January 10, 2025

Episode 57: Confusing and Misunderstood

Erick and Rich discuss what research from CompTIA implies about the year ahead for the channel in AI, plus three proven strategies for navigating client budget constraints. Then they’re joined by compliance guru Mike Semel for a deep dive look at what the recently published CMMC final rule means for MSPs. And finally, one last thing: The lamest excuse ever given for failing to return a rental car on time.

Discussed in this episode:

Happy Days Are Here Some More!

CompTIA’s IT Industry Outlook 2025 report

Mike Semel’s free CMMC 2.1 Desktop Reference Guide

Woman arrested in Spokane after saying she was too busy to return rental car

Transcript:

Rich: [00:00:00] And three, two, one, blast off. Ladies and gentlemen, welcome to another episode of the MSP Chat podcast, your weekly visit with two talking heads talking with you about the services, strategies, and success tips you need to make it big in managed services. My name is Rich Freeman. I’m the chief analyst at Channel Mastered, the organization responsible for this program.

And I am joined in a brand new year by your other co-host, our chief strategist at Channel Mastered, Erick Simpson. Erick, happy new year.

Erick: Happy New Year, Rich. Good to see ya. 2025, off with a bang.

Rich: Now I should say this is actually our second episode of 2025. This episode is due out on January 10th. Our January 3rd episode was the first of the year, but as we freely admitted while recording that for you, we did that episode before the holidays.

So this is actually the first one of the year that we’re recording in 2025. And in fact, we’re recording it on January 2nd, which for Erick and me alike is the first day back to work after a break, which was wonderful. And I’ve got to say, Erick, it’s a Thursday today. I got out of bed this morning.

It felt like Monday, but it was actually Thursday, which means obviously tomorrow is Friday. And I’m liking this two day work week thing. I think this could be a good policy going forward.

Erick: We’ll just have to see how that pans out in 2025, Rich.

Rich: We’ll work on that. We’ve got some budget planning coming up and we’ll just see if the two day workweek pencils out.

But speaking of 2025 and numbers concerning 2025, a little bit before the holidays I was invited to join our good friend Dave Sobel on the Business of Tech podcast. He does these live streaming events once a week these days. And I was invited to come on as a guest, as was Seth Robinson from CompTIA. And it just so happens that Seth and company had recently finished up the 2025 State of the IT Industry report that CompTIA does every year, so perfect opportunity for us to discuss those numbers. And so I am actually going to quote some of the numbers from that report and some of the conclusions from that report.

And I think it points us in an interesting direction for AI specifically in 2025. So what do we see, according to this very good research data from CompTIA? First of all, the channel firms out there are pretty optimistic about the year ahead. 32 percent of them said they’ve got a strong outlook for 2025.

43 percent said they have a good outlook. Only a collective 25 percent said that they had mixed sentiments or were a little uneasy about the year ahead. The channel businesses are very enthusiastic about the year to come. And so are their customers. When CompTIA went out to businesses of various sizes and asked, what’s your technology mindset, basically looking back over the past 12 months, 52 percent of the small businesses said we are more enthusiastic than before about technology; 65 percent of mid-sized businesses, 58 percent of enterprise businesses. So good, solid majorities of the businesses out there, looking back at 2024, were more enthusiastic about technology and just believe that technology could do more for them.

And in fact, when they were asked, what are the reasons, why are you enthusiastic? The number one response was AI, AI’s ability to innovate and streamline. So far, so good, Erick. Here’s the thing that’s interesting, and from a certain perspective maybe contradictory about everything that I just told you: when the CompTIA folks went to the end users and asked them to talk about their approach to technology implementation in 2025, they were given three options.

Are you going to be aggressive? Are you going to be measured? Or are you going to hold steady, slow things down? And I won’t get into the specific numbers, but trust me, there was a big edge across the board, small businesses, medium businesses, large businesses, for measured. And so what you’re seeing there basically is people have a great deal of faith, a great deal of enthusiasm about technology and AI in particular, and what it can do for businesses. But after several years of pretty aggressive spending on technology generally, a lot of SaaS applications, a lot of initial AI-related spending on things like infrastructure and so on, businesses out there, I think, are getting a little bit more cautious. They want to know that they are actually going to get a return on continued investment in technology generally and AI specifically. And here’s a little bit of evidence for you. These numbers are from Gartner; CompTIA cited them in their report. And in [00:05:00] 2024, data center systems, and trust me when I tell you most of the growth in data center systems in the last couple of years has been AI related.

In 2024, data center spending, infrastructure spending, was up 34.7 percent, according to Gartner. The projection for 2025 is 15.5 percent, which is still a good solid double-digit number, but well down from what we were seeing in 2024. Spending a little more slowly, maybe a little more cautiously, on data center infrastructure, probably in relation to AI.

Now here’s the spending number on services, IT services. That spending grew 5.6 percent last year and is projected by Gartner to grow 9.4 percent in 2025. So what are you seeing there? You’re seeing companies take their foot off the gas on infrastructure spending. We’ve already done a lot of that. We’ve done a lot of spending on AI software as well.

What we want now is actual implementable technologies that are actually going to impact the top and bottom line for our business. And in order to get that, they understand, apparently, they need help from service providers. And this is a very long-winded way, Erick, of saying that all of this looks good for the MSPs in our audience, provided they are in a position to provide strategic services-related advice on actually getting results from AI.

The market is setting up very nicely for companies with that capability set. If you’re just reselling Copilot, if you’re just trying to move the AI-related infrastructure, the headwinds could be a little harder for you in 2025, but if you can sit down and take advantage of the work that hopefully you were doing in 2024 and even 2023 to be prepared to have a strategic AI-related services conversation with customers, 2025 could be a really good year for you.

Erick: Well, Rich, the AI story continues to have a very pronounced impact on businesses of all stripes. The data you just cited included small and medium businesses, mid-market and enterprise; it talked about measured growth and it talked about services almost double what the spend was for 2024.

So I think this is a recipe for the MSP audience that we serve to start planning, as you advised, planning for taking advantage of this opportunity. And this is uniquely different than anything else that MSPs have considered to be their unique value proposition to their clients, right?

Their unique value propositions in the past have included not only tactical services but strategic advisory services in the areas of technology road mapping and the areas of cybersecurity and compliance. Now we’re talking about AI, which is almost a different language for MSPs. So what are your thoughts, Rich, around how to take advantage of this?

What could we share with the audience that could be stepping stones to move into this opportunity, to qualify some of their clients for these services? I know that we’ve had guests on the show that are really leading the charge in developing strategic AI services and selling them through the channel.

And we’ve had MSPs on that are really leveraging AI to be more strategic. So if I were to ask you, Rich, to think of, maybe we can come up with three things that MSPs should begin evaluating in terms of taking advantage of this opportunity in a measured fashion that gets their clients to raise their hands and say, yes, we like some of these kind of entry-level services and solutions. Where would we start?

Rich: I’ll give you two. And if we come across a third, that’s great. So one of the things that I said, obviously, is hopefully a lot of the MSPs in our audience have been spending or using time in the last two years to educate themselves and get themselves in a position to have a conversation about AI that isn’t product focused.

And so if that has not been the case, it is never too late to get started. Suggestion number one is to really start getting serious about thinking around AI-related services, service engagements that you can bring to your customers, that will focus on, and this is the second of the two things that I want to suggest, begin reorienting your thinking and your service offerings to your customers, move those away from products and towards [00:10:00] outcomes, because the real sort of moral of the story that I was talking about there is everybody understands AI can do a lot.

