
Episode 24

CMMC Architecture: Enclave, Enterprise, or Hybrid?


About This Episode

Podcast Episode 24
March 31, 2026 - 36 mins

Organizations chasing CMMC often jump straight to “what tech should we buy?”, but scoping begins with people, policies, processes and how information actually flows across the business. This episode offers clear, candid guidance for any team wrestling with scope and architecture for CMMC and trying to do it right the first time. We walk through the real trade‑offs between enclave and enterprise approaches, why enclave complexity can hurt day‑to‑day work, and where a hybrid model can make sense if you have the internal expertise (or the right MSP).

We discuss practical criteria for selecting MSP/ESP partners, break down the 36‑month assessment window and the kinds of environmental and business changes that might trigger reassessment, and explore NIST SP 800-171, Revision 3 readiness.

Highlights:

  • Start scoping with people, processes, and information flow—not the “shiny tech.”
  • Enclave vs. enterprise vs. hybrid: reduce user complexity, weigh operational realities and plan for 36 months.
  • What to ask MSPs/ESPs: Level 2 status, shared responsibility matrix specifics, contract gaps, and insurance.
  • Changes that can trigger reassessment and how proactive change control avoids surprises.
  • Revision 3: prepare now; certification momentum on Revision 2 still pays dividends.

Episode Transcript

Cole French:

Are you wrestling with your CMMC scope? Are you looking at service providers to help with this, but aren’t sure what questions to ask? Do you have questions about where the CMMC ecosystem is headed? Join us for this special episode recorded on location at CUI-CON in Orlando, Florida, where we cover some of the questions and help you formulate the questions you should be asking on your CMMC journey.

Welcome to the Cyber Compliance and Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.

The first and most important challenge on the CMMC journey is the scope of the environment. And there are many considerations to address in this process. Where is the CUI within your organization? Who are the people within your organization that handle CUI? Where does CUI travel? What is your business plan and does it include growth that could increase your CUI footprint? Each of these questions and others eventually leads to the ultimate question: should I pursue CMMC for my enterprise or should I build an enclave to limit my CMMC scope? The decision on scope should also include considerations for the future of not only your organization, but also the CMMC program. Like any new program, there are going to be changes and some of them are significant. Specifically, the migration from NIST Special Publication 800-171 Revision 2 to Revision 3.

Joining us for today’s conversation is Toby Musser, founder and co-CEO of MNS Group, a CMMC level two certified MSP and MSSP that equips defense and government contractors with cybersecurity and compliance solutions that allow them to win contracts. MNS Group is one of the early leading authorized CMMC third-party assessment organizations and provides CMMC level two assessments to members of the defense industrial base and supply chain. Toby resides in Harford County, Maryland with his wife and co-CEO business partner, Laura, and their family.

For more than 25 years, Toby has served as a business leader in technology and security with in-depth experience implementing the vision, practice management, process, and compliance for medium and small businesses. His extensive background includes providing risk assessments of information systems for defense contractors and commercial clients across multiple industries.

Toby, thank you for stopping by here to join us on the Cyber Compliance and Beyond Podcast on site here at CUI-CON in Orlando. So yeah, just wanted to catch up with you, get your thoughts. I know you’re going to be speaking as part of a panel later today on architecture decisions or really what we talk about a lot is scoping. So what kind of scope do I have if I already have a scope or if I’m planning to maybe build something or I’m planning to pursue CMMC certification, what kind of scope should I pursue? Should I do my entire organization? Should I do an enclave? So if you just want to talk about kind of what goes into that decision making process.

Toby Musser:

Cole, yeah. Thank you for inviting me on here. I’m happy to hopefully be useful to the audience and have a great conversation. You mentioned scoping and enclave approaches and other ways, the types of environments you choose. Something we’ve observed is that many times people go to their technology teams to start the process of compliance with CMMC. And perhaps a better approach would be to consider the people, the policies, the processes, the procedures, and how you think people are going to communicate, how the information flows in the business before you try to ascertain what is the best approach. Is it an enclave? Is it the cloud? Which cloud? Are you going to do on-prem? Are you going to do hybrid? All of these are questions that really can only be best informed by having a little bit of a plan. And we often see that just from the misunderstandings around what CMMC is, that people start with the shiny technology piece and then try to back into it with the people, the policies, the procedures and the information flow.

