Ep.215 – You Can’t Buy Your Way Into CMMC in Q4—Here’s Why with CJ Messana of Thrive

Josh Lupresto (00:02)
Welcome to the podcast designed to fuel your success selling technology solutions. I’m your host, Josh Lupresto SVP of sales engineering at Telarus this is Next Level Biz Tech.

Everybody, welcome back. We got a good one for you today. We’re going to go deep. We’re talking about security, and today’s title is, Can’t Buy Your Way Into CMMC in Q4, and Here’s Why. We’re going to explain what all that means in a little bit. On with us today, we’ve got CJ Messana Director of Channels That Thrive. CJ, welcome on,

CJ Messana (00:38)
Yeah, thanks for having me. So I had to talk deep into CMMC and fair what’s going on in the ecosystem.

Josh Lupresto (00:45)
All right, so first off, you know, look, we got a lot of stuff. There’s some big deadlines. I’m not going to give spoilers here. Before we get into all these things that matter about what CMMC is, first a little bit about you for the audience. Where did you come from? Where did you get your start in technology? And then we’ll get into a little bit more of like, you know, thrive and kind of the role now.

CJ Messana (01:07)
Yeah, I grew up in South Florida, playing all sorts of sports, wound up playing division two college golf. And just the competitive aspect of being an athlete knew I wanted to be in a fast paced environment. I don’t know, 15 years later, I still find myself in IT sales and cybersecurity. So I love that space and riding the wave and helping drive the narrative around helping organizations mature from a cyber perspective.

Josh Lupresto (01:37)
All right, now this is going to show my hand. I am not a golfer, but I did stumble across in the rabbit hole of scrolling the Divot guys. So I feel like I at least have to ask the question then, what’s your handicap?

CJ Messana (01:52)
Well, now that I’m long away from my competing days, I’m like a three and a half, 3.5 handicap. Yeah, used to be decent amount better, but trending the wrong direction, unfortunately. Selling does not allow for much golf time.

Josh Lupresto (02:07)
That’s all right. That means you’re doing a lot of selling. So that’s good if you had too much time for golf and you wouldn’t be selling. So all right, three and a half. Not bad. That’s three and a half better than me. So let’s maybe start off. Thrive has been a supplier in the channel, known commodity for a long time. You guys do a lot. And we could do an episode on just this because the portfolio is so big. For the partners that, you the advisors out there that don’t know.

Give us the overview of Thrive, what the business is today, and how much you guys have evolved. Acquisitions, just growth, all that good stuff.

CJ Messana (02:44)
Yeah, yeah. really thrive next gen managed services is where we’re at today. So we view managed IT, like traditional IT managed services as table stakes. And we focus on the three C’s, cyber, cloud, and compliance. And so those are the areas that we specialize in to round out a managed service offering for an organization so we can help them from end to end.

To your point, done a lot of acquisitions over the last 10 plus years, but believe it or not, manufacturing is our second largest vertical in the business. So we’re very specialized and nuanced in this defense industrial based CMMC route.

Josh Lupresto (03:28)
So I guess as you think of, know, we’ve got some pillars that we’re setting up, right? Cloud, security, compliance. I mean, just to give people color, it doesn’t matter if you’re private cloud, it doesn’t matter if you want to go Azure, it doesn’t matter. I mean, it’s fair to say a lot of depth in every one of those, when somebody needs an MSSP, there’s just a massive pillar of depth and specialization, even verticals, private equity, you guys are also well known in that space too, yeah?

CJ Messana (03:56)
Yeah, I mean, that’s number one, vertical financial services and whatnot. yeah, mean, the way we tackle it is through an advisory angle, right? So we’re trying to help drive the overarching strategy of the organization through one of those three Cs, right? And compliance is usually a great way to bring everything together, right? And most of the executives are making IT or cyber purchasing decisions because of compliance. So we found that to be a very

nice way to bundle it, not bundle everything together, but tie everything together so we can deliver outcomes, not just vendor sprawl and tech widget knife fights, right?

