640
And I know you can easily get into the people's head if you go, is it worth it?

112
00:08:09,640 --> 00:08:11,600
My answer would be yes.

113
00:08:11,600 --> 00:08:14,120
But most people do know already inherently.

114
00:08:14,120 --> 00:08:18,440
If you look at what it takes to start to go down that path, people are already doing business

115
00:08:18,440 --> 00:08:19,800
with the Department of Defense.

116
00:08:19,800 --> 00:08:23,640
And if you don't go through this process, that portion of your business is going to go away.

117
00:08:23,640 --> 00:08:26,400
And you can quickly put a dollar amount as to what that looks like.

118
00:08:26,400 --> 00:08:27,880
You can look at your percentage of it.

119
00:08:27,880 --> 00:08:32,200
And assuming that's true, again, my perspective is now is the time really waiting throughout

120
00:08:32,200 --> 00:08:34,240
the year is not going to get you where you want to go.

121
00:08:34,240 --> 00:08:35,560
And historically, we have seen that.

122
00:08:35,560 --> 00:08:39,800
So we've had a few starts and stops with a bunch of our customers throughout the years

123
00:08:39,800 --> 00:08:43,640
as they're going, okay, I'm getting ready to gear up, which is good because again, now

124
00:08:43,640 --> 00:08:48,280
they don't have to take massive leaps over the next quarter, a couple of months.

125
00:08:48,280 --> 00:08:52,240
So in any case, anybody's curious, we're still in the, we just started the second quarter

126
00:08:52,240 --> 00:08:53,240
of 2024.

127
00:08:53,240 --> 00:08:57,200
So the timing of this podcast is pretty early in the process still.

128
00:08:57,200 --> 00:08:59,760
But if you're needing assistance, it doesn't have to be us.

129
00:08:59,760 --> 00:09:06,080
Obviously, we're not, our podcast does reach all parts of the country and beyond.

130
00:09:06,080 --> 00:09:10,280
So there are plenty of people out there that can help with the process, but it's now's

131
00:09:10,280 --> 00:09:11,280
the time.

132
00:09:11,280 --> 00:09:14,600
Get your head around the fact that you need to start working on this because there are

133
00:09:14,600 --> 00:09:18,800
plenty of projects that will take more than a couple of days or weeks.

134
00:09:18,800 --> 00:09:24,400
I did quick find at least the information right now says that assessments will be available

135
00:09:24,400 --> 00:09:31,360
Q1 2025, but the requirements will be Q3 of 2025.

136
00:09:31,360 --> 00:09:33,000
That's what it is as of today.

137
00:09:33,000 --> 00:09:34,000
Yeah.

138
00:09:34,000 --> 00:09:37,840
So the assessment that Ariel's talking about is you will be required if you're in this

139
00:09:37,840 --> 00:09:41,840
industry, you will be required to complete a self assessment every single year.

140
00:09:41,840 --> 00:09:47,080
So those are the ones that you're going to start seeing at the beginning of 2025.

141
00:09:47,080 --> 00:09:56,320
So I know this is, compliance is always, at least in my mind, like a lot of information.

142
00:09:56,320 --> 00:10:01,560
So I was wondering if you could explain a little bit of the changes and is this going

143
00:10:01,560 --> 00:10:04,440
to be a heavy lift for businesses?

144
00:10:04,440 --> 00:10:08,920
Are they going to have a lot they're going to need to do in the next year to get up to

145
00:10:08,920 --> 00:10:09,920
speed?

146
00:10:09,920 --> 00:10:18,840
And it depends, but the average business, the average, if you're doing your due diligence,

147
00:10:18,840 --> 00:10:22,040
are you going to have a harder time with all the changes coming?

148
00:10:22,040 --> 00:10:24,440
I was going to say hit the sound bar.

149
00:10:24,440 --> 00:10:26,000
Should we just have one?

150
00:10:26,000 --> 00:10:37,880
Just hit the button just for that, that it's really, in the 2.0, there really is not a

151
00:10:37,880 --> 00:10:42,840
lot of new requirements, to be honest.

152
00:10:42,840 --> 00:10:45,960
It still mirrors NIST.

153
00:10:45,960 --> 00:10:52,240
It just went from the five to the three.

154
00:10:52,240 --> 00:10:58,760
And that actually gained a lot of clarity for who can certify who can't and whatnot.

155
00:10:58,760 --> 00:11:03,480
But the requirements kind of remain the same.

156
00:11:03,480 --> 00:11:09,640
Just because there was an iteration or an update to 2.0 didn't make those required by

157
00:11:09,640 --> 00:11:14,960
this in 1.0, have those requirements disappear.

158
00:11:14,960 --> 00:11:20,240
I think there may have been some people that chose to wait until 2.0 was out.

159
00:11:20,240 --> 00:11:24,120
But it is a heavy lift.

160
00:11:24,120 --> 00:11:26,120
It can be.

161
00:11:26,120 --> 00:11:31,800
And it really getting through each of the requirements and seeing where you're at.

162
00:11:31,800 --> 00:11:38,840
And even, I know, like Todd said, we can certainly help do these, the gap assessment help you

163
00:11:38,840 --> 00:11:40,960
through a process.

164
00:11:40,960 --> 00:11:43,960
But it won't go away.

165
00:11:43,960 --> 00:11:53,000
And if you, again, like Todd mentioned, you risk not having that portion of your business

166
00:11:53,000 --> 00:11:55,160
quickly.

167
00:11:55,160 --> 00:12:00,040
And I don't think this is something that a lot of businesses are willing to just give

168
00:12:00,040 --> 00:12:01,040
up.

