Axiom

I don’t usually re-share my posts (Linked in the comments below), but I truly believe this episode is worth it. How often do you see competitors in the same space come together to openly share their experiences? The contrast between Andy Sauer and me in our journeys is fascinating. Axiom started in 2002, while Sentinel Blue launched in 2020 but from day one, Andy built his company with CMMC readiness in mind. Meanwhile, Axiom began pivoting in that direction in 2020. It’s incredible how two companies can arrive in the same space from completely different starting points. If you’re an MSP considering entering this space, this episode is a must-watch. And if you’re a company selecting an MSP, getting a behind-the-scenes look at the challenges of running one will be invaluable in your decision-making process. Check it out and let me know your thoughts! Also, Kaleigh Floyd and Andy Sauer, took a shot at AI generated image and this is what I got. MSPs for the Protection of Critical Infrastructure, MSPCyberX #CMMC #MSP #NIST

Episode 12 is out now featuring Andy Sauer ??? Two MSPs: Axiom and Sentinel Blue Two business owners talking about how they prepared their businesses for CMMC Level 2 and how they get clients ready. ?? I consider it an honor to share the field with Andy and his team. In many ways, we are competitors. But this ecosystem needs implementors and we're in this together! We both have the same goal, and I loved hearing how his team is climbing it. If you're an implementor in this space, definitely check this episode out! Link in the comments below ??

Merry Christmas to all... And on the twelfth day of CMMC, my assessor gave to me... ?? Twelve controls a-controlling ?? Eleven plans a-planning ?? Ten scans a-scanning ?? Nine patches patching ?? Eight logs a-logging ?? Seven backups running ?? Six training sessions ?? Five incident reports ?? Four access controls ??? Three risk assessments ?? Two-factor authentication ?? And a policy for cybersecurity Full article below ??

Tomorrow is CEIC EAST and we’re stoked!?? Our team has been here since Monday learning from Edwards Performance Solutions and it has been great to connect with so many of you already. Ready for tomorrow???? Bobby Guerra and Adam Evans, CISSP

Preparing Axiom for a CMMC Level 2 assessment in January has been the hardest business task I’ve ever undertaken by a huge margin—nothing else even comes close. You might find it surprising, but the real challenge isn’t just getting Axiom ready for Level 2 certification; it’s building a complete, integrated system that encompasses Axiom's infrastructure, the shared matrix between us and our clients, and the client’s own system as well. We’ve developed this as three separate components designed to work together. Rather than requiring clients to use a dedicated virtual environment like AVD, we build their GCC/GCC High container around their existing environment, leveraging our upcoming Level 2 certification. Our goal is to allow clients as much flexibility as possible while ensuring scalability as we expand to support more clients. Typically, an MSP takes on the responsibility for a majority of NIST 800-171a requirements, so it’s critical that they fully understand these standards. That’s why I recommend choosing a Level 2-certified MSP. It demonstrates the competence needed around these requirements and underscores why selecting the right MSP for your CMMC journey is so important—they’re your most crucial factor for success or failure in achieving certification. Choosing the right MSP initially is also vital because switching MSPs after reaching certified status will likely require your organization to undergo reassessment. As 32 CFR states, "A new assessment is required if there are significant architectural or boundary changes to the previous CMMC Assessment Scope." Swapping MSPs would definitely fall into this category, as no two MSPs are exactly alike, and such a transition involves significant changes to the scope. In short, choose wisely—MSPs vary greatly. There’s no shortage of MSPs who would happily take your money to help you get CMMC ready, but they’re not all equal. Choosing a Level 2-certified company can increase your chances of success, but don’t stop there. Look closely at their entire process, their design approach to compliance, and how they plan to support both you and future clients. #CMMC #NIST #CMMCCompliance #CMMCCertification #MSP #DoDCompliance #ManagedSecurity Adam Evans, CISSP, Kaleigh Floyd

In Phase 1 of CMMC, starting early to mid-next year, many companies will need to perform self-assessments. The temptation to simply "put the right score" in SPRS to stay eligible for contracts will be strong. It’s tempting to think, "Others have done it—why can’t I?" Listen closely: it’s a TRAP. 32 CFR explicitly states that companies are affirming and attesting to their self-assessment scores. The Department of Justice even requested that the DoD include a requirement for companies to keep documentation proving they conducted the assessment, with records maintained for seven years! This means the DOJ is preparing themselves if needed for False Claims Act cases against any misleading claims. Per 32 CFR, Section 170.22, the "Affirming Official" at each company must confirm in SPRS that the company’s CMMC status is accurate, with annual updates. Executives, don’t ignore pushback from your Affirming Official if they tell you, "We aren’t ready." Moving forward despite being unprepared might make that person more likely to report any violations—and, under the False Claims Act, they may even receive a portion of any awarded funds if a case is won. There are at least two major pitfalls to consider if you don’t take your self-assessment seriously. First, when it’s time for your third-party C3PAO assessment, one of the initial questions will be to see your self-assessment score and evidence. If they see glaring inaccuracies, it won’t go well. Second, if your C3PAO finds a major gap in your compliance and submits a large delta to SPRS, it could have significant contractual implications. Per 32 CFR: "Within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status." In other words, major non-compliance may leave a company open to more than just fines—it could mean contract ineligibility. In the DiB space, trying to “game” the CMMC system is a risky strategy that will likely backfire. Running a business is tough enough without taking unnecessary compliance risks. Instead, approach CMMC as a proactive, strategic advantage that strengthens your business. This doesn't have to go down a dark path, but the DoD/DoJ will most likely make some examples to help straighten the ranks. Don't be unlucky enough to plucked out of the crowd. Brian Hubbard, Amira Armond, Kaleigh Floyd, Adam Evans, CISSP, Shel Philips, PMP CCP RP, Vincent Scott, Koren Wise, Kyle Lai, Robert Metzger, Jonathan Weadon, Karen Stanford, Jacob Horne, Jason Sproesser, Joy Belinda Beland CMMC CCA, PI, QTE, CISM #CMMC #DoDCompliance #Cybersecurity #CFR32 #FalseClaimsAct #SelfAssessment #MSPCommunity #RiskManagement #ComplianceJourney #DiBSpace