MSPs: Ready for CMMC? (EP 927)
Khanh Tran, CEO of Biorn Cyber Group, joins Uncle Marv live at IT Nation to break down the latest CMMC compliance changes, what these mean for MSPs, and why cyber hygiene and technical controls matter more than ever. Listeners get firsthand insight on costs, partnership models, and why boutique cybersecurity solutions are gaining traction.
Presented by Thread — the AI-powered service desk transforming MSP support, automation, and productivity for today’s IT leaders.
https://www.itbusinesspodcast.com/thread/
Recorded live at IT Nation Orlando, Uncle Marv sits down with Khanh Tran, CEO of Biorn Cyber Group, to break down what CMMC compliance truly involves for MSPs, from level distinctions to remediation hours and policy controls. The conversation covers the evolving complexity in cybersecurity requirements, why veteran-led organizations stand out, and how boutique services can empower small/medium businesses without breaking budgets. Key resources like IntelliGRC, FedRAMP compliance, and the importance of integrity in cybersecurity consulting are discussed in depth.
If you want to future-proof your MSP with up-to-date cybersecurity compliance, tune in to this candid IT Nation interview. Khanh Tran’s practical wisdom on CMMC, cost realities, and building partnerships offers game-changing insights.
Why Listen
- CMMC explained—what MSPs must know now
- Real-world examples of primes and subs navigating compliance
- Level One vs Level Two: actionable insights and hours required
- FedRAMP, technical controls, and trusted enclaves demystified
- Cost breakdowns for staffing, outsourcing, and risk management
- RPOs and integrity: how to choose the right cybersecurity partner
- Veteran leadership story—servant leadership and mission-driven hiring
Links from the show:
Mentioned Entities
- Biorn Cyber Group: https://biorngroupcyber.com
- IntelliGRC: https://intelligrc.com
- NIST: https://www.nist.gov
- FedRAMP: https://www.fedramp.gov
- Senteon: https://senteon.co/
- Goo Goo Dolls: https://googoodolls.com
SPONSORS:
- Livestream Partner, ThreatLocker: https://www.itbusinesspodcast.com/threatlocker
- Legacy Partner, NetAlly: https://www.itbusinesspodcast.com/netally/
- Internet Provider, Rythmz: https://www.itbusinesspodcast.com/rythmz
- Production Gear Partner, Liongard: https://www.itbusinesspodcast.com/liongard
- Travel Partner: Bvoip: https://www.itbusinesspodcast.com/bvoip
- Travel Partner: TruGrid: https://www.itbusinesspodcast.com/trugrid
- Digital Partner, Designer Ready: http://itbusinesspodcast.com/designerready
SHOW MUSIC:
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Author Username: AlexanderRufire
- Item License Code: 7X9F52DNML
SHOW INFORMATION:
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
- Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ
- Become a monthly supporter: https://ko-fi.com/itbusinesspodcast
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, and as you can tell in the background, we are recording live at IT Nation in Orlando. This is technically pre-show, and people are still setting stuff up, and there are stages and signs and stuff, so you're probably going to hear some stuff in the background, and as you know, I don't edit, so what you hear is what you hear. So I am joined by somebody new to the show, they just walked by and said, hey, we need to be on that show, and I said, absolutely.
I have with me Khanh Tran, the CEO and co-founder of Biorn Cyber Group, and they specialize in cybersecurity and CMMC, so we're going to chat about that. So Khanh, welcome. Thank you, Marv.
Thank you. So I was just walking by, and I was like, hey, Marv, can we just sit and talk? We sure can. Yeah, so why not, right? All right.
Why not? So let me first get some logistical questions out the way. All right. You've been in the business a while, is this your first IT Nation, or many IT Nations? Oh, this is our first.
First, okay. Yeah, we have partners that we work with that invited us, and we're like, why not, right? That's what we do. So why not just come to this event and see what it's about? I'm really excited, because a lot of people don't know, I'm originally from Alabama, so 3 Doors Down and Goo Goo Dolls, my favorites.
And here I am, I'm going to see one of the two, so why not? So are you in Alabama now? No, I'm in Charleston, South Carolina. Oh, okay. Yeah.
That's a nice move. Yeah, it's not bad. You know, I spend a lot of time around the world, and somewhere along the way, we ended up in Charleston, South Carolina.
Okay. Is that the home of Hootie? Yeah, Hootie. Hootie.
I actually know somebody that's cousins with Hootie, so I keep on telling her to introduce me, but she's like, I got it, I got it, but she never does. So I never met Hootie, I'm very disappointed. LaSondra, if you hear this, I'm very disappointed.
Very disappointed. All right. And so how long ago did you get invited? We got invited last week, actually.