169
00:12:01,040 --> 00:12:09,760
A lot of that bread and butter of a smaller organization is this DOD base.

170
00:12:09,760 --> 00:12:16,640
And they've never had those requirements enforced before.

171
00:12:16,640 --> 00:12:20,680
And this is really kind of where what rubber meets the road.

172
00:12:20,680 --> 00:12:26,840
And unfortunately, it is kind of a we mean business kind of deal.

173
00:12:26,840 --> 00:12:32,560
And no one wants to be the bad guy, but this is kind of forced that hand to say, we've

174
00:12:32,560 --> 00:12:35,160
said this to you many times.

175
00:12:35,160 --> 00:12:38,840
We still need you to meet these requirements.

176
00:12:38,840 --> 00:12:45,160
And now we've expanded those to make a little bit more to mirror the NIST.

177
00:12:45,160 --> 00:12:48,920
And now someone's going to assess against this.

178
00:12:48,920 --> 00:12:55,360
And even if you had tried to, you're over a year, you're still going to have to maintain

179
00:12:55,360 --> 00:12:57,360
that year over a year.

180
00:12:57,360 --> 00:12:58,360
Yeah.

181
00:12:58,360 --> 00:13:01,520
And I think the depends part comes from everybody's in a different spot, right?

182
00:13:01,520 --> 00:13:06,000
So if an organization has already started down the path, it's going to be a lot easier.

183
00:13:06,000 --> 00:13:10,120
If you're waiting and you have been waiting, which, you know, love it, hate it, other,

184
00:13:10,120 --> 00:13:13,440
when it comes to compliance, a lot of people will make the decision.

185
00:13:13,440 --> 00:13:15,880
I'll do it when I'm forced to do it.

186
00:13:15,880 --> 00:13:20,080
Personally, I'm not a big believer in that.

187
00:13:20,080 --> 00:13:23,200
But my career sent me through manufacturing.

188
00:13:23,200 --> 00:13:27,920
So I was always in the ISO world and in the constant improvement process in general.

189
00:13:27,920 --> 00:13:32,560
So when I grew up, if you will, through my career, that was just kind of part of who

190
00:13:32,560 --> 00:13:33,960
I was and how I learned.

191
00:13:33,960 --> 00:13:38,720
And so when it comes to that, I look at it as more volunteer, which I would naturally

192
00:13:38,720 --> 00:13:43,360
fall into and start doing that, which we started this at CIT before we have had any kind of

193
00:13:43,360 --> 00:13:50,400
requirements, but we do fall heavily into that category as well.

194
00:13:50,400 --> 00:13:54,720
I would love to say I have an idea what the cost would be for an organization to go through

195
00:13:54,720 --> 00:13:55,720
this.

196
00:13:55,720 --> 00:14:00,000
Unfortunately, since every organization is a different size, the pricing does vary, right?

197
00:14:00,000 --> 00:14:06,280
You may have some things already in place, whether that's training and policies and procedures,

198
00:14:06,280 --> 00:14:07,760
or you may have nothing.

199
00:14:07,760 --> 00:14:10,760
And you're starting from ground zero, in which case there's going to be a lot to go through

200
00:14:10,760 --> 00:14:14,880
and a lot of stuff you're going to try and get in place, which is still possible between

201
00:14:14,880 --> 00:14:17,080
now and the beginning of 25.

202
00:14:17,080 --> 00:14:20,640
But you are starting to run out a little bit of a runway there.

203
00:14:20,640 --> 00:14:24,240
But there are some deep compliance requirements that are in there as well.

204
00:14:24,240 --> 00:14:29,280
I don't know how deep we're going to get into the security questions and controls today,

205
00:14:29,280 --> 00:14:30,720
but there is a lot there.

206
00:14:30,720 --> 00:14:34,280
And so it can be a significant amount of work.

207
00:14:34,280 --> 00:14:37,560
Just to kind of give you anything from a ballpark is if you've been going down a compliance

208
00:14:37,560 --> 00:14:42,400
path anyway, and there's a lot of them out there for a lot of different reasons, this

209
00:14:42,400 --> 00:14:47,440
had started and some people are on the path, you may have your antivirus, your security

210
00:14:47,440 --> 00:14:50,000
policy, your incident response plan.

211
00:14:50,000 --> 00:14:53,360
You may have good pieces in place already and you're just going, okay, the next big

212
00:14:53,360 --> 00:14:54,920
piece for me is a SIEM.

213
00:14:54,920 --> 00:14:57,320
Well, that might be pretty straightforward.

214
00:14:57,320 --> 00:15:00,280
But again, if you're nowhere yet and you're going, that's fine.

215
00:15:00,280 --> 00:15:02,440
They're going to force me, I'll get to it.

216
00:15:02,440 --> 00:15:09,240
Then there's a lot and you are literally looking at months worth of work.

217
00:15:09,240 --> 00:15:13,080
One of the things that I think is interesting as you look at how CMMC has been evolving

218
00:15:13,080 --> 00:15:19,120
is it started out pretty heavy handed, which good, bad or other.

219
00:15:19,120 --> 00:15:25,200
It started because historically there was no enforcement of the rules, if you will.

220
00:15:25,200 --> 00:15:29,120
And then they got a lot of feedback going, you're asking an awful lot of us.

221
00:15:29,120 --> 00:15:33,760
And so they swung completely the opposite direction and made it extremely easy.

222
00:15:33,760 --> 00:15:38,080
And then it's kind of settling down in the middle where it's still a big lift, but it's

223
00:15:38,080 --> 00:15:40,360
not what it looked like in its original form.

