DoctorMac

Ryan Bonner on working with your MSP on CMMC

Ryan starts off by talking about the borrowed time from 2017 to 2022 and suggests we need a shared language with MSPs. We learned about the covered contractor system. Contractors read the reqs and say, "That is my MSP who does that."

Primes also sent out a questionnaire and said get an SPRS score or get dropped.

Do MSPs know about the 7020 clause? Do they have time to read 171 and the supporting documents?

We have to think about the MSP as a traditional supplier.

Plan, Do, Check, and Adjust. Manufacturers work under quality assurance.

They work in a closed-loop system. Everything is verified. You must plan before you perform. If you look at the CMMC assessment guides, almost all practices start with a governance objective, followed by a procedural objective.

After Plan and Do, you now have to put more emphasis on Check: which assets can make this happen? There are three asset types in the scoping guide. You can start there: Person, Technology, or Facilities.

Describe the work once you have decided on the asset that will do the objective: procure software, configure baseline.

Lay out the actions in a simple list with an MSP.

Then use a RACI model with your MSP. The MSP may be responsible for something, but the RACI matrix will show whether they need to check on a team.

Then decide on when you do the security assessment. The assessment checks whether the controls are in place and working correctly.

Then think about tier 3, tier 2, and tier 1 support. When we talk CMMC, the tier 3 people at an MSP hop right on. They know what to do but can't explain it. They will also get hired away.

Tier 3 should focus on policy, tier 2 on the standard, and tier 1 should focus on specification.

They can ask, "Am I currently connecting to a server?" You have to get to this level.