Okay, so was that enough time to book a plane ticket and do all that, or did you drive? I drove. Really? I was just like, you know, things are happening really fast in the CMMC space, right? November 10th is when CFR 48 goes live. Okay.
So I've been really busy, even while I was driving. Don't tell the cops this, but I was on meetings, meetings all the way down here. As long as you're hands-free, you're okay.
Yeah, my hands are free, right? I was like, as soon as I get out of South Carolina with a hands-free law, as long as I had my headset on, life was good. Let's go ahead and talk a little bit about CMMC, because I'll be honest, that acronym gets thrown around a lot. Most MSPs have nothing to do with CMMC, at least in my understanding.
I don't. And everybody tells me I got to be CMMC certified or all of this, I'm like, none of my clients do. Yeah.
So tell us about that and what made you decide to focus on that? See, CMMC is more in the DoD space, right? If the government tomorrow changed to DoW, then it'd be the DoW space. But today is the DoD space. And it's basically working towards cybersecurity compliance, mostly when it comes to data like FCI and CUI, or federal contracting information or controlled unclassified information.
I think I started this back in 2018, 2019, I worked with a large prime. And from there, we built what that CMMC part of the organization was going to look like. And from there, I realized that there's a lot of organizations out there, a lot of MSPs, a lot of ESPs in general, that are just throwing around CMMC, but do they really know what it was? Working with a prime, one of the things I learned is, you know, there's more to it than just meets the eye.
And I'm very excited about it. Because when I was working with a prime, if we talk about primes today, the Boeing's, the Raytheon's, the Lockheed's and everything, they fight out in public, right? You know, just, and it's all about competition, and I consider it friendly competition. Right.
But to be able to see all these primes come together, when it comes to CMMC and have the discussion and really hash it out of what CMMC is about, it brings that connection, unity, the symbiotic relationship of organizations of primes into the ecosystem. Okay. Now, let me ask this question for clarification, because when you say, you know, it's related to DoD, is it true that DoD can extend, you know, not just to the primaries, but to other organizations that have a connection to DoD? So companies that are supplying DoD? Yes.
Not COTS, straight out of the shelf. It doesn't, there is a non-applicable side to it today. Okay.
We don't know what it's going to look like tomorrow. But the idea is a lot of these primes, when you're talking about subs, there's hundreds of thousands of subs, right? So these subs are gaining this information, these FCIs, this CUI information, data, technical data, drawings, how to build certain specific things for the DoD. If they receive that type of information, then the prime will now push it down to their sub that they're either required to be a level one, a level two, self-assessed, or a level two, you know, certified.
So if you looked in the news and you looked in LinkedIn the last couple months, you've seen that the Boeings are throwing it down. The Lockheeds have been throwing it down saying like, hey, if you're a sub with us, you have to be level two. But everybody is doing a tactic where, hey, you have to be level two by November 10th.
And it's not true, right? It's a slow rollout. You have to be level one by November 10th, but your prime is the one that dictates if you're required to be a level two, self, or just certified. And it depends on what type of information you have and how much security that needs to go around it, right? If they believe that they want you to be level two, then you need to start really taking it seriously or else you won't get the contract or won't keep the contract.
All right. Now, let me ask you a question between level one and level two, because for some reason, I get the feeling that level one, at least from my understanding, was all about cyber hygiene. Yeah.
So what makes level two that much more? So level one is cyber hygiene. It's 67 objectives versus a level two being 110 control groups, right? So of the 110 control groups, it's 320 objectives. And now you're getting done with cyber hygiene and you're building in that technical piece, right? How are you doing it? How are you configuring your Microsoft GCC, your Google FedRAMP? Are you using enclaves? Are they respectable and do they have the body of evidence? We see a lot of organizations today, mostly in the CMMC space, and we see them here at IT Nation.
A lot of our partners like IntelliGRC and Senteon, they are doing things like going through the FedRAMP equivalency, right? Having that body of evidence to show that they're really into it, right? They really believe in it. And this is where they focus for their clients. Versus you see a lot of organizations out there that are not doing that.
They're not doing a level two. They're finding loopholes to just say, hey, I don't need it. Great.
You don't need it. But then now the client's asking you, do you care enough about me to go and create that body of evidence to make sure that I'm that extra safe? Versus, hey, I'm just a number to you. Interesting.
So you said that you got interested in this, you know, 2018 and stuff, but when did you start Biorn? Biorn was started in 2019. We were in all and consulting and project management on that side. 2021 was when I came in and I decided I really wanted to do something that I'm really good at and have a really good understanding of and be an advocate for it, right? I think the word is either champion or evangelist.
So I like champion because the other one sounds too angelic for me. You don't want to be considered an angel? I'm not an angel by any means, right? But I think whenever I came in, I wanted to create something for the SMB, the small and medium SMB, but I get a lot of requests for primes and I'm like, I'm okay. I came from a prime.