They’re getting a little impatient to actually see it do some of that stuff. And so what you really want to be talking to end users about these days isn’t this exciting product, this exciting service, this exciting solution; it’s outcomes, business outcomes that I can help you realize utilizing AI. And obviously the best way to come up with a specific outcome or two or three for a specific customer is to have that information-gathering conversation with them, understand where the pain points are, talk to them about their workflows, what’s working well, what isn’t, what are their objectives, et cetera, but really focus on the outcome and then work back to the AI from there. And make sure, when it’s the customer’s turn to decide, am I going to invest in this or not, make sure they’re crystal clear on what they are going to get for the money that they spend around AI and when they’ll get it.

Erick: I love those tips, Rich. And I think I would add the third would be to generate a good set of qualifying questions that you can sit down with your client to help kick this conversation off.

And I think just a couple that come to mind for me: one would be, what kind of information would you like to see from all of the data that your company generates? Have that strategic conversation. What are you not getting right from a strategic perspective?

Like you said, Rich, business outcomes, strategic outcomes: where does the client, where does that business owner want to be in the next three to five years? And where are the opportunities in the data that they’re generating today or the workflows that they’re using? How can we leverage AI to visualize that, to normalize it? Because, as Rich and many of our listeners know, the power of generative AI seems almost limitless as long as we can harness it with the right prompts to gather that information. We’ve had folks on the program, Rich, that talk about the first step being tagging, categorizing the data in a business, right? So I think that’s one of the first steps; as I understand it, we have to prepare the data in order for the AI to be able to assess it, to ingest it and give us outputs. So I think having a really strong set of qualifying questions that then you can map your service offering to, like you said, Rich: what am I going to get? How long will it take to get there? I think some of those questions are unknown until we maybe pilot some of this. So maybe take a business unit or a specific amount of data, and then use that as a pilot that then you can grow into a larger, or maybe an AI as a service, or a V... what did we do? What did we say on one of our previous episodes, where we had a virtual AI officer or something like that? We said VAIO, just like VCIO or VCTO. So these are things that I think would be interesting for our audience to explore, and I’d love to hear feedback in the comments from our audience.

Rich: And two real quick thoughts before we move on to your tip of the week there, Erick.

And one is just, it’s been a recurring theme on the podcast for a while, that the more you are having strategic, outcome-oriented conversations with your customer, the more you’re freeing yourself from the risk of commoditization, competing on price and all that stuff. This is a really good thing to do just for the business in general.

And then the other thing, what I like about your suggestion, Erick, to come up with a good set of qualifying questions that map to solutions, is over time, as you hone that list of questions and the relationship between the answers and the solutions, you start getting yourself into the zone of having a menu of repeatable AI solutions that you can deliver for your customers.

And from a profitability standpoint, that’s going to be a really good thing for you. If there are certain kinds of solutions that you have experience delivering, you know you can deliver solid outcomes. And you’re not reinventing the wheel every single time you work with a customer, that’s going to be a great thing for you.

Thanks. Now those are great things. Here’s something that might not be quite so great that relates to your tip of the week, Erick: you could have this strategic conversation with a customer and they could be very excited about what you’re saying, but deal with or have budget constraints that make it a little bit difficult for them to buy in.

So that is, I believe what you’re going to provide some advice on this week.

Erick: You’re right, Rich. And it is a challenge that [00:15:00] every organization faces: having strategic goals that we’re trying to reach as an organization, and growth goals and things like that, but then justifying budget to spend to get there.

And this is the challenge that MSPs have with their clients all the time, right? It’s understanding where the organization wants to be and where they are today, and then building out a strategic roadmap to help them get there with timelines, and then budget requirements, right? And Rich, as a former MSP, I can say that I’ve experienced A-plus clients where they seem to have the ability to justify budget within reason to help them get to where they need to go and invest that in their infrastructure and their solutions and applications and cybersecurity nowadays and things like that.

And I’ve had the opposite. I’ve had not just the C customers, but the D and F customers, right? Especially when we first launched our MSP practice years ago. And so the ones that tend to fall into those D and F categories and the C customer categories are the folks that maybe just aren’t growing, or are restrained from growing or scaling for some reason, and thereby can’t really justify budget for growth. So we want to find those clients that are on a growth curve, or maybe our B clients, that we can justify budget for periodically throughout the year, if not as much as we would love for them to have. But how do we have those conversations with clients and how do we navigate these budget conversations?

So three quick tips. The first one is, figure out how to create flexibility, if you can, in how you bill your clients. And I don’t mean be the bank for your clients, but maybe you can create an as-a-service offering that gets the client to say, Oh, I can pay for this over time. As long as you’re covering your hard costs and things like that, and you’re realizing your profit over time, that may be one way to do it, Rich.

The other way to do it is to partner up with some financing options. I know there are several vendors that market heavily to MSPs that offer financing or services and products and gear, just depending upon what the mix is. And then maybe over time, you can include some services the longer the term of an agreement is for a client.

So let’s say, for instance, Rich, a client’s got a 12-year, 12-month, I’m sorry, 12-year agreement. Wouldn’t that be nice? 12-month agreement. And they’re paying a lot more initially for projects and things like that. Maybe with a 36-month agreement, you have a little bit more flexibility to defray your costs of labor and bring some of those solutions.

More upfront payment and when can I defray the costs? And of course, having an early termination clause in your long-term agreements that says, Hey, if you terminate early, then you’re going to owe us all this money, rather than let the client just walk away when you’ve invested all of your time, energy and effort up front.

Second tip, pilot programs. Think about piloting something for a client that is a smaller chunk of what the overall deployment might be. We talked about this just now with the AI conversation, right? How do we pilot a service for maybe a department or a small group of users, and get the client to agree that, boy, if this delivers the outcomes that you say, then not only will I pay you for the pilot, which you are charging for, this is not free, Rich, but I will agree to your quote for deploying it to the overall organization.

So pilots and proof of concepts are something that’s used really effectively in enterprise sales and mid-market sales and things like that. Smaller MSPs have the opportunity to use this as well, as long as you get that agreement with your client to say, look, we’re going to charge you for the pilot, but then if the pilot delivers on these specific outcomes, which have to be objectively measurable, not subjectively measurable.

We’re going to make everybody more efficient, but by how much? How much will this impact that company from an objectively measurable perspective that you and your client both agree on, so that when you hit it and knock it out of the park, the client is forced to say, yep, you did it.

Let’s roll it out and move forward. And the third tip, Rich, is really that good, better, best approach to bundling and pricing services, so that you have the ability to get clients into your minimum required services that you must subscribe to, to be your client, number one. So [00:20:00] this includes your managed IT services along with cybersecurity that you layer on top.

So what does a client have to subscribe to in terms of your service offering in order to be a client, and then have that be your minimum standard, your good offering? Then your better and best, so that over time you can have a conversation with your client, Rich, that says, Hey, it’s time to really get you into our better portfolio of services.

And it’s going to cost an extra X number of dollars per user. But here are the additional benefits and value you’re going to get that you cannot get in this current portfolio of services and you can only get in this next higher level of service offering. And that includes better SLAs, response times, et cetera.

It’s not more; it’s not quantitatively better. Like it’s not 15 licenses versus five licenses of this. It’s qualitatively better. Like you’re getting more additional benefit that you can’t get in the existing bundle of services you’re getting. So we’re getting you from a good to a better and ultimately to a best.

Rich: Yeah, and you know the common thread to every bit of advice that you are offering there is that there’s no reason why you have to walk away from a customer that has legitimate budget constraints. You’re just looking for a way to scale what you offer them to what they can pay for.