Cole French:

That’s a good ... And we see that a lot in the work that we do that, yeah, I think the technology and the organization itself at a high level is what drives these decisions, but yet not as much.

The people who will be doing the work, policies, procedures, all that as it relates to that, so how do you go about helping organizations make those decisions, evaluating which approach is better for them?

Toby Musser:

We try to encourage people to understand business risk and to consider what the plans are for their business over the next three to five years. The old idea, “begin with the end in mind,” and we jokingly say there’s nothing more expensive than doing it right the second time. And so we want to make sure that people consider that whatever choice they make should be able to stick with them for at least 36 months, right? They’re going to get an assessment and it’s likely that they’ll be unable to change the vendor or change the position they find themselves in for 36 months without triggering another assessment. So we want to really take that time to walk a slow walk in the beginning and make sure whatever information we need to know about the future is documented and then discuss, is it enclave? Is it enterprise? I would say we are observing many people who started with enclaves doing enclave to enterprise conversion, basically moving their teams into the enclave and it becomes their enterprise. That’s not always the easiest thing to do and it can be an indicator of insufficient upfront planning.

Cole French:

Yeah, I was going to say, is that because they built the enclave? So we’ve worked with some folks who have built enclaves and then now they’re wrestling with the enclave actually makes everybody’s day-to-day job more difficult because we have this enterprise environment, we have this enclave environment, these people need to work in both environments. So it’s like they have two different ... It’s like if they’re doing work on this, they have to be in this enclave environment, but if they’re doing this other work, they got to be on this other machine and this other environment, other credentials. Is that what you’re seeing with enclave to enterprise conversion or is it organizations just making a different decision as it relates to maybe pursuing DOD contracts? What’s the driver there?

Toby Musser:

Well, I’ll give you a sort of a tangential comment and come back to it. Complexity breeds profit for consultants.

Cole French:

True.

Toby Musser:

And selling an enclave is an easy win for a sales team because they don’t need to assess the full environment. They’re just going to give you something they’ve pre-baked and maybe it’s at 60% or 80% and then they tune it. So there’s a lot of economic drivers to the whole ecosystem pushing for enclaves because it seems to be an easy solve. There is no direct way to take a commercial tenant and upgrade licenses in Microsoft; you have to do a lift-and-shift. Same thing in Google, same thing in the Oracle environments we work in. And so it becomes very expensive to think about it a second time and move people.

The complexity I was referring to is, as you were discussing, the fact that the actual person sitting in the seat has to log into two different systems and they have to keep track of, “Hey, am I in the right system to send this person or that person email or to receive it?” So that complexity also breeds security risk and additional risks, surfaces you have to consider. And it’s really a bad idea and users aren’t good at managing complexity. And I count myself among them.

Right now I have six different accounts that I have to log into depending on the type of work we’re doing or what I’m checking on. We are a government contractor as well. We have a facility clearance and we’re a C3PAO and we’re an MSP and all these different environments have different places I have to work. And so the chances of accidentally doing the wrong thing in the wrong environment are high for me. And I live and breathe in this world, right? For a Joe Schmo, who’s trying to get some engineering drawings edited and get them back out to the field so that somebody can go build a thing, it’s a high probability of error occurring. So ideally we would say that our opinion, my opinion, is that everybody should really just do the whole enterprise so that end users don’t have to think about it. The difficulty is that what I just said is terribly expensive.

Cole French:

And complex.

Toby Musser:

Yeah.

Cole French:

We’ve worked with a lot of enterprise environments and, I think going back to what you said about risk, the difficulty with an enterprise environment is now I have to think about my entire organization, which means I have to make a lot of decisions about scope and like level of effort for different parts of the organization and stuff like that. It’s very complex.

Toby Musser:

Are you going to train your cleaning company staff? Are you going to vet them? It starts to bring into scope questions that create a lot of bureaucratic load, not in the evil way, but just there’s a paperwork load to doing that.

Cole French:

Yeah, and that’s a good example. I mean, it extends far beyond what you would like normally think of. Yeah, the cleaning people. I think most of us, at least if you’re not in security, I don’t know if you’re necessarily even thinking about it going all the way down. So how about like an enterprise approach, but also with an enclave, do you see organizations doing kind of like what we call a hybrid approach where their boundary is their entire environment, but there is an enclave within their environment?