So if you're chasing 530 subject matter experts all around the world for evidence, artifacts, I don't think five or six is going to hurt me at all. It's a complexity depending on different organizations, but small and medium, they really need the help and we do try to find different ways to really give them that boutique feel, right? With a customizable what they need, just like one of the big fours or a big organization, but then we price it accordingly instead of asking you to pay $50,000, $150,000 a month to get into compliance because small and medium SMBs, there's no money for it. Well, it's a lot harder, that's for sure.
But one of the things that when we first started talking, you mentioned that you help a lot of MSPs. So my question is going to be, most MSPs that are dealing with CMMC, where do they go to get that initial help? Do they find somebody like you or can they go to an organization that teaches about CMMC? There's many routes to it, right? You can look for a learn-together program; CyberAB has that branch side for learning how to do it. But I was talking to a company last night and one of the things that really hit me was that they're pricing their clients, really helping the small and medium SMB, but they're not really thinking about their self-worth, right? Because CMMC is not something that you just, it's a check mark and move along.
It's continuous, right? And every year you have to self-assess. Every three years you have to assess again, certify again. The initial start point is from scoping the gap, getting your scope right, getting your gap right, and then remediation.
If you're truly remediating and using technical controls and using technical tools and tech stacks and also policy procedures, each control could take five to 10 hours, right? But their models are wrong. They really don't understand what it takes. I've seen organizations, the piece we work with, that we're pricing at 30 hours for remediation.
I mean, if you take that 110 and you say five hours minimum, yeah, 30 hours is not going to do it, right? You're not just trying to check mark something. You're trying to not only get into compliance, but teach the OSC what compliance is, right? Why they're doing it. What are they protecting by having this tech stack versus that tech stack? And if they're too big, should they minimize their scope? And if you don't do it, you just spend money and waste money.
Right. Now, here's the question on length of engagement. Because if you're talking about those scopes being five hours each, there's also the education component with going through with the customer, why do this? Why do that? Making decisions.
Yeah. It sounds like we're talking about months. It depends.
Okay. It depends. We've seen a lot of ESPs out there or cloud service providers that can make life very easy.
They remove all the technical piece from the client themselves and they own them, right? One of our organizations we like to work with is QuickTrack, right? Eric Power and George and this team over there are great. One of the things we do is their CSP, they've done the FedRAMP equivalency, they own the enclave, right? That means you're not taking on the enclave, you're taking on the permissions portion of it, right? Administrative permissions. Of, hey, I need so-and-so on and so-and-so off of it.
But they take on that burden. A lot of organizations, if you're small, you don't need an IT team, right? IT teams cost. Think about it.
If you have one IT person and you're paying them like $125,000 a year, now really work the math on the back end, you're actually paying around like $200,000, $225,000, right? With insurance, 401k and everything else. Take that. And then now if you have an organization that's just charging you like $400, $500 a month and they take the risk, then what are you paying for? You're paying $60,000 of 10 people or are you using $225,000 to pay for one person that is overwhelmed because he's like, or she is like, I don't know where to start.
I'm just an IT person. Okay. How many people are with your group? We're 11 right now, but we're growing.
We are homegrown organic, so every one of our CCAs and CCPs are learned from our nonprofit side, Tassel, Technology at the Spine of Servant Leadership. And then as we grow them over there, we bring them over. And so we have a dedicated team that we have a mission.
We all enjoy each other and a lot of these conferences and a lot of these meetings and stuff. One of the things I want to express of who we hire, we're SDVOSB. So we hire veterans.
So a lot of our staff are veterans. And I've been in the Middle East myself for a long time contracting. And I realized that, you know, with veterans, we just want to find a home, right? We want to find an organization that respects, loves us and give us that camaraderie that we miss when we're in the military itself.
Right. Certified Service-Disabled Veteran-Owned Small Business, SDVOSB. And since you're also registered as a CyberAB Practitioner Organization? Yes, yes.
So with the Cyber Practitioner Organization, a lot of organizations out there, they say they do the CMMC. If you get a consultant organization to do your CMMC, something goes wrong. They're like, oh, hands off, you know, not my fault.
The thing about CyberAB and the RPO program, right, the Registered Practitioner Organization program, is if we screw up, if we mess up along the way, that's our reputation. That's the integrity that we put out there. If an organization feels like we're not doing a good job or we're trying to cheat them or something, then we're bound by the COPC, or the Code of Professional Conduct, inside of CyberAB, where we could either lose our license or, you know, just like really just get shoved out of the ecosystem.
And that's something we don't want. And I think if organizations are out there looking for consultants, they should look for RPOs because we're bound by something where if we're not good, then we lose our license. And then that means a lot to me because our organization is based around my morals, my values, and it's about trust and integrity.