And in doing so, not only keep your foot in the door, your engagement with that customer active, but set them up for a longer-term and bigger engagement for you when they’re either willing or able to spend more heavily. And I particularly liked the suggestion to structure a 36-month deal, because a 36-month deal is a good thing for you too, if you can get more of your customers on that deal. And if it feels like something that allows the end user to benefit, it doesn’t feel to the end user like I’m making some big, long commitment that I don’t want to make; to them, it feels like an opportunity to begin collecting the benefits you were talking about now and knowing that I will collect more and more of them over time.

That’s a sort of win kind of scenario. A lot of good advice in there, Erick.

Erick: Yeah, and I think two additional thoughts come to mind, Rich. Number one, in that 36-month agreement, obviously, if you’re doing your job right as a service provider to this client, you’re more profitable the 13th month than you were the 6th month, and you’re even more profitable the 18th month.

So the longer the agreement is, the more efficient you are delivering these services, because you’re basically addressing all of the issues in that environment over a longer period of time. So by that 36th payment, you should have way higher gross profit than you had from the first month payment, right?

So you’re increasing your profitability over time as well. So this actually helps you out over the long term. And then the second thought I had was, you’re asking for more budget, but you’re justifying it based on an increased performance for your client, right? So you’re not just saying, look, you need this because... it’s the opposite of having kind of a risk-based sales approach where it says you’re just vulnerable and you have to shell out all this money for us to fix all this stuff, to make sure that your data is secure and your folks are secure and all of this other stuff. It’s more of a, it’s a little bit of a carrot and a stick approach, right, Rich? What you’re recommending to your client should be objectively demonstrable to improving their business in a way that isn’t practical, but strategic.

Like it’s going to map to their company growth goals or the company profitability or scalability goals, or you’re addressing some kind of a friction that’s creating inefficiency within their staff, the workflows and things like that. So if you can prove that, what do we always say? If I pay you a dollar and get $2 worth of value back, that’s a good deal, right?

So that’s what we’re trying to do here.

Rich: And it dovetails perfectly with what we were just discussing with regards to AI. It applies well beyond AI, but it aligns perfectly with those AI conversations that we were talking about. Okay, folks. As we record this, actually, as you are listening or watching this, it has been just shy of three months since the federal government published the final rule for the CMMC regulation, and that is a milestone in the CMMC story with some pretty serious implications for MSPs out there.

And now is a really good time to start exploring what those implications are, and who better to do that with than our good friend Mike Semel, CEO of Semel Consulting, one of the industry’s foremost compliance and regulatory experts. We’re going to take a quick break here. When we come back on the other side, we will be joined by Mike to talk a little bit about CMMC and help [00:25:00] you understand how this final rule is going to impact you, what you need to do as an MSP in response to that, and where you might be able to make some money as well.

So stick around. We are going to be right back.

And welcome back to part two of this episode of the MSP Chat podcast, our spotlight interview segment, where we are pleased to be joined by Mike Semel. He’s the CEO of Semel Consulting. He also happens to be one of our industry’s foremost compliance experts, if not the foremost compliance expert; he’s been my go-to on anything compliance related for many years.

Mike, welcome to the show.

Mike: Thanks, Rich. It’s great to be with you and Erick, and happy new year.

Rich: Happy New Year, Mike. Happy New Year as well. Now, Mike, you are deeply knowledgeable about pretty much every compliance-related challenge an MSP might face, but we’re going to zero in this conversation on CMMC, because in a lot of ways that’s the most timely topic.

But before we actually get started with that, just for the folks in the audience who don’t know you, just say a few words about who you are and what you do and what Semel Consulting is about.

Mike: Be glad to. I’ve been an MSP, but I started out long before that in our industry, long before the term MSP was even used.

I’ve been in this industry since the late 1970s and have been an MSP. I’ve also been the Chief Information Officer for a hospital and for a K-12 school district. And in 2012, I started a consulting company. Since around 2004, I repositioned my MSP business as a compliance specialist. We did the same thing as every other MSP.

We all had the same products and services and tools in our stack and things like that. But by positioning our services as compliant services, I was able to distinguish myself and have different conversations with clients, and we eliminated a lot of our competition, and we were able to charge more because we positioned our MSP services as compliance services and helped our clients not just secure their data but be ready for audits and investigations by regulators.

And by doing that, it created a whole new business model for me where I was able to stop being an MSP, and I didn’t have to wake up when servers crashed in the middle of the night, and I was able to become a consultant. And we don’t sell any IT products and services. So we get a lot of referrals from MSPs to work with their clients who are in regulated industries.

Rich: Let me just say quickly here, Mike splits his time between New York and Florida. He is joining us from his Florida home right now. And while there are many things to love about having a home in Florida this time of year, broadband apparently is not one of them in the building Mike is in.

So if you are watching us on YouTube and the video isn’t quite keeping up with the audio, blame it on Mike’s ISP. We did our best to compensate. But we just really wanted to have this conversation with him, and the main reason, as I said before, is that CMMC is a timely topic right now.

What makes it timely is that on October 15th the federal government published the final rule; the final CMMC rule was published in the Federal Register on October 15th. So just to set things up a little bit, just help folks in the audience understand, what is the final rule and what is significant about it being in the Federal Register now?

Mike: So CMMC is the Cybersecurity Maturity Model Certification, and it’s a requirement that’s coming for all defense contractors, at different levels. So it depends on the type of information that you handle, but it actually goes back long before this final rule was published, to 2017, when the Department of Defense started requiring defense contractors to implement cybersecurity requirements as part of the contract. And it’s important to understand that it’s part of a contract. It’s not a law. It’s part of a contract, which means that if you accept a contract from the Department of Defense, in other words, if you want to take the money, you’re agreeing to do certain things. What happened was they put these cybersecurity requirements in back in 2017, and then when they started auditing defense contractors, and a lot of defense contractors are small businesses, you tend to think of the big companies that get the contracts for the fighter jets and the ships and the tanks, but a lot of the parts and pieces for those fighter jets and ships and tanks go to small businesses. The audits found out they had not implemented the cybersecurity that was required, even though [00:30:00] they took the money. So the Department of Defense came out with this new regulation called CMMC that they’re putting in contracts.

They’re going through the process to add them to the contracts. And the final rule that was published on October 15th defines CMMC, first of all, and says that audits can begin, because they’re now requiring that defense contractors that handle controlled unclassified information, known as CUI.

And if you think that we have a lot of buzzwords in the IT industry, just go to the military and start looking at all those acronyms and three-letter abbreviations and things. So the key term here is CUI, for Controlled Unclassified Information. There’s another category of information that all federal contractors, not just defense contractors, have to protect, and that’s called FCI, Federal Contract Information.

The reason I’m bringing this up is that not every defense contractor handles FCI. Controlled Unclassified Information, or CUI. But all defense contractors, even those that are doing things like mowing the lawns at Air Force bases, or cleaning the offices, or providing food services, they have a government contract that needs to be protected by basic cybersecurity requirements.

So this affects a huge number of businesses. We’re seeing numbers between 200,000 and 300,000 businesses. Many of them only have to deal with the lowest level of CMMC, level one, because they handle federal contract information. When you start getting into the contractors that handle CUI, the controlled unclassified information, the estimate is there are probably at least 80,000 that will need to go through an independent assessment of 110 cybersecurity practices, but it’s really 320 items if you look at the audit guide, the assessment guide, and I am a certified CMMC assessor.

And the reason that’s important is that there are a lot of people talking about CMMC these days. And there are a lot of people that are claiming to be knowledgeable or claiming to be experts. Many of them don’t have any sort of formal training or certification. And there are some low level, they call them registered practitioners.

And this is where you go through an overview of CMMC and you take a quiz and you get this registered practitioner authorization. It’s not a certification, and it doesn’t really give a lot of knowledge about CMMC. So one of my warnings about CMMC to everybody is be careful where you get your information from, and you want to get it from either a certified professional or certified assessor.

