Navigating the 32 CFR Final Rule Regulations
Climbing Mount CMMC, October 17, 2024
Duration: 00:48:38



In this conversation, Bobby Guerra and Kaleigh Floyd discuss the recent release of the 32 CFR Final Rule and its implications for organizations. They explore the importance of self-assessments, the complexities involved, and the distinctions between different types of compliance measures such as enduring exceptions, operational plans, and temporary deficiencies. 

The conversation also delves into the differences between Cloud Service Providers (CSPs) and External Service Providers (ESPs), providing insights into how organizations can navigate these new regulations effectively. Kaleigh and Bobby discuss FedRAMP requirements, the importance of understanding inheritance in compliance frameworks, and the recent changes in certification requirements for CCPs and CCAs.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.

[00:00:11] All right folks, it's finally here. 32 CFR finally dropped. It dropped on Friday and then today at the time of this recording is Tuesday and the kind of the companion documents have now dropped.

[00:00:26] So you can actually see all of it, the assessment guides and those types of things, scoping guides and all of that additional compendium and information that you can use for your 32 CFR.

[00:00:34] So it's all out. So what we want to do today is just kind of give everybody a quick synopsis or summary of what we saw and some things that are key points that we feel that a lot of people might want to know about.

[00:00:45] But let's just put some caveats there out there. We are not pretending that what we're going to share here is going to be absolute gospel.

[00:00:54] You should not operate your organization based on what you just watched in this video. It's just intended to help create dialogue, good discussion.

[00:01:04] Also, if you're going to be reading through it, you can have some more specifics to kind of drill into and have better insights.

[00:01:10] Every time I look at this, I see something else that I want to add to this list.

[00:01:14] And so we do have a list that we're going off of. Kaleigh, thank you for joining us.

[00:01:19] It's going to be kindly helping guide me through this because if not, I'll be talking forever.

[00:01:24] So she's got the little shepherd staff ready off, you know, just to kind of keep me on target here.

[00:01:30] But we're going to be going through this document, which at some point I believe, Kaleigh, we're going to be sharing. Is that right?

[00:01:35] Yes, we are. We will publish this on our website in a way that I mean, it's not going to be just a complete document itself.

[00:01:45] We're just going to copy and paste it onto our website.

[00:01:46] We're planning on, you know, deciphering this talk, talking about it ourselves, posting articles about our, you know, our thoughts on each of these subjects, how it could affect your business.

[00:01:59] So we're going to go more in depth into maybe how it will affect specific parties.

[00:02:05] We're even going to do this in podcast episodes coming up. Right.

[00:02:09] So we're going to be doing specific discussions on like MSPs, vendors and so forth to discuss how this could affect them in the ways that it could affect them.

[00:02:20] So we just we really want to bring, you know, there's a lot of words and there's a lot of definitions and there's a there's a lot to to comprehend.

[00:02:31] So we understand that and we're trying to help businesses as much as they can.

[00:02:37] And that's just a way that we think that we could do that effectively.

[00:02:41] Let's kick this off with talking about something that we we did already previously discuss in our podcast that we first put out.

[00:02:47] But I just wanted to make sure to say it on here as well, that there was an update to the timeline of the rollout of all of this.

[00:02:54] Right. So just to just briefly say that the phase one actually was extended by six months to make it an entire year.

[00:03:03] Right. So so that just adds because each phase is based upon the previous phase amount.

[00:03:11] Each one of these phases is going to last a year now rather than phase one to just be six months.

[00:03:17] We're going to talk a little bit about it, but that means there's a longer opportunity for self-assessments, which I think in their own right can be very dangerous if you try to not understand.

[00:03:28] Yeah, it's a bit of a cobra.

[00:03:30] And, you know, if you're just like, oh, let me just go pet this thing and you're going to get one right in the jugular if you're not careful.

[00:03:35] So yes, treat it with the right respect.

[00:03:38] Yes, for sure.

[00:03:39] Sure. So now that we've gotten just talked a little bit about the timeline, let's talk about just the CMMC program as a whole,

[00:03:46] because specifically in the ruling, they did point to SP 800-171 revision two.

[00:03:55] Right.

[00:03:55] So can you talk to us a little bit about that, what that means in class deviations?

[00:04:01] Yeah. So what happened is everybody was losing their mind because we're approaching kind of the stop, you know, like the plane is coming in and people are like, are we going to, are we just going to go right off the runway?

[00:04:12] And what they were worried about is NIST. It's a different organization than the DOD.

[00:04:17] And so they have come out with a new version of the standard that CMMC is based on, which is 800-171 and 171A.

[00:04:26] And so because there's a new revision, the way that the ruling was kind of, or the rule and some of the information was written, it created this contention of which version are we going to use?

[00:04:36] And so the DOD said, okay, you know, they wrote a memo and said, it's called a class deviation that says we're going to use rev two because that's what everybody's kind of been getting ready for.

[00:04:46] So that's, we're going to use in the 32 CFR. They, they pretty much said, okay, this is what we're going to do.

[00:04:53] We're using rev two and they put it in the rule.

[00:04:55] So that just gives us a good indication that, you know, they're going to have to write a new rule before they will go to revision, revision three,

[00:05:04] which means, you know, that process is going to take several years at a minimum if they're really booking it.

[00:05:08] Right, right. So keep, keep that in mind when thinking about when they might possibly do that.

[00:05:15] Not next week, I'll tell you that.

[00:05:16] And we'll even talk about this a little bit further, but they have organizational defined values as well.

[00:05:21] And the newest version of the 171, which allows organizations to kind of define it.

[00:05:27] The DOD kind of helps set a precedence there as well.

[00:05:30] So, I mean, there's really a lot to be thankful for that the DOD could kind of lay that to rest.

[00:05:35] So we know that we're, we're zeroing in on rev two and that's what we're going to stay with for at least a few years.

[00:05:40] And then, you know, mileage may vary after that. We'll see.

[00:05:43] Right. Yes.

[00:05:45] So let's now talk, let's go into assessments.

[00:05:48] Okay. Self-assessments and certification.

[00:05:51] So something that is important to discuss, which Bobby and I were just talking about this before recording, which was the level one self-assessments are still required to submit an SPRS score.

[00:06:07] Right.

[00:06:07] So they don't just get it.

[00:06:10] They just don't get to just personally publish whatever they want and say whatever they want.

[00:06:16] I do feel like there was a little bit, some people were confused about, oh, so they're just going to self-assess and say whatever they want kind of thing.

[00:06:24] I mean, in some ways it's not, it's definitely not as serious as a certification itself and going through a C3PAO, you know, assessment.

[00:06:34] But they are still required to do very specific things and it lays it all out in the ruling.

[00:06:40] Right.

[00:06:41] Yeah.

[00:06:41] Because the organizations, when they were basically saying you had to self-assess, that's how we sort of got into this situation.

[00:06:50] Yeah.