Toby Musser:

Yeah, we’ve seen a few people do that and I think there’s a lot of wisdom to the approach. You have to have some internal quarterback or hero who understands the nature of that and can run it inside the organization. And so that takes a little more on the technical chops side. So if you put sort of bands of revenue, sub-$20 million companies probably don’t have that internal capability to run that, so they’ll need an external MSP and certainly that’s a way to do it. And you’re then locked into that external service provider probably for 36 months after your assessment. So make sure you love them or at least that they have good problem resolution clauses. Then we see that band of $20 million to $250 million. They usually can pull that off and maintain it internally. And you know above that, they have entire cadres of technically proficient people who can maintain it and keep it going.

Cole French:

Yeah. Yeah. You’ve mentioned MSP. So if you’re looking for an MSP to do this kind of work, what would be things you would say to look for or questions to ask, things like that?

Toby Musser:

Well, certainly you would want the MSP to have achieved their level two certificate that’s been assessed by a C3PAO. It is a benefit that they would be an RPO, but in the industry, the RPO designation doesn’t have a high level of respect from the assessment side, and you can just pay a fee to become an RPO and have a minimum number of people take a very simple test. So RPO does not necessarily indicate a level of expertise to do a great job, but if they have that certificate along with it, then you know that they’ve actually executed on at least their own environments.

I would look at the shared responsibility matrix they provide and something that’s common is in marketing, a company will say, “Well, we do this percentage 60, 70, 80, 90%,” they’ll pick some number. And in truth, there are things within a responsibility matrix that are shared that sometimes shift to the MSP after discovery and integration or sometimes shift to the client. So none of those matrices are actually really or shouldn’t be reflective of the final state. They all need to be tuned a little for each client to reflect the realities of the policies, procedures, practices, and the ways they do it. So a question to an MSP is how often does your shared responsibility matrix, customer responsibility matrix get updated while you’re doing implementation? Is it typical that 5% of it or 10% get changed? If they look like they’re deer in headlights, then they might not have the operational experience to operationalize it inside your business.

Cole French:

We’ve also run into situations where we’ve asked about shared responsibility matrix and it’s, “Yeah, yeah, we have that,” and then you find out that what they have documented is subpar, for lack of a better way of saying it. So it could even be indicative of maybe they don’t even have a shared responsibility matrix or it’s not documented appropriately.

Toby Musser:

You make a good point. Just because they have a level two doesn’t mean they’ve devoted the effort to creating that matrix. A good matrix might have a column that says, “This is the ESP or MSP’s responsibility, this is shared things, these are the client responsibility,” and things that are shared should maybe have a little paragraph that say, “This is why it’s shared or this is why it might change.” Because there’s that hidden cost and implementation. If you sign up and suddenly you find out that, “Oh, we need a special project because you changed this or we’re going to change our fees,” look at the contracts, understand what’s included and what’s not. Compliance as a service programs often are add-ons to MSP, the base MSP does help desk ticketing, patching, all those things and we just have seen a lot of people get burned because of incomplete contract coverage for compliance and those shared responsibility matrices being incorrect.

Cole, something people could consider as they’re looking at MSPs or ESPs are the software contracts that they have in place and their line of business applications. When you get an assessment and your ESP comes in, if your renewal contracts for your line of business application don’t line up to your assessment and you decide, “Hey, we want to switch from this payroll provider to that payroll provider,” and it’s tightly integrated to your HR process, you have a chance that you could trigger a major change just from changing that large line of business application. So one of the ones everybody’s heard of is Deltek. If you’re in Deltek and you want to switch, you’re probably going to trigger a major change and need another assessment. So it’s not just the ESPs or MSPs that can trigger an assessment, but really you want to look at all your contractual relationships.

Let’s consider that you’re a manufacturer and you have a lease and you had them come on site and assess all your physical security. If you need to change your location and move, again, you could have that surprise need for an additional reassessment. So the 36-month window is something that really takes a lot of work and you want an ESP or MSP partner or a compliance partner who really understands business and is not just selling you the shiny thing that meets the technical requirements.

Cole French:

I hadn’t even thought about the fact that an ESP making a change to your environment could trigger a reassessment. Is that something you’ve seen?