I have both certifications. The big thing about CMMC is people think about it as a cybersecurity requirement, and it’s really an audit preparation requirement, and that’s different, because you have to be able to fully document what you’re doing as an MSP for a defense contractor that’s a client and show all sorts of written evidence and be able to demonstrate your own processes as an MSP, and if you don’t do that as part of your client’s assessment, you’re going to be the cause for your client to fail their assessment. The significance of the final rule is that assessments are now beginning, and we’re expecting to see CMMC in defense contractors in the middle of this year, and it’s going to take a ramp-up period.

Not all contracts will have it, but remember I said this goes back to 2017 when there was a requirement to implement cyber security. That requirement’s still in place. So every defense contractor has some requirement to secure their data. And that’s an opportunity for an MSP.

Erick: Mike, you and I have known each other for many years, and you are no doubt, as Rich mentioned earlier, probably for me the top source of CMMC information and expertise that I know in the channel. And I really appreciate you sharing how you used cybersecurity and compliance as a way to differentiate your organization when you had your MSP practice.

That’s music to my ears as a lot of our listeners know. [00:35:00] What was really interesting in leading up to today’s conversation, Mike, as we were having some email exchange between ourselves setting up the interview, was that you mentioned in one of your emails to us that you were shocked by some of the CMMC misinformation that is being shared.

I’m going to tie it back to some of the comments you just made. Can you give us some examples of some of the typical or more widely spread misinformation and where those misinformation sources are coming from? Is it from some of these folks that are purporting to be CMMC experts and don’t really have the certification training expertise that you do, or are they coming from other?

Mike: It’s a good question because it’s coming from a lot of different places and there are very smart people in our industry who think that because they’re cyber security experts and they have read some things about CMMC that they really understand it. In my journey, I did become one of the original registered practitioners, which means I took about a five hour self paced online course, took this quiz, and it was advertised as this is what you need if you want to be a CMMC advisor.

When I decided that I wanted to become an assessor, that’s a two step process. You have to become a certified professional, CMMC certified professional, before you can take the course, and then you have to pass the test to become an assessor. I took the five day CMMC certified professional class, and what the shock was was what I didn’t know about CMMC when I had been a registered practitioner.

Literally, five hours of training compared to five days of training on the same topic. And that’s where there’s a big area of misunderstanding. And what I tell everybody, that is, that wants to talk about CMMC or be in the CMMC business, whether you’re an MSP or an MSSP or cybersecurity advisor, whatever term you want to use to describe yourself, go get your certified or your CMMC certified professional training.

And that way you’re going to have enough knowledge. If you then want to become an assessor, you can do that, but that’s where a lot of the misinformation is coming from. And some of the information that has come out has not come from the sources, the people that are knowledgeable or say they’re knowledgeable about CMMC.

It’s come from MSPs who literally just can’t believe that the Department of Defense is telling their clients to do certain things. And I’ve been at several industry events recently where this has come up and I was in a meeting in this, during the summer with a prospect, the manufacturing company that sells to the Department of Defense.

And we had a great meeting with their CEO, their CFO, all the right people were in the room and their IT director was walking me to the door after the meeting. Now when you’re at a defense contractor, you have to be escorted. So he was escorting me out. And he said, yeah, I’ve, as soon as you leave, I’ve got to go in and renew my subscription.

And I won’t say the name of the company, but everybody in our industry knows the top backup companies. He said, I need to renew my subscription for this backup company. And I said, you can’t use that backup company to store controlled unclassified information because they don’t meet the federal FedRAMP requirements for cloud services.

And they don’t encrypt their data using FIPS, F I P S, validated encryption, which are two requirements for CUI. And he said my MSP told me that I could do it, and they’re a CMMC Registered Practitioner. Again, that’s that five hour self paced class. And I said to him, I know these regulations because I’m a certified assessor.

And here’s where you can go and validate that this is a requirement. Here’s where you go and find out that FedRAMP is a requirement. And that FIPS validated encryption is a requirement. And let’s go to the website for that vendor. And let’s look to see if they meet those requirements. Now, I happen to know the vendor very well, and I had conversations with that vendor earlier in the year about what they needed to do to meet the CMMC requirements.

And they had admitted they weren’t ready for it. Now that’s not a criticism. That’s just saying that they didn’t have the things in place and that they knew what was on the road map if they wanted to do that. We’re looking at the website. Of [00:40:00] course, there’s nothing on there. And I, and these are two things that if you have those certifications, if you have FedRAMP, you’re going to advertise it all over your website because that really eliminates a lot of competition, and he couldn’t believe it because his MSP had told him it was okay to do. Now fast forward.

I was at IT Nation in Orlando at one of the breakout sessions for CMMC and I was sitting next to an MSP, and we were talking before the speaker started about some of the requirements for CMMC, and I said FedRAMP and FIPS validated encryption, and I mentioned that there was no vendor in the exhibit hall at IT Nation.

And I know you’ve been to that conference and you know how many vendors there are, like everybody in the industry shows up. I said, nobody has that in our part of the industry. Now there are companies that specialize in the defense industry and government contracting that offer those, that level of protection, but none of the commercial products that an MSP uses for backup meets the requirement for CUI, Controlled Unclassified Information.

And the MSP said to me there’s no way the Department of Defense is going to make MSPs change their backup solutions. What? You think the Department of Defense cares what an MSP thinks about a particular backup vendor or another one?

They’ve put these requirements in place for MSPs. And they require them, and I’ll go back and say that if you’re, if you don’t deliver the right services to your clients, if they’re defense contractors, you’re going to be the cause of them failing their assessment. And that could cost between 50,000 just for their assessment.

They are not going to be happy with you.

Rich: So that’s a great segue to something I wanted to ask you about. From an MSP standpoint, CMMC is both an opportunity and an obligation. And we’ll get to the opportunity side of the equation a little later in the conversation, but let’s start with the obligation.

What kind of impact, what kind of burden is CMMC going to impose on the typical MSP? And if you can, break it out, because one of the things I’m curious about is how much does CMMC affect an MSP who, as far as they know, doesn’t have clients within the defense industrial, like they’re not working with somebody doing defense related work.

So what’s the burden on MS MSP, excuse me, and how does that compare if you do or do not support clients who work with the DOD?

Mike: So it’s a great question, Rich, because CMMC really has been tied to the Department of Defense. It is their regulation. However, the way it’s written and the way that it was published in the Federal Register, it’s not just for defense contractors.

Right now it is. So the answer to your, the quick answer to your question is if you don’t have any defense contractor clients or you don’t want to turn that into a business opportunity and get some, then there’s no obligation to you. Having said that, we’re seeing other regulations, such as the new HIPAA security rule that was just published as a proposed regulation that’s adding more requirements to healthcare providers which are dragging MSPs in.

Again, if you’re delivering the services to any regulated client, whether they’re in the defense industry, in the healthcare industry, in financial services, like a business protected or that’s regulated under the FTC Safeguards Rule, and that can be every accountant and lending organization, bank, car dealer that has, offers credit, you know, when you try to get out of a car dealership without filling out a credit application. So when we look at all of these industries, there are requirements for the clients. But the clients are outsourcing to an MSP because they don’t want to own those services.

They don’t want to manage an IT person or an IT department. So again, it doesn’t matter what industry you’re in. If your client’s regulated and you’re not delivering the services according to those regulations, you’re going to be the cause of them failing an audit. Or if there’s an incident, perhaps paying a lot of money and a fine for not meeting the requirement.