[00:06:51] They came out with the DFARS requirement 7012 that says that organizations have to comply with all of the NIST 800-171 standards that the CMMC ecosystem is built around.

[00:07:03] And they said, hey, this is the standard you got to line up with.

[00:07:06] And everybody said, we got this.

[00:07:07] We can self-assess.

[00:07:08] This is going to be great.

[00:07:10] And then, you know, the DOD's high-fiving each other.

[00:07:12] They're like, we did this, man.

[00:07:13] We crushed this problem.

[00:07:14] And then when the IG reports start coming out and they're like, no one's doing it, they're like, okay, this has got to stop.

[00:07:21] The DOD took their toys and left.

[00:07:23] They came back with CMMC and said, here's what you got.

[00:07:26] And so now we all have to adhere to this CMMC standard.

[00:07:29] And as you notice, by not by accident, even the things that are self-assessed, you still have to attest.

[00:07:36] And you have to submit some evidence to prove that you're doing that in your SPRS scores as far as in like details of what you did, who did it,

[00:07:44] what times you did it, what your score was, the status of your score.

[00:07:48] Then you're supposed to keep that information for six years.

[00:07:51] And if they come knocking and you don't have it and you lied, you specifically misled the government.

[00:07:57] And they love it when you do that.

[00:07:59] They just throw their head back and laugh and just say, this is great.

[00:08:02] You guys, you're such jokesters.

[00:08:05] Yeah, they don't like that very much.

[00:08:07] You don't like that very much.

[00:08:08] And that's what I was saying about the fact that it's a bit of a cobra is in the past when it had to deal with self-assessments,

[00:08:14] everybody just said, yeah, we're good.

[00:08:16] But we're good ain't going to cut it.

[00:08:18] Every year, no matter what version you're at, whether it's level one or level two or even level three,

[00:08:25] each year, even if you got assessed fully, each year you have to attest where you're at.

[00:08:31] You have to upload that SPRS score.

[00:08:32] So, and then keep that evidence for how long, Kaleigh?

[00:08:36] Six years.

[00:08:38] So it ain't a short, get that folder structure ready and make sure you got it because, you know,

[00:08:43] it's like the IRS when they're like, hey, show me your receipts.

[00:08:46] You're like, dang it, don't have them.

[00:08:48] And they're like, that's so funny.

[00:08:49] All of these, you know, all these things, they just kind of draw a line right through it.

[00:08:55] Right.

[00:08:55] So that's going to happen.

[00:08:56] So you've got to keep your receipts for what you're doing.

[00:08:59] They're not joking around.

[00:09:00] And you best believe they're going to be auditing and checking people because they know how

[00:09:03] this game has been played in the past.

[00:09:05] And they are going to make some examples of people who do not take it serious.

[00:09:08] You know, Kaleigh, maybe you can throw up the post that I did on LinkedIn, but we used

[00:09:11] Admiral Ackbar about that one.

[00:09:14] I'll let you, anyone else who was like, what is he talking about?

[00:09:16] Just go click the link.

[00:09:17] It was kind of funny.

[00:09:18] Yes.

[00:09:18] I love it.

[00:09:19] I actually was just about to bring that up with level two self-assessments.

[00:09:23] Okay.

[00:09:23] Is the same kind of, right.

[00:09:25] This is the same vibe.

[00:09:26] Level one, I think it's like set 15 or 17 practices.

[00:09:30] And then of course the, the level two is going to be the 110 practices that you have to adhere

[00:09:35] to.

[00:09:36] And then on top of that, if you're doing level three, there's an additional 24 controls that

[00:09:41] are added and they're not actually even full controls.

[00:09:44] There's even sub objectives that they're adding.

[00:09:46] So they're not even full controls that they've added, which is very interesting.

[00:09:48] Yep.

[00:09:49] Yep.

[00:09:50] So, um, I mean, we're going to talk about this a little bit more, but, um, self-assessments

[00:09:56] do not include POAMs, right?

[00:09:59] Because those are actually, they do, they do.

[00:10:02] Yeah.

[00:10:02] They'll have the POAMs like, but you have to, it's an interesting process.

[00:10:07] You, you assess yourself and you can literally fail yourself.

[00:10:11] So, so you have to go through the same process with the self-assessment as you would being assessed

[00:10:16] by an organization and that's another kind of a kick in the head because a lot of companies

[00:10:21] don't have that level of knowledge.

[00:10:23] So when they just go to assess their self, they're like, Hey, Hey Fred, did we do?

[00:10:26] Yeah, we got right.

[00:10:27] Yeah.

[00:10:27] Okay.

[00:10:27] And yeah, yeah.

[00:10:28] And they're just checking stuff off.

[00:10:29] Right.

[00:10:30] Um, but that's not how it goes.

[00:10:31] There's a process that you have to do.

[00:10:33] You have to have a body of evidence to validate that you have that you have certain controls will

[00:10:37] be a fail.

[00:10:38] And if it's a self-assessment on a level two, you technically can fail yourself and then you

[00:10:44] would then have to revoke your own ability to participate in those because you are not

[00:10:49] at a stage and they're, they're trusting you to do it the right way.

[00:10:52] And if you do say that you have, uh, failed the perfect controls that you can still do a

[00:10:59] POAM, which is what you're talking about.

[00:11:00] Then you can, you have a hundred and a what?

[00:11:03] 120 days, 80, 180 days, 180 days to, to get those completed.

[00:11:09] And if you don't, then you still have to fail yourself.

[00:11:11] Right.

[00:11:12] So it's like you're holding yourself accountable.

[00:11:14] Just people are always great at holding themselves accountable.

[00:11:17] So I see no problem at that.

[00:11:19] Oh, no, no, no, no.

[00:11:19] There's no problem.

[00:11:20] I see.

[00:11:20] Yeah.

[00:11:21] It'll go perfectly.

[00:11:22] Um, but I only saw these things and you can correct me if I'm wrong.

[00:11:25] I only saw discussion about the POAMs and failing yourself in the level two self-assessments.

[00:11:31] Are there, are they also in level one self-assessments or?

[00:11:35] Oh man, I didn't really pay as much attention to that.

[00:11:37] I was more focused on level two because we just don't really engage specifically with

[00:11:41] clients at level one.

[00:11:43] We're like, okay, I'll look back and confirm that on the screen now that they have it there.

[00:11:47] But I'm not sure.

[00:11:48] Yeah.

[00:11:48] But I thought that was interesting.

[00:11:49] I didn't notice the POAM closeouts in the level one section.

[00:11:53] I only noticed them in level two self-assessments.

[00:11:56] So I wasn't paying attention.

[00:11:57] There's so much to go through.

[00:12:00] Yeah.

[00:12:00] So there is a lot.

[00:12:01] So while we're talking about POAMs, I think there is a connection between a few things,

[00:12:08] um, in regards to POAMs, we talk about, so let me just list these, these four titles.