Josh Lupresto (04:39)
Yes, love a knife fight. Yeah, look, we won’t be able to get to everything that you guys do today, but what I would say is that anybody that’s listening to this that had an understanding of what Thrive was five years ago, three years ago, a year ago, it’s just expanded, right? I mean, down to…

end user security software, MDR, full VC. So like the list just goes on, right? AS400s. mean, there’s a, a dart, you guys fit it. And I would just remind the TAs that look, is a great time, I think in 2026, where the customers are just constantly being asked, do less with more.

And what does that mean? That means they need help. That one person is now the CISO and the CIO and probably player coach on some of the infrastructure management. so the point is talk to your customers and figure out where they’re at. They’re probably overburdened and they probably need help. And you guys, spend some time with you guys to understand the depth of the portfolio if you haven’t already.

CJ Messana (05:48)
Yeah, thanks. I always tell TAs like our surface area is so large, we’re going to find something that’s causing friction or pain. And so we’re a good bet, right? We’re likely going to find something that we can help your clients solve. That’s usually my general message to TAs that haven’t worked with us in a while or aren’t familiar with us.

Josh Lupresto (06:08)
Okay, so let’s jump in this beautiful term, CMMC. So, first of all, level set for us. There’s a deadline looming. What is this? November, September, somewhere around there. Walk us through, I guess, what is this CMMC deadline, and is it a deadline problem? Is it something else? What does it mean?

CJ Messana (06:33)
Sure, so CMMC is a journey, not a destination, right? So it’s not one of those things where you just say, okay, did it, high five, throw a party and move on to the next thing, right? It’s operational maturity at the end of the day. And in terms of the deadline, so last November, the Department of War rolled out that this is now in place, right? This is law, you have to become CMMC compliant. And they’re doing a phase rollout, which…

we should be appreciative of, right? However, this November, they’re saying if you’re interfacing, if you’re touching controlled unclassified information, most people just CUI, you need to have a third party assessor certify you being CNMC level two compliant. So they basically gave everyone a year saying, hey, last November, this is real.

This upcoming November, need to prove that you’ve been certified by a third party. So no more self attestations will appease the requirement.

Josh Lupresto (07:37)
So the, okay, so CMMC Cybersecurity Maturity Model Certification, right? Pretty, I suppose pretty self-explanatory related to this.

CJ Messana (07:44)
That’s right.

Josh Lupresto (07:48)
What’s let’s kind of walk in through right now, I guess, maybe the reality in the market, right? You know, they rolled this out, everybody’s got to do it, you the government’s like, you know, everybody’s used to deadlines that move. Now, this is a real deadline and you’ve got to have this level two of compliance, but you’ve kind of got this.

We’re going to do acronym soup today a little bit. You’ve got these things out there called C3PAOs. Now, don’t be confused if you’re a Star Wars fan and this is nothing related to that. It’s just coincidentally also a nerd term. Walk us through what in the world a C3PAO is and then what’s the, what’s kind of the assessments that most contractors aren’t quite seeing yet? Because we’ve got the assessing side of the house.

CJ Messana (08:35)
Yeah, so C3PAO stands for Certified Third Party Assessor Organization. So that’s what I was talking about by November 2026. You need to have a C3PAO assessed and validate that you’re compliant, right? And so the deadline is November. A lot of folks have just been kicking the can down the road, saying, I’m going to worry about this in November. That’s where I say not the best idea, right? Not only is it not a good idea, but

Early adoption in this is a competitive advantage, right? And that’s what we’ve been telling clients for years. Like the early adopters are going to gain incremental business because they went ahead and got this done and are testing prior to their competition. And a great example of that is L3 Harris, their big prime contractor. Last month, they went to their subs and said, Hey, we just got awarded a $65 million contract.

If you want a piece of that, you need to be certified by July. And they came out and said that in April. So if you want to get a piece of that contract and you’re not compliant right now, most likely you’re it’s too far gone for you to get that to get certified by July. Right. It’s a six to nine month process. If you have a lot of hands on deck. Right. And so we’re trying to tell people like, yes, don’t this is coming like you can’t hide from it forever. So just embrace it.

be an early adopter and have the competitive advantage over your competition to win incremental contracts. And so the primes are pushing this and making this a very like capitalistic like environment more so than the government, because the primes are the one holding all the liability and responsibility. So they’re the ones moving the needle and moving the deadline left, if you will. And so that’s how we’re trying to advise our TAs and clients to be aware of.