Back to CMMC, that you have to ask your clients. And this is something that has not been obvious, and I’ve been in this compliance industry for 20 some years. And we had some clients that came to us that were non profit organizations that [00:45:00] helped people with developmental disabilities. So they came to us for HIPAA because they were dealing with a lot of health information.

They had to comply with HIPAA based on where their funding was coming from, and they got donations, but they also got grants, and they got Medicare and Medicaid payments. So we were helping them with HIPAA. And I said to them, can you tell me about the rest of your organization beyond these residents where people were living that had health care information.

They mentioned that they were making military uniforms. And the reason they did it was that they were able to have this manufacturing company that employed people with disabilities. And that was one of the products that they made. And I said to them, do you have a contract with the Department of Defense?

They had a contract with one of the military branches, so the answer was yes. I said, can I look at the contract? And there was the cyber security requirement for defense contractors at what I thought was a healthcare organization. Because that’s why they came to us. This is something where you need to ask your client, and even going beyond CMMC, these are the same questions we ask every client in healthcare, financial services, manufacturing companies, all sorts of different businesses, to ask if they have any requirements in contracts or cyber insurance policies that we need to know about.

It’s easy to look at a regulation like CMMC or HIPAA or the FTC Safeguards Rule and know what to do. But we’ve seen some really specialized demands in contracts and they’ve signed these contracts and in many cases just filed them away. And when we ask to look at them, we find out they’re not implementing the cyber security that’s in their contracts.

That’s where their money comes from. Back to defense contractors. If you don’t have any, then CMMC doesn’t apply. If you have some that are in a business where you don’t necessarily think they’re working with the Department of Defense, they’re not making military equipment, it’s still worth asking if they do any work with the Department of Defense, because we had another one of the nonprofits that helped developmentally disabled people that cleaned the offices at an Air Force base.

So again, it wasn’t in their like mission statement. We didn’t know that they were doing that. We asked to see the contract with the Air Force. Sure enough, there were the defense contractor requirements. So you may be surprised as part of the answer to your question. Second thing is, if you do have a defense contractor, you need to ask them if they know what level of CMMC they’re going to have to meet.

If it’s level one, there are 15 basic cybersecurity requirements to protect that federal contract information. Not CUI, but the federal contract information, which is literally the information about their contract. Every MSP can do that. Right now, the client will have to do a self assessment, which you can help them with, but it’s just 15 basic cybersecurity things that you’re probably doing anyway, or they should be doing anyway.

And you’re going to help them formalize it in a way to report back to the Department of Defense. No special training, no expensive assessment, none of that stuff. When you get to level two, now you’re in the game. When the original CMMC rule was published, the proposed rule, it said that MSPs, that service defense contractors, were going to need to be assessed themselves.

which was going to add a 50,000 to 100,000 burden on MSPs. When the final rule was published in October, that was taken out. But they did say that if you are an MSP, and they use the term ESP for external service provider, if you’re an ESP, an external service provider, and you bring CUI into your environment, then you are fully, then you have to be fully assessed and pay for an assessment because you bring CUI in.

Who would that be? I know MSPs that don’t resell online backup services because they have built their own backup environment and they don’t want to share the revenue with any vendors. They have their own servers, they back up their clients’ data into their own servers. If you’re doing that, that could cost between 50,000 if you’re backing up CUI, Controlled [00:50:00] Unclassified Information, and that way, you’re part of, you’re going to be assessed independently.

But if you’re not backing up data or bringing it into your own environment, you’re just doing remote support for your client and you don’t bring CUI in, then your services are going to be assessed as part of your client’s assessment. And they literally have gone to the point where they’ve said when you do the network diagram for your client and you’re an MSP, and every MSP I know, and we always use third party services to deliver our vulnerability scans and our patching and our remote management and all that stuff, that the client’s network diagram needs to include your people and your systems that you use to access the client and any third party tools.

That’s on your client’s network diagram. So you’re going to have to be very transparent with your clients about what tools you’re using because they’re going to be assessed for the way you deliver those services.

Erick: Mike, seems like a very heavy lift for the typical MSP if they’re thinking about or even, are worried that they may unintentionally be servicing a client that needs to be that needs to meet these CMMC regulatory requirements.

So you mentioned a little bit ago that it’s tough to find a backup provider that meets some of these requirements. What’s your guidance for MSPs today to look at their own business and determine whether the juice is worth the squeeze, if you will? Is there a kind of a maturity model that an MSP can evaluate their business and their current customer base?

And then maybe even forecast out, okay, maybe I do want to service clients that need to meet CMMC, the new mandate, the regulatory requirements, what do I need to do in my business to prepare for that? It sounds to me like there may be some, a five hour course, a five day course and things like that.

But ultimately, it’s a lot bigger lift than that, right? Because what you just described was I have to expose my entire organization and how I manage data in the, in the best case scenario where we are servicing DOD clients and things like that. Can you give us any guidance or direction on how an MSP should look at their business and maybe start thinking about the decisions they need to make and the investments in time and money?

Leading up to, I think, one of the follow up questions I’ll have afterwards is, kind of the opportunity later.

Mike: So Erick, that, that becomes really the most fundamental question. And I’ve gone to conferences and I’ve had MSPs email me and they’ll say something to the effect I don’t want to work with regulated clients because of the added liability and the extra work that I have to do. Now, the problem with that is that every single business in the United States, in Canada, Europe, most of Asia that you’re ever going to deal with has to meet some sort of cybersecurity regulation.

All 50 U.S. states have a state law that requires social security numbers and driver’s licenses to be secured. Every business has to have social security numbers to pay their employees.

So the first part of the question becomes, if you don’t want to work in the regulate, with regulated clients, you can’t be an MSP. It’s that simple. What does regulation mean? It simply means that you have to deliver your services in a way that aligns with the regulation. It doesn’t mean you have to learn all the regulations.

When we drive, we stop at stop signs, we stop at stop lights, we stay on the correct side of the double yellow line. We look at the speed limit sign. Maybe we aren’t going to do exactly the speed limit, but we’re not going to do twice the speed limit and lose our license. But we can’t recite what those regulations are.

I don’t know what the vehicle and traffic law is for stop signs, or traffic lights, or the double yellow line. I know that I can get hurt if I don’t pay attention to those things, but I also know that at two o’clock in the morning, if I come up to a stop sign and I don’t see any traffic coming from the side road in either direction, I still stop.

And the reason I stop is that I know there’s a regulator out there, which would be a police car, which could [00:55:00] be hidden and could give me a ticket for not stopping at the stop sign, even if it’s not a danger to me, but I can’t recite the laws. So the first thing is, you don’t need to learn all these regulations to be able to support the clients.

If you deliver your services in a way where you encrypt everything, you don’t have to understand the rules in the FTC Safeguards Rule that says you have to encrypt financial data or in the HIPAA security rule that you have to encrypt health care data. Just encrypt everything and you’re helping your client meet that requirement.

Put MFA on everything. When you deliver your services in a way that meets the requirements, you don’t have to learn all the requirements. Sounds counterintuitive, but this doesn’t mean you have to become a compliance expert. What you do need to do is understand the basics of what those requirements are.

Every regulation says that either you have to encrypt something or, if something is encrypted and it’s lost, it’s not a penalty, it’s not a violation. So it’s a carrot and a stick approach. The carrot approach is, if you encrypted, say, a laptop and it got lost or stolen, because it was encrypted, you don’t have to report it as a breach.

That’s a benefit. That’s the carrot. Other regulations will come in and maybe audit your clients and look to see if data’s encrypted. If it’s not, then they can be penalized. That’s the stick. But again, it goes back to if you encrypt everything, you don’t need to know those regulations and your clients will comply.