224
00:15:40,360 --> 00:15:42,160
There's still a lot there.

225
00:15:42,160 --> 00:15:45,840
But again, the purpose behind it is it's time to get serious.

226
00:15:45,840 --> 00:15:47,480
We are going to enforce it.

227
00:15:47,480 --> 00:15:50,200
And if you can't do that, which is a whole certification phase, right?

228
00:15:50,200 --> 00:15:52,240
If you're not certified, you're not getting the business.

229
00:15:52,240 --> 00:15:57,200
So again, it was before we just kind of let it go and we figured we'd get there eventually.

230
00:15:57,200 --> 00:16:01,400
And unfortunately, the way the world is when it comes to cybersecurity and getting access

231
00:16:01,400 --> 00:16:04,920
to the data, even though it's been unclassified, it's still controlled.

232
00:16:04,920 --> 00:16:08,600
So they do have specific requirements about what you can do with it.

233
00:16:08,600 --> 00:16:13,600
And therefore, here comes CMMC to make sure you're doing what you're saying you're doing.

234
00:16:13,600 --> 00:16:15,680
For sure.

235
00:16:15,680 --> 00:16:21,280
So we can get into the nitty-gritty if you'd like.

236
00:16:21,280 --> 00:16:25,240
My quick question is, when I'm looking at some of the information provided for this

237
00:16:25,240 --> 00:16:30,880
podcast, I'm seeing these maturity levels and these framework levels.

238
00:16:30,880 --> 00:16:38,520
And when you go through this assessment, where you land, is that going to change the type

239
00:16:38,520 --> 00:16:41,880
of business you're able to do, the type of contracts you have?

240
00:16:41,880 --> 00:16:45,680
Are you able to reassess before that year?

241
00:16:45,680 --> 00:16:50,760
What does a little bit of that process look like just out of my own curiosity?

242
00:16:50,760 --> 00:16:54,600
Yes, to all of that.

243
00:16:54,600 --> 00:17:02,640
One of the more difficult pieces of this as they were approaching 2.0 is there were not

244
00:17:02,640 --> 00:17:09,480
assessors available and they had not been able to be trained on this nor certified.

245
00:17:09,480 --> 00:17:17,400
We had two, myself included, that went through registered practitioner training for this.

246
00:17:17,400 --> 00:17:22,440
And we have not recertified because this hasn't been ratified, if you will.

247
00:17:22,440 --> 00:17:29,640
And we want to make sure we're recertifying to the actual standard, not to a GUI standard

248
00:17:29,640 --> 00:17:32,120
that we can hope for.

249
00:17:32,120 --> 00:17:38,720
But I think I alluded to it earlier.

250
00:17:38,720 --> 00:17:46,720
Even once it's assessed, this is a requirement ongoing, not just a one time and then we'll

251
00:17:46,720 --> 00:17:47,720
come back.

252
00:17:47,720 --> 00:17:55,520
This could be one contractor can be required by one contract to be assessed or provide

253
00:17:55,520 --> 00:17:59,160
that information that they've been certified.

254
00:17:59,160 --> 00:18:08,440
But it could be that they have another assessment, if you will, by another entity, if you will.

255
00:18:08,440 --> 00:18:09,840
And I won't say it.

256
00:18:09,840 --> 00:18:13,480
It's not like an Army contract versus a Navy contract.

257
00:18:13,480 --> 00:18:17,920
They can go back and forth and have, they are all the same requirements, but they can

258
00:18:17,920 --> 00:18:21,160
go through and say, nope, we're not quite there.

259
00:18:21,160 --> 00:18:24,280
It looks like it's been nine months since your last assessment.

260
00:18:24,280 --> 00:18:27,400
We want to see your latest.

261
00:18:27,400 --> 00:18:34,080
And Todd mentioned that the requirement for the self-assessments, that is across the board,

262
00:18:34,080 --> 00:18:38,480
truly required whether you're any level.

263
00:18:38,480 --> 00:18:46,680
But the two and the three on this are other people being available outside entities coming

264
00:18:46,680 --> 00:18:48,200
to do that.

265
00:18:48,200 --> 00:18:51,120
And that can be tricky when there's not a lot of people.

266
00:18:51,120 --> 00:18:59,400
So to answer your question in a roundabout way, yes, you could have that follow on assessment,

267
00:18:59,400 --> 00:19:03,360
but the availability might not be there.

268
00:19:03,360 --> 00:19:07,360
Maybe you're scheduled and you're ready, but there's no one to do that.

269
00:19:07,360 --> 00:19:13,960
So it really is trying to ensure that you're going first and right the first time.

270
00:19:13,960 --> 00:19:17,520
So you wouldn't be required to do that.

271
00:19:17,520 --> 00:19:24,120
It sounds like the assessors are reasonable and fair, I guess I would say.

272
00:19:24,120 --> 00:19:29,080
But you don't, I would not want someone to have to come back and say, oh, are you sure?

273
00:19:29,080 --> 00:19:31,360
Do you still need it?

274
00:19:31,360 --> 00:19:32,360
Yeah.

275
00:19:32,360 --> 00:19:39,640
The answer to the original question is the contracts are going to come and it is a requirement.

276
00:19:39,640 --> 00:19:40,640
So it's part of the contract.

277
00:19:40,640 --> 00:19:42,760
You either participate or you don't.

278
00:19:42,760 --> 00:19:46,280
If you're not certified, you can't participate, you're done.

279
00:19:46,280 --> 00:19:50,160
If you were not certified by February and there's contracts that happened in there, those are

280
00:19:50,160 --> 00:19:51,240
the ones that you won't be able to.