Toby Musser:

So we have been approached recently by somebody who said something like this, “MNS Group, we just got our level two certificate, but we decided we really don’t feel comfortable with our MSP. We’d like to hire you to be our MSP.” To which we had to respond, “We’d be honored. We’d be happy to be your MSP, and you should probably check with your compliance team and whoever did your assessment to ascertain whether that will trigger another assessment.” And there was a Zoom meeting, so a look of horror on the screen, like they just, “Oh, we thought we’d get the assessment and then replace the MSP that we were unhappy with.” And they just didn’t know.

Cole French:

Interesting. Yeah, that’s true.

Toby Musser:

In theory, in theory, you could replace an MSP or an ESP without triggering a major change if there was pretty much identical service alignment and shared responsibilities and the product stack was close to the same, you could use a change control process for any deltas, but that’s fraught, right? There’s legal risk there and it becomes a business decision. Are you going to count that? We don’t have guidance yet from the Cyber AB and from the committees about what constitutes a major change, so it’ll probably be a little more lenient in this year as the program really gets its legs, but I suspect by next year we’ll have some guidance and things will be locked down.

Cole French:

Yeah, that’s something we’ve had a lot of conversations about in the last, I would say really just in the last month, maybe six weeks, we’ve had several of our customers that we took through assessment come to us and say, “X, Y, Z,” whatever the scenarios are. Most of them are related to like business structure, not so much environmental change, but yeah, come to us and say, “This is the scenario we’re presented with, how does this play for us in terms of are we going to need a reassessment?” So to your point about there not being a lot of guidance, I would echo that going into hiring an MSP or really making any decision about your environment, you definitely want to make sure that you’re thinking about it beyond getting that certificate because it is a three-year window, so anything you do afterwards does have ramifications towards that certificate that you achieved and could trigger a reassessment.

Toby Musser:

We noticed in construction, for instance, people get a CAGE code and they have a trailer on site, right? And this has come up several times in background discussions and the Department of War’s guidance is, “Oh, well, if you get a new CAGE code, you need a new assessment.” Well, it’s challenging because that trailer has all the same physical security attributes and internally is consistent, it’s the same environment. In truth, the scope didn’t change, just the address changed, which generates a new CAGE code, but the current guidance from the government is go get another assessment and companies don’t want to hear that. However, they can be prepared for that. They can build it into wrap rates or into their contracts that there’s an additional assessment cost. They have to figure out how to work that out. Does it affect your PWIN? There’s a lot of things to think about other than, do I do an enclave or an enterprise?

Cole French:

Very true. Yeah, and I think to your point, trailers, manufacturing environments, almost certainly always going to be hybrid approaches there because you can’t get away from, “I got to build this thing, so I got to have this physical space and a physical environment.” So there’s limitations to what you can do from an enclave perspective where I’m just going to build this box and put everything in there. So standing up each additional trailer, is there firm guidance on it triggering a reassessment or is that interpretive?

Toby Musser:

So a representative of the Department of War in a podcast said, “We have such limited guidance,” Cole, “that those are the little nuggets that we have to grab onto and just make that risk known to the clients so they can plan for that expense just in case it happens.” We had a client open a new office, does that trigger a new assessment? It’s the same locks, the same cameras, the same everything, same policies, procedures, and practices and some people are debating over whether that requires a new assessment or whether that’s just more people within the existing environment. These are things that will get worked out, but in the meantime, businesses need to budget for and plan for the possibility of another assessment. You might talk to your C3PAO and ask them, “If I have a construction business and the trailer moves and I need another assessment, is there a discount? Is there a way to handle that in an iterative way?”

Cole French:

Yeah, we always tell our customers and even potential customers, we always say, “Come to us with these situations before you go make a decision.” And we actually just had one recently where it’s a conditional certificate with remediation and obviously we knew what needed to be remediated, but they went off and did the remediations and said, “Hey, we did the remediations we’re coming back to have them reassessed.” Well, turns out to fix one of the issues, they just ripped and replaced a system. So same problem, right? Now it’s like, “Well, wait a minute, we assessed that entire system against all the other controls and now it’s not part of your environment anymore,” so I think that also ties in with what you’re saying about risk is ask the questions and understand the scenarios that you might be faced with as far in advance as you can and have conversations with your C3PAOs or whoever you’re working with to get guidance or do our best to get whatever guidance we can get on these before.