That is the benefit. That is the basis of why MSPs need to look at what they’re doing compared to what their client’s requirements are. Look at your client’s cyber insurance policy application that asks them questions. Do you encrypt your data? Do you limit access only to authorized users? And think about the documentation you would need to provide, because one of the big things that’s different about compliance from cyber security: cyber security protects data.

We all know that. Implement a good stack and you’re going to protect your client’s data. But when an auditor comes in, or if there’s an incident and they’re being investigated, it didn’t matter what you did for cybersecurity if you can’t prove it with reporting, with documentation. And sometimes these incidents happen months before they’re discovered.

The request will come in, we want to see a report that shows that six months ago or eight months ago, and there was recently an incident where the organization didn’t know that they had been breached for 20 months until the hackers encrypted their data and sent them a ransom note. But the hackers had been in there for 20 months.

The regulators went back and said, we want to see your audit logs for the last 20 months. They didn’t exist. We want to see your encryption reports for the last 20 months. They didn’t exist. Now you’ve got an opportunity, and you don’t need to go out and buy special tools for this, just the RMM tools and the vulnerability scanning tools.

And the network management tools that you’re using today that can print out an inventory today that shows the operating systems that are on the computers or the fact that they’re encrypted with BitLocker or FileVault if it’s a Macintosh. Just having those reports every month will give your client the information that’s needed if they’re going to pass an audit or an assessment.

Now that’s not included in a basic managed service price. And it can take as long to document something as it did to perform the service. So this is a huge opportunity for MSPs to just add documentation as a service to their client, just using the tools that are there today, prove that those systems are encrypted, prove that the systems are running current operating systems, that there’s no unsupported software versions, that the patches have been installed.

All the things that I used to do every day as an MSP were great for securing our clients. But when we positioned ourselves as a compliance business, we added documentation. And here was one of the tricks. We were using firewalls from one of the very popular firewall companies. And there was an intrusion detection, intrusion prevention report that we could print out from the firewall console that we manage for all of our clients.

So we would print out this PDF report, could be a thousand pages because I, incident detection and incident [01:00:00] response, there are hits like all the time when you’re in a business, you’re getting pinged all the time by hackers. So we would print these reports out. I say print with quotes. These were PDF files. We would take the front cover from the firewall IDS/IPS report, create our own front cover to replace it with that said HIPAA perimeter security report, and make that the new front cover.

We sold that as part of a documentation or compliance documentation as a service report. We automated the report. We didn’t have to touch anything after the first time we set it up and said run it every month, other than to change the front cover, and charge more money for our services because we were selling the documentation that they would need for an audit.

That’s how you get in the compliance business.

Rich: Mike, we’ve been talking a lot about the cost and complexity of bringing your own business as an MSP, helping your clients bring their business into compliance with CMMC. Particularly from the MSP standpoint, maybe just to put the importance of being diligent about this into context, you mentioned that if you flunk an audit the client is going to be impacted by that, you could lose that business, but there’s also fines potentially at issue here.

What quantifies some of the potential impact here a little bit if you’re not as diligent about CMMC compliance as you ought to be?

Mike: Quite simply, if you’re not going to be able to meet the requirements, you’re better off telling your clients that you can’t work with them anymore than setting yourself up or setting your client up to fail an audit.

And this is where it’s not something where you can just put a toe in the water. You’re either standing on the side or you’re in the deep end underwater. There’s no real middle ground with CMMC. And the reason for it is that CMMC is based on the NIST Special Publication 800-171 Cybersecurity Framework.

And if you read that, there are 110 requirements in it, 110 practices. But there’s an assessment guide that goes with it, which takes those 110 practices and breaks them down into 320 specific assessment items. You need to be able to prove that you’re doing that. So in the assessment guide, it talks about all the documentation that’s required for the client to be able to prove that you’re implementing the services.

Remember, you don’t exist as far as the Department of Defense is concerned. Your client does. But your client is allowed to outsource services to you and the new requirements that have come out for CMMC say that the MSP needs to be present at the client’s assessment and be able to answer all the questions about the services that they’re providing and be able to document those things.

And be able to demonstrate that the systems are working. As simple as even setting up a new user for a client. You have to prove that your client has authorized the new user. And that you’ve gone through and implemented whatever the steps are to add a new user to the active directory, set them up with email, give them access to things.

But this isn’t just about CMMC anymore because we’re seeing the same types of audit requirements in financial services, in healthcare organizations. Again, this is a big sea change. And CMMC is driving the conversation now. That’s why we’re talking today. But we’re seeing a lot of other industries starting to catch up, realizing that the people in their industry, the businesses in their industry, have not implemented cyber security at the level that it should be.

And I hear MSPs complaining all the time. My clients won’t implement the cybersecurity that I know they need. That’s what I hear all the time. The problem is that they don’t know they need it. And that’s why the regulators are stepping in. I did this 20 years ago, and it’s different today simply because of the sheer volume.

At that point, it was like HIPAA oversaw healthcare organizations. Now we have financial services, defense contractors, and others. The secret to compliance is that almost all of these regulations say the same things with different words. [01:05:00] As long as you do those things, you don’t have to worry about it.

You do have to have a mindset change. One is, you can’t avoid regulated clients, okay? If you want to avoid regulated clients, go to work for McDonald’s and learn how to say would you like fries with that, or go open an ice cream stand, because every business has some level of regulation. We’re seeing different industries cracked out.

The new HIPAA security rule has been proposed for health care that adds a lot of stricter requirements to health care clients and they’re going to enforce these. Because they know that for the last 20 years, healthcare organizations have not implemented the cyber security. I hear it again from MSPs all the time.

Doctors don’t worry about HIPAA. They’re going to have to do because we’re going to see a lot more specificity and the requirement and a lot more enforcement and enforcement doesn’t always come from the regulators. If there’s a data breach of health care information, the lawyers that are out saying that they’ll sue drunk drivers, and if you have a slip and fall at a retail store, they’ll sue the company for you.

They all now have cyber divisions to sue after data breaches. And all they have to do is prove to a jury you were supposed to comply with HIPAA, or CMMC, or the FTC Safeguards Rule, and you didn’t do it. That means you’re liable because you didn’t meet your own industry’s regulations and now you get to go pay these poor victims millions of dollars.

So it’s not always a regulator that does this. But realize that if you’re the MSP whose client is being sued, you’re the one that’s going to be up on the stand. And this has no, nothing to do with the specific regulation. This is just any one of your clients that may get breached. You’re the one that’s up on the stand and you may be saying things like I told my client they should have done this and they didn’t do it.

Even if it’s your services that failed, you could end up being dragged into their mess. So this is a whole different conversation about how you protect your MSP business. But you can’t avoid regulations. It’s not as complex as you think, because you don’t have to learn the foreign language of all like 10 or 15 regulations that may affect your clients.

If you deliver your services in a way that just complies,

Erick: Mike, I’ve been saying that for a long time to MSPs that I work with. It’s, there is no good objection or reason why your clients will not say yes to your enhanced cybersecurity portfolio or a bundle of services, because you’re at too much risk as well as them.

And by, because you’re serving all these other clients, you’re putting all the other clients at risk when A client that is not, has not subscribed to your enhanced cybersecurity portfolio or compliance package, whatever it is that you are now requiring all your clients to say yes to in order to remain your client and they get breached.

Now you’ve got to drop everything that you’re doing to go rescue them. Cause I polled audiences like, we speak at some of the same conferences, and I say, how many of you will, when a client that has declined your program or your portfolio to strengthen or enhance their cybersecurity compliance, how many of you will just let them twist in the wind when they get breached, or how many of you will rescue them? And the overwhelming majority, 99.99 percent, raise their hands and say they would rescue them.