281
00:19:51,240 --> 00:19:55,440
But if you got certified by April, then sure you could participate.

282
00:19:55,440 --> 00:20:01,120
There may be business cases as to why you would want to be fully ready to rock by February,

283
00:20:01,120 --> 00:20:05,560
assuming, hey, there's going to be a limited pool of people that are even able to do this

284
00:20:05,560 --> 00:20:06,560
work.

285
00:20:06,560 --> 00:20:10,040
We want to be one of those and that might be worthy of their time.

286
00:20:10,040 --> 00:20:13,440
But you can get assessed at any given time, of course, as Ann mentioned, assuming that

287
00:20:13,440 --> 00:20:16,600
you've got availability of the assessor.

288
00:20:16,600 --> 00:20:21,280
But again, I think the main thrust of it is you want to do it because it's going to be

289
00:20:21,280 --> 00:20:24,120
a requirement of a lot of those contracts.

290
00:20:24,120 --> 00:20:28,560
One of the things I think is really interesting when it looks at the assessment itself is there

291
00:20:28,560 --> 00:20:33,240
is a requirement in that you get that signed off by a senior official of your organization.

292
00:20:33,240 --> 00:20:38,560
And I mentioned that because the intent here is that you can't just say, go get that done,

293
00:20:38,560 --> 00:20:41,320
Jim, go turn the buttons and push the knobs.

294
00:20:41,320 --> 00:20:42,320
Sorry.

295
00:20:42,320 --> 00:20:45,240
No, you have to be fully engaged.

296
00:20:45,240 --> 00:20:47,240
So it is.

297
00:20:47,240 --> 00:20:54,440
Todd signs our SOC report saying that everyone in our organization has met the requirements

298
00:20:54,440 --> 00:21:00,520
and all the evidence that we've provided is true and accurate.

299
00:21:00,520 --> 00:21:07,320
That's where that senior leadership endorsement and Todd's eyes are wide open to where we

300
00:21:07,320 --> 00:21:09,800
are as an organization.

301
00:21:09,800 --> 00:21:12,440
It's no different in the CMMC.

302
00:21:12,440 --> 00:21:20,600
And this doesn't allow for a senior leadership team to be covering their eyes like, I had

303
00:21:20,600 --> 00:21:21,600
no idea.

304
00:21:21,600 --> 00:21:22,600
Wow.

305
00:21:22,600 --> 00:21:23,600
What?

306
00:21:23,600 --> 00:21:32,720
And we're very fortunate at CIT that our leadership is absolutely focused on things like this.

307
00:21:32,720 --> 00:21:33,720
That's not always the case.

308
00:21:33,720 --> 00:21:35,040
They're like, just get it done.

309
00:21:35,040 --> 00:21:37,440
Just check it off and we'll just sign it.

310
00:21:37,440 --> 00:21:47,080
I'm like, it really avoids that endorsement is critical and I like it.

311
00:21:47,080 --> 00:21:52,840
But it's across the board for a lot of different frameworks, to be honest, not just CMMC.

312
00:21:52,840 --> 00:21:53,840
Right.

313
00:21:53,840 --> 00:21:54,840
Yeah.

314
00:21:54,840 --> 00:21:58,520
And there was one other thing that I thought and hit on a moment ago before I started babbling

315
00:21:58,520 --> 00:22:02,160
when she had kind of talked about this isn't a one time thing, right?

316
00:22:02,160 --> 00:22:04,440
This is a continuous process.

317
00:22:04,440 --> 00:22:05,800
So you don't start it.

318
00:22:05,800 --> 00:22:08,200
You don't get a quick stamp and I'm done.

319
00:22:08,200 --> 00:22:09,600
This is a continuous thing.

320
00:22:09,600 --> 00:22:11,840
The intent is that you're always trying to get better.

321
00:22:11,840 --> 00:22:17,800
Again, as I said, we are not under a heavy compliance, but as these kinds of things come,

322
00:22:17,800 --> 00:22:19,880
we do start to become part of the supply chain.

323
00:22:19,880 --> 00:22:22,440
So we need to follow along as well.

324
00:22:22,440 --> 00:22:25,640
We naturally do because we're trying to do the right things.

325
00:22:25,640 --> 00:22:30,720
It also helps us with what we do, giving this type of guidance in general.

326
00:22:30,720 --> 00:22:36,280
But to me, staying on the path of compliance is a good natural thing for a business to

327
00:22:36,280 --> 00:22:41,880
be doing regardless of whether a regulator is on you about it or not.

328
00:22:41,880 --> 00:22:43,440
Understand that there's a cost associated with it.

329
00:22:43,440 --> 00:22:44,840
So not everybody's on board with that.

330
00:22:44,840 --> 00:22:51,480
But in my opinion, it's a big deal and being engaged does matter.

331
00:22:51,480 --> 00:23:03,360
So we've kind of been talking this high overview and I always try to ask what the biggest challenges

332
00:23:03,360 --> 00:23:10,760
or what the biggest hurdles you see, what are the things that are new for this CMMC

333
00:23:10,760 --> 00:23:19,360
2.0 that are going to kind of stop people up or clog people as they are trying to get

334
00:23:19,360 --> 00:23:24,640
this new certification, if that kind of makes sense?

335
00:23:24,640 --> 00:23:27,960
Where are the hiccups for businesses that they're going to maybe have problems with

336
00:23:27,960 --> 00:23:35,240
that are new or you've seen them lacking in the previous generation of this?

337
00:23:35,240 --> 00:23:42,120
I think we hit it from a couple different angles and that's really like the, I see maybe

338
00:23:42,120 --> 00:23:44,600
three right off the top of my head.