[00:12:14] So POAMs, um, enduring exceptions, operational plan of actions and temporary deficiencies.

[00:12:24] Okay.

[00:12:24] We're going to, we're, we're going to connect all of these because, um, cause they, they

[00:12:29] do discuss each other, um, throughout this ruling.

[00:12:32] So let's first talk about enduring exceptions.

[00:12:37] Yeah.

[00:12:37] Okay.

[00:12:38] What exactly?

[00:12:39] During exception is, is basically an exception that they've, they've just, it's a new thing

[00:12:43] that they added, which was not in the proposed rule, at least not that I remember.

[00:12:46] Uh, and now it's in the final rule.

[00:12:47] So they, they kind of like surprise here.

[00:12:49] It is.

[00:12:49] Uh, but this enduring is, is a good idea in my opinion, in, in what its intention is

[00:12:55] to try to do is to allow organizations to define themselves things that they, they cannot

[00:13:00] remediate.

[00:13:01] And they give some examples like government issued devices.

[00:13:04] You still have to track them.

[00:13:05] You've got to know how many you have.

[00:13:07] You have to actually have that in your, um, SSP.

[00:13:10] You have to have, you know, track those, even though they're government issued systems,

[00:13:14] but you would have an enduring exception because you can't apply your own practices.

[00:13:19] That's their government system.

[00:13:21] And so they just, what they're trying to do, and you'll see this in some of the other ones

[00:13:26] is just really have better information in the system security plan.

[00:13:29] So when auditors talking with you, those are some of the things that they're immediately

[00:13:33] going to go right to that section and go, okay, how many enduring exceptions do they

[00:13:36] have?

[00:13:37] How many, you know, um, um, uh, what is it?

[00:13:42] Deficiency, uh, temporary deficiencies or, you know, operational plan of actions or POAMs

[00:13:47] that those are the things that they're going to want to hit right off the bat, especially

[00:13:50] in your phase one to get a general idea of where you're at, because some of those would

[00:13:54] be based on how you do it as well as the look at your scoping.

[00:13:57] And they could kind of go, I don't think we can go to phase two because you've got some

[00:14:01] problems with some of these things.

[00:14:02] And they clearly explain that, that these, the, and they do gave examples, which I will

[00:14:07] list on the screen, but enduring exceptions, um, like no operational plan of action is required.

[00:14:15] Um, so, so those are not the same, the same kind of thing.

[00:14:19] Um, and so let's talk, let's talk about what an operational plan of action is.

[00:14:25] And what do we say we are?

[00:14:27] OPA.

[00:14:28] OPA.

[00:14:29] Are you starting that now?

[00:14:30] I'm starting it.

[00:14:31] You heard it here first.

[00:14:32] Okay, well, here we go.

[00:14:33] Yeah.

[00:14:34] And we're going to get some, watch us get hate for that.

[00:14:37] And they're like, you can't say that, you know?

[00:14:40] So, and I was like, I'm saying it personally.

[00:14:43] I mean, if you watched like the movie, My Big Fat Greek Wedding, you know, I love that movie.

[00:14:46] It's so great.

[00:14:47] And they do it all the time when they're doing the dance.

[00:14:48] And so when I read this, I was like, that's Opa, like Opa, you know, because, uh, you know,

[00:14:53] operational plan of actions, what they did is they separated POAMs from OPA, you know,

[00:14:59] the operational plan of actions, because what they're trying to do is to put, um, those

[00:15:03] things in separate buckets.

[00:15:05] And so plan of actions are really things that are coming out of your audit and they have a

[00:15:11] deadline on how you've got to get them done.

[00:15:13] Like you've got to get them done that 180 days.

[00:15:14] So anything that's going on, that is because of the fact that you are not ready to be, you're

[00:15:19] not, you're not really technically able to do your, your compliance at the level you need

[00:15:24] to.

[00:15:24] So you've got that deadline to get it done.

[00:15:26] And that gets happened or that gets done to you when you get assessed.

[00:15:30] So you're not do, you're not just throwing stuff all the time on your plan of action,

[00:15:33] which is how people have traditionally been doing it.

[00:15:35] So they separated that out.

[00:15:37] Then you have the operational plan of actions.

[00:15:39] And those are the things that you're going to be doing those kinds of things to like,

[00:15:42] oh my gosh, there's this new update that came out.

[00:15:44] We need to figure out how we're gonna do it.

[00:15:46] It could be that maybe the vendor has an update and you don't know when they're going to release

[00:15:51] it.

[00:15:52] So there's no timeframe on the OPA, you know, on the operational plan of action.

[00:15:57] So it could be six months.

[00:16:00] It's however long that vendor is going to take to come back with that patch or adjustment,

[00:16:05] or it could just be a system change of things that you're trying to do to help make the system

[00:16:09] harder or more designed, but it's not to align your system with controls that you never did.

[00:16:15] That would be a POAM.

[00:16:17] That would be something that would be, you know, a deficiency that would have been found

[00:16:21] during your audit.

[00:16:22] The POAMs are just the continued process of maintaining and keeping your system up and

[00:16:26] going.

[00:16:27] Mm-hmm.

[00:16:28] Mm-hmm.

[00:16:28] So just to confirm, POAMs do have, are required to complete within 180 days, but the OPAs,

[00:16:41] operational plan of actions, do not have a timeline.

[00:16:44] So, right.

[00:16:45] And they even used like FIPS as an example for that.

[00:16:48] So you, you have a Windows 11 system and you're running and it's not FIPS validated and you've

[00:16:55] got a choice.

[00:16:55] You can either be compliant or you can be secure.

[00:16:58] And in that situation, you would put that as a operational plan of action.

[00:17:02] So you're, you're pretty much guaranteed to at least have a few operational plan of actions

[00:17:06] because nobody is, you know, if you're, is running Windows on a FIPS validated compliant,

[00:17:12] because if you are, that is not a supported version of the operating system by Windows at

[00:17:17] the time of this recording.

[00:17:19] Mm-hmm.

[00:17:19] Mm-hmm.

[00:17:20] So let's now talk about temporary deficiencies.

[00:17:25] Okay.

[00:17:25] Because we do, because they talk about, they talk about FIPS there as well.

[00:17:31] So this is just a good segue.

[00:17:33] Which I'll have the definition here on the screen.

[00:17:37] But let's talk a little bit more about what those are compared to what we've already discussed.

[00:17:44] So here it says temporary deficiencies means a condition where remediation of a discovered

[00:17:52] deficiency is feasible and a known fix is available or is in process.

[00:17:57] The deficiency must be documented in an operational plan of action.

[00:18:02] And that's where it comes back in.

[00:18:04] I told you guys these were connected.

[00:18:05] Hello, here they are.

[00:18:07] So, so that FIPS example that I listed is the reason why it's going to show up in FIPS is

[00:18:11] because it's going to come in from your temporary deficiency.