Josh Lupresto (10:34)
So we’ve got a lot of things to do to help people get ready. And then they have to go in front of this, help people understand that.

this is a separate function, right? You’re gonna help them get ready. You’re gonna do all of these things. And there’s a lot that goes into that. And then they’re gonna go out and have to get this assessment, maintain this assessment. Who knows, maybe level that up over time. Let’s just say, I’m a really good procrastinator. So let’s just say you got us, the TAs have a CIO, a CISO out there that says, you know what? It gets government, not a big deal.

we’re going to wait till Q4. And then they choose, you know, let’s tackle this in Q4 when things are little slower. What happens with that kind of mindset?

CJ Messana (11:15)
So a lot of things, right? mean, it’s like my layman term comparison is like, you want abs. You don’t wait till the day you want, like the day, if you set a goal to get abs, you don’t wait for that day to start caring about it, right? It’s it’s operational maturity. It’s doing the right things day in and day out and having good habits, right? CMMC is very similar. It’s like I said, it’s a journey, not a destination. The one thing I want to paint for folks to understand is,

This isn’t, we haven’t missed the bus, right? There’s approximately 300,000 organizations seeking compliance. So there’s roughly 300,000 companies that CMC applies to. Only 1100 have been certified so far. So, and that was as of the end of April, so April 30th. So I don’t want TAs to think, this is the November deadline, my manufacturing client that has DoD or…

Department of War contracts already has this figured out. They most likely don’t, right? Only 1,100 out of 3,000 are certified today. And so that’s what I want everyone to walk away with is like the opportunity is right here for the taking. But to ask, like to answer your question more directly, we’re having a lot of false confidence, right? If you go start talking to your manufacturing clients,

the CIO, the CISO will likely sound very confident. Oh yeah, we’ve got CMMC cover. We self-attested. We’re 110 out of 110. That’s where I challenge you to go a little deeper and say, well, let’s have a third party look at that and determine whether or not you’re actually 110 out of 110. Obviously you don’t want to be combative about it, but what we’re seeing in the space is everyone’s self-assessing themselves. And so they this false confidence.

And then they book an audit with a C3PAO assessor. And during that pre-audit work and diligence phase with the auditor, the auditor finds out they’re nowhere near ready to become audited, let alone passed. And so there’s this phenomenon of false starts or straight up failing the audit. And that’s where you’re wasting money, time, cycles, et cetera. And that’s what we’re trying to help folks avoid is that false confidence and false start.

Josh Lupresto (13:35)
This reminds me, this reminds me of, you remember on Saturday Night Live, the Stuart Smiley guy, where he comes on and he says, this is all about like positive reinforcements. I’m good enough, I’m smart enough, and gosh darn it, people like me. Like positive reinforcements by Stuart Smiley, that’s what it was. This, you know, look if I could have graded my own tests in school, I’d probably had a lot better grades. Different conversation.

But when we see people doing these kind of self, hey, I self-tested, I felt good, I got a lot of the controls, and then you guys step in. As an example, is there a common through line there of, and we see that they generally miss this, this, this, and this? Or what do you see when you kind of get into that and uncover it? Because that’s a good challenge.

CJ Messana (14:28)
Yeah, lot of times we see a lack of documentation and evidence, right? That’s where this becomes very burdensome and very heavy is having the proper documentation that these controls and policies exist, and then the evidence that they’re being enforced to the business on a day-to-day basis. And so that’s what you have to prove is being done not on one given day, over a period of time, over and over and over again, right? And so

That’s why we say a journey and that operational maturity is, is the kryptonite of, of what this is all about. And so usually it’s a lack of documentation and a lack of evidence. A lot of times, sometimes we find that there’s some upgrading and technologies required, right. And as a TA that’s music to your ears, right? Like this is just a great, our partners have always found three to five X and incremental business after we get this CMMC advisory program.

put into an account because we’re just doing all this interview gap assessment type work to find additional ways to help them, not additional ways, but more ways to help them become compliant. And it’s usually IT blocking and tackling and having compliant technology in their stack.

