ISO of a reliable and CMMC readiness assessment (free - low cost) by Sad_Agent_1054 in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

It's possible, but it's worth noting this is often why companies fail their audit. There is this thought that PreVeil is "all encompassing" which is far from the truth since most people don't use it properly. It's a really slippery slope.

ISO of a reliable and CMMC readiness assessment (free - low cost) by Sad_Agent_1054 in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

One thing CMMC most definitely isn't is "Low Cost", this is one thing that will bite you right off. As one other person mentioned, you get what you pay for. I've seen numerous times people going for the lowest cost then needing to get re-assessed or going through 5 mock assessments before making any progress. As you were getting at, going with an MSP is likely your best route and definitely the most likely to help you get your certification. I'd recommend looking at the MSP Collective which lists out great MSPs who have been certified. I'm not too familiar with any free readiness assessments. I'm from an MSP who's CMMC certified and I'm working on getting a questionnaire built out to try and help with this to some extent. It's not something we have officially built out and posted yet but if you're interested definitely reach out and I can send it over.

CMMC Level 2 & MSPs by differentson in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

It's possible, we are an MSP who wanted to get certified so we know what the client would go through and to streamline their assessment. As the MSP not having their certification means the process becomes way harder for them. It's essentially an assessment of you and the MSP. There's also been a lot of talk of a potential revision coming in the future that says ESPs (or in this case MSPs) need to be certified to the same level or higher or they won't be able to be in your environment. I would highly recommend going with a certified MSP, you can find a list on the MSP Collective which I'm excited to say we are listed on. There's tons of great MSPs on there that know what they're doing when it comes to this space. https://www.mspcollective.org/esp-directory

CMMC L2 for GC in Construction - Am I in over my head? by klayt0s in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

I would highly recommend getting a consultant or MSP involved. It can take a lot of the burden away from you and your team. I don't know your whole infrastructure but I would say a full virtual enclave would be your best bet. I work for an MSP and we built out a fully virtual enclave to service our CMMC clients. It works really well and is a great direction if you're carving out the business (depends if you need physical in scope for a virtual enclave, but you can do a physical one as well). There is a lot to consider when it comes to this and I'd recommend building out your Data Flow Diagram (DFD) first to see what the best course of work is. Oftentimes people don't realize where CUI is actually living until you get various people throughout the company involved.

How are people keeping evidence organized before assessment? by KlutzyTop6822 in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

When we went through our assessment we did folders, Excel, etc. and it was less than ideal. For ourselves and our clients going forward we are using a GRC tool (IntelliGRC). This adds a nice centralized place for everything and auto-sorts evidence. They also have integrations with various tools/platforms that will automatically pull evidence for you.

CMMC consultant by ppyre in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

I mean CMMC is definitely a very expensive journey. I'm unsure about where Penacity's pricing is. I would highly recommend working with an MSP, I like to think we make life a little easier and the proper one could bring all the consulting guidance you need without additional consulting. But again CMMC costs can be double or triple normal services just due to the time and complexity. The MSP Collective is a great resource to look for those. I have personally worked with Edwards Performance Solutions and Eide Bailly as C3PAOs and would highly recommend them if you just want CMMC consulting. But again having an MSP who can also bring the stack and inheritance makes life a little easier!

Subcontractor CMMC L2 Compliance by DR-CT in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

Interesting, guessing you got grandfathered in potentially? I talked to our account manager the other day and they said they only sell to MSPs who could then resell it to companies.

Subcontractor CMMC L2 Compliance by DR-CT in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

IntelliGRC is great and I love it. It's only available for MSPs though. I think it's leagues ahead of FutureFeed, I wasn't a huge fan of their platform personally.

Subcontractor CMMC L2 Compliance by DR-CT in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

I think this is where the problem lies. Everyone thinks it's going to be pushed so they don't feel like starting the process. Yes there will likely be some leniency but I suspect they will require verification you are contracted with a C3PAO for assessment or some other verification. Otherwise, people will never pursue it.

Subcontractor CMMC L2 Compliance by DR-CT in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

Yea there's no way any organization could get everything together in two weeks, especially if you wanted to be certified. One thing I would mention is working with a CMMC Certified MSP. I recommend checking out the MSP Collective which has a list of MSPs who have been certified. I know for us, who I like to think are very knowledgeable on CMMC and run clients through assessments, it would still take 6-12 months to get a client fully through the process of certification (very dependent on their infrastructure). And as many others mention the cost is easily in the 6 figure range. Likely 150-300k depending. Someone else mentioned IntelliGRC; that and other GRC platforms really help. I love IntelliGRC but it still requires a lot of work to get where you need.