And yeah, like the trailer examples like, “Hey, I know I’m going to have all these trailers that I’m going to have to take through an assessment,” work with your C3PAO. I’m sure there’s arrangements that can be made to defray some of those costs or lessen some of those costs given the circumstances and the nature of that type of situation.

Toby Musser:

Yeah. If a business like yours or mine values long-term relationships, which we do, we’re going to try to come up with something that works for our clients, right? We want to have something that’s equitable and helps them survive and win contracts and stay in the space. One of the options to consider, and Cole, I don’t know if you guys do this, we offer the ability in the in between years to call us up and have us review any changes if they want, to make sure that the changes are properly documented or trending met. And we don’t give advice, right? We don’t tell you how because we want to maintain our ability to do your next assessment, but that’s also something people can explore.

It’s like, do you want to have a small amount of budget set aside in the in between years so that things don’t stack up, there’s no surprises. I know many executives are flinching at the fact that they’re personally and legally responsible for the sign-off. And if I recall correctly, a $250,000 fine and 20-year jail sentence times 320 things, that’s a lot. Is that going to happen? No. It’s kind of ridiculous, right? But there is real risk. And if you bring in a C3PAO in the in between years, just to check things out, and if something comes to light, then you have a chance to remediate it. It definitely is not a just once and done thing.

Cole French:

We’ve talked about a setup like this, sort of like a continuous monitoring type. How do you guys set that up? Is it just an annual one-time check and you’re looking at just a cross-section of the requirements or are you diving into specific things on different intervals? How do you guys structure that?

Toby Musser:

Well, our current approach, and I say it that way because sands are shifting, we don’t know when Rev 3 is going to come into effect and all those things, but our current approach is to say, “Show us all your change control board meetings and all the notes and what was approved and changed and show us if any changes were made to policy, procedure, and practice to take into account those changes.” And then we [inaudible 00:22:39] that’s trending met or it’s trending not met, and then they have an opportunity to feel confidence or to go do a little more homework so that they’re more ready when the time comes.

Cole French:

Okay. So it’s focused on changes specifically and then the process and procedure around how they handle changes in the environment?

Toby Musser:

Yeah. We don’t go and review all of the elements to see if they’re still in place. I guess we could if somebody asked for that, but that’s basically running an assessment again. Perhaps there’s value for some enterprises depending on their mass.

Cole French:

No, I like that. Yeah. Since really one of the primary risks is doing something that could initiate a reassessment, I think that is a good ... That’s what we’ve struggled with is, how do we scope sort of an annual check-in or reviewing things in that three-year window? It’s like, how do you include the right amount of stuff or, and make it valuable? And I think if tying it back to the risk of needing a reassessment and really just checking that every year or whatever the frequency is, I think there’s a lot of value in that.

Toby Musser:

I think the value also can extend to your insurance and liability coverage. Early in this conversation, you asked about questions people ask about ESPs and you triggered that thought. When you select any type of provider, you want to make sure they have the appropriate insurance coverage for the mass of your business and the risk that they bring to your business. We have found that many times the MSPs we’re replacing, didn’t have the right liability coverage. When we’ve done assessments, we often say, “We have the insurance to do assessments.” It’s a good question to ask C3PAOs, “What’s your insurance coverage?” If you do an assessment and you say, and you issue a certificate and DIBCAC comes back and reviews it and suddenly says, “No,” are you covered? Are they going to pay for the assessment, the lost business, downtime? It really should always be business risk that drives the choice and what is the business’s individual tolerance for risk. The more risk, the more profit is what they say, but there’s limits to that, right?

Cole French:

Mm-hmm. And we talk a lot about risk. We’ve done previous episodes on that very topic. And I don’t know if you guys have seen this in your assessments, but there’s risk assessment requirements and security control assessment requirements and you get a lot of people thinking those are the same thing. They think, “Oh, I did my security control assessment. I reviewed all my 320 objectives and requirements, so I’m good on my risk assessment.” But to what you’re saying now, and what we’ve said many times on this podcast before is risk is way broader than just your security requirements. Risk is like, “Yeah, what happens if I can’t operate my business?” Or if some adverse or catastrophic event happens, insurance coverage, all those kinds of things. So risk is a much broader topic that requires you to look at the entire business, not just security. Security is just a component of overall risk.