Josh Lupresto (15:45)
So then, I think, we talking about this too earlier, before this call, when we started out the security practice years ago, the common misconception was, customers aren’t big enough to matter, they’re not Home Depot, they’re not Target, they’re not these people that you were reading about in the big reaches, right? And at the end of the day, we all came to realize, no, bad guys want your data, they don’t care about who you are, how big you are, honestly, they don’t even know some of the time.

And so therefore, if you’ve got an IP address, use the internet and breathe air, you’re likely susceptible to somebody that they care about. So, you we’ve established those things. So people obviously know there’s a lot of risk here. I want to talk a little about business impact, though. So let’s say I don’t do these things. Let’s say I, you know, I assume there’s a loss. There’s an opportunity cost here of lost revenue. They’re not going to able to bid on opportunities. You kind of talked about that, but I mean,

Is it fines? Is it lost deals? mean, what do you see?

CJ Messana (16:48)
So, CMC is all about eligibility to do business with the Department of War. The Department of War is the largest consuming entity in the world, right? Like they’re the largest customer anyone in IT can sell to. So basically this is all, number one, it’s a matter of national security, right? We don’t want our adversaries getting the competitive edge that we have, right? From a military defense standpoint. And then number two, this is

breaking the barriers to allow you to do business with the largest customer in the world, right? So that’s number one. If you’re not compliant and you have existing contracts, those are at risk, right? As an organization, as that November deadline encroaches and maybe your prime contractor calls it out even before then, you can lose that contract if you don’t have a third party certification to present.

So those are the two like obvious business impacts. The one thing that I call out, it’s like an intrinsic benefit of CMMC is there’s 110 controls and they’re all meant to make you more resilient, more secure and more trustworthy to do business with. So your likelihood of having a security event or incident is decreased like exponentially. Like I don’t even have statistics to throw at you, right? If you’re meeting 110 of these controls,

you’re much less likely to have a breach and incident data exfiltration, whatever. And what I encourage people to do is like visualize your largest customer. have a contract. Let’s just say, let’s pick on Lockheed Martin, right? They’re the prime that consumes your product or service. You do five plus million dollars a year with them. And let’s say you are CMMC compliant, right? You’re CMMC compliant. You got certified.

against all odds, you had a security event, you had an incident, you have to disclose that to Lockheed Martin that you had an incident. And I said, let’s pretend you are compliant. Even if you are compliant, how quickly do you think that business is going to run away and go to a competitor once you have to disclose that you had an incident or an event? So imagine that same scenario if you’re not compliant, you don’t have a third party certification. Like you may never see that business again.

And so that’s what I think the big impact here is you just want to be able to say you did everything you could in your power to prevent an incident from happening. And CMMC is the vehicle to get there basically.

Josh Lupresto (19:23)
It’s a good example, I suppose too, as to who the addressable audience here is. You called out hundreds of thousands. I was running the math on, my math is right, and there’d be any math today, but I think I ran the math right. Three tenths of a percent are the people that are currently compliant based on who at least looks like needs to be compliant. not only is that, there’s a lot of opportunity there currently, but…

I think we also have to remind the TAs that it isn’t just this obvious entity that is pure government contractor, right? Because you’ve kind of got this sub of a sub mentality. how would you advise the TAs to uncover those? Do you do business with anybody that does business with the government? Is that the right path?

CJ Messana (19:55)
Yeah.

Yeah, and so give it little more context. So we have a client, they’re a family-owned business. The last name’s on the front of the building. All they do is manufacture stickers. So happens that one of their largest customers purchasing their stickers is Lockheed Martin, who puts them on the fighter jets that the Department of War consumes, right? So they’re a family-owned business, less than 100 employees. They manufacture stickers for Crying Out Loud.

but they have to become CMMC compliant because they have the blueprints of the fighter jets to understand what dimensions their stickers need to be. Right. And so I like to use that example because they’re not a high flying, sexy space and defense company, right? They’re a family owned business, very like simple manufacturer, right? But they, have a DOD, sorry, Department of War contract. so CMMC applies to them. Right. And so we’ve been helping them over the last year and a half or so.

close their gaps, go from wherever they were when we met them to 110 out of 110 controls. They’re going through their certification as we speak. And they’re going to start advertising that and try to grow their contract business because they have the competitive advantage, right? So I would like to give that example because that shows you how far this sprawls, right? And not to the 300,000 companies, not all of them are drone manufacturers or missile defense, like

super crazy stuff that you would never think that applies to your customer base.