All right. I want to do something that I should have done at the very beginning and tell everybody how to spell your company name. If you're looking in the show notes, it's there, but it's Born, B-I-O-R-N, Group Cyber, not as in Jason Bourne with the Bourne, I can't think of something.
It's like Biorn, but without the J, two dots, it's just Biorn. Biorn. All right, Khanh.
So the website, is it simple? biorncybergroup.com? biorngroupcyber.com. biorngroupcyber.com. Biorn Group, Biorn Group Cyber, yeah, and a lot of times, if you're looking for us, a lot of the initial 34 C3PAOs, the certified third-party assessing organizations, they'll recommend you to us anyways. We do a lot.
So start there. Yeah, we do a lot with OSCs, but we haven't talked about what we do with MSPs. And a lot.
Yeah, I got so caught up in all the acronyms and the other stuff. Yeah, I started to ask you, but yeah, for MSPs, what can you help with? So we've seen a lot of MSPs get into the CMMC space, right? The clients are leaning that way. They need it.
They have 5,000 endpoints. They have 10,000 endpoints. They have 30,000 endpoints.
But at the end of the day, do they have the manpower to do it? Right. We find like a lot of surges and a lot of overflows. That's where MSPs come out to us and say, hey, can you come in and do the gap and scope? And how long does it take, right? Can you come in to take over policies and procedures and, you know, just really bring them in? Our CRM, Customer Responsibility Matrix, our SRM, Shared Responsibility Matrix, and build it into your application, your GRC tool, which, and let me just throw it out.
They're here for IT Nation's IntelliGRC with Aussie. So, you know, just that's what we use exclusively. So we're really excited for that partnership.
I had a question about MSPs, but I'm thinking it's probably too basic. Yeah. Because a lot of us get stuck on CMMC, the NIST stuff, 800-171.
Yep. Doesn't that fall under CMMC? Yes. That's the same thing.
So originally, CMMC was based on five foundational and you were talking about one of them was cyber hygiene and the five levels. And it was created to be an offset of NIST, right? But not NIST 800-171. But I guess somewhere along the way, there was a realization that, hey, we can't do the basics.
Why move on to something else? Right. Why have a new type of, you know, framework in place? So the revision tool came out and it was based on NIST 800-171. OK.
So if you're an OSC and you're trying to learn how to do this, you can also Google NIST 800-171A and it really helps them identify, you know, what kind of policy procedures need to be in place per control and what type of evidence artifacts. OK. All right.
Got that straight away. Very nice. So now let's go back to a couple of simple questions.
You got invited here. Yep. So do you have any expectations out of the conference? You're going to go visit any parks? What's going to happen here? So, well, we met some MSPs a while ago and I didn't realize today we're not going to start at 6.30. So we're going to go and network over the golf course.
Oh, there you go. Makes a relationship. Yesterday when I came in early, it was like golf course and we met printer MSPs.
We have other type MSPs and it's been really good at this conference so far because, and again, CMMC is like a shiny new name that's been thrown out there, acronym that's been thrown out there since, you know, two months ago when everybody's realizing that November 10th is CFR 48. So it's, I mean, the jacket says it all when they come to us and ask, are you ready for CMMC? And then organizations say, Hey, yeah, a lot of our clients are looking for it and we want to keep our clients. So they want to find that partnership to work with and grow with along the way.
All right. Khanh, I hope that you enjoy your trip down here. I'm assuming you've been to Orlando before, right? Oh yeah.
I have three kids. We love Orlando. Of course.
It's like daddy's time in Orlando for Universal. But you're not here with the kids this time, are you? No, no. They're like, daddy, are you on vacation? I'm like, oh, I'm working.
You're going to go visit the rides that you couldn't do while you had them here last time. There you go. All right.
Khanh, it was nice to meet you. Thank you for stopping by and we'll have information for people to contact you at Biorn Group Cyber and have fun here. Thank you so much, Marv.
You too. All right, folks, we'll be back with more from IT Nation here in Orlando. See you soon.
Holla.
Khanh Tran
CEO
Khanh Tran is the CEO of Biorn Group Cyber, a leading Registered Practitioner Organization (RPO) within the Cyber-AB ecosystem, specializing in CMMC. With over 25 years of industry experience in aeronautical and manufacturing backgrounds, Khanh serves as an evangelist in the Governance and Compliance space, focusing on assisting small to medium SMBs in understanding CMMC and their options. He has extensive compliance experience in both government and commercial sectors, working with well-known Prime organizations. Khanh regularly collaborates with senior leadership to develop strategies, mitigate risks, and improve service quality and delivery of CMMC compliance.
Outside of his cybersecurity career, Khanh is dedicated to fostering career development and mentorship opportunities for community members and transitioning veterans in the GRC field. He is also an active advocate for STEM programs in schools and supports children on the autism spectrum.