[00:18:14] Your temporary deficiency is going to say, I can't do FIPS on this Windows 11 version because

[00:18:19] I'm using the latest version, which is not FIPS validated.

[00:18:22] So it's going to go into your operational plan of action, which has got like a dot, dot,

[00:18:26] dot, and you're not going to be able to get it done until they have it.

[00:18:29] And you just move on because that's just kind of how it is.

[00:18:32] Mm-hmm.

[00:18:33] And again, emphasizing there's no standard duration for this temporary deficiency.

[00:18:40] It's interesting.

[00:18:41] I think it makes sense.

[00:18:42] And granted, this is the way that I read it.

[00:18:46] You know, maybe if you ask me in four months, I might have a different opinion about how

[00:18:49] this all connects together.

[00:18:51] So please don't come at me if you have a different opinion about how this connects.

[00:18:54] But this is just the way that we've read it, interpreted it.

[00:18:57] And everybody's figuring out this together.

[00:18:59] But I think those are really important things for you to dive into and really have a better

[00:19:03] understanding.

[00:19:04] Absolutely.

[00:19:05] I think when you see so much connection between things like this, it's very critical to pay

[00:19:11] attention to it because I do feel like, you know, that it's a trap sort of situation comes

[00:19:18] into play with these scenarios.

[00:19:19] Sure.

[00:19:21] And that's why I wanted to bring up these four things all in order and all connected

[00:19:26] because they do mention each other throughout.

[00:19:29] And let's make sure that you don't label something incorrectly in your environment that can come

[00:19:35] back and bite you in the butt later.

[00:19:37] Right?

[00:19:38] Yeah.

[00:19:38] And it's just sometimes it's the simple little things that can kind of get you in an audit.

[00:19:43] And if maybe the way that you're approaching this isn't the way that the auditor is going

[00:19:47] to see it, you could have every good intention and just drive right off the cliff, not even

[00:19:51] knowing it.

[00:19:52] So these types of things, don't take our word for gospel, really dive into it more.

[00:19:56] Talk with your assessment organizations that you know, talk with your auditors or CCAs

[00:20:03] or CCPs or other implementers that just want to talk with them, have a better understanding

[00:20:07] because you definitely, this is very foundational about how you kind of have your operating system

[00:20:12] working.

[00:20:12] And I'm not meaning Windows operating system.

[00:20:15] I'm saying like the operating environment that you, you have for your CMMC compliance,

[00:20:20] like the whole, the whole system, you know, your system information.

[00:20:24] You want to make sure that that's all working the right way.

[00:20:26] Yes.

[00:20:27] Okay.

[00:20:27] So let's, let's switch gears and let's talk about CSPs and ESPs.

[00:20:33] Okay.

[00:20:33] First, first I want to talk about CSPs.

[00:20:39] Okay.

[00:20:39] Okay.

[00:20:40] Let's talk about the big differences that we noticed here.

[00:20:45] There was a difference between CSPs that transmit and, and have CUI in their environment.

[00:20:57] Right.

[00:20:58] And, and then ones that do not.

[00:21:00] Let's talk a little bit about how you can define that.

[00:21:03] Um, I think Karen Stanford did a good job of, we had her on our podcast, which I don't

[00:21:08] know if this episode will have come out by the time you're watching this one, but we asked

[00:21:12] her that same question, you know, how do you define the difference between a CSP and

[00:21:16] an ESP?

[00:21:17] And she said something I thought was really prescient about it.

[00:21:19] She's like the biggest difference that a lot of times people will try to lean on is the fact

[00:21:24] that if it's a CSP, the way that you can sort of define that is, is like, do you have a contract

[00:21:30] with them?

[00:21:31] That's based on the relationship that you have.

[00:21:33] Right.

[00:21:33] In other words, I'm going to do a SIEM solution for this client.

[00:21:38] Right.

[00:21:38] And I, I'm providing that service to them and I'll have a contract with the client and we

[00:21:43] have a relationship and we've, you know, we talk, I send you the agreement, you look it

[00:21:48] over and you sign it.

[00:21:50] And then that's more of an ESP engagement, right?

[00:21:52] That's me connecting with you and the requirements for, for DFARS could potentially flow down

[00:21:58] because we're having that relationship and engagement and we're talking.

[00:22:01] But if it's a cloud provider like Microsoft, you can sign up, you can put your credit card

[00:22:06] in.

[00:22:06] I didn't talk to, you know, Bill Gates to have a conversation about how this is going to go.

[00:22:12] Like I'm just subscribing and I'm ingesting it.

[00:22:15] And it's like, I'm, I'm ingesting a product at that point.

[00:22:18] Right.

[00:22:18] That's really, you're, you're talking about a CSP engagement.

[00:22:21] So it's more of like, it's a solution that you're providing with no real relationship and

[00:22:25] you don't have a real contractual agreement that is relationship driven.

[00:22:30] It's more of like large scale consumption driven.

[00:22:34] And that's where you start to see those differences.

[00:22:36] At least that's my opinion.

[00:22:37] I agreed with how Karen kind of did that.

[00:22:40] So, so when we're talking about a CSP, a cloud service provider, right?

[00:22:47] There is a, there is a difference when we're talking about, well, we'll, we'll talk about

[00:22:53] FedRAMP, right?

[00:22:55] The FedRAMP requirements.

[00:22:57] Okay.

[00:22:57] Specifically based on if CUI is in the environment or not.

[00:23:03] Am I correct about that?

[00:23:04] Yeah.

[00:23:04] Yeah.

[00:23:05] So let's talk about that.

[00:23:06] So that's the reason why I kind of started with determining whether you're an ESP or a CSP

[00:23:11] is you really kind of have to understand where you fall there first and you have to have a

[00:23:15] defensible position for a defensible position on that.

[00:23:18] Yeah.

[00:23:19] But let's say that you are clearly in the CSP side and you're processing controlled unclassified

[00:23:24] information.

[00:23:25] In that situation, you're going to fall under the FedRAMP requirements.

[00:23:28] So you're going to have to have either equivalency or actually be FedRAMP high or moderate.

[00:23:34] Mm-hmm.

[00:23:35] And now if you are an ESP, like a managed service provider or an MSSP, if you're handling

[00:23:41] controlled unclassified information, then you just have to get level two certified.

[00:23:46] Mm-hmm.

[00:23:47] At least that's the way the chart breaks down.

[00:23:48] So that's why it's really important for you to feel like you clearly know where you fall

[00:23:52] in that chart.

[00:23:53] Because the chart does a pretty good job of defining what you have to do, but you've got

[00:23:57] to know where you are on that chart.

[00:23:59] Mm-hmm.

[00:23:59] And that's where it gets a little confusing.

[00:24:02] Yeah.

[00:24:02] Yeah.

[00:24:03] The chart list, I'll put it up here.

[00:24:05] It has a CSP and then not a CSP, which not a CSP is an ESP.