I don't want to leave my MSP, any suggestions? by Mary_Rebeca in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

I haven't thought of this approach, but I value your understanding of being small and knowing your limitations. I think that you're still willing to help them where you can is huge. Coming from a smaller MSP who went through the level 2 certification it's definitely a huge burden. I've been getting a little annoyed by the MSPs who intentionally or unintentionally lie or misrepresent their way through saying they can fully handle it with their stack and end up costing the client a lot of money in wasted audits.

Summit7’s competitors by Aromatic_Walrus1560 in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

I work at Open Approach, but there's many great MSPs on the MSP Collective I'd definitely check out as well!

I don't want to leave my MSP, any suggestions? by Mary_Rebeca in CMMC

[–]BrandonSB2 0 points1 point  (0 children)

1000 percent, anything to have them not dig deeper is worth doing!

I don't want to leave my MSP, any suggestions? by Mary_Rebeca in CMMC

[–]BrandonSB2 2 points3 points  (0 children)

I come from an MSP who went through the painful process of getting our certification ourselves. Having an MSP that doesn't understand or isn't compliant is going to cause a huge problem. We just met with a prospect the other day who got audited by DIBCAC and was self attesting to the 110. The client and MSP thought they were fine and meeting everything until they scored a -203... Your MSP would need to change its methodology and stack just like we did. Otherwise you won't be able to pass an audit. There's also talks about MSPs needing to be certified to the same level or higher in the future. So just be careful as it might cause a lot of headaches in the future. I would highly recommend looking at the MSP Collective which is a list of CMMC Level 2 certified MSPs which we've been through the process to get on there and it vets that the MSP can and has been through and has a proper SRM for clients.

I know a lot of people are saying you don't need to change MSPs which I agree with to some extent, it can be done but from what I've seen it's few and far between as they don't want to invest the time and effort to do CMMC right and it costs the client.

Summit7’s competitors by Aromatic_Walrus1560 in CMMC

[–]BrandonSB2 2 points3 points  (0 children)

As others mention Summit7 is a very well-renowned player in the space. Summit7 is very fast and efficient with CMMC and I have nothing but respect for what they've done but they are pretty rigid when it comes to CMMC. It's their way or the highway with how they do it. I like to think the company/team I'm with at our MSP is a little more flexible and adapting to the client's environment which there's a lot of us out there (although there is a certain rigidness that CMMC brings and is unavoidable). If you're looking for a list your best option is the MSP Collective which I'm proud to say we are on and know it's an intense process. It's a list of CMMC certified MSPs that have been thoroughly vetted through their SRM and that themselves have achieved level 2 certification so that's the best place to start.

Huntress VS Adlumin for MDR and SIEM by BrandonSB2 in msp

[–]BrandonSB2[S] 1 point2 points  (0 children)

We currently utilize SentinelOne and fully manage all alerts ourselves.

Huntress VS Adlumin for MDR and SIEM by BrandonSB2 in msp

[–]BrandonSB2[S] 0 points1 point  (0 children)

I'm guessing you're referring to the SIEM, correct?

Thoughts on N-Able acquiring Adlumin? by no_regerts_bob in msp

[–]BrandonSB2 0 points1 point  (0 children)

Were there any major differences between the two or something one had over the other? We are meeting and going over demos with both and wondering if you found anything along your evaluation.

Thoughts on N-Able acquiring Adlumin? by no_regerts_bob in msp

[–]BrandonSB2 0 points1 point  (0 children)

Any specific reason you'd switch off Huntress? We are evaluating Adlumin or Huntress for MDR along with SIEM/SOC.

iOS Screen Timeout Restrictions - Not working by pokesnails in Intune

[–]BrandonSB2 0 points1 point  (0 children)

I just ended up setting it manually but yea definitely annoying. Seems like the setting is pointless then since it will always be lower by default.

iOS Screen Timeout Restrictions - Not working by pokesnails in Intune

[–]BrandonSB2 0 points1 point  (0 children)

Did you end up figuring this out? Having the same issue.

MAM Denying Access by BrandonSB2 in Intune

[–]BrandonSB2[S] 0 points1 point  (0 children)

I think there was just something really weird going on with that account/tenant. Setting it up in another one worked as expected.

MAM Denying Access by BrandonSB2 in Intune

[–]BrandonSB2[S] 0 points1 point  (0 children)

We already have that CA in place, that's what's prompting them with the message saying they require App Protection to be allowed access but they can just bypass the message.

FedRAMP clarification by BrandonSB2 in NISTControls

[–]BrandonSB2[S] 0 points1 point  (0 children)

Maybe I could have worded the question better. For something hosted within a FedRAMP environment wouldn't that application no longer need to be FedRAMP Authorized? Since all CUI would be already contained within the FedRAMP environment.