And I say you see what’s happening here is you’ve got to draw a line in the sand. You have to take a stand. It goes back to your comment, Mike, about, if you’re not going to support these regulated clients, then you can’t be an MSP.

I will take that further and say if an, if a client will not subscribe to what you recommend to protect them and yourself and all your other clients, then they should not be your client, right? So there’s the carrot, and the carrot is the opportunity, right? There’s money to be made and there are people that we can help, but then the stick is,

If I don’t move in this direction, I could be at risk, my company, my staff, my livelihood, all of my clients. So it’s a very complicated discussion. And this is like you said, Mike, this is the one thing that we hear a lot from MSPs. There’s too much risk. I don’t want to dip my toe in the water.

Like you said, I don’t think that you can look away, and if you wanna be an MSP, you need to [01:10:00] move in this direction, but let’s give some of the folks, Mike, a little bit of, a little bit of the positive outcome of this. You made a decision in your MSP to move into compliance. You differentiated yourself and grew your practice to address the needs of these clients.

Probably before a lot of us were even thinking about this. What’s the opportunity for MSPs today, Mike and in your estimation, and how lucrative can it be for MSPs to move in the direction that you did and start offering compliance services? And I know I’ve talked to MSPs that say I’m stopping delivering traditional managed services and only doing cybersecurity and compliance services.

So there’s something there, Mike? So what is the big opportunity and how would you influence or encourage MSPs to take a closer look and move in that direction?

Mike: Erick, I’ve been doing this for a long time. Talked to hundreds, if not thousands of MSPs. And one of the things that we’ve done for the last 12 years exclusively, but even before that, was to do cybersecurity and compliance assessments for clients of MSPs that are in the healthcare industry or financial industries or defense industries.

And one of the things we’ve seen is that the MSPs have failed to deliver the services that they should have because they thought they had to learn all these regulations, and they thought that they were delivering the services that they were promising, and that compliance was something different than delivering MSP services.

And one of the reasons that they believe that, and I’m guilty because I worked with some companies that were in this business, was that compliance as a service means that you have to learn a compliance regulation or a bunch of them. And there are companies out there that go to all of our events that are selling GRC tools.

Those are governance, risk, and compliance management tools. And these are software platforms where they take the regulations, and remember that the regulations always include things that the client has to do for themselves and then other things that the MSPs can do for them. What the clients have to do for themselves, it’s as simple as things like physical security and making sure that new employees are trained.

And that the client has to notify the MSP when a new employee comes on board to add them into the network access. But then they also have the responsibility at the end of that employee’s employment to notify the MSP that the person was terminated, to take them out. So there’s always a mix of what the MSP has to do versus what the client has to do.

These compliance tools are expensive and they require MSPs to learn compliance. And I know firsthand, by experience, that a lot of MSPs bought into these tools and they bought into the concept that they should be delivering compliance as a service, but they didn’t realize that every regulation, remember I said that the regulations use different words to say the same things.

HIPAA uses different words about encrypting health information than the FTC Safeguards Rule uses about encrypting financial information, and then CMMC uses different words about defense information. What do we call things that have different words for the same thing? Those are foreign languages.

If you look at every regulation as a foreign language, and you look across your customer base, and I was an MSP in a small market, and then I moved to a larger market, but we still didn’t have any single type of customer that we could focus on to get enough business that we needed. So we were always working with people in financial services, in healthcare, in defense, all at the same time.

If you’re going to manage their compliance, you’ve got to learn all those regulations. But here’s my suggestion for an MSP, it’s as simple as this. Don’t sell compliance services, with N-C-E at the end of compliance. Focus on delivering compliant, with an N-T at the end of the word, services. And if you do that, you’re going to stay in your lane as an MSP.

You’re not going to have to learn the regulations. You’re not going to be managing your client’s compliance. You’re going to be wrapping your technical services in a way that you can say to your client, I don’t care if you’re in healthcare, I don’t care if you’re in financial services, defense contracting, whatever, [01:15:00] we’re going to encrypt all of your devices.

Your phones, your laptops, your desktops, your servers, your portable media, thumb drives, things like that. And by doing that, you’re going to automatically comply. We’re going to turn logging on, access logging, so that we can track what your employees are doing when they open files, and they go into certain records and databases and things like that, because every regulation has that in there.

By doing that, we’re going to make you compliant. And from an MSP standpoint, they don’t have to learn all the regulations. So if you deliver services in a compliant way, I changed my focus this past year from building training courses for MSPs to learn compliance and be able to deliver the compliance management services.

To helping them deliver compliant services, because at the same time we were building out all this training, we were auditing clients of MSPs who were failing their cybersecurity and compliance assessments because their MSPs weren’t delivering what they needed to. And by turning it around and saying to MSPs, just encrypt everything, just turn MFA on, turn logging on, the MSPs understood that language, which, by the way, is foreign to people walking down the street.

When you go to an MSP conference, you realize we’re speaking a foreign language too. But by speaking MSP to them, we showed them, here’s what you need to do, and here’s how you protect yourself through things like what we call a shared responsibility matrix, which is saying things like it’s up to you, the customer, to tell us who you hired and tell us when you fire someone, that’s your responsibility.

Our responsibility is to give them the right access based on what you’ve told us to give people in that role. And then when you tell us they’re fired or that they quit, to terminate that access so they can’t get information they’re not entitled to. This is where we put together a basic training course for MSPs that teaches them how to deliver compliant services.

Not learn all the regulations to deliver compliance services.

Rich: We’re just about out of time, Mike. And there’s a lot for folks to digest here, but before we let you go, what you just said there about the basic training course is a great segue for one thing I do want to give you just a moment or two to discuss, which is that you have a desktop reference guide to CMMC that you’re offering right now.

So tell folks just a little bit about what’s in that and where they can go to get it.

Mike: So first of all, I’ll send you the link to share so that they can click and be able to get to it. The desktop reference guide talks about CMMC. It’s 40 pages. So it’s not just a cursory overview. And it’s from an auditor’s point of view.

It shows you, explains what CMMC is, that it’s an audit process, not a cybersecurity. The Department of Defense actually has a scoring system where they take the 110 cybersecurity practices and they assign a different score to each one, and there are one point items, there are three point items, there are five point items.

If your client goes through an assessment and they miss one of the one point items, they’re allowed to put those on what’s called a plan of action and milestones, a POAM, and be able to get a conditional certification and then go fix that. But if they fail a three point or a five point item, then they failed their assessment.

So we built all of that into this reference guide. It’s free. It explains CMMC. It talks about the audit process, the assessment process. And this is designed both for end user defense contractors, but also for MSPs, so that you understand CMMC, and it’s truly a desktop reference guide. Keep it handy so that when you have to have a CMMC discussion, even if you’re not that much of an expert in CMMC or an authority, go read the guide or read part of the guide before your conversation.

And you’ll be more knowledgeable and you can even bring the guide into a conversation so that you can look things up as you go along. It’s free, it’s a lot of content, and again it’s because I’m trying to overcome this misinformation. I once said that the CM in CMMC stands for confusing and misunderstood, and I’m trying to make CMMC less confusing and less misunderstood.

Rich: Fantastic. We will have a [01:20:00] link to that reference guide in the show notes for this episode. It is a free download, folks. I highly recommend everybody listening now go out and download that and give it a read. Mike Semel from Semel Consulting, we thank you so much for joining us on the show this week.

Folks, Erick and I are going to take a quick break now. When we come back on the other side, we’re going to share some final thoughts about this very interesting conversation with Mike, have a little fun, and wrap up the show. So stick around. We are going to be right back.

And welcome back to part three of this episode of the MSP Chat podcast. That was quite an education in a relatively short amount of time on CMMC from Mike. We really appreciate him coming on and sharing his insights and sharing his knowledge. There are a lot of things that jumped out at me here.