Toby Musser:

I say this with a little humor, but a fun question you could ask an ESP or MSP is, do any of your software products use - have non-subrogation clauses in the software licenses? And so what that means is subrogation’s a process where an insurance company has to pay a claim, but then they go, “Man, we want to get some of our money back.” So then they go after or sue the other elements that cause the claim. So say, God forbid something happens and your MSP’s insurance pays you because they did something wrong, then the MSP insurance will go after each of the subpieces of software, the MSPs that might be involved in a failure. Maybe they had a monitoring tool that didn’t catch something. And you want to check also in your MSP’s contract if they have non-subrogation clauses, because you want your insurance company to cover you.

And if you sign a contract, and a lot of contract officers don’t know about this because they’re used to working with government contracts, these commercial contracts are some of the things we’re seeing that you should just be careful about is your own insurance company may have something that’s not on page one on declarations, it’s probably halfway through the back that says, “We don’t cover you if you sign a non-subrogation clause.” So you want to make sure your own insurance will cover you in addition to your ESP or MSP. And these are the subtleties that come out when you’re dealing with a business first MSP or assessor, as opposed to a technology company that’s gotten excited about being in the compliance space.

Cole French:

And selling their product, like you mentioned earlier, it’s the shiny technology that will solve all the problems, but yeah, you still have to answer all the questions related to the business and really those actually should go first. And you mentioned Rev 3 briefly just a minute ago, and so 800-171 Rev 3. So I know right now the CMMC framework is aligned to the Rev 2 requirements, and we’ve been getting a lot of questions lately about, “Well, should we be preparing for Rev 3? What’s the timeline on Rev 3? How’s it going to work?” So obviously we tell them, “Yes, you should already be ... And in many cases, if you’re doing Rev 2 and doing it well, you’re doing a lot of Rev 3, but you should be definitely preparing for Rev 3.” So what are you hearing as far as timeline and things like that are concerned as it relates to Rev 3, the move from Rev 2 to Rev 3?

Toby Musser:

Well, recently the GSA released their guidelines and it’s a program that’s sort of parallel to CMMC, but it’s not CMMC and it’s based on Rev 3. And there now is a conversation going on to see if there’s going to be reciprocity between CMMC and what the GSA is doing. I suspect they’re going to work something out, but in the current situation, somebody might have to do a bunch of Rev 3 things and have a different body of evidence to be on GSA contracts and have a level two certificate in Rev 2 to be on DOW or DOD contracts.

The reason I mentioned that is that has accelerated the conversation in the Department of War. Everybody wants to have great security and protect the war fighter and keep them safe and have their equipment function and do a good job and having two different revisions in play is a difficulty. So that’s a really long-winded way to say. I suspect by the end of the year that you’re going to hear some official language around moving to Rev 3. It could be sooner, but practically, there’s about 40%, give or take, more things you have to do in Rev 3 and so it’s a heavy lift.

There might be economic benefits though. I mean, I don’t know that I would bet my life on it. However, if you are ready with Rev 2 and you get your assessment before Rev 3 stuff happens, notionally you might have 36 months then to get ready with Rev 3 before your next assessment. You can’t quite go to the bank with that because perhaps contract officers will be given the ability to choose which revision, we just don’t know. There’s a lot of volatility currently in the administration. So what we do know is that it’s not going away and the requirements are increasing, not decreasing, so you should get ready for Rev 3 now and probably the end of the year would be my prognostication.

Cole French:

So end of the year would be when we officially migrate from Rev 2 to Rev 3, or the follow-on question I guess to that would be, do you think, and I know some have voiced this as a concern of how we do this migration. So if I did my assessment already and now I have my three-year window, I did my assessment today, I got three years and then a year into it, they move to Rev 3. What does that do to my certificate? Do I now have to ... And you kind of touched on a contracting officer could be given the ability to put Rev 3 requirements in a contract, potentially as an option year exercise or something like that. But do you think it puts you at risk if you already have a cert against Rev 2 that you would have to do a new assessment? Again, going back to kind of what we were talking about earlier.

