Ryan Bonner on working with your MSP on CMMC
Ryan starts off by talking about the borrowed time between 2017 and 2022 and suggests we need a shared language with MSPs. We learned about the covered contractor information system. Contractors read the requirements and say, "That is my MSP; they do that."
MSPs work in a closed-loop system: everything is verified, and you must plan before you perform. If you look at the CMMC assessment guides, almost every practice starts with a governance objective, followed by a procedural objective.
After plan and do, you now have to put more emphasis on check: which assets can make this happen? There are three asset types in the scoping guide, and you can start there: people, technology, or facilities.
Once you have decided which asset will carry out the objective, describe the work (for example: procure software, configure the baseline).
Lay out the actions in a simple list together with your MSP.
Then use a RACI model with your MSP. The MSP may be responsible for something, but the RACI matrix shows whether they also need to consult or inform another team.
Then decide when you do the security assessment. The assessment checks whether the controls are in place and working correctly.
Then think about tier 3, tier 2, and tier 1 support. When we talk CMMC, the tier 3 people at an MSP hop right on. They know what to do but can't explain it. They also get hired away.
Tier 3 should focus on policy, tier 2 on the standard, and tier 1 should focus on specification.
At that level they can ask, "Am I currently connecting to a server?" You have to get down to this level of detail.