[00:24:14] That's how I would probably take it.

[00:24:15] Okay.

[00:24:16] Okay.

[00:24:16] Yeah.

[00:24:17] I think they were just kind of leaving it open to interpretation on purpose.

[00:24:20] Right.

[00:24:21] If for some reason they missed somebody or something.

[00:24:23] Yeah.

[00:24:23] I guess.

[00:24:24] So the thing that a bunch of people have been talking about is that it doesn't necessarily

[00:24:32] state that an ESP is required to get level two certified.

[00:24:40] Right.

[00:24:41] Right.

[00:24:41] But they will be pulled in to their OSA's assessments.

[00:24:49] Yeah.

[00:24:49] It is the controlled unclassified that is determining that fact of whether you have to get FedRAMPed

[00:24:56] or not.

[00:24:58] One of the problems that a lot of people didn't know about, and if you've been living under

[00:25:02] a rock a little bit, you didn't know about this thing called security protection data,

[00:25:05] which basically it's a type of data that a lot of times managed service providers like ourselves

[00:25:09] or SIEM solutions where they're doing log aggregation of things.

[00:25:13] When they're ingesting a lot of very sensitive information about that company that could be used by a threat

[00:25:19] actor to exploit them, but it's not given to you by the government.

[00:25:23] In other words, it's not controlled information.

[00:25:25] It's not plans for the Death Star or a base or anything of that nature.

[00:25:29] It's just log information or protection information that you use about like the patch level of the

[00:25:35] machines.

[00:25:36] That type of data is what they refer to as security protection data.

[00:25:39] And a lot of organizations like myself collect that as you're working with them because you have to know

[00:25:45] what version is the machine at so we can patch it and those types of things.

[00:25:48] That information is critical to have so that we can do our jobs, but it's also dangerous information

[00:25:53] that if it gets in the wrong hands could be used to exploit the contractors.

[00:25:58] So they have that on the chart.

[00:26:00] That's what you see that SPD about.

[00:26:01] And what it's doing is saying, hey, if you're even a cloud provider and you're ingesting it,

[00:26:07] that's where people started to go, oh my gosh.

[00:26:09] I think the way that we're reading this is if I'm a cloud service provider, all right,

[00:26:13] but I'm not handling controlled unclassified information, I can still take that sensitive data and I won't

[00:26:20] have to get FedRAMPed.

[00:26:21] And so that kind of achievement unlocked for cloud providers that are like SIEM solutions,

[00:26:25] if they're not ingesting controlled unclassified information, they could be used in an ecosystem

[00:26:32] that is going to be CMMC Level 2.

[00:26:34] It's possible to do that.

[00:26:36] It's just in the chart, it says, bring your A game.

[00:26:39] It doesn't say it exactly like that, but it says bring your A game in providing evidence

[00:26:44] that helps them understand your compliance level.

[00:26:47] And you have to, the auditor is going to assess that solution or vendor based on all applicable

[00:26:53] controls.

[00:26:54] So if it's touching specific things, they want to know what it's doing, validate it and all

[00:26:58] that kind of stuff.

[00:26:59] So they're going to get really involved in that.

[00:27:00] We're going to talk about that more in a future podcast.

[00:27:03] Yes.

[00:27:03] Yes, we will.

[00:27:04] Because there is a lot of connection to what falls on the OSA, right?

[00:27:10] Which there is a lot.

[00:27:12] There is a lot that falls on, if you're listening to this and you are one of those, there's a

[00:27:18] lot that falls on you with picking this person, laying out, you know, your connection between

[00:27:24] that.

[00:27:25] But there also is, and this is where I wanted to get into just a little bit.

[00:27:29] There's some opportunities for an ESP in this situation to help out their OSA, right?

[00:27:38] For sure.

[00:27:38] And you want to.

[00:27:39] I would hope.

[00:27:40] I would really hope that you wouldn't want to, but there are such things as, and let me

[00:27:48] go specifically to this.

[00:27:50] So inheritance, right, is the word that we were discussing before.

[00:27:55] And they talk about this.

[00:27:57] Can you go ahead and discuss, since we're talking about ESPs and CSPs, what inheritance

[00:28:04] is?

[00:28:05] Yeah, it's a critical aspect of CMMC and you really need to understand it before you start

[00:28:10] playing with it.

[00:28:11] It's like, you know, Mercury, you know, you can be like, it's so pretty, it's cool.

[00:28:14] And then you're like, oh, it's giving me poison.

[00:28:15] I'm dying.

[00:28:16] I don't like that.

[00:28:17] You know, you, you've got to think about inheritance from a very healthy perspective because you

[00:28:22] can't just throw it around willy nilly that you have to really think about what you, and

[00:28:27] you can sometimes inherit and sometimes you cannot, and don't assume either you really

[00:28:32] need to know in your bones.

[00:28:33] So inheritance is allowing you as an organization getting assessed that you can pull in.

[00:28:40] Because they're a known good.

[00:28:42] An example of that would be FedRAMP, right?

[00:28:44] So let's say that I am using Microsoft GCC.

[00:28:48] It has an ATO.

[00:28:49] It is FedRAMP approved.

[00:28:51] And it is 100, you know, you can go to the FedRAMP marketplace and you can look at it.

[00:28:55] You can get the package and you can bring that in.

[00:28:57] And so then when you're using the GCC environment with your environment, you can say, hey, I don't

[00:29:03] have to worry about the facilities of where my CUI is stored because we're only keeping it.

[00:29:08] Let's just say you're only keeping it in the GCC high cloud that they provide for you.

[00:29:12] You can inherit the physical infrastructure that GCC is providing for you because they've

[00:29:19] got data centers and they have all these requirements they've got to go.

[00:29:22] You can inherit that.

[00:29:23] That's cool.

[00:29:24] They'll let you do that.

[00:29:25] You can't inherit everything, but you can inherit some things.

[00:29:28] And so that's where that inheritance responsibility comes in is you can do that.

[00:29:33] And so that's important.

[00:29:34] But you can't inherit just a cloud provider that says, hey, I've got an ISO certification,

[00:29:42] you know, 27001 for our stuff.

[00:29:44] We know what we're doing.

[00:29:45] We're super secure.

[00:29:45] That means nothing to an auditor.

[00:29:47] You can't inherit that.

[00:29:48] So you've got to be ready to prove it.

[00:29:49] So it's a different type of relationship.

[00:29:52] And then it's the same thing for CSPs that are, you know, like, or for MSPs that are level

[00:29:57] two certified.

[00:29:58] So like for us, we're going to get certified in January and then our clients can inherit

[00:30:04] directly from us like they would for Microsoft because the fact that we have our level two

[00:30:09] certification.

[00:30:10] So you can also inherit from someone that has been validated from a level two certification.

[00:30:15] And there's a process about that, which we'll talk about in the other podcast.

[00:30:18] Yes.