339
00:23:44,600 --> 00:23:48,600
One is it's not just a, oh yeah, we do it.

340
00:23:48,600 --> 00:23:54,480
It is you have to certify and then be ready with evidence that you can do this and continue

341
00:23:54,480 --> 00:23:56,640
to do this.

342
00:23:56,640 --> 00:24:04,640
That would be your self assessment, but then being prepared for having an assessment by

343
00:24:04,640 --> 00:24:07,480
an external entity.

344
00:24:07,480 --> 00:24:12,120
We're fortunate that we've gone through the process of, say, a SOC audit, but many people

345
00:24:12,120 --> 00:24:17,800
have not ever had that requirement of having external auditors or assessors to come into

346
00:24:17,800 --> 00:24:19,480
their organization.

347
00:24:19,480 --> 00:24:23,800
ISO is a big deal and it's in a similar vein.

348
00:24:23,800 --> 00:24:30,440
That might be one of the only manufacturing elements that they would kind of drop parallel,

349
00:24:30,440 --> 00:24:38,720
but then that compliance as a voluntary kind of implementation.

350
00:24:38,720 --> 00:24:49,000
That has a completely dovetailing that the voluntary commitment to getting to compliance

351
00:24:49,000 --> 00:24:53,680
standards and maintaining them because it's the right thing to do.

352
00:24:53,680 --> 00:24:58,840
Matt, unfortunately, he's right that there are always going to be the people that don't

353
00:24:58,840 --> 00:25:03,120
do it till the very last second because it's stupid and I don't have time for this.

354
00:25:03,120 --> 00:25:05,880
I don't want to put the budget towards it.

355
00:25:05,880 --> 00:25:14,480
But in reality, most of any framework to very much importantly include CMMC are really trying

356
00:25:14,480 --> 00:25:20,680
to guide people in the right direction of meeting standards that are really important

357
00:25:20,680 --> 00:25:28,680
for you as an organization to maintain, in this case, your cyber hygiene.

358
00:25:28,680 --> 00:25:32,560
From my perspective, I think the thing that's going to be the hardest for organizations,

359
00:25:32,560 --> 00:25:35,960
there hasn't been a significant change on the security controls.

360
00:25:35,960 --> 00:25:41,400
There's domains that you have, so you need to do things like do you have physical security,

361
00:25:41,400 --> 00:25:45,480
that's door badge access, it's cameras on the buildings, there's security training.

362
00:25:45,480 --> 00:25:50,400
A lot of those things really didn't change from one version to the other.

363
00:25:50,400 --> 00:25:55,160
From my perspective, I think the hardest thing to kind of get your arms around is the maturity

364
00:25:55,160 --> 00:25:56,160
of it.

365
00:25:56,160 --> 00:26:00,520
I'll use this example of one of the things that you need to do under here is, and this

366
00:26:00,520 --> 00:26:03,320
is just an example, this is one piece of the puzzle.

367
00:26:03,320 --> 00:26:08,840
This is not like, hey, boom, we've got the answers, is the incident response.

368
00:26:08,840 --> 00:26:13,120
Typically the way that CIT addresses this is we go, we build the incident response plan,

369
00:26:13,120 --> 00:26:15,840
which includes a call tree.

370
00:26:15,840 --> 00:26:19,680
Inevitably at every organization I have never been at, I have never started out where they

371
00:26:19,680 --> 00:26:23,320
didn't have a single person that was the answer to every question.

372
00:26:23,320 --> 00:26:24,480
When this happens, what do you call?

373
00:26:24,480 --> 00:26:25,480
You call Joe.

374
00:26:25,480 --> 00:26:26,960
Great.

375
00:26:26,960 --> 00:26:30,960
What we typically do is we build the plan and then we build the tabletop exercise.

376
00:26:30,960 --> 00:26:36,040
The tabletop exercise we start as a maturity level is we try to bring in leadership, and

377
00:26:36,040 --> 00:26:37,960
this is the maturity I'm talking about.

378
00:26:37,960 --> 00:26:41,960
Again, more often than not, you got a doer that's doing the work and senior management

379
00:26:41,960 --> 00:26:44,680
is going, great, let me know when that's done and I'll sign off on it.

380
00:26:44,680 --> 00:26:47,120
Well, in this situation, that doesn't work, right?

381
00:26:47,120 --> 00:26:51,760
Because in the event something happens, senior management is going to want to know what happens.

382
00:26:51,760 --> 00:26:56,360
We start the plan, we do the tabletop, and the vast majority of our tabletop exercises

383
00:26:56,360 --> 00:27:01,320
to begin with are, do you know you're supposed to go grab the plan?

384
00:27:01,320 --> 00:27:02,320
It's that basic, right?

385
00:27:02,320 --> 00:27:03,320
Where's the plan?

386
00:27:03,320 --> 00:27:06,880
Then phase two is, okay, Joe's not available.

387
00:27:06,880 --> 00:27:07,880
Now what are you going to do?

388
00:27:07,880 --> 00:27:09,760
They're like, well, wait a minute, Joe's always available.

389
00:27:09,760 --> 00:27:12,520
He never goes on vacation, even when he does, he's got a cell phone.

390
00:27:12,520 --> 00:27:13,520
I can always get a phone.

391
00:27:13,520 --> 00:27:14,640
I'm like, great, he's out to sea.

392
00:27:14,640 --> 00:27:15,640
His phone's not working now.

393
00:27:15,640 --> 00:27:16,640
What are you going to do?

394
00:27:16,640 --> 00:27:17,640
He won the lottery.

