C3PAO

Digital Beachhead

Cybersecurity consulting firm offering vCISO services and CMMC compliance assessments to small and mid-sized businesses in the defense and commercial sectors.

Digital Beachhead Website

Thanks everyone for checking out this edition of the Virtru Assessor Spotlight. Today, I'm joined by Mike Crandall from Digital Beachhead.

So, Mike, thanks for joining. Why don't you introduce yourself?

Hi. Like you said, I'm Mike Crandall. I'm the CEO of Digital Beachhead. We're a cybersecurity firm. We are also an authorized C3PAO within the CMMC ecosystem. We like to say we are the droids you're looking for.

Just with the three added. Yes. For those who That's right. I like it. So, Mike, share with us a little bit more about being a C3PAO.

What are you focusing on right now? Are you doing just final assessments? Do you do readiness, mock assessments, consulting?

Yeah. The answer is yes. We try to do a little bit of all of that. We actually started a sister company called Frontier that is helping people get ready, and Digital Beachhead is focused on those final certifications. And, we're helping people cross the finish line after what are for many, it has been a long CMMC journey.

That's great. And share a little bit about your background. How did you get into the space? What were you doing previously?

So, I'm retired military. I was in the United States Air Force. I did that for twenty-one years, and effectively was doing cybersecurity things before we called it cyber. We were just those guys who knew IT that they stuck in a damp basement somewhere, and we figured stuff out as we went.

And then, did you begin doing that for small businesses? Were you working in corporate America a little bit after? How did you get into the CMMC space?

So when I retired, I went to work as, you know, most military guys do in the contracting world because we don't know what else to do with our lives, what to do when we grow up. I was fortunate enough to learn a lot, but that company got acquired, and I got let go as part of the acquisition. And that's when I started Digital Beachhead about ten years ago, me and my partner. And we started in the virtual CISO, you know, helping companies, small to midsized companies, just come up with strategic cyber visions. And then in two thousand nineteen, two thousand twenty, when CMMC was being kicked around, we knew that would be a great place coming from the DIB ourselves.

So we signed up to be a C3PAO in the very beginning. And then within the last year, when it really truly kicked off, we got our authorization, passed our own level two assessment through the DIBCAC, and here we are ready to answer questions and do your assessments.

That's great. And what, I guess, what sort of organizations do you primarily focus on, helping? You know, size, industry, geography?

Yeah. I like to say as a veteran, you know, I work for food. So we don't really have a vertical per se, but we do tend to focus on the small to midsized businesses.

Being a small business ourselves, we know that, you know, finances are always important. And while this is not an inexpensive, you know, undertaking, we try to do our best to make it as affordable as possible for those midsized companies. And then when we're trying to help them, you know, we try to find the most suitable option instead of saying you have to go big and you have to spend, you know, hundreds upon hundreds of thousands of dollars. If there's a shorter, quicker, easier way, you know, we'll help you find it.

That's great. And, yeah, could you share what's it like working with you? Do you offer, you know, packages or mock assessment something that you recommend or offer?

Yeah. We typically in our if we're helping you get prepared, we offer something which kinda leans into our vCISO, where we'll set up a period of time for a fixed price per month depending on the number of months you need. We would prefer six.

Love twelve, but, you know, we can do it as short as three depending on your needs.

As far as the actual assessments, we strongly, tapping my foot, pulling my ear, touching my nose, strongly recommend a mock assessment because even ourselves when we were getting ready and went through DIBCAC, you think you're prepared, but you never know what the assessor's gonna see or, you know, want to see or interpret something. And so we say the mock assessment is kind of that off book.

We do the mock, which is a really, a full assessment is no punches pulled. We give you the full assessment. But if there are things missing, then we recommend a three to four week period between the mock and the full. That gives you three to four weeks to kinda dot those i's, cross those t's, and then get ready for that actual full assessment.

Okay. And are there Yeah. Are there any besides doing a mock assessment, what are maybe some other tips or observations that you've seen that you would give to an OSC that's maybe considering going down the assessment path?

So I referenced this to when I was in the military as an inspector general, an IG inspection. And we all know you need an SSP part of CMMC, so make sure that you cover all three hundred and twenty objectives in your SSP. It's beyond the hundred and ten controls, but get down to the objective level and say, this is how I'm implementing it. Then you have to have a policy and some sort of procedure document that also says this is that I'm doing it and how I do it.

They should kinda mirror each other. And then the last step is that artifact, that piece of evidence, be it a screenshot, be it another plan document, that it gives the proof that the things you just said those two times and to me, I call it the drag. If I go SSP, okay. Oh, you are saying this is how you do it.

Excellent. Ah, here's a piece of proof that you did it.

The final step is me asking you that live during the assessment, but I've already dragged my finger across expect.

That's great. And what would you maybe say to an organization, maybe a really small one that's intimidated, doesn't really know where to start even with kind of going down the CMMC path in general? What would be some tips you'd give them?

Yeah. I would say, you know, number one, breathe. We've all taken tests in our life, and this is just another one.

Understand those three hundred and twenty objectives. There's plenty of spreadsheets out there, places to find them. Reach out to us. I can give you the three hundred and twenty, and just know you have to answer them. So if you think of it as an exam with three hundred and twenty questions that you have to provide the answer to, start at the top, work your way down, and then there are organizations like yourself and ourselves and others out there that if you're like, I don't understand this question, that you can reach out to and get an explanation of what the question means.

But at the end of the day, you just need to say, I have answered this quiz set of three hundred and twenty.

So go ahead and look at it, but my takeaway one of my takeaways there also is, it's okay to ask for help, whether it's reaching out to you and, you know, they end up doing a full consultation, or I'm sure you offer, if they just have a question or two, an option to help to answer it.

Absolutely. Never be afraid to ask for help. You know, that's, you know, sometimes the hardest thing to do. And we're happy to, like I say, answer onesie, twosie questions just to help the ecosystem out.

And then if that turns into more, excellent, we'll talk about it. But don't be afraid to even call and just say, this objective, I have no idea what it means. I've got the rest. Happy to give you the this is how we see it.

That's really helpful, and I appreciate you sharing and offering that, just because from my experience, I know sometimes people are trying to figure a lot of stuff on their own, and it's, hey. Just ask an expert. I know that the word expert is not always looked upon great in the CMMC space because almost no one's an expert. But if there are any, it's closest to it. It's someone like yourself, a C3PAO.

So Yeah.

Thank you.

Well, thanks for joining, Mike. I really appreciate your time and your insights. So if anyone is looking to get in touch with Mike or Digital Beachhead for consulting, readiness assessments, mock assessments, or their final, they are a C3PAO out in Colorado, but serving organizations across the nation and globally.

Mike is part of the Virtru Compliance Champions program, but thanks for your partnership, and we'll talk to you again soon. Thanks, Mike.

Thanks for having me, Andrew.

You're welcome.