[00:30:18] And just like how you were saying previously, you know, you could be asking, okay, but

[00:30:24] what happens if my MSP is not certified?

[00:30:27] Do I inherit bad vibes?

[00:30:29] Right.

[00:30:29] They open that door.

[00:30:31] It's really interesting.

[00:30:32] Yeah.

[00:30:32] Yeah.

[00:30:33] So we'll talk more about that specifically in that podcast.

[00:30:36] Well, I do want to touch on it.

[00:30:37] So just to kind of, you know, spoiler alert, MSPs are no longer required to have parity with who

[00:30:43] they're supporting.

[00:30:43] So if I'm supporting an organization that is level two, I don't have to me personally be

[00:30:49] level two certified.

[00:30:50] That's different than what it was previously.

[00:30:53] Yeah.

[00:30:53] The way that it was written before, like we had to match the level that they were at.

[00:30:57] Yeah.

[00:30:58] Equal to or more.

[00:30:59] Right.

[00:30:59] Right.

[00:30:59] So I could now support as just a normal MSP, somebody who's doing CMMC.

[00:31:05] The problem is they can't inherit anything from you.

[00:31:08] Okay.

[00:31:08] So you've got to, the company that's using them has to really think about themselves.

[00:31:13] Like, have they been assessed before?

[00:31:15] Do I know where they're at?

[00:31:17] What assurances do I have that they're doing it right?

[00:31:20] And you don't want to find that out in your audit because you failed because they don't

[00:31:24] have their stuff together.

[00:31:26] And so those are things that you really have to think about.

[00:31:28] Uh, but you know, maybe that organization only has two, two or three companies that

[00:31:34] do DOD work and they just want to continue to have that client and work with them.

[00:31:38] But it's no joke, man.

[00:31:40] I mean, they got to know what they're doing.

[00:31:42] It's not something you can YOLO.

[00:31:43] Oh yeah, absolutely.

[00:31:45] Yeah.

[00:31:46] So we'll get into the, the thoughts we have behind that too.

[00:31:50] Yeah.

[00:31:51] Um, specifically in the MSP, how it affects MSPs, right?

[00:31:54] Because they, they still very clearly can get pulled in and most likely will for things.

[00:32:00] So let's talk about it.

[00:32:01] You could use either.

[00:32:02] And there's some strategies on how to do that.

[00:32:03] And we'll go into that.

[00:32:05] We're going to be doing it from the perspective of, you know, you're an organization, um, you're

[00:32:08] an MSP, you know, how do you navigate this?

[00:32:10] Which path should you pick?

[00:32:11] So we're going to really try to put ourselves in the MSP and try to understand that.

[00:32:15] But it'd also be really valuable for someone who's picking an MSP to understand the challenges

[00:32:19] that they're having to go through.

[00:32:20] Yes, totally.

[00:32:21] So let's, um, let's talk a little bit about, um, security protection assets because specifically

[00:32:30] we did not have a lot of information on this topic.

[00:32:33] Right.

[00:32:33] And now we have more, um, of a definition or a better defined thing.

[00:32:39] They did, they did have, you know, scoping guides.

[00:32:41] They talked about it and they provided it.

[00:32:42] It's just the CMMC ecosystem, the DIB, uh, we're just really good at like, what about this?

[00:32:50] What about this?

[00:32:51] You know, what if the guy shows up with a bazooka, you know, and you're like, who has

[00:32:55] a bazooka?

[00:32:56] You know, you're just like, you know, you're like trying to plan.

[00:32:59] Well, what if a meteor comes down?

[00:33:01] Do I have a shield?

[00:33:02] You know, and you're like, uh, should we be defining how we define a defense against,

[00:33:06] you know, meteors?

[00:33:07] Uh, but people were really concerned, especially with the proposed rule about security protection

[00:33:13] assets.

[00:33:13] And so one of the things that's really important in the scoping, so you, you sit down and you're

[00:33:17] like, Hey, I want to, I want to figure out how I'm going to do this whole CMMC thing.

[00:33:22] And the first thing that you really need to do is think about scoping.

[00:33:25] And what that basically means is what is going to be in the scope of the assessment.

[00:33:31] And then the guide, they give you, uh, asset types that you can categorize things.

[00:33:36] So you have to define, and if it's going to be in scope, you're going to have to define

[00:33:40] what it is.

[00:33:41] Yeah.

[00:33:41] Is it a security protection data?

[00:33:43] Is it a controlled unclassified asset?

[00:33:46] You know, is it a CRMA?

[00:33:49] Is it a specialized asset?

[00:33:50] There's just these different categories.

[00:33:52] We're not going to go into a lot of that detail today, but in the 32 CFR, what they basically

[00:33:57] did is they just did a better definition of what a security protection asset is.

[00:34:02] This was one of the asset categories that really confused me because there was a lot of differentiation

[00:34:07] between how deep do you go on these assets and what would be an example of one.

[00:34:12] So an example would be like your domain controller, right?

[00:34:15] It is a security protection asset.

[00:34:17] Its job is to help enforce the security and the policies that you have defined to all

[00:34:22] of your devices or assets that are going to have controlled unclassified information on it.

[00:34:27] So your AD domain controller is going to push to all your file servers that might have the

[00:34:32] controlled unclassified information or the workstations that are going to be talking to it.

[00:34:36] It's going to push all the policies, the baselines and the other things.

[00:34:40] It's going to push that.

[00:34:40] So they consider that a security protection asset because you're not putting controlled

[00:34:45] unclassified information on the domain controller.

[00:34:47] You're just using that domain controller to enforce the policies and the security, hence

[00:34:52] the security protection asset and that asset definition.

[00:34:55] But what people didn't know is they were like, how deep do I go on these?

[00:35:00] Because also something that's defined as security protection asset is a firewall or a switch,

[00:35:06] because those are enforcing the switching boundaries.

[00:35:09] And you can't do a background check on a firewall, right?

[00:35:14] You can't, you know, do, you know, any type of other additional administrative procedures

[00:35:21] on some of these devices.

[00:35:22] They're devices.

[00:35:23] They're not people.

[00:35:24] You can't apply all, you know, 110 practices, 320 of the assessment objectives against those different

[00:35:29] types of assets.

[00:35:30] So where's the line?

[00:35:31] So they just wrote it out a lot better to basically say that you just apply all the security

[00:35:38] practices on these assets that make sense.

[00:35:41] And that makes sense.

[00:35:42] But you would be surprised how difficult that was for people to really feel like they could

[00:35:48] lean on that.

[00:35:49] And that just provided that necessary firm ground I think people were looking for on that.

[00:35:54] Right.

[00:35:55] That was a lot of words.

[00:35:56] Sorry.

[00:35:56] No, no, no.

[00:35:57] But that makes sense.

[00:35:58] I mean, that like scoping is critical.

[00:36:01] Yeah.