Josh Lupresto (21:45)
Okay, so then let’s fast forward. Let’s say everybody listens, takes the advice, gets ready. Someone for a company then, what does good really look like if somebody’s CMMC ready? What does that look like operationally then?

CJ Messana (21:59)
Yeah, so I’ll revert back to my phrase of the day. It’s a journey, not a destination. it really comes down to operational maturity, right? Like you need to prove that you’re for to get specific for a second. You have to prove that you’re doing a vulnerability assessment at least every quarter. But not only do have to prove you’re doing that, you need to prove that you’re remediating the found vulnerabilities during that exercise. And so that’s where we come in because we help operationalize all these things that

the customer is essentially signing themselves up for, for now, till the end of time that they want to continue doing government, Department of War business. And that’s where even a decently sized IT or cyber team internally, like they need an army to accomplish all these 110 controls and maintain them. Like it’s all about the hygiene and the constant remediation and tweaking and hardening of the network. And so that’s, that’s where we come in.

That’s where we shine, right? Helping with that remediation roadmap. And so that’s where, that’s what good looks like. You have a mature program and when it comes time to get your third party assessment or audit, you have a complete packet of documents and evidence to drop on the desk and let them have at it and prove that you’re ready and organized.

Josh Lupresto (23:19)
Love it. And then I suppose, yeah, I mean, to your point, some of these things just aren’t a cost center anymore. I mean, it’s going to take you some dollars, I suppose, to then do the things that you need to do to become compliant, whether it’s with your services and they need a firewall, they need this documentation, this process, and this whatever. All those things, then the customer can turn around and advertise and go tackle that new business that they couldn’t tackle before, right? So you could argue this is a…

This is probably a net positive in some instances if they go explore new business to go after that they weren’t after before or weren’t deep enough or weren’t really confident or like, we just pick up this one or two contractors and they didn’t require, or these one or two customers, they didn’t require us to have this compliance, but now we have to have it, so we’re getting it. Shoot, let’s go tackle it. Let’s be really confident in it that they’ve got that great ability and then to your point, go do it before anybody else does because there’s still such, it’s such early runway.

CJ Messana (24:13)
Right, right. And yeah, that’s basically it. mean, and as a TA, like,

productively call out your contact, whether it’s the director of IT, CISO, CIO, right? Because they’re more than likely going to have that false confidence because they self-assess themselves. And so that’s usually the, like, my number one question to give TAs to qualify, like, is there a CMMC need within this customer of mine is just ask them, do you have any DOD or Department of War contracts? Question, right?

If the answer is yes, we need to talk to them together, right? Because they’re likely going to say yes, oh, but I self-assessed, I’m currently 110 out of 110, and like have that false sense of confidence. And then they call in an auditor, and they’re the stakeholder of this for their company. And then the auditor comes in and says, you guys aren’t even auditable, let alone going to pass. And then the egg is on your contact, the customer, the IT director, CIO, whoever it is.

And so as their TA, like I encourage you to help avoid them having that egg on their face and do some due diligence with a non assessor, right? Like thrive, we’re a registered practitioner organization, so we don’t do any of the assessing ourselves. And so we’re just a friendly ally to you and the clients to make sure that they have their T’s crossed and their I’s dotted so they don’t have that egg on their face to the rest of their company when they call an actual.

Josh Lupresto (25:45)
Yeah. Is that, to put a bow on, as we get here to the end, is that question set the best way to ask? Is there any other ways to ask it, to kind of uncover these? We talked earlier, we talked, do you do business with anybody that works with the Department of War, or anybody that’s a sub of the Department of War, those types of things? And then you talked about…

you know, how are you assessing right now? Have you had a third party assessment? Is that the best track? Are there any other ways that you want TAs to be thinking about to weave into that thread?