Toby Musser:

You’re going to pay to do Rev 3 no matter what. If you have Rev 2, you’re mostly there. You’re on the way, you have the programs in place. It’s not money that’s wasted. It’s not the joke from the beginning of our talk that nothing’s more expensive than doing the job right the second time. It’s a continuation of what you’re already doing. So it’s definitely not a lost investment. It still gives you market advantage, especially if you’re a sub and the primes want to go after everything with autonomy and know their subs are all ready, definitely a benefit to get your certificate now. There’s no reason to wait. It won’t have a benefit.

And people keep talking about the backlog. I suspect that’s really overemphasized. We see a lot of people getting training. Every month the C3PAO count goes up. They said there’s 9,500 people, maybe a little more, who have applied to be C3PAOs, 1,500 CCPs that are on the path to being CCAs. And it’s still a lot of companies. There’s going to be some backlogs. It’s not going to be the end of the world, but definitely a benefit to move now.

Cole French:

I would agree with you, and I would tell folks the same thing that it’s better to be proactive. And I think it’s fair to ask the question, “Does this mean I have to go do this?” Kind of what we were talking about, you should ask the right questions and understand the requirements, but I don’t see a reason ... If you’re already ready for Rev 3, I don’t see why you wouldn’t go ahead and pursue certification if we migrated to Rev 3. So I would agree with what you’re saying.

Toby Musser:

You asked an interesting question or you mentioned this idea of what happens in the in between years if Rev 3 comes out and you passed on Rev 2, and the truth of the matter is we don’t know. We have to wait until ... I suspect that you’re attesting that you’re still doing the things that you said you were doing the first time around. The government is very eager for people to succeed. This is not an auditing program. It’s not looking for your failures. It’s an assessment program, show me how you’re meeting the requirements. It’s a different attitude. I guess that might be one of the things, that’s why we get along so well, even though we’re both C3PAOs, understanding that we’re trying to have our clients win, we want them to pay us. We’re not looking for failure. We’re looking to understand how they succeed. That’s a really important question to ask ESPs and C3PAOs, what is your attitude about this? It’s not an audit. It’s an assessment.

Cole French:

It’s an assessment. Yeah, we do remind people that we’re here to assess, so we’re here to evaluate and assess what you show us, what you tell us, what you present to us. So it’s really an opportunity for you. And I know when we prepared our own organization to go through assessment, we focused heavily on working with them on how they told the story in an assessment. It’s really important. It’s an opportunity for you to share. Yeah. And I mean, obviously don’t ... You want to be measured in what you share and you don’t want to go off on tangents and things like that. We’ve all, I think, sat in assessments where people just keep talking and it’s like, not sure you should be saying these things right now necessarily, but-

Toby Musser:

Not good. Just answer the question.

Cole French:

Yeah, just answer the question. So you do want to keep it concise and answer the question, but also it is an opportunity. And there’s certain controls and requirements that I think really lend themselves to you win by how good of a story you can tell and how well you can present how you’re doing something. And I agree with you, that’s the approach we come at it from. But I think businesses a lot of times look at it more like an audit and they’re worried that they’re going to come in here and try to find the way I’m doing something wrong and stuff like that. And I’ve definitely worked with auditors and things like that, that are people with more of an audit mindset, and it definitely makes for a different experience in an assessment.

Toby Musser:

Yeah, we jokingly give this example, and I’ll throw it in here. Maybe you’ve shared it already before, but if the assessor asks you, “Do you know what time it is?” The answer is yes or no.

Cole French:

Yeah.

Toby Musser:

But people tend to be like, “Oh, it’s three.” “No, I didn’t ask you to tell me what time it is. I said, ‘Do you know what time it is?’” And so keeping your answers simple and carefully listening, the question will lead you to success. Assessors are trying to just get the necessary information, but they’re duty bound to follow up on anything you mention. Like you said, if the talkers talk, then you have to follow up on what they’ve said because you need to make sure you understand.

Cole French:

Well, Toby, I really appreciate you stopping by to chat with us about these things. And I really think our listeners will appreciate your perspective and especially those important questions you should ask as you prepare for and are going through CMMC.

Toby Musser:

Cole, thank you for allowing me the opportunity to participate. Hopefully I’ve been useful, and I just want to remind people to work with people you like to work with when you’re interviewing ESPs and C3PAOs. This is really stressful stuff, so make sure you like the people you work with.

Cole French:

Great advice. Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter @KratosDefense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then keep building security into the fabric of what you do.