[00:36:01] You know, you really like if this is your first diving into this, you can take this from

[00:36:07] me because I am not a CCP.

[00:36:10] I'm not a CCA.

[00:36:11] I'm just somebody that's that's in my organization that's trying to better understand what this

[00:36:16] is from outside looking in.

[00:36:19] And like if you don't understand scoping and security protection assets, you know, that's

[00:36:26] that's kind of like a base for all of this.

[00:36:28] And it could really screw you up.

[00:36:30] And also, you know, you need to know even if somebody is doing this for you, like helping

[00:36:35] you as like an outside source, like you want to make sure that they're doing it correctly

[00:36:39] as well.

[00:36:40] So even if you're not doing this, like physically, you need to understand it.

[00:36:48] So if you have not looked into the scoping, the CMMC scoping and what the definitions for

[00:36:55] those are and what that means, I would really recommend for you as a business owner or whoever's

[00:37:01] listening to this for your organization to look into that and better understand what that

[00:37:06] is and how it works.

[00:37:08] Yeah.

[00:37:09] Yeah.

[00:37:09] And because Amira did a good job.

[00:37:10] We had a video with her.

[00:37:11] I think it was a two part series.

[00:37:13] Yeah, she does a great.

[00:37:14] She broke out with paint and talked about like you could watch that video that Amira did with

[00:37:19] us.

[00:37:19] Oh, that's a great idea.

[00:37:20] Is good.

[00:37:20] And then read the scoping guide.

[00:37:22] It's not very long.

[00:37:22] I think it's like maybe 20 pages or something like that.

[00:37:25] Yeah.

[00:37:25] It's not a very long.

[00:37:26] I could be totally off on that, but it's not a very long document, the scoping one.

[00:37:29] And so you can kind of look at the assets.

[00:37:31] You can kind of look about what they're talking about and just have a general idea because

[00:37:34] that's literally a foundation.

[00:37:36] So everything builds off of that.

[00:37:38] And if you've got your scope wrong or your foundational, your categories that you're

[00:37:42] picking for your assets, it's a bad day.

[00:37:45] It's a very bad day.

[00:37:45] It's a bad couple of months after that.

[00:37:50] Okay.

[00:37:50] Last thing I want to talk about just really quickly.

[00:37:53] I want to go over some of the different things that we've learned about CCP, CCAs and CCIs.

[00:38:01] Okay.

[00:38:01] That's the last thing.

[00:38:02] And again, this is going to go into more of the certification world, right?

[00:38:10] So we're switching gears just a little bit, but I do feel like this is very important because

[00:38:14] there are some changes that occurred.

[00:38:18] So let's talk first about CCPs.

[00:38:21] You want to cover that?

[00:38:22] Yeah.

[00:38:23] So CCPs, they are professionals, right?

[00:38:28] They are now required to complete a tier three background check.

[00:38:34] Now I'm going to put on the screen, I need to look that up to see exactly if they have a

[00:38:38] better understanding of how long that will take, but it's not a short period of time, right?

[00:38:43] Oh, yeah.

[00:38:44] So that's something that you need to understand if you are a CCP or you want somebody to be

[00:38:52] certified in that.

[00:38:53] And they're talking that if when this thing goes live and-

[00:38:57] And you haven't completed that background check.

[00:38:59] And you haven't completed, you're going to be marked as a deactivator, some term.

[00:39:04] Like they'll just flip you.

[00:39:05] So my CCP, I don't think I have a T3.

[00:39:07] I have to go back and look.

[00:39:08] I mean, it's a pretty big deal.

[00:39:10] So I can't imagine that I, but it could be surprising sometimes how I can overlook things

[00:39:14] because I got my CCP like, you know, when it was first coming out.

[00:39:18] So it was a while ago.

[00:39:18] So I don't think I have my T3.

[00:39:20] I have to go back and look just to double check.

[00:39:21] But then that's going to be like months, six, I've heard six to eight months sometimes for

[00:39:25] people to get it.

[00:39:27] Holy moly.

[00:39:27] And so like, that means I won't have a valid CCP for almost a year, you know?

[00:39:33] So we're going to have to try to dig into that and see if I can get mine.

[00:39:38] So then CCAs, it's also important to note, let's just talk for a second about an assessment

[00:39:47] team, a required assessment team, right?

[00:39:50] So they have stated in this ruling that you must have two CCAs, but specifically you need

[00:39:57] a lead, right?

[00:39:58] You need at least one lead assessor.

[00:40:01] And then you could either have another lead assessor or just a regular CCA.

[00:40:07] But those are two completely different certifications.

[00:40:10] Am I correct when saying that?

[00:40:13] Well, you get CCA certified, so there's no difference in the certification.

[00:40:18] But if you want to be a lead, the requirement is, I mean, I see what you're saying.

[00:40:24] Yes, those are two different certifications from the required certifications before you

[00:40:30] can get CCA certified.

[00:40:32] So, and I'm sure you'll probably put it on the screen at some point.

[00:40:35] But they're like the medium or assurance or the proficiency is what they call it.

[00:40:43] It'd be like, they're like Security+ or other types of certifications you have to have

[00:40:50] before you can be an approved CCA.

[00:40:52] So there's these certain required industry standard certs that you have to have.

[00:40:57] The lead is going to be like a CISSP or CISM, CISM I think is what it is.

[00:41:06] Yes, CISM.

[00:41:07] You're correct.

[00:41:07] Like different ones like that, which are higher, those then you would have to have if you want

[00:41:14] to be a lead.

[00:41:15] Right.

[00:41:17] And CCPs are allowed to participate in assessments, but there is no requirement for a CCP.

[00:41:25] Right.

[00:41:25] Right.

[00:41:26] So I think you explained this really well when saying like, it seems as though to us when

[00:41:33] you're reading this, that CCPs are very helpful to have inside of your organization to better

[00:41:38] understand CMMC, but they are not tied to an assessment in that way.

[00:41:42] Yeah.

[00:41:43] They're making CCPs, I think more monitored and looked at.

[00:41:49] And so it's just up to the C3PAOs to figure out how they want to work CCPs if they do want

[00:41:56] to work them into the ecosystem.

[00:41:58] Because I think so many people are going to get disqualified because the CCAs also have

[00:42:03] the tier three requirement as well.

[00:42:05] So with that being said, I believe there's going to be a ton of people that are probably

[00:42:10] going to get flipped to not optional.

[00:42:13] And so as we're ramping up to start trying to get people certified, they are just going

[00:42:17] to take a big scythe and just go and just cut off a ton of people in the community that

[00:42:22] can help make the ecosystem move forward faster.

[00:42:25] So part of me has to think to myself, they've got to somehow maybe provide some exemptions

[00:42:31] for those people and grandfather them.

[00:42:33] But who knows?

[00:42:34] I would not count on it.

[00:42:35] Okay.

[00:42:35] So the last thing I wanted to talk about before closing is CCIs.

[00:42:40] So they cannot provide consulting services.