395
00:27:17,640 --> 00:27:18,640
He's out to sea.

396
00:27:18,640 --> 00:27:19,640
Right.

397
00:27:19,640 --> 00:27:20,640
Whatever it is, right?

398
00:27:20,640 --> 00:27:25,080
Now all of a sudden, this maturity kicks in and the leadership finally gets it.

399
00:27:25,080 --> 00:27:28,400
So it isn't Joe, this is everybody.

400
00:27:28,400 --> 00:27:29,640
And then we keep building for that.

401
00:27:29,640 --> 00:27:35,240
So to me, that's the biggest hurdle to overcome is this isn't something you assign and delegate

402
00:27:35,240 --> 00:27:36,240
off.

403
00:27:36,240 --> 00:27:37,800
This is something that impacts your entire organization.

404
00:27:37,800 --> 00:27:42,960
And it does take a while to kind of embrace that and go, no, this is who we are now.

405
00:27:42,960 --> 00:27:45,560
And that is going to be by far, in my opinion, the biggest hurdle.

406
00:27:45,560 --> 00:27:49,760
And I know that sounds probably a little cheesy and whatnot, but it's the only way that you

407
00:27:49,760 --> 00:27:52,760
get this and you get it in place and it's repeatable.

408
00:27:52,760 --> 00:27:55,440
And again, if this is your business, you're working with the Department of Defense, there's

409
00:27:55,440 --> 00:27:57,160
a lot of money to be had out there, right?

410
00:27:57,160 --> 00:28:00,680
Everybody knows what Lockheed Martin's making and whatnot.

411
00:28:00,680 --> 00:28:01,780
It's significant.

412
00:28:01,780 --> 00:28:06,080
So there's a good reason why a lot of businesses choose to work with the Department of Defense.

413
00:28:06,080 --> 00:28:08,880
These are the kinds of things you're going to have to get your arms around and build

414
00:28:08,880 --> 00:28:10,200
it into the culture of your organization.

415
00:28:10,200 --> 00:28:17,280
And in my opinion, that's going to be the hardest thing to get in place.

416
00:28:17,280 --> 00:28:19,280
Looking at these changes.

417
00:28:19,280 --> 00:28:27,160
Is there anything that you are really, and maybe we answered it already, excited that's

418
00:28:27,160 --> 00:28:29,040
new in it?

419
00:28:29,040 --> 00:28:35,440
Or is there anything that you feel like is glaringly missing?

420
00:28:35,440 --> 00:28:37,800
From my perspective, I don't think there's a lot that's glaringly missing.

421
00:28:37,800 --> 00:28:41,240
They've got a lot of smart people that have contributed to this.

422
00:28:41,240 --> 00:28:43,520
So it is a very robust process.

423
00:28:43,520 --> 00:28:44,840
It's a great framework.

424
00:28:44,840 --> 00:28:45,840
There's a lot there.

425
00:28:45,840 --> 00:28:49,440
It excites me personally, and you're going to have to deal with the fact that I'm a security

426
00:28:49,440 --> 00:28:50,440
nerd.

427
00:28:50,440 --> 00:28:55,800
The fact that people are going to have to embrace it, right?

428
00:28:55,800 --> 00:28:59,680
From my perspective, the easiest thing that actually gets the security culture in place

429
00:28:59,680 --> 00:29:00,680
is the compliance.

430
00:29:00,680 --> 00:29:04,160
And I know that that sounds like it's really designed to be a hammer.

431
00:29:04,160 --> 00:29:07,600
And quite frankly, in a lot of cases it is.

432
00:29:07,600 --> 00:29:11,600
To me, that is the biggest boom from something like this, is most organizations should be

433
00:29:11,600 --> 00:29:13,880
doing a lot of stuff.

434
00:29:13,880 --> 00:29:19,120
Just to give you a little context out there is the way that CIT builds our offerings is

435
00:29:19,120 --> 00:29:20,720
we just include security.

436
00:29:20,720 --> 00:29:24,480
Because if I said, hey, we think you should do this, more often than not, the response

437
00:29:24,480 --> 00:29:25,560
is, let me think about that.

438
00:29:25,560 --> 00:29:26,760
I'll get back to you.

439
00:29:26,760 --> 00:29:31,120
But if we say it's just included and you get it, we'll set it up for you and we'll help

440
00:29:31,120 --> 00:29:34,680
you through the process, then people are pretty, okay, that makes sense.

441
00:29:34,680 --> 00:29:38,200
Well when that happens, those people that have been working for us, and I'm guessing

442
00:29:38,200 --> 00:29:43,560
there's other people that are out there like this, they're already set on that first level

443
00:29:43,560 --> 00:29:44,800
one, they're ready to rock.

444
00:29:44,800 --> 00:29:48,640
They're okay, we've got ports in place, we could even get certified on that today if

445
00:29:48,640 --> 00:29:50,280
we wanted to.

446
00:29:50,280 --> 00:29:54,680
That's great, but this compliance does help get us to the next level, which again, it

447
00:29:54,680 --> 00:29:59,080
can be a fight when people say I don't see the value in that.

448
00:29:59,080 --> 00:30:04,640
And I can only make so many business propositions on how it does actually make sense before

449
00:30:04,640 --> 00:30:08,640
I kind of go, okay, well, it's your decision, it's your risk, it's not mine.

450
00:30:08,640 --> 00:30:15,080
It's like the addition into cyber insurance requirements for EDR, where we had been ahead

451
00:30:15,080 --> 00:30:21,160
of the game putting that as part of our managed service offering.