But one thing that I just thought was particularly good and important advice was to explore this issue, the CMMC issue, with a wider cross section of your customers than you might see elsewhere. I suspect there are probably going to be a lot of MSPs out there who are thinking, I don’t work with anybody who is part of the defense industrial base, who does business with the DOD.

I don’t have to worry about it because my customers aren’t doing that kind of work. And that story Mike told, about how it could be a healthcare provider or a hospital that unbeknownst to you is subject to CMMC-related restrictions and obligations and so on. Getting into knowing what to ask and having some of those conversations, even with the customers you don’t think are going to be affected by CMMC, is just a wise precaution.

I suspect most of the time, 80, 90 percent of the time, you’ll determine, yeah, just as we both suspected, you don’t really need to worry about that, but you’re really going to thank yourself about that other 10 or 20 percent.

Erick: Yeah, that was really interesting to me too, Rich. It made me think of, what is it, the seven levels of Kevin Bacon or whatever, where there’s so many different ways that actors are connected to Kevin Bacon in one way or another, but it’s interesting because

that example that he gave about the nonprofit really resonated with me, because one of our verticals at my MSP that we sold back in 2007 was nonprofits, and yes, they have their hands on all kinds of different things that unless you really sit down and explore, you might miss a lot of it.

And we had a really large nonprofit as a client for many years, Rich, and it took me a couple of years to really figure out they had multiple locations and they did all these different things, but to really grasp and understand, and of course, back then I was as mature as I was when we sold the MSP practice, but

it took me a while to really understand everything that they did and to really be able to add that strategic value, which today includes compliance services. I love that. That’s one thing that I took away from what Mike said is moving from compliance services to delivering services that are compliant, N-T, and I think that’s a really

easy pickup for our audience, to evaluate the services that are in their stack and to make sure that they are compliant to whatever these regulatory requirements are, especially CMMC. And one of the things that Mike said that kind of fell into that category was encrypt everything.

If you encrypt everything, all the data, then you’re checking the box off of a lot of these different frameworks, because as we know from having other folks on the podcast, a lot of these different regulatory frameworks have overlap like, yeah, MFA that probably appears in all the regulatory frameworks, right?

Password management. Things like that, having cyber liability insurance, but who knows, right? Maybe that one not, but that’s just good practice, right? Making sure that you as an MSP and your clients have a cyber insurance policy so that at least your portfolio addresses those requirements, but encrypting everything, having MFA, I think are just some of those things that MSPs can go to their clients and prospects and say, look, these are our compliant services.

And I thought that was a great takeaway as well.

Rich: And it’s really interesting because I’ve got a post coming up. In fact, it might be coming out the same day as this podcast. I’m not sure, but I’ve been researching a post for my blog, Channelholic, about GRC services and compliance services and how MSPs can actually get into that in a way that’s affordable and effective and so on.

And I had a conversation, it was probably the last interview I did researching that story just before the holidays, with Matt Lee, the great Matt Lee of Pax8, always a very interesting person to talk to. And I was asking him, how do MSPs get into compliance services, and he basically [01:25:00] cut me off and said, Rich,

they’re already in compliant services because, and this goes straight to what Mike was talking about, it doesn’t matter who you are or what you do, you are subject to some set of regulations and you must be compliant with them. It could be as simple as the cyber insurance policy we were talking about there.

And so Matt was basically saying, at a bare minimum as an MSP, you really need to get your own house in order. You need to make sure that the services you’re delivering are compliant. Compliant, N-T at the end, to use Mike’s terminology there. And a really good way to begin down that path is to encrypt

everything, end to end. There’s so many safe harbor clauses in state data privacy regulations and federal regulations. If everything’s encrypted, you’re not in trouble, even if the customer gets hacked. Yeah, encrypt everything is really good advice that goes way beyond CMMC.

Erick: And what did you think about Mike’s comment, Rich, where he said you can’t be an MSP without delivering compliance services? And I think he mapped it back to being compliant that way. That was a bold statement, but I appreciated what he was saying. It makes total sense to me.

Rich: No, absolutely.

And it sounds like exactly what Matt Lee was saying. This is an obligation for 100 percent of the MSPs out there. At a minimum, your house has to be in order, because if it isn’t and you get breached and your customers get breached as a result, there’s going to be a lot of pain going on.

And Matt told me a story about an MSP he knows who put a lot of time and effort into building a business. He had it up to 2 million a year. And then there was a security problem that could easily have been avoided. And practically overnight that 2 million business just went poof in a puff of smoke.

Those stories are so horrifying. You really just don’t want to be taking that chance if you’re an MSSP or an MSP, excuse me. And yeah, you’ve got to be compliant yourself if you’re going to be in this business.

Erick: Yeah. And the great example that Mike Semel shared with us, it was about, look, if somebody loses a laptop or it gets stolen, you don’t even have to report it because the data’s encrypted.

So you are compliant with that regulatory rule.

Rich: Well folks, that leaves us with time for just one last thing. And this story actually came out about a month ago, Erick. I didn’t really get a chance to work it into the show until now. It resonated with me at least because, like you, I do a lot of traveling.

And I’m a busy guy. So are you. A lot of traveling, very busy, common thread for both of us here. This story concerns a woman from Spokane, Washington, the other end of my home state here, who was arrested early in December for failing to return a rental car. Now this was a rental car that she had rented apparently in Florida late in October. Never took it back. The sheriffs tracked her down basically and arrested her, and what she said at the time of the arrest was, really sorry, but I’ve just been so busy.

I just didn’t have time to bring it back. And you know what, it turns out the sheriffs, they just weren’t buying it. She wound up behind bars. I don’t know, Erick. A lot takes place on the road. It certainly does make getting everything done that much more difficult if you’re doing a lot of travel, but I would say if you rented a car,

that might be something that sorts higher in the stack in terms of getting that car back to the company you rented it from.

Erick: Boy, oh boy, Rich. Yeah, I would agree. And I was very relieved when the car rental agencies started allowing you to just drop the car off, as before that, I’d go in and check in with the car rental agent and stand in line and all that.

But I’m happy to say that now I don’t rent cars as often since Uber and Lyft and these ride share services are so prevalent and so convenient sometimes, but sometimes you just got to rent one. But I do like the ability to just drop the car off and get to my gate, and it all just works that way.

But yeah, folks, rent a car, you got to return

Rich: Another good tip from your friends at MSP Chat: return that rental car. They don’t care if you’re busy. All right, folks. We thank you very much for joining us on the show this week. We’re going to be back again next week with another episode of MSP Chat for you.

Until then, let me just remind you, this is both a video and an audio podcast, which means if you are listening to us, but you’d like to check us out on video, you can go to YouTube. Look us up, MSP Chat. You’re going to find us there. If you are watching on YouTube, but you’re into audio podcasts, go to wherever it is you get your audio podcasts: Google, Apple, Spotify, you name it.

You’re going to find us there too. However you find us, please subscribe, rate, review. It’s going to help more people like you find and enjoy the show. This show is produced by the great Russ Johns. It is edited by the great Riley Simpson. They are part of the team here at Channel Mastered. They stand ready, willing, and able to create a podcast for you.

And podcasts, folks, are a tiny little bit of what we [01:30:00] do for our clients at Channel Mastered. If you wanna learn more about the company, go to www.channel master.com. Channel Mastered has a sister business called MSP Mastered. That is Erick working one-on-one with MSPs to help them grow and optimize their business.

And you can learn more about that at www.mspmastered.com. So once again, we thank you for joining us. We’re going to see you in a week’s time. Until then, folks, please remember, you can’t spell channel without MSP.