[00:42:46] Right.

[00:42:46] Right.

[00:42:47] Let's talk a little bit about what that means and also their connection into assessments.

[00:42:54] Yeah.

[00:42:58] So you have to be careful about the code of professional conduct and conflict of interest.

[00:43:04] Right.

[00:43:04] Right.

[00:43:04] So this is where you're stepping on.

[00:43:06] You need to be careful and just walk that, tread that lightly.

[00:43:11] So they can serve on an assessment team if there is no COC, like the code of professional

[00:43:19] conduct or conflict in there.

[00:43:20] Right.

[00:43:21] So what exactly does that mean?

[00:43:22] Does that mean like if they're the instructor in the class that that person is connected

[00:43:28] to?

[00:43:29] Yeah.

[00:43:29] Like half the people that are being, that are on the organization that's being assessed,

[00:43:34] like if you were their instructor, I think they would frown on that because obviously there's

[00:43:38] a relationship there.

[00:43:39] So that would be frowned upon.

[00:43:41] But, you know, that's something you got to think about.

[00:43:43] That kind of sounds very similar to like C3PAO type things, right?

[00:43:48] Yeah.

[00:43:48] So it's like there's a, there was a, if there was a relationship before, or they were assisting

[00:43:52] you in something, you cannot use them in your audit.

[00:43:56] Right.

[00:43:57] Yeah.

[00:43:58] Like, you know, I think if somebody like Corinne or like Matt Hober, who has probably taught

[00:44:03] between the two of them, a good chunk of the people in the ecosystem, like if they wanted

[00:44:08] to participate in assessments and they've trained a good chunk of them, like, what does that

[00:44:12] mean?

[00:44:12] Can they not do assessments anymore?

[00:44:15] Because they didn't know about that until the rule came out.

[00:44:18] So what about people that have already been training and they've like, like I said, have

[00:44:22] trained half the staff there.

[00:44:23] Are they not going to be able to be able to participate in the assessments?

[00:44:27] Because the, well, the reason why I say that is, is for them, because they've been teaching

[00:44:31] for so long.

[00:44:32] Um, you know, there's a, a decent chance that when you go to assess that one of them that's

[00:44:39] going to be on staff is, uh, might've been a student of theirs.

[00:44:44] So, um, and do they get a break on that and just say, okay, going forward, you can't do

[00:44:48] that.

[00:44:48] You know?

[00:44:49] Yeah.

[00:44:50] I don't know.

[00:44:50] Yeah.

[00:44:50] That's going to be interesting.

[00:44:51] I'd love to hear people's opinions about that in the comments and stuff.

[00:44:55] I mean, I mean, that goes to say, I'd love to hear, you know, everybody's thoughts and

[00:44:59] understandings with each one of these topics that we've discussed.

[00:45:03] Um, you know, if you could, depending on what you're talking about, if you could, um,

[00:45:08] just tag, you know, where we, where we talk about that subject to, um, in the comments,

[00:45:12] that would be so helpful, um, so that we can sort through, um, and know.

[00:45:17] Amira has too.

[00:45:18] Amira has taught a ton of people and she's doing JSVAs and assessments too.

[00:45:22] So like there, you know, there's, there's multiple C3PAOs that have been participating as

[00:45:28] contractors for people like Edwards or other companies in doing, uh, education and like,

[00:45:34] would they, why are they now disqualified from being able to be involved in assessments?

[00:45:38] These are some of the most high level trained and most knowledgeable.

[00:45:42] I mean, if you want, you would want those people to be able to do assessments because

[00:45:46] we need as many of them as we can get.

[00:45:49] So why would we want to disqualify them?

[00:45:51] It's very head scratching.

[00:45:52] And then also they can't consult.

[00:45:54] So that's another thing is, is those people that are doing the, you know, the instruction,

[00:46:00] the training, they cannot do consulting.

[00:46:02] So they can't just be out here teaching people how to do it.

[00:46:06] Um, and then actually go out and try to help implement it.

[00:46:10] Uh, I just, that, that also baffles me.

[00:46:12] That's, yeah, that's super interesting.

[00:46:15] Yeah.

[00:46:15] I'd love to hear more about what others, especially instructors, um, that are themselves,

[00:46:21] you know, and, and their thoughts on that.

[00:46:24] Um, well guys, we, this is, this is covered in about 45 minutes and we talked about 16 subjects

[00:46:31] in total.

[00:46:32] Okay.

[00:46:32] Sometimes we went off and even talked about a little bit more.

[00:46:35] So we have more to discuss more to break down with each of the videos coming, um, about specific,

[00:46:42] um, industries, uh, you know, MSPs, vendors, whatnot, um, and how this affects them.

[00:46:48] So stay tuned for that.

[00:46:50] We'd love to, again, we've already said this before, but we'd love to hear your comments.

[00:46:54] Um, you know, if, if you notice something that maybe we didn't, we're excited to hear about

[00:46:58] it.

[00:46:59] Right.

[00:46:59] Sure.

[00:46:59] So, so let us know in the comments below, um, make sure to tune in.

[00:47:04] And also like, uh, it's 32 CFR.

[00:47:06] We've all, what, three days now we've been looking at it.

[00:47:09] So you may have a different opinion.

[00:47:10] We want to hear about that.

[00:47:11] We're not, again, just to.

[00:47:13] Not claiming Bible.

[00:47:14] Yeah.

[00:47:15] We're not claiming CMMC Jesus here.

[00:47:17] So, you know, just know that we're also open to people's interpretations and understanding.

[00:47:23] I was just in discord, uh, yesterday looking and discussing some things and based on how

[00:47:30] that is.

[00:47:30] And I reread it and looked at it.

[00:47:31] I was like, it's switched my perspective on some things.

[00:47:34] And so I know that's going to happen moving forward.

[00:47:36] So it's very possible that some of the things that we shared, uh, today, uh, you know, a week

[00:47:41] or two from now, we might have a different opinion.

[00:47:43] So, um, this is, this is sort of the nature of the game though.

[00:47:47] Yeah.

[00:47:47] This is where we are.

[00:47:48] This is where we are right now.

[00:47:50] And we, we are going to be starting assessments soon.

[00:47:55] So, so soon.

[00:47:57] And then it's like game on.

[00:47:58] Here we go.

[00:47:59] We're starting the phase rollout.

[00:48:01] We're starting what they've said, and we're going to learn more and more as the time goes

[00:48:05] on.

[00:48:05] Right.

[00:48:06] So I'm excited for that.

[00:48:07] Um, we'll keep you posted on, on our journey as well.

[00:48:10] Um, make sure to tune in next Thursday for the next episode.

[00:48:14] Um, but until then guys, keep on climbing.

[00:48:17] See ya.

[00:48:19] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.

[00:48:24] We hope you guys enjoyed today's episode and listen out for the next one, but until then

[00:48:29] keep on climbing.