452
00:30:21,160 --> 00:30:26,480
And I don't want to make this all about CIT because these are about technology for business,

453
00:30:26,480 --> 00:30:34,680
but to spot on, we are almost always ahead of the game in our compliance requirements

454
00:30:34,680 --> 00:30:42,240
and can confidently say it's important to us, it's important for us to deliver this quality

455
00:30:42,240 --> 00:30:45,280
of service to organizations.

456
00:30:45,280 --> 00:30:51,360
And oh, by the way, this meets XYZ amount of your compliance requirements.

457
00:30:51,360 --> 00:30:57,800
I mean, we're not, we're humble bragging, I don't know.

458
00:30:57,800 --> 00:30:59,960
Wait, just a break.

459
00:30:59,960 --> 00:31:06,120
Oh, you need to be able to have a show EDR.

460
00:31:06,120 --> 00:31:09,000
Okay, you're so good at this.

461
00:31:09,000 --> 00:31:11,600
I do think that's a part of it.

462
00:31:11,600 --> 00:31:15,000
One of the things, it came up a little bit earlier and I was going to jump in and mention

463
00:31:15,000 --> 00:31:17,680
that and I kind of forgot about it and I let it go.

464
00:31:17,680 --> 00:31:23,280
But Ann was kind of talking about earlier in the podcast about how going through the

465
00:31:23,280 --> 00:31:27,560
audit and being prepared for it is sometimes difficult to do.

466
00:31:27,560 --> 00:31:32,360
When you've got all the things in place, it really isn't that hard.

467
00:31:32,360 --> 00:31:35,120
And I know that's easy for me to say I've been doing this for a long time.

468
00:31:35,120 --> 00:31:38,160
I got all kinds of gray hair on my chin.

469
00:31:38,160 --> 00:31:46,240
But where I was going with this is really what it is is when you've got it in place.

470
00:31:46,240 --> 00:31:52,040
It's a little nerving, unnerving to go through an audit or certification process, right?

471
00:31:52,040 --> 00:31:55,760
You're basically somebody's judging you and that's a hard thing for most people to get

472
00:31:55,760 --> 00:31:57,600
their arms around.

473
00:31:57,600 --> 00:32:01,240
But when you're working with a partner that's going, yep, we've got that.

474
00:32:01,240 --> 00:32:03,560
We've got these, we're checking the boxes.

475
00:32:03,560 --> 00:32:07,880
It's more than checking the boxes because like I said, I want that leadership accountability

476
00:32:07,880 --> 00:32:08,880
in there too.

477
00:32:08,880 --> 00:32:13,040
But when we know we've got the things in place and we've got the proof, the certification

478
00:32:13,040 --> 00:32:16,080
process is quite simple.

479
00:32:16,080 --> 00:32:17,080
There is a roadmap.

480
00:32:17,080 --> 00:32:19,600
There is a way to get there.

481
00:32:19,600 --> 00:32:25,280
I try to avoid tooting our own horn on this podcast to keep it educational.

482
00:32:25,280 --> 00:32:29,400
But the businesses that we work with, do they come to you and say, I'm doing this

483
00:32:29,400 --> 00:32:35,360
CMMC thing and you hand them a folder and say, here's the pieces that we provide?

484
00:32:35,360 --> 00:32:40,400
What does that conversation look like with businesses who are working with an outside

485
00:32:40,400 --> 00:32:41,400
person?

486
00:32:41,400 --> 00:32:44,480
So if you listened to any of our podcasts before, basically what ends up happening is

487
00:32:44,480 --> 00:32:46,920
we do what I refer to as a gap analysis.

488
00:32:46,920 --> 00:32:47,920
Where are you at today?

489
00:32:47,920 --> 00:32:50,840
Because if I can't tell you where you're at, I can't tell you what the next steps are.

490
00:32:50,840 --> 00:32:52,640
But yes, you can start to build.

491
00:32:52,640 --> 00:32:57,400
Like I said, this process is completely mapped out.

492
00:32:57,400 --> 00:32:59,400
It is very, very logical.

493
00:32:59,400 --> 00:33:02,680
There is a way from zero to 100 and it is mapped.

494
00:33:02,680 --> 00:33:05,920
So you can sit down and say, here's how we're going to do it.

495
00:33:05,920 --> 00:33:09,640
You build the plan, you build the budget, and then you implement the plan.

496
00:33:09,640 --> 00:33:11,880
As I mentioned, everybody's in a different spot.

497
00:33:11,880 --> 00:33:13,600
Some people might be on antivirus.

498
00:33:13,600 --> 00:33:15,640
Some people may have adopted EDR.

499
00:33:15,640 --> 00:33:17,920
That's going to change how you approach things.

500
00:33:17,920 --> 00:33:21,360
But that's typically how it goes as you start to work through what's in place today and

501
00:33:21,360 --> 00:33:23,200
where are the gaps that we need to fill in?

502
00:33:23,200 --> 00:33:26,400
Do I need to get additional buy-in from leadership?

503
00:33:26,400 --> 00:33:28,240
So on and so forth.

504
00:33:28,240 --> 00:33:29,360
But that's how it typically begins.

505
00:33:29,360 --> 00:33:34,520
And yes, most people, I think one of the larger things that's hard, especially for those 50,000

506
00:33:34,520 --> 00:33:40,320
small businesses is while it's written in English and it's clear to someone like myself

507
00:33:40,320 --> 00:33:43,840
and Ann, it isn't to everybody.

508
00:33:43,840 --> 00:33:47,280
And so they look at that and they go, I can read that, but I'll be darned if I have the

509
00:33:47,280 --> 00:33:48,960
slightest idea what that says.