CJ Messana (26:22)
That’s definitely the number one. Do you have a third party assessor on deck that you already know you’re going to work with? Are you on their schedule? That’s always a good question to ask. Another good qualifying question is, do you have continuous monitoring in place? Because that is an automatic deal breaker. If you don’t have an MDR-like solution in place,

and you can actually prove that there’s a person or resource to actually remediate any alarms generated out of that monitoring, you’re going to fail. So I think that’s a good automatic. We attach MDR to CMC advisory at a very high clip because of that. So just calling that out as well as another area of questioning to understand.

Josh Lupresto (27:15)
All right, so then I don’t think we’ve said AI yet, which is crazy. It’s almost full 30 minutes with no AI, so we to bring up AI. So here we are then as we kind of, final thought. Think about the future, right? We’re getting into this CMMC level nothing that didn’t exist a while back to now level two deadlines by November. I think you’ve given us some gold to help everybody tackle that. As we move forward now and we’re helping everybody down this kind of like separate but…

tied in AI journey, know, agentic tooling is starting to take off and people are doing a lot of testing and you know, it’s not, that’s probably in that 0.3 % of people are where they need to be also. How does that drive urgency towards this? Does it? Is it different? What’s your kind of final thought of where this goes?

CJ Messana (28:10)
For the time being, think it’s different, right? think, so a lot of companies are building, not really building, but they’re going the Enclave route where they’re not making the boundary of their CMMC certification, their entire company. They’re going with the Enclave approach, which is like a subset of infrastructure and a subset of users that access that infrastructure. And so for the near term, my answer to AI is you gotta think long and hard about how you utilize

AI within your CMMC boundary or enclave, right? I encourage everyone to be using it in their commercial business, right? Like where you’re not in a regulated industry per se. But when it comes to CMMC, you need to think about it three times longer, right? Because you’re basically amplifying the risk of the data that you exposed AI.

We also have AI governance and readiness assessments that we offer that will operate under the lens of CMMC if we know that that’s part of your world, right? So I highly recommend that. But I just caution everyone, like all the defense industrial base, like those 300,000 companies, like implementing AI into your DOD, your Department of War business, or part of your business is,

little scary to think about, it’s gonna happen, so we just have to do it intelligently.

Josh Lupresto (29:37)
Yeah.

I agree. mean, just imagine those, you know, Senate Judiciary Committee meetings fast forward a little bit of, okay, so you have your CMMC enclave. Okay, so you’ve added some agentic and AI tooling. So you’ve brought known good guys into the environment with a probabilistic way that they’re going to answer and go search for information and share and not share. And what’s your paper trail and your audit trail for that inside the agentic tooling that you chose?

And everybody says, could you talk slower and say that again? That’s not the one that you don’t want to have an answer for. yeah, this just creates more. Everything with great power comes great responsibility. So if you want these tools, which everybody does, then I like it. What you said, I think you’ve got to think about it three times longer. It’s a great way to put it.

CJ Messana (30:14)
All right.

Yeah, yeah, very exciting times. Definitely a lot of opportunity around CMMC. I’m sure as a TA, you can’t throw a rock without hearing about it these days, hence us talking about it right now. the opportunity is huge. We feel well positioned to help you tackle the market and help your clients navigate the waters. And especially we’re here to help them avoid making the wrong decision or stubbing their toe along the way, right? Like our team of

TMMC consultants are former auditors. So they used to be the ones on the other side of the table doing the audits. And so that’s why we’re so confident in our approach because we know exactly, we’ve taken the test hundreds of times, right? We used to administer the test. So what we’re doing now is pleasant light work compared to what we have done in other arenas, if you will.

Josh Lupresto (31:28)
I bet. All right, man. CJ, that wraps this up. Lots of great nuggets, lots of good stuff. I really appreciate you coming on, man. Good stuff.

CJ Messana (31:36)
Yeah, Josh, thanks

for having me. Enjoyed it. yeah, happy to talk with any TAs. I have questions coming out of that episode.

Josh Lupresto (31:44)
Awesome. All right, as always, everybody, this drops every Wednesday. If you are not subscribed and you are not getting these on Spotify and Apple, go get them so that you get these drops before anybody else does as they come out. And until next time, that wraps us up for today. I’m your host, Josh Lupresto SVP of Sales Engineering at Telarus CJ Messana Director of Channel to Thrive. This has been You Can’t Buy Your Way into CMMC and Q4. Until next time. Thanks, everybody.