510
00:33:48,960 --> 00:33:51,680
The words putting together things.

511
00:33:51,680 --> 00:33:52,680
Right, exactly.

512
00:33:52,680 --> 00:33:55,160
So that can be a big hurdle.

513
00:33:55,160 --> 00:33:59,240
And so, yeah, there are lots of people out there that can help through that process and

514
00:33:59,240 --> 00:34:04,120
translate that into plain, actionable English for organizations.

515
00:34:04,120 --> 00:34:13,160
Again, not horn-tooting it either, one of the benefits of the CIT team as a whole is

516
00:34:13,160 --> 00:34:15,600
that we are translators.

517
00:34:15,600 --> 00:34:19,200
But we may even have the products ahead of time.

518
00:34:19,200 --> 00:34:23,520
We have the things that meet the requirements, but we also seek to educate.

519
00:34:23,520 --> 00:34:28,120
We're not just going to drop something and say, hey, here, good luck to you.

520
00:34:28,120 --> 00:34:30,320
Like, yeah, it's EDR.

521
00:34:30,320 --> 00:34:32,440
And really, do you know what an EDR is?

522
00:34:32,440 --> 00:34:34,120
Do you know what that is?

523
00:34:34,120 --> 00:34:35,720
Okay, let's talk about it.

524
00:34:35,720 --> 00:34:36,720
Do you know?

525
00:34:36,720 --> 00:34:39,960
I understand you've asked us about CMMC.

526
00:34:39,960 --> 00:34:41,960
Here's the requirements.

527
00:34:41,960 --> 00:34:46,640
And let's see where that cross-references.

528
00:34:46,640 --> 00:34:51,640
We can't certify you, but we can certainly get you where you need to be and where you

529
00:34:51,640 --> 00:34:55,440
can start to understand where those requirements are.

530
00:34:55,440 --> 00:35:00,240
Some people might not be as excited as I am to talk about those things.

531
00:35:00,240 --> 00:35:08,200
But it's really important, even on a super high level, to say that it educates someone.

532
00:35:08,200 --> 00:35:16,280
Tell me in easy terms, not the words putting together, terms that this is why EDR is important

533
00:35:16,280 --> 00:35:17,640
to you.

534
00:35:17,640 --> 00:35:23,640
This is why these products are important to you as an organization.

535
00:35:23,640 --> 00:35:27,800
Yeah, one thing that, as Ann was talking, popped into my head, and I thought it related

536
00:35:27,800 --> 00:35:32,040
pretty well, is if you are looking for someone to partner with, there's a couple of different

537
00:35:32,040 --> 00:35:33,840
ways that the approaches typically go.

538
00:35:33,840 --> 00:35:36,960
And so if you're starting to do this, just keep this in your head.

539
00:35:36,960 --> 00:35:40,200
The three that I would say is, do it yourself.

540
00:35:40,200 --> 00:35:43,360
So somebody can sell you a tool, you implement it, you get it done, or maybe you do it all

541
00:35:43,360 --> 00:35:45,480
on your own, you do the research, et cetera.

542
00:35:45,480 --> 00:35:46,640
Do it together.

543
00:35:46,640 --> 00:35:50,240
So someone like CIT comes in and says, OK, we're going to work together on it.

544
00:35:50,240 --> 00:35:53,800
I'll take this piece, you take that piece, you let us know when you need additional help.

545
00:35:53,800 --> 00:35:54,840
And then there's do it for you.

546
00:35:54,840 --> 00:36:01,040
So there'll be the all-in, everything's included approach where that organization may just take

547
00:36:01,040 --> 00:36:02,240
it, run with it.

548
00:36:02,240 --> 00:36:06,480
It's not as simple as they just do everything with something like this.

549
00:36:06,480 --> 00:36:08,880
Because as I mentioned, the business does need the buy-in.

550
00:36:08,880 --> 00:36:10,200
They do need to say yes.

551
00:36:10,200 --> 00:36:11,880
They are the ones signing on the bottom line.

552
00:36:11,880 --> 00:36:17,280
And so there's a lot of trust that would go into a decision like that for me where you're

553
00:36:17,280 --> 00:36:18,280
going.

554
00:36:18,280 --> 00:36:21,760
I really believe this person can do everything they said they can, and I'm just going to sign

555
00:36:21,760 --> 00:36:22,760
off on it.

556
00:36:22,760 --> 00:36:24,720
That would be a tough pill for me to swallow.

557
00:36:24,720 --> 00:36:26,120
But there are those three approaches.

558
00:36:26,120 --> 00:36:29,240
And just think about that if you're looking for a partner to help you through that, is

559
00:36:29,240 --> 00:36:31,600
which one of those best suits you.

560
00:36:31,600 --> 00:36:33,600
For sure.

561
00:36:33,600 --> 00:36:34,600
Definitely.

562
00:36:34,600 --> 00:36:39,640
It seems to be a topic we may come back to at the end of the year as it comes back top

563
00:36:39,640 --> 00:36:44,400
of mind for people because it's getting a little bit closer for sure.

564
00:36:44,400 --> 00:36:47,280
Thank you so much, Todd and Ann for joining us today.

565
00:36:47,280 --> 00:36:51,560
If you liked this podcast, please be sure to like and subscribe.

566
00:36:51,560 --> 00:36:56,520
If you have a topic you'd like us to discuss or want to know more about CMMC and all the

567
00:36:56,520 --> 00:37:03,280
things coming for that, reach out to us at info at cIT-net.com or head out to our podcast

568
00:37:03,280 --> 00:37:09,640
cIT-net.com slash podcast and we'll be back next week with an all new episode.

